防火墙插卡如何做堆叠,交换机需要做配置吗?
- 0关注
- 0收藏,1303浏览
问题描述:
防火墙插卡如何做堆叠,交换机需要做配置吗?
组网及组网描述:
- 2023-02-02提问
- 举报
-
(0)
最佳答案
你好:
可以参考如下案例:
·在两台S105交换机之间建立堆叠。
· 在两台FW板卡之间建立堆叠,FW1的堆叠口为:G1/0/2,FW2的堆叠口为:G2/0/2。
· 为了防止万一IRF链路故障导致IRF分裂,网络中存在两个配置冲突的IRF,因此启用MAD检测功能。将FW1的G1/0/1和FW2的G2/0/1连接用作BFD MAD检测。
· 创建冗余口Reth2和Reth3分别对应于两条link。
· 创建冗余组1,包含冗余成员:Reth1、Reth2、Reth3等。
运营商交换机的配置
· 配置接FW上LB Link1对应的下一跳:把Ten1/2/16、Ten1/2/18允许vlan 4011,用vlan interface 作为网关
[H3Cvlan4011
[H3C]interface Vlan-interface4011
[H3C-Vlan-interface4011]ip address 222.173.111.49 255.255.255.252
[H3C-Vlan-interface4011]quit
#
[H3C]interface Ten-GigabitEthernet 1/2/16
[H3C-Ten-GigabitEthernet1/2/16]port link-type trunk
[H3C-Ten-GigabitEthernet1/2/16]port trunk permit vlan 4011
[H3C]interface Ten-GigabitEthernet 1/2/18
[H3C-Ten-GigabitEthernet1/2/18]port link-type trunk
[H3C-Ten-GigabitEthernet1/2/18]port trunk permit vlan 4011
· 配置接FW上LB Link2对应的下一跳:把Ten1/2/17、Ten1/2/19允许vlan 4012,用vlan interface 作为网关
[H3C]vlan4012
[H3C]interface Vlan-interface 4012
[H3C-Vlan-interface4012]ip address 222.173.112.99 255.255.255.248
[H3C-Vlan-interface4012]quit
#
[H3C]interface Ten-GigabitEthernet 1/2/17
[H3C-Ten-GigabitEthernet1/2/17]port link-type trunk
[H3C-Ten-GigabitEthernet1/2/17]port trunk permit vlan 4012
[H3C]interface Ten-GigabitEthernet 1/2/19
[H3C-Ten-GigabitEthernet1/2/19]port link-type trunk
[H3C-Ten-GigabitEthernet1/2/19]port trunk permit vlan 4012
1.5.2 S105交换机的配置步骤
(1) IRF的配置:
· S105交换机 1的配置:
# 配置成员号和优先级。
[H3C] irf member 1 priority 32
#配置Chassis 1,配置IRF端口1/1,并将它与物理端口Ten-GigabitEthernet1/7/0/1绑定,并保存配置,激活IRF端口下的配置。
[H3C]interface Ten-GigabitEthernet 1/7/0/1
[H3C-Ten-GigabitEthernet1/7/0/1]shutdown
[H3C-Ten-GigabitEthernet1/7/0/1] quit
[H3C] irf-port 1/1
[H3C-irf-port1/1]port group interface Ten-GigabitEthernet 1/7/0/1
[H3C-irf-port1/1] quit
[H3C] interface Ten-GigabitEthernet 1/7/0/1
[H3C-Ten-GigabitEthernet1/7/0/1] undo shutdown
[H3C-Ten-GigabitEthernet1/7/0/1] quit
[H3C]save
[H3C]irf-port-configuration active
· S105交换机2的配置:
# 配置成员号和优先级。
[H3C]irf member 2 priority 1
#配置Chassis 2, 将S105交换机2的成员编号配置为2,并重启设备使新编号生效。
[H3C]irf member 1 renumber 2
Warning: Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y
[H3C]quit
< H3C > reboot
#S105交换机2重新起来后,登录设备,配置IRF端口2/2,并将它与物理端口Ten-GigabitEthernet2/7/0/3绑定,并保存配置,激活IRF端口下的配置。
[H3C]interface Ten-GigabitEthernet 2/7/0/3
[H3C-Ten-GigabitEthernet2/7/0/3]shutdown
[H3C-Ten- GigabitEthernet2/7/0/3]quit
[H3C]irf-port 2/2
[H3C-irf-port2/2] port group interface Ten-GigabitEthernet 2/7/0/3
[H3C-irf-port2/2] quit
[H3C]interface Ten-GigabitEthernet 2/7/0/3
[H3C-Ten-GigabitEthernet2/7/0/3]undo shutdown
[H3C-Ten-GigabitEthernet2/7/0/3]quit
[H3C]save
[H3C]irf-port-configuration active
(2) 接口配置:
#Chassi1连接运营商交换机Ten1/2/16的接口Ten1/6/0/34
