Lab: active/standby networking on stacked H3C firewalls using Ethernet redundant interfaces (Reth) and a redundancy group

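Topology: switches simulate the upstream and downstream links, and the F1060 firewalls in the middle are stacked (so far I have only seen H3C security devices that can be stacked; routers can too, everything can be stacked). A redundancy group is configured on the firewalls for active/standby operation. Under normal conditions F1060_1 forwards the traffic; when a link fails, F1060_2 takes over forwarding.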

Firewall configuration:

#
 sysname FW-A_B
# IRF stacking configuration
 irf domain 10
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 32
 irf member 2 priority 1
# Track the uplink and downlink interfaces: track 1 and 3 are the uplinks, track 2 and 4 are the downlinks
track 1 interface GigabitEthernet1/0/1 physical
#
track 2 interface GigabitEthernet1/0/2 physical
#
track 3 interface GigabitEthernet2/0/1 physical
#
track 4 interface GigabitEthernet2/0/2 physical
# IRF stacking configuration (IRF port bindings)
irf-port 1/2
 port group interface GigabitEthernet1/0/22
 port group interface GigabitEthernet1/0/23
#
irf-port 2/1
 port group interface GigabitEthernet2/0/22
 port group interface GigabitEthernet2/0/23
# Ethernet redundant interface for the uplink
interface Reth1
 description uT:UP-LINK
 member interface GigabitEthernet1/0/1 priority 255
 member interface GigabitEthernet2/0/1 priority 200
# Ethernet redundant interface for the downlink
interface Reth2
 description dT:Down-Link
 member interface GigabitEthernet1/0/2 priority 255
 member interface GigabitEthernet2/0/2 priority 200
# BFD MAD configuration, to guard against a stack split
interface Route-Aggregation64
 mad bfd enable
 mad ip address 1.1.1.1 255.255.255.252 member 1
 mad ip address 1.1.1.2 255.255.255.252 member 2
#
interface GigabitEthernet1/0/20
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet1/0/21
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet2/0/20
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet2/0/21
 port link-mode route
 combo enable copper
 port link-aggregation group 64
# Redundancy group configuration: node 1 is the primary device, node 2 is the standby device
redundancy group 1
 member interface Reth1
 member interface Reth2
 node 1
  bind slot 1
  priority 255
  track 1 interface GigabitEthernet1/0/1
  track 2 interface GigabitEthernet1/0/2
 node 2
  bind slot 2
  priority 200
  track 3 interface GigabitEthernet2/0/1
  track 4 interface GigabitEthernet2/0/2
#
return
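
An added example, not part of the original post: a Python check that each redundancy group node tracks exactly the Reth member interfaces on the slot it is bound to, and that every track ID used in a node matches its global definition. The function names `check` and `slot_of` are hypothetical, and the embedded excerpt is constructed from the configuration above.

```python
import re

# Constructed input: the track, Reth and redundancy-group lines from the configuration above.
CONFIG = """
track 1 interface GigabitEthernet1/0/1 physical
track 2 interface GigabitEthernet1/0/2 physical
track 3 interface GigabitEthernet2/0/1 physical
track 4 interface GigabitEthernet2/0/2 physical
interface Reth1
 member interface GigabitEthernet1/0/1 priority 255
 member interface GigabitEthernet2/0/1 priority 200
interface Reth2
 member interface GigabitEthernet1/0/2 priority 255
 member interface GigabitEthernet2/0/2 priority 200
redundancy group 1
 node 1
  bind slot 1
  track 1 interface GigabitEthernet1/0/1
  track 2 interface GigabitEthernet1/0/2
 node 2
  bind slot 2
  track 3 interface GigabitEthernet2/0/1
  track 4 interface GigabitEthernet2/0/2
"""

def slot_of(ifname):
    return int(re.search(r"(\d+)/\d+/\d+$", ifname)[1])  # first field = IRF member/slot

def check(config):
    """Return a list of problems; an empty list means tracks match the Reth members per node."""
    tracks, members, nodes, node, problems = {}, [], {}, None, []
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"track (\d+) interface (\S+) physical", line):
            tracks[m[1]] = m[2]                       # global track entry
        elif m := re.fullmatch(r"member interface (\S+) priority \d+", line):
            members.append(m[1])                      # physical member of a Reth
        elif m := re.fullmatch(r"node (\d+)", line):
            node = nodes.setdefault(m[1], {"slot": None, "tracked": set()})
        elif node and (m := re.fullmatch(r"bind slot (\d+)", line)):
            node["slot"] = int(m[1])
        elif node and (m := re.fullmatch(r"track (\d+) interface (\S+)", line)):
            node["tracked"].add(m[2])
            if tracks.get(m[1]) != m[2]:
                problems.append(f"track {m[1]} is not defined on {m[2]}")
    for n, info in nodes.items():
        for ifname in members:
            own = slot_of(ifname) == info["slot"]
            if own != (ifname in info["tracked"]):
                problems.append(f"node {n}: {ifname} {'is not' if own else 'is'} tracked")
    return problems
```

Run `check()` on the relevant lines of a saved configuration before a failover test; it assumes the track entries appear before the redundancy group, as they do in the configuration above.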

Lab procedure: break any link on the primary device; here this is done by shutting down the interface on the switch.

State of the Ethernet redundant interfaces before the link is broken
Redundancy group state

Now shut down interface GE1/0/1 on the upstream switch and observe the state of the redundant interfaces and the redundancy group.

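Traffic has now switched to the standby device.
In the redundancy group, the failed track entry reduced the weight by 255, so a switchover occurred.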

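Summary: H3C redundancy groups have preemption enabled by default. On a chassis-based device you also need to track the Blade interfaces to monitor the working state of the service boards and CPUs, so that a switchover happens as soon as a fault occurs. The default H3C preemption delay is 1 min: after the link recovers, traffic automatically switches back to the primary device 1 min later.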

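Note: H3C's HCL simulator has bugs. Running BFD MAD detection over a VLAN on the firewall causes the device to hang, and Reth interfaces do not communicate properly and cannot be pinged.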
