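1. Assignment requirements:
Reference topology:
Use interface tracking to implement safe link backup so that users can always reach the Internet.
1.1 Under normal conditions, VLAN 10 users take the left-hand link (i.e. reach the Internet via S1)
VLAN 20 users take the right-hand link (i.e. reach the Internet via S0)
1.2 When the S1 link goes down, VLAN 10 also goes out the right-hand side through S0 (R5 becomes master for VLAN 10 and VLAN 20)
1.3 When the S1 link recovers, VLAN 10 automatically switches back to that path (splitting traffic across the links improves speed)
1.4 Hint: R14 tracks S1, R5 tracks S0
2. Topology diagram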
IP address allocation table:
Router  Port    IP address/mask      Gateway          DNS
R7      S1      192.168.1.1/24
        S0      192.168.2.1/24
        E1      192.168.101.222/24
R14     S1      192.168.1.2/24       192.168.1.1
R5      S0      192.168.2.2/24       192.168.2.1
V10     E0/4    192.168.10.8/24      192.168.101.24   222.88.88.88
V20     E0/14   192.168.20.10/24     192.168.101.24   222.88.88.88
Note: V10 refers to a host in VLAN 10; V20 refers to a host in VLAN 20
The other devices are the ones this LAN already uses for Internet access; just connect to them directly (Internet gateway: 192.168.101.254/24,
primary DNS: 222.88.88.88, secondary DNS: 222.85.85.85)
3. Equipment:
Routers: H3C Quidway R2621 (3 units)
Switches: H3C Quidway S 3526E (2 units)
4. Configuration commands and notes:
4.1 <b>Configure IPs + enable GVRP (VLAN synchronisation) + build the aggregated channel + enable STP</b>
<b>Basic IP configuration</b>
[R14]int s1
[R14-Serial1]ip add 192.168.1.2 24
[R14-Serial1]int e1.10
[R14-Ethernet1.10]vlan-type dot1q vid 10
[R14-Ethernet1.10]ip address 192.168.10.1 24
[R14-Ethernet1.10]int e1.20
[R14-Ethernet1.20]vlan-type dot1q vid 20
[R14-Ethernet1.20]ip address 192.168.20.1 24
[R5]int s0
[R5-Serial0]ip add 192.168.2.2 24
[R5-Serial0]int e1.10
[R5-Ethernet1.10]vlan-type dot1q vid 10
[R5-Ethernet1.10]ip add 192.168.10.2 24
[R5-Ethernet1.10]int e1.20
[R5-Ethernet1.20]vlan-type dot1q vid 20
[R5-Ethernet1.20]ip add 192.168.20.2 24
<b>Enable GVRP and configure the trunk links</b>
[S10]gvrp //this protocol keeps VLAN information synchronised across the switches
GVRP is enabled globally.
[S10]stp enable //enable Spanning Tree Protocol
[S10]int e 0/1
[S10-Ethernet0/1]port link-type trunk
[S10-Ethernet0/1]port trunk permit vlan all
Please wait........................................... Done.
[S10-Ethernet0/1]quit
[S10]vlan 10
[S10-vlan10]port e0/4 to e 0/5
[S10-vlan10]vlan 20
[S10-vlan20]port e0/11 to e 0/15
<b>Channel: implemented with link aggregation (requires 100 Mbit/s full-duplex links)</b>
[S10]link-aggregation eth 0/9 to et0/10 ingress
The duplex of aggregating ports should be full mode!
[S10]int e0/9
[S10-Ethernet0/9]duplex full
[S10-Ethernet0/9]speed 100
[S10]int e0/10
[S10-Ethernet0/10]duplex full
[S10-Ethernet0/10]
%Aug 19 17:50:25 2012 S10 L2INF/5/PORT LINK STATUS CHANGE:
Ethernet0/10: turns into DOWN state
%Aug 19 17:50:26 2012 S10 L2INF/5/PORT LINK STATUS CHANGE:
Ethernet0/10: turns into UP state
[S10-Ethernet0/10]speed 100
<b>Apply GVRP on the interfaces</b>
[S10-Ethernet0/9]port link-type trunk
[S10-Ethernet0/9]port trunk permit vlan all
[S10-Ethernet0/9]gvrp
GVRP is enabled on port Ethernet0/9.
[S10-Ethernet0/9]int e0/10
[S10-Ethernet0/10]port link-type trunk
[S10-Ethernet0/10]port trunk permit vlan all
[S10-Ethernet0/10]gvrp
GVRP is enabled on port Ethernet0/10.
[S10-Ethernet0/10]quit
[S38]GVRP
[S38]stp enable //enable Spanning Tree Protocol
[S38]INT E0/1
[S38-Ethernet0/1]port link-type trunk
[S38-Ethernet0/1]port trunk permit vlan all
[S38]link-aggregation eth0/9 to eth0/10 both //change to the other mode, i.e. ingress
[S38]int e0/9
[S38-Ethernet0/9]duplex full
[S38-Ethernet0/9]speed 100
[S38-Ethernet0/9]gvrp
[S38-Ethernet0/9]int e0/10
[S38-Ethernet0/10]
%Aug 19 17:01:54 2012 S38 SYSM/5/MAC MOVE:Slot=1;MAC addr 00e0-fc06-5520 will move to port 9 from port 10
%Aug 19 17:01:54 2012 S38 SYSM/5/MAC MOVE:Slot=1;MAC addr 00e0-fc06-5520 will move to port 10 from port 9
[S38-Ethernet0/10]duplex ful
[S38-Ethernet0/10]speed 100
[S38-Ethernet0/10]gvrp
<b>Check the link aggregation status</b>
[S38]dis link-aggregation e0/9
Master port: Ethernet0/9
Other sub-ports:
Ethernet0/10
Mode: both
[S38]dis link-aggregation e0/10
This port is not a master port. Its master port is Ethernet0/9.
[S38]dis gvrp status
GVRP is enabled
[S38]dis gvrp statistics
GVRP statistics on port Ethernet0/1
GVRP Status : Disabled
GVRP Failed Registrations : 0
GVRP Last Pdu Origin : 0000-0000-0000
GVRP Registration Type : Normal
GVRP statistics on port Ethernet0/9
GVRP Status : Enabled
GVRP Last Pdu Origin : 00e0-fc06-5520
GVRP statistics on port Ethernet0/10
<b>Verify that GVRP is working</b>
[S38]dis vlan all
VLAN ID: 1
VLAN Type: static
Route Interface: not configured
Description: VLAN 0001
Tagged Ports: none
Untagged Ports:
Ethernet0/1 Ethernet0/2 Ethernet0/3
Ethernet0/4 Ethernet0/5 Ethernet0/6
Ethernet0/7 Ethernet0/8 Ethernet0/9
Ethernet0/10 Ethernet0/11 Ethernet0/12
Ethernet0/13 Ethernet0/14 Ethernet0/15
Ethernet0/16 Ethernet0/17 Ethernet0/18
Ethernet0/19 Ethernet0/20 Ethernet0/21
Ethernet0/22 Ethernet0/23 Ethernet0/24
VLAN ID: 10
VLAN Type: dynamic
Description: VLAN 0010
Tagged Ports:
Ethernet0/9 Ethernet0/10
Untagged Ports: none
VLAN ID: 20
VLAN Type: dynamic
Route Interface: not configured
Description: VLAN 0020
Tagged Ports:
Untagged Ports: none //shows that GVRP has synchronised the VLANs
<b>Assign ports to the VLANs:</b>
[S38]vlan 10
[S38-vlan10]port e0/4 to e0/5
Dynamic VLAN is configured, now changed to static!
[S38-vlan10]vlan 20
[S38-vlan20]port e0/11 to e0/15
[R14]ping 192.168.10.2
PING 192.168.10.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.2: bytes=56 Sequence=0 ttl=255 time = 13 ms
Reply from 192.168.10.2: bytes=56 Sequence=1 ttl=255 time = 2 ms
[R5]ping 192.168.10.1
PING 192.168.10.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time = 2 ms
Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time = 2 ms
<b>4.2 VRRP redundancy configuration:</b>
[R14]vrrp ping-enable //without this the virtual IP cannot be pinged
[R14]int e1.10
[R14-Ethernet1.10]vrrp vrid 10 virtual-ip 192.168.10.254
[R14-Ethernet1.10]vrrp vrid 10 priority 120 //priority
[R14-Ethernet1.10]vrrp vrid 10 preempt-mode //preemption
[R14-Ethernet1.10]vrrp vrid 10 track serial 1 reduced 40
//track the uplink interface and adjust the floating value (relative to the priority)
[R14-Ethernet1.10]int e1.20 // priority defaults to 100
[R14-Ethernet1.20]vrrp vrid 20 virtual-ip 192.168.20.254
[R14-Ethernet1.20]vrrp vrid 20 preempt-mode
[R14-Ethernet1.20]vrrp vrid 20 track serial 1 reduced 40
[R14]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 //static route
[R5]int e1.10
[R5-Ethernet1.10]vrrp vrid 10 virtual-ip 192.168.10.254
[R5-Ethernet1.10]vrrp vrid 10 preempt-mode
[R5-Ethernet1.10]vrrp vrid 10 track s0 reduced 40
[R5-Ethernet1.10]int e1.20
[R5-Ethernet1.20]vrrp vrid 20 virtual-ip 192.168.20.254
[R5-Ethernet1.20]vrrp vrid 20 priority 120
[R5-Ethernet1.20]vrrp vrid 20 preempt-mode
[R5-Ethernet1.20]vrrp vrid 20 track s0 reduce 40
[R5]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
[R5]ping -C 2000 192.168.20.2
PING 192.168.20.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.20.2: bytes=56 Sequence=0 ttl=255 time = 1 ms
Reply from 192.168.20.2: bytes=56 Sequence=1 ttl=255 time = 2 ms
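An added example (not part of the original post) that models the master election implied by the priority and track ... reduced 40 lines configured on R14 and R5 above, including a case the post does not test: both serial links down. The link labels R14-S1 and R5-S0 are constructed for this example.

```python
# Added example: VRRP master election with interface tracking, using the
# priorities and "reduced 40" values from the R14/R5 configuration above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    router: str
    ip: str        # sub-interface address, used as the election tie-breaker
    priority: int  # configured priority (100 when not set explicitly)
    tracked: str   # constructed label for the tracked uplink
    reduce: int    # subtracted from priority while the tracked link is down

GROUPS = {
    10: [Member("R14", "192.168.10.1", 120, "R14-S1", 40),
         Member("R5", "192.168.10.2", 100, "R5-S0", 40)],
    20: [Member("R14", "192.168.20.1", 100, "R14-S1", 40),
         Member("R5", "192.168.20.2", 120, "R5-S0", 40)],
}

def effective_priority(member, down):
    """Priority after the tracking penalty for a failed uplink."""
    if member.tracked in down:
        return member.priority - member.reduce
    return member.priority

def elect(vrid, down=frozenset()):
    """With preempt-mode on, highest effective priority wins; higher IP breaks ties."""
    def rank(m):
        return effective_priority(m, down), tuple(map(int, m.ip.split(".")))
    return max(GROUPS[vrid], key=rank)

def masters(down=frozenset()):
    """Map each VRID to the router that ends up as master."""
    return {vrid: elect(vrid, down).router for vrid in GROUPS}

def blackholed(down=frozenset()):
    """VRIDs whose elected master has itself lost its tracked uplink."""
    return sorted(v for v in GROUPS if elect(v, down).tracked in down)

if __name__ == "__main__":
    for label, down in [("both links up", set()), ("S1 down", {"R14-S1"}),
                        ("S0 down", {"R5-S0"}),
                        ("S1 and S0 down", {"R14-S1", "R5-S0"})]:
        print(f"{label:15} masters={masters(down)} no-uplink={blackholed(down)}")
```

With both serial links down the election returns to the original masters, each without a working uplink, so tracking alone does not cover that failure.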
[R7]int s0
[R7-Serial0]ip add 192.168.2.1 24
[R7-Serial0]
%01:04:55: Line protocol ip on the interface Serial0 is UP
[R7-Serial0]shutdown
% Interface Serial0 is down
%01:05:01: Interface Serial0 is DOWN
[R7-Serial0]undo shutdown
% Interface Serial0 is reset
[R7]int s1
[R7-Serial1]ip add 192.168.1.1 24
[R7-Serial1]
%01:08:14: Line protocol ip on the interface Serial1 is UP
[R7-Serial1]shutdown //the other end of the serial link must be reset as well!
% Interface Serial1 is down
%01:08:20: Interface Serial1 is DOWN
[R7-Serial1]undo shutdown
% Interface Serial1 is reset
[R7-Serial1]int e 1
[R7-Ethernet1]ip add 192.168.101.222 24
[R7]acl 2000
[R7-acl-2000]rule permit source any
Rule has been added to normal packet-filtering rules
[R7-acl-2000]int e1
[R7-Ethernet1]nat outbound 2000 interface
[R7-Ethernet1]quit
[R7]ip route-static 0.0.0.0 0.0.0.0 192.168.101.254
View the configuration: display cu
ip route-static 0.0.0.0 0.0.0.0 192.168.101.254 preference 60 //default is 60
ip route-static 192.168.10.0 255.255.255.0 192.168.1.2 preference 40 //while this path is up, go via 1.2
ip route-static 192.168.10.0 255.255.255.0 192.168.2.2 preference 50 //if it goes down, go via 2.2
ip route-static 192.168.20.0 255.255.255.0 192.168.2.2 preference 40
ip route-static 192.168.20.0 255.255.255.0 192.168.1.2 preference 50 !
return
[R7]display ip routing
Routing Tables:
Destination/Mask Proto Pref Metric Nexthop Interface
0.0.0.0/0 Static 60 0 192.168.101.254 Ethernet1
127.0.0.0/8 Direct 0 0 127.0.0.1 LoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.0/24 Direct 0 0 192.168.1.2 Serial1
192.168.1.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.1.2/32 Direct 0 0 192.168.1.2 Serial1
192.168.2.0/24 Direct 0 0 192.168.2.2 Serial0
192.168.2.1/32 Direct 0 0 127.0.0.1 LoopBack0
192.168.2.2/32 Direct 0 0 192.168.2.2 Serial0
192.168.10.0/24 Static 40 0 192.168.1.2 Serial1
192.168.20.0/24 Static 40 0 192.168.2.2 Serial0
192.168.101.0/24 Direct 0 0 192.168.101.222 Ethernet1
192.168.101.222/32 Direct 0 0 127.0.0.1 LoopBack0
Disconnect (shutdown) the link between R14 and R7. The state changes!
Test from the client machines:
Traffic takes the right-hand path!
Disconnect the serial link between R5 and R7 and test:
No packet loss!
<b>Disconnect the link between R14 and R7:</b>
<b>Machines in VLAN 20 can still communicate normally with the PCs in VLAN 10!</b>
Machines in VLAN 10:
Primary DNS: 222.88.88.88; secondary DNS: 222.85.85.85
Normal Internet access:
Traffic takes the left-hand path:
Via: 192.168.10.1
192.168.1.1
192.168.101.254
If S1 goes down:
Traffic takes the right-hand path. Success!
Reposted from gjp0731's 51CTO blog; original link: http://blog.51cto.com/guojiping/967608