热备份+nat+vrrp和端口跟踪.doc

热备份加nat转换及端口跟踪实验环境：一台防火墙，两台pc机，两台路由器，两台交换机（连接外网的可以使防火墙可以使路由器）配置防火墙：r1fire packet default permitr1firewall zone trustr1-zone-trustadd inter e0/0r1-zone-trustadd inter e0/1r1-zone-trustadd inter e0/2r1-zone-trustinter eth0/0r1-Ethernet0/0ip address 192.168.5.1 255.255.255.0r1-Ethernet0/0inter eth0/1 r1-Ethernet0/1ip address 192.168.4.1 255.255.255.0r1-zone-trustinter eth0/2 r1-Ethernet0/2ip address 192.168.3.1 255.255.255.0r1-Ethernet0/2loopback配置r2：r2-Ethernet0inter e1r2-Ethernet1ip address 192.168.4.2 255.255.255.0r2-Ethernet0inter e0.10r2-Ethernet0.10vlan-type dot1q vid 10r2-Ethernet0.10ip address 192.168.10.1 255.255.255.0r2-Ethernet0.10inter e0.20r2-Ethernet0.20vlan-type dot1q vid 20r2-Ethernet0.20ip address 192.168.20.1 255.255.255.0配置静态路由：r2ip route 0.0.0.0 0.0.0.0 192.168.4.1R2做nat转换：r2acl 2000r2-acl-2000rule permit source anyr2inter e1r2-Ethernet1nat outbound 2000 interface配置r3：r3ip route 0.0.0.0 0.0.0.0 192.168.5.1r3inter e0r3-Ethernet0ip address 192.168.5.2 255.255.255.0r3-Ethernet0%01:20:09: Line protocol ip on the interface Ethernet0 is UPr3-Ethernet0undo shutr3inter eth1.10r3-Ethernet1.10vlan-type do1q vid 10 Incorrect commandr3-Ethernet1.10vlan-type dot1q vid 10r3-Ethernet1.10ip address 192.168.10.2 255.255.255.0r3-Ethernet1.10inter eth0.20r3-Ethernet1.20vlan-type dot1q vid 20r3-Ethernet1.20ip address 192.168.20.2 255.255.255.0Nat转换：r3acl 2000r3-acl-2000rule permit source any Rule has been added to normal packet-filtering rulesr3-acl-2000inter e0r3-Ethernet0nat outbound 2000 interfaceSw1配置：sw1vlan 10sw1-vlan10port e0/10sw1-vlan10vlan 20sw1-vlan20port e0/20sw1inter e0/1sw1-Ethernet0/1port link-type trunksw1-Ethernet0/1port trunk permit vlan all Please wait. Done.sw1-Ethernet0/5port link-type trunk sw1-Ethernet0/5port trunk permit vlan all Please wait. Done.Sw2配置：sw2vlan 10sw2-vlan10port e0/10sw2-vlan10vlan 20sw2-vlan20port e0/20sw2inter e0/1sw2-Ethernet0/1port link-type trunksw2-Ethernet0/1port trunk permit vlan all Please wait. Done.sw2-Ethernet0/5port link-type trunk sw2-Ethernet0/5port trunk permit vlan all Please wait. Done.用pc机（vlan10192.168.10.100）测试：C:UsersAdministratorping 192.168.10.1正在 Ping 192.168.10.1 具有 32 字节的数据:来自 192.168.10.1 的回复: 字节=32 时间1ms TTL=255来自 192.168.10.1 的回复: 字节=32 时间1ms TTL=255来自 192.168.10.1 的回复: 字节=32 时间1ms TTL=255来自 192.168.10.1 的回复: 字节=32 时间ping 192.168.3.1正在 Ping 192.168.3.1 具有 32 字节的数据:来自 192.168.3.1 的回复: 字节=32 时间=2ms TTL=254来自 192.168.3.1 的回复: 字节=32 时间=2ms TTL=254来自 192.168.3.1 的回复: 字节=32 时间=2ms TTL=254来自 192.168.3.1 的回复: 字节=32 时间=3ms TTL=254192.168.3.1 的 Ping 统计信息: 数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，往返行程的估计时间(以毫秒为单位): 最短 = 2ms，最长 = 3ms，平均 = 2ms说明nat转换成功测试：C:Documents and Settings杨震宇ping 192.168.3.1Pinging 192.168.3.1 with 32 bytes of data:Reply from 192.168.3.1: bytes=32 time=2ms TTL=254Reply from 192.168.3.1: bytes=32 time=2ms TTL=254Reply from 192.168.3.1: bytes=32 time=3ms TTL=254Reply from 192.168.3.1: bytes=32 time=4ms TTL=254Ping statistics for 192.168.3.