Network topology and description:
Networking requirements: the customer's live network has F1070 firewalls in an IRF stack; the two uplinks (China Telecom and China Unicom) connect to the upstream switch above the stacked firewalls. They now want to configure a redundancy group for active/standby switchover, and the customer has also asked that the switchover be driven by probing the upstream next-hop address rather than only by the physical state of the interface.
1. The firewall IRF setup and the IP addresses, VLAN interfaces and routes on the switches are configured separately and are not shown here.
2. On the firewall, configure a redundant interface (Reth) on the uplink side and one on the downlink side and place both in a redundancy group, so that track linkage can drive the active/standby switchover.
3. The track entries track the next-hop address; four consecutive failed probes trigger the link switchover (the downlink Reth members are additionally tracked by physical state).
Configuration:
#Configuration on the stacked firewalls
#Track entry configuration
track 1 nqa entry admin test1 reaction 1 //NQA and track linkage: detects whether the uplink next hop is reachable
#
track 2 interface GigabitEthernet1/0/3 physical //tracks the physical state of the firewall downlink
#
track 3 nqa entry admin test2 reaction 2 //NQA and track linkage: detects whether the uplink next hop is reachable
#
track 4 interface GigabitEthernet2/0/3 physical //tracks the physical state of the firewall downlink
#
#
nqa entry admin test1 //NQA test entry: probes the next-hop address on the Telecom segment every 100 ms; when 4 consecutive probes fail, the threshold is reached and the track module is notified.
type icmp-echo
destination ip 10.1.1.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 4 action-type trigger-only
#
nqa entry admin test2
type icmp-echo
destination ip 20.1.1.1
frequency 100
reaction 2 checked-element probe-fail threshold-type consecutive 4 action-type trigger-only
#
nqa schedule admin test1 start-time now lifetime forever //starts the test group immediately and runs it indefinitely.
nqa schedule admin test2 start-time now lifetime forever
#
interface Reth1 //uplink and downlink redundant interfaces on the firewall and their member interfaces
ip address 30.1.1.2 255.255.255.0
member interface GigabitEthernet1/0/7 priority 255
member interface GigabitEthernet2/0/7 priority 50
#
interface Reth2
ip address 40.1.1.2 255.255.255.0
member interface GigabitEthernet1/0/3 priority 255
member interface GigabitEthernet2/0/3 priority 50
#Security zone configuration
security-zone name Trust
import interface Reth1
import interface Reth2
#Route configuration
ip route-static 0.0.0.0 0 30.1.1.1
ip route-static 40.1.1.0 24 40.1.1.1
#Redundancy group configuration
redundancy group aaa
member interface Reth1
member interface Reth2
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet1/0/7
track 2 interface GigabitEthernet1/0/3
node 2
bind slot 2
priority 50
track 3 interface GigabitEthernet2/0/7
track 4 interface GigabitEthernet2/0/3
#Security policy permitting the traffic
security-policy ip
rule 0 name irflocalout
action pass
source-zone local
destination-zone trust
rule 1 name irflocalin
action pass
source-zone trust
destination-zone local
rule 2 name cqm
action pass
source-zone trust
destination-zone trust
Test process:
[H3C]dis redundancy group
Redundancy group aaa (ID 1):
Node ID Slot Priority Status Track weight
1 Slot1 100 Primary 255
2 Slot2 50 Secondary 255
Preempt delay time remained : 0 sec
Preempt delay timer setting : 60 sec
Remaining hold-down time : 0 sec
Hold-down timer setting : 1 sec
Manual switchover request : No
Member interfaces:
Reth2 Reth1
Node 1:
Track info:
Track Status Reduced weight Interface
1 Positive 255 GE1/0/7
2 Positive 255 GE1/0/3
Node 2:
Track info:
Track Status Reduced weight Interface
3 Positive 255 GE2/0/7
4 Positive 255 GE2/0/3
[H3C]dis reth int reth 1
Reth1 :
Redundancy group : aaa
Member Physical status Forwarding status Presence status
GE1/0/7 UP Active Normal
GE2/0/7 UP Inactive Normal
[H3C]dis reth int reth 2
Reth2 :
Redundancy group : aaa
Member Physical status Forwarding status Presence status
GE1/0/3 UP Active Normal
GE2/0/3 UP Inactive Normal
On the upstream switch, remove the next-hop IP address to simulate a link failure (next hop unreachable):
[sw1-GigabitEthernet1/0/1]undo ip add 10.1.1.1 24 //removes the next-hop IP address
[sw1-GigabitEthernet1/0/1]quit
[H3C]
[H3C]dis ret%Jan 22 21:59:26:362 2021 H3C NQA/6/NQA_ENTRY_PROBE_RESULT: -COntext=1; Reaction entry 1 of NQA entry admin-name admin operation-tag test1: probe-fail.//NQA reaction triggered
%Jan 22 21:59:26:371 2021 H3C RDDC/5/RDDC_ACTIVENODE_CHANGE: -COntext=1; Redundancy group aaa active node changed to node 2 (slot 2), because of node's weight changed.//the node weight changed and the redundancy group switched over
%Jan 22 21:59:26:629 2021 H3C IFNET/3/PHY_UPDOWN: -COntext=1; Physical state on the interface GigabitEthernet1/0/3 changed to down.
%Jan 22 21:59:26:636 2021 H3C IFNET/5/LINK_UPDOWN: -COntext=1; Line protocol state on the interface GigabitEthernet1/0/3 changed to down.
[H3C]dis redundancy group
Redundancy group aaa (ID 1):
Node ID Slot Priority Status Track weight
1 Slot1 100 Secondary -255
2 Slot2 50 Primary 255
Preempt delay time remained : 0 sec
Preempt delay timer setting : 60 sec
Remaining hold-down time : 0 sec
Hold-down timer setting : 1 sec
Manual switchover request : No
Member interfaces:
Reth2 Reth1
Node 1:
Track info:
Track Status Reduced weight Interface
1 Negative(Faulty) 255 GE1/0/7
2 Negative 255 GE1/0/3
Node 2:
Track info:
Track Status Reduced weight Interface
3 Positive 255 GE2/0/7
4 Positive 255 GE2/0/3
[H3C]dis reth int reth 2
Reth2 :
Redundancy group : aaa
Member Physical status Forwarding status Presence status
GE1/0/3 DOWN(redundancy down) Inactive Normal
GE2/0/3 UP Active Normal
[H3C]dis reth int reth1
Reth1 :
Redundancy group : aaa
Member Physical status Forwarding status Presence status
GE1/0/7 UP Inactive Normal
GE2/0/7 UP Active Normal
[H3C]
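As an added example (not part of the original case and not H3C's own code), the following Python parses the `display redundancy group` and `display reth interface` outputs shown above and performs the checks a practitioner would want to run after a switchover: which node is Primary, which tracks are non-Positive, whether each node's Track weight equals the full weight minus the reduced weight of its failed tracks, and whether the Reth member in Forwarding status "Active" sits on the Primary node's slot. The sample outputs are transcribed from this page (the post-failure snapshot is derived from the pre-failure one by applying the differences shown above); the full weight of 255 is what the pre-failure output shows for a node with all tracks Positive, and the slot is taken from Comware's `<slot>/<subslot>/<port>` interface naming. Both values are assumptions of this example, not settings read from the device.

```python
import re

# Constructed sample: the "display redundancy group" output shown on this page
# before the simulated next-hop failure. AFTER applies the post-failure differences.
BEFORE = """\
Redundancy group aaa (ID 1):
Node ID Slot Priority Status Track weight
1 Slot1 100 Primary 255
2 Slot2 50 Secondary 255
Preempt delay time remained : 0 sec
Preempt delay timer setting : 60 sec
Remaining hold-down time : 0 sec
Hold-down timer setting : 1 sec
Manual switchover request : No
Member interfaces:
Reth2 Reth1
Node 1:
Track info:
Track Status Reduced weight Interface
1 Positive 255 GE1/0/7
2 Positive 255 GE1/0/3
Node 2:
Track info:
Track Status Reduced weight Interface
3 Positive 255 GE2/0/7
4 Positive 255 GE2/0/3
"""
AFTER = (BEFORE.replace("1 Slot1 100 Primary 255", "1 Slot1 100 Secondary -255")
               .replace("2 Slot2 50 Secondary 255", "2 Slot2 50 Primary 255")
               .replace("1 Positive 255 GE1/0/7", "1 Negative(Faulty) 255 GE1/0/7")
               .replace("2 Positive 255 GE1/0/3", "2 Negative 255 GE1/0/3"))
# Constructed sample: "display reth interface reth 2" after the switchover.
RETH2_AFTER = """\
Reth2 :
Redundancy group : aaa
Member Physical status Forwarding status Presence status
GE1/0/3 DOWN(redundancy down) Inactive Normal
GE2/0/3 UP Active Normal
"""

GROUP_RE = re.compile(r"^Redundancy group (\S+) \(ID \d+\):$")
NODE_RE = re.compile(r"^(\d+)\s+Slot(\d+)\s+(\d+)\s+(Primary|Secondary)\s+(-?\d+)$")
NODE_HDR_RE = re.compile(r"^Node (\d+):$")
TRACK_RE = re.compile(r"^(\d+)\s+(Positive|Negative(?:\([^)]*\))?)\s+(\d+)\s+(\S+)$")
RETH_RE = re.compile(r"^(\S+)\s+(UP|DOWN(?:\([^)]*\))?)\s+(Active|Inactive)\s+\S+$")


def parse_redundancy_group(text):
    """Return {'name', 'nodes': {id: {...}}, 'tracks': {id: {...}}} from the display output."""
    group = {"name": None, "nodes": {}, "tracks": {}}
    node = None  # node whose "Track info" block we are currently inside
    for line in (l.strip() for l in text.splitlines()):
        if m := GROUP_RE.match(line):
            group["name"] = m.group(1)
        elif (m := NODE_RE.match(line)) and node is None:
            group["nodes"][int(m.group(1))] = {"slot": int(m.group(2)), "priority": int(m.group(3)),
                                               "status": m.group(4), "weight": int(m.group(5))}
        elif m := NODE_HDR_RE.match(line):
            node = int(m.group(1))
        elif (m := TRACK_RE.match(line)) and node is not None:
            group["tracks"][int(m.group(1))] = {"node": node, "status": m.group(2),
                                                "reduced": int(m.group(3)), "interface": m.group(4)}
    return group


def primary_node(group):
    return next((n for n, v in group["nodes"].items() if v["status"] == "Primary"), None)


def faulty_tracks(group):
    """Track IDs whose status is anything other than Positive (e.g. Negative, Negative(Faulty))."""
    return sorted(t for t, v in group["tracks"].items() if not v["status"].startswith("Positive"))


def expected_weight(group, node_id, full_weight=255):
    """full_weight (assumed 255, as the pre-failure output shows) minus the reduced
    weight of every non-Positive track bound to this node."""
    lost = sum(v["reduced"] for v in group["tracks"].values()
               if v["node"] == node_id and not v["status"].startswith("Positive"))
    return full_weight - lost


def active_member(reth_text):
    """Member interface whose Forwarding status is Active in 'display reth interface'."""
    matches = (RETH_RE.match(l.strip()) for l in reth_text.splitlines())
    return next((m.group(1) for m in matches if m and m.group(3) == "Active"), None)


def member_slot(ifname):
    """IRF slot from a Comware interface name: 'GE2/0/3' -> 2 (<slot>/<subslot>/<port>)."""
    return int(re.match(r"^[A-Za-z-]+(\d+)/", ifname).group(1))


def health_findings(group_text, reth_text):
    """What a monitor should raise: failed tracks, weight mismatches, Active member on the wrong slot."""
    g = parse_redundancy_group(group_text)
    findings = []
    for t in faulty_tracks(g):
        v = g["tracks"][t]
        findings.append(f"track {t} on {v['interface']} (node {v['node']}) is {v['status']}")
    for n, v in g["nodes"].items():
        if v["weight"] != expected_weight(g, n):
            findings.append(f"node {n} weight {v['weight']} != expected {expected_weight(g, n)}")
    primary, active = primary_node(g), active_member(reth_text)
    if active is None or member_slot(active) != g["nodes"][primary]["slot"]:
        findings.append(f"Active member {active} is not on Primary node {primary}'s slot")
    return findings


if __name__ == "__main__":
    for finding in health_findings(AFTER, RETH2_AFTER):
        print(finding)
```

Read the findings together with the NQA log: in the post-failure output, track 2 also shows Negative, but its member GE1/0/3 is reported as "DOWN(redundancy down)", i.e. it was taken down by the redundancy mechanism after the switchover, not by a second independent fault. The originating failure is the NQA probe-fail on track 1.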
Lab screenshots follow:
I tried it and could not get traffic through.
It should be an emulator problem. After finishing the configuration, every status looked correct, and after disconnecting one cable it switched over, which could all be seen in the output, but ping did not work; pinging an address in the same subnet from below upward did not get through either.