[H3C]interface Ten-GigabitEthernet 1/6/0/34
[H3C-Ten-GigabitEthernet1/6/0/34] port link-type trunk
[H3C-Ten-GigabitEthernet1/6/0/34]port trunk permit vlan 4011
[H3C-Ten-GigabitEthernet1/6/0/34]quit
#Chassi1连接运营商交换机Ten1/2/17的接口Ten1/6/0/35
[H3C]interface Ten-GigabitEthernet 1/6/0/35
[H3C-Ten-GigabitEthernet1/6/0/35]port link-type trunk
[H3C-Ten-GigabitEthernet1/6/0/35]port trunk permit vlan 4012
[H3C-Ten-GigabitEthernet1/6/0/35]quit
#Chassi2连接运营商交换机Ten1/2/18的接口Ten2/6/0/34
[H3C]interface Ten-GigabitEthernet 2/6/0/34
[H3C-Ten-GigabitEthernet2/6/0/34]port link-type trunk
[H3C-Ten-GigabitEthernet2/6/0/34]port trunk permit vlan 4011
[H3C-Ten-GigabitEthernet2/6/0/34]quit
#Chassi2连接运营商交换机Ten1/2/19的接口Ten2/6/0/35
[H3C]interface Ten-GigabitEthernet 2/6/0/35
[H3C-Ten-GigabitEthernet2/6/0/35]port link-type trunk
[H3C-Ten-GigabitEthernet2/6/0/35]port trunk permit vlan 4012
[H3C-Ten-GigabitEthernet2/6/0/35]quit
#S105交换机连接到内部用户的接口允许vlan 4010的报文。接口配置略。
#Chassi1连接SecBlade III FW1的内联口组成聚合口BAG1,vlan 4010为连接内部用户的vlan。
#
[H3C]interface Bridge-Aggregation1
[H3C-Bridge-Aggregation1]quit
[H3C]interface Ten-GigabitEthernet 1/1/0/1
[H3C-Ten-GigabitEthernet1/1/0/1]port link-mode bridge
[H3C-Ten-GigabitEthernet1/1/0/1] port link-aggregation group 1
[H3C-Ten-GigabitEthernet1/1/0/1]quit
依此再将Ten1/1/0/2,Ten1/1/0/3,Ten1/1/0/4都加入聚合组1。
[H3C]interface Bridge-Aggregation1
[H3C-Bridge-Aggregation1]port link-type trunk
[H3C-Bridge-Aggregation1]undo port trunk permit vlan 1
[H3C-Bridge-Aggregation1]port trunk permit vlan 4010 to 4012
#Chassi2连接SecBlade III FW2的内联口组成聚合口BAG2
[H3C]interface Bridge-Aggregation2
[H3C-Bridge-Aggregation2]quit
[H3C]interface Ten-GigabitEthernet 2/2/0/1
[H3C-Ten-GigabitEthernet2/2/0/1]port link-mode bridge
[H3C-Ten-GigabitEthernet2/2/0/1] port link-aggregation group 2
[H3C-Ten-GigabitEthernet2/2/0/1]quit
依此再将Ten2/2/0/2,Ten2/2/0/3,Ten2/2/0/4都加入聚合组2。
[H3C]interface Bridge-Aggregation2
[H3C-Bridge-Aggregation2]port link-type trunk
[H3C-Bridge-Aggregation2]undo port trunk permit vlan 1
[H3C-Bridge-Aggregation2]port trunk permit vlan 4010 to 4012
1.5.3 SecBlade III FW的IRF和MAD检测配置步骤
(1) SecBlade III FW1的IRF配置步骤
# 配置成员号和优先级。
[H3C] irf member 1 priority 32
#配置FW1,配置IRF端口1/2,并将它与物理端口GigabitEthernet1/0/2绑定,并保存配置,激活IRF端口下的配置。
[H3C] interface GigabitEthernet1/0/2
[H3C- GigabitEthernet1/0/2] shutdown
[H3C- GigabitEthernet1/0/2] quit
[H3C] irf-port 1/2
[H3C-irf-port1/2] port group interface GigabitEthernet1/0/2
[H3C-irf-port1/2] quit
[H3C] interface GigabitEthernet1/0/2
[H3C-GigabitEthernet1/0/2] undo shutdown
[H3C-GigabitEthernet1/0/2] quit
[H3C]save
[H3C]irf-port-configuration active
(2) SecBlade III FW2的IRF配置步骤
# 配置成员号和优先级。
[H3C]irf member 2 priority 1
#配置FW2, 将FW2的成员编号配置为2,并重启设备使新编号生效。
