Huawei--企业级架构_华为企业架构规划方法 csdn博客

要求：业务分流，去分部走R1 去互联网走R2；互为备份，

接入层部分：

1、创建vlan

2、修改接口模式

3、把接口划入vlan

汇聚层部分：

1、创建vlan

[sw1vlan batch 2 to 3

[sw2]vlan batch 2 to 3

2、接口做聚合，接口配trunk干道，并允许所有vlan通过

[sw1]int Eth-Trunk 1
[sw1-Eth-Trunk1]trunkport g0/0/1
[sw1-Eth-Trunk1]trunkport g0/0/2
[sw1-Eth-Trunk1]port link-type trunk
[sw1-Eth-Trunk1]port trunk allow-pass vlan all

[sw2]int Eth-Trunk 1
[sw2-Eth-Trunk1]trunkport g0/0/1
[sw2-Eth-Trunk1]trunkport g0/0/2
[sw2-Eth-Trunk1]port link-type trunk
[sw2-Eth-Trunk1]port trunk allow-pass vlan all

[sw1]int g0/0/3
[sw1-GigabitEthernet0/0/3]port link-type trunk
[sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[sw1]int g0/0/4
[sw1-GigabitEthernet0/0/4]port link-type trunk
[sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[sw2-GigabitEthernet0/0/3]port link-type trunk
[sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/4]port link-type trunk
[sw2-GigabitEthernet0/0/4]port trunk allow-pass vlan all

[sw3-GigabitEthernet0/0/1]port link-type trunk
[sw3-GigabitEthernet0/0/1]port trunk allow-pass vlan all

[sw3-GigabitEthernet0/0/2]port link-type trunk
[sw3-GigabitEthernet0/0/2] port trunk allow-pass vlan all

[sw4-GigabitEthernet0/0/1]port link-type trunk
[sw4-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw4-GigabitEthernet0/0/2]port link-type trunk
[sw4-GigabitEthernet0/0/2]port trunk allow-pass vlan all

3、做负载分担，默认就是源目ip
[sw1-Eth-Trunk1]load-balance src-dst-ip
[sw2-Eth-Trunk1]load-balance src-dst-ip

4、做生成树

[sw1]stp enable //开启生成树，每个交换机都要开启
[sw1]stp region-configuration
[sw1-mst-region]region-name a //设置名字
[sw1-mst-region]revision-level 1
[sw1-mst-region]instance 1 vlan 2
[sw1-mst-region]instance 2 vlan 3 //挂入两个vlan
[sw1-mst-region]active region-configuration //激活

[sw2]stp region-configuration
[sw2-mst-region] region-name a
[sw2-mst-region] revision-level 1
[sw2-mst-region] instance 1 vlan 2
[sw2-mst-region] instance 2 vlan 3
[sw2-mst-region] active region-configuration

[sw3]stp region-configuration
[sw3-mst-region] region-name a
[sw3-mst-region] revision-level 1
[sw3-mst-region] instance 1 vlan 2
[sw3-mst-region] instance 2 vlan 3

[sw3-mst-region] active region-configuration

[sw4]stp region-configuration
[sw4-mst-region] region-name a
[sw4-mst-region] revision-level 1
[sw4-mst-region] instance 1 vlan 2
[sw4-mst-region] instance 2 vlan 3
[sw4-mst-region] active region-configuration

5、调成主备分流的根

[sw1]stp instance 1 root primary //sw1是vlan2的主，是vlan3的备
[sw1]stp instance 2 root secondary

[sw2]stp instance 1 root secondary //sw2是vlan2的备，vlan3的主
[sw2]stp instance 2 root primary



如果sw3的g0/0/1口挂了，流量会从g0/0/2进入 从discarding到forwarding只需要1~2s
stp edged-port enable //在边缘端口开启安全保护
[sw3]stp bpdu-protection

[sw4]stp bpdu-protection //做BPDU优化
6、给vlan配ip
[sw1]int vlan 2
[sw1-Vlanif2]ip add 10.2.2.1 24

[sw2-Vlanif2]ip address 10.2.2.2 24
[sw1-Vlanif3]ip add 10.2.3.1 24
[sw2-Vlanif3]ip address 10.2.3.2 24

7、做vrrp，sw1做vlan2的主网关，sw2做vlan3的主网关,做主网关的优先级设置高一些
[sw1-Vlanif2]vrrp vrid 1 virtual-ip 10.2.2.254
[sw1-Vlanif2]vrrp vrid 1 priority 120
[sw1-Vlanif2]vrrp vrid 1 preempt-mode timer delay 5 //抢占时间设为5s
[sw1-Vlanif2]vrrp vrid 1 authentication-mode md5 123//为了安全期间，可以做个认证

优先级默认是100，所有做备份网关的不用改。
[sw2-Vlanif2] vrrp vrid 1 virtual-ip 10.2.2.254
[sw2-Vlanif2] vrrp vrid 1 preempt-mode timer delay 5
[sw2-lanif2]vrrp vrid 1 authentication-mode md5 123

