问题描述:
防火墙二层主备组网,上接路由器(起二层),下连核心交换机,其中路由器和交换机进行堆叠。
请问谁有案例
组网及组网描述:
- 2020-11-18提问
- 举报
-
(0)
最佳答案
某局点部署安全生产专网,业务网关在下联汇聚交换机上,在网关和上联核心交换机中间部署防火墙作安全审计,要求做纯二层透传,并且结合IRF和冗余组提高网络可靠性。
1、FW1060设备做纯二层透传,做IRF;
2、在正常情况下,FW1060主接口被聚合口选中,同时为冗余组的主设备,流量走FW1060主;
3、当主FW1060的链路出现故障时,聚合口内成员口发生切换,冗余组的主备发生联动切换,流量切至备FW1060
4、当主FW1060的链路故障恢复后,由主FW1060继续承担流量转发功能;
配置思路
1、两台F1060做堆叠,与下游设备单臂互联,配置为纯二层;
2、互联链路可以是物理链路、子接口、vlan-interface,两台设备各出一个接口组成聚合口,设置聚合组中的最大选中端口数为1,同时设置主设备接口的聚合成员优先级高,此时备机的聚合成员接口down;
3、上下游设备通过活动成员链路上送主设备;
4、配置冗余组,主备设备track本设备聚合成员接口;
5、上下行设备配置OSPF的情况下,单纯聚合口切换不会导致OSPF路由重新收敛。
一、配置核心交换机
(1) 创建聚合口,配置物理口并加入到聚合口中
# 创建三层路由聚合口,配置IP地址。
<H3C> system-view
[H3C] interface Route-Aggregation 1
[H3C-Route-Aggregation1] ip address 172.19.47.1 255.255.255.252
# 配置聚合链路成员口最大选中数为1。
[H3C-Route-Aggregation1] link-aggregation selected-port maximum 1
[H3C-Route-Aggregation1] quit
# 配置物理接口。
[H3C] interface GigabitEthernet 1/0/12
[H3C-GigabitEthernet1/0/12] port link-mode route
# 配置高优先级10。
[H3C-GigabitEthernet1/0/12] link-aggregation port-priority 10
# 加入三层聚合口中
[H3C-GigabitEthernet1/0/12] port link-aggregation group 1
# 配置另一个物理接口。
[H3C]interface GigabitEthernet1/0/13
[H3C-GigabitEthernet1/0/13] port link-mode route
# 配置低优先级100。
[H3C-GigabitEthernet1/0/13] link-aggregation port-priority 100
# 加入三层聚合口1中。
[H3C-GigabitEthernet1/0/12] port link-aggregation group 1
[H3C-GigabitEthernet1/0/12] quit
(2) 配置本地LoopBack口。
[H3C] interface LoopBack1
[H3C-LoopBack1] ip address 192.168.0.1 255.255.255.255
[H3C-LoopBack1] quit
(3) 配置OSPF进程并把对应网段路由加入OSPF进程中。
[H3C] ospf 47
[H3C-ospf-47] area 0.0.0.0
[H3C-ospf-47-area-0.0.0.0] network 172.19.47.1 0.0.0.3
[H3C-ospf-47-area-0.0.0.0] network 192.168.0.1 0.0.0.0
[H3C-ospf-47-area-0.0.0.0] quit
[H3C-ospf-47] quit
二、配置防火墙
(1)FW做堆叠和BFD MAD(略)
(2)开启会话同步功能
[H3C] session synchronization enable
(3)创建聚合口,配置物理口并加入到对应聚合口中
# 创建VLAN 100,FW与上下行设备连接的端口做二层透传。
[H3C] vlan 100
# 创建二层聚合口1,把FW与上行SW相连的端口加入该聚合口。
[H3C] interface Bridge-Aggregation1
[H3C-Bridge-Aggregation1] port access vlan 100
# 配置聚合链路成员口最大选中数为1。
[H3C-Bridge-Aggregation1] link-aggregation selected-port maximum 1
# 把对应物理口加入二层聚合口1中,并配置链路聚合端口的优先级。
[H3C] interface GigabitEthernet1/0/13
[H3C-gigabitethernet-1/0/13] port link-mode bridge
[H3C-gigabitethernet-1/0/13] port access vlan 100
# 配置端口高优先级10。
[H3C-gigabitethernet-1/0/13] link-aggregation port-priority 10
# 加入链路聚合口1。
[H3C-gigabitethernet-1/0/13] port link-aggregation group 1
# 配置备设备上与上行SW连接的端口,加入VLAN 100。
[H3C] interface GigabitEthernet2/0/13
[H3C-gigabitethernet-2/0/13] port link-mode bridge
[H3C-gigabitethernet-2/0/13] port access vlan 100
# 配置低优先级100。
[H3C-gigabitethernet-2/0/13] link-aggregation port-priority 100
# 加入链路聚合口1。
[H3C-gigabitethernet-2/0/13] port link-aggregation group 1
[H3C-gigabitethernet-2/0/13] quit
# 同理,创建二层聚合口2。
[H3C] interface Bridge-Aggregation2
[H3C-Bridge-Aggregation2] port access vlan 100
# 配置聚合链路成员口最大选中数为1。
[H3C-Bridge-Aggregation1] link-aggregation selected-port maximum 1
