Firewall hot standby without stacking the core switches: a case study

1. Requirements analysis

The data center needs a highly available network architecture, but cost and day-to-day operations argue for a design that is economical while still stable and reliable.

2. Design approach

 1. To save public IP addresses, the firewall interfaces themselves are configured with internal (private) addresses, and the public IP address is configured as the virtual address of the VRRP group.
 2. On firewall A and firewall B, two links are bundled into an aggregated port; the aggregated port is given an IP address, added to the HRP security zone, and designated as the HRP heartbeat interface.
 3. Core switch A and core switch B are interconnected with an aggregated multi-link port configured as a trunk that carries the business VLANs. Core switch A holds the business VLAN gateways and is master of the VRRP groups; core switch B holds the same VLAN gateways and is slave (backup) of the VRRP groups. DHCP on both switches uses global address pools, with the VRRP virtual IP address as the business gateway.
 4. Core switches and access switches are interconnected with multiple links, and MSTP provides Layer 2 link redundancy (for load balancing, different VLANs could be mapped to different MSTP instances; here a single instance is used).
 5. Under normal conditions traffic is handled by core switch A and firewall A; a firewall failure or a core switch failure triggers a master/backup switchover.
 6. On firewall A, IP-link monitors the state of the external link or port and is linked with HRP master/backup (a business port on the firewall going down or failing triggers an HRP switchover).
 7. On core switch A, the VRRP group tracks the uplink port (if the port connected to the firewall goes down or fails, a VRRP master/backup switchover is triggered).

3. Design topology

[figure]

4. Lab topology

[figure]

5. Master/backup switchover tests

5.1 Traffic flow under normal conditions

[figure]

5.2 Primary firewall failure

Ping test from an internal host to the Internet (a few packets were lost; in a real deployment convergence would be somewhat faster). The backup firewall takes over the primary firewall's traffic, with fast session synchronization.

Log on firewall B (the primary firewall is down and the backup takes over the traffic):

%2015-12-23 14:24:27 FW-B %01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/2 has turned into DOWN state.
%2015-12-23 14:24:25 FW-B %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : BACKUP changed to MASTER!
%2015-12-23 14:24:25 FW-B %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : BACKUP changed to MASTER!
%2015-12-23 14:24:25 FW-B %01VGMP/4/STATE(l): Virtual Router Management Group SLAVE : SLAVE - MASTER

HRP state on firewall B:

HRP_M display hrp state
14:29:10 2015/12/23
The firewalls config state is: MASTER
Current state of virtual routers configured as slave:
 GigabitEthernet0/0/1 vrid 2 : master (peer down)
 GigabitEthernet0/0/0 vrid 1 : master (peer down)

Session table on firewall B (synchronized in real time from firewall A, preserving business continuity):

HRP_M display firewall session table
14:30:18 2015/12/23
Current Total Sessions : 5
 icmp VPN:public - public 53:30527:2092-:2048
 icmp VPN:public - public 53:30783:2093-:2048
 icmp VPN:public - public 53:31039:2094-:2048
 icmp VPN:public - public 53:31295:2095-:2048
 icmp VPN:public - public 53:31551:2096-:2048

VRRP master/backup state on core switches A and B (because the interconnect port to firewall A is tracked, an abnormal state on firewall A triggers a switchover of the core switch VRRP groups):

Core switch A:
display vrrp brief
VRID  State   Interface  Type    Virtual IP
1     Backup  Vlanif2    Normal
3     Backup  Vlanif3    Normal  54
4     Backup  Vlanif4    Normal  54
Total:3  Master:0  Backup:3  Non-active:0

Core switch B:
display vrrp brief
VRID  State   Interface  Type    Virtual IP
1     Master  Vlanif2    Normal
3     Master  Vlanif3    Normal  54
4     Master  Vlanif4    Normal  54
Total:3

Traffic flow in this state:

[figure]

5.3 Primary core switch failure

Ping test from an internal host to the Internet (a failure of core switch A triggers an STP recalculation, so convergence is slower than with switch stacking or CSS; in a real deployment it takes about 15 seconds).

VRRP state on core switch B (core switch A has failed, so core switch B preempts as master of the VRRP groups):

dis vrrp brief
VRID  State   Interface  Type    Virtual IP
1     Master  Vlanif2    Normal
3     Master  Vlanif3    Normal  54
4     Master  Vlanif4    Normal  54
Total:3  Master:3  Backup:0  Non-active:0

HRP master/backup state on firewall A and firewall B:

2015-12-23 14:46:28 FW-A %01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/1 has turned into DOWN state.
2015-12-23 14:46:28 FW-A %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : MASTER changed to INITIALIZE!
2015-12-23 14:46:28 FW-A %01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER - MASTER_TO_SLAVE
2015-12-23 14:46:28 FW-A %01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER_TO_SLAVE - SLAVE
2015-12-23 14:46:28 FW-A %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : MASTER changed to BACKUP!

Firewall A:
HRP_S display hrp state
14:53:36 2015/12/23
The firewalls config state is: SLAVE
Current state of virtual routers configured as master:
 GigabitEthernet0/0/1 vrid 2 : initialize (down)
 GigabitEthernet0/0/0 vrid 1 : slave

Firewall B:
HRP_M display hrp state
14:55:16 2015/12/23
The firewalls config state is: MASTER
Current state of virtual routers configured as slave:
 GigabitEthernet0/0/1 vrid 2 : master (peer down)
 GigabitEthernet0/0/0 vrid 1 : master

Traffic flow in this state:

[figure]

5.4 Primary link interruption

Ping test from an internal host to an external address (interrupting the primary link triggers the firewall HRP master/backup switchover, but does not trigger the core switch VRRP master/backup switchover).

HRP master/backup state on firewall A and firewall B:

Firewall A:
HRP_S display hrp state
15:05:39 2015/12/23
The firewalls config state is: SLAVE
Current state of virtual routers configured as master:
 GigabitEthernet0/0/1 vrid 2 : slave
 GigabitEthernet0/0/0 vrid 1 : initialize (down)

Firewall B:
HRP_M display hrp state
15:07:00 2015/12/23
The firewalls config state is: MASTER
Current state of virtual routers configured as slave:
 GigabitEthernet0/0/1 vrid 2 : master
 GigabitEthernet0/0/0 vrid 1 : master (peer down)

VRRP master/backup state on core switch A and core switch B:

Core switch A:
display vrrp brief
VRID  State   Interface  Type    Virtual IP
1     Master  Vlanif2    Normal
3     Master  Vlanif3    Normal  54
4     Master  Vlanif4    Normal  54
Total:3  Master:3  Backup:0  Non-active:0

Core switch B:
display vrrp brief
VRID  State   Interface  Type    Virtual IP
1     Backup  Vlanif2    Normal
3     Backup  Vlanif3    Normal  54
4     Backup  Vlanif4    Normal  54
Total:3  Master:0  Backup:3  Non-active:0

Traffic flow in this state:

[figure]

6. Device configuration

6.1 Firewall A configuration

HRP_M display current-configuration
15:13:44 2015/12/23
#
stp region-configuration
 region-name a07fd81520e0
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address
 vrrp vrid 1 virtual-ip master
 vrrp virtual-mac enable
#
interface GigabitEthernet0/0/1
 ip address
 vrrp vrid 2 virtual-ip 54 master
 vrrp virtual-mac enable
#
interface GigabitEthernet0/0/2
 ip address 52
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
#
firewall zone name hrp
 set priority 95
 add interface GigabitEthernet0/0/2
#
aaa
 local-user admin password cipher %$%$wJn:F9OKIC%K%pW81md%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
nqa-jitter tag-version 1
#
 ip route-static
 ip route-static
#
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname FW-A
#
 l2tp domain suffix-separator
#
 hrp mirror session enable
 hrp enable
 hrp interface GigabitEthernet0/0/2
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local hrp direction inbound
 firewall packet-filter default permit interzone local hrp direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone hrp trust direction inbound
 firewall packet-filter default permit interzone hrp trust direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone hrp untrust direction inbound
 firewall packet-filter default permit interzone hrp untrust direction outbound
 firewall packet-filter default permit interzone hrp dmz direction inbound
 firewall packet-filter default permit interzone hrp dmz direction outbound
#
 nat address-group 1
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy
#
 license-server domain
#
 web-manager enable
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source mask 24
  policy source mask 24
  address-group 1
#
return

6.2 Firewall B configuration

HRP_S display current-configuration
15:15:31 2015/12/23
#
stp region-configuration
 region-name 3070d815b0d0
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address
 vrrp vrid 1 virtual-ip slave
 vrrp virtual-mac enable
#
interface GigabitEthernet0/0/1
 ip address
 vrrp vrid 2 virtual-ip 54 slave
 vrrp virtual-mac enable
#
interface GigabitEthernet0/0/2
 ip address 52
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
#
firewall zone name hrp
 set priority 95
 add interface GigabitEthernet0/0/2
#
aaa
 local-user admin password cipher %$%$e3G/FGNE=,yOG1cZQ%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
#
nqa-jitter tag-version 1
#
 ip route-static
 ip route-static
#
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname FW-B
#
 l2tp domain suffix-separator
#
 hrp mirror session enable
 hrp enable
 hrp interface GigabitEthernet0/0/2
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local hrp direction inbound
 firewall packet-filter default permit interzone local hrp direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone hrp trust direction inbound
 firewall packet-filter default permit interzone hrp trust direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone hrp untrust direction inbound
 firewall packet-filter default permit interzone hrp untrust direction outbound
 firewall packet-filter default permit interzone hrp dmz direction inbound
 firewall packet-filter default permit interzone hrp dmz direction outbound
#
 nat address-group 1
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy
#
 license-server domain
#
 web-manager enable
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source mask 24
  policy source mask 24
  address-group 1
#
return

6.3 Core switch A configuration

display current-configuration
#
 sysname Core-A
#
vlan batch 2 to 4
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
ip pool 3
 gateway-list 54
 network mask
#
ip pool 4
 gateway-list 54
 network mask
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif2
 ip address
 vrrp vrid 1 virtual-ip
 vrrp vrid 1 priority 120
 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 30
#
interface Vlanif3
 ip address
 vrrp vrid 3 virtual-ip 54
 vrrp vrid 3 priority 120
 vrrp vrid 3 track interface GigabitEthernet0/0/1 reduced 30
 dhcp select global
#
interface Vlanif4
 ip address
 vrrp vrid 4 virtual-ip 54
 vrrp vrid 4 priority 120
 vrrp vrid 4 track interface GigabitEthernet0/0/1 reduced 30
 dhcp select global
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#

[The core switch A configuration is cut off here in the source document.]
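To make the switchover results in section 5 checkable by a monitoring script instead of by eye, the following Python is an added example (not part of the original case study): it parses the VRRP and VGMP syslog lines the firewalls printed, reports which unit ended as HRP master and which business interface went down, and works out from the Core-A settings in section 6.3 ("priority 120", "track interface GigabitEthernet0/0/1 reduced 30") which core switch should own the VRRP groups. The sample log text is constructed from the lines in section 5, and Core-B's priority of 100 (the VRRP default, not shown in the document) is an assumption.

```python
import re

# Constructed sample: four syslog lines copied from the switchover tests in section 5.
SAMPLE_LOG = """\
%2015-12-23 14:24:25 FW-B %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : BACKUP changed to MASTER!
%2015-12-23 14:24:25 FW-B %01VGMP/4/STATE(l): Virtual Router Management Group SLAVE : SLAVE - MASTER
2015-12-23 14:46:28 FW-A %01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : MASTER changed to INITIALIZE!
2015-12-23 14:46:28 FW-A %01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER_TO_SLAVE - SLAVE
"""
HEAD = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
# VRRP instance transition on one interface (BACKUP -> MASTER, MASTER -> INITIALIZE, ...)
VRRP_RE = re.compile(HEAD + r"%01VRRP/4/STATEWARNING\(l\): Interface: (?P<intf>[^,]+), "
                     r"Virtual Router (?P<vrid>\d+) : (?P<old>\w+) changed to (?P<new>\w+)!")
# VGMP group transition; this is the role that 'display hrp state' reports for the whole firewall
VGMP_RE = re.compile(HEAD + r"%01VGMP/4/STATE\(l\): Virtual Router Management Group "
                     r"\w+ : (?P<old>\w+) - (?P<new>\w+)")

def parse_events(text):
    """One dict per VRRP/VGMP transition found in the log text, in log order."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("vrrp", VRRP_RE), ("vgmp", VGMP_RE)):
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def final_roles(events):
    """Last VGMP role seen per firewall, e.g. {'FW-B': 'MASTER', 'FW-A': 'SLAVE'}."""
    roles = {}
    for e in events:
        if e["kind"] == "vgmp":
            roles[e["host"]] = e["new"]
    return roles

def downed_interfaces(events):
    """Business interfaces whose VRRP instance went to INITIALIZE (the link itself is down)."""
    return sorted((e["host"], e["intf"]) for e in events
                  if e["kind"] == "vrrp" and e["new"] == "INITIALIZE")

def vrrp_effective_priority(configured, reduced, tracked_up):
    """Priority a switch advertises: lowered by 'reduced' while the tracked uplink is down."""
    return configured if tracked_up else configured - reduced

def expected_core_master(uplink_a_up, core_b_priority=100):
    """Core-A: priority 120 with 'track interface GigabitEthernet0/0/1 reduced 30' (section 6.3).
    Core-B's priority is not shown in the document; 100 (the VRRP default) is assumed here."""
    core_a = vrrp_effective_priority(120, 30, uplink_a_up)
    return "Core-A" if core_a > core_b_priority else "Core-B"
```

With the uplink to firewall A down, Core-A advertises 120 - 30 = 90, which is below the assumed 100 on Core-B, so Core-B takes the master role exactly as the section 5.2 output shows.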