• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 全部
  • 全部
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
高级搜索

V7防火墙插卡IRF组网案例

2015-10-30 发表
  • 10关注
  • 17收藏,2491浏览
粉丝: 关注:

                      ·在两台S105交换机之间建立堆叠。

·  在两台FW板卡之间建立堆叠,FW1的堆叠口为:G1/0/2FW2的堆叠口为:G2/0/2

·   为了防止万一IRF链路故障导致IRF分裂,网络中存在两个配置冲突的IRF,因此启用MAD检测功能。将FW1G1/0/1FW2G2/0/1连接用作BFD MAD检测。

·  创建冗余口Reth2Reth3分别对应于两条link

·   创建冗余组1,包含冗余成员:Reth1Reth2Reth3等。

 


 


运营商交换机的配置

·              配置接FWLB  Link1对应的下一跳:把Ten1/2/16Ten1/2/18允许vlan 4011vlan interface 作为网关

[H3Cvlan4011                                                                                                                                                                                               

[H3C]interface Vlan-interface4011                                              

[H3C-Vlan-interface4011]ip address 222.173.111.49 255.255.255.252

[H3C-Vlan-interface4011]quit                                   

#                                 

[H3C]interface Ten-GigabitEthernet 1/2/16

[H3C-Ten-GigabitEthernet1/2/16]port link-type trunk                                                          

[H3C-Ten-GigabitEthernet1/2/16]port trunk permit vlan 4011 

[H3C]interface Ten-GigabitEthernet 1/2/18

[H3C-Ten-GigabitEthernet1/2/18]port link-type trunk                                                          

[H3C-Ten-GigabitEthernet1/2/18]port trunk permit vlan 4011

·              配置接FWLB  Link2对应的下一跳:把Ten1/2/17Ten1/2/19允许vlan 4012vlan interface 作为网关

[H3C]vlan4012

[H3C]interface Vlan-interface 4012                                              

[H3C-Vlan-interface4012]ip address 222.173.112.99 255.255.255.248

[H3C-Vlan-interface4012]quit                                     

# 

[H3C]interface Ten-GigabitEthernet 1/2/17

[H3C-Ten-GigabitEthernet1/2/17]port link-type trunk                                                          

[H3C-Ten-GigabitEthernet1/2/17]port trunk permit vlan 4012 

[H3C]interface Ten-GigabitEthernet 1/2/19

[H3C-Ten-GigabitEthernet1/2/19]port link-type trunk                                                          

[H3C-Ten-GigabitEthernet1/2/19]port trunk permit vlan 4012

1.5.2 S105交换机的配置步骤

(1)   IRF的配置:

·       S105交换机 1的配置:

# 配置成员号和优先级。

 [H3C] irf member 1 priority 32

#配置Chassis 1,配置IRF端口1/1,并将它与物理端口Ten-GigabitEthernet1/7/0/1绑定,并保存配置,激活IRF端口下的配置。

[H3C]interface Ten-GigabitEthernet 1/7/0/1                                     

[H3C-Ten-GigabitEthernet1/7/0/1]shutdown     

[H3C-Ten-GigabitEthernet1/7/0/1] quit

[H3C] irf-port 1/1

[H3C-irf-port1/1]port group interface Ten-GigabitEthernet 1/7/0/1 

[H3C-irf-port1/1] quit

[H3C] interface Ten-GigabitEthernet 1/7/0/1

[H3C-Ten-GigabitEthernet1/7/0/1] undo shutdown

[H3C-Ten-GigabitEthernet1/7/0/1] quit

[H3C]save

[H3C]irf-port-configuration active

·       S105交换机2的配置

# 配置成员号和优先级。

[H3C]irf member 2 priority 1

#配置Chassis 2, S105交换机2的成员编号配置为2,并重启设备使新编号生效。

[H3C]irf member 1 renumber 2

Warning: Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y

[H3C]quit

< H3C > reboot

#S105交换机2重新起来后,登录设备,配置IRF端口2/2,并将它与物理端口Ten-GigabitEthernet2/7/0/3绑定,并保存配置,激活IRF端口下的配置。

[H3C]interface Ten-GigabitEthernet 2/7/0/3                                     

[H3C-Ten-GigabitEthernet2/7/0/3]shutdown

[H3C-Ten- GigabitEthernet2/7/0/3]quit

[H3C]irf-port 2/2

[H3C-irf-port2/2] port group interface Ten-GigabitEthernet 2/7/0/3

[H3C-irf-port2/2] quit

[H3C]interface Ten-GigabitEthernet 2/7/0/3                                     

[H3C-Ten-GigabitEthernet2/7/0/3]undo shutdown

[H3C-Ten-GigabitEthernet2/7/0/3]quit

[H3C]save

[H3C]irf-port-configuration active                         

(2)   接口配置:

