VRRP(Virtual Router Redundancy Protocol)和MSTP(Multiple Spanning Tree Protocol)是两种不同的协议,VRRP是一种用于实现网关冗余的协议,而MSTP是一种用于提供网络冗余和容错的协议。
虽然它们是不同的协议,但它们可以在网络中一起使用,以提供更高的可靠性和容错能力。在这种情况下,VRRP可以用于实现网关冗余,确保网络中始终有可用的网关设备,而MSTP可以用于提供网络冗余,确保网络中没有单点故障。
具体来说,如果在网络中使用VRRP和MSTP组合,则可以将两个协议配置在不同的设备上。其中,VRRP协议可以在多个设备之间配置,以提供网关冗余。而MSTP协议可以在所有设备之间配置,以提供网络冗余。
在这种配置下,如果某个设备的网关出现故障,则VRRP协议将自动将另一个设备的网关设备选为活动网关,并接管流量。同时,MSTP协议可以在其他设备之间重新计算网络拓扑,并重新配置网络,以确保网络中没有单点故障。
VRRP和MSTP组合可以提供更高的可靠性和容错能力,使网络能够更好地应对故障和故障恢复。
目录
前言
1.实验背景介绍
2.拓扑图
3.设备命名规则
4.设备互联信息
5.设备配置
6.内外网互访、NAT结果验证
7.总结
理论背景:本实验通过将MSTP协议和VRRP协议进行结合组网,验证网络架构的冗余性和健壮性。同时搭建内网和外网两大部分,模拟外网用户和内网用户通过数据中心和城域网进行业务交互。出口设备将内外网的用户、终端和服务器地址进行双向转换,增加网络访问的合规性。本实验中出口设备因为存在双向动态NAT,并且NAT地址池所分配的IP地址范围较大,所以要实现端到端精准访问控制较难,想到这一点的可以一起讨论。
实际需求:外网用户、终端需要访问内网用户和服务器,内网用户、终端需要访问外网用户和服务器,并且在访问时有以下需求:
1.公网IP进入内网时需要被NAT成内网地址才能予以访问;
2.内网IP访问外网时需要以公网IP访问。
同时,在数据中心,核心交换区需要有较强的冗余性,要求整体网络较健壮,经过核心设备时流量需要负载。
IP地址规划规则:以最后一个段为准,相对于设备为“左小右大”,相对于线路为“左大右小”。例如:线路:左端口:192.168.1.2/24,右端口:192.168.1.1/24;设备:左端口:192.168.1.1/24,右端口:192.168.1.2/24。
拓扑图
设备类型 | 命名规则 | 设备标识 |
路由器 | 接入路由器 | AR(Access Router) |
外联接入路由器 | exAR(External Access Router) | |
交换机 | 核心交换机 | CS(Core Switch) |
接入交换机 | AccS(Access Switch) | |
外联汇聚交换机 | exAS(External Access Switch) | |
汇聚交换机 | AS(Aggregation Switch) | |
PC | 内网用户 | PC1 |
外网用户 | PC2 | |
服务器 | 内网服务器 | Server2 |
外网服务器 | Server1 | |
客户端 | 内网终端 | Client2 |
外网终端 | Client1 |
本端设备 | 接口 | 模式 | IP地址/ETH | 对端设备 | 接口 | 模式 | IP地址/ETH |
CS1 | GE1/0/0 | route | 172.31.1.1/30 | AR | GE0/0/0 | route | 172.31.1.2/30 |
GE1/0/1 | bridge | Eth-trunk 12 | CS2 | GE1/0/1 | bridge | Eth-trunk 12 | |
GE1/0/2 | bridge | GE1/0/2 | bridge | ||||
GE1/0/3 | bridge | Trunk | AS | GE0/0/1 | bridge | Trunk | |
exAS | GE1/0/0 | route | 172.16.1.1/30 | AR | GE0/0/1 | route | 172.16.1.2/30 |
GE1/0/1 | bridge | Eth-trunk 12 | CS1 | GE1/0/1 | bridge | Eth-trunk 12 | |
GE1/0/2 | bridge | GE1/0/2 | bridge | ||||
GE1/0/3 | bridge | Trunk | AS | GE0/0/2 | bridge | Trunk | |
CS1 | GE0/0/0 | route | 172.31.1.2/30 | CS1 | GE1/0/0 | route | 172.31.1.1/30 |
GE0/0/1 | route | 172.16.1.2/30 | CS2 | GE1/0/0 | route | 172.16.1.1/30 | |
GE0/0/2 | route | 172.10.1.1/30 | exAR | GE0/0/1 | route | 172.10.1.2/30 | |
GE0/0/1 | bridge | Trunk | CS1 | GE1/0/3 | bridge | Trunk | |
exAS | GE0/0/2 | bridge | Trunk | CS2 | GE1/0/3 | bridge | Trunk |
GE0/0/3 | bridge | Access | PC1 | Eth0/0/1 | bridge | Access | |
GE0/0/4 | bridge | Access | Client2 | Eth0/0/0 | bridge | Access | |
GE0/0/5 | bridge | Access | Server2 | Eth0/0/0 | bridge | Access | |
CS1 | GE0/0/1 | bridge | Access | PC2 | Eth0/0/1 | bridge | Access |
GE0/0/2 | bridge | Access | Server1 | Eth0/0/0 | bridge | Access | |
GE0/0/3 | bridge | Access | Client1 | Eth0/0/0 | bridge | Access | |
GE0/0/4 | bridge | Vlan100: | exAR | GE0/0/0 | routr | 100.1.1.1/24 | |
exAS | GE0/0/0 | route | 100.1.1.1/24 | exAS | GE0/0/4 | bridge | Vlan100: |
