1. 單臂路由技術
現在大部分中小型企業內部網絡中可能會有劃分多個局域網的需求,通常一個二層交換機連接一個局域網,三層路由器的一個物理接口連接一個局域網,這意味着在組建企業網絡時會消耗很多的交換機和路由器這些硬件資源。爲了節省資源同時還能實現多個VLAN間通信需要更好的解決方案,例如單臂路由技術。
單臂路由技術就是用於解決多個VLAN間通信的,它通過三層路由器一個的物理接口來虛擬出多個邏輯子接口,並在每個邏輯子接口上配置不同VLAN間的默認網關,例如當不同VLAN間的PC需要進行通信時,只需把數據發送到默認網關,然後三層路由器會查找路由表把數據轉發到對應的邏輯子接口(以此來轉發不同VLAN間的數據流量),從而實現多個VLAN間通信。
注意:邏輯子接口只是一個虛擬的說法,真正的物理鏈路實際上只有一條。
舉個栗子,如下圖所示:
上圖是單臂路由技術的一個簡單網絡拓撲,PC1和PC2分別處於不同的VLAN,R1作爲一個三層路由器,它的兩個邏輯子接口也配置了不同VLAN的默認網關,10.254是VLAN10的網關,20.254是VLAN20的網關。
當PC1和PC2通信時,PC1首先會把數據包丟給SW1交換機,並由SW1交換機轉發給R1路由器的網關(即邏輯子接口f0/0.10),然後R1路由器再查找路由表,然後把數據從網關(邏輯子接口f0/0.20)轉發出去,由SW1交換機再發送給PC2,最終實現PC1和PC2通信。
開始單臂路由技術部署實驗,SW1交換機創建VLAN10/VLAN20,並將SW1和R1設備之間的鏈路開啓Trunk模式:
SW1#vlan database
SW1(vlan)#vlan 10 name VLAN10
VLAN 10 added:
Name: VLAN10
SW1(vlan)#vlan 20 name VLAN20
VLAN 20 added:
Name: VLAN20
SW1(vlan)#exit
APPLY completed.
Exiting....
SW1#
SW1#conf t
SW1(config)#int f0/0
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
將f0/1接口劃入到VLAN10,f0/2接口劃入到VLAN20中:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int f0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1(config)#int f0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
SW1(config-if)#exit
SW1(config)#exit
SW1#
SW1#show vlan-switch brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
10 VLAN10 active Fa0/1
20 VLAN20 active Fa0/2
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW1#
配置PC1的ip地址和默認網關:
PC1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PC1(config)#no ip routing
PC1(config)#
PC1(config)#int f0/0
PC1(config-if)#no shutdown
PC1(config-if)#ip address 192.168.10.1 255.255.255.0
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.10.254
配置PC2的ip地址和默認網關:
PC2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PC2(config)#no ip routing
PC2(config)#int f0/0
PC2(config-if)#no shutdown
PC2(config-if)#
*Mar 1 00:12:49.919: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:12:50.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
PC2(config-if)#ip address 192.168.20.1 255.255.255.0
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.20.254
然後在R1設備上部署單臂路由技術,配置VLAN10/VLAN20的邏輯子接口和網關:
R1(config)#int f0/0.?
<0-4294967295> FastEthernet interface number
R1(config)#int f0/0.
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 192.168.10.254 255.255.255.0
R1(config-subif)#exit
R1(config)#
R1(config)#int f0/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 192.168.20.254 255.255.255.0
R1(config-subif)#exit
R1(config)#
從上面的信息可以看出,理論上三層路由設備上可以開啓很多個邏輯子接口,其範圍是: <0-4294967295>。
查看R1設備的路由表信息:
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, FastEthernet0/0.10
C 192.168.20.0/24 is directly connected, FastEthernet0/0.20
R1#
PC1和PC2測試網絡連通性:
PC1#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 80/81/84 ms
PC1#
PC1發送一個ping包給PC2,然後通過wireshark抓包:
PC1#ping 192.168.20.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 100/100/100 ms
PC1#
Wireshark抓取到的數據包,如下圖所示:
很明顯剛纔PC1只發送了一個ping包給PC2,但是從IP地址上看,爲什麼PC1給PC2發送了2個呢?並且第一個請求包的VLAN號是10,第二個請求包的VLAN號是20。
IP地址是分析不出什麼,因此我們從ping包封裝的mac地址入手,首先查看SW1交換機的MAC地址表:
SW1#show mac-address-table
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
cc02.2e70.0000 Self 1 Vlan1
cc01.1bd4.0000 Dynamic 1 FastEthernet0/0
cc04.18ac.0000 Dynamic 20 FastEthernet0/2
cc03.27a4.0000 Dynamic 10 FastEthernet0/1
SW1#
其中cc01.1bd4.0000是R1路由器的mac地址,cc04.18ac.0000是PC2的mac地址,cc03.27a4.0000是PC1的mac地址。
此時,我們通過這三個MAC地址信息,就可以開始分析PC1和PC2的ping包:
