华三路由交换BAGG链路聚合+IRF虚拟化典型案例

接入层：ASW交换机

汇聚层：由于网络比较简单，此案例没有涉及汇聚层

核心层：CSW01、CSW02两台交换机做IRF虚拟化，即堆叠

如图下图，Host_1是本地主机，PC_1的DHCP与网关在核心上，两边VLAN为98，99，CSW01、CSW02做IRF虚拟化，防火墙及路由器做外网网关设备，ISP为运营商。

由于IRF虚拟化的限制，所以当所有设备没有配置的时候，优先做IRF虚拟化：

chassis convert mode  //irf切换irf模式，如果是路由器做堆叠，需要转换为三层模式

CSW01-IRF:

int range ten-g 1/0/52 t1/0/51

shutdown

qu

irf-port 1/1

port group int t1/0/51

port group int t1/0/52

qu

int range t1/0/51 t1/0/52

undo shutdown

save

irf-port-configuration active

CSW02-IRF

irf member 1 renumber 2 #一定要进行这一步

qu #退出到接口视图，重启

reboot

int range t 2/0/51 t2/0/52

shutdown

qu

irf-port 2/2

port group int t2/0/51

port group int t2/0/52

qu

int range t2/0/51 t2/0/52

undo shutdown

save

irf-port-c at

dis irf

dis int brief #此时有2/0/开头的口子说明IRF虚拟化成功了

ASW和CSW01之间的LINK-AGG

#创建BAGG 1 2 3

int Bridge-Aggregation 1

int Bridge-Aggregation 2

int range g1/0/2 g2/0/2

pory link-aggregation group 1

int range g1/0/48 g2/0/48

port link-aggregation group 2

ASW

interface Bridge-Aggregation 1

qu

int range g1/0/47 g1/0/48

interface Bridge-Aggregation 1

port link-Aggregation group 1

CSW01和FW防火墙之间的LINK-AGG

FW

int Route-Aggregation 1

int range g1/0/0 g1/0/1

port link-Aggregation group 1

CSW01配置VLAN、配置接口IP、缺省路由

[CSW01] vlan 98 to 99

    Vlan 100

[CSW01]interface Vlan-interface 100

[CSW01]ip address 16.2.1.1 30

[CSW01]ip route-static 0.0.0.0 0 16.2.1.2

CSW01配置DHCP、PC_1和Host_1的网关

dhcp enable

dhcp server ip-pool dhcp

network 16.2.98.0 24

dns-list 114.114.114.114

gateway-list 16.2.98.254

qu

dhcp server forbidden-ip 16.2.98.200 16.2.98.254

int int Vlan-interface 98

ip address 16.2.98.254 24

int int Vlan-interface 99

ip address 16.2.99.254 24

int int Vlan-interface 100

ip address 16.2.1.2 30

FW配置私网路由

[FW]ip route-static 0.0.0.0 0 200.0.0.1

[FW]ip route-static 16.82.0.0 16 16.82.100.1

FW配置ACL和NAT

[FW]interface g1/0/23

[FW-GigabitEthernet1/0/23]nat outbound 2000

[FW-GigabitEthernet1/0/23]qu

[FW]acl basic 2000

[FW-acl-ipv4-basic-2000]rule permit source 16.82.0.0 0.0.255.255

配置安全策略

admin

admin

1、将端口加入安全与域，security-zone

2、配置安装策略 security-pollcy

security-zone name trust

import interface g1/0/0

             g1/0/1

             RAGG  1

security-zone name untrust

import int g 1/0/23

security-policy ip

    rule name trust2untrust

       souurce-zone trust

       destination-zone untrust

       destination-ip 210 #创建210地址池

           action pass #动作

dis session table ipv4

       destination-ip 210#只能访问210

object-group ip add 210

        network host add 210.0.1 #添加可以访问的目标地址

        network subnet 16.82.10.0 255.255.255.0 #添加可以访问的子网段

ISP配置LOOKBACK地址、接口地址：

int g0/0

ip address 200.0.0.1 24

int lookback0

ip address 210.0.0.1 30

给PC_1配置，我这里是静态，配置动态获取也可以。

最后，就可以用ping命令测试连通性了

排错：

内网不通：先检查IP地址，检查网关，再检查聚合端口是否允许通过，vlan是否放通，