Preface
In modern networks, with ever-increasing traffic and diverse application requirements, network reliability and stability are especially important. To meet increasingly complex network challenges, many advanced protocols and technologies have emerged. Among them, DHCP (Dynamic Host Configuration Protocol), MSTP (Multiple Spanning Tree Protocol), VRRP (Virtual Router Redundancy Protocol) and BFD (Bidirectional Forwarding Detection) are core components for keeping a network running efficiently and stably.
DHCP, as the network's automatic address assignment protocol, greatly simplifies device onboarding while improving the efficiency of network management. MSTP optimizes the use of spanning trees to achieve more efficient bandwidth utilization and more reliable network redundancy. VRRP provides a flexible router redundancy mechanism that keeps the network connected when the master router fails. BFD, a fast failure detection protocol, discovers abnormal link states within milliseconds, providing a strong safeguard for the network.
Lab topology diagram
In the lab above, DHCP automatically assigns IP addresses to the end hosts, with each VLAN receiving addresses from a different pool. The Layer 2 access switches are also configured to defend against rogue DHCP servers and DHCP address spoofing.
Next, MSTP is deployed on the switches for load balancing, working together with VRRP.
Finally, BFD is used to detect link failures and trigger fast VRRP switchover.
DHCP address assignment
DHCP server
#
sysname DHCP
#
dhcp enable
#
ip pool p1
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool p2
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
dns-list 8.8.8.8
#
interface GigabitEthernet0/0/0
ip address 192.168.100.3 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/2
ip address 192.168.200.3 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
ip route-static 0.0.0.0 0.0.0.0 192.168.200.1
#
S1
#
sysname SW1
#
vlan batch 10 20 100
#
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.100.3
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.100.3
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
Check that the switch can reach the DHCP server.
<SW1>ping 192.168.100.3
PING 192.168.100.3: 56 data bytes, press CTRL_C to break
Reply from 192.168.100.3: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 192.168.100.3: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 192.168.100.3: bytes=56 Sequence=3 ttl=255 time=30 ms
S2
#
sysname SW2
#
undo info-center enable
#
vlan batch 10 20 100
#
dhcp enable
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.200.3
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.200.3
#
interface Vlanif100
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
Check that the switch can reach the DHCP server.
<SW2>ping 192.168.200.3
PING 192.168.200.3: 56 data bytes, press CTRL_C to break
Reply from 192.168.200.3: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 192.168.200.3: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 192.168.200.3: bytes=56 Sequence=3 ttl=255 time=20 ms
S3
#
sysname S3
#
undo info-center enable
#
vlan batch 10 20
#
dhcp enable
#
dhcp snooping enable
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
dhcp snooping trusted
#
S4
#
sysname S4
#
undo info-center enable
#
vlan batch 10 20
#
dhcp enable
#
dhcp snooping enable
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
dhcp snooping trusted
#
dhcp snooping enable
Enable DHCP Snooping: first, enable DHCP Snooping globally on the switch. This feature inspects and filters DHCP messages passing through the switch, ensuring that only trusted DHCP servers can deliver valid IP configuration to clients.
dhcp snooping trusted
Configure trusted ports: configure the switch port that leads to the legitimate DHCP server (here the uplink GigabitEthernet0/0/1) as trusted, and leave the ports facing ordinary users or client devices untrusted. With this configuration, DHCP responses sent from untrusted ports are discarded, which reduces the risk of a rogue DHCP server attack.
dhcp snooping check dhcp-chaddr enable
Verify the client hardware address: with this option, the switch checks whether the chaddr field of a DHCP request matches the source MAC address of the frame that carried it. This helps ensure that only legitimate clients receive IP addresses and prevents malicious devices from forging DHCP requests.
All of the above strengthen the security and reliability of DHCP on the network.
Finally, verify that IP addresses were assigned successfully, and ping addresses in the other subnet to confirm that the hosts can communicate.
Running MSTP (Multiple Spanning Tree Protocol)
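The two DHCP Snooping checks configured on S3 and S4 above, modelled as an added example (this is not the switch's code or part of the original lab): untrusted ports discard DHCP server replies, and the chaddr check discards requests whose chaddr does not match the frame's source MAC. The port names follow the lab; the frames are constructed sample traffic.

```python
# Added example: a minimal model of Huawei "dhcp snooping trusted" and
# "dhcp snooping check dhcp-chaddr enable". Ports and frames are constructed
# here; a real switch applies the same logic to parsed BOOTP/DHCP frames.
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2   # BOOTP op: client->server / server->client

@dataclass
class Port:
    name: str
    trusted: bool        # "dhcp snooping trusted" (uplink to the DHCP server)
    chaddr_check: bool   # "dhcp snooping check dhcp-chaddr enable"

@dataclass
class DhcpFrame:
    src_mac: str         # Ethernet source address of the frame
    op: int              # BOOTREQUEST or BOOTREPLY
    chaddr: str          # client hardware address inside the DHCP payload

def snooping_verdict(port: Port, frame: DhcpFrame) -> str:
    """Return 'forward' or 'drop:<reason>' for a DHCP frame received on port."""
    if not port.trusted and frame.op == BOOTREPLY:
        # OFFER/ACK/NAK arriving on a client-facing port: rogue DHCP server
        return "drop:reply-on-untrusted-port"
    if (port.chaddr_check and frame.op == BOOTREQUEST
            and frame.chaddr.lower() != frame.src_mac.lower()):
        # the client claims a hardware address the frame does not carry
        return "drop:chaddr-mismatch"
    return "forward"

def filter_frames(port: Port, frames) -> list:
    """Apply the snooping checks to every frame seen on one port."""
    return [snooping_verdict(port, f) for f in frames]

# Ports as configured on S3/S4 in the lab above
ACCESS = Port("Ethernet0/0/1", trusted=False, chaddr_check=True)
UPLINK = Port("GigabitEthernet0/0/1", trusted=True, chaddr_check=False)

# Constructed sample traffic (MAC addresses are made up)
SAMPLES = [
    DhcpFrame("54:89:98:aa:11:01", BOOTREQUEST, "54:89:98:aa:11:01"),  # normal DISCOVER
    DhcpFrame("54:89:98:aa:11:01", BOOTREQUEST, "54:89:98:ff:ff:02"),  # forged chaddr
    DhcpFrame("54:89:98:bb:22:02", BOOTREPLY,   "54:89:98:aa:11:01"),  # OFFER from a client port
]

if __name__ == "__main__":
    for port in (ACCESS, UPLINK):
        print(port.name, filter_frames(port, SAMPLES))
```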
S1
#
stp instance 1 root primary ## instance 1: this switch is the root bridge
stp instance 2 root secondary ## instance 2: this switch is the backup root bridge
#
stp region-configuration
region-name SW
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
S2
#
stp instance 1 root secondary
stp instance 2 root primary
#
stp region-configuration
region-name SW
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
Viewing the result of the configuration
<SW1>display stp region-configuration
Oper configuration
Format selector :0
Region name :SW
Revision level :1
Instance VLANs Mapped
0 1 to 9, 11 to 19, 21 to 4094
1 10
2 20
<SW1>display stp instance 1 brief
MSTID Port Role STP State Protection
1 GigabitEthernet0/0/1 DESI FORWARDING NONE
1 GigabitEthernet0/0/3 DESI FORWARDING NONE
1 GigabitEthernet0/0/4 DESI FORWARDING NONE
<SW2>display stp instance 2 brief
MSTID Port Role STP State Protection
2 GigabitEthernet0/0/1 DESI FORWARDING NONE
2 GigabitEthernet0/0/3 DESI FORWARDING NONE
2 GigabitEthernet0/0/4 DESI FORWARDING NONE
This gives the two switches primary and backup roles in different STP instances, improving redundancy and fault tolerance. All relevant ports forward traffic normally, and configuration consistency is maintained through the shared region name and revision level, which improves the overall stability and efficiency of the network.
Running VRRP (Virtual Router Redundancy Protocol)
S1
#
interface Vlanif10
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
vrrp vrid 10 preempt-mode timer delay 5 ## enable preemption with a 5 s delay
vrrp vrid 10 track interface GigabitEthernet0/0/2 reduced 60 ## monitor the uplink; when it fails, the priority is lowered automatically (150-60)
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
#
S2
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlanif20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 150
vrrp vrid 20 preempt-mode timer delay 5
#
Viewing the result
Shut down VLAN 10 on S1 to simulate a failure
#
interface Vlanif10
shutdown
#
Now on S2, both VLAN 10 and VLAN 20 become Master, and S2 serves the hosts below.
<SW2>display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Master Vlanif10 Normal 192.168.10.254
20 Master Vlanif20 Normal 192.168.20.254
----------------------------------------------------------------
Total:2 Master:2 Backup:0 Non-active:0
Recover from the fault on S1
[SW1-Vlanif10]undo shutdown
[SW1-Vlanif10]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Backup Vlanif10 Normal 192.168.10.254
20 Backup Vlanif20 Normal 192.168.20.254
----------------------------------------------------------------
Total:2 Master:0 Backup:2 Non-active:0
[SW1-Vlanif10]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Master Vlanif10 Normal 192.168.10.254
20 Backup Vlanif20 Normal 192.168.20.254
----------------------------------------------------------------
Total:2 Master:1 Backup:1 Non-active:0
The Master role is preempted after the 5 s delay.
Shut down the uplink to check the VRRP state
[SW1-GigabitEthernet0/0/2]shutdown
[SW1-GigabitEthernet0/0/2]display vrrp binding
[SW1-GigabitEthernet0/0/2]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Backup Vlanif10 Normal 192.168.10.254
20 Backup Vlanif20 Normal 192.168.20.254
----------------------------------------------------------------
Total:2 Master:0 Backup:2 Non-active:0
[SW1-GigabitEthernet0/0/2]display vrrp
Vlanif10 | Virtual Router 10
State : Backup
Virtual IP : 192.168.10.254
Master IP : 192.168.10.2
PriorityRun : 90 ## reduced by 60 at this point
PriorityConfig : 150
MasterPriority : 100
Preempt : YES Delay Time : 5 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-010a
Check TTL : YES
Config type : normal-vrrp
Track IF : GigabitEthernet0/0/2 Priority reduced : 60
IF state : DOWN
Create time : 2024-08-11 14:58:59 UTC-08:00
Last change time : 2024-08-11 15:08:09 UTC-08:00
Vlanif20 | Virtual Router 20
State : Backup
Virtual IP : 192.168.20.254
Master IP : 192.168.20.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 150
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0114
Check TTL : YES
Config type : normal-vrrp
Track BFD : 11 Priority increased : 60
BFD-session state : UP
Create time : 2024-08-11 14:58:59 UTC-08:00
Last change time : 2024-08-11 15:06:32 UTC-08:00
Configuring BFD (Bidirectional Forwarding Detection)
S1
#
bfd vlan10 bind peer-ip 192.168.10.2 interface Vlanif10
## bind a BFD session to interface Vlanif10 (VLAN 10) with peer IP 192.168.10.2
discriminator local 1 ## local discriminator 1
discriminator remote 2 ## remote discriminator 2
min-tx-interval 100 ## minimum transmit interval 100 ms
min-rx-interval 100 ## minimum receive interval 100 ms
commit ## commit the configuration
#
bfd vlan20 bind peer-ip 192.168.20.2 interface Vlanif20
discriminator local 11
discriminator remote 22
min-tx-interval 100
min-rx-interval 100
commit
S2
#
bfd vlan10 bind peer-ip 192.168.10.1 interface Vlanif10
discriminator local 2
discriminator remote 1
min-tx-interval 100
min-rx-interval 100
commit
#
bfd vlan20 bind peer-ip 192.168.20.1 interface Vlanif20
discriminator local 22
discriminator remote 11
min-tx-interval 100
min-rx-interval 100
commit
#
BFD session establishment state
[SW1]display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 192.168.10.2 Up S_IP_IF Vlanif10
11 22 192.168.20.2 Up S_IP_IF Vlanif20
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0
<SW2>display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
2 1 192.168.10.1 Up S_IP_IF Vlanif10
22 11 192.168.20.1 Up S_IP_IF Vlanif20
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0
Both sessions are Up, which means the BFD sessions were established successfully.
Reference the BFD sessions just created on the VRRP interfaces
S1
#
interface Vlanif20
vrrp vrid 20 track bfd-session 11 increased 60
#
S2
#
interface Vlanif10
vrrp vrid 10 track bfd-session 2 increased 60
Suppose a fault occurs on VLAN 10 of S1.
[SW1-Vlanif10]shutdown
<SW2>display vrrp
Vlanif10 | Virtual Router 10
State : Master
Virtual IP : 192.168.10.254
Master IP : 192.168.10.2
PriorityRun : 160
PriorityConfig : 100
MasterPriority : 160
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-010a
Check TTL : YES
Config type : normal-vrrp
Track BFD : 2 Priority increased : 60
BFD-session state : DOWN
Create time : 2024-08-11 14:59:01 UTC-08:00
Last change time : 2024-08-11 15:08:09 UTC-08:00
Vlanif20 | Virtual Router 20
State : Master
Virtual IP : 192.168.20.254
Master IP : 192.168.20.2
PriorityRun : 150
PriorityConfig : 150
MasterPriority : 150
Preempt : YES Delay Time : 5 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0114
Check TTL : YES
Config type : normal-vrrp
Create time : 2024-08-11 14:59:01 UTC-08:00
Last change time : 2024-08-11 15:06:31 UTC-08:00
[SW2-Vlanif20]display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Master Vlanif10 Normal 192.168.10.254
20 Master Vlanif20 Normal 192.168.20.254
----------------------------------------------------------------
Total:2 Master:2 Backup:0 Non-active:0
Now the priority of VLAN 10 on S2 has increased to 160.
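How the PriorityRun values above come about, as an added example that is not part of the original lab and not device code: it applies the "track interface ... reduced" rule from the VRRP section (150-60 = 90 on S1 when the uplink is down) and the "track bfd-session ... increased" rule from this section (100+60 = 160 on S2 when the BFD session is down), then elects the Master per VRID. Router names and IPs follow the lab; the tie-break on the higher interface IP is the VRRP (RFC 5798) rule and is an assumption about the lab, where no tie occurs.

```python
# Added example: recompute VRRP PriorityRun from tracked objects and elect
# the Master. Router names, IPs and priorities are taken from the lab above;
# the objects themselves are constructed here.
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class Track:
    kind: str    # "interface": reduced when DOWN; "bfd": increased when DOWN
    state: str   # "UP" or "DOWN"
    delta: int   # the configured reduced/increased amount

@dataclass
class VrrpRouter:
    name: str
    ip: str                      # primary IP on the Vlanif (tie-break key)
    config_priority: int = 100   # PriorityConfig
    tracks: list = field(default_factory=list)
    admin_up: bool = True        # False models "shutdown" on the Vlanif

def running_priority(r: VrrpRouter) -> int:
    """Mirror PriorityRun: apply every tracked object whose state is DOWN."""
    pri = r.config_priority
    for t in r.tracks:
        if t.state != "DOWN":
            continue
        if t.kind == "interface":     # vrrp vrid N track interface ... reduced X
            pri -= t.delta
        elif t.kind == "bfd":         # vrrp vrid N track bfd-session ... increased X
            pri += t.delta
    return max(1, min(254, pri))      # 0 and 255 are reserved by VRRP

def elect_master(routers) -> str:
    """Highest running priority wins; on a tie the higher primary IP wins."""
    live = [r for r in routers if r.admin_up]
    if not live:
        return ""
    best = max(live, key=lambda r: (running_priority(r), ip_address(r.ip)))
    return best.name

# VRID 10 as in the lab: S1 tracks its uplink, S2 tracks BFD session 2
def vrid10(uplink_state="UP", bfd_state="UP", s1_up=True):
    s1 = VrrpRouter("SW1", "192.168.10.1", 150,
                    [Track("interface", uplink_state, 60)], admin_up=s1_up)
    s2 = VrrpRouter("SW2", "192.168.10.2", 100, [Track("bfd", bfd_state, 60)])
    return s1, s2

if __name__ == "__main__":
    s1, s2 = vrid10(uplink_state="DOWN")
    print(running_priority(s1), running_priority(s2), elect_master([s1, s2]))
```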