
HCIE-Security Day13:防火牆雙機熱備實驗(一)防火牆直路部署,上下行連接配接交換機


Experiment 1: firewall in-path deployment, upstream and downstream connected to switches

Requirements and topology

The enterprise has two FWs whose service interfaces all work at Layer 3; their upstream and downstream sides connect to Layer 2 switches. The upstream switch connects to the carrier's access point, and the IP address the carrier has assigned to the enterprise is 1.1.1.1. The two FWs are to work in active/standby backup mode: under normal conditions traffic is forwarded through FW_A, and when FW_A fails traffic is forwarded through FW_B so that service is not interrupted.


Procedure

1. Configure interface addresses and security zones

Note that the heartbeat interfaces must be added to the same security zone, and the default gateway of the intranet devices is the virtual IP address of VRRP group 2.

2. Configure routes

// f1 / f2
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
// r1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1    // the next hop is the virtual IP address of VRRP group 1

3. Configure the VGMP group

// f1
interface GigabitEthernet 1/0/1
vrrp vrid 1 virtual-ip 1.1.1.1 24 active    // if the interface's real address is not in the same subnet as the VRRP group address, the mask must be specified
interface GigabitEthernet 1/0/0
vrrp vrid 2 virtual-ip 10.3.0.3 24 active
// f2
interface GigabitEthernet 1/0/1
vrrp vrid 1 virtual-ip 1.1.1.1 24 standby    // if the interface's real address is not in the same subnet as the VRRP group address, the mask must be specified
interface GigabitEthernet 1/0/0
vrrp vrid 2 virtual-ip 10.3.0.3 24 standby

4. Specify the heartbeat interface and enable hot standby

// f1
hrp interface GigabitEthernet 1/0/6 remote 10.10.0.2
hrp enable

// f2
hrp interface GigabitEthernet 1/0/6 remote 10.10.0.1
hrp enable

5. Configure the security policy on fw1 only; once the hot-standby state has been established, fw1's security policy is automatically backed up to fw2

security-policy
 rule name 1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit      

6. Configure the source NAT policy on fw1 only; once the hot-standby state has been established, fw1's source NAT policy is automatically backed up to fw2

// configure the public address pool
nat address-group 1 0
 mode pat
 route enable
 section 0 1.1.1.2 1.1.1.5
// configure the source NAT policy
nat-policy
 rule name 1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action source-nat address-group 1

Verification and analysis

1. Check the state of the interfaces in the VRRP groups

HRP_S<f2>dis vrrp
2022-02-15 00:52:35.430 
  GigabitEthernet1/0/1 | Virtual Router 1
    State : Backup
    Virtual IP : 1.1.1.1
    Master IP : 10.2.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2022-02-15 00:33:52
    Last change time : 2022-02-15 00:33:52

  GigabitEthernet1/0/0 | Virtual Router 2
    State : Backup
    Virtual IP : 10.3.0.3
    Master IP : 10.3.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2022-02-15 00:34:03
    Last change time : 2022-02-15 00:34:03      

Both the upstream and downstream interfaces of fw2 are in the Backup state, which shows the VRRP groups were created successfully. fw1 is checked in the same way.

2. Check the current VGMP group state

HRP_M<f1>dis hrp state verbose 
2022-02-15 00:56:40.090 
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 21 minutes
 Last state change information: 2022-02-15 0:35:19 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/1 vrrp vrid 1: active
           GigabitEthernet1/0/0 vrrp vrid 2: active
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0




HRP_S<f2>dis hrp state verbose 
2022-02-15 00:55:15.890 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 19 minutes
 Last state change information: 2022-02-15 0:35:19 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/1 vrrp vrid 1: standby
           GigabitEthernet1/0/0 vrrp vrid 2: standby
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100      

The running priorities of the active and standby devices are the same, but on the active device ospf-cost, bgp-cost and so on are all +0, while on the standby device they are 65500. Once dynamic routing is configured, route selection will therefore prefer the active device.

3. Ping the loopback 11.11.11.11 of the public-network device r1 from the PC and check the session table

//f1
HRP_M<f1>dis fire session table 
2022-02-15 01:04:23.230 
 Current Total Sessions : 6
 udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 icmp  VPN: public --> public  10.3.0.100:2812[1.1.1.3:2053] --> 11.11.11.11:2048
 icmp  VPN: public --> public  10.3.0.100:3324[1.1.1.3:2055] --> 11.11.11.11:2048
 icmp  VPN: public --> public  10.3.0.100:3068[1.1.1.3:2054] --> 11.11.11.11:2048

//f2
HRP_S<f2>dis fire session table 
2022-02-15 01:04:10.630 
 Current Total Sessions : 6
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:16384 --> 10.10.0.2:18514
 icmp  VPN: public --> public  Remote 10.3.0.100:2812[1.1.1.3:2053] --> 11.11.11.11:2048
 icmp  VPN: public --> public  Remote 10.3.0.100:3324[1.1.1.3:2055] --> 11.11.11.11:2048
 icmp  VPN: public --> public  Remote 10.3.0.100:3068[1.1.1.3:2054] --> 11.11.11.11:2048      

The UDP entries are HRP packets, used to synchronise session entries and key configuration between the firewalls.

The ICMP entries are sessions created by the ping. f2 holds sessions carrying the Remote flag; their content is synchronised from f1.

4. Run a continuous ping from the PC to r1's loopback 11.11.11.11, unplug fw1's upstream interface and observe the firewall state switchover and ping packet loss, then plug it back in and observe the state switchover and packet loss again.

HRP_S[f1]dis hrp state verbose
2022-02-15 01:10:07.130 
 Role: standby, peer: active (should be "active-standby")
 Running priority: 44998, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2022-02-15 1:09:09 HRP core state changed, old_s
tate = normal, new_state = abnormal(standby), local_priority = 44998, peer_prior
ity = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/1 vrrp vrid 1: Initialize
           GigabitEthernet1/0/0 vrrp vrid 2: standby (should be "active")
                                  ospf-cost: +65500 (should be "+0")
                                ospfv3-cost: +65500 (should be "+0")
                                   bgp-cost: +100 (should be "+0")


HRP_M<f2>dis hrp state verbose
2022-02-15 01:11:09.590 
 Role: active, peer: standby (should be "standby-active")
 Running priority: 45000, peer: 44998
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 2 minutes
 Last state change information: 2022-02-15 1:09:08 HRP core state changed, old_s
tate = normal, new_state = abnormal(active), local_priority = 45000, peer_priori
ty = 44998.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/1 vrrp vrid 1: active (should be "standby")
           GigabitEthernet1/0/0 vrrp vrid 2: active (should be "standby")
                                  ospf-cost: +0 (should be "+65500")
                                ospfv3-cost: +0 (should be "+65500")
                                   bgp-cost: +0 (should be "+100")      

Because the original active device suffered a fault, its priority was reduced by 2 to 44998. The faulty interface went into the init state, and the healthy downstream interface was switched by the VGMP group from active to standby, while the original standby device was promoted to active and both of its interfaces in the VGMP group also became active. The upstream and downstream interface states are thus back in step, which guarantees that traffic returns through the same firewall it left (source in, source out).

This shows that the VGMP group controls the state of the VRRP groups. On a switch or router the VRRP group state is decided by the VRRP priority; on the firewall it is not. The experiment also shows that the firewall's VRRP priority cannot be configured: once hot standby is enabled, the VRRP priority is fixed at 120.

On the firewall, when an interface fails, the VRRP group on that interface is in the init state; when the interface is healthy, the state of its VRRP group is decided by the state of the VGMP group, specifically:

  • When the VGMP group state is active, all VRRP groups are Master.
  • When the VGMP group state is standby, all VRRP groups are Backup.
  • When the VGMP group state is load-balance, the VRRP group state is decided by the VRRP group's own configuration, i.e.
vrrp vrid virtual-router-id virtual-ip virtual-address { active | standby }

active sets the VRRP group's state to Master; standby sets it to Backup.
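As an added example (not part of the original lab), the following Python check parses `dis hrp state verbose` output and applies the rules observed in verification sections 2 and 4 and the VGMP-to-VRRP mapping above: an interface in Initialize is a fault, the priority drops by 2 per fault (assumed here to be per failed interface), healthy interfaces follow the VGMP role rather than any VRRP priority, and cost penalties appear only on the standby device. The sample output is a constructed copy of fw1's post-fault state.

```python
import re

# Constructed sample modelled on fw1's "dis hrp state verbose" output after its
# upstream link was unplugged (priority 44998, vrid 1 in Initialize).
SAMPLE_FW1_FAULT = """\
 Role: standby, peer: active
 Running priority: 44998, peer: 45000
 Detail information:
           GigabitEthernet1/0/1 vrrp vrid 1: Initialize
           GigabitEthernet1/0/0 vrrp vrid 2: standby
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100
"""

def parse_hrp_state(text):
    """Pull role, priorities, per-interface VRRP states and cost adjustments."""
    role = re.search(r"Role:\s*(\w+),\s*peer:\s*(\w+)", text)
    prio = re.search(r"Running priority:\s*(\d+),\s*peer:\s*(\d+)", text)
    vrrp = re.findall(r"(\S+) vrrp vrid (\d+):\s*(\w+)", text)
    costs = re.findall(r"(ospf|ospfv3|bgp)-cost:\s*([+-]\d+)", text)
    return {"role": role.group(1), "peer": role.group(2),
            "priority": int(prio.group(1)), "peer_priority": int(prio.group(2)),
            "vrrp": {f"{i} vrid {v}": st.lower() for i, v, st in vrrp},
            "costs": {name: int(val) for name, val in costs}}

def check_hrp_state(text, base_priority=45000):
    """Return findings; an empty list means the output matches the lab's rules."""
    s = parse_hrp_state(text)
    findings = []
    failed = [k for k, v in s["vrrp"].items() if v == "initialize"]
    for k in failed:
        findings.append(f"{k}: interface fault (VRRP Initialize)")
    # The lab shows -2 for one failed uplink; assumed here to be -2 per failed interface.
    drop = base_priority - s["priority"]
    if drop != 2 * len(failed):
        findings.append(f"priority drop {drop} != 2 x {len(failed)} failed interface(s)")
    # Healthy interfaces must follow the VGMP role, not their own VRRP priority.
    want = "active" if s["role"] == "active" else "standby"
    for k, v in s["vrrp"].items():
        if v != "initialize" and v != want:
            findings.append(f"{k}: vrrp {v}, expected {want} for VGMP role {s['role']}")
    # Active advertises +0; standby carries a penalty so dynamic routing prefers active.
    for name, val in s["costs"].items():
        if s["role"] == "active" and val != 0:
            findings.append(f"{name}-cost {val:+d} on active device, expected +0")
        if s["role"] != "active" and val == 0:
            findings.append(f"{name}-cost +0 on standby device, expected a penalty")
    return findings
```

Feeding the two devices' outputs into `check_hrp_state` after each failover test gives a quick consistency check that the VRRP interface states and cost adjustments really did follow the VGMP role.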

Packet loss