High reliability of LAN layer-3 devices with VRRP

Source: Internet
Author: User


I. Experiment principle

Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on the LAN. The VRRP router that controls the IP address of the virtual router is called the primary router. It forwards packets sent to these virtual IP addresses. If the primary router becomes unavailable, the election process provides dynamic failover, which allows the IP address of the virtual router to act as the default first-hop router for end hosts. The advantage of using VRRP is higher availability of the default path without configuring dynamic routing or router discovery protocols on each end host. VRRP packets are encapsulated and sent in IP packets.

II. Experiment topology

III. Experimental equipment

F3     firewall    H3C securiway F-100
F2     firewall    H3C securiway F-100
F4     firewall    H3C securiway F-100
SW15   switch      DIS 3950
SW14   switch      DIS 3950

IV. Experiment configuration concepts and commands

1. Firewall interfaces and zones: every firewall interface must be added to a zone. The firewall applies different rules and security policies to each zone. The H3C firewall has the trust, untrust and DMZ zones.

2. The sub-interfaces of the H3C firewall differ from those of a Huawei router: the "undo insulation" command must be used in global configuration mode to disable port separation. In this case, the firewall may shut down interfaces 0/1, 0/2, and 0/3, which then cannot be used in the experiment. This leaves two interfaces: 0/0 and 0/4 (the WAN port).

V. Experiment configuration

By default, all configuration in this experiment starts in configuration mode (except for commands executed consecutively).

1. F3 configuration

① Configure the interface IP addresses and the loopback test

    interface Ethernet0/0                          // enter interface configuration mode
    ip address 192.168.101.3 255.255.255.0         // configure the IP address of the interface
    loopback                                       // set the interface to loopback mode for testing
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0           // configure the IP address of the interface
    interface Ethernet0/2
    ip address 192.168.2.1 255.255.255.0           // configure the IP address of the interface

② Add the interfaces to the zone

    firewall zone trust                            // enter the firewall's trust zone
    add interface Ethernet0/1                      // add port 0/1 to the trust zone
    add interface Ethernet0/2                      // add port 0/2 to the trust zone

2. F2 configuration

① Add the interfaces to the zone

    firewall zone trust                            // enter firewall zone configuration mode
    add interface Ethernet0/4                      // add interface 0/4 to the trust zone
    add interface Ethernet0/0.10                   // add interface 0/0.10 to the trust zone
    add interface Ethernet0/0.20                   // add interface 0/0.20 to the trust zone

② Create the sub-interfaces, configure their IP addresses, set the VLAN encapsulation, and make the sub-interfaces take effect

    interface Ethernet0/0.10                       // enter sub-interface configuration mode
    ip address 192.168.10.1 255.255.255.0          // add an IP address to the sub-interface
    vlan-type dot1q vid 10                         // tag the interface with VLAN 10
    interface Ethernet0/0.20                       // enter sub-interface configuration mode
    ip address 192.168.20.1 255.255.255.0          // add an IP address to the sub-interface
    vlan-type dot1q vid 20                         // tag the interface with VLAN 20
    undo insulation                                // disable port separation so the sub-interface configuration takes effect

③ Enable VRRP ping

    vrrp ping-enable                               // enable vrrp ping-enable

④ Configure the VRRP virtual IP address on the interfaces and adjust the priority

    interface Ethernet0/0.10                       // enter interface configuration mode
    vrrp vrid 10 virtual-ip 192.168.10.254         // configure the virtual IP on the interface
    vrrp vrid 10 priority 120                      // the default priority is 100
    interface Ethernet0/0.20                       // enter interface configuration mode
    vrrp vrid 20 virtual-ip 192.168.20.254         // configure the virtual IP on the interface

⑤ Enable interface monitoring

    interface Ethernet0/0.10
    vrrp vrid 10 track Ethernet0/4 reduced 30      // monitor port 0/4 from the sub-interface
    interface Ethernet0/0.20
    vrrp vrid 20 track Ethernet0/4 reduced 30      // monitor port 0/4 from the sub-interface

⑥ Create the ACL rules, configure the interface IP address, and apply the ACL

    acl number 2000                                // create basic ACL number 2000
    rule 0 permit source 192.168.10.0 0.0.0.255    // permit packets whose source address is in 192.168.10.0
    rule 1 permit source 192.168.20.0 0.0.0.255    // permit packets whose source address is in 192.168.20.0
    rule 2 deny                                    // finally, deny everything else
    interface Ethernet0/4
    ip address 192.168.1.2 255.255.255.0           // configure the IP address of the interface
    nat outbound 2000                              // apply the NAT rule on the interface

⑦ Create a static default route

    ip route-static 0.0.0.0 0.0.0.0 192.168.1.1    // add a default route

3. F4 configuration

① Add the interfaces to the zone

    firewall zone trust                            // enter firewall zone configuration mode
    add interface Ethernet0/4                      // add interface 0/4 to the trust zone
    add interface Ethernet0/0.10                   // add interface 0/0.10 to the trust zone
    add interface Ethernet0/0.20                   // add interface 0/0.20 to the trust zone

② Create the sub-interfaces, configure their IP addresses, set the VLAN encapsulation, and make the sub-interfaces take effect

    interface Ethernet0/0.10                       // enter sub-interface configuration mode
    ip address 192.168.10.2 255.255.255.0          // add an IP address to the sub-interface
    vlan-type dot1q vid 10                         // tag the interface with VLAN 10
    interface Ethernet0/0.20                       // enter sub-interface configuration mode
    ip address 192.168.20.2 255.255.255.0          // add an IP address to the sub-interface
    vlan-type dot1q vid 20                         // tag the interface with VLAN 20
    undo insulation                                // disable port separation so the sub-interface configuration takes effect

③ Enable VRRP ping

    vrrp ping-enable                               // enable vrrp ping-enable

④ Configure the VRRP virtual IP address on the interfaces and adjust the priority

    interface Ethernet0/0.10                       // enter interface configuration mode
    vrrp vrid 10 virtual-ip 192.168.10.254         // configure the virtual IP on the interface
    interface Ethernet0/0.20                       // enter interface configuration mode
    vrrp vrid 20 virtual-ip 192.168.20.254         // configure the virtual IP on the interface
    vrrp vrid 20 priority 120                      // the default priority is 100

⑤ Enable interface monitoring

    interface Ethernet0/0.10
    vrrp vrid 10 track Ethernet0/4 reduced 30      // monitor port 0/4 from the sub-interface
    interface Ethernet0/0.20
    vrrp vrid 20 track Ethernet0/4 reduced 30      // monitor port 0/4 from the sub-interface

⑥ Create the ACL rules, configure the interface IP address, and apply the ACL

    acl number 2000                                // create basic ACL number 2000
    rule 0 permit source 192.168.10.0 0.0.0.255    // permit packets whose source address is in 192.168.10.0
    rule 1 permit source 192.168.20.0 0.0.0.255    // permit packets whose source address is in 192.168.20.0
    rule 2 deny                                    // finally, deny everything else
    interface Ethernet0/4
    ip address 192.168.2.2 255.255.255.0           // configure the IP address of the interface
    nat outbound 2000                              // apply the NAT rule on the interface

⑦ Create a static default route

    ip route-static 0.0.0.0 0.0.0.0 192.168.2.1    // add a default route

4. SW15 configuration

① Create the VLANs and assign the ports

    vlan 10                                        // create VLAN 10
    port Ethernet1/0/1 to Ethernet1/0/5            // add the ports to VLAN 10
    vlan 20                                        // create VLAN 20
    port Ethernet1/0/6 to Ethernet1/0/10           // add the ports to VLAN 20
    undo insulation                                // disable port separation

② Configure the trunk interfaces

    interface Ethernet1/0/23                       // enter port mode
    port link-type trunk                           // set the port type to trunk
    interface Ethernet1/0/24                       // enter port mode
    port link-type trunk                           // set the port type to trunk

③ Allow all VLANs on the trunk interfaces

    interface Ethernet1/0/23                       // enter port mode
    port trunk permit vlan all                     // allow all VLANs to pass through the trunk port
    interface Ethernet1/0/24                       // enter port mode
    port trunk permit vlan all                     // allow all VLANs to pass through the trunk port

5. SW14 configuration

① Create the VLANs and assign the ports

    vlan 10                                        // create VLAN 10
    port Ethernet1/0/1 to Ethernet1/0/5            // add the ports to VLAN 10
    vlan 20                                        // create VLAN 20
    port Ethernet1/0/6 to Ethernet1/0/10           // add the ports to VLAN 20

② Configure the trunk interfaces

    interface Ethernet1/0/23                       // enter port mode
    port link-type trunk                           // set the port type to trunk
    interface Ethernet1/0/24                       // enter port mode
    port link-type trunk                           // set the port type to trunk

③ Allow all VLANs on the trunk interfaces

    interface Ethernet1/0/23                       // enter port mode
    port trunk permit vlan all                     // allow all VLANs to pass through the trunk port
    interface Ethernet1/0/24                       // enter port mode
    port trunk permit vlan all                     // allow all VLANs to pass through the trunk port

VI. Problems encountered during the test

1. With link aggregation on the switches, the link may be unstable. Packet loss occurred during testing, and the packet loss rate exceeded 75%. No solution was found. I changed the aggregated link directly to a single line.

2. If you use an Ethernet port to replace the serial port, you must delete the IP address and ACL rules on the serial port. Otherwise, the configuration will not work properly. The serial port is special.

3. If the network is disconnected, we recommend that you run the "save" command, then shut down and restart all devices.

4. There is no default route. The router configuration shows that the corresponding route is configured, but the route does not appear when you view the routing table. One explanation is: "The physical interface related to this route is in the down state". Check the cable and replace it. If that is not the cause, change the interface.

VII. Testing

Test "ping 192.168.2.1" ... successful
Test "ping 192.168.2.2" ... successful
Test "ping 192.168.101.3" ... successful
Test "ping 192.168 .. 2" ... successful
Test "ping 192.168.1" ... successful
Test "ping 192.168.10.254" ...

Test "tracert 192.168.101.3": route tracing when the network connection is normal:

Route tracing after the network cable on the eth4 port of the F4 firewall is manually unplugged:

The test is complete and the goal was achieved.
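A consistency check for the F2/F4 VRRP settings above, added here as an example and not part of the original article: it verifies that both peers use the same virtual IP per VRID, that the virtual IP lies inside the sub-interface subnet, and that "reduced 30" drops the higher-priority device below its peer when Ethernet0/4 fails. The helper names parse and audit are hypothetical, and the parser assumes only the command forms used on this page.

```python
import ipaddress
# VRRP-related lines transcribed from the F2 and F4 steps on this page.
F2 = """interface Ethernet0/0.10
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 120
 vrrp vrid 10 track Ethernet0/4 reduced 30
interface Ethernet0/0.20
 ip address 192.168.20.1 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 track Ethernet0/4 reduced 30"""
F4 = """interface Ethernet0/0.10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 track Ethernet0/4 reduced 30
interface Ethernet0/0.20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 120
 vrrp vrid 20 track Ethernet0/4 reduced 30"""

def parse(cfg):
    """Return {vrid: {net, vip, prio, reduced}} for one device's config text."""
    groups, net = {}, None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["ip", "address"]:
            net = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["vrrp", "vrid"]:
            g = groups.setdefault(int(w[2]), {"net": net, "vip": None, "prio": 100, "reduced": 0})
            if w[3] == "virtual-ip":
                g["vip"] = ipaddress.ip_address(w[4])
            elif w[3] == "priority":
                g["prio"] = int(w[4])  # stays at the default of 100 when not set
            elif w[3] == "track":
                g["reduced"] = int(w[6])
    return groups

def audit(a, b):
    """Compare the VRRP groups shared by two peers and return a list of findings."""
    out = []
    for vrid in sorted(set(a) & set(b)):
        ga, gb = a[vrid], b[vrid]
        if ga["vip"] != gb["vip"]:
            out.append(f"vrid {vrid}: virtual-ip differs between peers")
        if any(g["vip"] is None or g["net"] is None or g["vip"] not in g["net"] for g in (ga, gb)):
            out.append(f"vrid {vrid}: virtual-ip outside the sub-interface subnet")
        hi, lo = sorted((ga, gb), key=lambda g: -g["prio"])
        if hi["prio"] - hi["reduced"] >= lo["prio"]:
            out.append(f"vrid {vrid}: tracked-uplink failure would not move the master role")
    return out
```

With the values on this page, the higher-priority device falls from 120 to 90 when its tracked port goes down, which is below the peer's default of 100, so audit(parse(F2), parse(F4)) returns no findings.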
 
