华为supervlan(聚合vlan)技术背景与组网实验
技术背景与组网实验)
一 技术背景1. Super VLAN技术产生背景一般的三层交换机中通常是采用一个VLAN对应一个vlanif接口的方式实现广播域之间的互通这在某些情况下导致了IP地址的浪费。因为一个VLAN对应的子网中子网号、子网定向广播地址、子网缺省网关地址不能用作VLAN内的主机IP地址且子网中实际接入的主机可能少于编址数多出来的IP地址也会因不能再被其他VLAN使用而浪费掉。如下VLAN规划中VLAN2预计未来有10个主机地址的需求但按编址方式至少需要给其分配一个掩码长度是28的子网10.1.1.0/28其中10.1.1.0为子网号10.1.1.15为子网定向广播地址10.1.1.1为子网缺省网关地址这三个地址都不能用作主机地址剩下范围在10.1.1.210.1.1.14的地址可以被主机使用共13个。VLAN2子网实际地址需求只有10个剩余的3个也不能再被其他VLAN使用。网络中的VLAN越多浪费的IP地址也就越多。为了解决上述问题VLAN聚合应运而生。它通过引入Super-VLAN和Sub-VLAN的概念使每个Sub-VLAN对应一个广播域并让多个Sub-VLAN和一个Super-VLAN关联只给Super-VLAN分配一个IP子网所有Sub-VLAN都使用Super-VLAN的IP子网和缺省网关进行三层通信。这样多个Sub-VLAN共享一个网关地址节约了子网号、子网定向广播地址、子网缺省网关地址且各Sub-VLAN间的界线也不再是从前的子网界线了它们可以根据各自主机的需求数目在Super-VLAN对应子网段灵活的划分IP地址范围从而保证了各个Sub-VLAN作为一个独立广播域实现广播隔离又节省了IP地址资源提高了编址的灵活性。Super-VLAN技术主要目的是减少IP地址浪费。2. Super VLAN概念Super VLAN也叫VLAN聚合VLAN Aggregation指在一个物理网络内用多个VLAN称为Sub-VLAN隔离广播域并将这些Sub-VLAN聚合成一个逻辑的VLAN称为Super-VLAN。Super VLAN可以配置三层接口Sub VLAN不能配置三层接口。所有Sub-VLAN共用一个IP网段要进行三层通信时将使用Super VLAN三层接口的IP地址作为网关地址使用同一个缺省网关并且可以通过Super VLAN的VLANIF接口实现三层互通。3. Super VLAN应用场景Super VLAN适用于用户多VLAN多大量VLAN的IP地址在同一个网段但是又要实现不同VLAN之间二层隔离的场景。VLAN之间如果有互访的需求可以对Super VLAN开启ARP代理。常见的场景有宾馆酒店小区宽带接入等。一个房间或者一户人家一个VLAN彼此隔离但是IP地址有限无法给数量庞大的VLAN每个分一个网段IP只能共用一个IP地址段。例如VLAN 10的IP地址段是10.10.10.0/24一户人家可能就使用了1个或2个IP剩余200多个IP地址浪费了。Super VLAN可以使VLAN11-100共享10.10.10.0/24网段节约了IP地址。与MUX VLAN隔离功能相比Super VLAN属于三层功能需要三层交换机支持。MUX VLAN属于二层交换机功能。Super VLAN的配置较为简单MUX VLAN配置较为复杂但对用户间的访问控制灵活性不如MUX VLANSuper VLAN内需要查询部分暂时离线的用户时网关需要在每个子VLAN内广播发送报文可能较大的消耗设备CPU资源。4. Super VLAN工作原理通过建立Super--VLAN和Sub-VLAN间的映射关系把三层逻辑接口和物理接口结合起来实现普通VLAN功能的同时也达到节省P地址的目的。一个Super-VLAN可以包含一个或多个Sub-VLAN。Sub-VLAN要添加端口才能激活只要有一个子VLAN是激活的,那么SUPER VLAN就是激活的。Sub-VLAN不占用一个独立的网段。同一个Super-VLAN中无论终端属于哪一个Sub-VLAN它的IP地址都在Super-VLAN对应的网段内。Super-VLAN只建立三层VlanIf接口IP地址与网关对应不包含物理接口。与普通VLAN不同的是它的VlanIf接口的Up不依赖于自身物理接口的Up而是只要它所含Sub-VLAN中存在Up的物理接口就Up负责实现所有Sub-VLAN共享同一个三层接口的需求使不同Sub-VLAN内的主机可以共用同一个网关。VLAN 1不能配置为Super VLAN。Sub-VLAN只包含物理接口不建立三层VlanIf接口隔离广播域Sub-VLAN间相互隔离每个Sub-VLAN内的主机与外部的三层通信是靠Super-VLAN的三层VLANIF接口来实现的不同Sub-VLAN下的终端默认不能互通如果要通信需要在Super-VLAN的VLANIF接口上开启Proxy ARP代理ARP。二 网络拓扑三 配置实现sysname HX#vlan batch 10 20 30 100 1000#vlan 100//supervlanaggregate-vlanaccess-vlan 10 20 30#interface Vlanif100ip address 192.168.100.254 255.255.255.0#interface Vlanif1000//上联vlan和互联地址ip address 1.1.1.1 255.255.255.0#interface GigabitEthernet0/0/1//上联vlan和互联地址port link-type accessport default vlan 1000#interface GigabitEthernet0/0/2port link-type trunkport trunk allow-pass vlan 10#interface GigabitEthernet0/0/3port link-type trunkport trunk allow-pass vlan 20#interface GigabitEthernet0/0/4port link-type trunkport trunk allow-pass vlan 30#ip route-static 0.0.0.0 0.0.0.0 1.1.1.2#四 业务测试4.1 PC1测试可以ping通网关出口但是无法ping通其他subvlan地址PCping 192.168.100.254Ping 192.168.100.254: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.254: bytes32 seq1 ttl255 time78 ms--- 192.168.100.254 ping statistics ---1 packet(s) transmitted1 packet(s) received0.00% packet lossround-trip min/avg/max 78/78/78 msPCPCping 202.1.1.1Ping 202.1.1.1: 32 data bytes, Press Ctrl_C to breakFrom 202.1.1.1: bytes32 seq1 ttl254 time94 ms--- 202.1.1.1 ping statistics ---1 packet(s) transmitted1 packet(s) received0.00% packet lossround-trip min/avg/max 94/94/94 msPCPCping 192.168.100.2Ping 192.168.100.2: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.1: Destination host unreachablePCPCping 192.168.100.3Ping 192.168.100.3: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.1: Destination host unreachablePC4.2 PC2测试可以ping通网关出口但是无法ping通其他subvlan地址PCping 192.168.100.254Ping 192.168.100.254: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.254: bytes32 seq1 ttl255 time93 ms--- 192.168.100.254 ping statistics ---1 packet(s) transmitted1 packet(s) received0.00% packet lossround-trip min/avg/max 93/93/93 msPCping 202.1.1.1Ping 202.1.1.1: 32 data bytes, Press Ctrl_C to breakFrom 202.1.1.1: bytes32 seq1 ttl254 time110 msFrom 