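VRRP Configuration Examples
I. VRRP principles
VRRP stands for Virtual Router Redundancy Protocol, a protocol that is very widely used today on the gateway portion of Ethernet networks. The routers on which VRRP is enabled together form a backup group. Within the group, one router holds the Master role and does the actual forwarding, while the others hold the Backup role and monitor the Master's state. VRRP's own preemption mechanism maintains these roles dynamically so that the gateway provides uninterrupted forwarding service. In real deployments, besides making the gateway highly reliable, VRRP also works together with many layer-2 protocols to load-balance intranet traffic. Based on the topologies encountered in real projects, it is used in roughly the following modes:
Topology 1: (VRRP + MSTP environment)
In this topology the gateway role is usually played by layer-3 switches that have no stacking capability. In real projects it is more common to replace VRRP+STP with layer-3 switch stacking, mainly because stacking provides more switching bandwidth and a shorter failover delay, which greatly improves performance.
Configuration approach: PC3 and PC4 belong to VLAN 3 and VLAN 4 respectively. SW7 provides gateway forwarding for VLAN 3 and SW8 provides it for VLAN 4. SW7 and SW8 use two backup groups to share the forwarding load for the intranet. At layer 2, VLAN 3 traffic uses SW7 as the root of the tree and VLAN 4 traffic uses SW8 as the root.
Configuration details:
SW7:
1. VLAN configuration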
vlan 3
vlan 4
2. STP configuration
stp mode mstp
stp region-configuration
region-name h3c
revision-level 1
instance 3 vlan 3
instance 4 vlan 4
active region-configuration //activate the current instance configuration
stp instance 3 root primary //make SW7 the root bridge for VLAN 3
stp instance 4 root secondary //make SW7 the backup root bridge for VLAN 4
stp enable
3. VRRP configuration
interface vlan-interface 3
ip address 192.168.3.253 24 //if this address is the same as the virtual-ip, the router is the IP address owner and its VRRP priority is always 255
vrrp vrid 3 virtual-ip 192.168.3.254 //virtual IP address; must be in the same subnet as the group members
vrrp vrid 3 preempt-mode timer delay 1 //set the preemption delay timer to 1 s
vrrp vrid 3 priority 120 //this router's priority in the backup group is 120
vrrp vrid 3 timer advertise 3 //send VRRP advertisements every 3 s
vrrp vrid 3 authentication-mode simple 123 //exchange VRRP packets using simple authentication
interface vlan-interface 4
ip address 192.168.4.253 24
vrrp vrid 4 virtual-ip 192.168.4.254
vrrp vrid 4 preempt-mode timer delay 1
vrrp vrid 4 priority 100
vrrp vrid 4 timer advertise 3
vrrp vrid 4 authentication-mode simple 123
SW8:
1. VLAN configuration
vlan 3
vlan 4
2. STP configuration
stp mode mstp
stp region-configuration
region-name h3c
revision-level 1
instance 3 vlan 3
instance 4 vlan 4
active region-configuration //activate the current MSTP configuration
stp instance 4 root primary //make SW8 the root bridge for VLAN 4; same meaning as setting the priority to 4096
stp instance 3 root secondary //make SW8 the backup root bridge for VLAN 3; same meaning as setting the priority to 8192
stp enable
3. VRRP configuration
interface vlan-interface 3
ip address 192.168.3.252 24
vrrp vrid 3 virtual-ip 192.168.3.254
vrrp vrid 3 preempt-mode timer delay 1
vrrp vrid 3 priority 100
vrrp vrid 3 timer advertise 3
vrrp vrid 3 authentication-mode simple 123
interface vlan-interface 4
ip address 192.168.4.252 24 //must differ from SW7's 192.168.4.253
vrrp vrid 4 virtual-ip 192.168.4.254
vrrp vrid 4 preempt-mode timer delay 1
vrrp vrid 4 priority 120 //SW8 is the Master for VLAN 4, as the display vrrp output shows
vrrp vrid 4 timer advertise 3
vrrp vrid 4 authentication-mode simple 123
Check the result with display vrrp
On SW8:
[SW8-Vlan-interface4]display vrrp
IPv4 Standby Information:
Run Mode : Standard //the run mode is master/backup mode
Run Method : Virtual MAC //the virtual IP maps to a virtual MAC address
Total number of virtual routers : 2
Interface          VRID  State        Run     Adver   Auth      Virtual
                                      Pri     Timer   Type      IP
---------------------------------------------------------------------
Vlan3              3     Backup       100     3       Simple    192.168.3.254
Vlan4              4     Master       120     3       Simple    192.168.4.254
On SW7:
[SW1]display vrrp
IPv4 Standby Information:
Run Mode : Standard //a load-balancing mode, VRRPE, also exists here; see the VRRPE documentation if interested
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface          VRID  State        Run     Adver   Auth      Virtual
                                      Pri     Timer   Type      IP
---------------------------------------------------------------------
Vlan3              3     Master       120     3       Simple    192.168.3.254
Vlan4              4     Backup       100     3       Simple    192.168.4.254
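Note: link aggregation between SW7 and SW8 is used to increase the bandwidth of the heartbeat interface, and the VRRP advertisements all travel over this link. The reason is that, within a single MSTP instance, one of the downstream links is blocked, so VRRP ADV packets cannot pass over the downstream path. When the heartbeat link breaks, the blocked downstream port changes from Discarding to Forwarding and VRRP continues to run normally, so the heartbeat here is only a safeguard. In addition, because VRRP by default sends an advertisement to the Backup members every 1 s, keeping this traffic on the higher-bandwidth heartbeat interface helps improve network quality and reduces the impact on service traffic.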
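The two peers of a backup group have to agree on the virtual IP, advertisement timer and authentication settings, while their interface addresses and priorities have to differ. The following is an added example, not part of the original page, that checks a pair of configuration stanzas for these conditions; the sample text is constructed, with `SW8_FAULTY` deliberately wrong, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input (not device output): SW7's Vlan-interface 4 stanza and a
# deliberately faulty SW8 peer (same interface IP, same priority, different timer).
SW7 = """interface vlan-interface 4
ip address 192.168.4.253 24
vrrp vrid 4 virtual-ip 192.168.4.254
vrrp vrid 4 priority 100
vrrp vrid 4 timer advertise 3
vrrp vrid 4 authentication-mode simple 123"""
SW8_FAULTY = SW7.replace("advertise 3", "advertise 1")

def parse(cfg):
    """Return {vrid: settings}; settings hold the interface IP and each vrrp option."""
    groups, ip = {}, None
    for line in cfg.splitlines():
        w = line.split("//")[0].lower().split()   # drop trailing //annotations
        if w[:1] == ["interface"]:
            ip = None
        elif w[:2] == ["ip", "address"]:
            ip = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:2] == ["vrrp", "vrid"]:
            g = groups.setdefault(int(w[2]), {"ip": ip, "priority": "100"})
            g[w[3]] = " ".join(w[4:])
    return groups

def check(cfg_a, cfg_b):
    """Compare the two peers' backup groups and return a list of findings."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for vrid in sorted(a.keys() ^ b.keys()):
        out.append(f"vrid {vrid}: configured on one peer only")
    for vrid in sorted(a.keys() & b.keys()):
        x, y = a[vrid], b[vrid]
        for opt in ("virtual-ip", "timer", "authentication-mode"):
            if x.get(opt) != y.get(opt):
                out.append(f"vrid {vrid}: {opt} differs between peers")
        if x["ip"] is not None and x["ip"] == y["ip"]:
            out.append(f"vrid {vrid}: both peers use interface address {x['ip']}")
        for peer in (x, y):
            vip = peer.get("virtual-ip")
            if peer["ip"] and vip and ipaddress.ip_address(vip) not in peer["ip"].network:
                out.append(f"vrid {vrid}: {vip} is outside {peer['ip'].network}")
        if x["priority"] == y["priority"]:
            out.append(f"vrid {vrid}: equal priority {x['priority']}, Master not pinned")
    return out

if __name__ == "__main__":
    print("\n".join(check(SW7, SW8_FAULTY)))
```

With equal priorities the election falls back to the higher interface address, so the group still forms, but the Master is no longer the one the design intended.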
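Topology 2 (VRRP + router-on-a-stick)
This structure is rarely used in real enterprise environments. Besides being highly reliable, the gateway also has to use router-on-a-stick to share the load of intranet traffic. On Cisco routers, only IOS images carrying the is keyword support router-on-a-stick.
Configuration approach: SW1 carries VLAN 2 and VLAN 3; RT1 and RT2 run VRRP backup groups as the intranet gateway.
On RT1: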
interface GigabitEthernet0/0/0.1
vlan-type dot1q vid 2
ip address 192.168.2.253 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.2.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 1
vrrp vrid 2 timer advertise 3
vrrp vrid 2 authentication-mode simple 123
interface GigabitEthernet0/0/0.2
vlan-type dot1q vid 3
ip address 192.168.3.253 255.255.255.0
vrrp vrid 3 virtual-ip 192.168.3.254
vrrp vrid 3 priority 100
vrrp vrid 3 preempt-mode timer delay 1
vrrp vrid 3 timer advertise 3
vrrp vrid 3 authentication-mode simple 123
On RT2:
interface GigabitEthernet0/0/0.1
vlan-type dot1q vid 2
ip address 192.168.2.252 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.2.254
vrrp vrid 2 priority 100
vrrp vrid 2 preempt-mode timer delay 1
vrrp vrid 2 timer advertise 3
vrrp vrid 2 authentication-mode simple 123
interface GigabitEthernet0/0/0.2
vlan-type dot1q vid 3
ip address 192.168.3.252 255.255.255.0
vrrp vrid 3 virtual-ip 192.168.3.254
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 1
vrrp vrid 3 timer advertise 3
vrrp vrid 3 authentication-mode simple 123
Verification:
[RT1]display vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface          VRID  State        Run     Adver   Auth      Virtual
                                      Pri     Timer   Type      IP
---------------------------------------------------------------------
GE0/0/0.1          2     Master       120     3       Simple    192.168.2.254
GE0/0/0.2          3     Backup       100     3       Simple    192.168.3.254
[RT1]display vrrp verbose
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface GigabitEthernet0/0/0.1
VRID : 2 Adver Timer : 3
Admin Status : Up State : Master
Config Pri : 120 Running Pri : 120
Preempt Mode : Yes Delay Time : 1
Auth Type : Simple Key : 123
Virtual IP : 192.168.2.254
Virtual MAC : 0000-5e00-0102
Master IP : 192.168.2.253
Interface GigabitEthernet0/0/0.2
VRID : 3 Adver Timer : 3
Admin Status : Up State : Backup
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 1
Auth Type : Simple Key : 123
Virtual IP : 192.168.3.254
Master IP : 192.168.3.252
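The fields in this verbose output map directly onto the VRRP advertisement that the Master sends. The following is an added example, not part of the original page: a decoder for a VRRPv2 advertisement, assuming the RFC 2338 message layout, in which Auth Type simple places the key as plain text in the 8-byte authentication field. `SAMPLE` is constructed by hand from RT1's vrid 2 settings and is not a capture.

```python
import ipaddress
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "ip-ah"}   # VRRPv2 Auth Type values

# Constructed sample (not a capture): the VRRP payload RT1 would advertise for
# vrid 2, priority 120, interval 3 s, virtual IP 192.168.2.254, simple key "123".
SAMPLE = bytes.fromhex("21027801" "01033e20" "c0a802fe" "3132330000000000")

def checksum(data):
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(pkt):
    """Decode a VRRPv2 advertisement (the IP payload, protocol 112)."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth, adver, _ = struct.unpack("!6BH", pkt[:8])
    if ver_type != 0x21:                      # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:         # header + addresses + auth data
        raise ValueError("length does not match Count IP Addrs")
    vips = [str(ipaddress.ip_address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "vrid": vrid,
        "priority": prio,
        "adver_int": adver,
        "auth_type": AUTH_TYPES.get(auth, f"unknown({auth})"),
        "auth_data": pkt[-8:].rstrip(b"\x00"),
        "virtual_ips": vips,
        "virtual_mac": f"0000-5e00-01{vrid:02x}",
        "checksum_ok": checksum(pkt) == 0,    # a valid message sums to zero
    }

if __name__ == "__main__":
    print(parse_advert(SAMPLE))
```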
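Topology 3:
This is the typical 1+1 redundancy structure and is very widely used in practice; many fund companies in the financial industry in particular use it. However, as layer-3 switches have developed, router forwarding performance has looked increasingly inadequate, and enterprise networks now value routers mainly for their rich service access capabilities, such as E1 lines and voice access. Routers in this mode are usually interconnected with layer-3 devices such as firewalls, and the whole architecture runs at layer 3: the routers run VRRP or HSRP in combination with the firewalls' HA, and the firewalls usually sit closer to the network edge. When the firewall HA fails over, VRRP with only its basic functions does not change roles along with the HA switchover, so track+nqa (H3C), track+sla (Cisco), track+dldp (Ruijie) or similar is usually needed on the interfaces between the routers and the firewalls to trigger the master/backup switchover. The configuration is broadly the same as for the first structure above, so the VRRP configuration is not repeated here; a separate document on high-availability switchover will follow later.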