[sw1-Vlanif2]vrrp vrid 1 track interface g0/0/3
reduced 30//vrrp上行链路追踪，即上行链路断开后，vlan2 优先级减去30小于备份网关，就可以进行切换

[sw2-Vlanif3]vrrp vrid 1 track interface g0/0/3
reduced 30

把sw1和2的上行接口划入vlan中，并配上ip地址

[sw1]int g0/0/5

[sw1-GigabitEthernet0/0/3]port
link-type access

[sw1-GigabitEthernet0/0/3]port default vlan 101

[sw1-Vlanif101]ip add 10.2.101.1
24

[sw2int g0/0/5

[sw2GigabitEthernet0/0/3]port
link-type access

[sw2GigabitEthernet0/0/3]port default vlan 102

[sw2-Vlanif202]ip address 10.2.202.2
255.255.255.0

做互通，即互联地址

[sw1-Vlanif102]ip add 10.2.102.1
24

[sw2-Vlanif102]ip add 10.2.101.2
24

8、做地址池（dhcp）的分割
[sw1]dhcp enable
[sw1-Vlanif2]dhcp select global
[sw1]ip pool vlan2
[sw1-ip-pool-vlan2]network 10.2.2.0 mask 255.255.255.0
[sw1-ip-pool-vlan2]gateway-list 10.2.2.254
[sw1-ip-pool-vlan2]dns-list 114.114.114.114
[sw1-ip-pool-vlan2]excluded-ip-address 10.2.2.129 10.2.2.253//分割地址，把后面两个分出去（排除后面两个）
[sw2]dhcp enable
[sw2-Vlanif2]dhcp select global
[sw2]ip pool vlan2
[sw2-ip-pool-vlan2]network 10.2.2.0 mask 255.255.255.0
[sw2-ip-pool-vlan2]gateway-list 10.2.2.254
[sw2-ip-pool-vlan2]dns-list 114.114.114.114
[sw2-ip-pool-vlan2]excluded-ip-address 10.2.2.1 10.2.2.128
Vlan3也是做法与vlan2一样

测试：同一vlan 、不同vlan的pc是否通
下面是获取的ip

核心层部分：
域内起ospf，域间起bgp
1、先配置ip地址
2、起ospf
SW1：

设置沉默接口，sw1和sw2都要配置

检查邻居间关系

修改开销值
[r1-GigabitEthernet0/0/1]ospf cost 2
[r2-GigabitEthernet0/0/1]ospf cost 2
在AS1中底层铺设OSPF

其余的一样
R6 ospf中要调成stub-router
3、做BGP
在AS1内部建立IBGP（R6作为反射器，利用对等体组），全局，同时也要做mpls vpnv4
[r6]bgp 1
[r6-bgp]group IBGP
[r6-bgp]peer IBGP connect-interface LoopBack 0
[r6-bgp]peer IBGP reflect-client
[r6-bgp]peer 10.1.3.3 group IBGP
[r6-bgp]peer 10.1.4.4 group IBGP
[r6-bgp]peer 10.1.8.8 group IBGP
[r6-bgp]peer 10.1.9.9 group IBGP

激活组
[r6-bgp-af-vpnv4]peer 10.1.3.3 group IBGP
[r6-bgp-af-vpnv4]peer 10.1.4.4 group IBGP
[r6-bgp-af-vpnv4]peer 10.1.8.8 group IBGP
[r6-bgp-af-vpnv4]peer 10.1.9.9 group IBGP
做mpls
[r8]mpls lsr-id 10.1.8.8
[r8]mpls
[r8-mpls]mpls ldp
[r8-GigabitEthernet0/0/1]mpls
[r8-GigabitEthernet0/0/1]mpls ldp
[r8-GigabitEthernet0/0/0]mpls
[r8-GigabitEthernet0/0/0]mpls ldp
R3/4/5/6/7/9 都做同样的；

R3：做vpnv4


R4/8/9和R3配置一样

配置VRF：
[r3]ip vpn-instance AS2
[r3-vpn-instance-AS2]route-distinguisher 3:3
[r3-vpn-instance-AS2-af-ipv4]vpn-target 3:3
[r3-GigabitEthernet0/0/2]ip binding vpn-instance AS2
[r3-GigabitEthernet0/0/2]ip add 10.2.13.2 24

R4:

Bgp：
[r9]bgp 1
[r9-bgp]ipv4-family vpn-instance AS4
[r9-bgp-AS4]peer 10.4.119.1 as-number 4
R8/3/4同等操作

接下来有个重发布
[r1]bgp 2
[r1-bgp]import-route ospf 1
[r1]ospf 1
[r1-ospf-1]import-route bgp
R1上同等操作


R8总共做5个VRF空间，其中一个是控制AS5到总部的流量，剩下的是控制到策略中心的流量
4、测试
R1：