三層架構：MST+HSRP（後篇）：VRRP和DHCP，以及nat和來回路徑一致的靜態路由

上篇中已經做好了接入層和匯聚層，接下來考慮核心層不用動態路由協議，而寫hsrp將A和B的e0/0,e0/1口看做一條鏈路，然後採用靜態路由使得流量來回路徑一致。

1、首先，在A上起vlan9，

將介面e0/0,e0/1劃入該vlan，B上同理，然後起svi 將A，B上接路由器的兩條線路看成一條，於路由器上R2 ，R3 配地址

A：Vlan9 10.1.9.1 YES NVRAM up up B:Vlan10 10.1.10.1 YES NVRAM up up

2、在R2和R3上做虛擬閘道器，此處使用的是VRRP

R2#show run | s vrrp vrrp 1 ip 10.1.9.4 vrrp 1 priority 120 vrrp 1 track 1 decrement 30 vrrp 1 ip 10.1.10.4 R2#show vrrp brief Interface Grp Pri Time Own Pre State Master addr Group addr Fa0/1 1 120 3531 Y Master 10.1.9.2 10.1.9.4 Fa1/0 1 100 3609 Y Backup 10.1.10.3 10.1.10.4 R3#show run | s vrrp

vrrp 1 ip 10.1.10.4 vrrp 1 priority 120 vrrp 1 track 1 decrement 30 vrrp 1 ip 10.1.9.4 R3#show vrrp br Interface Grp Pri Time Own Pre State Master addr Group addr Fa1/0 1 100 3609 Y Backup 10.1.9.2 10.1.9.4 Fa0/1 1 120 3531 Y Master 10.1.10.3 10.1.10.4

3、

此時A，B去往路由器的線路冗餘就完成了，在A，B上寫靜態預設指向虛擬閘道器，從A上出去的優先走R2 ，R3 備份，B上出去先R3 同理。所以在寫預設的時候指向虛擬閘道器就可以，vrrp的優先順序如上自會選路 A：ip route 0.0.0.0 0.0.0.0 10.1.9.4 B：ip route 0.0.0.0 0.0.0.0 10.1.10.4 分析路由 如圖，每種顏色表示一種選路方式，在黃色線路斷裂情況下走紅色，以此類推，保證來回路徑一致，則在R2上寫靜態回程路由時也優先黃色，紅色metric稍大，R3同理 然後R2，R3上預設指向R1 R2：ip route 0.0.0.0 0.0.0.0 12.1.1.1 ip route 10.1.0.0 255.255.0.0 10.1.9.4 ip route 10.1.0.0 255.255.0.0 10.1.10.1 2 R3:ip route 0.0.0.0 0.0.0.0 13.1.1.1 ip route 10.1.0.0 255.255.0.0 10.1.10.1 ip route 10.1.0.0 255.255.0.0 10.1.9.1 2 來看一下路由表 **A：*S 0.0.0.0/0 [1/0] via 10.1.9.4 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks *B：S 0.0.0.0/0 [1/0] via 10.1.10.4 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks R2： 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks C 10.1.10.0/24 is directly connected, FastEthernet1/0 C 10.1.9.0/24 is directly connected, FastEthernet0/1 S 10.1.0.0/16 [1/0] via 10.1.9.1 12.0.0.0/24 is subnetted, 1 subnets C 12.1.1.0 is directly connected, FastEthernet0/0 S 0.0.0.0/0 [1/0] via 12.1.1.1 R3: 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks C 10.1.10.0/24 is directly connected, FastEthernet0/1 C 10.1.9.0/24 is directly connected, FastEthernet1/0 S 10.1.0.0/16 [1/0] via 10.1.10.1 13.0.0.0/24 is subnetted, 1 subnets C 13.1.1.0 is directly connected, FastEthernet0/0 S 0.0.0.0/0 [1/0] via 13.1.1.1

4、在R2，R3上做nat

R3#show run | s nat ip nat outside ip nat inside ip nat inside ip nat inside source list 1 interface FastEthernet0/0 overload R3#show access-lists Standard IP access list 1 10 permit 10.1.0.0, wildcard bits 0.0.255.255 (8 matches) R2#show access-lists Standard IP access list 1 10 permit 10.1.0.0, wildcard bits 0.0.255.255 (4 matches) R2#show run | s nat ip nat outside ip nat inside ip nat inside ip nat inside source list 1 interface FastEthernet0/0 overload 測試一下到R1的換回1.1.1.1通不通 R2#ping 1.1.1.1

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!! Success rate is 100 percent (5/5), round-trip min/avg/max = 56/115/280 ms 好了，nat可以

