VRF_DHCP-Relay
DHCP Relay lab
Topology
- Notes
- Create a VN named TEST on CE1
- Put vlanif10 and vlanif20 into it
- The CE must use a separate VRF to reach the DHCP server that hangs off to the side
Step 1: Underlay configuration
```
# LSW1: access ports for the two PCs, trunk uplink to CE1
sys
sysn LSW1
vlan batch 10 20
int g0/0/1
port link-type access
port default vlan 10
int g0/0/2
port link-type access
port default vlan 20
int g0/0/3
port link-type trunk
port trunk all vlan 10 20
```
```
# CE1: two vpn-instances, test (the tenant VN) and dhcp_server (the service side)
sys i
sysn CE1
vlan batch 10 20
ip vpn-instance test
route-dist 1:1
ip vpn-instance dhcp_server
route-dist 2:2
# tenant gateways live in vpn-instance test
int vlan 10
ip binding vpn-instance test
ip add 192.168.10.1 24
int vlan 20
ip binding vpn-instance test
ip add 192.168.20.1 24
int g1/0/0
undo shutdown
port link-ty trunk
port trunk all vlan 10 20
quit
# routed link to the DHCP server lives in vpn-instance dhcp_server
int g1/0/1
undo shutdown
undo portsw
ip binding vpn-instance dhcp_server
ip add 10.0.12.1 24
quit
```
Step 2: DHCP configuration
```
# DHCP SERVER: basic configuration
sys
sysn dhcp-server
dhcp enable
int g0/0/0
ip add 10.0.12.2 24
dhcp select global
quit
# DHCP SERVER: one global pool per tenant subnet
ip pool vlan_10
network 192.168.10.0 mask 24
gateway-list 192.168.10.1
ip pool vlan_20
network 192.168.20.0 mask 24
gateway-list 192.168.20.1
```
```
# CE1: relay on both tenant gateways; the server is reached through vpn-instance dhcp_server
dhcp enable
int vlan 10
dhcp select relay
dhcp relay binding server ip 10.0.12.2 vpn-instance dhcp_server
int vlan 20
dhcp select relay
dhcp relay binding server ip 10.0.12.2 vpn-instance dhcp_server
```
Step 3: Inter-VRF routes
```
# CE1: route from instance test to the DHCP server (only the server's /32 is leaked)
ip route-static vpn-instance test 10.0.12.2 32 vpn-instance dhcp_server
# CE1: return routes from instance dhcp_server back into instance test
ip route-static vpn-instance dhcp_server 192.168.10.0 24 vpn-instance test
ip route-static vpn-instance dhcp_server 192.168.20.0 24 vpn-instance test
```
```
# DHCP server: return routes toward the tenant subnets via CE1
ip route-static 192.168.10.0 24 10.0.12.1
ip route-static 192.168.20.0 24 10.0.12.1
```
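To see what these leaked routes actually resolve to, and what they expose, the following is an added model of CE1's two instances as a pair of longest-prefix-match tables whose next hop can be another vpn-instance. It is example code written for this page, not the switch's own logic; the prefixes are transcribed from the Step 1 and Step 3 configuration, and the display name GE1/0/1 for the g1/0/1 connected route is an assumption.

```python
"""Model of how the leaked static routes of Step 3 resolve inside CE1.
Added example; tables transcribed from the lab, interface display names assumed."""
import ipaddress


class Vrf:
    """One vpn-instance routing table with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, kind, target)

    def add(self, prefix, kind, target):
        # kind: "direct" (target = interface) or "vpn-instance" (target = other VRF)
        self.routes.append((ipaddress.ip_network(prefix), kind, target))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def resolve(vrfs, start, dst, max_hops=4):
    """Follow a lookup across vpn-instance next hops until it lands on a
    connected interface.  Returns the hops as (vrf, prefix, kind, target);
    the last hop has kind "direct", "unroutable" or "loop"."""
    path, vrf = [], start
    for _ in range(max_hops):  # bound the walk in case leaks form a cycle
        r = vrfs[vrf].lookup(dst)
        if r is None:
            path.append((vrf, None, "unroutable", None))
            return path
        net, kind, target = r
        path.append((vrf, str(net), kind, target))
        if kind != "vpn-instance":
            return path
        vrf = target
    path.append((vrf, None, "loop", None))
    return path


def deliverable(vrfs, start, dst):
    return resolve(vrfs, start, dst)[-1][2] == "direct"


def ce1_tables(return_leaks=True):
    """CE1's two instances as configured in Steps 1 and 3."""
    test, dhcp = Vrf("test"), Vrf("dhcp_server")
    test.add("192.168.10.0/24", "direct", "Vlanif10")
    test.add("192.168.20.0/24", "direct", "Vlanif20")
    test.add("10.0.12.2/32", "vpn-instance", "dhcp_server")  # only the server /32
    dhcp.add("10.0.12.0/24", "direct", "GE1/0/1")             # display name assumed
    if return_leaks:
        dhcp.add("192.168.10.0/24", "vpn-instance", "test")
        dhcp.add("192.168.20.0/24", "vpn-instance", "test")
    return {"test": test, "dhcp_server": dhcp}


def looped_tables():
    """What not to do: default routes leaked in both directions chase each other."""
    t = ce1_tables()
    t["test"].add("0.0.0.0/0", "vpn-instance", "dhcp_server")
    t["dhcp_server"].add("0.0.0.0/0", "vpn-instance", "test")
    return t


if __name__ == "__main__":
    t = ce1_tables()
    for src_vrf, dst in [("test", "10.0.12.2"), ("test", "10.0.12.3"),
                         ("dhcp_server", "192.168.10.253")]:
        print(src_vrf, "->", dst, resolve(t, src_vrf, dst))
    print("reply without return leaks:",
          resolve(ce1_tables(return_leaks=False), "dhcp_server", "192.168.10.253"))
    print("leaked defaults:", resolve(looped_tables(), "test", "8.8.8.8"))
```

Three things fall out of running it: 10.0.12.2 resolves from test through dhcp_server onto the connected link, while any other host on 10.0.12.0/24 (10.0.12.3 in the model) stays unroutable from the tenant side, which is the point of leaking a /32 rather than the whole service subnet; without the two return leaks the server's reply to 192.168.10.1 has nowhere to go inside dhcp_server; and leaking default routes in both directions produces a lookup that never terminates, which the hop bound catches.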
Step 4: Verification
```
# PC1
dhcp enable
interface GigabitEthernet0/0/0
ip address dhcp-alloc
```
```
# PC2
dhcp enable
interface GigabitEthernet0/0/0
ip address dhcp-alloc
```
PC1 obtains an address from the vlan_10 pool through the relay and can reach PC2 on VLAN 20:
```
[PC1]dis ip int bri
Interface                 IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0      192.168.10.253/24    up         up
GigabitEthernet0/0/1      unassigned           down       down
GigabitEthernet0/0/2      unassigned           down       down
NULL0                     unassigned           up         up(s)
```
```
[PC1]ping 192.168.20.253
Reply from 192.168.20.253: bytes=56 Sequence=1 ttl=254 time=110 ms
```
Key points
Adding a route does not mean reachability
Once the business VN and the DHCP_SERVER VRF have routes pointing at each other, does that mean hosts inside the business VN can now talk to the dhcp_server host?
No. Look at the routing table and the ping:
```
[CE1]dis ip routing-table vpn-instance test
Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
10.0.12.2/32        Static  60   0     DT     0.0.0.0       dhcp_server
192.168.10.0/24     Direct  0    0     D      192.168.10.1  Vlanif10
192.168.10.1/32     Direct  0    0     D      127.0.0.1     Vlanif10
192.168.10.255/32   Direct  0    0     D      127.0.0.1     Vlanif10
192.168.20.0/24     Direct  0    0     D      192.168.20.1  Vlanif20
192.168.20.1/32     Direct  0    0     D      127.0.0.1     Vlanif20
192.168.20.255/32   Direct  0    0     D      127.0.0.1     Vlanif20
255.255.255.255/32  Direct  0    0     D      127.0.0.1     InLoopBack0
```
The first entry is the leaked static route: its next hop is 0.0.0.0 and its "interface" is the other vpn-instance, dhcp_server.
```
[CE1]ping -vpn-instance test -a 192.168.10.1 10.0.12.2
PING 10.0.12.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
```
Even though the test instance holds a route to 10.0.12.2 (the dhcp_server host), a ping sourced from 192.168.10.1 inside test gets no reply. Note that this is a ping originated by the switch itself; to check whether a host in test can reach the DHCP server, ping 10.0.12.2 from PC1 instead. Note also that the only destination leaked into test is the server's /32, so the rest of 10.0.12.0/24 in the dhcp_server VRF remains unreachable from tenant hosts, which is all the relay needs.
DHCP packets do get through
So how do the DHCP packets from the test instance get across?
A packet capture on the dhcp-server host shows what happens.
Reading the packets tells you exactly how the VRFs inside CE1 hand traffic to each other. Step by step:
1. The client boots and broadcasts a DHCP Discover, which is picked up by its gateway, vlanif10.
2. Because DHCP relay is enabled on vlanif10, the relay agent turns the broadcast into a unicast addressed to the configured server 10.0.12.2 and records the address of the interface it arrived on, 192.168.10.1, in the giaddr field of the DHCP message (RFC 2131 section 4.3.1).
3. The unicast is routed in vlanif10's instance, test, where the lookup for 10.0.12.2 hits the leaked static route and hands the packet to the dhcp_server instance:
```
[CE1]dis ip routing-table vpn-instance test
10.0.12.2/32  Static  60  0  DT  0.0.0.0  dhcp_server
```
4. The dhcp_server instance looks up 10.0.12.2 in its own table, finds it on the directly connected 10.0.12.0/24, and sends the unicast out of g1/0/1. The capture on the server shows the IP source as 10.0.12.1, the egress interface address, not 192.168.10.1; the vlanif10 address travels inside the DHCP payload as giaddr.
5. The Discover reaches the DHCP server. The server selects the pool from giaddr (192.168.10.1 falls in vlan_10; the IP source 10.0.12.1 matches no pool at all) and sends a DHCP Offer to giaddr, 192.168.10.1. The server's static route sends it to 10.0.12.1, it enters the dhcp_server VRF on CE1, the leaked route for 192.168.10.0/24 hands it to test, and the relay agent on vlanif10 re-sends the Offer to the client. A capture on CE1's downlink interface shows that the Offer's source and destination addresses both differ from what the server sent.
Summary:
Relaying DHCP across VRFs, you watch the packet addresses change several times. None of it is address translation performed by the VRFs: a DHCP relay is an application-layer agent that originates a fresh IP packet in each direction, and the only thing the VRFs contribute is the leaked static routes of Step 3. The handover between the two instances happens inside the switch, so on the wire you see only the result, never the hop itself.
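The exchange described above, as an added example that is not part of the original post or of any Huawei code: a minimal DHCP encoder/decoder, a relay that rewrites only giaddr and hops while re-sourcing the IP header from its egress interface, and a server that keys pool selection on giaddr. The addresses, pool names and the observed IP sources (10.0.12.1 toward the server, 192.168.10.1 toward the client) come from the lab; the client MAC, the xid and the allocation order (highest free address first) are assumptions.

```python
"""Discover/Offer exchange through a DHCP relay, modelled on the lab above.
Added example; addresses from the lab, MAC/xid/allocation order assumed."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options cookie
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
DISCOVER, OFFER = 1, 2               # option 53 message types


def packed(addr):
    return ipaddress.ip_address(addr).packed


def build(op, xid, chaddr, msg_type, hops=0, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Encode a minimal DHCP message: fixed header, cookie, option 53, end."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,  # flags: broadcast bit
                      packed("0.0.0.0"), packed(yiaddr), packed("0.0.0.0"),
                      packed(giaddr), chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse(data):
    """Decode the fields the relay and the server act on."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:      # TLV walk until END
        if data[i] == 0:                         # PAD
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    ip = lambda b: str(ipaddress.ip_address(b))
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": ip(f[8]),
            "giaddr": ip(f[10]), "chaddr": f[11][:6], "msg_type": opts[53][0]}


# Relay agent on CE1: vlanif10 (192.168.10.1) faces the client, g1/0/1 (10.0.12.1) the server.
def relay_to_server(pkt, ingress_ip, egress_ip, server_ip):
    """Turn the client broadcast into a unicast to the server.  Only giaddr and
    hops change in the payload (offsets 24 and 3); the new IP header is sourced
    from the egress interface, which is why the server capture shows 10.0.12.1."""
    data = pkt["payload"]
    m = parse(data)
    if m["giaddr"] == "0.0.0.0":                 # first relay sets giaddr
        data = (data[:3] + bytes([m["hops"] + 1]) + data[4:24]
                + packed(ingress_ip) + data[28:])
    return {"src": egress_ip, "dst": server_ip, "payload": data}


def relay_to_client(pkt, relay_if_ip):
    """The Offer arrives addressed to giaddr; re-originate it toward the client."""
    m = parse(pkt["payload"])
    if m["giaddr"] != relay_if_ip:
        raise ValueError("offer not for this relay interface")
    return {"src": relay_if_ip, "dst": "255.255.255.255", "payload": pkt["payload"]}


# DHCP server 10.0.12.2 with the two pools from Step 2.
POOLS = {"vlan_10": ("192.168.10.0/24", "192.168.10.1"),
         "vlan_20": ("192.168.20.0/24", "192.168.20.1")}


def select_pool(addr, pools=POOLS):
    """Name of the pool whose network contains addr, or None."""
    for name, (net, _gw) in pools.items():
        if ipaddress.ip_address(addr) in ipaddress.ip_network(net):
            return name
    return None


def server_handle(pkt, server_ip, leased=None, pools=POOLS):
    """Answer a relayed Discover with an Offer sent back to giaddr."""
    leased = set() if leased is None else leased
    m = parse(pkt["payload"])
    # Pool selection keys on giaddr; the IP source (10.0.12.1) matches no pool.
    name = select_pool(m["giaddr"], pools)
    if name is None:
        return None
    net, gw = pools[name]
    for ip in reversed(list(ipaddress.ip_network(net).hosts())):  # order assumed
        if str(ip) != gw and str(ip) not in leased:
            leased.add(str(ip))
            break
    else:
        return None                              # pool exhausted
    offer = build(2, m["xid"], m["chaddr"], OFFER, hops=m["hops"],
                  yiaddr=str(ip), giaddr=m["giaddr"])
    return {"src": server_ip, "dst": m["giaddr"], "payload": offer}


def run_exchange():
    """Client broadcast -> relay -> server -> relay -> client; returns the three legs."""
    discover = {"src": "0.0.0.0", "dst": "255.255.255.255",
                "payload": build(1, 0x1234, b"\x54\x89\x98\x00\x00\x01", DISCOVER)}
    to_server = relay_to_server(discover, "192.168.10.1", "10.0.12.1", "10.0.12.2")
    offer = server_handle(to_server, "10.0.12.2")
    to_client = relay_to_client(offer, "192.168.10.1")
    return to_server, offer, to_client


if __name__ == "__main__":
    for leg in run_exchange():
        m = parse(leg["payload"])
        print(f'{leg["src"]:>15} -> {leg["dst"]:<15} giaddr={m["giaddr"]} '
              f'yiaddr={m["yiaddr"]} type={m["msg_type"]}')
```

The model makes the two points from the walkthrough concrete: the IP source the server sees is the relay's egress address and is useless for pool selection (select_pool("10.0.12.1") is None), while giaddr carries the client subnet's gateway and is what the Offer is addressed to; and the packet the client finally receives is a new packet sourced by the relay, not a translated copy of the server's.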
Review: traditional DHCP
Interface DHCP
```
# AR4 configuration
sys
sysn AR4
dhcp enable
int g0/0/0
ip add 192.168.10.1 24
dhcp select interface
```
```
# PC6
dhcp enable
interface GigabitEthernet0/0/0
ip address dhcp-alloc
```
Global DHCP
```
# AR4
sys
sysn AR4
dhcp enable
ip pool test_pool
network 192.168.10.0 mask 24
gateway-list 192.168.10.1
int g0/0/0
ip add 192.168.10.1 24
dhcp select global
```
```
# PC6
dhcp enable
interface GigabitEthernet0/0/0
ip address dhcp-alloc
```
DHCP relay
```
# AR5 (DHCP server) configuration
sys
sysn AR5_dhcp_server
dhcp enable
ip pool test_pool
network 192.168.10.0 mask 24
gateway-list 192.168.10.1
int g0/0/0
ip add 10.0.45.5 24
dhcp select global
quit
# return route toward the client subnet via the relay
ip route-static 192.168.10.0 24 10.0.45.4
```
```
# AR4 (relay) configuration
sys
sysn AR4
dhcp enable
int g0/0/1
ip add 10.0.45.4 24
int g0/0/0
ip add 192.168.10.1 24
dhcp select relay
dhcp relay server-ip 10.0.45.5
```
```
# PC6
sys
dhcp enable
interface GigabitEthernet0/0/0
ip address dhcp-alloc
[PC6]dis ip int bri
Interface                 IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0      192.168.10.254/24    up         up
```
![image-20230627103403259](https://img2023.cnblogs.com/blog/1703421/202306/1703421-20230627103612805-1109407274.png)
Let's walk through this traditional form of DHCP relay as well:
1. The client broadcasts.
2. The gateway re-encapsulates the broadcast DHCP Discover with source 192.168.10.1 and destination 10.0.45.5 and sends it to the DHCP server 10.0.45.5.
3. The DHCP server replies; the reply has source IP 10.0.45.5 and destination 192.168.10.1.
4. The gateway 192.168.10.1 receives the reply and forwards it on with the source IP unchanged and the destination rewritten to the target client.
Summary: traditional DHCP relay is a lot simpler than doing DHCP relay across VRFs.