ACL应用之VRRP
VRRP发送报文方式是什么?
组播 地址:224.0.0.18
VRRP报文是由哪个设备发送的?
master 主路由设备发送
VRRP的报文协议号是多少?
112
可能存在的一种ACL拒绝VRRP报文产生MASTER错误的情况
案例
1.如图配置IP地址
2.配置 VRRP 虚拟网关和优先级
3.配置 ACL 确保 R2 也成为 Master
-acl不能控制自己发出流量所以要在r2设置acl
4.确保其他类型的流量可以互通
-因为要确保所有流量互通所以不能用ip协议
-所以需要使用高级ACL针对性阻止vrrp报文进入
VRRP多master的常见原因:1.IP地址必须相同
2.vrid必须相同
3.virtual-ip(虚拟ip)必须相同
4.认证必须成功
5.通过ACL拒绝vrrp报文后备份网关自动变成网关
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.1.251 24
[R1-GigabitEthernet0/0/0]q
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.254
[R1-GigabitEthernet0/0/0]vrrp vrid 1 priority 200
[R1-GigabitEthernet0/0/0]q
<R1>telnet 192.168.1.252
Press CTRL_] to quit telnet mode
Trying 192.168.1.252 ...
Connected to 192.168.1.252 ...
Login authentication
Pasword:
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.1.252 24
[R2-GigabitEthernet0/0/0]q
[R2]ping 192.168.1.251
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.254
[R2-GigabitEthernet0/0/0]vrrp vrid 1 priority 150
[R2-GigabitEthernet0/0/0]q
[R2]dis vrrp b
[R2]acl 3000
[R2-acl-adv-3000]rule 10 deny 112 source 192.168.1.251 0.0.0.0 destination 224.0
.0.18 0.0.0.0
[R2-acl-adv-3000]q
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[R2-GigabitEthernet0/0/0]q
[R2]dis vrrp b
Total:1 Master:1 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
1 Master GE0/0/0 Normal 192.168.1.254
[R2]dis acl all
rule 10 deny 112 source 192.168.1.251 0 destination 224.0.0.18 0 (22 matches)
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode pas
Please configure the login pas (maximum length 16):HCIE
[R2-ui-vty0-4]q