Scenario: two H3C F1000-series firewalls in an IRF stack, used active/standby, connected upstream and downstream to switches; the switches are Ruijie. Traffic normally forwards over the left-hand links; when any upstream or downstream link on the left fails, traffic moves to the right-hand links.
Approach: the original plan was an active/active firewall pair, but once the firewalls run active/active in Layer 2 transparent mode the DPI functions (the unified UTM features in Huawei's terms: AV, IPS and so on) are impaired, so active/standby was chosen instead. Second, the upstream switches are Ruijie, and Ruijie switches cannot set a maximum number of active ports on an LACP aggregation, so the upstream and downstream switches cannot use aggregation; Ruijie uses REUP for link primary/backup, the counterpart of H3C's Smart Link, so in the simulator the upstream and downstream switches are configured with Smart Link. On the firewall side the aggregations are static.
Firewall configuration (a single configuration, because the IRF fabric is managed as one device; member 1 is the left-hand firewall and member 2 the right-hand one):
#
sysname FW-1
#
irf domain 10
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 32
irf member 2 priority 30
#
vlan 1
#
vlan 10
#
irf-port 1/2
port group interface GigabitEthernet1/0/1
port group interface GigabitEthernet1/0/2
#
irf-port 2/1
port group interface GigabitEthernet2/0/1
port group interface GigabitEthernet2/0/2
#
collaboration-group 1 //interface collaboration group 1, for the left-hand (member 1) ports
#
collaboration-group 2 //interface collaboration group 2, for the right-hand (member 2) ports
#
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
link-aggregation selected-port maximum 1 //at most one Selected (active) port in the upstream aggregation
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
link-aggregation selected-port maximum 1 //at most one Selected (active) port in the downstream aggregation
#
interface Route-Aggregation1
mad bfd enable
mad ip address 1.1.1.1 255.255.255.252 member 1
mad ip address 1.1.1.2 255.255.255.252 member 2
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
port link-aggregation group 1
#
interface GigabitEthernet2/0/0
port link-mode route
combo enable copper
port link-aggregation group 1
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
port collaboration-group 1
link-aggregation port-priority 4096 //raise the port priority (default 32768, lower value wins) so this port is the Selected one in the aggregation
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
port collaboration-group 1
link-aggregation port-priority 4096 //raise the port priority (default 32768, lower value wins) so this port is the Selected one in the aggregation
port link-aggregation group 2
#
interface GigabitEthernet2/0/3
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
port collaboration-group 2
port link-aggregation group 1
#
interface GigabitEthernet2/0/4
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
port collaboration-group 2
port link-aggregation group 2
#
security-zone name Local
#
security-zone name Trust
import interface Bridge-Aggregation2 vlan 10
#
security-zone name DMZ
#
security-zone name Untrust
import interface Bridge-Aggregation1 vlan 10
#
security-zone name Management
#
session synchronization enable
session synchronization dns http
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name Trust_Untrust_VLAN-10
action pass
source-zone Trust
destination-zone Untrust
#
SW-3/SW-4 configuration (SW-3 shown):
#
sysname SW-3
vlan 1
#
vlan 10
#
stp global enable
#
smart-link group 1
preemption mode role //enable Smart Link role preemption: the primary port takes the active role back when it recovers
protected-vlan reference-instance 0
#
interface NULL0
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
undo stp enable
port smart-link group 1 primary
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
undo stp enable
port smart-link group 1 secondary
#
return
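To make the failover behaviour of the firewall and Smart Link configurations above checkable rather than only observable in screenshots, here is an added Python model written for this write-up (it is not H3C or Ruijie code). It parses the relevant lines of the FW-1 config, applies the collaboration-group and selected-port-maximum rules, models the switches' role preemption, and reports whether the port the firewall selects on each aggregation is the one its switch actually forwards on, both at steady state and after GE1/0/3 fails. The config excerpt is constructed from the config shown above; the cabling map, the assumption that SW-4 mirrors SW-3's Smart Link roles, and the selection order (lowest priority value, then lowest port number) are my assumptions, not statements from the page.

```python
"""Model of this page's failover design (static aggregation + port-priority + IRF collaboration
groups on the firewall, role-preempting Smart-Link on the switches). Written for this write-up."""
import re
from collections import defaultdict

DEFAULT_PORT_PRIORITY = 32768  # Comware default; a lower value is preferred
# Constructed excerpt of the page's FW-1 config, keeping only the lines the model reads
FW_CONFIG = """
interface Bridge-Aggregation1
 link-aggregation selected-port maximum 1
interface Bridge-Aggregation2
 link-aggregation selected-port maximum 1
interface GigabitEthernet1/0/3
 port collaboration-group 1
 link-aggregation port-priority 4096
 port link-aggregation group 1
interface GigabitEthernet1/0/4
 port collaboration-group 1
 link-aggregation port-priority 4096
 port link-aggregation group 2
interface GigabitEthernet2/0/3
 port collaboration-group 2
 port link-aggregation group 1
interface GigabitEthernet2/0/4
 port collaboration-group 2
 port link-aggregation group 2
"""
# ASSUMED cabling (the page never states it): firewall port -> (switch, switch port)
CABLING = {"GigabitEthernet1/0/3": ("SW-3", "GigabitEthernet1/0/1"),
           "GigabitEthernet2/0/3": ("SW-3", "GigabitEthernet1/0/2"),
           "GigabitEthernet1/0/4": ("SW-4", "GigabitEthernet1/0/1"),
           "GigabitEthernet2/0/4": ("SW-4", "GigabitEthernet1/0/2")}
# Smart-Link (primary, secondary) from the page's SW-3 config; SW-4 assumed to match
SMART_LINK = {sw: ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2") for sw in ("SW-3", "SW-4")}

def parse_fw(text):
    """Parse Comware interface stanzas into per-port attributes and per-BAGG 'selected-port maximum'."""
    ports, agg_max, name = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            if m := re.fullmatch(r"GigabitEthernet(\d+)/(\d+)/(\d+)", name):
                ports[name] = dict(member=int(m.group(1)), num=tuple(map(int, m.groups())),
                                   priority=DEFAULT_PORT_PRIORITY, group=None, collab=None)
        elif name in ports:
            for key, pat in (("priority", r"link-aggregation port-priority (\d+)"),
                             ("group", r"port link-aggregation group (\d+)"),
                             ("collab", r"port collaboration-group (\d+)")):
                if m := re.match(pat, line):
                    ports[name][key] = int(m.group(1))
        elif name and (m := re.match(r"link-aggregation selected-port maximum (\d+)", line)):
            agg_max[int(re.search(r"\d+$", name).group())] = int(m.group(1))
    return ports, agg_max

def effective_down(ports, down):
    """Collaboration-group semantics: one port down takes every port in its group down."""
    groups = {ports[p]["collab"] for p in down if ports[p]["collab"] is not None}
    return set(down) | {n for n, p in ports.items() if p["collab"] in groups}

def selected_ports(ports, agg_max, down=()):
    """Selected ports per BAGG: lowest priority value, then lowest port number, cut to the maximum (assumed order)."""
    down, out = effective_down(ports, down), {}
    for g in sorted({p["group"] for p in ports.values() if p["group"] is not None}):
        up = sorted((n for n, p in ports.items() if p["group"] == g and n not in down),
                    key=lambda n: (ports[n]["priority"], ports[n]["num"]))
        out[g] = up[:agg_max[g]] if g in agg_max else up
    return out

def end_to_end_path(ports, agg_max, down_fw_ports=()):
    """Per BAGG: (firewall Selected port, switch, port the switch forwards on). consistent=False means
    the firewall would send into a blocked Smart-Link port; single_member=False means the BAGGs split."""
    sw_down = defaultdict(set)
    for fw_port in effective_down(ports, down_fw_ports):  # a dead link is dead at both ends
        sw_down[CABLING[fw_port][0]].add(CABLING[fw_port][1])
    path, consistent, members = {}, True, set()
    for g, sel in selected_ports(ports, agg_max, down_fw_ports).items():
        if not sel:  # every link of this BAGG is gone
            path[g], consistent = None, False
            continue
        sw, sw_port = CABLING[sel[0]]
        # preemption mode role: primary forwards whenever it is up, otherwise secondary
        active = next((p for p in SMART_LINK[sw] if p not in sw_down[sw]), None)
        path[g] = (sel[0], sw, active)
        consistent &= sw_port == active
        members.add(ports[sel[0]]["member"])
    return {"path": path, "consistent": consistent, "single_member": len(members) == 1}

def audit(ports, agg_max):
    """Static checks on the firewall half of the design; returns findings (empty list = clean)."""
    findings, pref = [], set()
    for g in sorted({p["group"] for p in ports.values() if p["group"] is not None}):
        boosted = [n for n, p in ports.items() if p["group"] == g and p["priority"] < DEFAULT_PORT_PRIORITY]
        if agg_max.get(g) != 1:
            findings.append(f"BAGG{g}: selected-port maximum is not 1, both links could become Selected")
        if len(boosted) != 1:
            findings.append(f"BAGG{g}: expected exactly one preferred port, got {boosted}")
        pref.update(ports[n]["member"] for n in boosted)
    if len(pref) > 1:
        findings.append("preferred ports sit on different IRF members, steady-state traffic crosses the IRF link")
    return findings
```

Two negative checks are worth running against the model: strip the "port collaboration-group" lines from the excerpt and the two aggregations end up on different IRF members after GE1/0/3 fails (which is exactly what the collaboration groups on the page prevent), and move the port-priority 4096 onto GE2/0/3 instead of GE1/0/3 and the firewall selects the link that SW-3's Smart Link keeps blocked, so the path is reported as inconsistent.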
Firewall aggregation-group state (screenshot):
Switch Smart Link state (screenshot):
Communication is normal at this point. Shut down firewall port GE1/0/3 to move traffic from the left-hand links to the right.

SW-3/SW-4 Smart Link state after the failover (screenshot):
Communication state at this point (screenshot):
Now bring GE1/0/3 back up: preemption takes place after 1 second and traffic switches back from the right-hand links to the left.
Summary: this lab addressed a specific scenario and requirement, mainly because the H3C firewalls are deployed as an IRF stack; in practice the newer HA configuration model of H3C firewalls can solve the same problem with a simpler configuration. Before reusing the configuration above outside a lab, note two things it contains: "ip http enable" keeps unencrypted web management on alongside HTTPS, and the single security-policy rule passes all Trust-to-Untrust traffic with no source, destination or service restriction.