一、物理网络拓扑
二、建设原则
2.1、隔离网采用fabric组网架构,spine节点采用两台独立组网。border-leaf和server-leaf通过点到点 full mesh和spine互联
2.2、spine设备链接server-leaf border-leaf nas-leaf
2.3、border-leaf上旁挂FW和负载均衡,并且连接到外网核心和运管核心
2.4、border-leaf旁挂两对FW和SLB,分别对应互联网VPC和外联网VPC
三、逻辑网络架构
3.1、隔离区为单租户,多vpc场景,业务vpc规划有外联网vpc,互联网vpc。vpc绑定同一个VRF-OUT的外部网络
3.2、规划单独的NAS kernel vpc,用于宿主机访问NAS,NAS vpc不绑定外部网络。仅在fabric内部通信
3.3、隔离网单独为互联网、外联网vpc规划物理FW和负载均衡。FW和border-leaf(BL)通过vbdif接口互联,负载均衡和web代理服务器通过逻辑接口接入fabric网络
四、通过模拟器模拟隔离网组网
部分重要配置
4.1、spine节点配置
接口配置
interface GE1/0/0
undo portswitch
undo shutdown
ip address 10.1.1.1 255.255.255.252
ospf network-type p2p
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 10.1.1.5 255.255.255.252
ospf network-type p2p
interface GE1/0/8
undo portswitch
undo shutdown
ip address 10.1.1.9 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
IGP路由协议配置
#
ospf 10 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.1.1.5 0.0.0.0
network 10.1.1.9 0.0.0.0
BGP路由协议配置
bgp 1
router-id 1.1.1.1
peer 2.2.2.2 as-number 1
peer 2.2.2.2 connect-interface LoopBack0
peer 3.3.3.3 as-number 1
peer 3.3.3.3 connect-interface LoopBack0
peer 4.4.4.4 as-number 1
peer 4.4.4.4 connect-interface LoopBack0
#
ipv4-family unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
l2vpn-family evpn
undo policy vpn-target
peer 2.2.2.2 enable
peer 2.2.2.2 advertise irb
peer 2.2.2.2 reflect-client
peer 3.3.3.3 enable
peer 3.3.3.3 advertise irb
peer 3.3.3.3 reflect-client
peer 4.4.4.4 enable
peer 4.4.4.4 advertise irb
peer 4.4.4.4 reflect-client
4.2、server-leaf1配置
evpn-overlay enable
#
ip vpn-instance 800-DC01-DMZ-ECN-IN
ipv4-family
route-distinguisher 10:1001
vpn-target 0:1001 export-extcommunity
vpn-target 0:1001 export-extcommunity evpn
vpn-target 0:1001 import-extcommunity
vpn-target 0:1001 import-extcommunity evpn
vxlan vni 1001
#
ip vpn-instance 800-DC01-DMZ-INT-IN
description 800-CSLM_800-DC01-DMZ-INT
ipv4-family
route-distinguisher 10:1000
vpn-target 0:1000 export-extcommunity
vpn-target 0:1000 export-extcommunity evpn
vpn-target 0:1000 import-extcommunity
vpn-target 0:1000 import-extcommunity evpn
vxlan vni 1000
#
bridge-domain 2102
vxlan vni 122102
evpn
route-distinguisher 10:122102
vpn-target 0:1000 export-extcommunity
vpn-target 0:122102 export-extcommunity
vpn-target 0:122102 import-extcommunity
arp broadcast-suppress enable
arp l2-proxy gateway-mac
#
bridge-domain 2202
vxlan vni 122202
evpn
route-distinguisher 10:122202
vpn-target 0:122202 export-extcommunity
vpn-target 0:1001 export-extcommunity
vpn-target 0:122202 import-extcommunity
arp broadcast-suppress enable
arp l2-proxy gateway-mac
#
interface Vbdif2102
ip binding vpn-instance 800-DC01-DMZ-INT-IN
ip address 214.8.11.254 255.255.252.0
mac-address 0000-5e00-0011
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif2202
ip binding vpn-instance 800-DC01-DMZ-ECN-IN
ip address 214.8.43.254 255.255.252.0
mac-address 0000-5e00-0010
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/0.2102 mode l2
encapsulation dot1q vid 2102
bridge-domain 2102
#
interface GE1/0/0.2202 mode l2
encapsulation dot1q vid 2202
bridge-domain 2202
#
interface GE1/0/9
undo portswitch
undo shutdown
ip address 10.1.1.2 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface Nve1
source 2.2.2.2
vni 122102 head-end peer-list protocol bgp
vni 122202 head-end peer-list protocol bgp
bgp 1
router-id 2.2.2.2
peer 1.1.1.1 as-number 1
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpn-instance 800-DC01-DMZ-ECN-IN
default-route imported
import-route direct
import-route static
advertise l2vpn evpn
#
ipv4-family vpn-instance 800-DC01-DMZ-INT-IN
