双上行链路的热备份网关冗余

双上行的热备份网关冗余

如上图，r9为isp，8.8.8.8为r9的一个环回，模拟为外网网站，r1和r8为公司的内网核心层路由器，配置有nat转换。
r1的公网ip为19.1.1.1/24 r8的公网ip为89.1.1.8 相当于r1链接电信宽带，r8链接联通宽带。在做了热备份以后，可以由r1和r8模拟出2个缺省路由指向的地址，即相当于网关的存在，然后公司的汇聚层交换机sw2和sw3写一条缺省路由指向虚拟网关ip，可实现对虚拟网关的备份，具体可使用hsrp。
sw2为vlan2的树根和网关，vlan3的备份
sw3为vlan3的树根和网关，vlan2的备份
vpc6为vlan2的用户
vpc7为vlan3的用户

R9:

hostname r9
interface Loopback0
ip address 8.8.8.8 255.255.255.0 环回接口
interface Ethernet0/0
ip address 19.1.1.9 255.255.255.0
interface Ethernet0/1
ip address 89.1.1.9 255.255.255.0
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login

R1:

interface Loopback0
ip address 172.16.5.1 255.255.255.0
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
standby 1 ip 172.16.1.254 作为sw2的缺省路由地址
standby 1 priority 101 修改优先级为101，并对上行链路e0/2口追踪
standby 1 preempt 开启抢占性
standby 1 track 1 decrement 10 当e0/2口的线路协议down后，优先级下降10，降为91，可被r8的100把虚网关的活动状态抢走。
!
interface Ethernet0/1
ip address 172.16.4.1 255.255.255.0
ip nat inside 定义为内网区域
standby 2 ip 172.16.4.254 虚拟为sw3的缺省ip172.16.4.254
standby 2 preempt 开启抢占性 （优先级默认100）
!
interface Ethernet0/2
ip address 19.1.1.1 255.255.255.0
ip nat outside 定义为外网区域
track 1 interface Ethernet0/2 line-protocol 对e0/2口进行上行链路追踪

router ospf 1 起路由保证内网连同性
router-id 1.1.1.1
network 172.16.0.0 0.0.255.255 area 0

access-list 1 permit 172.16.0.0 0.0.255.255 写nat需要转换的acl列表
ip nat inside source list 1 interface Ethernet0/2 overload 端口映射 将内网的ip转化为公网ip

R8:

interface Loopback0
ip address 172.16.8.8 255.255.255.0
interface Ethernet0/0
ip address 172.16.1.8 255.255.255.0
ip nat inside

standby 1 ip 172.16.1.254 作为sw2的备份虚网关
standby 1 preempt

interface Ethernet0/1
ip address 172.16.4.8 255.255.255.0
ip nat inside 定义内网区域

standby 2 ip 172.16.4.254 作为sw3的主（活动）虚网关
standby 2 priority 101 修改优先级为101
standby 2 preempt 开启抢占性
standby 2 track 1 decrement 10 对e0/2口上行链路追踪

interface Ethernet0/2
ip address 89.1.1.8 255.255.255.0
ip nat outside 定义外网区域

router ospf 1 起路由保证内网连通性
router-id 8.8.8.8
network 172.16.0.0 0.0.255.255 area 0

track 1 interface Ethernet0/2 line-protocol 定义追踪列表

access-list 1 permit 172.16.0.0 0.0.255.255 定义转换的acl列表
ip nat inside source list 1 interface Ethernet0/2 overload 端口映射

sw2:

spanning-tree mode mst 运行mst生成树协议
spanning-tree extend system-id
spanning-tree mst configuration
instance 1 vlan 2
instance 2 vlan 3
spanning-tree mst 1 priority 24576
spanning-tree mst 2 priority 28672
定义2个上行追踪列表，可实现断一个链路不切换vlan2的网关，2条链路都断才将网关切到sw3
track 1 interface Ethernet1/1 line-protocol
track 2 interface Ethernet0/0 line-protocol

interface Port-channel1
switchport trunk encapsulation dot1q 修改封装类型为dot1q
switchport mode trunk 建立trunk

将连接r1的e0/0口划分为access接口化为vlan4同时将e1/1口也划分为vlan4，r1可与r8在二层下通信，为hsrp热备份创建同一冲突域的条件。
interface Ethernet0/0
switchport access vlan 4
switchport mode access
interface Ethernet1/1
switchport access vlan 4
switchport mode access

