Data Center: HCIE DC distributed gateway comprehensive lab
VXLAN distributed gateway scenario

Reference: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101225&lang=zh&idPath=24030814%7C21782165%7C21782236%7C22318638%7C7542409

Lab topology
(The topology diagram is not reproduced here.)

Lab plan

Interconnect address plan
CE-to-CE links use 10.1.XY.0/24 with the lower device number first; for example CE1-CE3 is 10.1.13.0/24.
The three interconnect segments between the gateway leaves and the firewall are as shown in the topology; the firewall takes the lower address.
CE1 and CE2 are the route reflectors (RRs) and only need LoopBack0 (100.1.1.0/32) for the EVPN peering.
CE3-CE6 are leaves; besides LoopBack0 they need LoopBack1 (10.1.1.0/32) as the VTEP source address.
The firewalls are deployed active/standby; the HRP heartbeat link is 1.1.1.0/30.
The gateway leaves connect to the ISP over 211.1.1.0/30 and 212.1.1.0/30.
The ISP's LoopBack8 8.8.8.8/32 simulates the Internet.

Service address plan
Tenant A: VLAN 10 and VLAN 20, 10.0.10.0/24 and 10.0.20.0/24.
Tenant B: VLAN 30 and VLAN 40, 10.0.30.0/24 and 10.0.40.0/24.
AR2 is the telnet server, 10.0.10.10/24.
AR3 is the FTP server, 10.0.40.10/24.

BD/VNI/RD/RT plan
vlan10 → BD10 → VNI10 → RD 10:1 → RT 10:1 → eRT 10:100
vlan20 → BD20 → VNI20 → RD 10:2 → RT 10:2 → eRT 10:100
vlan30 → BD30 → VNI30 → RD 10:3 → RT 10:3 → eRT 10:200
vlan40 → BD40 → VNI40 → RD 10:4 → RT 10:4 → eRT 10:200
vpnA → RD 10:100 → EVPN RT 10:100 → L3 VNI 15
vpnB → RD 10:200 → EVPN RT 10:200 → L3 VNI 25
(eRT is the additional export RT that carries a BD's host routes into the tenant's L3 VPN instance.)

Lab requirements
The underlay uses OSPF to exchange routes.
iBGP EVPN peers are built using 100.1.1.0/32 (LoopBack0) as the source address.
VXLAN tunnels use 10.1.1.0/32 (LoopBack1) as the VTEP source address.
VPN instances, bridge domains and addresses are configured according to the plan.
All tenant service addresses may reach the external address 8.8.8.8.
The external server 8.8.8.8 may reach AR2 by telnet.
The external server 8.8.8.8 may log in to AR3 by FTP.
AR2 may log in to AR3 by FTP.
AR3 may reach AR2 by telnet.

Lab steps

Routers
ISP
interface GigabitEthernet0/0/0
ip address 211.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 212.1.1.1 255.255.255.0
#
interface LoopBack8
ip address 8.8.8.8 255.255.255.255
#
ip route-static 202.1.1.0 255.255.255.240 211.1.1.2
ip route-static 202.1.1.0 255.255.255.240 212.1.1.2
#

AR2 (telnet server)
interface GigabitEthernet0/0/0
ip address 10.0.10.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
user-interface vty 0 4
authentication-mode password
user privilege level 15
set authentication password cipher Admin@123

AR3 (FTP server)
ftp server enable
#
aaa
local-user ftp password cipher Admin@123
local-user ftp privilege level 15
local-user ftp ftp-directory flash:
local-user ftp service-type ftp
interface GigabitEthernet0/0/0
ip address 10.0.40.10 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.40.253
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#

Telnet and FTP are used here because the lab requirements call for them; both carry credentials and payload in cleartext. Outside a lab the same roles would be filled by SSH and SFTP, and the VTY lines would not be left at privilege level 15 behind a single shared password.

Address configuration
Omitted.

OSPF configuration
Omitted; the OSPF network type on the interconnect links is set to P2P.

Verifying neighbors and routes
[CE1]display ospf peer brief
OSPF Process 1 with Router ID 11.1.1.1
Peer Statistic Information
Total number of peer(s): 4
Peer(s) in full state: 4
-----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GE1/0/0 33.1.1.1 Full
0.0.0.0 GE1/0/1 44.1.1.1 Full
0.0.0.0 GE1/0/2 55.1.1.1 Full
0.0.0.0 GE1/0/3 66.1.1.1 Full
-----------------------------------------------------------------------------
[CE2]display ospf peer brief
OSPF Process 1 with Router ID 22.1.1.1
Peer Statistic Information
Total number of peer(s): 4
Peer(s) in full state: 4
-----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GE1/0/0 33.1.1.1 Full
0.0.0.0 GE1/0/1 44.1.1.1 Full
0.0.0.0 GE1/0/2 55.1.1.1 Full
0.0.0.0 GE1/0/3 66.1.1.1 Full
-----------------------------------------------------------------------------
[CE3]display ospf routing
OSPF Process 1 with Router ID 33.1.1.1
Routing for Network
------------------------------------------------------------------------------
Destination Cost Type Next-Hop AdvRouter Area
10.1.1.3/32 0 Direct 10.1.1.3 33.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.23.2 44.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.13.1 44.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.23.2 55.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.13.1 55.1.1.1 0.0.0.0
10.1.1.6/32 2 Stub 10.1.23.2 66.1.1.1 0.0.0.0
10.1.1.6/32 2 Stub 10.1.13.1 66.1.1.1 0.0.0.0
10.1.13.0/24 1 Direct 10.1.13.3 33.1.1.1 0.0.0.0
10.1.14.0/24 2 Stub 10.1.13.1 11.1.1.1 0.0.0.0
10.1.15.0/24 2 Stub 10.1.13.1 11.1.1.1 0.0.0.0
10.1.16.0/24 2 Stub 10.1.13.1 11.1.1.1 0.0.0.0
10.1.23.0/24 1 Direct 10.1.23.3 33.1.1.1 0.0.0.0
10.1.24.0/24 2 Stub 10.1.23.2 22.1.1.1 0.0.0.0
10.1.25.0/24 2 Stub 10.1.23.2 22.1.1.1 0.0.0.0
10.1.26.0/24 2 Stub 10.1.23.2 22.1.1.1 0.0.0.0
100.1.1.1/32 1 Stub 10.1.13.1 11.1.1.1 0.0.0.0
100.1.1.2/32 1 Stub 10.1.23.2 22.1.1.1 0.0.0.0
100.1.1.3/32 0 Direct 100.1.1.3 33.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.23.2 44.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.13.1 44.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.23.2 55.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.13.1 55.1.1.1 0.0.0.0
100.1.1.6/32 2 Stub 10.1.23.2 66.1.1.1 0.0.0.0
100.1.1.6/32 2 Stub 10.1.13.1 66.1.1.1 0.0.0.0
Total Nets: 18
Intra Area: 18 Inter Area: 0 ASE: 0 NSSA: 0
[CE6]display ospf routing
OSPF Process 1 with Router ID 66.1.1.1
Routing for Network
------------------------------------------------------------------------------
Destination Cost Type Next-Hop AdvRouter Area
10.1.1.3/32 2 Stub 10.1.26.2 33.1.1.1 0.0.0.0
10.1.1.3/32 2 Stub 10.1.16.1 33.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.26.2 44.1.1.1 0.0.0.0
10.1.1.4/32 2 Stub 10.1.16.1 44.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.26.2 55.1.1.1 0.0.0.0
10.1.1.5/32 2 Stub 10.1.16.1 55.1.1.1 0.0.0.0
10.1.1.6/32 0 Direct 10.1.1.6 66.1.1.1 0.0.0.0
10.1.13.0/24 2 Stub 10.1.16.1 11.1.1.1 0.0.0.0
10.1.14.0/24 2 Stub 10.1.16.1 11.1.1.1 0.0.0.0
10.1.15.0/24 2 Stub 10.1.16.1 11.1.1.1 0.0.0.0
10.1.16.0/24 1 Direct 10.1.16.6 66.1.1.1 0.0.0.0
10.1.23.0/24 2 Stub 10.1.26.2 22.1.1.1 0.0.0.0
10.1.24.0/24 2 Stub 10.1.26.2 22.1.1.1 0.0.0.0
10.1.25.0/24 2 Stub 10.1.26.2 22.1.1.1 0.0.0.0
10.1.26.0/24 1 Direct 10.1.26.6 66.1.1.1 0.0.0.0
100.1.1.1/32 1 Stub 10.1.16.1 11.1.1.1 0.0.0.0
100.1.1.2/32 1 Stub 10.1.26.2 22.1.1.1 0.0.0.0
100.1.1.3/32 2 Stub 10.1.26.2 33.1.1.1 0.0.0.0
100.1.1.3/32 2 Stub 10.1.16.1 33.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.26.2 44.1.1.1 0.0.0.0
100.1.1.4/32 2 Stub 10.1.16.1 44.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.26.2 55.1.1.1 0.0.0.0
100.1.1.5/32 2 Stub 10.1.16.1 55.1.1.1 0.0.0.0
100.1.1.6/32 0 Direct 100.1.1.6 66.1.1.1 0.0.0.0
Total Nets: 18
Intra Area: 18 Inter Area: 0 ASE: 0 NSSA: 0
IBGP EVPN configuration (CE1-CE6)
evpn-overlay enable //globally enable EVPN as the VXLAN control plane

CE1
bgp 1
router-id 11.1.1.1
peer 100.1.1.3 as-number 1
peer 100.1.1.3 connect-interface LoopBack0
peer 100.1.1.4 as-number 1
peer 100.1.1.4 connect-interface LoopBack0
peer 100.1.1.5 as-number 1
peer 100.1.1.5 connect-interface LoopBack0
peer 100.1.1.6 as-number 1
peer 100.1.1.6 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.3 enable
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 reflect-client
#
l2vpn-family evpn
undo policy vpn-target //on both RRs, disable RT filtering of received EVPN routes: the RRs hold no local instances that import these RTs and would otherwise drop the routes instead of reflecting them
peer 100.1.1.3 enable
peer 100.1.1.3 advertise irb
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 advertise irb
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 advertise irb
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 advertise irb
peer 100.1.1.6 reflect-client
#
CE2
bgp 1
router-id 22.1.1.1
peer 100.1.1.3 as-number 1
peer 100.1.1.3 connect-interface LoopBack0
peer 100.1.1.4 as-number 1
peer 100.1.1.4 connect-interface LoopBack0
peer 100.1.1.5 as-number 1
peer 100.1.1.5 connect-interface LoopBack0
peer 100.1.1.6 as-number 1
peer 100.1.1.6 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.3 enable
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 reflect-client
#
l2vpn-family evpn
undo policy vpn-target
peer 100.1.1.3 enable
peer 100.1.1.3 advertise irb
peer 100.1.1.3 reflect-client
peer 100.1.1.4 enable
peer 100.1.1.4 advertise irb
peer 100.1.1.4 reflect-client
peer 100.1.1.5 enable
peer 100.1.1.5 advertise irb
peer 100.1.1.5 reflect-client
peer 100.1.1.6 enable
peer 100.1.1.6 advertise irb
peer 100.1.1.6 reflect-client
#
CE3
bgp 1
router-id 33.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
CE4
bgp 1
router-id 44.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
CE5
bgp 1
router-id 55.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#

CE6
bgp 1
router-id 66.1.1.1
peer 100.1.1.1 as-number 1
peer 100.1.1.1 connect-interface LoopBack0
peer 100.1.1.2 as-number 1
peer 100.1.1.2 connect-interface LoopBack0
#
ipv4-family unicast
peer 100.1.1.1 enable
peer 100.1.1.2 enable
#
l2vpn-family evpn
policy vpn-target
peer 100.1.1.1 enable
peer 100.1.1.1 advertise irb
peer 100.1.1.2 enable
peer 100.1.1.2 advertise irb
#
Viewing EVPN peers
[CE1]display bgp evpn peer
BGP local router ID : 11.1.1.1
Local AS number : 1
Total number of peers : 4
Peers in established state : 4
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
100.1.1.3 4 1 4 5 0 00:00:31 Established 0
100.1.1.4 4 1 4 4 0 00:00:20 Established 0
100.1.1.5 4 1 4 4 0 00:00:09 Established 0
100.1.1.6 4 1 4 5 0 00:00:01 Established 0
[CE2]display bgp evpn peer
BGP local router ID : 22.1.1.1
Local AS number : 1
Total number of peers : 4
Peers in established state : 4
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
100.1.1.3 4 1 4 5 0 00:00:46 Established 0
100.1.1.4 4 1 4 4 0 00:00:33 Established 0
100.1.1.5 4 1 4 4 0 00:00:23 Established 0
100.1.1.6 4 1 4 5 0 00:00:15 Established 0
Configuring bridge domains
CE3-CE6
bridge-domain 10
vxlan vni 10
evpn
route-distinguisher 10:1
vpn-target 10:1 export-extcommunity
vpn-target 10:100 export-extcommunity //used to pass the VXLAN host routes via EVPN into the tenant's VPN instance, which imports 10:100
vpn-target 10:1 import-extcommunity
#
bridge-domain 20
vxlan vni 20
evpn
route-distinguisher 10:2
vpn-target 10:2 export-extcommunity
vpn-target 10:100 export-extcommunity
vpn-target 10:2 import-extcommunity
#
bridge-domain 30
vxlan vni 30
evpn
route-distinguisher 10:3
vpn-target 10:3 export-extcommunity
vpn-target 10:200 export-extcommunity
vpn-target 10:3 import-extcommunity
#
bridge-domain 40
vxlan vni 40
evpn
route-distinguisher 10:4
vpn-target 10:4 export-extcommunity
vpn-target 10:200 export-extcommunity
vpn-target 10:4 import-extcommunity
#
Configuring VPN instances
CE3-CE6
ip vpn-instance A
ipv4-family
route-distinguisher 10:100
vpn-target 10:100 export-extcommunity evpn
vpn-target 10:100 import-extcommunity evpn
vxlan vni 15
#
ip vpn-instance B
ipv4-family
route-distinguisher 10:200
vpn-target 10:200 export-extcommunity evpn
vpn-target 10:200 import-extcommunity evpn
vxlan vni 25
#
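The RT plan above decides which routes each instance accepts, and that is also what keeps tenant A and tenant B apart: a BD's extra export RT (the eRT) must match the import RT of its own tenant's VPN instance and nothing else. The following Python script is an added example, not part of the original lab. It models the RD/RT values from the plan table and the bridge-domain / ip vpn-instance configuration above (the tenant labels, class and function names are the example's own) and reports cross-tenant RT matches, duplicate RDs, and instances that would reject the routes of their own copies on other leaves.

```python
"""Route-target plan check for the BD / VPN-instance plan above.

Added example, not part of the original lab. RD/RT values are copied from the
plan table and the bridge-domain / ip vpn-instance configuration; the tenant
labels and helper names are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EvpnInstance:
    name: str              # "BD10" ... "BD40", "vpnA", "vpnB"
    tenant: str            # annotation from the plan: tenant "A" or "B"
    rd: str
    export_rts: frozenset  # vpn-target ... export-extcommunity
    import_rts: frozenset  # vpn-target ... import-extcommunity


def build_plan():
    """The plan as configured on CE3-CE6: each BD exports its own RT plus the
    tenant's L3 RT (eRT); the VPN instances import/export only the L3 RT."""
    instances = []
    for vlan, tenant, l3_rt in ((10, "A", "10:100"), (20, "A", "10:100"),
                                (30, "B", "10:200"), (40, "B", "10:200")):
        own_rt = f"10:{vlan // 10}"
        instances.append(EvpnInstance(f"BD{vlan}", tenant, own_rt,
                                      frozenset({own_rt, l3_rt}), frozenset({own_rt})))
    instances.append(EvpnInstance("vpnA", "A", "10:100", frozenset({"10:100"}), frozenset({"10:100"})))
    instances.append(EvpnInstance("vpnB", "B", "10:200", frozenset({"10:200"}), frozenset({"10:200"})))
    return instances


def import_matrix(instances):
    """exporter name -> names of the *other* instances that accept its routes.
    A route is accepted when any export RT equals any import RT."""
    return {e.name: {i.name for i in instances
                     if i is not e and e.export_rts & i.import_rts}
            for e in instances}


def cross_tenant_leaks(instances):
    """(exporter, importer) pairs whose RTs match across tenants: a plan error
    that would put one tenant's host routes into the other tenant's VPN."""
    tenant_of = {i.name: i.tenant for i in instances}
    return sorted((exp, imp) for exp, imps in import_matrix(instances).items()
                  for imp in imps if tenant_of[exp] != tenant_of[imp])


def not_self_importing(instances):
    """Instances whose export RTs never match their own import RTs. The same
    BD or VPN instance on another leaf carries the same RTs, so such an
    instance would reject the routes of its remote copies."""
    return sorted(i.name for i in instances if not (i.export_rts & i.import_rts))


def duplicate_rds(instances):
    """RDs used by more than one instance on the same leaf."""
    seen = defaultdict(list)
    for i in instances:
        seen[i.rd].append(i.name)
    return {rd: names for rd, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    plan = build_plan()
    for exporter, importers in import_matrix(plan).items():
        print(f"{exporter:5s} -> {sorted(importers) or '(only its copies on other leaves)'}")
    print("cross-tenant leaks:", cross_tenant_leaks(plan))
    print("not self-importing:", not_self_importing(plan))
    print("duplicate RDs:", duplicate_rds(plan))
```

With the plan as configured, each BD is imported only by its own tenant's VPN instance, and a VPN instance is imported by nothing except its copies on the other leaves. This matching happens on the leaves; the two RRs run undo policy vpn-target precisely because they hold no instances and would otherwise drop every route they are supposed to reflect.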
Configuring service access
CE3/CE4
interface GE1/0/2
undo shutdown
#
interface GE1/0/2.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/2.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface GE1/0/2.30 mode l2
encapsulation dot1q vid 30
bridge-domain 30
#
interface GE1/0/2.40 mode l2
encapsulation dot1q vid 40
bridge-domain 40
#
Configuring service gateways
CE3
interface Vbdif10
ip binding vpn-instance A
ip address 10.0.10.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif20
ip binding vpn-instance A
ip address 10.0.20.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif30
ip binding vpn-instance B
ip address 10.0.30.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif40
ip binding vpn-instance B
ip address 10.0.40.254 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
CE4
interface Vbdif10
ip binding vpn-instance A
ip address 10.0.10.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif20
ip binding vpn-instance A
ip address 10.0.20.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif30
ip binding vpn-instance B
ip address 10.0.30.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
interface Vbdif40
ip binding vpn-instance B
ip address 10.0.40.253 255.255.255.0
arp distribute-gateway enable
arp collect host enable
#
Configuring VXLAN tunnels
CE3
interface Nve1
source 10.1.1.3
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
CE4
interface Nve1
source 10.1.1.4
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
CE5
interface Nve1
source 10.1.1.5
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
CE6
interface Nve1
source 10.1.1.6
vni 10 head-end peer-list protocol bgp
vni 20 head-end peer-list protocol bgp
vni 30 head-end peer-list protocol bgp
vni 40 head-end peer-list protocol bgp
#
Viewing VXLAN tunnels
[CE4]display vxlan peer
Number of peers : 12
Vni ID Source Destination Type Out Vni ID
-------------------------------------------------------------------------------
10 10.1.1.4 10.1.1.3 dynamic 10
10 10.1.1.4 10.1.1.5 dynamic 10
10 10.1.1.4 10.1.1.6 dynamic 10
20 10.1.1.4 10.1.1.3 dynamic 20
20 10.1.1.4 10.1.1.5 dynamic 20
20 10.1.1.4 10.1.1.6 dynamic 20
30 10.1.1.4 10.1.1.3 dynamic 30
30 10.1.1.4 10.1.1.5 dynamic 30
30 10.1.1.4 10.1.1.6 dynamic 30
40 10.1.1.4 10.1.1.3 dynamic 40
40 10.1.1.4 10.1.1.5 dynamic 40
40 10.1.1.4 10.1.1.6 dynamic 40
[CE4]display vxlan tunnel
Number of vxlan tunnel : 3
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531841 10.1.1.4 10.1.1.3 up dynamic 00:02:18
4026531842 10.1.1.4 10.1.1.5 up dynamic 00:02:06
4026531843 10.1.1.4 10.1.1.6 up dynamic 00:01:59
[CE5]display vxlan peer
Number of peers : 12
Vni ID Source Destination Type Out Vni ID
-------------------------------------------------------------------------------
10 10.1.1.5 10.1.1.3 dynamic 10
10 10.1.1.5 10.1.1.4 dynamic 10
10 10.1.1.5 10.1.1.6 dynamic 10
20 10.1.1.5 10.1.1.3 dynamic 20
20 10.1.1.5 10.1.1.4 dynamic 20
20 10.1.1.5 10.1.1.6 dynamic 20
30 10.1.1.5 10.1.1.3 dynamic 30
30 10.1.1.5 10.1.1.4 dynamic 30
30 10.1.1.5 10.1.1.6 dynamic 30
40 10.1.1.5 10.1.1.3 dynamic 40
40 10.1.1.5 10.1.1.4 dynamic 40
40 10.1.1.5 10.1.1.6 dynamic 40
[CE5]display vxlan tunnel
Number of vxlan tunnel : 3
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531841 10.1.1.5 10.1.1.3 up dynamic 00:02:50
4026531842 10.1.1.5 10.1.1.4 up dynamic 00:02:42
4026531843 10.1.1.5 10.1.1.6 up dynamic 00:02:31
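The displays above (display bgp evpn peer on the RRs, display vxlan peer / display vxlan tunnel on the leaves) are the checkpoint before any tenant traffic is sent. The Python script below is an added example, not part of the original lab: it parses the CE1 and CE4 output as printed above (the sample strings are copied from those outputs) and compares it with the address plan, so that a peer outside the Established state, a missing client, or a tunnel to a VTEP that is not in the plan is reported as a finding instead of being overlooked in a long table. The expected peer and VTEP sets are taken from the plan (LoopBack0 100.1.1.3-6, LoopBack1 10.1.1.3-6); the function names and finding texts are the example's own.

```python
"""Parse VRP 'display bgp evpn peer' and 'display vxlan tunnel' output and check
it against the lab plan. Added example, not part of the original lab; the
sample text is copied from the CE1 and CE4 outputs shown on this page."""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

CE1_BGP_EVPN_PEER = """\
BGP local router ID : 11.1.1.1
Local AS number : 1
Total number of peers : 4
Peers in established state : 4
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
100.1.1.3 4 1 4 5 0 00:00:31 Established 0
100.1.1.4 4 1 4 4 0 00:00:20 Established 0
100.1.1.5 4 1 4 4 0 00:00:09 Established 0
100.1.1.6 4 1 4 5 0 00:00:01 Established 0
"""

CE4_VXLAN_TUNNEL = """\
Number of vxlan tunnel : 3
Tunnel ID Source Destination State Type Uptime
-----------------------------------------------------------------------------------
4026531841 10.1.1.4 10.1.1.3 up dynamic 00:02:18
4026531842 10.1.1.4 10.1.1.5 up dynamic 00:02:06
4026531843 10.1.1.4 10.1.1.6 up dynamic 00:01:59
"""

# Planned peers, from the address plan: leaf LoopBack0 and leaf VTEP (LoopBack1)
LEAF_LOOPBACK0 = {"100.1.1.3", "100.1.1.4", "100.1.1.5", "100.1.1.6"}
LEAF_VTEPS = {"10.1.1.3", "10.1.1.4", "10.1.1.5", "10.1.1.6"}


def parse_bgp_evpn_peers(text):
    """{peer_ip: state} from the peer table; data rows start with an IPv4 address."""
    peers = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 9 and IPV4.match(cols[0]):
            peers[cols[0]] = cols[7]
    return peers


def parse_vxlan_tunnels(text):
    """{(source, destination): state} from the tunnel table; rows start with a numeric tunnel ID."""
    tunnels = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].isdigit() and IPV4.match(cols[1]) and IPV4.match(cols[2]):
            tunnels[(cols[1], cols[2])] = cols[3]
    return tunnels


def audit_rr(text, expected_clients):
    """Findings for a route reflector: missing clients, unplanned peers, peers not Established."""
    peers = parse_bgp_evpn_peers(text)
    known, expected = set(peers), set(expected_clients)
    findings = [f"missing peer {p}" for p in sorted(expected - known)]
    findings += [f"unexpected peer {p}" for p in sorted(known - expected)]
    findings += [f"peer {p} state {s}" for p, s in sorted(peers.items()) if s != "Established"]
    return findings


def audit_vtep(text, local_vtep, expected_remotes):
    """Findings for a leaf: an up tunnel from the local VTEP to every other planned
    VTEP, no tunnel to anything else, and nothing sourced from a foreign address."""
    tunnels = parse_vxlan_tunnels(text)
    remotes = {dst for (src, dst) in tunnels if src == local_vtep}
    expected = set(expected_remotes)
    findings = [f"no tunnel to {r}" for r in sorted(expected - remotes)]
    findings += [f"unexpected tunnel to {r}" for r in sorted(remotes - expected)]
    findings += [f"tunnel {src}->{dst} sourced from wrong VTEP"
                 for (src, dst) in sorted(tunnels) if src != local_vtep]
    findings += [f"tunnel {src}->{dst} is {st}"
                 for (src, dst), st in sorted(tunnels.items()) if st != "up"]
    return findings


if __name__ == "__main__":
    print("CE1 (RR):", audit_rr(CE1_BGP_EVPN_PEER, LEAF_LOOPBACK0) or "OK")
    print("CE4 (VTEP):", audit_vtep(CE4_VXLAN_TUNNEL, "10.1.1.4", LEAF_VTEPS - {"10.1.1.4"}) or "OK")
```

An unexpected tunnel or peer deserves the same attention as a missing one: dynamic VXLAN tunnels are built from whatever EVPN routes the RRs reflect, so an unplanned VTEP in this table means an unplanned device is advertising into the fabric.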
Viewing EVPN routes
[CE5]display ip routing-table vpn-instance A protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
A Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.10.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.10.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.20.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.20.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
[CE5]display ip routing-table vpn-instance B protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
B Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.30.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.30.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.40.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.40.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
[CE6]display ip routing-table vpn-instance A protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
A Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.10.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.10.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.20.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.20.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
[CE6]display ip routing-table vpn-instance B protocol bgp
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
B Routing Table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.30.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.30.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
10.0.40.1/32 IBGP 255 0 RD 10.1.1.3 VXLAN
10.0.40.2/32 IBGP 255 0 RD 10.1.1.4 VXLAN
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
Configuring the firewall and gateway leaf interfaces
FW1
vlan batch 100 200 110
#
interface Eth-Trunk1
trunkport GigabitEthernet 1/0/0
trunkport GigabitEthernet 1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
FW2
vlan batch 100 200 110
#
interface Eth-Trunk1
trunkport GigabitEthernet 1/0/0
trunkport GigabitEthernet 1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
CE5
vlan batch 100 200 110
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/3
undo shutdown
#
interface Eth-Trunk1
trunkport GE 1/0/2
trunkport GE 1/0/3
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
CE6
vlan batch 100 200 110
#
interface GE1/0/2
undo shutdown
#
interface GE1/0/3
undo shutdown
#
interface Eth-Trunk1
trunkport GE 1/0/2
trunkport GE 1/0/3
port link-type trunk
port trunk allow-pass vlan 100 110 200
#
Configuring the active/standby firewalls
FW1
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.1 255.255.255.252
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
hrp mirror config enable
hrp interface GigabitEthernet1/0/2 remote 1.1.1.2
hrp base config enable
hrp mirror session enable
hrp nat resource primary-group
hrp standby config enable
undo hrp preempt
hrp track interface Eth-Trunk1
hrp enable
FW2
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.2 255.255.255.252
#
firewall zone dmz
add interface GigabitEthernet1/0/2
#
hrp mirror config enable
hrp standby-device
hrp interface GigabitEthernet1/0/2 remote 1.1.1.1 //the remote address is FW1's 1.1.1.1; 1.1.1.2 is FW2's own heartbeat address
hrp base config enable
hrp mirror session enable
hrp nat resource primary-group
hrp standby config enable
undo hrp preempt
hrp track interface Eth-Trunk1
hrp enable
Configuring the firewall to gateway leaf interconnection
CE5
interface Vlanif100
ip binding vpn-instance A
ip address 10.1.100.2 255.255.255.252
#
interface Vlanif110
ip address 10.1.110.2 255.255.255.252
#
interface Vlanif200
ip binding vpn-instance B
ip address 10.1.200.2 255.255.255.252
#
CE6
interface Vlanif100
ip binding vpn-instance A
ip address 10.1.100.2 255.255.255.252
#
interface Vlanif110
ip address 10.1.110.2 255.255.255.252
#
interface Vlanif200
ip binding vpn-instance B
ip address 10.1.200.2 255.255.255.252
#
FW
vsys enable
#
vsys name A
assign vlan 100
#
vsys name B
assign vlan 200
#
interface Vlanif100
ip binding vpn-instance A
ip address 10.1.100.1 255.255.255.252
#
interface Vlanif110
ip address 10.1.110.1 255.255.255.252
service-manage ping permit
#
interface Vlanif200
ip binding vpn-instance B
ip address 10.1.200.1 255.255.255.252
#
switch vsys A
#
interface Vlanif 100
service-manage ping permit
#
switch vsys B
#
interface Vlanif 200
service-manage ping permit
#
Configuring routes between the firewall and the gateway leaves
CE5
ip route-static 0.0.0.0 0 211.1.1.1
ip route-static vpn-instance A 0.0.0.0 0 10.1.100.1
ip route-static vpn-instance B 0.0.0.0 0 10.1.200.1
#
bgp 1
#
ipv4-family vpn-instance A
import-route static
advertise l2vpn evpn //advertise the IP routes of the VPN instance into the EVPN instance
#
ipv4-family vpn-instance B
import-route static
advertise l2vpn evpn
#
CE6
ip route-static 0.0.0.0 0.0.0.0 212.1.1.1
ip route-static vpn-instance A 0.0.0.0 0.0.0.0 10.1.100.1
ip route-static vpn-instance B 0.0.0.0 0.0.0.0 10.1.200.1
#
bgp 1
#
ipv4-family vpn-instance A
import-route static
advertise l2vpn evpn
#
ipv4-family vpn-instance B
import-route static
advertise l2vpn evpn
#
FW
ip route-static 0.0.0.0 0 10.1.110.2

Configuring the firewall so tenants can reach the Internet
Root system (public)
firewall zone trust
add interface Virtual-if0
#
firewall zone untrust
add interface Vlanif110
#
security-policy
rule name trust-untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust-trust
source-zone untrust
destination-zone trust
action permit
#
//assign public address ranges to the different vsys
vsys name A
assign global-ip 202.1.1.1 202.1.1.6 free
#
vsys name B 2
assign global-ip 202.1.1.9 202.1.1.14 free
#
//the root system acts as the router and steers traffic for the NAT public addresses into the corresponding vsys
firewall import-flow public 202.1.1.0 202.1.1.7 vpn-instance A
firewall import-flow public 202.1.1.8 202.1.1.15 vpn-instance B
#
vsys A
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.0.10.0 255.255.255.0 10.1.100.2
ip route-static 10.0.20.0 255.255.255.0 10.1.100.2
#
firewall zone trust
add interface Vlanif100
#
firewall zone untrust
add interface Virtual-if1
#
nat address-group net1 0
mode pat
section 0 202.1.1.1 202.1.1.2
#
nat address-group net2 1
mode pat
section 0 202.1.1.3 202.1.1.4
#
nat-policy
rule name net1
source-zone trust
destination-zone untrust
source-address range 10.0.10.1 10.0.10.5
destination-address 8.8.8.8 mask 255.255.255.255
action source-nat address-group net1
rule name net2
source-zone trust
destination-zone untrust
source-address range 10.0.20.1 10.0.20.5
destination-address 8.8.8.8 mask 255.255.255.255
action source-nat address-group net2
#
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address range 10.0.10.1 10.0.10.5
source-address range 10.0.20.1 10.0.20.5
destination-address 8.8.8.8 mask 255.255.255.255
action permit
#
vsys B
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.0.30.0 255.255.255.0 10.1.200.2
ip route-static 10.0.40.0 255.255.255.0 10.1.200.2
#
firewall zone trust
add interface Vlanif200
#
firewall zone untrust
add interface Virtual-if2
#
nat address-group net3 2
mode pat
section 0 202.1.1.9 202.1.1.10
#
nat address-group net4 3
mode pat
section 0 202.1.1.11 202.1.1.12
#
nat-policy
rule name net3
source-zone trust
destination-zone untrust
source-address range 10.0.30.1 10.0.30.5
action source-nat address-group net3
rule name net4
source-zone trust
destination-zone untrust
source-address range 10.0.40.1 10.0.40.5
action source-nat address-group net4
#
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address range 10.0.30.1 10.0.30.5
source-address range 10.0.40.1 10.0.40.5
destination-address 8.8.8.8 mask 255.255.255.255
action permit
#
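Three address ranges on the firewall have to agree for the tenant NAT to work: the root system's firewall import-flow range decides which vsys receives return traffic for a public address, assign global-ip decides which addresses the vsys may use at all, and the NAT address-groups inside the vsys must lie within that assignment; the ISP's static route for 202.1.1.0/28 must cover all of it. A pool outside its vsys's import-flow range means the replies from 8.8.8.8 are steered to the wrong vsys or dropped, and pools that overlap between vsys A and vsys B would deliver one tenant's return traffic into the other's vsys. The following Python script is an added example, not part of the original lab: the ranges are copied from the configuration above, the checks and finding texts are the example's own, and the deliberately broken plan in with_misplaced_pool is constructed.

```python
"""Consistency audit of the per-vsys public address plan configured above.

Added example, not part of the original lab. Ranges are copied from the ISP
static route (202.1.1.0/28), the root system's assign global-ip and firewall
import-flow commands, and the NAT address-groups of vsys A and vsys B.
"""
import copy
import ipaddress


def rng(first, last):
    """Inclusive address range as a pair of ints."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return (a, b)


def fmt(r):
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"


def within(inner, outer):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def overlaps(x, y):
    return x[0] <= y[1] and y[0] <= x[1]


# ip route-static 202.1.1.0 255.255.255.240 on the ISP
ISP_ROUTE = ipaddress.IPv4Network("202.1.1.0/28")
ISP_RANGE = (int(ISP_ROUTE.network_address), int(ISP_ROUTE.broadcast_address))

PLAN = {
    "A": {"import_flow": rng("202.1.1.0", "202.1.1.7"),     # firewall import-flow public ... vpn-instance A
          "global_ip": rng("202.1.1.1", "202.1.1.6"),       # assign global-ip in vsys A
          "nat_groups": {"net1": rng("202.1.1.1", "202.1.1.2"),
                         "net2": rng("202.1.1.3", "202.1.1.4")}},
    "B": {"import_flow": rng("202.1.1.8", "202.1.1.15"),
          "global_ip": rng("202.1.1.9", "202.1.1.14"),
          "nat_groups": {"net3": rng("202.1.1.9", "202.1.1.10"),
                         "net4": rng("202.1.1.11", "202.1.1.12")}},
}


def audit(plan, isp_range):
    """Return a list of findings; empty when the plan is consistent."""
    findings = []
    for vsys, p in plan.items():
        if not within(p["import_flow"], isp_range):
            findings.append(f"vsys {vsys}: import-flow {fmt(p['import_flow'])} not covered by ISP route {fmt(isp_range)}")
        if not within(p["global_ip"], p["import_flow"]):
            findings.append(f"vsys {vsys}: global-ip {fmt(p['global_ip'])} outside import-flow {fmt(p['import_flow'])}")
        for name, g in p["nat_groups"].items():
            if not within(g, p["global_ip"]):
                findings.append(f"vsys {vsys}: nat address-group {name} {fmt(g)} outside assigned global-ip {fmt(p['global_ip'])}")
    names = sorted(plan)
    # import-flow ranges must not overlap: each public address steers to exactly one vsys
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(plan[a]["import_flow"], plan[b]["import_flow"]):
                findings.append(f"import-flow of vsys {a} and {b} overlap")
    # NAT pools must be disjoint across all vsys
    groups = [(v, n, g) for v in names for n, g in sorted(plan[v]["nat_groups"].items())]
    for i, (va, na, ga) in enumerate(groups):
        for vb, nb, gb in groups[i + 1:]:
            if overlaps(ga, gb):
                findings.append(f"nat address-group {va}/{na} overlaps {vb}/{nb}")
    return findings


def with_misplaced_pool(plan):
    """Constructed mistake: vsys B's net3 pool typed with tenant A's addresses."""
    bad = copy.deepcopy(plan)
    bad["B"]["nat_groups"]["net3"] = rng("202.1.1.3", "202.1.1.4")
    return bad


if __name__ == "__main__":
    print("plan as configured:", audit(PLAN, ISP_RANGE) or "consistent")
    for f in audit(with_misplaced_pool(PLAN), ISP_RANGE):
        print("finding:", f)
```

Two points in the configuration itself are worth noting alongside this check: the root system's security policy permits trust to untrust and untrust to trust without any condition, so the security policies inside the vsys are the only real filter; and the NAT rules of vsys B, unlike those of vsys A, carry no destination-address 8.8.8.8 condition, so in vsys B only the security policy limits the destination.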
Copyright notice
This article represents only the author's views and not the position of 博信信息网.