default-route imported
import-route direct
import-route static
advertise l2vpn evpn
#
l2vpn-family evpn
policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 advertise irb
#
ospf 10 router-id 2.2.2.2
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.2 0.0.0.0
4.3、server-leaf2配置
evpn-overlay enable
#
ip vpn-instance 800-DC01-DMZ-ECN-IN
description 800-CSLM_800-DC01-DMZ-ECN
ipv4-family
route-distinguisher 9:1001
vpn-target 0:1001 export-extcommunity
vpn-target 0:1001 export-extcommunity evpn
vpn-target 0:1001 import-extcommunity
vpn-target 0:1001 import-extcommunity evpn
vxlan vni 1001
#
ip vpn-instance 800-DC01-DMZ-INT-IN
description 800-CSLM_800-DC01-DMZ-INT
ipv4-family
route-distinguisher 9:1000
vpn-target 0:1000 export-extcommunity
vpn-target 0:1000 export-extcommunity evpn
vpn-target 0:1000 import-extcommunity
vpn-target 0:1000 import-extcommunity evpn
vxlan vni 1000
#
bridge-domain 2102
vxlan vni 122102
evpn
route-distinguisher 9:122102
vpn-target 0:1000 export-extcommunity
vpn-target 0:122102 export-extcommunity
vpn-target 0:122102 import-extcommunity
arp broadcast-suppress enable
arp l2-proxy gateway-mac
#
bridge-domain 2202
vxlan vni 122202
evpn
route-distinguisher 9:122202
vpn-target 0:122202 export-extcommunity
vpn-target 0:1001 export-extcommunity
vpn-target 0:122202 import-extcommunity
arp broadcast-suppress enable
arp l2-proxy gateway-mac
#
#
interface Vbdif2102
ip binding vpn-instance 800-DC01-DMZ-INT-IN
ip address 214.8.11.254 255.255.252.0
mac-address 0000-5e00-0011
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif2202
ip binding vpn-instance 800-DC01-DMZ-ECN-IN
ip address 214.8.43.254 255.255.252.0
mac-address 0000-5e00-0010
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/0.2102 mode l2
encapsulation dot1q vid 2102
bridge-domain 2102
#
interface GE1/0/0.2202 mode l2
encapsulation dot1q vid 2202
bridge-domain 2202
interface GE1/0/9
undo portswitch
undo shutdown
ip address 10.1.1.6 255.255.255.252
ospf network-type p2p
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface Nve1
source 3.3.3.3
vni 122102 head-end peer-list protocol bgp
vni 122202 head-end peer-list protocol bgp
#
bgp 1
router-id 3.3.3.3
peer 1.1.1.1 as-number 1
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpn-instance 800-DC01-DMZ-ECN-IN
default-route imported
import-route direct
import-route static
advertise l2vpn evpn
#
ipv4-family vpn-instance 800-DC01-DMZ-INT-IN
default-route imported
import-route direct
import-route static
advertise l2vpn evpn
#
l2vpn-family evpn
policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 advertise irb
#
ospf 10 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.6 0.0.0.0
4.4、border-leaf配置
evpn-overlay enable
#
ip vpn-instance 800-DC01-DMZ-ECN-IN
description 800-CSLM_800-DC01-DMZ-ECN
ipv4-family
route-distinguisher 3:1001
vpn-target 0:1001 export-extcommunity
vpn-target 0:1001 export-extcommunity evpn
vpn-target 0:1001 import-extcommunity
vpn-target 0:1001 import-extcommunity evpn
vxlan vni 1001
#
ip vpn-instance 800-DC01-DMZ-INT-IN
description 800-CSLM_800-DC01-DMZ-INT
ipv4-family
route-distinguisher 3:1000
vpn-target 0:1000 export-extcommunity
vpn-target 0:1000 export-extcommunity evpn
vpn-target 0:1000 import-extcommunity
vpn-target 0:1000 import-extcommunity evpn
vxlan vni 1000
#
ip vpn-instance 800-DC01-DMZ-OUT
description NAAS_800-DC01-DMZ-OUT
ipv4-family
route-distinguisher 3:1000000
vpn-target 800:1 export-extcommunity
vpn-target 800:1 export-extcommunity evpn
vpn-target 800:1 import-extcommunity
vpn-target 800:1 import-extcommunity evpn
