单臂路由

　　我们上一部分聊了如何在只配置IP地址和子网掩码的情况下搭配vlan进行网络通讯，但是我们实际应用中一般还有一个属性，那就是网关，所以这篇就主要聊一下在有网关的情况下如何实现跨vlan的访问：

网络配置示意图

　　这里有个理解就是我们在网络通讯的时候为什么一定要网关，当时有一位大佬是这样给我讲的，参考下图：

　　哈哈，就是下面小弟办事不好使的时候就要找大佬，然后让大佬出门面去沟通。同理的如果一个网段内没有找到我们想要的IP地址，那就要去找网关来帮忙去问问目的地址的信息，包括一些网络安全管理的设备也是基于网关或者网段去管理，通常来讲同网段的网络是不受限制的，当然如果在软件层面（分布式防火墙NSX）有做限制的情况例外。
　　这里有个情况就是网关到底配置在什么地方和用哪个IP，这个问题我想了很久，实际自己做一次以后就清楚了，网关的地址可以配置在任何一个三层交换机或者路由器上，当然一些功能多的防火墙也是可以的，这样的话就可以对所有的网络做到一个监管的功能，但是所有的上行访问都会来找，如果忙不过来就会出问题，（想想你让陈浩南天天去收保护费还怎么做洪兴扛把子，早晚得累死。）所以前期对于整个网络架构的上下行带宽要有一个初步的估算，然后确认架构的分配。

实验一 交换机做网关配置

实验需求：实验的拓扑如下图，PC1、PC2、PC3、PC4连接同一台交换机，PC1、PC2的人属于同一个部门（如销售部）并且属于192.168.10.0/24，PC3、PC4的人属于同一个部门（财务部）并且属于192.168.20.0/24，在配置好网关地址以后可以进行互相访问。

在配置好IP地址后，由于所有的PC都连接了同一个交换机，在没有配置vlan的情况下，所有的机器都在默认的vlan1下，所以PC和PC2在一个网段，是可以直接ping通的，但是PC3、PC4和PC1不是一个网段的，所以就会找上行的网关地址，从抓包信息上我们能看到有个arp的询问192.168.10.254地址的信息。

交换机配置计划

这里有个反逻辑的点，就是为什么一定要配置vlan。因为如果是一个二层的设备，是不具备三层的转发功能的，所以需要使用一个虚拟接口来替代，也就是使用vlanif接口来配置网关，然后把PC加到对应的vlan中。

配置过程

system-view 
#创建vlan
[switch]vlan batch 10 20
#创建网关
[switch]interface vlanif 10    
[switch-Vlanif10]undo shutdown 
Info: Interface Vlanif10 is not shutdown.
[switch-Vlanif10]ip address 192.168.10.254 255.255.255.0
[switch-Vlanif10]quit
[switch]interface vlanif 20
[switch-Vlanif20]undo shutdown
Info: Interface Vlanif20 is not shutdown.
[switch-Vlanif20]ip address 192.168.20.254 255.255.255.0
[switch-Vlanif20]q
#绑定接口
[switch]interface g0/0/1
[switch-GigabitEthernet0/0/1]port link-type access 
[switch-GigabitEthernet0/0/1]port default vlan 10
[switch]interface g0/0/2
[switch-GigabitEthernet0/0/2]port link-type access 
[switch-GigabitEthernet0/0/2]port default vlan 10
[switch-GigabitEthernet0/0/2]q
[switch]interface g0/0/3
[switch-GigabitEthernet0/0/3]port link-type access 
[switch-GigabitEthernet0/0/3]port default vlan 20
[switch-GigabitEthernet0/0/3]q
[switch]interface g0/0/4
[switch-GigabitEthernet0/0/4]port link-type access 
[switch-GigabitEthernet0/0/4]port default vlan 20
display  vlan

结果验证

ping测试效果

ping同时抓包效果

可以看到PC1在对同网段和跨网段发出的ARP是不一样的，同网段就是直接问那个机器是谁，跨网段就是问网关是谁。

实验二 单臂路由配置

上面我们用的是二层交换机配置了vlanif来实现网关间的通讯，接下来配置路由器的网关

配置思路

配置过程

*交换机配置*
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname switch1
[switch1]info-center source ds channel 0 log state off trap state off
[switch1]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[switch1]interface g0/0/1
[switch1-GigabitEthernet0/0/1]port link-type access
[switch1-GigabitEthernet0/0/1]port default vlan 10
[switch1-GigabitEthernet0/0/1]quit
[switch1]interface g0/0/2
[switch1-GigabitEthernet0/0/2]port link-type access 
[switch1-GigabitEthernet0/0/2]port default vlan 20
[switch1-GigabitEthernet0/0/2]quit
[switch1]interface g0/0/3
[switch1-GigabitEthernet0/0/3]port link-type trunk 
[switch1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[switch1-GigabitEthernet0/0/3]quit
[switch1]

