VPN Service Isolation
In WAN technology, BGP MPLS VPN uses VPN instances on a single router to isolate identical subnets that are connected to that same router. The VPN instance technique is not tied to BGP MPLS VPN, however: it can equally be used on its own to isolate services from one another.
Lab Network Topology
SW1 has a Layer 3 service segment for VLAN 10 and another for VLAN 20; SW2 likewise has Layer 3 segments for VLAN 10 and VLAN 20. The requirement is that VLAN 10 on SW1 and VLAN 10 on SW2 can communicate, and VLAN 20 on SW1 and VLAN 20 on SW2 can communicate, while VLAN 10 and VLAN 20 must not be able to reach each other in either direction. Creating several VPN instances achieves exactly this service isolation.
Lab Configuration
Based on the topology above, the approach to configuring VPN instances for service isolation is as follows:
1. Create the VPN instances
2. Switches: create the VLANs, bind the VLANIF interfaces to the VPN instances, and add the physical interfaces to the corresponding VLANs
   Routers: create sub-interfaces and bind these Layer 3 sub-interfaces to the VPN instances
3. Configure multiple OSPF processes
SW1 Configuration
Create the VPN instances
<Huawei>system-view
[Huawei]sysname SW1
[SW1]ip vpn-instance vpn1    // create a VPN instance
[SW1-vpn-instance-vpn1]ipv4-family
[SW1-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1    // set the RD
[SW1-vpn-instance-vpn1-af-ipv4]vpn-target 100:1
[SW1-vpn-instance-vpn1-af-ipv4]q
[SW1-vpn-instance-vpn1]q
[SW1]ip vpn-instance vpn2
[SW1-vpn-instance-vpn2]ipv4-family
[SW1-vpn-instance-vpn2-af-ipv4]route-distinguisher 200:1
[SW1-vpn-instance-vpn2-af-ipv4]vpn-target 200:1
[SW1-vpn-instance-vpn2-af-ipv4]q
[SW1-vpn-instance-vpn2]q
Create the VLANs and bind the VLANIF interfaces to the VPN instances
[SW1]vlan batch 10 20
[SW1]interface Vlanif 10
[SW1-Vlanif10]ip binding vpn-instance vpn1    // bind the Layer 3 virtual interface to the VPN instance
[SW1-Vlanif10]ip address 192.168.1.1 24
[SW1-Vlanif10]q
[SW1]int Vlanif 20
[SW1-Vlanif20]ip binding vpn-instance vpn2
[SW1-Vlanif20]ip address 192.168.2.1 24
Add the switch interfaces to the corresponding VLANs
Here G0/0/1 is configured as a trunk, while G0/0/2 and G0/0/3 use access and hybrid respectively; the difference between these two port types is explained in the FAQ.
[SW1]int GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[SW1-GigabitEthernet0/0/1]q
[SW1]int GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 10
[SW1-GigabitEthernet0/0/2]q
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type hybrid
[SW1-GigabitEthernet0/0/3]port hybrid untagged vlan 20
[SW1-GigabitEthernet0/0/3]port hybrid pvid vlan 20
[SW1-GigabitEthernet0/0/3]q
Configure multiple OSPF processes
Create one OSPF process per VPN instance, so that the VLAN 10 and VLAN 20 routes are learned separately and the services stay isolated.
[SW1]ospf 1 vpn-instance vpn1
[SW1-ospf-1]area 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]q
[SW1-ospf-1]q
[SW1]ospf 2 vpn-instance vpn2
[SW1-ospf-2]area 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 192.168.2.0 0.0.0.255
R1 Configuration
Create the VPN instances
<Huawei>system-view
[Huawei]sysname R1
[R1]ip vpn-instance vpn1
[R1-vpn-instance-vpn1]ipv4-family
[R1-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1
[R1-vpn-instance-vpn1-af-ipv4]vpn-target 100:1
[R1-vpn-instance-vpn1-af-ipv4]q
[R1-vpn-instance-vpn1]q
[R1]ip vpn-instance vpn2
[R1-vpn-instance-vpn2]ipv4-family
[R1-vpn-instance-vpn2-af-ipv4]route-distinguisher 200:1
[R1-vpn-instance-vpn2-af-ipv4]vpn-target 200:1
[R1-vpn-instance-vpn2-af-ipv4]q
[R1-vpn-instance-vpn2]q
Create the sub-interfaces and bind these Layer 3 sub-interfaces to the VPN instances
[R1]int GigabitEthernet 0/0/0.10
[R1-GigabitEthernet0/0/0.10]ip binding vpn-instance vpn1
[R1-GigabitEthernet0/0/0.10]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/0.10]dot1q termination vid 10    // for a router sub-interface to work, it must be explicitly tagged with VLAN 10 or VLAN 20
[R1-GigabitEthernet0/0/0.10]arp broadcast enable    // enable ARP broadcast on the sub-interface
[R1-GigabitEthernet0/0/0.10]q
[R1]int GigabitEthernet 0/0/0.20
[R1-GigabitEthernet0/0/0.20]ip binding vpn-instance vpn2
[R1-GigabitEthernet0/0/0.20]ip address 192.168.2.254 24
[R1-GigabitEthernet0/0/0.20]dot1q termination vid 20
[R1-GigabitEthernet0/0/0.20]arp broadcast enable
[R1-GigabitEthernet0/0/0.20]q
[R1]int GigabitEthernet 0/0/1.10
[R1-GigabitEthernet0/0/1.10]ip binding vpn-instance vpn1
[R1-GigabitEthernet0/0/1.10]ip address 10.1.1.1 24
[R1-GigabitEthernet0/0/1.10]dot1q termination vid 10
[R1-GigabitEthernet0/0/1.10]arp broadcast enable
[R1-GigabitEthernet0/0/1.10]q
[R1]int GigabitEthernet 0/0/1.20
[R1-GigabitEthernet0/0/1.20]ip binding vpn-instance vpn2
[R1-GigabitEthernet0/0/1.20]ip address 10.1.2.1 24
[R1-GigabitEthernet0/0/1.20]dot1q termination vid 20
[R1-GigabitEthernet0/0/1.20]arp broadcast enable
Configure multiple OSPF processes
[R1]ospf 1 vpn-instance vpn1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]q
[R1-ospf-1]q
[R1]ospf 2 vpn-instance vpn2
[R1-ospf-2]area 0.0.0.0
[R1-ospf-2-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[R1-ospf-2-area-0.0.0.0]network 10.1.2.0 0.0.0.255
R2 Configuration
Create the VPN instances
<Huawei>system-view
[Huawei]sysname R2
[R2]ip vpn-instance vpn1
[R2-vpn-instance-vpn1]ipv4-family
[R2-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1
[R2-vpn-instance-vpn1-af-ipv4]vpn-target 100:1
[R2-vpn-instance-vpn1-af-ipv4]q
[R2-vpn-instance-vpn1]q
[R2]ip vpn-instance vpn2
[R2-vpn-instance-vpn2]ipv4-family
[R2-vpn-instance-vpn2-af-ipv4]route-distinguisher 200:1
[R2-vpn-instance-vpn2-af-ipv4]vpn-target 200:1
[R2-vpn-instance-vpn2-af-ipv4]q
[R2-vpn-instance-vpn2]q
Create the sub-interfaces and bind these Layer 3 sub-interfaces to the VPN instances
[R2]int g0/0/0.10
[R2-GigabitEthernet0/0/0.10]ip binding vpn-instance vpn1
[R2-GigabitEthernet0/0/0.10]ip address 10.1.1.2 24
[R2-GigabitEthernet0/0/0.10]dot1q termination vid 10
[R2-GigabitEthernet0/0/0.10]arp broadcast enable
[R2-GigabitEthernet0/0/0.10]q
[R2]int g0/0/0.20
[R2-GigabitEthernet0/0/0.20]ip binding vpn-instance vpn2
[R2-GigabitEthernet0/0/0.20]ip address 10.1.2.2 24
[R2-GigabitEthernet0/0/0.20]dot1q termination vid 20
[R2-GigabitEthernet0/0/0.20]arp broadcast enable
[R2-GigabitEthernet0/0/0.20]q
[R2]int GigabitEthernet 0/0/1.10
[R2-GigabitEthernet0/0/1.10]ip binding vpn-instance vpn1
[R2-GigabitEthernet0/0/1.10]ip address 172.16.1.254 24
[R2-GigabitEthernet0/0/1.10]dot1q termination vid 10
[R2-GigabitEthernet0/0/1.10]arp broadcast enable
[R2-GigabitEthernet0/0/1.10]q
[R2]int GigabitEthernet 0/0/1.20
[R2-GigabitEthernet0/0/1.20]ip binding vpn-instance vpn2
[R2-GigabitEthernet0/0/1.20]ip address 172.16.2.254 24
[R2-GigabitEthernet0/0/1.20]dot1q termination vid 20
[R2-GigabitEthernet0/0/1.20]arp broadcast enable
Configure multiple OSPF processes
[R2]ospf 1 vpn-instance vpn1
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]q
[R2-ospf-1]q
[R2]ospf 2 vpn-instance vpn2
[R2-ospf-2]area 0.0.0.0
[R2-ospf-2-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[R2-ospf-2-area-0.0.0.0]network 172.16.2.0 0.0.0.255
SW2 Configuration
Create the VPN instances
<Huawei>system-view
[Huawei]sysname SW2
[SW2]ip vpn-instance vpn1
[SW2-vpn-instance-vpn1]ipv4-family
[SW2-vpn-instance-vpn1-af-ipv4]route-distinguisher 100:1
[SW2-vpn-instance-vpn1-af-ipv4]vpn-target 100:1
[SW2-vpn-instance-vpn1-af-ipv4]q
[SW2-vpn-instance-vpn1]q
[SW2]ip vpn-instance vpn2
[SW2-vpn-instance-vpn2]ipv4-family
[SW2-vpn-instance-vpn2-af-ipv4]route-distinguisher 200:1
[SW2-vpn-instance-vpn2-af-ipv4]vpn-target 200:1
[SW2-vpn-instance-vpn2-af-ipv4]q
[SW2-vpn-instance-vpn2]q
Create the VLANs and bind the VLANIF interfaces to the VPN instances
[SW2]vlan batch 10 20
[SW2]int Vlanif 10
[SW2-Vlanif10]ip binding vpn-instance vpn1
[SW2-Vlanif10]ip address 172.16.1.1 24
[SW2-Vlanif10]q
[SW2]int Vlanif 20
[SW2-Vlanif20]ip binding vpn-instance vpn2
[SW2-Vlanif20]ip address 172.16.2.1 24
Add the switch interfaces to the corresponding VLANs
[SW2]int GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type access
[SW2-GigabitEthernet0/0/2]port default vlan 10
[SW2-GigabitEthernet0/0/2]q
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type hybrid
[SW2-GigabitEthernet0/0/3]port hybrid untagged vlan 20
[SW2-GigabitEthernet0/0/3]port hybrid pvid vlan 20
Configure multiple OSPF processes
[SW2]ospf 1 vpn-instance vpn1
[SW2-ospf-1]area 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[SW2-ospf-1-area-0.0.0.0]q
[SW2-ospf-1]q
[SW2]ospf 2 vpn-instance vpn2
[SW2-ospf-2]area 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]network 172.16.2.0 0.0.0.255
Verification
Once the configuration is complete, the same VLAN on SW1 and SW2 can communicate, while different VLANs cannot.
PC1 can ping PC3, but PC1 cannot ping PC4.
AR1 can ping G0/0/1.10 on AR2, but cannot ping G0/0/1.20.
[R1]ping -vpn-instance vpn1 -a 192.168.1.254 172.16.1.254
  PING 172.16.1.254: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.254: bytes=56 Sequence=1 ttl=255 time=20 ms
    Reply from 172.16.1.254: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 172.16.1.254: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 172.16.1.254: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 172.16.1.254: bytes=56 Sequence=5 ttl=255 time=30 ms

  --- 172.16.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/20/30 ms

[R1]ping -vpn-instance vpn1 -a 192.168.1.254 172.16.2.254
  PING 172.16.2.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.2.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Looking at the per-instance routing tables shows that each VPN instance on SW1 has learned only the routes belonging to that same VPN.
[SW1]display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  OSPF    10   2           D   192.168.1.254   Vlanif10
     172.16.1.0/24  OSPF    10   3           D   192.168.1.254   Vlanif10
    192.168.1.0/24  Direct  0    0           D   192.168.1.1     Vlanif10
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif10

[SW1]display ip routing-table vpn-instance vpn2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn2
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.2.0/24  OSPF    10   2           D   192.168.2.254   Vlanif20
     172.16.2.0/24  OSPF    10   3           D   192.168.2.254   Vlanif20
    192.168.2.0/24  Direct  0    0           D   192.168.2.1     Vlanif20
    192.168.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
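The isolation property above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original post: it parses `display ip routing-table vpn-instance` output in the VRP column layout shown above and reports any prefix in one VPN instance's table that belongs to another instance's addressing plan. The sample output and the PLAN dictionary are constructed from this lab's addresses; the parser itself works for any number of VPN instances.

```python
import ipaddress
import re

# Constructed sample re-typing the two SW1 routing tables shown above in VRP column layout.
SAMPLE = """\
Routing Tables: vpn1
       10.1.1.0/24  OSPF    10   2           D   192.168.1.254   Vlanif10
     172.16.1.0/24  OSPF    10   3           D   192.168.1.254   Vlanif10
    192.168.1.0/24  Direct  0    0           D   192.168.1.1     Vlanif10
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
Routing Tables: vpn2
       10.1.2.0/24  OSPF    10   2           D   192.168.2.254   Vlanif20
     172.16.2.0/24  OSPF    10   3           D   192.168.2.254   Vlanif20
    192.168.2.0/24  Direct  0    0           D   192.168.2.1     Vlanif20
    192.168.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
"""
# Addressing plan of the lab: the prefixes each VPN instance is allowed to carry.
PLAN = {"vpn1": ["192.168.1.0/24", "10.1.1.0/24", "172.16.1.0/24"],
        "vpn2": ["192.168.2.0/24", "10.1.2.0/24", "172.16.2.0/24"]}

# One route row: prefix, protocol, preference, cost, optional flags, next hop, interface.
ROUTE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(\S+)\s+\d+\s+\d+\s+"
                      r"(?:[RD]+\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

def parse_vrf_tables(text):
    """Return {vrf: [(prefix, proto, nexthop, iface), ...]} from VRP display output."""
    tables, vrf = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Routing Tables:\s*(\S+)", line)
        if header:
            vrf = header.group(1)
            continue
        row = ROUTE_RE.match(line)
        if row and vrf:
            tables.setdefault(vrf, []).append(row.groups())
    return tables

def covered(net, prefixes):
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in prefixes)

def find_leaks(tables, plan):
    """Routes a VRF's own plan does not cover (a /32 host route inside an allowed prefix is fine),
    each labelled with the VRF whose plan owns the prefix, or 'unplanned'."""
    leaks = []
    for vrf, routes in tables.items():
        for prefix, _proto, _nexthop, _iface in routes:
            net = ipaddress.ip_network(prefix)
            if covered(net, plan.get(vrf, [])):
                continue
            owner = next((v for v, ps in plan.items() if covered(net, ps)), None)
            leaks.append((vrf, prefix, owner or "unplanned"))
    return leaks
```

Run against the lab output it returns an empty list; a 192.168.1.0/24 route showing up in the vpn2 table would be reported as leaked from vpn1.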
FAQ
1. In the switch interface configuration, what is the difference between a hybrid port and an access port?
On Huawei switches, the port link type (access, hybrid, trunk) determines how the port handles VLAN tags. The basics of each type:
- Access port: usually connects end devices such as PCs. An access port belongs to only one VLAN, and the frames it sends and receives are untagged. When a frame passes through an access port, the switch adds the VLAN tag to it (when sending) or removes the VLAN tag (when receiving).
- Hybrid port: can belong to multiple VLANs and can send and receive both tagged and untagged frames. A hybrid port allows a default VLAN (PVID) to be configured; frames of that VLAN are sent untagged.
- Trunk port: usually used for links between switches. A trunk port can belong to multiple VLANs, and the frames it sends and receives are tagged, unless a specific VLAN is configured to be sent untagged.
In the SW configuration above, if access is used, only port default vlan 10 needs to be configured; the interface then treats VLAN 10 as its default VLAN. Frames sent by the PC are untagged, and the switch treats them as belonging to VLAN 10.
If hybrid is used, port hybrid tagged vlan 10 configures VLAN 10 as a tagged VLAN, meaning the switch expects the VLAN 10 frames it receives to carry a VLAN tag. A PC normally does not send tagged frames, so the switch cannot handle them correctly and communication fails.
To solve this, configure VLAN 10 as the untagged default VLAN (PVID) on the hybrid port, so that the untagged frames sent by the PC are treated by the switch as belonging to VLAN 10. The configuration is as follows:
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type hybrid
[SW1-GigabitEthernet0/0/1] port hybrid untagged vlan 10    // tagged changed to untagged here
[SW1-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SW1-GigabitEthernet0/0/1] quit
2. Why does the interface IP address disappear after binding the VPN instance?
On Huawei devices, when you bind an interface to a VPN instance, the existing IPv4 and IPv6 configuration on that interface is cleared. This is because, within a VPN instance, the interface's IP address configuration is associated with the VPN instance rather than directly with the physical interface.
Therefore, the IP address must be configured after binding the VPN instance.
[R1-GigabitEthernet0/0/0.10]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/0.10]ip binding vpn-instance vpn1
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
3. Why can't SW1 ping AR2?
Symptom: SW1 cannot ping AR2, while AR1 can ping both SW1 and AR2. A packet capture shows the ping entering AR1 on G0/0/0.10 but never leaving on G0/0/1.10.
There are two important commands in the router sub-interface configuration:
[R1]int g0/0/0.10    // enter the sub-interface
[R1-GigabitEthernet0/0/0.10]ip add 192.168.1.254 24    // configure the sub-interface address
[R1-GigabitEthernet0/0/0.10]dot1q termination vid 10    // VLAN ID whose dot1q tag is terminated here
[R1-GigabitEthernet0/0/0.10]arp broadcast enable    // enable ARP broadcast on the sub-interface (off by default)
dot1q termination vid 10: for a router sub-interface to work, the sub-interface must be explicitly tagged with VLAN 10 or VLAN 20.
arp broadcast enable: ARP broadcast must be enabled on the sub-interface; you can verify the difference in the ARP table with and without ARP broadcast using display arp vpn-instance vpn1.