1. 作業要求:
參照拓撲:
利用跟蹤技術實作鍊路的安全備份,達到讓使用者安全上網的需求!
1.1 正常情況vlan10的使用者走左側鍊路(即通過s1 通路internet)
Vlan20的使用者走右側鍊路(即通過s0 通路internet)
1.2 當S1鍊路斷掉後,VLAN10也走右側通過S0上網(R5的vlan10、20成為master)
1.3 當S1鍊路複原之後,vlan10還自動切回這條路(鍊路分流,提升速度)
1.4 提示:R14上監控S1 ,R5上監控S0
2. 拓撲圖
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_13454589629uqq.jpg"></a>
IP位址配置設定表:
路由器 端口 ip位址及子網路遮罩 網關 DNS
R7 S1 192.168.1.1/24
S0 192.168.2.1/24
E1 192.168.101.222/24
R14 S1 192.168.1.2/24 192.168.1.1
R5 S0 192.168.2.2/24 192.168.2.1
V10 E0/4 192.168.10.8/24 192.168.101.24 222.88.88.88
V20 E0/14 192.168.20.10/24 192.168.101.24 222.88.88.88
注意:v10指的是vlan10内的主機 v20指的是vlan20内的主機
其他裝置為本區域網路上網用的,直接連上即可(可上網網關為192.168.101.254/24
主DNS為:222.88.88.88 輔助DNS:222.85.85.85 )
3. 裝置描述:
路由器:H3C Quidway R2621(3台)
交換機:H3C Quidway S 3526E (2台)
4. 配置指令及注意事項:
4.1 <b>配ip+</b><b>啟動gvrp</b><b>(vlan</b><b>同步)+</b><b>做通道+</b><b>啟動STP</b>
<b>配基本ip</b>
[R14]int s1
[R14-Serial1]ip add 192.168.1.2 24
[R14-Serial1]int e1.10
[R14-Ethernet1.10]vlan-type dot1q vid 10
[R14-Ethernet1.10]ip address 192.168.10.1 24
[R14-Ethernet1.10]int e1.20
[R14-Ethernet1.20]vlan-type dot1q vid 20
[R14-Ethernet1.20]ip address 192.168.20.1 24
[R5]int s0
[R5-Serial0]ip add 192.168.2.2 24
[R5-Serial0]int e1.10
[R5-Ethernet1.10]vlan-type dot1q vid 10
[R5-Ethernet1.10]ip add 192.168.10.2 24
[R5-Ethernet1.10]int e1.20
[R5-Ethernet1.20]vlan-type dot1q vid 20
[R5-Ethernet1.20]ip add 192.168.20.2 24
<b>啟動gvrp</b><b>協定并做trunk</b><b>鍊路</b>
[S10]gvrp //該協定目的達到交換機上vlan資訊同步
GVRP is enabled globally.
[S10]stp enable //啟用生成樹協定
[S10]int e 0/1
[S10-Ethernet0/1]port link-type trunk
[S10-Ethernet0/1]port trunk permit vlan all
Please wait........................................... Done.
[S10-Ethernet0/1]quit
[S10]vlan 10
[S10-vlan10]port e0/4 to e 0/5
[S10-vlan10]vlan 20
[S10-vlan20]port e0/11 to e 0/15
<b> </b><b>通道:通過鍊路聚合實作(要求百兆全雙工鍊路)</b>
[S10]link-aggregation eth 0/9 to et0/10 ingress
The duplex of aggregating ports should be full mode!
[S10]int e0/9
[S10-Ethernet0/9]duplex full
[S10-Ethernet0/9]speed 100
[S10]int e0/10
[S10-Ethernet0/10]duplex full
[S10-Ethernet0/10]
%Aug 19 17:50:25 2012 S10 L2INF/5/PORT LINK STATUS CHANGE:
Ethernet0/10: turns into DOWN state
%Aug 19 17:50:26 2012 S10 L2INF/5/PORT LINK STATUS CHANGE:
Ethernet0/10: turns into UP state
[S10-Ethernet0/10]speed 100
<b>Gvrp </b><b>協定應用于接口</b>
[S10-Ethernet0/9]port link-type trunk
[S10-Ethernet0/9]port trunk permit vlan all
[S10-Ethernet0/9]gvrp
GVRP is enabled on port Ethernet0/9.
[S10-Ethernet0/9]int e0/10
[S10-Ethernet0/10]port link-type trunk
[S10-Ethernet0/10]port trunk permit vlan all
[S10-Ethernet0/10]gvrp
GVRP is enabled on port Ethernet0/10.