与sw3连接的e0/1和e0/2口开启trunk 并聚合为channel接口
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
向下用dtp协议建立trunk
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode dynamic desirable

interface Ethernet1/0
switchport trunk encapsulation dot1q
switchport mode dynamic desirable

interface Vlan2
ip address 172.16.2.1 255.255.255.0
standby 1 ip 172.16.2.254 虚拟vlan2的网关172.16.2.254
standby 1 priority 111 修改优先级为111，一条链路断后降为101，2条都断后降为91，2条都断才会被sw3把vlan2的网关抢去
standby 1 preempt
standby 1 track 1 decrement 10
standby 1 track 2 decrement 10
!
interface Vlan3
ip address 172.16.3.2 255.255.255.0
standby 2 ip 172.16.3.254 虚拟vlan3的网关172.16.3.254 并作为备份
standby 2 preempt

interface Vlan4
ip address 172.16.1.100 255.255.255.0

启动ospf路由，在内网通信时，不同vlan通信需要三层通信，必须有路由条目
router ospf 1
router-id 2.2.2.2
network 172.16.0.0 0.0.255.255 area 0

ip route 0.0.0.0 0.0.0.0 172.16.1.254 ！！！将缺省路由指向172.16.1.254，r1和r8虚拟出的内外网网关，r1为172.16.1.254的主

sw3:

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
instance 1 vlan 2
instance 2 vlan 3
!
spanning-tree mst 1 priority 28672
spanning-tree mst 2 priority 24576

track 1 interface Ethernet0/0 line-protocol
track 2 interface Ethernet1/1 line-protocol

interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk

interface Ethernet0/0
switchport access vlan 4
switchport mode access
!
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode on
!
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
!
interface Ethernet1/0
switchport trunk encapsulation dot1q
switchport mode dynamic desirable
!
interface Ethernet1/1
switchport access vlan 4
switchport mode access

interface Vlan2
ip address 172.16.2.2 255.255.255.0
standby 1 ip 172.16.2.254 虚拟vlan2的网关伟172.16.2.254，sw3为备份，sw2为主
standby 1 preempt

interface Vlan3
ip address 172.16.3.1 255.255.255.0
standby 2 ip 172.16.3.254 虚拟vlan3的网关为172.16.3.254
standby 2 priority 111 修改优先级为111，一条链路断后降为101，2条都断后降为91，2条都断才会被sw2把vlan3的网关抢去
standby 2 preempt
standby 2 track 1 decrement 10
standby 2 track 2 decrement 10
!

interface Vlan4
ip address 172.16.4.100 255.255.255.0

router ospf 1
router-id 3.3.3.3
network 172.16.0.0 0.0.255.255 area 0

ip route 0.0.0.0 0.0.0.0 172.16.4.254 ！！！将缺省路由指向172.16.4.254，r1和r8虚拟出的内外网网关，r8为172.16.4.254的主

sw4:

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
instance 1 vlan 2
instance 2 vlan 3

interface Ethernet0/2 将vpc6划入vlan2
switchport access vlan 2
switchport mode access

sw5:

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
instance 1 vlan 2
instance 2 vlan 3

interface Ethernet0/2 将vpc7划入vlan3
switchport access vlan 3
switchport mode access

vpc6：

NAME : VPCS[1]
IP/MASK : 172.16.2.5/24
GATEWAY : 172.16.2.254
DNS :
MAC : 00:50:79:66:68:06
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500

vpc7:

VPCS> show ip

NAME : VPCS[1]
IP/MASK : 172.16.3.5/24
GATEWAY : 172.16.3.254
DNS :
MAC : 00:50:79:66:68:07
LPORT : 20000
RHOST:PORT : 127.0.0.1:30000
MTU : 1500

