1中石油网络培训中石油网络培训2网络培训网络培训进一步思考网络维护站场网络结构与配置中石油管道系统网络概述及典型结构图3网络培训网络培训概述北京主控中心天然气管道SCADA系统6套，原油管道SCADA系统2套；廊坊备控中心天然气管道SCADA系统6套，原油管道SCADA系统2套；共16套系统。北京华油所管辖的管线有陕京一线、陕京二线、陕京三线、陕京四线（大唐煤制气）、永唐秦、港清三线等，属于调控中心天然气第一套系统。北京华油所管辖的管线到调控中心的链路有：光纤、DDN、GPRS、卫星。各分站之间不通，但可以同时访问北京和廊坊，当到其中一个中心的所有链路都down掉后，数据流可以从另一中心绕行。例如，到北京的所有链路都down掉后，站场来的数据流可以从廊坊绕到北京。站场到某个中心的链路有一个通的时候，站场数据流不能从另一中心绕行。4网络培训网络培训典型网络结构图：BJR1BJR1BJR2BJR22811-12811-12811-22811-2LFR1LFR1LFR2LFR2BJ6509S1BJ6509S1BJ6509S2BJ6509S2LF6509S1LF6509S1LF6509S2LF6509S2北（主）北（主）北（北（备） ）廊（主）廊（主）廊（廊（备） ）EIGRP AS XEIGRP AS XBGP AS YBGP AS YBGP AS X1BGP AS X1BGP AS X2BGP AS X25网络培训网络培训进一步思考网络维护站场网络结构与配置中石油管道系统网络概述及典型结构图6网络培训网络培训典型网络结构图：7网络培训网络培训站站场R1R1路由器路由器VLAN配置:! 在enable状态下配置下列命令vlan databasevlan databasevlan vlan ! 对应PLC的第一个IP地址段vlan vlan ! 对应PLC的第二个IP地址段exitexit基本配置:service timestamps debug datetime msec service timestamps debug datetime msec !设置毫秒时间戳service timestamps log datetime msec service timestamps log datetime msec !设置毫秒时间戳service password-encryptionservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-inservice tcp-keepalives-outservice tcp-keepalives-out! !hostname hostname ! !备注：备注：service tcp-keepalives-in 和和 service tcp-keepalives-out 命令来监控进入路由器或者从路由器输出的命令来监控进入路由器或者从路由器输出的TCP连接。如连接。如果路由器或交换机没有收到远程系统的响应，会自动关闭连接果路由器或交换机没有收到远程系统的响应，会自动关闭连接 通常和通常和telnet，ssh一起使用这样做的最大好处就是可以减少一起使用这样做的最大好处就是可以减少路由器的负担路由器的负担8网络培训网络培训! 认证相关配置enable secret enable secret aaa new-modeaaa new-modeaaa local authentication attempts max-fail 3aaa local authentication attempts max-fail 3aaa authentication login default localaaa authentication login default localusername username secret secret line vty 0 4line vty 0 4transport input telnettransport input telnetexec-timeout 3 0exec-timeout 3 0access-class 20 inaccess-class 20 in! 定义访问控制列表，只允许相关设备telnet到路由器! 关闭一些无用的服务no service dhcpno service dhcpno ip domain- lookupno ip domain- lookupno ip bootp serverno ip bootp serverip dhcp bootp ignoreip dhcp bootp ignoreno ip http serverno ip http serverno ip source-routeno ip source-route! !9网络培训网络培训!logging buffered 4096logging buffered 4096! !snmp-server community pertoData ro 10snmp-server community pertoData ro 10! 定义访问控制列表，只运行相关网管设备访问snmp! !接口配置:interface fastethernet 0/0interface fastethernet 0/0description description ! 到北京的主链路ip address ip address speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex fullbandwidth 10000bandwidth 10000! 只在metric计算时起作用，不影响物理接口速率。带宽和时延按照实际情况配置，这里按10M配置delay 100 delay 100 ! 配置的参数为10的倍数，即dealy 100实际的dealy 为1000 usecno shutdownno shutdowninterface fastethernet 0/1interface fastethernet 0/110网络培训网络培训description description ! 到廊坊的主链路ip address ip address speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex fullbandwidth 10000bandwidth 10000! 带宽和时延按照实际情况配置，这里按照10M配置delay 100delay 100no shutdownno shutdown! !interface fastethernet 0/1/0interface fastethernet 0/1/0description description ! 