[S10-Ethernet0/10]quit
[S38]GVRP
[S38]stp enable //啟用生成樹協定
[S38]INT E0/1
[S38-Ethernet0/1]port link-type trunk
[S38-Ethernet0/1]port trunk permit vlan all
[S38]link-aggregation eth0/9 to eth0/10 both 改為另一個模式即 ingress
S38]int e0/9
[S38-Ethernet0/9]duplex full
[S38-Ethernet0/9]speed 100
[S38-Ethernet0/9]gvrp
[S38-Ethernet0/9]int e0/10
[S38-Ethernet0/10]
%Aug 19 17:01:54 2012 S38 SYSM/5/MAC MOVE:Slot=1;MAC addr 00e0-fc06-5520 will move to port 9 from port 10
%Aug 19 17:01:54 2012 S38 SYSM/5/MAC MOVE:Slot=1;MAC addr 00e0-fc06-5520 will move to port 10 from port 9
[S38-Ethernet0/10]duplex ful
[S38-Ethernet0/10]speed 100
[S38-Ethernet0/10]gvrp
<b>檢視鍊路捆綁狀态</b>
[S38]dis link-aggregation e0/9
Master port: Ethernet0/9
Other sub-ports:
Ethernet0/10
Mode: both
[S38]dis link-aggregation e0/10
This port is not a master port. Its master port is Ethernet0/9.
[S38]dis gvrp status
GVRP is enabled
[S38]dis gvrp statistics
GVRP statistics on port Ethernet0/1
GVRP Status : Disabled
GVRP Failed Registrations : 0
GVRP Last Pdu Origin : 0000-0000-0000
GVRP Registration Type : Normal
GVRP statistics on port Ethernet0/9
GVRP Status : Enabled
GVRP Last Pdu Origin : 00e0-fc06-5520
GVRP statistics on port Ethernet0/10
<b> </b><b>檢測gvrp</b><b>是否生效</b>
[S38]dis vlan all
VLAN ID: 1
VLAN Type: static
Route Interface: not configured
Description: VLAN 0001
Tagged Ports: none
Untagged Ports:
Ethernet0/1 Ethernet0/2 Ethernet0/3
Ethernet0/4 Ethernet0/5 Ethernet0/6
Ethernet0/7 Ethernet0/8 Ethernet0/9
Ethernet0/10 Ethernet0/11 Ethernet0/12
Ethernet0/13 Ethernet0/14 Ethernet0/15
Ethernet0/16 Ethernet0/17 Ethernet0/18
Ethernet0/19 Ethernet0/20 Ethernet0/21
Ethernet0/22 Ethernet0/23 Ethernet0/24
VLAN ID: 10
VLAN Type: dynamic
Description: VLAN 0010
Tagged Ports:
Ethernet0/9 Ethernet0/10
Untagged Ports: none
VLAN ID: 20
VLAN Type: dynamic
Route Interface: not configured
Description: VLAN 0020
Tagged Ports:
Untagged Ports: none //證明gvrp已達到同步
<b>給vlan</b><b>劃分端口:</b>
[S38]vlan 10
[S38-vlan10]port e0/4 to e0/5
Dynamic VLAN is configured, now changed to static!
[S38-vlan10]vlan 20
[S38-vlan20]port e0/11 to e0/15
[R14]ping 192.168.10.2
PING 192.168.10.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.2: bytes=56 Sequence=0 ttl=255 time = 13 ms
Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=255 time = 2 ms
[R5]ping 192.168.10.1
PING 192.168.10.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time = 2 ms
Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time = 2 ms
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345458970LffY.jpg"></a>
<b>4.2 </b><b>配置VRRP </b><b>備援安全配置:</b>
[R14]vrrp ping-enable //不寫不能ping通虛拟ip
[R14]int e1.10
[R14-Ethernet1.10]vrrp vrid 10 virtual-ip 192.168.10.254
[R14-Ethernet1.10]vrrp vrid 10 priority 120 //優先級
[R14-Ethernet1.10]vrrp vrid 10 preempt-mode //權限争奪
[R14-Ethernet1.10]vrrp vrid 10 track serial 1 reduced 40
//跟蹤出口,調整浮動值(在優先級的基礎上)
[R14-Ethernet1.10]int e1.20 // 優先級預設100
[R14-Ethernet1.20]vrrp vrid 20 virtual-ip 192.168.20.254
[R14-Ethernet1.20]vrrp vrid 20 preempt-mode
[R14-Ethernet1.20]vrrp vrid 20 track serial 1 reduced 40
[R14]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 //靜态路由
[R5]int e1.10
[R5-Ethernet1.10]vrrp vrid 10 virtual-ip 192.168.10.254
[R5-Ethernet1.10]vrrp vrid 10 preempt-mode
[R5-Ethernet1.10]vrrp vrid 10 track s0 reduced 40
[R5-Ethernet1.10]int e1.20
[R5-Ethernet1.20]vrrp vrid 20 virtual-ip 192.168.20.254
[R5-Ethernet1.20]vrrp vrid 20 priority 120
[R5-Ethernet1.20]vrrp vrid 20 preempt-mode
[R5-Ethernet1.20]vrrp vrid 20 track s0 reduce 40
[R5]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
[R5]ping -C 2000 192.168.20.2
PING 192.168.20.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.20.2: bytes=56 Sequence=0 ttl=255 time = 1 ms
Reply from 192.168.20.2: bytes=56 Sequence=1 ttl=255 time = 2 ms
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345458975Fll6.jpg"></a>
[R7]int s0
[R7-Serial0]ip add 192.168.2.1 24
[R7-Serial0]
%01:04:55: Line protocol ip on the interface Serial0 is UP
[R7-Serial0]shutdown
% Interface Serial0 is down
%01:05:01: Interface Serial0 is DOWN
[R7-Serial0]undo shutdown
% Interface Serial0 is reset
[R7]int s1
[R7-Serial1]ip add 192.168.1.1 24
[R7-Serial1]
%01:08:14: Line protocol ip on the interface Serial1 is UP
[R7-Serial1]shutdown //串行端口的另一端要複位!
