Once two devices are paired with RBM, traffic can be diverted to them; both active/standby and active/active networking support traffic diversion.
Reference case:
The LSQM1ADEDSC0, LSWM1ADED0 and LSUM1ADECEA0 SecBlade cards are load-balancing products. Because a load-balancing device permits traffic on all interfaces by default, no security zones or security policies need to be configured for them. The card deployments in this section all configure security zones and security policies; for the products above, configure security zones and security policies as needed.
Host A, Host B and Host C communicate with the Internet through the access switch Switch and the router Router. For security reasons, two SecBlade cards, Device A and Device B, are deployed in Router to provide security protection. The requirements are as follows:
· Switch places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently forwards traffic between the hosts and the Internet.
· Router connects to the hosts, the Internet and the Devices at Layer 3. It redirects upstream and downstream traffic to the Devices with policy-based routing, and forwards traffic returned by the Devices by looking up the routing table.
· The Devices connect to Router at Layer 3 and forward traffic between the hosts and the Internet by looking up the static routing table. Device A and Device B operate as an active/standby backup pair.
Figure 3-1 Network diagram for Layer 3 traffic diversion to side-mounted SecBlade cards in active/standby deployment
Figure 3-2 Logical network diagram for Layer 3 traffic diversion to side-mounted SecBlade cards in active/standby deployment
Device | Interface | IP address | Device | Interface | IP address |
Host A | - | 192.168.10.15/24 | Device A | FGE1/0/1 | 10.1.1.2/24 |
Host B | - | 192.168.20.15/24 | Device A | FGE1/0/2 | 10.1.2.2/24 |
Host C | - | 192.168.30.15/24 | Device A | FGE1/0/3 | 1.1.1.1/30 |
Router | GE1/0/1.10 | 192.168.10.1/24 | Device B | FGE1/0/1 | 10.1.1.3/24 |
Router | GE1/0/1.20 | 192.168.20.1/24 | Device B | FGE1/0/2 | 10.1.2.3/24 |
Router | GE1/0/1.30 | 192.168.30.1/24 | Device B | FGE1/0/3 | 1.1.1.2/30 |
Router | GE1/0/2 | 20.1.1.1/24 | | | |
Router | Vlan-interface40 | 10.1.1.1/24 | | | |
Router | Vlan-interface50 | 10.1.2.1/24 | | | |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Configure the IP address of GigabitEthernet1/0/2.
<Router> system-view
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20 and GigabitEthernet1/0/1.30, enable Dot1q termination on them for VLAN 10, VLAN 20 and VLAN 30 respectively, and configure their IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Switch FortyGigE2/0/1, FortyGigE2/0/2, FortyGigE2/0/3, FortyGigE3/0/1, FortyGigE3/0/2 and FortyGigE3/0/3 to Layer 2 (bridge) mode.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2 fortygige 2/0/3 fortygige 3/0/1 fortygige 3/0/2 fortygige 3/0/3
[Router-if-range] port link-mode bridge
[Router-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 1111. Assign FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50, and FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
[Router] vlan 40
[Router-vlan40] port fortygige 2/0/1 fortygige 3/0/1
[Router-vlan40] quit
[Router] vlan 50
[Router-vlan50] port fortygige 2/0/2 fortygige 3/0/2
[Router-vlan50] quit
[Router] vlan 1111
[Router-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[Router-vlan1111] quit
# Create VLAN-interface 40 and VLAN-interface 50 and configure their IP addresses.
[Router] interface vlan-interface 40
[Router-Vlan-interface40] ip address 10.1.1.1 24
[Router-Vlan-interface40] quit
[Router] interface vlan-interface 50
[Router-Vlan-interface50] ip address 10.1.2.1 24
[Router-Vlan-interface50] quit
# Disable fast-forwarding load sharing (to prevent a Layer 3 loop).
[Router] undo ip fast-forwarding load-sharing
# Create IPv4 advanced ACLs to match the upstream and downstream traffic.
[Router] acl advanced 3001
[Router-acl-ipv4-adv-3001] rule permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3001] quit
[Router] acl advanced 3002
[Router-acl-ipv4-adv-3002] rule permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3002] quit
[Router] acl advanced 3003
[Router-acl-ipv4-adv-3003] rule permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3003] quit
[Router] acl advanced 3004
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Router-acl-ipv4-adv-3004] quit
# Configure policy-based routing and apply the policies to the interfaces.
[Router] policy-based-route vlan10out permit node 10
[Router-pbr-vlan10out-10] if-match acl 3001
[Router-pbr-vlan10out-10] apply next-hop 10.1.1.4
[Router-pbr-vlan10out-10] quit
[Router] policy-based-route vlan20out permit node 10
[Router-pbr-vlan20out-10] if-match acl 3002
[Router-pbr-vlan20out-10] apply next-hop 10.1.1.4
[Router-pbr-vlan20out-10] quit
[Router] policy-based-route vlan30out permit node 10
[Router-pbr-vlan30out-10] if-match acl 3003
[Router-pbr-vlan30out-10] apply next-hop 10.1.1.4
[Router-pbr-vlan30out-10] quit
[Router] policy-based-route internetin permit node 10
[Router-pbr-internetin-10] if-match acl 3004
[Router-pbr-internetin-10] apply next-hop 10.1.2.4
[Router-pbr-internetin-10] quit
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] ip policy-based-route vlan10out
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] ip policy-based-route vlan20out
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] ip policy-based-route vlan30out
[Router-GigabitEthernet1/0/1.30] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip policy-based-route internetin
[Router-GigabitEthernet1/0/2] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2, and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to the security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to direct the upstream and downstream traffic.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2, and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to the security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to direct the upstream and downstream traffic.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] quit
# Execute the following display command on Device A to verify that the HA configuration has taken effect and the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Execute the following display command on Device A to view the status of the VRRP groups.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/2 2 Master 100 100 None 10.1.2.4
# Execute the following display command on Device B to verify that the HA configuration has taken effect and the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Standby Interface status changed
# Execute the following display command on Device B to view the status of the VRRP groups.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/2 2 Backup 100 100 None 10.1.2.4
# Ping the Internet address 20.1.1.1 from Host A; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the hosts and 20.1.1.1 exist.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
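As an added example (not code from the original post or from H3C), the following Python script checks a Layer 3 diversion setup like the one above for two faults a stateful firewall pair cannot tolerate: a PBR next-hop that points at a member interface address instead of the VRRP virtual IP (traffic stops on switchover), and a flow whose return direction is not diverted, or is diverted into the same zone, so the firewall sees only half of the session. It parses a constructed excerpt of the Router's ACL and PBR configuration together with Device A's VRRP virtual IPs; the helper names wc_net, parse and check_diversion are hypothetical.

```python
from ipaddress import ip_address, ip_network
# Constructed excerpt of the Router config above: ACLs 3001/3004 and their PBR nodes.
ROUTER_CFG = """
acl advanced 3001
 rule permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
acl advanced 3004
 rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
policy-based-route vlan10out permit node 10
 if-match acl 3001
 apply next-hop 10.1.1.4
policy-based-route internetin permit node 10
 if-match acl 3004
 apply next-hop 10.1.2.4
"""
VIPS = {"10.1.1.4": "trust", "10.1.2.4": "untrust"}  # Device A VRRP VIPs by zone
def wc_net(addr, wildcard):  # H3C "address wildcard" pair -> ip_network
    prefix = 32 - bin(int(ip_address(wildcard))).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False)

def parse(cfg):  # ACL number -> [(src, dst)], PBR name -> {"acl", "nexthop"}
    acls, pbr, ctx = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        words = line.split()
        if line.startswith("acl advanced"):
            ctx = acls.setdefault(words[2], [])
        elif line.startswith("policy-based-route"):
            ctx = pbr.setdefault(words[1], {})
        elif line.startswith("rule permit ip source"):
            ctx.append((wc_net(words[4], words[5]), wc_net(words[7], words[8])))
        elif line.startswith("if-match acl"):
            ctx["acl"] = words[2]
        elif line.startswith("apply next-hop"):
            ctx["nexthop"] = words[2]
    return acls, pbr

def check_diversion(cfg, vips):  # [] means every diverted flow is symmetric
    acls, pbr = parse(cfg)
    findings, flows = [], {}  # flows: (src, dst) -> zone of the VIP it is sent to
    for name, node in pbr.items():
        if (nh := node.get("nexthop")) not in vips:  # member IP, not VIP: failover breaks
            findings.append(f"{name}: next-hop {nh} is not a VRRP virtual IP")
            continue
        for src, dst in acls.get(node.get("acl"), []):
            flows[(src, dst)] = vips[nh]
    for (src, dst), zone in flows.items():
        if (back := flows.get((dst, src))) is None:
            findings.append(f"{src}->{dst}: return flow is not diverted (asymmetric path)")
        elif back == zone:
            findings.append(f"{src}->{dst}: both directions enter zone {zone}")
    return findings
```

Run it against the full ACL/PBR section of a real Router config before cutover; any finding means the firewall pair will either lose traffic on switchover or drop sessions it only half sees.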
Thanks, is there a link to the document?
For a scenario where both core switches are fitted with firewall cards, the recommendation is Layer 2 transparent mode with active/standby deployment, using link aggregation to divert traffic.
Working mode: active/standby (Active/Passive) is recommended; in a transparent deployment this mode is more stable and easier to troubleshoot.
Deployment mode: Layer 2 transparent. Network IP addresses are left unchanged; traffic is steered to the firewall through the hardware inline interfaces and cross-VLAN bridging.
Diversion mechanism: link aggregation (LACP). Configure dynamic link aggregation on the core side and set the maximum number of selected ports to 1 on the firewall side, so that traffic passes only through the active device.
You need to log in through the firewall card's own Console port to configure it; the firewall is not managed directly by the core and is logically "in line" with the network. The main steps fall into two parts:
Stacking: stack (IRF) the two firewall cards into one logical device.
High availability: configure a redundancy group and session synchronization so that the standby takes over seamlessly on failure.
Active/standby selection: set member port priorities on the aggregate interface. For example, give the interface connected to Core 1 a higher priority so that it is automatically selected as the "active" device.
Failure linkage: configure the redundancy group and Track for fault detection so that the whole chassis switches over.
Create bridges: create a corresponding Layer 2 bridge group on the firewall for each VLAN.
Traffic path handling: after traffic enters the firewall through the internal interfaces, how it is handled depends on your switch version:
Newer switches (recommended): use the switch's traffic diversion policy to redirect the specified VLANs' traffic to the inline interface connected to the firewall card; after processing, the firewall returns it to the switch on the same path for further forwarding.
Older switches (alternative): use cross-VLAN bridging; traffic enters the firewall from the associated VLAN and, after processing, is mapped back to the original service VLAN and sent back to the original Layer 3 gateway on the source switch for routing.
Permit configuration: permit the traffic with policies in the final security zones (for example Trust to Untrust).
When troubleshooting a connectivity failure, first disable session synchronization so that traffic passes through only one device, ruling out cross-chassis packet loss caused by session synchronization.
Version consistency: the active and standby firewalls must run the same software and hardware versions.
Layer 3 isolation: be sure to configure port-isolate enable on the Layer 3 interfaces to prevent traffic from bypassing the firewall and being forwarded locally.
VLAN transit: every diverted Layer 2 VLAN must be permitted on the inline interfaces between the core and the firewall.