[H3C]irf member 1 renumber 2
Warning: Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y
[H3C]quit
< H3C > reboot
#FW2重新起来后,登录设备,配置IRF端口2/1,并将它与物理端口GigabitEthernet2/0/2绑定,并保存配置,激活IRF端口下的配置。
[H3C]interface GigabitEthernet2/0/2
[H3C-GigabitEthernet2/0/2]shutdown
[H3C-GigabitEthernet2/0/2]quit
[H3C]irf-port 2/1
[H3C-irf-port2/1] port group interface GigabitEthernet2/0/2
[H3C-irf-port2/1] quit
[H3C]interface GigabitEthernet2/0/2
[H3C-GigabitEthernet2/0/2]undo shutdown
[H3C-GigabitEthernet2/0/2]quit
[H3C]save
[H3C]irf-port-configuration active
#FW1和FW2间将会进行主设备竞选,竞选失败的一方将重启,重启完成后,IRF形成。
(3) 配置BFD MAD检测
# 创建VLAN 3,并将FW1(成员编号为1)上的端口1/0/1和FW2(成员编号为2)上的端口2/0/1加入VLAN中。
[H3C] vlan 3
[H3C-vlan3] quit
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]port link-mode bridge
[H3C-GigabitEthernet1/0/1]port access vlan 3
[H3C-GigabitEthernet1/0/1]quit
[H3C]interface GigabitEthernet 2/0/1
[H3C-GigabitEthernet2/0/1]port link-mode bridge
[H3C-GigabitEthernet2/0/1]port access vlan 3
[H3C-GigabitEthernet2/0/1]quit
# 创建VLAN接口3,并配置MAD IP地址。
[H3C] interface vlan-interface 3
[H3C-Vlan-interface3] mad bfd enable
[H3C-Vlan-interface3] mad ip address 192.168.2.1 24 member 1
[H3C-Vlan-interface3] mad ip address 192.168.2.2 24 member 2
[H3C-Vlan-interface3] quit
# 因为BFD MAD和生成树功能互斥,所以在GigabitEthernet1/0/1和GigabitEthernet2/0/1上关闭生成树协议。
[H3C] interface gigabitethernet 1/0/1
[H3C-gigabitethernet-1/0/1] undo stp enable
[H3C-gigabitethernet-1/0/1] quit
[H3C] interface gigabitethernet 2/0/1
[H3C-gigabitethernet-2/0/1] undo stp enable
# 将接口vlan-interface 3加入安全域trust(步骤略),并配置源域为local,目的为trust的域间策略 。
创建对象组
[H3C]object-group ip address mad
[H3C-obj-grp-ip-mad] 0 network subnet 192.168.2.0 255.255.255.0
[H3C-obj-grp-ip-mad] quit
创建域间策略对象
[H3C]object-policy ip local-trust
[H3C-object-policy-ip-local-trust]rule 1 pass source-ip mad destination-ip mad
[H3C-object-policy-ip-local-trust]quit
创建域间策略,并引用域间策略对象
[H3C]zone-pair security source local destination trust
[H3C-zone-pair-security-Local-Trust]object-policy apply ip local-trust
[H3C-zone-pair-security-Local-Trust]quit
1.5.4 SecBlade III FW的接口及LB的配置步骤
(1) 创建ACL,允许内网10.1.0.0/16网段地址
[H3C] acl advanced 3500
[H3C-acl-ipv4-adv-3500] rule 0 permit ip source 10.1.0.0 0.0.255.255
[H3C-acl-ipv4-adv-3500]quit
(2) 创建聚合口RAG1和RAG2,将Slot 1和Slot 2的4个内联口分别加入聚合口RAG1和RAG2
[H3C]interface Route-Aggregation 1
[H3C-Route-Aggregation1]quit
[H3C]interface Ten-GigabitEthernet 1/0/1
[H3C-Ten-GigabitEthernet1/0/1]port link-aggregation group 1
[H3C-Ten-GigabitEthernet1/0/1]quit
依次将Ten1/0/2,Ten1/0/3,Ten1/0/4都加入聚合组RAG1
#
[H3C]interface Route-Aggregation 2
[H3C-Route-Aggregation2]quit
[H3C]interface Ten-GigabitEthernet 2/0/1
[H3C-Ten-GigabitEthernet2/0/1]port link-aggregation group 2