# 把主FW与下行SW相连的端口加入该聚合口2,并配置成员端口为高优先级。
[H3C] interface GigabitEthernet1/0/16
[H3C-gigabitethernet-1/0/16] port link-mode bridge
[H3C-gigabitethernet-1/0/16] port access vlan 100
[H3C-gigabitethernet-1/0/16] link-aggregation port-priority 10
[H3C-gigabitethernet-1/0/16] port link-aggregation group 2
[H3C-gigabitethernet-1/0/16] quit
# 把备FW与下行SW相连的端口加入该聚合口2,并配置成员端口为低优先级。
[H3C]interface GigabitEthernet2/0/16
[H3C-gigabitethernet-2/0/16] port link-mode bridge
[H3C-gigabitethernet-2/0/16] port access vlan 100
[H3C-gigabitethernet-2/0/16] link-aggregation port-priority 100
[H3C-gigabitethernet-2/0/16] port link-aggregation group 2
[H3C-gigabitethernet-2/0/16] quit
(4)配置安全域
具体安全域配置不做详细赘述,主体思路是将上联口加入trust域,将下联口加入untrust域,但是要注意把MAD BFD检测的vlan-interface1000加入trust域,否则MAD BFD检测报文无法通过,导致检测失败。
(5)配置track项,track物理接口
[H3C] track 7 interface GigabitEthernet2/0/13 physical
[H3C] track 8 interface GigabitEthernet2/0/16 physical
[H3C] track 9 interface GigabitEthernet1/0/13 physical
[H3C] track 10 interface GigabitEthernet1/0/16 physical
(6)配置冗余组
[H3C] redundancy group 2
# 添加node1。
[H3C-redundancy-group-2] node 1
[H3C-redundancy-group-2-node-1] bind slot 1
# 配置为高优先级。
[H3C-redundancy-group-2-node-1] priority 100
# node1节点里track对应接口。
[H3C-redundancy-group-2-node-1] track 9 interface GigabitEthernet1/0/13
[H3C-redundancy-group-2-node-1] track 10 interface GigabitEthernet1/0/16
[H3C-redundancy-group-2-node-1] node-member interface GigabitEthernet1/0/13
[H3C-redundancy-group-2-node-1] node-member interface GigabitEthernet1/0/16
[H3C-redundancy-group-2-node-1] quit
# 添加node2。
[H3C-redundancy-group-2] node 2
[H3C-redundancy-group-2-node-2] bind slot 2
# 配置为低优先级。
[H3C-redundancy-group-2-node-2] priority 50
# node2节点里track对应接口。
[H3C-redundancy-group-2-node-2] track 7 interface GigabitEthernet2/0/13
[H3C-redundancy-group-2-node-2] track 8 interface GigabitEthernet2/0/16
[H3C-redundancy-group-2-node-2] node-member interface GigabitEthernet2/0/13
[H3C-redundancy-group-2-node-2] node-member interface GigabitEthernet2/0/16
[H3C-redundancy-group-2-node-2] quit
[H3C-redundancy-group-2] quit
三、配置汇聚交换机
(1)配置IRF和BFD MAD(略)
(2)接口配置,包括二层聚合口和成员端口配置
# 创建vlan200。
<H3C> system-view
[H3C] vlan 200
# 创建vlan-ingterface200。
[H3C]interface Vlan-interface200
[H3C-Vlan-interface200] ip address 172.19.47.2 255.255.255.252
[H3C-Vlan-interface200] quit
# 创建二层聚合口2,并加入vlan200,配置链路聚合最大选中端口数为1。
[H3C] interface Bridge-Aggregation2
[H3C-Bridge-Aggregation2] port access vlan 200
[H3C-Bridge-Aggregation2] link-aggregation selected-port maximum 1
# 配置LoopBack1地址。
[H3C] interface LoopBack1
[H3C-LoopBack1] ip address 192.168.0.2 255.255.255.255
# 添加聚合成员口,配置成员口高低优先级。
[H3C] interface GigabitEthernet1/1/3
[H3C-GigabitEthernet1/1/3] port link-mode bridge
[H3C-GigabitEthernet1/1/3] port access vlan 200
# 主SW与主FW连接的接口配置为高优先级。
[H3C-GigabitEthernet1/1/3] link-aggregation port-priority 10
[H3C-GigabitEthernet1/1/3] port link-aggregation group 2
