华为防火墙热备的案例.doc

在核心交换机不做堆叠的情况下防火墙热备的案例1、 需求分析 数据中心建设高可用的网络架构，但是考虑到成本和运维，想选择一种经济实惠但是稳定可靠的架构2、 设计思路 1.为了节约公网IP地址所以在防火墙接口上面配置IP地址为内网地址，同时将公网IP地址设置成为VRRP组中的虚拟地址 2.在防火墙A和防火墙B上使用双链路做聚合，再将聚合端口配置好IP地址加入到HRP安全域中并指为HRP心跳检测端口 3.核心交换机A和核心交换机B使用多链路做聚合，再将聚合端口配置为trunk属性透传业务vlan，在核心交换机A上配置业务VLAN的网关并为VRRP组中的master 在核心交换机B上配置vlan的网关并作为VRRP组中的slave同时交换机上的DHCP分配都采用全局地址池的方式并指定虚拟IP地址为业务网关。 4.核心交换机与接入交换机之间采用多链路互联，并部署MSTP保证二层链路的冗余（如果考虑到业务的负载均衡可以将不同的vlan划分到不同的mstp实例中去，这里就按单实例部署）5. 正常情况下流量由核心交换机A和防火墙A做处理，当防火墙故障或者核心交换机故障都会触发主备的切换6. 防火墙A上通过配置IP-link监控外网链路或者端口状态同时与HRP主备进行联动（防火墙上的业务端口down了或者失效的情况触发HRP主备切换）7. 核心交换机A上通过配置vrrp组与上行端口进行联动（一旦与防火墙互联的端口down掉或者失效将会触发vrrp主备切换）三、设计拓扑4、 实验拓扑5、 主备切换测试1.正常情况下的流量走向2.主防火墙故障的情况内网一台主机ping外网的测试（掉了几个包，真实情况收敛速度会快点）备防火墙替代主防火墙的业务，快速会话同步防火墙B上的日志（主防火墙down掉，备防火墙承担业务）-%2015-12-23 14:24:27 FW-B %01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/2 has turned into DOWN state.%2015-12-23 14:24:25 FW-B %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : BACKUP changed to MASTER!%2015-12-23 14:24:25 FW-B %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : BACKUP changed to MASTER!%2015-12-23 14:24:25 FW-B %01VGMP/4/STATE(l): Virtual Router Management Group SLAVE : SLAVE - MASTER-防火墙B上的HRP状态-HRP_Mdisplay hrp state14:29:10 2015/12/23 The firewalls config state is: MASTER Current state of virtual routers configured as slave: GigabitEthernet0/0/1 vrid 2 : master (peer down) GigabitEthernet0/0/0 vrid 1 : master (peer down)-防火墙上B的会话表（实时同步防火墙A上的会话表，保证业务的连续性）-HRP_Mdisplay firewall session table14:30:18 2015/12/23 Current Total Sessions : 5 icmp VPN:public - public 53:30527:2092-:2048 icmp VPN:public - public 53:30783:2093-:2048 icmp VPN:public - public 53:31039:2094-:2048 icmp VPN:public - public 53:31295:2095-:2048 icmp VPN:public - public 53:31551:2096-:2048-核心交换A和B上的vrrp主备情况（因为和防火墙A的互联端口联动，如果防火墙A的状态异常会触发核心交换机VRRP组的切换）-display vrrp brief VRID State Interface Type Virtual IP -1 Backup Vlanif2 Normal 3 Backup Vlanif3 Normal 54 4 Backup Vlanif4 Normal 54 -Total:3 Master:0 Backup:3 Non-active:0 display vrrp brief VRID State Interface Type Virtual IP -1 Master Vlanif2 Normal 3 Master Vlanif3 Normal 54 4 Master Vlanif4 Normal 54 -Total:3 -此时的流量走向情况3. 主核心交换机故障的情况 内网主机ping外网测试的情况（由于核心交换机A故障会触发STP的计算，所以收敛速度相比交换机stack和css的速度是要慢点，真实情况会在15秒左右）核心交换机B上的vrrp情况（由于核心交换机A异常，触发核心交换机B抢占VRRP组的master）-dis vrrp brief VRID State Interface Type Virtual IP -1 Master Vlanif2 Normal 3 Master Vlanif3 Normal 54 4 Master Vlanif4 Normal 54 -Total:3 Master:3 Backup:0 Non-active:0 -防火墙A和防火墙B上的HRP主备情况-HRP_M2015-12-23 14:46:28 FW-A %01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/1 has turned into DOWN state.2015-12-23 14:46:28 FW-A %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : MASTER changed to INITIALIZE!2015-12-23 14:46:28 FW-A %01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER - MASTER_TO_SLAVE2015-12-23 14:46:28 FW-A %01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER_TO_SLAVE - SLAVE2015-12-23 14:46:28 FW-A %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : MASTER changed to BACKUP!HRP_SHRP_Sdisplay hrp state14:53:36 2015/12/23 The firewalls config state is: SLAVE Current state of virtual routers configured as master: GigabitEthernet0/0/1 vrid 2 : initialize (down) GigabitEthernet0/0/0 vrid 1 : slaveHRP_Mdisplay hrp state14:55:16 2015/12/23 The firewalls config state is: MASTER Current state of virtual routers configured as slave: GigabitEthernet0/0/1 vrid 2 : master (peer down) GigabitEthernet0/0/0 vrid 1 : master-这种情况下流量的走向情况4. 