
Firewall stacking

Asked 2022-03-17
  • 0 followers
  • 1 favorite, 1453 views
Fans: 0 Following: 4

Problem description:

After the firewalls are stacked and link aggregation is configured, is this dual-active? Can both of them forward traffic?

Network topology and description:


Best answer

Fans: 17 Following: 2

H3C NGFW cross-device aggregation transparent active/standby configuration example

Copyright © 2016 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this document may be excerpted, reproduced or distributed in any form by any entity or individual without the prior written permission of the company. The information in this document is subject to change without notice.

Overview

This document describes the configuration of a cross-device aggregation transparent active/standby solution in which the firewalls perform Layer 2 transparent forwarding only.

Prerequisites

This document does not strictly correspond to specific software or hardware versions. If the product behaves differently from what is described here, the actual device behaviour prevails.

The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in this example.

This document assumes you are familiar with the IRF, redundancy group, link aggregation, and security zone features.

Restrictions

· F1000 and F5000 series firewalls support at most four devices in one IRF fabric.

· Among F1000 and F5000 series firewalls, only devices of the same model can form an IRF fabric.

· F1000 and F5000 series firewalls participating in an IRF fabric must run the same software version.

Configuration example

4.1  Network requirements

As shown in Figure 1, the requirements are as follows:

· The FW1050 devices perform Layer 2 transparent forwarding only and form an IRF fabric.

· Under normal conditions, the interface on the primary FW1050 is the selected port of the aggregation group, and the primary FW1050 is also the master of the redundancy group, so traffic flows through the primary FW1050.

· When a link on the primary FW1050 fails, the selected member port of the aggregation group switches over, the redundancy group performs a linked master/backup switchover, and traffic moves to the backup FW1050.

· When the link on the primary FW1050 recovers, the primary FW1050 resumes forwarding traffic.

Figure 1 Network diagram for the cross-device aggregation transparent active/standby solution (figure not reproduced)

4.2  Configuration approach

1. Two F10X0/F50X0 devices form an IRF fabric, are connected to the downstream device in one-arm mode, and are configured as pure Layer 2.

2. The interconnecting links can be physical links, subinterfaces, or VLAN interfaces. Each of the two devices contributes one interface to form an aggregate interface. Set the maximum number of selected ports in the aggregation group to 1 and give the primary device's interface the higher aggregation member priority, so that the backup device's member interface is down (unselected).

3. The upstream and downstream devices send traffic to the primary device over the active member link.

4. On the F10X0/F50X0, configure local-first link aggregation so that locally forwarded traffic preferentially leaves through the local chassis, avoiding cross-chassis traffic. By default, aggregation load sharing uses local-first forwarding; the corresponding command is link-aggregation load-sharing mode local-first.

5. Configure a redundancy group in which the primary and backup devices each track their own aggregation member interfaces.

6. When the upstream and downstream devices run OSPF, a pure aggregation port switchover does not cause OSPF routes to reconverge.

4.3  Software version

This example was configured and verified on SecPath F1050 Ess 9310P11.

4.4  Configuration notes

· In the IRF configuration, the BFD MAD VLAN-interface 1000 must be added to the Trust security zone; otherwise MAD BFD packets cannot pass through the firewall, MAD BFD detection fails, and MAD does not work.

· The Layer 2 aggregate interfaces and their member ports on the firewall must be added to the corresponding security zone together with their specific VLAN; otherwise packets cannot pass through the firewall.

· When firewalls form an IRF fabric, enable session synchronization and local-first IP forwarding.

· Enable session statistics on the firewall.

4.5  Configuration procedure

4.5.1  Configure SW5560

(1) Create the aggregate interface, configure the physical ports, and add them to the aggregate interface

# Create a Layer 3 route aggregate interface and assign an IP address.

<SW5560_1> system-view

[SW5560_1] interface Route-Aggregation 1

[SW5560_1-Route-Aggregation1] ip address 10.1.255.69 255.255.255.252

# Set the maximum number of selected member ports to 1

[SW5560_1-Route-Aggregation1] link-aggregation selected-port maximum 1

[SW5560_1-Route-Aggregation1] quit

# Configure the physical interface.

[SW5560_1] interface GigabitEthernet 1/0/12

[SW5560_1-GigabitEthernet1/0/12] port link-mode route

# Configure a high port priority of 10

[SW5560_1-GigabitEthernet1/0/12] link-aggregation port-priority 10

# Add the port to Layer 3 aggregate interface 1.

[SW5560_1-GigabitEthernet1/0/12] port link-aggregation group 1

# Configure the other physical interface.

[SW5560_1] interface GigabitEthernet1/0/13

[SW5560_1-GigabitEthernet1/0/13] port link-mode route

# Configure a low port priority of 100

[SW5560_1-GigabitEthernet1/0/13] link-aggregation port-priority 100

# Add the port to Layer 3 aggregate interface 1 (the view here is GigabitEthernet1/0/13; the original showed the 1/0/12 prompt by mistake).

[SW5560_1-GigabitEthernet1/0/13] port link-aggregation group 1

[SW5560_1-GigabitEthernet1/0/13] quit

(2) Configure a local LoopBack interface for ping and FTP tests.

[SW5560_1] interface LoopBack1

[SW5560_1-LoopBack1] ip address 192.168.0.1 255.255.255.255

[SW5560_1-LoopBack1] quit

(3) Configure the OSPF process and advertise the corresponding networks in it.

[SW5560_1] ospf 64

[SW5560_1-ospf-64] area 0.0.0.0

[SW5560_1-ospf-64-area-0.0.0.0] network 10.1.255.68 0.0.0.3

[SW5560_1-ospf-64-area-0.0.0.0] network 192.168.0.1 0.0.0.0

[SW5560_1-ospf-64-area-0.0.0.0] quit

[SW5560_1-ospf-64] quit

4.5.2  Configure FW1050

(1) Set up IRF on the FWs

# Configure Device A

<Sysname> system-view

# Configure a high IRF member priority.

[Sysname] irf member 1 priority 10

# Configure IRF port 1/2, bind it to physical port GigabitEthernet1/0/1, and save the configuration.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] shutdown

[Sysname-GigabitEthernet1/0/1] quit

[Sysname] irf-port 1/2

[Sysname-irf-port1/2] port group interface gigabitethernet 1/0/1

[Sysname-irf-port1/2] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] undo shutdown

[Sysname-GigabitEthernet1/0/1] quit

[Sysname] save

# Activate the IRF port configuration.

[Sysname] irf-port-configuration active

# Configure Device B

# Set the member ID of Device B to 2 and reboot the device for the new ID to take effect; irf member 2 keeps the default priority of 1

<Sysname> system-view

[Sysname] irf member 1 renumber 2

Warning: Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y

[Sysname] quit

<Sysname> reboot

# Connect the IRF physical links between the devices.

# Log back in to the device, configure IRF port 2/1, bind it to physical port GigabitEthernet2/0/1, and save the configuration.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] shutdown

[Sysname-GigabitEthernet2/0/1] quit

[Sysname] irf-port 2/1

[Sysname-irf-port2/1] port group interface gigabitethernet 2/0/1

[Sysname-irf-port2/1] quit

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] undo shutdown

[Sysname-GigabitEthernet2/0/1] quit

[Sysname] save

# Activate the IRF port configuration.

[Sysname] irf-port-configuration active

# Device A and Device B hold a master election; the losing device reboots, and once it comes back up the IRF fabric is formed.

(2) Configure BFD MAD to monitor the IRF state

# Create VLAN 1000 and add port 1/0/15 on Device A (member ID 1) and port 2/0/15 on Device B (member ID 2) to the VLAN.

[Sysname] vlan 1000

[Sysname-vlan1000] port gigabitethernet 1/0/15 gigabitethernet 2/0/15

[Sysname-vlan1000] quit

# Create VLAN-interface 1000 and configure the MAD IP addresses.

[Sysname] interface Vlan-interface1000

[Sysname-Vlan-interface1000] mad bfd enable

[Sysname-Vlan-interface1000] mad ip address 192.168.100.1 255.255.255.0 member 1

[Sysname-Vlan-interface1000] mad ip address 192.168.100.2 255.255.255.0 member 2

[Sysname-Vlan-interface1000] quit

# Enable STP globally

[Sysname] stp global enable

# Because BFD MAD and spanning tree are mutually exclusive, disable spanning tree on GigabitEthernet1/0/15 and GigabitEthernet2/0/15.

[Sysname] interface GigabitEthernet1/0/15

[Sysname-gigabitethernet-1/0/15] undo stp enable

[Sysname-gigabitethernet-1/0/15] quit

[Sysname] interface GigabitEthernet2/0/15

[Sysname-gigabitethernet-2/0/15] undo stp enable

[Sysname-gigabitethernet-2/0/15] quit

(3) Enable local-first IP forwarding

[Sysname] ip load-sharing local-first enable

(4) Enable session synchronization

[Sysname] session synchronization enable

(5) Enable session statistics

[Sysname] session statistics enable

(6) Create the aggregate interfaces, configure the physical ports, and add them to the corresponding aggregate interfaces.

# Create VLAN 100; the FW ports connecting to the upstream and downstream devices perform Layer 2 transparent forwarding in it.

[Sysname] vlan 100

# Create Layer 2 aggregate interface 1 and add the FW ports connected to the upstream SW to it.

[Sysname] interface Bridge-Aggregation1

[Sysname-Bridge-Aggregation1] port access vlan 100

# Set the maximum number of selected member ports to 1

[Sysname-Bridge-Aggregation1] link-aggregation selected-port maximum 1

# Add the corresponding physical ports to Layer 2 aggregate interface 1 and configure the link aggregation port priority.

[Sysname] interface GigabitEthernet1/0/13

[Sysname-gigabitethernet-1/0/13] port link-mode bridge

[Sysname-gigabitethernet-1/0/13] port access vlan 100

# Configure a high port priority of 10

[Sysname-gigabitethernet-1/0/13] link-aggregation port-priority 10

# Add the port to aggregate interface 1

[Sysname-gigabitethernet-1/0/13] port link-aggregation group 1

# Configure the port on the backup device that connects to the upstream SW and add it to VLAN 100

[Sysname] interface GigabitEthernet2/0/13

[Sysname-gigabitethernet-2/0/13] port link-mode bridge

[Sysname-gigabitethernet-2/0/13] port access vlan 100

# Configure a low port priority of 100

[Sysname-gigabitethernet-2/0/13] link-aggregation port-priority 100

# Add the port to aggregate interface 1

[Sysname-gigabitethernet-2/0/13] port link-aggregation group 1

[Sysname-gigabitethernet-2/0/13] quit

# Similarly, create Layer 2 aggregate interface 2

[Sysname] interface Bridge-Aggregation2

[Sysname-Bridge-Aggregation2] port access vlan 100

# Set the maximum number of selected member ports to 1

[Sysname-Bridge-Aggregation2] link-aggregation selected-port maximum 1

# Add the port connecting the primary FW to the downstream SW to aggregate interface 2 and give the member port a high priority.

[Sysname] interface GigabitEthernet1/0/16

[Sysname-gigabitethernet-1/0/16] port link-mode bridge

[Sysname-gigabitethernet-1/0/16] port access vlan 100

[Sysname-gigabitethernet-1/0/16] link-aggregation port-priority 10

[Sysname-gigabitethernet-1/0/16] port link-aggregation group 2

[Sysname-gigabitethernet-1/0/16] quit

# Add the port connecting the backup FW to the downstream SW to aggregate interface 2 and give the member port a low priority.

[Sysname] interface GigabitEthernet2/0/16

[Sysname-gigabitethernet-2/0/16] port link-mode bridge

[Sysname-gigabitethernet-2/0/16] port access vlan 100

[Sysname-gigabitethernet-2/0/16] link-aggregation port-priority 100

[Sysname-gigabitethernet-2/0/16] port link-aggregation group 2

[Sysname-gigabitethernet-2/0/16] quit

(7) Configure security zones and add the ports to the corresponding zones.

# Add member ports to the default Trust zone; Layer 2 ports must be imported together with their VLAN

[Sysname] security-zone name Trust

# Import the MAD BFD VLAN-interface 1000 into the Trust zone; otherwise MAD BFD packets cannot pass and detection fails.

[Sysname-security-zone-Trust] import interface Vlan-interface1000

# Import the Layer 2 ports connecting the FW to the upstream SW into the Trust zone.

[Sysname-security-zone-Trust] import interface Bridge-Aggregation1 vlan 100

[Sysname-security-zone-Trust] import interface GigabitEthernet1/0/13 vlan 100

[Sysname-security-zone-Trust] import interface GigabitEthernet2/0/13 vlan 100

[Sysname-security-zone-Trust] quit

# Import the Layer 2 ports connecting the FW to the downstream SW into the Untrust zone.

[Sysname] security-zone name Untrust

[Sysname-security-zone-Untrust] import interface Bridge-Aggregation2 vlan 100

[Sysname-security-zone-Untrust] import interface GigabitEthernet1/0/16 vlan 100

[Sysname-security-zone-Untrust] import interface GigabitEthernet2/0/16 vlan 100

[Sysname-security-zone-Untrust] quit

# Add the management port to the default Management zone.

[Sysname] security-zone name Management

[Sysname-security-zone-Management] import interface GigabitEthernet1/0/0

[Sysname-security-zone-Management] quit

(8) Configure object policies that permit all traffic and apply them in the corresponding zone pairs

[Sysname] object-policy ip Local-Trust

[Sysname-object-policy-ip-Local-Trust] rule 0 pass

[Sysname-object-policy-ip-Local-Trust] quit

# The other object policies are configured the same way

[Sysname] object-policy ip Local-Untrust

[Sysname-object-policy-ip-Local-Untrust] rule 0 pass

[Sysname-object-policy-ip-Local-Untrust] quit

[Sysname] object-policy ip Management-Local

[Sysname-object-policy-ip-Management-Local] rule 0 pass

[Sysname-object-policy-ip-Management-Local] quit

[Sysname] object-policy ip Trust-Local

[Sysname-object-policy-ip-Trust-Local] rule 0 pass

[Sysname-object-policy-ip-Trust-Local] quit

[Sysname] object-policy ip Trust-Untrust

[Sysname-object-policy-ip-Trust-Untrust] rule 0 pass

[Sysname-object-policy-ip-Trust-Untrust] quit

[Sysname] object-policy ip Untrust-Local

[Sysname-object-policy-ip-Untrust-Local] rule 0 pass

[Sysname-object-policy-ip-Untrust-Local] quit

[Sysname] object-policy ip Untrust-Trust

[Sysname-object-policy-ip-Untrust-Trust] rule 0 pass

[Sysname-object-policy-ip-Untrust-Trust] quit

# Configure zone pairs and apply the corresponding object policies.

[Sysname] zone-pair security source Local destination Trust

[Sysname-zone-pair-security-Local-Trust] object-policy apply ip Local-Trust

[Sysname-zone-pair-security-Local-Trust] quit

[Sysname] zone-pair security source Local destination Untrust

[Sysname-zone-pair-security-Local-Untrust] object-policy apply ip Local-Untrust

[Sysname-zone-pair-security-Local-Untrust] quit

[Sysname] zone-pair security source Management destination Local

[Sysname-zone-pair-security-Management-Local] object-policy apply ip Management-Local

[Sysname-zone-pair-security-Management-Local] quit

[Sysname] zone-pair security source Trust destination Local

[Sysname-zone-pair-security-Trust-Local] object-policy apply ip Trust-Local

[Sysname-zone-pair-security-Trust-Local] quit

[Sysname] zone-pair security source Trust destination Untrust

[Sysname-zone-pair-security-Trust-Untrust] object-policy apply ip Trust-Untrust

[Sysname-zone-pair-security-Trust-Untrust] quit

[Sysname] zone-pair security source Untrust destination Local

[Sysname-zone-pair-security-Untrust-Local] object-policy apply ip Untrust-Local

[Sysname-zone-pair-security-Untrust-Local] quit

[Sysname] zone-pair security source Untrust destination Trust

[Sysname-zone-pair-security-Untrust-Trust] object-policy apply ip Untrust-Trust

[Sysname-zone-pair-security-Untrust-Trust] quit

(9) Configure track entries that track the physical state of the interfaces

[Sysname] track 7 interface GigabitEthernet2/0/13 physical

[Sysname] track 8 interface GigabitEthernet2/0/16 physical

[Sysname] track 9 interface GigabitEthernet1/0/13 physical

[Sysname] track 10 interface GigabitEthernet1/0/16 physical

(10) Configure the redundancy group

[Sysname] redundancy group 2

# Add node 1

[Sysname-redundancy-group-2] node 1

[Sysname-redundancy-group-2-node-1] bind slot 1

# Configure a high priority.

[Sysname-redundancy-group-2-node-1] priority 100

# Track the corresponding interfaces in node 1.

[Sysname-redundancy-group-2-node-1] track 9 interface GigabitEthernet1/0/13

[Sysname-redundancy-group-2-node-1] track 10 interface GigabitEthernet1/0/16

[Sysname-redundancy-group-2-node-1] node-member interface GigabitEthernet1/0/13

[Sysname-redundancy-group-2-node-1] node-member interface GigabitEthernet1/0/16

[Sysname-redundancy-group-2-node-1] quit

# Add node 2

[Sysname-redundancy-group-2] node 2

[Sysname-redundancy-group-2-node-2] bind slot 2

# Configure a low priority.

[Sysname-redundancy-group-2-node-2] priority 50

# Track the corresponding interfaces in node 2.

[Sysname-redundancy-group-2-node-2] track 7 interface GigabitEthernet2/0/13

[Sysname-redundancy-group-2-node-2] track 8 interface GigabitEthernet2/0/16

[Sysname-redundancy-group-2-node-2] node-member interface GigabitEthernet2/0/13

[Sysname-redundancy-group-2-node-2] node-member interface GigabitEthernet2/0/16

[Sysname-redundancy-group-2-node-2] quit

[Sysname-redundancy-group-2] quit

4.5.3  Configure SW6800

(1) Set up IRF on the SWs and configure BFD MAD

Same as on the FW; omitted here

(2) Interface configuration, including the Layer 2 aggregate interface and its member ports

# Create VLAN 581

<SW6800_IRF> system-view

[SW6800_IRF] vlan 581

# Create VLAN-interface 581

[SW6800_IRF] interface Vlan-interface581

[SW6800_IRF-Vlan-interface581] description to fw-1

[SW6800_IRF-Vlan-interface581] ip address 10.1.255.70 255.255.255.252

[SW6800_IRF-Vlan-interface581] quit

# Create Layer 2 aggregate interface 2, assign it to VLAN 581, and set the maximum number of selected ports to 1

[SW6800_IRF] interface Bridge-Aggregation2

[SW6800_IRF-Bridge-Aggregation2] port access vlan 581

[SW6800_IRF-Bridge-Aggregation2] link-aggregation selected-port maximum 1

# Configure the LoopBack1 address.

[SW6800_IRF] interface LoopBack1

[SW6800_IRF-LoopBack1] ip address 192.168.0.2 255.255.255.255

# Add the aggregation member ports and configure their high and low priorities.

[SW6800_IRF] interface Ten-GigabitEthernet1/1/3

[SW6800_IRF-Ten-GigabitEthernet1/1/3] port link-mode bridge

[SW6800_IRF-Ten-GigabitEthernet1/1/3] port access vlan 581

# Give the SW interface connecting to the primary FW a high priority.

[SW6800_IRF-Ten-GigabitEthernet1/1/3] link-aggregation port-priority 10

[SW6800_IRF-Ten-GigabitEthernet1/1/3] port link-aggregation group 2

[SW6800_IRF-Ten-GigabitEthernet1/1/3] quit

#

[SW6800_IRF] interface Ten-GigabitEthernet2/1/3

[SW6800_IRF-Ten-GigabitEthernet2/1/3] port link-mode bridge

[SW6800_IRF-Ten-GigabitEthernet2/1/3] port access vlan 581

# Give the SW interface connecting to the backup FW a low priority.

[SW6800_IRF-Ten-GigabitEthernet2/1/3] link-aggregation port-priority 100

[SW6800_IRF-Ten-GigabitEthernet2/1/3] port link-aggregation group 2

[SW6800_IRF-Ten-GigabitEthernet2/1/3] quit

(3) Configure the OSPF process and advertise the corresponding networks in it

[SW6800_IRF] ospf 64

[SW6800_IRF-ospf-64] area 0.0.0.0

[SW6800_IRF-ospf-64-area-0.0.0.0] network 10.1.255.68 0.0.0.3

[SW6800_IRF-ospf-64-area-0.0.0.0] network 192.168.0.2 0.0.0.0

[SW6800_IRF-ospf-64-area-0.0.0.0] quit

[SW6800_IRF-ospf-64] quit

4.6  Verifying the configuration

(1) No fault (traffic takes slot 1)

<SW6800_IRF>display ospf peer

 

                  OSPF Process 64 with Router ID 192.168.0.2

                        Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 192.168.0.1     10.1.255.69     1   32         Full/BDR          Vlan581

<SW6800_IRF>ping -c 10000 -a 192.168.0.2 192.168.0.1

<133_1060_IRF_1050>display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 29s

Initiator->Responder:          129 packets      12642 bytes

Responder->Initiator:          129 packets      12642 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: INACTIVE

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 274s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

 

Total sessions found: 1

(2) Primary link failure: (the OSPF peer stays up throughout, traffic switches to slot 2, one ping packet is lost)

[133_1060_IRF_1050-GigabitEthernet1/0/16]shut

<SW6800_IRF>display ospf peer

 

                  OSPF Process 64 with Router ID 192.168.0.2

                        Neighbor Brief Information

 

 Area: 0.0.0.0

 Router ID       Address         Pri Dead-Time  State             Interface

 192.168.0.1     10.1.255.69     1   37         Full/BDR          Vlan581

[133_1060_IRF_1050-GigabitEthernet1/0/16]display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 11s

Initiator->Responder:          787 packets      77126 bytes

Responder->Initiator:          787 packets      77126 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 29s

Initiator->Responder:           79 packets       7742 bytes

Responder->Initiator:           79 packets       7742 bytes

 

Total sessions found: 1

[133_1060_IRF_1050-GigabitEthernet1/0/16]

[133_1060_IRF_1050-GigabitEthernet1/0/16]display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 8s

Initiator->Responder:          787 packets      77126 bytes    //packet count does not increase

Responder->Initiator:          787 packets      77126 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:53:47  TTL: 29s

Initiator->Responder:           92 packets       9016 bytes     //packet count increases

Responder->Initiator:           92 packets       9016 bytes

 

Total sessions found: 1

[133_1060_IRF_1050]display redundancy group 2

Redundancy group 2 (ID 2):

  Node ID      Slot          Priority   Status        Track weight

  1            Slot1         100        Secondary     -255

  2            Slot2         50         Primary       255

 

Preempt delay time remained     : 0    min

Preempt delay timer setting     : 1    min

Remaining hold-down time        : 0    sec

Hold-down timer setting         : 1    sec

Manual switchover request       : No

 

Member interfaces:

 

Node 1:

  Node member     Physical status

    GE1/0/13      DOWN(redundancy down)

    GE1/0/16      DOWN

  Track info:

    Track    Status       Reduced weight     Interface

    9        Negative     255                GE1/0/13

    10       Negative     255                GE1/0/16(Fault)

Node 2:

  Node member     Physical status

    GE2/0/13      UP

    GE2/0/16      UP

  Track info:

    Track    Status       Reduced weight     Interface

    7        Positive     255                GE2/0/13

    8        Positive     255                GE2/0/16

(3) Recovery of the primary link failure: (traffic returns to slot 1, one to two ping packets are lost)

[133_1060_IRF_1050-GigabitEthernet1/0/16]display session table ipv4 source-ip 192.168.0.2 destination-ip 192.168.0.1 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: ICMP_REPLY

Application: OTHER

Start time: 2015-12-11 18:58:42  TTL: 29s

Initiator->Responder:          499 packets      48902 bytes

Responder->Initiator:          499 packets      48902 bytes

 

Total sessions found: 1

 

Slot 2:

Initiator:

  Source      IP/port: 192.168.0.2/995

  Destination IP/port: 192.168.0.1/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation2

  Source security zone: Untrust

Responder:

  Source      IP/port: 192.168.0.1/995

  Destination IP/port: 192.168.0.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/100/-

  Protocol: ICMP(1)

  Inbound interface: Bridge-Aggregation1

  Source security zone: Trust

State: INACTIVE

Application: OTHER

Start time: 2015-12-11 18:58:42  TTL: 199s

Initiator->Responder:            0 packets          0 bytes

Responder->Initiator:            0 packets          0 bytes

 

Total sessions found: 1

4.7  Configuration files

(1) Device SW5560

<SW5560_1>

irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 1

#

ospf 64

area 0.0.0.0

  network 10.1.255.68 0.0.0.3

  network 192.168.0.1 0.0.0.0

#

interface Route-Aggregation1

 ip address 10.1.255.69 255.255.255.252

 link-aggregation selected-port maximum 1

#

interface NULL0

#

interface LoopBack1

 ip address 192.168.0.1 255.255.255.255

#

interface GigabitEthernet1/0/12

 port link-mode route

 link-aggregation port-priority 10

 port link-aggregation group 1

#

interface GigabitEthernet1/0/13

 port link-mode route

 link-aggregation port-priority 100

 port link-aggregation group 1

(2) Device FW1050

<133_1060_IRF_1050>

irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 10

 irf member 2 priority 1

#

 ip load-sharing local-first enable

#

vlan 100

#

vlan 1000

#

irf-port 1/2

 port group interface GigabitEthernet1/0/1

#

irf-port 2/1

 port group interface GigabitEthernet2/0/1

#

 stp global enable

#

interface Bridge-Aggregation1

 port access vlan 100

 link-aggregation selected-port maximum 1

#

interface Bridge-Aggregation2

 port access vlan 100

 link-aggregation selected-port maximum 1

#

interface Vlan-interface1000

 mad bfd enable

 mad ip address 192.168.100.1 255.255.255.0 member 1

 mad ip address 192.168.100.2 255.255.255.0 member 2

#

interface GigabitEthernet1/0/13

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 10

 port link-aggregation group 1

#

interface GigabitEthernet1/0/15

 port link-mode bridge

 description ***bfd mad***

 port access vlan 1000

 undo stp enable

#

interface GigabitEthernet1/0/16

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 10

 port link-aggregation group 2

#

interface GigabitEthernet2/0/13

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 100

 port link-aggregation group 1

#

interface GigabitEthernet2/0/15

 port link-mode bridge

 description ***bfd mad***

 port access vlan 1000

 undo stp enable

#

interface GigabitEthernet2/0/16

 port link-mode bridge

 port access vlan 100

 link-aggregation port-priority 100

 port link-aggregation group 2

#

object-policy ip Local-Trust

 rule 0 pass

#

object-policy ip Local-Untrust

 rule 0 pass

#

object-policy ip Management-Local

 rule 0 pass

#

object-policy ip Trust-Local

 rule 0 pass

#

object-policy ip Trust-Untrust

 rule 0 pass

#

object-policy ip Untrust-Local

 rule 0 pass

#

object-policy ip Untrust-Trust

 rule 0 pass

#

security-zone name Local

#

security-zone name Trust

import interface Vlan-interface1000

import interface Bridge-Aggregation1 vlan 100

 import interface GigabitEthernet1/0/13 vlan 100

 import interface GigabitEthernet2/0/13 vlan 100

#

security-zone name DMZ

#

security-zone name Untrust

import interface Bridge-Aggregation2 vlan 100

 import interface GigabitEthernet1/0/16 vlan 100

 import interface GigabitEthernet2/0/16 vlan 100

#

security-zone name Management

 import interface GigabitEthernet1/0/0

#

zone-pair security source Local destination Trust

 object-policy apply ip Local-Trust

#

zone-pair security source Local destination Untrust

 object-policy apply ip Local-Untrust

#

zone-pair security source Management destination Local

 object-policy apply ip Management-Local

#

zone-pair security source Trust destination Local

 object-policy apply ip Trust-Local

#

zone-pair security source Trust destination Untrust

 object-policy apply ip Trust-Untrust

#

zone-pair security source Untrust destination Local

 object-policy apply ip Untrust-Local

#

zone-pair security source Untrust destination Trust

 object-policy apply ip Untrust-Trust

#

redundancy group 2

 node 1

  bind slot 1

  priority 100

  track 9 interface GigabitEthernet1/0/13

  track 10 interface GigabitEthernet1/0/16

  node-member interface GigabitEthernet1/0/13

  node-member interface GigabitEthernet1/0/16

 node 2

  bind slot 2

  priority 50

  track 7 interface GigabitEthernet2/0/13

  track 8 interface GigabitEthernet2/0/16

  node-member interface GigabitEthernet2/0/13

  node-member interface GigabitEthernet2/0/16

#

session statistics enable

session synchronization enable

#

track 7 interface GigabitEthernet2/0/13 physical

 track 8 interface GigabitEthernet2/0/16 physical

 track 9 interface GigabitEthernet1/0/13 physical

 track 10 interface GigabitEthernet1/0/16 physical

(3) Device SW6800

<SW6800_IRF>

#

 irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 10

 irf member 2 priority 1

 irf mode normal

#

ospf 64

 area 0.0.0.0

  network 10.1.255.68 0.0.0.3

  network 192.168.0.2 0.0.0.0

#

vlan 581

#

vlan 3000

#

irf-port 1/2

 port group interface Ten-GigabitEthernet1/1/1

#

irf-port 2/1

 port group interface Ten-GigabitEthernet2/1/1

#

interface Bridge-Aggregation2

 description ithi

 port access vlan 581

 link-aggregation selected-port maximum 1

#

interface LoopBack1

 ip address 192.168.0.2 255.255.255.255

#

interface Vlan-interface581

 description to fw-1

 ip address 10.1.255.70 255.255.255.252

 ospf bfd enable

 bfd min-transmit-interval 500

 bfd min-receive-interval 500

#

interface Vlan-interface3000

 mad bfd enable

 mad ip address 192.168.2.1 255.255.255.0 member 1

 mad ip address 192.168.2.2 255.255.255.0 member 2

#

interface M-GigabitEthernet0/0/0

 ip address 192.168.218.135 255.255.255.0

#

interface Ten-GigabitEthernet1/1/2

 port link-mode bridge

 description bfd mad

 port access vlan 3000

 undo stp enable

#

interface Ten-GigabitEthernet1/1/3

 port link-mode bridge

 port access vlan 581

 link-aggregation port-priority 10

 port link-aggregation group 2

#

interface Ten-GigabitEthernet2/1/2

 port link-mode bridge

 description bfd mad

 port access vlan 3000

 undo stp enable

#

interface Ten-GigabitEthernet2/1/3

 port link-mode bridge

 port access vlan 581

 link-aggregation port-priority 100

 port link-aggregation group 2

Troubleshooting

(1) Check whether BFD MAD is working properly

<F1050-IRF>display mad verbose

Multi-active recovery state: No

Excluded ports (user-configured):

Excluded ports (system-configured):

  GigabitEthernet1/0/1

  GigabitEthernet2/0/1

MAD ARP disabled.

MAD ND disabled.

MAD LACP disabled.

MAD BFD enabled interface: Vlan-interface1000

  MAD status                 : Normal

  Member ID   MAD IP address       Neighbor   MAD status

  1           192.168.100.1/24     2          Normal

  2           192.168.100.2/24     1          Normal

(2) Check whether the link aggregation groups are working properly

<F1050-IRF>display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

  Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  GE1/0/13         S       10       4

  GE2/0/13         U       100      4

 

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static

Loadsharing Type: Shar

  Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  GE1/0/16         S       10       1

  GE2/0/16         U       100      1

(3) Check whether the redundancy group is working properly

<F1050-IRF>display redundancy group 2

Redundancy group 2 (ID 2):

  Node ID      Slot          Priority   Status        Track weight

  1            Slot1         100        Primary       255

  2            Slot2         50         Secondary     255

 

Preempt delay time remained     : 0    min

Preempt delay timer setting     : 1    min

Remaining hold-down time        : 0    sec

Hold-down timer setting         : 1    sec

Manual switchover request       : No

 

Member interfaces:

 

Node 1:

  Node member     Physical status

    GE1/0/13      UP

    GE1/0/16      UP

  Track info:

    Track    Status       Reduced weight     Interface

    9        Positive     255                GE1/0/13

    10       Positive     255                GE1/0/16

Node 2:

  Node member     Physical status

    GE2/0/13      UP

    GE2/0/16      UP

  Track info:

    Track    Status       Reduced weight     Interface

    7        Positive     255                GE2/0/13

    8        Positive     255                GE2/0/16
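The design above only works if the selected member of each aggregation group and the redundancy-group Primary sit in the same IRF slot; otherwise traffic enters on one chassis while the other owns the sessions. The following Python check is an added example, not part of the H3C document: it parses the `display link-aggregation verbose` and `display redundancy group` output formats shown above and flags any violation of that invariant. The embedded sample outputs are constructed from this page's own displays (the healthy state and the failover state after GE1/0/16 was shut down).

```python
"""Consistency check for the cross-device aggregation active/standby design.

Invariants verified (all derived from the configuration example on this page):
  * each aggregate interface has exactly one Selected (S) member,
    as required by `link-aggregation selected-port maximum 1`;
  * the Selected member is the one with the best (numerically lowest) port priority;
  * all Selected members are in the same IRF slot;
  * that slot is the redundancy group's Primary node.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: healthy state, copied in shape from the page's troubleshooting output.
LAG_OUTPUT = """\
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  GE1/0/13         S       10       4
  GE2/0/13         U       100      4

Aggregate Interface: Bridge-Aggregation2
Aggregation Mode: Static
Loadsharing Type: Shar
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  GE1/0/16         S       10       1
  GE2/0/16         U       100      1
"""

RG_OUTPUT = """\
Redundancy group 2 (ID 2):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         100        Primary       255
  2            Slot2         50         Secondary     255
"""

# Constructed sample: redundancy group after failover to slot 2 (as in the page's fault test),
# paired below with the healthy aggregation output to show a mismatch being detected.
RG_FAULT = """\
Redundancy group 2 (ID 2):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         100        Secondary     -255
  2            Slot2         50         Primary       255
"""

Member = Tuple[str, str, int]  # (port, status letter, port priority)


def parse_lag(text: str) -> Dict[str, List[Member]]:
    """Return {aggregate interface: [member rows]} from `display link-aggregation verbose`."""
    groups: Dict[str, List[Member]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Aggregate Interface:\s*(\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        # Member rows are indented: "  GE1/0/13         S       10       4"
        m = re.match(r"\s+(\S+)\s+([SUI])\s+(\d+)\s+\d+\s*$", line)
        if m and current:
            groups[current].append((m.group(1), m.group(2), int(m.group(3))))
    return groups


def parse_redundancy(text: str) -> Dict[int, Tuple[int, str]]:
    """Return {node id: (slot, status)} from `display redundancy group`."""
    nodes: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\d+)\s+Slot(\d+)\s+\d+\s+(Primary|Secondary)\s+-?\d+", line)
        if m:
            nodes[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return nodes


def slot_of(port: str) -> int:
    """IRF member (slot) number is the first number in the port name: GE2/0/16 -> 2."""
    return int(re.match(r"[A-Za-z-]+(\d+)/", port).group(1))


def check_design(lag_text: str, rg_text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the design is consistent."""
    problems: List[str] = []
    selected_slots = set()
    for name, members in parse_lag(lag_text).items():
        selected = [m for m in members if m[1] == "S"]
        if len(selected) != 1:
            problems.append(f"{name}: expected 1 Selected port, found {len(selected)}")
            continue
        best = min(members, key=lambda m: m[2])  # lowest number = highest priority
        if selected[0][0] != best[0]:
            problems.append(f"{name}: Selected port {selected[0][0]} is not the best-priority port {best[0]}")
        selected_slots.add(slot_of(selected[0][0]))
    if len(selected_slots) > 1:
        problems.append(f"Selected ports are split across slots {sorted(selected_slots)}")
    primary = [slot for slot, status in parse_redundancy(rg_text).values() if status == "Primary"]
    if len(primary) != 1:
        problems.append(f"expected exactly one Primary node, found {len(primary)}")
    elif selected_slots and primary[0] not in selected_slots:
        problems.append(f"redundancy Primary is slot {primary[0]} but Selected ports are in slot {sorted(selected_slots)}")
    return problems


if __name__ == "__main__":
    print("healthy:", check_design(LAG_OUTPUT, RG_OUTPUT) or "OK")
    print("mismatch:", check_design(LAG_OUTPUT, RG_FAULT))
```

Feed it the two display outputs captured from the live fabric after a failover and recovery test; any non-empty result is the asymmetric state the redundancy-group tracking is supposed to prevent.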


1 answer
知了小白

# Configure session synchronization.
[Sysname]session synchronization enable
[Sysname]session synchronization dns
[Sysname]session synchronization http
# Enable the dual-active session feature.
<Sysname> system-view
[Sysname] session dual-active enable
# Set the session creation mode in dual-active mode to the hash algorithm.
[Sysname] session dual-active create-mode hash