[H3C-GigabitEthernet1/1/3] quit
[H3C] interface GigabitEthernet2/1/3
[H3C-GigabitEthernet2/1/3] port link-mode bridge
[H3C-GigabitEthernet2/1/3] port access vlan 200
# 备SW与备FW连接的接口配置为低优先级。
[H3C-GigabitEthernet2/1/3] link-aggregation port-priority 100
[H3C-GigabitEthernet2/1/3] port link-aggregation group 2
[H3C-GigabitEthernet2/1/3] quit
(1) 配置ospf进程并把对应网段路由加入OSPF进程中
[H3C] ospf 47
[H3C-ospf-47] area 0.0.0.0
[H3C-ospf-47-area-0.0.0.0] network 172.19.47.2 0.0.0.3
[H3C-ospf-47-area-0.0.0.0] network 192.168.0.2 0.0.0.0
[H3C-ospf-47-area-0.0.0.0] quit
1、IRF的配置中,做BFD MAD检测的vlan-interface1000要加入安全域trust中,否则MAD BFD检测报文不能通过防火墙,MAD BFD检测失败,无法正常工作;
2、防火墙设备上的二层聚合口及其成员口要带具体的vlan加入到对应的安全域中,否则报文无法通过防火墙;
3、防火墙做IRF,要开启会话同步功能。
- 2020-11-18回答
- 评论(0)
- 举报
-
(0)
组网图
配置步骤
2 配置步骤
2.1 核心交换机配置
#创建三层聚合接口并设置IP地址。
<H3C>system
[H3C]interface Route-Aggregation 1
[H3C-Route-Aggregation1]ip address 192.168.1.1 255.255.255.0
[H3C-Route-Aggregation1]link-aggregation selected-port maximum 1
[H3C-Route-Aggregation1]quit
#将1/0/1接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]link-aggregation port-priority 10
[H3C-GigabitEthernet1/0/1]port link-aggregation group 1
[H3C-GigabitEthernet1/0/1]quit
#将1/0/2接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 1/0/2
[H3C-GigabitEthernet1/0/2]link-aggregation port-priority 100
[H3C-GigabitEthernet1/0/2]port link-aggregation group 1
[H3C-GigabitEthernet1/0/2]quit
2.2 防火墙配置
2.2.1 FWA与FWB建立堆叠并配置BFD MAD检测
具体配置可参考防火墙虚拟化配置举例,本章不做介绍。
2.2.2 防火墙开启会话同步并关闭本框优先命令
#开启本地IP优先转发功能
[Sysname] ip load-sharing local-first enable
#开启会话同步功能
[Sysname] session synchronization enable
#开启会话数据统计功能
[Sysname] session statistics enable
2.2.3 防火墙聚合配置
1. 防火墙上行接口聚合配置
#创建二层聚合接口并设置聚合最大选中个数。
<H3C>system
[H3C]interface Bridge-Aggregation 1
[H3C-Bridge-Aggregation1]link-aggregation selected-port maximum 1
[H3C-Bridge-Aggregation1]quit
#将1/0/1接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]link-aggregation port-priority 10
[H3C-GigabitEthernet1/0/1]port link-aggregation group 1
[H3C-GigabitEthernet1/0/1]quit
#将2/0/2接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 2/0/2
[H3C-GigabitEthernet2/0/2]link-aggregation port-priority 100
[H3C-GigabitEthernet2/0/2]port link-aggregation group 1
[H3C-GigabitEthernet2/0/2]quit
2. 防火墙下行接口聚合配置
#创建二层聚合接口并设置聚合最大选中个数。
<H3C>system
[H3C]interface Bridge-Aggregation 2
[H3C-Bridge-Aggregation2]link-aggregation selected-port maximum 1
[H3C-Bridge-Aggregation2]quit
#将1/0/1接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 1/0/3
[H3C-GigabitEthernet1/0/3]link-aggregation port-priority 10
[H3C-GigabitEthernet1/0/3]port link-aggregation group 2
[H3C-GigabitEthernet1/0/3]quit
#将2/0/3接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 2/0/3
[H3C-GigabitEthernet2/0/3]link-aggregation port-priority 100
[H3C-GigabitEthernet2/0/3]port link-aggregation group 2
[H3C-GigabitEthernet2/0/3]quit
2.2.4 防火墙安全域配置
#将防火墙上行接口接入Untrust区域
[H3C]security-zone name Untrust