202.1.1.1: bytes32 seq2 ttl254 time63 ms--- 202.1.1.1 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 63/86/110 msPCPCping 192.168.100.1Ping 192.168.100.1: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.2: Destination host unreachablePCPCping 192.168.100.3Ping 192.168.100.3: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.2: Destination host unreachablePC4.3 PC3测试可以ping通网关出口但是无法ping通其他subvlan地址PCPCping 192.168.100.254Ping 192.168.100.254: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.254: bytes32 seq1 ttl255 time47 msFrom 192.168.100.254: bytes32 seq2 ttl255 time32 ms--- 192.168.100.254 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 32/39/47 msPCPCPCping 202.1.1.1Ping 202.1.1.1: 32 data bytes, Press Ctrl_C to breakFrom 202.1.1.1: bytes32 seq1 ttl254 time62 msFrom 202.1.1.1: bytes32 seq2 ttl254 time47 ms--- 202.1.1.1 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 47/54/62 msPCPCping 192.168.100.1Ping 192.168.100.1: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.3: Destination host unreachablePCPCping 192.168.100.2Ping 192.168.100.2: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.3: Destination host unreachablePC五 状态查看5.1 核心状态查看HXdis super-vlanVLAN ID Sub-vlan--------------------------------------------------------------------------------100 10 20 30HXHXHXHXdis sub-vlanVLAN ID Super-vlan--------------------------------------------------------------------------------10 100 //subvlan映射到supervlan同时subvlan的端口映射给supervlan20 10030 100HX//subvlan映射到supervlan同时subvlan的端口映射给supervlan所以supervlan虽然无法添加接口但是又subvlan映射过来的端口vlan虚接口就会UP。HXdis ip in b*down: administratively down^down: standby(l): loopback(s): spoofingThe number of interface that is UP in Physical is 4The number of interface that is DOWN in Physical is 1The number of interface that is UP in Protocol is 3The number of interface that is DOWN in Protocol is 2Interface IP Address/Mask Physical ProtocolMEth0/0/1 unassigned down downNULL0 unassigned up up(s)Vlanif1 unassigned up downVlanif100 192.168.100.254/24 up upVlanif1000 1.1.1.1/24 up upHX六 supervlan的虚拟接口下开启arp代理arp-proxy inner-sub-vlan-proxy实现不同subvlan之间的互通6.1 arp-proxy inner-sub-vlan-proxy配置interface Vlanif100ip address 192.168.100.254 255.255.255.0arp-proxy inner-sub-vlan-proxyenable6.2 业务测试-不同subvlan业务互通6.2.1 PC1测试PCPCping 192.168.100.2Ping 192.168.100.2: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.2: bytes32 seq1 ttl127 time93 msFrom 192.168.100.2: bytes32 seq2 ttl127 time94 ms--- 192.168.100.2 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 93/93/94 msPCping 192.168.100.3Ping 192.168.100.3: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.3: bytes32 seq1 ttl127 time63 msFrom 192.168.100.3: bytes32 seq2 ttl127 time78 ms--- 192.168.100.3 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 63/70/78 msPC6.2.2 PC2测试PCping 192.168.100.1Ping 192.168.100.1: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.1: bytes32 seq1 ttl127 time62 ms--- 192.168.100.1 ping statistics ---1 packet(s) transmitted1 packet(s) received0.00% packet lossround-trip min/avg/max 62/62/62 msPCping 192.168.100.3Ping 192.168.100.3: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.3: bytes32 seq1 ttl127 time63 msFrom 192.168.100.3: bytes32 seq2 ttl127 time47 ms--- 192.168.100.3 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 47/55/63 msPC6.2.3 PC3测试PCping 192.168.100.1Ping 192.168.100.1: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.1: bytes32 seq1 ttl127 time78 msFrom 192.168.100.1: bytes32 seq2 ttl127 time46 ms--- 192.168.100.1 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 46/62/78 msPCping 192.168.100.2Ping 192.168.100.2: 32 data bytes, Press Ctrl_C to breakFrom 192.168.100.2: bytes32 seq1 ttl127 time46 msFrom 192.168.100.2: bytes32 seq2 ttl127 time63 ms--- 192.168.100.2 ping statistics ---2 packet(s) transmitted2 packet(s) received0.00% packet lossround-trip min/avg/max 46/54/63 msPC
