Pretending to Be a Network Engineer 6: VRRP Usage Scenarios

I. Background

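VRRP is a common virtual router redundancy protocol that works at the application layer, with protocol number 112. It is widely used in all kinds of production environments. It works by hiding the addresses of the multiple network elements that actually provide the service and using a single virtual address as a reverse proxy instead. All end hosts point at the reverse-proxy address, so it stays valid even if one or more network elements fail. The network elements communicate with each other through a specific multicast address.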
This chapter uses two network elements that present a single gateway address as an example to introduce the use of VRRP.

II. Lab Topology


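  1. PC1 and PC2 belong to VLAN 10 and VLAN 20. SW3 is the access-layer switch; SW1 and SW2 are layer-3 switches connected to the layer-2 switch SW3 over trunk links.
  2. The three switches run MSTP. SW2 is the primary root of instance 1 and the secondary root of instance 2; SW1 is the exact opposite.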
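  3. The gateway addresses of VLAN 10 and VLAN 20 sit on the SVI interfaces of the two layer-3 switches. Each is a reverse-proxy address, and the two switches act as master and backup for each other.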

III. Configuration Files

SW1 configuration file

    [SW1]display current-configuration 
    #
    sysname SW1
    #
    undo info-center enable
    #
    vlan batch 10 20
    #
    stp instance 1 root secondary
    stp instance 2 root primary
    #
    cluster enable
    ntdp enable
    ndp enable
    #
    drop illegal-mac alarm
    #
    diffserv domain default
    #
    stp region-configuration
    region-name hw
    revision-level 1
    instance 1 vlan 10
    instance 2 vlan 20
    active region-configuration
    #
    drop-profile default
    #
    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password simple admin
    local-user admin service-type http
    #
    interface Vlanif1
    #
    interface Vlanif10
    ip address 192.168.10.2 255.255.255.0
    vrrp vrid 1 virtual-ip 192.168.10.254
    #
    interface Vlanif20
    ip address 192.168.20.2 255.255.255.0
    vrrp vrid 2 virtual-ip 192.168.20.254
    vrrp vrid 2 priority 150
    #
    interface MEth0/0/1
    #
    interface Ethernet0/0/1
    port link-type trunk
    undo port trunk allow-pass vlan 1
    port trunk allow-pass vlan 10 20
    #
    interface Ethernet0/0/2
    port link-type trunk
    undo port trunk allow-pass vlan 1
    port trunk allow-pass vlan 10 20

SW2 configuration file

    [SW2]display current-configuration 
    #
    sysname SW2
    #
    undo info-center enable
    #
    vlan batch 10 20
    #
    stp instance 1 root primary
    stp instance 2 root secondary
    #
    cluster enable
    ntdp enable
    ndp enable
    #
    drop illegal-mac alarm
    #
    diffserv domain default
    #
    stp region-configuration
    region-name hw
    revision-level 1
    instance 1 vlan 10
    instance 2 vlan 20
    active region-configuration
    #
    drop-profile default
    #
    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password simple admin
    local-user admin service-type http
    #
    interface Vlanif1
    #
    interface Vlanif10
    ip address 192.168.10.1 255.255.255.0
    vrrp vrid 1 virtual-ip 192.168.10.254
    vrrp vrid 1 priority 150
    #
    interface Vlanif20
    ip address 192.168.20.1 255.255.255.0
    vrrp vrid 2 virtual-ip 192.168.20.254
    #
    interface MEth0/0/1
    #
    interface Ethernet0/0/1
    port link-type trunk
    undo port trunk allow-pass vlan 1
    port trunk allow-pass vlan 10 20
    #
    interface Ethernet0/0/2
    port link-type trunk
    undo port trunk allow-pass vlan 1
    port trunk allow-pass vlan 10 20

SW3 configuration file

    [SW3]display current-configuration 
    #
    sysname SW3
    #
    undo info-center enable
    #
    vlan batch 10 20
    #
    cluster enable
    ntdp enable
    ndp enable
    #
    drop illegal-mac alarm
    #
    diffserv domain default
    #
    stp region-configuration
    region-name hw
    revision-level 1
    instance 1 vlan 10
    instance 2 vlan 20
    active region-configuration
    #
    drop-profile default
    #
    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password simple admin
    local-user admin service-type http
    #
    interface Vlanif1
    #
    interface MEth0/0/1
    #
    interface Ethernet0/0/1
    port link-type trunk
    undo port trunk allow-pass vlan 1
    port trunk allow-pass vlan 10 20
    #
    interface Ethernet0/0/2
    port link-type trunk
    undo port trunk allow-pass vlan 1
    port trunk allow-pass vlan 10 20
    #
    interface Ethernet0/0/3
    port link-type access
    port default vlan 10
    stp edged-port enable
    #
    interface Ethernet0/0/4
    port link-type access
    port default vlan 20
    stp edged-port enable

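Now capture packets on SW1's e0/0/1 port. While SW2's Vlanif10 is up, traffic from PC1 pinging the gateway does not pass through this port. After SW2's Vlanif10 is shut down, pinging the gateway from PC1 again produces traffic that can be captured on this port.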

IV. Notes

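  1. VRRP is an application-layer protocol, so it must be configured on the interfaces of devices that operate at layer 3 or above.
  2. The VRRP master gateway is usually kept aligned with the MSTP root bridge. In this case SW2 is the root bridge of MSTP instance 1, so SW2 is preferred as the gateway for VLAN 10; the reason is that, for instance 1, the e0/0/2 interface on SW3 is in the blocking state at this point. The same reasoning applies to SW1.
  3. You can also have the priority lowered automatically when a port fails. When this command is used, the port-failure condition is assumed by default.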
    [SW2-Vlanif10]vrrp vrid 10 track interface Vlanif 10 ?
    increased  Increase priority
    reduced    Reduce priority
    <cr>       
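
The alignment described in note 2 can be checked mechanically. The Python below is an added example, not part of the original post: it parses the VRRP and MSTP lines excerpted from the SW1 and SW2 configurations on this page and reports any VLAN whose highest-priority VRRP member is not the MSTP root primary for that VLAN's instance, or whose virtual IPs differ between the two switches. The function names `parse` and `audit` are hypothetical; the code assumes one VLAN per `instance` line, the VRRP default priority of 100 when no priority line is configured, and does not model priority ties.

```python
import re

# VRRP/MSTP lines excerpted from the SW1 and SW2 configurations on this page.
SW1 = """stp instance 1 root secondary
stp instance 2 root primary
instance 1 vlan 10
instance 2 vlan 20
interface Vlanif10
vrrp vrid 1 virtual-ip 192.168.10.254
interface Vlanif20
vrrp vrid 2 virtual-ip 192.168.20.254
vrrp vrid 2 priority 150"""
SW2 = """stp instance 1 root primary
stp instance 2 root secondary
instance 1 vlan 10
instance 2 vlan 20
interface Vlanif10
vrrp vrid 1 virtual-ip 192.168.10.254
vrrp vrid 1 priority 150
interface Vlanif20
vrrp vrid 2 virtual-ip 192.168.20.254"""

def parse(cfg):
    """Return (VLANs this switch is MSTP root primary for, {vlan: VRRP settings})."""
    roots = set(re.findall(r"^\s*stp instance (\d+) root primary", cfg, re.M))
    inst_vlan = re.findall(r"^\s*instance (\d+) vlan (\d+)", cfg, re.M)
    root_vlans = {int(vlan) for inst, vlan in inst_vlan if inst in roots}
    groups, vlan = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (?:Vlanif(\d+))?", line):
            vlan = int(m[1]) if m[1] else None  # non-Vlanif interface: no VRRP scope
        elif vlan and (m := re.match(r"vrrp vrid \d+ (virtual-ip|priority) (\S+)", line)):
            # "100" is the VRRP default priority when no priority line is present
            groups.setdefault(vlan, {"virtual-ip": None, "priority": "100"})[m[1]] = m[2]
    return root_vlans, groups

def audit(configs):
    """Report VLANs whose VRRP master is not the MSTP root, or whose VIPs differ."""
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    problems = []
    for vlan in sorted({v for _, groups in parsed.values() for v in groups}):
        peers = {n: g[vlan] for n, (_, g) in parsed.items() if vlan in g}
        master = max(peers, key=lambda n: int(peers[n]["priority"]))  # ties not modelled
        roots = [n for n, (r, _) in parsed.items() if vlan in r]
        if len({p["virtual-ip"] for p in peers.values()}) != 1:
            problems.append(f"vlan {vlan}: virtual-ip mismatch")
        if roots != [master]:
            problems.append(f"vlan {vlan}: VRRP master {master}, MSTP root primary {roots}")
    return problems
```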