GE0/0/1 | route | 172.10.1.2/24 | AR | GE0/0/2 | route | 172.10.1.1/24 |
CS1:
MSTP配置:
vlan batch 10 20 30 //创建vlan
stp enable //开启stp
stp mode mstp //stp模式切换为mstp
stp instance 1 root primary //配置STP实例1,并将本地设备指定为该实例的主根桥
stp instance 2 root secondary //配置STP实例2,并将本地设备指定为该实例的次要根桥
stp region-configuration //配置mstp域
region-name huawei //mstp域名
instance 1 vlan 10 //绑定实例和vlan
instance 2 vlan 20 30MSTP主要起到负载和防环的作用,将实例和vlan绑定后,流量访问将根据实例和vlan的映射情况进行分担流量。
VRRP配置:
interface Vlanif10 //配置vlan接口
ip address 10.1.1.254 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.250
vrrp vrid 1 priority 120 //配置vrrp的优先级,默认为100
vrrp vrid 1 preempt timer delay 3 //配置抢占延迟时间,默认为立即抢占
vrrp vrid 1 authentication-mode md5 huawei //配置认证秘钥
vrrp vrid 2 virtual-ip 10.1.1.251
vrrp vrid 2 authentication-mode md5 huawei
interface Vlanif20
ip address 20.1.1.254 255.255.255.0
vrrp vrid 3 virtual-ip 20.1.1.250
vrrp vrid 3 priority 120
vrrp vrid 3 preempt timer delay 3
vrrp vrid 3 authentication-mode md5 huawei
vrrp vrid 4 virtual-ip 20.1.1.251
vrrp vrid 4 authentication-mode md5 huawei
interface Vlanif30
ip address 30.1.1.254 255.255.255.0
vrrp vrid 5 virtual-ip 30.1.1.250
vrrp vrid 5 priority 120
vrrp vrid 5 preempt timer delay 3
vrrp vrid 5 authentication-mode md5 huawei
vrrp vrid 6 virtual-ip 30.1.1.251
vrrp vrid 6 authentication-mode md5 huaweiVRRP主要起到网关冗余的作用,配置vrrp后将根据配置优先级选出主备,正常情况下数据都通过主设备(master)进行转发,当主设备发生故障(接口故障或者单机故障) 时,备设备(backup)就会接管主设备进行数据的转发,保证业务不中断。
接口和路由配置:
interface Eth-Trunk12 //创建L2聚合端口
port link-type trunk
port trunk allow-pass vlan 10 20 30
interface GE1/0/0
undo portswitch
undo shutdown
ip address 172.31.1.1 255.255.255.252
interface GE1/0/1
undo shutdown
eth-trunk 12 //加入聚合端口12
interface GE1/0/2
undo shutdown
eth-trunk 12
interface GE1/0/3
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10 20 30
ip route-static 0.0.0.0 0.0.0.0 172.31.1.2 //配置默认路由配置链路聚合的作用是增加链路的收发带宽同时也增加链路的冗余,增强设备间的数据转发安全。
查看:
MSTP:
[CS1]display stp brief
MSTID Port Role STP State Protection Cost
Edged
0 GE1/0/3 ROOT forwarding none 199999
disable
0 Eth-Trunk12 ALTE discarding none 99999
disable
1 GE1/0/3 DESI forwarding none 199999
disable
1 Eth-Trunk12 DESI forwarding none 99999
disable
2 GE1/0/3 ALTE discarding none 199999
disable
2 Eth-Trunk12 ROOT forwarding none 99999
disable
VRRP:
[CS1]display vrrp
Type:
N: Normal
A: Administrator
M: Member
L: Load-Balance
LM: Load-Balance-Member
Total:6 Master:3 Backup:3 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 N 10.1.1.250
2 Backup Vlanif10 N 10.1.1.251
3 Master Vlanif20 N 20.1.1.250
4 Backup Vlanif20 N 20.1.1.251
5 Master Vlanif30 N 30.1.1.250
6 Backup Vlanif30 N 30.1.1.251
Eth-Trunk:
[CS1]dis eth-trunk 12
Eth-Trunk12's state information is:
Working Mode: Normal Hash Arithmetic: According to flow
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 32
Operating Status: up Number of Up Ports in Trunk: 2
