Discussion on network architecture and technology in financial industry

Table of contents

1. Overall structure

2. Data center

3. First-level branches

4. Secondary branches

5. Branch

6. Technical discussion


1. Overall structure

The overall structure is: data center - first-level branches - second-level branches - sub-branches.

Topology:

Core needs and solutions to consider:

High availability:

Dual centers, dual devices, link bundling, dynamic protocols, VRRP, spanning tree, BFD, firewall HA

Device stacking: Huawei's stacking (horizontal virtualization) is said to have many bugs but is easy to manage and use; Cisco's vPC (vertical virtualization, the classic 7-5-2 architecture) is more stable but more complex to configure and manage.

In practice, it seems that both technologies have many applications, so it is difficult to compare them.

Easy to extend:

Modular, zoned design. Each zone is relatively independent, and static routing interconnects the core with the zones, so adding or removing a zone does not affect the other zones.

High performance:

To ensure high performance, the load on each device should be kept as low as possible and all traffic should not be concentrated on one device, so traffic offloading (splitting) is needed.

Internal traffic is divided by type into business and office traffic, so IP planning also splits the address space into two large segments, one for business and one for office, and traffic is split on that basis.

With static routing, static routes plus VRRP provide the offloading and redundancy.

Static route offloading implementation:

# Configure two VRRP instances, 10 and 20, under the same interface on each device; one device is master for business (instance 10), the other for office (instance 20)
# Each segment is routed to the virtual IP of the instance whose master handles it
ip route-static <business-segment> <virtual-ip of VRRP instance 10>
ip route-static <office-segment> <virtual-ip of VRRP instance 20>
When using OSPF, the static routes are imported into OSPF through a route-policy with prefix-lists, and the cost is raised for one segment to achieve offloading and redundancy.

ospf 100
 import-route static route-policy static_ospf
#
route-policy static_ospf permit node 10
 if-match ip address prefix-list YW
#
route-policy static_ospf permit node 20
 if-match ip address prefix-list OA
 apply cost + 1000
#
ip prefix-list YW index 10 permit <business-segment>
ip prefix-list OA index 10 permit <office-segment>
#

When using BGP, routes are tagged with a community and the cost (MED) is raised on export by matching the community, to achieve offloading and redundancy.

#
bgp 65000
 network <head-office-office-segment> route-policy BGPCM-OA
 network <head-office-business-segment> route-policy BGPCM-YW
 peer <first-level-branch-peer-address> route-policy DS-OUT export
#
ip community-filter advanced DC-OA permit 65000:20
ip community-filter advanced DC-YW permit 65000:10
#
route-policy DS-OUT permit node 10
 if-match community-filter DC-YW
#
route-policy DS-OUT permit node 20
 if-match community-filter DC-OA
 apply cost 1000
#
route-policy BGPCM-OA permit node 10
 apply community 65000:20
#
route-policy BGPCM-YW permit node 10
 apply community 65000:10
#
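As an added example (not from the original article), the following Python model shows what the BGPCM/DS-OUT policies above achieve when two uplink routers run them with opposite roles: each prefix reaches the receiver at MED 0 from one router and MED 1000 from the other, so traffic splits by segment and falls back to the surviving router on failure. The router names, the sample prefixes and the receiver's tie-break on MED alone are assumptions; the OSPF variant with `apply cost + 1000` works the same way.

```python
# Added example: model of the community-tagged export policy (not the article's own code).
BUSINESS_COMMUNITY = "65000:10"   # matched by community-filter DC-YW
OFFICE_COMMUNITY = "65000:20"     # matched by community-filter DC-OA

# Routes as they enter BGP, tagged by BGPCM-YW / BGPCM-OA (constructed sample prefixes).
ROUTES = {"10.95.34.0/24": BUSINESS_COMMUNITY,   # business segment
          "20.95.34.0/24": OFFICE_COMMUNITY}     # office segment


def ds_out(community, preferred):
    """Model of route-policy DS-OUT on one router.
    node 10 matches DC-YW and exports unchanged (MED 0); node 20 matches DC-OA
    and applies cost 1000.  'preferred' is the community this router exports at
    MED 0; its partner router is configured with the other community (assumption)."""
    return 0 if community == preferred else 1000


def advertisements(routers):
    """routers: {router name: preferred community}.  Returns {prefix: {router: MED}}."""
    adv = {}
    for name, preferred in routers.items():
        for prefix, community in ROUTES.items():
            adv.setdefault(prefix, {})[name] = ds_out(community, preferred)
    return adv


def best_paths(routers):
    """Receiver side: all other attributes equal, the lowest MED per prefix wins."""
    return {prefix: min(meds, key=meds.get)
            for prefix, meds in advertisements(routers).items()}


if __name__ == "__main__":
    both_up = {"uplink-business": BUSINESS_COMMUNITY, "uplink-office": OFFICE_COMMUNITY}
    print("both routers up:   ", best_paths(both_up))
    # uplink-business has failed: only the office router is left advertising
    print("business router down:", best_paths({"uplink-office": OFFICE_COMMUNITY}))
```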

The convergence time of dynamic routing should be reduced by associating it with BFD; associating OSPF with BFD is essential.

# BFD is associated here mainly for fast switchover
# The uplink to the branch is a carrier MSTP (multi-service transport) circuit, and when such a circuit fails the interconnect interface does not go down
# OSPF itself is a connectionless protocol on top of IP, so it only declares the link failed and reconverges after the dead timer expires
# The default dead timer is usually 40 s, and a 40 s outage is intolerable
# Associating BFD with the uplink interface lets OSPF reconverge quickly as soon as the link failure is detected
# BGP runs over TCP, so a link failure immediately breaks the TCP session and this problem does not arise, but BFD can still be associated to speed up convergence

Security:

Within a branch, ACLs isolate business and office traffic.

#
# An inbound filter on a VLAN interface applies to packets sent by that VLAN's own hosts,
# so each VLAN interface is bound to the ACL whose source is its own segment
interface Vlan-interface10
 packet-filter 3020 inbound
#
interface Vlan-interface20
 packet-filter 3010 inbound

# Deny office from accessing business
acl number 3010
 rule 10 deny ip source <office-segment> destination <business-segment>
 rule 1000 permit ip
# Deny business from accessing office
acl number 3020
 rule 10 deny ip source <business-segment> destination <office-segment>
 rule 1000 permit ip
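As an added example (not from the original article), here is a small Python first-match simulator for the two ACLs above, used to check that the isolation really holds on the VLAN interface where each ACL is bound; it assumes the 10.95.34.0/24 business and 20.95.34.0/24 office segments from the sub-branch configuration later in the article, plus two constructed host addresses.

```python
# Added example: first-match ACL simulator (not the article's own code).
import ipaddress

# Segments taken from the sub-branch configuration in the article.
BUSINESS = ipaddress.ip_network("10.95.34.0/24")
OFFICE = ipaddress.ip_network("20.95.34.0/24")

# ACL rules as (action, source segment, destination segment); None means "any".
# Rules are tried in order and the first match decides, like "rule 10" then "rule 1000".
ACL_3010 = [("deny", OFFICE, BUSINESS), ("permit", None, None)]   # deny office -> business
ACL_3020 = [("deny", BUSINESS, OFFICE), ("permit", None, None)]   # deny business -> office


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for one packet; unmatched packets are denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return action
    return "deny"


def isolation_holds(bindings):
    """bindings: {VLAN host segment: ACL bound inbound on that VLAN interface}.
    An inbound filter on a VLAN interface only ever sees packets *sent by that VLAN's
    hosts*, so the source of every packet it evaluates is the VLAN's own segment."""
    hosts = {BUSINESS: "10.95.34.10", OFFICE: "20.95.34.10"}   # constructed sample hosts
    for src_net, acl in bindings.items():
        for dst_net, dst_host in hosts.items():
            if dst_net == src_net:
                continue
            if evaluate(acl, hosts[src_net], dst_host) != "deny":
                return False
    return True


# Each VLAN interface carries the ACL whose *source* is its own segment.
CORRECT = {BUSINESS: ACL_3020, OFFICE: ACL_3010}
# Binding each ACL on the VLAN that is its *destination* matches nothing: no isolation.
MISBOUND = {BUSINESS: ACL_3010, OFFICE: ACL_3020}

if __name__ == "__main__":
    print("correct binding :", isolation_holds(CORRECT))
    print("misbound        :", isolation_holds(MISBOUND))
```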

Between branches, OSPF is a link-state protocol and cannot restrict which LSAs are sent or received per network segment, so the routes of other branches are filtered where the secondary branch's downstream OSPF distributes routes.

Restriction can only be done at each branch: a prefix-list keeps the other branches' routes from being installed in the routing table.

ip prefix-list ospfIn index 10 permit <needed routes>
ospf 100
 filter-policy ip-prefix ospfIn import

Between branches, the BGP community attribute on the sessions to the first-level branch and the data center is used to filter the routes of other branches (implemented above).

Ease of use:

Configure DHCP so that office PCs are plug-and-play.

2. Data center

Topology:

Core needs and solutions to consider:

Active-active operation of the primary and standby centers:

Cisco's OTV technology (a MAC-in-IP overlay) lets the servers of the primary and standby centers sit in one large layer-2 domain, so the two centers can share the same network segment.

In this way, VRRP can be used on the aggregation switch to complete ms-level switching at the network level of the active and backup centers. Of course, the application server cannot be so fast.

3. First-level branches

Topology:

Core needs and solutions to consider:

Switching between active and standby:

The uplink router of the secondary branch is directly connected to the disaster-recovery center, and the cost is raised by BGP community to achieve offloading and redundancy.

Then, when importing static routes through OSPF + prefix-list, the cost is raised to achieve offloading and to bring traffic back to the main center.

4. Secondary branches

Topology:

5. Branch

Topology:

# All internal interconnect ports can use link bundling; it is not written out for every port here
# The office side is similar


sysname 上联路由器-业务

# Management address, also used as the OSPF router-id
interface LoopBack0
 description **Management**
 ip address 10.95.34.254 255.255.255.255

# Uplink to the branch; p2p mode avoids the DR/BDR election and reduces the number of OSPF packets
interface GigabitEthernet0/0
 description **link_to-UPlink**
 ospf network-type p2p
 ip address 10.95.253.14 255.255.255.252

# Downlink to 汇聚交换机-业务 (business aggregation switch)
interface GigabitEthernet0/1
 description **link_to-汇聚交换机-业务**
 ospf network-type p2p
 ip address 10.95.34.241 255.255.255.252

# Cross-link to 上联路由器-办公 (office uplink router)
interface GigabitEthernet0/2
 description **link_to-上联路由器-办公**
 ospf network-type p2p
 ip address 10.95.34.245 255.255.255.252

# One sub-branch is defined as one non-backbone area
# The sub-branch is a leaf, but because it is dual-homed and traffic splitting requires it, it cannot be a stub area
# Routes advertised from the branch's backbone area are filtered to keep the routing table small
# BFD is associated for fast switchover: the MSTP transport circuit does not bring the interface down on failure,
# so without BFD OSPF would only reconverge after the 40 s dead timer (see the OSPF/BFD notes in section 1)
ospf 100 router-id 10.95.34.254
 bfd all-interfaces enable
 area 0.0.0.101
  network 10.95.253.14 0.0.0.0
  network 10.95.34.241 0.0.0.0
  network 10.95.34.245 0.0.0.0

sysname 汇聚交换机-业务
#
vlan 10
 description YeWu
#
vlan 20
 description OA
#
vlan 21
 description Video
# Track the uplink interface: when it goes down the priority drops by 10 and this device becomes backup
# Business and office traffic are isolated by ACL; an inbound filter on a VLAN interface applies to packets
# sent by that VLAN's own hosts, so the business VLAN carries the ACL whose source is the business segment (3020)
# and the office-side VLANs carry 3010
interface Vlan-interface10
 ip address 10.95.34.126 255.255.255.128
 vrrp vrid 10 virtual-ip 10.95.34.126
 vrrp vrid 10 priority 105
 vrrp vrid 10 preempt-mode timer delay 100
 vrrp vrid 10 track interface GigabitEthernet0/0 reduced 10
 packet-filter 3020 inbound
# On the business-side switch the office VLAN is the backup
interface Vlan-interface20
 ip address 20.95.34.126 255.255.255.128
 vrrp vrid 20 virtual-ip 20.95.34.126
 packet-filter 3010 inbound
# Video VLAN, treated as office-side traffic
interface Vlan-interface21
 ip address 20.95.34.142 255.255.255.240
 vrrp vrid 21 virtual-ip 20.95.34.142
 packet-filter 3010 inbound

# Root bridge for the business instance, backup root for the office instance (requires MSTP mode)
stp region-configuration
 region-name region1
 instance 1 vlan 10
 instance 2 vlan 20
 instance 2 vlan 21
 active region-configuration
#
 stp instance 1 root primary
 stp instance 2 root secondary
 stp mode mstp
#
interface GigabitEthernet0/0
 description **link_to-上联路由器-业务**
 ip address 10.95.34.242 255.255.255.252

# Downlinks and cross-link
interface g0/xxx
 port link-type trunk
 port trunk allow-pass vlan 10 20 21
 undo port trunk allow-pass vlan 1
#
# The router-id must differ from the uplink router's (10.95.34.254); the uplink interface address is used here
ospf 100 router-id 10.95.34.242
 bfd all-interfaces enable
 area 0.0.0.101
  network 10.95.34.242 0.0.0.0
  network 10.95.34.126 0.0.0.0
  network 20.95.34.126 0.0.0.0
  network 20.95.34.142 0.0.0.0
# Deny office from accessing business
acl number 3010
 rule 10 deny ip source 20.95.34.0 0.0.0.255 destination 10.95.34.0 0.0.0.255
 rule 1000 permit ip
# Deny business from accessing office
acl number 3020
 rule 10 deny ip source 10.95.34.0 0.0.0.255 destination 20.95.34.0 0.0.0.255
 rule 1000 permit ip
# There really isn't much here

sysname 接入交换机01

# Management address
interface Vlan-interface10
 ip address 10.95.34.250 255.255.255.128
#
# Edge port
interface GigabitEthernet0/9
 port link-mode bridge
 port access vlan 10
 stp edged-port
#

6. Technical discussion

Static routing or dynamic routing:

When interconnecting the core with each functional area:

The advantage of static routing is that traffic paths are easy to trace: the path of each network segment is clear at a glance, which makes troubleshooting and traffic steering easy.

Moreover, a fault stays confined to its own functional area and does not affect routing in other areas, which improves stability.

The prerequisite for static routing is good IP planning: the network segments of each functional area must be kept separate, otherwise a large number of scattered static routes becomes hard to maintain.

If the entire network is one OSPF domain, configuration is convenient, but the traffic paths become opaque, troubleshooting becomes inconvenient, and traffic splitting cannot be achieved with OSPF alone.

Moreover, it is generally not recommended to add firewall devices to OSPF areas; where interconnection with firewalls is involved, static routing is generally recommended.

Static routing is preferred here.

When interconnecting branches:

This is a square (口-shaped) structure of four routers, which can only use a dynamic protocol: static routes cannot switch over automatically when a failure occurs.

Should the four devices use a square structure or a fully meshed structure?

Under normal circumstances the square structure should be used; it already provides sufficient redundancy, and excess redundancy is just waste.

But if there is a firewall, full mesh should be used, because common firewall HA is a hard active/standby switchover. If the core switches are connected in the square pattern and one of them fails, the firewall on the downstream link still remains the active unit.

In that case, the business is interrupted.

Should BGP or OSPF be used when interconnecting branches?

The advantage of BGP is more precise control of routing, but its configuration is relatively complicated. Considering future operation and maintenance, it should not be used in sub-branches.

If the higher-level branches have professional maintenance staff, BGP is the better choice there.


Source: blog.csdn.net/weixin_57099902/article/details/132884853