NGFW Hot Standby: Layer 3 Interfaces Connected to Switches Upstream and Downstream

1 Layer 3 interfaces connected to switches on both the upstream and downstream sides

1.1 Topology (active/standby mode)

1.2 Base configuration

Device   VLAN   Interfaces
SW1      10     GE0/0/1, GE0/0/2, GE0/0/3
SW1      20     GE0/0/4, GE0/0/5, GE0/0/6

(The SW1 MAC table captured in 1.4 reports GE0/0/4 and GE0/0/6 in VLAN 11 rather than 20; whichever ID is used, the three ports on the 10.1.1.0/24 side must share one VLAN.)


Device    Interface        Address
FW1       GE0/0/0          192.168.0.10/24
FW1       GE1/0/0          10.1.1.10/24
FW1       GE1/0/1          202.100.1.10/24
FW1       GE1/0/2          172.16.1.10/24
FW2       GE0/0/0          192.168.0.11/24
FW2       GE1/0/0          10.1.1.11/24
FW2       GE1/0/1          202.100.1.11/24
FW2       GE1/0/2          172.16.1.11/24
R1        GE0/0/0          202.100.1.254
PC1       Ethernet0/0/1    10.1.1.1/24
MGMT_PC   Ethernet0/0/1    192.168.1.100/24

On each firewall GE0/0/0 is the management port, GE1/0/0 faces PC1 (trust), GE1/0/1 faces R1 (untrust) and GE1/0/2 is the heartbeat link used in 1.3.


1.3 Hot standby configuration

# FW1

1. Configure VRRP group 1

[FW1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 202.100.1.100 active

2. Configure VRRP group 2

[FW1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.254 active

3. Configure the heartbeat interface

[FW1]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.11

4. Enable HRP

[FW1]hrp enable

# FW2

1. Configure VRRP group 1

[FW2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 202.100.1.100 standby

2. Configure VRRP group 2

[FW2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.254 standby

3. Configure the heartbeat interface

[FW2]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.10

4. Enable HRP

[FW2]hrp enable

Only the VRRP and HRP commands are shown; the interface addresses from 1.2 and the security-zone membership of each interface are assumed to be configured already. The virtual addresses are identical on both firewalls and only the active/standby keyword differs. The heartbeat link carries configuration and session backups between the two devices, so it should be a dedicated link that nothing else can reach.

1.4 Observed behaviour

1. The logs show that the state machines of FW1 and FW2 both go from initial to abnormal(standby) first (the abnormal states are standby and active), and finally from abnormal(standby) to normal, which is the load-balance state.

[FW1]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW1]
Sep 12 2022 07:06:22 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:22 FW1 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
HRP_S[FW1]
Sep 12 2022 07:06:29 FW1 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-04-7f-d2, peer device ID is 00-e0-fc-8a-6d-ae.
Sep 12 2022 07:06:29 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:06:29 FW1 %%01HRPI/4/CORE_STATE(l)[6]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)
[FW2]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW2]
Sep 12 2022 07:06:26 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:26 FW2 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:26 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:06:26 FW2 %%01HRPI/4/CORE_STATE(l)[6]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)

2. Check the HRP state: both devices run with the same priority; FW1's role is active (master device) and FW2's role is standby (backup device), which is also what the HRP_M and HRP_S prompts show. Note that the device role "standby" is not the same thing as the state-machine state abnormal(standby).

HRP_M[FW1]display  hrp  state
2022-09-12 07:16:54.530 
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 10 minutes
 Last state change information: 2022-09-12 7:06:29 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.
HRP_S[FW2]display  hrp state
2022-09-12 07:20:16.980 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 13 minutes
 Last state change information: 2022-09-12 7:06:29 HRP link changes to up.

3. Configure a security policy permitting traffic from trust to untrust. It can only be configured on FW1 and is synchronized to FW2 automatically; the (+B) suffix marks each command that is backed up to the peer.

HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name pc (+B)
HRP_M[FW1-policy-security-rule-pc]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-pc]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-pc]action permit (+B)

4. Ping R1 from PC1 and capture on SW1's GE0/0/4: FW1 sends gratuitous ARP announcing the virtual gateway 10.1.1.254. In SW1's MAC table below, 0000-5e00-0102 is the VRRP virtual MAC for VRID 2 (the standard form is 0000-5e00-01xx with xx = VRID) and is learned on GE0/0/4 next to FW1's own GE1/0/0 MAC 00e0-fc04-7fd3, so the switch forwards frames for the gateway to FW1 only.

[Packet capture on SW1 GE0/0/4, screenshot not preserved: gratuitous ARP from FW1 for 10.1.1.254]


[SW1]display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  
               VSI/SI                                              MAC-Tunnel  
-------------------------------------------------------------------------------
0050-56c0-0001 10          -      -      GE0/0/3         dynamic   0/-         
00e0-fc8a-6dae 10          -      -      GE0/0/2         dynamic   0/-         
00e0-fc04-7fd2 10          -      -      GE0/0/1         dynamic   0/-         
0000-5e00-0102 11          -      -      GE0/0/4         dynamic   0/-
00e0-fc04-7fd3 11          -      -      GE0/0/4         dynamic   0/-         
5489-98d4-4b44 11          -      -      GE0/0/6         dynamic   0/-         
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 6 

5. Run ping with the -t option, then disconnect SW2's GE0/0/1 and observe. (SW2 is the upstream switch between the firewalls' GE1/0/1 interfaces and R1; its GE0/0/1 is the port facing FW1, which is why FW1 logs GigabitEthernet1/0/1 going down.) PC1 loses two packets; FW2 becomes the master device, its state machine going from normal (load-balance) to abnormal(active), while FW1 goes from normal (load-balance) to abnormal(standby). The logs show the mechanism: the VRRP group on the failed interface goes down, FW1's VGMP priority drops from 45000 to 44998, and the peer with the higher priority takes over. (When both priorities are equal the state is normal, i.e. load-balance; as soon as one side's priority changes the state is abnormal, which is why both active and standby are abnormal states.)

HRP_S[FW2]
Sep 12 2022 07:34:15 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=normal,new_state=abnormal(active), local_priority=45000, peer_priority=44998)
Sep 12 2022 07:34:15 FW2 %%01HRPI/4/CORE_STATE(l)[9]:The HRP core state changed due to "Unknown". (old_state=normal, new_state=abnormal(active), local_priority=45000, peer_priority=44998)
Sep 12 2022 07:34:15 FW1 %%01IFNET/4/LINK_STATE(l)[8]:The line protocol IP on the interface GigabitEthernet1/0/1 has entered the DOWN state.
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/PRIORITY_CHANGE(l)[9]:The priority of the local VGMP group changed. (change_reason="VRRP change to down.", local_old_priority=45000, local_new_priority=44998)
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/CORE_STATE(l)[10]:The HRP core state changed due to "VRRP change to Down". (old_state=normal, new_state=abnormal(standby), local_priority=44998, peer_priority=45000)
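The logs above are exactly what a SIEM sees when a pair fails over. The following is an added example, not part of the original post: a Python parser for the HRPI/IFNET lines shown on this page that de-duplicates the trap (HRPI/1) and log (HRPI/4) copies the firewall prints for the same event, reconstructs the core-state sequence per device, and flags a takeover together with the peer's priority-change reason. The sample lines are copied from the console output above; the regexes are written against that format only, and how the lines look on other software versions is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: HRP log lines copied from the console output shown on this page.
# The 07:06:29 FW1 event is present in both forms the firewall prints it (trap HRPI/1
# and log HRPI/4) so that the de-duplication below has something to do.
SAMPLE_LOG = """\
Sep 12 2022 07:06:22 FW1 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:29 FW1 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-04-7f-d2, peer device ID is 00-e0-fc-8a-6d-ae.
Sep 12 2022 07:06:29 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:06:29 FW1 %%01HRPI/4/CORE_STATE(l)[6]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:06:26 FW2 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:26 FW2 %%01HRPI/4/CORE_STATE(l)[6]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:34:15 FW2 %%01HRPI/4/CORE_STATE(l)[9]:The HRP core state changed due to "Unknown". (old_state=normal, new_state=abnormal(active), local_priority=45000, peer_priority=44998)
Sep 12 2022 07:34:15 FW1 %%01IFNET/4/LINK_STATE(l)[8]:The line protocol IP on the interface GigabitEthernet1/0/1 has entered the DOWN state.
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/PRIORITY_CHANGE(l)[9]:The priority of the local VGMP group changed. (change_reason="VRRP change to down.", local_old_priority=45000, local_new_priority=44998)
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/CORE_STATE(l)[10]:The HRP core state changed due to "VRRP change to Down". (old_state=normal, new_state=abnormal(standby), local_priority=44998, peer_priority=45000)
"""

# "<Mon> <d> <yyyy> <hh:mm:ss> <device> [%%01]<module>/<severity>/<mnemonic>[(l)][[seq]]:<body>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<dev>\S+) "
    r"(?:%%01)?(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z_]+)"
    r"(?:\(l\))?(?:\[\d+\])?:(?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|[\w-]+(?:\([\w-]+\))?)')   # key=value pairs in the trailing (...)
REASON_RE = re.compile(r'due to "([^"]*)"')
LINK_RE = re.compile(r"interface (\S+) has entered the (UP|DOWN) state")


def parse_hrp_log(text):
    """Parse HRP/IFNET syslog lines into event dicts, drop the trap/log duplicates,
    and return them in timestamp order (the page's output interleaves two consoles)."""
    events, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        reason = REASON_RE.search(body)
        link = LINK_RE.search(body)
        ev = {
            "when": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "dev": m.group("dev"), "mnemonic": m.group("mnemonic"),
            "reason": reason.group(1) if reason else fields.get("change_reason"),
            **fields,
        }
        if link:
            ev["iface"], ev["link"] = link.groups()
        key = (ev["when"], ev["dev"], ev["mnemonic"], tuple(sorted(fields.items())))
        if key in seen:      # same event printed as trap (HRPI/1) and as log (HRPI/4)
            continue
        seen.add(key)
        events.append(ev)
    events.sort(key=lambda e: e["when"])   # stable: same-second lines keep file order
    return events


def state_transitions(events, dev):
    """The sequence of HRP core states `dev` passed through, in order."""
    path = []
    for ev in events:
        if ev["dev"] == dev and ev["mnemonic"] == "CORE_STATE":
            if not path:
                path.append(ev["old_state"])
            path.append(ev["new_state"])
    return path


def detect_failovers(events):
    """One record per takeover: a CORE_STATE event leaving the stable 'normal' state for
    abnormal(active). Requiring old_state=normal skips the boot-time transient
    (abnormal(standby) -> abnormal(active) while peer_priority is still unknown)."""
    findings = []
    for ev in events:
        if ev["mnemonic"] != "CORE_STATE" or ev["old_state"] != "normal" \
                or ev["new_state"] != "abnormal(active)":
            continue
        # the peer's PRIORITY_CHANGE in the same second, if logged, names the trigger
        trigger = next((e for e in events if e["mnemonic"] == "PRIORITY_CHANGE"
                        and e["when"] == ev["when"] and e["dev"] != ev["dev"]), None)
        findings.append({
            "when": ev["when"].isoformat(), "new_master": ev["dev"],
            "local_priority": int(ev["local_priority"]),
            "peer_priority": int(ev["peer_priority"]) if ev["peer_priority"].isdigit() else None,
            "trigger": trigger["reason"] if trigger else None,
            "old_peer_priority": int(trigger["local_old_priority"]) if trigger else None,
        })
    return findings


if __name__ == "__main__":
    evs = parse_hrp_log(SAMPLE_LOG)
    for dev in ("FW1", "FW2"):
        print(dev, " -> ".join(state_transitions(evs, dev)))
    for f in detect_failovers(evs):
        print("FAILOVER", f)
```

Run against the sample, FW1 reads initial -> abnormal(standby) -> normal -> abnormal(standby), FW2 ends in abnormal(active), and the single failover record names FW2 as the new master with the peer at 44998 and "VRRP change to down." as the trigger. Alerting on the failover record rather than on every CORE_STATE line avoids paging on the negotiation transients seen in 1.7.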

1.5 Changing active/standby into load balancing

Add:

  · AR2: 202.100.1.253/24, with a default route pointing to 202.100.1.101

  · PC2: 10.1.1.2/24, with its gateway set to 10.1.1.253

1.6 Modified hot standby configuration

1. Disable HRP

HRP_M[FW1]undo hrp enable

2. Add VRRP groups 3 and 4

# FW1

[FW1-GigabitEthernet1/0/1]vrrp vrid 3 virtual-ip 202.100.1.101 standby
[FW1-GigabitEthernet1/0/0]vrrp vrid 4 virtual-ip 10.1.1.253 standby

# FW2

[FW2-GigabitEthernet1/0/1]vrrp vrid 3 virtual-ip 202.100.1.101 active
[FW2-GigabitEthernet1/0/0]vrrp vrid 4 virtual-ip 10.1.1.253 active

Groups 1 and 2 stay as in 1.3, so each firewall is now active for one pair of virtual gateways and standby for the other.

3. Enable HRP

[FW1]hrp enable
[FW2]hrp enable

1.7 Load-balancing behaviour

1. After negotiation, the state machines of FW1 and FW2 settle at load-balance. (FW2's log shows a brief abnormal(active) step while its peer's priority was still unknown; once both sides report 45000 the state becomes normal.)

[FW1]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW1]
Sep 12 2022 08:11:56 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 08:11:56 FW1 %%01HRPI/4/CORE_STATE(l)[18]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
HRP_S[FW1]
Sep 12 2022 08:11:56 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 08:11:56 FW1 %%01HRPI/4/CORE_STATE(l)[19]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)
HRP_S[FW1]
Sep 12 2022 08:11:58 FW1 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-04-7f-d2, peer device ID is 00-e0-fc-8a-6d-ae.
[FW2]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW2]
Sep 12 2022 08:11:56 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 08:11:56 FW2 %%01HRPI/4/CORE_STATE(l)[15]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
HRP_S[FW2]
Sep 12 2022 08:11:57 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=abnormal(active), local_priority=45000, peer_priority=unknown)
Sep 12 2022 08:11:57 FW2 %%01HRPI/4/CORE_STATE(l)[16]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=abnormal(active), local_priority=45000, peer_priority=unknown)
HRP_M[FW2]
Sep 12 2022 08:11:57 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(active),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 08:11:57 FW2 %%01HRPI/4/CORE_STATE(l)[17]:The HRP core state changed due to "Unknown". (old_state=abnormal(active), new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 08:11:58 FW2 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-8a-6d-ae, peer device ID is 00-e0-fc-04-7f-d2.

2. Check the VRRP table: FW1 and FW2 each forward traffic for the hosts that point at their respective gateways and are each other's backup, which is load balancing. FW1 is Master for VRIDs 1 and 2 (202.100.1.100 and 10.1.1.254), FW2 for VRIDs 3 and 4 (202.100.1.101 and 10.1.1.253).

HRP_M[FW1]display  vrrp  brief  
2022-09-12 08:16:51.730 
Total:4     Master:2     Backup:2     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE1/0/1                  Vgmp     202.100.1.100  
2     Master       GE1/0/0                  Vgmp     10.1.1.254     
3     Backup       GE1/0/1                  Vgmp     202.100.1.101  
4     Backup       GE1/0/0                  Vgmp     10.1.1.253    
HRP_S[FW2]display  vrrp brief 
2022-09-12 08:17:59.800 
Total:4     Master:2     Backup:2     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Backup       GE1/0/1                  Vgmp     202.100.1.100  
2     Backup       GE1/0/0                  Vgmp     10.1.1.254     
3     Master       GE1/0/1                  Vgmp     202.100.1.101  
4     Master       GE1/0/0                  Vgmp     10.1.1.253 

3. PC1 can ping AR1 (R1 in the address table) and PC2 can ping AR2, but PC1 cannot ping AR2 and PC2 cannot ping AR1, because the forward and return paths are not the same: PC1's request leaves through FW1 (gateway 10.1.1.254), but AR2's reply follows its default route to 202.100.1.101, i.e. FW2, which holds no session for it and drops it as a non-first packet. Huawei documents a fast session backup setting (hrp mirror session enable) for exactly this asymmetric case; confirm the command against the manual for your software version before relying on it.

4. Disconnect SW2's GE0/0/1 and observe. FW1's two groups on GE1/0/1 fall to Initialize, but its two groups on GE1/0/0, whose link is still up, also give up Master and go to Backup, and FW2 becomes Master for all four. This is the point of VGMP: the groups are managed as one unit, so the upstream and downstream virtual gateways always land on the same firewall and a flow is never split across two stateful devices.

HRP_S[FW1]display  vrrp brief  
2022-09-12 08:33:02.290 
Total:4     Master:0     Backup:2     Non-active:2      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Initialize   GE1/0/1                  Vgmp     202.100.1.100  
2     Backup       GE1/0/0                  Vgmp     10.1.1.254     
3     Initialize   GE1/0/1                  Vgmp     202.100.1.101  
4     Backup       GE1/0/0                  Vgmp     10.1.1.253  
HRP_M[FW2]display  vrrp brief  
2022-09-12 08:34:16.470 
Total:4     Master:4     Backup:0     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE1/0/1                  Vgmp     202.100.1.100  
2     Master       GE1/0/0                  Vgmp     10.1.1.254     
3     Master       GE1/0/1                  Vgmp     202.100.1.101  
4     Master       GE1/0/0                  Vgmp     10.1.1.253  
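To make the relationship between the VGMP priority and the per-VRID states shown by display vrrp brief concrete, here is an added Python model (my own illustration, not Huawei's code and not part of the original post) that reproduces both uplink-failure tests on this page: the active/standby one in 1.4 step 5 and the load-balancing one above. It takes the base priority of 45000 and the decrement of 2 for a VRRP group going down from the logs above (charging the decrement once per group is an assumption), and derives the VRID states from the rules the outputs on this page exhibit: a group on a down interface is Initialize, every other group on the lower-priority device is Backup, every group on the higher-priority device is Master, and with equal priorities each side masters the groups it configured as active. It also computes what plain VRRP without VGMP would do with the same failure, to show the split the page's design avoids.

```python
from dataclasses import dataclass, field

BASE_PRIORITY = 45000      # "Running priority" in display hrp state on this page
VRRP_DOWN_PENALTY = 2      # 45000 -> 44998 in the PRIORITY_CHANGE log when GE1/0/1 went down
                           # (assumption: charged once per VRRP group that goes down)


@dataclass
class VrrpGroup:
    vrid: int
    interface: str
    virtual_ip: str
    configured_role: str   # the "active" / "standby" keyword given on the vrrp vrid command


@dataclass
class Firewall:
    name: str
    groups: list
    down_interfaces: set = field(default_factory=set)

    def priority(self):
        down = sum(1 for g in self.groups if g.interface in self.down_interfaces)
        return BASE_PRIORITY - VRRP_DOWN_PENALTY * down


def vgmp_state(local, peer):
    """HRP core state as logged: equal priorities -> normal (load-balance),
    otherwise abnormal(active) for the higher side and abnormal(standby) for the lower."""
    lp, pp = local.priority(), peer.priority()
    if lp == pp:
        return "normal"
    return "abnormal(active)" if lp > pp else "abnormal(standby)"


def vrrp_states(local, peer):
    """Per-VRID state as display vrrp brief shows it on `local`. Every group follows the
    device's VGMP state, not just its own link, which keeps both gateways on one box."""
    core = vgmp_state(local, peer)
    states = {}
    for g in local.groups:
        if g.interface in local.down_interfaces:
            states[g.vrid] = "Initialize"
        elif core == "abnormal(active)":
            states[g.vrid] = "Master"
        elif core == "abnormal(standby)":
            states[g.vrid] = "Backup"
        else:   # normal: each side masters the groups it configured 'active'
            states[g.vrid] = "Master" if g.configured_role == "active" else "Backup"
    return states


def independent_vrrp_states(local, peer):
    """Contrast case, plain VRRP with no VGMP: each VRID is elected on its own, so the
    'active' (higher VRRP priority) side keeps Master wherever its own link is still up."""
    peer_up = {g.vrid: g.interface not in peer.down_interfaces for g in peer.groups}
    states = {}
    for g in local.groups:
        if g.interface in local.down_interfaces:
            states[g.vrid] = "Initialize"
        elif g.configured_role == "active" or not peer_up.get(g.vrid, False):
            states[g.vrid] = "Master"
        else:
            states[g.vrid] = "Backup"
    return states


def build_pair(load_balance):
    """FW1/FW2 as configured in 1.3 (active/standby) or, with load_balance, in 1.6."""
    fw1 = [VrrpGroup(1, "GE1/0/1", "202.100.1.100", "active"),
           VrrpGroup(2, "GE1/0/0", "10.1.1.254", "active")]
    fw2 = [VrrpGroup(1, "GE1/0/1", "202.100.1.100", "standby"),
           VrrpGroup(2, "GE1/0/0", "10.1.1.254", "standby")]
    if load_balance:
        fw1 += [VrrpGroup(3, "GE1/0/1", "202.100.1.101", "standby"),
                VrrpGroup(4, "GE1/0/0", "10.1.1.253", "standby")]
        fw2 += [VrrpGroup(3, "GE1/0/1", "202.100.1.101", "active"),
                VrrpGroup(4, "GE1/0/0", "10.1.1.253", "active")]
    return Firewall("FW1", fw1), Firewall("FW2", fw2)


def snapshot(fw1, fw2):
    return {
        "fw1_core": vgmp_state(fw1, fw2), "fw2_core": vgmp_state(fw2, fw1),
        "fw1_priority": fw1.priority(), "fw2_priority": fw2.priority(),
        "fw1_vrrp": vrrp_states(fw1, fw2), "fw2_vrrp": vrrp_states(fw2, fw1),
        "fw1_no_vgmp": independent_vrrp_states(fw1, fw2),
        "fw2_no_vgmp": independent_vrrp_states(fw2, fw1),
    }


def simulate_uplink_failure(load_balance):
    """The page's test: the link behind FW1's GE1/0/1 (SW2 GE0/0/1) is pulled."""
    fw1, fw2 = build_pair(load_balance)
    before = snapshot(fw1, fw2)
    fw1.down_interfaces.add("GE1/0/1")
    return before, snapshot(fw1, fw2)


if __name__ == "__main__":
    for lb in (False, True):
        before, after = simulate_uplink_failure(lb)
        print("load-balance" if lb else "active/standby", "before:", before["fw1_vrrp"], before["fw2_vrrp"])
        print("  after :", after["fw1_core"], after["fw1_vrrp"], "|", after["fw2_core"], after["fw2_vrrp"])
        print("  without VGMP the gateways would split:", after["fw1_no_vgmp"], after["fw2_no_vgmp"])
```

The load-balancing run reproduces the two display vrrp brief outputs above (FW1: 1 and 3 Initialize, 2 and 4 Backup; FW2: all Master), and the active/standby run reproduces the 44998 versus 45000 priorities and the abnormal(standby)/abnormal(active) pair from the 1.4 logs. The no-VGMP columns show the failure mode VGMP exists to prevent: with independent VRRP elections FW1 would keep 10.1.1.254 while FW2 took 202.100.1.100, so every flow would cross one firewall outbound and the other inbound.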

 

posted @ 2022-09-12 16:35 L_F_A_L