Lab: active/standby networking with Ethernet redundant (Reth) interfaces and a redundancy group on stacked H3C firewalls

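Topology: switches simulate the uplink and downlink, and the F1060 devices in the middle are stacked (so far the only security devices I have seen that can be stacked are H3C's; routers can be too, anything can be stacked). A redundancy group is configured on the firewalls for active/standby operation. Normally F1060_1 forwards the traffic; when a link fails, F1060_2 takes over forwarding.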

Firewall configuration:

#
 sysname FW-A_B
# IRF stacking configuration
 irf domain 10
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 32
 irf member 2 priority 1
# Track the uplinks and downlinks separately: tracks 1 and 3 are the uplinks, 2 and 4 the downlinks
track 1 interface GigabitEthernet1/0/1 physical
#
track 2 interface GigabitEthernet1/0/2 physical
#
track 3 interface GigabitEthernet2/0/1 physical
#
track 4 interface GigabitEthernet2/0/2 physical
# IRF stacking configuration
irf-port 1/2
 port group interface GigabitEthernet1/0/22
 port group interface GigabitEthernet1/0/23
#
irf-port 2/1
 port group interface GigabitEthernet2/0/22
 port group interface GigabitEthernet2/0/23
# Reth (Ethernet redundant) interface for the uplink
interface Reth1
 description uT:UP-LINK
 member interface GigabitEthernet1/0/1 priority 255
 member interface GigabitEthernet2/0/1 priority 200
# Reth (Ethernet redundant) interface for the downlink
interface Reth2
 description dT:Down-Link
 member interface GigabitEthernet1/0/2 priority 255
 member interface GigabitEthernet2/0/2 priority 200
# MAD BFD configuration, to guard against an IRF split
interface Route-Aggregation64
 mad bfd enable
 mad ip address 1.1.1.1 255.255.255.252 member 1
 mad ip address 1.1.1.2 255.255.255.252 member 2
#
interface GigabitEthernet1/0/20
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet1/0/21
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet2/0/20
 port link-mode route
 combo enable copper
 port link-aggregation group 64
#
interface GigabitEthernet2/0/21
 port link-mode route
 combo enable copper
 port link-aggregation group 64
# Redundancy group configuration: node 1 is the primary device, node 2 the standby
redundancy group 1
 member interface Reth1
 member interface Reth2
 node 1
  bind slot 1
  priority 255
  track 1 interface GigabitEthernet1/0/1
  track 2 interface GigabitEthernet1/0/2
 node 2
  bind slot 2
  priority 200
  track 3 interface GigabitEthernet2/0/1
  track 4 interface GigabitEthernet2/0/2
#
return

Test procedure: interrupt any link on the primary device. Here this is done by shutting down the interface on the switch.

State of the Reth interfaces before the interruption
Redundancy group state

Now take down the GE1/0/1 interface on the uplink switch and observe the state of the Reth interfaces and the redundancy group.

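Traffic has now switched to the standby device.
In the redundancy group, the failed track entry reduced the weight by 255, so a switchover took place.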
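Because the switchover depends entirely on the track entries bound to each node, a member port that no node tracks can fail without moving the group. The following check is an added example, not part of the original post: it parses the Reth and redundancy-group stanzas and reports untracked member ports and priority orders that disagree. The names `SAMPLE`, `parse` and `audit` are hypothetical, and the two rules encode this lab's layout as an assumption.

```python
import re
# Constructed sample: the Reth and redundancy-group stanzas of the configuration above.
SAMPLE = """\
interface Reth1
 member interface GigabitEthernet1/0/1 priority 255
 member interface GigabitEthernet2/0/1 priority 200
interface Reth2
 member interface GigabitEthernet1/0/2 priority 255
 member interface GigabitEthernet2/0/2 priority 200
redundancy group 1
 node 1
  bind slot 1
  priority 255
  track 1 interface GigabitEthernet1/0/1
  track 2 interface GigabitEthernet1/0/2
 node 2
  bind slot 2
  priority 200
  track 3 interface GigabitEthernet2/0/1
  track 4 interface GigabitEthernet2/0/2
"""

def parse(cfg):
    """Return ({reth: {port: (slot, priority)}}, {slot: node settings})."""
    reth, nodes, cur, node = {}, {}, None, None
    for s in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"interface (Reth\d+)", s):
            cur, node = reth.setdefault(m[1], {}), None
        elif cur is not None and (m := re.fullmatch(r"member interface (GigabitEthernet(\d+)/\S+) priority (\d+)", s)):
            cur[m[1]] = (int(m[2]), int(m[3]))
        elif m := re.fullmatch(r"node (\d+)", s):
            node = nodes.setdefault(int(m[1]), {"slot": None, "priority": 0, "tracked": set()})
        elif node is not None and (m := re.fullmatch(r"(bind slot|priority) (\d+)", s)):
            node[m[1].split()[-1]] = int(m[2])  # stored under "slot" or "priority"
        elif node is not None and (m := re.fullmatch(r"track \d+ interface (\S+)", s)):
            node["tracked"].add(m[1])
    return reth, {n["slot"]: n for n in nodes.values()}

def audit(cfg):
    """Flag Reth member ports no node tracks, and Reth/node priority orders that disagree."""
    reth, by_slot = parse(cfg)
    top_slot = max(by_slot, key=lambda s: by_slot[s]["priority"], default=None)
    findings = []
    for name, members in reth.items():
        for port, (slot, _) in members.items():
            if port not in by_slot.get(slot, {"tracked": ()})["tracked"]:
                findings.append(f"{name}: {port} is not tracked by the node bound to slot {slot}")
        if members and max(members.values(), key=lambda v: v[1])[0] != top_slot:
            findings.append(f"{name}: highest-priority member is not on the highest-priority node")
    return findings
```

`audit(SAMPLE)` returns an empty list for the configuration in this post; removing one `track` line from a node, or lowering a member priority on slot 1, produces a finding.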

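Summary: H3C redundancy groups have preemption enabled by default. On a chassis-based device you also need to track the Blade interfaces to monitor the working state of the service boards and CPUs, so that a switchover happens as soon as a fault occurs. The default preemption delay on H3C is 1 min: once the link recovers, traffic automatically switches back to the primary device after 1 min.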

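Note: H3C's HCL simulator has bugs. Running MAD BFD detection over a VLAN on the firewall makes the device hang, and the Reth interfaces cannot communicate properly and cannot be pinged.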
