VXLAN intra-subnet communication
Topology
Requirement: hosts in the same subnet can reach each other: PC1 can communicate with PC2, and PC3 can communicate with PC4.
Basic configuration: the underlay network of the three CE devices is interconnected via RIP.
----------------------------------------------------------------
The basic underlay configuration is as follows.
CE2 configuration:
#
vlan batch 12 to 13
#
interface GE1/0/0
undo shutdown
port link-type trunk
port trunk allow-pass vlan 12
#
interface GE1/0/1
undo shutdown
port link-type trunk
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface Vlanif12
ip address 10.1.12.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 2.0.0.0
CE3 configuration:
#
interface GE1/0/0
undo shutdown
port link-type trunk
port trunk allow-pass vlan 13
#
interface GE1/0/1
undo shutdown
port link-type trunk
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface Vlanif13
ip address 10.1.13.3 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 3.0.0.0
CE1 configuration:
#
interface GE1/0/0
undo shutdown
port link-type trunk
port trunk allow-pass vlan 12
#
interface GE1/0/1
undo shutdown
port link-type trunk
port trunk allow-pass vlan 13
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.1 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
network 1.0.0.0
------------------------------------------------------------------
VXLAN configuration
CE2 configuration:
#
bridge-domain 10
vxlan vni 10
#
bridge-domain 20
vxlan vni 20
#
interface GE1/0/1.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/1.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface Nve1
source 2.2.2.2
vni 10 head-end peer-list 3.3.3.3
vni 20 head-end peer-list 3.3.3.3
CE3 configuration:
#
bridge-domain 10
vxlan vni 10
#
bridge-domain 20
vxlan vni 20
#
interface GE1/0/1.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/1.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface Nve1
source 3.3.3.3
vni 10 head-end peer-list 2.2.2.2
vni 20 head-end peer-list 2.2.2.2
VXLAN inter-subnet communication
CE2 configuration:
#
bridge-domain 10
vxlan vni 10
#
bridge-domain 20
vxlan vni 20
#
interface GE1/0/1.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/1.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface Nve1
source 2.2.2.2
vni 10 head-end peer-list 3.3.3.3
vni 10 head-end peer-list 1.1.1.1
vni 20 head-end peer-list 3.3.3.3
vni 20 head-end peer-list 1.1.1.1
CE3 configuration:
#
bridge-domain 10
vxlan vni 10
#
bridge-domain 20
vxlan vni 20
#
interface GE1/0/1.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/1.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface Nve1
source 3.3.3.3
vni 10 head-end peer-list 2.2.2.2
vni 10 head-end peer-list 1.1.1.1
vni 20 head-end peer-list 2.2.2.2
vni 20 head-end peer-list 1.1.1.1
CE1 configuration:
#
bridge-domain 10
vxlan vni 10
#
bridge-domain 20
vxlan vni 20
#
interface Vbdif10
ip address 10.1.10.254 255.255.255.0
#
interface Vbdif20
ip address 10.1.20.254 255.255.255.0
#
interface Nve1
source 1.1.1.1
vni 10 head-end peer-list 2.2.2.2
vni 10 head-end peer-list 3.3.3.3
vni 20 head-end peer-list 2.2.2.2
vni 20 head-end peer-list 3.3.3.3
VXLAN multi-tenant communication
Logical topology
Lab topology
There are two tenants, A and B.
East-west traffic: hosts within tenant A can communicate with each other, and hosts within tenant B can communicate with each other.
North-south traffic: tenants A and B access 8.8.8.8 through NAT; the traffic is steered from the core to the firewall, returns from the firewall to the core, and then goes out to the external network (the firewall uses a virtual-firewall (vsys) scheme).
Basic configuration:
SW1:
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
SW2:
#
vlan batch 30 40
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30 40
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 40
CE2:
#
vlan batch 10 20
#
bridge-domain 10
vxlan vni 1
#
bridge-domain 20
vxlan vni 2
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.12.2 255.255.255.0
#
interface GE1/0/1
undo shutdown
#
interface GE1/0/1.10 mode l2
encapsulation dot1q vid 10
bridge-domain 10
#
interface GE1/0/1.20 mode l2
encapsulation dot1q vid 20
bridge-domain 20
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
rip 1
version 2
network 10.0.0.0
network 2.0.0.0
#
interface Nve1
source 2.2.2.2
vni 1 head-end peer-list 1.1.1.1
vni 2 head-end peer-list 1.1.1.1
CE3:
#
vlan batch 30 40
#
bridge-domain 30
vxlan vni 3
#
bridge-domain 40
vxlan vni 4
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.13.3 255.255.255.0
#
interface GE1/0/1
undo shutdown
#
interface GE1/0/1.30 mode l2
encapsulation dot1q vid 30
bridge-domain 30
#
interface GE1/0/1.40 mode l2
encapsulation dot1q vid 40
bridge-domain 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
rip 1
version 2
network 10.0.0.0
network 3.0.0.0
#
interface Nve1
source 3.3.3.3
vni 3 head-end peer-list 1.1.1.1
vni 4 head-end peer-list 1.1.1.1
CE1:
#
ip vpn-instance a
ipv4-family
route-distinguisher 1:1
#
ip vpn-instance b
ipv4-family
route-distinguisher 1:2
#
-------------------------Configure bridge domains---------------------------
bridge-domain 10
vxlan vni 1
#
bridge-domain 20
vxlan vni 2
#
bridge-domain 30
vxlan vni 3
#
bridge-domain 40
vxlan vni 4
-------------------------Configure bridge domains---------------------------
--------------------------------Configure Vbdif interfaces----------------------------
interface Vbdif10
ip binding vpn-instance a
ip address 192.168.1.254 255.255.255.0
#
interface Vbdif20
ip binding vpn-instance b
ip address 192.168.2.254 255.255.255.0
#
interface Vbdif30
ip binding vpn-instance a
ip address 192.168.3.254 255.255.255.0
#
interface Vbdif40
ip binding vpn-instance b
ip address 192.168.4.254 255.255.255.0
--------------------------------Configure Vbdif interfaces----------------------------
--------------------------------Configure interface addresses toward the virtual firewalls-------------------------
interface Vlanif100
ip binding vpn-instance a
ip address 192.168.100.254 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance b
ip address 192.168.200.254 255.255.255.0
--------------------------------Configure interface addresses toward the virtual firewalls-------------------------
--------------------------------Configure the root firewall to core interconnect address-------------------------
interface Vlanif255
ip address 192.168.255.254 255.255.255.0
--------------------------------Configure the root firewall to core interconnect address-------------------------
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 200 255
mode lacp-static
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.12.1 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.13.1 255.255.255.0
#
interface GE1/0/2
undo shutdown
eth-trunk 1
#
interface GE1/0/3
undo shutdown
eth-trunk 1
#
interface GE1/0/4
undo portswitch
undo shutdown
ip address 10.1.11.254 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
rip 1
version 2
network 10.0.0.0
network 1.0.0.0
#
interface Nve1
source 1.1.1.1
vni 1 head-end peer-list 2.2.2.2
vni 2 head-end peer-list 2.2.2.2
vni 3 head-end peer-list 3.3.3.3
vni 4 head-end peer-list 3.3.3.3
#
ip route-static 0.0.0.0 0.0.0.0 10.1.11.1 (after traffic returns from the root firewall it exits directly via this static route)
ip route-static 202.1.1.0 255.255.255.0 192.168.255.1 (these two routes, for 202.x and 203.x, send traffic that arrives at the core from the external network back to the firewall, because it is NATed)
ip route-static 203.1.1.0 255.255.255.0 192.168.255.1
ip route-static vpn-instance a 0.0.0.0 0.0.0.0 192.168.100.1 (steer tenant a traffic to virtual firewall a)
ip route-static vpn-instance b 0.0.0.0 0.0.0.0 192.168.200.1 (steer tenant b traffic to virtual firewall b)
AR1:
#
interface GigabitEthernet0/0/0
ip address 10.1.11.1 255.255.255.0
#
interface LoopBack0
ip address 8.8.8.8 255.255.255.0
#
ip route-static 202.1.1.0 255.255.255.0 10.1.11.254
ip route-static 203.1.1.0 255.255.255.0 10.1.11.254
#
Root firewall:
#
vlan batch 100 200 255
#
interface Vlanif255
ip address 192.168.255.1 255.255.255.0
service-manage ping permit
#
-----------------Configure Eth-Trunk toward the core-------------------
interface Eth-Trunk1
portswitch
port link-type trunk
port trunk allow-pass vlan 100 200 255
mode lacp-static
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
-----------------Configure Eth-Trunk toward the core-------------------
#
-----------------Configure virtual firewalls------------------
vsys enable
#
vsys name a 1
assign vlan 100
assign global-ip 202.1.1.1 202.1.1.10 free
#
vsys name b 2
assign vlan 200
assign global-ip 203.1.1.1 203.1.1.10 free
-----------------Configure virtual firewalls------------------
#
------------------Assign zones according to the logical architecture diagram-----------------
firewall zone trust
add interface Virtual-if0
#
firewall zone untrust
add interface Vlanif255
------------------Assign zones according to the logical architecture diagram-----------------
#
firewall import-flow public 203.1.1.1 203.1.1.10 vpn-instance b (traffic import)
firewall import-flow public 202.1.1.1 202.1.1.10 vpn-instance a (traffic import)
#
ip route-static 0.0.0.0 0.0.0.0 192.168.255.254 (firewall default route)
#
Virtual firewall a:
#
------------------------Interconnect interface between core and virtual firewall-----------------------
interface Vlanif100
ip binding vpn-instance a
ip address 192.168.100.1 255.255.255.0
service-manage ping permit
------------------------Interconnect interface between core and virtual firewall-----------------------
#
------------------------Assign zones according to the logical diagram--------------------------
firewall zone trust
add interface Vlanif100
#
firewall zone untrust
add interface Virtual-if1
------------------------Assign zones according to the logical diagram--------------------------
#
------------------------Configure NAT policy------------------------
nat address-group a 0
section 0 202.1.1.1 202.1.1.5
#
nat-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
action source-nat address-group a
------------------------Configure NAT policy------------------------
#
------------------------Configure security policy------------------------
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
action permit
------------------------Configure security policy------------------------
#
ip route-static 0.0.0.0 0.0.0.0 public (virtual firewall a default route pointing to the root firewall)
ip route-static 192.168.1.0 255.255.255.0 192.168.100.254 (tenant a return route)
ip route-static 192.168.3.0 255.255.255.0 192.168.100.254 (tenant a return route)
#
Virtual firewall b:
#
interface Vlanif200
ip binding vpn-instance b
ip address 192.168.200.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
add interface Vlanif200
#
firewall zone untrust
add interface Virtual-if2
#
nat address-group b 3
section 0 203.1.1.1 203.1.1.5
#
nat-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
source-address 192.168.4.0 mask 255.255.255.0
action source-nat address-group b
#
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
source-address 192.168.4.0 mask 255.255.255.0
action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 192.168.2.0 255.255.255.0 192.168.200.254
ip route-static 192.168.4.0 255.255.255.0 192.168.200.254
#
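A consistency check that follows from the Nve1 head-end peer-lists used in all three labs above: with static ingress replication, a VNI only forwards both ways when each VTEP lists its peer and is listed back, and a VNI that appears in a peer-list but in no bridge-domain silently carries nothing. The Python below is an added example, not part of the original notes; its LAB sample is constructed from the multi-tenant section's hub-and-spoke peer-lists with one deliberate defect inserted for the check to catch.

```python
"""Audit VXLAN head-end peer-lists for symmetry and local VNI binding (added example for
these lab notes, not from the original configs). Parses only the CE-style lines used on this
page: bridge-domain "vxlan vni N", Nve1 "source IP" and "vni N head-end peer-list IP"."""
from collections import defaultdict

def parse_vtep(config: str) -> dict:
    """Return the VTEP source IP, per-VNI peer set and the VNIs bound to a bridge-domain."""
    dev = {"source": None, "peers": defaultdict(set), "bound": set()}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["vxlan", "vni"]:  # "vxlan vni N" under a bridge-domain
            dev["bound"].add(int(t[2]))
        elif t[:1] == ["source"]:  # Nve1 source address (VTEP IP)
            dev["source"] = t[1]
        elif len(t) == 5 and t[0] == "vni" and t[2:4] == ["head-end", "peer-list"]:
            dev["peers"][int(t[1])].add(t[4])  # static ingress-replication peer
    return dev

def audit(configs: dict) -> list:
    """configs maps device name -> config text. A peer that does not list us back
    leaves that VNI one-directional; a VNI with no local bridge-domain is unbound."""
    devs = {name: parse_vtep(cfg) for name, cfg in configs.items()}
    by_src = {d["source"]: name for name, d in devs.items()}
    findings = []
    for name, d in devs.items():
        for vni, peers in sorted(d["peers"].items()):
            if vni not in d["bound"]:
                findings.append(f"{name}: VNI {vni} in peer-list but not bound to a bridge-domain")
            for peer in sorted(peers):
                far = by_src.get(peer)
                if far is None:
                    findings.append(f"{name}: VNI {vni} peer {peer} is not a known VTEP source")
                elif d["source"] not in devs[far]["peers"].get(vni, set()):
                    findings.append(f"{name}: VNI {vni} peer {far} does not list {d['source']} back")
    return findings

# Constructed sample: the multi-tenant lab's hub-and-spoke lists (CE1 = hub), plus one
# deliberate defect: CE3 also lists 2.2.2.2 for VNI 3, which CE2 does not mirror.
LAB = {
    "CE1": "bridge-domain 10\n vxlan vni 1\nbridge-domain 20\n vxlan vni 2\nbridge-domain 30\n vxlan vni 3\n"
           "bridge-domain 40\n vxlan vni 4\ninterface Nve1\n source 1.1.1.1\n vni 1 head-end peer-list 2.2.2.2\n"
           " vni 2 head-end peer-list 2.2.2.2\n vni 3 head-end peer-list 3.3.3.3\n vni 4 head-end peer-list 3.3.3.3\n",
    "CE2": "bridge-domain 10\n vxlan vni 1\nbridge-domain 20\n vxlan vni 2\ninterface Nve1\n source 2.2.2.2\n"
           " vni 1 head-end peer-list 1.1.1.1\n vni 2 head-end peer-list 1.1.1.1\n",
    "CE3": "bridge-domain 30\n vxlan vni 3\nbridge-domain 40\n vxlan vni 4\ninterface Nve1\n source 3.3.3.3\n"
           " vni 3 head-end peer-list 1.1.1.1\n vni 3 head-end peer-list 2.2.2.2\n vni 4 head-end peer-list 1.1.1.1\n",
}

if __name__ == "__main__":
    print("\n".join(audit(LAB)))
```

The same two checks apply unchanged to the full-mesh lists of the inter-subnet lab, where every CE must list both other loopbacks for VNI 10 and VNI 20.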