连接站场交换机S1的接口switchport access vlan switchport access vlan speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex full no shutdown no shutdown! !interface fastethernet 0/1/1interface fastethernet 0/1/1description description ! 连接站场交换机S2的接口11网络培训网络培训 switchport access vlan switchport access vlan speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex full no shutdown no shutdowninterface fastethernet 0/1/2interface fastethernet 0/1/2description description ! 连接站场R2的接口no switchportno switchportspeed 100speed 100duplex fullduplex fullip address ip address no shutdown no shutdowninterface vlan interface vlan descriptioin descriptioin ! 对应PLC第一个IP地址段ip address ip address standby 10 ip standby 10 ip standby 10 priority 110standby 10 priority 110! R1为HSRP主standby 10 preemptstandby 10 preemptstandby 10 timer 2 6standby 10 timer 2 6! !12网络培训网络培训interface vlan interface vlan descriptioin descriptioin ! 对应PLC第二个IP地址段ip address ip address standby 20 ip standby 20 ip standby 20 priority 110standby 20 priority 110! R1为HSRP主standby 20 preemptstandby 20 preemptstandby 20 timer 2 6standby 20 timer 2 6! !生成树配置：spanning-tree vlan spanning-tree vlan root primary root primary! ! R1为生成树的根spanning-tree vlan spanning-tree vlan root primary root primary!路由配置：router eigrp router eigrp no auto-summaryno auto-summaryeigrp log-neighbor-changeseigrp log-neighbor-changespassive-interface vlan passive-interface vlan ! 本地vlan接口设置为passivepassive-interface vlan passive-interface vlan 13网络培训网络培训network 0.0.0.0network 0.0.0.0eigrp stub connected leak-map leak-core-route eigrp stub connected leak-map leak-core-route !ACL及Route-map配置：access-list 10 permit access-list 10 permit ! 用于snmp的访问控制列表.!access-list 20 permit access-list 20 permit ! 用于telnet控制的访问控制列表.! ACL30用于leak-map的访问控制列表，为北京和廊坊发布的路由access-list 30 permit access-list 30 permit .!route-map leak-core-route permit 10route-map leak-core-route permit 10match ip address 30match ip address 30!安全配置：key chain key-hsrpkey chain key-hsrp! HSRP认证配置14网络培训网络培训key 1key 1 key-string key-string ! !interface vlan interface vlan standby 10 authention md5 key-chain key-hsrpstandby 10 authention md5 key-chain key-hsrp! !interface vlan interface vlan standby 20 authention md5 key-chain key-hsrpstandby 20 authention md5 key-chain key-hsrp!key chain key-eigrpkey chain key-eigrp! EIGRP认证配置key 2key 2 key-string key-string ! !interface fastethernet 0/0interface fastethernet 0/0ip authentication mode eigrp ip authentication mode eigrp md5 md5 !在接口下声明key chain，并采用MD5对hello包进行加密ip authentication key-chain eigrp ip authentication key-chain eigrp key-eigrp key-eigrp！在接口下调用key chain!interface fastethernet 0/1interface fastethernet 0/1ip authentication mode eigrp ip authentication mode eigrp md5 md5 !在接口下声明key chain，并采用MD5对hello包进行加密15网络培训网络培训ip authentication key-chain eigrp ip authentication key-chain eigrp key-eigrp key-eigrp！在接口下调用key chain! 