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds: Minimum = 2ms, Maximum = 4ms, Average = 2ms测试成功，说明nat转换成功。在进入r2：r2inter eth0.10r2-Ethernet0.10vrrp vrid 10 virtual-ip 192.168.10.254 （做虚拟路由）r2-Ethernet0.10inter eth0.20 r2-Ethernet0.20vrrp vrid 20 virtual-ip 192.168.20.254 （做虚拟路由）r2-Ethernet0.20inter eth0.10r2-Ethernet0.10vrrp vrid 10 priority 120 (设置优先级为120)r2-Ethernet0.10vrrp vrid 10 preempt （设置抢占）r2-Ethernet0.10vrrp vrid 10 track eth0.10 reduced 30 （设置为一旦被抢占优先级自动减30）r2-Ethernet0.10inter e0.20r2-Ethernet0.20vrrp vrid 20 preempt（设置抢占进入r3：r3inter e1.10r3-Ethernet1.10vrrp vrid 10 virtual 192.168.10.254（做虚拟路由）r3-Ethernet1.10inter e0%02:29:07: Interface Ethernet1 is DOWN.20r3-Ethernet1.20inter e0.20r3-Ethernet1.20%02:29:12: Interface Ethernet1 is UP r3-Ethernet1.20vrrp vrid 20 priority 120 (设置优先级为120) r3-Ethernet1.20vrrp vrid 20 virtual 192.168.20.254（做虚拟路由）r3-Ethernet1.20vrrp vrid 20 preempt（设置抢占）r3-Ethernet1.20vrrp vrid 20 track e1.20 reduced 30（设置为一旦被抢占优先级自动减30）r3-Ethernet1.20inter e1.10r3-Ethernet1.10vrrp vrid 10 preempt（设置抢占R3上显示vrrp：r3dis vrrp Ethernet1.20 | Virtual Router 20 state : Master Virtual IP : 192.168.20.254 Priority : 120 Preempt : YES Delay Time : 0 Timer : 1 Auth Type : NO Track IF : Ethernet1.20 Priority reduced : 30 Ethernet1.10 | Virtual Router 10 state : Backup Virtual IP : 192.168.10.254 Priority : 100 Preempt : YES Delay Time : 0 Timer : 1 Auth Type : NOR2上显示vrrp：r2dis vrrp Ethernet0.10 | Virtual Router 10 state : Master Virtual IP : 192.168.10.254 Priority : 120 Preempt : YES Delay Time : 0 Timer : 1 Auth Type : NO Track IF : Ethernet0.10 Priority reduced : 10 Ethernet0.20 | Virtual Router 20 state : Backup Virtual IP : 192.168.20.254 Priority : 100 Preempt : YES Delay Time : 0 Timer : 1 Auth Type : NOVlan10（192.168.10.100）访问192.168.20.100C:UsersAdministratortracert 192.168.20.100通过最多 30 个跃点跟踪到 杨震宇 192.168.20.100 的路由: 1 1 ms 1 ms 1 毫秒 192.168.10.1 2 1 毫秒 1 毫秒 tracert 192.168.20.100通过最多 30 个跃点跟踪到 杨震宇 192.168.20.100 的路由: 1 1 毫秒 1 毫秒 1 毫秒 192.168.10.2 2 1 毫秒 1 毫秒 tracert 192.168.10.100Tracing route to 192.168.10.100 over a maximum of 30 hops 1 2 ms 1 ms 1 ms 192.168.20.2 2 1 ms tracert 192.168.10.100Tracing route to 192.168.10.100 over a maximum of 30 hops 1 1 ms 1 ms 1 ms 192.168.20.1 2 1 ms 1 ms 1 ms 192.168.10.100Trace complete.在测试r3vrrp：r3-Ethernet1dis vrrp Ethernet1.20 | Virtual Router 20 state : Initialize （因为是关闭e1所以这样显示） Virtual IP : 19