- 项目拓扑与项目需求
项目需求:某公司内部为了实现高冗余性,部署了两台汇聚交换机,分别为LSW1、LSW2,AR1为公司的出口设备。公司内部有两个部门,分别划分在vlan10和vlan20。现在需要实现以下需求:
- 由于汇聚层和接入层采用二层组网,需要使用MSTP防止环路。
- LSW1和LSW2作为内部设备的网关,使用VRRP技术实现网关冗余,效果为LSW1为vlan10的主网关,LSW2为vlan20的主网关。
- 在LSW1和LSW2 的OSPF进程上引入vlan10和vlan20的IP网段时,使用route-policy(if-match不同的vlanif,设置不同的cost值),效果为PC1回包流量路径规划如下:
PC2访问PC1的回包路径为PC1-AR2-AR1-LSW1-LSW3-PC2,PC3的回包路径为PC1-AR2-LSW2-LSW4-PC3。
- 当LSW1的上行链路故障时,PC2访问外网的路径为PC2-LSW3-LSW2-AR1,LSW2的上行链路故障时,PC3访问外网的路径为PC3-LSW4-LSW2-AR1。
- 实验步骤
步骤1:配置MSTP
1)配置MSTP
[LSW1]stp region-configuration
[LSW1-mst-region]region-name huawei
[LSW1-mst-region]revision-level 1
[LSW1-mst-region]instance 10 vlan 10
[LSW1-mst-region]instance 20 vlan 20
[LSW1-mst-region]active region-configuration
其他交换机同理,不做赘述
2)在交换机上划分vlan,并配置接口链路类型
此时配置的实例生效:
[LSW1]display brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
0 GigabitEthernet0/0/3 ALTE DISCARDING NONE
0 GigabitEthernet0/0/4 ROOT FORWARDING NONE
10 GigabitEthernet0/0/2 DESI FORWARDING NONE
10 GigabitEthernet0/0/3 ALTE DISCARDING NONE
10 GigabitEthernet0/0/4 ROOT FORWARDING NONE
20 GigabitEthernet0/0/2 DESI FORWARDING NONE
20 GigabitEthernet0/0/3 ALTE DISCARDING NONE
20 GigabitEthernet0/0/4 ROOT FORWARDING NONE
可得LSW1 不为根桥,修改 LSW1 为vlan10的主网关,避免引起次优路径的问题
配置LSW1为实例10的根桥
[LSW1]stp instance 10 root primary
[LSW1]stp instance 20 root secondary
配置LSW2为vlan的主网关,不做赘述
查看配置:
[LSW1]display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
0 GigabitEthernet0/0/3 ALTE DISCARDING NONE
0 GigabitEthernet0/0/4 ROOT FORWARDING NONE
10 GigabitEthernet0/0/2 DESI FORWARDING NONE
10 GigabitEthernet0/0/3 DESI FORWARDING NONE
10 GigabitEthernet0/0/4 DESI FORWARDING NONE
20 GigabitEthernet0/0/2 DESI LEARNING NONE
20 GigabitEthernet0/0/3 ROOT FORWARDING NONE
20 GigabitEthernet0/0/4 DESI FORWARDING NONE
配置成功
步骤2:配置VRRP
- 配置主网关
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip address 10.1.1.252 24
[LSW1]interface Vlanif 20
[LSW1-Vlanif20]ip address 20.1.1.252 24
[LSW2]interface Vlanif 10
[LSW2-Vlanif10]ip address 10.1.1.253 24
[LSW2]interface Vlanif 20
[LSW2-Vlanif20]ip address 20.1.1.253 24
- 修改优先级主备切换
LSW1的配置:
[LSW1]interface Vlanif10
[LSW1-Vlanif10]ip address 10.1.1.252 255.255.255.0
[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW1-Vlanif10]vrrp vrid 1 priority 120
[LSW1]interface Vlanif20
[LSW1-Vlanif20]ip address 20.1.1.252 255.255.255.0
[LSW1-Vlanif20]vrrp vrid 2 virtual-ip 20.1.1.254
LSW2的配置:
[LSW2]interface Vlanif10
[LSW2-Vlanif10]ip address 10.1.1.253 255.255.255.0
[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW2]interface Vlanif20
[LSW2-Vlanif20]ip address 20.1.1.253 255.255.255.0
[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 20.1.1.254
[LSW2-Vlanif20]vrrp vrid 2 priority 120
- 测试
查看VRRP配置:
[LSW1]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 10.1.1.254
2 Backup Vlanif20 Normal 20.1.1.254
----------------------------------------------------------------
Total:2 Master:1 Backup:1 Non-active:0
测试网络连通性:
PC>ping 10.1.1.254
Ping 10.1.1.254: 32 data bytes, Press Ctrl_C to break
From 10.1.1.254: bytes=32 seq=1 ttl=255 time=78 ms
From 10.1.1.254: bytes=32 seq=2 ttl=255 time=47 ms
From 10.1.1.254: bytes=32 seq=3 ttl=255 time=31 ms
From 10.1.1.254: bytes=32 seq=4 ttl=255 time=47 ms
From 10.1.1.254: bytes=32 seq=5 ttl=255 time=47 ms
--- 10.1.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/50/78 ms
PC>
步骤3:运行OSPF,并配置NAT,实现网络互联互通
- 配置OSPF
LSW1的配置:
[LSW1-Vlanif1]ip address 10.0.11.2 24
[LSW1]ospf 1
[LSW1-ospf-1]import-route direct //以路由引入的方式,方便做选路
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255 //只宣告一个网段
LSW2的配置:
[LSW2-Vlanif1]ip address 10.0.12.2 24
[LSW2]ospf 1
[LSW2-ospf-1]import-route direct
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
AR1的配置:
[AR1]ospf 1
[AR1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
查看协议:
