I: Static approach with traffic splitting and mutual backup
1- This approach suits environments that use leased lines, or where the switches cannot run a dynamic routing protocol. Because no dynamic routing is used, a failure on one line cannot trigger an automatic switchover by itself, so two layers of VRRP are used to select the path.
2- Between the two core switches, the first VRRP layer switches the gateway automatically, and with it the uplink path.
3- The border routers and the core switches are connected to the same VLAN segment so they can reach each other; a second VRRP layer is enabled between the two upstream border routers so that the gateway, and hence the uplink, again switches automatically.
4- On each core switch, a static route pointing at its own border router's VRRP virtual gateway carries traffic upstream.
5- NAT is enabled on the border routers' interfaces toward the ISP network so that traffic can be sent and return; however, because the border routers have no route back to the internal VLANs, return traffic cannot yet get back.
6- Static routes pointing at the internal VLANs are therefore configured on the border routers so that return traffic flows back down into the internal network.
7- When a single core switch's uplink fails, the first VRRP layer takes over and moves the virtual gateway to the other core switch, so traffic goes upstream through that switch.
8- When a single border router's uplink fails, the second VRRP layer takes over and moves the virtual gateway to the other border router, and traffic reaches the external ISP network through it.
9- In the switched network below, a separate STP instance is enabled per VLAN; the primary/secondary root configuration of each STP instance is kept consistent with the VRRP master/backup configuration, and the STP primary/secondary roots and the VRRP virtual gateways are set together on the core switches.
10- On the access-switch interfaces that connect PCs, edge ports are configured to speed up convergence, and BPDU protection is enabled to guard against a rogue switch being plugged in and forming a loop.
11- Authentication is configured between the VRRP peers to secure them, preventing a PC user from impersonating a VRRP device and forming an illegitimate adjacency.
12- The heartbeat link between the core switches makes the most of the core switches' forwarding capacity, reduces the forwarding pressure on each switch, and adds an extra redundant link.
13- A VRRP preemption delay is configured so that brief, repeated flaps of the monitored uplink do not cause repeated gateway preemption and an unstable network.
- Configuration commands for the static traffic-splitting mutual-backup approach -
Configure VLANs and STP on access switch SW3
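Points 9 and 11 above are easy to break when one core switch is edited and the other is not. This added Python audit (not part of the original page) parses 'dis this' style output from both core switches and reports any VLAN whose VRRP master is not also the STP root primary, and any VRRP group lacking authentication. The SW1/SW2 excerpts are constructed from this page's configuration; the MD5 keys are placeholders.

```python
import re
# Constructed excerpts of this page's SW1/SW2 configs (MSTP root roles, instance
# to VLAN mapping, VRRP groups); the MD5 keys are placeholders, not the page's.
CONFIGS = {"SW1": """\
stp instance 1 root primary
stp instance 2 root secondary
 instance 1 vlan 2
 instance 2 vlan 3
interface Vlanif2
 vrrp vrid 1 priority 120
 vrrp vrid 1 authentication-mode md5 key-v2
interface Vlanif3
 vrrp vrid 1 authentication-mode md5 key-v3
""", "SW2": """\
stp instance 1 root secondary
stp instance 2 root primary
 instance 1 vlan 2
 instance 2 vlan 3
interface Vlanif2
 vrrp vrid 1 authentication-mode md5 key-v2
interface Vlanif3
 vrrp vrid 1 priority 120
 vrrp vrid 1 authentication-mode md5 key-v3
"""}

def parse(cfg):  # -> ({vlan: stp root role}, {vlan: {"priority", "auth"}})
    roots, inst_of_vlan, vrrp, cur = {}, {}, {}, None
    for s in map(str.strip, cfg.splitlines()):
        if m := re.match(r"stp instance (\d+) root (primary|secondary)", s):
            roots[int(m[1])] = m[2]
        elif m := re.match(r"instance (\d+) vlan (\d+)", s):
            inst_of_vlan[int(m[2])] = int(m[1])
        elif m := re.match(r"interface Vlanif(\d+)", s):
            cur = int(m[1])
        elif cur is not None and s.startswith("vrrp vrid"):
            g = vrrp.setdefault(cur, {"priority": 100, "auth": False})  # VRRP default
            if " priority " in s: g["priority"] = int(s.split()[-1])
            g["auth"] |= "authentication-mode" in s
    return {v: roots.get(i) for v, i in inst_of_vlan.items()}, vrrp

def audit(configs):  # findings; empty list means the master/root/auth rules hold
    parsed, findings = {n: parse(c) for n, c in configs.items()}, []
    for v in sorted({v for _, vr in parsed.values() for v in vr}):
        prio = {n: vr[v]["priority"] for n, (_, vr) in parsed.items() if v in vr}
        master = max(prio, key=prio.get)  # highest priority owns the virtual IP
        if parsed[master][0].get(v) != "primary":
            findings.append(f"vlan {v}: VRRP master {master} is not STP root primary")
        findings += [f"vlan {v}: {n} runs VRRP without authentication"
                     for n, (_, vr) in parsed.items() if v in vr and not vr[v]["auth"]]
    return findings
```

Vlanif interfaces without any vrrp line (such as the uplink Vlanif123) are skipped, so only real VRRP groups are judged.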
[SW3]dis this
#
vlan batch 2 to 3
#
stp bpdu-protection - enable BPDU protection
[SW3-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
stp edged-port enable - set as an edge port
[SW3-GigabitEthernet0/0/2]dis this
#
interface GigabitEthernet0/0/2 - interface connecting a PC
port link-type access
port default vlan 3
stp edged-port enable
[SW3-GigabitEthernet0/0/11]dis this - trunk interface to the interconnected switch
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW3-GigabitEthernet0/0/21]dis this - trunk interface to the interconnected switch
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW3-mst-region]dis this
#
stp region-configuration - define two STP instances
region-name sw
revision-level 1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
Configure VLANs and STP on access switch SW4
[SW4]dis this
#
vlan batch 2 to 3
#
stp bpdu-protection
[SW4-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
stp edged-port enable
[SW4-GigabitEthernet0/0/2]dis this
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
stp edged-port enable
[SW4-GigabitEthernet0/0/11]dis this
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW4-GigabitEthernet0/0/22]dis this
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW4-mst-region]dis this
#
stp region-configuration
region-name sw
revision-level 1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
Configure VLANs, STP, VRRP, static routes and Eth-Trunk on core switch SW1
[SW1-Eth-Trunk1]trunkport g0/0/23
[SW1-Eth-Trunk1]trunkport g0/0/24
[SW1]dis this
#
vlan batch 2 to 3 123
#
stp instance 0 root primary - set the primary/secondary root placement for each STP instance
stp instance 1 root primary
stp instance 2 root secondary
#
ip route-static 0.0.0.0 0.0.0.0 123.1.1.254 - outbound static route
[SW1-mst-region]dis this
#
stp region-configuration
region-name sw
revision-level 1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
[SW1-Eth-Trunk1]dis this
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 3 123 - add the interconnect VLAN to the aggregated trunk
[SW1-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW1-GigabitEthernet0/0/22]dis this
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW1-Vlanif2]dis this
#
interface Vlanif2
ip address 10.1.2.101 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.254
vrrp vrid 1 priority 120 - priority of the master virtual gateway
vrrp vrid 1 preempt-mode timer delay 5 - gateway preemption delay
vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 30 - uplink monitoring
vrrp vrid 1 authentication-mode md5 z686*lK:lQ:.`&R&e7S(x~:# - VRRP authentication
[SW1-Vlanif3]dis this
#
interface Vlanif3 - backup virtual gateway
ip address 10.1.3.101 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.3.254
vrrp vrid 1 authentication-mode md5 Ec:sL$q_I"Wq<}.DH-])=Br#
[SW1-Vlanif123]dis this - uplink VLAN interface
#
interface Vlanif123
ip address 123.1.1.1 255.255.255.0
[SW1-GigabitEthernet0/0/2]dis this
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 123
Configure VLANs, STP, VRRP, static routes and Eth-Trunk on core switch SW2
[SW2-Eth-Trunk1]trunkport g0/0/23
[SW2-Eth-Trunk1]trunkport g0/0/24
[SW2]dis this
#
vlan batch 2 to 3 123
#
stp instance 0 root secondary
stp instance 1 root secondary
stp instance 2 root primary
#
ip route-static 0.0.0.0 0.0.0.0 123.1.1.253
[SW2-mst-region]dis this
#
stp region-configuration
region-name sw
revision-level 1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
[SW2-Eth-Trunk1]dis this
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 3 123
[SW2-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW2-GigabitEthernet0/0/21]dis this
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 2 to 3
[SW2-Vlanif2]dis this
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.254
vrrp vrid 1 authentication-mode md5 k\@/Rs*9'#$+cx#k/mS=t@=#
[SW2-Vlanif3]dis this
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.3.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 5
vrrp vrid 1 track interface GigabitEthernet0/0/3 reduced 30
vrrp vrid 1 authentication-mode md5 Sdx&T<MT^3^QW:LZJi;={CE#
[SW2-Vlanif123]dis this
#
interface Vlanif123
ip address 123.1.1.2 255.255.255.0
[SW2-GigabitEthernet0/0/3]dis this
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 123
Configure VRRP, static routes and NAT on border router R2
[R2]dis this
#
ip route-static 1.1.1.0 255.255.255.0 101.1.1.1 - outbound static route
ip route-static 10.1.0.0 255.255.0.0 123.1.1.1 - inbound static route
[R2-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1 - second-layer VRRP
ip address 123.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 123.1.1.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 5
vrrp vrid 2 track interface GigabitEthernet0/0/0 reduced 30
vrrp vrid 3 virtual-ip 123.1.1.253
[R2-acl-basic-2000]dis this
[V200R003C00]
#
acl number 2000
rule 5 permit source 10.1.0.0 0.0.255.255 - ACL matching the internal VLAN source addresses to select traffic for NAT
[R2-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 101.1.1.1 255.255.255.0
nat outbound 2000 - bind the NAT rule to the outbound interface
Configure VRRP, static routes and NAT on border router R3
[R3]dis this
#
ip route-static 1.1.1.0 255.255.255.0 102.1.1.1
ip route-static 10.1.0.0 255.255.0.0 123.1.1.2
[R3-GigabitEthernet0/0/1]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/1
ip address 123.1.1.4 255.255.255.0
vrrp vrid 3 virtual-ip 123.1.1.253
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 5
vrrp vrid 3 track interface GigabitEthernet0/0/0 reduced 30
vrrp vrid 2 virtual-ip 123.1.1.254
[R3-acl-basic-2000]dis this
[V200R003C00]
#
acl number 2000
rule 5 permit source 10.1.0.0 0.0.255.255
[R3-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 102.1.1.1 255.255.255.0
nat outbound 2000