5、在A和B上做dhcp

要讓vlan2和vlan3都可以從A，B拿到地址，而且從A拿到或者B拿到不衝突，可以將dhcp地址池一分為二 A#show run | s dhcp ip dhcp excluded-address 10.1.2.129 10.1.2.254 ip dhcp excluded-address 10.1.3.129 10.1.3.254 ip dhcp pool vlan2 network 10.1.2.0 255.255.255.0 default-router 10.1.2.252 ip dhcp pool vlan3 network 10.1.3.0 255.255.255.0 default-router 10.1.3.252 B#show run | s dhcp ip dhcp excluded-address 10.1.2.1 10.1.2.128 ip dhcp excluded-address 10.1.3.1 10.1.3.128 ip dhcp pool vlan2 network 10.1.2.0 255.255.255.0 default-router 10.1.2.252 ip dhcp pool vlan3 network 10.1.3.0 255.255.255.0 default-router 10.1.3.252 看一下拿到地址了嗎 VPCS> ip dhcp DDORA IP 10.1.3.129/24 GW 10.1.3.252

VPCS> ip dhcp -r DDORA IP 10.1.2.3/24 GW 10.1.2.252 好 那麼先從vlan2上的pc1開始測試 ping閘道器： VPCS> ping 10.1.2.252 84 bytes from 10.1.2.252 icmp_seq=1 ttl=255 time=404.814 ms 84 bytes from 10.1.2.252 icmp_seq=2 ttl=255 time=42.463 ms 84 bytes from 10.1.2.252 icmp_seq=3 ttl=255 time=207.108 ms 84 bytes from 10.1.2.252 icmp_seq=4 ttl=255 time=684.351 ms 84 bytes from 10.1.2.252 icmp_seq=5 ttl=255 time=713.638 ms emmmmmmm·······這個延時，先湊合一下 從vlan3上trace一下1.1.1.1： VPCS> trace 1.1.1.1 -P 1 trace to 1.1.1.1, 8 hops max (ICMP), press Ctrl+C to stop 1 * *10.1.3.254 124.650 ms 2 * * * 3 * * * 4 * * * 5 *1.1.1.1 309.880 ms 101.548 ms emmmmmm······從A上看吧，接入層和匯聚層和上篇一樣的 A#traceroute 1.1.1.1 Type escape sequence to abort. Tracing the route to 1.1.1.1 VRF info: (vrf in name/id, vrf out name/id) 1 * 10.1.9.2 53 msec 23 msec 2 12.1.1.1 519 msec 387 msec 正常走的是R2 上去，若是B，流量從R3走，驗證一下 B#traceroute 1.1.1.1 Type escape sequence to abort. Tracing the route to 1.1.1.1 VRF info: (vrf in name/id, vrf out name/id) 1 10.1.10.3 190 msec 44 msec 19 msec 2 13.1.1.1 92 msec * 1276 msec 沒問題，接下來斷掉黃色線路（圖在上面） A#trace 1.1.1.1 Type escape sequence to abort. Tracing the route to 1.1.1.1 VRF info: (vrf in name/id, vrf out name/id) 1 10.1.9.3 29 msec 24 msec 588 msec 2 13.1.1.1 513 msec 40 msec * 這時候就走了紅色線路，R2想到A就要繞一下 R2#traceroute 10.1.9.1 Type escape sequence to abort. Tracing the route to 10.1.9.1 1 10.1.10.1 0 msec 2 10.1.10.3 472 msec * 3 10.1.9.1 168 msec 斷掉綠色線路看一下 B#traceroute 1.1.1.1 Type escape sequence to abort. Tracing the route to 1.1.1.1 VRF info: (vrf in name/id, vrf out name/id) 1 10.1.10.2 30 msec 48 msec 325 msec 2 12.1.1.1 741 msec 738 msec * 就走的旁邊

還存在的問題：

由於延時太大pc一直timeout，就先這樣看一下，還有其他一些問題：R2上的vrrp狀態一直不停的切換 *Mar 1 04:11:21.446: %VRRP-6-STATECHANGE: Fa1/0 Grp 1 state Backup -> Master *Mar 1 04:11:22.406: %VRRP-6-STATECHANGE: Fa1/0 Grp 1 state Master -> Backup 每隔一段時間就傳送這個，然後A和B上一直在刷屏 A# *Sep 20 11:23:53.208: %AMDP2_FE-6-EXCESSCOLL: Ethernet1/1 TDR=0, TRC=0 A# *Sep 20 11:24:23.967: %AMDP2_FE-6-EXCESSCOLL: Ethernet1/1 TDR=0, TRC=0 A# *Sep 20 11:24:54.363: %AMDP2_FE-6-EXCESSCOLL: Ethernet1/1 TDR=0, TRC=0 A# *Sep 20 11:25:28.242: %AMDP2_FE-6-EXCESSCOLL: Ethernet1/1 TDR=0, TRC=0 不知道為什麼·····哪位大佬知道的話還請幫忙解答一二，在下先謝過了QwQ

可能還有不正確的部分，在下暫時看不出來，再學習一下回來改正 下一篇大概要討論交換安全。 以上。