[AR1]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 4 Routes : 6
OSPF routing table status : <Active>
Destinations : 4 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 O_ASE 150 1 D 10.0.11.2 GigabitEthernet
0/0/0
O_ASE 150 1 D 10.0.12.2 GigabitEthernet
0/0/1
10.1.1.254/32 O_ASE 150 1 D 10.0.11.2 GigabitEthernet
0/0/0
20.1.1.0/24 O_ASE 150 1 D 10.0.11.2 GigabitEthernet
0/0/0
O_ASE 150 1 D 10.0.12.2 GigabitEthernet
0/0/1
20.1.1.254/32 O_ASE 150 1 D 10.0.12.2 GigabitEthernet
0/0/1
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 0
(2)NAT配置
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source any
[AR1-acl-basic-2000]interface g0/0/2
[AR1-GigabitEthernet0/0/2]nat outbound 2000
[AR1-GigabitEthernet0/0/2]quit
配置AR1去往外网的路由:
[AR1]ip route-static 0.0.0.0 0 64.1.1.2 //配置去往外网路由
[AR1]ping 100.1.1.1
PING 100.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.1: bytes=56 Sequence=1 ttl=127 time=20 ms
Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=127 time=30 ms
Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=127 time=20 ms
Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=127 time=20 ms
Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=127 time=20 ms
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/22/30 ms
配置PC端去往外网的路由:
[AR1-ospf-1]default-route-advertise //下发默认路由
PC>ping 100.1.1.1
Ping 100.1.1.1: 32 data bytes, Press Ctrl_C to break
From 100.1.1.1: bytes=32 seq=1 ttl=125 time=62 ms
From 100.1.1.1: bytes=32 seq=2 ttl=125 time=63 ms
From 100.1.1.1: bytes=32 seq=3 ttl=125 time=78 ms
From 100.1.1.1: bytes=32 seq=4 ttl=125 time=47 ms
From 100.1.1.1: bytes=32 seq=5 ttl=125 time=62 ms
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/62/78 ms
PC>
步骤4:按需求写路由策略,实现PC2访问PC1的回包路径为PC1-AR2-AR1-LSW1-LSW3-PC2,PC3的回包路径为PC1-AR2-LSW2-LSW4-PC3
LSW1的配置
[LSW1-route-policy]route-policy 1 permit node 10
[LSW1-route-policy]if-match interface Vlanif20
[LSW1-route-policy]apply cost 100
[LSW1]route-policy 1 permit node 20
Info: New Sequence of this List.
[LSW1-ospf-1]import-route direct route-policy 1 //调用策略
查看路由表:
<AR1>dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 4 Routes : 5
OSPF routing table status : <Active>
Destinations : 4 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 O_ASE 150 1 D 10.0.11.2 GigabitEthernet
0/0/0
O_ASE 150 1 D 10.0.12.2 GigabitEthernet
0/0/1
10.1.1.254/32 O_ASE 150 1 D 10.0.11.2 GigabitEthernet
0/0/0
20.1.1.0/24 O_ASE 150 1 D 10.0.12.2 GigabitEthernet
0/0/1
20.1.1.254/32 O_ASE 150 1 D 10.0.12.2 GigabitEthernet
0/0/1
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 0
由表可知去往20网段下一跳相同
LSW2的配置
[LSW2] route-policy 1 permit node 10
[LSW2-route-policy]if-match interface Vlanif10
[LSW2-route-policy]apply cost 100
[LSW2]route-policy 1 permit node 20
[LSW2-ospf-1]import-route direct route-policy 1
步骤5:配置上行链路故障联动下行,实现需求4
LSW1的配置:
[LSW1]display vrrp
Vlanif10 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.254
Master IP : 10.1.1.253
PriorityRun : 80 //减少40
PriorityConfig : 120//配置120
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Track IF : GigabitEthernet0/0/1 Priority reduced : 40
IF state : DOWN
Create time : 2023-07-25 15:28:52 UTC-08:00
联动接口:
[LSW1]monitor-link group 1
[LSW1-mtlk-group1]port GigabitEthernet 0/0/1 uplink
[LSW1-mtlk-group1]port GigabitEthernet 0/0/2 downlink //上行链路故障联动下行链路断开
LSW2的配置:
[LSW2-Vlanif20]ip address 20.1.1.253 255.255.255.0
[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 20.1.1.254
[LSW2-Vlanif20]vrrp vrid 2 priority 120
[LSW2-Vlanif20]vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 80
联动接口:
[LSW2]monitor-link group 1
[LSW2-mtlk-group1]port GigabitEthernet 0/0/1 uplink
[LSW2-mtlk-group1]port GigabitEthernet 0/0/3 downlink
补充:配置抢占延时,使得G0/0/1恢复时重新学习OSPF路由期间,流量正常访问
LSW1的配置:
[LSW1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
LSW2同理。
