01-H3C S12500 EVI Extended VLAN Binding to a VPN: Configuration Example
This document describes a configuration example for binding EVI extended VLANs to a VPN.
EVI (Ethernet Virtualization Interconnect) is a large-scale Layer 2 interconnection technology that runs over an IP core network. It lets virtual machines migrate freely between physical sites across the IP core without changing the routing or forwarding information inside the sites or in the IP core network.
When an extended VLAN interface in an EVI site is assigned an IP address, different extended VLANs can communicate at Layer 3. By binding some of the extended VLANs to the same VPN, their traffic can be isolated at Layer 3 from the other extended VLANs.
The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following example.
This document assumes that you are familiar with the EVI and VPN features.
· A local EVI edge device cannot act as the gateway for a remote data center.
· The EVI feature requires the matching license. Licenses fall into two categories, campus network licenses and data center licenses; only the data center license supports EVI.
As shown in Figure 1, a company has set up three data centers in three different regions and requires EVI to interconnect them at Layer 2, so that resources can be allocated and managed dynamically across data centers, services and servers in the same VLAN can migrate freely, migration is transparent to users, and the IP addresses of the services and servers do not change during migration (otherwise user traffic would be interrupted). The specific requirements are as follows:
· VLAN 10, VLAN 20, VLAN 30 and VLAN 40 of the three data centers are interconnected at Layer 2 across the carrier network (a Layer 3 IP network);
· VLAN 10 and VLAN 20 are bound to VPN 1 so that they are isolated at Layer 3 from the other VLANs, while VLAN 10 and VLAN 20 can still reach each other at Layer 3 and the other VLANs can also reach each other at Layer 3;
· To save cost, the EVI edge devices Switch A, Switch B and Switch C serve directly as the gateways of their respective data centers.
Figure 1 Network diagram for binding EVI extended VLANs to a VPN

Device | Interface | IP address
--- | --- | ---
Switch A | Loop0 | 1.1.1.1/32
Switch A | Loop1 | 1.1.1.2/32
Switch A | Vlan-int100 | 100.1.1.1/24
Switch A | Vlan-int10 | 10.1.1.1/24
Switch A | Vlan-int20 | 20.1.1.1/24
Switch A | Vlan-int30 | 30.1.1.1/24
Switch A | Vlan-int40 | 40.1.1.1/24
Switch B | Loop0 | 2.2.2.2/32
Switch B | Loop1 | 2.2.2.3/32
Switch B | Vlan-int100 | 100.1.1.2/24
Switch B | Vlan-int10 | 10.1.1.2/24
Switch B | Vlan-int20 | 20.1.1.2/24
Switch B | Vlan-int30 | 30.1.1.2/24
Switch B | Vlan-int40 | 40.1.1.2/24
Switch C | Loop0 | 3.3.3.3/32
Switch C | Loop1 | 3.3.3.4/32
Switch C | Vlan-int100 | 100.1.1.3/24
Switch C | Vlan-int10 | 10.1.1.3/24
Switch C | Vlan-int20 | 20.1.1.3/24
Switch C | Vlan-int30 | 30.1.1.3/24
Switch C | Vlan-int40 | 40.1.1.3/24
· To provide Layer 2 connectivity for VLAN 10, VLAN 20, VLAN 30 and VLAN 40 between the data centers, set up an EVI network among Switch A, Switch B and Switch C and configure VLAN 10, VLAN 20, VLAN 30 and VLAN 40 as extended VLANs;
· So that services and servers need not change their IP address or gateway during migration, create the same VRRP group on the gateways Switch A, Switch B and Switch C of each data center. Because this example requires the EVI edge devices to act directly as gateways, Switch A, Switch B and Switch C are all configured as VRRP master with the same virtual IP address. To prevent IP address conflict alarms between sites, configure a filtering policy that drops the gratuitous ARP packets generated by VRRP;
· To enable Layer 3 forwarding within the VPN instance across sites, configure GRE tunnels to carry the traffic of the VPN instance.
This example was configured and verified on version S12500-CMW710-R7328P02.
· All edge devices in an EVI network instance must be configured with the same network ID, but different Tunnel interfaces on the same edge device must use different network IDs;
· The extended VLANs configured on all edge devices in an EVI network instance must be identical; otherwise data in the extended VLANs may leak;
· Different EVI network instances cannot use the same extended VLAN.
· Vlan-interface1 cannot be used as the public network interface of an EVI edge device;
· The VLAN interface of an EVI extended VLAN cannot be used as the outgoing public network interface.
If the local EVI edge device receives no packets from the remote data center within the aging time of a dynamic MAC address entry, the entry is not refreshed; it simply ages out and is deleted. Packets destined for the remote data center are then dropped because the local EVI edge device finds no matching entry in its MAC address table, which creates a traffic black hole. A dynamic MAC address entry is refreshed only when the EVI edge device learns the corresponding ARP entry.
To prevent traffic black holes, configure a MAC address entry aging time that is not shorter than the dynamic ARP entry aging time. By default, the S12500 ages dynamic ARP entries after 25 minutes and dynamic MAC address entries after 5 minutes. It is therefore recommended to change the dynamic MAC address aging time to 30 minutes.
Before configuring the filtering policy for the VRRP gratuitous ARP packets, use the display vrrp verbose command to look up the virtual MAC address of each VRRP group.
· All extended VLANs in one EVI network instance can be bound to only one VPN instance. If the deployment needs to bind multiple VPNs, create multiple EVI network instances.
· After binding an interface to a VPN instance, you must reconfigure the IP address of the interface.
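The deployment rules above can be checked mechanically before the configuration is pushed. The following Python script is an added example, not part of the H3C document or its software: it parses configuration text in the shape of the running-config listings at the end of this page (a constructed, condensed version is embedded) and reports violations of the rules just listed, including whether each VRRP virtual MAC (00-00-5E-00-01-VRID, as shown by display vrrp verbose) is covered by an outbound ARP-deny ACL on its VLAN.

```python
"""Consistency audit for this page's EVI / VRRP / packet-filter design (added example,
not H3C code). Parses H3C-style config text; only explicit extend-vlan lists are read."""
import re
from collections import defaultdict

ARP_AGING_DEFAULT = 25 * 60   # S12500 default dynamic ARP aging (page: 25 minutes)
MAC_AGING_DEFAULT = 5 * 60    # S12500 default dynamic MAC aging (page: 5 minutes)


def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC 00-00-5E-00-01-{VRID}, in H3C xxxx-xxxx-xxxx notation."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"0000-5e00-01{vrid:02x}"


def parse_config(text):
    """Pull the facts the audit needs out of one device's configuration text."""
    cfg = {"sysname": "?", "mac_aging": MAC_AGING_DEFAULT, "tunnels": {},
           "vrrp": {}, "filters": {}, "acl_mac": {}}
    ctx = None                                  # current interface/ACL view, if any
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "#":
            ctx = None
        elif m := re.match(r"sysname (\S+)", line):
            cfg["sysname"] = m[1]
        elif m := re.match(r"mac-address timer aging (\d+)", line):
            cfg["mac_aging"] = int(m[1])
        elif m := re.match(r"packet-filter (\d+) vlan (\d+) outbound", line):
            cfg["filters"][int(m[2])] = int(m[1])           # VLAN -> ACL number
        elif m := re.match(r"interface (Tunnel ?\d+) mode evi", line):
            ctx = cfg["tunnels"][m[1]] = {"nid": None, "vlans": set()}
        elif m := re.match(r"interface Vlan-interface ?(\d+)", line):
            ctx = ("vlan", int(m[1]))
        elif m := re.match(r"acl number (\d+)", line):
            ctx = ("acl", int(m[1]))
        elif isinstance(ctx, dict):                         # inside an EVI tunnel view
            if m := re.match(r"evi network-id (\d+)", line):
                ctx["nid"] = int(m[1])
            elif m := re.match(r"evi extend-vlan ([\d ]+)$", line):
                ctx["vlans"].update(int(v) for v in m[1].split())
        elif ctx and ctx[0] == "vlan":
            if m := re.match(r"vrrp vrid (\d+) virtual-ip", line):
                cfg["vrrp"][ctx[1]] = int(m[1])             # VLAN -> VRID
        elif ctx and ctx[0] == "acl":
            if m := re.match(r"rule \d+ deny type 0806 ffff source-mac (\S+) ffff", line):
                cfg["acl_mac"][ctx[1]] = m[1].lower()       # ACL -> denied source MAC
    return cfg


def audit(config_texts):
    """Return sorted rule violations; an empty list means the design is consistent."""
    findings = set()
    nid_vlans = defaultdict(dict)               # network-id -> {sysname: extended VLANs}
    for cfg in map(parse_config, config_texts):
        name = cfg["sysname"]
        for t in cfg["tunnels"].values():
            nid_vlans[t["nid"]][name] = t["vlans"]
        if cfg["mac_aging"] < ARP_AGING_DEFAULT:  # rule: MAC aging >= ARP aging
            findings.add(f"{name}: MAC aging {cfg['mac_aging']}s below ARP aging, black-hole risk")
        for vlan, vrid in cfg["vrrp"].items():  # rule: drop gratuitous ARP from the virtual MAC
            want = vrrp_virtual_mac(vrid)
            if cfg["acl_mac"].get(cfg["filters"].get(vlan)) != want:
                findings.add(f"{name}: VLAN {vlan} has no outbound ACL denying ARP from {want}")
    owner = {}                                  # VLAN -> network-id that first claimed it
    for nid, per_dev in nid_vlans.items():
        sets = list(per_dev.values())
        if any(s != sets[0] for s in sets):     # rule: identical extend-vlan set on every device
            findings.add(f"network-id {nid}: extend-vlan sets differ across devices")
        for v in set().union(*sets):            # rule: a VLAN belongs to one network instance
            if owner.setdefault(v, nid) != nid:
                findings.add(f"VLAN {v} is extended by network-ids {owner[v]} and {nid}")
    return sorted(findings)


def sample_site(name, n, vlans="10 20", mac_aging=1800, denied_mac="0000-5e00-010a"):
    """Constructed, condensed device configuration in the shape of the page's listings."""
    return f"""sysname {name}
packet-filter 4010 vlan 10 outbound
mac-address timer aging {mac_aging}
interface Vlan-interface10
 ip address 10.1.1.{n} 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.1.254
interface Tunnel1 mode evi
 evi extend-vlan {vlans}
 evi network-id 1
interface Tunnel2 mode evi
 evi extend-vlan 30 40
 evi network-id 2
acl number 4010
 rule 5 deny type 0806 ffff source-mac {denied_mac} ffff-ffff-ffff
"""


SITES = [sample_site("SwitchA", 1), sample_site("SwitchB", 2), sample_site("SwitchC", 3)]
# Constructed drift on Switch B: VLAN 30 in network-id 1 instead of VLAN 20, default MAC
# aging, and an ACL that denies a MAC other than VRID 10's virtual MAC.
DRIFTED = [SITES[0], sample_site("SwitchB", 2, "10 30", 300, "0000-5e00-0114"), SITES[2]]

if __name__ == "__main__":
    print(audit(SITES) or "page design consistent", *audit(DRIFTED), sep="\n")
```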
(1) Configure IP addresses and routing on the interfaces of Switch A
# Configure the public network interface of Switch A (that is, the public network interface of the EVI edge device).
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface gigabitethernet 5/0/1
[SwitchA-GigabitEthernet5/0/1] port access vlan 100
[SwitchA-GigabitEthernet5/0/1] evi enable
[SwitchA-GigabitEthernet5/0/1] undo shutdown
[SwitchA-GigabitEthernet5/0/1] quit
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 100.1.1.1 24
[SwitchA-Vlan-interface100] undo shutdown
[SwitchA-Vlan-interface100] quit
# Create the Loopback interfaces that serve as the source interfaces of the EVI tunnels.
[SwitchA] interface LoopBack 0
[SwitchA-LoopBack0] ip address 1.1.1.1 32
[SwitchA-LoopBack0] quit
[SwitchA] interface LoopBack 1
[SwitchA-LoopBack1] ip address 1.1.1.2 32
[SwitchA-LoopBack1] quit
# Configure OSPF to advertise the public network routes.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[SwitchA-ospf-1-area-0.0.0.0] network 1.1.1.2 0.0.0.0
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
# Configure the extended VLAN interfaces of Switch A.
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] quit
[SwitchA] vlan 40
[SwitchA-vlan40] quit
[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-type trunk
[SwitchA-GigabitEthernet3/0/1] undo port trunk permit vlan 1
[SwitchA-GigabitEthernet3/0/1] port trunk permit vlan 10 20 30 40
[SwitchA-GigabitEthernet3/0/1] undo shutdown
[SwitchA-GigabitEthernet3/0/1] quit
# Assign IP addresses to the extended VLAN interfaces to enable Layer 3 connectivity between the extended VLANs.
[SwitchA] interface vlan-interface 30
[SwitchA-Vlan-interface30] ip address 30.1.1.1 24
[SwitchA-Vlan-interface30] undo shutdown
[SwitchA-Vlan-interface30] quit
[SwitchA] interface vlan-interface 40
[SwitchA-Vlan-interface40] ip address 40.1.1.1 24
[SwitchA-Vlan-interface40] undo shutdown
[SwitchA-Vlan-interface40] quit
(2) Configure the EVI tunnels
# Set up the EVI tunnels.
[SwitchA] interface Tunnel 1 mode evi
[SwitchA-Tunnel1] source LoopBack 0
[SwitchA-Tunnel1] evi network-id 1
[SwitchA-Tunnel1] evi neighbor-discovery server enable
[SwitchA-Tunnel1] evi extend-vlan 10 20
[SwitchA-Tunnel1] quit
[SwitchA] interface Tunnel 2 mode evi
[SwitchA-Tunnel2] source LoopBack 1
[SwitchA-Tunnel2] evi network-id 2
[SwitchA-Tunnel2] evi neighbor-discovery server enable
[SwitchA-Tunnel2] evi extend-vlan 30 40
# Enable ARP flood suppression to reduce ARP flooding over the EVI tunnels.
[SwitchA-Tunnel2] evi arp-suppression enable
[SwitchA-Tunnel2] quit
[SwitchA] interface Tunnel 1
[SwitchA-Tunnel1] evi arp-suppression enable
[SwitchA-Tunnel1] quit
# Set the MAC address entry aging time to 30 minutes.
[SwitchA] mac-address timer aging 1800
(3) Configure VRRP
# Create the VRRP groups.
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] vrrp vrid 10 virtual-ip 10.1.1.254
[SwitchA-Vlan-interface10] quit
[SwitchA] interface Vlan-interface 20
[SwitchA-Vlan-interface20] vrrp vrid 20 virtual-ip 20.1.1.254
[SwitchA-Vlan-interface20] quit
[SwitchA] interface Vlan-interface 30
[SwitchA-Vlan-interface30] vrrp vrid 30 virtual-ip 30.1.1.254
[SwitchA-Vlan-interface30] quit
[SwitchA] interface Vlan-interface 40
[SwitchA-Vlan-interface40] vrrp vrid 40 virtual-ip 40.1.1.254
[SwitchA-Vlan-interface40] quit
# Configure ACLs that match the virtual MAC addresses of the VRRP groups.
[SwitchA] display vrrp verbose
IPv4 Virtual Router Information:
Running Mode : Standard
Total number of virtual routers : 4
Interface Vlan-interface10
VRID : 10 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 10.1.1.254
Virtual MAC : 0000-5e00-010a
Master IP : 10.1.1.1
Interface Vlan-interface20
VRID : 20 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 20.1.1.254
Virtual MAC : 0000-5e00-0114
Master IP : 20.1.1.1
Interface Vlan-interface30
VRID : 30 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 30.1.1.254
Virtual MAC : 0000-5e00-011e
Master IP : 30.1.1.1
Interface Vlan-interface40
VRID : 40 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 40.1.1.254
Virtual MAC : 0000-5e00-0128
Master IP : 40.1.1.1
[SwitchA] acl number 4010
[SwitchA-acl-ethernetframe-4010] rule 5 deny type 0806 ffff source-mac 0000-5e00-010a ffff-ffff-ffff
[SwitchA-acl-ethernetframe-4010] quit
[SwitchA] acl number 4020
[SwitchA-acl-ethernetframe-4020] rule 5 deny type 0806 ffff source-mac 0000-5e00-0114 ffff-ffff-ffff
[SwitchA-acl-ethernetframe-4020] quit
[SwitchA] acl number 4030
[SwitchA-acl-ethernetframe-4030] rule 5 deny type 0806 ffff source-mac 0000-5e00-011e ffff-ffff-ffff
[SwitchA-acl-ethernetframe-4030] quit
[SwitchA] acl number 4040
[SwitchA-acl-ethernetframe-4040] rule 5 deny type 0806 ffff source-mac 0000-5e00-0128 ffff-ffff-ffff
[SwitchA-acl-ethernetframe-4040] quit
# Apply the packet filters in the outbound direction of the extended VLANs to drop the VRRP gratuitous ARP packets.
[SwitchA] packet-filter 4010 vlan 10 outbound
[SwitchA] packet-filter 4020 vlan 20 outbound
[SwitchA] packet-filter 4030 vlan 30 outbound
[SwitchA] packet-filter 4040 vlan 40 outbound
(4) Bind the extended VLANs to the VPN
# Create the VPN instance used to isolate VLAN 10 and VLAN 20.
[SwitchA] ip vpn-instance vpn1
[SwitchA-vpn-instance-vpn1] route-distinguisher 10:20
[SwitchA-vpn-instance-vpn1] quit
# Create the GRE tunnels. Because there are three sites, each site needs two GRE tunnels.
[SwitchA] interface tunnel 20 mode gre
[SwitchA-Tunnel20] description to-site2
[SwitchA-Tunnel20] ip binding vpn-instance vpn1
[SwitchA-Tunnel20] ip address 10.20.1.1 255.255.255.0
[SwitchA-Tunnel20] source 1.1.1.1
[SwitchA-Tunnel20] destination 2.2.2.2
[SwitchA-Tunnel20] quit
[SwitchA] interface tunnel 30 mode gre
[SwitchA-Tunnel30] description to-site3
[SwitchA-Tunnel30] ip binding vpn-instance vpn1
[SwitchA-Tunnel30] ip address 10.30.1.1 255.255.255.0
[SwitchA-Tunnel30] source 1.1.1.1
[SwitchA-Tunnel30] destination 3.3.3.3
[SwitchA-Tunnel30] quit
# Bind extended VLAN 10 and VLAN 20 to VPN 1.
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] ip binding vpn-instance vpn1
[SwitchA-Vlan-interface10] ip address 10.1.1.1 24
[SwitchA-Vlan-interface10] undo shutdown
[SwitchA-Vlan-interface10] quit
[SwitchA] interface Vlan-interface 20
[SwitchA-Vlan-interface20] ip binding vpn-instance vpn1
[SwitchA-Vlan-interface20] ip address 20.1.1.1 24
[SwitchA-Vlan-interface20] undo shutdown
[SwitchA-Vlan-interface20] quit
(1) Configure IP addresses and routing on the interfaces of Switch B
# Configure the public network interface of Switch B (that is, the public network interface of the EVI edge device).
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] quit
[SwitchB] interface gigabitethernet 5/0/1
[SwitchB-GigabitEthernet5/0/1] port access vlan 100
[SwitchB-GigabitEthernet5/0/1] evi enable
[SwitchB-GigabitEthernet5/0/1] undo shutdown
[SwitchB-GigabitEthernet5/0/1] quit
[SwitchB] interface Vlan-interface 100
[SwitchB-Vlan-interface100] ip address 100.1.1.2 24
[SwitchB-Vlan-interface100] undo shutdown
[SwitchB-Vlan-interface100] quit
# Create the Loopback interfaces that serve as the source interfaces of the EVI tunnels.
[SwitchB] interface LoopBack 0
[SwitchB-LoopBack0] ip address 2.2.2.2 32
[SwitchB-LoopBack0] quit
[SwitchB] interface LoopBack 1
[SwitchB-LoopBack1] ip address 2.2.2.3 32
[SwitchB-LoopBack1] quit
# Configure OSPF to advertise the public network routes.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[SwitchB-ospf-1-area-0.0.0.0] network 2.2.2.3 0.0.0.0
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
# Configure the extended VLAN interfaces of Switch B.
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] vlan 40
[SwitchB-vlan40] quit
[SwitchB] interface gigabitethernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] port link-type trunk
[SwitchB-GigabitEthernet3/0/1] undo port trunk permit vlan 1
[SwitchB-GigabitEthernet3/0/1] port trunk permit vlan 10 20 30 40
[SwitchB-GigabitEthernet3/0/1] undo shutdown
[SwitchB-GigabitEthernet3/0/1] quit
# Assign IP addresses to the extended VLAN interfaces to enable Layer 3 connectivity between the extended VLANs.
[SwitchB] interface vlan-interface 30
[SwitchB-Vlan-interface30] ip address 30.1.1.2 24
[SwitchB-Vlan-interface30] undo shutdown
[SwitchB-Vlan-interface30] quit
[SwitchB] interface vlan-interface 40
[SwitchB-Vlan-interface40] ip address 40.1.1.2 24
[SwitchB-Vlan-interface40] undo shutdown
[SwitchB-Vlan-interface40] quit
(2) Configure the EVI tunnels
# Set up the EVI tunnels.
[SwitchB] interface Tunnel 1 mode evi
[SwitchB-Tunnel1] source LoopBack 0
[SwitchB-Tunnel1] evi network-id 1
[SwitchB-Tunnel1] evi neighbor-discovery client enable 1.1.1.1
[SwitchB-Tunnel1] evi extend-vlan 10 20
[SwitchB-Tunnel1] quit
[SwitchB] interface Tunnel 2 mode evi
[SwitchB-Tunnel2] source LoopBack 1
[SwitchB-Tunnel2] evi network-id 2
[SwitchB-Tunnel2] evi neighbor-discovery client enable 1.1.1.2
[SwitchB-Tunnel2] evi extend-vlan 30 40
# Enable ARP flood suppression to reduce ARP flooding over the EVI tunnels.
[SwitchB-Tunnel2] evi arp-suppression enable
[SwitchB-Tunnel2] quit
[SwitchB] interface Tunnel 1
[SwitchB-Tunnel1] evi arp-suppression enable
[SwitchB-Tunnel1] quit
# Set the MAC address entry aging time to 30 minutes.
[SwitchB] mac-address timer aging 1800
(3) Configure VRRP
# Create the VRRP groups.
[SwitchB] interface Vlan-interface 10
[SwitchB-Vlan-interface10] vrrp vrid 10 virtual-ip 10.1.1.254
[SwitchB-Vlan-interface10] quit
[SwitchB] interface Vlan-interface 20
[SwitchB-Vlan-interface20] vrrp vrid 20 virtual-ip 20.1.1.254
[SwitchB-Vlan-interface20] quit
[SwitchB] interface Vlan-interface 30
[SwitchB-Vlan-interface30] vrrp vrid 30 virtual-ip 30.1.1.254
[SwitchB-Vlan-interface30] quit
[SwitchB] interface Vlan-interface 40
[SwitchB-Vlan-interface40] vrrp vrid 40 virtual-ip 40.1.1.254
[SwitchB-Vlan-interface40] quit
# Configure ACLs that match the virtual MAC addresses of the VRRP groups.
[SwitchB] display vrrp verbose
IPv4 Virtual Router Information:
Running Mode : Standard
Total number of virtual routers : 4
Interface Vlan-interface10
VRID : 10 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 10.1.1.254
Virtual MAC : 0000-5e00-010a
Master IP : 10.1.1.1
Interface Vlan-interface20
VRID : 20 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 20.1.1.254
Virtual MAC : 0000-5e00-0114
Master IP : 20.1.1.1
Interface Vlan-interface30
VRID : 30 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 30.1.1.254
Virtual MAC : 0000-5e00-011e
Master IP : 30.1.1.1
Interface Vlan-interface40
VRID : 40 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 40.1.1.254
Virtual MAC : 0000-5e00-0128
Master IP : 40.1.1.1
[SwitchB] acl number 4010
[SwitchB-acl-ethernetframe-4010] rule 5 deny type 0806 ffff source-mac 0000-5e00-010a ffff-ffff-ffff
[SwitchB-acl-ethernetframe-4010] quit
[SwitchB] acl number 4020
[SwitchB-acl-ethernetframe-4020] rule 5 deny type 0806 ffff source-mac 0000-5e00-0114 ffff-ffff-ffff
[SwitchB-acl-ethernetframe-4020] quit
[SwitchB] acl number 4030
[SwitchB-acl-ethernetframe-4030] rule 5 deny type 0806 ffff source-mac 0000-5e00-011e ffff-ffff-ffff
[SwitchB-acl-ethernetframe-4030] quit
[SwitchB] acl number 4040
[SwitchB-acl-ethernetframe-4040] rule 5 deny type 0806 ffff source-mac 0000-5e00-0128 ffff-ffff-ffff
[SwitchB-acl-ethernetframe-4040] quit
# Apply the packet filters in the outbound direction of the extended VLANs to drop the VRRP gratuitous ARP packets.
[SwitchB] packet-filter 4010 vlan 10 outbound
[SwitchB] packet-filter 4020 vlan 20 outbound
[SwitchB] packet-filter 4030 vlan 30 outbound
[SwitchB] packet-filter 4040 vlan 40 outbound
(4) Bind the extended VLANs to the VPN
# Create the VPN instance used to isolate VLAN 10 and VLAN 20.
[SwitchB] ip vpn-instance vpn1
[SwitchB-vpn-instance-vpn1] route-distinguisher 10:20
[SwitchB-vpn-instance-vpn1] quit
# Create the GRE tunnels. Because there are three sites, each site needs two GRE tunnels.
[SwitchB] interface tunnel 10 mode gre
[SwitchB-Tunnel10] description to-site1
[SwitchB-Tunnel10] ip binding vpn-instance vpn1
[SwitchB-Tunnel10] ip address 10.20.1.2 255.255.255.0
[SwitchB-Tunnel10] source 2.2.2.2
[SwitchB-Tunnel10] destination 1.1.1.1
[SwitchB-Tunnel10] quit
[SwitchB] interface tunnel 30 mode gre
[SwitchB-Tunnel30] description to-site3
[SwitchB-Tunnel30] ip binding vpn-instance vpn1
[SwitchB-Tunnel30] ip address 20.30.1.1 255.255.255.0
[SwitchB-Tunnel30] source 2.2.2.2
[SwitchB-Tunnel30] destination 3.3.3.3
[SwitchB-Tunnel30] quit
# Bind extended VLAN 10 and VLAN 20 to VPN 1.
[SwitchB] interface Vlan-interface 10
[SwitchB-Vlan-interface10] ip binding vpn-instance vpn1
[SwitchB-Vlan-interface10] ip address 10.1.1.2 24
[SwitchB-Vlan-interface10] undo shutdown
[SwitchB-Vlan-interface10] quit
[SwitchB] interface Vlan-interface 20
[SwitchB-Vlan-interface20] ip binding vpn-instance vpn1
[SwitchB-Vlan-interface20] ip address 20.1.1.2 24
[SwitchB-Vlan-interface20] undo shutdown
[SwitchB-Vlan-interface20] quit
(1) Configure IP addresses and routing on the interfaces of Switch C
# Configure the public network interface of Switch C (that is, the public network interface of the EVI edge device).
<SwitchC> system-view
[SwitchC] vlan 100
[SwitchC-vlan100] quit
[SwitchC] interface gigabitethernet 5/0/1
[SwitchC-GigabitEthernet5/0/1] port access vlan 100
[SwitchC-GigabitEthernet5/0/1] evi enable
[SwitchC-GigabitEthernet5/0/1] undo shutdown
[SwitchC-GigabitEthernet5/0/1] quit
[SwitchC] interface Vlan-interface 100
[SwitchC-Vlan-interface100] ip address 100.1.1.3 24
[SwitchC-Vlan-interface100] undo shutdown
[SwitchC-Vlan-interface100] quit
# Create the Loopback interfaces that serve as the source interfaces of the EVI tunnels.
[SwitchC] interface LoopBack 0
[SwitchC-LoopBack0] ip address 3.3.3.3 32
[SwitchC-LoopBack0] quit
[SwitchC] interface LoopBack 1
[SwitchC-LoopBack1] ip address 3.3.3.4 32
[SwitchC-LoopBack1] quit
# Configure OSPF to advertise the public network routes.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 100.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[SwitchC-ospf-1-area-0.0.0.0] network 3.3.3.4 0.0.0.0
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
# Configure the extended VLAN interfaces of Switch C.
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] vlan 20
[SwitchC-vlan20] quit
[SwitchC] vlan 30
[SwitchC-vlan30] quit
[SwitchC] vlan 40
[SwitchC-vlan40] quit
[SwitchC] interface gigabitethernet 3/0/1
[SwitchC-GigabitEthernet3/0/1] port link-type trunk
[SwitchC-GigabitEthernet3/0/1] undo port trunk permit vlan 1
[SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 10 20 30 40
[SwitchC-GigabitEthernet3/0/1] undo shutdown
[SwitchC-GigabitEthernet3/0/1] quit
# Assign IP addresses to the extended VLAN interfaces to enable Layer 3 connectivity between the extended VLANs.
[SwitchC] interface vlan-interface 30
[SwitchC-Vlan-interface30] ip address 30.1.1.3 24
[SwitchC-Vlan-interface30] undo shutdown
[SwitchC-Vlan-interface30] quit
[SwitchC] interface vlan-interface 40
[SwitchC-Vlan-interface40] ip address 40.1.1.3 24
[SwitchC-Vlan-interface40] undo shutdown
[SwitchC-Vlan-interface40] quit
(2) Configure the EVI tunnels
# Set up the EVI tunnels.
[SwitchC] interface Tunnel 1 mode evi
[SwitchC-Tunnel1] source LoopBack 0
[SwitchC-Tunnel1] evi network-id 1
[SwitchC-Tunnel1] evi neighbor-discovery client enable 1.1.1.1
[SwitchC-Tunnel1] evi extend-vlan 10 20
[SwitchC-Tunnel1] quit
[SwitchC] interface Tunnel 2 mode evi
[SwitchC-Tunnel2] source LoopBack 1
[SwitchC-Tunnel2] evi network-id 2
[SwitchC-Tunnel2] evi neighbor-discovery client enable 1.1.1.2
[SwitchC-Tunnel2] evi extend-vlan 30 40
# Enable ARP flood suppression to reduce ARP flooding over the EVI tunnels.
[SwitchC-Tunnel2] evi arp-suppression enable
[SwitchC-Tunnel2] quit
[SwitchC] interface Tunnel 1
[SwitchC-Tunnel1] evi arp-suppression enable
[SwitchC-Tunnel1] quit
# Set the MAC address entry aging time to 30 minutes.
[SwitchC] mac-address timer aging 1800
(3) Configure VRRP
# Create the VRRP groups.
[SwitchC] interface Vlan-interface 10
[SwitchC-Vlan-interface10] vrrp vrid 10 virtual-ip 10.1.1.254
[SwitchC-Vlan-interface10] quit
[SwitchC] interface Vlan-interface 20
[SwitchC-Vlan-interface20] vrrp vrid 20 virtual-ip 20.1.1.254
[SwitchC-Vlan-interface20] quit
[SwitchC] interface Vlan-interface 30
[SwitchC-Vlan-interface30] vrrp vrid 30 virtual-ip 30.1.1.254
[SwitchC-Vlan-interface30] quit
[SwitchC] interface Vlan-interface 40
[SwitchC-Vlan-interface40] vrrp vrid 40 virtual-ip 40.1.1.254
[SwitchC-Vlan-interface40] quit
# Configure ACLs that match the virtual MAC addresses of the VRRP groups.
[SwitchC] display vrrp verbose
IPv4 Virtual Router Information:
Running Mode : Standard
Total number of virtual routers : 4
Interface Vlan-interface10
VRID : 10 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 10.1.1.254
Virtual MAC : 0000-5e00-010a
Master IP : 10.1.1.1
Interface Vlan-interface20
VRID : 20 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 20.1.1.254
Virtual MAC : 0000-5e00-0114
Master IP : 20.1.1.1
Interface Vlan-interface30
VRID : 30 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 30.1.1.254
Virtual MAC : 0000-5e00-011e
Master IP : 30.1.1.1
Interface Vlan-interface40
VRID : 40 Adver Timer : 100
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 0
Auth Type : None
Virtual IP : 40.1.1.254
Virtual MAC : 0000-5e00-0128
Master IP : 40.1.1.1
[SwitchC] acl number 4010
[SwitchC-acl-ethernetframe-4010] rule 5 deny type 0806 ffff source-mac 0000-5e00-010a ffff-ffff-ffff
[SwitchC-acl-ethernetframe-4010] quit
[SwitchC] acl number 4020
[SwitchC-acl-ethernetframe-4020] rule 5 deny type 0806 ffff source-mac 0000-5e00-0114 ffff-ffff-ffff
[SwitchC-acl-ethernetframe-4020] quit
[SwitchC] acl number 4030
[SwitchC-acl-ethernetframe-4030] rule 5 deny type 0806 ffff source-mac 0000-5e00-011e ffff-ffff-ffff
[SwitchC-acl-ethernetframe-4030] quit
[SwitchC] acl number 4040
[SwitchC-acl-ethernetframe-4040] rule 5 deny type 0806 ffff source-mac 0000-5e00-0128 ffff-ffff-ffff
[SwitchC-acl-ethernetframe-4040] quit
# Apply the packet filters in the outbound direction of the extended VLANs to drop the VRRP gratuitous ARP packets.
[SwitchC] packet-filter 4010 vlan 10 outbound
[SwitchC] packet-filter 4020 vlan 20 outbound
[SwitchC] packet-filter 4030 vlan 30 outbound
[SwitchC] packet-filter 4040 vlan 40 outbound
(4) Bind the extended VLANs to the VPN
# Create the VPN instance used to isolate VLAN 10 and VLAN 20.
[SwitchC] ip vpn-instance vpn1
[SwitchC-vpn-instance-vpn1] route-distinguisher 10:20
[SwitchC-vpn-instance-vpn1] quit
# Create the GRE tunnels. Because there are three sites, each site needs two GRE tunnels.
[SwitchC] interface tunnel 10 mode gre
[SwitchC-Tunnel10] description to-site1
[SwitchC-Tunnel10] ip binding vpn-instance vpn1
[SwitchC-Tunnel10] ip address 10.30.1.2 255.255.255.0
[SwitchC-Tunnel10] source 3.3.3.3
[SwitchC-Tunnel10] destination 1.1.1.1
[SwitchC-Tunnel10] quit
[SwitchC] interface tunnel 20 mode gre
[SwitchC-Tunnel20] description to-site2
[SwitchC-Tunnel20] ip binding vpn-instance vpn1
[SwitchC-Tunnel20] ip address 20.30.1.2 255.255.255.0
[SwitchC-Tunnel20] source 3.3.3.3
[SwitchC-Tunnel20] destination 2.2.2.2
[SwitchC-Tunnel20] quit
# Bind extended VLAN 10 and VLAN 20 to VPN 1.
[SwitchC] interface Vlan-interface 10
[SwitchC-Vlan-interface10] ip binding vpn-instance vpn1
[SwitchC-Vlan-interface10] ip address 10.1.1.3 24
[SwitchC-Vlan-interface10] undo shutdown
[SwitchC-Vlan-interface10] quit
[SwitchC] interface Vlan-interface 20
[SwitchC-Vlan-interface20] ip binding vpn-instance vpn1
[SwitchC-Vlan-interface20] ip address 20.1.1.3 24
[SwitchC-Vlan-interface20] undo shutdown
[SwitchC-Vlan-interface20] quit
(1) Verify that traffic is still forwarded after a server migrates
Migrate a server in VLAN 10 of Site 1 (IP address 10.1.1.100) to VLAN 10 of Site 2 and ping it from the external network. With its IP address unchanged, the server is still reachable.
C:\>ping 10.1.1.100
Pinging 10.1.1.100 with 32 bytes of data:
Reply from 10.1.1.100: bytes=32 time=37ms TTL=128
Reply from 10.1.1.100: bytes=32 time=1ms TTL=128
Reply from 10.1.1.100: bytes=32 time=1ms TTL=128
Reply from 10.1.1.100: bytes=32 time=1ms TTL=128
Ping statistics for 10.1.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 37ms, Average = 10ms
C:\>
(2) Verify that VLAN 10 and VLAN 20 can communicate
From a host in VLAN 20 of Site 1 (IP address 20.1.1.200), ping a server in VLAN 10 of Site 2 (IP address 10.1.1.100). The ping succeeds.
C:\>ping 10.1.1.100
Pinging 10.1.1.100 with 32 bytes of data:
Reply from 10.1.1.100: bytes=32 time=37ms TTL=128
Reply from 10.1.1.100: bytes=32 time=1ms TTL=128
Reply from 10.1.1.100: bytes=32 time=1ms TTL=128
Reply from 10.1.1.100: bytes=32 time=1ms TTL=128
Ping statistics for 10.1.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 37ms, Average = 10ms
C:\>
(3) Verify that VLAN 30 and VLAN 40 can communicate
From a host in VLAN 30 of Site 1 (IP address 30.1.1.200), ping a server in VLAN 40 of Site 2 (IP address 40.1.1.100). The ping succeeds.
C:\>ping 40.1.1.100
Pinging 40.1.1.100 with 32 bytes of data:
Reply from 40.1.1.100: bytes=32 time=37ms TTL=128
Reply from 40.1.1.100: bytes=32 time=1ms TTL=128
Reply from 40.1.1.100: bytes=32 time=1ms TTL=128
Reply from 40.1.1.100: bytes=32 time=1ms TTL=128
Ping statistics for 40.1.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 37ms, Average = 10ms
C:\>
(4) Verify whether VLAN 10 and VLAN 20 can communicate with VLAN 30 and VLAN 40
From a host in VLAN 20 of Site 1 (IP address 20.1.1.200), ping a server in VLAN 40 of Site 2 (IP address 40.1.1.100). The ping fails.
C:\>ping 40.1.1.100
Pinging 40.1.1.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 40.1.1.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
From a host in VLAN 10 of Site 1 (IP address 10.1.1.200), ping a server in VLAN 30 of Site 2 (IP address 30.1.1.100). The ping fails.
C:\>ping 30.1.1.100
Pinging 30.1.1.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 30.1.1.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>
· Switch A:
#
version 7.1.045, Release 7328
#
sysname SwitchA
#
ip vpn-instance vpn1
route-distinguisher 10:20
#
packet-filter 4010 vlan 10 outbound
packet-filter 4020 vlan 20 outbound
packet-filter 4030 vlan 30 outbound
packet-filter 4040 vlan 40 outbound
#
mac-address timer aging 1800
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 100
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 1.1.1.2 255.255.255.255
#
interface Vlan-interface10
ip binding vpn-instance vpn1
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.254
#
interface Vlan-interface20
ip binding vpn-instance vpn1
ip address 20.1.1.1 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.254
#
interface Vlan-interface30
ip address 30.1.1.1 255.255.255.0
vrrp vrid 30 virtual-ip 30.1.1.254
#
interface Vlan-interface40
ip address 40.1.1.1 255.255.255.0
vrrp vrid 40 virtual-ip 40.1.1.254
#
interface Vlan-interface100
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet5/0/1
port link-mode bridge
port access vlan 100
evi enable
#
interface GigabitEthernet3/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20 30 40
#
interface Tunnel1 mode evi
evi arp-suppression enable
evi extend-vlan 10 20
source LoopBack0
evi network-id 1
evi neighbor-discovery server enable
#
interface Tunnel2 mode evi
evi arp-suppression enable
evi extend-vlan 30 40
source LoopBack1
evi network-id 2
evi neighbor-discovery server enable
#
interface Tunnel20 mode gre
description to-site2
ip binding vpn-instance vpn1
ip address 10.20.1.1 255.255.255.0
source 1.1.1.1
destination 2.2.2.2
#
interface Tunnel30 mode gre
description to-site3
ip binding vpn-instance vpn1
ip address 10.30.1.1 255.255.255.0
source 1.1.1.1
destination 3.3.3.3
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.1.1.2 0.0.0.0
network 100.1.1.0 0.0.0.255
#
acl number 4010
rule 5 deny type 0806 ffff source-mac 0000-5e00-010a ffff-ffff-ffff
#
acl number 4020
rule 5 deny type 0806 ffff source-mac 0000-5e00-0114 ffff-ffff-ffff
#
acl number 4030
rule 5 deny type 0806 ffff source-mac 0000-5e00-011e ffff-ffff-ffff
#
acl number 4040
rule 5 deny type 0806 ffff source-mac 0000-5e00-0128 ffff-ffff-ffff
#
return
· Switch B:
#
version 7.1.045, Release 7328
#
sysname SwitchB
#
ip vpn-instance vpn1
route-distinguisher 10:20
#
packet-filter 4010 vlan 10 outbound
packet-filter 4020 vlan 20 outbound
packet-filter 4030 vlan 30 outbound
packet-filter 4040 vlan 40 outbound
#
mac-address timer aging 1800
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 100
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
ip address 2.2.2.3 255.255.255.255
#
interface Vlan-interface10
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.254
#
interface Vlan-interface20
ip binding vpn-instance vpn1
ip address 20.1.1.2 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.254
#
interface Vlan-interface30
ip address 30.1.1.2 255.255.255.0
vrrp vrid 30 virtual-ip 30.1.1.254
#
interface Vlan-interface40
ip address 40.1.1.2 255.255.255.0
vrrp vrid 40 virtual-ip 40.1.1.254
#
interface Vlan-interface100
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet5/0/1
port link-mode bridge
port access vlan 100
evi enable
#
interface GigabitEthernet3/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20 30 40
#
interface Tunnel1 mode evi
evi arp-suppression enable
evi extend-vlan 10 20
source LoopBack0
evi network-id 1
evi neighbor-discovery client enable 1.1.1.1
#
interface Tunnel2 mode evi
evi arp-suppression enable
evi extend-vlan 30 40
source LoopBack1
evi network-id 2
evi neighbor-discovery client enable 1.1.1.2
#
interface Tunnel10 mode gre
description to-site1
ip binding vpn-instance vpn1
ip address 10.20.1.2 255.255.255.0
source 2.2.2.2
destination 1.1.1.1
#
interface Tunnel30 mode gre
description to-site3
ip binding vpn-instance vpn1
ip address 20.30.1.1 255.255.255.0
source 2.2.2.2
destination 3.3.3.3
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.2.2.3 0.0.0.0
network 100.1.1.0 0.0.0.255
#
acl number 4010
rule 5 deny type 0806 ffff source-mac 0000-5e00-010a ffff-ffff-ffff
#
acl number 4020
rule 5 deny type 0806 ffff source-mac 0000-5e00-0114 ffff-ffff-ffff
#
acl number 4030
rule 5 deny type 0806 ffff source-mac 0000-5e00-011e ffff-ffff-ffff
#
acl number 4040
rule 5 deny type 0806 ffff source-mac 0000-5e00-0128 ffff-ffff-ffff
#
return
· Switch C:
#
version 7.1.045, Release 7328
#
sysname SwitchC
#
ip vpn-instance vpn1
route-distinguisher 10:20
#
packet-filter 4010 vlan 10 outbound
packet-filter 4020 vlan 20 outbound
packet-filter 4030 vlan 30 outbound
packet-filter 4040 vlan 40 outbound
#
mac-address timer aging 1800
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 100
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface LoopBack1
ip address 3.3.3.4 255.255.255.255
#
interface Vlan-interface10
ip binding vpn-instance vpn1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.254
#
interface Vlan-interface20
ip binding vpn-instance vpn1
ip address 20.1.1.3 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.254
#
interface Vlan-interface30
ip address 30.1.1.3 255.255.255.0
vrrp vrid 30 virtual-ip 30.1.1.254
#
interface Vlan-interface40
ip address 40.1.1.3 255.255.255.0
vrrp vrid 40 virtual-ip 40.1.1.254
#
interface Vlan-interface100
ip address 100.1.1.3 255.255.255.0
#
interface GigabitEthernet5/0/1
port link-mode bridge
port access vlan 100
evi enable
#
interface GigabitEthernet3/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10 20 30 40
#
interface Tunnel1 mode evi
evi arp-suppression enable
evi extend-vlan 10 20
source LoopBack0
evi network-id 1
evi neighbor-discovery client enable 1.1.1.1
#
interface Tunnel2 mode evi
evi arp-suppression enable
evi extend-vlan 30 40
source LoopBack1
evi network-id 2
evi neighbor-discovery client enable 1.1.1.2
#
interface Tunnel10 mode gre
description to-site1
ip binding vpn-instance vpn1
ip address 10.30.1.2 255.255.255.0
source 3.3.3.3
destination 1.1.1.1
#
interface Tunnel20 mode gre
description to-site2
ip binding vpn-instance vpn1
ip address 20.30.1.2 255.255.255.0
source 3.3.3.3
destination 2.2.2.2
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.3.3.4 0.0.0.0
network 100.1.1.0 0.0.0.255
#
acl number 4010
rule 5 deny type 0806 ffff source-mac 0000-5e00-010a ffff-ffff-ffff
#
acl number 4020
rule 5 deny type 0806 ffff source-mac 0000-5e00-0114 ffff-ffff-ffff
#
acl number 4030
rule 5 deny type 0806 ffff source-mac 0000-5e00-011e ffff-ffff-ffff
#
acl number 4040
rule 5 deny type 0806 ffff source-mac 0000-5e00-0128 ffff-ffff-ffff
#
return
· H3C S12500 Series Routing Switches EVI Configuration Guide-Release 7328
· H3C S12500 Series Routing Switches EVI Command Reference-Release 7328
The documentation differs slightly between models and specifications; for details, contact your sales representative or the 400 service hotline. H3C reserves the right to modify the content of the documentation without notice.