测试：先用vpc6 ping 8.8.8.8 然后关闭sw2的e0/0口 然后关闭sw2的e1/1口 然后关闭sw3的e1/1口以检测vlan2的备份情况：

84 bytes from 8.8.8.8 icmp_seq=1 ttl=253 time=2.491 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=253 time=11.634 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=253 time=5.541 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=253 time=11.073 ms 正常情况下可以ping通
84 bytes from 8.8.8.8 icmp_seq=8 ttl=253 time=9.661 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=253 time=2.930 ms
8.8.8.8 icmp_seq=10 timeout sw2的e0/0口关闭 切换中
8.8.8.8 icmp_seq=11 timeout
8.8.8.8 icmp_seq=12 timeout
8.8.8.8 icmp_seq=13 timeout
8.8.8.8 icmp_seq=14 timeout
84 bytes from 8.8.8.8 icmp_seq=15 ttl=253 time=3.743 ms 切换到sw2的e1/1口
84 bytes from 8.8.8.8 icmp_seq=16 ttl=253 time=3.320 mss
84 bytes from 8.8.8.8 icmp_seq=18 ttl=253 time=9.783 ms
84 bytes from 8.8.8.8 icmp_seq=19 ttl=253 time=8.727 ms
8.8.8.8 icmp_seq=20 timeout sw2的e1/1口关闭 切换vlan2的网关到sw3
84 bytes from 8.8.8.8 icmp_seq=21 ttl=253 time=3.583 ms
84 bytes from 8.8.8.8 icmp_seq=22 ttl=253 time=4.622 ms
84 bytes from 8.8.8.8 icmp_seq=28 ttl=253 time=3.579 ms 切换成功 网关为sw3
84 bytes from 8.8.8.8 icmp_seq=30 ttl=253 time=9.523 ms
84 bytes from 8.8.8.8 icmp_seq=31 ttl=253 time=9.445 ms
8.8.8.8 icmp_seq=32 timeout 关闭sw3的e1/1口 切换到e0/0口
8.8.8.8 icmp_seq=33 timeout
8.8.8.8 icmp_seq=34 timeout
8.8.8.8 icmp_seq=35 timeout
8.8.8.8 icmp_seq=36 timeout
84 bytes from 8.8.8.8 icmp_seq=37 ttl=253 time=5.043 ms
84 bytes from 8.8.8.8 icmp_seq=38 ttl=253 time=9.316 ms
84 bytes from 8.8.8.8 icmp_seq=39 ttl=253 time=6.617 ms 切换成功
84 bytes from 8.8.8.8 icmp_seq=40 ttl=253 time=3.890 ms
84 bytes from 8.8.8.8 icmp_seq=41 ttl=253 time=6.340 ms