主链路中断的情况 内网主机ping外网地址时候的情况（让主链路中断的情况下，会触发防火墙的hrp主备切换，但是不会触发核心交换机的vrrp主备切换）防火墙A和防火墙B上的HRP主备情况-HRP_Sdisplay hrp state15:05:39 2015/12/23 The firewalls config state is: SLAVE Current state of virtual routers configured as master: GigabitEthernet0/0/1 vrid 2 : slave GigabitEthernet0/0/0 vrid 1 : initialize (down)HRP_SHRP_Mdisplay hrp state 15:07:00 2015/12/23 The firewalls config state is: MASTER Current state of virtual routers configured as slave: GigabitEthernet0/0/1 vrid 2 : master GigabitEthernet0/0/0 vrid 1 : master (peer down)核心交换机A和核心交换机B的vrrp主备情况-display vrrp brief VRID State Interface Type Virtual IP -1 Master Vlanif2 Normal 3 Master Vlanif3 Normal 54 4 Master Vlanif4 Normal 54 -Total:3 Master:3 Backup:0 Non-active:0 display vrrp brief VRID State Interface Type Virtual IP -1 Backup Vlanif2 Normal 3 Backup Vlanif3 Normal 54 4 Backup Vlanif4 Normal 54 -Total:3 Master:0 Backup:3 Non-active:0 -这种情况下的流量走向 六、设备配置1. 防火墙A配置HRP_Mdisplay current-configuration 15:13:44 2015/12/23#stp region-configuration region-name a07fd81520e0 active region-configuration#interface GigabitEthernet0/0/0 alias GE0/MGMT ip address vrrp vrid 1 virtual-ip master vrrp virtual-mac enable#interface GigabitEthernet0/0/1 ip address vrrp vrid 2 virtual-ip 54 master vrrp virtual-mac enable#interface GigabitEthernet0/0/2 ip address 52#interface GigabitEthernet0/0/3#interface GigabitEthernet0/0/4#interface GigabitEthernet0/0/5#interface GigabitEthernet0/0/6#interface GigabitEthernet0/0/7#interface GigabitEthernet0/0/8#interface NULL0 alias NULL0#firewall zone local set priority 100#firewall zone trust set priority 85 add interface GigabitEthernet0/0/1#firewall zone untrust set priority 5 add interface GigabitEthernet0/0/0#firewall zone dmz set priority 50#firewall zone name hrp set priority 95 add interface GigabitEthernet0/0/2#aaa local-user admin password cipher %$%$wJn:F9OKIC%K%pW81md%$%$ local-user admin service-type web terminal telnet local-user admin level 15 authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default #nqa-jitter tag-version 1# ip route-static ip route-static # banner enable#user-interface con 0 authentication-mode noneuser-interface vty 0 4 authentication-mode none protocol inbound all# slb#right-manager server-group# sysname FW-A# l2tp domain suffix-separator # hrp mirror session enable hrp enable hrp interface GigabitEthernet0/0/2# firewall packet-filter default permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall packet-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone local hrp direction inbound firewall packet-filter default permit interzone local hrp direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone hrp trust direction inbound firewall packet-filter default permit interzone hrp trust direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound firewall packet-filter default permit interzone hrp untrust direction inbound firewall packet-filter default permit interzone hrp untrust direction outbound firewall packet-filter default permit interzone hrp dmz direction inbound firewall packet-filter default permit interzone hrp dmz direction outbound# nat address-group 1 # ip df-unreachables enable# firewall ipv6 session link-state check firewall ipv6 statistic system enable# dns resolve# firewall statistic system enable# pki ocsp response cache refresh interval 0 pki ocsp response cache number 0# undo dns proxy# license-server domain # web-manager enable#nat-policy interzone trust untrust outbound policy 0 action source-nat policy source mask 24 policy source mask 24 address-group 1#returnHRP_M 2. 