--------------------------------------------------------------------------------
PortName Status Weight
GE1/0/1 Up 1
GE1/0/2 Up 1 CS2:
MSTP配置:
vlan batch 10 20 30
stp instance 1 root secondary
stp instance 2 root primary
stp enable
stp region-configuration
region-name huawei
instance 1 vlan 10
instance 2 vlan 20 30VRRP配置:
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.250
vrrp vrid 1 authentication-mode md5 huawei
vrrp vrid 2 virtual-ip 10.1.1.251
vrrp vrid 2 priority 120
vrrp vrid 2 preempt timer delay 3
vrrp vrid 2 authentication-mode md5 huawei
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
vrrp vrid 3 virtual-ip 20.1.1.250
vrrp vrid 3 authentication-mode md5 huawei
vrrp vrid 4 virtual-ip 20.1.1.251
vrrp vrid 4 priority 120
vrrp vrid 4 preempt timer delay 3
vrrp vrid 4 authentication-mode md5 huawei
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
vrrp vrid 5 virtual-ip 30.1.1.250
vrrp vrid 5 authentication-mode md5 huawei
vrrp vrid 6 virtual-ip 30.1.1.251
vrrp vrid 6 priority 120
vrrp vrid 6 preempt timer delay 3
vrrp vrid 6 authentication-mode md5 huawei接口和路由配置:
interface Eth-Trunk12
port link-type trunk
port trunk allow-pass vlan 10 20 30
interface GE1/0/0
undo portswitch
undo shutdown
ip address 172.16.1.1 255.255.255.252
interface GE1/0/1
undo shutdown
eth-trunk 12
interface GE1/0/2
undo shutdown
eth-trunk 12
interface GE1/0/3
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10 20 30
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2查看:
MSTP:
[CS2]display stp brief
MSTID Port Role STP State Protection Cost
Edged
0 GE1/0/3 ROOT forwarding none 199999
disable
0 Eth-Trunk12 DESI forwarding none 99999
disable
1 GE1/0/3 ALTE discarding none 199999
disable
1 Eth-Trunk12 ROOT forwarding none 99999
disable
2 GE1/0/3 DESI forwarding none 199999
disable
2 Eth-Trunk12 DESI forwarding none 99999
disable
VRRP:
[CS2]display vrrp
Type:
N: Normal
A: Administrator
M: Member
L: Load-Balance
LM: Load-Balance-Member
Total:6 Master:3 Backup:3 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif10 N 10.1.1.250
2 Master Vlanif10 N 10.1.1.251
3 Backup Vlanif20 N 20.1.1.250
4 Master Vlanif20 N 20.1.1.251
5 Backup Vlanif30 N 30.1.1.250
6 Master Vlanif30 N 30.1.1.251
Eth-Trunk:
[CS2]display eth-trunk 12
Eth-Trunk12's state information is:
Working Mode: Normal Hash Arithmetic: According to flow
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 32
Operating Status: up Number of Up Ports in Trunk: 2
--------------------------------------------------------------------------------
PortName Status Weight
GE1/0/1 Up 1
GE1/0/2 Up 1 AccS:
MSTP配置:
vlan batch 10 20 30
stp region-configuration
region-name huawei
instance 1 vlan 10
instance 2 vlan 20 30
active region-configuration //激活mstp域配置AccS交换机是S5700,CS交换机是CE12800,所以在MSTP域配置方式上有一点不同。AccS需要使用命令“active region-configuration”才能保存MSTP配置,否则退出mstp域后配置会被自动清除!
