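This is an enterprise network architecture design project. Its goal is a high-performance, highly reliable and highly secure network that serves the company's separate business zones (server zone, Internet zone, office zone, production zone). The design uses a layered architecture (core, aggregation and access layers) and combines several network technologies (MSTP, VRRP, OSPF and others) to provide redundancy, load balancing and efficient routing. The project is also hands-on: configurations were validated on a mix of real devices (Huawei, H3C) and a simulator (Huawei eNSP) to make sure they are accurate and workable.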

 

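Contents

I. Project Background

II. Network Architecture Design Overview
1. Overall topology design
2. Zone division and interconnection
3. Key technology choices

III. Technical Implementation
Layer 2 technologies:
(1) Production zone
(2) Office zone
(3) Server zone
Layer 3 technologies:
(1) Core layer
(2) Production zone
(3) Office zone
(4) Internet zone: F-1
Optimization configuration
Policy configuration

IV. Problems Encountered and Solutions
1. H3C and Huawei device compatibility issues
2. VRRP state flapping

V. Results and Lessons Learned
1. Key project metrics achieved
2. Core technical takeaways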

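I. Project Background

As the company's digital transformation deepens, the existing network infrastructure can no longer support business growth. A full assessment found three main pain points in the current network:

  1. Aging infrastructure

  2. Emerging performance bottlenecks

  3. Outdated security architecture

II. Network Architecture Design Overview

1. Overall topology design

The design uses the classic three-tier "core-aggregation-access" architecture:

  • Core layer: two Huawei CE12800 switches (C-1/C-2), interconnected by a 4×10G Eth-Trunk [responsible for high-speed forwarding and inter-zone routing];

  • Aggregation layer: divided by business zone, using Huawei S7700 series switches [connects the core and access layers and aggregates and distributes traffic];

  • Access layer: Huawei S5700 series switches with PoE+ support for IP phones and APs [connects end users or production equipment directly and provides network access].

2. Zone division and interconnection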

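| Zone | Devices | Main services | Special requirements |
|---|---|---|---|
| Production zone | D-1/D-2 + A1-A3 | MES system, PLC control | Low latency, high reliability |
| Office zone | D-5/D-6 + A4/A5 | OA system, video conferencing | Bandwidth guarantee, access control |
| Server zone | C-1/C-2 + D-3/D-4 | ERP, databases | Security isolation, load balancing |
| Internet zone | F-1 firewall cluster | External network access | Security protection, traffic filtering |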

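3. Key technology choices

  • Redundancy protocols: combined MSTP + VRRP scheme

  • Routing protocol: multi-area OSPF design

  • Security scheme: VLAN-based micro-segmentation

III. Technical Implementation

  • Layer 2 technologies

    • MSTP (Multiple Spanning Tree Protocol): breaks loops and provides redundancy. Each zone is configured with its own MSTP instances and root bridges, for example:

      • Production zone: MSTP region name SC; instance 1 maps VLAN 21, instance 2 maps VLANs 22, 23 and 100.

      • Office zone: MSTP region name BG; instance 1 maps VLANs 11, 12 and 13, instance 2 maps VLANs 14, 15, 16 and 100.

      • Server zone: MSTP region name FWQ; instance 1 maps VLANs 31, 33 and 100, instance 2 maps VLANs 32, 34 and 35.

    • VRRP (Virtual Router Redundancy Protocol): provides gateway redundancy. Master and backup roles are assigned per VLAN, and the master tracks its uplink state; when both uplinks fail, the gateway switches over automatically.

    • Link aggregation: for example between D-1 and D-2, D-5 and D-6, and C-1 and C-2, to increase bandwidth and reliability.

(1) Production zone

1. D-1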

// Set the device name
[Huawei]sysname D-1

// Create VLANs
[D-1]vlan batch 21 22 100 1102 1104 1109     // create VLANs 21, 22, 100, 1102, 1104 and 1109

// Link aggregation cannot be set up once the ports carry other configuration, so configure it first
// Configure link aggregation
[D-1]interface Eth-Trunk 0     // create aggregate interface Eth-Trunk 0
[D-1]interface g 0/0/1     // enter interface g0/0/1
[D-1-GigabitEthernet0/0/1]eth-trunk 0      // add g0/0/1 to Eth-Trunk 0
[D-1]interface g 0/0/2     // enter interface g0/0/2
[D-1-GigabitEthernet0/0/2]eth-trunk 0     // add g0/0/2 to Eth-Trunk 0
[D-1]display interface Eth-Trunk 0     // view the aggregate interface

// Assign interfaces to VLANs (make them trunk ports and allow the relevant VLANs)
[D-1]interface GigabitEthernet 0/0/3     // enter interface g0/0/3
[D-1-GigabitEthernet0/0/3]port link-type trunk      // set the port type to trunk
[D-1-GigabitEthernet0/0/3]port trunk allow-pass vlan 21 22 100    // allow VLANs 21, 22 and 100 on this trunk
[D-1]interface GigabitEthernet 0/0/4     // enter interface g0/0/4
[D-1-GigabitEthernet0/0/4]po li t     // set the port type to trunk
[D-1-GigabitEthernet0/0/4]po t all v 21 22 100     // allow VLANs 21, 22 and 100 on this trunk
[D-1]interface Eth-Trunk 0     // enter Eth-Trunk 0
[D-1-Eth-Trunk0]po li t     // set the aggregate interface to trunk
[D-1-Eth-Trunk0]po t all v 21 22 100 1102     // allow VLANs 21, 22, 100 and 1102 on the aggregate interface

[D-1]display interface vlanif     // view the VLAN information created so far
[D-1]display vlan
[D-1]display vlan summary

// Configure gateway IP addresses
[D-1]interface vlanif 21     // enter Vlanif21
[D-1-Vlanif21]ip address 10.1.21.1 24     // set the IP address to 10.1.21.1/24
[D-1]interface vlanif 22     // enter Vlanif22
[D-1-Vlanif22]ip address 10.1.22.1 24     // set the IP address to 10.1.22.1/24
[D-1]interface vlanif 100     // enter Vlanif100
[D-1-Vlanif100]ip address 10.1.100.65 26     // set the IP address to 10.1.100.65/26
[D-1]interface vlanif 1102     // enter Vlanif1102
[D-1-Vlanif1102]ip address 10.1.0.5 30     // set the IP address to 10.1.0.5/30
[D-1]interface vlanif 1104     // enter Vlanif1104
[D-1-Vlanif1104]ip address 10.1.0.14 30     // set the IP address to 10.1.0.14/30
[D-1]interface vlanif 1109     // enter Vlanif1109
[D-1-Vlanif1109]ip address 10.1.0.34 30     // set the IP address to 10.1.0.34/30

[D-1]display ip routing-table     // view the routing table and the interface IP addresses
[D-1]display ip interface brief


// MSTP configuration
[D-1]stp mode mstp     // set the STP mode to MSTP
[D-1]stp enable     // enable STP
[D-1]stp region-configuration      // enter the MST region view
[D-1-mst-region]region-name SC     // set the region name to SC
[D-1-mst-region]instance 1 vlan 21      // map VLAN 21 to instance 1
[D-1-mst-region]instance 2 vlan 22 100     // map VLANs 22 and 100 to instance 2
[D-1-mst-region]active region-configuration      // activate the region configuration
[D-1]stp instance 1 root primary      // D-1 is the primary root for instance 1
[D-1]stp instance 2 root secondary     // D-1 is the secondary (backup) root for instance 2

[D-1]display stp brief     // view the spanning tree summary

// Configure VRRP
[D-1]interface Vlanif 21     // enter Vlanif21
[D-1-Vlanif21]vrrp vrid 1 virtual-ip 10.1.21.254      // create VRRP group 1 with virtual gateway 10.1.21.254
[D-1-Vlanif21]vrrp vrid 1 priority 120     // set the group 1 priority to 120 (the higher priority makes this device master)
[D-1-Vlanif21]vrrp vrid 1 preempt-mode timer delay 20       // set the preemption delay to 20 s
// With both uplinks down the priority drops by 22 to 98; that is below 100, so the gateway switches over
[D-1-Vlanif21]vrrp vrid 1 track interface Vlanif 1104 reduced 11     // reduce the priority by 11 when this uplink goes down
[D-1-Vlanif21]vrrp vrid 1 track interface Vlanif 1109 reduced 11     // reduce the priority by 11 when this uplink goes down

[D-1]interface Vlanif 22     // enter Vlanif22
[D-1-Vlanif22]vrrp vrid 1 virtual-ip 10.1.22.254      // create VRRP group 1 on Vlanif22 with virtual gateway 10.1.22.254

[D-1]display vrrp interface Vlanif 21     // view the VRRP state
[D-1]dis vrrp brief
[D-1]dis vrrp 
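
The priority arithmetic in the VRRP comments above (120 minus 11 per failed uplink, against a backup left at the default 100) can be checked mechanically. The following Python script is an added example, not part of the original project: it parses prompt-prefixed transcript lines in this page's style and flags a virtual IP that lies outside its interface subnet and tracking reductions too small to ever trigger a switchover. The sample transcript is constructed, device D-9 is hypothetical, and the peer priority of 100 is an assumption based on the VRRP default.

```python
import ipaddress
import re

# Constructed transcript in the page's CLI style. The D-1 stanza is modeled on the
# lines above; D-9 is a hypothetical device carrying two deliberate mistakes.
SAMPLE = """\
[D-1]interface vlanif 21
[D-1-Vlanif21]ip address 10.1.21.1 24
[D-1-Vlanif21]vrrp vrid 1 virtual-ip 10.1.21.254
[D-1-Vlanif21]vrrp vrid 1 priority 120
[D-1-Vlanif21]vrrp vrid 1 track interface Vlanif 1104 reduced 11   // uplink 1
[D-1-Vlanif21]vrrp vrid 1 track interface Vlanif 1109 reduced 11   // uplink 2
[D-9]interface vlanif 99
[D-9-Vlanif99]ip address 10.1.99.1 24
[D-9-Vlanif99]vrrp vrid 1 virtual-ip 10.1.98.254
[D-9-Vlanif99]vrrp vrid 1 priority 120
[D-9-Vlanif99]vrrp vrid 1 track 1 priority reduced 5
[D-9-Vlanif99]vrrp vrid 1 track 2 priority reduced 5
"""

PROMPT = re.compile(r"^\[([A-Z]-\d+)-([^\]]+)\](.*)$")   # interface-view prompts only
IP_CMD = re.compile(r"^ip address (\S+) (\S+)$")
VIP_CMD = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+)$")
PRI_CMD = re.compile(r"^vrrp vrid (\d+) priority (\d+)$")
# Covers both forms used on the page: "track interface Vlanif 1104 reduced 11"
# and "track 1 priority reduced 11".
TRACK_CMD = re.compile(r"^vrrp vrid (\d+) track (.+?) (?:priority )?reduced (\d+)$")


def parse_vrrp(transcript):
    """Collect VRRP groups keyed by (device, interface view, vrid)."""
    addrs, groups = {}, {}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # system-view line or non-CLI text
        dev, view = m.group(1), m.group(2)
        cmd = " ".join(m.group(3).split("//")[0].split())  # drop comment, squeeze spaces
        ip = IP_CMD.match(cmd)
        if ip:
            addrs[(dev, view)] = ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}")
            continue
        for rx, field in ((VIP_CMD, "vip"), (PRI_CMD, "priority"), (TRACK_CMD, "tracks")):
            hit = rx.match(cmd)
            if not hit:
                continue
            group = groups.setdefault(
                (dev, view, int(hit.group(1))),
                {"vip": None, "priority": 100, "tracks": []},  # 100 = VRRP default
            )
            if field == "vip":
                group["vip"] = ipaddress.ip_address(hit.group(2))
            elif field == "priority":
                group["priority"] = int(hit.group(2))
            else:
                group["tracks"].append((hit.group(2), int(hit.group(3))))
    for (dev, view, _vrid), group in groups.items():
        group["addr"] = addrs.get((dev, view))
    return groups


def failures_to_switch(priority, reductions, peer_priority=100):
    """Fewest tracked-object failures that push the priority strictly below
    the peer's; None if even losing every tracked object is not enough."""
    current = priority
    if current < peer_priority:
        return 0
    for count, step in enumerate(sorted(reductions, reverse=True), start=1):
        current -= step
        if current < peer_priority:
            return count
    return None


def audit(groups, peer_priority=100):
    """Return sorted (device, view, vrid, code) findings."""
    findings = []
    for (dev, view, vrid), group in groups.items():
        if group["vip"] and group["addr"] and group["vip"] not in group["addr"].network:
            findings.append((dev, view, vrid, "VIP_OUTSIDE_SUBNET"))
        reductions = [r for _, r in group["tracks"]]
        if reductions and failures_to_switch(group["priority"], reductions, peer_priority) is None:
            findings.append((dev, view, vrid, "NO_FAILOVER"))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_vrrp(SAMPLE)
    for key, group in parsed.items():
        reductions = [r for _, r in group["tracks"]]
        print(key, "failures needed:", failures_to_switch(group["priority"], reductions))
    for finding in audit(parsed):
        print("FINDING", finding)
```
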

2. D-2

// Set the device name
[Huawei]sysname D-2

// Create VLANs
[D-2]vlan batch 21 22 23 100 1102 1105 1110

// Configure link aggregation
[D-2]interface Eth-Trunk 0
[D-2]interface g 0/0/1
[D-2-GigabitEthernet0/0/1]eth-trunk 0
[D-2]interface g 0/0/2
[D-2-GigabitEthernet0/0/2]eth-trunk 0

// Assign interfaces to VLANs
[D-2]interface GigabitEthernet 0/0/3
[D-2-GigabitEthernet0/0/3]po li t
[D-2-GigabitEthernet0/0/3]po t all v 21 22 100
[D-2]interface GigabitEthernet 0/0/4
[D-2-GigabitEthernet0/0/4]po li t
[D-2-GigabitEthernet0/0/4]po t all v 21 22 100
[D-2]interface GigabitEthernet 0/0/5
[D-2-GigabitEthernet0/0/5]po li t
[D-2-GigabitEthernet0/0/5]po t all v 23 100
[D-2]interface Eth-Trunk 0
[D-2-Eth-Trunk0]po li t
[D-2-Eth-Trunk0]po t all v 21 22 23 100 1102

// Configure gateway IP addresses
[D-2]interface vlanif 21
[D-2-Vlanif21]ip address 10.1.21.2 24
[D-2]interface vlanif 22
[D-2-Vlanif22]ip address 10.1.22.2 24
[D-2]interface vlanif 23
[D-2-Vlanif23]ip address 10.1.23.1 24
[D-2]interface vlanif 100
[D-2-Vlanif100]ip address 10.1.100.66 26
[D-2]interface vlanif 1102
[D-2-Vlanif1102]ip address 10.1.0.6 30
[D-2]interface vlanif 1105
[D-2-Vlanif1105]ip address 10.1.0.18 30
[D-2]interface vlanif 1110
[D-2-Vlanif1110]ip address 10.1.0.38 30

// MSTP configuration
[D-2]stp mode mstp 
[D-2]stp enable 
[D-2]stp region-configuration 
[D-2-mst-region]region-name SC
[D-2-mst-region]instance 1 vlan 21 
[D-2-mst-region]instance 2 vlan 22 100
[D-2-mst-region]active region-configuration 
[D-2]stp instance 1 root secondary 	
[D-2]stp instance 2 root primary 

// Configure VRRP
[D-2]interface Vlanif 21
[D-2-Vlanif21]vrrp vrid 1 virtual-ip 10.1.21.254 

[D-2]interface Vlanif 22
[D-2-Vlanif22]vrrp vrid 1 virtual-ip 10.1.22.254 
[D-2-Vlanif22]vrrp vrid 1 priority 120
[D-2-Vlanif22]vrrp vrid 1 preempt-mode timer delay 20
[D-2-Vlanif22]vrrp vrid 1 track interface Vlanif 1105 reduced 11
[D-2-Vlanif22]vrrp vrid 1 track interface Vlanif 1110 reduced 11

3. A-1

// Set the device name
[Huawei]sysname A-1

// Create VLANs
[A-1]vlan 21 to 22
[A-1]vlan 100

// Assign interfaces to VLANs
[A-1]interface GigabitEthernet 1/0/1
[A-1-GigabitEthernet1/0/1]po li t
[A-1-GigabitEthernet1/0/1]port trunk permit vlan 21 22 100
[A-1]interface GigabitEthernet 1/0/2
[A-1-GigabitEthernet1/0/2]po li t
[A-1-GigabitEthernet1/0/2]port trunk permit vlan 21 22 100
[A-1]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/24
[A-1-if-range]port link-type access
[A-1-if-range]port access vlan 21

// Configure the IP address
[A-1]interface Vlan-interface 100
[A-1-Vlan-interface100]ip address 10.1.100.67 26

// MSTP configuration
[A-1]stp mode mstp 
[A-1]stp region-configuration 
[A-1-mst-region]region-name SC	
[A-1-mst-region]instance 1 vlan 21 
[A-1-mst-region]instance 2 vlan 22 100
[A-1-mst-region]active region-configuration 

[A-1]stp pathcost-standard dot1t   // change the path-cost calculation standard

// Edge ports + BPDU protection
[A-1]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/24
[A-1-if-range]stp edged-port enable 
[A-1]stp bpdu-protection

4. A-2

// Set the device name
[Huawei]sysname A-2

// Create VLANs
[A-2]vlan 21 to 22
[A-2]vlan 100

// Assign interfaces to VLANs
[A-2]interface GigabitEthernet 1/0/1
[A-2-GigabitEthernet1/0/1]po li t
[A-2-GigabitEthernet1/0/1]port trunk permit vlan 21 22 100
[A-2]interface GigabitEthernet 1/0/2
[A-2-GigabitEthernet1/0/2]po li t
[A-2-GigabitEthernet1/0/2]port trunk permit vlan 21 22 100
[A-2]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/24
[A-2-if-range]port link-type access
[A-2-if-range]port access vlan 22

// Configure the IP address
[A-2]interface Vlan-interface 100
[A-2-Vlan-interface100]ip address 10.1.100.68 26

// MSTP configuration
[A-2]stp mode mstp 
[A-2]stp region-configuration 
[A-2-mst-region]region-name SC	
[A-2-mst-region]instance 1 vlan 21 
[A-2-mst-region]instance 2 vlan 22 100
[A-2-mst-region]active region-configuration 

[A-2]stp pathcost-standard dot1t   // change the path-cost calculation standard

// Edge ports + BPDU protection
[A-2]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/24
[A-2-if-range]stp edged-port enable 
[A-2]stp bpdu-protection

5. A-3

// Set the device name
[Huawei]sysname A-3

// Create VLANs
[A-3]vlan 23
[A-3]vlan 100

// Assign interfaces to VLANs
[A-3]interface GigabitEthernet 1/0/1
[A-3-GigabitEthernet1/0/1]po li t
[A-3-GigabitEthernet1/0/1]port trunk permit vlan 23 100
[A-3]interface range GigabitEthernet 1/0/2 to GigabitEthernet 1/0/24
[A-3-if-range]port link-type access
[A-3-if-range]port access vlan 23

// Configure the IP address
[A-3]interface Vlan-interface 100
[A-3-Vlan-interface100]ip address 10.1.100.69 26

// Edge ports
[A-3]interface range GigabitEthernet 1/0/2 to GigabitEthernet 1/0/24
[A-3-if-range]stp edged-port enable 
[A-3]stp pathcost-standard dot1t   // change the path-cost calculation standard

(2) Office zone

1. D-5

// Set the device name
[Huawei]sysname D-5

// Create VLANs
[D-5]vlan 11 to 16 
[D-5]vlan batch 100 1103 1107 1111

// Configure link aggregation
[D-5]interface Bridge-Aggregation 1
[D-5]interface g 1/0/1
[D-5-GigabitEthernet1/0/1]port link-aggregation group 1
[D-5]interface g 1/0/2
[D-5-GigabitEthernet1/0/2]port link-aggregation group 1

// Assign interfaces to VLANs
[D-5]interface GigabitEthernet 1/0/3
[D-5-GigabitEthernet1/0/3]po li t
[D-5-GigabitEthernet1/0/3]port trunk permit vlan 11 12 13 14 15 16 100
[D-5]interface GigabitEthernet 1/0/4
[D-5-GigabitEthernet1/0/4]po li t
[D-5-GigabitEthernet1/0/4]port trunk permit vlan 11 12 13 14 15 16 100
[D-5]interface Bridge-Aggregation 1
[D-5-Bridge-Aggregation1]po li t
[D-5-Bridge-Aggregation1]port trunk permit vlan 11 12 13 14 15 16 100 1103

// Configure gateway IP addresses
[D-5]interface vlanif 11
[D-5-Vlanif11]ip address 10.1.11.1 24
[D-5]interface vlanif 12
[D-5-Vlanif12]ip address 10.1.12.1 24
[D-5]interface vlanif 13
[D-5-Vlanif13]ip address 10.1.13.1 24
[D-5]interface vlanif 14
[D-5-Vlanif14]ip address 10.1.14.1 24
[D-5]interface vlanif 15
[D-5-Vlanif15]ip address 10.1.15.1 24
[D-5]interface vlanif 16
[D-5-Vlanif16]ip address 10.1.16.1 24
[D-5]interface vlanif 100
[D-5-Vlanif100]ip address 10.1.100.129 26
[D-5]interface vlanif 1103
[D-5-Vlanif1103]ip address 10.1.0.9 30
[D-5]interface vlanif 1107
[D-5-Vlanif1107]ip address 10.1.0.26 30
[D-5]interface vlanif 1111
[D-5-Vlanif1111]ip address 10.1.0.42 30


// MSTP configuration
[D-5]stp mode mstp 
[D-5]stp region-configuration 
[D-5-mst-region]region-name BG
[D-5-mst-region]instance 1 vlan 11 12 13
[D-5-mst-region]instance 2 vlan 14 15 16 100
[D-5-mst-region]active region-configuration 
[D-5]stp instance 1 root primary 
[D-5]stp instance 2 root secondary

// Configure VRRP
[D-5]track 1 interface Vlan-interface 1107
[D-5]track 2 interface Vlan-interface 1111

[D-5]interface Vlanif 11
[D-5-Vlanif11]vrrp vrid 1 virtual-ip 10.1.11.254 
[D-5-Vlanif11]vrrp vrid 1 priority 120
[D-5-Vlanif11]vrrp vrid 1 preempt-mode delay 20
[D-5-Vlanif11]vrrp vrid 1 track 1 priority reduced 11
[D-5-Vlanif11]vrrp vrid 1 track 2 priority reduced 11

[D-5]interface Vlanif 12
[D-5-Vlanif12]vrrp vrid 1 virtual-ip 10.1.12.254 
[D-5-Vlanif12]vrrp vrid 1 priority 120
[D-5-Vlanif12]vrrp vrid 1 preempt-mode delay 20
[D-5-Vlanif12]vrrp vrid 1 track 1 priority reduced 11
[D-5-Vlanif12]vrrp vrid 1 track 2 priority reduced 11

[D-5]interface Vlanif 13
[D-5-Vlanif13]vrrp vrid 1 virtual-ip 10.1.13.254 
[D-5-Vlanif13]vrrp vrid 1 priority 120
[D-5-Vlanif13]vrrp vrid 1 preempt-mode delay 20
[D-5-Vlanif13]vrrp vrid 1 track 1 priority reduced 11
[D-5-Vlanif13]vrrp vrid 1 track 2 priority reduced 11

[D-5]interface Vlanif 14
[D-5-Vlanif14]vrrp vrid 1 virtual-ip 10.1.14.254 

[D-5]interface Vlanif 15
[D-5-Vlanif15]vrrp vrid 1 virtual-ip 10.1.15.254 

[D-5]interface Vlanif 16
[D-5-Vlanif16]vrrp vrid 1 virtual-ip 10.1.16.254 

2. D-6

// Set the device name
[Huawei]sysname D-6

// Create VLANs
[D-6]vlan 11 to 16 
[D-6]vlan batch 100 1103 1108 1112

// Configure link aggregation
[D-6]interface Bridge-Aggregation 1
[D-6]interface g 1/0/1
[D-6-GigabitEthernet1/0/1]port link-aggregation group 1
[D-6]interface g 1/0/2
[D-6-GigabitEthernet1/0/2]port link-aggregation group 1

// Assign interfaces to VLANs
[D-6]interface GigabitEthernet 1/0/3
[D-6-GigabitEthernet1/0/3]po li t
[D-6-GigabitEthernet1/0/3]port trunk permit vlan 11 12 13 14 15 16 100
[D-6]interface GigabitEthernet 1/0/4
[D-6-GigabitEthernet1/0/4]po li t
[D-6-GigabitEthernet1/0/4]port trunk permit vlan 11 12 13 14 15 16 100
[D-6]interface Bridge-Aggregation 1
[D-6-Bridge-Aggregation1]po li t
[D-6-Bridge-Aggregation1]port trunk permit vlan 11 12 13 14 15 16 100 1103

// Configure gateway IP addresses
[D-6]interface vlanif 11
[D-6-Vlanif11]ip address 10.1.11.2 24
[D-6]interface vlanif 12
[D-6-Vlanif12]ip address 10.1.12.2 24
[D-6]interface vlanif 13
[D-6-Vlanif13]ip address 10.1.13.2 24
[D-6]interface vlanif 14
[D-6-Vlanif14]ip address 10.1.14.2 24
[D-6]interface vlanif 15
[D-6-Vlanif15]ip address 10.1.15.2 24
[D-6]interface vlanif 16
[D-6-Vlanif16]ip address 10.1.16.2 24
[D-6]interface vlanif 100
[D-6-Vlanif100]ip address 10.1.100.130 26
[D-6]interface vlanif 1103
[D-6-Vlanif1103]ip address 10.1.0.10 30
[D-6]interface vlanif 1108
[D-6-Vlanif1108]ip address 10.1.0.30 30
[D-6]interface vlanif 1112
[D-6-Vlanif1112]ip address 10.1.0.46 30


// MSTP configuration
[D-6]stp mode mstp 
[D-6]stp region-configuration 
[D-6-mst-region]region-name BG
[D-6-mst-region]instance 1 vlan 11 12 13
[D-6-mst-region]instance 2 vlan 14 15 16 100
[D-6-mst-region]active region-configuration 
[D-6]stp instance 1 root secondary
[D-6]stp instance 2 root primary 

// Configure VRRP
[D-6]track 1 interface Vlan-interface 1108
[D-6]track 2 interface Vlan-interface 1112

[D-6]interface Vlanif 11
[D-6-Vlanif11]vrrp vrid 1 virtual-ip 10.1.11.254 

[D-6]interface Vlanif 12
[D-6-Vlanif12]vrrp vrid 1 virtual-ip 10.1.12.254 

[D-6]interface Vlanif 13
[D-6-Vlanif13]vrrp vrid 1 virtual-ip 10.1.13.254 

[D-6]interface Vlanif 14
[D-6-Vlanif14]vrrp vrid 1 virtual-ip 10.1.14.254 
[D-6-Vlanif14]vrrp vrid 1 priority 120
[D-6-Vlanif14]vrrp vrid 1 preempt-mode delay 20
[D-6-Vlanif14]vrrp vrid 1 track 1 priority reduced 11
[D-6-Vlanif14]vrrp vrid 1 track 2 priority reduced 11

[D-6]interface Vlanif 15
[D-6-Vlanif15]vrrp vrid 1 virtual-ip 10.1.15.254 
[D-6-Vlanif15]vrrp vrid 1 priority 120
[D-6-Vlanif15]vrrp vrid 1 preempt-mode delay 20
[D-6-Vlanif15]vrrp vrid 1 track 1 priority reduced 11
[D-6-Vlanif15]vrrp vrid 1 track 2 priority reduced 11

[D-6]interface Vlanif 16
[D-6-Vlanif16]vrrp vrid 1 virtual-ip 10.1.16.254 
[D-6-Vlanif16]vrrp vrid 1 priority 120
[D-6-Vlanif16]vrrp vrid 1 preempt-mode delay 20
[D-6-Vlanif16]vrrp vrid 1 track 1 priority reduced 11
[D-6-Vlanif16]vrrp vrid 1 track 2 priority reduced 11

3. A-4

// Set the device name
[Huawei]sysname A-4

// Create VLANs
[A-4]vlan 11 to 16
[A-4]vlan 100

// Assign interfaces to VLANs
[A-4]interface GigabitEthernet 1/0/1
[A-4-GigabitEthernet1/0/1]po li t
[A-4-GigabitEthernet1/0/1]port trunk permit vlan 11 12 13 14 15 16 100
[A-4]interface GigabitEthernet 1/0/2
[A-4-GigabitEthernet1/0/2]po li t
[A-4-GigabitEthernet1/0/2]port trunk permit vlan 11 12 13 14 15 16 100
[A-4]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/5
[A-4-if-range]port link-type access
[A-4-if-range]port access vlan 11
[A-4]interface range GigabitEthernet 1/0/6 to GigabitEthernet 1/0/10
[A-4-if-range]port link-type access
[A-4-if-range]port access vlan 12
[A-4]interface range GigabitEthernet 1/0/11 to GigabitEthernet 1/0/15
[A-4-if-range]port link-type access
[A-4-if-range]port access vlan 13

// Configure the IP address
[A-4]interface Vlan-interface 100
[A-4-Vlan-interface100]ip address 10.1.100.131 26

// MSTP configuration
[A-4]stp mode mstp 
[A-4]stp region-configuration 
[A-4-mst-region]region-name BG	
[A-4-mst-region]instance 1 vlan 11 12 13
[A-4-mst-region]instance 2 vlan 14 15 16 100
[A-4-mst-region]active region-configuration 

// Edge ports + BPDU protection
[A-4]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/15
[A-4-if-range]stp edged-port enable 
[A-4]stp bpdu-protection

4. A-5

// Set the device name
[Huawei]sysname A-5

// Create VLANs
[A-5]vlan 11 to 16
[A-5]vlan 100

// Assign interfaces to VLANs
[A-5]interface GigabitEthernet 1/0/1
[A-5-GigabitEthernet1/0/1]po li t
[A-5-GigabitEthernet1/0/1]port trunk permit vlan 11 12 13 14 15 16 100
[A-5]interface GigabitEthernet 1/0/2
[A-5-GigabitEthernet1/0/2]po li t
[A-5-GigabitEthernet1/0/2]port trunk permit vlan 11 12 13 14 15 16 100
[A-5]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/5
[A-5-if-range]port link-type access
[A-5-if-range]port access vlan 14
[A-5]interface range GigabitEthernet 1/0/6 to GigabitEthernet 1/0/10
[A-5-if-range]port link-type access
[A-5-if-range]port access vlan 15
[A-5]interface range GigabitEthernet 1/0/11 to GigabitEthernet 1/0/15
[A-5-if-range]port link-type access
[A-5-if-range]port access vlan 16

// Configure the IP address
[A-5]interface Vlan-interface 100
[A-5-Vlan-interface100]ip address 10.1.100.132 26

// MSTP configuration
[A-5]stp mode mstp 
[A-5]stp region-configuration 
[A-5-mst-region]region-name BG	
[A-5-mst-region]instance 1 vlan 11 12 13
[A-5-mst-region]instance 2 vlan 14 15 16 100
[A-5-mst-region]active region-configuration 

// Edge ports + BPDU protection
[A-5]interface range GigabitEthernet 1/0/3 to GigabitEthernet 1/0/15
[A-5-if-range]stp edged-port enable 
[A-5]stp bpdu-protection

(3) Server zone

1. C-1

// Set the device name
[Huawei]sysname C-1

// Create VLANs
[C-1]vlan 31 to 35
[C-1]vlan 100
[C-1]vlan 1101
[C-1]vlan 1104 to 1108 

// Configure link aggregation
[C-1]interface Bridge-Aggregation 1
[C-1]interface g 1/0/1
[C-1-GigabitEthernet1/0/1]port link-aggregation group 1
[C-1]interface g 1/0/2
[C-1-GigabitEthernet1/0/2]port link-aggregation group 1

// Assign interfaces to VLANs
[C-1]interface GigabitEthernet 1/0/5
[C-1-GigabitEthernet1/0/5]po li t
[C-1-GigabitEthernet1/0/5]port trunk permit vlan 31 32 33 34 35 100
[C-1]interface GigabitEthernet 1/0/6
[C-1-GigabitEthernet1/0/6]po li t
[C-1-GigabitEthernet1/0/6]port trunk permit vlan 31 32 33 34 35 100
[C-1]interface Bridge-Aggregation 1
[C-1-Bridge-Aggregation1]po li t
[C-1-Bridge-Aggregation1]port trunk permit vlan 31 32 33 34 35 100 1101

// Configure gateway IP addresses
[C-1]interface vlanif 31
[C-1-Vlanif31]ip address 10.1.31.1 24
[C-1]interface vlanif 32
[C-1-Vlanif32]ip address 10.1.32.1 24
[C-1]interface vlanif 33
[C-1-Vlanif33]ip address 10.1.33.1 24
[C-1]interface vlanif 34
[C-1-Vlanif34]ip address 10.1.34.1 24
[C-1]interface vlanif 35
[C-1-Vlanif35]ip address 10.1.35.1 24
[C-1]interface vlanif 100
[C-1-Vlanif100]ip address 10.1.100.1 26
[C-1]interface vlanif 1101
[C-1-Vlanif1101]ip address 10.1.0.1 30
[C-1]interface vlanif 1104
[C-1-Vlanif1104]ip address 10.1.0.13 30
[C-1]interface vlanif 1105
[C-1-Vlanif1105]ip address 10.1.0.17 30
[C-1]interface vlanif 1106
[C-1-Vlanif1106]ip address 10.1.0.21 30
[C-1]interface vlanif 1107
[C-1-Vlanif1107]ip address 10.1.0.25 30
[C-1]interface vlanif 1108
[C-1-Vlanif1108]ip address 10.1.0.29 30


// MSTP configuration
[C-1]stp mode mstp 
[C-1]stp enable
[C-1]stp region-configuration 
[C-1-mst-region]region-name FWQ
[C-1-mst-region]instance 1 vlan 31 33 100
[C-1-mst-region]instance 2 vlan 32 34 35
[C-1-mst-region]active region-configuration 
[C-1]stp instance 1 root primary
[C-1]stp instance 2 root secondary 

[C-1]stp pathcost-standard dot1t   // change the path-cost calculation standard

// Configure VRRP
[C-1]interface Vlanif 31
[C-1-Vlanif31]vrrp vrid 1 virtual-ip 10.1.31.254 
[C-1-Vlanif31]vrrp vrid 1 priority 120
[C-1-Vlanif31]vrrp vrid 1 preempt-mode timer delay 20
[C-1-Vlanif31]vrrp vrid 1 track interface Vlanif 1106 reduced 30

[C-1]interface Vlanif 33
[C-1-Vlanif33]vrrp vrid 1 virtual-ip 10.1.33.254 
[C-1-Vlanif33]vrrp vrid 1 priority 120
[C-1-Vlanif33]vrrp vrid 1 preempt-mode timer delay 20
[C-1-Vlanif33]vrrp vrid 1 track interface Vlanif 1106 reduced 30

[C-1]interface Vlanif 32
[C-1-Vlanif32]vrrp vrid 1 virtual-ip 10.1.32.254 

[C-1]interface Vlanif 34
[C-1-Vlanif34]vrrp vrid 1 virtual-ip 10.1.34.254 

[C-1]interface Vlanif 35
[C-1-Vlanif35]vrrp vrid 1 virtual-ip 10.1.35.254 

2. C-2

// Set the device name
[Huawei]sysname C-2

// Create VLANs
[C-2]vlan 31 to 35
[C-2]vlan 100
[C-2]vlan 1101
[C-2]vlan 1109 to 1113

// Configure link aggregation
[C-2]interface Bridge-Aggregation 1
[C-2]interface g 1/0/1
[C-2-GigabitEthernet1/0/1]port link-aggregation group 1
[C-2]interface g 1/0/2
[C-2-GigabitEthernet1/0/2]port link-aggregation group 1

// Assign interfaces to VLANs
[C-2]interface GigabitEthernet 1/0/5
[C-2-GigabitEthernet1/0/5]po li t
[C-2-GigabitEthernet1/0/5]port trunk permit vlan 31 32 33 34 35 100
[C-2]interface GigabitEthernet 1/0/6
[C-2-GigabitEthernet1/0/6]po li t
[C-2-GigabitEthernet1/0/6]port trunk permit vlan 31 32 33 34 35 100
[C-2]interface Bridge-Aggregation 1
[C-2-Bridge-Aggregation1]po li t
[C-2-Bridge-Aggregation1]port trunk permit vlan 31 32 33 34 35 100 1101

// Configure gateway IP addresses
[C-2]interface vlanif 31
[C-2-Vlanif31]ip address 10.1.31.2 24
[C-2]interface vlanif 32
[C-2-Vlanif32]ip address 10.1.32.2 24
[C-2]interface vlanif 33
[C-2-Vlanif33]ip address 10.1.33.2 24
[C-2]interface vlanif 34
[C-2-Vlanif34]ip address 10.1.34.2 24
[C-2]interface vlanif 35
[C-2-Vlanif35]ip address 10.1.35.2 24
[C-2]interface vlanif 100
[C-2-Vlanif100]ip address 10.1.100.2 26
[C-2]interface vlanif 1101
[C-2-Vlanif1101]ip address 10.1.0.2 30
[C-2]interface vlanif 1109
[C-2-Vlanif1109]ip address 10.1.0.33 30
[C-2]interface vlanif 1110
[C-2-Vlanif1110]ip address 10.1.0.37 30
[C-2]interface vlanif 1111
[C-2-Vlanif1111]ip address 10.1.0.41 30
[C-2]interface vlanif 1112
[C-2-Vlanif1112]ip address 10.1.0.45 30
[C-2]interface vlanif 1113
[C-2-Vlanif1113]ip address 10.1.0.49 30


// MSTP configuration
[C-2]stp mode mstp 
[C-2]stp enable
[C-2]stp region-configuration 
[C-2-mst-region]region-name FWQ
[C-2-mst-region]instance 1 vlan 31 33 100
[C-2-mst-region]instance 2 vlan 32 34 35
[C-2-mst-region]active region-configuration 
[C-2]stp instance 1 root secondary
[C-2]stp instance 2 root primary

[C-2]stp pathcost-standard dot1t   // change the path-cost calculation standard

// Configure VRRP
[C-2]interface Vlanif 31
[C-2-Vlanif31]vrrp vrid 1 virtual-ip 10.1.31.254 

[C-2]interface Vlanif 33
[C-2-Vlanif33]vrrp vrid 1 virtual-ip 10.1.33.254 

[C-2]interface Vlanif 32
[C-2-Vlanif32]vrrp vrid 1 virtual-ip 10.1.32.254 
[C-2-Vlanif32]vrrp vrid 1 priority 120
[C-2-Vlanif32]vrrp vrid 1 preempt-mode timer delay 20
[C-2-Vlanif32]vrrp vrid 1 track interface Vlanif 1113 reduced 30

[C-2]interface Vlanif 34
[C-2-Vlanif34]vrrp vrid 1 virtual-ip 10.1.34.254
[C-2-Vlanif34]vrrp vrid 1 priority 120
[C-2-Vlanif34]vrrp vrid 1 preempt-mode timer delay 20
[C-2-Vlanif34]vrrp vrid 1 track interface Vlanif 1113 reduced 30

[C-2]interface Vlanif 35
[C-2-Vlanif35]vrrp vrid 1 virtual-ip 10.1.35.254 
[C-2-Vlanif35]vrrp vrid 1 priority 120
[C-2-Vlanif35]vrrp vrid 1 preempt-mode timer delay 20
[C-2-Vlanif35]vrrp vrid 1 track interface Vlanif 1113 reduced 30

3. D-3

// Set the device name
[Huawei]sysname D-3

// Create VLANs
[D-3]vlan batch 31 32 33 34 35 100

// Configure link aggregation
[D-3]interface Eth-Trunk 0
[D-3]interface g 0/0/1
[D-3-GigabitEthernet0/0/1]eth-trunk 0
[D-3]interface g 0/0/2
[D-3-GigabitEthernet0/0/2]eth-trunk 0

// Assign interfaces to VLANs
[D-3]interface GigabitEthernet 0/0/27
[D-3-GigabitEthernet0/0/27]po li t
[D-3-GigabitEthernet0/0/27]port trunk allow-pass vlan 31 32 33 34 35 100
[D-3]interface GigabitEthernet 0/0/28
[D-3-GigabitEthernet0/0/28]po li t
[D-3-GigabitEthernet0/0/28]port trunk allow-pass vlan 31 32 33 34 35 100
[D-3]interface Eth-Trunk 0
[D-3-Eth-Trunk0]po li t
[D-3-Eth-Trunk0]po t all v 31 32 33 34 35 100
[D-3]port-group group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/5
[D-3-port-group]port link-type access
[D-3-port-group]port default vlan 31
[D-3]port-group group-member GigabitEthernet 0/0/6 to GigabitEthernet 0/0/10
[D-3-port-group]port link-type access
[D-3-port-group]port default vlan 33


// Configure the IP address
[D-3]interface Vlanif 100
[D-3-Vlanif100]ip address 10.1.100.3 26

// MSTP configuration
[D-3]stp mode mstp 
[D-3]stp enable
[D-3]stp region-configuration 
[D-3-mst-region]region-name FWQ	
[D-3-mst-region]instance 1 vlan 31 33 100
[D-3-mst-region]instance 2 vlan 32 34 35
[D-3-mst-region]active region-configuration 

// Edge ports + BPDU protection
[D-3]interface range GigabitEthernet 0/0/3 to GigabitEthernet 0/0/10
[D-3-if-range]stp edged-port enable 
[D-3]stp bpdu-protection

4. D-4

// Set the device name
[Huawei]sysname D-4

// Create VLANs
[D-4]vlan batch 31 32 33 34 35 100

// Configure link aggregation
[D-4]interface Eth-Trunk 0
[D-4]interface g 0/0/1
[D-4-GigabitEthernet0/0/1]eth-trunk 0
[D-4]interface g 0/0/2
[D-4-GigabitEthernet0/0/2]eth-trunk 0

// Assign interfaces to VLANs
[D-4]interface GigabitEthernet 0/0/27
[D-4-GigabitEthernet0/0/27]po li t
[D-4-GigabitEthernet0/0/27]port trunk all vlan 31 32 33 34 35 100
[D-4]interface GigabitEthernet 0/0/28
[D-4-GigabitEthernet0/0/28]po li t
[D-4-GigabitEthernet0/0/28]port trunk all vlan 31 32 33 34 35 100
[D-4]interface Eth-Trunk 0
[D-4-Eth-Trunk0]po li t
[D-4-Eth-Trunk0]po t all v 31 32 33 34 35 100
[D-4]port-group group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/5
[D-4-port-group]port link-type access
[D-4-port-group]port default vlan 32
[D-4]port-group group-member GigabitEthernet 0/0/6 to GigabitEthernet 0/0/10
[D-4-port-group]port link-type access
[D-4-port-group]port default vlan 34
[D-4]port-group group-member GigabitEthernet 0/0/11 to GigabitEthernet 0/0/20
[D-4-port-group]port link-type access
[D-4-port-group]port default vlan 35


// Configure the IP address
[D-4]interface Vlanif 100
[D-4-Vlanif100]ip address 10.1.100.4 26

// MSTP configuration
[D-4]stp mode mstp 
[D-4]stp enable
[D-4]stp region-configuration 
[D-4-mst-region]region-name FWQ
[D-4-mst-region]instance 1 vlan 31 33 100
[D-4-mst-region]instance 2 vlan 32 34 35
[D-4-mst-region]active region-configuration 

// Edge ports + BPDU protection
[D-4]interface range GigabitEthernet 0/0/3 to GigabitEthernet 0/0/20
[D-4-if-range]stp edged-port enable 
[D-4]stp bpdu-protection

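  • Layer 3 technologies

    • OSPF (Open Shortest Path First): used for dynamic routing. The areas are divided as follows:

      • Area 0: the core (backbone) area, containing the interconnect links between F-1, C-1 and C-2.

      • Area 1: production zone, containing the production zone VLAN subnets.

        • The C-1 to D-1/D-2 links, the C-2 to D-1/D-2 links, the link between D-1 and D-2, and the production zone VLAN subnets.

      • Area 2: office zone, containing the office zone VLAN subnets.

        • The C-1 to D-5/D-6 links, the C-2 to D-5/D-6 links, the link between D-5 and D-6, and the office zone VLAN subnets.

      • Area 3: server zone subnets.

        • The server zone subnets on C-1 and C-2.

      • Area 1 and Area 2 are configured as totally stubby areas to reduce routing table size.

    • Routing optimization

      • Enable OSPF authentication on the core interfaces.

      • Change the OSPF network type to P2P to speed up convergence.

      • Set the Hello interval to 1 second for faster failure detection.

(1) Core layer

1. C-1

// Assign the interconnect VLANs to interfaces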
[C-1]interface GigabitEthernet 1/0/3
[C-1-GigabitEthernet1/0/3]po li a
[C-1-GigabitEthernet1/0/3]po ac v 1104
[C-1]interface GigabitEthernet 1/0/4
[C-1-GigabitEthernet1/0/4]po li a
[C-1-GigabitEthernet1/0/4]po ac v 1105
[C-1]interface GigabitEthernet 1/0/7
[C-1-GigabitEthernet1/0/7]po li a
[C-1-GigabitEthernet1/0/7]po ac v 1107
[C-1]interface GigabitEthernet 1/0/8
[C-1-GigabitEthernet1/0/8]po li a
[C-1-GigabitEthernet1/0/8]po ac v 1108
[C-1]interface Ten-GigabitEthernet 1/0/28
[C-1-Ten-GigabitEthernet1/0/28]po li a
[C-1-Ten-GigabitEthernet1/0/28]po ac v 1106

// Disable spanning tree on these interfaces
[C-1]interface range GigabitEthernet  1/0/3 to GigabitEthernet 1/0/4 GigabitEthernet 1/0/7 to GigabitEthernet 1/0/8 Ten-GigabitEthernet 1/0/28
[C-1-if-range]undo stp enable

// Configure OSPF
[C-1]ospf 1 rou 2.2.2.2
[C-1-ospf-1]area 0
[C-1-ospf-1-area-0.0.0.0]network 10.1.0.21 0.0.0.0
[C-1-ospf-1-area-0.0.0.0]network 10.1.100.1 0.0.0.0
[C-1-ospf-1-area-0.0.0.0]network 10.1.0.1 0.0.0.0
[C-1-ospf-1]area 1
[C-1-ospf-1-area-0.0.0.1]network 10.1.0.13 0.0.0.0
[C-1-ospf-1-area-0.0.0.1]network 10.1.0.17 0.0.0.0
[C-1-ospf-1]area 2
[C-1-ospf-1-area-0.0.0.2]network 10.1.0.25 0.0.0.0
[C-1-ospf-1-area-0.0.0.2]network 10.1.0.29 0.0.0.0
[C-1-ospf-1]area 3
[C-1-ospf-1-area-0.0.0.3]network 10.1.31.1 0.0.0.0
[C-1-ospf-1-area-0.0.0.3]network 10.1.32.1 0.0.0.0
[C-1-ospf-1-area-0.0.0.3]network 10.1.33.1 0.0.0.0
[C-1-ospf-1-area-0.0.0.3]network 10.1.34.1 0.0.0.0
[C-1-ospf-1-area-0.0.0.3]network 10.1.35.1 0.0.0.0

2. C-2

// Assign the interconnect VLANs to interfaces
[C-2]interface GigabitEthernet 1/0/3
[C-2-GigabitEthernet1/0/3]po li a
[C-2-GigabitEthernet1/0/3]po ac v 1109
[C-2]interface GigabitEthernet 1/0/4
[C-2-GigabitEthernet1/0/4]po li a
[C-2-GigabitEthernet1/0/4]po ac v 1110
[C-2]interface GigabitEthernet 1/0/7
[C-2-GigabitEthernet1/0/7]po li a
[C-2-GigabitEthernet1/0/7]po ac v 1111
[C-2]interface GigabitEthernet 1/0/8
[C-2-GigabitEthernet1/0/8]po li a
[C-2-GigabitEthernet1/0/8]po ac v 1112
[C-2]interface Ten-GigabitEthernet 1/0/28
[C-2-Ten-GigabitEthernet1/0/28]po li a
[C-2-Ten-GigabitEthernet1/0/28]po ac v 1113

// Disable spanning tree on these interfaces
[C-2]interface range GigabitEthernet  1/0/3 to GigabitEthernet 1/0/4 GigabitEthernet 1/0/7 to GigabitEthernet 1/0/8 Ten-GigabitEthernet 1/0/28
[C-2-if-range]undo stp enable

// Configure OSPF
[C-2]ospf 1 router-id 3.3.3.3
[C-2-ospf-1]area 0
[C-2-ospf-1-area-0.0.0.0]network 10.1.100.2 0.0.0.0
[C-2-ospf-1-area-0.0.0.0]network 10.1.0.49 0.0.0.0
[C-2-ospf-1-area-0.0.0.0]network 10.1.0.2 0.0.0.0
[C-2-ospf-1]area 1
[C-2-ospf-1-area-0.0.0.1]network 10.1.0.33 0.0.0.0
[C-2-ospf-1-area-0.0.0.1]network 10.1.0.37 0.0.0.0
[C-2-ospf-1]area 2
[C-2-ospf-1-area-0.0.0.2]network 10.1.0.41 0.0.0.0
[C-2-ospf-1-area-0.0.0.2]network 10.1.0.45 0.0.0.0
[C-2-ospf-1]area 3
[C-2-ospf-1-area-0.0.0.3]network 10.1.31.2 0.0.0.0
[C-2-ospf-1-area-0.0.0.3]network 10.1.32.2 0.0.0.0
[C-2-ospf-1-area-0.0.0.3]network 10.1.33.2 0.0.0.0
[C-2-ospf-1-area-0.0.0.3]network 10.1.34.2 0.0.0.0
[C-2-ospf-1-area-0.0.0.3]network 10.1.35.2 0.0.0.0

(2) Production zone

1. D-1

// Assign the interconnect VLANs to interfaces
[D-1]interface GigabitEthernet 0/0/28
[D-1-GigabitEthernet0/0/28]po li a
[D-1-GigabitEthernet0/0/28]po de v 1104
[D-1]interface GigabitEthernet 0/0/27
[D-1-GigabitEthernet0/0/27]po li a
[D-1-GigabitEthernet0/0/27]po de v 1109

// Disable spanning tree on these interfaces
[D-1]port-group group-member GigabitEthernet 0/0/27 t g 0/0/28
[D-1-port-group]undo stp enable 

// Configure OSPF
[D-1]ospf 1 router-id 4.4.4.4
[D-1-ospf-1]area 1
[D-1-ospf-1-area-0.0.0.1]network 10.1.100.65 0.0.0.0
[D-1-ospf-1-area-0.0.0.1]network 10.1.21.1 0.0.0.0
[D-1-ospf-1-area-0.0.0.1]network 10.1.22.1 0.0.0.0
[D-1-ospf-1-area-0.0.0.1]network 10.1.0.5 0.0.0.0
[D-1-ospf-1-area-0.0.0.1]network 10.1.0.14 0.0.0.0
[D-1-ospf-1-area-0.0.0.1]network 10.1.0.34 0.0.0.0

2. D-2

// Assign the interconnect VLANs to interfaces
[D-2]interface GigabitEthernet 0/0/28
[D-2-GigabitEthernet0/0/28]po li a
[D-2-GigabitEthernet0/0/28]po de v 1105
[D-2]interface GigabitEthernet 0/0/27
[D-2-GigabitEthernet0/0/27]po li a
[D-2-GigabitEthernet0/0/27]po de v 1110

// Disable spanning tree on these interfaces
[D-2]port-group group-member GigabitEthernet 0/0/27 t g 0/0/28
[D-2-port-group]undo stp enable 

// Configure OSPF
[D-2]ospf 1 router-id 5.5.5.5
[D-2-ospf-1]area 1
[D-2-ospf-1-area-0.0.0.1]network 10.1.21.2 0.0.0.0
[D-2-ospf-1-area-0.0.0.1]network 10.1.22.2 0.0.0.0
[D-2-ospf-1-area-0.0.0.1]network 10.1.23.1 0.0.0.0
[D-2-ospf-1-area-0.0.0.1]network 10.1.100.66 0.0.0.0
[D-2-ospf-1-area-0.0.0.1]network 10.1.0.6 0.0.0.0
[D-2-ospf-1-area-0.0.0.1]network 10.1.0.18 0.0.0.0
[D-2-ospf-1-area-0.0.0.1]network 10.1.0.38 0.0.0.0

(3) Office zone

1. D-5

// Assign the interconnect VLANs to interfaces
[D-5]interface GigabitEthernet 1/0/52
[D-5-GigabitEthernet1/0/52]po li a
[D-5-GigabitEthernet1/0/52]po ac v 1107
[D-5]interface GigabitEthernet 1/0/51
[D-5-GigabitEthernet1/0/51]po li a
[D-5-GigabitEthernet1/0/51]po ac v 1111

// Disable spanning tree on these interfaces
[D-5]interface range GigabitEthernet  1/0/51 to GigabitEthernet 1/0/52
[D-5-if-range]undo stp enable

// Configure OSPF
[D-5]ospf 1 router-id 6.6.6.6
[D-5-ospf-1]area 2
[D-5-ospf-1-area-0.0.0.2]network 10.1.11.1 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.12.1 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.13.1 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.14.1 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.15.1 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.16.1 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.100.129 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.0.9 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.0.26 0.0.0.0
[D-5-ospf-1-area-0.0.0.2]network 10.1.0.42 0.0.0.0

2. D-6

// Assign the interconnect VLANs to interfaces
[D-6]interface GigabitEthernet 1/0/52
[D-6-GigabitEthernet1/0/52]po li a
[D-6-GigabitEthernet1/0/52]po ac v 1108
[D-6]interface GigabitEthernet 1/0/51
[D-6-GigabitEthernet1/0/51]po li a
[D-6-GigabitEthernet1/0/51]po ac v 1112

// Disable spanning tree on these interfaces
[D-6]interface range GigabitEthernet  1/0/51 to GigabitEthernet 1/0/52
[D-6-if-range]undo stp enable

// Configure OSPF
[D-6]ospf 1 router-id 7.7.7.7
[D-6-ospf-1]area 2
[D-6-ospf-1-area-0.0.0.2]network 10.1.11.2 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.12.2 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.13.2 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.14.2 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.15.2 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.100.130 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.0.10 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.0.30 0.0.0.0
[D-6-ospf-1-area-0.0.0.2]network 10.1.0.46 0.0.0.0

(4) Internet area F-1

// Rename the device
[H3C]sysname F-1

// Configure IP addresses
[F-1]int g 1/0/1
[F-1-GigabitEthernet1/0/1]ip add 10.1.0.22 30
[F-1]int g 1/0/2
[F-1-GigabitEthernet1/0/2]ip add 10.1.0.50 30

// Add the interfaces to a security zone
[F-1]security-zone name Trust
[F-1-security-zone-Trust]import interface GigabitEthernet 1/0/1
[F-1-security-zone-Trust]import interface GigabitEthernet 1/0/2

// Configure the security policy (H3C comes with a built-in permit-all, so the default policy can be used directly)
[F-1]security-policy ip
[F-1-security-policy-ip]rule 0 name policy-1
[F-1-security-policy-ip-0-policy-1]source-zone trust
[F-1-security-policy-ip-0-policy-1]destination-zone untrust
[F-1-security-policy-ip-0-policy-1]action pass

// Configure OSPF
[F-1]ospf 1 router-id 1.1.1.1
[F-1-ospf-1]area 0
[F-1-ospf-1-area-0.0.0.0]network 10.1.0.50 0.0.0.0
[F-1-ospf-1-area-0.0.0.0]network 10.1.0.22 0.0.0.0

Optimization configuration

// Area authentication
[F-1-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain 123456
[C-1-ospf-1-area-0.0.0.0]authentication-mode  md5 1 plain 123456
[C-2-ospf-1-area-0.0.0.0]authentication-mode  md5 
[C-2]interface Vlan-interface 100
[C-2-Vlan-interface100]ospf authentication-mode md5 1 plain 123456
[C-2]interface Vlan-interface 1101
[C-2-Vlan-interface1101]ospf authentication-mode md5 1 plain 123456
[C-2]interface Vlan-interface 1113
[C-2-Vlan-interface1113]ospf authentication-mode md5 1 plain 123456

// Stub areas
[C-1-ospf-1-area-0.0.0.1]stub
[C-2-ospf-1-area-0.0.0.1]stub
[D-1-ospf-1-area-0.0.0.1]stub
[D-2-ospf-1-area-0.0.0.1]stub
[C-1-ospf-1-area-0.0.0.1]stub no-summary 
[C-2-ospf-1-area-0.0.0.1]stub no-summary 

[C-1-ospf-1-area-0.0.0.2]stub
[C-2-ospf-1-area-0.0.0.2]stub
[D-5-ospf-1-area-0.0.0.2]stub
[D-6-ospf-1-area-0.0.0.2]stub
[C-1-ospf-1-area-0.0.0.2]stub no-summary 
[C-2-ospf-1-area-0.0.0.2]stub no-summary 

// Silent interfaces
[D-1-ospf-1]silent-interface Vlanif 21
[D-1-ospf-1]silent-interface Vlanif 22
[D-1-ospf-1]silent-interface Vlanif 1102
[D-1-ospf-1]silent-interface Vlanif 100

[D-2-ospf-1]silent-interface Vlanif 21
[D-2-ospf-1]silent-interface Vlanif 22
[D-2-ospf-1]silent-interface Vlanif 100
[D-2-ospf-1]silent-interface Vlanif 1102

[D-5-ospf-1]silent-interface Vlanif 11
[D-5-ospf-1]silent-interface Vlanif 12
[D-5-ospf-1]silent-interface Vlanif 13
[D-5-ospf-1]silent-interface Vlanif 14
[D-5-ospf-1]silent-interface Vlanif 15
[D-5-ospf-1]silent-interface Vlanif 16
[D-5-ospf-1]silent-interface Vlanif 100
[D-5-ospf-1]silent-interface Vlanif 1103

[D-6-ospf-1]silent-interface Vlanif 11
[D-6-ospf-1]silent-interface Vlanif 12
[D-6-ospf-1]silent-interface Vlanif 13
[D-6-ospf-1]silent-interface Vlanif 14
[D-6-ospf-1]silent-interface Vlanif 15
[D-6-ospf-1]silent-interface Vlanif 16
[D-6-ospf-1]silent-interface Vlanif 100
[D-6-ospf-1]silent-interface Vlanif 1103

[C-1-ospf-1]silent-interface Vlanif 31
[C-1-ospf-1]silent-interface Vlanif 32
[C-1-ospf-1]silent-interface Vlanif 33
[C-1-ospf-1]silent-interface Vlanif 34
[C-1-ospf-1]silent-interface Vlanif 35
[C-1-ospf-1]silent-interface Vlanif 100
[C-1-ospf-1]silent-interface Vlanif 1101

[C-2-ospf-1]silent-interface Vlanif 31
[C-2-ospf-1]silent-interface Vlanif 32
[C-2-ospf-1]silent-interface Vlanif 33
[C-2-ospf-1]silent-interface Vlanif 34
[C-2-ospf-1]silent-interface Vlanif 35
[C-2-ospf-1]silent-interface Vlanif 100
[C-2-ospf-1]silent-interface Vlanif 1101

// Change the network type
[D-1-Vlanif1104]ospf network-type p2p
[D-1-Vlanif1109]ospf network-type p2p

[D-2-Vlanif1105]ospf network-type p2p
[D-2-Vlanif1110]ospf network-type p2p

[D-5-Vlanif1107]ospf network-type p2p
[D-5-Vlanif1111]ospf network-type p2p

[D-6-Vlanif1108]ospf network-type p2p
[D-6-Vlanif1112]ospf network-type p2p

[F-1-GigabitEthernet1/0/1]ospf network-type p2p
[F-1-GigabitEthernet1/0/2]ospf network-type p2p

[C-1-Vlanif1104]ospf network-type p2p
[C-1-Vlanif1105]ospf network-type p2p
[C-1-Vlanif1106]ospf network-type p2p
[C-1-Vlanif1107]ospf network-type p2p
[C-1-Vlanif1108]ospf network-type p2p

[C-2-Vlanif1109]ospf network-type p2p
[C-2-Vlanif1110]ospf network-type p2p
[C-2-Vlanif1111]ospf network-type p2p
[C-2-Vlanif1112]ospf network-type p2p
[C-2-Vlanif1113]ospf network-type p2p


// Change the hello interval
[C-1-Vlan-interface1104]ospf timer hello 1
[C-1-Vlan-interface1105]ospf timer hello 1
[C-1-Vlan-interface1106]ospf timer hello 1
[C-1-Vlan-interface1107]ospf timer hello 1
[C-1-Vlan-interface1108]ospf timer hello 1

[C-2-Vlan-interface1109]ospf timer hello 1
[C-2-Vlan-interface1110]ospf timer hello 1
[C-2-Vlan-interface1111]ospf timer hello 1
[C-2-Vlan-interface1112]ospf timer hello 1
[C-2-Vlan-interface1113]ospf timer hello 1

[D-1-Vlan-interface1104]ospf timer hello 1
[D-1-Vlan-interface1109]ospf timer hello 1

[D-2-Vlan-interface1105]ospf timer hello 1
[D-2-Vlan-interface1110]ospf timer hello 1

[D-5-Vlan-interface1107]ospf timer hello 1
[D-5-Vlan-interface1111]ospf timer hello 1

[D-6-Vlan-interface1108]ospf timer hello 1
[D-6-Vlan-interface1112]ospf timer hello 1

[F-1-GigabitEthernet1/0/1]ospf timer hello 1
[F-1-GigabitEthernet1/0/2]ospf timer hello 1

// Adjust the traffic path
[C-2-ospf-1-area-0.0.0.1]default-cost 5
[C-1-ospf-1-area-0.0.0.2]default-cost 5

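Policy configuration

The policy is applied in the outbound direction on the uplink interfaces of D-1 and D-2.
An ACL is used because these devices sit in a stub area, where a route policy cannot achieve this properly, and policy-based routing would be too hard for the students to follow. An advanced ACL is therefore used.

An advanced ACL should normally be applied close to the source, preferably inbound on the source-facing interface. This requirement, however, is mostly about denying traffic, so the ACL explicitly permits the allowed flows. To keep the configuration short, no permit rules were written for traffic within the production area itself; applied inbound, the ACL would therefore also block access between devices in the same area, so it is applied on the outbound interfaces instead.

Why the ACL is not applied on the link between D-1 and D-2: the two devices back each other up, and applying it on the interconnect could disrupt normal data access in some situations.

The rule list can be shortened by summarizing prefixes, but note that a summary also permits prefixes that do not actually exist, which leaves a latent risk in the network. If summarization is used, first deny the non-existent prefixes, then permit the summary, and finally deny everything else. (Either approach works; to be cautious, the explicit per-prefix form below is used.)

// D-1 policy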
[D-1]acl 3000
[D-1-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.33.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.34.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.33.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.34.0 0.0.0.255
[D-1-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.12.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.13.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.14.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.15.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.16.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.12.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.13.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.14.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.15.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.16.0 0.0.0.255

// The next two rules allow VLAN 21 to reach VLAN 23
[D-1-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.23.0 0.0.0.255
[D-1-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.23.0 0.0.0.255

[D-1-acl-adv-3000]rule 10000 deny ip source 10.1.21.0 0.0.0.255 destination any 
[D-1-acl-adv-3000]rule 10001 deny ip source 10.1.22.0 0.0.0.255 destination any 

[D-1-GigabitEthernet0/0/27]traffic-filter outbound acl 3000
[D-1-GigabitEthernet0/0/28]traffic-filter outbound acl 3000


// D-2 policy
[D-2]acl 3000
[D-2-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.33.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.34.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.33.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.34.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.32.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.33.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.34.0 0.0.0.255
[D-2-acl-basic-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.12.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.13.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.14.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.15.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.21.0 0.0.0.255 destination 10.1.16.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.12.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.13.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.14.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.15.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.22.0 0.0.0.255 destination 10.1.16.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.12.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.13.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.14.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.15.0 0.0.0.255
[D-2-acl-adv-3000]rule permit ip source 10.1.23.0 0.0.0.255 destination 10.1.16.0 0.0.0.255

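// No rules permit VLAN 23 to reach VLAN 21 and VLAN 22 here because D-2 is the master/backup gateway for those two subnets and forwards that traffic at Layer 2, instead of sending it to the core layer as D-1 above does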

[D-2-acl-adv-3000]rule 10000 deny ip source 10.1.21.0 0.0.0.255 destination any 
[D-2-acl-adv-3000]rule 10001 deny ip source 10.1.22.0 0.0.0.255 destination any 

[D-2-GigabitEthernet0/0/27]traffic-filter outbound acl 3000
[D-2-GigabitEthernet0/0/28]traffic-filter outbound acl 3000
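
The first-match behaviour of ACL 3000 and the summarization caveat described before the D-1 policy can be checked offline. The following Python model is an added example, not part of the original project; it rebuilds the D-1 rule set from the page and assumes a hypothetical loose summary, 10.1.8.0/21, for the office destinations.

```python
import ipaddress

# Constructed from the page's ACL 3000 on D-1: production sources, and the
# office (12-16), server (31-35) and VLAN 23 destinations it permits.
SOURCES = ["10.1.21.0/24", "10.1.22.0/24"]
OFFICE = [f"10.1.{n}.0/24" for n in range(12, 17)]
SERVERS = [f"10.1.{n}.0/24" for n in range(31, 36)]
VLAN23 = ["10.1.23.0/24"]

def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def build_rules(destinations):
    """Permit each source to each destination, then deny the sources to any."""
    rules = []
    for src in map(ipaddress.ip_network, SOURCES):
        for dst in map(ipaddress.ip_network, destinations):
            rules.append(("permit", str(src.network_address), str(src.hostmask),
                          str(dst.network_address), str(dst.hostmask)))
    for src in map(ipaddress.ip_network, SOURCES):
        rules.append(("deny", str(src.network_address), str(src.hostmask),
                      "0.0.0.0", "255.255.255.255"))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule, or 'no-match'."""
    for action, s, s_wc, d, d_wc in rules:
        if wildcard_match(src_ip, s, s_wc) and wildcard_match(dst_ip, d, d_wc):
            return action
    return "no-match"  # the ACL says nothing about this flow

def over_permitted(summary, intended):
    """/24 subnets a summary entry covers that were never meant to be allowed."""
    wanted = {ipaddress.ip_network(n) for n in intended}
    return [str(s) for s in ipaddress.ip_network(summary).subnets(new_prefix=24)
            if s not in wanted]

def exact_summary(intended):
    """Fewest prefixes that cover the intended subnets and nothing else."""
    nets = [ipaddress.ip_network(n) for n in intended]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    detailed = build_rules(OFFICE + SERVERS + VLAN23)
    loose = build_rules(["10.1.8.0/21", "10.1.16.0/24"] + SERVERS + VLAN23)
    print(evaluate(detailed, "10.1.21.10", "10.1.11.5"))   # explicit rules
    print(evaluate(loose, "10.1.21.10", "10.1.11.5"))      # loose summary
    print(over_permitted("10.1.8.0/21", OFFICE))
    print(exact_summary(OFFICE), exact_summary(SERVERS))
```

With the loose summary, production hosts also reach 10.1.8.0/24 through 10.1.11.0/24, and 10.1.11.0/24 is the subnet the D-5/D-6 rules on this page treat as Finance. `exact_summary` shows that 10.1.12.0/22 plus 10.1.16.0/24 covers the office destinations without permitting anything extra.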
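
The ACL is applied on the device's inbound interface because all data traffic needs to be blocked; applied on an outbound interface, it would not block access to the other departments in the office area.

The second rule is there to guard against

// On D-5, restrict Finance from accessing other areas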
[D-5]acl advanced 3000
[D-5-acl-ipv4-adv-3000]rule permit ip source 10.1.11.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-5-acl-ipv4-adv-3000]rule 10000 deny ip source 10.1.11.0 0.0.0.255 destination any 

[D-5-GigabitEthernet1/0/3]packet-filter 3000 inbound 


// On D-6, restrict Finance from accessing other areas
[D-6]acl advanced 3000
[D-6-acl-ipv4-adv-3000]rule permit ip source 10.1.11.0 0.0.0.255 destination 10.1.31.0 0.0.0.255
[D-6-acl-ipv4-adv-3000]rule 10000 deny ip source 10.1.11.0 0.0.0.255 destination any 

[D-6-GigabitEthernet1/0/3]packet-filter 3000 inbound 

 

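// Server management restriction (there are generally a few ways to do this: restrict on the server itself, or restrict on the server's gateway device, where an ACL can be used to deny the traffic)

The ACL is applied on the C-1 and C-2 interfaces that connect to the production and office aggregation devices, so that traffic is checked directly in the inbound direction. If it were applied on the interfaces facing D-3 and D-4, the gateway IPs on the core devices would still be reachable.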

[C-2]acl number 3000
[C-2-acl-adv-3000]rule permit ip source 10.1.15.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[C-2-acl-adv-3000]rule deny ip source  any destination 10.1.35.0 0.0.0.255
[C-2-acl-adv-3000]rule 10000 permit ip source any destination any

[C-2-GigabitEthernet1/0/3]packet-filter 3000 inbound 
[C-2-GigabitEthernet1/0/4]packet-filter 3000 inbound 
[C-2-GigabitEthernet1/0/7]packet-filter 3000 inbound 
[C-2-GigabitEthernet1/0/8]packet-filter 3000 inbound 


[C-1]acl number 3000
[C-1-acl-adv-3000]rule permit ip source 10.1.15.0 0.0.0.255 destination 10.1.35.0 0.0.0.255
[C-1-acl-adv-3000]rule deny ip source  any destination 10.1.35.0 0.0.0.255
[C-1-acl-adv-3000]rule 10000 permit ip source any destination any

[C-1-GigabitEthernet1/0/3]packet-filter 3000 inbound 
[C-1-GigabitEthernet1/0/4]packet-filter 3000 inbound 
[C-1-GigabitEthernet1/0/7]packet-filter 3000 inbound 
[C-1-GigabitEthernet1/0/8]packet-filter 3000 inbound 





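// Switch management restriction (this item is in fact tied to the next requirement)
/* H3C Telnet configuration */
[D-6]telnet server enable   // enable the service
[D-6]user-interface vty 0 4    // enter the VTY user-interface view
[D-6-line-vty0-4]authentication-mode scheme   // select the authentication mode
[D-6]local-user huawei   // create the user
[D-6-luser-manage-huawei]password simple 123456  // set the password
[D-6-luser-manage-huawei]service-type telnet   // set the service type
[D-6-luser-manage-huawei]authorization-attribute user-role level-15    // set the user role's authorization attribute to the highest level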

[D-6]acl basic 2000   
[D-6-acl-ipv4-basic-2000]rule permit source 10.1.15.0 0.0.0.255
[D-6-acl-ipv4-basic-2000]rule 10000 deny source any
[D-6]telnet server acl 2000   // bind the ACL to the Telnet service

/* Huawei Telnet configuration */
[D-2]telnet server enable
[D-2]user-interface vty 0 4
[D-2-ui-vty0-4]authentication-mode aaa
[D-2-ui-vty0-4]protocol inbound telnet 
[D-2]aaa
[D-2-aaa]local-user huawei password cipher admin123 privilege level 15
[D-2-aaa]local-user huawei service-type telnet 

[D-2]acl 2000
[D-2-acl-ipv4-basic-2000]rule permit source 10.1.15.0 0.0.0.255
[D-2-acl-ipv4-basic-2000]rule 10000 deny source any
[D-2]telnet server acl 2000   // bind the ACL to the Telnet service

/* H3C SSH configuration */
[D-5]ssh server enable    // enable the service
[D-5]public-key local create rsa    // generate the key pair
[D-5]public-key local create dsa    // generate the key pair
[D-5]user-interface vty 0 4      // enter the VTY user-interface view
[D-5-line-vty0-4]authentication-mode scheme    // change the authentication mode
[D-5-line-vty0-4]protocol inbound ssh    // change the protocol type
[D-5]local-user huawei    // create the user
[D-5-luser-manage-huawei]password simple admin@123456   // set the password
[D-5-luser-manage-huawei]authorization-attribute user-role level-15   // note: this used to take level 3 directly and is now 15; type ? on the specific device to check
[D-5-luser-manage-huawei]service-type ssh   // set the protocol for this user
[D-5]ssh user huawei service-type stelnet authentication-type password

[D-5]acl basic 2000
[D-5-acl-ipv4-basic-2000]rule permit source 10.1.15.0 0.0.0.255
[D-5-acl-ipv4-basic-2000]rule 10000 deny source any
[D-5]ssh server acl 2000   // bind the ACL to the SSH service

/* Huawei SSH configuration */
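[D-1]stelnet server enable   // enable the service
[D-1]dsa local-key-pair create   // generate the local key pair
[D-1]user-interface vty 0 4   // enter the VTY user-interface view
[D-1-ui-vty0-4]authentication-mode aaa   // change the authentication mode
[D-1-ui-vty0-4]protocol inbound ssh   // select SSH as the protocol
[D-1]aaa   // enter the AAA view
[D-1-aaa]local-user huawei password cipher admin@123456 privilege level 15   // create a user with privilege level 15
[D-1-aaa]local-user huawei service-type ssh   // set the user's service type to SSH
[D-1]ssh user huawei   // create the SSH user
[D-1]ssh user huawei authentication-type password   // set the SSH authentication type
[D-1]ssh user huawei service-type stelnet 

[Client]display dsa local-key-pair public   // view the public key
[Client]ssh client first-time enable   // enable first-time login; the public key does not need to be verified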

[D-1]acl 2000
[D-1-acl-ipv4-basic-2000]rule permit source 10.1.15.0 0.0.0.255
[D-1-acl-ipv4-basic-2000]rule 10000 deny source any
[D-1]ssh server acl 2000   // bind the ACL to the SSH service
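
The management-access and OSPF authentication blocks above can be reviewed mechanically before they go onto real devices. This Python audit is an added example, not part of the original project; the finding names, the rule set and the sample device X-9 are assumptions made for illustration. It flags Telnet, secrets entered in plaintext form, MD5 routing authentication, DSA host keys, unverified first-time host keys, and management services without a source ACL.

```python
import re
from collections import defaultdict

# Constructed sample: command lines copied from the configuration blocks above,
# plus one made-up device (X-9) that enables SSH without a source ACL.
SAMPLE = """\
[D-6]telnet server enable   // enable the service
[D-6-luser-manage-huawei]password simple 123456
[D-6]telnet server acl 2000
[D-5]ssh server enable
[D-5]public-key local create dsa
[D-5]ssh server acl 2000
[D-1]stelnet server enable
[D-1]dsa local-key-pair create
[D-1]ssh server acl 2000
[Client]ssh client first-time enable
[F-1-ospf-1-area-0.0.0.0]authentication-mode md5 1 plain 123456
[X-9]ssh server enable
"""

LINE = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*?)\s*(?://.*)?$")
DEVICE = re.compile(r"[A-Z]-\d+|\w+")   # "D-6-luser-manage-huawei" -> "D-6"
CHECKS = [
    ("cleartext-telnet", re.compile(r"^telnet server enable$")),
    ("plaintext-secret", re.compile(r"\b(?:password simple|plain)\s+\S+")),
    ("md5-routing-auth", re.compile(r"\bauthentication-mode\s+md5\b")),
    ("dsa-host-key", re.compile(r"^(?:dsa local-key-pair create|public-key local create dsa)$")),
    ("unverified-first-hostkey", re.compile(r"^ssh client first-time enable$")),
]
SERVICE_ON = re.compile(r"^(telnet|ssh|stelnet) server enable$")
SERVICE_ACL = re.compile(r"^(telnet|ssh) server acl \d+$")

def audit(text):
    """Return {device: sorted finding names} for prompt-prefixed config lines."""
    findings, enabled, bound = defaultdict(set), defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        dev, cmd = (DEVICE.match(m["view"]) or [m["view"]])[0], m["cmd"]
        for name, pattern in CHECKS:
            if pattern.search(cmd):
                findings[dev].add(name)
        if (svc := SERVICE_ON.match(cmd)):
            enabled[dev].add("ssh" if svc[1] == "stelnet" else svc[1])
        if (acl := SERVICE_ACL.match(cmd)):
            bound[dev].add(acl[1])
    for dev, services in enabled.items():
        for svc in services - bound[dev]:   # service on, no ACL bound to it
            findings[dev].add(f"{svc}-without-source-acl")
    return {dev: sorted(names) for dev, names in findings.items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```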

 

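IV. Problems Encountered and Solutions

1. Compatibility between H3C and Huawei devices

Symptom
When configuring OSPF area authentication, Huawei devices use the area 0 authentication-mode command, whereas the H3C firewall (F-1) does not recognize that syntax.

Troubleshooting

  1. debug ospf packet showed that authentication was failing

  2. Comparing the configuration manuals revealed the syntax difference

  3. Tested the compatibility of several authentication modes

Solution

# Correct configuration on the H3C firewall
ospf 1
 area 0
  authentication-mode md5 1 cipher $encrypted-string$

2. VRRP state flapping

Symptom
The office-area gateway switched over frequently, causing intermittent loss of connectivity for users.

Root cause analysis

  1. Uplink tracking was not configured

  2. The default preemption delay was too short

  3. Link quality detection was inaccurate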

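V. Results and Lessons Learned

1. Key project metrics achieved

KPI                              Target        Achieved
Network availability             99.99%        99.993%
Fault recovery time              <5 minutes    2.5 minutes on average
Backbone bandwidth utilization   ≤70%          65% at peak
Security incidents               0             0

2. Core technical takeaways

  1. MSTP lessons from practice

    • Do not define more than 4 instances; beyond that, management complexity increases

    • Place the root bridge close to the main traffic sources

    • Check the traffic balance across instances regularly

  2. Multi-vendor interoperability

    • Establish a unified configuration template

    • Key parameters (such as MTU and authentication method) must match exactly

    • Prepare a vendor command cross-reference in advance

  3. Project control points

    • Configuration changes must be validated in the simulator first

    • Apply a two-person confirmation rule to critical operations

    • Every physical connection must be labelled and recorded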
