防火墙旁挂rbm 案例
- 0关注
- 0收藏,486浏览
问题描述:
那里有核心 旁挂防火墙RBM,或是数据中心防火墙旁挂的案例
- 2025-04-22提问
- 举报
-
(0)
最佳答案
有的,给你找一下
参考:
组网说明:
1.FW_01和FW_02采用RBM双机主备部署,交叉互联旁挂在Border上。对接方式和案例(https://zhiliao.h3c.com/theme/details/223781)类似,可以参考。
2.FW使用三层聚合(动态链路聚合)子接口和Border对接,RAGG1.100位于Trust安全域;RAGG1.101位于Untrust安全域。实际组网中建议使用RAGG接口而不是vlan-if接口。
3.Border_01和Border_02 M-LAG双归接入三层网络。配置VRF隔离,分别和FW建立不同的OSPF进程。
4.Border上vlan-if10对接ASW,vlan-if100对接FW Trust域,vlan-if101对接FW Untrust域,vlan-if200对接上行Internet。
5.ASW模拟接入交换机,配置缺省路由下一跳为Border设备VRRP虚地址。模拟测试为访问互联网Internet。
6.防火墙聚合接口编号为1,并非10。图示有点问题懒得改了。
配置步骤
防火墙相关配置:
| FW1 | FW2 |
RBM基础配置 | # interface GigabitEthernet1/0/0 port link-mode route combo enable copper port link-aggregation group 64 # interface Route-Aggregation64 ip address 192.168.12.1 255.255.255.252 link-aggregation mode dynamic # remote-backup group data-channel interface Route-Aggregation64 configuration sync-check interval 12 delay-time 30 adjust-cost ospf enable absolute 65535 track 1 track 2 local-ip 192.168.12.1 remote-ip 192.168.12.2 device-role primary # | # interface GigabitEthernet1/0/0 port link-mode route combo enable copper port link-aggregation group 64 # interface Route-Aggregation64 ip address 192.168.12.2 255.255.255.252 link-aggregation mode dynamic # remote-backup group data-channel interface Route-Aggregation64 configuration sync-check interval 12 delay-time 30 adjust-cost ospf enable absolute 65535 track 1 track 2 local-ip 192.168.12.2 remote-ip 192.168.12.1 device-role secondary # |
业务接口,安全域,策略 | # interface GigabitEthernet1/0/1 port link-mode route combo enable copper port link-aggregation group 1 # interface GigabitEthernet1/0/2 port link-mode route combo enable copper port link-aggregation group 1 # interface Route-Aggregation1 link-aggregation mode dynamic # interface Route-Aggregation1.100 description to_border_v1 ip address 10.134.100.1 255.255.255.0 vlan-type dot1q vid 100 # interface Route-Aggregation1.101 description to_border_v2 ip address 10.134.101.1 255.255.255.0 ospf bfd enable vlan-type dot1q vid 101 # security-zone name Trust import interface Route-Aggregation1.100 # security-zone name Untrust import interface Route-Aggregation1.101 # security-policy ip rule 0 name ospf action pass service ospf rule 1 name ping action pass service ping # | # interface GigabitEthernet1/0/1 port link-mode route combo enable copper port link-aggregation group 1 # interface GigabitEthernet1/0/2 port link-mode route combo enable copper port link-aggregation group 1 # interface Route-Aggregation1 link-aggregation mode dynamic # interface Route-Aggregation1.100 description to_border_v1 ip address 10.134.100.2 255.255.255.0 vlan-type dot1q vid 100 # interface Route-Aggregation1.101 description to_border_v2 ip address 10.134.101.2 255.255.255.0 ospf bfd enable vlan-type dot1q vid 101 # security-zone name Trust import interface Route-Aggregation1.100 # security-zone name Untrust import interface Route-Aggregation1.101 # security-policy ip rule 0 name ospf action pass service ospf rule 1 name ping action pass service ping # |
路由配置 | # interface LoopBack0 description ospf_r_id ip address 1.1.1.1 255.255.255.255 # ospf 1 router-id 1.1.1.1 area 0.0.0.0 network 10.134.100.0 0.0.0.255 network 10.134.101.0 0.0.0.255 # | # interface LoopBack0 description ospf_r_id ip address 2.2.2.2 255.255.255.255 # ospf 1 router-id 2.2.2.2 area 0.0.0.0 network 10.134.100.0 0.0.0.255 network 10.134.101.0 0.0.0.255 # |
可靠性 | # track 1 interface Route-Aggregation1.100 # track 2 interface Route-Aggregation1.101 # | # track 1 interface Route-Aggregation1.100 # track 2 interface Route-Aggregation1.101 # |
===============================================================================================
交换机相关配置:
| Border_01 | Border_02 |