[H3C-Ten-GigabitEthernet2/0/1]quit
依次将Ten2/0/2,Ten2/0/3,Ten2/0/4都加入聚合组RAG2
#
创建聚合子接口RAG1.4011,RAG1.4012,RAG2.4011,RAG2.4012
[H3C]interface Route-Aggregation 1.4011
[H3C-Route-Aggregation1.4011]vlan-type dot1q vid 4011
[H3C-Route-Aggregation1.4011]quit
其他聚合子接口的配置略。
(3) 创建冗余口并应用NAT和冗余组的配置
#创建冗余口Reth2,IP地址为222.173.111.50/ 30,成员接口为RAG1.4011和RAG2.4011,其中RAG1.4011的优先级为100,RAG2.4011的优先级为50。开启保存上一跳功能。
[H3C] interface Reth 2
[H3C-Reth2] ip address 222.173.111.50 255.255.255.240
[H3C-Reth2] nat outbound 3500 address-group 1
[H3C-Reth2] nat server global 222.173.111.60 inside 10.1.0.6
[H3C-Reth2] member interface Route-Aggregation1.4011 priority 100
[H3C-Reth2] member interface Route-Aggregation2.4011 priority 50
[H3C-Reth2] ip last-hop hold
# 创建冗余口Reth3,IP地址为222.173.112.100/28,成员接口为RAG1.4012和RAG2.4012,其中RAG1.4012的优先级为100,RAG2.4012的优先级为50。开启保存上一跳功能。
[H3C] interface Reth 3
[H3C-Reth3] ip address 222.173.112.100 255.255.255.240
[H3C-Reth3] nat outbound 3500 address-group 2
[H3C-Reth3] member interface Route-Aggregation1.4012 priority 100
[H3C-Reth3] member interface Route-Aggregation2.4012 priority 50
[H3C-Reth3] ip last-hop hold
[H3C-Reth3] quit
# 创建内网入口冗余口Reth1,IP地址为10.1.0.1/16,成员接口为RAG1.4010和RAG2.4010,其中RAG1.4010的优先级为100,RAG2.4010的优先级为50。开启保存上一跳功能。
[H3C] interface Reth 1
[H3C-Reth1] ip address 10.1.0.1 255.255.0.0
[H3C-Reth1] member interface Route-Aggregation1.4010 priority 100
[H3C-Reth1] member interface Route-Aggregation2.4010 priority 50
[H3C-Reth1] ip last-hop hold
[H3C-Reth1] quit
#配置track,监测业务端口端口状态。
[H3C] track 1 interface Route-Aggregation1
[H3C] track 2 interface Route-Aggregation2
#配置冗余组1,创建Node 1,Node 1和FW1绑定,为主节点。关联的Track项为1。
[H3C] redundancy group 1
[H3C-redundancy-group-1] node 1
[H3C-redundancy-group-1-node1] bind slot 1
[H3C-redundancy-group-1-node1] priority 100
[H3C-redundancy-group-1-node1] track 1 interface Route-Aggregation1
#配置冗余组1,创建Node 2,Node 2和FW2绑定,为备节点。关联的Track项为2。
[H3C-redundancy-group-1] node 2
[H3C-redundancy-group-1-node2] bind slot 2
[H3C-redundancy-group-1-node2] priority 50
[H3C-redundancy-group-1-node2] track 2 interface Route-Aggregation2
[H3C-redundancy-group-1-node2] quit
# 将Reth1、Reth2和Reth3添加到冗余组中。
[H3C-redundancy-group-1] member interface reth 1
[H3C-redundancy-group-1] member interface reth 2
[H3C-redundancy-group-1] member interface reth 3
[H3C-redundancy-group-1] quit
(4) 将冗余口加入安全域并配置域间策略
#将内网接口Reth1和MAD检测接口vlan-interface3加入trust域
[H3C]security-zone name Trust
[H3C-security-zone-Trust]import interface reth 1
[H3C-security-zone-Trust] import interface Vlan-interface3
堆叠的两台设备需采用相同的型号,使用相同的版本。
SecBlade III FW的堆叠口请使用前面板的光口。
防火墙内联口需要聚合,并配置子接口作为上下行,再做冗余。
目前防火墙插卡不允许跨框流量,需要配置冗余组。
- 2023-02-02回答
- 评论(0)
- 举报
-
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论