Three-tier architecture framework:

Access layer: provides port density for connecting user terminals. Typically Layer 2 switches, APs and similar devices.
Aggregation layer (distribution layer): the point where traffic converges. Technologies used here include DHCP / VLAN / STP / HSRP / VRRP / channel (link aggregation) / QoS / ACL...
Core layer: uses NAT to provide access between the internal network and the public network, and performs high-speed routing and forwarding.

The core idea of the three-tier architecture:

Redundancy, i.e. backup: link backup, device backup, gateway backup, UPS (power) backup.
Note: UPS (power) backup is not a network technology. If a device has two power inputs, plugging the two power cords into different power sources is enough to provide power redundancy.

Three-tier architecture case study:

Topology:

(topology diagram screenshot)

Requirements:

1: The ISP may only be configured with public IP addresses; no other configuration is allowed on it.

2: All PCs obtain their IP addresses via DHCP.

3: STP: MSTP with sensible instance grouping. VLAN: mixed use of trunk and hybrid port modes.

4: Internal IP addresses are allocated sensibly from 172.16.0.0/16.

5: The ISP telnets to R1's public IP address but actually logs in to SW1.

6: Under normal conditions all PCs can reach the ISP loopback. When either SW1 or SW2 is shut down at random, the PCs can still reach the ISP.

Configuration and approach:

1: IP address allocation.
The public addresses between R1 and R2 use the 12.1.1.0/24 segment; the ISP (R2) loopback address is 2.2.2.0/24.

Internal IP addresses:

172.16.0.0/27 ---- link between R1 and SW1
172.16.0.32/27 ---- link between R1 and SW2

172.16.0.64/27 ---- VLAN1
172.16.0.66/27 ---- VLAN1 gateway

172.16.0.96/27 ---- VLAN2
172.16.0.98/27 ---- VLAN2 gateway

172.16.0.128/27 ---- VLAN3
172.16.0.130/27 ---- VLAN3 gateway
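
The allocation above can be checked mechanically. The following Python script is an added example, not part of the original post: it carves 172.16.0.0/16 into /27 subnets the way the plan does, and validates the plan against the addresses that the device configurations later assign (VLANIF addresses on SW1 and SW2, the VRRP virtual IPs, and R1's interface addresses). The PLAN table is constructed from those values; the role names ("sw1", "vrrp", ...) are this example's own labels.

```python
import ipaddress

# Constructed from the allocation written out in this post: each entry is
# (purpose, subnet, {role: address}); the addresses are the ones the device
# configurations below assign (sw1/sw2 VLANIF addresses, VRRP virtual IPs,
# R1 interface addresses).
PLAN = [
    ("R1-SW1 link", "172.16.0.0/27",   {"r1": "172.16.0.1",    "sw1": "172.16.0.2"}),
    ("R1-SW2 link", "172.16.0.32/27",  {"r1": "172.16.0.33",   "sw2": "172.16.0.34"}),
    ("VLAN1",       "172.16.0.64/27",  {"sw1": "172.16.0.65",  "vrrp": "172.16.0.66",  "sw2": "172.16.0.67"}),
    ("VLAN2",       "172.16.0.96/27",  {"sw1": "172.16.0.97",  "vrrp": "172.16.0.98",  "sw2": "172.16.0.99"}),
    ("VLAN3",       "172.16.0.128/27", {"sw1": "172.16.0.129", "vrrp": "172.16.0.130", "sw2": "172.16.0.131"}),
]


def carve(parent="172.16.0.0/16", prefix=27, count=5):
    """Return the first `count` /`prefix` subnets of `parent`, in address order.
    This is the mechanical version of 'allocate from 172.16.0.0/16 sensibly'."""
    subnets = []
    for sub in ipaddress.ip_network(parent).subnets(new_prefix=prefix):
        subnets.append(sub)
        if len(subnets) == count:
            break
    return subnets


def check_plan(plan):
    """Validate an allocation plan. Returns a list of problem strings (empty = OK):
    subnets must not overlap, every address must lie inside its subnet, must not be
    the network or broadcast address, and no address may be used twice."""
    problems = []
    seen_nets = []
    seen_addrs = {}
    for name, cidr, roles in plan:
        net = ipaddress.ip_network(cidr)
        for other_name, other in seen_nets:
            if net.overlaps(other):
                problems.append(f"{name} {cidr} overlaps {other_name} {other}")
        seen_nets.append((name, net))
        for role, addr in roles.items():
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                problems.append(f"{name}: {role} {addr} is outside {cidr}")
            elif ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {role} {addr} is the network/broadcast address")
            if addr in seen_addrs:
                problems.append(f"{addr} used by both {seen_addrs[addr]} and {name}/{role}")
            seen_addrs[addr] = f"{name}/{role}"
    return problems


def usable_hosts(cidr):
    """Assignable host addresses in a subnet (network and broadcast excluded)."""
    return ipaddress.ip_network(cidr).num_addresses - 2


if __name__ == "__main__":
    print([str(s) for s in carve()])
    print("plan problems:", check_plan(PLAN) or "none")
    for name, cidr, _ in PLAN:
        print(f"{name:12} {cidr:17} {usable_hosts(cidr)} usable hosts")
```

Each /27 leaves 30 usable addresses; in the VLAN subnets three of them (the two real VLANIF addresses and the virtual IP) are taken by the gateway pair, so the DHCP pools below have 27 addresses left for PCs.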

2: Configuration

1>: Configure DHCP on SW1 and make it the primary gateway, so that all PCs can obtain IP addresses via DHCP.

SW1:

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname sw1
[sw1]
[sw1]vlan 2
[sw1-vlan2]quit 
[sw1]vlan 3
[sw1-vlan3]quit 
[sw1]interface Vlanif 1
[sw1-Vlanif1]ip address 172.16.0.65 27
[sw1-Vlanif1]vrrp vrid 1 virtual-ip 172.16.0.66
[sw1-Vlanif1]vrrp vrid 1 priority 120
[sw1-Vlanif1]vrrp vrid 1 preempt-mode timer delay 20
[sw1-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 30
[sw1-Vlanif1]
[sw1-Vlanif1]quit 
[sw1]dhcp enable 
[sw1]ip pool 1
[sw1-ip-pool-1]network 172.16.0.64 mask 27
[sw1-ip-pool-1]gateway-list  172.16.0.66
[sw1-ip-pool-1]dns-list 8.8.8.8
[sw1-ip-pool-1]quit 
[sw1]interface Vlanif 1	
[sw1-Vlanif1]dhcp select global 
[sw1-Vlanif1]quit 
[sw1]
[sw1]interface Vlanif 2
[sw1-Vlanif2]ip address 172.16.0.97 27
[sw1-Vlanif2]vrrp vrid 2 virtual-ip 172.16.0.98
[sw1-Vlanif2]vrrp vrid 2 priority 120
[sw1-Vlanif2]vrrp vrid 2 preempt-mode timer delay 20
[sw1-Vlanif2]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 30
[sw1-Vlanif2]quit 
[sw1]ip pool 2
[sw1-ip-pool-2]network 172.16.0.96 mask 27
[sw1-ip-pool-2]gateway-list  172.16.0.98
[sw1-ip-pool-2]dns-list 8.8.8.8
[sw1-ip-pool-2]quit 
[sw1]
[sw1]interface Vlanif 2
[sw1-Vlanif2]dhcp select global 
[sw1-Vlanif2]quit 
[sw1]interface Vlanif 3
[sw1-Vlanif3]ip address 172.16.0.129 27
[sw1-Vlanif3]vrrp vrid 3 virtual-ip 172.16.0.130
[sw1-Vlanif3]vrrp vrid 3 priority 120
[sw1-Vlanif3]vrrp vrid 3 preempt-mode timer delay 20
[sw1-Vlanif3]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 30
[sw1-Vlanif3]quit 
[sw1]ip pool 3
[sw1-ip-pool-3]network 172.16.0.128 mask 27
[sw1-ip-pool-3]gateway-list 172.16.0.130
[sw1-ip-pool-3]dns-list 8.8.8.8
[sw1-ip-pool-3]quit 
[sw1]interface Vlanif 3
[sw1-Vlanif3]dhcp select global 
[sw1-Vlanif3]quit 
[sw1]interface GigabitEthernet 0/0/4	
[sw1-GigabitEthernet0/0/4]port hybrid tagged vlan 1 to 3
[sw1-GigabitEthernet0/0/4]quit 
[sw1]interface GigabitEthernet 0/0/5
[sw1-GigabitEthernet0/0/5]port hybrid tagged vlan 1 to 3
[sw1-GigabitEthernet0/0/5]quit 
[sw1]

SW3:

<Huawei>system-view 
[Huawei]sysname sw3
[sw3]interface Eth0/0/1
[sw3-Ethernet0/0/1]port link-type trunk 
[sw3-Ethernet0/0/1]port trunk allow-pass vlan 1 to 3
[sw3-Ethernet0/0/1]quit 
[sw3]vlan 2
[sw3-vlan2]quit 
[sw3]vlan 3
[sw3-vlan3]quit 
[sw3]port-group group-member Ethernet 0/0/3 to Ethernet 0/0/5
[sw3-port-group]port link-type access 
[sw3-port-group]quit 
[sw3]interface Eth0/0/4
[sw3-Ethernet0/0/4]port default vlan 2
[sw3-Ethernet0/0/4]quit 
[sw3]interface Eth0/0/5
[sw3-Ethernet0/0/5]port default vlan 3
[sw3-Ethernet0/0/5]quit 
[sw3]

SW4:

<Huawei>system-view 
[Huawei]sysname sw4
[sw4]interface Eth0/0/1
[sw4-Ethernet0/0/1]port link-type trunk 
[sw4-Ethernet0/0/1]port trunk allow-pass vlan 1 to 3
[sw4-Ethernet0/0/1]quit 
[sw4]vlan 2
[sw4-vlan2]quit 
[sw4]vlan 3
[sw4-vlan3]quit 
[sw4]port-group group-member Ethernet 0/0/3 to Ethernet 0/0/4
[sw4-port-group]port link-type access 
[sw4-port-group]quit 
[sw4]interface Eth0/0/3
[sw4-Ethernet0/0/3]port default vlan 2
[sw4-Ethernet0/0/3]quit 
[sw4]interface Eth0/0/4
[sw4-Ethernet0/0/4]port default vlan 3
[sw4-Ethernet0/0/4]quit 
[sw4]

Test:

PC1: (screenshot)
PC2: (screenshot)
PC3: (screenshot)
PC4: (screenshot)
PC5: (screenshot)

The tests show that all PCs obtain IP addresses via DHCP normally, with SW1 as their gateway.

2>: Configure SW2 as the backup gateway for SW1, and aggregate the links between SW1 and SW2.

SW2:

<Huawei>system-view 
[Huawei]sysname sw2
[sw2]vlan 2
[sw2-vlan2]quit 
[sw2]vlan 3
[sw2-vlan3]quit 
[sw2]interface Vlanif 1
[sw2-Vlanif1]ip address 172.16.0.67 27
[sw2-Vlanif1]vrrp vrid 1 virtual-ip 172.16.0.66 
[sw2-Vlanif1]quit 
[sw2]dhcp enable 
[sw2]ip pool 1
[sw2-ip-pool-1]network 172.16.0.64 mask 27
[sw2-ip-pool-1]gateway-list 172.16.0.66
[sw2-ip-pool-1]dns-list 8.8.8.8
[sw2-ip-pool-1]quit 
[sw2]interface Vlanif 1
[sw2-Vlanif1]dhcp select global 
[sw2-Vlanif1]quit 
[sw2]
[sw2]interface Vlanif 2
[sw2-Vlanif2]ip address 172.16.0.99 27
[sw2-Vlanif2]vrrp vrid 2 virtual-ip 172.16.0.98
[sw2-Vlanif2]quit 
[sw2]ip pool 2
[sw2-ip-pool-2]network 172.16.0.96 mask 27
[sw2-ip-pool-2]gateway-list 172.16.0.98
[sw2-ip-pool-2]dns-list 8.8.8.8
[sw2-ip-pool-2]quit 
[sw2]interface Vlanif 2
[sw2-Vlanif2]dhcp select global 
[sw2-Vlanif2]quit 
[sw2]
[sw2]interface Vlanif 3
[sw2-Vlanif3]ip address 172.16.0.131 27
[sw2-Vlanif3]vrrp vrid 3 virtual-ip 172.16.0.130
[sw2-Vlanif3]quit 
[sw2]ip pool 3
[sw2-ip-pool-3]network 172.16.0.128 mask 27
[sw2-ip-pool-3]gateway-list  172.16.0.130
[sw2-ip-pool-3]dns-list 8.8.8.8
[sw2-ip-pool-3]quit 
[sw2]interface Vlanif 3
[sw2-Vlanif3]dhcp select global 
[sw2-Vlanif3]quit 
[sw2]interface GigabitEthernet 0/0/5
[sw2-GigabitEthernet0/0/5]port hybrid tagged vlan 1 to 3
[sw2-GigabitEthernet0/0/5]quit 
[sw2]interface GigabitEthernet 0/0/4
[sw2-GigabitEthernet0/0/4]port hybrid tagged vlan 1 to 3
[sw2-GigabitEthernet0/0/4]quit

SW4:

[sw4]interface Eth0/0/2
[sw4-Ethernet0/0/2]port link-type trunk 
[sw4-Ethernet0/0/2]port trunk allow-pass vlan 1 to 3
[sw4-Ethernet0/0/2]quit

SW3:

[sw3]interface Eth0/0/2	
[sw3-Ethernet0/0/2]port link-type trunk 
[sw3-Ethernet0/0/2]port trunk allow-pass vlan 1 to 3
[sw3-Ethernet0/0/2]quit

Link aggregation:
Requirements for link aggregation:
1. The far end of the channel must be one and the same device;
2. All physical interfaces in the channel must have the same speed and duplex mode, the same port type, and the same allowed-VLAN list.
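
The two rules above are easy to check before the members are added to an Eth-Trunk. The following Python function is an added example, not part of the original post or of VRP: the member-port records are constructed to mirror SW1's GigabitEthernet0/0/2 and 0/0/3 toward SW2, and the attribute names ("peer", "speed_mbps", "tagged_vlans", ...) are this example's own, not VRP field names.

```python
# Constructed member-port attributes, modelled on the two SW1 ports that join
# Eth-Trunk 0 in this post (GigabitEthernet0/0/2 and 0/0/3 toward SW2). The
# attribute names are this example's own, not VRP field names.
SW1_TRUNK0_MEMBERS = [
    {"port": "GigabitEthernet0/0/2", "peer": "sw2", "speed_mbps": 1000,
     "duplex": "full", "link_type": "hybrid", "tagged_vlans": {1, 2, 3}},
    {"port": "GigabitEthernet0/0/3", "peer": "sw2", "speed_mbps": 1000,
     "duplex": "full", "link_type": "hybrid", "tagged_vlans": {1, 2, 3}},
]

# Rule 1 (same far-end device) is "peer"; rule 2 is the remaining attributes.
CHECKED_ATTRIBUTES = ("peer", "speed_mbps", "duplex", "link_type", "tagged_vlans")


def _normalise(value):
    # VLAN lists are sets: compare them by content, everything else by value.
    return tuple(sorted(value)) if isinstance(value, (set, frozenset)) else value


def check_eth_trunk(members):
    """Return the reasons these ports cannot form one Eth-Trunk (empty list = OK).
    Mirrors the two rules above: one far-end device, and identical speed, duplex,
    link type and VLAN list on every member."""
    reasons = []
    if not members:
        return ["no member ports"]
    for attr in CHECKED_ATTRIBUTES:
        per_port = {m["port"]: _normalise(m[attr]) for m in members}
        if len(set(per_port.values())) > 1:
            detail = ", ".join(f"{port}={value}" for port, value in per_port.items())
            reasons.append(f"{attr} differs between members: {detail}")
    return reasons


if __name__ == "__main__":
    print("sw1 Eth-Trunk 0:", check_eth_trunk(SW1_TRUNK0_MEMBERS) or "consistent")
```

The check is deliberately per attribute rather than a single pass/fail, so that a mismatch report names the port and the offending value; this is what you want to see before a member with a different VLAN list silently drops tagged frames on one leg of the bundle.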

SW1:

[sw1]interface Eth-Trunk 0
[sw1-Eth-Trunk0]quit 
[sw1]interface GigabitEthernet 0/0/2
[sw1-GigabitEthernet0/0/2]eth-trunk 0
[sw1-GigabitEthernet0/0/2]quit 
[sw1]interface GigabitEthernet 0/0/3
[sw1-GigabitEthernet0/0/3]eth-trunk 0
[sw1-GigabitEthernet0/0/3]quit 
[sw1]interface Eth-Trunk 0
[sw1-Eth-Trunk0]port link-type hybrid 
[sw1-Eth-Trunk0]port hybrid tagged vlan 1 to 3
[sw1-Eth-Trunk0]quit

SW2:

[sw2]interface Eth-Trunk 0
[sw2-Eth-Trunk0]quit 
[sw2]interface GigabitEthernet 0/0/2	
[sw2-GigabitEthernet0/0/2]eth-trunk 0
[sw2-GigabitEthernet0/0/2]quit 
[sw2]interface GigabitEthernet 0/0/3
[sw2-GigabitEthernet0/0/3]eth-trunk 0
[sw2-GigabitEthernet0/0/3]quit 
[sw2]interface Eth-Trunk 0
[sw2-Eth-Trunk0]port link-type hybrid 
[sw2-Eth-Trunk0]port hybrid tagged vlan 1 to 3
[sw2-Eth-Trunk0]quit

3>: Configure MSTP: put VLAN 1 in instance 1 and VLANs 2 and 3 in instance 2, with SW1 as the primary root and SW2 as the secondary (backup) root.

SW1:

[sw1]stp mode mstp 
[sw1]stp enable 	
[sw1]stp region-configuration 
[sw1-mst-region]region-name a
[sw1-mst-region]instance 1 vlan 1
[sw1-mst-region]instance 2 vlan 2 to 3
[sw1-mst-region]active region-configuration 
[sw1-mst-region]quit 
[sw1]stp instance 1 root primary 
[sw1]stp instance 2 root  primary

SW2:

[sw2]stp mode mstp 
[sw2]stp enable 
[sw2]stp region-configuration 
[sw2-mst-region]region-name a
[sw2-mst-region]instance 1 vlan 1
[sw2-mst-region]instance 2 vlan 2 to 3
[sw2-mst-region]active region-configuration 
[sw2-mst-region]quit 
[sw2]stp instance 1 root secondary 
[sw2]stp instance 2 root secondary

SW3:

[sw3]stp mode mstp 
[sw3]stp enable 
[sw3]stp region-configuration 
[sw3-mst-region]region-name a
[sw3-mst-region]instance 1 vlan 1
[sw3-mst-region]instance 2 vlan 2 to 3
[sw3-mst-region]active region-configuration 
[sw3-mst-region]quit

SW4:

[sw4]stp mode mstp 
[sw4]stp enable 
[sw4]stp region-configuration 
[sw4-mst-region]region-name a
[sw4-mst-region]instance 1 vlan 1
[sw4-mst-region]instance 2 vlan 2 to 3
[sw4-mst-region]active region-configuration 
[sw4-mst-region]quit

4>: Configure IP addresses on the physical interfaces of SW1 and SW2 so that SW1 and SW2 can communicate with R1.

Note: the Layer 3 switch simulated in eNSP cannot be given an IP address directly on a physical interface (real hardware can), so a workaround is needed: set the interface that needs the address to access mode, put it in a dedicated VLAN, and assign the IP address to that VLAN interface (VLANIF). The effect is the same.

SW1:

[sw1]vlan 10
[sw1-vlan10]quit 
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access 
[sw1-GigabitEthernet0/0/1]port default vlan 10
[sw1-GigabitEthernet0/0/1]quit 
[sw1]interface Vlanif 10
[sw1-Vlanif10]ip address 172.16.0.2 27
[sw1-Vlanif10]quit

SW2:

[sw2]vlan 10
[sw2-vlan10]
[sw2-vlan10]quit 
[sw2]interface GigabitEthernet 0/0/1
[sw2-GigabitEthernet0/0/1]port link-type access 
[sw2-GigabitEthernet0/0/1]port default vlan 10
[sw2-GigabitEthernet0/0/1]quit 
[sw2]interface Vlanif 10
[sw2-Vlanif10]ip address 172.16.0.34 27
[sw2-Vlanif10]quit

R1:

[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 172.16.0.1 27
[r1-GigabitEthernet0/0/1]quit 
[r1]interface GigabitEthernet 0/0/2
[r1-GigabitEthernet0/0/2]ip address 172.16.0.33 27
[r1-GigabitEthernet0/0/2]quit

Test whether R1 can reach the physical interfaces of SW1 and SW2:

(ping result screenshots)

5>: On R1, configure static routes for VLANs 1, 2 and 3. The next hops are the physical interfaces of SW1 and SW2 that face R1; the routes whose next hop is SW2's interface toward R1 are backup routes and get a larger (less preferred) preference value.

R1:

[r1]ip route-static 172.16.0.64 27 172.16.0.2
[r1]ip route-static 172.16.0.96 27 172.16.0.2
[r1]ip route-static 172.16.0.128 27 172.16.0.2
[r1]ip route-static 172.16.0.64 27 172.16.0.34 preference 61
[r1]ip route-static 172.16.0.96 27 172.16.0.34 preference 61
[r1]ip route-static 172.16.0.128 27 172.16.0.34 preference 61
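
The two halves of the gateway failover are the VRRP tracking configured on SW1 earlier (priority 120, "track interface GigabitEthernet 0/0/1 reduced 30") and the floating static routes on R1 just above (preference 61 for the SW2 next hops). The following Python model is an added example, not part of the original post: it reproduces both decisions for VLAN1 and shows how they interlock when the SW1 <-> R1 link fails. Two values are not on the page and are assumed from VRRP and VRP defaults: SW2's unconfigured VRRP priority of 100 and the default static-route preference of 60.

```python
import ipaddress

# Constructed model of the redundant gateway pair (SW1/SW2) and of R1's return
# routes as configured in this post. Numbers not on the page: VRRP's default
# priority of 100 (SW2 sets none) and VRP's default static-route preference of 60.
VRRP_DEFAULT_PRIORITY = 100
STATIC_DEFAULT_PREFERENCE = 60


def effective_priority(configured, tracked_link_up, reduced):
    """'vrrp vrid N track interface X reduced R': priority drops by R while X is down."""
    return configured if tracked_link_up else configured - reduced


def vrrp_master(routers):
    """Master election: highest effective priority wins; on a tie the higher primary
    IP wins (RFC 3768 tie-break). `routers` maps name -> {"priority", "ip"}."""
    return max(routers, key=lambda n: (routers[n]["priority"],
                                       ipaddress.ip_address(routers[n]["ip"])))


def best_route(routes, reachable_next_hops):
    """R1's choice among static routes to one prefix: only routes whose next hop is
    reachable are active, and the lowest preference value wins (60 beats 61)."""
    active = [r for r in routes if r["next_hop"] in reachable_next_hops]
    return min(active, key=lambda r: r["preference"]) if active else None


def simulate(sw1_uplink_up, reduced=30):
    """Return (VRRP master for VLAN1, next hop R1 uses toward VLAN1) for a given
    state of the SW1 <-> R1 link. `reduced` is the tracking decrement from the page."""
    routers = {
        "sw1": {"priority": effective_priority(120, sw1_uplink_up, reduced), "ip": "172.16.0.65"},
        "sw2": {"priority": VRRP_DEFAULT_PRIORITY, "ip": "172.16.0.67"},
    }
    routes = [
        {"prefix": "172.16.0.64/27", "next_hop": "172.16.0.2",  "preference": STATIC_DEFAULT_PREFERENCE},
        {"prefix": "172.16.0.64/27", "next_hop": "172.16.0.34", "preference": 61},
    ]
    # R1 G0/0/1 <-> SW1 G0/0/1 is a direct link: when it is down, 172.16.0.2 is gone too.
    reachable = {"172.16.0.34"} | ({"172.16.0.2"} if sw1_uplink_up else set())
    return vrrp_master(routers), best_route(routes, reachable)["next_hop"]


if __name__ == "__main__":
    for state in (True, False):
        master, next_hop = simulate(state)
        print(f"SW1 uplink up={state}: VRRP master={master}, R1 next hop={next_hop}")
    # A decrement that leaves SW1 above 100 would keep it master with no uplink:
    print("reduced 10:", simulate(False, reduced=10))
```

The value 30 matters because 120 - 30 = 90 is below SW2's 100: the same failure that makes R1 fall back to the preference-61 routes also hands the virtual gateway to SW2, so both directions of traffic move together. With a decrement of 10 SW1 would stay master at 110 while its only default route (via 172.16.0.1) is down, and the PCs' traffic would be sent to a gateway with no way out.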

6>: Configure public addresses on R1 and R2 and use NAT so that all PCs can reach the ISP loopback.

R1:

[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.1.1.1 24
[r1-GigabitEthernet0/0/0]quit 
[r1]acl 2000
[r1-acl-basic-2000]rule 5 permit source 172.16.0.0 0.0.0.255
[r1-acl-basic-2000]quit
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]nat outbound 2000
[r1-GigabitEthernet0/0/0]quit 
[r1]ip route-static 0.0.0.0 0 12.1.1.2
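
ACL 2000 decides which internal sources get translated, and its second operand is a wildcard mask, not a subnet mask: 0.0.0.255 means "ignore the last 8 bits", so the rule covers 172.16.0.0/24. The three VLAN subnets all lie inside that /24, which is why the tests below succeed, but any further subnet taken from 172.16.0.0/16 outside it (172.16.1.0/24, say) would not be translated. The following Python script is an added example, not part of the original post or of VRP: it implements wildcard matching bit by bit and checks each subnet against the ACL exactly as configured on R1.

```python
import ipaddress

# ACL 2000 exactly as configured on R1 in this post: one permit rule with
# wildcard mask 0.0.0.255 (a 'don't care' mask, not a subnet mask).
ACL_2000 = [("permit", "172.16.0.0", "0.0.0.255")]


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard-mask match as VRP/IOS ACLs do it: a 1 bit in the wildcard means
    'ignore this bit'; the address matches when every 0-bit position equals the rule."""
    a = int(ipaddress.ip_address(addr))
    r = int(ipaddress.ip_address(rule_addr))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


def acl_action(addr, rules):
    """First-match evaluation of a basic ACL. Returns 'permit', 'deny', or None when
    no rule matches; for 'nat outbound' only 'permit' traffic is translated."""
    for action, rule_addr, wildcard in rules:
        if wildcard_match(addr, rule_addr, wildcard):
            return action
    return None


def subnet_fully_translated(cidr, rules):
    """True when every source address in `cidr` hits a permit rule (brute force;
    fine for the short prefixes in this design)."""
    return all(acl_action(str(h), rules) == "permit" for h in ipaddress.ip_network(cidr))


if __name__ == "__main__":
    for cidr in ("172.16.0.64/27", "172.16.0.96/27", "172.16.0.128/27", "172.16.1.0/24"):
        print(f"{cidr:16} translated by ACL 2000: {subnet_fully_translated(cidr, ACL_2000)}")
    # Wildcard that covers the whole 172.16.0.0/16 the requirements allocate from:
    whole_site = [("permit", "172.16.0.0", "0.0.255.255")]
    print("172.16.1.0/24 with 0.0.255.255:", subnet_fully_translated("172.16.1.0/24", whole_site))
```

Because a wildcard mask is applied bit by bit, it can also express non-contiguous patterns that a prefix length cannot; the XOR-and-mask test above handles those the same way, which is why it is the right primitive to use when auditing what a NAT or filtering ACL really covers.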

SW1:

[sw1]ip route-static 0.0.0.0 0 172.16.0.1

SW2:

[sw2]ip route-static 0.0.0.0 0 172.16.0.33

Test whether all PCs can reach the ISP loopback:

PC1: (screenshot)
PC2: (screenshot)
PC3: (screenshot)
PC4: (screenshot)
PC5: (screenshot)

7>: Enable the Telnet service on SW1 and configure port mapping on R1.

SW1:

[sw1]user-interface vty 0 4
[sw1-ui-vty0-4]authentication-mode password 
[sw1-ui-vty0-4]user privilege level 15 
[sw1-ui-vty0-4]set authentication password simple huawei123
[sw1-ui-vty0-4]quit

R1:

[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface telnet inside 172.16.0.2 telnet
Warning:The port 23 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[r1-GigabitEthernet0/0/0]

Test from R2:

<r2>telnet 12.1.1.1
  Press CTRL_] to quit telnet mode
  Trying 12.1.1.1 ...
  Connected to 12.1.1.1 ...


Login authentication


Password:
Info: The max number of VTY users is 5, and the number
      of current VTY users on line is 1.
      The current login time is 2019-11-14 21:54:52.
<sw1>system-view 
Enter system view, return user view with Ctrl+Z.
[sw1]
[sw1]

Test: shut down SW1 and test again whether the PCs can still reach the ISP loopback.

(screenshot)

PC1: (screenshot)
PC2: (screenshot)
PC3: (screenshot)
PC4: (screenshot)
PC5: (screenshot)

3: MSTP test

(screenshot)


For the spanning tree, the root bridge is SW1, so to avoid a loop the port on SW4 connected to link 3 is blocked. PC4 and PC5 obtain their DHCP leases through the port on SW4 connected to link 2 (while the primary gateway is up). Now disconnect link 2 and test whether PC4 and PC5 can still reach the ISP loopback.

SW4:

[sw4]interface Eth0/0/1
[sw4-Ethernet0/0/1]shutdown

PC4: (screenshot)
PC5: (screenshot)

(screenshot)

For spanning-tree instance 1, under normal conditions the port on SW3 connected to link 2 is blocked (primary gateway up), and PC1 obtains its IP address through the port on SW3 connected to link 3. Shut down the port on SW3 connected to link 3 and test again whether PC1 can still reach the ISP loopback.

SW3:

[sw3]interface Eth0/0/1
[sw3-Ethernet0/0/1]shutdown

PC1:

(screenshot)

At this point, the enterprise three-tier architecture in eNSP is complete. The remaining drawback is that the PCs at the access layer have no link redundancy, so high availability is not fully achieved.