• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

防火墙堆叠

2022-03-17提问
  • 0关注
  • 1收藏,2330浏览
粉丝:0人 关注:4人

问题描述:

防火墙做完堆叠,在做聚合后,这样是双主嘛,两个都可以转发流量嘛

组网及组网描述:


最佳答案

粉丝:17人 关注:2人

H3C NGFW设备跨设备聚合透明主备方案配置举例

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Copyright © 2016杭州华三通信技术有限公司 版权所有,保留一切权利。

非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,

并不得以任何形式传播。本文档中的信息可能变动,恕不另行通知。

 



简介

本文档介绍跨设备聚合透明主备方案配置,防火墙设备只做二层透传。

配置前提

本文档不严格与具体软、硬件版本对应,如果使用过程中与产品实际情况有差异,请以设备实际情况为准。

本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突。

本文档假设您已了解IRF特性、冗余组特性、链路聚合特性、安全域。

使用限制

·              F1000&F5000系列防火墙最多支持使用四台设备建立IRF

·              F1000&F5000系列防火墙中,只有相同型号的机型之间才能够建立IRF

·              参与组建IRFF1000&F5000系列防火墙必须使用相同的软件版本。

配置举例

4.1  组网需求

1所示,具体应用需求如下:

·              FW1050设备做纯二层透传,做IRF

·              在正常情况下,FW1050主接口被聚合口选中,同时为冗余组的主设备,流量走FW1050主;

·              当主FW1050的链路出现故障时,聚合口内成员口发生切换,冗余组的主备发生联动切换,流量切至备FW1050

·              当主FW1050的链路故障恢复后,由主FW1050继续承担流量转发功能;

图1 跨设备聚合透明主备方案配置组网图

 

4.2  配置思路

1、两台F10X0/F50X0组成IRF组网,与下游设备单臂互联,配置为纯二层;

2、互联链路可以是物理链路、子接口、vlan-interface,两台设备各出一个接口组成聚合口,设置聚合组中的最大选中端口数为1,同时设置主设备接口的聚合成员优先级高,此时备机的聚合成员接口down

3、上下游设备通过活动成员链路上送主设备;

4F10X0/F50X0上配置链路聚合本地优先,对于本地转发流量优先从本框出,避免横向流量,缺省情况下,聚合负载分担采用本地转发优先,对应命令link-aggregation load-sharing mode local-first

5、配置冗余组,主备设备track本设备聚合成员接口;

6、上下行设备配置OSPF的情况下,单纯聚合口切换不会导致OSPF路由重新收敛。

4.3  使用版本

本举例是在SecPath F1050 Ess 9310P11版本上进行配置和验证的。

4.4  配置注意事项

·              IRF的配置中,做MAD BFD检测vlan-interface1000要加入安全域trust中,否则MAD BFD检测报文不能通过防火墙,MAD BFD检测失败,无法正常工作;

·              防火墙设备上的二层聚合口及其成员口要带具体的vlan加入到对应的安全域中,否则报文无法通过防火墙;

·              防火墙做IRF,要开启会话同步功能,开启本地IP优先转发功能;

