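1. Lab objective
Verify VRRP interface authentication and route tracking.
2. Lab topology
3. Router configuration
3.1 Interface authentication
Purpose of authentication:
By default, a device performs no authentication on the VRRP packets it sends and receives, and treats every VRRP packet it receives as genuine and legitimate.
To make VRRP run more securely and stably, VRRP authentication can be configured. Interface authentication (must be configured on both the master and the backup router)
Master router: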
[R1]int gig0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 1 authentication-mode md5 111 #Configure interface authentication: MD5 mode, password: 111
[R1-GigabitEthernet0/0/0]q
[R1]dis vrrp #Display the configuration
GigabitEthernet0/0/0 | Virtual Router 1
State : Master
Virtual IP : 192.168.10.250
Master IP : 192.168.10.251
PriorityRun : 200
PriorityConfig : 200
MasterPriority : 200
Preempt : YES Delay Time : 5 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : MD5 Auth key : f1>u$|O0`:jKUGU-KkpB4y>#
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2022-08-01 14:17:13 UTC-08:00
Last change time : 2022-08-01 14:22:44 UTC-08:00
Backup router:
[R2]int gig0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 1 authentication-mode md5 111 #Configure interface authentication: MD5 mode, password: 111
[R2-GigabitEthernet0/0/0]q
[R2]dis vrrp #Display the configuration
GigabitEthernet0/0/0 | Virtual Router 1
State : Backup
Virtual IP : 192.168.10.250
Master IP : 192.168.10.251
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 200
Preempt : YES Delay Time : 0 s
TimerRun : 2 s
TimerConfig : 1 s
Auth type : MD5 Auth key : jBdDC,V0|/bL^B&WSBiQSz0#
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2022-08-01 12:11:36 UTC-08:00
Last change time : 2022-08-01 16:59:23 UTC-08:00
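Common VRRP faults
1. Multiple masters: the authentication password is set on one router but not on the other (VRRP authentication fails)
2. The real gateways must be able to reach each other
3. The VRID values configured on the two sides differ
4. The virtual IP addresses configured on the two sides differ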
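The faults listed above can be checked mechanically from `display vrrp` output collected on both routers. The following Python is an added example, not part of the original lab notes: it parses the fields shown in the output above and flags a VRID mismatch, a virtual IP mismatch, an authentication mismatch and a multi-master condition. The function names and the sample text are constructed for illustration, including the `NONE` auth type on the faulty peer.

```python
import re

FIELD = re.compile(r"(State|Virtual IP|Auth type)\s*:\s*(\S+)")

def parse_display_vrrp(text):
    """Parse 'display vrrp' output (layout as shown above) into {vrid: fields}."""
    groups, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*(\S+)\s*\|\s*Virtual Router\s+(\d+)", line)
        if head:
            cur = groups.setdefault(int(head.group(2)), {"Interface": head.group(1)})
        elif cur is not None:
            # One line may carry two fields ("Auth type : MD5 Auth key : ...").
            cur.update(FIELD.findall(line))
    return groups

def audit_pair(a, b):
    """Compare two routers' parsed output for the common faults listed above."""
    findings = [f"VRID {v}: present on one router only" for v in sorted(set(a) ^ set(b))]
    for v in sorted(set(a) & set(b)):
        if a[v].get("Virtual IP") != b[v].get("Virtual IP"):
            findings.append(f"VRID {v}: virtual IP differs")
        # Compare the auth *type* only: the displayed Auth key is ciphertext and
        # differs between R1 and R2 above even though both were given the same key.
        if a[v].get("Auth type") != b[v].get("Auth type"):
            findings.append(f"VRID {v}: auth type differs")
        if a[v].get("State") == b[v].get("State") == "Master":
            findings.append(f"VRID {v}: multi-master")
    return findings

# Constructed sample output (not captured from a device), trimmed to the fields used.
R1 = """GigabitEthernet0/0/0 | Virtual Router 1
State : Master
Virtual IP : 192.168.10.250
Auth type : MD5 Auth key : (ciphertext)
"""
R2_OK = """GigabitEthernet0/0/0 | Virtual Router 1
State : Backup
Virtual IP : 192.168.10.250
Auth type : MD5 Auth key : (ciphertext)
"""
# Constructed fault: authentication missing on R2, so both sides claim Master.
R2_BAD = R2_OK.replace("Backup", "Master").replace("MD5 Auth key : (ciphertext)", "NONE")

if __name__ == "__main__":
    print(audit_pair(parse_display_vrrp(R1), parse_display_vrrp(R2_OK)))
    print(audit_pair(parse_display_vrrp(R1), parse_display_vrrp(R2_BAD)))
```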
3.2 Route tracking (configured on the master router only)
[R1]int gig0/0/0
[R1-GigabitEthernet0/0/0]vrrp vrid 1 track interface gig0/0/1 reduced 150 #Adjust the priority: 200-150=50, so traffic goes through R2
[R1-GigabitEthernet0/0/0]q
[R1]display vrrp
GigabitEthernet0/0/0 | Virtual Router 1
State : Master
Virtual IP : 192.168.10.250
Master IP : 192.168.10.251
PriorityRun : 200
PriorityConfig : 200
MasterPriority : 200
Preempt : YES Delay Time : 5 s
TimerRun : 2 s
TimerConfig : 2 s
Auth type : MD5 Auth key : f1>u$|O0`:jKUGU-KkpB4y>#
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Track IF : GigabitEthernet0/0/1 Priority reduced : 150
IF state : UP
Create time : 2022-08-01 14:17:13 UTC-08:00
Last change time : 2022-08-01 17:51:28 UTC-08:00
3.2.1 Shut down the external-network interface to simulate a failure
[R1]int gig0/0/1
[R1-GigabitEthernet0/0/1]shutdown
[R1-GigabitEthernet0/0/1]display ip interface brief
*down: administratively down
!down: FIB overload down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 9
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 9
Interface IP Address/Mask Physical Protocol
Ethernet0/0/0 unassigned down down
Ethernet0/0/1 unassigned down down
GigabitEthernet0/0/0 192.168.10.251/24 up up
GigabitEthernet0/0/1 192.168.100.2/24 *down down #This shows the interface was shut down manually.
GigabitEthernet0/0/2 unassigned down down
GigabitEthernet0/0/3 unassigned down down
NULL0 unassigned up up(s)
Serial0/0/0 unassigned down down
Serial0/0/1 unassigned down down
Serial0/0/2 unassigned down down
Serial0/0/3 unassigned down down
[R1-GigabitEthernet0/0/1]q
[R1]display vrrp
GigabitEthernet0/0/0 | Virtual Router 1
State : Backup #R1 has now become the backup router
Virtual IP : 192.168.10.250
Master IP : 192.168.10.252
PriorityRun : 50 #The priority has now dropped to 50.
PriorityConfig : 200
MasterPriority : 100
Preempt : YES Delay Time : 5 s
TimerRun : 1 s
TimerConfig : 2 s
Auth type : MD5 Auth key : f1>u$|O0`:jKUGU-KkpB4y>#
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Track IF : GigabitEthernet0/0/1 Priority reduced : 150
IF state : DOWN
Create time : 2022-08-01 14:17:13 UTC-08:00
Last change time : 2022-08-02 11:02:01 UTC-08:00