VRRP: dual backup groups plus dual-line backup
Customer's current situation: two telecom fibre links, A and B; two NBR2000 routers, ls1 and ls2; 365 PCs; internal IP ranges 192.168.1.0/24 and 192.168.2.0/24; PC gateways 192.168.1.1 and 192.168.2.1.
Customer requirements:
1. The two fibre links back each other up: when one fails, traffic switches to the other automatically.
2. The two routers back each other up: when one fails, traffic switches to the other automatically.
Requirements analysis:
1. Both routers connect to both fibre links on their two WAN ports, with floating routes configured: ls1 normally uses link A and ls2 normally uses link B; when a link fails, the floating route takes effect.
2. Configure two VRRP backup groups with virtual gateways 192.168.1.1/24 and 192.168.2.1/24, matching the gateway settings on the PCs below. ls1 is master for VRRP group 1 and backup for group 2; ls2 is master for group 2 and backup for group 1. When one router fails, the other takes over automatically and forwards all PC traffic.
Implementation (unrelated configuration omitted):
ls1#sh run
hostname ls1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
interface FastEthernet 0/2
 ip nat outside
 ip address 222.80.180.5 255.255.255.248
 duplex auto
 speed auto
!
interface Null 0
!
interface GigabitEthernet 0/0
 vrrp 1 priority 120
 vrrp 1 preempt delay 5
 vrrp 1 ip 192.168.1.1
 vrrp 2 timers learn
 vrrp 2 preempt delay 5
 vrrp 2 ip 192.168.2.1
 ip nat inside
 no ip redirects
 no ip mask-reply
 no ip proxy-arp
 ip address 192.168.1.250 255.255.255.0
 ip address 192.168.2.252 255.255.255.0 secondary
 duplex auto
 speed auto
!
interface GigabitEthernet 0/1
 ip nat outside
 no ip redirects
 no ip mask-reply
 no ip proxy-arp
 ip address 222.80.180.21 255.255.255.248
 duplex auto
 speed auto
!
!
ip nat pool nbr_setup_build_pool prefix-length 24
 address 222.80.180.21 222.80.180.21 match interface GigabitEthernet 0/1
 address 222.80.180.5 222.80.180.5 match interface FastEthernet 0/2
!
ip nat inside source list 1 pool nbr_setup_build_pool
ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/1 222.80.180.17
ip route 0.0.0.0 0.0.0.0 FastEthernet 0/2 222.80.180.1 10
ls1#sh vrrp b
Interface            Grp Pri Time Own Pre State  Master addr    Group addr
GigabitEthernet 0/0  1   120 -    -   P   Master 192.168.1.250  192.168.1.1
GigabitEthernet 0/0  2   100 -    -   P   Backup 192.168.2.250  192.168.2.1
ls1#sh vrrp
GigabitEthernet 0/0 - Group 1
  State is Master
  Virtual IP address is 192.168.1.1 configured
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1 sec
  Preemption is enabled
    min delay is 5 sec
  Priority is 120
  Master Router is 192.168.1.250 (local), priority is 120
  Master Advertisement interval is 1 sec
  Master Down interval is 3 sec
GigabitEthernet 0/0 - Group 2
  State is Backup
  Virtual IP address is 192.168.2.1 configured
  Virtual MAC address is 0000.5e00.0102
  Advertisement interval is 1 sec
  Preemption is enabled
    min delay is 5 sec
  Priority is 100
  Master Router is 192.168.2.250, priority is 120
  Master Advertisement interval is 1 sec
  Master Down interval is 3 sec
ls1#sh ip route
Codes: C - connected, S - static, R - RIP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default
Gateway of last resort is 222.80.180.17 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 222.80.180.17, GigabitEthernet 0/1
C    192.168.1.0/24 is directly connected, GigabitEthernet 0/0
C    192.168.1.1/32 is local host.
C    192.168.1.250/32 is local host.
C    192.168.2.0/24 is directly connected, GigabitEthernet 0/0
C    192.168.2.252/32 is local host.
C    222.80.180.0/29 is directly connected, FastEthernet 0/2
C    222.80.180.5/32 is local host.
C    222.80.180.16/29 is directly connected, GigabitEthernet 0/1
C    222.80.180.21/32 is local host.
##############################################################################################################
ls2#sh run
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
interface FastEthernet 0/2
 ip nat outside
 ip address 222.80.180.22 255.255.255.248
 duplex auto
 speed auto
!
interface Null 0
!
interface GigabitEthernet 0/0
 vrrp 1 timers learn
 vrrp 1 preempt delay 5
 vrrp 1 ip 192.168.1.1
 vrrp 1 description "VIP-area"
 vrrp 2 priority 120
 vrrp 2 preempt delay 5
 vrrp 2 ip 192.168.2.1
 ip nat inside
 no ip redirects
 ip address 192.168.2.250 255.255.255.0
 ip address 192.168.1.252 255.255.255.0 secondary
 duplex auto
 speed auto
!
interface GigabitEthernet 0/1
 ip nat outside
 ip address 222.80.180.6 255.255.255.248
 duplex auto
 speed auto
!
!
ip nat pool nbr_setup_build_pool prefix-length 24
 address 222.80.180.6 222.80.180.6 match interface GigabitEthernet 0/1
 address 222.80.180.22 222.80.180.22 match interface FastEthernet 0/2
!
ip nat inside source list 1 pool nbr_setup_build_pool
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/1 222.80.180.1
ip route 0.0.0.0 0.0.0.0 FastEthernet 0/2 222.80.180.17 10
ls2#sh vrrp
GigabitEthernet 0/0 - Group 1
  State is Backup
  Virtual IP address is 192.168.1.1 configured
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1 sec
  Preemption is enabled
    min delay is 5 sec
  Priority is 100
  Master Router is 192.168.1.250, priority is 120
  Master Advertisement interval is 1 sec
  Master Down interval is 3 sec
  Description : VIP-area
GigabitEthernet 0/0 - Group 2
  State is Master
  Virtual IP address is 192.168.2.1 configured
  Virtual MAC address is 0000.5e00.0102
  Advertisement interval is 1 sec
  Preemption is enabled
    min delay is 5 sec
  Priority is 120
  Master Router is 192.168.2.250 (local), priority is 120
  Master Advertisement interval is 1 sec
  Master Down interval is 3 sec
ls2#sh vrrp br
Interface            Grp Pri Time Own Pre State  Master addr    Group addr
GigabitEthernet 0/0  1   100 -    -   P   Backup 192.168.1.250  192.168.1.1
GigabitEthernet 0/0  2   120 -    -   P   Master 192.168.2.250  192.168.2.1
ls2#sh ip route
Codes: C - connected, S - static, R - RIP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default
Gateway of last resort is 222.80.180.1 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 222.80.180.1, GigabitEthernet 0/1
C    192.168.1.0/24 is directly connected, GigabitEthernet 0/0
C    192.168.1.252/32 is local host.
C    192.168.2.0/24 is directly connected, GigabitEthernet 0/0
C    192.168.2.1/32 is local host.
C    192.168.2.250/32 is local host.
C    222.80.180.0/29 is directly connected, GigabitEthernet 0/1
C    222.80.180.6/32 is local host.
C    222.80.180.16/29 is directly connected, FastEthernet 0/2
C    222.80.180.22/32 is local host.
Testing:
1. Unplug the network cable from ls1's G0/1 port: the floating route takes effect and traffic is switched to go out through F0/2. The same test passes on ls2.
2. Power off ls1: VRRP takes effect and all PC traffic switches to ls2 for forwarding, giving hot-standby redundancy. Plug the power back in and ls1 again becomes the gateway for VRRP group 1, forwarding the 192.168.1.0/24 traffic, which gives load sharing.
In both tests the network drops briefly; online games in particular will disconnect. The floating route switches over within 1 s, whereas VRRP needs 8-11 s (preempt 5 s + Master Down interval 3 s) to switch. Still, for a fully automatic setup this is a fairly complete way of implementing reliability.
PS: After the tests were completed the customer was very satisfied with the result. The customer actually had another original aim: when the network is under attack, the router should switch over automatically and keep the network uninterrupted. Can VRRP achieve this? I actually had this idea long ago and tested it, and found the real-world result unsatisfactory. VRRP works by having the backup continuously check the master's state: for example, with messages sent at a 1 s interval, the failure time is 3 s; if no message from the master is received within 3 s, the master is considered failed and the backup takes over as master. That looks perfect. But under a DDoS attack the router does not lose responsiveness completely: struggling on the edge of death, it still gets a few messages out. The original backup then thinks the master is alive again and hands the master role back to it. Then the master cannot send messages again, and the backup takes over again... round and round, round and round. The practical effect is that master and backup keep flipping state and the network is a complete mess, simply unusable. Unless the router dies completely, that is, the power is pulled or the hardware fails.
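To make the 8 s figure and the flapping argument above concrete, here is an added Python model (not configuration or output from this article) that replays the article's timers against a healthy master that dies, a master that is restored, and a master that only gets one advertisement out every 9 s; the 9 s pattern, the 100 ms tick and the assumption that the preempt delay runs after the Master Down interval are mine.

```python
"""VRRP backup-side state model, constructed for this article (not its config).

Replays the article's timers (Master Down interval 3 s, preempt delay 5 s)
against three advertisement patterns. Assumption: the preempt delay runs
after the Master Down interval expires, as the article's 8 s figure implies.
"""
MASTER_DOWN_MS = 3000    # "Master Down interval is 3 sec"
PREEMPT_DELAY_MS = 5000  # "vrrp ... preempt delay 5"
TICK_MS = 100            # simulation resolution (assumed)


def simulate(advert_times_ms, horizon_ms):
    """Return [(t_ms, old_state, new_state), ...] seen on the priority-100 backup.

    advert_times_ms: times at which an advertisement from the priority-120
    master reaches the backup; horizon_ms: how long to run the clock.
    """
    adverts = set(advert_times_ms)
    state, last_advert, transitions = "Backup", 0, []
    for t in range(0, horizon_ms + 1, TICK_MS):
        if t in adverts:
            last_advert = t
            if state == "Master":
                # the higher-priority master is heard again: hand the VIP back
                transitions.append((t, state, "Backup"))
                state = "Backup"
            continue
        silent_for = t - last_advert
        if state == "Backup" and silent_for >= MASTER_DOWN_MS + PREEMPT_DELAY_MS:
            transitions.append((t, state, "Master"))
            state = "Master"
    return transitions


def healthy_then_dead():
    # master advertises every second, then loses power after t = 10 s
    return simulate(range(0, 10001, 1000), 30000)


def master_restored():
    # power pulled at 10 s; master back (priority 120, preempting) from 25 s
    adverts = list(range(0, 10001, 1000)) + list(range(25000, 30001, 1000))
    return simulate(adverts, 30000)


def flapping_under_load():
    # saturated master: after 10 s it only gets one advertisement out per 9 s
    adverts = list(range(0, 10001, 1000)) + list(range(19000, 60001, 9000))
    return simulate(adverts, 60000)
```

A dead master produces exactly one transition, 8 s after its last advertisement; the saturated master produces a new transition roughly every 4 to 5 s, which is the flapping the text describes and is worth alerting on if the router logs VRRP state changes.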
Update: Regarding the concern above that VRRP keeps switching state under attack and the network suffers, I have a new view. If an attack reaches that level, the network would be just as unusable without VRRP, right? Someone then argued that at least without VRRP you could switch the gateway manually. That is not a problem either: if manual switching is what it comes down to, you can switch manually just as well with VRRP in place, because the setup is a dual VRRP backup group with two virtual gateways.