- 當PC1發送一個ping包給PC2時,首先會轉發到SW1交換機,然後SW1交換機會把該ping包打上VLAN10的“標籤”轉發給R1路由器。
- R1設備拿到這個ping包,查看ping包的目的ip地址,然後根據其目的ip地址查找路由表發現是PC2主機的,於是修改該ping包的目的mac地址並轉發給PC2,同時打上VLAN20的“標籤”。
- 然後PC2給R1發送一個響應包
- R1再把這個響應包轉發給PC1,最後PC1和PC2完成通信。
2. 三層交換
單臂路由技術存在的一個缺點就是,當交換機到路由器之間的鏈路發生故障時,那麼全網都無法進行通信,單臂路由技術的好處在於節省資源,但缺點是容易導致單點故障問題,後來又引入了三層交換機技術。
三層交換機簡單來理解就是 集成了二層交換機和三層路由器的功能。
三層交換機也有一種叫做SVI的邏輯接口,其功能類似於單臂路由技術中三層路由器中的邏輯子接口,不同的是三層交換機具有很多的SVI邏輯接口,一個VLAN對應一個SVI邏輯接口。
三層交換技術的部署環境要求:二層交換機和三層交換機之間的鏈路必須爲Trunk鏈路。
SW1交換機開啓Trunk模式:
SW1(config)#
SW1(config)#int f0/0
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
*Mar 1 00:02:47.599: %DTP-5-TRUNKPORTON: Port Fa0/0 has become dot1q trunkit
SW1(config)#
SW2交換機開啓Trunk模式:
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#int f0/0
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW1交換機開啓VTP技術,設置爲Server節點,創建VLAN10/VLAN20,配置如下:
SW1#vlan database
SW1(vlan)#vtp server
Device mode already VTP SERVER.
SW1(vlan)#vtp domain TEST
Changing VTP domain name from NULL to TEST
SW1(vlan)#vtp password 123456
Setting device VLAN database password to 123456.
SW1(vlan)#vlan 10
VLAN 10 added:
Name: VLAN0010
SW1(vlan)#vlan 20
VLAN 20 added:
Name: VLAN0020
SW1(vlan)#
SW1(vlan)#exit
APPLY completed.
Exiting....
SW1#
SW2交換機開啓VTP技術並設置爲Client節點,配置如下:
SW2#vlan database
SW2(vlan)#vtp client
Setting device to VTP CLIENT mode.
SW2(vlan)#vtp domain TEST
Domain name already set to TEST .
SW2(vlan)#vtp password 123456
Setting device VLAN database password to 123456.
SW2(vlan)#
show命令查看SW2交換機的vlan信息:
SW2#show vlan-switch brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW2#
將SW2學到的VLAN10和VLAN20分別劃入到f0/1和f0/2接口,配置如下:
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#int f0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#exit
SW2(config)#int f0/2
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#exit
SW2(config)#exit
SW2#
配置PC1的ip地址和默認網關:
PC1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PC1(config)#no ip routing
PC1(config)#int f0/0
PC1(config-if)#no shutdown
PC1(config-if)#
*Mar 1 00:13:01.403: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:13:02.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
PC1(config-if)#
PC1(config-if)#ip address 192.168.10.1 255.255.255.0
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.10.254
配置PC2的ip地址和默認網關:
PC2#
PC2#conf t
PC2(config)#no ip routing
PC2(config)#int f0/0
PC2(config-if)#no shutdown
PC2(config-if)#ip address 192.168.20.1 255.255.255.0
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.20.254
一般三層交換機默認情況下關閉了三層路由功能,需要手動開啓,並且還需要爲不同VLAN配置網關,配置如下:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#int vlan 10
SW1(config-if)#
*Mar 1 00:21:59.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
SW1(config-if)#ip address 192.168.10.254 255.255.255.0
SW1(config-if)#exit
SW1(config)#int vlan 20
SW1(config-if)#
*Mar 1 00:22:42.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
SW1(config-if)#ip address 192.168.20.254 255.255.255.0
SW1(config-if)#exit
SW1(config)#
查看SW1交換機的路由表信息:
SW1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20
SW1#
從三層交換機中的路由表中確實看到了兩條路由信息,10.0是VLAN10的路由,20.0是VLAN20的路由。
PC1測試網絡連通性:
PC1#ping 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/271/1060 ms
PC1#
PC1#ping 192.168.201
% Unrecognized host or address, or protocol not running.
PC1#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 68/81/104 ms
PC1#
三層技術部署實驗完成。