*路由器配置*
The device is running!
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r1
[r1]interface g0/0/0.10
[r1-GigabitEthernet0/0/0.10]dot1q termination vid 10
[r1-GigabitEthernet0/0/0.10]ip address 192.168.10.1 255.255.255.0
[r1-GigabitEthernet0/0/0.10]
Dec  9 2023 20:47:22-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface GigabitEthernet0/0/0.10 has entered the UP state. 
[r1-GigabitEthernet0/0/0.10]arp broadcast enable
[r1-GigabitEthernet0/0/0.10]quit
[r1]interface g0/0/0.20
[r1-GigabitEthernet0/0/0.20]dot1q termination vid 20
[r1-GigabitEthernet0/0/0.20]ip address 192.168.20.1 255.255.255.0
Dec  9 2023 20:48:15-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP 
on the interface GigabitEthernet0/0/0.20 has entered the UP state. 
[r1-GigabitEthernet0/0/0.20]arp broadcast enable 
[r1-GigabitEthernet0/0/0.20]quit
[r1]

结果验证

路由器的单臂路由配置

实验需求：实验的拓扑如下图，PC1、PC2连接同一台交换机，PC3接另一台交换机，PC1属于vlan10，IP段为192.168.10.0/24。PC2属于vlan20，IP段为192.168.20.0/24。PC3属于vlan30，IP段为10.0.0.0/24。

配置思路

配置过程

*交换机1配置*
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname switch1
[switch1]info-center source ds channel 0 log state off trap state off
[switch1]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[switch1]interface g0/0/3
[switch1-GigabitEthernet0/0/1]port link-type access
[switch1-GigabitEthernet0/0/1]port default vlan 10
[switch1-GigabitEthernet0/0/1]quit
[switch1]interface g0/0/4
[switch1-GigabitEthernet0/0/2]port link-type access 
[switch1-GigabitEthernet0/0/2]port default vlan 20
[switch1-GigabitEthernet0/0/2]quit
[switch1]interface g0/0/1
[switch1-GigabitEthernet0/0/3]port link-type trunk 
[switch1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[switch1-GigabitEthernet0/0/3]quit
[switch1]interface g0/0/2
[switch1-GigabitEthernet0/0/3]port link-type trunk 
[switch1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[switch1-GigabitEthernet0/0/3]quit
[switch1]

*交换机2配置*
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname switch1
[switch1]info-center source ds channel 0 log state off trap state off
[switch1]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[switch1]interface g0/0/2
[switch1-GigabitEthernet0/0/1]port link-type access
[switch1-GigabitEthernet0/0/1]port default vlan 30
[switch1-GigabitEthernet0/0/1]quit
[switch1]interface g0/0/1
[switch1-GigabitEthernet0/0/3]port link-type trunk 
[switch1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[switch1-GigabitEthernet0/0/3]quit

*路由器1配置*
<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname router1
[router1]info-center source ds channel 0 log state off trap state off
[router1]interface g0/0/0.10
[router1-interface g0/0/0.10]dot1q termination vid 10
[router1-interface g0/0/0.10]ip address 192.168.10.1 255.255.255.0
[router1-interface g0/0/0.10]arp broadcast enable
[router1-interface g0/0/0.10]quit
[router1]interface g0/0/0.20
[router1-interface g0/0/0.20]dot1q termination vid 20
[router1-interface g0/0/0.20]ip address 192.168.20.1 255.255.255.0
[router1-interface g0/0/0.20]arp broadcast enable
[router1-interface g0/0/0.20]quit
[router1]interface g0/0/0.30
[router1-interface g0/0/0.30]dot1q termination vid 30
[router1-interface g0/0/0.30]ip address 10.1.1.1 255.255.255.0
[router1-interface g0/0/0.30]arp broadcast enable
[router1-interface g0/0/0.30]quit
[router1]

结果验证

实验三 交换机路由配置

这个实验和第一个实验有点像，都是在交换机上配置网关和vlan来实现多网段连接

PC1属于网段1，IP:192.168.10.10 MASK:255.255.255.0 GATEWAY:192.168.10.1 。PC2属于网段2，IP:192.168.20.10 MASK:255.255.255.0 GATEWAY:192.168.20.1。PC3属于网段3，IP:10.1.1.10 MASK:255.255.255.0 GATEWAY:10.1.1.1。

