
Implementing high availability (HA) for Juniper firewalls with NSRP

1. Lab topology:

[Figure: lab topology]

2. IP plan:

eth1: 192.168.101.68/24

eth3: 192.168.100.10/24

3. Devices:

The switch in the Trust zone is a Digital China DCS-3950S

The switch in the Untrust zone is an H3C Quidway S3526E

Firewalls: two Juniper NetScreen-25 units

4. Device configuration

4.1 Configuration of the first firewall, ns-a

login: netscreen

password:

NS-A(M)-> get system

Product Name: NetScreen-25

Serial Number: 0096052007001238, Control Number: 00000000

Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)

Software Version: 5.3.0r6.0, Type: Firewall+×××

Compiled by build_master at: Tue Nov 28 15:14:46 PST 2006

Base Mac: 0019.e240.67d0

File Name: ns50ns25.5.3.0r6.0, Checksum: 966acd5c

Date 11/15/2012 19:45:39, Daylight Saving Time enabled

The Network Time Protocol is Disabled

Up 0 hours 51 minutes 30 seconds Since 15Nov2012:18:54:09

Total Device Resets: 48, Last Device Reset at: 11/15/2012 15:21:15

System in NAT/route mode.

NS-A(M)-> exit

login: 0096052007001238

!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue?  y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue?  y/[n] y

In reset ...

Start deactivate session...

0 sessions deactivated

NetScreen NS-25/50 Boot Loader Version 3.0.0 (Checksum: D1C6421F)

Copyright (c) 1997-2003 NetScreen Technologies, Inc.

Total physical memory: 128MB

    Test - Pass

    Initialization - Done


ns25-> set hostname  ns-a

ns-a-> set interface eth1 ip 192.168.101.68 255.255.255.0

ns-a-> set int eth3 ip 192.168.100.10 255.255.255.0

ns-a-> set int eth4 zone    

Null                 Null zone

Trust                Trust zone

Untrust              Untrust zone

Self                 Self zone

Global               Global zone

HA                   HA zone

MGT                  MGT zone

Untrust-Tun          Untrust-Tun zone

v1-Null              v1-Null zone

V1-Trust             V1-Trust zone

V1-Untrust           V1-Untrust zone

DMZ                  DMZ zone

V1-DMZ               V1-DMZ zone

VLAN                 VLAN zone

ns-a-> set int eth4 zone HA    heartbeat link (eth4)

Note: the HA link carries NSRP heartbeats and configuration sync. Unless set nsrp auth password and set nsrp encrypt password are configured, that traffic is unauthenticated and in the clear, so eth4 should be a direct cable or an isolated VLAN between the two units.

ns-a-> set nsrp cl   

cluster              config cluster id/name

ns-a-> set nsrp cluster id    

<number>             NSRP cluster ID (range: 1 - 7)

ns-a-> set nsrp cluster id 1

ns-a(B)-> Unit becomes master of NSRP vsd-group 0

ns-a(M)-> set nsrp vsd-group id 0

ns-a(M)-> set nsrp vsd-group id    

<number>             vsd group ID (range: 0 - 7)    up to 8 VSD groups (failover domains)

ns-a(M)-> set nsrp vsd-group id 0 pr   

preempt              allow to preempt a lower priority master

priority             priority for this vsd group

<return>

ns-a(M)-> set nsrp vsd-group id 0 priority 50

ns-a(M)-> set nsrp vsd-group id 0 preempt   

ns-a(M)-> set nsrp vsd-group id 0 monitor inter   

interface            interface to be monitored    port monitoring

ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth1

ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth3

ns-a(M)-> get config    view the configuration

set nsrp cluster id 1

set nsrp vsd-group id 0 priority 50

set nsrp vsd-group id 0 preempt

set nsrp vsd-group id 0 monitor interface ethernet1

set nsrp vsd-group id 0 monitor interface ethernet3

ns-a(M)-> get nsrp

nsrp version: 2.0

cluster info:

cluster id: 1, no name

local unit id: 4220880

active units discovered:

index: 0, unit id:   4220880, ctrl mac: 0019e24067d7, index: 1, unit id:   4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff

total number of units: 2

VSD group info:

init hold time: 5

heartbeat lost threshold: 3

heartbeat interval: 1000(ms)

master always exist: disabled

group priority preempt holddown inelig   master       PB other members

    0       50 yes            3 no       myself     none 4220080(inoperable)

ns-a(M)-> save

Save System Configuration  ...

Done

4.2 Configuration of the second firewall, ns-b

First wipe the configuration by logging in with the serial number, as shown in 4.1. Note that this lost-password reset lets anyone with console access and the serial number return the unit to factory defaults; it can be disabled with unset admin device-reset.

ns25-> set hostname ns-b

ns-b-> set int eth1 ip 192.168.101.68 255.255.255.0

ns-b-> set int eth3 ip 192.168.100.10 255.255.255.0

ns-b-> set int eth4 zone HA

ns-b-> set nsrp cluster id 1

ns-b(B)-> set nsrp vsd-group id 0

ns-b(B)-> set nsrp vsd-group id 0 priority 100

ns-b(B)-> set nsrp vsd-group id 0 monitor int eth1

ns-b(B)-> set nsrp vsd-group id 0 monitor int eth3

ns-b(I)-> get nsrp

local unit id: 4220080

index: 0, unit id:   4220080, ctrl mac: 0019e24064b7, index: 1, unit id:   4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff

    0      100 no             3 no      4220880     none myself(inoperable)


ns-b(I)-> save

4.3 Configuration of the Digital China switch:

sw14#show version

  DCS-3950S Device, Aug 27 2004 11:14:24

  HardWare version is 2.10, SoftWare version is DCNOS-4.1.5, BootRom version is 1.2.1

  Copyright (C) 2001-2004 by Digital China Networks Limited.

  All rights reserved.

sw14>enable

sw14#config

sw14(Config)#exit    

sw14#show running-config

Current configuration:

!

   hostname sw14

sw14(Config)#int vlan 1

sw14(Config-If-Vlan1)#ip add 192.168.101.20 255.255.255.0

sw14# ping 192.168.101.68

Type ^c to abort.

Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

sw14#show ip route

Codes: C - connected, S - static, R - RIP derived, O - OSPF derived

       A - OSPF ASE, B - BGP derived, D - DVMRP derived

   Destination      Mask             Nexthop          Interface       Preference

C  192.168.101.0    255.255.255.0    0.0.0.0          Vlan1           0  

4.4 Configuring the access policy via the web UI

[Figures: web UI screenshots of the policy configuration]

View the resulting change in the firewall configuration (on ns-a):

ns-a(M)-> get config

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit

Check on ns-b whether the policy has been synchronized:

ns-b(B)-> get config

Check whether the configuration is in sync (if this reports out of sync, run exec nsrp sync global-config save on the backup and reboot it to pull the master's configuration):

ns-b(B)-> exec nsrp sync global-config check-sum

ns-b(B)-> configuration in sync
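The check-sum command above only answers in sync / out of sync. The following added example (not code from the original page) shows the practical follow-up: feed the get config output of both units into a small Python script that reports which set lines differ, skipping commands that are assumed here to be unit-local and therefore never propagated by NSRP (hostname, VSD priority and preempt). The sample configurations are constructed from the get config lines shown on this page.

```python
"""Compare `get config` output from the NSRP master and backup.

Added example, not from the original page. Reports the `set` lines present
on only one unit, ignoring commands assumed to be unit-local.
"""
import re

# Assumption: these settings are per-unit and legitimately differ between
# cluster members (hostname, VSD-group priority and preempt).
LOCAL_ONLY = (
    re.compile(r"^set hostname "),
    re.compile(r"^set nsrp vsd-group id \d+ (priority|preempt)"),
)

# Constructed sample outputs, modelled on the `get config` lines on this page.
MASTER_CONFIG = """\
set hostname ns-a
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
"""
BACKUP_CONFIG = """\
set hostname ns-b
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3
"""


def config_lines(text):
    """Normalise `get config` output to a set of `set`/`unset` lines."""
    lines = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the double spaces ScreenOS prints
        if line.startswith(("set ", "unset ")):
            lines.add(line)
    return lines


def is_local_only(line):
    """True for commands that are expected to differ between units."""
    return any(p.match(line) for p in LOCAL_ONLY)


def config_diff(master_text, backup_text):
    """Return (only_on_master, only_on_backup), local-only lines excluded."""
    m, b = config_lines(master_text), config_lines(backup_text)
    return (
        sorted(l for l in m - b if not is_local_only(l)),
        sorted(l for l in b - m if not is_local_only(l)),
    )


if __name__ == "__main__":
    only_master, only_backup = config_diff(MASTER_CONFIG, BACKUP_CONFIG)
    for line in only_master:
        print("only on master:", line)
    for line in only_backup:
        print("only on backup:", line)
```

With the sample above the script reports the Trust-to-Untrust policy as present only on the master, which is exactly what a backup that has not yet synchronized looks like.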

Test from sw14:

sw14#ping 192.168.101.68             

sw14#ping 192.168.100.10

Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.

.....

Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms

sw14#ping 192.168.100.20

Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.

192.168.100.10 cannot be pinged because the ping service is not enabled on that interface.

Check the interface and enable ping:

ns-a(M)-> get interface eth3

Interface ethernet3(VSI):

  description ethernet3

  number 6, if_info 1248, if_index 0, mode route

  link up, phy-link up/full-duplex

  vsys Root, zone Untrust, vr trust-vr, vsd 0

  dhcp client disabled

  PPPoE disabled

  admin mtu 0, operating mtu 1500, default mtu 1500

  *ip 192.168.100.10/24   mac 0010.dbff.2060

  *manage ip 192.168.100.10, mac 0019.e240.67d6

  route-deny disable

  pmtu-v4 disabled

  ping disabled, telnet disabled, SSH disabled, SNMP disabled

  web disabled, ident-reset disabled, SSL disabled

  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0

  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled

  PIM: not configured  IGMP not configured

  band physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]

             configured ingress mbw 0kbps, current bw 0kbps

              total allocated gbw 0kbps

  DHCP-Relay disabled

  DHCP-server disabled

Number of SW session: 32063, hw sess err cnt 0

ns-a(M)-> set interface eth3 manage ping

4.5 Testing:

High-availability test:

Unplug the eth1 cable, run the tests, and observe the cluster state.


Unplug the eth1 interface of ns-a:


ns-a(M)-> ethernet1 interface change state to Down

2 sessions deactivated

ns-a(I)-> get nsrp

    0       50 yes            3 no      4220080     none myself(inoperable)

ns-b(M)-> get nsrp

    0      100 no             3 no       myself     none 4220880(inoperable)

When the eth1 link comes back, ns-a takes over again because preempt mode is enabled on it:

ns-b(B)-> get nsrp

    0      100 no             3 no      4220880   myself

    0       50 yes            3 no       myself  4220080

No packet loss observed! (Note that this configuration does not enable session synchronization with set nsrp rto-mirror sync, so only the VSI addresses move over; established sessions are not carried across a failover.)

If eth3 is disconnected instead, the same behaviour appears.

If the backup firewall's eth1, eth3 and the heartbeat link eth4 are all disconnected:


index: 0, unit id:   4220880, total number of units: 1

    0       50 yes            3 no       myself     none

total number of vsd groups: 1

Total iteration=6917,time=97434286,max=75534,min=5702,average=14086

index: 0, unit id:   4220080, total number of units: 1

    0      100 no             3 no         none     none myself(inoperable)
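The get nsrp tables in 4.1, 4.2 and the failure tests above are the only view an operator has of cluster health, and reading them from one unit alone can hide a dual-master condition. The following added example (not code from the original page) parses the VSD-group table from each member and cross-checks the views: it flags two units that both claim to be master (split-brain), no master at all, no operable backup, and inoperable members. The first pair of samples is copied from this page's transcripts; the second pair is constructed to show what a lost heartbeat looks like when both units' monitored interfaces stay up, which this page did not test.

```python
"""Cross-check `get nsrp` output from both NSRP cluster members.

Added example, not code from the original page. Parses the VSD-group table
ScreenOS prints (group / priority / preempt / holddown / inelig / master /
PB / other members) and reports cluster-level problems.
"""
import re

# Copied from this page's transcripts (ns-a master, ns-b still inoperable).
NS_A_NORMAL = """\
local unit id: 4220880
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself     none 4220080(inoperable)
"""
NS_B_NORMAL = """\
local unit id: 4220080
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no      4220880     none myself(inoperable)
"""
# Constructed: heartbeat link cut, monitored interfaces up on both units.
NS_A_SPLIT = """\
local unit id: 4220880
    0       50 yes            3 no       myself     none
"""
NS_B_SPLIT = """\
local unit id: 4220080
    0      100 no             3 no       myself     none
"""

ROW_RE = re.compile(
    r"^\s*(?P<group>\d+)\s+(?P<priority>\d+)\s+(?P<preempt>yes|no)\s+"
    r"(?P<holddown>\d+)\s+(?P<inelig>yes|no)\s+(?P<master>\S+)\s+(?P<pb>\S+)"
    r"(?P<others>.*)$"
)
MEMBER_RE = re.compile(r"^(?P<id>myself|\d+)(?:\((?P<state>[a-z]+)\))?$")


def _member(token, local):
    """'myself', '4220080' or '4220080(inoperable)' -> (unit_id, state); 'none' -> None."""
    m = MEMBER_RE.match(token)
    if not m:
        return None
    uid = local if m.group("id") == "myself" else m.group("id")
    return uid, (m.group("state") or "operable")


def parse_get_nsrp(text):
    """Return (local_unit_id, {group_id: row}) from one unit's `get nsrp`."""
    local, rows = None, {}
    for line in text.splitlines():
        m = re.search(r"local unit id:\s*(\d+)", line)
        if m:
            local = m.group(1)
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        others = [_member(t, local) for t in m.group("others").split()]
        rows[int(m.group("group"))] = {
            "priority": int(m.group("priority")),
            "preempt": m.group("preempt") == "yes",
            "master": _member(m.group("master"), local),
            "pb": _member(m.group("pb"), local),
            "others": [o for o in others if o],
        }
    return local, rows


def assess(views):
    """views: {hostname: get-nsrp text}. Returns {group_id: report} across all units."""
    reports = {}
    for text in views.values():
        local, rows = parse_get_nsrp(text)
        for g, row in rows.items():
            rep = reports.setdefault(
                g, {"masters": set(), "units": set(), "inoperable": set(), "issues": []})
            rep["units"].add(local)
            for uid, state in filter(None, [row["master"], row["pb"]] + row["others"]):
                rep["units"].add(uid)
                if state != "operable":
                    rep["inoperable"].add(uid)
            if row["master"]:
                rep["masters"].add(row["master"][0])
    for rep in reports.values():
        backups = rep["units"] - rep["masters"] - rep["inoperable"]
        if len(rep["masters"]) > 1:  # each unit believes it is master
            rep["issues"].append("split-brain: multiple masters %s" % sorted(rep["masters"]))
        elif not rep["masters"]:
            rep["issues"].append("no master")
        if not backups:
            rep["issues"].append("no operable backup")
        for uid in sorted(rep["inoperable"]):
            rep["issues"].append("unit %s inoperable" % uid)
    return reports


if __name__ == "__main__":
    for name, views in (("normal", {"ns-a": NS_A_NORMAL, "ns-b": NS_B_NORMAL}),
                        ("split", {"ns-a": NS_A_SPLIT, "ns-b": NS_B_SPLIT})):
        for g, rep in assess(views).items():
            print(name, "vsd-group", g, rep["issues"])
```

Run against the page's own outputs it reports that ns-b is inoperable and that the cluster therefore has no operable backup, which matches the (I) prompt ns-b showed in 4.2. Run against the constructed pair it reports split-brain, the state a single unmonitored HA link can leave you in; a second HA link or monitored interfaces on both sides are the usual mitigations.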

4.6 Configuration of the layer-3 switch in the untrust zone:

int vlan 1

ip add 192.168.100.20  255.255.255.0

Note: the switch in the trust zone must have its default gateway set (for the tests above).