How VRRP works
VRRP: Virtual Router Redundancy Protocol
- Application scenario
When an end host talks to a device on another subnet, the traffic must go through a gateway. With a single gateway the network has a single point of failure, so to keep one gateway outage from cutting off communication we recommend adding several gateways to the same subnet, which gives gateway redundancy and a more reliable network. Deploying several gateways, however, brings problems of its own:
1. the gateway IP addresses conflict;
2. end users have to keep switching gateway IP addresses.
To solve both we run VRRP between the gateways on the same subnet so that they form one virtual gateway; the end hosts are configured with, and use, only that virtual gateway.
- Function
Configured and run between several real gateways on one subnet, VRRP forms a single virtual router, giving gateway redundancy and load sharing (by running several VRRP groups with a different master for each).
- Overview
VRRP is an open standard protocol; the version used on IPv4 networks is VRRP version 2. VRRP is a network-layer protocol: its messages are carried directly after the IP header with protocol number 112, and they are sent by multicast to 224.0.0.18
(the address of all VRRP routers).
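As an added example that is not part of these lab notes, the following Python parses the VRRPv2 advertisement that follows the IP header (protocol 112), verifies its checksum, derives the virtual MAC from the VRID and audits a captured advertisement against what the segment should carry. The field layout is the RFC 3768 one. The two sample advertisements are constructed inline with the lab's own values (VRID 10, virtual IP 192.168.1.254, sw1 at priority 200); the rogue sender 192.168.1.66, the member list and the audit rules are assumptions for illustration, not Huawei behaviour.

```python
"""VRRPv2 advertisement parser and audit helper (added example, not from the lab notes).

RFC 3768 layout: octet 0 = version (4 bits) / type (4 bits), 1 = VRID, 2 = priority,
3 = count of virtual IPs, 4 = auth type, 5 = advertisement interval, 6-7 = checksum,
then count * 4 bytes of virtual IPs, then 8 bytes of authentication data.
"""
import ipaddress
import struct

VRRP_PROTOCOL = 112            # protocol number in the IP header
VRRP_MULTICAST = "224.0.0.18"  # destination of every advertisement
VRRP_TTL = 255                 # advertisements must arrive with TTL 255 (checked on the IP header, not here)


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, vips, adver_int: int = 1,
                 auth_type: int = 0, auth_data: bytes = b"") -> bytes:
    """Build an advertisement with a correct checksum; used here only to construct sample input."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    msg = header + body + auth_data.ljust(8, b"\x00")[:8]
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advert(payload: bytes) -> dict:
    """Decode the VRRP message that follows the IP header."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", payload[:8])
    version, msg_type = vt >> 4, vt & 0x0F
    if version != 2 or msg_type != 1:
        raise ValueError("not a VRRPv2 advertisement (version %d, type %d)" % (version, msg_type))
    end = 8 + 4 * count + 8
    if len(payload) < end:
        raise ValueError("truncated VRRP body")
    vips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "vrid": vrid,
        "priority": prio,
        "adver_int": adver_int,
        "auth_type": auth_type,                    # 0 = none, 1 = simple text (key readable on the wire)
        "auth_data": payload[8 + 4 * count:end],
        "virtual_ips": vips,
        "checksum_ok": inet_checksum(payload[:end]) == 0,
        "virtual_mac": "0000-5e00-01%02x" % vrid,  # the MAC the master answers ARP with
    }


def audit_advert(adv: dict, src_ip: str, expected: dict) -> list:
    """Findings for a captured advertisement; expected = {"vrid", "virtual_ips", "members"} (assumed shape)."""
    findings = []
    if not adv["checksum_ok"]:
        findings.append("bad checksum")
    if adv["vrid"] != expected["vrid"]:
        findings.append("unexpected VRID %d" % adv["vrid"])
    if set(adv["virtual_ips"]) != set(expected["virtual_ips"]):
        findings.append("virtual IP set differs from configuration")
    if src_ip not in expected["members"]:
        findings.append("advertisement from non-member %s" % src_ip)
    if adv["priority"] == 255:
        findings.append("priority 255: sender claims to own the virtual IP")
    if adv["auth_type"] == 0:
        findings.append("no authentication configured")
    return findings


# Constructed samples: the lab's master (sw1, priority 200) and a rogue host claiming the virtual IP.
EXPECTED = {"vrid": 10, "virtual_ips": ["192.168.1.254"], "members": {"192.168.1.1", "192.168.1.2"}}
LEGIT = build_advert(vrid=10, priority=200, vips=["192.168.1.254"])
ROGUE = build_advert(vrid=10, priority=255, vips=["192.168.1.254"])

if __name__ == "__main__":
    print(parse_advert(LEGIT))
    print(audit_advert(parse_advert(LEGIT), "192.168.1.1", EXPECTED))
    print(audit_advert(parse_advert(ROGUE), "192.168.1.66", EXPECTED))
```

To use it on a real capture, hand parse_advert the bytes after the IP header and check separately that the IP header carried TTL 255 and destination 224.0.0.18; an advertisement from an address that is not one of the configured gateways, or one with priority 255, is the signature of a host trying to take over the virtual gateway.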
- Device roles:
Master gateway: chosen by comparing VRRP priorities; the gateway with the higher priority is the master.
It periodically sends VRRP advertisements to maintain the master and backup roles; the default interval is 1 s.
Backup gateway: chosen by comparing VRRP priorities; the gateway with the lower priority is the backup.
It judges the master's state by continuously receiving the master's advertisements;
if no advertisement arrives within a certain time, it assumes the master has failed and promotes itself to master.
That "certain time" defaults to three times the master's advertisement interval, so 3 s by default (plus a small skew time derived from the backup's own priority, so the highest-priority backup times out first).
Virtual gateway: the gateway IP address created by VRRP; this is the address configured on the end hosts.
When an end host sends traffic to another subnet it sends it to the virtual gateway IP;
only the master answers ARP requests for the virtual gateway IP (with the virtual MAC 0000-5e00-01xx, xx being the VRID), so the host's traffic
ends up at the master.
VRRP states of a gateway:
@ Initialize: VRRP has just started.
@ Master: the interface holds the master role; it forwards user traffic and periodically sends VRRP advertisements.
@ Backup: the interface holds the backup role; it does not forward user traffic and only receives the master's advertisements.
VRRP election rules:
1. First compare VRRP priority; the higher value wins; the default is 100.
2. Then compare the IP address of the interface running VRRP; the higher address wins.
Working principle
1. The gateways send VRRP advertisements to each other and compare priorities.
2. The higher priority becomes master, the lower priority becomes backup.
sw1
<Huawei>u t m // undo terminal monitor: stop log messages from interrupting the console
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys sw1 // set the host name
[sw1]vlan 10 // create VLAN 10
[sw1-vlan10]q // back to system view
[sw1]int g0/0/2 // enter the interface
[sw1-GigabitEthernet0/0/2]port link-type trunk // make the port a trunk
[sw1-GigabitEthernet0/0/2]port trunk allow-pass vlan all // allow all VLANs through
sw2
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys sw2
[sw2]vlan 10
[sw2-vlan10]q
[sw2]int g0/0/2
[sw2-GigabitEthernet0/0/2]port link-type trunk
[sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
sw3
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys sw3
[sw3]vlan 10
[sw3-vlan10]q
[sw3]port-group 1
[sw3-port-group-1]group-member g0/0/1 g0/0/2
[sw3-port-group-1]port link-type trunk
[sw3-port-group-1]port trunk allow-pass vlan all
[sw3-port-group-1]q
[sw3]int e0/0/3
[sw3-Ethernet0/0/3]port link-type access // access port towards the PC
[sw3-Ethernet0/0/3]port default vlan 10 // put the access port into VLAN 10 (untagged)
sw1
[sw1]int vlanif 10 // the VLANIF interface of the VLAN 10 you created
[sw1-Vlanif10]ip address 192.168.1.1 24 // real address of this gateway
[sw1-Vlanif10]vrrp vrid 10 virtual-ip 192.168.1.254 // create VRRP group 10 on VLAN 10 and give it the virtual gateway IP
[sw1-Vlanif10]vrrp vrid 10 priority 200 // set the priority
The gateway with the higher priority does the work as master.
sw2
Give sw2's VLANIF an address and check whether it can reach sw1:
[sw2]int vlanif 10
[sw2-Vlanif10]ip address 192.168.1.2 24 // real address of this gateway
[sw2-Vlanif10]ping 192.168.1.1 // test connectivity to sw1
[sw2-Vlanif10]vrrp vrid 10 virtual-ip 192.168.1.254 // join VRRP group 10 with the same virtual gateway IP
[sw2-Vlanif10]vrrp vrid 10 priority 150 // lower VRRP priority: sw2 becomes backup
Test from the PC and capture packets to see the advertisements.
display vrrp brief // mainly check the State column: Backup or Master
sw1 (uplink to R1)
<sw1> u t m
Info: Current terminal monitor is off.
<sw1>sys
Enter system view, return user view with Ctrl+Z.
[sw1]vlan 20
[sw1-vlan20]int vlanif 20
[sw1-Vlanif20]ip address 192.168.10.2 30
[sw1-Vlanif20]q
[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access
[sw1-GigabitEthernet0/0/1]port default vlan 20
[sw1-GigabitEthernet0/0/1]q
[sw1]ip route-static 0.0.0.0 0 192.168.10.1 // default route towards R1
R1
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 1.1.1.254 24
[R1-GigabitEthernet0/0/0]q
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.10.1 30
[R1-GigabitEthernet0/0/1]q
[R1]ip route-static 192.168.1.0 24 192.168.10.2
[R1]
ping 1.1.1.1
Shut down the uplink interface on the Layer-3 switch to simulate a failed port: the PC can no longer reach PC2. To survive this we use several links in parallel.
[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]shutdown // shut the interface down
[sw1-GigabitEthernet0/0/1]undo shutdown // bring it back up
sw2
[sw2]vlan 30
[sw2-vlan30]int vlanif 30
[sw2-Vlanif30]ip address 192.168.20.2 30
[sw2-Vlanif30]q
[sw2]int g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type access
[sw2-GigabitEthernet0/0/1]port default vlan 30
[sw2]ip route-static 0.0.0.0 0 192.168.20.1
R1
[R1]int g2/0/0
[R1-GigabitEthernet2/0/0]ip address 192.168.20.1 30
[R1-GigabitEthernet2/0/0]q
[R1]ip route-static 192.168.1.0 24 192.168.20.2
[R1]
Simulating the failure of the first switch: VRRP fails over to the backup gateway automatically, and once the first switch is repaired it takes the master role back (preemption is on by default).
sw1
Tracking
[sw1-Vlanif20]int vlanif 10
[sw1-Vlanif10]vrrp vrid 10 track int g0/0/1 reduced 110 // on the master, track the uplink g0/0/1: if it goes down, lower this gateway's priority by 110 (200 - 110 = 90 < 150, so sw2 takes over)
Floating routes
Floating routes:
- Application scenario
In some environments the routers themselves rarely fail, but the links between them do. To avoid a single-link failure between devices we add several links between them and so get link backup.
To implement this,
the router must put the route for the primary link into the routing table first;
the route for the backup link must not go into the routing table;
only when the primary link fails may the backup link's route enter the routing table;
and once the primary link is repaired, the backup route must leave the routing table again.
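The selection rule above, as an added example that is not part of these notes: a minimal routing table that installs, per prefix, the reachable static route with the lowest preference and re-evaluates when an interface changes state. The prefixes and next hops are the ones the R1 configuration below uses (192.168.4.0/24 via 192.168.2.2, and via 192.168.3.2 with preference 100); the interface names and the link-state dictionary are assumptions for illustration. The "lower preference wins, default 60" rule is Huawei's for static routes.

```python
"""Floating static routes: selection by preference, re-evaluated on link state (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    out_if: str            # assumed: the interface the next hop is reached through
    preference: int = 60   # Huawei default preference for a static route


def routing_table(candidates, link_up):
    """Per prefix, install the reachable candidate with the lowest preference.

    A route whose outgoing interface is down never enters the table; that is what
    lets the higher-preference (backup) entry float in and out.
    """
    table = {}
    for r in candidates:
        if not link_up.get(r.out_if, False):
            continue
        best = table.get(r.prefix)
        if best is None or r.preference < best.preference:
            table[r.prefix] = r
    return table


def lookup(table, dst):
    """Longest-prefix match over the installed routes; returns a StaticRoute or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, route in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


# The lab's pair of routes for 192.168.4.0/24 (interface names assumed).
ROUTES = [
    StaticRoute("192.168.4.0/24", "192.168.2.2", "g0/0/0"),                  # primary, preference 60
    StaticRoute("192.168.4.0/24", "192.168.3.2", "g0/0/1", preference=100),  # floating backup
]


def path_to(dst, link_up):
    """Next hop used for dst under the given link state, or None if nothing matches."""
    route = lookup(routing_table(ROUTES, link_up), dst)
    return route.next_hop if route else None


if __name__ == "__main__":
    for state in ({"g0/0/0": True, "g0/0/1": True}, {"g0/0/0": False, "g0/0/1": True},
                  {"g0/0/0": True, "g0/0/1": True}, {"g0/0/0": False, "g0/0/1": False}):
        print(state, "->", path_to("192.168.4.10", state))
```

The caveat this makes visible: a floating static route only reacts to the local interface going down. If the link stays up but the path beyond it is broken, the primary route stays installed and traffic is black-holed, which is the same failure mode VRRP link tracking (below) addresses for gateways.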
sw1
u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]vlan 10
[Huawei-vlan10]q
[Huawei]port-group 1
[Huawei-port-group-1]group-member g0/0/2 e0/0/1
[Huawei-port-group-1]port link-type access
[Huawei-port-group-1]port default vlan 10
sw2
[sw2]vlan 40
[sw2-vlan40]q
[sw2-port-group-1]group-member e0/0/1 e0/0/2
[sw2-port-group-1]port link-type access
[sw2-port-group-1]port default vlan 40
R1
[R1-Ethernet0/0/0]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.2.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.3.1 24
[Huawei]int g2/0/0
[Huawei-GigabitEthernet2/0/0]ip address 192.168.1.254 24
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.1 24
[Huawei]ip route-static 192.168.4.0 24 192.168.2.2
R1
[Huawei]ip route-static 192.168.3.0 255.255.255.0 192.168.2.2
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.3.1 24
This shows both interfaces in use at the same time.
R1
[Huawei]ip route-static 192.168.4.0 255.255.255.0 192.168.3.2 preference 100 // preference: the lower value wins (static default 60), so this route is used only when the preference-60 route is gone
ip route-static 192.168.1.0 255.255.255.0 192.168.3.1 preference 100 // same: a backup route with a worse preference
A capture on interface 0 shows the traffic;
interface 1 is not in use.
<sw3>u t m
Info: Current terminal monitor is off.
<sw3>sys
Enter system view, return user view with Ctrl+Z.
[sw3] vlan batch 2 5
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw3]int e0/0/3
[sw3-Ethernet0/0/3]port link-type access
[sw3-Ethernet0/0/3]port default vlan 2
[sw3-Ethernet0/0/3]int e0/0/1
[sw3-Ethernet0/0/1]port link-type access
[sw3-Ethernet0/0/1]port default vlan 5
[sw3-Ethernet0/0/1]int g0/0/1
[sw3-GigabitEthernet0/0/1]port-group 1
[sw3-port-group-1]group-member g0/0/1 g0/0/2
[sw3-port-group-1]port link-type trunk
[sw3-port-group-1]port trunk allow-pass vlan all
SW1
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys SW1
[SW1]vlan batch 2 3 5
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]int vlan 2
[SW1-Vlanif2]ip address 192.168.1.1 24
[SW1-Vlanif2]int vlan 5
[SW1-Vlanif5]ip address 192.168.5.1 24
[SW1-Vlanif5]q
[SW1]port-group group-member g0/0/2
[SW1-port-group]port link-type trunk
[SW1-port-group]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 3
[SW1]int vlan3
[SW1-Vlanif3]ip address 192.168.2.1 24
[SW1]int vlan 2
[SW1-Vlanif2] vrrp vrid 2 virtual-ip 192.168.1.254 // virtual gateway for VLAN 2
[SW1-Vlanif2] vrrp vrid 2 priority 200 // higher than the backup's; the configurable range is 1 to 254 (255 is reserved for the owner of the virtual IP, 0 is only sent by a master giving up the role)
[SW1]int vlan5
[SW1-Vlanif5]vrrp vrid 5 virtual-ip 192.168.5.254 // virtual gateway for VLAN 5; it must lie in the VLANIF's subnet
[SW1-Vlanif5]vrrp vrid 5 priority 160 // lower than SW2's 200 on this group, so SW2 is master for VLAN 5 (load sharing between the two groups)
[SW1]int vlan 2
[SW1-Vlanif2] vrrp vrid 2 track interface gi0/0/1 reduced 110 // if g0/0/1 goes down, reduce the priority by 110
[SW1]ip route-static 192.168.3.0 255.255.255.0 192.168.2.2
[SW1]ip route-static 192.168.4.0 255.255.255.0 192.168.4.1
[SW1]ip route-static 192.168.4.0 255.255.255.0 192.168.2.2
[SW1]ip route-static 192.168.6.0 255.255.255.0 192.168.2.2
VRRP link tracking:
- Application scenario
Normally, if the VRRP master's inside link fails so that it can no longer send advertisements,
the backup notices after three advertisement intervals and promotes itself to master; forwarding is not affected.
But
if the link from the master to the outside network fails, the master can no longer forward traffic to other subnets, yet it still holds the master role. The hosts' traffic is still received by that device and is simply dropped, because it has no route to the other subnets, so forwarding stops.
To avoid this we introduce VRRP link tracking: when the link that VRRP tracks goes down,
the priority the master advertises is lowered automatically, below the backup's priority,
so the former backup becomes master and keeps forwarding user traffic.
When the tracked link comes back up, the priority returns to its original value and that device becomes master again and forwards user
traffic.
- Configuration:
Configured only on the master's VRRP interface; the tracked link is interface gi0/0/1.
If that port goes down, the priority the master advertises drops from 200 to 90 and it becomes backup.
Configuration:
SW1:
interface vlanif 2
vrrp vrid 2 track interface gi0/0/1 reduced 110
// while gi0/0/1 is down, the advertisements sent from this interface carry priority 90,
i.e. 200 - 110, which lets SW2 (priority 150) become master.
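The election rules from "Working principle" and the link-tracking behaviour just described, as one added simulation that is not part of these notes. Priorities, addresses and the tracked interface are the lab's own (sw1 200 / sw2 150, track g0/0/1 reduced 110); the timer formulas (skew time and master-down interval) are RFC 3768's. Two assumptions are labelled in the code: the advertised priority is never reduced below 1, and a preempting backup is modelled as taking over within one advertisement interval.

```python
"""VRRP election, failover timing and link tracking (added example, not from the lab notes)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    ip: str                                        # real interface IP on the VRRP segment
    priority: int                                  # configured value, 1..254
    adver_int: float = 1.0                         # advertisement interval in seconds
    tracked: dict = field(default_factory=dict)    # {interface: reduced}
    link_up: dict = field(default_factory=dict)    # {interface: True/False}

    def running_priority(self) -> int:
        """PriorityRun: configured priority minus 'reduced' for every tracked interface that is down."""
        prio = self.priority
        for ifname, reduced in self.tracked.items():
            if not self.link_up.get(ifname, True):
                prio -= reduced
        return max(prio, 1)   # assumption: never advertise below 1 (0 is reserved for a master giving up)

    def skew_time(self) -> float:
        """RFC 3768: (256 - priority) / 256, so higher-priority backups react sooner."""
        return (256 - self.running_priority()) / 256

    def master_down_interval(self) -> float:
        """How long a backup waits without advertisements before declaring the master dead."""
        return 3 * self.adver_int + self.skew_time()


def elect_master(routers):
    """Higher running priority wins; a tie goes to the higher interface IP address."""
    return max(routers, key=lambda r: (r.running_priority(), int(ipaddress.IPv4Address(r.ip))))


def failover_time(routers, failed_master, event):
    """Seconds until a new master takes over.

    event == "crash": the master stops advertising; the best backup waits master_down_interval.
    event == "track": the master keeps advertising with a reduced priority; a backup with a higher
                      priority preempts on the next advertisement it sees (Preempt YES, Delay 0),
                      modelled here as one advertisement interval (assumption).
    """
    if event == "crash":
        backups = [r for r in routers if r is not failed_master]
        return elect_master(backups).master_down_interval()
    return failed_master.adver_int


def lab_scenario():
    """Walk through the lab: steady state, uplink loss on sw1, uplink restored."""
    sw1 = VrrpRouter("sw1", "192.168.1.1", 200, tracked={"g0/0/1": 110}, link_up={"g0/0/1": True})
    sw2 = VrrpRouter("sw2", "192.168.1.2", 150)
    routers = [sw1, sw2]
    steps = [("initial", elect_master(routers).name, sw1.running_priority())]
    sw1.link_up["g0/0/1"] = False   # tracked uplink goes down: 200 - 110 = 90 < 150
    steps.append(("g0/0/1 down", elect_master(routers).name, sw1.running_priority()))
    sw1.link_up["g0/0/1"] = True    # uplink restored: back to 200, sw1 preempts
    steps.append(("g0/0/1 up", elect_master(routers).name, sw1.running_priority()))
    return steps


if __name__ == "__main__":
    for step in lab_scenario():
        print(step)
    sw1 = VrrpRouter("sw1", "192.168.1.1", 200)
    sw2 = VrrpRouter("sw2", "192.168.1.2", 150)
    print("crash failover:", failover_time([sw1, sw2], sw1, "crash"))   # 3 + (256 - 150) / 256
    print("track failover:", failover_time([sw1, sw2], sw1, "track"))
```

The two failover paths differ in what the backup has to see: after a crash it waits the full master-down interval (about 3.4 s for sw2), whereas with tracking the master itself announces the lower priority, so the switchover is driven by the next advertisement rather than by a timeout. Tracking still only watches the interface state, so a broken path beyond an up interface is not detected.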
sw2
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys SW2
[SW2]vlan batch 2 4 5
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/2]q
[SW2]int g0/0/4
[SW2-GigabitEthernet0/0/4]port link-type access
[SW2-GigabitEthernet0/0/4]port default vlan 4
[SW2-GigabitEthernet0/0/4]q
[SW2]int vlan 2
[SW2-Vlanif2]ip address 192.168.1.2 24
[SW2-Vlanif2]int vlan 5
[SW2-Vlanif5]ip address 192.168.5.2 24
[SW2-Vlanif5]int vlan 4
[SW2-Vlanif4]ip address 192.168.4.1 24
[SW2]int vlan2
[SW2-Vlanif2]vrrp vrid 2 virtual-ip 192.168.1.254
[SW2-Vlanif2]vrrp vrid 2 priority 150
display vrrp brief
[SW2]int vlan 5
[SW2-Vlanif5]vrrp vrid 5 virtual-ip 192.168.5.254
[SW2-Vlanif5]vrrp vrid 5 priority 200
[SW2]ip route-static 192.168.3.0 255.255.255.0 192.168.7.2
[SW2]ip route-static 192.168.4.0 255.255.255.0 192.168.7.2
[SW2]ip route-static 192.168.6.0 255.255.255.0 192.168.7.2
R1
<R1>u t m
Info: Current terminal monitor is off.
<R1>sys
Enter system view, return user view with Ctrl+Z.
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip address 192.168.2.2 24
[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.3.2 24
[R1-GigabitEthernet0/0/0]q
[R1]int g2/0/2
[R1-GigabitEthernet2/0/2]ip address 192.168.4.2 255.255.255.0
[R1-GigabitEthernet2/0/2]int g2/0/3
[R1-GigabitEthernet2/0/3]ip address 192.168.7.2 255.255.255.0
[R1]ip route-static 192.168.1.0 255.255.255.0 192.168.10.2
[R1]ip route-static 192.168.1.0 255.255.255.0 192.168.20.2
[R1]ip route-static 192.168.1.0 255.255.255.0 192.168.2.1
[R1]ip route-static 192.168.5.0 255.255.255.0 192.168.2.1
[R1]ip route-static 192.168.5.0 255.255.255.0 192.168.7.1
[R1]ip route-static 192.168.6.0 255.255.255.0 192.168.3.1
[R1]ip route-static 192.168.6.0 255.255.255.0 192.168.4.1 preference 100 // backup path: the lower preference wins and the static default is 60, so this entry is used only when the preference-60 route disappears
R2
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys R2
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.3.1 24
[R2-GigabitEthernet0/0/1]int g2/0/0
[R2-GigabitEthernet2/0/0]ip address 192.168.4.1 24
[R2-GigabitEthernet2/0/0]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.6.2 24
[R2-GigabitEthernet0/0/0]q
[R2]ip route-static 192.168.1.0 255.255.255.0 192.168.3.2
[R2]ip route-static 192.168.1.0 255.255.255.0 192.168.4.2
[R2]ip route-static 192.168.2.0 255.255.255.0 192.168.3.2
[R2]ip route-static 192.168.2.0 255.255.255.0 192.168.4.2 preference 100
[R2]ip route-static 192.168.5.0 255.255.255.0 192.168.4.2
[R2]ip route-static 192.168.6.0 255.255.255.0 192.168.2.2
[R2]ip route-static 192.168.6.0 255.255.255.0 192.168.4.2
[R2]ip route-static 192.168.7.0 255.255.255.0 192.168.4.2
VRRP authentication:
- Purpose:
Without it, any router or host on the same subnet can send advertisements with a higher priority (up to 255) and take over the virtual gateway, putting itself in the path of every host's off-subnet traffic. To stop other devices on the segment from attacking the current VRRP master and to protect the master role, configuring VRRP authentication is strongly recommended.
- Authentication types:
1. plain text (simple)
2. keyed hash (MD5)
Simple mode carries the key in every advertisement, readable by anyone who can sniff the segment, so only MD5 keeps the key off the wire. In both modes the key is shared by every member, so it is only as secret as the least-protected configuration file that contains it.
- Authentication rules:
1. the authentication type must be the same;
2. the authentication key must be the same.
In short:
the authentication configuration on the master and the backup must be identical.
- Configuration command:
SW1/SW2:
interface vlanif 2
vrrp vrid 2 authentication-mode md5 NTD1902 // authentication mode and key
Viewing the detailed VRRP parameters:
display vrrp
Vlanif2 | Virtual Router 2
State : Master // VRRP state
Virtual IP : 192.168.1.254 // virtual gateway IP address
Master IP : 192.168.1.1 // interface IP address of the master
PriorityRun : 200 // priority currently in effect (after any tracking reduction)
PriorityConfig : 200 // configured priority
MasterPriority : 200 // priority of the current master
Preempt : YES Delay Time : 0 s // preemption is on by default, with no delay
TimerRun : 1 s // advertisement interval the master is currently using
TimerConfig : 1 s // advertisement interval configured on this device
Auth type : NONE // authentication type; the default is none
Virtual MAC : 0000-5e00-0102 // virtual MAC of the virtual gateway: 0000-5e00-01 followed by the VRID (02)
Check TTL : YES // advertisements must arrive with TTL 255; one that has been routed here is discarded
Config type : normal-vrrp
Track IF : GigabitEthernet0/0/1 Priority reduced : 110 // VRRP link tracking
IF state : UP // state of the tracked interface, currently UP
Create time : 2020-02-21 14:45:36 UTC-08:00
Last change time : 2020-02-21 16:30:00 UTC-08:00
[SW2]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
2 Backup Vlanif2 Normal 192.168.1.254 // backup for VLAN 2; the virtual IP is the hosts' gateway
5 Master Vlanif5 Normal 192.168.5.254 // master for VLAN 5
----------------------------------------------------------------
Total:2 Master:1 Backup:1 Non-active:0