Chào các bạn.Nếu bạn vừa học thi xong CCNA xong, hoặc thâm chí thi xong CCNP dùng dump có sẵn thì kiến thức khi bạn đi làm sẽ rất hổng. Ví dụ trường hợp sếp bạn yêu cầu cấu hình VRRP trên 02 router để đảm bảo tính dự phòng. Sau đó cấu hình xong mà dịch vụ ko chạy. thì mình nghĩ lúc đó chứng chỉ CCNP cũng ko giúp gì nhiều. Vì vậy cách tốt nhất là thủ sẵn những thủ tục cấu hình và troubleshoot để phòng thân .Tài liệu này do mình mua ở trên trang networklessons.com. Anh này hướng dẫn rất dễ hiểu và đơn giản, mình xem có thể thực hành chuẩn luôn.
Trang 11 Cấu hình VRRP
VRRP (Virtual Router Redundancy
Protocol)
VRRP (Virtual Router Redundancy Protocol) is very similar to HSRP (Hot Standby
Routing Protocol) and can be used to create a virtual gateway If you don’t know why we
use virtual gateways then I suggest to read my Introduction to virtual gateways first Also
make sure you check the HSRP lesson first since many of the things I describe there
also apply to VRRP
VRRP is very similar to HSRP; if you understood HSRP you’ll have no trouble with
VRRP which is a standard protocol defined by the IETF in RFC 3768
Configuration-wise it’s pretty much the same but there are a couple of differences
Let’s start with an overview:
Active/Standby 1 active, 1 standby and multiple candidates 1 active and several backups
Virtual IP Address Different from real IP addresses on interfaces Can be the same as the real IP address on an interface
Timers Hello timer 3 seconds, hold time 10 seconds Hello timer 1 second, hold time 3 seconds
Trang 2As you can see there are a number of differences between HSRP and VRRP Nothing too fancy however HSRP is a cisco proprietary protocol so you can only use it between Cisco devices
Let’s see if we can configure it…
Configuration
This is the topology that I will use:
Trang 3SwitchA and SwitchB are multilayer switches and their interfaces are configured as routed ports We will create a virtual gateway using VRRP on the interfaces facing SwitchC:
SwitchA(config)#interface fa0/17
SwitchA(config-if)#vrrp 1 ip 192.168.1.3
SwitchA(config-if)#vrrp 1 priority 150
SwitchA(config-if)#vrrp 1 authentication md5 key-string mykey SwitchB(config-if)#interface fa0/19
Trang 4SwitchB(config-if)#vrrp 1 ip 192.168.1.3
SwitchB(config-if)#vrrp 1 authentication md5 key-string mykey
Here’s an example how to configure VRRP You can see the commands are pretty much the same but I didn’t type “standby” but vrrp I have changed the priority on SwitchA to 150 and I’ve enabled MD5 authentication on both switches
SwitchA#
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Init -> Backup
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Backup -> Master
SwitchB#
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Init -> Backup
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Master -> Backup
You will see these messages pop-up in your console VRRP uses different terminology than HSRP SwitchA has the best priority and will become the master router SwitchB will become a standby router Let’s see what else we have:
SwitchA#show vrrp
FastEthernet0/17 - Group 1
State is Master
Secondary Virtual IP address is 192.168.1.4
Advertisement interval is 1.000 sec
Master Router is 192.168.1.1 (local), priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec
SwitchB#show vrrp
FastEthernet0/19 - Group 1
State is Backup
Advertisement interval is 1.000 sec
Priority is 100
Authentication MD5, key-string "mykey"
Master Router is 192.168.1.1, priority is 150
Master Advertisement interval is 1.000 sec
Trang 5Master Down interval is 3.609 sec (expires in 3.065 sec)
Use show vrrp to verify your configuration The output looks similar to HSRP; one of the differences is that VRRP uses another virtual MAC address:
0000.5e00.01XX (where X = group number)
SwitchA(config)#interface fa0/17
SwitchA(config-if)#shutdown
We can shut the interface on SwitchA so we can see that SwitchB will take over
SwitchA#
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Master -> Init
SwitchB#
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master
Same principle…different terminology!
