Background and requirements
(1) With the sharp growth in enterprise business and the rapid development of network applications, the existing IPv4 address space no longer meets demand. An IPv6 network is planned according to the communication architecture so the enterprise network can be built out and expanded.
(2) As business grows, external access by internal hosts increases, and a single-gateway design no longer satisfies high-availability requirements. Several gateways are therefore designed to run in master/backup mode, so that when the active gateway fails or is taken down for maintenance, business traffic keeps flowing.
(3) Following the enterprise network plan, the IPv6 routing protocol and addressing must be compatible with the gateway backup strategy and technology, and the gateway devices must be configured so they can provide IPv6 gateway backup.
(4) The access layer is divided into VLANs for Layer 2 isolation.
(5) VRRP6 provides redundant gateway backup.
(6) OSPFv3 provides connectivity within the intranet.
(7) DHCPv6 lets terminals obtain IP addresses automatically.
(8) Security policies on the firewall protect the intranet.
The /48 assigned to the company is further divided into /64 subnets, one per department:
| Unit | Prefix | VLAN |
|------|--------|------|
| Administration | 2001:100:200:1::/64 | 10 |
| IT | 2001:100:200:2::/64 | 20 |
| Business | 2001:100:200:3::/64 | 30 |
| Office wired | 2001:100:200:4::/64 | 40 |
| Workshop | 2001:100:200:5::/64 | 50 |
| Test | 2001:100:200:6::/64 | 60 |
| Servers | 2001:100:200:7::/64 | N/A |
Device interconnect addresses
| Link | Prefix |
|------|--------|
| FW - core 1 | 2001:100:200:abc::/126 |
| FW - core 2 | 2001:100:200:abc::4/126 |
| FW - server core 1 | 2001:100:200:abc::8/126 |
| FW - server core 2 | 2001:100:200:abc::C/126 |
| Exit (ISP) link | 2005::/64 |
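The address plan above is small enough to check by eye, but a plan like this is usually maintained in a spreadsheet and drifts over time. The following Python script is an added example (not part of the original post) that encodes the two tables as data, derives the department /64s from the /48 the same way the plan does, and audits the plan for prefixes that fall outside the allocation or overlap each other. The prefixes and names are copied from the tables; the `EXIT_LINK` constant and the function names are my own.

```python
import ipaddress

# Site allocation and the per-department /64 plan, taken from the page's address table.
SITE = ipaddress.IPv6Network("2001:100:200::/48")

DEPARTMENTS = {
    "Administration (VLAN 10)": "2001:100:200:1::/64",
    "IT (VLAN 20)": "2001:100:200:2::/64",
    "Business (VLAN 30)": "2001:100:200:3::/64",
    "Office wired (VLAN 40)": "2001:100:200:4::/64",
    "Workshop (VLAN 50)": "2001:100:200:5::/64",
    "Test (VLAN 60)": "2001:100:200:6::/64",
    "Servers": "2001:100:200:7::/64",
}

# Firewall-to-core point-to-point links, all carved out of one /64 of the same /48.
INTERLINKS = {
    "FW - core 1": "2001:100:200:abc::/126",
    "FW - core 2": "2001:100:200:abc::4/126",
    "FW - server core 1": "2001:100:200:abc::8/126",
    "FW - server core 2": "2001:100:200:abc::c/126",
}

# The ISP-facing prefix from the table; it is not part of the site allocation.
EXIT_LINK = ipaddress.IPv6Network("2005::/64")


def nth_64(site, n):
    """Return the n-th /64 inside `site` (n = 0 is the first one).

    A /48 holds 2**16 /64s; the plan uses numbers 1..7, so /64 index n is the
    prefix whose fourth hextet equals n (bits 64..79 counted from the low end).
    """
    if not 0 <= n < 2 ** (64 - site.prefixlen):
        raise ValueError(f"/64 index {n} out of range for {site}")
    return ipaddress.IPv6Network((int(site.network_address) + (n << 64), 64))


def audit_plan(site=SITE, allocations=None):
    """Check that every planned prefix sits inside `site` and that none overlap.

    Returns a list of finding strings; an empty list means the plan is clean.
    """
    if allocations is None:
        allocations = {**DEPARTMENTS, **INTERLINKS}
    nets = {name: ipaddress.IPv6Network(p) for name, p in allocations.items()}
    findings = []
    for name, net in nets.items():
        if not net.subnet_of(site):
            findings.append(f"{name}: {net} lies outside the site prefix {site}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap: {nets[a]} vs {nets[b]}")
    return findings


def link_addresses(prefix):
    """Return the usable addresses of a /126 point-to-point link as strings.

    The all-zero address is the Subnet-Router anycast address and is left out,
    leaving three; the page uses the first of them (::5) on the firewall side
    of the FW - core 2 link.
    """
    net = ipaddress.IPv6Network(prefix)
    return [str(a) for a in net.hosts()]


if __name__ == "__main__":
    derived = [str(nth_64(SITE, i)) for i in range(1, 8)]
    print("department /64s match the plan:", derived == list(DEPARTMENTS.values()))
    print("exit link inside the site /48:", EXIT_LINK.subnet_of(SITE))
    print("findings:", audit_plan() or "none")
    print("FW - core 2 link addresses:", link_addresses(INTERLINKS["FW - core 2"]))
```

Running it reports no findings for the plan as published; feeding `audit_plan` a modified allocation table (for example a /80 carved inside a department /64 by mistake) returns the offending pair, which is the check to run before a new VLAN prefix is pushed to the switches.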
Topology
Configuration
VLAN creation
```
vlan batch 10 20 30 40
vlan batch 50 60
```
The other switches are configured the same way.
Switch port assignment
Office building access switch
```
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 10
```
Workshop access switch
```
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 50
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 50
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
```
Access switches: the remaining configuration is identical; only the VLAN each port joins changes.
Aggregation switch configuration
```
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
```
Production workshop aggregation switch
```
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 50 60
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 50 60
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 50 60
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 50 60
```
Core switch service interfaces
Enable IPv6 (IPv6 must be enabled on every device in the network).
Configure the interface IPv6 addresses and the VRRP6 gateway (core 1, the intended master for VLANs 10 and 20):
```
interface GigabitEthernet0/0/0.10
 dot1q termination vid 10
 ipv6 enable
 ipv6 address 2001:100:200:1::1/64
 undo ipv6 nd ra halt
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 10 virtual-ip FE80::1 link-local
 vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
 vrrp6 vrid 10 priority 120
 arp broadcast enable
interface GigabitEthernet0/0/0.20
 dot1q termination vid 20
 ipv6 enable
 ipv6 address 2001:100:200:2::1/64
 undo ipv6 nd ra halt
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 20 virtual-ip FE80::2 link-local
 vrrp6 vrid 20 virtual-ip 2001:100:200:2::3
 vrrp6 vrid 20 priority 120
 arp broadcast enable
 dhcpv6 server vlan20
interface GigabitEthernet0/0/0.30
 dot1q termination vid 30
 ipv6 enable
 ipv6 address 2001:100:200:3::1/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 30 virtual-ip FE80::3 link-local
 vrrp6 vrid 30 virtual-ip 2001:100:200:3::3
 arp broadcast enable
interface GigabitEthernet0/0/0.40
 dot1q termination vid 40
 ipv6 enable
 ipv6 address 2001:100:200:4::1/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 40 virtual-ip FE80::4 link-local
 vrrp6 vrid 40 virtual-ip 2001:100:200:4::3
 arp broadcast enable
```
Backup core configuration (core 2, the intended master for VLANs 30 and 40; shown as the output of `display current-configuration interface`):
```
<Huawei>dis cu int
[V200R003C00]
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0.10
 dot1q termination vid 10
 ipv6 enable
 ipv6 address 2001:100:200:1::2/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 10 virtual-ip FE80::1 link-local
 vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
 arp broadcast enable
interface GigabitEthernet0/0/0.20
 dot1q termination vid 20
 ipv6 enable
 ipv6 address 2001:100:200:2::2/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 20 virtual-ip FE80::2 link-local
 vrrp6 vrid 20 virtual-ip 2001:100:200:2::3
 arp broadcast enable
interface GigabitEthernet0/0/0.30
 dot1q termination vid 30
 ipv6 enable
 ipv6 address 2001:100:200:3::2/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 30 virtual-ip FE80::3 link-local
 vrrp6 vrid 30 virtual-ip 2001:100:200:3::3
 vrrp6 vrid 30 priority 120
 arp broadcast enable
interface GigabitEthernet0/0/0.40
 dot1q termination vid 40
 ipv6 enable
 ipv6 address 2001:100:200:4::2/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 40 virtual-ip FE80::4 link-local
 vrrp6 vrid 40 virtual-ip 2001:100:200:4::3
 vrrp6 vrid 40 priority 120
 arp broadcast enable
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/1.50
 dot1q termination vid 50
 ipv6 enable
 ipv6 address 2001:100:200:5::2/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 50 virtual-ip FE80::5 link-local
 vrrp6 vrid 50 virtual-ip 2001:100:200:5::3
 arp broadcast enable
interface GigabitEthernet0/0/1.60
 dot1q termination vid 60
 ipv6 enable
 ipv6 address 2001:100:200:6::2/64
 ospfv3 1 area 0.0.0.0
 vrrp6 vrid 60 virtual-ip FE80::6 link-local
 vrrp6 vrid 60 virtual-ip 2001:100:200:6::3
 arp broadcast enable
```
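The two core configurations only work as a pair: each VRID must carry the same virtual addresses on both switches, the global virtual address must sit inside the sub-interface's /64, exactly one side should carry the higher priority so the master is deterministic, and the switch that wins the election must actually send Router Advertisements, because IPv6 hosts learn their default gateway from RAs (DHCPv6 assigns addresses but carries no default router). The script below is an added example, not part of the original post: it parses Huawei-style sub-interface blocks for VLAN 10 and VLAN 30 copied from the two core configurations above, works out which switch wins each VRID, and reports inconsistencies. The router names `core1`/`core2`, the assumption that an unconfigured priority means the VRRP default of 100, and the function names are mine.

```python
import ipaddress

# Sub-interface configuration of the two core switches for VLAN 10 and VLAN 30,
# copied from the page: core 1 is the intended master for VLAN 10 (priority 120),
# core 2 the intended master for VLAN 30. OSPFv3 and ARP lines are left out.
CORE1 = """\
interface GigabitEthernet0/0/0.10
 dot1q termination vid 10
 ipv6 enable
 ipv6 address 2001:100:200:1::1/64
 undo ipv6 nd ra halt
 vrrp6 vrid 10 virtual-ip FE80::1 link-local
 vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
 vrrp6 vrid 10 priority 120
interface GigabitEthernet0/0/0.30
 dot1q termination vid 30
 ipv6 enable
 ipv6 address 2001:100:200:3::1/64
 vrrp6 vrid 30 virtual-ip FE80::3 link-local
 vrrp6 vrid 30 virtual-ip 2001:100:200:3::3
"""

CORE2 = """\
interface GigabitEthernet0/0/0.10
 dot1q termination vid 10
 ipv6 enable
 ipv6 address 2001:100:200:1::2/64
 vrrp6 vrid 10 virtual-ip FE80::1 link-local
 vrrp6 vrid 10 virtual-ip 2001:100:200:1::3
interface GigabitEthernet0/0/0.30
 dot1q termination vid 30
 ipv6 enable
 ipv6 address 2001:100:200:3::2/64
 vrrp6 vrid 30 virtual-ip FE80::3 link-local
 vrrp6 vrid 30 virtual-ip 2001:100:200:3::3
 vrrp6 vrid 30 priority 120
"""

DEFAULT_PRIORITY = 100  # assumed VRRP priority when none is configured


def parse_vrrp6(config):
    """Parse Huawei-style interface blocks into {vrid: group}.

    Each group keeps a reference to its interface (address and whether RA
    suppression was disabled there), the set of virtual IPs and the priority.
    """
    groups = {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            iface = {"addr": None, "ra": False}
        elif line.startswith("ipv6 address "):
            iface["addr"] = ipaddress.IPv6Interface(parts[2])
        elif line == "undo ipv6 nd ra halt":
            iface["ra"] = True
        elif line.startswith("vrrp6 vrid "):
            vrid = int(parts[2])
            group = groups.setdefault(
                vrid, {"iface": iface, "vips": set(), "priority": DEFAULT_PRIORITY})
            if parts[3] == "virtual-ip":
                group["vips"].add(ipaddress.IPv6Address(parts[4]))
            elif parts[3] == "priority":
                group["priority"] = int(parts[4])
    return groups


def elected_master(routers):
    """Return {vrid: router name} for the router holding the highest priority."""
    parsed = {name: parse_vrrp6(cfg) for name, cfg in routers.items()}
    vrids = sorted(set().union(*(p.keys() for p in parsed.values())))
    return {vrid: max((n for n in parsed if vrid in parsed[n]),
                      key=lambda n: parsed[n][vrid]["priority"]) for vrid in vrids}


def audit_vrrp6(routers):
    """Cross-check the VRRP6 groups of several routers; returns finding strings."""
    findings = []
    parsed = {name: parse_vrrp6(cfg) for name, cfg in routers.items()}
    vrids = sorted(set().union(*(p.keys() for p in parsed.values())))
    for vrid in vrids:
        members = {n: p[vrid] for n, p in parsed.items() if vrid in p}
        if len(members) < 2:
            findings.append(f"vrid {vrid}: only one router configured, no redundancy")
        if len({frozenset(m["vips"]) for m in members.values()}) != 1:
            findings.append(f"vrid {vrid}: virtual-ip lists differ between routers")
        for name, m in members.items():
            net = m["iface"]["addr"].network
            for vip in m["vips"]:  # link-local VIPs are not tied to the global /64
                if not vip.is_link_local and vip not in net:
                    findings.append(f"vrid {vrid}: {name} virtual-ip {vip} is outside {net}")
        prios = sorted((m["priority"] for m in members.values()), reverse=True)
        if len(prios) > 1 and prios[0] == prios[1]:
            findings.append(f"vrid {vrid}: top priorities tie, master depends on address comparison")
        master = max(members, key=lambda n: members[n]["priority"])
        if not members[master]["iface"]["ra"]:
            findings.append(
                f"vrid {vrid}: master {master} still suppresses RA, hosts cannot learn the gateway")
    return findings


if __name__ == "__main__":
    routers = {"core1": CORE1, "core2": CORE2}
    print("elected masters:", elected_master(routers))
    for finding in audit_vrrp6(routers):
        print("finding:", finding)
```

On the configuration as published the script elects core1 for VRID 10 and core2 for VRID 30, and its one finding is that core2, the master for VLAN 30, never had `undo ipv6 nd ra halt` applied; the same check applies to VLAN 40, 50 and 60, whose masters likewise have RA suppression left at its default. Because the audit parses the running configuration text, it can be re-run after every change without touching the switches.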
DHCPv6 configuration
Disable RA suppression on the server-segment interface:
```
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2001:100:200:7::1/64
 undo ipv6 nd ra halt
 ipv6 nd autoconfig managed-address-flag
 ipv6 nd autoconfig other-flag
 dhcpv6 server server
```
The RA autoconfig flags (M and O) tell hosts to obtain their address through stateful DHCPv6.
Configure the address pool:
```
dhcpv6 pool server
 address prefix 2001:100:200:7::/64
 excluded-address 2001:100:200:7::1
 excluded-address 2001:100:200:7::3
```
OSPFv3 configuration
```
interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2001:100:200:ABC::1/126
 ospfv3 1 area 0.0.0.0
ospfv3 1
 router-id 1.1.1.1
```
The other devices are configured the same way: create the OSPFv3 process, then enter each interface and enable OSPFv3 with its area.
Firewall configuration
Route towards the ISP
```
ipv6 route-static :: 0 2005::2
```
The default route is redistributed into OSPFv3.
Security zone configuration
```
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/4
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/3
```
Security policy
```
security-policy
 rule name tr-un
  source-zone trust
  destination-zone untrust
  action permit
 rule name tr-dmz
  source-zone trust
  destination-zone dmz
  action permit
```
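The two rules above are short, but what they deny matters as much as what they permit: any zone pair that no rule names falls through to the firewall's default and is dropped. The following Python model is an added example, not part of the original post or Huawei's own software. It encodes the zones, their priorities and interfaces, and the two rules as data, then answers "which zone pairs can open a new session?" by applying first-match-wins with an implicit deny. The interface names, priorities and rule names are copied from the configuration; the function names and the `direction` helper are mine.

```python
# Security zones and the policy rule set, copied from the page's firewall configuration.
ZONES = {
    "trust": {"priority": 85,
              "interfaces": {"GigabitEthernet0/0/0", "GigabitEthernet1/0/0", "GigabitEthernet1/0/1"}},
    "untrust": {"priority": 5, "interfaces": {"GigabitEthernet1/0/4"}},
    "dmz": {"priority": 50, "interfaces": {"GigabitEthernet1/0/2", "GigabitEthernet1/0/3"}},
}

# Rules in configured order; only the fields the page sets are modelled.
POLICY = [
    {"name": "tr-un", "source_zone": "trust", "destination_zone": "untrust", "action": "permit"},
    {"name": "tr-dmz", "source_zone": "trust", "destination_zone": "dmz", "action": "permit"},
]


def zone_of(interface, zones=ZONES):
    """Map an interface name to its zone; an interface in no zone is a configuration error."""
    for name, zone in zones.items():
        if interface in zone["interfaces"]:
            return name
    raise KeyError(f"{interface} belongs to no security zone")


def evaluate(ingress_if, egress_if, policy=POLICY, zones=ZONES):
    """Decide the fate of a new session entering on `ingress_if` and leaving on `egress_if`.

    Rules are matched top to bottom and the first hit wins; a session that
    matches nothing falls through to the implicit default, which denies it.
    Returns (rule name, action).
    """
    src, dst = zone_of(ingress_if, zones), zone_of(egress_if, zones)
    for rule in policy:
        if rule["source_zone"] == src and rule["destination_zone"] == dst:
            return rule["name"], rule["action"]
    return "default", "deny"


def direction(src_zone, dst_zone, zones=ZONES):
    """Huawei terminology: higher- to lower-priority zone is outbound, the reverse is inbound."""
    return "outbound" if zones[src_zone]["priority"] > zones[dst_zone]["priority"] else "inbound"


def permitted_pairs(policy=POLICY, zones=ZONES):
    """Enumerate every ordered pair of distinct zones that a new session may cross."""
    pairs = set()
    for src in zones:
        for dst in zones:
            if src == dst:
                continue  # intra-zone handling is not modelled here
            ingress = next(iter(zones[src]["interfaces"]))
            egress = next(iter(zones[dst]["interfaces"]))
            if evaluate(ingress, egress, policy, zones)[1] == "permit":
                pairs.add((src, dst))
    return pairs


if __name__ == "__main__":
    for src in ZONES:
        for dst in ZONES:
            if src != dst:
                ingress = next(iter(ZONES[src]["interfaces"]))
                egress = next(iter(ZONES[dst]["interfaces"]))
                rule, action = evaluate(ingress, egress)
                print(f"{src:>7} -> {dst:<7} {direction(src, dst):<8} {action:<6} ({rule})")
```

The model shows that only trust-to-untrust and trust-to-dmz sessions are opened; every inbound pair, including untrust to dmz, is denied by default. Return packets of a permitted session are matched by the firewall's session table, so the initiating direction is the only one that needs a rule. If a server in the DMZ must be reachable from the Internet, that requires an explicit untrust-to-dmz rule scoped to the specific address and service, which this configuration deliberately does not include.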
Firewall OSPFv3 interface configuration
```
interface GigabitEthernet1/0/1
 undo shutdown
 ipv6 enable
 ipv6 address 2001:100:200:ABC::5/126
 ospfv3 1 area 0.0.0.0
interface GigabitEthernet1/0/2
 undo shutdown
 ipv6 enable
 ipv6 address 2001:100:200:ABC::A/126
 ospfv3 1 area 0.0.0.0
interface GigabitEthernet1/0/3
 undo shutdown
 ipv6 enable
 ipv6 address 2001:100:200:ABC::E/126
 ospfv3 1 area 0.0.0.0
```
Testing