- 项目拓扑与项目需求
项目需求:某企业网络拥有三个出口,分别使用AR1、AR2、AR3链接运营商网络。其中AR1为万兆出口,而AR2、AR3为千兆出口。现在需要实现以下需求:
- 希望vlan10的流量能够强制通过AR1作为业务的出口,vlan20 在AR1上使用负载分担的模式同时使用三个出口访问公网。
- 配置步骤
- IP地址的规划与配置
| AR1 | G0/0/0 | 10.0.14.1 /24 |
| G0/0/1 | 10.0.15.1 /24 | |
| AR2 | G0/0/0 | 10.0.24.1 /24 |
| G0/0/1 | 10.0.25.1 /24 | |
| AR3 | G0/0/0 | 10.0.34.1 /24 |
| G0/0/1 | 10.0.35.1 /24 | |
| AR4 | G0/0/0 | 10.0.14.4 /24 |
| G0/0/1 | 10.0.24.4 /24 | |
| G0/0/2 | 10.0.34.4 /24 | |
| Loopback 0 | 4.4.4.4 /32 | |
| AR5 | G0/0/0 | 10.0.15.5 /24 |
| G0/0/1 | 10.0.25.5 /24 | |
| G0/0/2 | 10.0.35.5 /24 | |
| E0/0/1 | 10.0.100.5 /24 | |
| LSW1 | Vlanif 1 | 10.0.100.10 /24 |
| Vlanif 10 | 10.0.10.254 /24 | |
| Vlanif 20 | 10.0.20.254 /24 |
-
- 交换机LSW1的配置
[LSW1]vlan batch 10 20
[LSW1]interface g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 10
[LSW1-GigabitEthernet0/0/1]interface g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 20
[LSW1-GigabitEthernet0/0/2]quit
[LSW1]interface Vlanif 1
[LSW1-Vlanif1]ip address 10.0.100.10 24
[LSW1-Vlanif1]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip address 10.0.10.254 24
[LSW1-Vlanif10]quit
[LSW1]interface Vlanif 20
[LSW1-Vlanif20]ip address 10.0.20.254 24
[LSW1-Vlanif20]quit
-
- OSPF的配置
AR1
[AR1]ospf
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.0.15.0 0.0.0.255
AR2
[AR2]ospf
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.0.25.0 0.0.0.255
AR3
[AR3]ospf
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
AR5
[AR5]ospf
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 10.0.100.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]network 10.0.15.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]network 10.0.25.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
在AR5上查看OSPF邻居表可以发现已经成功的建立了邻居
[AR5]display ospf peer brief
OSPF Process 1 with Router ID 10.0.100.5
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/0 10.0.14.1 FuLL
0.0.0.0 GigabitEthernet0/0/1 10.0.24.2 FuLL
0.0.0.0 GigabitEthernet0/0/2 10.0.34.3 FuLL
----------------------------------------------------------------------------
[AR5]
LSW1的配置
[LSW1]ospf
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0] network 10.0.100.0 0.0.0.255
-
- 缺省路由的配置
AR1
[AR1]ip route-static 0.0.0.0 0 10.0.14.4
[AR1]ospf
[AR1-ospf-1]default-route-advertise //下发缺省路由
AR2
[AR2]ip route-static 0.0.0.0 0 10.0.24.4
[AR2]ospf
[AR2-ospf-1]default-route-advertise
AR3
[AR3]ip route-static 0.0.0.0 0 10.0.34.4
[AR3]ospf
[AR3-ospf-1]default-route-advertise
-
- 在AR5上查询路由表
[AR5]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 15
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
O_ASE 150 1 D 10.0.25.2 GigabitEthernet0/0/1
O_ASE 150 1 D 10.0.35.3 GigabitEthernet0/0/2
10.0.10.0/24 OSPF 10 2 D 10.0.100.10 Ethernet0/0/0
10.0.15.0/24 Direct 0 0 D 10.0.15.5 GigabitEthernet0/0/0
10.0.15.5/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
10.0.20.0/24 OSPF 10 2 D 10.0.100.10 Ethernet0/0/0
10.0.25.0/24 Direct 0 0 D 10.0.25.5 GigabitEthernet0/0/1
10.0.25.5/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.0.35.0/24 Direct 0 0 D 10.0.35.5 GigabitEthernet0/0/2
10.0.35.5/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
10.0.100.0/24 Direct 0 0 D 10.0.100.5 Ethernet0/0/0
10.0.100.5/32 Direct 0 0 D 127.0.0.1 Ethernet0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
可以发现AR5上有3条缺省路由
-
- NAT的配置
AR1
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source any
[AR1-acl-basic-2000]quit
[AR1]interface g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000
[AR1-GigabitEthernet0/0/0]quit
AR2
[AR2]acl 2000
[AR2-acl-basic-2000]rule permit source any
[AR2-acl-basic-2000]quit
[AR2]interface g0/0/0
[AR2-GigabitEthernet0/0/0]nat outbound 2000
[AR2-GigabitEthernet0/0/0]quit
AR3
[AR3]acl 2000
[AR3-acl-basic-2000]rule permit source any
[AR3-acl-basic-2000]quit
[AR3]interface g0/0/0
[AR3-GigabitEthernet0/0/0]nat outbound 2000
[AR3-GigabitEthernet0/0/0]quit
-
- 测试网络联通性
现在终端设备已经可以访问外网
-
- 部署策略路由
AR5
[AR5]acl 3000
[AR5-acl-adv-3000]rule permit ip source 10.0.10.0 0.0.0.255 destination any
[AR5-acl-adv-3000]quit
[AR5]policy-based-route 1 permit node 10
[AR5-policy-based-route-1-10]if-match acl 3000
[AR5-policy-based-route-1-10]apply ip-address next-hop 10.0.15.1
[AR5-policy-based-route-1-10]quit
[AR5]interface e0/0/0
[AR5-Ethernet0/0/0]ip policy-based-route 1
-
- 测试策略路由
在AR5上将g0/0/0口开销改大
[AR5]interface g0/0/0
[AR5-GigabitEthernet0/0/0]ospf cost 100
虽然路由表的下一跳不是G0/0/0口,但是流量会按照PBR的配置结果去转发。
在pc1上ping 4.4.4.4 并在AR5的g0/0/0口抓包
可以发现报文都是从AR5的g0/0/0口发送到4.4.4.4 。