It is possible to configure load balancing for VRRP (or HSRP) but it doesn't work on a
"per packet" schedule or something Instead, we have to use multiple group numbers Let me show what I'm talking about:
SwitchA(config)#interface fa0/17
SwitchA(config-if)#vrrp 1 ip 192.168.1.3
SwitchA(config-if)#vrrp 1 priority 150
SwitchA(config-if)#vrrp 2 ip 192.168.1.4
SwitchB(config-if)#interface fa0/19
SwitchB(config-if)#vrrp 1 ip 192.168.1.3
SwitchB(config-if)#vrrp 2 ip 192.168.1.4
SwitchB(config-if)#vrrp 2 priority 150
I created two groups so we have two virtual IP addresses:
• 192.168.1.3 and 192.168.1.4 are both virtual IP addresses we can use as a gateway
• SwitchA has the highest priority (150) for virtual IP address 192.168.1.3
• SwitchB has the highest priority (150) for virtual IP address 192.168.1.4
Trang 6You can now use 192.168.1.3 and 192.168.1.4 as default gateways for your computers and SwitchA and SwitchB will share the load You can use this like I did to have load balancing within a VLAN or you can do this on a per VLAN basis
Trang 72 TROUBLESHOOT VRRP CISCO
In a previous lesson I demonstrated how to troubleshoot a HSRP issue This time we’ll
troubleshoot VRRP These two protocols have many similarities, if you can troubleshoot
one then the other shouldn’t be a problem
Let’s take a look, I will use the following topology:
Trang 8The router on the left is our “client” device, R2 and R3 are configured for VRRP The goal is
to reach 4.4.4.4 from the client Unfortunately, this is not working:
Client#ping 4.4.4.4
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.!!!
ms
Some of the IP packets are not arriving at 4.4.4.4 Let’s check what default gateway our client is using:
Client#show ip route
Default gateway is 192.168.123.254
Host Gateway Last Use Total Uses
Interface
ICMP redirect cache is empty
IP routing has been disabled and the client is using gateway IP address 192.168.123.254 Let’s check if we can reach this address:
Client#ping 192.168.123.254
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.123.254, timeout is 2 seconds:
!!!!!
ms
Pinging the gateway address is no problem Are our two VRRP routers able to reach 4.4.4.4
? Let’s try that:
R2#ping 4.4.4.4
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Trang 9Success rate is 0 percent (0/5)
R3#ping 4.4.4.4
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
ms
R2 is unable to reach 4.4.4.4 but R3 has no issues Before we continue checking why R2 is unable to reach 4.4.4.4 we’ll take a look at the VRRP configuration to see which router is the master:
R2#show vrrp
FastEthernet0/0 - Group 1
Virtual IP address is 192.168.123.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec
R3#show vrrp
FastEthernet0/0 - Group 1
Virtual IP address is 192.168.123.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec
The output of show vrrp is interesting Both routers think they are active and if you look closely you can see why Authentication has been enabled and there is a mismatch in the key-string Since both routers are active half of the packets will end up at R2 and the rest at R3 This is why our client sees some packets arriving and others not Let’s fix our
authentication:
Trang 10R2(config)#interface FastEthernet 0/0
R2(config-if)#vrrp 1 authentication md5 key-string SECRET
We’ll make sure the key-string is the same Now you’ll see something on the console:
R2# %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
This message on the console of R2 is promising R3 has become the master:
R2#show vrrp | include Master
R3#show vrrp | include Master
R3 has been elected as the master router Now let’s find out why R2 was unable to reach
4.4.4.4:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter
area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type
2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 -IS-IS
level-2
ia - IS-IS inter area, * - candidate default, U -per-user
static
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.123.0/24 is directly connected, FastEthernet0/0
Hmm R2 only shows a single entry in the routing table, something is wrong with
FastEthernet 1/0 Let's check the interface:
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Trang 11FastEthernet0/0 192.168.123.2 YES NVRAM up
up
FastEthernet1/0 192.168.24.2 YES NVRAM administratively
down down
The interface has been shut Keep in mind this could be anything else…access-lists
blocking traffic between R2 and R4, port-security (if there was a switch in the middle),
interfaces in err-disabled mode, wrong IP addresses and more Check everything! Let's
enable this interface:
R2(config)#interface fastEthernet 1/0
R2(config-if)#no shutdown
Now R2 should be able to reach 4.4.4.4 Just in case, let's try another ping from the client:
Client#ping 4.4.4.4
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
ms
Problem solved!
Lesson learned: Make sure the VRRP routers are able to reach each other