配置中的黑体和斜体配置中的黑体和斜体标识标识的部分的部分为为配置参数，需要根据配置参数，需要根据实际设备实际设备情况填写；情况填写； 配置配置stub leak-mapstub leak-map需要需要IOS 12.3(10.2)TIOS 12.3(10.2)T及以后版本，如及以后版本，如IOSIOS不能不能满满足要求，无法配置足要求，无法配置这这条命令；条命令； 如果如果中的配置无法完成，中的配置无法完成，ACL30ACL30和后和后续续的的route-maproute-map不需要配置。不需要配置。16网络培训网络培训站站场R2R2路由器路由器VLAN配置:! 在enable状态下配置下列命令vlan databasevlan databasevlan vlan ! 对应PLC的第一个IP地址段vlan vlan ! 对应PLC的第二个IP地址段exitexit! !基本配置:17网络培训网络培训service timestamps debug datetime msecservice timestamps debug datetime msecservice timestamps log datetime msecservice timestamps log datetime msecservice password-encryptionservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-inservice tcp-keepalives-outservice tcp-keepalives-outhostname hostname ! 认证相关配置enable secret enable secret aaa new-modeaaa new-modeaaa local authentication attempts max-fail 3aaa local authentication attempts max-fail 3aaa authentication login default localaaa authentication login default local! !username secret username secret ! !line vty 0 4line vty 0 4transport input telnettransport input telnetexec-timeout 3 0exec-timeout 3 0access-class 20 inaccess-class 20 in! 定义访问控制列表，只允许相关设备telnet到路由器! 关闭一些无用的服务no service dhcpno service dhcp18网络培训网络培训no ip domain- lookupno ip domain- lookupno ip bootp serverno ip bootp serverip dhcp bootp ignoreip dhcp bootp ignoreno ip http serverno ip http serverno ip source-routeno ip source-route! !logging buffered 4096logging buffered 4096! !snmp-server community pertoData ro 10snmp-server community pertoData ro 10! 定义访问控制列表，只运行相关网管设备访问snmp!接口配置:interface fastethernet 0/0interface fastethernet 0/0description description ! 到北京的备份链路ip address ip address speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex fullbandwidth 10000bandwidth 10000! 带宽和时延按照实际情况配置，这里按照10M配置19网络培训网络培训delay 100 delay 100 no ip redirectsno ip redirectsno ip proxy-arpno ip proxy-arpno shutdownno shutdown! !interface fastethernet 0/1interface fastethernet 0/1description description ! 到廊坊的备份链路ip address ip address speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex fullbandwidth 10000bandwidth 10000! 带宽和时延按照实际情况配置，这里按照10M配置delay 100delay 100no shutdownno shutdown! !interface fastethernet 0/1/0interface fastethernet 0/1/0description description ! 连接站场交换机S1的接口switchport access vlan switchport access vlan 20网络培训网络培训speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex full no shutdown no shutdown! !interface fastethernet 0/1/1interface fastethernet 0/1/1description description ! 连接站场交换机S2的接口switchport access vlan switchport access vlan speed 100speed 100! 速率和双工配置可能需要根据连接设备的实际情况进行调整duplex fullduplex full no shutdown no shutdown! !interface fastethernet 0/1/2interface fastethernet 0/1/2description description ! 连接站场R1的接口no switchportno switchportspeed 100speed 100duplex fullduplex fullip address ip address no shutdown no shutdown! !interface vlan interface vlan descriptioin descriptioin ! 对应PLC第一个IP地址段ip address ip address 21网络培训网络培训standby 10 ip standby 10 ip ! R2为HSRP备standby 10 preemptstandby 10 preemptstandby 10 timer 2 6standby 10 timer 2 6! !interface vlan interface vlan descriptioin descriptioin ! 