锐捷实验
- 一、核心
- 1 开局MLAG组网(厂商初始化工作)
- 1.1 peerlink:
- 1.2 keepalive:
- 1.3 vap domain 1
- 2 开局基础配置(厂商初始化工作)
- 2.1 关闭 telnet 服务、web服务
- 2.2 时钟 NTP
- 2.3 LLDP封装:
- 2.4 snmp
- 2.5 日志:
- 2.6 trap acl,ssh acl
- 2.7 巨帧转发
- 2.8 开启netconf并且最大会话次数为10
- 2.9 ACL仅对三层报文生效
- 2.10 开启五元组hash
- 2.11 核心生成树关闭
- 3 业务配置(其他分工人员)
- 二、接入交换机
- 1 开局MLAG组网
- 1.1 peerlink
- 1.2 keepalive
- 1.3 vap
- 2 开局基础配置(厂商初始化工作 同上 此处省略)
- 3 业务配置(服务器透传vlan)
- 3.1 业务vlan透传到核心
- 3.2 下联服务器放通(服务器mode4 模式 bond1)
- 3.3 服务器模式对接 常用
一、核心
1 开局MLAG组网(厂商初始化工作)
核心、Leaf 均配置MLAG(MLAG的vap domain ID 为 1,1.1.1.0/30 为keepalive IP,1.1.1.4/30 为数据同步IP)
1.1 peerlink:
vlan 4094
name For_peer-link
interface vlan 4094
ip add 1.1.1.5/30
interface agg255
no mac-address-learning
sw mo trunk
sw trunk allowed vlna only 2-4094
peer-link
interface hun0/55
carrier-delay up 2 down 0
port-group 255 mode active
lacp short-timeout
interface hun0/56
carrier-delay up 2 down 0
port-group 255 mode active
lacp short-timeout
1.2 keepalive:
interface agg254
no switchport
ip address 1.1.1.1.1 30
vap error-down except
interface ten0/47
no switchport
port-group 254 mode active
lacp short-timeout
interface ten0/48
no switchport
port-group 254 mode active
lacp short-timeout
1.3 vap domain 1
no fast-convergence
recover up-dely 120 none-vap 60
priority 5 (M2配置 4)
data-sysnc local 1.1.1.5 peer 1.1.1.6
peer keepalive local 1.1.1.1 peer 1.1.1.2
dual-active auto recovery
查看:
show vap keepalive
show vap peer-link
show vap data-sync(查看数据同步)
2 开局基础配置(厂商初始化工作)
用户名 加密
username openstackadmin privilege 15 password Pr@ject2018
username COC_operator privilege 15 password shixun@2023
username COC_monitor privilege 1 password shixun@2023
username yundiao_read privilege 1 password shixun@2023
privilege exec all level 1 show run
privilege exec level 15 enable
加密:service password-encryption
2.1 关闭 telnet 服务、web服务
enable service ssh-server
no enable service telnet-server
no enable service telnet-server
!
no enable service web-server http
no enable service web-server https
2.2 时钟 NTP
clock timezone beijing 8 0
ntp update-calendar
ntp server vrf NET-manage 10.30.1.254 source Mgmt 0 pre
2.3 LLDP封装:
lldp enable
lldp management-address-tlv 本机带外地址
2.4 snmp
snmp-server host 地址1 vrf NET-manage traps version 2c yundiao*&COC2016
snmp-server host 地址2 vrf NET-manage traps version 2c yundiao*&COC2016
snmp-server community 只读串 RO 2000
snmp-server trap-source mgmt 0
snmp-server enable traps
no snmp-server enable version v1
snmp-server user yundiao SNMPGROUP v3 auth sha yundiao*&COC2016 priv aes128 yundiao*&COC2016
snmp-server group SNMPGROUP v3 priv read default write default access 2000
2.5 日志:
logging userinfo command-log (命令记录)
logging source interface Mgmt 0
logging facility local4
logging server 日志地址1 vrf NET-manage udp-port 5000 level warnings
logging server 日志地址2 vrf NET-manage udp-port 5000 level warnings
2.6 trap acl,ssh acl
trap acl:
ip access-list extended 2000
10 permit ip host snmp主机地址1 any
15 permit ip host snmp主机地址2 any
1000 deny ip any any
list-remark For_SNMP
ssh acl:
ip access-list extended 2001
10 permit ip 192.168.0.0 0.0.7.255 any
20 permit ip 10.30.0.0 0.0.1.255 any
1000 deny ip any any
list-remark For_Login
本地认证调用acl
line vty 0 9
transport input ssh
session-timeout 10
access-class 2001 in
login local
width 256
logging synchronous(日志输出同步,敲入命令不会弹出信息)
privilege level 15
!
line console 0
session-timeout 10
privilege level 15
logging synchronous(日志输出同步,敲入命令不会弹出信息)
login local
width 256
2.7 巨帧转发
mtu forwarding 9216(允许转发mtu为9216内的数据包,默认1500)
2.8 开启netconf并且最大会话次数为10
netconf enable
netconf max-sessions 10
2.9 ACL仅对三层报文生效
svi router-acls enable
2.10 开启五元组hash
load-balance-profile ruijie
y
ipv4 field src-ip dst-ip protocol l4-src-port l4-dst-port
ipv6 field src-ip dst-ip protocol l4-src-port l4-dst-port
hash-disturb 16
!
aggregateport load-balance enhanced profile ruijie
!
