I have been banging my head against this for a long time. I hope someone can help me.
I am rebuilding a client's network, and this is my first attempt at routing. I decided to keep things simple. We are using 3x HP ProCurve 2920s. Two of them serve user connections, and the third will act as our router, where our servers and the uplinks to other networks live.
Here is my VLAN layout:
VLAN1 - Legacy / 192.168.11.0/24
VLAN10 - General Students / 10.0.0.0/23
VLAN11 - General Staff / 10.0.20.0/23
VLAN20 - Staff Wireless / 10.0.100.0/23
VLAN21 - Student Wireless / 10.0.120.0/23
VLAN22 - Public Wireless / 10.0.140.0/23
VLAN30 - Servers / 10.0.200.0/23
VLAN40 - Management / 10.0.220.0/23
VLAN1 is the existing flat network. I am trying not to cause an outage while I get things working, so I left it in place on the new ProCurves. VLAN1 currently works fine, but I suspect that is because DHCP is still handing out the firewall IP as the default gateway rather than the new .254 address I created.
Our firewall is a Cisco RV016, currently in gateway mode with RIP disabled. Once I get inter-VLAN routing working, I suspect I will need to create a static route for 0.0.0.0/0.0.0.0 pointing at the Cisco, or enable RIP routing on the firewall. For now I want to get inter-VLAN routing working, and then I will deal with the firewall.
I have done the following on all three switches:
- Enabled routing
- Defined the VLANs
- Configured tagging for the VLANs on the uplink ports
I have done the following on our routing switch:
- Given each VLAN an IP address to act as the VLAN gateway (all ending in .254)
- Enabled RIPv2 on all VLANs (including VLAN1)
Here is the switch config for our routing switch:
; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0
hostname "LKS-S-04"
module 1 type j9729a
trunk 45-46 trk1 lacp
trunk 47-48 trk2 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
ip routing
interface 45
flow-control
name "LKS-S-02:45"
exit
interface 46
flow-control
name "LKS-S-02:46"
exit
interface 47
flow-control
name "LKS-S-03:47"
exit
interface 48
flow-control
name "LKS-S-03:48"
exit
no snmp-server enable
oobm
ip address 192.168.11.251 255.255.255.0
ip default-gateway 192.168.11.1
exit
router rip
redistribute connected
enable
exit
vlan 1
name "VLAN1 - School Scope (LEGACY)"
untagged 1-44,A1-A2,B1-B2,Trk1-Trk2
ip address 192.168.11.254 255.255.255.0
ip rip 192.168.11.254
exit
vlan 10
name "VLAN10 - General Students"
tagged Trk1-Trk2
ip address 10.0.1.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.1.254
exit
vlan 11
name "VLAN11 - General Staff"
tagged Trk1-Trk2
ip address 10.0.21.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.21.254
exit
vlan 20
name "VLAN20 - Staff Wireless"
tagged Trk1-Trk2
ip address 10.0.101.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.101.254
exit
vlan 21
name "VLAN21 - Student Wireless"
tagged Trk1-Trk2
ip address 10.0.121.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.121.254
exit
vlan 22
name "VLAN22 - Public Wireless"
tagged Trk1-Trk2
ip address 10.0.141.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.141.254
exit
vlan 30
name "VLAN30 - Servers"
tagged Trk1-Trk2
ip address 10.0.201.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.201.254
exit
vlan 40
name "VLAN40 - Management"
tagged Trk1-Trk2
ip address 10.0.221.254 255.255.254.0
ip helper-address 192.168.11.10
ip rip 10.0.221.254
exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
Here is one of my client access switches:
; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0
hostname "LKS-S-02"
module 1 type j9729a
trunk 45-46 trk1 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
ip routing
interface 45
flow-control
name "LKS-S-04:45"
exit
interface 46
flow-control
name "LKS-S-04:46"
exit
no snmp-server enable
oobm
ip address 192.168.11.253 255.255.255.0
ip default-gateway 192.168.11.1
exit
router rip
no redistribute connected
enable
exit
vlan 1
name "DEFAULT_VLAN"
untagged 1-44,47-48,A1-A2,B1-B2,Trk1
no ip address
exit
vlan 10
name "VLAN10 - General Students"
tagged Trk1
no ip address
exit
vlan 11
name "VLAN11 - General Staff"
tagged Trk1
no ip address
exit
vlan 20
name "VLAN20 - Staff Wireless"
tagged Trk1
no ip address
exit
vlan 21
name "VLAN21 - Student Wireless"
tagged Trk1
no ip address
exit
vlan 22
name "VLAN22 - Public Wireless"
tagged Trk1
no ip address
exit
vlan 30
name "VLAN30 - Servers"
tagged Trk1
no ip address
exit
vlan 40
name "VLAN40 - Management"
tagged Trk1
ip address 10.0.220.2 255.255.254.0
exit
spanning-tree Trk1 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
If I give a client a static IP on any of the new VLANs, it can ping its default gateway regardless of which switch it is physically plugged into. It cannot get any further than that.
Here is "show ip route" from the routing switch:
LKS-S-04(config)# show ip route
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
10.0.0.0/23 VLAN10 - Gen... 10 connected 1 0
10.0.20.0/23 VLAN11 - Gen... 11 connected 1 0
10.0.100.0/23 VLAN20 - Sta... 20 connected 1 0
10.0.120.0/23 VLAN21 - Stu... 21 connected 1 0
10.0.140.0/23 VLAN22 - Pub... 22 connected 1 0
10.0.200.0/23 VLAN30 - Ser... 30 connected 1 0
10.0.220.0/23 VLAN40 - Man... 40 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
192.168.11.0/24 VLAN1 - Scho... 1 connected 1 0
And from the client access switch:
LKS-S-02(config)# show ip route
IP Route Entries
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
10.0.220.0/23 VLAN40 - Man... 40 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
My guess is that the client access switches are not picking up the routes, but I thought the whole point of RIP was that it handles that for me.
Any help would be greatly appreciated.
Update 1 - 2015-06-18 @ 15:24
I have disabled routing on the two user access switches and disabled RIP on my RS.
It looks like I can put myself on any of these VLANs and ping any other new VLAN gateway, but not other hosts that are currently on the new VLANs.
I still cannot get to the internet (even with a default route to my firewall on the RS), and with or without a static route on my RS I cannot reach my 192.168.11.0 legacy network.
Here is the new config for the RS:
; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0
hostname "LKS-S-04"
module 1 type j9729a
trunk 45-46 trk1 lacp
trunk 47-48 trk2 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 192.168.11.0 255.255.255.0 192.168.11.1
ip routing
interface 45
flow-control
name "LKS-S-02:45"
exit
interface 46
flow-control
name "LKS-S-02:46"
exit
interface 47
flow-control
name "LKS-S-03:47"
exit
interface 48
flow-control
name "LKS-S-03:48"
exit
no snmp-server enable
oobm
ip address 192.168.11.251 255.255.255.0
ip default-gateway 192.168.11.1
exit
vlan 1
name "VLAN1 - School Scope (LEGACY)"
no untagged 8-9
untagged 1-7,10-44,A1-A2,B1-B2,Trk1-Trk2
ip address 192.168.11.254 255.255.255.0
exit
vlan 10
name "VLAN10 - General Students"
tagged Trk1-Trk2
ip address 10.0.1.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 11
name "VLAN11 - General Staff"
tagged Trk1-Trk2
ip address 10.0.21.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 20
name "VLAN20 - Staff Wireless"
tagged Trk1-Trk2
ip address 10.0.101.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 21
name "VLAN21 - Student Wireless"
tagged Trk1-Trk2
ip address 10.0.121.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 22
name "VLAN22 - Public Wireless"
tagged Trk1-Trk2
ip address 10.0.141.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 30
name "VLAN30 - Servers"
tagged Trk1-Trk2
ip address 10.0.201.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 40
name "VLAN40 - Management"
untagged 8-9
tagged Trk1-Trk2
ip address 10.0.221.254 255.255.254.0
ip helper-address 192.168.11.10
exit
vlan 99
name "ROUTING"
tagged Trk1-Trk2
ip address 10.0.250.4 255.255.255.0
exit
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
Here is one of the client switches:
; J9729A Configuration Editor; Created on release #WB.15.16.0008
; Ver #06:0c.fc.f3.ff.37.2d:e0
hostname "LKS-S-02"
module 1 type j9729a
trunk 45-46 trk1 lacp
sntp 300
sntp server priority 1 192.168.11.10
no telnet-server
time timezone -480
no web-management
interface 45
flow-control
name "LKS-S-04:45"
exit
interface 46
flow-control
name "LKS-S-04:46"
exit
no snmp-server enable
oobm
ip address 192.168.11.253 255.255.255.0
ip default-gateway 192.168.11.1
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 47
untagged 1-44,48,A1-A2,B1-B2,Trk1
no ip address
exit
vlan 10
name "VLAN10 - General Students"
tagged Trk1
no ip address
exit
vlan 11
name "VLAN11 - General Staff"
tagged Trk1
no ip address
exit
vlan 20
name "VLAN20 - Staff Wireless"
tagged Trk1
no ip address
exit
vlan 21
name "VLAN21 - Student Wireless"
tagged Trk1
no ip address
exit
vlan 22
name "VLAN22 - Public Wireless"
tagged Trk1
no ip address
exit
vlan 30
name "VLAN30 - Servers"
tagged Trk1
no ip address
exit
vlan 40
name "VLAN40 - Management"
untagged 47
tagged Trk1
ip address 10.0.220.2 255.255.254.0
exit
vlan 99
name "ROUTING"
tagged Trk1
ip address 10.0.250.2 255.255.255.0
exit
spanning-tree Trk1 priority 4
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
And the routes on the RS:
Destination Gateway VLAN Type Sub-Type Metric Dist.
------------------ --------------- ---- --------- ---------- ---------- -----
0.0.0.0/0 192.168.11.1 1 static 1 1
10.0.0.0/23 VLAN10 - Gen... 10 connected 1 0
10.0.20.0/23 VLAN11 - Gen... 11 connected 1 0
10.0.100.0/23 VLAN20 - Sta... 20 connected 1 0
10.0.120.0/23 VLAN21 - Stu... 21 connected 1 0
10.0.140.0/23 VLAN22 - Pub... 22 connected 1 0
10.0.200.0/23 VLAN30 - Ser... 30 connected 1 0
10.0.220.0/23 VLAN40 - Man... 40 connected 1 0
10.0.250.0/24 ROUTING 99 connected 1 0
127.0.0.0/8 reject static 0 0
127.0.0.1/32 lo0 connected 1 0
192.168.11.0/24 VLAN1 - Scho... 1 connected 1 0
And from the firewall: https://img.fizi.ca/di/DMIC/firewallRoutes.png
And an example of the static routes I configured on the firewall to reach the new VLANs: https://img.fizi.ca/di/24OO/staticRoutes.png
So close!
Update - 2015-06-18 @ 16:49
Progress. I found that I had made a mistake configuring the routes on the RV016. I should have set the gateway to 192.168.11.254 (the IP of VLAN 1 on my RS). It looks like that fixed everything.
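The two updates above come down to one forwarding rule: a router can only hand a packet to a static-route next hop that sits on a subnet it is directly attached to, and the reply path has to satisfy that rule as much as the outbound path does. The RS reaches the firewall through 192.168.11.1 on its connected VLAN 1 subnet, and the RV016 reaches the 10.0.x.0/23 networks only through 192.168.11.254, the RS address on the firewall's own LAN. The script below is an added example, not code from the post, HP or Cisco: it parses the `ip route` and per-VLAN `ip address` lines of a ProCurve config in the syntax shown above, does the longest-prefix-match lookup the `show ip route` tables reflect (connected beats static on a tie, matching the Dist. column), and flags any static route whose next hop is not on a connected subnet. The regexes, the firewall model (LAN interface only, WAN default omitted) and the deliberately off-subnet next hop 10.0.1.254 are constructed for the example; the addresses come from the post.

```python
import ipaddress
import re

# Constructed excerpt in the ProCurve syntax the post shows, using the
# router-switch addresses from update 1 (both static routes, four VLAN interfaces).
RS_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 192.168.11.0 255.255.255.0 192.168.11.1
vlan 1
   ip address 192.168.11.254 255.255.255.0
   exit
vlan 10
   ip address 10.0.1.254 255.255.254.0
   exit
vlan 30
   ip address 10.0.201.254 255.255.254.0
   exit
vlan 99
   ip address 10.0.250.4 255.255.255.0
   exit
"""

# The RV016 modelled directly (its config is not ProCurve syntax). Only its LAN
# interface 192.168.11.1/24 is modelled; the WAN default route is left out on purpose.
FW_CONNECTED = {"lan": ipaddress.ip_interface("192.168.11.1/24")}
# The route update 2 describes: new VLAN subnet via the RS address on the firewall's LAN.
FW_STATICS_FIXED = [(ipaddress.ip_network("10.0.0.0/23"),
                     ipaddress.ip_address("192.168.11.254"))]
# Constructed wrong variant (hypothetical): next hop is the VLAN10 gateway itself, which
# is not on the firewall's LAN, so the firewall has no interface to send the packet out of.
FW_STATICS_BROKEN = [(ipaddress.ip_network("10.0.0.0/23"),
                      ipaddress.ip_address("10.0.1.254"))]


def parse_procurve(text):
    """Return ({vlan_id: ip_interface}, [(destination_network, next_hop)]) from a
    ProCurve config. Dotted netmasks are accepted by the ipaddress module directly."""
    connected, statics = {}, []
    vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"vlan (\d+)", line)):
            vlan = int(m.group(1))
        elif line == "exit":
            vlan = None
        elif (m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line)):
            dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            statics.append((dest, ipaddress.ip_address(m.group(3))))
        elif vlan is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            connected[vlan] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return connected, statics


def check_static_next_hops(connected, statics):
    """A static route is usable only if its next hop lies on a directly connected
    subnet; anything else cannot be ARPed for and silently blackholes traffic."""
    problems = []
    for dest, hop in statics:
        if not any(hop in iface.network for iface in connected.values()):
            problems.append(f"{dest} via {hop}: next hop not on any connected subnet")
    return problems


def route_lookup(connected, statics, dst):
    """Longest-prefix match over connected plus static routes. On equal prefix
    length the connected route wins (lower distance, as in the show ip route output).
    Returns a description string, or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    candidates = [(iface.network, 1, f"connected vlan {vid}")
                  for vid, iface in connected.items()]
    candidates += [(dest, 0, f"static via {hop}") for dest, hop in statics]
    matches = [(net.prefixlen, pref, via) for net, pref, via in candidates if dst in net]
    if not matches:
        return None
    return max(matches)[2]


if __name__ == "__main__":
    rs_conn, rs_stat = parse_procurve(RS_CONFIG)
    print("RS static-route problems:", check_static_next_hops(rs_conn, rs_stat) or "none")
    print("RS  10.0.1.10 -> 8.8.8.8   :", route_lookup(rs_conn, rs_stat, "8.8.8.8"))
    print("RS  reply to 10.0.1.10     :", route_lookup(rs_conn, rs_stat, "10.0.1.10"))
    print("FW  reply, no 10.0.x route :", route_lookup(FW_CONNECTED, [], "10.0.1.10"))
    print("FW  reply, fixed route     :", route_lookup(FW_CONNECTED, FW_STATICS_FIXED, "10.0.1.10"))
    print("FW  broken route problems  :", check_static_next_hops(FW_CONNECTED, FW_STATICS_BROKEN))
```

Running it against the RS config shows the outbound lookup for an internet address landing on `0.0.0.0/0` via 192.168.11.1, which passes the next-hop check because 192.168.11.1 is inside the connected VLAN 1 subnet. On the firewall side, a client in 10.0.0.0/23 gets no LAN-side route until the 10.0.x route exists, which is the "can ping the gateways but nothing beyond" symptom, and a next hop that is not on the firewall's LAN is flagged before it is ever deployed.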