对应PLC第二个IP地址段ip address ip address standby 20 ip standby 20 ip ！R2为HSRP备standby 20 preemptstandby 20 preemptstandby 20 timer 2 6standby 20 timer 2 6!生成树配置：spanning-tree vlan root secondaryspanning-tree vlan root secondary! R2为生成树的备份根spanning-tree vlan root secondaryspanning-tree vlan root secondary!路由配置：router eigrp router eigrp 22网络培训网络培训no auto-summaryno auto-summaryeigrp log-neighbor-changeseigrp log-neighbor-changespassive-interface vlan passive-interface vlan ! 本地vlan接口设置为passivepassive-interface vlan passive-interface vlan network 0.0.0.0network 0.0.0.0eigrp stub connected leak-map leak-core-route eigrp stub connected leak-map leak-core-route ! !ACL及Route-map配置：access-list 10 permit access-list 10 permit ! 用于snmp的访问控制列表.! !access-list 20 permit access-list 20 permit ! 用于telnet控制的访问控制列表.! ! ACL30用于leak-map的访问控制列表，为北京和廊坊发布的路由access-list 30 permit access-list 30 permit .! !route-map leak-core-route permit 10route-map leak-core-route permit 10match ip address 30match ip address 3023网络培训网络培训安全配置：key chain key-hsrpkey chain key-hsrp! HSRP! HSRP认证配置认证配置key 1key 1 key-string key-string ! !interface vlan interface vlan standby 10 authention md5 key-chain key-hsrpstandby 10 authention md5 key-chain key-hsrp! !interface vlan interface vlan standby 10 authention md5 key-chain key-hsrpstandby 10 authention md5 key-chain key-hsrp! !key chain key-eigrpkey chain key-eigrp! EIGRP认证配置key 2key 2 key-string key-string ! !interface fastethernet 0/0interface fastethernet 0/0ip authentication mode eigrp md5 ip authentication mode eigrp md5 !在接口下声明key chain，并采用MD5对hello包进行加密ip authentication key-chain eigrp key-eigrp ip authentication key-chain eigrp key-eigrp ！在接口下调用key chain!interface fastethernet 0/1interface fastethernet 0/124网络培训网络培训ip authentication mode eigrp ip authentication mode eigrp md5 md5ip authentication key-chain eigrp ip authentication key-chain eigrp key-eigrp key-eigrp! ! 配置中配置中中的黑体和斜体的部分中的黑体和斜体的部分为为配置参数，需要根据配置参数，需要根据实际设备实际设备情况填写；情况填写； 配置配置stub leak-map需要需要IOS 12.3(10.2)T及以后版本，如及以后版本，如IOS不能不能满满足要求，无法配置足要求，无法配置这这条命令；条命令； 如果如果中的配置无法完成，中的配置无法完成，ACL30和后和后续续的的route-map不需要配置。不需要配置。25网络培训网络培训进一步思考网络维护站场网络结构与配置中石油管道系统网络概述及典型结构图26网络培训网络培训查看路由器配置：show runshow run查看路由器HSRP状态：show standbyshow standby查看EIGRP邻居：show ip eigrp neighborshow ip eigrp neighbor查看路由路径 traceroute x.x.x.xtraceroute x.x.x.x查看EIGRP topo：show ip eigrp topology x.x.x.x/maskshow ip eigrp topology x.x.x.x/mask27网络培训网络培训查看路由表：show ip route x.x.x.xshow ip route x.x.x.x查看eigrp路由条目：show ip route eigrpshow ip route eigrp查看路由器端口状态：show ip interface briefshow ip interface brief查看cisco 网络设备邻居：show cdp neighborshow cdp neighbor28网络培训网络培训进一步思考网络维护站场网络结构与配置中石油管道系统网络概述及典型结构图29网络培训网络培训站场及阀室站场及阀室网络地址表示方式：172.17.0.0/26(64位主机)；172.17.0.0/27(32位主机)； 172.17.0.0/28(16位主机)；统一站场、阀室拓扑结构；路由配置的优化：stub、leak-map、passive-interface；IP地址分配：考虑路由汇聚，优化路由表。站场及阀室路由条目：本地路由数（PLC、互联、自环）+ 广域网数 + 需要通信的SCADA + 需要通信的核心地址段 + 其它特殊要求地址30