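Gateway redundancy presents several physical gateways as one or more virtual gateways, and hosts on the access-layer network are statically configured with these virtual gateways as their default gateway. The forwarding work of a virtual gateway is carried out by one physical gateway chosen by election; as long as the physical gateways do not all fail at the same time, one of them can always be elected to forward for the virtual gateway. Gateway redundancy can also be used to share traffic load. The main virtual-gateway technologies today are VRRP (Virtual Router Redundancy Protocol), HSRP (Hot Standby Router Protocol) and GLBP (Gateway Load Balancing Protocol); HSRP and GLBP are Cisco proprietary. HSRP provides functionality similar to VRRP, but neither of them offers load balancing. GLBP is optimized so that load balancing works with a single virtual gateway address configured.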
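A few terms first:
VRRP router:
A router that runs the VRRP protocol; it is a physical entity.
Virtual router:
The router created by VRRP; it is a logical concept.
Master router and backup router:
A VRRP group has exactly one router in the master role and may have one or more routers in the backup role.
VRRP uses an election policy to choose one router from the group as the master, which answers ARP requests and forwards IP packets. The other routers in the group stay on standby in the backup role.
That is enough of an introduction; for the formal theory, see RFC 3768. Let's go straight to an example, since practice is the best teacher.
Topology:
Configuration: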
--------------------ISP---------------------
int eth0
ip ad 8.8.8.8 24
loop
quit
int s1
ip ad 12.1.1.2 24
quit
int s0
ip ad 23.1.1.2 24
quit
----------------------R-1------------------
vrrp ping-enable #Enable ping of the VRRP virtual IP; without it the virtual gateway cannot be pinged
acl 2000 match-order auto
rule normal permit source any
quit
interface Ethernet1
ip address 172.16.1.1 255.255.255.0
vrrp vrid 172 virtual-ip 172.16.1.3 #Virtual IP address
vrrp vrid 172 priority 120
vrrp vrid 172 preempt-mode
vrrp vrid 172 track Serial1 reduced 30 #Reduce the priority by 30 when the upstream link goes down
quit
interface Serial1
ip address 12.1.1.1 255.255.255.0
nat outbound 2000 interface #NAT translation
quit
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 192.168.1.0 255.255.255.0 172.16.1.254 #Note the next-hop address here
--------------------------R-2-----------------------
vrrp ping-enable
acl 2000 match-order auto
rule normal permit source any
quit
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
vrrp vrid 172 virtual-ip 172.16.1.3
vrrp vrid 172 priority 100
vrrp vrid 172 preempt-mode
quit
interface Serial0
ip address 23.1.1.1 255.255.255.0
nat outbound 2000 interface
quit
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2
ip route-static 192.168.1.0 255.255.255.0 172.16.1.254
----------------------SW-0---------------------------
vlan 10
vlan 20
quit
vlan 10
port eth1/0/1 to eth1/0/4
quit
vlan 20
port eth1/0/21 to eth1/0/24
quit
---------------------SW-3-------------------------
vrrp ping-enable
vlan 100
vlan 200
quit
interface Ethernet0/3
port access vlan 100
quit
interface Ethernet0/24
port access vlan 200
quit
interface Vlan-interface100
ip address 172.16.1.252 255.255.255.0
vrrp vrid 100 virtual-ip 172.16.1.254
vrrp vrid 100 priority 120
vrrp vrid 100 preempt-mode
vrrp vrid 100 track Vlan-interface200 reduced 30
quit
interface Vlan-interface200
ip address 192.168.1.252 255.255.255.0
vrrp vrid 200 virtual-ip 192.168.1.254
vrrp vrid 200 priority 120
vrrp vrid 200 preempt-mode
vrrp vrid 200 track Vlan-interface100 reduced 30
quit
ip route-static 0.0.0.0 0.0.0.0 172.16.1.3
----------------------SW-4-----------------------
vrrp ping-enable
vlan 10
vlan 20
quit
interface Ethernet0/4
port access vlan 10
quit
interface Ethernet0/23
port access vlan 20
quit
interface Vlan-interface10
ip address 172.16.1.253 255.255.255.0
vrrp vrid 100 virtual-ip 172.16.1.254
vrrp vrid 100 priority 100
vrrp vrid 100 preempt-mode
quit
interface Vlan-interface20
ip address 192.168.1.253 255.255.255.0
vrrp vrid 200 virtual-ip 192.168.1.254
vrrp vrid 200 priority 100
vrrp vrid 200 preempt-mode
quit
ip route-static 0.0.0.0 0.0.0.0 172.16.1.3
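The topology is a bit crude... In this environment I simplified the lab by using a single layer-2 switch split into VLANs; a real environment might need three layer-2 switches. Careful readers may have noticed that device utilization in this network is low: the network may be very stable and run for a year without any problem, in which case the backup devices have sat idle for a year. How can this be solved? See the next case.
Topology:
Configuration: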
------------------ISP------------------
int eth0/4
ip ad 8.8.8.8 24
loopback #Enable loopback
quit
int eth0/0
ip ad 12.1.1.2 24
quit
int eth0/1
ip ad 13.1.1.2 24
quit
------------------R-1-------------------
int eth1
ip ad 12.1.1.1 24
quit
int eth0.10 #Enter the sub-interface
vlan-type dot1q vid 10 #Set the encapsulation to 802.1Q
ip ad 192.168.10.1 24
quit
int eth0.20
vlan-type dot1q vid 20
ip ad 192.168.20.1 24
quit
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 #Configure the default route
acl 2000 match-order auto #Create the ACL
rule permit source any #Permit all source IPs
quit
int eth1
nat outbound 2000 interface #Configure NAT translation
quit
int eth0.10
vrrp vrid 10 virtual-ip 192.168.10.252 #Configure the VRRP virtual IP, i.e. the gateway for access-layer hosts
vrrp vrid 10 preempt-mode #Enable preempt mode
vrrp vrid 10 priority 120 #Configure the priority
vrrp vrid 10 track eth1 #Track the uplink interface
quit
int eth0.20
vrrp vrid 20 virtual-ip 192.168.20.252
vrrp vrid 20 preempt-mode
vrrp vrid 20 priority 105
vrrp vrid 20 track eth1
quit
-------------------R-2------------------
int eth1
ip add 13.1.1.1 24
quit
int eth0.10
vlan-type dot1q vid 10
ip ad 192.168.10.2 24
quit
int eth0.20
vlan-type dot1q vid 20
ip ad 192.168.20.2 24
quit
acl 2000 match-order auto
rule permit source any
quit
int eth1
nat outbound 2000 interface
quit
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2
int eth0.10
vrrp vrid 10 virtual-ip 192.168.10.252
vrrp vrid 10 preempt-mode
vrrp vrid 10 priority 100
quit
int eth0.20
vrrp vrid 20 virtual-ip 192.168.20.252
vrrp vrid 20 preempt-mode
vrrp vrid 20 priority 100
quit
----------------------SW-1------------------
vlan 10 #Create the VLANs
vlan 20
quit
int eth1/0/24
port link-type trunk #Set the link type to trunk
port trunk permit vlan all #Permit all VLANs
quit
int eth1/0/2
port link-type trunk
port trunk permit vlan all
quit
int eth1/0/10
port access vlan 10 #Assign to VLAN 10
quit
int eth1/0/20
port access vlan 20
quit
-------------------SW-2------------------
vlan 10
vlan 20
quit
int eth1/0/2
port link-type trunk
port trunk permit vlan all
quit
int eth1/0/24
port link-type trunk
port trunk permit vlan all
quit
int eth1/0/10
port access vlan 10
quit
int eth1/0/20
port access vlan 20
quit
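To check which router ends up as master in each VRRP group, before and after a tracked uplink fails, the following added example (not part of the original post) models the election using the priorities, interface IPs and track settings from the two router configurations above. The names `Member`, `elect` and `masters` are hypothetical, and the reduction of 10 used where `track` has no `reduced` value is an assumption about the device default.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

DEFAULT_REDUCTION = 10  # assumption: applied when "track" carries no "reduced N"

@dataclass
class Member:
    name: str
    ip: str                      # interface IP, used only to break priority ties
    priority: int
    tracked: Optional[str] = None
    reduced: int = DEFAULT_REDUCTION

    def effective(self, down) -> int:
        # While the tracked interface is down the configured priority is lowered.
        if self.tracked and (self.name, self.tracked) in down:
            return max(self.priority - self.reduced, 1)
        return self.priority

def elect(members, down=frozenset()) -> str:
    # Preempt mode on: highest effective priority wins, higher IP breaks a tie.
    best = max(members, key=lambda m: (m.effective(down), IPv4Address(m.ip)))
    return best.name

def masters(groups, down=frozenset()) -> dict:
    # Map each VRID to the name of the router elected master for it.
    return {vrid: elect(ms, down) for vrid, ms in groups.items()}

# Values copied from the two configurations on this page.
CASE1 = {172: [Member("R-1", "172.16.1.1", 120, "Serial1", 30),
               Member("R-2", "172.16.1.2", 100)]}
CASE2 = {10: [Member("R-1", "192.168.10.1", 120, "eth1"),
              Member("R-2", "192.168.10.2", 100)],
         20: [Member("R-1", "192.168.20.1", 105, "eth1"),
              Member("R-2", "192.168.20.2", 100)]}

if __name__ == "__main__":
    for label, case, failed in (("case 1", CASE1, ("R-1", "Serial1")),
                                ("case 2", CASE2, ("R-1", "eth1"))):
        print(label, "uplink up:  ", masters(case))
        print(label, "uplink down:", masters(case, {failed}))
```

With the values as written, R-1 is master for both VRID 10 and VRID 20 while its uplink is up, so for the two groups to be split across the routers R-2 needs the higher priority in one of them. Under the assumed reduction of 10, losing eth1 on R-1 moves only VRID 20 to R-2, because 120 - 10 is still above 100.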