系统参数 | # interface GigabitEthernet1/0/1 port link-mode route combo enable fiber ip address 192.168.34.3 255.255.255.0 # m-lag mad exclude interface GigabitEthernet1/0/1 m-lag system-mac 0034-0034-0034 m-lag system-number 1 m-lag consistency-check disable m-lag standalone enable m-lag keepalive ip destination 192.168.34.4 source 192.168.34.3 # | # interface GigabitEthernet1/0/1 port link-mode route combo enable fiber ip address 192.168.34.4 255.255.255.0 # m-lag mad exclude interface GigabitEthernet1/0/1 m-lag role priority 65535 m-lag system-mac 0034-0034-0034 m-lag system-number 2 m-lag consistency-check disable m-lag standalone enable m-lag keepalive ip destination 192.168.34.3 source 192.168.34.4
|
peer-link接口 | # interface GigabitEthernet1/0/2 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 100 to 101 200 combo enable fiber port link-aggregation group 1024 # interface Bridge-Aggregation1024 description peerlink port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 100 to 101 200 link-aggregation mode dynamic port m-lag peer-link 1 undo mac-address static source-check enable # | # interface GigabitEthernet1/0/2 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 100 to 101 200 combo enable fiber port link-aggregation group 1024 # interface Bridge-Aggregation1024 description peerlink port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 100 to 101 200 link-aggregation mode dynamic port m-lag peer-link 1 undo mac-address static source-check enable # |
m-lag接口 | # interface GigabitEthernet1/0/3 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 combo enable fiber port link-aggregation group 10 # interface GigabitEthernet1/0/4 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 combo enable fiber port link-aggregation group 11 # interface GigabitEthernet1/0/5 port link-mode bridge port access vlan 200 combo enable fiber port link-aggregation group 100 # interface GigabitEthernet1/0/6 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 combo enable fiber port link-aggregation group 1 # interface Bridge-Aggregation1 description to_asw port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 link-aggregation mode dynamic port lacp system-priority 32 port m-lag group 1 # interface Bridge-Aggregation10 description to_fw01 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 link-aggregation mode dynamic port lacp system-priority 32 port m-lag group 10 # interface Bridge-Aggregation11 description to_fw02 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 link-aggregation mode dynamic port lacp system-priority 32 port m-lag group 11 # interface Bridge-Aggregation100 description to_internet port access vlan 200 link-aggregation mode dynamic port lacp system-priority 32 port m-lag group 100 # | # interface GigabitEthernet1/0/3 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 combo enable fiber port link-aggregation group 11 # interface GigabitEthernet1/0/4 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 combo enable fiber port link-aggregation group 10 # interface GigabitEthernet1/0/5 port link-mode bridge port access vlan 200 combo enable fiber port link-aggregation group 100 # interface GigabitEthernet1/0/6 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 combo enable fiber port link-aggregation group 1 # interface Bridge-Aggregation1 description to_asw port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 link-aggregation mode dynamic port m-lag group 1 # interface Bridge-Aggregation10 description to_fw01 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 link-aggregation mode dynamic port m-lag group 10 # interface Bridge-Aggregation11 description to_fw02 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 101 link-aggregation mode dynamic port m-lag group 11 # interface Bridge-Aggregation100 description to_internet port access vlan 200 link-aggregation mode dynamic port m-lag group 100 # |