配置思路

配置过程

*交换机1配置*
The device is running!
<Huawei>system-view  
[Huawei]sysname switch1
[switch1]info-center source ds channel 0 log state off trap state off
[switch1]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[switch1]interface g0/0/2	
[switch1-GigabitEthernet0/0/2]port link-type access 
[switch1-GigabitEthernet0/0/2]port default vlan 10
[switch1-GigabitEthernet0/0/2]quit
[switch1]interface g0/0/3	
[switch1-GigabitEthernet0/0/3]port link-type access 
[switch1-GigabitEthernet0/0/3]port default vlan 20
[switch1-GigabitEthernet0/0/3]quit
[switch1]interface g0/0/1
[switch1-GigabitEthernet0/0/1]port link-type trunk
[switch1-GigabitEthernet0/0/1]port trunk allow-pass vlan all

*交换机2配置*
<Huawei>system-view 
[Huawei]info-center source ds channel 0 log state off trap state off
[Huawei]sysname switch2
[switch2]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[switch2]interface g0/0/2
[switch2-GigabitEthernet0/0/2]port link-type access
[switch2-GigabitEthernet0/0/2]port default vlan 30
[switch2-GigabitEthernet0/0/2]quit
[switch2]interface g0/0/1
[switch2-GigabitEthernet0/0/1]port link-type trunk
[switch2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[switch2-GigabitEthernet0/0/1]quit

*交换机3配置*
The device is running!
<Huawei>system-view 
[Huawei]info-center source ds channel 0 log state off trap state off
[Huawei]sysname switch3
[switch3]port-group group-member g0/0/1 g0/0/2
[switch3-port-group]port link-type trunk
[switch3-GigabitEthernet0/0/1]port link-type trunk
[switch3-GigabitEthernet0/0/2]port link-type trunk
[switch3-port-group]port trunk allow-pass vlan all
[switch3-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[switch3-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[switch3]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[switch3]int vlan 10
[switch3-Vlanif10]
Dec 18 2023 22:42:00-08:00 switch3 %%01IFNET/4/IF_STATE(l)[0]:Interface Vlanif10
 has turned into UP state.
[switch3-Vlanif10]ip address 192.168.10.1 24
[switch3-Vlanif10]
Dec 18 2023 22:42:17-08:00 switch3 %%01IFNET/4/LINK_STATE(l)[1]:The line protoco
l IP on the interface Vlanif10 has entered the UP state.
[switch3-Vlanif10]quit
[switch3]int vlan 20
[switch3-Vlanif20]
Dec 18 2023 22:42:27-08:00 switch3 %%01IFNET/4/IF_STATE(l)[2]:Interface Vlanif20
 has turned into UP state.
[switch3-Vlanif20]ip address 192.168.20.1 24
[switch3-Vlanif20]
Dec 18 2023 22:42:36-08:00 switch3 %%01IFNET/4/LINK_STATE(l)[3]:The line protoco
l IP on the interface Vlanif20 has entered the UP state.
[switch3-Vlanif20]quit
[switch3]int vlan 30
[switch3-Vlanif30]
Dec 18 2023 22:42:48-08:00 switch3 %%01IFNET/4/IF_STATE(l)[4]:Interface Vlanif30
 has turned into UP state.
[switch3-Vlanif30]ip address 10.1.1.1 24
[switch3-Vlanif30]
Dec 18 2023 22:42:56-08:00 switch3 %%01IFNET/4/LINK_STATE(l)[5]:The line protoco
l IP on the interface Vlanif30 has entered the UP state.
[switch3-Vlanif30]

结果验证

中间不通的是因为刚增加了交换机配置，交换机之间没有学习到对应的地址，需要等收敛以后才能生效。

总结

网关可以配置在交换机或者路由器上，在交换机是使用vlanif配置虚拟端口，路由器是端口的子端口来提供服务，至于为什么不使用某个端口来直接做网关呢？
我是这样理解的：如果某个接口配置成了网关，他不再是access或者trunk接口，那么其他网络对他的查询就不再是转发，还有就是接口的状态如果是插了对端才是UP，如果出现问题就是down的状态了。如果要强行赋予这个接口为UP的状态，那为啥不用一个存在于逻辑的接口呢？还不会因为外界的变化DOWN掉。
我们之前的配置都是在配置了vlan和trunk后搭配网关通讯的，上一篇我们试过了没有网关的情况下，可以通过vlan的方式来给链路打上tag标签来通讯，所以如果一个简单的网络其实只需要在上层的交换机或者路由器上配置虚拟接口的网关地址，所有的机器就算在同一个vlan下，也能够做隔离，但是广播域并不能做隔离。