Scenario: two H3C F1000 series firewalls in an IRF stack, used in active/standby mode, with uplink and downlink connections to switches; the switches are Ruijie switches. Traffic normally forwards over the left-hand link; if any uplink or downlink on the left side fails, traffic moves to the right-hand link.
Approach: the original plan was an active/active firewall configuration, but once the firewalls run active/active in layer 2 transparent mode the DPI functions (what Huawei calls the unified UTM functions: AV, IPS and so on) are degraded, so active/standby was used instead. In addition, because the uplink device is a Ruijie switch, and Ruijie switches do not support setting a maximum number of active ports under LACP, the uplink and downlink switches cannot be configured with link aggregation. Ruijie uses the REUP function to implement link active/standby, which corresponds to H3C's Smart Link function, so in the simulator the uplink and downlink switches are configured with Smart Link. The aggregation on the firewall side uses static aggregation.
Firewall configuration:
#
 sysname FW-1
#
 irf domain 10
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 32
 irf member 2 priority 30
#
vlan 1
#
vlan 10
#
irf-port 1/2
 port group interface GigabitEthernet1/0/1
 port group interface GigabitEthernet1/0/2
#
irf-port 2/1
 port group interface GigabitEthernet2/0/1
 port group interface GigabitEthernet2/0/2
#
collaboration-group 1    // interface collaboration group 1, for the left-hand ports
#
collaboration-group 2    // interface collaboration group 2, for the right-hand ports
#
interface Bridge-Aggregation1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 link-aggregation selected-port maximum 1    // at most 1 active port in the uplink aggregation
#
interface Bridge-Aggregation2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 link-aggregation selected-port maximum 1    // at most 1 active port in the downlink aggregation
#
interface Route-Aggregation1
 mad bfd enable
 mad ip address 1.1.1.1 255.255.255.252 member 1
 mad ip address 1.1.1.2 255.255.255.252 member 2
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet2/0/0
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 combo enable copper
 port collaboration-group 1
 link-aggregation port-priority 4096    // raise the port priority so this port is selected in the aggregation
 port link-aggregation group 1
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 combo enable copper
 port collaboration-group 1
 link-aggregation port-priority 4096    // raise the port priority so this port is selected in the aggregation
 port link-aggregation group 2
#
interface GigabitEthernet2/0/3
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 combo enable copper
 port collaboration-group 2
 port link-aggregation group 1
#
interface GigabitEthernet2/0/4
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 combo enable copper
 port collaboration-group 2
 port link-aggregation group 2
#
security-zone name Local
#
security-zone name Trust
 import interface Bridge-Aggregation2 vlan 10
#
security-zone name DMZ
#
security-zone name Untrust
 import interface Bridge-Aggregation1 vlan 10
#
security-zone name Management
#
 session synchronization enable
 session synchronization dns http
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name Trust_Untrust_VLAN-10
  action pass
  source-zone Trust
  destination-zone Untrust
#
SW-3/SW-4 configuration:
#
 sysname SW-3
 vlan 1
#
vlan 10
#
 stp global enable
#
smart-link group 1
 preemption mode role    // enable Smart Link preemption
 protected-vlan reference-instance 0
#
interface NULL0
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 combo enable fiber
 undo stp enable
 port smart-link group 1 primary
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
 combo enable fiber
 undo stp enable
 port smart-link group 1 secondary
#
return
Firewall aggregation port status:
Switch Smart Link status:
At this point communication is normal. Shut down firewall port GE1/0/3 to switch traffic from the left side to the right side.
SW-3/SW-4 Smart Link status:
Communication status at this point:
Now restore interface GE1/0/3: preemption occurs after 1 second and traffic switches back from the right side to the left.
Summary: this experiment addressed a special scenario and special requirements, mainly because the H3C firewalls are in an IRF stack. In practice the problem can also be solved with the HA configuration method of the newer H3C firewall versions, which keeps the configuration simpler.
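To make the failover logic concrete, here is a small Python model added for this write-up (not code from the original post or from H3C): it applies the selected-port maximum 1 and port-priority rules to the two Bridge-Aggregations together with a collaboration-group rule that drags GE1/0/3 and GE1/0/4 down as a pair, and it also shows why, without the groups, uplink and downlink could end up on different IRF members. The collaboration-group behaviour is an assumption of the model, simplified from the vendor's actual implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_PRIO = 32768  # H3C default link-aggregation port-priority

@dataclass
class Port:
    name: str
    agg: str      # Bridge-Aggregation the port is a member of
    collab: int   # collaboration-group the port belongs to
    prio: int = DEFAULT_PRIO
    up: bool = True

@dataclass
class Firewall:
    ports: Dict[str, Port] = field(default_factory=dict)
    def effective_up(self, port: Port) -> bool:
        # Assumed collaboration-group rule (added model, not vendor code): one
        # member down pulls every member of the same group down, so the
        # uplink and downlink of one IRF member always fail together.
        return all(q.up for q in self.ports.values() if q.collab == port.collab)

    def selected(self, agg: str) -> Optional[str]:
        # selected-port maximum 1: only the best-priority usable port is chosen;
        # lowest value wins, so the left side (4096) is preferred and retakes
        # the role as soon as it is usable again.
        cands = [p for p in self.ports.values()
                 if p.agg == agg and self.effective_up(p)]
        if not cands:
            return None
        return min(cands, key=lambda p: (p.prio, p.name)).name

    def active(self) -> Dict[str, Optional[str]]:
        return {agg: self.selected(agg) for agg in ("BAGG1", "BAGG2")}

def build_fw(collaboration: bool = True) -> Firewall:
    """Ports as in the configuration; collaboration=False drops the groups."""
    ports = [
        Port("GE1/0/3", "BAGG1", 1, prio=4096),  # left uplink, preferred
        Port("GE1/0/4", "BAGG2", 1, prio=4096),  # left downlink, preferred
        Port("GE2/0/3", "BAGG1", 2),             # right uplink
        Port("GE2/0/4", "BAGG2", 2),             # right downlink
    ]
    if not collaboration:
        for i, p in enumerate(ports):
            p.collab = 10 + i   # every port alone in its own group
    return Firewall({p.name: p for p in ports})

def set_link(fw: Firewall, name: str, up: bool) -> Dict[str, Optional[str]]:
    # Flap one physical port and report which port each aggregation selects.
    fw.ports[name].up = up
    return fw.active()
```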