Category: Networking and Security
2011-12-17 21:49:06
Quoted
From qiuhua-12: "Switched Network Design: Layer 2 Design and Layer 3 Design"
Topology summary:
Core layer: two Layer 3 switches, A and B; aggregation layer: two switches, C and D; access layer: Layer 2 switches, dual-homed (two uplinks) to the aggregation layer.
1) Layer 2 design:
1.1 Spanning-tree design, including the spanning-tree add-on tools (loop guard, root guard, PortFast, BPDU guard) and UDLD;
1.2 VLAN design: service VLANs (facing the access-layer switches), management VLANs, and interconnect VLANs;
1.3 Link bundling: EtherChannel
The access layer consists of Layer 2 switches with two uplinks to the aggregation layer; the link between aggregation switches C and D is a trunk that carries multiple access-layer VLANs.
Several aspects need to be considered:
1.1 Spanning-tree design:
1.1.1 Active/standby or load sharing:
Because the access layer is dual-homed, the design must decide between active/standby and load sharing. The access layer runs 100 Mbps to the desktop; the uplinks to the aggregation layer can be 100 Mbps copper or fiber, or 1000 Mbps multimode fiber, depending mainly on the actual access-layer traffic.
1.1.2 Both Cisco and Huawei recommend a single spanning tree, but it is only a recommendation.
Cisco's documentation states that for a data center, active/standby is recommended:
We recommend that you have a single spanning-tree topology in the data center. In the event that you need to load balance traffic to the uplinks between the access and the aggregation switches, assign different priorities for even VLANs and odd VLANs.
The first configuration step is to assign the root and the secondary root switches. Because our recommendation is to not do uplink load balancing in the data center, the examples in this design document show one aggregation (aggregation1) switch as the root for all the instances and the other aggregation switch as the root for all the other instances (aggregation2). The configuration for Native IOS on aggregation1 is as follows:
spanning-tree vlan 3,5,10,20,30,100,200 root primary
The configuration on aggregation2 for Native IOS is as follows:
spanning-tree vlan 3,5,10,20,30,100,200 root secondary
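The two placements the quote describes, as an added example that is not part of the original post or of Cisco's documentation: a Python helper that emits the per-VLAN root configuration for both aggregation switches, either the single-topology form shown above (aggregation1 primary for every VLAN) or the even/odd split the quote allows when uplinks must be load balanced, and then reads its own output back to check that every VLAN ends up with exactly one primary root. The switch names follow the quote; the VLAN-list parser and the consistency check are my own assumptions, not an IOS feature.

```python
"""Added example: per-VLAN STP root placement for two aggregation switches.

Not from the original post or from Cisco. The parser, the formatter and the
read-back check are assumptions used for illustration.
"""
from typing import Dict, List


def parse_vlan_list(spec: str) -> List[int]:
    """Parse an IOS-style VLAN list such as "3,5,10-12,100" into sorted VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    bad = [v for v in vlans if not 1 <= v <= 4094]
    if bad:
        raise ValueError(f"VLAN IDs outside 1-4094: {bad}")
    return sorted(vlans)


def format_vlan_list(vlans: List[int]) -> str:
    """Collapse sorted VLAN IDs back into the compact IOS form (e.g. 3,5,10-12,100)."""
    out, i = [], 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1
        out.append(str(vlans[i]) if i == j else f"{vlans[i]}-{vlans[j]}")
        i = j + 1
    return ",".join(out)


def root_placement(spec: str, load_balance: bool = False) -> Dict[str, List[str]]:
    """Return the 'spanning-tree vlan ... root' lines for aggregation1 and aggregation2.

    Single topology (default): aggregation1 is primary root for every VLAN and
    aggregation2 is secondary, exactly as in the quoted configuration.
    load_balance=True: odd VLANs root on aggregation1, even VLANs on aggregation2,
    so each uplink from an access switch is forwarding for half of the VLANs.
    """
    vlans = parse_vlan_list(spec)
    cfg: Dict[str, List[str]] = {"aggregation1": [], "aggregation2": []}
    if not load_balance:
        cfg["aggregation1"].append(f"spanning-tree vlan {format_vlan_list(vlans)} root primary")
        cfg["aggregation2"].append(f"spanning-tree vlan {format_vlan_list(vlans)} root secondary")
        return cfg
    odd = [v for v in vlans if v % 2]
    even = [v for v in vlans if not v % 2]
    if odd:
        cfg["aggregation1"].append(f"spanning-tree vlan {format_vlan_list(odd)} root primary")
        cfg["aggregation2"].append(f"spanning-tree vlan {format_vlan_list(odd)} root secondary")
    if even:
        cfg["aggregation2"].append(f"spanning-tree vlan {format_vlan_list(even)} root primary")
        cfg["aggregation1"].append(f"spanning-tree vlan {format_vlan_list(even)} root secondary")
    return cfg


def primary_root_map(cfg: Dict[str, List[str]]) -> Dict[int, str]:
    """Read generated lines back and map each VLAN to its primary-root switch.

    Raises if two switches both claim primary for the same VLAN, which would
    leave the root election to bridge priority ties instead of the design.
    """
    roots: Dict[int, str] = {}
    for switch, lines in cfg.items():
        for line in lines:
            words = line.split()
            if words[-1] != "primary":
                continue
            for v in parse_vlan_list(words[2]):
                if v in roots:
                    raise ValueError(f"VLAN {v} has two primary roots")
                roots[v] = switch
    return roots


if __name__ == "__main__":
    for mode in (False, True):
        cfg = root_placement("3,5,10,20,30,100,200", load_balance=mode)
        print("load balance" if mode else "single topology")
        for switch, lines in cfg.items():
            for line in lines:
                print(f"  {switch}: {line}")
        print("  primary roots:", primary_root_map(cfg))
```

The single-topology output reproduces the two quoted commands verbatim; the load-balanced output is what the "different priorities for even VLANs and odd VLANs" sentence asks for, and `primary_root_map` is the check worth running before pasting either into production.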
1.1.3 Loop avoidance on redundant Layer 2 links is handled by STP:
Rapid PVST+ is now the recommended mode:
802.1D Spanning Tree Protocol (STP) has a drawback of slow convergence. Cisco Catalyst switches support three types of STPs, which are PVST+, rapid-PVST+ and MST. PVST+ is based on IEEE 802.1D standard and includes Cisco proprietary extensions such as BackboneFast, UplinkFast, and PortFast. Rapid-PVST+ is based on IEEE 802.1w standard and has a faster convergence than 802.1D. RSTP (IEEE 802.1w) natively includes most of the Cisco proprietary enhancements to the 802.1D Spanning Tree, such as BackboneFast and UplinkFast.
UplinkFast and BackboneFast features are PVST+ features. These are disabled when you enable rapid-PVST+ because those features are built within rapid-PVST+.
The configuration of the features such as PortFast, BPDUguard, BPDUfilter, root guard, and loopguard are applicable in rapid-PVST+ mode also.
1.1.4 Spanning-tree add-on tools (loop guard, root guard, PortFast, BPDU guard)
# The access layer generally enables PortFast together with BPDU guard or root guard;
# Cisco recommends enabling loop guard on all access-layer and aggregation-layer switches in the switched network;
# Note that root guard and loop guard are mutually exclusive and cannot be active on the same port at the same time;
for example, if loop guard is enabled globally and root guard is then enabled on an interface, loop guard stops working on that interface;
once root guard is disabled again, loop guard takes effect on the interface again;
Loop guard:
The configuration of LoopGuard for IOS is as follows:
(config)#spanning-tree loopguard default
This command enables LoopGuard globally on the entire switch. We recommend enabling LoopGuard on all the ports at both aggregation and access switches.
1.1.5 UDLD
It does not conflict with the other spanning-tree tools. When enabled globally, it is enabled by default on all fiber ports only; to enable it on a copper port, enable it in interface configuration mode on that copper interface.
The conclusion is that LoopGuard and UDLD complement each other, and therefore UDLD should also be
enabled globally: To enable these features, enter the following commands:
aggregation2(config)#udld enable
1.2 VLAN design: service VLANs (facing the access-layer switches), management VLANs, and interconnect VLANs;
1.2.1 Service VLANs: confine each service VLAN to a single main wiring closet (MDF) as far as possible. One VLAN corresponds to one subnet;
1.2.2 Management VLANs: several aggregation blocks use contiguous subnets; management VLANs are planned globally;
1.2.3 Interconnect VLANs:
# The aggregation layer and the core layer are OSPF neighbors; the two switches within one aggregation layer are also OSPF neighbors, and the same holds for the core;
# In particular, Cisco supports building OSPF adjacencies over both VLAN interfaces (SVIs) and routed interfaces,
whereas Huawei supports only VLAN interfaces;
# A dedicated routing VLAN for OSPF must be created on the aggregation-layer switches;
Explanation: the trunk between the aggregation switches carries multiple access-layer VLANs, and each VLAN has a VLAN interface with a Layer 3 IP address. When these are advertised (network command), all VLAN interfaces are included, so OSPF runs on every VLAN interface and multiple OSPF adjacencies form between the two switches: with 4 VLANs, for example, there would be 4 OSPF neighbor relationships. To reduce the number of adjacencies, make these VLAN interfaces passive and create one dedicated OSPF VLAN instead.
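The adjacency count described in the explanation above, as an added example that is not part of the original post: a Python model of which VLANs carry OSPF hellos between aggregation switches C and D, with and without a dedicated routing VLAN, plus the IOS lines that implement the passive-interface arrangement. The VLAN IDs, the process number and the /30 address are constructed for illustration; `passive-interface default` and `no passive-interface` are the standard IOS commands, and the point-to-point network type on the routing SVI follows section 2.1.2 of this page.

```python
"""Added example: OSPF adjacencies over the aggregation trunk (not from the post).

VLAN IDs, the OSPF process number and addresses below are constructed.
"""
from typing import List, Optional, Set


def hello_vlans(svi_vlans: List[int], routing_vlan: Optional[int] = None) -> Set[int]:
    """VLANs on which one aggregation switch sends OSPF hellos.

    Without a routing VLAN every SVI matched by a network statement is active,
    so hellos leave on all trunked service VLANs. With a routing VLAN the
    process runs 'passive-interface default' and only that SVI is un-passived.
    """
    if routing_vlan is None:
        return set(svi_vlans)
    if routing_vlan in svi_vlans:
        raise ValueError("routing VLAN must be separate from the service VLANs")
    return {routing_vlan}


def adjacencies(hellos_c: Set[int], hellos_d: Set[int]) -> Set[int]:
    """An adjacency forms on every VLAN where both C and D exchange hellos."""
    return hellos_c & hellos_d


def neighbor_count(svi_vlans: List[int], routing_vlan: Optional[int] = None) -> int:
    """Neighbors C sees from D when both trunk the same VLANs and share the config."""
    return len(adjacencies(hello_vlans(svi_vlans, routing_vlan),
                           hello_vlans(svi_vlans, routing_vlan)))


def render_config(process_id: int, routing_vlan: int, ip: str, mask: str) -> List[str]:
    """IOS lines for one aggregation switch: the routing SVI (point-to-point, as in
    section 2.1.2) and the OSPF process that peers only on that SVI. The existing
    network statements covering the service SVIs stay unchanged and are omitted."""
    return [
        f"interface Vlan{routing_vlan}",
        f" ip address {ip} {mask}",
        " ip ospf network point-to-point",
        "!",
        f"router ospf {process_id}",
        " passive-interface default",                 # silence every service SVI
        f" no passive-interface Vlan{routing_vlan}",  # peer only on the routing VLAN
    ]


if __name__ == "__main__":
    service = [10, 20, 30, 40]  # constructed: four access VLANs trunked between C and D
    print("adjacencies without a routing VLAN:", neighbor_count(service))
    print("adjacencies with routing VLAN 999:", neighbor_count(service, 999))
    print("\n".join(render_config(99, 999, "10.7.250.1", "255.255.255.252")))
```

The service SVIs keep their addresses and are still advertised; only the hello exchange moves to the one routing VLAN, which is why the neighbor count drops from four to one while reachability is unchanged.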
1.3 Link bundling: EtherChannel
Generally enabled between the core switches and between the distribution-layer switches; between core switches a Layer 3 channel is used, between distribution-layer switches a Layer 2 channel.
2) Layer 3 design:
2.1 OSPF routing design
2.2 VRRP/HSRP design
2.3 IP address design
2.1 OSPF routing design
2.1.1 Router ID
In each OSPF process a router needs a unique Router ID to identify itself. By default the router takes its highest Loopback IP address as the Router ID. To keep the OSPF Router ID stable, specify the IP address of interface Loopback 0 as the Router ID in the OSPF process configuration.
Reference configuration:
interface Loopback0
ip address 10.7.251.1 255.255.255.255
router ospf 99
router-id 10.7.251.1
2.1.2 Neighbor establishment
How OSPF establishes neighbor relationships depends on the OSPF network type of the interface. There are five OSPF network types, and the type can be changed with a command.
Point-to-point:
In the departures network, the core switches establish OSPF adjacencies with each other over Layer 3 interfaces with network type OSPF point-to-point; the core switches and the distribution-layer switches establish OSPF adjacencies over Layer 3 interfaces with network type OSPF point-to-point; the T1, T2 and ServerFarm distribution-layer switches establish OSPF adjacencies with each other over interface VLAN 100, also with network type OSPF point-to-point.
Reference configuration:
interface type slot/port
ip ospf network point-to-point
2.1.3 Interface metric (reference bandwidth)
By default, Cisco routers compute the metric of every interface automatically as: reference bandwidth / interface bandwidth. The reference bandwidth can be changed; its default is 100 Mbps.
After the upgrade, the highest link bandwidth in the departures network is 2 Gbps, which exceeds the reference bandwidth, so the reference bandwidth is changed to 100000 Mbps.
router ospf 99
auto-cost reference-bandwidth 100000
Interface metrics after the reference-bandwidth change:
Table 37: OSPF interface metric reference
Link type | Link bandwidth (Mbps) | Metric
2-port GE Channel | 2,000 | 50
GigabitEthernet | 1,000 | 100
VLAN Interface | 1,000 | 100
Loopback | - | 1
FastEthernet | 100 | 1000
10M Ethernet | 10 | 10000
Note: the reference bandwidth must be identical on all routers in the OSPF domain.
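The metric formula above carried through for the links in the table, as an added example that is not part of the original post: a Python helper that computes the Cisco OSPF interface cost for a given reference bandwidth and lists the pairs of links of different speed that OSPF can no longer tell apart. The link list is taken from the table; the truncation of the division and the minimum cost of 1 are standard OSPF cost behaviour, and `indistinguishable_links` is my own check, not an IOS command.

```python
"""Added example: OSPF interface cost versus reference bandwidth (not from the post).

Link names and bandwidths come from the table on this page.
"""
from typing import Dict, List, Tuple

# (link type, bandwidth in Mbps) as in the table; Loopback has no bandwidth and is fixed at 1.
LINKS: List[Tuple[str, int]] = [
    ("2 ports GE Channel", 2000),
    ("GigabitEthernet", 1000),
    ("VLAN Interface", 1000),
    ("FastEthernet", 100),
    ("10M Ethernet", 10),
]


def ospf_cost(bandwidth_mbps: int, reference_mbps: int = 100) -> int:
    """Cost = reference bandwidth / interface bandwidth, integer part, never below 1."""
    if bandwidth_mbps <= 0 or reference_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    return max(1, reference_mbps // bandwidth_mbps)


def cost_table(reference_mbps: int) -> Dict[str, int]:
    """Cost of every link in the table for the given reference bandwidth."""
    return {name: ospf_cost(bw, reference_mbps) for name, bw in LINKS}


def indistinguishable_links(reference_mbps: int) -> List[Tuple[str, str]]:
    """Pairs of links with different bandwidth but equal cost.

    OSPF treats such links as equal-cost paths, so with the default reference a
    FastEthernet link would share traffic with a 2 Gbps channel; this is the
    failure the page avoids by raising the reference bandwidth.
    """
    pairs = []
    for i, (name1, bw1) in enumerate(LINKS):
        for name2, bw2 in LINKS[i + 1:]:
            if bw1 != bw2 and ospf_cost(bw1, reference_mbps) == ospf_cost(bw2, reference_mbps):
                pairs.append((name1, name2))
    return pairs


if __name__ == "__main__":
    for ref in (100, 100000):  # default reference, then the value chosen on this page
        print(f"reference bandwidth {ref} Mbps:")
        for name, cost in cost_table(ref).items():
            print(f"  {name:20s} cost {cost}")
        print("  links OSPF cannot distinguish:", indistinguishable_links(ref))
```

With the default reference every link of 100 Mbps or more collapses to cost 1; with 100000 Mbps the costs match the table (50, 100, 100, 1000, 10000) and no two links of different speed share a cost.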
2.2 VRRP/HSRP design
The HSRP Active/Standby placement matches the STP primary-root/secondary-root placement, so that the data path is the optimal one.
2.3 IP address design
Covers the IP subnets of the service VLANs, the loopback addresses of Layer 3 devices, the management addresses of Layer 2 devices, and the device interconnect addresses.
Layer 2 supplement and update:
Layer 2:
1) VTP:
Before configuring VLANs you need to define the VTP mode for the switch. Use the VTP transparent mode for the following reasons:
• There are no major benefits from automatic VLAN configuration distribution between switches because VLANs are only placed between aggregation and access switches.
• With the currently available version of VTP, VLAN misconfiguration errors can be propagated through VTP, creating an unnecessary risk. For instance, server VLANs accidentally removed from a switch can propagate and this can isolate the entire server farm.
Enter the following commands to configure VTP:
vtp domain domain-name
vtp mode transparent
Use the same VTP domain name everywhere in the data center.
2) VLAN:
Access VLANs: for servers, primarily (service VLANs);
Layer 3 VLANs: to provide a contiguous OSPF area for communication between MSFCs (interconnect VLANs);
Management VLAN;
3) Trunk Configuration
You can configure trunks between the following network devices:
• Aggregation switches, which carry practically all of the VLANs;
• Access switches and aggregation switches, which carry only the server VLANs;
• Aggregation switches and the service appliances;
To define the VLANs allowed on a trunk, enter the following command:
switchport trunk allowed vlan 10,20
You can modify the list of the VLANs allowed on a trunk with the following commands in Native IOS:
switchport trunk allowed vlan add vlan-number
switchport trunk allowed vlan remove vlan-number
The recommended trunk encapsulation is 802.1q, mainly because it is the standard. The configuration in Catalyst 6500 IOS is as follows:
switchport trunk encapsulation dot1q
DTP negotiation can be turned off to reduce convergence time: switchport nonegotiate; this is only a recommendation.
4) EtherChannel
Two kinds: Layer 2 and Layer 3;
Recommended setting: channel-group 1 mode on, where "on" means no negotiation; this is only a recommendation.
5) STP
We recommend that you have a single spanning-tree topology in the data center. In the event that you need to
load balance traffic to the uplinks between the access and the aggregation switches, assign different
priorities for even VLANs and odd VLANs.
spanning-tree vlan 3,5,10,20,30,100,200 root primary
6) STP tools:
6.1 Enable loop guard network-wide:
This command enables LoopGuard globally on the entire switch. We recommend enabling LoopGuard on all the ports at both aggregation and access switches.
(config)#spanning-tree loopguard default
6.2 Enable root guard or BPDU guard at the access layer;
ports connecting PCs generally use BPDU guard;
ports connecting switches generally use root guard;
7) UDLD
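The Layer 2 rules collected in sections 1.1.4, 1.1.5 and items 1, 3, 6 and 7 above, checked against a configuration, as an added example that is not part of the original post and not a vendor tool: a small Python auditor that splits an IOS-style running-config into global lines and interface stanzas and reports where the global loop guard, UDLD, VTP transparent and Rapid PVST+ settings are missing, where an access port lacks BPDU guard or root guard, where a trunk has no explicit dot1q encapsulation, allowed-VLAN list or `switchport nonegotiate`, and where root guard on a port overrides the global loop guard (the mutual exclusion noted in 1.1.4). The sample config, its interface names and VLAN numbers are constructed; the severities are my own choice.

```python
"""Added example: audit an IOS config against this page's Layer 2 rules.

Not from the original post or from Cisco. SAMPLE_CONFIG is constructed.
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
vtp mode transparent
spanning-tree mode rapid-pvst
spanning-tree loopguard default
udld enable
!
interface GigabitEthernet1/1
 description uplink to aggregation C
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet2/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet2/2
 description downstream switch
 switchport mode access
 spanning-tree guard root
!
interface FastEthernet2/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/2
 description second uplink, DTP left on, all VLANs allowed
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

# (command, severity, reason) for settings the page wants on every switch.
REQUIRED_GLOBAL = [
    ("spanning-tree loopguard default", "high", "loop guard should be enabled globally (1.1.4 / 6.1)"),
    ("udld enable", "high", "UDLD complements loop guard and should be enabled globally (1.1.5 / 7)"),
    ("vtp mode transparent", "high", "VTP transparent stops VLAN misconfiguration from propagating (1)"),
    ("spanning-tree mode rapid-pvst", "low", "Rapid PVST+ is the recommended mode (1.1.3)"),
]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and {interface name: [stanza lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, where, message) findings; an empty list means compliant."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd, severity, why in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append((severity, "global", f"missing '{cmd}': {why}"))
    loopguard_global = "spanning-tree loopguard default" in global_lines
    for name, lines in interfaces.items():
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines or "spanning-tree portfast" in lines
        if is_trunk:
            if "switchport trunk encapsulation dot1q" not in lines:
                findings.append(("medium", name, "trunk without explicit dot1q encapsulation"))
            if not any(ln.startswith("switchport trunk allowed vlan") for ln in lines):
                findings.append(("medium", name, "trunk allows all VLANs; prune with 'switchport trunk allowed vlan'"))
            if "switchport nonegotiate" not in lines:
                findings.append(("low", name, "DTP still negotiating; 'switchport nonegotiate' is recommended"))
        if is_access:
            guarded = "spanning-tree bpduguard enable" in lines or "spanning-tree guard root" in lines
            if not guarded:
                findings.append(("high", name, "access port without BPDU guard or root guard"))
        if "spanning-tree guard root" in lines and loopguard_global:
            findings.append(("info", name, "root guard overrides the global loop guard on this port"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:6s}] {where}: {message}")
```

On the sample, FastEthernet2/3 (PortFast with no guard) and GigabitEthernet1/2 (unpruned trunk with DTP left on) are the two ports that need attention; the root-guard port is reported only as informational, because losing loop guard there is the documented consequence, not a misconfiguration.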