·              防火墙上要开启会话数据统计功能。

4.5  配置步骤

4.5.1  配置SW5560

(1)      创建聚合口,配置物理口并加入到聚合口中

# 创建三层路由聚合口,配置IP地址。

<SW5560_1> system-view

[SW5560_1] interface Route-Aggregation 1

[SW5560_1-Route-Aggregation1] ip address 10.1.255.69 255.255.255.252

# 配置聚合链路成员口最大选中数为1

[SW5560_1-Route-Aggregation1] link-aggregation selected-port maximum 1

[SW5560_1-Route-Aggregation1] quit

# 配置物理接口。

[SW5560_1] interface GigabitEthernet 1/0/12

[SW5560_1-GigabitEthernet1/0/12] port link-mode route

# 配置高优先级10

[SW5560_1-GigabitEthernet1/0/12] link-aggregation port-priority 10

# 加入三层聚合口1中。

[SW5560_1-GigabitEthernet1/0/12] port link-aggregation group 1

# 配置另一个物理接口。

[SW5560_1] interface GigabitEthernet1/0/13

[SW5560_1-GigabitEthernet1/0/13] port link-mode route

# 配置低优先级100

[SW5560_1-GigabitEthernet1/0/13] link-aggregation port-priority 100

# 加入三层聚合口1中。

[SW5560_1-GigabitEthernet1/0/12] port link-aggregation group 1

[SW5560_1-GigabitEthernet1/0/12] quit

(2)      配置本地LoopBack口,用来做pingftp测试。

[SW5560_1] interface LoopBack1

[SW5560_1-LoopBack1] ip address 192.168.0.1 255.255.255.255

[SW5560_1-LoopBack1] quit

(3)      配置OSPF进程并把对应网段路由加入OSPF进程中。

[SW5560_1] ospf 64

[SW5560_1-ospf-64] area 0.0.0.0

[SW5560_1-ospf-64-area-0.0.0.0] network 10.1.255.68 0.0.0.3

[SW5560_1-ospf-64-area-0.0.0.0] network 192.168.0.1 0.0.0.0

[SW5560_1-ospf-64-area-0.0.0.0] quit

[SW5560_1-ospf-64] quit

4.5.2  配置FW1050

(1)      FWIRF

# 配置Device A

<Sysname> system-view

# 配置IRF高优先级。

[Sysname] irf member 1 priority 10

# 配置IRF端口1/2,并将它与物理端口GigabitEthernet1/0/1绑定,并保存配置。

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] shutdown

[Sysname-GigabitEthernet1/0/1] quit

[Sysname] irf-port 1/2

[Sysname-irf-port1/2] port group interface gigabitethernet 1/0/1

[Sysname-irf-port1/2] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] undo shutdown