[H3C-security-zone-Untrust]import interface Bridge-Aggregation1 vlan 1
[H3C-security-zone-Untrust]import interface GigabitEthernet1/0/1 vlan 1
[H3C-security-zone-Untrust]import interface GigabitEthernet2/0/2 vlan 1
[H3C-security-zone-Untrust]quit
#将防火墙下行接口接入trust区域
[H3C]security-zone name Untrust
[H3C-security-zone-Trust]import interface Bridge-Aggregation2 vlan 1
[H3C-security-zone-Trust]import interface GigabitEthernet1/0/3 vlan 1
[H3C-security-zone-Trust]import interface GigabitEthernet2/0/3 vlan 1
[H3C-security-zone-Trust]quit
2.2.5 配置端口冗余组配置
#配置track监控物理端口
[H3C]track 1 interface GigabitEthernet1/0/1 physical
[H3C]track 2 interface GigabitEthernet2/0/2 physical
[H3C]track 3 interface GigabitEthernet1/0/3 physical
[H3C]track 4 interface GigabitEthernet2/0/3 physical
#创建节点1与防火墙A所有接口绑定
[H3C]redundancy group aaa
[H3C-redundancy-group-aaa] node 1
[H3C-redundancy-group-aaa-node1] bind slot 1
[H3C-redundancy-group-aaa-node1] priority 100
[H3C-redundancy-group-aaa-node1] node-member interface gigabitethernet 1/0/1
[H3C-redundancy-group-aaa-node1] node-member interface gigabitethernet 1/0/3
[H3C-redundancy-group-aaa-node1] track 1 interface gigabitethernet 1/0/1
[H3C-redundancy-group-aaa-node1] track 3 interface gigabitethernet 1/0/3
[H3C-redundancy-group-aaa-node1] quit
1. 创建节点2与防火墙B所有接口绑定
[H3C-redundancy-group-aaa] node 2
[H3C-redundancy-group-aaa-node2] bind slot 2
[H3C-redundancy-group-aaa-node2] priority 50
[H3C-redundancy-group-aaa-node2] node-member interface gigabitethernet 2/0/2
[H3C-redundancy-group-aaa-node2] node-member interface gigabitethernet 2/0/3
[H3C-redundancy-group-aaa-node2] track 2 interface gigabitethernet 2/0/2
[H3C-redundancy-group-aaa-node2] track 4 interface gigabitethernet 2/0/3
[H3C-redundancy-group-aaa-node2] quit
2.2.6 安全策略配置
防火墙目前版本存在两套安全策略,请在放通安全策略前确认设备运行那种类型的安全策略?以下配置任选其一。
1. 通过命令“display cu | in security-policy”如果查到命令行存在“security-policy disable”或者没有查到任何信息,则使用下面策略配置。
[H3C]display cu | in security-policy
security-policy disable
#创建对象策略pass。
[H3C]object-policy ip pass
[H3C-object-policy-ip-pass] rule 0 pass
[H3C-object-policy-ip-pass]quit
#创建Trust到Untrust域的域间策略调用pass策略。
[H3C]zone-pair security source Trust destination local
[H3C-zone-pair-security-Trust- local]object-policy apply ip pass
[H3C-zone-pair-security-Trust- local]quit
[H3C]zone-pair security source local destination Trust
[H3C-zone-pair-security-local -trust]object-policy apply ip pass
[H3C-zone-pair-security-local -trust]quit
[H3C]zone-pair security source Untrust destination local
[H3C-zone-pair-security-Untrust- local]object-policy apply ip pass
[H3C-zone-pair-security-Untrust- local]quit
[H3C]zone-pair security source local destination Untrust
[H3C-zone-pair-security-local -Untrust]object-policy apply ip pass
[H3C-zone-pair-security-local -Untrust]quit
[H3C]zone-pair security source Trust destination Untrust
[H3C-zone-pair-security-Trust -Untrust]object-policy apply ip pass
[H3C-zone-pair-security-Trust -Untrust]quit