防火墙B配置HRP_Sdisplay current-configuration 15:15:31 2015/12/23#stp region-configuration region-name 3070d815b0d0 active region-configuration#interface GigabitEthernet0/0/0 alias GE0/MGMT ip address vrrp vrid 1 virtual-ip slave vrrp virtual-mac enable#interface GigabitEthernet0/0/1 ip address vrrp vrid 2 virtual-ip 54 slave vrrp virtual-mac enable#interface GigabitEthernet0/0/2 ip address 52#interface GigabitEthernet0/0/3#interface GigabitEthernet0/0/4#interface GigabitEthernet0/0/5#interface GigabitEthernet0/0/6#interface GigabitEthernet0/0/7#interface GigabitEthernet0/0/8#interface NULL0 alias NULL0#firewall zone local set priority 100#firewall zone trust set priority 85 add interface GigabitEthernet0/0/1#firewall zone untrust set priority 5 add interface GigabitEthernet0/0/0#firewall zone dmz set priority 50#firewall zone name hrp set priority 95 add interface GigabitEthernet0/0/2#aaa local-user admin password cipher %$%$e3G/FGNE=,yOG1cZQ%$%$ local-user admin service-type web terminal telnet local-user admin level 15 authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default #nqa-jitter tag-version 1# ip route-static ip route-static # banner enable#user-interface con 0 authentication-mode noneuser-interface vty 0 4 authentication-mode none protocol inbound all# slb#right-manager server-group# sysname FW-B# l2tp domain suffix-separator # hrp mirror session enable hrp enable hrp interface GigabitEthernet0/0/2# firewall packet-filter default permit interzone local trust direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inbound firewall packet-filter default permit interzone local untrust direction outbound firewall packet-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzone local dmz direction outbound firewall packet-filter default permit interzone local hrp direction inbound firewall packet-filter default permit interzone local hrp direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall packet-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone hrp trust direction inbound firewall packet-filter default permit interzone hrp trust direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound firewall packet-filter default permit interzone hrp untrust direction inbound firewall packet-filter default permit interzone hrp untrust direction outbound firewall packet-filter default permit interzone hrp dmz direction inbound firewall packet-filter default permit interzone hrp dmz direction outbound# nat address-group 1 # ip df-unreachables enable# firewall ipv6 session link-state check firewall ipv6 statistic system enable# dns resolve# firewall statistic system enable# pki ocsp response cache refresh interval 0 pki ocsp response cache number 0# undo dns proxy# license-server domain # web-manager enable#nat-policy interzone trust untrust outbound policy 0 action source-nat policy source mask 24 policy source mask 24 address-group 1#returnHRP_S3. 核心交换机A配置display current-configuration #sysname Core-A#vlan batch 2 to 4#cluster enablentdp enablendp enable#drop illegal-mac alarm#dhcp enable#diffserv domain default#drop-profile default#ip pool 3 gateway-list 54 network mask #ip pool 4 gateway-list 54 network mask #aaa authentication-scheme default authorization-scheme default accounting-scheme default domain default domain default_admin local-user admin password simple admin local-user admin service-type http#interface Vlanif2 ip address vrrp vrid 1 virtual-ip vrrp vrid 1 priority 120 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 30#interface Vlanif3 ip address vrrp vrid 3 virtual-ip 54 vrrp vrid 3 priority 120 vrrp vrid 3 track interface GigabitEthernet0/0/1 reduced 30 dhcp select global#interface Vlanif4 ip address vrrp vrid 4 virtual-ip 54 vrrp vrid 4 priority 120 vrrp vrid 4 track interface GigabitEthernet0/0/1 reduced 30 dhcp select global#interface MEth0/0/1#interface GigabitEthernet0/0/1 port link-type access port default vlan 2#