Scenario: an active/standby firewall pair hangs off the core switch (off-path attachment). Because some device gateways may end up sitting on the firewall, the interconnect subnets use a /29 mask and the firewalls run VRRP. If the gateway-on-firewall case is not needed, the interconnects could be narrowed to /30; note, however, that with both firewalls on the same VLAN as configured below, the switch address plus the two firewalls' real addresses already need three host addresses, more than a /30 provides, so /30 only works if each firewall gets its own VLAN to the switch. The firewall's two links to the core switch are the tenant-A side and the Internet side. Both sides run OSPF, and the core switch's Internet-side process advertises a default route, which is what steers traffic through the firewall.
Core switch configuration:
#
 sysname CSW
#
ip vpn-instance A
 route-distinguisher 1:1
 vpn-target 1:1 import-extcommunity
 vpn-target 1:1 export-extcommunity
#
ip vpn-instance Internet
 route-distinguisher 1:2
 vpn-target 1:2 import-extcommunity
 vpn-target 1:2 export-extcommunity
#
ospf 1 vpn-instance A
 area 0.0.0.0
  network 10.0.10.0 0.0.0.7
  network 10.0.11.100 0.0.0.0
#
ospf 2 vpn-instance Internet
 default-route-advertise always    // the default route that pulls tenant traffic through the firewall
 area 0.0.0.0
  network 10.0.11.0 0.0.0.7
#
vlan 10 to 11
#
interface Bridge-Aggregation1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 link-aggregation mode dynamic
 stp edged-port    // a link flap does not trigger STP recalculation and the port converges immediately; safe here because the firewall ports are routed (link-mode route) and send no BPDUs
#
interface Bridge-Aggregation2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 link-aggregation mode dynamic
 stp edged-port
#
interface LoopBack0
 ip binding vpn-instance A
 ip address 10.0.11.100 255.255.255.255
#
interface LoopBack1
 ip binding vpn-instance Internet
 ip address 100.0.11.100 255.255.255.255
#
interface Vlan-interface10
 ip binding vpn-instance A
 ip address 10.0.10.1 255.255.255.248
#
interface Vlan-interface11
 ip binding vpn-instance Internet
 ip address 10.0.11.1 255.255.255.248
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 2
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 2
#
return
Firewall configuration (FW-A, the primary; FW-B mirrors it with its own interface addresses, the standby VRRP role, swapped local-ip/remote-ip and device-role secondary):
#
 sysname FW-A
#
track 1 interface Route-Aggregation1    // track the interface facing the core switch; if the loss of a single aggregation member should also trigger a failover, track the member interfaces instead
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.10.0 0.0.0.7
  network 10.0.11.0 0.0.0.7
#
interface Route-Aggregation1
 link-aggregation mode dynamic
#
interface Route-Aggregation1.10
 ip address 10.0.10.3 255.255.255.248
 vrrp vrid 100 virtual-ip 10.0.10.2 active    // the gateway may sit on the firewall, so the VRRP virtual address steers client traffic to the primary device
 vlan-type dot1q vid 10
#
interface Route-Aggregation1.11
 ip address 10.0.11.3 255.255.255.248
 vrrp vrid 101 virtual-ip 10.0.11.2 active
 vlan-type dot1q vid 11
#
interface Route-Aggregation64
 ip address 1.1.1.1 255.255.255.252
 link-aggregation mode dynamic
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/22
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
security-zone name Local
#
security-zone name Trust
 import interface Route-Aggregation1.10
#
security-zone name Untrust
 import interface Route-Aggregation1.11
#
security-policy ip
 rule 0 name Trust_Untrust_Permit    // blanket Trust-to-Untrust permit for the lab; narrow it to the required services in production
  action pass
  source-zone Trust
  destination-zone Untrust
 rule 1 name Trust&Untrust_Local_OSPF    // OSPF and VRRP terminate on the firewall itself, so both directions to the Local zone must be allowed explicitly
  action pass
  source-zone Trust
  source-zone Untrust
  destination-zone local
  service ospf
 rule 2 name Local_Trust&Untrust_OSPF
  action pass
  source-zone Local
  destination-zone Untrust
  destination-zone Trust
  service ospf
 rule 4 name Local_Trust&Untrust_VRRP
  action pass
  source-zone Local
  destination-zone Trust
  destination-zone Untrust
  service vrrp
 rule 5 name Trust&Untrust_Local_VRRP
  action pass
  source-zone Untrust
  source-zone Trust
  destination-zone Local
  service vrrp
#
remote-backup group    // HA configuration using H3C's newer RBM method
 data-channel interface Route-Aggregation64    // interface used for HA synchronization
 delay-time 1    // preemption delay in minutes; by default there is no preemption
 adjust-cost ospf enable absolute 65535    // the secondary advertises its OSPF routes with an absolute cost of 65535 so the core switch always prefers the primary
 track 1    // bind track entry 1; when it goes down the roles switch
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary    // this device is the primary
#
return
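The secondary firewall's configuration is not shown on this page, but the RBM design only works if it is the exact mirror of the primary: same VRIDs and virtual addresses, distinct real addresses in the same subnet, `standby` where the primary says `active`, `local-ip`/`remote-ip` swapped, and one `primary` plus one `secondary` role. The script below is an added example, not code from the original post or from H3C: it parses Comware-style running configs (sections delimited by `#`, one command per line) and reports every one of those mismatches, and it also runs the address-plan arithmetic behind the /29 choice in the scenario description. `FW_A` is the primary config above cut down to the checked parts; `FW_B` and the `SWITCH_IPS` mapping are constructed from what the page implies and are assumptions.

```python
import ipaddress
import re

# FW_A is the post's primary config cut down to the parts checked here. FW_B is
# CONSTRUCTED (an assumption): the mirror image the post implies, with .4 real
# addresses, standby VRRP role, swapped local-ip/remote-ip and device-role secondary.
FW_A = """\
#
interface Route-Aggregation1.10
 ip address 10.0.10.3 255.255.255.248
 vrrp vrid 100 virtual-ip 10.0.10.2 active
#
interface Route-Aggregation1.11
 ip address 10.0.11.3 255.255.255.248
 vrrp vrid 101 virtual-ip 10.0.11.2 active
#
remote-backup group
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary
#
"""
FW_B = (FW_A.replace(".3 255.", ".4 255.").replace(" active", " standby")
        .replace("local-ip 1.1.1.1", "local-ip 1.1.1.2")
        .replace("remote-ip 1.1.1.2", "remote-ip 1.1.1.1")
        .replace("device-role primary", "device-role secondary"))
# Core switch VLAN-interface addresses from the post, keyed by firewall subinterface (assumed mapping).
SWITCH_IPS = {"Route-Aggregation1.10": ipaddress.ip_address("10.0.10.1"),
              "Route-Aggregation1.11": ipaddress.ip_address("10.0.11.1")}

def parse_sections(text):
    """Return {section header: [commands]}; lines consisting of '#' delimit sections."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "#":
            current = None
        elif line and current is None:
            current, sections[line] = line, []
        elif line:
            sections[current].append(line)
    return sections

def vrrp_interfaces(sections):
    """{interface: (real_ip, subnet, vrid, vip, role)} for every VRRP-enabled interface."""
    found = {}
    for header, cmds in sections.items():
        addr = vr = None
        for cmd in cmds:
            if m := re.match(r"ip address (\S+) (\S+)$", cmd):
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            if m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)(?: (active|standby))?", cmd):
                vr = (int(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3))
        if header.startswith("interface ") and addr and vr:
            found[header.split(" ", 1)[1]] = (addr.ip, addr.network) + vr
    return found

def rbm_settings(sections):
    """local-ip / remote-ip / device-role from the remote-backup group view."""
    parts = (c.split() for c in sections.get("remote-backup group", []))
    return {p[0]: p[1] for p in parts if len(p) > 1 and p[0] in ("local-ip", "remote-ip", "device-role")}

def usable_hosts(prefixlen):
    """IPv4 host addresses in a prefix, excluding network and broadcast."""
    return max(2 ** (32 - prefixlen) - 2, 0)

def check_pair(primary, secondary, switch_ips):
    """Return a list of findings; an empty list means the two configs form a consistent pair."""
    a, b = parse_sections(primary), parse_sections(secondary)
    ra, rb = rbm_settings(a), rbm_settings(b)
    va, vb = vrrp_interfaces(a), vrrp_interfaces(b)
    findings = []
    if {ra.get("device-role"), rb.get("device-role")} != {"primary", "secondary"}:
        findings.append("remote-backup group: need exactly one primary and one secondary")
    if (ra.get("local-ip"), ra.get("remote-ip")) != (rb.get("remote-ip"), rb.get("local-ip")):
        findings.append("remote-backup group: local-ip/remote-ip are not mirrored")
    for iface in sorted(set(va) | set(vb)):
        if iface not in va or iface not in vb:
            findings.append(f"{iface}: VRRP configured on only one device")
            continue
        ip_a, net_a, vrid_a, vip_a, role_a = va[iface]
        ip_b, net_b, vrid_b, vip_b, role_b = vb[iface]
        if (vrid_a, vip_a) != (vrid_b, vip_b):
            findings.append(f"{iface}: VRID/VIP differ between the two devices")
        if net_a != net_b:
            findings.append(f"{iface}: subnet mismatch {net_a} vs {net_b}")
        if ip_a == ip_b:
            findings.append(f"{iface}: both devices use real address {ip_a}")
        for role, dev in ((role_a, ra), (role_b, rb)):  # primary must say active, secondary standby
            if role != {"primary": "active", "secondary": "standby"}.get(dev.get("device-role")):
                findings.append(f"{iface}: VRRP role {role} does not match device-role {dev.get('device-role')}")
        # The /29 argument: switch address + VIP + both real addresses must all fit the subnet.
        needed = {ip_a, ip_b, vip_a} | ({switch_ips[iface]} if iface in switch_ips else set())
        if any(addr not in net_a for addr in needed):
            findings.append(f"{iface}: addresses outside {net_a}")
        if len(needed) > usable_hosts(net_a.prefixlen):
            findings.append(f"{iface}: {len(needed)} addresses do not fit a /{net_a.prefixlen}")
    return findings
```

Run `check_pair(FW_A, FW_B, SWITCH_IPS)` against the two `display current-configuration` dumps and an empty list means the pair is consistent. Rerunning it with both masks changed to 255.255.255.252 reports that the four addresses per VLAN do not fit a /30, which is the arithmetic behind the /29 choice. The VRRP role check matters because the `active`/`standby` keyword is what ties the VRRP group to the RBM role; a secondary left on `active` would answer for the virtual address alongside the primary.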
Test results:
Closing remarks: H3C firewall hot standby used to be built with IRF stacking plus Ethernet redundancy (Reth) groups; M9000-series firewalls additionally needed a backup group to set the primary/backup relationship of the engine boards, and NAT addresses across multiple service boards were a further problem. This write-up uses the HA (RBM) approach that H3C has recommended since, which is noticeably simpler to configure than stacking plus Reth.