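Introduction to VRRP
Background:
A gateway or router can become a single point of failure, so to improve network reliability the gateway needs redundancy.
VRRP:
Virtual Router Redundancy Protocol.
VRRP router:
A router that runs VRRP. One VRRP router can take part in several VRRP groups at the same time and can play a different role in each group (for example, R1 is the Master in VRRP group 1, while in VRRP group 2 it can be configured as either Master or Backup; the groups do not affect each other).
VRRP group:
A VRRP group consists of several VRRP routers identified by the same VRID (Virtual Router ID). VRRP routers in the same group exchange information with each other, and each VRRP group has only one Master (for example, R1, R2 and R3 are in one group, but only one of them can be the Master).
Virtual router:
For each VRRP group, a logical router is abstracted. It acts as the gateway for network users and does not physically exist. Users only need to know the virtual router's IP; which device takes the virtual router role, which device forwards the data, and which device takes over after the Master fails is VRRP's job.
Virtual MAC address:
The virtual router formed by VRRP communicates with the PCs on the network using a virtual IP address and a virtual MAC. In the virtual MAC format, the last byte is the VRID, that is, the virtual router ID in hexadecimal. For example, with VRID 1 the virtual MAC address is 00-00-5E-00-01-01.
Priority:
The priority ranges from 0 to 255. 0 means leaving the VRRP group: for example, when the Master leaves the group it sends a message with priority 0, and the Backup devices elect a Master immediately after receiving it. 255 means the router is the IP address owner of the virtual IP, that is, one of its interfaces is configured with that IP address; this router has the highest priority.
Roles:
Master: the primary device
Backup: the standby device
VRRP configuration
Basic configuration
AR1 (Master) configuration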
[AR1]interface GigabitEthernet 0/0/1
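[AR1-GigabitEthernet0/0/1]ip address 192.168.1.252 24
# The virtual address needs no subnet mask; it uses the same mask as the IP address configured on this interface
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 virtual-ip 192.168.1.254
# The default priority is 100; the higher the value, the higher the priority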
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 priority 120
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 preempt-mode timer delay 20
AR2 (Backup) configuration
[AR2]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]ip address 192.168.1.253 24
[AR2-GigabitEthernet0/0/2]vrrp vrid 1 virtual-ip 192.168.1.254
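When the VRRP group has uplinks, the uplink state must be monitored
R1 is the Master of VRRP 1 and the gateway for PC1; R2 is the Master of VRRP 2 and the gateway for PC2.
Suppose the link between R1 and SW2 fails: R1's g0/0/0 interface goes down, but R1 is still in the Master state for VRRP 1 and no switchover takes place. All of PC1's traffic is still sent to R1, so users cannot communicate. In other words, VRRP on its own cannot detect the interface failure and switch between Master and Backup.
AR1 configuration
# Configure AR1 as Master for vrid 1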
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.1.252 24
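[AR1-GigabitEthernet0/0/1]vrrp vrid 1 virtual-ip 192.168.1.254
# Set priority 120; the default priority is 100, and the higher the value, the higher the priority
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 priority 120
# Preemption delay
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 preempt-mode timer delay 20
# Configure AR1 as Backup for vrid 2 (the interface address must be in the same subnet as the virtual IP)
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.2.253 24
[AR1-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.168.2.254
AR2 configuration
# Configure AR2 as Backup for vrid 1 (AR1's priority of 120 is higher than the default 100, so AR1 is the Master in vrid 1)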
[AR2]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]ip address 192.168.1.253 24
[AR2-GigabitEthernet0/0/2]vrrp vrid 1 virtual-ip 192.168.1.254
# AR2 is Master in vrid 2 (priority 120 is higher than AR1's default priority of 100 in vrid 2, so AR2 should be the Master in vrid 2)
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ip address 192.168.2.252 24
[AR2-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.168.2.254
[AR2-GigabitEthernet0/0/0]vrrp vrid 2 priority 120
[AR2-GigabitEthernet0/0/0]vrrp vrid 2 preempt-mode timer delay 20
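Tracking the uplink
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 track interface GigabitEthernet0/0/0 reduced 50
# Monitor the uplink interface g0/0/0. When this interface goes down, R1 reduces its priority in VRRP group 1 by 50 to 70, which is lower than R2's priority of 100, so R2 becomes the Master of VRRP group 1 and all traffic goes through AR2.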
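The priority arithmetic behind this switchover, as an added example in Python (not part of the original page): a simplified model that computes each router's running priority from its configured priority, its tracked interfaces and the IP address owner rule, then picks the Master. The class and function names are hypothetical; preemption delay and non-preemptive mode are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    ip: str                      # interface IP inside the VRRP subnet
    virtual_ip: str
    priority: int = 100          # configured priority, default 100
    tracks: dict = field(default_factory=dict)  # tracked interface -> "reduced" value
    down: set = field(default_factory=set)      # tracked interfaces that are down

    def running_priority(self) -> int:
        # The IP address owner always runs at 255, whatever is configured.
        if self.ip == self.virtual_ip:
            return 255
        cut = sum(v for ifname, v in self.tracks.items() if ifname in self.down)
        # Assumption of this model: a reduced priority never drops below 1.
        return max(1, self.priority - cut)


def elect_master(routers):
    # Highest running priority wins; on a tie the higher interface IP wins.
    return max(routers, key=lambda r: (r.running_priority(), IPv4Address(r.ip)))


def scenario(uplink_down, ar1_ip="192.168.1.252"):
    """AR1/AR2 from the configuration above; returns (master, AR1 prio, AR2 prio)."""
    ar1 = VrrpRouter("AR1", ar1_ip, "192.168.1.254", priority=120,
                     tracks={"GigabitEthernet0/0/0": 50})
    ar2 = VrrpRouter("AR2", "192.168.1.253", "192.168.1.254")
    if uplink_down:
        ar1.down.add("GigabitEthernet0/0/0")
    master = elect_master([ar1, ar2])
    return master.name, ar1.running_priority(), ar2.running_priority()


if __name__ == "__main__":
    print(scenario(False))                   # uplink up
    print(scenario(True))                    # uplink down, priority cut by 50
    print(scenario(True, "192.168.1.254"))   # AR1 is the IP address owner
```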
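VRRP group configuration on Layer 3 switches:
On a Layer 3 switch, configure the vlanif interface first and then configure VRRP on it.
Access-layer switch SW3
# Create the VLAN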
[SW3]vlan batch 10
# The interface facing the PC is an access port
[SW3]interface Ethernet0/0/1
[SW3-Ethernet0/0/1]port link-type access
[SW3-Ethernet0/0/1]port default vlan 10
# The uplinks are trunks
[SW3]interface GigabitEthernet0/0/1
[SW3-GigabitEthernet0/0/1]port link-type trunk
[SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[SW3]interface GigabitEthernet0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
Layer 3 switches SW1 and SW2 (same configuration on both)
# Create the VLAN
vlan 10
# The links between switches are trunks
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
VRRP configuration
SW1 as the primary gateway
[SW1]interface Vlanif10
[SW1-Vlanif10]ip address 192.168.10.253 255.255.255.0
[SW1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[SW1-Vlanif10]vrrp vrid 1 priority 120 # Priority 120, default 100
[SW1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20 # Preemption delay
SW2 as the backup gateway
[SW2]interface Vlanif10
[SW2-Vlanif10]ip address 192.168.10.252 255.255.255.0
[SW2-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
Verifying VRRP
[SW1] dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.10.254
----------------------------------------------------------------
Total:1 Master:1 Backup:0 Non-active:0
[SW2]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif10 Normal 192.168.10.254
----------------------------------------------------------------
Total:1 Master:0 Backup:1 Non-active:0
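Classic MSTP + VRRP topology
Advantage of MSTP: RSTP and STP have a shortcoming. All VLANs in the LAN share one spanning tree, so traffic cannot be load-balanced across VLANs, links are blocked, and the packets of some VLANs may not be forwarded. MSTP is used instead because it can share the load per VLAN.
Layer 2 configuration: VLAN assignment, interface types, STP spanning tree
SW1: host-facing ports are access ports, uplinks are trunks
# VLAN assignment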
[SW1]vlan batch 10 20
# Access ports
[SW1] interface Ethernet0/0/1
[SW1-Ethernet0/0/1] port link-type access
[SW1-Ethernet0/0/1] port default vlan 10
[SW1] interface Ethernet0/0/2
[SW1-Ethernet0/0/2] port link-type access
[SW1-Ethernet0/0/2] port default vlan 20
# Trunk links
[SW1]interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1] port link-type trunk
[SW1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[SW1] interface GigabitEthernet0/0/2
[SW1-GigabitEthernet0/0/2] port link-type trunk
[SW1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20
# MSTP instance configuration
[SW1]stp region-configuration
[SW1-mst-region]region-name Huawei
[SW1-mst-region]instance 1 vlan 10 20
[SW1-mst-region]active region-configuration
SW2: host-facing ports are access ports, uplinks are trunks
# VLAN assignment
[SW2]vlan batch 30 40
# Access ports
[SW2]interface Ethernet0/0/1
[SW2-Ethernet0/0/1]port link-type access
[SW2-Ethernet0/0/1]port default vlan 30
[SW2]interface Ethernet0/0/2
[SW2-Ethernet0/0/2]port link-type access
[SW2-Ethernet0/0/2]port default vlan 40
# Trunk links
[SW2]interface GigabitEthernet0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 30 40
[SW2]interface GigabitEthernet0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 30 40
# MSTP instance configuration
[SW2]stp region-configuration
[SW2-mst-region]region-name Huawei
[SW2-mst-region]instance 2 vlan 30 40
[SW2-mst-region]active region-configuration
L3-S1: configure the trunk links and the MSTP spanning tree
# VLAN assignment
[L3-S1]vlan batch 10 20 30 40
# Trunk links
[L3-S1]interface GigabitEthernet0/0/1
[L3-S1-GigabitEthernet0/0/1]port link-type trunk
[L3-S1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[L3-S1]interface GigabitEthernet0/0/2
[L3-S1-GigabitEthernet0/0/2]port link-type trunk
[L3-S1-GigabitEthernet0/0/2]port trunk allow-pass vlan 30 40
[L3-S1]interface GigabitEthernet0/0/24
[L3-S1-GigabitEthernet0/0/24]port link-type trunk
[L3-S1-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 20 30 40
# MSTP instance configuration
[L3-S1]stp region-configuration
[L3-S1-mst-region]region-name Huawei
[L3-S1-mst-region]instance 1 vlan 10 20
[L3-S1-mst-region]instance 2 vlan 30 40
[L3-S1-mst-region]active region-configuration
# Primary and secondary root bridges
[L3-S1]stp instance 1 root primary
[L3-S1]stp instance 2 root secondary
L3-S2: configure the trunk links and the MSTP spanning tree
# VLAN assignment
[L3-S2]vlan batch 10 20 30 40
# Trunk links
[L3-S2]interface GigabitEthernet0/0/1
[L3-S2-GigabitEthernet0/0/1]port link-type trunk
[L3-S2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[L3-S2]interface GigabitEthernet0/0/2
[L3-S2-GigabitEthernet0/0/2]port link-type trunk
[L3-S2-GigabitEthernet0/0/2]port trunk allow-pass vlan 30 40
[L3-S2]interface GigabitEthernet0/0/24
[L3-S2-GigabitEthernet0/0/24]port link-type trunk
[L3-S2-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 20 30 40
# MSTP instance configuration
[L3-S2]stp region-configuration
[L3-S2-mst-region]region-name Huawei
[L3-S2-mst-region]instance 1 vlan 10 20
[L3-S2-mst-region]instance 2 vlan 30 40
[L3-S2-mst-region]active region-configuration
# Primary and secondary root bridges
[L3-S2]stp instance 2 root primary
[L3-S2]stp instance 1 root secondary
Layer 3 configuration: IP addresses, routing, VRRP
L3-S1
# L3-S1 is the primary gateway for VLAN 10 and VLAN 20
[L3-S1]interface Vlanif10
[L3-S1-Vlanif10]ip address 192.168.10.253 255.255.255.0
[L3-S1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[L3-S1-Vlanif10]vrrp vrid 1 priority 120
[L3-S1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 20
[L3-S1]interface Vlanif20
[L3-S1-Vlanif20]ip address 192.168.20.253 255.255.255.0
[L3-S1-Vlanif20]vrrp vrid 1 virtual-ip 192.168.20.254
[L3-S1-Vlanif20]vrrp vrid 1 priority 120
[L3-S1-Vlanif20]vrrp vrid 1 preempt-mode timer delay 20
#
# L3-SW1 is the backup gateway for VLAN 30 and VLAN 40
[L3-S1]interface Vlanif30
[L3-S1-Vlanif30]ip address 192.168.30.253 255.255.255.0
[L3-S1-Vlanif30]vrrp vrid 2 virtual-ip 192.168.30.254
[L3-S1]interface Vlanif40
[L3-S1-Vlanif40]ip address 192.168.40.253 255.255.255.0
[L3-S1-Vlanif40]vrrp vrid 2 virtual-ip 192.168.40.254
L3-S2
# L3-SW2 is the backup gateway for VLAN 10 and VLAN 20 (and also the secondary root bridge for VLAN 10 and 20)
#
[L3-S2]interface Vlanif10
[L3-S2-Vlanif10]ip address 192.168.10.252 255.255.255.0
[L3-S2-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[L3-S2]interface Vlanif20
[L3-S2-Vlanif20]ip address 192.168.20.252 255.255.255.0
[L3-S2-Vlanif20]vrrp vrid 1 virtual-ip 192.168.20.254
# Primary gateway for VLAN 30 and 40 (and also the primary root bridge for VLAN 30 and 40)
[L3-S2]interface Vlanif30
[L3-S2-Vlanif30]ip address 192.168.30.252 255.255.255.0
[L3-S2-Vlanif30]vrrp vrid 2 virtual-ip 192.168.30.254
[L3-S2-Vlanif30]vrrp vrid 2 priority 120
[L3-S2-Vlanif30]vrrp vrid 2 preempt-mode timer delay 20
[L3-S2]interface Vlanif40
[L3-S2-Vlanif40]ip address 192.168.40.252 255.255.255.0
[L3-S2-Vlanif40]vrrp vrid 2 virtual-ip 192.168.40.254
[L3-S2-Vlanif40]vrrp vrid 2 priority 120
[L3-S2-Vlanif40]vrrp vrid 2 preempt-mode timer delay 20
Verification:
display vrrp brief: show a VRRP summary
display stp brief: show an STP summary
# L3-SW1 is the primary gateway for VLAN 10 and VLAN 20 and the backup gateway for VLAN 30 and VLAN 40
[L3-SW1]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.10.254
1 Master Vlanif20 Normal 192.168.20.254
2 Backup Vlanif30 Normal 192.168.30.254
2 Backup Vlanif40 Normal 192.168.40.254
# L3-SW2 is the primary gateway for VLAN 30 and VLAN 40 and the backup gateway for VLAN 10 and VLAN 20
[L3-SW2]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif10 Normal 192.168.10.254
1 Backup Vlanif20 Normal 192.168.20.254
2 Master Vlanif30 Normal 192.168.30.254
2 Master Vlanif40 Normal 192.168.40.254
----------------------------------------------------------------
Total:4 Master:2 Backup:2 Non-active:0
# L3-SW1 is the primary root bridge for VLAN 10 and VLAN 20 and the secondary root bridge for VLAN 30 and VLAN 40
[L3-SW1]display stp brief
MSTID Port Role STP State Protection
1 GigabitEthernet0/0/1 DESI FORWARDING NONE
1 GigabitEthernet0/0/24 DESI FORWARDING NONE
2 GigabitEthernet0/0/2 ALTE DISCARDING NONE
2 GigabitEthernet0/0/24 ROOT FORWARDING NONE
# L3-SW2 is the secondary root bridge for VLAN 10 and VLAN 20 and the primary root bridge for VLAN 30 and VLAN 40
[L3-SW2]display stp brief
MSTID Port Role STP State Protection
1 GigabitEthernet0/0/1 DESI FORWARDING NONE
1 GigabitEthernet0/0/24 ROOT FORWARDING NONE
2 GigabitEthernet0/0/2 MAST FORWARDING NONE
2 GigabitEthernet0/0/24 DESI FORWARDING NONE
VRRP packet authentication
# Command: vrrp vrid [VRRP group] authentication-mode md5 [password]. For example:
[R2-Ethernet0/0/1]vrrp vrid 1 authentication-mode md5 huawei
[R3-Ethernet0/0/1]vrrp vrid 1 authentication-mode md5 huawei
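# Note: when configuring VRRP packet authentication, all devices in the same VRRP backup group must use the same authentication mode; otherwise the Master and Backup devices cannot negotiate successfully.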
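One way to check this rule across collected configurations, as an added example in Python (not part of the original page): it groups `vrrp vrid` lines by VRID and virtual IP and reports groups where members have no authentication or differ from each other. The sample lines are constructed in the prompt style used here, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the prompt style used on this page (R2/R3, key "huawei").
SAMPLE = """\
[R2-Ethernet0/0/1]vrrp vrid 1 virtual-ip 192.168.1.254
[R2-Ethernet0/0/1]vrrp vrid 1 authentication-mode md5 huawei
[R3-Ethernet0/0/1]vrrp vrid 1 virtual-ip 192.168.1.254
[R3-Ethernet0/0/1]vrrp vrid 1 authentication-mode md5 huawei
[R2-Ethernet0/0/2]vrrp vrid 2 virtual-ip 192.168.2.254
[R2-Ethernet0/0/2]vrrp vrid 2 authentication-mode md5 huawei
[R3-Ethernet0/0/2]vrrp vrid 2 virtual-ip 192.168.2.254
"""

# "[<device>-<interface>]vrrp vrid <id> <rest>"; device names may contain "-".
LINE = re.compile(r"^\[(?P<dev>.+)-(?P<ifc>[^\]-]+)\]\s*vrrp vrid (?P<vrid>\d+) (?P<rest>.+)$")

def audit_vrrp_auth(config_text):
    """Return {(vrid, virtual_ip): finding} for groups with missing or unequal auth."""
    inst = defaultdict(dict)    # (device, interface, vrid) -> {"vip": ..., "auth": ...}
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rest = m["rest"].split()
        rec = inst[(m["dev"], m["ifc"], int(m["vrid"]))]
        if rest[0] == "virtual-ip" and len(rest) >= 2:
            rec["vip"] = rest[1]
        elif rest[0] == "authentication-mode" and len(rest) >= 3:
            rec["auth"] = (rest[1], " ".join(rest[2:]))
    groups = defaultdict(dict)  # (vrid, virtual IP) -> {device: auth or None}
    for (dev, _ifc, vrid), rec in inst.items():
        groups[(vrid, rec.get("vip", "?"))][dev] = rec.get("auth")
    findings = {}
    for key, devs in sorted(groups.items()):
        settings = set(devs.values())
        if settings == {None}:
            findings[key] = "no authentication configured"
        elif len(settings) > 1:
            # Report device names only; never echo the keys themselves.
            missing = sorted(d for d, s in devs.items() if s is None)
            findings[key] = "mismatch; without authentication: " + (", ".join(missing) or "none")
    return findings

if __name__ == "__main__":
    for (vrid, vip), finding in audit_vrrp_auth(SAMPLE).items():
        print(f"vrid {vrid} ({vip}): {finding}")
```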
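How it works
1. The devices in the VRRP group elect a Master. The Master sends a gratuitous ARP packet to announce the virtual MAC address to the devices and hosts connected to it, and takes over packet forwarding.
The Master sends the ARP packet:
The switch receives the gratuitous ARP packet and creates a MAC address table entry: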
<SW>display mac-address
MAC address table of slot 0:
0000-5e00-0101 1 - - GE0/0/1 dynamic 0/-
The user's PC receives the gratuitous ARP packet and creates an ARP cache entry:
PC>arp -a
Internet Address Physical Address Type
192.168.1.254 00-00-5E-00-01-01 dynamic
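2. The Master periodically sends VRRP advertisement packets to all Backup devices in the backup group, once every 1 s.
3. If the Master fails, the remaining Backup devices in the VRRP backup group elect a new Master.
Virtual Router state BACKUP changed to MASTER indicates a switch from Backup to Master.
4. After the VRRP state change, the new Master sends a gratuitous ARP to refresh the MAC address tables of the devices connected to it, so that user traffic is directed to itself.
The switch receives the ARP packet and updates its MAC address table. In practice only the recorded port changes; the MAC address is still the same virtual MAC.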
[Huawei]dis mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
0000-5e00-0101 1 - - GE0/0/2 dynamic 0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
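For users nothing changes in this process: the ARP cache on the user's PC stays the same.
5. Preemptive and non-preemptive mode
This decides whether a device that failed and then recovered takes back its original Master role.
With preemption enabled, the device becomes Master again once the preemption delay has expired, and the previous Master becomes Backup.
With preemption disabled, the device stays in the Backup state until a new election takes place.
6. When the original Master recovers from a failure, if it is the IP address owner (so its priority is 255), it switches directly to the Master state.
Change AR1's address to 192.168.1.254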
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
Warning: The priority of this VRRP backup group has changed to 255 and will not change.
View the details of R1's VRRP backup group
[AR1]display vrrp
GigabitEthernet0/0/0 | Virtual Router 1
State : Master # Current state
Virtual IP : 192.168.1.254 # Virtual IP address
Master IP : 192.168.1.254 # IP address of the Master router
PriorityRun : 255 # Priority currently in effect
PriorityConfig : 120 # The priority we configured
MasterPriority : 255 # Priority of the Master device
Preempt : YES Delay Time : 20 s # Preemption: yes, delay: 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2023-03-29 14:46:35 UTC-08:00
Last change time : 2023-03-29 15:02:59 UTC-08:00
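R2 was originally a Backup and became Master only because the Master went down. Its priority is lower than 255, so it first switches to the Backup state, and its priority returns to the priority configured before the failure.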
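The MAC table change in step 4 can be watched for from the switch side. The following Python is an added example (not part of the original page): it compares two `display mac-address` snapshots and lists VRRP virtual MACs that changed port, optionally checking the new port against the ports known to face the VRRP routers. The snapshots are constructed from the two table rows shown above; the function names and the `expected_ports` parameter are hypothetical.

```python
import re

# Constructed snapshots built from the two table rows shown on this page.
BEFORE = """MAC address table of slot 0:
0000-5e00-0101 1 - - GE0/0/1 dynamic 0/-
"""
AFTER = """MAC address table of slot 0:
0000-5e00-0101 1 - - GE0/0/2 dynamic 0/-
"""

ROW = re.compile(r"^(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(?P<vlan>\d+)"
                 r"\s+\S+\s+\S+\s+(?P<port>\S+)\s+(?P<type>\S+)", re.I)
VRRP_PREFIX = "0000-5e00-01"   # IPv4 VRRP virtual MAC; the last byte is the VRID


def vrrp_entries(table_text):
    """Map (vlan, vrid) -> port for every VRRP virtual MAC in a table dump."""
    entries = {}
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m and m["mac"].lower().startswith(VRRP_PREFIX):
            vrid = int(m["mac"][-2:], 16)
            entries[(int(m["vlan"]), vrid)] = m["port"]
    return entries


def virtual_mac_moves(before, after, expected_ports=None):
    """List (vlan, vrid, old_port, new_port, verdict) for virtual MACs that moved.

    expected_ports: optional {(vlan, vrid): set of ports facing the VRRP routers}.
    """
    old, new = vrrp_entries(before), vrrp_entries(after)
    moves = []
    for key, port in sorted(new.items()):
        if key in old and old[key] != port:
            allowed = (expected_ports or {}).get(key)
            if allowed is None:
                verdict = "moved"
            else:
                verdict = "expected router port" if port in allowed else "unexpected port"
            moves.append((key[0], key[1], old[key], port, verdict))
    return moves


if __name__ == "__main__":
    routers = {(1, 1): {"GE0/0/1", "GE0/0/2"}}
    print(virtual_mac_moves(BEFORE, AFTER, routers))
```

A move to a port that does not face one of the group's routers is worth investigating, since only the Master should be sourcing frames from the virtual MAC.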