接口配置:
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
interface GigabitEthernet0/0/5
port link-type access
port default vlan 30验证:
MSTP:
[AccS]display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
0 GigabitEthernet0/0/3 DESI FORWARDING NONE
0 GigabitEthernet0/0/4 DESI FORWARDING NONE
0 GigabitEthernet0/0/5 DESI FORWARDING NONE
1 GigabitEthernet0/0/1 ROOT FORWARDING NONE
1 GigabitEthernet0/0/2 DESI FORWARDING NONE
1 GigabitEthernet0/0/3 DESI FORWARDING NONE
2 GigabitEthernet0/0/1 DESI FORWARDING NONE
2 GigabitEthernet0/0/2 ROOT FORWARDING NONE
2 GigabitEthernet0/0/4 DESI FORWARDING NONE
2 GigabitEthernet0/0/5 DESI FORWARDING NONE
接口:
[AccS]display interface brief
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
GigabitEthernet0/0/1 up up 0% 0% 0 0
GigabitEthernet0/0/2 up up 0% 0% 0 0
GigabitEthernet0/0/3 up up 0% 0% 0 0
GigabitEthernet0/0/4 up up 0% 0% 0 0
GigabitEthernet0/0/5 up up 0% 0% 0 0AR
接口配置:
interface GigabitEthernet0/0/0
ip address 172.31.1.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 172.16.1.2 255.255.255.252
interface GigabitEthernet0/0/2
ip address 172.10.1.1 255.255.255.0 路由配置:
ip route-static 0.0.0.0 0.0.0.0 172.10.1.2
ip route-static 10.1.1.0 255.255.255.0 172.31.1.1
ip route-static 20.1.1.0 255.255.255.0 172.31.1.1
ip route-static 30.1.1.0 255.255.255.0 172.31.1.1exAR
接口配置:
interface GigabitEthernet0/0/0
ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 172.10.1.2 255.255.255.0 路由配置:
ip route-static 10.1.1.0 255.255.255.0 172.10.1.1
ip route-static 20.1.1.0 255.255.255.0 172.10.1.1
ip route-static 30.1.1.0 255.255.255.0 172.10.1.1
ip route-static 158.1.1.0 255.255.255.0 100.1.1.2
ip route-static 172.16.1.0 255.255.255.0 172.10.1.1
ip route-static 172.31.1.0 255.255.255.0 172.10.1.1
ip route-static 178.1.1.0 255.255.255.0 100.1.1.2
ip route-static 189.1.1.0 255.255.255.0 100.1.1.2静态路由需要逐跳进行配置,所以需要的路由条目数量就比较多,并且因为有缺省路由的存在,在配置时需要注意掩码,防止出现路由环路。
NAT配置:
创建ACL:
acl number 2000
rule 5 permit source 10.1.1.0 0.0.0.255
rule 10 permit source 20.1.1.0 0.0.0.255
rule 15 permit source 30.1.1.0 0.0.0.255
rule 20 permit source 172.0.0.0 0.255.255.255 //将内网互联地址转换为公网地址
rule 25 deny
acl number 2001
rule 5 permit source 178.1.1.0 0.0.0.255
rule 10 permit source 158.1.1.0 0.0.0.255
rule 15 permit source 189.1.1.0 0.0.0.255
rule 20 permit source 100.0.0.0 0.255.255.255 //将公网互联地址转换为内网地址
rule 25 deny
创建地址池:
nat address-group 1 172.10.1.10 172.10.1.15
nat address-group 2 100.1.1.10 100.1.1.15
接口下调用NAT:
interface GigabitEthernet0/0/0
nat outbound 2000 address-group 2
interface GigabitEthernet0/0/1
nat outbound 2001 address-group 1 exAS
VLAN及接口配置:
vlan batch 100 158 178 189 192
interface Vlanif100
ip address 100.1.1.2 255.255.255.0
interface Vlanif158
ip address 158.1.1.254 255.255.255.0
interface Vlanif178
ip address 178.1.1.254 255.255.255.0
interface Vlanif189
ip address 189.1.1.254 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
port default vlan 178
interface GigabitEthernet0/0/2
port link-type access
port default vlan 158
interface GigabitEthernet0/0/3
port link-type access
port default vlan 189
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100路由配置:
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1终端配置按照拓扑图给的地址配置即可。
验证方式:
1.PC1访问PC2,通过Wireshark抓取数据包查看;
2.PC2访问PC1,通过Wireshark抓取数据包查看。
内外网互访标识:PC1和PC2能互相访问(ping模拟访问)
NAT命中标识:
1.源地址和原地址相同则表示NAT未命中;
2.源地址和原地址不同则表示NAT命中。
验证1:PC1--->PC2,在PC2的Eth0/0/0接口通过Wireshark抓取数据包。图示如下:
PC1--->PC2
查看抓取的数据包:
验证2:PC2--->PC1,在PC1的Eth0/0/0接口通过Wireshark抓取数据包。图示如下:
PC2--->PC1
查看抓取的数据包:
以上结果显示内外网互访时NAT都能命中,说明NAT地址池及ACL策略都正确。
本实验在配置完成后可以实现需求。在此实验中,由于VRRP处于TCP/IP模型的2.5层,所以此实验中的协议基本都是二层协议,对于网络协议的应用不多,只用到静态路由。由于拓扑有限,只能配置静态路由。后续我会专门出针对三大路由协议的专题文章,希望和大家一起探讨。
页面更新:2024-02-29
本站资料均由网友自行发布提供,仅用于学习交流。如有版权问题,请与我联系,QQ:4156828
© CopyRight 2008-2024 All Rights Reserved. Powered By bs178.com 闽ICP备11008920号-3
闽公网安备35020302034844号
