Side-Attached (Off-Path) Firewall Deployment: Dual-Device Hot Standby with Load Sharing
Topology diagram
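Advantages of side-attached deployment:
1. The firewall can be added to an existing network without changing the physical topology.
2. Traffic can be selectively steered to the firewall for security inspection.
Static routes are used to steer traffic that passes through the core switch to the firewall: configure a static route on the core switch ---> next hop is the firewall's address.
Problem: the core switch usually runs OSPF together with its upstream and downstream devices, and OSPF routes take precedence over static routes, so the static route configured above does not take effect; that is, traffic cannot be steered to the firewall.
Solution: configure VRF (virtual routing and forwarding instances) on the core switch.
This virtualizes one device into multiple switches.
One device is partitioned into several devices. Each virtual device is completely isolated from the original device: their routes do not interfere with each other, and neither do their interfaces.
To forward traffic, static routes must be configured in both the VRF and Public on the switch, with the virtual IP addresses of VRRP backup group 1 and VRRP backup group 2 as next hops. Because traffic flows in both directions, the firewall also needs two static return routes, whose next hops are the virtual IP addresses of the VRRP groups in VRF and Public respectively.
Requirements:
1. Traffic from SW3
Normal: SW1_VRF--FW1--SW1_Public--R5
Failure: SW2_VRF--FW2--SW2_Public--R6
2. Traffic from SW4
Normal: SW2_VRF--FW2--SW2_Public--R6
Failure: SW1_VRF--FW1--SW1_Public--R5
3. Load balancing in the switching network
Layer 2 switching configuration
Uses the MSTP+VRRP design of the traditional three-tier architecture
VLAN 2 ---> SW3, with SW4 as backup
VLAN 3 ---> SW4, with SW3 as backup
MSTP design ---> runs on SW3, SW4 and SW5
Instance 1: VLAN 2
Instance 2: VLAN 3
SW3 is the primary root of instance 1 and the backup root of instance 2
SW4 is the primary root of instance 2 and the backup root of instance 1
IP address plan:
SW3:
VLAN 2: 192.168.2.1/24
VLAN 3: 192.168.3.1/24
SW4:
VLAN 2: 192.168.2.2/24
VLAN 3: 192.168.3.2/24
Virtual IP:
VLAN 2: 192.168.2.254/24
VLAN 3: 192.168.3.254/24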
[sw3]vlan batch 2 3
[sw3]int g0/0/3
[sw3-GigabitEthernet0/0/3]po li t
[sw3-GigabitEthernet0/0/3]po t all v 2 3
[sw3]int g0/0/4
[sw3-GigabitEthernet0/0/4]po li t
[sw3-GigabitEthernet0/0/4]po t all v 2 3
MSTP configuration
[sw3]stp enable
[sw3]stp mode mstp
[sw3]stp region-configuration
[sw3-mst-region]region-name aa
[sw3-mst-region]instance 1 vlan 2
[sw3-mst-region]instance 2 vlan 3
[sw3-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw3-mst-region]q
[sw3]stp instance 1 root primary ---primary root of instance 1
[sw3]stp instance 2 root secondary ---backup root of instance 2
[sw3]interface Vlanif 2
[sw3-Vlanif2]ip add 192.168.2.1 24
[sw3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[sw3-Vlanif2]vrrp vrid 1 priority 120 ---change the priority
Preemption delay
[sw3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20
Uplink monitoring
[sw3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[sw3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
vlanif 3
[sw3]interface Vlanif 3
[sw3-Vlanif3]ip add 192.168.3.1 24
[sw3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[sw4]vlan batch 2 3
[sw4]int GigabitEthernet 0/0/3
[sw4-GigabitEthernet0/0/3]PO li t
[sw4-GigabitEthernet0/0/3]po t all v 2 3
[sw4-GigabitEthernet0/0/3]int g0/0/4
[sw4-GigabitEthernet0/0/4]po li t
[sw4-GigabitEthernet0/0/4]po t all v 2 3
[sw4]stp enable
[sw4]stp mode mstp
[sw4]stp region-configuration
[sw4-mst-region]region-name aa
[sw4-mst-region]instance 1 vlan 2
[sw4-mst-region]instance 2 vlan 3
[sw4-mst-region]active region-configuration
[sw4]stp instance 1 root secondary ---backup root of instance 1
[sw4]stp instance 2 root primary ---primary root of instance 2
[sw4]interface Vlanif 2
[sw4-Vlanif2]ip add 192.168.2.2 24
[sw4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[sw4]interface Vlanif 3
[sw4-Vlanif3]ip add 192.168.3.2 24
[sw4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[sw4-Vlanif3]vrrp vrid 1 priority 120
[sw4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[sw4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[sw4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[sw5]vlan batch 2 3
[sw5]int g 0/0/3
[sw5-GigabitEthernet0/0/3]po li a
[sw5-GigabitEthernet0/0/3]po de v 2
[sw5-GigabitEthernet0/0/3]int g 0/0/4
[sw5-GigabitEthernet0/0/4]po li a
[sw5-GigabitEthernet0/0/4]po de v 3
[sw5]int g0/0/1
[sw5-GigabitEthernet0/0/1]po li t
[sw5-GigabitEthernet0/0/1]po t all vlan 2 3
[sw5-GigabitEthernet0/0/1]int g0/0/2
[sw5-GigabitEthernet0/0/2]po li t
[sw5-GigabitEthernet0/0/2]po t all vlan 2 3
[sw5]stp enable
[sw5]stp mode mstp
[sw5]stp re
[sw5-mst-region]region-name aa
[sw5-mst-region]instance 1 vlan 2
[sw5-mst-region]instance 2 vlan 3
[sw5-mst-region]active region-configuration
Core layer routing configuration
SW1-SW2: VLAN 102---10.10.2.0/24
SW1-SW3: VLAN 103---10.10.3.0/24
SW1-SW4: VLAN 104---10.10.4.0/24
SW2-SW3: VLAN 203---10.20.3.0/24
SW2-SW4: VLAN 204---10.20.4.0/24
[sw3]vlan b 103 203
[sw3]int g0/0/1
[sw3-GigabitEthernet0/0/1]po li a
[sw3-GigabitEthernet0/0/1]po de v 103
[sw3-GigabitEthernet0/0/1]undo stp enable
[sw3]int g0/0/2
[sw3-GigabitEthernet0/0/2]po li a
[sw3-GigabitEthernet0/0/2]po de v 203
[sw3-GigabitEthernet0/0/2]undo stp enable
[sw3]int Vlanif 103
[sw3-Vlanif103]ip add 10.10.3.3 24
[sw3-Vlanif103]int vlanif 203
[sw3-Vlanif203]ip add 10.20.3.3 24
[sw3]ospf 1 router-id 3.3.3.3
[sw3-ospf-1]a 0
[sw3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[sw4]vlan batch 104 204
[sw4]int g0/0/1
[sw4-GigabitEthernet0/0/1]po li a
[sw4-GigabitEthernet0/0/1]po de v 204
[sw4-GigabitEthernet0/0/1]undo stp enable
[sw4]int g0/0/2
[sw4-GigabitEthernet0/0/2]po li a
[sw4-GigabitEthernet0/0/2]po de v 104
[sw4-GigabitEthernet0/0/2]undo stp enable
[sw4]int Vlanif 104
[sw4-Vlanif104]ip add 10.10.4.4 24
[sw4-Vlanif104]int vlanif 204
[sw4-Vlanif204]ip add 10.20.4.4 24
[sw4]ospf 1 router-id 4.4.4.4
[sw4-ospf-1]a 0
[sw4-ospf-1-area-0.0.0.0]netw 10.10.4.4 0.0.0.0
[sw4-ospf-1-area-0.0.0.0]netw 10.20.4.4 0.0.0.0
[sw4-ospf-1-area-0.0.0.0]netw 192.168.2.2 0.0.0.0
[sw4-ospf-1-area-0.0.0.0]netw 192.168.3.2 0.0.0.0
Silent interfaces---keep SW3 and SW4 from forming an OSPF adjacency with each other
[sw3]ospf 1
[sw3-ospf-1]silent-interface Vlanif 2
[sw3-ospf-1]silent-interface Vlanif 3
[sw4]ospf 1
[sw4-ospf-1]silent-interface Vlanif 2
[sw4-ospf-1]silent-interface Vlanif 3
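Because SW1 and SW2 each need to be split into two devices that connect to the upstream and downstream devices respectively, first create the VRF. Interfaces 3, 4, 5 and 6 belong to the VRF;
interfaces 1 and 2 belong to Public.
VRF configuration:
Name: VRF
RD: 100:1
RT: 100:1
[sw1]IP vpn-instance VRF ---create the VRF
[sw1-vpn-instance-VRF]route-distinguisher 100:1 ---set the RD value
[sw1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both ---set the RT value
[sw2]IP vpn-instance VRF ---create the VRF
[sw2-vpn-instance-VRF]route-distinguisher 100:1 ---set the RD value
[sw2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both ---set the RT value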
[sw1]vlan batch 102 103 104
[sw1]int g0/0/5
[sw1-GigabitEthernet0/0/5]po li a
[sw1-GigabitEthernet0/0/5]po de v 103
[sw1-GigabitEthernet0/0/5]undo stp enable
[sw1-GigabitEthernet0/0/5]int g0/0/4
[sw1-GigabitEthernet0/0/4]po li t
[sw1-GigabitEthernet0/0/4]undo po t all v 1
[sw1-GigabitEthernet0/0/4]po t all v 102
[sw1-GigabitEthernet0/0/4]undo stp enable
[sw1-GigabitEthernet0/0/4]int g0/0/6
[sw1-GigabitEthernet0/0/6]po li a
[sw1-GigabitEthernet0/0/6]po de vlan 104
[sw1-GigabitEthernet0/0/6]undo stp enable
Interface configuration
[sw1]interface Vlanif 102
[sw1-Vlanif102]ip binding vpn-instance VRF ---assign the interface to the virtual switch named VRF; do this before any other configuration on the interface
[sw1-Vlanif102]ip add 10.10.2.1 24
[sw1-Vlanif102]int vlanif 103
[sw1-Vlanif103]ip binding vpn-instance VRF
[sw1-Vlanif103]ip add 10.10.3.1 24
[sw1-Vlanif103]int v 104
[sw1-Vlanif104]ip binding vpn-instance VRF
[sw1-Vlanif104]ip add 10.10.4.1 24
[sw2]vlan batch 102 203 204
[sw2]int g0/0/5
[sw2-GigabitEthernet0/0/5]po li a
[sw2-GigabitEthernet0/0/5]po de v 204
[sw2-GigabitEthernet0/0/5]undo stp enable
[sw2-GigabitEthernet0/0/5]int g0/0/6
[sw2-GigabitEthernet0/0/6]po li a
[sw2-GigabitEthernet0/0/6]po de v 203
[sw2-GigabitEthernet0/0/6]undo stp enable
[sw2-GigabitEthernet0/0/6]int g0/0/4
[sw2-GigabitEthernet0/0/4]po li t
[sw2-GigabitEthernet0/0/4]po t all vlan 102
[sw2-GigabitEthernet0/0/4]undo po t all v 1
[sw2-GigabitEthernet0/0/4]undo stp enable
Interface configuration
[sw2]int v 102
[sw2-Vlanif102]ip binding vpn-instance VRF
[sw2-Vlanif102]ip add 10.10.2.2 24
[sw2-Vlanif102]int v 203
[sw2-Vlanif203]ip binding vpn-instance VRF
[sw2-Vlanif203]IP ADD 10.20.3.2 24
[sw2-Vlanif203]INT v 204
[sw2-Vlanif204]ip binding vpn-instance VRF
[sw2-Vlanif204]ip add 10.20.4.2 24
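Test
[sw1]ping -vpn-instance VRF 10.10.2.1
Because a VPN instance and the physical device are completely independent of each other, their routing tables, MAC address tables and other information are also independent and do not interfere with each other. Commands therefore have to carry the vpn-instance parameter so that the device knows which table to use.
OSPF configuration
[sw1]ospf 1 router-id 1.1.1.1 vpn-instance VRF ---indicates that, in the instance named VPN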
[sw1-ospf-1]a 0
[sw1-ospf-1-area-0.0.0.0]net 10.10.2.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net 10.10.3.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net 10.10.4.1 0.0.0.0
[sw2]ospf 1 router-id 2.2.2.2 vpn-instance VRF
[sw2-ospf-1]a 0
[sw2-ospf-1-area-0.0.0.0]net 10.10.2.2 0.0.0.0
[sw2-ospf-1-area-0.0.0.0]net 10.20.3.2 0.0.0.0
[sw2-ospf-1-area-0.0.0.0]net 10.20.4.2 0.0.0.0
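At this point the return traffic uses equal-cost routes and is load-balanced, which does not meet the requirement that the forward and return paths be identical. The routing therefore has to be influenced, using a routing policy.
SW3:
Primary traffic is sent to SW1, backup to SW2
SW4:
Primary traffic is sent to SW1, backup to SW2
SW1:
192.168.2.0/24 ---> primarily sent to SW3, backup to SW4
192.168.3.0/24 ---> primarily sent to SW4, backup to SW3
SW2:
192.168.2.0/24 ---> primarily sent to SW3, backup to SW4
192.168.3.0/24 ---> primarily sent to SW4, backup to SW3
On SW3 and SW4 it is enough to change the interface cost values, so that SW3 prefers routes learned from SW1 and SW4 prefers routes learned from SW2.
[sw3]int v 203
[sw3-Vlanif203]ospf cost 5 ---increase the cost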
[sw4]int v104
[sw4-Vlanif104]ospf cost 5
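SW3:
Increase the cost of the 192.168.3.0/24 route that SW3 advertises locally
The cost of the 192.168.2.0/24 route stays unchanged
The routing policy is applied through redistribution
When redistributing, do not import any other routes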
[sw3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0
[sw4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
[sw4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0
1. Match the prefixes
[sw3]ip ip-prefix aa permit 192.168.3.0 24
[sw3]ip ip-prefix bb permit 192.168.2.0 24
2. Build the policy
[sw3]route-policy aa permit node 10
[sw3-route-policy]if-match ip-prefix aa
[sw3-route-policy]apply cost 5
[sw3-route-policy]q
[sw3]route-policy aa permit node 20
[sw3-route-policy]if-match ip-prefix bb
3. Apply the policy
[sw3-ospf-1]import-route direct route-policy aa
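SW4:
Increase the cost of the 192.168.2.0/24 route that SW4 advertises locally
The cost of the 192.168.3.0/24 route stays unchanged
The routing policy is applied through redistribution
When redistributing, do not import any other routes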
[sw4]ip ip-prefix aa permit 192.168.2.0 24
[sw4]ip ip-prefix bb permit 192.168.3.0 24
[sw4]route-policy aa permit node 10
[sw4-route-policy]if-match ip-prefix aa
[sw4-route-policy]apply cost 5
[sw4-route-policy]q
[sw4]route-policy aa permit node 20
[sw4-route-policy]if-match ip-prefix bb
[sw4]ospf 1
[sw4-ospf-1]import-route direct route-policy aa
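The effect of route-policy aa on what SW1 and SW2 learn, as an added Python model that is not part of the original configuration. It assumes the VRP defaults for routes redistributed into OSPF (type-2 external, cost 1) and that a route matching no policy node is denied; the function names are illustrative.

```python
import ipaddress

DEFAULT_IMPORT_COST = 1  # assumption: VRP default cost for routes imported into OSPF

# route-policy aa per switch: (node, prefix matched by if-match, "apply cost" or None)
POLICY = {
    "sw3": [(10, "192.168.3.0/24", 5), (20, "192.168.2.0/24", None)],
    "sw4": [(10, "192.168.2.0/24", 5), (20, "192.168.3.0/24", None)],
}
# Direct routes of each switch, derived from the interface addresses on this page.
DIRECT = {
    "sw3": ["192.168.2.0/24", "192.168.3.0/24", "10.10.3.0/24", "10.20.3.0/24"],
    "sw4": ["192.168.2.0/24", "192.168.3.0/24", "10.10.4.0/24", "10.20.4.0/24"],
}

def imported(switch):
    """Run the switch's direct routes through route-policy aa.
    Returns {prefix: external cost} for the routes that get redistributed."""
    result = {}
    for route in DIRECT[switch]:
        net = ipaddress.ip_network(route)
        for _node, match, cost in sorted(POLICY[switch], key=lambda n: n[0]):
            # An ip-prefix entry without ge/le matches that exact prefix only.
            if net == ipaddress.ip_network(match):
                result[route] = DEFAULT_IMPORT_COST if cost is None else cost
                break  # the first matching permit node decides
        # No node matched: implicit deny, the route is not redistributed.
    return result

def preferred_exit(prefix):
    """Order in which a core switch prefers the advertising switches for `prefix`.
    Type-2 external routes are compared on the external cost first."""
    offers = [(imported(sw)[prefix], sw) for sw in POLICY if prefix in imported(sw)]
    return [sw for _cost, sw in sorted(offers)]

if __name__ == "__main__":
    for p in ("192.168.2.0/24", "192.168.3.0/24"):
        print(p, "->", preferred_exit(p))
```

The link networks (10.10.3.0/24 and so on) match neither node, so they are not redistributed, which is the "do not import any other routes" requirement above.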
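Route interaction between the VRF switches and the firewalls
The firewalls and the VRF switches each build their own VRRP groups; the two sets of groups are unrelated to each other but mirror each other.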
[sw1] vlan b 401 402
[sw1]int g0/0/3
[sw1-GigabitEthernet0/0/3]po li t
[sw1-GigabitEthernet0/0/3]po t all v 401 402
[sw1-GigabitEthernet0/0/3]int g 0/0/4
[sw1-GigabitEthernet0/0/4]po li t
[sw1-GigabitEthernet0/0/4]po t all v 401 402
[sw1]int Vlanif 401
[sw1-Vlanif401]ip binding vpn-instance VRF
[sw1-Vlanif401]ip add 10.40.1.1 24
[sw1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[sw1-Vlanif401]vrrp vrid 1 priority 120
[sw1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[sw1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/3 reduced 30
[sw1]int v 402
[sw1-Vlanif402]ip binding vpn-instance VRF
[sw1-Vlanif402]ip add 10.40.2.1 24
[sw1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[sw2]vlan b 401 402
[sw2]int g0/0/3
[sw2-GigabitEthernet0/0/3]po li t
[sw2-GigabitEthernet0/0/3]po t all v 401 402
[sw2-GigabitEthernet0/0/3]q
[sw2]int g0/0/4
[sw2-GigabitEthernet0/0/4]po li t
[sw2-GigabitEthernet0/0/4]po t all v 401 402
[sw2]int Vlanif 401
[sw2-Vlanif401]ip b vpn-instance VRF
[sw2-Vlanif401]ip add 10.40.1.2 24
[sw2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[sw2]int v 402
[sw2-Vlanif402]ip binding vpn-instance VRF
[sw2-Vlanif402]ip add 10.40.2.2 24 ---address assumed by symmetry with 10.40.1.2; not given in the original
[sw2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[sw2-Vlanif402]vrrp vrid 2 priority 120
[sw2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[sw2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30
[FW1]vlan b 401 402 403 404
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.10.10.1 30
[FW1-GigabitEthernet1/0/2]int g1/0/2.401
[FW1-GigabitEthernet1/0/2.401]ip add 10.40.1.10 24
[FW1-GigabitEthernet1/0/2.401]vlan-type dot1q 401
[FW1-GigabitEthernet1/0/2.401]int g1/0/2.402
[FW1-GigabitEthernet1/0/2.402]ip add 10.40.2.10 24
[FW1-GigabitEthernet1/0/2.402]vlan-type dot1q 402
[FW1-GigabitEthernet1/0/2.402]int g1/0/3.403
[FW1-GigabitEthernet1/0/3.403]ip add 10.40.3.10 24
[FW1-GigabitEthernet1/0/3.403]vlan-type dot1q 403
[FW1-GigabitEthernet1/0/3.403]int g1/0/3.404
[FW1-GigabitEthernet1/0/3.404]ip add 10.40.4.10 24
[FW1-GigabitEthernet1/0/3.404]vlan-type dot1q 404
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/2.402
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/3.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/3.404
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/0
[FW1]int g1/0/2.401
[FW1-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 ac
[FW1-GigabitEthernet1/0/2.401]int g1/0/2.402
[FW1-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby
[FW1-GigabitEthernet1/0/2.402]int g1/0/3.403
[FW1-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 ac
[FW1-GigabitEthernet1/0/3.403]int g1/0/3.404
[FW1-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby
[FW1]hrp mirror session enable ---quick session backup
[FW1] hrp int g1/0/0 remote 10.10.10.2
[FW1] hrp ena
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70
[FW2]vlan batch 401 402 403 404
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.10.10.2 30
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip add 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]ip add 10.40.3.20 24
[FW2-GigabitEthernet1/0/1.403]vlan-type dot1q 403
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]ip add 10.40.4.20 24
[FW2-GigabitEthernet1/0/1.404]vlan-type dot1q 404
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.404
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active
[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70
[SW1]vlan batch 403 404
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW1]interface Vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track interface GigabitEthernet 0/0/3 reduced 30
[SW1]interface Vlanif 404
[SW1-Vlanif404]ip add 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2]vlan batch 403 404
[SW2]interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW2]interface Vlanif 403
[SW2-Vlanif403]ip address 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW2]interface Vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60
[SW2-Vlanif404]vrrp vrid 4 track interface GigabitEthernet 0/0/2 reduced 30
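How the `priority` and `track interface ... reduced` values above decide the VRRP master, for both the access-layer gateways (sw3/sw4) and the core groups (sw1/sw2), as an added Python model that is not part of the original configuration. It assumes the VRRP default priority of 100 for members without a `priority` command and reports the steady state only (preemption delays are not modelled); the names `Member`, `master` and `masters` are illustrative.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 100  # VRRP priority when "vrrp vrid N priority" is not configured

@dataclass
class Member:
    name: str
    priority: int = DEFAULT_PRIORITY
    tracks: dict = field(default_factory=dict)  # tracked interface -> "reduced" value

    def effective(self, down):
        """Configured priority minus the reduction of each tracked interface in `down`."""
        return self.priority - sum(r for i, r in self.tracks.items() if i in down)

def master(group, down=()):
    """Steady-state master: highest effective priority (no ties occur with these values).
    `down` holds "device:interface" strings for failed tracked links."""
    def score(m):
        failed = {d.split(":", 1)[1] for d in down if d.startswith(m.name + ":")}
        return m.effective(failed)
    return max(group, key=score).name

# Values copied from the VRRP commands on this page.
UPLINKS = {"GE0/0/1": 15, "GE0/0/2": 15}
GROUPS = {
    "Vlanif2 vrid 1": [Member("sw3", 120, UPLINKS), Member("sw4")],
    "Vlanif3 vrid 1": [Member("sw3"), Member("sw4", 120, UPLINKS)],
    "Vlanif401 vrid 1": [Member("sw1", 120, {"GE0/0/3": 30}), Member("sw2")],
    "Vlanif402 vrid 2": [Member("sw1"), Member("sw2", 120, {"GE0/0/3": 30})],
    "Vlanif403 vrid 3": [Member("sw1", 120, {"GE0/0/3": 30}), Member("sw2")],
    "Vlanif404 vrid 4": [Member("sw1"), Member("sw2", 120, {"GE0/0/2": 30})],
}

def masters(down=()):
    """Map every VRRP group to its master for a given set of failed links."""
    return {name: master(group, down) for name, group in GROUPS.items()}

if __name__ == "__main__":
    cases = [(), ("sw3:GE0/0/1",), ("sw3:GE0/0/1", "sw3:GE0/0/2"), ("sw1:GE0/0/3",)]
    for failed in cases:
        print(failed or "no failure", "->", masters(failed))
```

With `reduced 15` on each uplink, sw3 stays master for VLAN 2 after a single uplink failure (105 > 100) and yields only when both uplinks are down (90 < 100). On sw1, losing GigabitEthernet 0/0/3 moves the VRF-side and Public-side groups to sw2 together, which keeps both directions on the same side.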
R1
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.11.1.2 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.2.1 24
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip add 12.0.0.1 24
[R1]ip route-static 0.0.0.0 0 12.0.0.100
[R1-ospf-1]default-route-advertise
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000
R2
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.22.2.2 24
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.12.2.2 24
[R2]ospf 1 router-id 4.4.4.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.22.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.12.2.2 0.0.0.0
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[R2]ip route-static 0.0.0.0 0 13.0.0.100
[R2-ospf-1]default-route-advertise
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2]int g 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000
ISP
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.100 24
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.100 24
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip add 100.1.1.1 24
[SW1-ospf-2]import-route static
[SW2-ospf-2]import-route static
Test