I. Overview of the related concepts of link aggregation for Huawei network equipment:
1. What is link aggregation?
2. What are the restrictions on member interfaces?
3. What are the working modes of link aggregation?
4. The concept of active interface and inactive interface.
5. The concept of active end and passive end.
6. What kinds of load balancing modes are there?
1. What is link aggregation?

Link aggregation bundles multiple physical interfaces into one logical interface to increase bandwidth and provide link redundancy. The bandwidth of the aggregated link is theoretically the sum of the bandwidths of the member physical interfaces, which makes it well suited to enterprise core networks. At the same time, if a member interface or link in the bundle fails, the aggregated link keeps working normally, so the bundle also provides redundancy. The link aggregation protocol supported by Huawei equipment is LACP (Link Aggregation Control Protocol). On Huawei equipment, the logical interface formed by bundling multiple physical interfaces is called an Eth-Trunk interface.

2. What are the restrictions on member interfaces?

When adding member interfaces to an Eth-Trunk, pay attention to the following:
- Each Eth-Trunk interface can contain up to 8 member interfaces;
- A member interface cannot have any other feature or a static MAC address configured on it individually;
- When an interface is added to an Eth-Trunk, it must be of the default hybrid type (hybrid is the default interface type on Huawei equipment);
- Eth-Trunk interfaces cannot be nested, that is, a member interface cannot itself be an Eth-Trunk;
- An Ethernet interface can belong to only one Eth-Trunk interface. To add it to a different Eth-Trunk, first remove it from the original Eth-Trunk;
- The member interfaces of an Eth-Trunk must be of the same type, that is, an FE port and a GE port cannot be added to the same Eth-Trunk;
- Ethernet interfaces on different interface boards can be added to the same Eth-Trunk;
- If the local device uses an Eth-Trunk, the peer interfaces directly connected to the member interfaces must also be bundled into an Eth-Trunk so that both ends can communicate normally;
- When the rates of the member interfaces differ, the lower-rate interface may become congested in practice and drop packets;
- Once a member interface joins an Eth-Trunk, MAC addresses are learned against the Eth-Trunk, not against the member interface.
3. What are the working modes of link aggregation?

The link aggregation modes supported by Huawei network equipment are manual load sharing mode and static LACP mode:
- Manual load sharing mode: In this mode no LACP protocol packets are involved; everything, such as adding the member interfaces, is configured manually. All interfaces are in the forwarding state and share the load between the links. The supported load sharing methods are destination MAC, source MAC, source MAC XOR destination MAC, source IP, destination IP, and source IP XOR destination IP. Manual load sharing mode is usually used when the peer device does not support LACP.
- Static LACP mode: In this mode the devices at both ends of the links use LACP to negotiate which member interfaces are active and which are inactive. Creating the Eth-Trunk and adding the member interfaces to it is still done manually; only the choice of active and inactive interfaces is negotiated by LACP. Static LACP mode is also called M:N mode, and it provides both link load sharing and redundant backup. Of the links in the aggregation group, M links are active, forwarding data and sharing the load, while the other N links are inactive and do not forward data. When one of the M links fails, the system automatically selects the highest-priority link among the N backup links to replace it and starts forwarding data over it.

The main difference between static LACP mode and manual load sharing mode is that static LACP mode can keep backup links, whereas in manual load sharing mode all member interfaces are in the forwarding state and share the traffic unless a link fails.

4. The concept of active interface and inactive interface.

An interface that is up and responsible for forwarding data is called an active interface. Conversely, an interface that is in the inactive state and is not allowed to forward data is called an inactive interface. Active and inactive interfaces generally need no manual intervention. In static LACP mode, upper and lower limits on the number of active interfaces can be configured.

Depending on the configured working mode, the roles are divided as follows:
- Manual load sharing mode: Normally all interfaces are active interfaces, unless a link failure occurs on one of them.
- Static LACP mode: The interfaces of the M links are active interfaces and forward data; the interfaces of the N links are inactive interfaces and serve as redundant backups.
5. The concept of active end and passive end.

In static LACP mode, one of the two devices at the ends of the aggregation group must be selected as the active end and the other as the passive end. Generally, the end with the higher LACP priority becomes the active end and the end with the lower LACP priority becomes the passive end. If the priorities are equal, the end with the smaller MAC address is usually selected as the active end. (The smaller the priority value, the higher the priority.)

The purpose of distinguishing an active end and a passive end is to ensure that the active interfaces finally confirmed by the devices at both ends are the same. Otherwise each end would select its active interfaces according to its own interface priorities, the two sets would very likely differ, and the aggregated link could not be established. As shown in the figure below:

In the figure, SwitchA selects the upper two interfaces as its active interfaces, while SwitchB selects the lower two. Because SwitchA has the higher priority, the active interfaces at both ends are finally decided according to SwitchA. So the active end is determined first, and the passive end then selects its active interfaces according to the interface priorities of the active end.

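The negotiation described in sections 3 and 5, as an added example that is not part of the original post: the active end is chosen by LACP system priority and then MAC address, the active end's interface priorities pick the M active links, and a failed link is replaced by the best backup. The switch names, MAC addresses, priorities and link ids are constructed; only the rules come from the text.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768  # Huawei default for both the system and the interface LACP priority


@dataclass
class LacpSystem:
    name: str
    mac: str                                            # constructed bridge MAC, e.g. "4c1f-cc00-0001"
    system_priority: int = DEFAULT_PRIORITY
    iface_priority: dict = field(default_factory=dict)  # interface name -> LACP interface priority

    def active_end_key(self):
        # smaller system priority value wins; on a tie the numerically smaller MAC wins
        return (self.system_priority, int(self.mac.replace("-", ""), 16))


def choose_active_end(a: LacpSystem, b: LacpSystem) -> LacpSystem:
    return min((a, b), key=LacpSystem.active_end_key)


def negotiate(a: LacpSystem, b: LacpSystem, links: dict, m: int, failed=frozenset()):
    """Return (active end name, active link ids, backup link ids).

    links: {link_id: {system name: interface name}} for every physical link in
    the Eth-Trunk. m: upper limit of active interfaces (the M in M:N).
    failed: link ids that are currently down; they are skipped, so the
    highest-priority backup moves up, which is the failover the text describes.
    """
    active_end = choose_active_end(a, b)

    def rank(link_id):
        iface = links[link_id][active_end.name]
        # Only the ACTIVE end's interface priorities are consulted (ties broken
        # by interface name), so the passive end arrives at the same active set.
        return (active_end.iface_priority.get(iface, DEFAULT_PRIORITY), iface)

    ranked = sorted((lid for lid in links if lid not in failed), key=rank)
    return active_end.name, ranked[:m], ranked[m:]


def sample_topology():
    """Constructed: SwitchA prefers links L1/L2, SwitchB prefers L3/L4, as in
    the figure; SwitchA has 'lacp priority 1000', SwitchB keeps the default."""
    a = LacpSystem("SwitchA", "4c1f-cc00-0001", 1000,
                   {"GigabitEthernet0/0/1": 100, "GigabitEthernet0/0/2": 100})
    b = LacpSystem("SwitchB", "4c1f-cc00-0002",
                   iface_priority={"GigabitEthernet0/0/3": 100, "GigabitEthernet0/0/4": 100})
    links = {f"L{i}": {"SwitchA": f"GigabitEthernet0/0/{i}", "SwitchB": f"GigabitEthernet0/0/{i}"}
             for i in range(1, 5)}
    return a, b, links


if __name__ == "__main__":
    a, b, links = sample_topology()
    print(negotiate(a, b, links, m=2))                  # ('SwitchA', ['L1', 'L2'], ['L3', 'L4'])
    print(negotiate(a, b, links, m=2, failed={"L1"}))   # ('SwitchA', ['L2', 'L3'], ['L4'])
```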
6. What kinds of load balancing modes are there?

The main purposes of link aggregation are to increase bandwidth and add redundancy, and the usual way to achieve this is load sharing across the multiple physical links.
Commonly used load sharing modes include:
- dst-ip (destination IP address) mode: takes the 3-bit value at the specified bit positions of the destination IP address and of the TCP/UDP port number, XORs them, and uses the result to select the corresponding outgoing interface in the Eth-Trunk table.
- dst-mac (destination MAC address) mode: takes the 3-bit value at the specified bit positions of the destination MAC address, VLAN ID, Ethernet type and ingress port information, XORs them, and uses the result to select the corresponding outgoing interface in the Eth-Trunk table.
- src-ip (source IP address) mode: takes the 3-bit value at the specified bit positions of the source IP address and of the TCP/UDP port number, XORs them, and uses the result to select the corresponding outgoing interface in the Eth-Trunk table.
- src-mac (source MAC address) mode: takes the 3-bit value at the specified bit positions of the source MAC address, VLAN ID, Ethernet type and ingress port information, XORs them, and uses the result to select the corresponding outgoing interface in the Eth-Trunk table.
- src-dst-ip (source IP address XOR destination IP address) mode: XORs the results of the dst-ip and src-ip load sharing modes and uses the result to select the corresponding outgoing interface in the Eth-Trunk table.
- src-dst-mac (source MAC address XOR destination MAC address) mode: takes the 3-bit value at the specified bit positions of the destination MAC address, source MAC address, VLAN ID, Ethernet type and ingress port information, XORs them, and uses the result to select the corresponding outgoing interface in the Eth-Trunk table.
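A model of the six load sharing modes just listed, added here as an example and not taken from the original post or from Huawei: it follows the description literally (take a 3-bit value from each consulted field, XOR them, index the Eth-Trunk table). Which bit positions are "specified", that dst-ip uses the destination port and src-ip the source port, and all frame values are assumptions, not the real hardware hash; the two member ports are the ones SW1 uses in the configuration section.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Frame:
    """Constructed packet fields; only the ones the hash modes consult."""
    src_mac: str
    dst_mac: str
    vlan_id: int
    ethertype: int
    ingress_port: int          # physical ingress port number on the switch
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    src_port: int = 0          # TCP/UDP source port
    dst_port: int = 0          # TCP/UDP destination port


def low3(value: int) -> int:
    """The '3-bit value of the specified bits'; the three lowest bits here (assumption)."""
    return value & 0b111


def mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_value(frame: Frame, mode: str) -> int:
    """XOR of the 3-bit values of the fields that the given mode consults."""
    l2_extra = low3(frame.vlan_id) ^ low3(frame.ethertype) ^ low3(frame.ingress_port)
    if mode == "dst-ip":
        return low3(ip_int(frame.dst_ip)) ^ low3(frame.dst_port)
    if mode == "src-ip":
        return low3(ip_int(frame.src_ip)) ^ low3(frame.src_port)
    if mode == "src-dst-ip":
        # the dst-ip result XOR the src-ip result, exactly as the text describes
        return hash_value(frame, "dst-ip") ^ hash_value(frame, "src-ip")
    if mode == "dst-mac":
        return low3(mac_int(frame.dst_mac)) ^ l2_extra
    if mode == "src-mac":
        return low3(mac_int(frame.src_mac)) ^ l2_extra
    if mode == "src-dst-mac":
        return low3(mac_int(frame.dst_mac)) ^ low3(mac_int(frame.src_mac)) ^ l2_extra
    raise ValueError(f"unknown load-balance mode: {mode}")


def select_link(frame: Frame, mode: str, active_links: list) -> str:
    """Eth-Trunk table lookup: the hash result indexes the active member links."""
    if not active_links:
        raise RuntimeError("Eth-Trunk has no active member link")
    return active_links[hash_value(frame, mode) % len(active_links)]


def reverse_direction(frame: Frame) -> Frame:
    """The reply frame of the same flow: addresses and ports swapped (ingress port kept for simplicity)."""
    return Frame(frame.dst_mac, frame.src_mac, frame.vlan_id, frame.ethertype, frame.ingress_port,
                 frame.dst_ip, frame.src_ip, frame.dst_port, frame.src_port)


def sample_frame() -> Frame:
    """A constructed HTTP request from a VLAN 2 host to a VLAN 5 host."""
    return Frame("4c1f-cc00-0011", "4c1f-cc00-0022", 2, 0x0800, 1,
                 "192.168.2.10", "192.168.5.20", 51234, 80)


ETH_TRUNK_12 = ["GigabitEthernet0/0/23", "GigabitEthernet0/0/24"]  # SW1's two member ports

if __name__ == "__main__":
    for mode in ("dst-mac", "src-mac", "src-ip", "dst-ip", "src-dst-ip", "src-dst-mac"):
        print(f"{mode:12s} -> {select_link(sample_frame(), mode, ETH_TRUNK_12)}")
```

Two things the table of modes does not say outright: in dst-mac mode (what SW1 is configured with below) every host talking to the same destination MAC lands on the same member link, and in src-dst-ip mode both directions of a flow hash to the same link because XOR is symmetric.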
II. Huawei network equipment configuration commands:

Here we start from the configuration of a fairly large network topology and write down the basic configuration commands of Huawei network equipment. You can download the topology map I provided: https://pan.baidu.com/s/1GHXSRZv0Ha730osgI03qeQ&shfl=sharepset
Extraction code: 38t2. The topology is not meant to be practical; its purpose is to involve as many configuration commands and technologies as possible. The network topology diagram is as follows:

The commands involved in this topology map are as follows:
- Link aggregation
- VLAN division
- Single-arm (router-on-a-stick) routing and Layer 3 switching
- OSPF and RIP dynamic routing configuration
- Route redistribution
- PAT and static NAT configuration
- Basic ACL and advanced ACL configuration
Network topology analysis:
1. OSPF and RIP part:

R2 is the company's gateway router and R1 simulates a public network router, so no route to the company network may be configured on R1. The company intranet uses two dynamic routing protocols, RIP and OSPF. The GE0/0/0 and GE0/0/1 interfaces of R2, together with SW1 and SW2, run OSPF and belong to area 0. R2's GE0/0/2, R3 and R4 all run RIP. Route redistribution is therefore needed on R2 so that the two routing protocols learn each other's routes. As the gateway router, R2 needs a default route pointing to the public network, and this default route must be redistributed into both OSPF and RIP.

2. Link aggregation:

SW1 and SW2 use link aggregation to bundle two physical links into one logical link for load sharing and backup. SW1 is set as the LACP active end, and the logical link performs load sharing in MAC mode.

3. NAT and ACL:

The two simulated intranet segments 192.168.10.0/24 and 192.168.11.0/24 must not be able to reach the public network, so an ACL is needed. Windows Server 2016 hosts a web server that is published to the public network with static NAT so that the Win 7 client can access it.

4. All network segments within the company are 192.168.X.0/24.

The first part of the configuration:

The first part starts with the GE0/0/0 and GE0/0/1 interfaces of the R2 router, then configures the router interface IP addresses, OSPF, the Layer 3 switch interfaces, VLANs and link aggregation, and the Layer 2 switch interfaces and their VLAN assignment, and finally tests whether the bottom-most PC can ping the router's GE0/0/0 interface (OSPF must be configured before the ping can succeed).

R2 router configuration is as follows:
un ter mo
sys
[R2]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.7.2 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 192.168.8.2 24
[R2-GigabitEthernet0/0/1]ospf 10
[R2-ospf-10]area 0
[R2-ospf-10-area-0.0.0.0]net 192.168.7.0 0.0.0.255
[R2-ospf-10-area-0.0.0.0]net 192.168.8.0 0.0.0.255
[R2-ospf-10-area-0.0.0.0]quit
[R2-ospf-10]default-route-advertise
SW1 is configured as follows:
un ter mo
sys
[SW1]vlan ba 2 to 8
[SW1]in vlan 7
[SW1-Vlanif7]ip add 192.168.7.1 24
[SW1-Vlanif7]in vlan 2
[SW1-Vlanif2]ip add 192.168.2.254 24
[SW1-Vlanif2]in vlan 3
[SW1-Vlanif3]ip add 192.168.3.254 24
[SW1-Vlanif3]in vlan 4
[SW1-Vlanif4]ip add 192.168.4.254 24
[SW1-Vlanif4]in g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 7
[SW1-GigabitEthernet0/0/1]quit
[SW1]lacp priority 1000
[SW1]int Eth-Trunk 12
[SW1-Eth-Trunk12]mode lacp-static
[SW1-Eth-Trunk12]load-balance dst-mac
[SW1-Eth-Trunk12]trunkport g0/0/23
[SW1-Eth-Trunk12]trunkport g0/0/24
[SW1-Eth-Trunk12]port link-type trunk
[SW1-Eth-Trunk12]port trunk allow-pass vlan all
[SW1-Eth-Trunk12]in g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/2]in g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/3]quit
[SW1]ospf 10
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[SW1-ospf-10-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[SW1-ospf-10-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[SW1-ospf-10-area-0.0.0.0]net 192.168.7.0 0.0.0.255
The SW2 configuration is as follows:
un ter mo
sys
[SW2]vlan ba 2 to 8
[SW2]in vlan 8
[SW2-Vlanif8]ip add 192.168.8.1 24
[SW2-Vlanif8]in vlan 6
[SW2-Vlanif6]ip add 192.168.6.254 24
[SW2-Vlanif6]in vlan 5
[SW2-Vlanif5]ip add 192.168.5.254 24
[SW2-Vlanif5]in g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 8
[SW2-GigabitEthernet0/0/1]quit
[SW2]int Eth-Trunk 12
[SW2-Eth-Trunk12]mode lacp-static
[SW2-Eth-Trunk12]trunkport g0/0/23
[SW2-Eth-Trunk12]trunkport g0/0/24
[SW2-Eth-Trunk12]port link-type trunk
[SW2-Eth-Trunk12]port trunk allow-pass vlan all
[SW2-Eth-Trunk12]in g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]in g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/3]quit
[SW2]ospf 10
[SW2-ospf-10]area 0
[SW2-ospf-10-area-0.0.0.0]net 192.168.8.0 0.0.0.255
[SW2-ospf-10-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[SW2-ospf-10-area-0.0.0.0]net 192.168.6.0 0.0.0.255
SW4 configuration is as follows:
un ter mo
sys
[SW4]vlan ba 2 to 8
[SW4]in g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type trunk
[SW4-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW4-GigabitEthernet0/0/1]in g0/0/3
[SW4-GigabitEthernet0/0/3]port link-type access
[SW4-GigabitEthernet0/0/3]port default vlan 2
[SW4-GigabitEthernet0/0/3]in g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 3
SW5 configuration is as follows:
un ter mo
sys
[SW5]vlan 4
[SW5-vlan4]quit
[SW5]in g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/1]in g0/0/2
[SW5-GigabitEthernet0/0/2]port link-type access
[SW5-GigabitEthernet0/0/2]port default vlan 4
Because the configuration of SW6 and SW7 differs little from SW5 (set the interface type, create the corresponding VLAN, add the interface to the VLAN, and let the trunk interface pass all VLANs), no notes are written for SW6 and SW7; refer to the SW5 configuration for the corresponding notes.
SW6 configuration is as follows:
un ter mo
sys
[SW6]vlan 5
[SW6-vlan5]in g0/0/1
[SW6-GigabitEthernet0/0/1]port link-type trunk
[SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW6-GigabitEthernet0/0/1]in g0/0/2
[SW6-GigabitEthernet0/0/2]port link-type access
[SW6-GigabitEthernet0/0/2]port default vlan 5
SW7 configuration is as follows:
un ter mo
sys
[SW7]vlan 6
[SW7-vlan6]in g0/0/1
[SW7-GigabitEthernet0/0/1]port link-type trunk
[SW7-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW7-GigabitEthernet0/0/1]in g0/0/2
[SW7-GigabitEthernet0/0/2]port link-type access
[SW7-GigabitEthernet0/0/2]port default vlan 6
After the above configuration, the lower part of the network is connected, and you can run ping tests from the PCs yourself.

The second part of the configuration:

The second part starts with the GE0/0/2 interface of the R2 router and covers the R3 and R4 routers and the switches below them. First configure the IP address of R2's GE0/0/2 interface and RIP, redistribute between OSPF and RIP, then configure the R3 interface IP addresses and RIP, and finally configure the R4 interface IP addresses, single-arm routing, and RIP.

The R2 router configuration is as follows:
[R2]in g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.12.1 24
[R2-GigabitEthernet0/0/2]rip
[R2-rip-1]ver 2
[R2-rip-1]undo summary
[R2-rip-1]net 192.168.12.0
[R2-rip-1]import-route ospf 10
[R2-rip-1]default-route originate
[R2-rip-1]ospf 10
[R2-ospf-10]import-route rip 1
The R3 router configuration is as follows:
un ter mo
sys
[R3]in g0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.12.2 24
[R3-GigabitEthernet0/0/0]in g0/0/1
[R3-GigabitEthernet0/0/1]ip add 192.168.13.1 24
[R3-GigabitEthernet0/0/1]rip
[R3-rip-1]ver 2
[R3-rip-1]un sum
[R3-rip-1]net 192.168.12.0
[R3-rip-1]net 192.168.13.0
R4 router configuration is as follows:
un ter mo
sys
[R4]in g0/0/1
(Configure one-arm routing: one sub-interface per VLAN on the link to SW3)
[R4-GigabitEthernet0/0/1]in g0/0/0.10
[R4-GigabitEthernet0/0/0.10]ip add 192.168.10.1 24
[R4-GigabitEthernet0/0/0.10]dot1q ter vid 10
[R4-GigabitEthernet0/0/0.10]arp bro ena
[R4-GigabitEthernet0/0/0.10]in g0/0/0.11
[R4-GigabitEthernet0/0/0.11]ip add 192.168.11.1 24
[R4-GigabitEthernet0/0/0.11]dot1q ter vid 11
[R4-GigabitEthernet0/0/0.11]arp bro ena
[R4-GigabitEthernet0/0/0.11]rip
[R4-rip-1]ver 2
[R4-rip-1]un sum
[R4-rip-1]net 192.168.13.0
[R4-rip-1]net 192.168.10.0
[R4-rip-1]net 192.168.11.0
SW3 switch configuration is as follows:
un ter mo
sys
[SW3]vlan ba 10 to 11
[SW3]in g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 11
[SW3-GigabitEthernet0/0/1]in g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 10
[SW3-GigabitEthernet0/0/2]in g0/0/3
[SW3-GigabitEthernet0/0/3]port link-type access
[SW3-GigabitEthernet0/0/3]port default vlan 11
After the above configuration, the lower part of the network is fully set up. You can test connectivity with ping from the PCs yourself.

Part III configuration:
Now the Internet part needs to be configured, starting from the GE3/0/0 interface of the R2 router. First configure the IP address of that interface, then the corresponding interface IP addresses of the Internet router R1. Note that no routes to the intranet may be configured on the Internet router R1, yet every intranet host must still be able to ping the Win 7 client. This is because, in practice, a company's private addresses cannot be routed on the public network, and a public-network router cannot have routes pointing into the company, so NAT is required. To introduce the ACL configuration method, it is specified that PC5 and PC6 cannot communicate with the public network while all other hosts can.

The R2 router configuration is as follows:
[R2]in g3/0/0
[R2-GigabitEthernet3/0/0]ip add 200.0.0.1 24
[R2-GigabitEthernet3/0/0]quit
[R2]nat address-group 1 200.0.0.100 200.0.0.100
[R2]acl 2000
[R2-acl-basic-2000]rule 0 per source any
[R2-acl-basic-2000]quit
[R2]acl 3000
[R2-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.1.255 destination 200.0.0.0 0.0.0.255
[R2-acl-adv-3000]rule deny ip source 192.168.10.0 0.0.1.255 destination 201.0.0.0 0.0.0.255
[R2-acl-adv-3000]quit
[R2]in g3/0/0
[R2-GigabitEthernet3/0/0]nat outbound 2000 address-group 1
[R2-GigabitEthernet3/0/0]nat server global 200.0.0.200 inside 192.168.2.10
[R2-GigabitEthernet3/0/0]quit
[R2]in g0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
The R1 router configuration is as follows:
sys
[R1]in g0/0/0
[R1-GigabitEthernet0/0/0]ip add 200.0.0.2 24
[R1-GigabitEthernet0/0/0]in g0/0/1
[R1-GigabitEthernet0/0/1]ip add 201.0.0.1 24
Now all the configuration is complete; test it yourself from Win 7 and Windows Server 2016. Note that when pinging the intranet from Win 7, or accessing the Windows Server 2016 service, you must ping the public address the intranet is mapped to and use the public address the server is mapped to, not the server's real intranet address.
Some commands for troubleshooting:

[R2]display current-configuration
[R2]display ip routing-table
[SW1]display vlan
[SW1]display ip interface brief
[SW1]display current-configuration interface vlan 2
[R2]display nat session all
[R2]display ospf peer brief
[R2]display acl all
[SW1]display eth-trunk 12
The network topology map requires the following knowledge points:
- Even if a switch has no client in a given VLAN, the VLAN still has to be created on it, as on SW1 and SW2 in the topology above: when a switch receives a frame tagged with a VLAN it does not have, it discards the frame. This is different when a router sits in between.
- By default, a Huawei trunk allows no VLAN except VLAN 1 to pass, whereas a Cisco trunk allows all VLANs by default. So on Huawei equipment, after the basic trunk configuration, be sure to add the command that allows the relevant VLANs to pass through the trunk.
- When configuring link aggregation, the smaller the LACP priority value, the higher the priority. The default system LACP priority is 32768. Of the two devices, the end with the smaller LACP system priority is selected as the active end; if the system LACP priorities are the same, the end with the smaller MAC address is selected as the active end.
- When configuring OSPF, the router-id can be given when entering the process view, for example to set R2's router-id to 1.1.1.1: "[R2]ospf 10 router-id 1.1.1.1".
- Huawei Layer 3 switches have no command that directly turns a Layer 2 interface into a Layer 3 interface, such as "no switchport" on Cisco. So when a switch connects directly to a router, you can only configure a VLAN virtual interface (Vlanif) and add the physical interface to that VLAN.
- On Huawei, a RIP network can only be declared as a classful network. For example, with the subnet "10.10.5.0/24", the network can only be declared as "10.0.0.0". Note that if the network contains subnetted segments, RIP version 2 must be used (the default is version 1) and automatic summarization must be turned off.
- Huawei NAT is configured directly on the outside interface. The inside traffic to be translated is defined with an ACL, and the inside global addresses are provided by a NAT address group. Note that "nat server global ... inside ..." without a protocol and port maps every port of the inside host to the public address; to publish only the web service, use the "nat server protocol tcp ... www inside ... www" form so that only TCP port 80 is mapped.
- Huawei ACLs are broadly similar to Cisco's: they are divided into basic and advanced, corresponding to Cisco's standard and extended ACLs. Basic ACLs are numbered 2000~2999 and advanced ACLs 3000~3999. A rule number may be given after the rule keyword or omitted; by default rule numbers are assigned in steps of 5. Because ACL evaluation stops at the first matching rule, the gaps make it possible to insert a rule before an existing one when the rules need changing later.
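How the ACL points in the last note play out, as an added example that is not from the original post: wildcard matching (a 0 bit must match, a 1 bit is ignored), rule numbering in steps of 5 with explicit ids for insertion, and first-match evaluation, with ACL 3000 from the R2 configuration rebuilt rule by rule. The class and function names are constructed; the rule contents are the page's.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Huawei "any": every address bit is don't-care


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


class Acl:
    """An ordered rule list with Huawei-style rule numbering (default step 5)."""

    def __init__(self, number: int, step: int = 5):
        self.number, self.step = number, step
        self.rules = {}   # rule id -> (action, (src, src_wildcard), (dst, dst_wildcard))

    def rule(self, action: str, source=ANY, destination=ANY, rule_id=None) -> int:
        """Add a rule; without an explicit id the next free multiple of the step is used."""
        if rule_id is None:
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = (action, source, destination)
        return rule_id

    def match(self, src: str, dst: str):
        """Check rules in ascending id order; the first hit decides.

        Returns (rule id, action), or (None, None) when nothing matches; what
        happens to such a packet then depends on where the ACL is applied.
        """
        for rule_id in sorted(self.rules):
            action, (src_base, src_wc), (dst_base, dst_wc) = self.rules[rule_id]
            if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
                return rule_id, action
        return None, None


def build_acl_3000() -> Acl:
    """The advanced ACL from the R2 configuration above, with auto-numbered rules."""
    acl = Acl(3000)
    acl.rule("deny", ("192.168.10.0", "0.0.1.255"), ("200.0.0.0", "0.0.0.255"))
    acl.rule("deny", ("192.168.10.0", "0.0.1.255"), ("201.0.0.0", "0.0.0.255"))
    return acl


if __name__ == "__main__":
    acl = build_acl_3000()
    for src, dst in (("192.168.11.7", "200.0.0.200"), ("192.168.2.10", "200.0.0.2")):
        print(src, "->", dst, acl.match(src, dst))
```

The single wildcard 192.168.10.0 0.0.1.255 covers both 192.168.10.0/24 and 192.168.11.0/24 because only bit 0 of the third octet is ignored; a mask such as 0.0.1.254 would instead leave every host with an odd last octet unmatched, which is worth checking with wildcard_match before trusting a deny rule.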