#Chassi1连接运营商交换机Ten1/2/16的接口Ten1/6/0/34

[H3C]interface Ten-GigabitEthernet 1/6/0/34                                    

[H3C-Ten-GigabitEthernet1/6/0/34] port link-type trunk

[H3C-Ten-GigabitEthernet1/6/0/34]port trunk permit vlan 4011

[H3C-Ten-GigabitEthernet1/6/0/34]quit      

#Chassi1连接运营商交换机Ten1/2/17的接口Ten1/6/0/35

[H3C]interface Ten-GigabitEthernet 1/6/0/35                                    

[H3C-Ten-GigabitEthernet1/6/0/35]port link-type trunk

[H3C-Ten-GigabitEthernet1/6/0/35]port trunk permit vlan 4012       

[H3C-Ten-GigabitEthernet1/6/0/35]quit

#Chassi2连接运营商交换机Ten1/2/18的接口Ten2/6/0/34

[H3C]interface Ten-GigabitEthernet 2/6/0/34                                    

[H3C-Ten-GigabitEthernet2/6/0/34]port link-type trunk

[H3C-Ten-GigabitEthernet2/6/0/34]port trunk permit vlan 4011

[H3C-Ten-GigabitEthernet2/6/0/34]quit  

#Chassi2连接运营商交换机Ten1/2/19的接口Ten2/6/0/35

[H3C]interface Ten-GigabitEthernet 2/6/0/35                                    

[H3C-Ten-GigabitEthernet2/6/0/35]port link-type trunk

[H3C-Ten-GigabitEthernet2/6/0/35]port trunk permit vlan 4012       

[H3C-Ten-GigabitEthernet2/6/0/35]quit

#S105交换机连接到内部用户的接口允许vlan 4010的报文。接口配置略。

#Chassi1连接SecBlade III FW1内联口组成聚合口BAG1vlan 4010为连接内部用户的vlan

#                                                                              

[H3C]interface Bridge-Aggregation1  

[H3C-Bridge-Aggregation1]quit

[H3C]interface Ten-GigabitEthernet 1/1/0/1

[H3C-Ten-GigabitEthernet1/1/0/1]port link-mode bridge                                      

[H3C-Ten-GigabitEthernet1/1/0/1] port link-aggregation group 1 

[H3C-Ten-GigabitEthernet1/1/0/1]quit

依此再将Ten1/1/0/2Ten1/1/0/3Ten1/1/0/4都加入聚合组1

[H3C]interface Bridge-Aggregation1  

[H3C-Bridge-Aggregation1]port link-type trunk                                                          

[H3C-Bridge-Aggregation1]undo port trunk permit vlan 1                                                 

[H3C-Bridge-Aggregation1]port trunk permit vlan 4010 to 4012

#Chassi2连接SecBlade III FW2内联口组成聚合口BAG2

[H3C]interface Bridge-Aggregation2  

[H3C-Bridge-Aggregation2]quit

[H3C]interface Ten-GigabitEthernet 2/2/0/1

[H3C-Ten-GigabitEthernet2/2/0/1]port link-mode bridge                                     

[H3C-Ten-GigabitEthernet2/2/0/1] port link-aggregation group 2 

[H3C-Ten-GigabitEthernet2/2/0/1]quit

依此再将Ten2/2/0/2Ten2/2/0/3Ten2/2/0/4都加入聚合组2

[H3C]interface Bridge-Aggregation2  

[H3C-Bridge-Aggregation2]port link-type trunk                                                          

[H3C-Bridge-Aggregation2]undo port trunk permit vlan 1                                                 

[H3C-Bridge-Aggregation2]port trunk permit vlan 4010 to 4012

1.5.3 SecBlade III FWIRFMAD检测配置步骤

(1)   SecBlade III FW1IRF配置步骤

# 配置成员号和优先级。

 [H3C] irf member 1 priority 32

#配置FW1,配置IRF端口1/2,并将它与物理端口GigabitEthernet1/0/2绑定,并保存配置,激活IRF端口下的配置。

[H3C] interface GigabitEthernet1/0/2  

[H3C- GigabitEthernet1/0/2] shutdown

[H3C- GigabitEthernet1/0/2] quit

[H3C] irf-port 1/2

[H3C-irf-port1/2] port group interface GigabitEthernet1/0/2

[H3C-irf-port1/2] quit

[H3C] interface GigabitEthernet1/0/2

[H3C-GigabitEthernet1/0/2] undo shutdown

[H3C-GigabitEthernet1/0/2] quit

[H3C]save

[H3C]irf-port-configuration active

(2)   SecBlade III FW2IRF配置步骤

# 配置成员号和优先级。

[H3C]irf member 2 priority 1

