Topology
The topology can be saved locally, and then enlarged to view, so that it can be seen more clearly. (Drag to a new window to open it)
User experience of dual ISP switching and VRRP switching
You can see the VRRP status of core A and B, and now VLAN 20 is Core-B as the Master.
Question: When the link between the core switch B and the firewall fails, what are the consequences?
Analysis: When deploying VRRP before, we defined a track function, track uplink. When the uplink fails, the priority is automatically reduced by 10, that is, the priority becomes 95. In this case, Through VRRP negotiation, then A will become the Master. In this way, the normal forwarding of traffic can be guaranteed, including from the entire internal network and external network.
test
Now keep Ping, and then check the session information of the firewall. The large delay here is that the normal firewall and PC are both virtual machines, and the real machine only has a switch.
You can see that all Core-A has become Master.
It can be seen that a few packets were lost, and then they started to forward normally. In practice, the convergence is faster, and it can also cooperate with BFD and other functions.
Now we are still using the Unicom link,
Test the link failure of China Unicom
You can see that the link has failed and the ip-link has failed.
It can be seen that this speed switch is very fast, only one packet is lost, and the stateful information immediately becomes an outlet for telecommunications.
The flow of the entire data packet
1. Under normal circumstances, the PC passes through the high-level personnel switch, and then forwards the traffic with Core-B to Core-B [This process is determined by STP, because the root of VLAN 20 is on Core-B, so take this link 】
2. The core switch B sends the data packet from the uplink link to the firewall.
3. The firewall directly sent to China Unicom ISP through the judgment of policy routing.
When there is a failure.
1. Under normal circumstances, the PC passes through the high-level personnel switch, and then forwards the traffic with Core-B to Core-B [This process is determined by STP, because the root of VLAN 20 is on Core-B, so take this link Although the uplink is down, STP will not be affected]
2. The core switch B sends the data packet from the link with the core A switch to the core switch A, because the uplink detected by the core switch appears at this time Because of the failure, it is no longer the master of VRRP, but core A is, so it must be handed over to core A for processing.
3. The core switch A delivers the data packet to the egress firewall.
3. The firewall directly sends the data packet to China Unicom ISP through the judgment of policy routing.
4. If an ISP link of the firewall fails, causing the ip-link to fail, the corresponding policy routing will also fail, and the normal default route will be used.
Analysis: Here you can see how important it is to bundle the two lines between the core switches. It usually acts as a heartbeat line and also acts as a forwarding role for inter-VLAN traffic. Now when some links fail, it also forwards access. Internet traffic.
This article was first published on the public account: Network Road Blog