Resource description
A case study of firewall hot standby (HRP) with non-stacked core switches
I. Requirements analysis
The data center needs a highly available network architecture, but given cost and operational constraints, the goal is an economical yet stable and reliable design.
II. Design approach
1. To conserve public IP addresses, the firewall interfaces are configured with private (internal) addresses, and the public IP address is configured as the virtual address of the VRRP group.
2. Firewall A and firewall B are connected by two links bundled into an aggregation; the aggregate port is assigned an IP address, added to the HRP security zone and designated as the HRP heartbeat interface.
3. Core switch A and core switch B are connected by multiple links bundled into an aggregation; the aggregate port is configured as a trunk carrying the business VLANs. The business VLAN gateways are configured on core switch A as the VRRP master and on core switch B as the VRRP slave (backup). DHCP on the switches uses global address pools, with the VRRP virtual IP address specified as the business gateway.
4. The core switches and access switches are interconnected by multiple links, with MSTP deployed to provide Layer 2 link redundancy (if load balancing is required, different VLANs can be mapped to different MSTP instances; a single instance is used here).
5. Under normal conditions, traffic is handled by core switch A and firewall A; a firewall failure or a core switch failure triggers a master/backup switchover.
6. Firewall A is configured with IP-link to monitor the external link or port state, linked with HRP master/backup: a down or failed business port on the firewall triggers an HRP master/backup switchover.
7. The VRRP group on core switch A is configured to track the uplink port: if the port connected to the firewall goes down or fails, a VRRP master/backup switchover is triggered.
III. Design topology
IV. Lab topology
V. Master/backup switchover tests
1. Traffic path under normal conditions
2. Primary firewall failure
Ping test from an internal host to the external network (a few packets were lost; convergence would be faster in a real deployment)
The backup firewall takes over the primary firewall's traffic, with fast session synchronization.
Log on firewall B (the primary firewall went down and the backup firewall took over the traffic)
------------------------------------------------------------------------------------------------------------------------
%2015-12-23 14:24:27 FW-B %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/2 has turned into DOWN state.
%2015-12-23 14:24:25 FW-B %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : BACKUP changed to MASTER!
%2015-12-23 14:24:25 FW-B %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : BACKUP changed to MASTER!
%2015-12-23 14:24:25 FW-B %%01VGMP/4/STATE(l): Virtual Router Management Group SLAVE : SLAVE --> MASTER
-------------------------------------------------------------------------------------------------------------------------
HRP state on firewall B
------------------------------------------------------------------------------------------------------------------------
HRP_M<FW-B>display hrp state
14:29:10 2015/12/23
The firewall's config state is: MASTER
Current state of virtual routers configured as slave:
GigabitEthernet0/0/1 vrid 2 : master (peer down)
GigabitEthernet0/0/0 vrid 1 : master (peer down)
------------------------------------------------------------------------------------------------------------------------
Session table on firewall B (synchronized in real time from firewall A to ensure service continuity)
----------------------------------------------------------------------------------------------------------------------
HRP_M<FW-B>display firewall session table
14:30:18 2015/12/23
Current Total Sessions : 5
icmp VPN:public --> public 192.168.3.253:30527[222.222.222.2:2092]-->222.222.222.1:2048
icmp VPN:public --> public 192.168.3.253:30783[222.222.222.2:2093]-->222.222.222.1:2048
icmp VPN:public --> public 192.168.3.253:31039[222.222.222.2:2094]-->222.222.222.1:2048
icmp VPN:public --> public 192.168.3.253:31295[222.222.222.2:2095]-->222.222.222.1:2048
icmp VPN:public --> public 192.168.3.253:31551[222.222.222.2:2096]-->222.222.222.1:2048
------------------------------------------------------------------------------------------------------------------------
VRRP master/backup state on core switches A and B (because the VRRP group tracks the interconnect port to firewall A, an abnormal state on firewall A triggers a switchover of the core switches' VRRP groups)
--------------------------------------------------------------------------------------------------------------------------------
<Core-A>display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif2 Normal 10.0.0.1
3 Backup Vlanif3 Normal 192.168.3.254
4 Backup Vlanif4 Normal 192.168.4.254
----------------------------------------------------------------
Total:3 Master:0 Backup:3 Non-active:0
<Core-A>
<Core-B>display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif2 Normal 10.0.0.1
3 Master Vlanif3 Normal 192.168.3.254
4 Master Vlanif4 Normal 192.168.4.254
----------------------------------------------------------------
Total:3
----------------------------------------------------------------------------------------------------------------------------
Traffic path at this point
3. Primary core switch failure
Ping test from an internal host to the external network (a failure of core switch A triggers an STP recalculation, so convergence is slower than with switch stacking or CSS; in a real deployment it takes about 15 seconds)
VRRP state on core switch B (core switch A failed, so core switch B preempted the master role in the VRRP groups)
------------------------------------------------------------------------------------------------------------------------------
<Core-B>dis vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif2 Normal 10.0.0.1
3 Master Vlanif3 Normal 192.168.3.254
4 Master Vlanif4 Normal 192.168.4.254
----------------------------------------------------------------
Total:3 Master:3 Backup:0 Non-active:0
-------------------------------------------------------------------------------------------------------------------------------
HRP master/backup state on firewalls A and B
------------------------------------------------------------------------------------------------------------------------------
HRP_M<FW-A>
2015-12-23 14:46:28 FW-A %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/1 has turned into DOWN state.
2015-12-23 14:46:28 FW-A %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2 : MASTER changed to INITIALIZE!
2015-12-23 14:46:28 FW-A %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER --> MASTER_TO_SLAVE
2015-12-23 14:46:28 FW-A %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER : MASTER_TO_SLAVE --> SLAVE
2015-12-23 14:46:28 FW-A %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1 : MASTER changed to BACKUP!
HRP_S<FW-A>
HRP_S<FW-A>display hrp state
14:53:36 2015/12/23
The firewall's config state is: SLAVE
Current state of virtual routers configured as master:
GigabitEthernet0/0/1 vrid 2 : initialize (down)
GigabitEthernet0/0/0 vrid 1 : slave
HRP_M<FW-B>display hrp state
14:55:16 2015/12/23
The firewall's config state is: MASTER
Current state of virtual routers configured as slave:
GigabitEthernet0/0/1 vrid 2 : master (peer down)
GigabitEthernet0/0/0 vrid 1 : master
-------------------------------------------------------------------------------------------------------------------------
Traffic path in this case
4. Primary link failure
Ping test from an internal host to an external address (a failure of the primary link triggers an HRP master/backup switchover on the firewalls, but does not trigger a VRRP master/backup switchover on the core switches)
HRP master/backup state on firewalls A and B
-------------------------------------------------------------------------------------------------------------------------------
HRP_S<FW-A>display hrp state
15:05:39 2015/12/23
The firewall's config state is: SLAVE
Current state of virtual routers configured as master:
GigabitEthernet0/0/1 vrid 2 : slave
GigabitEthernet0/0/0 vrid 1 : initialize (down)
HRP_S<FW-A>
HRP_M<FW-B>display hrp state
15:07:00 2015/12/23
The firewall's config state is: MASTER
Current state of virtual routers configured as slave:
GigabitEthernet0/0/1 vrid 2 : master
GigabitEthernet0/0/0 vrid 1 : master (peer down)
VRRP master/backup state on core switches A and B
---------------------------------------------------------------------------------------------------------------------------------
<Core-A>display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master Vlanif2 Normal 10.0.0.1
3 Master Vlanif3 Normal 192.168.3.254
4 Master Vlanif4 Normal 192.168.4.254
----------------------------------------------------------------
Total:3 Master:3 Backup:0 Non-active:0
<Core-B>display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif2 Normal 10.0.0.1
3 Backup Vlanif3 Normal 192.168.3.254
4 Backup Vlanif4 Normal 192.168.4.254
----------------------------------------------------------------
Total:3 Master:0 Backup:3 Non-active:0
<Core-B>
---------------------------------------------------------------------------------------------------------------------------------
Traffic path in this case
VI. Device configuration
1. Firewall A configuration
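As an added check that is not part of the original case study, the following Python script parses `display vrrp brief` and `display hrp state` captures like the ones above and verifies what each switchover test expects: exactly one core switch is Master for every VRID and exactly one firewall is HRP MASTER. A dual master (split-brain) or a VRID with no master is reported. The embedded sample captures are constructed from the outputs above; the device names are the ones used on this page.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the captures above (primary firewall failure test):
# Core-A is Backup for every VRID, Core-B is Master; FW-A is SLAVE, FW-B is MASTER.
CORE_A = """<Core-A>display vrrp brief
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup Vlanif2 Normal 10.0.0.1
3 Backup Vlanif3 Normal 192.168.3.254
4 Backup Vlanif4 Normal 192.168.4.254
----------------------------------------------------------------
Total:3 Master:0 Backup:3 Non-active:0
"""
CORE_B = CORE_A.replace("Core-A", "Core-B").replace("Backup", "Master")  # Master-side copy
FW_A = "The firewall's config state is: SLAVE\n"
FW_B = "The firewall's config state is: MASTER\n"

VRRP_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s*$", re.M)  # VRID State Intf Type VIP
HRP_STATE = re.compile(r"config state is: (\w+)")

def parse_vrrp_brief(text):
    """Map VRID -> (state, interface, virtual IP) from one `display vrrp brief` capture."""
    return {int(v): (st, ifc, vip) for v, st, ifc, vip in VRRP_ROW.findall(text)}

def check_vrrp(outputs):
    """outputs: {switch name: capture}. Each VRID must have exactly one Master across the pair."""
    states = defaultdict(dict)
    for dev, text in outputs.items():
        for vrid, (state, _, _) in parse_vrrp_brief(text).items():
            states[vrid][dev] = state
    problems = []
    for vrid in sorted(states):
        masters = sorted(d for d, s in states[vrid].items() if s == "Master")
        if len(masters) > 1:
            problems.append(f"VRID {vrid}: dual master on {', '.join(masters)}")
        elif not masters:
            problems.append(f"VRID {vrid}: no master")
    return problems

def hrp_config_state(text):
    """Return MASTER/SLAVE from a `display hrp state` capture, or None if absent."""
    m = HRP_STATE.search(text)
    return m.group(1) if m else None

def check_hrp(outputs):
    """outputs: {firewall name: capture}. Exactly one firewall must be HRP MASTER."""
    masters = sorted(fw for fw, t in outputs.items() if hrp_config_state(t) == "MASTER")
    return [] if len(masters) == 1 else [f"HRP: expected one MASTER, found {masters or 'none'}"]
```

Run it after each test by pasting the two switches' and two firewalls' captures into the dictionaries; an empty list from both checks means the switchover left the pair in a consistent state.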
HRP_M<FW-A>display current-configuration
15:13:44 2015/12/23
#
stp region-configuration
region-name a07fd81520e0
active region-configuration
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 172.31.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 222.222.222.2 255.255.255.0 master
vrrp virtual-mac enable
#
interface GigabitEthernet0/0/1
ip address 10.0.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.0.0.254 master
vrrp virtual-mac enable
#
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.252
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall zone name hrp
set priority 95
add interface GigabitEthernet0/0/2
#
aaa
local-user admin password cipher %$%$wJn>:F9}OK>IC%K%pW8"1md[%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 192.168.3.0 255.255.255.0 10.0.0.1
ip route-static 192.168.4.0 255.255.255.0 10.0.0.1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW-A
#
l2tp domain suffix-separator @
#
hrp mirror session enable
hrp enable
hrp interface GigabitEthernet0/0/2
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local hrp direction inbound
firewall packet-filter default permit interzone local hrp direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone hrp trust direction inbound
firewall packet-filter default permit interzone hrp trust direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone hrp untrust direction inbound
firewall packet-filter default permit interzone hrp untrust direction outbound
firewall packet-filter default permit interzone hrp dmz direction inbound
firewall packet-filter default permit interzone hrp dmz direction outbound
#
nat address-group 1 222.222.222.2 222.222.222.2
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain
#
web-manager enable
#
nat-policy interzone trust untrust outbound
policy 0
action source-nat
policy source 192.168.3.0 mask 24
policy source 192.168.4.0 mask 24
address-group 1
#
return
HRP_M<FW-A>
2. Firewall B configuration
HRP_S<FW-B>display current-configuration
15:15:31 2015/12/23
#
stp region-configuration
region-name 3070d815b0d0
active region-configuration
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 172.31.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 222.222.222.2 255.255.255.0 slave
vrrp virtual-mac enable
#
interface GigabitEthernet0/0/1
ip address 10.0.0.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.0.0.254 slave
vrrp virtual-mac enable
#
interface GigabitEthernet0/0/2
ip address 1.1.1.2 255.255.255.252
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall zone name hrp
set priority 95
add interface GigabitEthernet0/0/2
#
aaa
local-user admin password cipher %$%$e~3G@/}FG"N@E]=,y}OG1cZQ%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 192.168.3.0 255.255.255.0 10.0.0.1
ip route-static 192.168.4.0 255.255.255.0 10.0.0.1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW-B
#
l2tp domain suffix-separator @
#
hrp mirror session enable
hrp enable
hrp interface GigabitEthernet0/0/2
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone loca