[Sysname-Ten-GigabitEthernet1/0/1] quit

[Sysname] save

# 激活IRF端口下的配置。

[Sysname] irf-port-configuration active

# 配置Device B

# Device B的成员编号配置为2,并重启设备使新编号生效,irf member 2优先级为默认1

<Sysname> system-view

[Sysname] irf member 1 renumber 2

Warning: Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y

[Sysname] quit

<Sysname> reboot

# 设备之间进行IRF物理连线。

# 重新登录到设备,配置IRF端口2/1,并将它与物理端口GigabitEthernet2/0/1绑定,并保存配置。

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] shutdown

[Sysname-GigabitEthernet2/0/1] quit

[Sysname] irf-port 2/1

[Sysname-irf-port2/1] port group interface gigabitethernet 2/0/1

[Sysname-irf-port2/1] quit

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] undo shutdown

[Sysname-GigabitEthernet2/0/1] quit

[Sysname] save

# 激活IRF端口下的配置。

[Sysname] irf-port-configuration active

# Device ADevice B间将会进行主设备竞选,竞选失败的一方将重启,重启完成后,IRF形成。

(2)      配置MAD BFD检测方式来监测IRF的状态

# 创建VLAN 1000,并将Device A(成员编号为1)上的端口1/0/15Device B(成员编号为2)上的端口2/0/15加入VLAN中。

[Sysname] vlan 1000

[Sysname-vlan3] port gigabitethernet 1/0/15 gigabitethernet 2/0/15

[Sysname-vlan3] quit

# 创建VLAN接口1000,并配置MAD IP地址。

[Sysname] interface Vlan-interface1000

[Sysname-Vlan-interface1000] mad bfd enable

[Sysname-Vlan-interface1000] mad ip address 192.168.100.1 255.255.255.0 member 1

[Sysname-Vlan-interface1000] mad ip address 192.168.100.2 255.255.255.0 member 2

[Sysname-Vlan-interface1000] quit

# 使能全局STP功能

[Sysname] stp global enable

# 因为BFD MAD和生成树功能互斥,所以在GigabitEthernet1/0/15GigabitEthernet2/0/15上关闭生成树协议。

[Sysname] interface GigabitEthernet1/0/15

[Sysname-gigabitethernet-1/0/15] undo stp enable

[Sysname-gigabitethernet-1/0/15] quit

[Sysname] interface GigabitEthernet2/0/15

[Sysname-gigabitethernet-2/0/15] undo stp enable

[Sysname-gigabitethernet-2/0/15] quit

(3)      开启本地IP优先转发功能

[Sysname] ip load-sharing local-first enable

(4)      开启会话同步功能

[Sysname] session synchronization enable

(5)      开启会话数据统计功能

[Sysname] session statistics enable

(6)      创建聚合口,配置物理口并加入到对应聚合口中。

# 创建VLAN 100FW与上下行设备连接的端口做二层透传。

[Sysname] vlan 100

# 创建二层聚合口1,把FW与上行SW相连的端口加入该聚合口。

[Sysname] interface Bridge-Aggregation1

[Sysname-Bridge-Aggregation1] port access vlan 100

# 配置聚合链路成员口最大选中数为1

[Sysname-Bridge-Aggregation1] link-aggregation selected-port maximum 1

# 把对应物理口加入二层聚合口1中,并配置链路聚合端口的优先级。

[Sysname] interface GigabitEthernet1/0/13

[Sysname-gigabitethernet-1/0/13] port link-mode bridge

[Sysname-gigabitethernet-1/0/13] port access vlan 100

# 配置端口高优先级10

[Sysname-gigabitethernet-1/0/13] link-aggregation port-priority 10

# 加入链路聚合口1

[Sysname-gigabitethernet-1/0/13] port link-aggregation group 1

# 配置备设备上与上行SW连接的端口,加入VLAN 100

[Sysname] interface GigabitEthernet2/0/13

[Sysname-gigabitethernet-2/0/13] port link-mode bridge

[Sysname-gigabitethernet-2/0/13] port access vlan 100

# 配置低优先级100

[Sysname-gigabitethernet-2/0/13] link-aggregation port-priority 100

# 加入链路聚合口1

[Sysname-gigabitethernet-2/0/13] port link-aggregation group 1

[Sysname-gigabitethernet-2/0/13] quit

# 同理,创建二层聚合口2

[Sysname] interface Bridge-Aggregation2

[Sysname-Bridge-Aggregation2] port access vlan 100

# 配置聚合链路成员口最大选中数为1

[Sysname-Bridge-Aggregation1] link-aggregation selected-port maximum 1

# 把主FW与下行SW相连的端口加入该聚合口2,并配置成员端口为高优先级。

[Sysname] interface GigabitEthernet1/0/16

[Sysname-gigabitethernet-1/0/16] port link-mode bridge

[Sysname-gigabitethernet-1/0/16] port access vlan 100

[Sysname-gigabitethernet-1/0/16] link-aggregation port-priority 10

[Sysname-gigabitethernet-1/0/16] port link-aggregation group 2

[Sysname-gigabitethernet-1/0/16] quit

# 把备FW与下行SW相连的端口加入该聚合口2,并配置成员端口为低优先级。

[Sysname] interface GigabitEthernet2/0/16

[Sysname-gigabitethernet-2/0/16] port link-mode bridge

