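17-1 Understanding VRRP Through Packet Capture
Lab 1
Configure VRRP commands
Understand how the VRRP Master and Backup are elected
Understand Master/Backup switchover
Understand why the STP root switch should be the same device as the VRRP Master router
Topology
Requirements
Configure LSW1 and LSW2 as a VRRP group, with LSW1 as Master and LSW2 as Backup
Configure STP on LSW1, LSW2 and LSW3, with LSW2 as the root bridge
Configure OSPF on AR1, LSW1 and LSW2 so that PC1 can reach AR1's loopback interface
Basic configuration (OSPF, VLAN, STP)
PC1 configuration
LSW3 configuration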
<Huawei>
<Huawei>sys
[Huawei]sys LSW3
[LSW3]vlan batch 10
[LSW3]inte gi 0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 10
[LSW3-GigabitEthernet0/0/3]inte gi 0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW3-GigabitEthernet0/0/1]inte gi 0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type trunk
[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW3-GigabitEthernet0/0/2]q
[LSW3]stp mode stp
LSW1 configuration
<Huawei>sys
[Huawei]sys LSW1
[LSW1]vlan batch 10
[LSW1]inte gi 0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/2]inte gi 0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]q
[LSW1]stp mode stp
[LSW1]inte gi 0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type access
[LSW1-GigabitEthernet0/0/3]port default vlan 1
[LSW1-GigabitEthernet0/0/3]inte vlan 10
[LSW1-Vlanif10]ip addr 192.168.1.252 255.255.255.0
[LSW1-Vlanif10]inte vlan 1
[LSW1-Vlanif1]ip addr 12.1.1.1 255.255.255.0
[LSW1-Vlanif1]q
[LSW1]ospf 1 router-id 1.1.1.1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 12.1.1.1 0.0.0.0
[LSW1-ospf-1-area-0.0.0.0]network 192.168.1.252 0.0.0.0 // advertise the network that contains the virtual IP
LSW2 configuration
<Huawei>
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys LSW2
[LSW2]vlan 10
[LSW2-vlan10]inte gi 0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW2-GigabitEthernet0/0/1]inte gi 0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type trunk
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW2-GigabitEthernet0/0/2]q
[LSW2]stp priority 4096
[LSW2]inte gi 0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 1
[LSW2-GigabitEthernet0/0/3]inte vlan 10
[LSW2-Vlanif10]ip addr 192.168.1.253 255.255.255.0
[LSW2-Vlanif10]inte vlan 1
[LSW2-Vlanif1]ip addr 12.1.2.1 255.255.255.0
[LSW2-Vlanif1]q
[LSW2]ospf 1 router-id 2.2.2.2
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 12.1.2.1 0.0.0.0
[LSW2-ospf-1-area-0.0.0.0]network 192.168.1.253 0.0.0.0 // advertise the network that contains the virtual IP
AR1 configuration
<Huawei>sys
[Huawei]sys AR1
[AR1]inte gi 0/0/0
[AR1-GigabitEthernet0/0/0]ip addr 12.1.1.2 255.255.255.0
[AR1-GigabitEthernet0/0/0]inte gi 0/0/1
[AR1-GigabitEthernet0/0/1]ip addr 12.1.2.2 255.255.255.0
[AR1-GigabitEthernet0/0/1]inte lo 1
[AR1-LoopBack1]ip addr 8.8.8.8 255.255.255.255
[AR1-LoopBack1]q
[AR1]ospf 1 router-id 8.8.8.8
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 12.1.1.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 12.1.2.2 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 8.8.8.8 0.0.0.0
Configuring VRRP
LSW2 configuration
[LSW2]inte vlan 10
[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 192.168.1.254 // enable VRRP on Vlanif10 with VRID 1 (the VRID identifies members of the same VRRP group) and virtual IP 192.168.1.254
[LSW2-Vlanif10]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.1.254
----------------------------------------------------------------
Total:1 Master:1 Backup:0 Non-active:0
After the Master_Down timer expires, LSW2 becomes Master and starts sending VRRP advertisements. Capture on LSW2's GE0/0/2.
LSW1 configuration
[LSW1]inte vlan 10
[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 192.168.1.254
[LSW1-Vlanif10]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif10 Normal 192.168.1.254
----------------------------------------------------------------
Total:1 Master:0 Backup:1 Non-active:0
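Once VRRP is configured on LSW1's Vlanif10, its role is Backup and it listens to the VRRP advertisements from LSW2. Comparing them, it finds that the priorities are equal (neither LSW1 nor LSW2 has a priority configured, so both use the default of 100). A Backup router does not compare interface IP addresses, so with equal priorities it does not contend for Master. A capture on LSW2's GE0/0/1 therefore still shows LSW2 sending the VRRP advertisements.
Configuring the priority on LSW1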
[LSW1-Vlanif10]vrrp vrid 1 priority 200
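After LSW1 is given priority 200, it sees that the priority in LSW2's VRRP advertisements is 100, lower than its own. VRRP runs in preempt mode by default, so LSW1 sends VRRP advertisements and starts taking over as Master. LSW2 receives LSW1's advertisement, finds that its priority is higher than its own, and switches to Backup. A capture on LSW2's GE0/0/2 now shows that the sender of the VRRP advertisements has changed to LSW1.
Check the interface role state on LSW1 and LSW2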
[LSW1-Vlanif10]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.1.254 // LSW1 has taken over as Master
----------------------------------------------------------------
Total:1 Master:1 Backup:0 Non-active:0
[LSW2-Vlanif10]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif10 Normal 192.168.1.254
----------------------------------------------------------------
Total:1 Master:0 Backup:1 Non-active:0
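The election behaviour seen in the two captures above, modelled from the VRRPv2 state machine in RFC 3768 section 6.4. This is an added example, not Huawei VRP code and not part of the original lab; the Router class, the function names and the 1-second advertisement interval are assumptions made for illustration.

```python
# Added example: VRRPv2 election rules per RFC 3768 section 6.4 (not Huawei VRP code).
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:                # hypothetical model of one VRRP group member
    name: str
    ip: str                  # primary address of the VRRP interface (Vlanif10)
    priority: int = 100      # default when "vrrp vrid 1 priority" is not configured
    preempt: bool = True     # preempt mode is the default
    adver_int: float = 1.0   # advertisement interval in seconds (assumed)

    def skew_time(self) -> float:
        return (256 - self.priority) / 256

    def master_down_interval(self) -> float:
        return 3 * self.adver_int + self.skew_time()

def backup_on_advert(r: Router, adv_priority: int) -> str:
    """What a Backup does when it hears the current Master's advertisement."""
    if adv_priority == 0:
        return "master-shutdown: master_down timer shortened to skew_time"
    if not r.preempt or adv_priority >= r.priority:
        # Equal priority lands here: a Backup never compares IP addresses.
        return "stay-backup: reset master_down timer"
    return "preempt: discard advert, take over when master_down timer expires"

def master_on_advert(r: Router, adv_priority: int, adv_ip: str) -> str:
    """What the Master does when it hears another router's advertisement."""
    if adv_priority == 0:
        return "stay-master"
    higher_ip = IPv4Address(adv_ip) > IPv4Address(r.ip)
    if adv_priority > r.priority or (adv_priority == r.priority and higher_ip):
        return "become-backup"
    return "stay-master"

if __name__ == "__main__":
    lsw1 = Router("LSW1", "192.168.1.252")
    lsw2 = Router("LSW2", "192.168.1.253")
    print(backup_on_advert(lsw1, lsw2.priority))           # both at 100
    lsw1.priority = 200                                    # vrrp vrid 1 priority 200
    print(backup_on_advert(lsw1, lsw2.priority))
    print(master_on_advert(lsw2, lsw1.priority, lsw1.ip))
    print(lsw2.master_down_interval())
```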
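The key point: why the STP root bridge and the VRRP Master should be the same device
In the configuration above, the bridge priority made LSW2 the root bridge and the VRRP priority made LSW1 the Master. Check the state to verify this.
Verify that LSW2 is the root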
[LSW2]dis stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge :4096 .4c1f-cc01-1a97
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :4096 .4c1f-cc01-1a97 / 0 // the root bridge ID is this switch's own bridge ID
CIST RegRoot/IRPC :4096 .4c1f-cc01-1a97 / 0
CIST RootPortId :0.0
BPDU-Protection :Disabled
TC or TCN received :13
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:27m:36s
Number of TC :15
Last TC occurred :GigabitEthernet0/0/2
Verify that LSW1 is Master
[LSW1]dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.1.254
----------------------------------------------------------------
Total:1 Master:1 Backup:0 Non-active:0
After the STP calculation, GE0/0/1 on LSW3 is blocked (verification)
[LSW3]dis stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ALTE DISCARDING NONE // port 1 is blocked by the STP calculation
0 GigabitEthernet0/0/2 ROOT FORWARDING NONE
0 GigabitEthernet0/0/3 DESI FORWARDING NONE
Now ping AR1's loopback address 8.8.8.8 from PC1, capturing on LSW2's GE0/0/2 and on LSW1's GE0/0/3.
PC>ping 8.8.8.8
Ping 8.8.8.8: 32 data bytes, Press Ctrl_C to break
From 8.8.8.8: bytes=32 seq=1 ttl=254 time=140 ms
From 8.8.8.8: bytes=32 seq=2 ttl=254 time=79 ms
From 8.8.8.8: bytes=32 seq=3 ttl=254 time=94 ms
From 8.8.8.8: bytes=32 seq=4 ttl=254 time=94 ms
From 8.8.8.8: bytes=32 seq=5 ttl=254 time=78 ms
--- 8.8.8.8 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/97/140 ms
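GE0/0/1 on LSW2
GE0/0/3 on LSW1
These captures show the path that PC1's ICMP packets take to AR1, as follows. The detour happens because the STP root and the VRRP Master are not the same device, which forces the traffic along such a roundabout route.
Change the root to LSW1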
[LSW1]stp priority 0
[LSW1]dis stp
-------[CIST Global Info][Mode STP]-------
CIST Bridge :0 .4c1f-cc16-213e
Config Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
Active Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :0 .4c1f-cc16-213e / 0 // the root bridge ID is the same as this switch's own bridge ID
CIST RegRoot/IRPC :0 .4c1f-cc16-213e / 0
CIST RootPortId :0.0
BPDU-Protection :Disabled
TC or TCN received :77
TC count per hello :0
STP Converge Mode :Normal
Time since last TC :0 days 0h:44m:42s
Number of TC :13
Last TC occurred :GigabitEthernet0/0/1
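After the STP recalculation, the blocked port should be GE0/0/2 on LSW3. Pinging AR1's loopback from PC1 again, the path becomes the following; capture on LSW1's GE0/0/2 to verify.
Capture on LSW1's GE0/0/2
Verifying Master/Backup switchover
1. The Master voluntarily gives up its role
Configure LSW1 to give up the Master role by removing the interface from the VRRP group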
[LSW1-Vlanif10]undo vrrp vrid 1
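A capture on LSW1's GE0/0/1 shows that LSW1 sent a VRRP packet with priority 0. When the other VRRP routers in the group receive it, they switch to Master immediately.
Checking LSW2 now shows that its VRRP role has changed to Master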
[LSW2]dis vrrp b
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.1.254
----------------------------------------------------------------
Total:1 Master:1 Backup:0 Non-active:0
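To read the priority-0 advertisement in such a capture field by field, the following added example decodes a VRRPv2 advertisement and checks its checksum and TTL. It is not part of the original lab; it assumes the VRRPv2 message layout of RFC 3768 section 5.1, and the sample packet is constructed by build_advert rather than taken from the lab's capture.

```python
# Added example: decode a VRRPv2 advertisement (layout per RFC 3768 section 5.1).
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Constructed sample input: version 2, type 1 (advertisement), auth type 0."""
    body = b"".join(IPv4Address(v).packed for v in vips) + bytes(8)  # 8 auth-data bytes
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    csum = inet_checksum(head + body)
    return head[:6] + struct.pack("!H", csum) + body

def parse_advert(msg: bytes, ip_ttl: int = 255) -> dict:
    """msg is the VRRP payload; ip_ttl is the TTL of the IP packet that carried it."""
    if len(msg) < 8:
        raise ValueError("shorter than the fixed VRRP header")
    vt, vrid, prio, count, auth, adver, _ = struct.unpack("!BBBBBBH", msg[:8])
    if len(msg) < 8 + 4 * count + 8:
        raise ValueError("truncated: address list or authentication data missing")
    vips = [str(IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
        "auth_type": auth, "adver_int": adver, "virtual_ips": vips,
        "checksum_ok": inet_checksum(msg) == 0,  # valid message sums to zero
        "ttl_ok": ip_ttl == 255,                 # receivers must drop any other TTL
        "master_resigning": prio == 0,           # sent when the Master leaves the group
    }

if __name__ == "__main__":
    # Constructed packet matching the lab's group: VRID 1, virtual IP 192.168.1.254.
    print(parse_advert(build_advert(1, 0, ["192.168.1.254"])))
```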
2. The Master fails and can no longer send VRRP advertisements (the link is down or the device is powered off)
Shut down the interfaces on LSW1
[LSW1]inte gi 0/0/1
[LSW1-GigabitEthernet0/0/1]shutdown
[LSW1-GigabitEthernet0/0/1]inte gi 0/0/2
[LSW1-GigabitEthernet0/0/2]shutdown
Check LSW2's VRRP role. If LSW2 receives no VRRP advertisement from the Master within the Master_Down timer interval, it becomes Master itself.
[LSW2]dis vrrp b
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif10 Normal 192.168.1.254 // role has changed to Master
----------------------------------------------------------------
Total:1 Master:1 Backup:0 Non-active:0
[LSW2]
Verify connectivity
Communication works normally
PC>ping 8.8.8.8
Ping 8.8.8.8: 32 data bytes, Press Ctrl_C to break
From 8.8.8.8: bytes=32 seq=1 ttl=254 time=110 ms
From 8.8.8.8: bytes=32 seq=2 ttl=254 time=47 ms
--- 8.8.8.8 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/78/110 ms