2. 通过命令“display cu | in security-policy”如果查到命令行存在“security-policy ip”并且没有查到“security-policy disable”,则使用下面策略配置。
[H3C]display cu | in security-policy
security-policy ip
创建安全策略并放通local到trust和trust到local的安全策略。
[H3C]security-policy ip
[H3C-security-policy-ip]rule 10 name test
[H3C-security-policy-ip-10-test]action pass
[H3C-security-policy-ip-10-test]source-zone local
[H3C-security-policy-ip-10-test]source-zone Trust
[H3C-security-policy-ip-10-test]source-zone Untrust
[H3C-security-policy-ip-10-test]destination-zone local
[H3C-security-policy-ip-10-test]destination-zone Trust
[H3C-security-policy-ip-10-test]destination-zone Untrust
[H3C-security-policy-ip-10-test]quit
2.3 汇聚交换机配置
#创建三层聚合接口并设置IP地址。
<H3C>system
[H3C]interface Route-Aggregation 1
[H3C-Route-Aggregation1]ip address 192.168.1.2 255.255.255.0
[H3C-Route-Aggregation1]link-aggregation selected-port maximum 1
[H3C-Route-Aggregation1]quit
#将1/0/4接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 1/0/4
[H3C-GigabitEthernet1/0/4]link-aggregation port-priority 10
[H3C-GigabitEthernet1/0/4]port link-aggregation group 1
[H3C-GigabitEthernet1/0/4]quit
#将1/0/5接口加入聚合组并设置聚合优先级。
[H3C]interface GigabitEthernet 1/0/5
[H3C-GigabitEthernet1/0/5]link-aggregation port-priority 100
[H3C-GigabitEthernet1/0/5]port link-aggregation group 1
[H3C-GigabitEthernet1/0/5]quit
3 检验配置结果
3.1.1 正常时查看冗余组状态
节点1为主用状态,节点二为备用状态。
[H3C-redundancy-group-aaa] display redundancy group aaa
Redundancy group aaa (ID 1):
Node ID Slot Priority Status Track weight
1 Slot1 100 Primary 255
2 Slot2 50 Secondary 255
Preempt delay time remained : 0 min
Preempt delay timer setting : 1 min
Remaining hold-down time : 0 sec
Hold-down timer setting : 1 sec
Manual switchover request : No
Member interfaces:
Node 1:
Node member Physical status
GE1/0/1 UP
GE1/0/3 UP
Track info:
Track Status Reduced weight Interface
1 Positive 255 GE1/0/1
2 Positive 255 GE1/0/3
Node 2:
Node member Physical status
GE2/0/2 UP
GE2/0/3 UP
Track info:
Track Status Reduced weight Interface
3 Positive 255 GE2/0/2
4 Positive 255 GE2/0/3
3.1.2 手动关闭1/0/1接口后时查看冗余组状态
查看到主备状态已经发生了变化,并且1/0/1与1/0/3的物理状态全部置为down。
[H3C] display redundancy group aaa
Redundancy group aaa (ID 1):
Node ID Slot Priority Status Track weight
1 Slot1 100 Secondary -255
2 Slot2 50 Primary 255
Preempt delay time remained : 0 min
Preempt delay timer setting : 1 min
Remaining hold-down time : 0 sec
Hold-down timer setting : 1 sec
Manual switchover request : No
Member interfaces:
Node 1:
Node member Physical status
GE1/0/1 DOWN(redundancy down)
GE1/0/3 DOWN
Track info:
Track Status Reduced weight Interface
1 Negative 255 GE1/0/1
2 Negative 255 GE1/0/2 (Fault)
Node 2:
Node member Physical status
GE2/0/2 UP
GE2/0/3 UP
Track info:
Track Status Reduced weight Interface
3 Positive 255 GE2/0/2
4 Positive 255 GE2/0/3
配置关键点
3.1.3 注意事项
1、配置冗余组后,所有加入冗余组的物理接口状态必须处于UP状态,否则会造成冗余组主备切换异常。
- 2020-11-18回答
- 评论(0)
- 举报
-
(0)
暂无评论
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论