[Sysname-gigabitethernet-2/0/16] port access vlan 100

[Sysname-gigabitethernet-2/0/16] link-aggregation port-priority 100

[Sysname-gigabitethernet-2/0/16] port link-aggregation group 2

[Sysname-gigabitethernet-2/0/16] quit

(7)      配置安全域,并把端口加入到对应的安全域中。

# 在默认的trust域中添加成员口,二层口要带对应VLAN

[Sysname] security-zone name Trust

# MAD BFD检测的vlan-interface1000加入trust域,否则MAD BFD检测报文无法通过,导致检测失败。

[Sysname-security-zone-Trust] import interface Vlan-interface1000

# FW与上行SW连接的二层口加入trust域。

[Sysname-security-zone-Trust] import interface Bridge-Aggregation1 vlan 100

[Sysname-security-zone-Trust] import interface GigabitEthernet1/0/13 vlan 100

[Sysname-security-zone-Trust] import interface GigabitEthernet2/0/13 vlan 100

[Sysname-security-zone-Trust] quit

# FW与下行SW连接的二层口加入untrust域。

[Sysname] security-zone name Untrust

[Sysname-security-zone-Untrust] import interface Bridge-Aggregation2 vlan 100

[Sysname-security-zone-Untrust] import interface GigabitEthernet1/0/16 vlan 100

[Sysname-security-zone-Untrust] import interface GigabitEthernet2/0/16 vlan 100

[Sysname-security-zone-Untrust] quit

# 默认Management域,把管理口加入管理域中。

[Sysname] security-zone name Management

[Sysname-security-zone-Management] import interface GigabitEthernet1/0/0

[Sysname-security-zone-Management] quit

(8)      配置对象策略为全放行,域间策略里应用相应的对象策略

[Sysname] object-policy ip Local-Trust

[Sysname-object-policy-ip-Local-Trust] rule 0 pass

[Sysname-object-policy-ip-Local-Trust] quit

# 其他对象策略同上

[Sysname] object-policy ip Local-Untrust

[Sysname-object-policy-ip-Local-Untrust] rule 0 pass

[Sysname-object-policy-ip-Local-Untrust] quit

[Sysname] object-policy ip Management-Local

[Sysname-object-policy-ip- Management-Local] rule 0 pass

[Sysname-object-policy-ip- Management-Local] quit

[Sysname] object-policy ip Trust-Local

[Sysname-object-policy-ip-Trust -Local] rule 0 pass

[Sysname-object-policy-ip-Trust -Local] quit

[Sysname]object-policy ip Trust-Untrust

[Sysname-object-policy-ip-Trust - Untrust]rule 0 pass

[Sysname-object-policy-ip-Trust - Untrust]quit

[Sysname] object-policy ip Untrust-Local

[Sysname-object-policy-ip- Untrust-Local] rule 0 pass

[Sysname-object-policy-ip- Untrust-Local] quit

[Sysname] object-policy ip Untrust-Trust

[Sysname-object-policy-ip- Untrust-Trust] rule 0 pass

[Sysname-object-policy-ip- Untrust-Trust] quit

# 配置域间策略,应用相应的对象策略。

[Sysname] zone-pair security source Local destination Trust

[Sysname-zone-pair-security-Local-Trust] object-policy apply ip Local-Trust

[Sysname-zone-pair-security-Local-Trust] quit

[Sysname] zone-pair security source Local destination Untrust

[Sysname-zone-pair-security-Local-Untrust] object-policy apply ip Local-Untrust

[Sysname-zone-pair-security-Local-Untrust] quit

[Sysname] zone-pair security source Management destination Local

[Sysname-zone-pair-security- Management-Local] object-policy apply ip Management-Local

[Sysname-zone-pair-security- Management-Local] quit

[Sysname] zone-pair security source Trust destination Local

[Sysname-zone-pair-security- Trust-Local] object-policy apply ip Trust-Local

[Sysname-zone-pair-security- Trust-Local] quit

[Sysname] zone-pair security source Trust destination Untrust

[Sysname-zone-pair-security- Trust- Untrust] object-policy apply ip Trust-Untrust

[Sysname-zone-pair-security- Trust- Untrust] quit

[Sysname] zone-pair security source Untrust destination Local

[Sysname-zone-pair-security- Untrust- Local] object-policy apply ip Untrust-Local

[Sysname-zone-pair-security- Untrust- Local] quit

[Sysname] zone-pair security source Untrust destination Trust

[Sysname-zone-pair-security- Untrust- Trust] object-policy apply ip Untrust-Trust