vxlan vni 1000000
bridge-domain 5000
vxlan vni 1000001
evpn
route-distinguisher 3:1000001
vpn-target 0:1000001 export-extcommunity
vpn-target 0:1000 export-extcommunity
vpn-target 0:1000001 import-extcommunity
arp broadcast-suppress enable
#
bridge-domain 5001
vxlan vni 1000002
evpn
route-distinguisher 3:1000002
vpn-target 0:1000002 export-extcommunity
vpn-target 800:1 export-extcommunity
vpn-target 0:1000002 import-extcommunity
arp broadcast-suppress enable
#
bridge-domain 5002
vxlan vni 1000003
evpn
route-distinguisher 3:1000003
vpn-target 0:1000003 export-extcommunity
vpn-target 0:1001 export-extcommunity
vpn-target 0:1000003 import-extcommunity
arp broadcast-suppress enable
arp l2-proxy gateway-mac
#
bridge-domain 5003
description ECN_OUT
vxlan vni 1000004
evpn
route-distinguisher 3:1000004
vpn-target 800:1 export-extcommunity
vpn-target 0:1000004 export-extcommunity
vpn-target 0:1000004 import-extcommunity
arp broadcast-suppress enable
#
bridge-domain 5004
vxlan vni 1000005
evpn
route-distinguisher 3:1000005
vpn-target 0:1000005 export-extcommunity
vpn-target 0:1000 export-extcommunity
vpn-target 0:1000005 import-extcommunity
arp broadcast-suppress enable
#
interface Vbdif5000
description INT_IN_TO_FW
ip binding vpn-instance 800-DC01-DMZ-INT-IN
ip address 55.9.48.1 255.255.255.248
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif5001
description INT_OUT_TO_FW
ip binding vpn-instance 800-DC01-DMZ-OUT
ip address 55.13.48.1 255.255.255.248
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif5002
description ECN_IN_TO_FW
ip binding vpn-instance 800-DC01-DMZ-ECN-IN
ip address 55.9.80.1 255.255.255.248
vxlan anycast-gateway enable
arp collect host enable
#
interface Vbdif5003
description ECN_OUT_TO_FW
ip binding vpn-instance 800-DC01-DMZ-OUT
ip address 55.13.48.17 255.255.255.248
vxlan anycast-gateway enable
arp collect host enable
#
interface GE1/0/7
undo portswitch
description To_DC01-EBON-CS01-4FJFBF13_FortyGige0/0/1
undo shutdown
ip binding vpn-instance 800-DC01-DMZ-OUT
ip address 55.13.32.2 255.255.255.252
ospf network-type p2p
#
interface GE1/0/8
undo portswitch
undo shutdown
ip address 10.1.1.10 255.255.255.252
ospf network-type p2p
#
interface GE1/0/9
undo shutdown
#
interface GE1/0/9.2000 mode l2
encapsulation dot1q vid 1112
bridge-domain 5002
#
interface GE1/0/9.2001 mode l2
encapsulation dot1q vid 1011
bridge-domain 5001
#
interface GE1/0/9.2002 mode l2
encapsulation dot1q vid 1012
bridge-domain 5003
#
interface GE1/0/9.2003 mode l2
encapsulation dot1q vid 1111
bridge-domain 5000
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface LoopBack115
ip binding vpn-instance 800-DC01-DMZ-OUT
ip address 115.1.1.1 255.255.255.255
#
interface Nve1
source 4.4.4.4
vni 1000000 head-end peer-list protocol bgp
vni 1000001 head-end peer-list protocol bgp
vni 1000002 head-end peer-list protocol bgp
vni 1000003 head-end peer-list protocol bgp
vni 1000004 head-end peer-list protocol bgp
vni 1000005 head-end peer-list protocol bgp
vni 1000006 head-end peer-list protocol bgp
#
bgp 1
router-id 4.4.4.4
peer 1.1.1.1 as-number 1
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
peer 1.1.1.1 enable
#
ipv4-family vpn-instance 800-DC01-DMZ-ECN-IN
default-route imported
import-route static
advertise l2vpn evpn
#
ipv4-family vpn-instance 800-DC01-DMZ-INT-IN
default-route imported
import-route static
advertise l2vpn evpn
#
ipv4-family vpn-instance 800-DC01-DMZ-OUT
default-route imported
import-route static
advertise l2vpn evpn
#
l2vpn-family evpn
policy vpn-target
peer 1.1.1.1 enable
peer 1.1.1.1 advertise irb
