Preface
VRRP (Virtual Router Redundancy Protocol) and MSTP (Multiple Spanning Tree Protocol) are two different protocols: VRRP provides gateway redundancy, while MSTP provides network redundancy and fault tolerance at layer 2.
Although they are different protocols, they can be used together in one network to provide higher reliability and fault tolerance. In that case VRRP handles gateway redundancy, ensuring that an available gateway device always exists, while MSTP handles network redundancy, ensuring that the network has no single point of failure.
Concretely, when VRRP and MSTP are combined, the two protocols can be configured on different devices: VRRP is configured across several devices to provide gateway redundancy, and MSTP is configured on all devices to provide network redundancy.
With this configuration, if the gateway on one device fails, VRRP automatically elects the other device's gateway as the active gateway and it takes over the traffic. At the same time, MSTP recalculates the topology among the remaining devices and reconfigures the network so that no single point of failure remains.
Combining VRRP and MSTP therefore provides higher reliability and fault tolerance, allowing the network to cope better with failures and with recovery from them.
Contents
Preface
1. Lab background
2. Topology
3. Device naming rules
4. Device interconnection
5. Device configuration
6. Internal/external access and NAT verification
7. Summary
1. Lab background
Theoretical background: this lab combines MSTP and VRRP in one network to verify the redundancy and robustness of the architecture. It also builds an internal network and an external network, simulating external and internal users exchanging traffic across a data center and a metropolitan area network. The egress device translates the addresses of internal and external users, terminals and servers in both directions, which keeps network access within policy. Because the egress device performs bidirectional dynamic NAT and its NAT address pools cover a fairly large address range, precise end-to-end access control is hard to achieve in this lab; anyone who has thought about this is welcome to discuss it.
Practical requirements: external users and terminals need to access internal users and servers, and internal users and terminals need to access external users and servers, subject to the following:
1. A public IP entering the internal network must be translated to an internal address before access is allowed;
2. An internal IP accessing the external network must appear as a public IP.
In addition, the core switching area of the data center needs strong redundancy, the overall network must be robust, and traffic passing through the core devices must be load-shared.
IP address planning rule: judged by the last octet, addresses are "left small, right large" relative to a device and "left large, right small" relative to a link. For example, link: left port 192.168.1.2/24, right port 192.168.1.1/24; device: left port 192.168.1.1/24, right port 192.168.1.2/24.
2. Topology
(figure: topology diagram)
3. Device naming rules
| Device type | Role | Identifier |
|---|---|---|
| Router | Access router | AR (Access Router) |
| Router | External access router | exAR (External Access Router) |
| Switch | Core switch | CS (Core Switch) |
| Switch | Access switch | AccS (Access Switch) |
| Switch | External aggregation switch | exAS (External Access Switch) |
| Switch | Aggregation switch | AS (Aggregation Switch) |
| PC | Internal user | PC1 |
| PC | External user | PC2 |
| Server | Internal server | Server2 |
| Server | External server | Server1 |
| Client | Internal terminal | Client2 |
| Client | External terminal | Client1 |
4. Device interconnection
| Local device | Interface | Mode | IP address / Eth-Trunk | Peer device | Interface | Mode | IP address / Eth-Trunk |
|---|---|---|---|---|---|---|---|
| CS1 | GE1/0/0 | route | 172.31.1.1/30 | AR | GE0/0/0 | route | 172.31.1.2/30 |
| CS1 | GE1/0/1 | bridge | Eth-Trunk 12 | CS2 | GE1/0/1 | bridge | Eth-Trunk 12 |
| CS1 | GE1/0/2 | bridge | Eth-Trunk 12 | CS2 | GE1/0/2 | bridge | Eth-Trunk 12 |
| CS1 | GE1/0/3 | bridge | Trunk | AccS | GE0/0/1 | bridge | Trunk |
| CS2 | GE1/0/0 | route | 172.16.1.1/30 | AR | GE0/0/1 | route | 172.16.1.2/30 |
| CS2 | GE1/0/1 | bridge | Eth-Trunk 12 | CS1 | GE1/0/1 | bridge | Eth-Trunk 12 |
| CS2 | GE1/0/2 | bridge | Eth-Trunk 12 | CS1 | GE1/0/2 | bridge | Eth-Trunk 12 |
| CS2 | GE1/0/3 | bridge | Trunk | AccS | GE0/0/2 | bridge | Trunk |
| AR | GE0/0/0 | route | 172.31.1.2/30 | CS1 | GE1/0/0 | route | 172.31.1.1/30 |
| AR | GE0/0/1 | route | 172.16.1.2/30 | CS2 | GE1/0/0 | route | 172.16.1.1/30 |
| AR | GE0/0/2 | route | 172.10.1.1/30 | exAR | GE0/0/1 | route | 172.10.1.2/30 |
| AccS | GE0/0/1 | bridge | Trunk | CS1 | GE1/0/3 | bridge | Trunk |
| AccS | GE0/0/2 | bridge | Trunk | CS2 | GE1/0/3 | bridge | Trunk |
| AccS | GE0/0/3 | bridge | Access | PC1 | Eth0/0/1 | bridge | Access |
| AccS | GE0/0/4 | bridge | Access | Client2 | Eth0/0/0 | bridge | Access |
| AccS | GE0/0/5 | bridge | Access | Server2 | Eth0/0/0 | bridge | Access |
| exAS | GE0/0/1 | bridge | Access | PC2 | Eth0/0/1 | bridge | Access |
| exAS | GE0/0/2 | bridge | Access | Server1 | Eth0/0/0 | bridge | Access |
| exAS | GE0/0/3 | bridge | Access | Client1 | Eth0/0/0 | bridge | Access |
| exAS | GE0/0/4 | bridge | Vlan100: 100.1.1.2/24 | exAR | GE0/0/0 | route | 100.1.1.1/24 |
| exAR | GE0/0/0 | route | 100.1.1.1/24 | exAS | GE0/0/4 | bridge | Vlan100: 100.1.1.2/24 |
| exAR | GE0/0/1 | route | 172.10.1.2/24 | AR | GE0/0/2 | route | 172.10.1.1/24 |
5. Device configuration
CS1:
MSTP configuration:
```
vlan batch 10 20 30                 // create the VLANs
stp enable                          // enable STP
stp mode mstp                       // switch the STP mode to MSTP
stp instance 1 root primary         // make this device the primary root bridge of MST instance 1
stp instance 2 root secondary       // make this device the secondary root bridge of MST instance 2
stp region-configuration            // enter the MST region view
 region-name huawei                 // MST region name
 instance 1 vlan 10                 // map instances to VLANs
 instance 2 vlan 20 30
```
MSTP mainly provides load sharing and loop prevention: once instances are bound to VLANs, traffic is shared across the redundant links according to the instance-to-VLAN mapping.
VRRP configuration:
```
interface Vlanif10                          // configure the VLAN interface
 ip address 10.1.1.254 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.250
 vrrp vrid 1 priority 120                   // VRRP priority, default 100
 vrrp vrid 1 preempt timer delay 3          // preemption delay, default is immediate preemption
 vrrp vrid 1 authentication-mode md5 huawei // authentication key
 vrrp vrid 2 virtual-ip 10.1.1.251
 vrrp vrid 2 authentication-mode md5 huawei
interface Vlanif20
 ip address 20.1.1.254 255.255.255.0
 vrrp vrid 3 virtual-ip 20.1.1.250
 vrrp vrid 3 priority 120
 vrrp vrid 3 preempt timer delay 3
 vrrp vrid 3 authentication-mode md5 huawei
 vrrp vrid 4 virtual-ip 20.1.1.251
 vrrp vrid 4 authentication-mode md5 huawei
interface Vlanif30
 ip address 30.1.1.254 255.255.255.0
 vrrp vrid 5 virtual-ip 30.1.1.250
 vrrp vrid 5 priority 120
 vrrp vrid 5 preempt timer delay 3
 vrrp vrid 5 authentication-mode md5 huawei
 vrrp vrid 6 virtual-ip 30.1.1.251
 vrrp vrid 6 authentication-mode md5 huawei
```
VRRP mainly provides gateway redundancy. Once configured, a master and a backup are elected according to the configured priorities. Under normal conditions all data is forwarded through the master; when the master fails (an interface failure or a whole-device failure), the backup takes over forwarding so that service is not interrupted. Each VLAN here carries two VRIDs whose masters sit on different core switches, so under normal conditions both switches forward traffic and each backs the other up.
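As an added example that is not part of the original lab, the following Python re-implements the VRRP master election this write-up relies on (highest priority wins, ties go to the higher interface IP, and the router that owns the virtual IP runs at priority 255) and checks it against the Vlanif10 lines of CS1 and CS2; the config fragments are copied from the two switches' VRRP sections.

```python
# Added example (not the lab's own code): re-implements the VRRP election rule
# this write-up relies on (highest priority wins; on a tie the higher interface
# IP wins; a router whose interface IP is the virtual IP runs at priority 255)
# and checks it against the Vlanif10 lines copied from the CS1/CS2 sections.
import ipaddress

CS1_VLANIF10 = """\
interface Vlanif10
 ip address 10.1.1.254 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.250
 vrrp vrid 1 priority 120
 vrrp vrid 2 virtual-ip 10.1.1.251
"""
CS2_VLANIF10 = """\
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.250
 vrrp vrid 2 virtual-ip 10.1.1.251
 vrrp vrid 2 priority 120
"""

def parse_vrrp(router, config):
    # {(interface, vrid): {router, ip, priority, vip}}; priority defaults to 100.
    groups, iface, ip = {}, None, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["interface"]:
            iface = parts[1]
        elif parts[:2] == ["ip", "address"]:
            ip = ipaddress.IPv4Address(parts[2])
        elif parts[:2] == ["vrrp", "vrid"]:
            g = groups.setdefault((iface, int(parts[2])),
                                  {"router": router, "ip": ip, "priority": 100, "vip": None})
            if parts[3] == "virtual-ip":
                g["vip"] = ipaddress.IPv4Address(parts[4])
            elif parts[3] == "priority":
                g["priority"] = int(parts[4])
    return groups

def elect_masters(*routers):
    # Merge the per-switch groups and pick the Master of each (interface, vrid).
    by_group = {}
    for groups in routers:
        for key, g in groups.items():
            by_group.setdefault(key, []).append(g)
    rank = lambda g: (255 if g["vip"] == g["ip"] else g["priority"], int(g["ip"]))
    return {key: max(cands, key=rank)["router"] for key, cands in by_group.items()}

# Matches the 'display vrrp' tables: CS1 is Master for VRID 1, CS2 for VRID 2.
MASTERS = elect_masters(parse_vrrp("CS1", CS1_VLANIF10), parse_vrrp("CS2", CS2_VLANIF10))
```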
Interface and routing configuration:
```
interface Eth-Trunk12                       // create the L2 aggregated port
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 172.31.1.1 255.255.255.252
interface GE1/0/1
 undo shutdown
 eth-trunk 12                               // join aggregated port 12
interface GE1/0/2
 undo shutdown
 eth-trunk 12
interface GE1/0/3
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
ip route-static 0.0.0.0 0.0.0.0 172.31.1.2  // default route
```
Link aggregation increases the send/receive bandwidth of the link and also adds link redundancy, making data forwarding between the devices more reliable.
Verification:
MSTP:
```
[CS1]display stp brief
 MSTID  Port         Role  STP State   Protection  Cost    Edged
 0      GE1/0/3      ROOT  forwarding  none        199999  disable
 0      Eth-Trunk12  ALTE  discarding  none        99999   disable
 1      GE1/0/3      DESI  forwarding  none        199999  disable
 1      Eth-Trunk12  DESI  forwarding  none        99999   disable
 2      GE1/0/3      ALTE  discarding  none        199999  disable
 2      Eth-Trunk12  ROOT  forwarding  none        99999   disable
```
VRRP:
```
[CS1]display vrrp
Type:
N: Normal
A: Administrator
M: Member
L: Load-Balance
LM: Load-Balance-Member
Total:6 Master:3 Backup:3 Non-active:0
VRID  State   Interface  Type  Virtual IP
----------------------------------------------------------------
1     Master  Vlanif10   N     10.1.1.250
2     Backup  Vlanif10   N     10.1.1.251
3     Master  Vlanif20   N     20.1.1.250
4     Backup  Vlanif20   N     20.1.1.251
5     Master  Vlanif30   N     30.1.1.250
6     Backup  Vlanif30   N     30.1.1.251
```
Eth-Trunk:
```
[CS1]dis eth-trunk 12
Eth-Trunk12's state information is:
Working Mode: Normal            Hash Arithmetic: According to flow
Least Active-linknumber: 1      Max Bandwidth-affected-linknumber: 32
Operating Status: up            Number of Up Ports in Trunk: 2
--------------------------------------------------------------------------------
PortName    Status  Weight
GE1/0/1     Up      1
GE1/0/2     Up      1
```
CS2:
MSTP configuration:
```
vlan batch 10 20 30
stp instance 1 root secondary
stp instance 2 root primary
stp enable
stp region-configuration
 region-name huawei
 instance 1 vlan 10
 instance 2 vlan 20 30
```
VRRP configuration:
```
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.250
 vrrp vrid 1 authentication-mode md5 huawei
 vrrp vrid 2 virtual-ip 10.1.1.251
 vrrp vrid 2 priority 120
 vrrp vrid 2 preempt timer delay 3
 vrrp vrid 2 authentication-mode md5 huawei
interface Vlanif20
 ip address 20.1.1.1 255.255.255.0
 vrrp vrid 3 virtual-ip 20.1.1.250
 vrrp vrid 3 authentication-mode md5 huawei
 vrrp vrid 4 virtual-ip 20.1.1.251
 vrrp vrid 4 priority 120
 vrrp vrid 4 preempt timer delay 3
 vrrp vrid 4 authentication-mode md5 huawei
interface Vlanif30
 ip address 30.1.1.1 255.255.255.0
 vrrp vrid 5 virtual-ip 30.1.1.250
 vrrp vrid 5 authentication-mode md5 huawei
 vrrp vrid 6 virtual-ip 30.1.1.251
 vrrp vrid 6 priority 120
 vrrp vrid 6 preempt timer delay 3
 vrrp vrid 6 authentication-mode md5 huawei
```
Interface and routing configuration:
```
interface Eth-Trunk12
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 172.16.1.1 255.255.255.252
interface GE1/0/1
 undo shutdown
 eth-trunk 12
interface GE1/0/2
 undo shutdown
 eth-trunk 12
interface GE1/0/3
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
```
Verification:
MSTP:
```
[CS2]display stp brief
 MSTID  Port         Role  STP State   Protection  Cost    Edged
 0      GE1/0/3      ROOT  forwarding  none        199999  disable
 0      Eth-Trunk12  DESI  forwarding  none        99999   disable
 1      GE1/0/3      ALTE  discarding  none        199999  disable
 1      Eth-Trunk12  ROOT  forwarding  none        99999   disable
 2      GE1/0/3      DESI  forwarding  none        199999  disable
 2      Eth-Trunk12  DESI  forwarding  none        99999   disable
```
VRRP:
```
[CS2]display vrrp
Type:
N: Normal
A: Administrator
M: Member
L: Load-Balance
LM: Load-Balance-Member
Total:6 Master:3 Backup:3 Non-active:0
VRID  State   Interface  Type  Virtual IP
----------------------------------------------------------------
1     Backup  Vlanif10   N     10.1.1.250
2     Master  Vlanif10   N     10.1.1.251
3     Backup  Vlanif20   N     20.1.1.250
4     Master  Vlanif20   N     20.1.1.251
5     Backup  Vlanif30   N     30.1.1.250
6     Master  Vlanif30   N     30.1.1.251
```
Eth-Trunk:
```
[CS2]display eth-trunk 12
Eth-Trunk12's state information is:
Working Mode: Normal            Hash Arithmetic: According to flow
Least Active-linknumber: 1      Max Bandwidth-affected-linknumber: 32
Operating Status: up            Number of Up Ports in Trunk: 2
--------------------------------------------------------------------------------
PortName    Status  Weight
GE1/0/1     Up      1
GE1/0/2     Up      1
```
AccS:
MSTP configuration:
```
vlan batch 10 20 30
stp region-configuration
 region-name huawei
 instance 1 vlan 10
 instance 2 vlan 20 30
 active region-configuration       // activate the MST region configuration
```
The AccS switch is an S5700 while the CS switches are CE12800s, so the MSTP region configuration differs slightly. On the AccS the command `active region-configuration` is required to commit the MSTP configuration; otherwise the configuration is discarded automatically when you leave the MST region view!
Interface configuration:
```
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 30
```
Verification:
MSTP:
```
[AccS]display stp brief
 MSTID  Port                  Role  STP State   Protection
 0      GigabitEthernet0/0/1  DESI  FORWARDING  NONE
 0      GigabitEthernet0/0/2  DESI  FORWARDING  NONE
 0      GigabitEthernet0/0/3  DESI  FORWARDING  NONE
 0      GigabitEthernet0/0/4  DESI  FORWARDING  NONE
 0      GigabitEthernet0/0/5  DESI  FORWARDING  NONE
 1      GigabitEthernet0/0/1  ROOT  FORWARDING  NONE
 1      GigabitEthernet0/0/2  DESI  FORWARDING  NONE
 1      GigabitEthernet0/0/3  DESI  FORWARDING  NONE
 2      GigabitEthernet0/0/1  DESI  FORWARDING  NONE
 2      GigabitEthernet0/0/2  ROOT  FORWARDING  NONE
 2      GigabitEthernet0/0/4  DESI  FORWARDING  NONE
 2      GigabitEthernet0/0/5  DESI  FORWARDING  NONE
```
Interfaces:
```
[AccS]display interface brief
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface             PHY  Protocol  InUti  OutUti  inErrors  outErrors
GigabitEthernet0/0/1  up   up        0%     0%      0         0
GigabitEthernet0/0/2  up   up        0%     0%      0         0
GigabitEthernet0/0/3  up   up        0%     0%      0         0
GigabitEthernet0/0/4  up   up        0%     0%      0         0
GigabitEthernet0/0/5  up   up        0%     0%      0         0
```
AR:
Interface configuration:
```
interface GigabitEthernet0/0/0
 ip address 172.31.1.2 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.2 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 172.10.1.1 255.255.255.0
```
Routing configuration:
```
ip route-static 0.0.0.0 0.0.0.0 172.10.1.2
ip route-static 10.1.1.0 255.255.255.0 172.31.1.1
ip route-static 20.1.1.0 255.255.255.0 172.31.1.1
ip route-static 30.1.1.0 255.255.255.0 172.31.1.1
```
exAR:
Interface configuration:
```
interface GigabitEthernet0/0/0
 ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 172.10.1.2 255.255.255.0
```
Routing configuration:
```
ip route-static 10.1.1.0 255.255.255.0 172.10.1.1
ip route-static 20.1.1.0 255.255.255.0 172.10.1.1
ip route-static 30.1.1.0 255.255.255.0 172.10.1.1
ip route-static 158.1.1.0 255.255.255.0 100.1.1.2
ip route-static 172.16.1.0 255.255.255.0 172.10.1.1
ip route-static 172.31.1.0 255.255.255.0 172.10.1.1
ip route-static 178.1.1.0 255.255.255.0 100.1.1.2
ip route-static 189.1.1.0 255.255.255.0 100.1.1.2
```
Static routes have to be configured hop by hop, so a fairly large number of route entries is needed; and because a default route also exists, pay attention to the masks when configuring them to avoid routing loops.
NAT configuration:
Create the ACLs:
```
acl number 2000
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 permit source 20.1.1.0 0.0.0.255
 rule 15 permit source 30.1.1.0 0.0.0.255
 rule 20 permit source 172.0.0.0 0.255.255.255   // translate the internal interconnect addresses to public addresses
 rule 25 deny
acl number 2001
 rule 5 permit source 178.1.1.0 0.0.0.255
 rule 10 permit source 158.1.1.0 0.0.0.255
 rule 15 permit source 189.1.1.0 0.0.0.255
 rule 20 permit source 100.0.0.0 0.255.255.255   // translate the public interconnect addresses to internal addresses
 rule 25 deny
```
Create the address pools:
```
nat address-group 1 172.10.1.10 172.10.1.15
nat address-group 2 100.1.1.10 100.1.1.15
```
Apply NAT on the interfaces:
```
interface GigabitEthernet0/0/0
 nat outbound 2000 address-group 2
interface GigabitEthernet0/0/1
 nat outbound 2001 address-group 1
```
exAS:
VLAN and interface configuration:
```
vlan batch 100 158 178 189 192
interface Vlanif100
 ip address 100.1.1.2 255.255.255.0
interface Vlanif158
 ip address 158.1.1.254 255.255.255.0
interface Vlanif178
 ip address 178.1.1.254 255.255.255.0
interface Vlanif189
 ip address 189.1.1.254 255.255.255.0
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 178
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 158
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 189
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 100
```
Routing configuration:
```
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
```
Configure the terminals with the addresses shown in the topology diagram.
6. Internal/external access and NAT verification
Verification method:
1. PC1 accesses PC2; capture the packets with Wireshark and inspect them;
2. PC2 accesses PC1; capture the packets with Wireshark and inspect them.
Criterion for internal/external reachability: PC1 and PC2 can reach each other (access simulated with ping).
Criterion for a NAT hit:
1. If the source address in the capture equals the original address, NAT was not hit;
2. If the source address in the capture differs from the original address, NAT was hit.
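As an added example that is not part of the original lab, the following Python models the outbound NAT decision on exAR from the ACLs, address pools and `nat outbound` bindings configured in section 5, together with the NAT-hit criterion just stated; the sample packets are constructed, and which pool address the device picks is modelled as an index. The test also shows that rule 20 of each ACL (`172.0.0.0 0.255.255.255`, `100.0.0.0 0.255.255.255`) matches any source in the whole /8, not only the interconnect links.

```python
# Added example (not the lab's own code): models the outbound NAT decision on
# exAR. A basic ACL is evaluated top-down with wildcard masks (a 1 bit means
# "don't care"); the first matching rule wins, and a source no rule permits
# leaves untranslated, which is the "NAT not hit" case of the write-up.
# ACL rules, pools and interface bindings are copied from the exAR config.
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_match(rules, src):
    # rules: [(action, network, wildcard)] in rule-number order; a rule with no
    # source (like 'rule 25 deny') matches everything. Returns the action or None.
    for action, net, wild in rules:
        if wild is None:
            return action
        keep = ~ip_int(wild)  # wildcard 1-bits are "don't care", so keep the rest
        if (ip_int(src) & keep) == (ip_int(net) & keep):
            return action
    return None

ACL = {  # acl number 2000 / 2001 on exAR
    2000: [("permit", "10.1.1.0", "0.0.0.255"), ("permit", "20.1.1.0", "0.0.0.255"),
           ("permit", "30.1.1.0", "0.0.0.255"), ("permit", "172.0.0.0", "0.255.255.255"),
           ("deny", None, None)],
    2001: [("permit", "178.1.1.0", "0.0.0.255"), ("permit", "158.1.1.0", "0.0.0.255"),
           ("permit", "189.1.1.0", "0.0.0.255"), ("permit", "100.0.0.0", "0.255.255.255"),
           ("deny", None, None)],
}
POOL = {1: ("172.10.1.10", "172.10.1.15"), 2: ("100.1.1.10", "100.1.1.15")}
# 'nat outbound <acl> address-group <pool>' per egress interface of exAR
NAT_OUTBOUND = {"GigabitEthernet0/0/0": (2000, 2), "GigabitEthernet0/0/1": (2001, 1)}

def translate(egress, src, slot=0):
    # Source address after NAT on `egress`; unchanged when the ACL does not permit.
    # Which pool address the device picks is not specified here, so `slot` indexes it.
    acl_id, pool_id = NAT_OUTBOUND[egress]
    if acl_match(ACL[acl_id], src) != "permit":
        return src
    lo, hi = (ip_int(a) for a in POOL[pool_id])
    return str(ipaddress.IPv4Address(lo + slot % (hi - lo + 1)))

def nat_hit(original_src, captured_src):
    # The write-up's criterion: NAT was hit iff the captured source differs.
    return original_src != captured_src
```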
Verification 1: PC1 ---> PC2, packets captured with Wireshark on PC2's Eth0/0/0 interface. Screenshots:
(figure: PC2--->PC1)
Captured packets: (figure)
Verification 2: PC2 ---> PC1, packets captured with Wireshark on PC1's Eth0/0/0 interface. Screenshots:
(figure: PC2--->PC1)
Captured packets: (figure)
The results above show that NAT is hit for access in both directions, so the NAT address pools and ACL policies are correct.
7. Summary
After configuration, this lab meets the stated requirements. Because VRRP sits at "layer 2.5" of the TCP/IP model, the protocols used here are essentially all layer-2 protocols; little use is made of routing protocols, and only static routes are configured, since the topology is too small for anything else. I will later write a dedicated series on the three major routing protocols and look forward to discussing them with everyone.