[Sysname-zone-pair-security- Untrust- Trust] quit

(9)      配置track项,track物理接口

[Sysname] track 7 interface GigabitEthernet2/0/13 physical

[Sysname] track 8 interface GigabitEthernet2/0/16 physical

[Sysname] track 9 interface GigabitEthernet1/0/13 physical

[Sysname] track 10 interface GigabitEthernet1/0/16 physical

(10)   配置冗余组

[Sysname] redundancy group 2

# 添加node1

[Sysname-redundancy-group-2] node 1

[Sysname-redundancy-group-2-node-1] bind slot 1

# 配置为高优先级。

[Sysname-redundancy-group-2-node-1] priority 100

# node1节点里track对应接口。

[Sysname-redundancy-group-2-node-1] track 9 interface GigabitEthernet1/0/13

[Sysname-redundancy-group-2-node-1] track 10 interface GigabitEthernet1/0/16

[Sysname-redundancy-group-2-node-1] node-member interface GigabitEthernet1/0/13

[Sysname-redundancy-group-2-node-1] node-member interface GigabitEthernet1/0/16

[Sysname-redundancy-group-2-node-1] quit

# 添加node2

[Sysname-redundancy-group-2] node 2

[Sysname-redundancy-group-2-node-2] bind slot 2

# 配置为低优先级。

[Sysname-redundancy-group-2-node-2] priority 50

# node2节点里track对应接口。

[Sysname-redundancy-group-2-node-2] track 7 interface GigabitEthernet2/0/13

[Sysname-redundancy-group-2-node-2] track 8 interface GigabitEthernet2/0/16

[Sysname-redundancy-group-2-node-2] node-member interface GigabitEthernet2/0/13

[Sysname-redundancy-group-2-node-2] node-member interface GigabitEthernet2/0/16

[Sysname-redundancy-group-2-node-2] quit

[Sysname-redundancy-group-2] quit

4.5.3  配置SW6800

(1)      SWIRF,配置BFD MAD

FW,此处略

(2)      接口配置,包括二层聚合口和成员口配置

# 创建vlan581

<SW6800_IRF> system-view

[SW6800_IRF] vlan 581

# 创建vlan-ingterface581

[SW6800_IRF] interface Vlan-interface581

[SW6800_IRF-Vlan-interface581] description to fw-1

[SW6800_IRF-Vlan-interface581] ip address 10.1.255.70 255.255.255.252

[SW6800_IRF-Vlan-interface581] quit

# 创建二层聚合口2,并加入vlan581,配置链路聚合最大选中端口数为1

[SW6800_IRF] interface Bridge-Aggregation2

[SW6800_IRF-Bridge-Aggregation2] port access vlan 581

[SW6800_IRF-Bridge-Aggregation2] link-aggregation selected-port maximum 1

# 配置LoopBack1地址。

[SW6800_IRF] interface LoopBack1

[SW6800_IRF-LoopBack1] ip address 192.168.0.2 255.255.255.255

# 添加聚合成员口,配置成员口高低优先级。

[SW6800_IRF] interface Ten-GigabitEthernet1/1/3

[SW6800_IRF-Ten-GigabitEthernet1/1/3] port link-mode bridge

[SW6800_IRF-Ten-GigabitEthernet1/1/3] port access vlan 581

# SW与主FW连接的接口配置为高优先级。

[SW6800_IRF-Ten-GigabitEthernet1/1/3] link-aggregation port-priority 10

[SW6800_IRF-Ten-GigabitEthernet1/1/3] port link-aggregation group 2

[SW6800_IRF-Ten-GigabitEthernet1/1/3] quit

#

[SW6800_IRF] interface Ten-GigabitEthernet2/1/3

[SW6800_IRF-Ten-GigabitEthernet2/1/3] port link-mode bridge

[SW6800_IRF-Ten-GigabitEthernet2/1/3] port access vlan 581

# SW与备FW连接的接口配置为低优先级。

[SW6800_IRF-Ten-GigabitEthernet2/1/3] link-aggregation port-priority 100

[SW6800_IRF-Ten-GigabitEthernet2/1/3] port link-aggregation group 2

[SW6800_IRF-Ten-GigabitEthernet2/1/3] quit

(3)      配置ospf进程并把对应网段路由加入OSPF进程中

[SW6800_IRF] ospf 64

[SW6800_IRF-ospf-64] area 0.0.0.0

[SW6800_IRF-ospf-64-area-0.0.0.0] network 10.1.255.68 0.0.0.3

[SW6800_IRF-ospf-64-area-0.0.0.0] network 192.168.0.2 0.0.0.0

[SW6800_IRF-ospf-64-area-0.0.0.0] quit

[SW6800_IRF-ospf-64] quit

4.6  验证配置

(1)      无故障,(主走slot1

<SW6800_IRF>display ospf peer

 

