VRRP and STP on VyOS

It had been a while, so I went back to studying networking basics with VyOS. This is the topology I built.

[Network diagram]

Here is the Vagrantfile.

# Two VyOS routers, three VyOS switches and two Debian hosts, wired together
# with VirtualBox internal networks. NIC 1 is Vagrant's NAT adapter, so the
# private networks land on NIC 2 onwards; promiscuous mode has to be allowed
# on those NICs, otherwise VirtualBox drops the bridged and VRRP traffic
# exchanged between the VMs.
Vagrant.configure("2") do |config|
  config.vm.box = "vyos/current"

  config.vm.define :router1 do |rt|
    rt.vm.hostname = "router1"
    rt.vm.network :private_network, virtualbox__intnet: "peering"
    rt.vm.network :private_network, virtualbox__intnet: "rt1-sw1"

    rt.vm.provider :virtualbox do |vb|
      # private_network i is NIC i+1, hence --nicpromisc#{i+1}
      (1..rt.vm.networks.count).each do |i|
        vb.customize ["modifyvm", :id, "--nicpromisc#{i+1}", "allow-vms"]
      end
    end
  end
  config.vm.define :router2 do |rt|
    rt.vm.hostname = "router2"
    rt.vm.network :private_network, virtualbox__intnet: "peering"
    rt.vm.network :private_network, virtualbox__intnet: "rt2-sw2"

    rt.vm.provider :virtualbox do |vb|
      (1..rt.vm.networks.count).each do |i|
        vb.customize ["modifyvm", :id, "--nicpromisc#{i+1}", "allow-vms"]
      end
    end
  end

  # The three switches form a triangle (sw1-sw2, sw2-sw3, sw3-sw1), i.e. an L2 loop.
  config.vm.define :sw1 do |sw|
    sw.vm.hostname = "sw1"
    sw.vm.network :private_network, virtualbox__intnet: "rt1-sw1"
    sw.vm.network :private_network, virtualbox__intnet: "sw3-sw1"
    sw.vm.network :private_network, virtualbox__intnet: "sw1-sw2"
    sw.vm.provider :virtualbox do |vb|
      (1..sw.vm.networks.count).each do |i|
        vb.customize ["modifyvm", :id, "--nicpromisc#{i+1}", "allow-vms"]
      end
    end
  end
  config.vm.define :sw2 do |sw|
    sw.vm.hostname = "sw2"
    sw.vm.network :private_network, virtualbox__intnet: "rt2-sw2"
    sw.vm.network :private_network, virtualbox__intnet: "sw2-sw3"
    sw.vm.network :private_network, virtualbox__intnet: "sw1-sw2"
    sw.vm.provider :virtualbox do |vb|
      (1..sw.vm.networks.count).each do |i|
        vb.customize ["modifyvm", :id, "--nicpromisc#{i+1}", "allow-vms"]
      end
    end
  end
  config.vm.define :sw3 do |sw|
    sw.vm.hostname = "sw3"
    sw.vm.network :private_network, virtualbox__intnet: "sw3-sw1"
    sw.vm.network :private_network, virtualbox__intnet: "sw2-sw3"
    sw.vm.network :private_network, virtualbox__intnet: "dmz"
    sw.vm.provider :virtualbox do |vb|
      (1..sw.vm.networks.count).each do |i|
        vb.customize ["modifyvm", :id, "--nicpromisc#{i+1}", "allow-vms"]
      end
    end
  end

  # Plain Debian hosts, one on each side, used to test reachability.
  config.vm.define :deb0 do |deb|
    deb.vm.box = "debian/bullseye64"
    deb.vm.hostname = "deb0"
    deb.vm.network :private_network, ip: "10.1.10.10", virtualbox__intnet: "dmz"
  end
  config.vm.define :deb1 do |deb|
    deb.vm.box = "debian/bullseye64"
    deb.vm.hostname = "deb1"
    deb.vm.network :private_network, ip: "10.2.10.10", virtualbox__intnet: "peering"
  end
end

Trying VRRP

I used VRRP virtual IPs to make the routes redundant, and tied the WAN side and the LAN side together with a sync-group. With the sync-group, a NIC failure or link loss makes both groups fail over together, so the path is never lost. Without a sync-group only the affected segment's VIP would move, and packets coming from the segment that did not fail over would no longer get through.

Configuration

configure
set interfaces ethernet eth1
set interfaces ethernet eth2
set interfaces ethernet eth1 address 10.2.10.2/24
set interfaces ethernet eth2 address 10.1.10.3/24

set high-availability vrrp group Peering vrid 10
set high-availability vrrp group Peering interface eth1
set high-availability vrrp group Peering address 10.2.10.1/24

set high-availability vrrp group DMZ
set high-availability vrrp group DMZ vrid 20
set high-availability vrrp group DMZ interface eth2
set high-availability vrrp group DMZ address 10.1.10.1/24

set high-availability vrrp sync-group MAIN member DMZ
set high-availability vrrp sync-group MAIN member Peering
commit
save

configure
set interfaces ethernet eth1
set interfaces ethernet eth2
set interfaces ethernet eth1 address 10.2.10.3/24
set interfaces ethernet eth2 address 10.1.10.6/24

set high-availability vrrp group Peering vrid 10
set high-availability vrrp group Peering interface eth1
set high-availability vrrp group Peering address 10.2.10.1/24
set high-availability vrrp group Peering priority 99

set high-availability vrrp group DMZ
set high-availability vrrp group DMZ vrid 20
set high-availability vrrp group DMZ interface eth2
set high-availability vrrp group DMZ address 10.1.10.1/24

set high-availability vrrp sync-group MAIN member DMZ
set high-availability vrrp sync-group MAIN member Peering
commit

set high-availability vrrp group Peering priority 200
commit
save
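To make the sync-group argument above concrete, here is a small model of VRRP master election with and without a sync-group. It is an added example written for this post, not VyOS or keepalived code: the two routers, the two groups ("Peering" on eth1, "DMZ" on eth2) and the sync-group come from the configuration above, while the priorities (router1 100/100, router2 99/99), the router names used as tie-breakers and the failure being injected are constructed for the illustration.

```python
"""Toy model of VRRP master election with and without a sync-group.

Added example for this post; it is not VyOS or keepalived code. It models the
two routers and two groups from the configuration above ("Peering" on eth1,
"DMZ" on eth2) with constructed priorities, and shows the failure mode the
post describes: without a sync-group a single link failure moves only one VIP.
"""
from dataclasses import dataclass, field

# Which interface each VRRP group lives on (taken from the post's config).
GROUP_IFACE = {"Peering": "eth1", "DMZ": "eth2"}


@dataclass
class Router:
    name: str
    priority: dict          # per-group VRRP priority (VyOS default is 100)
    links_up: set = field(default_factory=lambda: {"eth1", "eth2"})


def elect(routers, group):
    """Master for a single group: highest priority among routers whose
    interface for that group is up. Real VRRP breaks ties on the highest
    primary IP address; the router name stands in for that here."""
    candidates = [r for r in routers if GROUP_IFACE[group] in r.links_up]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.priority[group], r.name)).name


def masters(routers, sync_group):
    """Return {group: master-name}.

    Without a sync-group every group elects on its own. With one, a router
    whose member interface is down becomes ineligible for *all* member groups,
    so the VIPs always end up on the same router (the behaviour the post's
    `sync-group MAIN` provides). The model assumes each router uses the same
    priority on every member group."""
    if not sync_group:
        return {g: elect(routers, g) for g in GROUP_IFACE}
    healthy = [r for r in routers if set(GROUP_IFACE.values()) <= r.links_up]
    if not healthy:
        return {g: None for g in GROUP_IFACE}
    best = max(healthy,
               key=lambda r: (tuple(r.priority[g] for g in GROUP_IFACE), r.name))
    return {g: best.name for g in GROUP_IFACE}


def path_ok(routers, mastership, src_group, dst_group):
    """A packet sent to src_group's VIP is forwarded by that group's master
    and has to leave through that same router's dst_group interface."""
    master = mastership[src_group]
    if master is None:
        return False
    router = next(r for r in routers if r.name == master)
    return GROUP_IFACE[dst_group] in router.links_up


def scenario(sync_group):
    """Fail router1's Peering link (eth1), then check DMZ -> Peering traffic.
    Priorities are constructed: router1 100/100, router2 99/99."""
    r1 = Router("router1", {"Peering": 100, "DMZ": 100})
    r2 = Router("router2", {"Peering": 99, "DMZ": 99})
    r1.links_up.discard("eth1")
    mastership = masters([r1, r2], sync_group)
    return mastership, path_ok([r1, r2], mastership, "DMZ", "Peering")


if __name__ == "__main__":
    for sync in (False, True):
        who, ok = scenario(sync)
        print(f"sync-group={sync}: masters={who}, DMZ->Peering reachable={ok}")
```

Without the sync-group the DMZ VIP stays on router1 (it still has the higher priority and its eth2 is up) while the Peering VIP moves to router2, so anything the DMZ side sends toward the peering network arrives at a router whose peering link is dead. With the sync-group router1 is disqualified for both groups at once and both VIPs land on router2, which is exactly what the configuration above sets up with `sync-group MAIN`.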

Trying STP

When L2 switches form a loop you get a broadcast storm. To prevent that I enabled STP. On VyOS, enabling it was simply a matter of setting stp on the bridge interface. I came across articles that use show bridge br0 spanning-tree to check its status, but that command did not work on latest (1.4).

configure
set interfaces bridge br0
set interfaces bridge br0 address 10.1.10.3/24
set interfaces bridge br0 stp

set interfaces ethernet eth1
set interfaces ethernet eth2
set interfaces ethernet eth3
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface eth3
commit
save

configure
set interfaces bridge br0
set interfaces bridge br0 address 10.1.10.4/24
set interfaces bridge br0 stp

set interfaces ethernet eth1
set interfaces ethernet eth2
set interfaces ethernet eth3
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface eth3
commit
save

configure
set interfaces bridge br0
set interfaces bridge br0 address 10.1.10.5/24
set interfaces bridge br0 stp

set interfaces ethernet eth1
set interfaces ethernet eth2
set interfaces ethernet eth3
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface eth3
commit
save
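Since the status command the author tried is not available on 1.4, it helps to be able to predict what STP should have done on the sw1/sw2/sw3 triangle. The following is an added example written for this post, not VyOS code: a simplified 802.1D computation of the root bridge and port roles. The port-to-segment mapping follows the order of the private_network lines in the Vagrantfile above (assuming eth0 is the NAT adapter, so the first private network is eth1); the bridge priorities, MAC addresses and the 1 Gbit/s path cost are constructed assumptions.

```python
"""Simplified 802.1D spanning-tree computation for the sw1/sw2/sw3 triangle.

Added example for this post, not VyOS code. It reproduces the decisions the
three bridges make once `stp` is set on br0, so you can predict which port
ends up blocking before looking at the switches. Port names follow the order
of private_network lines in the post's Vagrantfile (eth0 is the NAT adapter);
bridge priorities and MAC addresses are constructed.
"""
import heapq

# Bridge ID = (priority, MAC); the numerically lowest ID becomes the root.
BRIDGES = {
    "sw1": (32768, "02:00:00:00:00:01"),
    "sw2": (32768, "02:00:00:00:00:02"),
    "sw3": (32768, "02:00:00:00:00:03"),
}

# Each inter-switch segment as (bridge, port) -> (bridge, port).
LINKS = {
    ("sw1", "eth2"): ("sw3", "eth1"),   # intnet sw3-sw1
    ("sw1", "eth3"): ("sw2", "eth3"),   # intnet sw1-sw2
    ("sw2", "eth2"): ("sw3", "eth2"),   # intnet sw2-sw3
}

LINK_COST = 4   # 802.1D-1998 path cost of a 1 Gbit/s link; all links equal here


def neighbors(bridge):
    """Yield (local_port, remote_bridge, remote_port) for every link of a bridge."""
    for (b1, p1), (b2, p2) in LINKS.items():
        if b1 == bridge:
            yield p1, b2, p2
        elif b2 == bridge:
            yield p2, b1, p1


def root_bridge():
    return min(BRIDGES, key=BRIDGES.get)


def root_path_costs(root):
    """Cheapest cost from every bridge to the root (Dijkstra; written
    generally even though every link costs the same in this topology)."""
    cost = {root: 0}
    todo = [(0, root)]
    while todo:
        c, b = heapq.heappop(todo)
        if c > cost[b]:
            continue
        for _, nb, _ in neighbors(b):
            if c + LINK_COST < cost.get(nb, float("inf")):
                cost[nb] = c + LINK_COST
                heapq.heappush(todo, (cost[nb], nb))
    return cost


def port_roles():
    """Return {(bridge, port): 'root' | 'designated' | 'blocking'}."""
    root = root_bridge()
    cost = root_path_costs(root)
    roles = {}
    # Root port of each non-root bridge: lowest (cost via neighbour,
    # neighbour bridge ID, neighbour port), the 802.1D tie-break order.
    for b in BRIDGES:
        if b == root:
            continue
        local, _, _ = min(neighbors(b),
                          key=lambda n: (cost[n[1]] + LINK_COST, BRIDGES[n[1]], n[2]))
        roles[(b, local)] = "root"
    # Designated port of each segment: the end whose bridge has the lower
    # (root path cost, bridge ID, port). The other end, unless it is a root
    # port, blocks; that blocked port is what breaks the loop.
    for (b1, p1), (b2, p2) in LINKS.items():
        ends = [(b1, p1), (b2, p2)]
        best = min(ends, key=lambda e: (cost[e[0]], BRIDGES[e[0]], e[1]))
        roles.setdefault(best, "designated")
        for end in ends:
            roles.setdefault(end, "blocking")
    return roles


def blocking_ports():
    return sorted(p for p, role in port_roles().items() if role == "blocking")


if __name__ == "__main__":
    print("root bridge:", root_bridge())
    for port, role in sorted(port_roles().items()):
        print(f"{port[0]} {port[1]}: {role}")
```

With equal priorities the lowest MAC wins, so sw1 becomes root and both of its ports are designated; sw2 and sw3 each choose the port facing sw1 as their root port, and on the sw2-sw3 segment sw2's lower bridge ID makes its end designated, leaving sw3 eth2 as the single blocking port. That one blocked port is the whole point of the exercise: it is the port whose absence turned the triangle into a broadcast storm. If the bridges ever agreed on a different root (for example because one of them lost its link to sw1), the same computation shows which port would unblock.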