OSPF | # ip vpn-instance v1 # ip vpn-instance v2 # interface LoopBack0 description ospf_v1_r_id ip address 3.3.3.3 255.255.255.255 # interface LoopBack10 description ospf_v2_r_id ip address 13.13.13.13 255.255.255.255 # interface Vlan-interface10 ip binding vpn-instance v1 ip address 10.1.10.3 255.255.255.0 vrrp vrid 10 virtual-ip 10.1.10.10 vrrp vrid 10 priority 254 # interface Vlan-interface100 ip binding vpn-instance v1 ip address 10.134.100.10 255.255.255.0 ospf dr-priority 255 ospf peer sub-address enable 10.134.100.13 port m-lag virtual-ip 10.134.100.13 255.255.255.0 active mac-address 0001-0001-0001 # interface Vlan-interface101 ip binding vpn-instance v2 ip address 10.134.101.10 255.255.255.0 ospf dr-priority 255 ospf bfd enable ospf peer sub-address enable 10.134.101.13 port m-lag virtual-ip 10.134.101.13 255.255.255.0 active mac-address 0002-0002-0002 # interface Vlan-interface200 ip binding vpn-instance v2 ip address 10.1.200.10 255.255.255.0 ospf dr-priority 255 ospf bfd enable ospf peer sub-address enable 10.1.200.13 port m-lag virtual-ip 10.1.200.13 255.255.255.0 active mac-address 0003-0003-0003 # ospf 1 router-id 3.3.3.3 vpn-instance v1 area 0.0.0.0 network 10.1.10.0 0.0.0.255 network 10.134.100.0 0.0.0.255 # ospf 13 router-id 13.13.13.13 vpn-instance v2 area 0.0.0.0 network 10.1.200.0 0.0.0.255 network 10.134.101.0 0.0.0.255 # | # ip vpn-instance v1 # ip vpn-instance v2 # interface LoopBack0 description ospf_v1_r_id ip address 4.4.4.4 255.255.255.255 # interface LoopBack10 description ospf_v2_r_id ip address 14.14.14.14 255.255.255.255 # interface Vlan-interface10 ip binding vpn-instance v1 ip address 10.1.10.4 255.255.255.0 vrrp vrid 10 virtual-ip 10.1.10.10 # interface Vlan-interface100 ip binding vpn-instance v1 ip address 10.134.100.10 255.255.255.0 ospf dr-priority 25 ospf peer sub-address enable 10.134.100.14 port m-lag virtual-ip 10.134.100.14 255.255.255.0 active mac-address 0001-0001-0001 # interface Vlan-interface101 ip binding vpn-instance v2 ip address 10.134.101.10 255.255.255.0 ospf dr-priority 25 ospf bfd enable ospf peer sub-address enable 10.134.101.14 port m-lag virtual-ip 10.134.101.14 255.255.255.0 active mac-address 0002-0002-0002 # interface Vlan-interface200 ip binding vpn-instance v2 ip address 10.1.200.10 255.255.255.0 ospf bfd enable ospf peer sub-address enable 10.1.200.14 port m-lag virtual-ip 10.1.200.14 255.255.255.0 active mac-address 0003-0003-0003 # ospf 1 router-id 4.4.4.4 vpn-instance v1 area 0.0.0.0 network 10.1.10.0 0.0.0.255 network 10.134.100.0 0.0.0.255 # ospf 3 router-id 14.14.14.14 vpn-instance v2 area 0.0.0.0 network 10.1.200.0 0.0.0.255 network 10.134.101.0 0.0.0.255 # |
============================================================================================
接入交换机和公网模拟配置:
ASW | Internet |
# interface Bridge-Aggregation10 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 link-aggregation mode dynamic # interface Vlan-interface10 ip address 10.1.10.5 255.255.255.0 # interface GigabitEthernet1/0/1 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 combo enable fiber port link-aggregation group 10 # interface GigabitEthernet1/0/2 port link-mode bridge port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 10 combo enable fiber port link-aggregation group 10 ip route-static 0.0.0.0 0 10.1.10.10 description to_border # | # interface LoopBack0 description ospf_r_id ip address 6.6.6.6 255.255.255.255 # interface LoopBack1 description internet ip address 114.114.114.114 255.255.255.255 # interface Route-Aggregation1 ip address 10.1.200.6 255.255.255.0 link-aggregation mode dynamic # interface GigabitEthernet0/0 port link-mode route combo enable copper port link-aggregation group 1 # interface GigabitEthernet0/1 port link-mode route combo enable copper port link-aggregation group 1 # ospf 1 router-id 6.6.6.6 default-route-advertise always area 0.0.0.0 network 10.1.200.0 0.0.0.255 #
|
