H3C Firewall Side-Mounted HA Active/Standby Networking Lab

Scenario: the firewalls hang off the core switch (side-mounted) as an active/standby pair. Because some devices may have their gateway deployed on the firewall, the interconnect addresses use a /29 mask and the firewalls run VRRP. If a gateway on the firewall is not a consideration, the interconnect addresses can be changed to a /30 mask. The firewalls connect to the core switch in two directions: the tenant A direction and the Internet direction. Both sides run OSPF, and the core switch advertises a default route on the Internet side to steer traffic forwarding.

Core switch configuration:

#
 sysname CSW
#
ip vpn-instance A
 route-distinguisher 1:1
 vpn-target 1:1 import-extcommunity
 vpn-target 1:1 export-extcommunity
#
ip vpn-instance Internet
 route-distinguisher 1:2
 vpn-target 1:2 import-extcommunity
 vpn-target 1:2 export-extcommunity
#
ospf 1 vpn-instance A
 area 0.0.0.0
  network 10.0.10.0 0.0.0.7
  network 10.0.11.100 0.0.0.0
#
ospf 2 vpn-instance Internet
 default-route-advertise always
 area 0.0.0.0
  network 10.0.11.0 0.0.0.7
#
vlan 10 to 11
#
interface Bridge-Aggregation1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 link-aggregation mode dynamic
 stp edged-port // when a link fails this does not affect the STP calculation, so port convergence is faster
#
interface Bridge-Aggregation2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 link-aggregation mode dynamic
 stp edged-port
#
interface LoopBack0
 ip binding vpn-instance A
 ip address 10.0.11.100 255.255.255.255
#
interface LoopBack1
 ip binding vpn-instance Internet
 ip address 100.0.11.100 255.255.255.255
#
interface Vlan-interface10
 ip binding vpn-instance A
 ip address 10.0.10.1 255.255.255.248
#
interface Vlan-interface11
 ip binding vpn-instance Internet
 ip address 10.0.11.1 255.255.255.248
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 2
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 11
 combo enable fiber
 port link-aggregation group 2
#
return

Firewall configuration:

#
 sysname FW-A
#
track 1 interface Route-Aggregation1  // monitor the interface interconnecting with the firewall; if a change in an aggregation member should also trigger an active/standby switchover, track the member interfaces instead
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.10.0 0.0.0.7
  network 10.0.11.0 0.0.0.7
#
interface Route-Aggregation1
 link-aggregation mode dynamic
#
interface Route-Aggregation1.10
 ip address 10.0.10.3 255.255.255.248
 vrrp vrid 100 virtual-ip 10.0.10.2 active  // because the gateway may be placed on the firewall, the firewall is given a VRRP virtual address that steers client traffic to the primary device
 vlan-type dot1q vid 10
#
interface Route-Aggregation1.11
 ip address 10.0.11.3 255.255.255.248
 vrrp vrid 101 virtual-ip 10.0.11.2 active
 vlan-type dot1q vid 11
#
interface Route-Aggregation64
 ip address 1.1.1.1 255.255.255.252
 link-aggregation mode dynamic
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/22
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
security-zone name Local
#
security-zone name Trust
 import interface Route-Aggregation1.10
#
security-zone name Untrust
 import interface Route-Aggregation1.11
#
security-policy ip
 rule 0 name Trust_Untrust_Permit
  action pass
  source-zone Trust
  destination-zone Untrust
 rule 1 name Trust&Untrust_Local_OSPF
  action pass
  source-zone Trust
  source-zone Untrust
  destination-zone local
  service ospf
 rule 2 name Local_Trust&Untrust_OSPF
  action pass
  source-zone Local
  destination-zone Untrust
  destination-zone Trust
  service ospf
 rule 4 name Local_Trust&Untrust_VRRP
  action pass
  source-zone Local
  destination-zone Trust
  destination-zone Untrust
  service vrrp
 rule 5 name Trust&Untrust_Local_VRRP
  action pass
  source-zone Untrust
  source-zone Trust
  destination-zone Local
  service vrrp
#
remote-backup group   // HA configuration, the newer method from H3C
 data-channel interface Route-Aggregation64  // the interface used for HA synchronisation
 delay-time 1 // preemption delay, in minutes; by default there is no preemption
 adjust-cost ospf enable absolute 65535 // set the cost advertised by the backup device's dynamic routing protocol to the absolute value 65535
 track 1 // attach track entry 1
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary // set this device as the primary
#
return
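Two things in this design are worth checking mechanically before relying on failover: the /29 interconnect subnets must actually hold every address they need (switch SVI, both firewalls, and the VRRP virtual IP, which is the reason given above for not using /30), and the security policy must pass OSPF and VRRP in both directions between Local and each zone, otherwise adjacencies and VRRP elections silently fail. The script below is an added example, not code from the post or from H3C; it parses a constructed excerpt of the FW-A configuration shown above. The FW-B address 10.0.10.4 is an assumption (the post only shows FW-A), and zone names are normalised to lower case so that "local" and "Local" compare equal.

```python
import ipaddress

# Constructed excerpt of the FW-A configuration in the post (sub-interfaces with
# their VRRP virtual IPs, and the rules that carry OSPF/VRRP to and from Local).
FW_CONFIG = """\
interface Route-Aggregation1.10
 ip address 10.0.10.3 255.255.255.248
 vrrp vrid 100 virtual-ip 10.0.10.2 active
interface Route-Aggregation1.11
 ip address 10.0.11.3 255.255.255.248
 vrrp vrid 101 virtual-ip 10.0.11.2 active
security-policy ip
 rule 1 name Trust&Untrust_Local_OSPF
  action pass
  source-zone Trust
  source-zone Untrust
  destination-zone local
  service ospf
 rule 2 name Local_Trust&Untrust_OSPF
  action pass
  source-zone Local
  destination-zone Untrust
  destination-zone Trust
  service ospf
 rule 4 name Local_Trust&Untrust_VRRP
  action pass
  source-zone Local
  destination-zone Trust
  destination-zone Untrust
  service vrrp
 rule 5 name Trust&Untrust_Local_VRRP
  action pass
  source-zone Untrust
  source-zone Trust
  destination-zone Local
  service vrrp
"""

def parse_config(text):
    """Return (interfaces, rules) from a Comware-style config excerpt."""
    interfaces, rules, cur_if, cur_rule = {}, [], None, None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "interface":
            cur_if, cur_rule = p[1], None
            interfaces[cur_if] = {"ip": None, "mask": None, "vip": None}
        elif p[0] == "security-policy":
            cur_if = None
        elif p[0] == "rule":                       # "rule <n> name <name>"
            cur_rule = {"name": p[3], "action": None, "src": set(), "dst": set(), "service": set()}
            rules.append(cur_rule)
        elif cur_if and p[:2] == ["ip", "address"]:
            interfaces[cur_if].update(ip=p[2], mask=p[3])
        elif cur_if and p[:2] == ["vrrp", "vrid"]:  # "vrrp vrid <id> virtual-ip <vip> ..."
            interfaces[cur_if]["vip"] = p[4]
        elif cur_rule is not None:
            # zone and service names are lower-cased so "local" and "Local" match
            field = {"action": "action", "source-zone": "src",
                     "destination-zone": "dst", "service": "service"}.get(p[0])
            if field == "action":
                cur_rule["action"] = p[1]
            elif field:
                cur_rule[field].add(p[1].lower())
    return interfaces, rules

def vrrp_vip_in_subnet(interfaces):
    """Per interface: is the VRRP virtual IP a usable host of that interface's own subnet?"""
    result = {}
    for name, i in interfaces.items():
        if i["vip"]:
            net = ipaddress.ip_interface(f"{i['ip']}/{i['mask']}").network
            result[name] = ipaddress.ip_address(i["vip"]) in set(net.hosts())
    return result

def addresses_fit(network, addresses):
    """True if every address is a distinct usable host of `network`."""
    hosts = set(ipaddress.ip_network(network).hosts())
    addrs = [ipaddress.ip_address(a) for a in addresses]
    return len(set(addrs)) == len(addrs) and all(a in hosts for a in addrs)

def control_plane_permitted(rules, service, zone):
    """Is `service` passed both Local -> zone and zone -> Local?"""
    def passes(src, dst):
        return any(r["action"] == "pass" and src in r["src"] and dst in r["dst"]
                   and service in r["service"] for r in rules)
    return passes("local", zone.lower()) and passes(zone.lower(), "local")

if __name__ == "__main__":
    # VLAN 10 addresses: CSW .1, VRRP VIP .2, FW-A .3, FW-B .4 (FW-B is an assumption)
    vlan10 = ["10.0.10.1", "10.0.10.2", "10.0.10.3", "10.0.10.4"]
    print("/29 fits:", addresses_fit("10.0.10.0/29", vlan10))   # True
    print("/30 fits:", addresses_fit("10.0.10.0/30", vlan10))   # False
    ifs, rules = parse_config(FW_CONFIG)
    print("VIP in subnet:", vrrp_vip_in_subnet(ifs))
    for svc in ("ospf", "vrrp"):
        print(svc, [control_plane_permitted(rules, svc, z) for z in ("Trust", "Untrust")])
```

Running it against the excerpt reports that all four VLAN 10 addresses fit a /29 but not a /30, that both virtual IPs lie inside their sub-interface subnets, and that OSPF and VRRP are permitted in both directions for both zones. Swapping in a second firewall's config, or a policy that forgot one direction, makes the corresponding check return False.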

Lab results:

Closing remarks: in the past, H3C firewall hot standby was implemented with stacking plus Ethernet redundancy groups (Reth); the M9000 series firewalls additionally needed backup groups to adjust the active/standby relationship of the engine boards, and there were also problems with NAT addresses across multiple service boards. This lab uses the HA method that H3C has since consistently recommended, whose configuration is comparatively simpler than the stacking + Reth approach.