#配置FW2, FW2的成员编号配置为2,并重启设备使新编号生效。

[H3C]irf member 1 renumber 2

Warning: Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y

[H3C]quit

< H3C > reboot

#FW2重新起来后,登录设备,配置IRF端口2/1,并将它与物理端口GigabitEthernet2/0/2绑定,并保存配置,激活IRF端口下的配置。

[H3C]interface GigabitEthernet2/0/2

[H3C-GigabitEthernet2/0/2]shutdown

[H3C-GigabitEthernet2/0/2]quit

[H3C]irf-port 2/1

[H3C-irf-port2/1] port group interface GigabitEthernet2/0/2

[H3C-irf-port2/1] quit

[H3C]interface GigabitEthernet2/0/2

[H3C-GigabitEthernet2/0/2]undo shutdown

[H3C-GigabitEthernet2/0/2]quit

[H3C]save

[H3C]irf-port-configuration active

#FW1FW2间将会进行主设备竞选,竞选失败的一方将重启,重启完成后,IRF形成。

(3)    配置BFD MAD检测

# 创建VLAN 3,并将FW1(成员编号为1)上的端口1/0/1FW2(成员编号为2)上的端口2/0/1加入VLAN中。

system-view

[H3C] vlan 3

[H3C-vlan3] quit

[H3C]interface GigabitEthernet 1/0/1                                           

[H3C-GigabitEthernet1/0/1]port link-mode bridge                                                         

[H3C-GigabitEthernet1/0/1]port access vlan 3

[H3C-GigabitEthernet1/0/1]quit

[H3C]interface GigabitEthernet 2/0/1                                           

[H3C-GigabitEthernet2/0/1]port link-mode bridge                                                         

[H3C-GigabitEthernet2/0/1]port access vlan 3

[H3C-GigabitEthernet2/0/1]quit

# 创建VLAN接口3,并配置MAD IP地址。

[H3C] interface vlan-interface 3

[H3C-Vlan-interface3] mad bfd enable

[H3C-Vlan-interface3] mad ip address 192.168.2.1 24 member 1

[H3C-Vlan-interface3] mad ip address 192.168.2.2 24 member 2

[H3C-Vlan-interface3] quit

# 因为BFD MAD和生成树功能互斥,所以在GigabitEthernet1/0/1GigabitEthernet2/0/1上关闭生成树协议。

[H3C] interface gigabitethernet 1/0/1

[H3C-gigabitethernet-1/0/1] undo stp enable

[H3C-gigabitethernet-1/0/1] quit

[H3C] interface gigabitethernet 2/0/1

[H3C-gigabitethernet-2/0/1] undo stp enable

# 将接口vlan-interface 3加入安全域trust(步骤略),并配置源域为local,目的为trust的域间策略 

创建对象组

[H3C]object-group ip address mad                                               

[H3C-obj-grp-ip-mad] 0 network subnet 192.168.2.0 255.255.255.0

[H3C-obj-grp-ip-mad] quit

创建域间策略对象

[H3C]object-policy ip local-trust                                              

[H3C-object-policy-ip-local-trust]rule 1 pass source-ip mad destination-ip mad

[H3C-object-policy-ip-local-trust]quit

创建域间策略,并引用域间策略对象

[H3C]zone-pair security source local destination trust                         

[H3C-zone-pair-security-Local-Trust]object-policy apply ip local-trust

[H3C-zone-pair-security-Local-Trust]quit

1.5.4 SecBlade III FW的接口及LB的配置步骤

(1)   创建ACL,允许内网10.1.0.0/16段地址                              

[H3C] acl advanced 3500

[H3C-acl-ipv4-adv-3500] rule 0 permit ip source 10.1.0.0 0.0.255.255

[H3C-acl-ipv4-adv-3500]quit

(2)   创建聚合口RAG1RAG2,将Slot 1Slot 24个内联口分别加入聚合口RAG1RAG2

[H3C]interface Route-Aggregation 1                                             

[H3C-Route-Aggregation1]quit

[H3C]interface Ten-GigabitEthernet 1/0/1                                        

[H3C-Ten-GigabitEthernet1/0/1]port link-aggregation group 1                                            

[H3C-Ten-GigabitEthernet1/0/1]quit

依次将Ten1/0/2Ten1/0/3Ten1/0/4都加入聚合组RAG1

#

[H3C]interface Route-Aggregation 2                                             

[H3C-Route-Aggregation2]quit

