Pocket guide: configuring and troubleshooting VRRP on Cisco routers


Hello everyone. If you have just finished studying for and passing the CCNA, or have even passed the CCNP using ready-made dumps, your knowledge will have big gaps once you start working. For example, suppose your boss asks you to configure VRRP on two routers for redundancy, and after you finish the configuration the service does not work. I think at that point the CCNP certificate will not help much. So the best approach is to keep configuration and troubleshooting procedures at hand, just in case. I bought this material on networklessons.com. The author explains things in a very simple, easy-to-understand way, and after reading it I could do the lab correctly right away.

1. Configuring VRRP

VRRP (Virtual Router Redundancy Protocol)

VRRP (Virtual Router Redundancy Protocol) is very similar to HSRP (Hot Standby Routing Protocol) and can be used to create a virtual gateway. If you don't know why we use virtual gateways then I suggest reading my Introduction to virtual gateways first. Also make sure you check the HSRP lesson first, since many of the things I describe there also apply to VRRP.

VRRP is very similar to HSRP; if you understood HSRP you'll have no trouble with VRRP, which is a standard protocol defined by the IETF in RFC 3768. Configuration-wise it's pretty much the same, but there are a couple of differences. Let's start with an overview:

                          HSRP
    Protocol              Cisco proprietary
    Number of groups      16 groups maximum
    Active/Standby        active, standby and multiple candidates
    Virtual IP Address    Different from real IP addresses on interfaces
    Multicast address     224.0.0.2
    Tracking              Interfaces or Objects
    Timers                Hello timer 3 seconds, hold time 10 seconds
    Authentication        Supported

As you can see there are a number of differences between HSRP and VRRP. Nothing too fancy, however HSRP is a Cisco proprietary protocol so you can only use it between Cisco devices. Let's see if we can configure it…

Configuration

This is the topology that I will use: SwitchA and SwitchB are multilayer switches and their interfaces are configured as routed ports. We will create a virtual gateway using VRRP on the interfaces facing SwitchC:

    SwitchA(config)#interface fa0/17
    SwitchA(config-if)#vrrp 1 ip 192.168.1.3
    SwitchA(config-if)#vrrp 1 priority 150
    SwitchA(config-if)#vrrp 1 authentication md5 key-string mykey

    SwitchB(config-if)#interface fa0/19
    SwitchB(config-if)#vrrp 1 ip 192.168.1.3
    SwitchB(config-if)#vrrp 1 authentication md5 key-string mykey

Here's an example of how to configure VRRP. You can see the commands are pretty much the same, but I didn't type "standby" but vrrp. I have changed the priority on SwitchA to 150 and I've enabled MD5 authentication on both switches.

    SwitchA#
    %VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Init -> Backup
    %VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Backup -> Master

    SwitchB#
    %VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Init -> Backup
    %VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master
    %VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Master -> Backup

You will see these messages pop up in your console. VRRP uses different terminology than HSRP. SwitchA has the best priority and will become the master router. SwitchB will become a standby router. Let's see what else we have:

    SwitchA#show vrrp
    FastEthernet0/17 - Group 1
      State is Master
      Virtual IP address is 192.168.1.3
        Secondary Virtual IP address is 192.168.1.4
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 150
      Authentication MD5, key-string "mykey"
      Master Router is 192.168.1.1 (local), priority is 150
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.414 sec

    SwitchB#show vrrp
    FastEthernet0/19 - Group 1
      State is Backup
      Virtual IP address is 192.168.1.3
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Authentication MD5, key-string "mykey"
      Master Router is 192.168.1.1, priority is 150
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec (expires in 3.065 sec)

Use show vrrp to verify your configuration. The output looks similar to HSRP; one of the differences is that VRRP uses another virtual MAC address: 0000.5e00.01XX (where XX = group number).

    SwitchA(config)#interface fa0/17
    SwitchA(config-if)#shutdown

We can shut the interface on SwitchA so we can see that SwitchB will take over:

    SwitchA#
    %VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Master -> Init

    SwitchB#
    %VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master

Same principle…different terminology!

It is possible to configure load balancing for VRRP (or HSRP) but it doesn't work on a "per packet" schedule or something. Instead, we have to use multiple group numbers. Let me show what I'm talking about:

    ! Group numbers 1 and 2 are assumed here; any two distinct group numbers work.
    SwitchA(config)#interface fa0/17
    SwitchA(config-if)#vrrp 1 ip 192.168.1.3
    SwitchA(config-if)#vrrp 1 priority 150
    SwitchA(config-if)#vrrp 2 ip 192.168.1.4

    SwitchB(config-if)#interface fa0/19
    SwitchB(config-if)#vrrp 1 ip 192.168.1.3
    SwitchB(config-if)#vrrp 2 ip 192.168.1.4
    SwitchB(config-if)#vrrp 2 priority 150

I created two groups so we have two virtual IP addresses:

• 192.168.1.3 and 192.168.1.4 are both virtual IP addresses we can use as a gateway.
• SwitchA has the highest priority (150) for virtual IP address 192.168.1.3.
• SwitchB has the highest priority (150) for virtual IP address 192.168.1.4.

You can now use 192.168.1.3 and 192.168.1.4 as default gateways for your computers, and SwitchA and SwitchB will share the load. You can use this like I did to have load balancing within a VLAN, or you can do this on a per-VLAN basis.

2. Troubleshooting VRRP on Cisco

In a previous lesson I demonstrated how to troubleshoot an HSRP issue. This time we'll troubleshoot VRRP. These two protocols have many similarities; if you can troubleshoot one then the other shouldn't be a problem. Let's take a look. I will use the following topology: the router on the left is our "client" device, and R2 and R3 are configured for VRRP. The goal is to reach 4.4.4.4 from the client. Unfortunately, this is not working:

    Client#ping 4.4.4.4

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    U.!!!
    Success rate is 60 percent (3/5), round-trip min/avg/max = 8/13/20 ms

Some of the IP packets are not arriving at 4.4.4.4. Let's check what default gateway our client is using:

    Client#show ip route
    Default gateway is 192.168.123.254

    Host               Gateway           Last Use    Total Uses  Interface
    ICMP redirect cache is empty

IP routing has been disabled and the client is using gateway IP address 192.168.123.254. Let's check if we can reach this address:

    Client#ping 192.168.123.254

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.123.254, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/20 ms

Pinging the gateway address is no problem. Are our two VRRP routers able to reach 4.4.4.4? Let's try that:

    R2#ping 4.4.4.4

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    Success rate is 0 percent (0/5)

    R3#ping 4.4.4.4

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/20 ms

R2 is unable to reach 4.4.4.4 but R3 has no issues. Before we continue checking why R2 is unable to reach 4.4.4.4, we'll take a look at the VRRP configuration to see which router is the master:

    R2#show vrrp
    FastEthernet0/0 - Group 1
      State is Master
      Virtual IP address is 192.168.123.254
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Authentication MD5, key-string "WRONGPASS"
      Master Router is 192.168.123.2 (local), priority is 100
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec

    R3#show vrrp
    FastEthernet0/0 - Group 1
      State is Master
      Virtual IP address is 192.168.123.254
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Authentication MD5, key-string "SECRET"
      Master Router is 192.168.123.3 (local), priority is 100
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec

The output of show vrrp is interesting. Both routers think they are active, and if you look closely you can see why. Authentication has been enabled and there is a mismatch in the key-string. Since both routers are active, half of the packets will end up at R2 and the rest at R3. This is why our client sees some packets arriving and others not. Let's fix our authentication:

    R2(config)#interface FastEthernet 0/0
    R2(config-if)#vrrp 1 authentication md5 key-string SECRET

We'll make sure the key-string is the same. Now you'll see something on the console:

    R2#
    %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup

This message on the console of R2 is promising. R3 has become the master:

    R2#show vrrp | include Master
      Master Router is 192.168.123.3, priority is 100

    R3#show vrrp | include Master
      State is Master
      Master Router is 192.168.123.3 (local), priority is 100

R3 has been elected as the master router. Now let's find out why R2 was unable to reach 4.4.4.4:

    R2#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

    C    192.168.123.0/24 is directly connected, FastEthernet0/0

Hmm, R2 only shows a single entry in the routing table, so something is wrong with FastEthernet 1/0. Let's check the interface:

    R2#show ip interface brief
    Interface          IP-Address      OK? Method Status                Protocol
    FastEthernet0/0    192.168.123.2   YES NVRAM  up                    up
    FastEthernet1/0    192.168.24.2    YES NVRAM  administratively down down

The interface has been shut. Keep in mind this could be anything else…access-lists blocking traffic between R2 and R4, port-security (if there was a switch in the middle), interfaces in err-disabled mode, wrong IP addresses and more. Check everything! Let's enable this interface:

    R2(config)#interface fastEthernet 1/0
    R2(config-if)#no shutdown

Now R2 should be able to reach 4.4.4.4. Just in case, let's try another ping from the client:

    Client#ping 4.4.4.4

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms

Problem solved! Lesson learned: Make sure the VRRP routers are able to reach each other ...
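
An added example, not part of the original lesson: a Python check for the fault diagnosed above. It parses "show vrrp" output collected from each router and flags a group with more than one master, differing key-strings, or a virtual MAC that does not match 0000.5e00.01XX; the function names and the trimmed sample text are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: R2 and R3 "show vrrp" output before the fix, trimmed to the fields read.
SAMPLE = {
    "R2": '''FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 192.168.123.254
  Virtual MAC address is 0000.5e00.0101
  Authentication MD5, key-string "WRONGPASS"''',
    "R3": '''FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 192.168.123.254
  Virtual MAC address is 0000.5e00.0101
  Authentication MD5, key-string "SECRET"''',
}

FIELDS = {
    "group": r"- Group (\d+)",
    "state": r"State is (\w+)",
    "vip": r"Virtual IP address is (\S+)",
    "vmac": r"Virtual MAC address is (\S+)",
    "key": r'key-string "([^"]*)"',
}

def parse_show_vrrp(text):
    """Extract the fields of the first VRRP group in one router's output."""
    found = {name: re.search(rx, text) for name, rx in FIELDS.items()}
    return {name: m.group(1) if m else None for name, m in found.items()}

def audit(outputs):
    """Return findings (dual master, key mismatch, odd virtual MAC); keys are never echoed."""
    findings, by_group = [], defaultdict(list)
    for router, text in outputs.items():
        rec = parse_show_vrrp(text)
        if rec["group"] is None:
            findings.append(f"{router}: no VRRP group found in output")
            continue
        by_group[(rec["vip"], rec["group"])].append((router, rec))
        expected = "0000.5e00.01%02x" % int(rec["group"])
        if rec["vmac"] != expected:
            findings.append(f"{router}: virtual MAC {rec['vmac']}, expected {expected}")
    for (vip, group), members in by_group.items():
        masters = sorted(r for r, rec in members if rec["state"] == "Master")
        if len(masters) > 1:
            findings.append(f"group {group} ({vip}): dual master {masters}")
        if len({rec["key"] for _, rec in members}) > 1:
            findings.append(f"group {group} ({vip}): key-string mismatch")
    return findings
```

show vrrp prints the key-string in clear text, as the outputs above show, so the audit reports only that the keys differ, and any collected output should be stored as carefully as the key itself.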

Posted: 15/11/2017, 00:18