                  OSPF Process 64 with Router ID 192.168.0.2

                        Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 192.168.0.1     10.1.255.69     1   32         Full/BDR          Vlan581

<SW6800_IRF>ping -c 10000 -a 192.168.0.2 192.168.0.1

<133_1060_IRF_1050>display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 29s

Initiator->Responder:          129 packets      12642 bytes

Responder->Initiator:          129 packets      12642 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: INACTIVE

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 274s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

 

Total sessions found: 1

(2)      主链路故障:(ospf peer始终保持一个,流量切至slot2ping包丢一个

[133_1060_IRF_1050-GigabitEthernet1/0/16]shut

<SW6800_IRF>display ospf peer

 

                  OSPF Process 64 with Router ID 192.168.0.2

                        Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 192.168.0.1     10.1.255.69     1   37         Full/BDR          Vlan581

[133_1060_IRF_1050-GigabitEthernet1/0/16]display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 11s

Initiator->Responder:          787 packets      77126 bytes

Responder->Initiator:          787 packets      77126 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 29s

Initiator->Responder:           79 packets       7742 bytes

Responder->Initiator:           79 packets       7742 bytes

 

Total sessions found: 1

[133_1060_IRF_1050-GigabitEthernet1/0/16]

[133_1060_IRF_1050-GigabitEthernet1/0/16]display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 8s

Initiator->Responder:          787 packets      77126 bytes    //包数不增长

Responder->Initiator:          787 packets      77126 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 29s

Initiator->Responder:           92 packets       9016 bytes     //包数增长

Responder->Initiator:           92 packets       9016 bytes

 

Total sessions found: 1

[133_1060_IRF_1050]display redundancy group 2

Redundancy group 2 (ID 2):

  Node ID      Slot          Priority   Status        Track weight

  1            Slot1         100        Secondary     -255

  2            Slot2         50         Primary       255

 

Preempt delay time remained     : 0    min

Preempt delay timer setting     : 1    min

Remaining hold-down time        : 0    sec

Hold-down timer setting         : 1    sec

Manual switchover request       : No

 

Member interfaces:

 

Node 1:

  Node member     Physical status

    GE1/0/13      DOWN(redundancy down)

    GE1/0/16      DOWN

  Track info:

    Track    Status       Reduced weight     Interface

    9        Negative     255                GE1/0/13

    10       Negative     255                GE1/0/16(Fault)

Node 2:

  Node member     Physical status

    GE2/0/13      UP

    GE2/0/16      UP

  Track info:

    Track    Status       Reduced weight     Interface

    7        Positive     255                GE2/0/13

8        Positive     255                GE2/0/16

(3)      主链路故障故障恢复:(流量恢复走slot1ping包丢一至两个)

[133_1060_IRF_1050-GigabitEthernet1/0/16]display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:58:42  TTL: 29s

Initiator->Responder:          499 packets      48902 bytes

Responder->Initiator:          499 packets      48902 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: INACTIVE

Application: OTHER

Start time: 2015-12-11 18:58:42  TTL: 199s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

 

