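Project background
An enterprise network topology is shown in the figure below. The enterprise has two internal VLANs, VLAN 10 and VLAN 20, with IP address ranges 192.168.10.0/24 and 192.168.20.0/24 respectively, and gateways at 192.168.x.254/24.
Many students get stuck on one question: should the port connecting the core switch to the egress router be access or trunk? There are in fact several ways to interconnect a switch and a router, and we introduce them one by one.
Scheme 1: Access interface interconnection
VLAN 100 is planned as the interconnect VLAN between the core switch and the egress router. Vlanif 100 has the address 192.168.100.1/30, and the router's G0/0/0 interface has the IP address 192.168.100.2/30.
Access switch configuration points:
(1) Create VLAN 10 and VLAN 20;
(2) Set interfaces G0/0/1, G0/0/2 and G0/0/3 as access interfaces and assign them to the corresponding VLANs;
(3) Set interface G0/0/24 as a trunk and allow VLAN 10 and VLAN 20 to pass.
Access switch configuration commands: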
[Huawei] sysname acsw
[acsw] vlan batch 10 20 //create VLAN 10 and VLAN 20
[acsw] int g0/0/1
[acsw-GigabitEthernet0/0/1] port link-type access //set the interface to access
[acsw-GigabitEthernet0/0/1] port default vlan 10 //place the interface in VLAN 10
[acsw-GigabitEthernet0/0/1] quit
[acsw] int g0/0/2
[acsw-GigabitEthernet0/0/2] port link-type access
[acsw-GigabitEthernet0/0/2] port default vlan 10
[acsw-GigabitEthernet0/0/2] quit
[acsw] int g0/0/3
[acsw-GigabitEthernet0/0/3] port link-type access
[acsw-GigabitEthernet0/0/3] port default vlan 20
[acsw-GigabitEthernet0/0/3] quit
[acsw] int g0/0/24
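[acsw-GigabitEthernet0/0/24] port link-type trunk //set the interface to trunk
[acsw-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20 //allow VLAN 10 and VLAN 20 traffic on the trunk
Core switch configuration points:
(1) Create VLAN 10, 20 and 100. The first two are service VLANs, and VLAN 100 is the interconnect VLAN between the core switch and the router;
(2) Configure Vlanif10, Vlanif20 and Vlanif100. The first two are the user gateways, and Vlanif100 is the core switch's interconnect address toward the router;
(3) Configure the interface between the access and core switches as a trunk and allow service VLANs 10 and 20 to pass;
(4) Set the interface between the core switch and the egress router as an access interface and assign it to VLAN 100.
Core switch configuration commands: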
[Huawei] sysname coresw
[coresw] vlan batch 10 20 100 //create VLAN 10, 20 and 100 in one batch
[coresw] interface Vlanif 10
[coresw-Vlanif10] ip address 192.168.10.254 24 //configure the IP address of Vlanif 10
[coresw-Vlanif10] quit
[coresw] interface Vlanif 20
[coresw-Vlanif20] ip address 192.168.20.254 24
[coresw-Vlanif20] quit
[coresw] interface Vlanif 100
[coresw-Vlanif100] ip address 192.168.100.1 30
[coresw-Vlanif100] quit
[coresw] interface g0/0/24
[coresw-GigabitEthernet0/0/24] port link-type trunk
[coresw-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20
[coresw-GigabitEthernet0/0/24] quit
[coresw] interface g0/0/1
[coresw-GigabitEthernet0/0/1] port link-type access
[coresw-GigabitEthernet0/0/1] port default vlan 100
Egress router configuration commands:
[Huawei] sysname router
[router] interface g0/0/0
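[router-GigabitEthernet0/0/0] ip address 192.168.100.2 30 //configure the interface IP address
[router-GigabitEthernet0/0/0] quit
[router] ip route-static 192.168.10.0 24 192.168.100.1 //configure the return route
[router] ip route-static 192.168.20.0 24 192.168.100.1 //configure the return route
Test connectivity: PC1 can ping PC3 and can also ping the egress router, so communication works.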
PC1>ping 192.168.20.1
Ping 192.168.20.1: 32 data bytes, Press Ctrl_C to break
From 192.168.20.1: bytes=32 seq=1 ttl=127 time=172 ms
From 192.168.20.1: bytes=32 seq=2 ttl=127 time=94 ms
From 192.168.20.1: bytes=32 seq=3 ttl=127 time=78 ms
From 192.168.20.1: bytes=32 seq=4 ttl=127 time=78 ms
From 192.168.20.1: bytes=32 seq=5 ttl=127 time=78 ms
--- 192.168.20.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/100/172 ms
PC> ping 192.168.100.2
Ping 192.168.100.2: 32 data bytes, Press Ctrl_C to break
From 192.168.100.2: bytes=32 seq=1 ttl=254 time=78 ms
From 192.168.100.2: bytes=32 seq=2 ttl=254 time=63 ms
From 192.168.100.2: bytes=32 seq=3 ttl=254 time=47 ms
From 192.168.100.2: bytes=32 seq=4 ttl=254 time=62 ms
From 192.168.100.2: bytes=32 seq=5 ttl=254 time=47 ms
--- 192.168.100.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/59/78 ms
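A ping only proves reachability; it does not show whether the trunk between the access and core switches carries exactly the VLANs Scheme 1 intends. The following added example (not part of the original article) parses the session lines and checks that both ends of the G0/0/24 link are trunks with the same allow-pass list, that interconnect VLAN 100 stays off that trunk as in the configuration above, and that every user VLAN reaches the uplink. The names `parse` and `audit_trunk` and the "transit VLAN" label are hypothetical, and the sample sessions are constructed from the page's commands.

```python
import re

# Constructed sample: Scheme 1's VLAN and port lines as typed on each switch.
ACSW = """[acsw] vlan batch 10 20
[acsw-GigabitEthernet0/0/1] port link-type access
[acsw-GigabitEthernet0/0/1] port default vlan 10
[acsw-GigabitEthernet0/0/3] port link-type access
[acsw-GigabitEthernet0/0/3] port default vlan 20
[acsw-GigabitEthernet0/0/24] port link-type trunk
[acsw-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20"""
CORESW = """[coresw] vlan batch 10 20 100
[coresw-GigabitEthernet0/0/24] port link-type trunk
[coresw-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20
[coresw-GigabitEthernet0/0/1] port link-type access
[coresw-GigabitEthernet0/0/1] port default vlan 100"""

def parse(session):
    """Return (created VLANs, {port: {"type", "vlans"}}); `to` ranges are not handled."""
    vlans, ports = set(), {}
    for line in session.splitlines():
        if not (m := re.match(r"\[([^\]]+)\]\s*(.+)", line.split("//")[0])):
            continue  # not a prompt line (the split drops trailing // comments)
        port, cmd = m.group(1).partition("-GigabitEthernet")[2], m.group(2).split()
        entry = ports.setdefault(port, {"type": None, "vlans": set()}) if port else None
        if cmd[:2] == ["vlan", "batch"]:
            vlans |= {int(v) for v in cmd[2:]}
        elif port and cmd[:2] == ["port", "link-type"]:
            entry["type"] = cmd[2]
        elif port and cmd[:3] in (["port", "default", "vlan"], ["port", "trunk", "allow-pass"]):
            entry["vlans"] = {int(v) for v in cmd[3:] if v.isdigit()}
    return vlans, ports

def audit_trunk(access_cfg, access_port, core_cfg, core_port, transit_vlan):
    """Return findings for the access-to-core trunk; an empty list means consistent."""
    (a_vlans, a_ports), (c_vlans, c_ports) = parse(access_cfg), parse(core_cfg)
    a, c = a_ports[access_port], c_ports[core_port]
    findings = []
    if (a["type"], c["type"]) != ("trunk", "trunk"):
        findings.append("link is not a trunk on both ends")
    if a["vlans"] != c["vlans"]:
        findings.append(f"allow-pass differs between ends: {sorted(a['vlans'] ^ c['vlans'])}")
    if transit_vlan in a["vlans"] | c["vlans"]:
        findings.append(f"transit VLAN {transit_vlan} is carried toward the access layer")
    if a["vlans"] - a_vlans or c["vlans"] - c_vlans:
        findings.append("a VLAN is allowed on the trunk but not created")
    user = set().union(*(p["vlans"] for p in a_ports.values() if p["type"] == "access"))
    if user - a["vlans"]:
        findings.append(f"user VLANs missing from the uplink: {sorted(user - a['vlans'])}")
    return findings
```

Calling `audit_trunk(ACSW, "0/0/24", CORESW, "0/0/24", 100)` on the configuration as written returns an empty list.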
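Scheme 2: Layer 3 interface interconnection
This scheme requires replacing the core switch with a CE6800 series model, because the S5700 in eNSP does not support undo portswitch. The core switch does not need VLAN 100 or Vlanif 100; the rest of the configuration is the same. The core switch can interconnect with the egress router directly through a Layer 3 interface.
Core switch configuration commands:
<HUAWEI> system-view immediately //commands take effect immediately, with no commit needed to confirm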
[HUAWEI] sysname coresw
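[coresw] interface g1/0/1 //the CE6800 has no g0/0/1 interface, so g1/0/1 is used here instead
[coresw-GE1/0/1] undo portswitch //disable Layer 2 mode, making the interface a Layer 3 interface
[coresw-GE1/0/1] ip address 192.168.100.1 30 //configure the interface IP address for interconnection with the egress router
Scheme 3: Sub-interface interconnection
If the PCs' gateway is not on the core switch but on the egress router, sub-interfaces can be used for the core switch to router interconnection and for inter-VLAN routing. The access switch configuration is unchanged.
Core switch configuration points:
(1) Create VLAN 10 and VLAN 20;
(2) Configure both the uplink and downlink interfaces of the core switch as trunks, allowing VLAN 10 and VLAN 20 to pass.
Core switch configuration commands: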
[Huawei] sysname coresw
[coresw] vlan batch 10 20 //create VLAN 10 and VLAN 20
[coresw] int g0/0/1
[coresw-GigabitEthernet0/0/1] port link-type trunk //configure the uplink interface as a trunk
[coresw-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 //allow VLAN 10 and VLAN 20 on the trunk
[coresw-GigabitEthernet0/0/1] quit
[coresw] interface g0/0/24
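[coresw-GigabitEthernet0/0/24] port link-type trunk //configure the downlink interface as a trunk
[coresw-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20 //allow VLAN 10 and VLAN 20 on the trunk
Egress router configuration points:
(1) Configure sub-interfaces and IP addresses to act as the user gateways;
(2) Configure the VID for 802.1Q termination, so VLAN tags are added and removed;
(3) Enable ARP broadcast on the sub-interfaces so cross-VLAN traffic can be forwarded.
Egress router configuration commands (router-on-a-stick):
[Huawei] sysname router
[router] interface g0/0/0.10 //enter the sub-interface
[router-GigabitEthernet0/0/0.10] ip address 192.168.10.254 24 //configure the IP address
[router-GigabitEthernet0/0/0.10] dot1q termination vid 10 //have the sub-interface terminate VLAN 10 traffic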
[router-GigabitEthernet0/0/0.10] quit
[router] interface g0/0/0.20
[router-GigabitEthernet0/0/0.20] ip address 192.168.20.254 24
[router-GigabitEthernet0/0/0.20] dot1q termination vid 20
[router-GigabitEthernet0/0/0.20] quit
[router] int g0/0/0.10
[router-GigabitEthernet0/0/0.10] arp broadcast enable //enable ARP broadcast on the sub-interface so cross-VLAN traffic can be forwarded
[router-GigabitEthernet0/0/0.10] quit
[router] int g0/0/0.20
[router-GigabitEthernet0/0/0.20] arp broadcast enable //enable ARP broadcast on the sub-interface so cross-VLAN traffic can be forwarded