2.11 核心生成树关闭
no spanning-tree
!
no spanning-tree mst configuration
!
3 业务配置(其他分工人员)
网关地址配置
interface vlan 100
ip add 192.168.10.1/24
二、接入交换机
1 开局MLAG组网
1.1 peerlink
vlan 4094
name For_peer-link
interface vlan 4094
ip add 1.1.1.5/30
interface AggregatePort 255
no mac-address-learning
switchport mode trunk
switchport trunk allowed vlan only 2-4094
peer-link
!
interface HundredGigabitEthernet 0/55
description pT:m2:ip.100GE0/55_M-LAG
carrier-delay up 2 down 0
port-group 255 mode active
lacp short-timeout
!
interface HundredGigabitEthernet 0/56
description pT:m2:ip.100GE0/56_M-LAG
carrier-delay up 2 down 0
port-group 255 mode active
lacp short-timeout
1.2 keepalive
interface AggregatePort 254
no switchport
ip address 1.1.1.1 255.255.255.252
vap error-down except
interface TFGigabitEthernet 0/47
no switchport
description pT:m2:ip.25GE0/47_peer-alived
port-group 254 mode active
lacp short-timeout
!
interface TFGigabitEthernet 0/48
no switchport
description pT:m2:ip.25GE0/48_peer-alived
port-group 254 mode active
lacp short-timeout
!
1.3 vap
vap domain 1
no fast-convergence
recover up-delay 120 none-vap 60
priority 5
data-sync local 1.1.1.5 peer 1.1.1.6
peer-keepalive local 1.1.1.1 peer 1.1.1.2
dual-active auto recovery
2 开局基础配置(厂商初始化工作 同上 此处省略)
生成树开启
spanning-tree
spanning-tree mst configuration
revision 255
name ctyun
instance 1 vlan 1-4094
!
备注:现网中网关在接入(m-lag),BGP互联组网(只有管理交换机才开启生成树使能,传统网络也就是网关在核心时候也要开启生成树)
3 业务配置(服务器透传vlan)
vlan range 1,200-209,300-309,500-3999
3.1 业务vlan透传到核心
interface AggregatePort 1
描述格式:机楼 -机房-行号-机柜号-设备功能编码-厂商代码-起始高度.对端管理IP.逻辑端口
description uT:SJZX-111-C-08_C-09-CSW-RGS6510-M1_M2-01U40.agg11
switchport mode trunk
switchport trunk allowed vlan only 200-209,300-309,500-3999
spanning-tree bpdufilter enable
vap 1
interface HundredGigabitEthernet 0/49
描述格式:机楼 -机房-行号-机柜号-设备功能编码-厂商代码-起始高度.对端管理IP.端口号
description uT:SJZX-111-C-08-CSW-RGS6510-01U40:172.16.10.1.100GE0/49
port-group 1 mode active
lacp short-timeout
interface HundredGigabitEthernet 0/50
描述格式:机楼 -机房-行号-机柜号-设备功能编码-厂商代码-起始高度.对端管理IP.端口号
description uT:SJZX-111-C-09-CSW-RGS6510-01U40:172.16.10.2.100GE0/49
port-group 1 mode active
lacp short-timeout
3.2 下联服务器放通(服务器mode4 模式 bond1)
interface AggregatePort 11
description dT:Jisuan:servername.bond1
storm-control broadcast level 10
description dT:J1.bond1
switchport mode trunk
switchport trunk allowed vlan only 301
spanning-tree bpduguard enable
spanning-tree portfast
vap 11
!
interface AggregatePort 12
storm-control broadcast level 10
description dT:J2.bond1
switchport mode trunk
switchport trunk allowed vlan only 301
spanning-tree bpduguard enable
spanning-tree portfast
vap 12
!
interface AggregatePort 13
storm-control broadcast level 10
description dT:C1.bond1
switchport mode trunk
switchport trunk allowed vlan only 302
spanning-tree bpduguard enable
spanning-tree portfast
vap 13
!
备注:
① storm-control broadcast level 10 该接口广播流量不能超过带宽的10%,否则丢弃
② spanning-tree portfast
接入服务器:blocking->listening->learing->forwarding(50s后进入转发状态,配置 spanning-tree portfast,节省50s时间)
③ spanning-tree bpduguard enable 配置portfast使用,接到交换机上,会收到bpdu报文,造成环路,配置此命令后,会errdisable(防环)
3.3 服务器模式对接 常用
mode1:有容错能力,一个down,另外一个顶替(资源利用率1/N),交换机对接access或者trunk即可
mode2:port-group 11
mode4:port-group 11 mode active(lacp对接)
mode6:交换机无需特别配置
