Once the static routes are configured, why does primary/backup switchover still not happen? How do you link NQA with static routes?
Today's hands-on, step-by-step tutorial shows how to do it; even a beginner can follow along.
Step 1:
First, create the topology.
[SW1]vlan batch 10 20 30
[SW1]int vlan 10
[SW1-Vlanif10]ip add 192.168.1.2 24
[SW1-Vlanif10]int vlan 20
[SW1-Vlanif20]ip add 10.1.1.1 24
[SW1-Vlanif20]int vlan 30
[SW1-Vlanif30]ip add 10.1.4.1 24
[SW1-Vlanif30]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 30
[SW3]vlan batch 10 20
[SW3]int vlan 10
[SW3-Vlanif10]ip add 10.1.1.2 24
[SW3]int vlan 20
[SW3-Vlanif20]ip add 10.1.2.1 24
[SW3-Vlanif20]int g0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 10
[SW3-GigabitEthernet0/0/1]int g0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 20
Username:admin
Password:Admin@123
Please enter new password:Huawei@123
[FW1]int g0/0/0
[FW1-GigabitEthernet0/0/0]ip add 10.1.2.2 24
[FW1-GigabitEthernet0/0/0]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.1.3.1 24
[SW2]vlan b 10 20 30
[SW2]int vlan 10
[SW2-Vlanif10]ip add 10.1.3.2 24
[SW2-Vlanif10]int vlan 20
[SW2-Vlanif20]ip add 10.1.6.2 24
[SW2-Vlanif20]int vlan 30
[SW2-Vlanif30]ip add 192.168.2.2 24
[SW2-Vlanif30]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 10
[SW2-GigabitEthernet0/0/1]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type access
[SW2-GigabitEthernet0/0/2]port default vlan 20
[SW2-GigabitEthernet0/0/2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type access
[SW2-GigabitEthernet0/0/3]port default vlan 30
[SW4]vlan b 10 20
[SW4]int vlan 10
[SW4-Vlanif10]ip add 10.1.4.2 24
[SW4]int vlan 20
[SW4-Vlanif20]ip add 10.1.5.1 24
[SW4-Vlanif20]int g0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 10
[SW4-GigabitEthernet0/0/1]int g0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 20
Username:admin
Password:Admin@123
Please enter new password:Huawei@123
[FW2]int g0/0/0
[FW2-GigabitEthernet0/0/0]ip add 10.1.5.2 24
[FW2-GigabitEthernet0/0/0]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.1.6.1 24
Step 2:
Enable ping on the firewall interfaces and configure the security policy.
[FW1]int g0/0/0 //enable ping on the interface
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]int g1/0/0
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1]firewall zone trust //add the corresponding interfaces to the firewall security zones
[FW1-zone-trust]add interface g0/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/0
[FW2]int g0/0/0 //FW2 is configured the same as FW1
[FW2-GigabitEthernet0/0/0]service-manage ping permit
[FW2-GigabitEthernet0/0/0]int g1/0/0
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface g0/0/0
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/0
[FW1]security-policy //configure FW1's security policy so that the trust zone can reach the untrust zone
[FW1-policy-security]rule name tr-un
[FW1-policy-security-rule-tr-un]source-zone trust
[FW1-policy-security-rule-tr-un]destination-zone untrust
[FW1-policy-security-rule-tr-un]source-address 192.168.1.0 24
[FW1-policy-security-rule-tr-un]destination-address 10.1.3.2 32
[FW1-policy-security-rule-tr-un]destination-address 192.168.2.0 24
[FW1-policy-security-rule-tr-un]action permit
[FW2]security-policy //FW2 is configured the same as FW1
[FW2-policy-security]rule name tr-un
[FW2-policy-security-rule-tr-un]source-zone trust
[FW2-policy-security-rule-tr-un]destination-zone untrust
[FW2-policy-security-rule-tr-un]source-address 192.168.1.0 24
[FW2-policy-security-rule-tr-un]destination-address 10.1.6.2 32
[FW2-policy-security-rule-tr-un]destination-address 192.168.2.0 24
[FW2-policy-security-rule-tr-un]action permit
Step 3:
Add the static route entries on the switches and firewalls.
[SW1]ip route-static 10.1.2.0 24 10.1.1.2 //SW1 primary-link routes
[SW1]ip route-static 10.1.3.0 24 10.1.1.2
[SW1]ip route-static 192.168.2.0 24 10.1.1.2
[SW1]ip route-static 192.168.2.0 24 10.1.4.2 preference 70 //SW1 backup-link route
[SW1]ip route-static 10.1.6.0 24 10.1.4.2
[SW1]ip route-static 10.1.5.0 24 10.1.4.2
[SW3]ip route-static 192.168.1.0 24 10.1.1.1 //SW3 route entries
[SW3]ip route-static 10.1.3.0 24 10.1.2.2
[SW3]ip route-static 192.168.2.0 24 10.1.2.2
[FW1]ip route-static 10.1.1.0 24 10.1.2.1 //FW1 route entries
[FW1]ip route-static 192.168.1.0 24 10.1.2.1
[FW1]ip route-static 192.168.2.0 24 10.1.3.2
[SW2]ip route-static 192.168.1.0 24 10.1.3.1 //SW2 uplink route entries
[SW2]ip route-static 10.1.1.0 24 10.1.3.1
[SW2]ip route-static 10.1.2.0 24 10.1.3.1
[SW2]ip route-static 192.168.1.0 24 10.1.6.1 preference 70 //backup-link route entry
[SW2]ip route-static 10.1.4.0 24 10.1.6.1
[SW2]ip route-static 10.1.5.0 24 10.1.6.1
[SW4]ip route-static 192.168.1.0 24 10.1.4.1 //SW4 route entries
[SW4]ip route-static 10.1.6.0 24 10.1.5.2
[SW4]ip route-static 192.168.2.0 24 10.1.5.2
[FW2]ip route-static 192.168.1.0 24 10.1.5.1 //FW2 route entries
[FW2]ip route-static 10.1.4.0 24 10.1.5.1
[FW2]ip route-static 192.168.2.0 24 10.1.6.2
Step 4:
Test: ping PC2 from PC1.
Check SW1's routing table.
The test shows that traffic from PC1 to PC2 takes the uplink (primary link).
Step 5:
Analyze whether PC1 can still reach PC2 over the backup link after SW1 goes down.
1) First we shut down SW2's G0/0/2 port.
After it is shut down, PC1 can no longer ping PC2. Normally the traffic should take the backup link below, so why is that?
First we check SW1's routing table to see whether it has switched to the backup link.
SW1 has switched to the backup link, so next we check SW2's routing table.
The test shows that SW2 has not switched to the backup link.
2) Cause analysis
When we also shut down SW2's uplink, the ping works again.
So the problem lies in SW2's uplink.
We first capture packets on SW2's G0/0/2 port.
G0/0/2 sees only the echo requests sent by PC1 and receives no replies.
We then look at the capture on SW2's G0/0/1.
The echo replies take SW2's uplink. Since we blocked SW1's uplink, and the replies do not come back over the downlink, PC1 cannot ping PC2 once SW1's uplink is blocked.
3) How static routes work:
Unlike dynamic routes, static routes have no detection mechanism of their own; when a network fault occurs, the administrator has to intervene.
Solution: the NQA for static routes feature lets a static route be bound to a BFD session and uses the NQA session to detect the state of the link the static route traverses.
Step 6: Configure NQA link detection
[SW1]nqa test-instance user 1
[SW1-nqa-user-1]test-type icmp
[SW1-nqa-user-1]destination-address ipv4 10.1.3.1
[SW1-nqa-user-1]frequency 11
[SW1-nqa-user-1]probe-count 2
[SW1-nqa-user-1]interval seconds 5
[SW1-nqa-user-1]timeout 4
[SW1-nqa-user-1]start now
[SW1-nqa-user-1]q
[SW1]nqa test-instance user 2
[SW1-nqa-user-2]test-type icmp
[SW1-nqa-user-2]destination-address ipv4 10.1.6.1
[SW1-nqa-user-2]frequency 11
[SW1-nqa-user-2]probe-count 2
[SW1-nqa-user-2]interval seconds 5
[SW1-nqa-user-2]timeout 4
[SW1-nqa-user-2]start now
[SW1-nqa-user-2]q
[SW1]ip route-static 192.168.2.0 255.255.255.0 10.1.1.2 track nqa user 1
[SW1]ip route-static 192.168.2.0 255.255.255.0 10.1.4.2 preference 70 track nqa user 2
[SW1]display current-configuration | include nqa //view the NQA configuration
[SW1]display nqa results test-instance user 1 //check the link's packet loss rate
[SW2]nqa test-instance user 1
[SW2-nqa-user-1]test-type icmp
[SW2-nqa-user-1]destination-address ipv4 10.1.1.2
[SW2-nqa-user-1]frequency 11
[SW2-nqa-user-1]probe-count 2
[SW2-nqa-user-1]interval seconds 5
[SW2-nqa-user-1]timeout 4
[SW2-nqa-user-1]start now
[SW2-nqa-user-1]q
[SW2]nqa test-instance user 2
[SW2-nqa-user-2]test-type icmp
[SW2-nqa-user-2]destination-address ipv4 10.1.4.2
[SW2-nqa-user-2]frequency 11
[SW2-nqa-user-2]probe-count 2
[SW2-nqa-user-2]interval seconds 5
[SW2-nqa-user-2]timeout 4
[SW2-nqa-user-2]start now
[SW2-nqa-user-2]q
[SW2]ip route-static 192.168.1.0 255.255.255.0 10.1.3.1 track nqa user 1
[SW2]ip route-static 192.168.1.0 255.255.255.0 10.1.6.1 preference 70 track nqa user 2
[SW2]display current-configuration | include nqa //view the NQA configuration
[SW2]display nqa results test-instance user 1 //check the link's packet loss rate
Then we shut down SW1's uplink interface again.
PC1 can now ping PC2.
We check the route entries on PC1 and SW2.
The test shows that PC1's packets take the downlink (backup link), and SW2 uses the downlink as well.
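The following is an added example, not code from the original post: a small Python model of the Step 5 failure (SW1 fails over but SW2 keeps its primary route, so the echo reply is black-holed) and of the Step 6 fix (NQA-tracked routes on both sides). Addresses and preferences follow the post; the link names and the assumption that an NQA probe succeeds exactly when every link on the probed path is up are constructed for the model.

```python
# Added example, not code from the original post: a model of the Step 5
# failure (asymmetric return path) and the Step 6 fix (NQA tracking).
# Addresses and preferences follow the post; link names and the rule
# "a probe succeeds iff every link on its path is up" are constructed.

PRIMARY = ("SW1-SW3", "SW3-FW1", "FW1-SW2")  # uplink path via FW1
BACKUP = ("SW1-SW4", "SW4-FW2", "FW2-SW2")   # backup path via FW2

# next hop -> the path it leads onto (SW1's next hops, then SW2's)
HOPS = {"10.1.1.2": PRIMARY, "10.1.4.2": BACKUP,
        "10.1.3.1": PRIMARY, "10.1.6.1": BACKUP}

# SW1 sits at the start of each path and SW2 at its end; that is the
# only link whose failure the switch notices by itself (own port down).
SW1_SIDE, SW2_SIDE = 0, -1


def active_route(routes, side, down):
    """Return (preference, next_hop, path) the switch installs, or None.
    routes: (prefix, next_hop, preference, tracked) for one prefix.
    A route whose directly attached link is down is withdrawn by the
    switch itself; a tracked route is also withdrawn when its NQA probe
    fails. Lowest preference wins (60 = default static, 70 = backup).
    """
    usable = []
    for _prefix, next_hop, preference, tracked in routes:
        path = HOPS[next_hop]
        if path[side] in down:
            continue
        if tracked and any(link in down for link in path):
            continue
        usable.append((preference, next_hop, path))
    return min(usable, default=None)


def ping(down, tracked):
    """PC1 -> PC2 echo request plus the reply; down = set of failed links.
    Returns (request_next_hop, reply_next_hop, success)."""
    sw1 = [("192.168.2.0/24", "10.1.1.2", 60, tracked),
           ("192.168.2.0/24", "10.1.4.2", 70, tracked)]
    sw2 = [("192.168.1.0/24", "10.1.3.1", 60, tracked),
           ("192.168.1.0/24", "10.1.6.1", 70, tracked)]
    req = active_route(sw1, SW1_SIDE, down)
    rep = active_route(sw2, SW2_SIDE, down)
    if req is None or rep is None:
        return (req[1] if req else None, rep[1] if rep else None, False)
    # the echo only completes if every link on both chosen paths is up
    ok = all(link not in down for link in req[2] + rep[2])
    return (req[1], rep[1], ok)
```

With `ping({"SW1-SW3"}, tracked=False)` SW1 answers via 10.1.4.2 while SW2 still replies via 10.1.3.1 and the ping fails, which is the Step 5 capture; with `tracked=True` SW2 moves to 10.1.6.1 and the ping succeeds.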