[H3C]interface Ten-GigabitEthernet 2/0/1                                       

[H3C-Ten-GigabitEthernet2/0/1]port link-aggregation group 2                                             

[H3C-Ten-GigabitEthernet2/0/1]quit

依次将Ten2/0/2Ten2/0/3Ten2/0/4都加入聚合组RAG2

#

创建聚合子接口RAG1.4011,RAG1.4012,RAG2.4011,RAG2.4012

[H3C]interface Route-Aggregation 1.4011                                        

[H3C-Route-Aggregation1.4011]vlan-type dot1q vid 4011                                             

[H3C-Route-Aggregation1.4011]quit                                             

其他聚合子接口的配置略。 

(3)   创建冗余口并应用NAT和冗余组的配置

#创建冗余口Reth2IP地址为222.173.111.50/ 30,成员接口为RAG1.4011RAG2.4011,其中RAG1.4011的优先级为100RAG2.4011的优先级为50。开启保存上一跳功能。

[H3C] interface Reth 2

[H3C-Reth2] ip address 222.173.111.50 255.255.255.240

[H3C-Reth2] nat outbound 3500 address-group 1

[H3C-Reth2] nat server global 222.173.111.60 inside 10.1.0.6

[H3C-Reth2] member interface Route-Aggregation1.4011 priority 100

[H3C-Reth2] member interface Route-Aggregation2.4011 priority 50

[H3C-Reth2] ip last-hop hold

# 创建冗余口Reth3IP地址为222.173.112.100/28,成员接口为RAG1.4012RAG2.4012,其中RAG1.4012的优先级为100RAG2.4012的优先级为50。开启保存上一跳功能。

[H3C] interface Reth 3

[H3C-Reth3] ip address 222.173.112.100 255.255.255.240

[H3C-Reth3] nat outbound 3500 address-group 2

[H3C-Reth3] member interface Route-Aggregation1.4012 priority 100

[H3C-Reth3] member interface Route-Aggregation2.4012 priority 50

[H3C-Reth3] ip last-hop hold

[H3C-Reth3] quit

# 创建内网入口冗余口Reth1IP地址为10.1.0.1/16,成员接口为RAG1.4010RAG2.4010,其中RAG1.4010的优先级为100RAG2.4010的优先级为50。开启保存上一跳功能。

[H3C] interface Reth 1

[H3C-Reth1] ip address 10.1.0.1 255.255.0.0

[H3C-Reth1] member interface Route-Aggregation1.4010 priority 100                         

[H3C-Reth1] member interface Route-Aggregation2.4010 priority 50

[H3C-Reth1] ip last-hop hold

[H3C-Reth1] quit

#配置track,监测业务端口端口状态。

[H3C] track 1 interface Route-Aggregation1                                          

[H3C] track 2 interface Route-Aggregation2                                     

#配置冗余组1,创建Node 1Node 1FW1绑定,为主节点。关联的Track项为1

[H3C] redundancy group 1

[H3C-redundancy-group-1] node 1

[H3C-redundancy-group-1-node1] bind slot 1

[H3C-redundancy-group-1-node1] priority 100

[H3C-redundancy-group-1-node1] track 1 interface Route-Aggregation1     

#配置冗余组1,创建Node 2Node 2FW2绑定,为备节点。关联的Track项为2

[H3C-redundancy-group-1] node 2

[H3C-redundancy-group-1-node2] bind slot 2

[H3C-redundancy-group-1-node2] priority 50

[H3C-redundancy-group-1-node2] track 2 interface Route-Aggregation2

[H3C-redundancy-group-1-node2] quit

# Reth1Reth2Reth3添加到冗余组中。

[H3C-redundancy-group-1] member interface reth 1

[H3C-redundancy-group-1] member interface reth 2

[H3C-redundancy-group-1] member interface reth 3

[H3C-redundancy-group-1] quit

(4)   将冗余口加入安全域并配置域间策略

#将内网接口Reth1MAD检测接口vlan-interface3加入trust

[H3C]security-zone name Trust                                                

[H3C-security-zone-Trust]import interface reth 1                                

[H3C-security-zone-Trust] import interface Vlan-interface3 

 


堆叠的两台设备需采用相同的型号,使用相同的版本。

SecBlade III FW的堆叠口请使用前面板的光口。

防火墙内联口需要聚合,并配置子接口作为上下行,再做冗余。

目前防火墙插卡不允许跨框流量,需要配置冗余组。


0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +
<

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作