===============================================================================================
以上案例没有考虑出口做NAT的场景,公网侧可以直接学习到私网侧的路由。实际现网中出口设备做NAT,将NAT地址池中路由发布到公网即可。
案例模拟测试ASW ping测试Internet侧环回口地址114.114.114.114即可
公网侧路由:
<internet>disp ip routing-table protocol ospf
Summary count : 9
OSPF Routing table status : <Active>
Summary count : 8
Destination/Mask Proto Pre Cost NextHop Interface
10.1.10.0/24 O_INTRA 10 4 10.1.200.13 RAGG1
O_INTRA 10 4 10.1.200.14 RAGG1
10.134.100.0/24 O_INTRA 10 3 10.1.200.13 RAGG1
O_INTRA 10 3 10.1.200.14 RAGG1
10.134.101.0/24 O_INTRA 10 2 10.1.200.13 RAGG1
O_INTRA 10 2 10.1.200.14 RAGG1
相关表项查看:
| |||||||
|
配置关键点
1.FW并非所有配置都是同步的,常见的:安全域和安全策略可以从RBM_P同步到RBM_S,有些配置无法同步(如接口地址,Track,路由配置等),配置的时候需要对比所有相关配置防止遗漏。
2.FW 安全策略需要针对基础协议OSPF单独放通,否则导致OSPF邻居建立失败。
3.FW使用三层子接口必须配置vlan终结命令,需要对端发出的报文携带对应的vlan标签。如果对端发出的报文不带vlan标签,则使用聚合口对接。
4.Border peer-link链路两端端口上关闭报文入接口与静态MAC地址表项匹配检查功能,以确保三层单播流量转发正常。
5.两台Border作为双活网关时,vlan-if接口存在相同的IP地址和MAC地址,需要配置M-LAG虚拟IP地址建立OSPF邻居,并指定active参数。否则则该虚拟IPv4地址只在角色为Primary的M-LAG设备上处于可用状态。
6.Border配置m-lag独立工作模式,并配置lacp系统优先级。应对peer-link链路和Keepalive链路均发生故障场景。这个感兴趣的可以模拟测试。
- 2025-04-22回答
- 评论(0)
- 举报
-
(0)
防火墙旁挂rbm对接核心堆叠
https://zhiliao.h3c.com/questions/dispcont/226023
配置步骤
防火墙主配置:
track 1 interface GigabitEthernet1/0/0
interface GigabitEthernet1/0/0
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 192.168.0.2 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface Vlan-interface10
#
ip route-static 0.0.0.0 0 192.168.20.2
#
security-policy ip
rule 1 name 1
action pass
#
remote-backup group
data-channel interface GigabitEthernet1/0/1
configuration sync-check interval 12
delay-time 1
track 1
local-ip 192.168.0.2
remote-ip 192.168.0.1
device-role primary
防火墙备配置:
track 1 interface GigabitEthernet1/0/0
#
interface GigabitEthernet1/0/0
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 192.168.0.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface Vlan-interface10
#
ip route-static 0.0.0.0 0 192.168.30.2
#
security-policy ip
rule 1 name 1
action pass
#
remote-backup group
data-channel interface GigabitEthernet1/0/1
configuration sync-check interval 12
delay-time 1
track 1
local-ip 192.168.0.1
remote-ip 192.168.0.2
device-role secondary
交换机配置堆叠和策略路由:
undo ip fast-forwarding load-sharing
irf-port 1/1
port group interface Ten-GigabitEthernet1/0/49
irf-port 2/2
port group interface Ten-GigabitEthernet2/0/49
#
policy-based-route 1 permit node 1
if-match acl 3001
apply next-hop 192.168.20.1 track 1
apply next-hop 192.168.30.1
#
policy-based-route 2 permit node 1
if-match acl 3002
apply next-hop 192.168.20.1 track 1
apply next-hop 192.168.30.1
#
nqa entry admin test
type icmp-echo
destination ip 192.168.20.1
fre 100
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule admin test start-time now lifetime forever
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
#
interface Bridge-Aggregation2
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 50
#
interface Vlan-interface10
ip address 192.168.10.2 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.2 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.2 255.255.255.0
#
interface Vlan-interface40
ip address 10.1.1.1 255.255.255.0
ip policy-based-route 1
#
interface Vlan-interface50
ip address 1.1.1.1 255.255.255.0
ip policy-based-route 2
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 50
combo enable fiber
port link-aggregation group 2
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 20
#
ip route-static 0.0.0.0 0 1.1.1.2
#
acl advanced 3001
rule 12 permit ip source 10.1.1.0 0.0.0.255
#
acl advanced 3002
rule 12 permit ip destination 10.1.1.0 0.0.0.255
- 2025-05-12回答
- 评论(0)
- 举报
-
(0)
暂无评论
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论