#
ospf 10 router-id 4.4.4.4
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.1.1.10 0.0.0.0
#
ospf 100 router-id 4.4.4.4 vpn-instance 800-DC01-DMZ-OUT
import-route direct
import-route static
area 0.0.0.0
network 55.13.32.2 0.0.0.0
network 115.1.1.1 0.0.0.0
route-policy VRF_OUT_staticTospfv2 permit node 10
if-match tag 101
#
route-policy VRF_OUT_staticTospfv2 permit node 20
if-match tag 102
#
route-policy VRF_OUT_staticTospfv2 permit node 30
if-match tag 302
apply cost 1000
#
route-policy VRF_OUT_staticTospfv2 deny node 1000
#
ip route-static vpn-instance 800-DC01-DMZ-ECN-IN 0.0.0.0 0.0.0.0 55.9.80.6
ip route-static vpn-instance 800-DC01-DMZ-INT-IN 0.0.0.0 0.0.0.0 55.9.48.6
ip route-static vpn-instance 800-DC01-DMZ-OUT 214.8.8.0 255.255.252.0 55.13.48.6 description INT_ROUTE
ip route-static vpn-instance 800-DC01-DMZ-OUT 214.8.40.0 255.255.252.0 55.13.48.22 tag 102
4.5、防火墙配置(模拟器没有部署两台物理墙,通过划分虚拟系统的方式模拟外联FW和互联网FW;下列安全策略ECN_ANY/INT_ANY仅有action permit而无匹配条件,属于全放通,只用于模拟器打通验证流量)
vlan batch 1011 to 1012 1111 to 1112
vsys enable
resource-class r0
#
#
vsys name ECN_FW 1
description 外联防火墙
assign resource-class r0
assign vlan 1012
assign vlan 1112
#
vsys name INT_FW 2
description 外联网防火墙
assign resource-class r0
assign vlan 1011
assign vlan 1111
#
ip vpn-instance ECN_FW
ipv4-family
ipv6-family
#
ip vpn-instance INT_FW
ipv4-family
ipv6-family
#
ip vpn-instance default
ipv4-family
#
interface Vlanif1011
ip binding vpn-instance INT_FW
ip address 55.13.48.6 255.255.255.248
alias Vlanif1011
service-manage ping permit
#
interface Vlanif1012
ip binding vpn-instance ECN_FW
ip address 55.13.48.22 255.255.255.248
alias Vlanif1012
service-manage ping permit
#
interface Vlanif1111
ip binding vpn-instance INT_FW
ip address 55.9.48.6 255.255.255.248
alias Vlanif1111
service-manage ping permit
#
interface Vlanif1112
ip binding vpn-instance ECN_FW
ip address 55.9.80.6 255.255.255.248
alias Vlanif1112
service-manage ping permit
interface GigabitEthernet0/0/0
undo shutdown
ip address 192.168.6.100 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/6
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 1011 to 1012 1111 to 1112
switch vsys ECN_FW
#
acl number 3000
description "Acl for Quintuple Packet Capture"
rule 0 permit ip destination 114.1.1.1 0
rule 1 permit ip source 114.1.1.1 0
#
interface Vlanif1012
ip binding vpn-instance ECN_FW
ip address 55.13.48.22 255.255.255.248
alias Vlanif1012
service-manage ping permit
#
interface Vlanif1112
ip binding vpn-instance ECN_FW
ip address 55.9.80.6 255.255.255.248
alias Vlanif1112
service-manage ping permit
firewall zone trust
set priority 85
add interface Vlanif1012
#
firewall zone untrust
set priority 5
add interface Vlanif1112
#
security-policy
rule name ECN_ANY
action permit
ip route-static 0.0.0.0 0.0.0.0 55.13.48.17
ip route-static 214.8.32.0 255.255.224.0 55.9.80.1 description ECN_YW
#
#
switch vsys INT_FW
#
interface Vlanif1011
ip binding vpn-instance INT_FW
ip address 55.13.48.6 255.255.255.248
alias Vlanif1011
service-manage ping permit
#
interface Vlanif1111
ip binding vpn-instance INT_FW
ip address 55.9.48.6 255.255.255.248
alias Vlanif1111
service-manage ping permit
#
firewall zone trust
set priority 85
add interface Vlanif1111
#
firewall zone untrust
set priority 5
add interface Vlanif1011
#
security-policy
rule name INT_ANY
action permit
ip route-static 0.0.0.0 0.0.0.0 55.13.48.1
ip route-static 214.8.8.0 255.255.252.0 55.9.48.1 des INT-YW
五、业务验证
同一个vpc内的服务器互通
ping网关
ping PC1
验证外联网vpc和外部网络的互通情况(115.1.1.1为模拟的外部网络)
互联网vpc内部互通
和网关互通情况
和外部网络互通
不同vpc之间是相互隔离的(外联网ping互联网)