先用vpc7 ping 8.8.8.8 然后关闭sw3的e1/1口 然后关闭sw3的e0/0口 然后关闭sw2的e0/0口以检测vlan3的备份情况：

vpc7:
84 bytes from 8.8.8.8 icmp_seq=2 ttl=253 time=2.901 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=253 time=7.527 ms 正常情况下可以ping通
84 bytes from 8.8.8.8 icmp_seq=5 ttl=253 time=7.845 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=253 time=4.367 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=253 time=2.544 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=253 time=7.339 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=253 time=8.954 ms
84 bytes from 8.8.8.8 icmp_seq=10 ttl=253 time=8.961 ms
84 bytes from 8.8.8.8 icmp_seq=11 ttl=253 time=3.850 ms
84 bytes from 8.8.8.8 icmp_seq=12 ttl=253 time=4.344 ms
84 bytes from 8.8.8.8 icmp_seq=13 ttl=253 time=3.215 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=253 time=5.376 ms
8.8.8.8 icmp_seq=15 timeout
8.8.8.8 icmp_seq=16 timeout sw3的e1/1口关闭 切换中
8.8.8.8 icmp_seq=17 timeout
8.8.8.8 icmp_seq=18 timeout
84 bytes from 8.8.8.8 icmp_seq=19 ttl=253 time=3.335 ms 切换到sw3的e0/0口
84 bytes from 8.8.8.8 icmp_seq=20 ttl=253 time=7.560 ms
84 bytes from 8.8.8.8 icmp_seq=21 ttl=253 time=13.036 ms
84 bytes from 8.8.8.8 icmp_seq=22 ttl=253 time=3.071 ms
84 bytes from 8.8.8.8 icmp_seq=23 ttl=253 time=6.625 ms
84 bytes from 8.8.8.8 icmp_seq=25 ttl=253 time=7.870 ms
8.8.8.8 icmp_seq=26 timeout sw3的e0/0口关闭 切换vlan3的网关到sw2
8.8.8.8 icmp_seq=27 timeout
8.8.8.8 icmp_seq=28 timeout
8.8.8.8 icmp_seq=29 timeout
8.8.8.8 icmp_seq=30 timeout
8.8.8.8 icmp_seq=31 timeout
8.8.8.8 icmp_seq=32 timeout
8.8.8.8 icmp_seq=42 timeout
8.8.8.8 icmp_seq=43 timeout
84 bytes from 8.8.8.8 icmp_seq=44 ttl=253 time=9.832 ms 切换成功 网关为sw2
84 bytes from 8.8.8.8 icmp_seq=45 ttl=253 time=7.751 ms
84 bytes from 8.8.8.8 icmp_seq=46 ttl=253 time=5.898 ms
84 bytes from 8.8.8.8 icmp_seq=47 ttl=253 time=4.153 ms
84 bytes from 8.8.8.8 icmp_seq=49 ttl=253 time=3.697 ms
84 bytes from 8.8.8.8 icmp_seq=50 ttl=253 time=4.934 ms
84 bytes from 8.8.8.8 icmp_seq=51 ttl=253 time=8.375 ms
8.8.8.8 icmp_seq=52 timeout 关闭sw2的e0/0口 切换到e1/1口
8.8.8.8 icmp_seq=53 timeout
8.8.8.8 icmp_seq=54 timeout
8.8.8.8 icmp_seq=55 timeout
8.8.8.8 icmp_seq=56 timeout
8.8.8.8 icmp_seq=57 timeout
8.8.8.8 icmp_seq=58 timeout
84 bytes from 8.8.8.8 icmp_seq=59 ttl=253 time=4.356 ms 切换成功
84 bytes from 8.8.8.8 icmp_seq=63 ttl=253 time=12.860 ms
84 bytes from 8.8.8.8 icmp_seq=64 ttl=253 time=15.578 ms
84 bytes from 8.8.8.8 icmp_seq=67 ttl=253 time=6.494 ms
84 bytes from 8.8.8.8 icmp_seq=68 ttl=253 time=10.027 ms

测试：用vpc6ping8.8.8.8 中间关闭r1的e0/2口 看能否切换sw2网关为r8:

84 bytes from 8.8.8.8 icmp_seq=1 ttl=253 time=3.659 ms
84 bytes from 8.8.8.8 icmp_seq=16 ttl=253 time=6.953 ms
*172.16.1.1 icmp_seq=17 ttl=254 time=2.462 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.1.1 icmp_seq=18 ttl=254 time=7.438 ms (ICMP type:3, code:1, Destination host unreachable) nat网关由r1切换到r8
*172.16.1.1 icmp_seq=19 ttl=254 time=4.389 ms (ICMP type:3, code:1, Destination host unreachable)
84 bytes from 8.8.8.8 icmp_seq=20 ttl=253 time=3.958 ms
84 bytes from 8.8.8.8 icmp_seq=21 ttl=253 time=8.083 ms
84 bytes from 8.8.8.8 icmp_seq=22 ttl=253 time=3.387 ms

用vpc7ping 8.8.8.8 中间关闭r8的e0/2口 看能否切换sw3网关为r1:
84 bytes from 8.8.8.8 icmp_seq=1 ttl=253 time=3.110 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=253 time=3.120 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=253 time=6.918 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=253 time=4.089 ms
*172.16.4.8 icmp_seq=9 ttl=254 time=2.206 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.4.8 icmp_seq=10 ttl=254 time=12.947 ms (ICMP type:3, code:1, Destination host unreachable)
*172.16.4.8 icmp_seq=11 ttl=254 time=2.560 ms (ICMP type:3, code:1, Destination host unreachable)
84 bytes from 8.8.8.8 icmp_seq=12 ttl=253 time=4.803 ms
84 bytes from 8.8.8.8 icmp_seq=13 ttl=253 time=3.181 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=253 time=3.582 ms
可以看到两个位置的热备份冗余都成功实现。

总结：通过hsrp技术我们可以做到内网的不同vlan的网关的备份，同时，我们也可以实现汇聚层三层交换机对上行的热备份，在核心层有2台路由器的情况下，一条线路断掉后可以通过另一台路由器上外网，2条线路断裂的情况下可以切换二层网关，实现上网。 同时 使用hsrp还可以做到对路由器连接外网的线路的追踪，比路由协议的自动选路更加快速和强大。