Three-tier architecture framework:
Access layer: provides port density for connecting user terminals. Usually built from Layer 2 switches, APs and similar devices.
Aggregation layer (distribution layer): the point where traffic converges. Technologies used here include DHCP / VLAN / STP / HSRP / VRRP / link aggregation (channel) / QoS / ACL...
Core layer: uses NAT to connect the internal network to the public network, and performs high-speed routing and forwarding.
The essence of the three-tier architecture:
Redundancy, i.e. backup: link backup, device backup, gateway backup, UPS (power) backup.
Note: UPS (power) backup is not a network technology. If a device has two power inlets, plugging the two power cords into different power feeds gives power redundancy.
Three-tier architecture case study:
Topology diagram:
Requirements:
1: The ISP may only be configured with a public IP address; no other configuration is allowed on it.
2: All PCs obtain their IP addresses through DHCP.
3: STP: MSTP with sensible instance grouping. VLAN: a mix of trunk and hybrid port modes.
4: Internal IP addresses are allocated sensibly from 172.16.0.0/16.
5: The ISP telnets to R1's public IP address and actually logs in to SW1.
6: Under normal conditions every PC can reach the ISP loopback. When either SW1 or SW2 is shut down at random, the PCs can still reach the ISP.
Configuration and approach:
1: IP address allocation.
The public link between R1 and R2 uses 12.1.1.0/24; the ISP (R2) loopback address is 2.2.2.0/24.
Internal IP addresses:
172.16.0.0/27----between R1 and SW1
172.16.0.32/27----between R1 and SW2
172.16.0.64/27----VLAN1
172.16.0.66/27----VLAN1 gateway
172.16.0.96/27----VLAN2
172.16.0.98/27----VLAN2 gateway
172.16.0.128/27----VLAN3
172.16.0.130/27----VLAN3 gateway
2: Configuration
1>: Configure DHCP on SW1 and make it the primary gateway so that all PCs obtain IP addresses via DHCP.
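The address plan above can be checked mechanically. The following Python is an added example, not part of the original write-up: it carves the /27 blocks, derives the per-VLAN addresses the way the switch configuration later on this page uses them (SW1 takes the first host, the VRRP virtual IP handed out by DHCP the second, SW2 the third), verifies that the blocks are inside 172.16.0.0/16 and do not overlap, and tests which blocks a Huawei basic-ACL wildcard rule would match. The last part matters for the NAT step later on this page, where `rule 5 permit source 172.16.0.0 0.0.0.255` decides which internal hosts get translated; the `0.0.0.127` rule in the test is a constructed counter-example of a wildcard that silently leaves VLAN3 without NAT. The dictionary names and helper functions are my own.

```python
import ipaddress

# Constructed from the address plan in the write-up: the /16 is carved into /27 blocks.
BASE = ipaddress.ip_network("172.16.0.0/16")
PLAN = {
    "R1-SW1": "172.16.0.0/27",
    "R1-SW2": "172.16.0.32/27",
    "VLAN1": "172.16.0.64/27",
    "VLAN2": "172.16.0.96/27",
    "VLAN3": "172.16.0.128/27",
}


def vlan_addressing(cidr):
    """Per-VLAN addresses as the lab uses them: SW1 gets the first host,
    the VRRP virtual IP (the DHCP gateway) the second, SW2 the third."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "sw1": str(hosts[0]),
        "gateway": str(hosts[1]),
        "sw2": str(hosts[2]),
        "broadcast": str(net.broadcast_address),
        "usable_for_pcs": len(hosts) - 3,
    }


def check_plan(plan, base=BASE):
    """Every block must sit inside the assigned /16 and no two blocks may overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    for name, net in nets.items():
        if not net.subnet_of(base):
            raise ValueError(f"{name} {net} is outside {base}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} and {b} overlap")
    return True


def wildcard_matches(rule_addr, wildcard, ip):
    """Basic-ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(rule_addr))
    w = int(ipaddress.ip_address(wildcard))
    x = int(ipaddress.ip_address(ip))
    return (a & ~w) == (x & ~w)


def nat_acl_covers(rule_addr, wildcard, plan):
    """Which VLAN blocks would 'nat outbound' translate with this ACL rule?
    A block counts as covered only if every host in it matches the rule."""
    covered = {}
    for name, cidr in plan.items():
        if not name.startswith("VLAN"):
            continue
        net = ipaddress.ip_network(cidr)
        covered[name] = all(
            wildcard_matches(rule_addr, wildcard, str(h)) for h in net.hosts()
        )
    return covered


if __name__ == "__main__":
    check_plan(PLAN)
    for vlan in ("VLAN1", "VLAN2", "VLAN3"):
        print(vlan, vlan_addressing(PLAN[vlan]))
    print("ACL 172.16.0.0 0.0.0.255 covers:", nat_acl_covers("172.16.0.0", "0.0.0.255", PLAN))
    print("ACL 172.16.0.0 0.0.0.127 covers:", nat_acl_covers("172.16.0.0", "0.0.0.127", PLAN))
```

The page's wildcard `0.0.0.255` covers all three VLAN blocks only because every block happens to lie inside 172.16.0.0/24; if a later VLAN were placed elsewhere in the /16, it would fall outside the NAT rule, which is exactly what the coverage check is meant to catch.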
SW1:
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sy
[Huawei]sysname sw1
[sw1]
[sw1]vlan 2
[sw1-vlan2]quit
[sw1]vlan 3
[sw1-vlan3]quit
[sw1]interface Vlanif 1
[sw1-Vlanif1]ip address 172.16.0.65 27
[sw1-Vlanif1]vrrp vrid 1 virtual-ip 172.16.0.66
[sw1-Vlanif1]vrrp vrid 1 priority 120
[sw1-Vlanif1]vrrp vrid 1 preempt-mode timer delay 20
[sw1-Vlanif1]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 30
[sw1-Vlanif1]
[sw1-Vlanif1]quit
[sw1]dhcp enable
[sw1]ip pool 1
[sw1-ip-pool-1]network 172.16.0.64 mask 27
[sw1-ip-pool-1]gateway-list 172.16.0.66
[sw1-ip-pool-1]dns-list 8.8.8.8
[sw1-ip-pool-1]quit
[sw1]interface Vlanif 1
[sw1-Vlanif1]dhcp select global
[sw1-Vlanif1]quit
[sw1]
[sw1]interface Vlanif 2
[sw1-Vlanif2]ip add
[sw1-Vlanif2]ip address 172.16.0.97 27
[sw1-Vlanif2]vrrp vrid 2 virtual-ip 172.16.0.98
[sw1-Vlanif2]vrrp vrid 2 priority 120
[sw1-Vlanif2]vrrp vrid 2 preempt-mode timer delay 20
[sw1-Vlanif2]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 30
[sw1-Vlanif2]quit
[sw1]ip pool 2
[sw1-ip-pool-2]network 172.16.0.96 mask 27
[sw1-ip-pool-2]gateway-list 172.16.0.98
[sw1-ip-pool-2]dns-list 8.8.8.8
[sw1-ip-pool-2]quit
[sw1]
[sw1]interface Vlanif 2
[sw1-Vlanif2]dhcp select global
[sw1-Vlanif2]quit
[sw1]interface Vlanif 3
[sw1-Vlanif3]ip address 172.16.0.129 27
[sw1-Vlanif3]vrrp vrid 3 virtual-ip 172.16.0.130
[sw1-Vlanif3]vrrp vrid 3 priority 120
[sw1-Vlanif3]vrrp vrid 3 preempt-mode timer delay 20
[sw1-Vlanif3]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 30
[sw1-Vlanif3]quit
[sw1]ip pool 3
[sw1-ip-pool-3]network 172.16.0.128 mask 27
[sw1-ip-pool-3]gateway-list 172.16.0.130
[sw1-ip-pool-3]dns-list 8.8.8.8
[sw1-ip-pool-3]quit
[sw1]interface Vlanif 3
[sw1-Vlanif3]dhcp select global
[sw1-Vlanif3]quit
[sw1]interface GigabitEthernet 0/0/4
[sw1-GigabitEthernet0/0/4]port hybrid tagged vlan 1 to 3
[sw1-GigabitEthernet0/0/4]quit
[sw1]interface GigabitEthernet 0/0/5
[sw1-GigabitEthernet0/0/5]port hybrid tagged vlan 1 to 3
[sw1-GigabitEthernet0/0/5]quit
[sw1]
SW3:
<Huawei>system-view
[Huawei]sysname sw3
[sw3]interface Eth0/0/1
[sw3-Ethernet0/0/1]port link-type trunk
[sw3-Ethernet0/0/1]port trunk allow-pass vlan 1 to 3
[sw3-Ethernet0/0/1]quit
[sw3]vlan 2
[sw3-vlan2]quit
[sw3]vlan 3
[sw3-vlan3]quit
[sw3]port-group group-member Ethernet 0/0/3 to Ethernet 0/0/5
[sw3-port-group]port link-type access
[sw3-port-group]quit
[sw3]interface Eth0/0/4
[sw3-Ethernet0/0/4]port default vlan 2
[sw3-Ethernet0/0/4]quit
[sw3]interface Eth0/0/5
[sw3-Ethernet0/0/5]port default vlan 3
[sw3-Ethernet0/0/5]quit
[sw3]
SW4:
<Huawei>system-view
[Huawei]sysname sw4
[sw4]interface Eth0/0/1
[sw4-Ethernet0/0/1]port link-type trunk
[sw4-Ethernet0/0/1]port trunk allow-pass vlan 1 to 3
[sw4-Ethernet0/0/1]quit
[sw4]vlan 2
[sw4-vlan2]quit
[sw4]vlan 3
[sw4-vlan3]quit
[sw4]port-group group-member Ethernet 0/0/3 to Ethernet 0/0/4
[sw4-port-group]port link-type access
[sw4-port-group]quit
[sw4]interface Eth0/0/3
[sw4-Ethernet0/0/3]port default vlan 2
[sw4-Ethernet0/0/3]quit
[sw4]interface Eth0/0/4
[sw4-Ethernet0/0/4]port default vlan 3
[sw4-Ethernet0/0/4]quit
[sw4]
Test:
PC1:
PC2:
PC3:
PC4:
PC5:
The test shows that all PCs obtain IP addresses normally via DHCP, with SW1 as their gateway.
2>: Configure SW2 so that it acts as the backup gateway for SW1, and aggregate the links between SW1 and SW2.
SW2:
<Huawei>system-view
[Huawei]sysname sw2
[sw2]vlan 2
[sw2-vlan2]quit
[sw2]vlan 3
[sw2-vlan3]quit
[sw2]interface Vlanif 1
[sw2-Vlanif1]ip address 172.16.0.67 27
[sw2-Vlanif1]vrrp vrid 1 virtual-ip 172.16.0.66
[sw2-Vlanif1]quit
[sw2]dhcp enable
[sw2]ip pool 1
[sw2-ip-pool-1]network 172.16.0.64 mask 27
[sw2-ip-pool-1]gateway-list 172.16.0.66
[sw2-ip-pool-1]dns-list 8.8.8.8
[sw2-ip-pool-1]quit
[sw2]interface Vlanif 1
[sw2-Vlanif1]dhcp select global
[sw2-Vlanif1]quit
[sw2]
[sw2]interface Vlanif 2
[sw2-Vlanif2]ip address 172.16.0.99 27
[sw2-Vlanif2]vrrp vrid 2 virtual-ip 172.16.0.98
[sw2-Vlanif2]quit
[sw2]ip pool 2
[sw2-ip-pool-2]network 172.16.0.96 mask 27
[sw2-ip-pool-2]gateway-list 172.16.0.98
[sw2-ip-pool-2]dns-list 8.8.8.8
[sw2-ip-pool-2]quit
[sw2]interface Vlanif 2
[sw2-Vlanif2]dhcp select global
[sw2-Vlanif2]quit
[sw2]
[sw2]interface Vlanif 3
[sw2-Vlanif3]ip address 172.16.0.131 27
[sw2-Vlanif3]vrrp vrid 3 virtual-ip 172.16.0.130
[sw2-Vlanif3]quit
[sw2]ip pool 3
[sw2-ip-pool-3]network 172.16.0.128 mask 27
[sw2-ip-pool-3]gateway-list 172.16.0.130
[sw2-ip-pool-3]dns-list 8.8.8.8
[sw2-ip-pool-3]quit
[sw2]interface Vlanif 3
[sw2-Vlanif3]dhcp select global
[sw2-Vlanif3]quit
[sw2]interface GigabitEthernet 0/0/5
[sw2-GigabitEthernet0/0/5]port hybrid tagged vlan 1 to 3
[sw2-GigabitEthernet0/0/5]quit
[sw2]interface GigabitEthernet 0/0/4
[sw2-GigabitEthernet0/0/4]port hybrid tagged vlan 1 to 3
[sw2-GigabitEthernet0/0/4]quit
SW4:
[sw4]interface Eth0/0/2
[sw4-Ethernet0/0/2]port link-type trunk
[sw4-Ethernet0/0/2]port trunk allow-pass vlan 1 to 3
[sw4-Ethernet0/0/2]quit
SW3:
[sw3]interface Eth0/0/2
[sw3-Ethernet0/0/2]port link-type trunk
[sw3-Ethernet0/0/2]port trunk allow-pass vlan 1 to 3
[sw3-Ethernet0/0/2]quit
Link aggregation:
Requirements for link aggregation:
1. All member links of the channel must terminate on the same device at the far end;
2. All physical interfaces in the channel should have the same speed and duplex mode, the same port type, and the same allowed-VLAN list;
SW1:
[sw1]interface Eth-Trunk 0
[sw1-Eth-Trunk0]quit
[sw1]interface GigabitEthernet 0/0/2
[sw1-GigabitEthernet0/0/2]eth-trunk 0
[sw1-GigabitEthernet0/0/2]quit
[sw1]interface GigabitEthernet 0/0/3
[sw1-GigabitEthernet0/0/3]eth-trunk 0
[sw1-GigabitEthernet0/0/3]quit
[sw1]interface Eth-Trunk 0
[sw1-Eth-Trunk0]port link-type hybrid
[sw1-Eth-Trunk0]port hybrid tagged vlan 1 to 3
[sw1-Eth-Trunk0]quit
SW2:
[sw2]interface Eth-Trunk 0
[sw2-Eth-Trunk0]quit
[sw2]interface GigabitEthernet 0/0/2
[sw2-GigabitEthernet0/0/2]eth-trunk 0
[sw2-GigabitEthernet0/0/2]quit
[sw2]interface GigabitEthernet 0/0/3
[sw2-GigabitEthernet0/0/3]eth-trunk 0
[sw2-GigabitEthernet0/0/3]quit
[sw2]interface Eth-Trunk 0
[sw2-Eth-Trunk0]port link-type hybrid
[sw2-Eth-Trunk0]port hybrid tagged vlan 1 to 3
[sw2-Eth-Trunk0]quit
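The VRRP numbers in steps 1> and 2> fit together in a specific way: SW1 runs priority 120 with a tracking penalty of 30 on its uplink GigabitEthernet0/0/1 and a preempt delay of 20 s, while SW2 gets no priority line and therefore runs the VRRP default of 100. The penalty is chosen so that 120 - 30 = 90 drops below 100, which is what hands the gateway to SW2 when SW1 loses its uplink; the 20 s delay stops SW1 from grabbing the gateway back the instant a flapping uplink returns. The Python below is an added example, not from the write-up: a simplified model of the election (highest effective priority wins, a dead master is replaced at once, a router that becomes better than a live master takes over only after its preempt delay; the real protocol's advertisement and master-down timers are omitted). The class and function names and the event timeline are my own.

```python
from dataclasses import dataclass, field

VRRP_DEFAULT_PRIORITY = 100   # SW2 has no 'vrrp vrid 1 priority' line, so it runs the default


@dataclass
class VrrpRouter:
    name: str
    base_priority: int = VRRP_DEFAULT_PRIORITY
    preempt_delay: int = 0                        # 'vrrp vrid N preempt-mode timer delay <s>'
    tracked: dict = field(default_factory=dict)   # interface -> 'reduced' penalty
    link_up: dict = field(default_factory=dict)   # interface -> current link state
    alive: bool = True                            # False models the whole switch being shut down

    def priority(self):
        """Configured priority minus the penalty of every tracked interface that is down."""
        penalty = sum(
            reduced for ifname, reduced in self.tracked.items()
            if not self.link_up.get(ifname, True)
        )
        return max(self.base_priority - penalty, 1)


class VrrpGroup:
    """Simplified VRRP election for one vrid (timers other than the preempt delay omitted)."""

    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.master = None
        self.pending = None   # (candidate name, time at which its preempt delay expires)

    def step(self, t):
        """Re-evaluate the election at time t and return the master's name."""
        alive = [r for r in self.routers.values() if r.alive]
        best = max(alive, key=lambda r: r.priority())
        cur = self.routers.get(self.master)
        if cur is None or not cur.alive:
            # no master yet, or the master went away: best backup takes over at once
            self.master, self.pending = best.name, None
        elif best.priority() > cur.priority():
            # a better router exists; it preempts only after its configured delay
            if self.pending is None or self.pending[0] != best.name:
                self.pending = (best.name, t + best.preempt_delay)
            if t >= self.pending[1]:
                self.master, self.pending = best.name, None
        else:
            self.pending = None
        return self.master


def lab_group(reduced=30):
    """SW1 and SW2 as configured for vrid 1 (VLAN1) in the write-up."""
    sw1 = VrrpRouter("sw1", base_priority=120, preempt_delay=20,
                     tracked={"GigabitEthernet0/0/1": reduced})
    sw2 = VrrpRouter("sw2")
    return VrrpGroup([sw1, sw2])


def run_scenario(reduced=30):
    """Constructed timeline: SW1's uplink fails at t=10 s, returns at t=50 s,
    and SW1 itself is powered off at t=100 s. Returns [(t, master), ...]."""
    group = lab_group(reduced)
    sw1 = group.routers["sw1"]
    log = []
    for t in range(0, 121, 10):
        if t == 10:
            sw1.link_up["GigabitEthernet0/0/1"] = False
        if t == 50:
            sw1.link_up["GigabitEthernet0/0/1"] = True
        if t == 100:
            sw1.alive = False
        log.append((t, group.step(t)))
    return log


def uplink_loss_fails_over(reduced):
    """True if losing the tracked uplink alone is enough for SW2 to become master."""
    group = lab_group(reduced)
    group.step(0)
    group.routers["sw1"].link_up["GigabitEthernet0/0/1"] = False
    return group.step(1) == "sw2"


if __name__ == "__main__":
    for t, master in run_scenario():
        print(f"t={t:3d}s  master={master}")
    print("reduced 30 fails over:", uplink_loss_fails_over(30))
    print("reduced 10 fails over:", uplink_loss_fails_over(10))
```

Running the timeline shows SW2 taking the gateway at t=10 s, SW1 regaining it at t=70 s (uplink back at 50 s plus the 20 s delay) and SW2 taking over immediately when SW1 is powered off. With `reduced 10` instead of 30 the failover on uplink loss never happens, because 110 is still above SW2's 100.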
3>: Configure MSTP: VLAN1 goes into instance 1, VLAN2 and VLAN3 into instance 2, with SW1 as the primary root and SW2 as the secondary root.
SW1:
[sw1]stp mode mstp
[sw1]stp enable
[sw1]stp region-configuration
[sw1-mst-region]region-name a
[sw1-mst-region]instance 1 vlan 1
[sw1-mst-region]instance 2 vlan 2 to 3
[sw1-mst-region]active region-configuration
[sw1-mst-region]quit
[sw1]stp instance 1 root primary
[sw1]stp instance 2 root primary
SW2:
[sw2]stp mode mstp
[sw2]stp enable
[sw2]stp region-configuration
[sw2-mst-region]region-name a
[sw2-mst-region]instance 1 vlan 1
[sw2-mst-region]instance 2 vlan 2 to 3
[sw2-mst-region]active region-configuration
[sw2-mst-region]quit
[sw2]stp instance 1 root secondary
[sw2]stp instance 2 root secondary
SW3:
[sw3]stp mode mstp
[sw3]stp enable
[sw3]stp region-configuration
[sw3-mst-region]region-name a
[sw3-mst-region]instance 1 vlan 1
[sw3-mst-region]instance 2 vlan 2 to 3
[sw3-mst-region]active region-configuration
[sw3-mst-region]quit
SW4:
[sw4]stp mode mstp
[sw4]stp enable
[sw4]stp region-configuration
[sw4-mst-region]region-name a
[sw4-mst-region]instance 1 vlan 1
[sw4-mst-region]instance 2 vlan 2 to 3
[sw4-mst-region]active region-configuration
[sw4-mst-region]quit
4>: Configure IP addresses on the physical interfaces of SW1 and SW2 so that they can communicate with R1.
Note: the simulated Layer 3 switch in eNSP cannot take an IP address directly on a physical interface (real hardware can), so a different approach is needed: set the interface that needs the IP address to access mode, assign it to a dedicated VLAN, and configure the IP address on that VLAN interface, which gives the same effect.
SW1:
[sw1]vlan 10
[sw1-vlan10]quit
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access
[sw1-GigabitEthernet0/0/1]port default vlan 10
[sw1-GigabitEthernet0/0/1]quit
[sw1]interface Vlanif 10
[sw1-Vlanif10]ip address 172.16.0.2 27
[sw1-Vlanif10]quit
SW2:
[sw2]vlan 10
[sw2-vlan10]
[sw2-vlan10]quit
[sw2]interface GigabitEthernet 0/0/1
[sw2-GigabitEthernet0/0/1]port link-type access
[sw2-GigabitEthernet0/0/1]port default vlan 10
[sw2-GigabitEthernet0/0/1]quit
[sw2]interface Vlanif 10
[sw2-Vlanif10]ip address 172.16.0.34 27
[sw2-Vlanif10]quit
R1:
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 172.16.0.1 27
[r1-GigabitEthernet0/0/1]quit
[r1]interface GigabitEthernet 0/0/2
[r1-GigabitEthernet0/0/2]ip address 172.16.0.33 27
[r1-GigabitEthernet0/0/2]quit
Test whether R1 can reach the physical interfaces of SW1 and SW2:
5>: On R1, configure static routes to VLAN1, 2 and 3 with next hops at the SW1 and SW2 interfaces facing R1. The routes whose next hop is SW2's interface are backup routes, so they get a higher (less preferred) preference value.
R1:
[r1]ip route-static 172.16.0.64 27 172.16.0.2
[r1]ip route-static 172.16.0.96 27 172.16.0.2
[r1]ip route-static 172.16.0.128 27 172.16.0.2
[r1]ip route-static 172.16.0.64 27 172.16.0.34 preference 61
[r1]ip route-static 172.16.0.96 27 172.16.0.34 preference 61
[r1]ip route-static 172.16.0.128 27 172.16.0.34 preference 61
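How R1 chooses between the two routes for each VLAN: VRP gives a static route preference 60 by default, so the routes via SW1 (172.16.0.2) win while they are usable, and the `preference 61` routes via SW2 (172.16.0.34) are floating backups that only become active when the primary is withdrawn, which happens when the directly connected link to SW1 goes down. The Python below is an added example, not part of the write-up: a small route-table lookup that applies longest-prefix match, then lowest preference among routes whose next hop is still reachable over an up link. The interface-to-network mapping is taken from steps 4> and 6> on this page; the function names and the default preference constant are my own.

```python
import ipaddress

DEFAULT_PREFERENCE = 60   # VRP default for static routes; the write-up gives the backups 61


class Route:
    def __init__(self, prefix, next_hop, preference=DEFAULT_PREFERENCE):
        self.net = ipaddress.ip_network(prefix)
        self.next_hop = ipaddress.ip_address(next_hop)
        self.preference = preference


def r1_static_routes():
    """The six VLAN routes from step 5> plus the default route from step 6>."""
    routes = []
    for vlan_net in ("172.16.0.64/27", "172.16.0.96/27", "172.16.0.128/27"):
        routes.append(Route(vlan_net, "172.16.0.2"))          # via SW1, preference 60
        routes.append(Route(vlan_net, "172.16.0.34", 61))     # via SW2, floating backup
    routes.append(Route("0.0.0.0/0", "12.1.1.2"))              # towards the ISP
    return routes


# R1's directly connected networks (steps 4> and 6>).
R1_CONNECTED = {
    "GigabitEthernet0/0/1": ipaddress.ip_network("172.16.0.0/27"),
    "GigabitEthernet0/0/2": ipaddress.ip_network("172.16.0.32/27"),
    "GigabitEthernet0/0/0": ipaddress.ip_network("12.1.1.0/24"),
}


def next_hop_reachable(next_hop, down_links):
    """A static route stays active only while its next hop sits on a connected link that is up."""
    return any(
        next_hop in net and ifname not in down_links
        for ifname, net in R1_CONNECTED.items()
    )


def lookup(dst, routes, down_links=()):
    """Return the chosen next hop: longest prefix first, then lowest preference,
    considering only routes whose next hop is reachable. None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    down = set(down_links)
    candidates = [
        r for r in routes
        if dst in r.net and next_hop_reachable(r.next_hop, down)
    ]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.net.prefixlen, -r.preference))
    return str(best.next_hop)


if __name__ == "__main__":
    routes = r1_static_routes()
    print("normal:        ", lookup("172.16.0.70", routes))
    print("SW1 link down: ", lookup("172.16.0.70", routes, down_links=("GigabitEthernet0/0/1",)))
    print("to ISP loopback", lookup("2.2.2.2", routes))
```

Note the last test case: if both links towards SW1 and SW2 are down, the lookup does not return None but falls through to the default route, so traffic for an internal VLAN would be sent to the ISP. That is normal routing behaviour and a reason to be deliberate about what a default route on an edge router may carry.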
6>: Configure public addresses on R1 and R2, and use NAT so that all PCs can reach the ISP loopback.
R1:
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.1.1.1 24
[r1-GigabitEthernet0/0/0]quit
[r1]acl 2000
[r1-acl-basic-2000]rule 5 permit source 172.16.0.0 0.0.0.255
[r1-acl-basic-2000]quit
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]nat outbound 2000
[r1-GigabitEthernet0/0/0]quit
[r1]ip route-static 0.0.0.0 0 12.1.1.2
SW1:
[sw1]ip route-static 0.0.0.0 0 172.16.0.1
SW2:
[sw2]ip route-static 0.0.0.0 0 172.16.0.33
Test whether all PCs can reach the ISP loopback:
PC1:
PC2:
PC3:
PC4:
PC5:
7>: Enable the telnet service on SW1 and configure port mapping on R1.
SW1:
[sw1]user-interface vty 0 4
[sw1-ui-vty0-4]authentication-mode password
[sw1-ui-vty0-4]user privilege level 15
[sw1-ui-vty0-4]set authentication password simple huawei123
[sw1-ui-vty0-4]quit
R1:
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]nat server protocol tcp global current-interface telnet inside 172.16.0.2 telnet
Warning:The port 23 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[r1-GigabitEthernet0/0/0]
Test from R2:
<r2>telnet 12.1.1.1
Press CTRL_] to quit telnet mode
Trying 12.1.1.1 ...
Connected to 12.1.1.1 ...
Login authentication
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2019-11-14 21:54:52.
<sw1>sy
<sw1>system-view
Enter system view, return user view with Ctrl+Z.
[sw1]
[sw1]
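Step 7> is where this lab's exposure lies, so it is worth knowing how to spot it in a configuration dump: `set authentication password simple` stores the VTY password in clear text in the running configuration (the `cipher` form stores it encrypted), `authentication-mode password` means one shared password with no per-user attribution, `user privilege level 15` puts every login at the highest level, and the `nat server` line publishes telnet, a clear-text protocol, from the public interface to an internal switch (VRP's SSH-based alternative is stelnet). The Python below is an added example, not part of the write-up: a small configuration audit that runs over a constructed excerpt of the SW1 and R1 commands from this step (prompts stripped) and reports each finding with the secret redacted. The patterns, severity labels and function names are my own.

```python
import re

# Constructed excerpt of the SW1 and R1 configuration from step 7>, prompts removed.
SAMPLE_CONFIG = """\
user-interface vty 0 4
 authentication-mode password
 user privilege level 15
 set authentication password simple huawei123
interface GigabitEthernet0/0/0
 nat server protocol tcp global current-interface telnet inside 172.16.0.2 telnet
"""

# (pattern, severity, message); severities are this example's own labelling.
FINDINGS = [
    (re.compile(r"^\s*set authentication password simple\s+\S+"), "high",
     "VTY password stored in clear text ('simple'); use 'cipher' so the config does not reveal it"),
    (re.compile(r"^\s*authentication-mode password\b"), "medium",
     "shared VTY password instead of per-user accounts; logins cannot be attributed"),
    (re.compile(r"^\s*nat server .*\btelnet\b.*inside\s+\S+\s+telnet"), "high",
     "telnet (clear-text protocol) published from the public interface to an internal device"),
    (re.compile(r"^\s*user privilege level 15\b"), "low",
     "every VTY login lands at the highest privilege level"),
]


def redact(line):
    """Never copy a clear-text secret into a report."""
    return re.sub(r"(password simple\s+)\S+", r"\1<redacted>", line)


def audit(config_text):
    """Return one finding per matching line: (line number, severity, message, redacted line)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for pattern, severity, message in FINDINGS:
            if pattern.search(line):
                findings.append((lineno, severity, message, redact(line)))
    return findings


def worst_severity(findings):
    """Overall rating of a config: the highest severity among its findings, 'none' if clean."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f[1] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for lineno, severity, message, line in results:
        print(f"line {lineno} [{severity}] {message}\n    {line.strip()}")
    print("overall:", worst_severity(results))
```

The same check can be pointed at a `display current-configuration` dump saved to a file; the redaction step matters because audit reports tend to travel further than the configuration itself.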
Test: shut down SW1 and test again whether the PCs can still reach the ISP loopback.
PC1:
PC2:
PC3:
PC4:
PC5:
3: MSTP test
For the spanning tree, the root bridge is SW1, so to avoid a loop the SW4 port connected to link 3 is blocked. PC4 and PC5 obtain their DHCP leases through the SW4 port connected to link 2 (while the primary gateway is up). Now disconnect link 2 and test whether PC4 and PC5 can still reach the ISP loopback.
SW4:
[sw4]interface Eth0/0/1
[sw4-Ethernet0/0/1]shutdown
PC4:
PC5:
For spanning-tree instance 1, under normal conditions the SW3 port connected to link 2 is blocked (primary gateway up), and PC1 obtains its IP address through the SW3 port connected to link 3. Shut down the SW3 port connected to link 3 and test again whether PC1 can still reach the ISP loopback.
SW3:
[sw3]interface Eth0/0/1
[sw3-Ethernet0/0/1]shutdown
PC1:
With this, the enterprise three-tier architecture in eNSP is complete. Its remaining weakness is that the access-layer PCs have no link redundancy, so the design does not reach full high availability.