Introduction to VRRP


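Hosts on a LAN usually reach external networks through a single configured default gateway. If that gateway device fails, all traffic from the hosts to external networks is interrupted. Deploying several gateways removes the single point of failure, but the conflicts between those gateways then have to be resolved.
VRRP (Virtual Router Redundancy Protocol) provides gateway backup and also resolves the conflicts between multiple gateways, which improves network reliability.

When the gateway Router fails, none of the hosts on the segment that use it as their gateway can communicate with the Internet.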


VRRP overview


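VRRP combines several routing devices into one virtual "routing device" and uses a mechanism that switches traffic to a backup routing device promptly when a host's next-hop routing device fails, which keeps communication continuous and reliable:
1) It provides gateway backup;
2) It resolves IP conflicts between multiple gateways;
3) VRRP creates a virtual ID that serves as the gateway for end hosts, which improves network reliability.
(Note: this differs from stacking. Stacking merges the devices into one logical device, and the interfaces of every stack member forward data. In the virtual routing device created by VRRP, only the Master forwards data. The Backup does not forward and only listens; if it misses three VRRP packets from the Master, it automatically takes over as Master until the original Master comes back up.)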


VRRP terminology


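VRRP router: a router running the VRRP protocol (not only routers; layer 3 switches support it too). Note that VRRP is configured per interface; on a switch it must be configured on a vlanif.

VRID (virtual router ID): the VRID works like a "group" number. Devices running VRRP must use the same VRID, otherwise IP conflicts occur (much like an MSTP region name). The VRID is not merely locally significant; it must be consistent globally. Routers that belong to the same VRRP group exchange VRRP packets and together form one virtual "router". A VRRP group can have only one Master router.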

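Virtual router: VRRP abstracts one virtual "router" (Virtual Router) for each group. This router is not a real physical device but a logical device created by VRRP. A VRRP group produces exactly one virtual router.

Virtual IP address and virtual MAC address: the virtual router has its own IP address and MAC address. The IP address is specified by the network administrator when configuring VRRP; a virtual router can have one or more IP addresses, and users normally use this address as their gateway address. The virtual MAC address has the format "0000-5e00-01xx", where xx is the VRID. For example, VRID 5 gives the virtual MAC address 0000-5e00-0105.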

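Master router: the "Master router" handles packet forwarding for a VRRP group.
1.1) Periodically sends VRRP packets (one per second);
1.2) Answers ARP requests for the gateway;
1.3) Forwards traffic;

Backup router: also called the standby router.
2.1) Listens for the Master's advertisement packets; while they arrive normally, it does not forward traffic or answer gateway ARP requests;
2.2) If it can no longer hear the Master's advertisement packets (timeout: 3 s), the Backup promotes itself to Master.

Priority: the priority value is the basis for electing the Master and Backup routers. It ranges from 0 to 255, and a larger value is preferred.
3.1) The manually configurable range is 1-254; 0 and 255 are special priorities. When the Master device is set to 0, it is immediately treated as offline and the Backup switch takes over as Master at once, without waiting 3 s for VRRP packets. When a device's interface IP address is the virtual router's IP address, its priority is automatically set to 255 and cannot be changed;
3.2) If the values are equal, the interface IP addresses are compared and the larger one wins. The default priority is 100; the priority can be configured, and the device with the higher value becomes the VRRP Master;
3.3) If the priorities are the same, the IP addresses are compared and the device with the larger IP becomes the VRRP Master.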

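VRRP virtual IP owner

When the physical IP and the virtual IP are the same, the device automatically becomes the virtual IP owner. Its priority becomes 255 and no election is needed.

VRRP preemption

The preemption delay sets how long a device waits before it preempts the Master role, mainly to give the network topology time to converge.

The configuration command is: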

[sw1]interface g 0/0/0
[sw1-GigabitEthernet0/0/0]vrrp vrid 1 preempt-mode timer delay 30  // configured on the Master device (VRID 1 is an example value); it becomes Master only after 30 seconds

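Leaving the VRRP group

When the Master sends a VRRP packet with priority 0, the Backup takes over as Master immediately.

VRRP packet format

VRRP has only one packet type, the Advertisement packet. It is sent by multicast, so it travels only within a single broadcast domain. The destination multicast address of Advertisement packets is 224.0.0.18. If the Master is powered off or fails, it needs 33 seconds to recover after it restarts: 30 s is the STP election time and 3 s is the time for sending VRRP packets.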
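
The advertisement described above can be decoded and sanity-checked in a few lines. This is an added example, not part of the original post: it assumes VRRPv2 (the RFC 3768 header layout, version/type byte 0x21), and `build_sample`, `parse_advertisement` and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

VRRP_GROUP = "224.0.0.18"  # destination multicast address given above


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_sample(vrid: int, priority: int, vips: list, interval: int = 1) -> bytes:
    """Construct a sample VRRPv2 advertisement (constructed test data)."""
    msg = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, interval, 0)
    msg += b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advertisement(payload: bytes, dst_ip: str = VRRP_GROUP) -> dict:
    """Decode the IP payload of a VRRPv2 advertisement and sanity-check it."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, _auth, interval, _ck = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type != 0x21:  # version 2, type 1 (Advertisement, the only type)
        raise ValueError("not a VRRPv2 Advertisement")
    if len(payload) < 8 + 4 * count:
        raise ValueError("virtual IP list truncated")
    vips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    meaning = {0: "master leaving the group", 255: "virtual IP owner"}.get(prio, "normal")
    return {
        "vrid": vrid,
        "virtual_mac": f"0000-5e00-01{vrid:02x}",  # 0000-5e00-01xx, xx = VRID
        "priority": prio,
        "priority_meaning": meaning,
        "interval_s": interval,
        "virtual_ips": vips,
        "dst_ok": dst_ip == VRRP_GROUP,
        "checksum_ok": inet_checksum(payload) == 0,
    }


if __name__ == "__main__":
    print(parse_advertisement(build_sample(5, 150, ["192.168.1.1"])))
```

Comparing the decoded VRID, priority and virtual IP with what is configured on the gateways is a quick way to confirm that a captured advertisement belongs to the expected group.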

VRRP state machine

The VRRP state machine has three states: Initialize (initial state), Master (active state), and Backup (standby state).

VRRP protocol states

(figure: 2025-09-19T09:11:19.png)

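Gratuitous ARP

As soon as a network device becomes Master, it sends gratuitous ARP packets to announce the virtual MAC address to the devices and hosts connected to it.

VRRP configuration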


Configuration commands:

[AR1]int g 0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/0]vrrp vrid 5 virtual-ip 192.168.1.1
[AR1-GigabitEthernet0/0/0]vrrp vrid 5 priority 150    // set the priority so that this device becomes the Master

[AR2]int g 0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.1.3 24
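[AR2-GigabitEthernet0/0/0]vrrp vrid 5 virtual-ip 192.168.1.1   // no priority configured; the default of 100 is used

[AR1]dis vrrp brief  (shows Master)
[AR2]dis vrrp brief  (shows Backup)
Set the PC's default gateway to 192.168.1.1 and ping the virtual IP to check that it works.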

VRRP load sharing


(On a switch, replace g0/0/0 below with vlanif.)

<AR1>sys
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.2 24    
[AR1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.253
[AR1-GigabitEthernet0/0/0]vrrp vrid 1 priority 150    
[AR1-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.168.1.254
[AR1-GigabitEthernet0/0/0]quit
[AR1]dis vrrp brief 
Total:2     Master:1     Backup:1     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE0/0/0                  Normal   192.168.1.253  
2     Backup       GE0/0/0                  Normal   192.168.1.254

<AR2>sys
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.1.3 24
[AR2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.253
[AR2-GigabitEthernet0/0/0]vrrp vrid 2 virtual-ip 192.168.1.254
[AR2-GigabitEthernet0/0/0]vrrp vrid 2 priority 150
[AR2-GigabitEthernet0/0/0]quit
[AR2]dis vrrp brief 
Total:2     Master:1     Backup:1     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Backup       GE0/0/0                  Normal   192.168.1.253  
2     Master       GE0/0/0                  Normal   192.168.1.254
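
To confirm from both devices that each VRID has exactly one Master and the same virtual IP, the two `dis vrrp brief` outputs above can be cross-checked. This is an added example, not from the original post: the function names and the `AR2_SPLIT` fault case are constructed, and it assumes one row per VRID in the brief table.

```python
import re
from collections import defaultdict

# Rows copied from the load-sharing outputs above.
AR1_BRIEF = """\
VRID  State        Interface                Type     Virtual IP
1     Master       GE0/0/0                  Normal   192.168.1.253
2     Backup       GE0/0/0                  Normal   192.168.1.254
"""
AR2_BRIEF = """\
VRID  State        Interface                Type     Virtual IP
1     Backup       GE0/0/0                  Normal   192.168.1.253
2     Master       GE0/0/0                  Normal   192.168.1.254
"""
AR2_SPLIT = AR2_BRIEF.replace("1     Backup", "1     Master")  # constructed fault case
ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\S+)\s+\w+\s+(\d+(?:\.\d+){3})\s*$")


def parse_brief(text: str) -> dict:
    """Return {vrid: (state, interface, virtual_ip)} from 'dis vrrp brief' output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)  # header, separator and Total lines do not match
        if m:
            rows[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return rows


def audit(outputs: dict) -> list:
    """outputs maps device name -> brief text; returns findings, empty if consistent."""
    groups = defaultdict(list)
    for device, text in outputs.items():
        for vrid, (state, _ifname, vip) in parse_brief(text).items():
            groups[vrid].append((device, state, vip))
    findings = []
    for vrid, members in sorted(groups.items()):
        masters = [dev for dev, state, _ in members if state == "Master"]
        if len(masters) != 1:
            findings.append(f"VRID {vrid}: expected 1 Master, found {len(masters)} {masters}")
        if len({vip for _, _, vip in members}) > 1:
            findings.append(f"VRID {vrid}: virtual IP differs between devices")
        if len(members) < 2:
            findings.append(f"VRID {vrid}: configured on {members[0][0]} only, no Backup")
    return findings


if __name__ == "__main__":
    print(audit({"AR1": AR1_BRIEF, "AR2": AR2_BRIEF}), audit({"AR1": AR1_BRIEF, "AR2": AR2_SPLIT}))
```

Two Masters for one VRID usually means the advertisements are not reaching the peer, and a VRID that appears on only one device points to the VRID mismatch the terminology section describes.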

VRRP and MSTP configuration


MSTP can be used to prevent loops and combined with VRRP Master/Backup switchover; this is a common design in campus networks.


PC1 is configured as follows:
(figure: 2025-09-23T03:36:46.png)

PC2 is configured as follows:
(figure: 2025-09-23T03:37:34.png)

Switch 1 is configured as follows:

<Huawei>sys
[Huawei]sys sw1
[sw1]vlan batch 8 9
[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk 
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 8 9
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type trunk 
[sw1-GigabitEthernet0/0/2]port trunk allow-pass vlan 8 9
[sw1]stp mode mstp
[sw1]stp region-configuration 
[sw1-mst-region]region-name yorick
[sw1-mst-region]instance 1 vlan 8
[sw1-mst-region]instance 2 vlan 9
[sw1-mst-region]revision-level 1
[sw1-mst-region]active region-configuration 
[sw1-mst-region]quit
[sw1]stp instance 1 priority 0
[sw1]stp instance 2 priority 4096
[sw1]dis stp instance 1 brief
 MSTID  Port                        Role  STP State     Protection
   1    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
[sw1]dis stp instance 2 brief
 MSTID  Port                        Role  STP State     Protection
   2    GigabitEthernet0/0/1        DESI  LEARNING        NONE
   2    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE

[sw1]int vlan 8
[sw1-Vlanif8]ip add 192.168.8.2 24
[sw1-Vlanif8]vrrp vrid 8 virtual-ip 192.168.8.1
[sw1-Vlanif8]vrrp vrid 8 priority 110
[sw1-Vlanif8]quit
[sw1]int vlan 9
[sw1-Vlanif9]ip add 192.168.9.2 24
[sw1-Vlanif9]vrrp vrid 9 virtual-ip 192.168.9.1
[sw1-Vlanif9]quit
[sw1]dis vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
8     Master       Vlanif8                  Normal   192.168.8.1    
9     Backup       Vlanif9                  Normal   192.168.9.1    
----------------------------------------------------------------
Total:2     Master:1     Backup:1     Non-active:0 


Switch 2 is configured as follows:


<Huawei>sys
[Huawei]sys sw2    
[sw2]vlan batch 8 9
[sw2]int g0/0/1
[sw2-GigabitEthernet0/0/1]port link-type trunk 
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 8 9
[sw2-GigabitEthernet0/0/1]int g0/0/2
[sw2-GigabitEthernet0/0/2]port link-type trunk 
[sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 8 9
[sw2]stp mode mstp
[sw2]stp region-configuration 
[sw2-mst-region]region-name yorick
[sw2-mst-region]instance 1 vlan 8
[sw2-mst-region]instance 2 vlan 9
[sw2-mst-region]revision-level 1
[sw2-mst-region]active region-configuration 
[sw2-mst-region]quit
[sw2]stp instance 1 priority 4096
[sw2]stp instance 2 priority 0
[sw2]dis stp instance 1 brief
 MSTID  Port                        Role  STP State     Protection
   1    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   1    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
[sw2]dis stp instance 2 brief
 MSTID  Port                        Role  STP State     Protection
   2    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   2    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
[sw2]int vlan 8
[sw2-Vlanif8]ip add 192.168.8.3 24
[sw2-Vlanif8]vrrp vrid 8 virtual-ip 192.168.8.1
[sw2-Vlanif8]int vlan 9
[sw2-Vlanif9]vrrp vrid 9 virtual-ip 192.168.9.1
[sw2-Vlanif9]vrrp vrid 9 priority 110
[sw2-Vlanif9]quit
[sw2]dis vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
8     Backup       Vlanif8                  Normal   192.168.8.1    
9     Master       Vlanif9                  Normal   192.168.9.1    
----------------------------------------------------------------
Total:2     Master:1     Backup:1     Non-active:0  

Switch 3 is configured as follows:

<Huawei>sys
[Huawei]sys sw3
[sw3]vlan b 8 9
[sw3]int g0/0/1
[sw3-GigabitEthernet0/0/1]port link-type trunk 
[sw3-GigabitEthernet0/0/1]port trunk allow-pass vlan 8 9
[sw3-GigabitEthernet0/0/1]int g0/0/2
[sw3-GigabitEthernet0/0/2]port link-type trunk
[sw3-GigabitEthernet0/0/2]port trunk allow-pass vlan 8 9
[sw3-GigabitEthernet0/0/2]int g0/0/3
[sw3-GigabitEthernet0/0/3]port link-type access 
[sw3-GigabitEthernet0/0/3]port default vlan 8
[sw3-GigabitEthernet0/0/3]int g0/0/4
[sw3-GigabitEthernet0/0/4]port link-type access
[sw3-GigabitEthernet0/0/4]port default vlan 9
[sw3]stp mode mstp
[sw3]stp region-configuration 
[sw3-mst-region]region-name yorick
[sw3-mst-region]instance 1 vlan 8
[sw3-mst-region]instance 2 vlan 9
[sw3-mst-region]revision-level 1
[sw3-mst-region]active region-configuration 
[sw3-mst-region]quit
[sw3]dis stp instance 1 brief 
 MSTID  Port                        Role  STP State     Protection
   1    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   1    GigabitEthernet0/0/2        ALTE  DISCARDING      NONE
   1    GigabitEthernet0/0/3        DESI  FORWARDING      NONE
[sw3]dis stp instance 2 brief
 MSTID  Port                        Role  STP State     Protection
   2    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   2    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
   2    GigabitEthernet0/0/4        DESI  FORWARDING      NONE

The final result is as follows:
(figure: 2025-09-23T03:35:20.png)

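VRRP track configuration


VRRP can monitor (track) the state of an uplink port. When the device detects that the uplink port or link has failed, it lowers its own VRRP priority, so that a Backup whose uplink is healthy can be elected Master and forward packets. In the following lab, the red part is the external network and the blue part is the internal network.

(figure: 2025-09-22T06:01:50.png)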

AR1 is configured as follows:

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 12.1.1.2 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 192.168.1.2 24
[AR1-GigabitEthernet0/0/1]quit
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 virtual-ip 192.168.1.1
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 priority 120
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 track interface g0/0/0 reduced 30  // tracks uplink port g0/0/0: when g0/0/0 goes down, 30 is subtracted from the priority of 120, giving 90. The default is 20; here it is set manually to 30.

[AR1-GigabitEthernet0/0/1]quit
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000
[AR1-GigabitEthernet0/0/0]quit
[AR1]ip route-static 0.0.0.0 0 12.1.1.1


At this point AR1 can ping the ISP address 8.8.8.8 successfully:

[AR1]ping 8.8.8.8
  PING 8.8.8.8: 56  data bytes, press CTRL_C to break
    Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=255 time=20 ms
    Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 8.8.8.8: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 8.8.8.8: bytes=56 Sequence=5 ttl=255 time=20 ms

  --- 8.8.8.8 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/16/20 ms


AR2 (Backup device) configuration:

[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 13.1.1.2 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.1.3 24
[AR2-GigabitEthernet0/0/1]vrrp vrid 1 virtual-ip 192.168.1.1
[AR2-GigabitEthernet0/0/1]quit
[AR2]acl 2000
[AR2-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[AR2-acl-basic-2000]int g0/0/0
[AR2-GigabitEthernet0/0/0]nat outbound 2000
[AR2-GigabitEthernet0/0/0]quit
[AR2]ip route-static 0.0.0.0 0.0.0.0 13.1.1.1


At this point AR2 can ping the ISP address 8.8.8.8 successfully:

[AR2]ping 8.8.8.8
  PING 8.8.8.8: 56  data bytes, press CTRL_C to break
    Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=255 time=70 ms
    Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=255 time=20 ms
    Reply from 8.8.8.8: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 8.8.8.8: bytes=56 Sequence=5 ttl=255 time=20 ms

  --- 8.8.8.8 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 20/32/70 ms

At this point AR1 is the Master and AR2 is the Backup:

[AR1]dis vrrp brief 
Total:1     Master:1     Backup:0     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE0/0/1                  Normal   192.168.1.1   

[AR2]dis vrrp brief 
Total:1     Master:0     Backup:1     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Backup       GE0/0/1                  Normal   192.168.1.1

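Now shut down AR1's uplink and check the VRRP state again. Once AR1's uplink is down, its priority drops by 30, so AR2 becomes the new Master and AR1 becomes the Backup.

Shut down the uplink interface on AR1 and check the VRRP state: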

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]shutdown 
[AR1-GigabitEthernet0/0/0]quit
[AR1]dis vrrp brief 
Total:1     Master:0     Backup:1     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Backup       GE0/0/1                  Normal   192.168.1.1  


Check the VRRP state on AR2:

[AR2]dis vrrp brief 
Total:1     Master:1     Backup:0     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE0/0/1                  Normal   192.168.1.1  


When AR1's uplink port is brought back up, the original state is restored:

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]undo shutdown 
[AR1-GigabitEthernet0/0/0]quit
[AR1]dis vrrp brief 
Total:1     Master:1     Backup:0     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE0/0/1                  Normal   192.168.1.1   


Once AR1's uplink interface is up again, AR2 is preempted and goes back to being the Backup:

[AR2]dis vrrp brief
Total:1     Master:0     Backup:1     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Backup       GE0/0/1                  Normal   192.168.1.1   
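
The election rules from the Priority section and the track behaviour shown in this lab can be replayed in a small model. This is an added example, not from the original post: it assumes preemption is enabled with no delay, and `Router`, `next_master` and `track_lab` are illustrative names. It shows why the `reduced` value must push the tracked device's priority strictly below the Backup's.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    interface_ip: str
    priority: int = 100       # default priority stated on the page
    track_reduced: int = 0    # N in "track interface ... reduced N"
    uplink_up: bool = True
    leaving: bool = False     # announces priority 0 (leaves the group)
    def effective(self, vip: str) -> int:
        if self.leaving:
            return 0
        if self.interface_ip == vip:
            return 255        # virtual IP owner
        return self.priority - (0 if self.uplink_up else self.track_reduced)


def next_master(routers, vip, current=None):
    """Name of the Master after the routers have exchanged advertisements."""
    def rank(r):  # higher priority first, then larger interface IP
        return r.effective(vip), int(ipaddress.IPv4Address(r.interface_ip))
    alive = [r for r in routers if r.effective(vip) > 0]
    if not alive:
        return None
    best = max(alive, key=rank)
    holder = next((r for r in alive if r.name == current), None)
    # A Backup preempts only when its priority is strictly higher than the Master's.
    if holder is not None and best.effective(vip) <= holder.effective(vip):
        return holder.name
    return best.name


def track_lab(reduced: int) -> list:
    """Replay the track lab: initial election, AR1 uplink down, uplink restored."""
    vip = "192.168.1.1"
    ar1 = Router("AR1", "192.168.1.2", priority=120, track_reduced=reduced)
    ar2 = Router("AR2", "192.168.1.3")
    history = [next_master([ar1, ar2], vip)]
    for state in (False, True):
        ar1.uplink_up = state
        history.append(next_master([ar1, ar2], vip, current=history[-1]))
    return history


if __name__ == "__main__":
    print(track_lab(30), track_lab(20))  # 30 is the page's value; 20 is a constructed tie
```

With a constructed reduction of 20, AR1 drops to 100, only ties with AR2, and keeps the Master role even though its uplink is down.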