% Interface Serial1 is down
%01:08:20: Interface Serial1 is DOWN
[R7-Serial1]undo shutdown
% Interface Serial1 is reset
[R7-Serial1]int e 1
[R7-Ethernet1]ip add 192.168.101.222 24
[R7]acl 2000
[R7-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[R7-acl-2000]int e1
[R7-Ethernet1]nat outbound 2000 interface
[R7-Ethernet1]quit
[R7]ip route-static 0.0.0.0 0.0.0.0 192.168.101.254
檢視配置:display cu
ip route-static 0.0.0.0 0.0.0.0 192.168.101.254 preference 60 //預設60
ip route-static 192.168.10.0 255.255.255.0 192.168.1.2 preference 40 //該路正常就走1.2
ip route-static 192.168.10.0 255.255.255.0 192.168.2.2 preference 50 斷掉,走2.2
ip route-static 192.168.20.0 255.255.255.0 192.168.2.2 preference 40
ip route-static 192.168.20.0 255.255.255.0 192.168.1.2 preference 50 !
return
[R7]display ip routing
Routing Tables:
Destination/Mask Proto Pref Metric Nexthop Interface
0.0.0.0/0 Static 60 0 192.168.101.254 Ethernet1
127.0.0.0/8 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.0/24 Direct 0 0 192.168.1.2 Serial1
192.168.1.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.2/32 Direct 0 0 192.168.1.2 Serial1
192.168.2.0/24 Direct 0 0 192.168.2.2 Serial0
192.168.2.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.2.2/32 Direct 0 0 192.168.2.2 Serial0
192.168.10.0/24 Static 40 0 192.168.1.2 Serial1
192.168.20.0/24 Static 40 0 192.168.2.2 Serial0
192.168.101.0/24 Direct 0 0 192.168.101.222 Ethernet1
192.168.101.222/32 Direct 0 0 127.0.0.1 LoopBack0
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345458979OQVQ.jpg"></a>
拔掉(shutdown)R14與R7之間的鍊路!狀态發生了改變!
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_13454589858zhJ.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345458991j0b8.jpg"></a>
測試:客戶機:
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345458996BDPj.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459009Sspx.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459016gjkc.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_13454590272OcF.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459036mSxQ.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459039QW7c.jpg"></a>
走的是右側的路!
斷開R5 與 R7之間的串行鍊路,測試:
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_13454590440KVw.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459047Ho73.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459051AZhD.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459054vO9z.jpg"></a>
沒有丢包!
<b>斷開R14</b><b>與R7</b><b>之間的鍊路:</b>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459056s8w6.jpg"></a>
<b>Vlan20 </b><b>的機器還能和vlan10</b><b>中的pc</b><b>正常通信!</b>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459058E5vD.jpg"></a>
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459061DKET.jpg"></a>
Vlan10 中的機器:
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459065nGl3.jpg"></a>
主Dns即 222.88.88.88 輔助dns: 222.85.85.85
正常上網:
走的是左側:
經過:192.168.10.1
192.168.1.1
192.168.101.254
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459068A370.jpg"></a>
如果S1斷掉:
<a href="http://5645432.blog.51cto.com/attachment/201208/20/5635432_1345459072oMmK.jpg"></a>
本文轉自 gjp0731 51CTO部落格,原文連結:http://blog.51cto.com/guojiping/967608
走的是右側的路,成功!
![圖解HTTP八:确認通路使用者身份的認證[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)