Total sessions found: 1

4.7  配置文件

(1)      设备SW5560

<SW5560_1>

irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 1

#

ospf 64

area 0.0.0.0

  network 10.1.255.68 0.0.0.3

  network 192.168.0.1 0.0.0.0

#

interface Route-Aggregation1

 ip address 10.1.255.69 255.255.255.252

 link-aggregation selected-port maximum 1

#

interface NULL0

#

interface LoopBack1

 ip address 192.168.0.1 255.255.255.255

#

interface GigabitEthernet1/0/12

 port link-mode route

 link-aggregation port-priority 10

 port link-aggregation group 1

#

interface GigabitEthernet1/0/13

 port link-mode route

 link-aggregation port-priority 100

 port link-aggregation group 1

(2)      设备FW1050

<133_1060_IRF_1050>

irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 10

 irf member 2 priority 1

#

 ip load-sharing local-first enable

#

vlan 100

#

vlan 1000

#

irf-port 1/2

 port group interface GigabitEthernet1/0/1

#

irf-port 2/1

 port group interface GigabitEthernet2/0/1

#

 stp global enable

#

interface Bridge-Aggregation1

 port access vlan 100

 link-aggregation selected-port maximum 1

#

interface Bridge-Aggregation2

 port access vlan 100

 link-aggregation selected-port maximum 1

#

interface Vlan-interface1000

 mad bfd enable

 mad ip address 192.168.100.1 255.255.255.0 member 1

 mad ip address 192.168.100.2 255.255.255.0 member 2

#

interface GigabitEthernet1/0/13

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 10

 port link-aggregation group 1

#

interface GigabitEthernet1/0/15

 port link-mode bridge

 description ***bfd mad***

 port access vlan 1000

 undo stp enable

#

interface GigabitEthernet1/0/16

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 10

 port link-aggregation group 2

#

interface GigabitEthernet2/0/13

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 100

 port link-aggregation group 1

#

interface GigabitEthernet2/0/15

 port link-mode bridge

 description ***bfd mad***

 port access vlan 1000

 undo stp enable

#

interface GigabitEthernet2/0/16

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 100

 port link-aggregation group 2

#

object-policy ip Local-Trust

 rule 0 pass

#

object-policy ip Local-Untrust

 rule 0 pass

#

object-policy ip Management-Local

 rule 0 pass

#

object-policy ip Trust-Local

 rule 0 pass

#

object-policy ip Trust-Untrust

 rule 0 pass

#

object-policy ip Untrust-Local

 rule 0 pass

#

object-policy ip Untrust-Trust

 rule 0 pass

#

security-zone name Local

#

security-zone name Trust

import interface Vlan-interface1000

import interface Bridge-Aggregation1 vlan 100

 import interface GigabitEthernet1/0/13 vlan 100

 import interface GigabitEthernet2/0/13 vlan 100

#

security-zone name DMZ

#

security-zone name Untrust

import interface Bridge-Aggregation2 vlan 100

 import interface GigabitEthernet1/0/16 vlan 100

 import interface GigabitEthernet2/0/16 vlan 100

#

security-zone name Management

 import interface GigabitEthernet1/0/0

#

zone-pair security source Local destination Trust

 object-policy apply ip Local-Trust

#

zone-pair security source Local destination Untrust

 object-policy apply ip Local-Untrust

#

zone-pair security source Management destination Local

 object-policy apply ip Management-Local

#

zone-pair security source Trust destination Local

 object-policy apply ip Trust-Local

#

zone-pair security source Trust destination Untrust

 object-policy apply ip Trust-Untrust

#

zone-pair security source Untrust destination Local

 object-policy apply ip Untrust-Local

#

zone-pair security source Untrust destination Trust

 object-policy apply ip Untrust-Trust

#

redundancy group 2

 node 1

  bind slot 1

  priority 100

  track 9 interface GigabitEthernet1/0/13

  track 10 interface GigabitEthernet1/0/16

  node-member interface GigabitEthernet1/0/13

  node-member interface GigabitEthernet1/0/16

 node 2

  bind slot 2

  priority 50

  track 7 interface GigabitEthernet2/0/13

  track 8 interface GigabitEthernet2/0/16

  node-member interface GigabitEthernet2/0/13

  node-member interface GigabitEthernet2/0/16

#

session statistics enable

