Application scenarios of the various types of VXLAN Layer 2 sub-interfaces

As shown in the figure above, here is a brief introduction to the application scenarios of each type of Layer 2 sub-interface.

On the Layer 2 physical interface GE 1/0/1, two Layer 2 sub-interfaces, GE 1/0/1.1 and GE 1/0/1.2, are created, with their traffic encapsulation types set to dot1q and untag respectively. The configuration is as follows:

interface GE1/0/1.1 mode l2 // create Layer 2 sub-interface GE1/0/1.1
encapsulation dot1q vid 10 // only frames carrying VLAN tag 10 are allowed into the VXLAN tunnel
bridge-domain 10 // those frames enter BD 10

interface GE1/0/1.2 mode l2 // create Layer 2 sub-interface GE1/0/1.2
encapsulation untag // only untagged frames are allowed into the VXLAN tunnel
bridge-domain 20 // those frames enter BD 20

On the Layer 2 physical interface GE 1/0/2, a single Layer 2 sub-interface GE 1/0/2.1 is created with traffic encapsulation type default. The configuration is as follows:

interface GE1/0/2.1 mode l2 // create Layer 2 sub-interface GE1/0/2.1
encapsulation default // all frames are allowed into the VXLAN tunnel
bridge-domain 30 // those frames enter BD 30

The application scenarios of these Layer 2 sub-interfaces are as follows:

First, can another Layer 2 sub-interface of type default be created on GE 1/0/1? The answer is no. This is easy to understand from the description in Table 2-1: a default-type Layer 2 sub-interface allows all frames into the VXLAN tunnel, whereas dot1q- and untag-type Layer 2 sub-interfaces each admit only one class of frame. This means a default-type sub-interface cannot coexist with the other two types on the same physical interface; otherwise, when a frame arrived at the interface there would be no way to decide which sub-interface it should enter. A default-type sub-interface is therefore generally used where all frames passing through the interface must take the same VXLAN tunnel, that is, where all VMs attached to it belong to the same BD. For example, in the figure above VM3 and VM4 both belong to BD 30, so a default-type Layer 2 sub-interface can be created on GE 1/0/2.

Next, why can dot1q- and untag-type Layer 2 sub-interfaces both be created on GE 1/0/1? As shown in the figure above, VM1 and VM2 belong to VLAN 10 and VLAN 20 respectively and to different large Layer 2 domains, BD 10 and BD 20, so the frames they send clearly have to enter different VXLAN tunnels. If, when the frames from VM1 and VM2 reach the VTEP's GE 1/0/1 interface, one carries VLAN tag 10 and the other carries no VLAN tag (for example, because the Layer 2 switch's uplink to the VTEP is configured as a trunk that allows VLANs 10 and 20 with PVID VLAN 20), then to tell the two apart a dot1q-type and an untag-type Layer 2 sub-interface must be created on GE1/0/1. So when the frames passing through one physical interface are partly VLAN-tagged and partly untagged, and each kind has to enter a different VXLAN tunnel, dot1q- and untag-type Layer 2 sub-interfaces can be created together on that physical interface.

Of course, live networks use many different topologies, and they cannot all be listed here. In practice, plan the traffic encapsulation type of each Layer 2 sub-interface carefully according to the needs of your topology.
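The classification and coexistence rules described above, as an added example that is not part of the original page: a small Python model of how a VTEP maps an arriving frame to a sub-interface and BD, which also rejects the combinations the text says cannot share one physical port. The SubIf class and the validate_port/classify function names are assumptions for illustration.

```python
# Added illustration, not vendor code: model of L2 sub-interface classification.
# Class and function names are assumptions; the topology data mirrors the page.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SubIf:
    name: str                   # e.g. "GE1/0/1.1"
    encap: str                  # "dot1q", "untag" or "default"
    bd: int                     # bridge domain the frame is mapped into
    vid: Optional[int] = None   # only meaningful when encap == "dot1q"

def validate_port(subifs: List[SubIf]) -> None:
    """Reject sub-interface sets that cannot coexist on one physical port."""
    if any(s.encap == "default" for s in subifs) and len(subifs) > 1:
        # Rule from the text: default admits everything, so the device could
        # not decide which sub-interface a frame belongs to.
        raise ValueError("default sub-interface cannot share a port")
    keys = [(s.encap, s.vid) for s in subifs]
    if len(keys) != len(set(keys)):   # same reasoning: duplicate VID / untag
        raise ValueError("ambiguous sub-interfaces on one port")

def classify(subifs: List[SubIf], vlan_tag: Optional[int]) -> Optional[int]:
    """Return the BD a frame enters, or None if dropped (None tag = untagged)."""
    validate_port(subifs)
    for s in subifs:
        if s.encap == "dot1q" and vlan_tag == s.vid:
            return s.bd
        if s.encap == "untag" and vlan_tag is None:
            return s.bd
        if s.encap == "default":
            return s.bd
    return None

# Constructed topology matching the page: GE1/0/1 has dot1q(10) + untag,
# GE1/0/2 has a single default sub-interface.
GE1_0_1 = [SubIf("GE1/0/1.1", "dot1q", 10, vid=10),
           SubIf("GE1/0/1.2", "untag", 20)]
GE1_0_2 = [SubIf("GE1/0/2.1", "default", 30)]

if __name__ == "__main__":
    print(classify(GE1_0_1, 10))    # 10: tagged VLAN 10 -> BD 10
    print(classify(GE1_0_1, None))  # 20: untagged -> BD 20
    print(classify(GE1_0_1, 30))    # None: VLAN 30 has no sub-interface
    print(classify(GE1_0_2, 99))    # 30: default accepts any frame
```

Combining GE1_0_1 and GE1_0_2 into one port raises ValueError, which is exactly the "cannot coexist" case the text describes.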

Simulating a PPPoE authentication server on a Huawei AR router

Here I simulate three ISP access links.

AR1 configuration:

1. Create PPPoE virtual templates 1, 2 and 3

interface Virtual-Template1
ppp authentication-mode pap
remote address pool 1
ip address 100.100.100.1 255.255.255.0
#
interface Virtual-Template2
ppp authentication-mode pap
remote address pool 2
ip address 200.200.200.1 255.255.255.0
#
interface Virtual-Template3
ppp authentication-mode pap
remote address pool 3
ip address 202.202.202.1 255.255.255.0

q

2. Bind the templates to the corresponding interfaces

interface GigabitEthernet0/0/0
pppoe-server bind Virtual-Template 2
#
interface GigabitEthernet0/0/1
pppoe-server bind Virtual-Template 1
#
interface GigabitEthernet0/0/2
pppoe-server bind Virtual-Template 3

q

3. Create the PPPoE accounts

aaa
local-user pppoeuser password cipher pppoepwd
local-user pppoeuser2 password cipher pppoepwd2
local-user pppoeuser3 password cipher pppoepwd3
q

save

USG configuration:

Configure the security policy yourself; it is not covered here. The focus is on the PPPoE accounts.

# DNS configuration: bind DNS to the ISP lines
dns resolve
dns server 114.114.114.114
dns server unnumbered interface Dialer0
dns server unnumbered interface Dialer1
dns server unnumbered interface Dialer2
dns proxy enable
# Bind PPPoE line 1 (100M)
interface Dialer0
 link-protocol ppp
 ppp chap user pppoeuser
 ppp chap password cipher xxxxxxxxxxxx
 ppp pap local-user pppoeuser password cipher xxxxxxxxxxxxxx
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer user pppoeuser
 dialer bundle 1
# Bind PPPoE line 2 (200M)
interface Dialer1
 link-protocol ppp
 ppp chap user pppoeuser2
 ppp chap password cipher xxxxxxxxxxxxxxxxxxx
 ppp pap local-user pppoeuser2 password cipher xxxxxxxxxxxxxxxxx
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer user pppoeuser2
 dialer bundle 2
# Bind PPPoE line 3 (500M)
interface Dialer2
 link-protocol ppp
 ppp chap user pppoeuser3
 ppp chap password cipher xxxxxxxxxxxxxxxxxxxx
 ppp pap local-user pppoeuser3 password cipher xxxxxxxxxxxxxxxxxxxxxxx
 ppp ipcp dns admit-any
 ip address ppp-negotiate
 dialer user pppoeuser3
 dialer bundle 3
# Bind the PPPoE lines to physical interfaces
interface GigabitEthernet x/x/x
 pppoe-client dial-bundle-number 1
 undo shutdown
interface GigabitEthernet x/x/x
 pppoe-client dial-bundle-number 2
 undo shutdown
interface GigabitEthernet x/x/x
 pppoe-client dial-bundle-number 3
 undo shutdown
# Routes to the public network, including the static line
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet x/x/x xxx.xxx.xxx.1
ip route-static 0.0.0.0 0.0.0.0 Dialer0
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 0.0.0.0 0.0.0.0 Dialer2
# Allow NAT for the static-address line and the PPPoE lines
nat-policy
 rule name GuideNat1611107228409
  egress-interface GigabitEthernet x/x/x
  action source-nat easy-ip
 rule name GuideNat1611109674919
  egress-interface Dialer0
  action source-nat easy-ip
 rule name GuideNat1611111522976
  egress-interface Dialer1
  action source-nat easy-ip
 rule name GuideNat1611111585664
  egress-interface Dialer2
  action source-nat easy-ip

Huawei firewall VPN configuration

ISP:
interface GE1/0/19
 undo portswitch
 undo shutdown
 ip address 100.100.100.1 255.255.255.0
 commit
 q

interface GE1/0/18
 undo portswitch
 undo shutdown
 ip address 200.200.200.1 255.255.255.0
 q

interface LoopBack0
 ip address 11.11.11.11 255.255.255.255
 commit

ospf 2 router-id 11.11.11.11
area 0.0.0.0
  network 11.11.11.11 0.0.0.0
  network 100.100.100.1 0.0.0.0
  network 200.200.200.1 0.0.0.0
  q
  q


XM_FW:
interface GigabitEthernet1/0/6
ip address 100.100.100.2 255.255.255.0
service-manage all permit
q

interface LoopBack0
 ip address 22.22.22.22 255.255.255.255
q

firewall zone untrust
add interface GigabitEthernet1/0/6
add interface Tunnel0
q

dhcp enable
interface GigabitEthernet1/0/5
service-manage all permit 
q


interface GigabitEthernet1/0/5.1
 vlan-type dot1q 250
 ip address 10.10.250.1 255.255.255.0
 dhcp select global
 service-manage all permit 
q


firewall zone trust
 add interface GigabitEthernet1/0/5
 add interface GigabitEthernet1/0/5.1
q

ip pool vlan250
 gateway-list 10.10.250.1
 network 10.10.250.0 mask 255.255.255.0
 excluded-ip-address 10.10.250.2 10.10.250.100
 lease day 3 hour 0 minute 0
 dns-list 10.10.94.10 10.10.94.11
q

ospf 2 router-id 22.22.22.22
 area 0.0.0.0
  network 22.22.22.22 0.0.0.0
  network 100.100.100.2 0.0.0.0
q
q


security-policy
 rule name local_untrust
  source-zone local
  destination-zone untrust
  source-address 100.100.100.0 mask 255.255.255.0
  destination-address 200.200.200.0 mask 255.255.255.0
  action permit
 rule name loca_trust
  source-zone local
  destination-zone trust
  action permit
 rule name hz_tunnel_xm
  source-zone untrust
  destination-zone trust
  source-address 10.20.250.0 mask 255.255.255.0
  destination-address 10.10.250.0 mask 255.255.255.0
  action permit
 rule name xm_tunnel_hz
  source-zone trust
  destination-zone untrust
  source-address 10.10.250.0 mask 255.255.255.0
  destination-address 10.20.250.0 mask 255.255.255.0
  action permit
 rule name untust_local
  source-zone untrust
  destination-zone local
  source-address 200.200.200.0 mask 255.255.255.0
  destination-address 100.100.100.0 mask 255.255.255.0
  action permit
q
q


Tunnel configuration:
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel-protocol gre
 source 100.100.100.2
 destination 200.200.200.2
q
ip route-static 10.20.250.0 24 Tunnel 0


S1:
vlan 250
q
dhcp enable

interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 250
q

interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 250
q


HZ_FW:
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 200.200.200.2 255.255.255.0
 service-manage all permit
q

interface LoopBack0
 ip address 33.33.33.33 255.255.255.255
q


dhcp enable

interface GigabitEthernet1/0/5
service-manage all permit

interface GigabitEthernet1/0/5.1
 vlan-type dot1q 250
 ip address 10.20.250.1 255.255.255.0
 dhcp select global
 service-manage all permit 
q

firewall zone untrust
 add interface GigabitEthernet1/0/6
 add interface Tunnel0
q

firewall zone trust
 add interface GigabitEthernet1/0/5
 add interface GigabitEthernet1/0/5.1
q

ospf 2 router-id 33.33.33.33
 area 0.0.0.0
  network 33.33.33.33 0.0.0.0
  network 200.200.200.2 0.0.0.0
q
q


ip pool vlan250
 gateway-list 10.20.250.1
 network 10.20.250.0 mask 255.255.255.0
 excluded-ip-address 10.20.250.2 10.20.250.100
 lease day 3 hour 0 minute 0
 dns-list 10.20.94.10 10.20.94.11
q


security-policy
 rule name local_untrust
  source-zone local
  destination-zone untrust
  source-address 200.200.200.0 mask 255.255.255.0
  destination-address 100.100.100.0 mask 255.255.255.0
  action permit
 rule name loca_trust
  source-zone local
  destination-zone trust
  action permit
 rule name xm_tunnel_hz
  source-zone untrust
  destination-zone trust
  source-address 10.10.250.0 mask 255.255.255.0
  destination-address 10.20.250.0 mask 255.255.255.0
  action permit
 rule name hz_tunnel_xm
  source-zone trust
  destination-zone untrust
  source-address 10.20.250.0 mask 255.255.255.0
  destination-address 10.10.250.0 mask 255.255.255.0
  action permit
 rule name untust_local
  source-zone untrust
  destination-zone local
  source-address 100.100.100.0 mask 255.255.255.0
  destination-address 200.200.200.0 mask 255.255.255.0
  action permit
q
q
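The security-policy blocks on XM_FW and HZ_FW above are mirror images, and they matter because Tunnel0 sits in the untrust zone: decapsulated GRE traffic is evaluated as untrust-to-trust, while the GRE and OSPF packets themselves are untrust-to-local and are admitted only from the peer's 200.200.200.0/24. As an added example that is not part of the original page, the Python below parses two of the XM_FW rules verbatim and evaluates a flow against them with first-match semantics and the implicit default deny; the parser and function names are assumptions.

```python
# Added illustration, not vendor code: first-match evaluation of the USG
# security-policy rules above (parse_rules/evaluate are assumed names).
import ipaddress

# Rule text copied from the XM_FW security-policy on this page (HZ_FW mirrors it).
XM_FW_RULES = """\
 rule name xm_tunnel_hz
  source-zone trust
  destination-zone untrust
  source-address 10.10.250.0 mask 255.255.255.0
  destination-address 10.20.250.0 mask 255.255.255.0
  action permit
 rule name untust_local
  source-zone untrust
  destination-zone local
  source-address 200.200.200.0 mask 255.255.255.0
  destination-address 100.100.100.0 mask 255.255.255.0
  action permit
"""

def parse_rules(text):
    """Turn the indented rule block into a list of dicts, in configured order."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["rule", "name"]:
            rules.append({"name": words[2]})
        elif words[0] in ("source-address", "destination-address"):
            # "a.b.c.d mask m.m.m.m" -> network; an absent address means "any"
            rules[-1][words[0]] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
        else:
            rules[-1][words[0]] = words[1]
    return rules

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Return (rule name, action); no match falls to the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["source-zone"] != src_zone or r["destination-zone"] != dst_zone:
            continue
        if "source-address" in r and src not in r["source-address"]:
            continue
        if "destination-address" in r and dst not in r["destination-address"]:
            continue
        return r["name"], r["action"]
    return None, "deny"
```

With these rules, GRE from 200.200.200.2 to the firewall's own 100.100.100.2 hits untust_local, while the same packet from any other Internet address gets no match and is dropped.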

Tunnel configuration:
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 tunnel-protocol gre
 source 200.200.200.2
 destination 100.100.100.2
 q
ip route-static 10.10.250.0 24 Tunnel 0


S2:
vlan 250
q

dhcp enable
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 250
q

interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 250
q

Firewall DHCP configuration

FW1:

<USG6000V1>sy
[USG6000V1]sy FW1
[FW1]dhcp enable


[FW1]int g1/0/6.1
[FW1-GigabitEthernet1/0/6.1]ip add 10.10.250.1 24
[FW1-GigabitEthernet1/0/6.1]vlan-type dot1q 250
[FW1-GigabitEthernet1/0/6.1]dhcp  select global 
[FW1-GigabitEthernet1/0/6.1]service-manage all permit 
[FW1-GigabitEthernet1/0/6.1]q


[FW1]ip pool vlan250
[FW1-ip-pool-vlan250]gateway-list 10.10.250.1
[FW1-ip-pool-vlan250]network 10.10.250.0 mask 255.255.255.0
[FW1-ip-pool-vlan250]dns-list 10.10.94.10 10.10.94.11
[FW1-ip-pool-vlan250]lease day 3
[FW1-ip-pool-vlan250]excluded-ip-address 10.10.250.2 10.10.250.100
[FW1-ip-pool-vlan250]q


[FW1]int g1/0/6
[FW1-GigabitEthernet1/0/6]service-manage all permit 
[FW1-GigabitEthernet1/0/6]q


[FW1]firewall zone trust 
[FW1-zone-trust]add int g1/0/6
[FW1-zone-trust]add int g1/0/6.1


[FW1]security-policy 
[FW1-policy-security]rule name local_trust
[FW1-policy-security-rule-local_trust]source-zone local
[FW1-policy-security-rule-local_trust]destination-zone trust 
[FW1-policy-security-rule-local_trust]action permit 
[FW1-policy-security-rule-local_trust]q
[FW1-policy-security]q

CE1:
<HUAWEI>sy 
[~HUAWEI]sy CE1
[*HUAWEI]commit 
[~CE1]vlan 250
[*CE1-vlan250]q
[*CE1]commit 
[~CE1]dhcp enable
[*CE1]commit

[~CE1]int g1/0/19
[~CE1-GE1/0/19]un shutdown 
[~CE1-GE1/0/19]port link-type trunk 
[*CE1-GE1/0/19]port trunk allow-pass vlan 250
[*CE1-GE1/0/19]undo port trunk allow-pass vlan 1
[*CE1-GE1/0/19]commit
[~CE1-GE1/0/19]q

[~CE1]int vlanif 250
[*CE1-Vlanif250]ip add 10.10.250.2 24
[*CE1-Vlanif250]commit 
[~CE1-Vlanif250]q

interface GE1/0/1
 undo shutdown
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 250


S1:
sy
sy S1
vlan 250
interface Vlanif250
 ip address 10.10.250.3 255.255.255.0
[S1]dhcp enable 

interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 250

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 250

[S1]ping 10.10.250.1
  PING 10.10.250.1: 56  data bytes, press CTRL_C to break
    Reply from 10.10.250.1: bytes=56 Sequence=1 ttl=255 time=60 ms
    Reply from 10.10.250.1: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 10.10.250.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.10.250.1: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 10.10.250.1: bytes=56 Sequence=5 ttl=255 time=60 ms