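Communication within a VLAN is Layer 2; communication between VLANs is Layer 3.
6.1 Background
6.2 Router-on-a-Stick
6.2.1 Process
Note: the router-on-a-stick interface must be a 100M or faster interface.
Divide the physical interface into multiple subinterfaces and set the encapsulation protocol on each. Configure a trunk on the switch side and 802.1Q on the router side.
When VLAN10 needs to communicate with VLAN20, the destination is not in the same subnet, so the host first hands the data to its gateway (the subinterface IP address is the gateway). The frame is sent to the switch and then onto the trunk, where the trunk port tags it with VLAN10. When the frame enters the router interface, the interface uses the 802.1Q TAG field to determine which VLAN it belongs to and passes it to the subinterface for VLAN10. The router then looks up the routing table for the subnet that corresponds to the destination, VLAN20; at this point the router has two directly connected routes. It forwards the packet out of the subinterface, tagged with VLAN20. The switch receives it, removes the VLAN20 tag, restores the original IP packet, and delivers it to VLAN20.
Set the encapsulation protocol and the IP address on each subinterface.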
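The forwarding decision described above, as an added Python example that is not part of the original page: it reads the 802.1Q tag, selects the matching subinterface, and picks the egress VLAN from the connected routes. The MAC addresses and the IPv4 header are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Subinterface table taken from the lab in 6.2.2.3: VLAN ID -> gateway/prefix
SUBINTERFACES = {
    10: ipaddress.ip_interface("192.168.10.254/24"),
    20: ipaddress.ip_interface("192.168.20.254/24"),
}

def ipv4_header(src, dst):
    """Constructed minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def build_frame(vid, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with constructed MACs; vid=None means untagged."""
    macs = bytes.fromhex("02000000fe01") + bytes.fromhex("020000000a01")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return macs + tag + struct.pack("!H", ethertype) + payload

def parse_tag(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame."""
    (first,) = struct.unpack("!H", frame[12:14])
    if first != TPID_8021Q:
        return None, first, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, ethertype, frame[18:]   # low 12 bits of the TCI = VID

def egress_vlan(frame):
    """VLAN tag the router puts on the forwarded packet, or None if dropped."""
    vid, ethertype, payload = parse_tag(frame)
    # Untagged or unknown-VLAN frames match no subinterface in this lab.
    if vid not in SUBINTERFACES or ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None
    dst = ipaddress.ip_address(payload[16:20])
    for out_vid, iface in SUBINTERFACES.items():   # connected routes only
        if dst in iface.network:
            return out_vid
    return None

if __name__ == "__main__":
    pkt = ipv4_header("192.168.10.1", "192.168.20.1")
    print(egress_vlan(build_frame(10, pkt)))     # PC101 -> PC201 over the trunk
    print(egress_vlan(build_frame(None, pkt)))   # same packet, untagged
```

A frame tagged with a VLAN that has no subinterface is not routed, so the set of `encapsulation dot1Q` subinterfaces defines which VLANs can reach each other through this router.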
6.2.2 Lab
6.2.2.1 PC configuration (simulated with 3600 routers)
Router simulating PC101
PC1(config)#no ip routing
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#ip address 192.168.10.1 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.10.254
Router simulating PC102
PC1(config)#no ip routing
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#ip address 192.168.10.2 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.10.254
Router simulating PC201
PC1(config)#no ip routing
PC1(config)#interface fastEthernet 0/0
PC1(config-if)#ip address 192.168.20.1 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.20.254
6.2.2.2 Switch configuration (simulated with a 3600 router)
S1(config)#no ip routing
S1#vlan database
S1(vlan)#vlan 10
VLAN 10 added:
Name: VLAN0010
S1(vlan)#vlan 20
VLAN 20 added:
Name: VLAN0020
S1(config)#interface fastEthernet 0/0
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 10
S1(config-if)#exit
S1(config)#interface fastEthernet 0/1
S1(config-if)#SWitchport mode Access
S1(config-if)#switchport access vlan 10
S1(config-if)#exit
S1(config)#interface fastEthernet 0/5
S1(config-if)#SWitchport mode Access
S1(config-if)#switchport access vlan 20
S1#show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
10 VLAN0010 active Fa0/0, Fa0/1
20 VLAN0020 active Fa0/5
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
PC101-VLAN10#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
Configure the trunk interface
S1(config)#interface fastEthernet 0/15
S1(config-if)#switchport trunk encapsulation dot1q
S1(config-if)#switchport mode trunk
View the trunk information
S1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/15 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/15 1-1005
Port Vlans allowed and active in management domain
Fa0/15 1,10,20
Port Vlans in spanning tree forwarding state and not pruned
Fa0/15 none
6.2.2.3 Router (3600) configuration
Router(config)#interface FastEthernet 0/0
Router(config-if)#no shutdown
Router(config)#interface FastEthernet0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 192.168.10.254 255.255.255.0
Router(config-subif)#no shutdown
Router(config)#interface FastEthernet0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.20.254 255.255.255.0
Router(config-subif)#no shutdown
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset up up
FastEthernet0/0.10 192.168.10.254 YES manual up up
FastEthernet0/0.20 192.168.20.254 YES manual up up
FastEthernet1/0
6.2.2.4 Testing
Connectivity test within the same VLAN
PC101#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
Gateway connectivity test
PC101#ping 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/24 ms
Cross-gateway test
PC101#ping 192.168.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/24 ms
Inter-VLAN communication
PC101#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
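6.2.3 Router-on-a-Stick + PAT
6.2.3.1 Configuration
Configure the ISP-side IP address. The ISP will not point a route back toward the internal networks.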
WAN(config)#interface fastEthernet 0/0
WAN(config-if)#ip address 202.101.100.2 255.255.255.0
WAN(config-if)#no shutdown
PAT gateway device
Configure the interconnect IP address
R1(config)#interface fastEthernet 1/0
R1(config-if)#ip address 202.101.100.1 255.255.255.0
R1(config-if)#no shutdown
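- Step 1: Use an ACL to define the internal source address ranges that are allowed to use PAT.
- Step 2: Associate the ACL with the outside interface; traffic goes out overloaded on the IP address of interface F1/0, so no separate public IP address is needed.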
R1(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R1(config)#ip nat inside source list 1 interface fastEthernet 1/0 overload
Outside interface: 1/0
R1(config)#interface fastEthernet 1/0
R1(config-if)#ip nat outside
The inside interfaces are the subinterfaces
R1(config)#interface fastEthernet 0/0.10
R1(config-subif)#ip nat inside
R1(config-subif)#exit
R1(config)#interface fastEthernet 0/0.20
R1(config-subif)#ip nat inside
Default route
R1(config)#ip route 0.0.0.0 0.0.0.0 202.101.100.2
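A toy model of the PAT configuration above, as an added Python example that is not part of the original page: it applies the wildcard match of `access-list 1` and keeps an overload table keyed by source port. The class and function names are hypothetical, and sequential port allocation is an assumption made to keep the model small, not a statement of how IOS picks ports.

```python
import ipaddress

def acl_permits(src, base="192.168.0.0", wildcard="0.0.255.255"):
    """Standard-ACL match: bits set in the wildcard mask are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(src)) & care) == (int(ipaddress.ip_address(base)) & care)

class Pat:
    """Toy model of 'ip nat inside source list 1 interface ... overload'."""

    def __init__(self, outside_ip="202.101.100.1", first_port=1024):
        self.outside_ip = outside_ip   # address of the outside interface F1/0
        self.next_port = first_port    # assumption: simple sequential allocation
        self.out_map = {}              # (inside_ip, inside_port) -> outside_port
        self.in_map = {}               # outside_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate an inside source; None means ACL 1 did not match."""
        if not acl_permits(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.outside_ip, self.out_map[key]

    def inbound(self, dst_port):
        """Reverse lookup for return traffic; None means no table entry."""
        return self.in_map.get(dst_port)

if __name__ == "__main__":
    pat = Pat()
    print(pat.outbound("192.168.10.1", 5000))   # PC101 in VLAN10
    print(pat.outbound("192.168.20.1", 5000))   # PC201 in VLAN20, same source port
    print(pat.inbound(4444))                    # unsolicited inbound port
    print(acl_permits("192.168.99.7"))          # address outside both lab VLANs
```

The wildcard `0.0.255.255` matches every address in 192.168.0.0/16, which is wider than the two /24 networks the lab actually uses.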
6.2.3.2 Testing
PC101-VLAN10#ping 202.101.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.101.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/42/44 ms
PC201-VLAN20#ping 202.101.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.101.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/44/56 ms