session synchronization enable

#

track 7 interface GigabitEthernet2/0/13 physical

 track 8 interface GigabitEthernet2/0/16 physical

 track 9 interface GigabitEthernet1/0/13 physical

 track 10 interface GigabitEthernet1/0/16 physical

(3)      设备SW6800

<SW6800_IRF>

#

 irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 10

 irf member 2 priority 1

 irf mode normal

#

ospf 64

 area 0.0.0.0

  network 10.1.255.68 0.0.0.3

  network 192.168.0.2 0.0.0.0

#

vlan 581

#

vlan 3000

#

irf-port 1/2

 port group interface Ten-GigabitEthernet1/1/1

#

irf-port 2/1

 port group interface Ten-GigabitEthernet2/1/1

#

interface Bridge-Aggregation2

 description ithi

 port access vlan 581

 link-aggregation selected-port maximum 1

#

interface LoopBack1

 ip address 192.168.0.2 255.255.255.255

#

interface Vlan-interface581

 description to fw-1

 ip address 10.1.255.70 255.255.255.252

 ospf bfd enable

 bfd min-transmit-interval 500

 bfd min-receive-interval 500

#

interface Vlan-interface3000

 mad bfd enable

 mad ip address 192.168.2.1 255.255.255.0 member 1

 mad ip address 192.168.2.2 255.255.255.0 member 2

#

interface M-GigabitEthernet0/0/0

 ip address 192.168.218.135 255.255.255.0

#

interface Ten-GigabitEthernet1/1/2

 port link-mode bridge

 description bfd mad

 port access vlan 3000

 undo stp enable

#

interface Ten-GigabitEthernet1/1/3

 port link-mode bridge

 port access vlan 581

 link-aggregation port-priority 10

 port link-aggregation group 2

#

interface Ten-GigabitEthernet2/1/2

 port link-mode bridge

 description bfd mad

 port access vlan 3000

 undo stp enable

#

interface Ten-GigabitEthernet2/1/3

 port link-mode bridge

 port access vlan 581

 link-aggregation port-priority 100

 port link-aggregation group 2

故障排除

(1)      检测BFD MAD是否工作正常

<F1050-IRF>display mad verbose

Multi-active recovery state: No

Excluded ports (user-configured):

Excluded ports (system-configured):

  GigabitEthernet1/0/1

  GigabitEthernet2/0/1

MAD ARP disabled.

MAD ND disabled.

MAD LACP disabled.

MAD BFD enabled interface: Vlan-interface1000

  MAD status                 : Normal

  Member ID   MAD IP address       Neighbor   MAD status

  1           192.168.100.1/24     2          Normal

  2           192.168.100.2/24     1          Normal

(2)      检测链路组是否工作正常

<F1050-IRF>display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

  Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  GE1/0/13         S       10       4

  GE2/0/13         U       100      4

 

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static

Loadsharing Type: Shar

  Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  GE1/0/16         S       10       1

  GE2/0/16         U       100      1

(3)      检测冗余组状态是否工作正常

<F1050-IRF>display redundancy group 2

Redundancy group 2 (ID 2):

  Node ID      Slot          Priority   Status        Track weight

  1            Slot1         100        Primary       255

  2            Slot2         50         Secondary     255

 

Preempt delay time remained     : 0    min

Preempt delay timer setting     : 1    min

Remaining hold-down time        : 0    sec

Hold-down timer setting         : 1    sec

Manual switchover request       : No

 

Member interfaces:

 

Node 1:

  Node member     Physical status

    GE1/0/13      UP

    GE1/0/16      UP

  Track info:

    Track    Status       Reduced weight     Interface

    9        Positive     255                GE1/0/13

    10       Positive     255                GE1/0/16

Node 2:

  Node member     Physical status

    GE2/0/13      UP

    GE2/0/16      UP

  Track info:

    Track    Status       Reduced weight     Interface

    7        Positive     255                GE2/0/13

    8        Positive     255                GE2/0/16

暂无评论

1 个回答
知了小白
粉丝: 关注:

# 配置会话同步。
[Sysname]session synchronization enable
[Sysname]session synchronization dns
[Sysname]session synchronization http
# 开启会话的双主功能。
<Sysname> system-view
[Sysname] session dual-active enable
# 配置双主模式下会话的创建方式为哈希算法方式。
[Sysname] session dual-active create-mode hash

暂无评论

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明