
HCIE-Security Day14: Firewall Hot Standby Lab (2): Firewalls deployed in-path at Layer 3, connected to routers upstream and downstream


Combining VGMP with VRRP only applies to networks where the firewall connects to Layer 2 devices. If the upstream and downstream devices are routers, VRRP backup groups cannot be used; instead the VGMP group monitors interface state directly to detect faults. Concretely, the interfaces are added to the VGMP group; when an interface in the group fails, the VGMP group senses the state change directly and lowers its own priority accordingly.

Lab 2: Firewalls deployed in-path, connected to routers upstream and downstream

Requirements and topology

The service interfaces of both FWs work at Layer 3 and connect to routers upstream and downstream. OSPF runs between the FWs and the upstream/downstream routers. The goal is for the two FWs to work in active/standby mode: normally traffic is forwarded through FW_A; when FW_A fails, traffic is forwarded through FW_B so that service is not interrupted.


Procedure

1. Configure interface IP addresses and security zones

2. Configure OSPF routing

Enable OSPF process 1 on r1/r2/r3/r4/f1/f2 and add the directly connected network segments to area 0.

3. Configure hot standby (HRP)

3.1 Configure the VGMP group to monitor the upstream and downstream service interfaces

//f1/f2
hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/1

3.2 Enable adjusting the OSPF cost according to VGMP state. With this command configured, when the FW advertises OSPF routes it checks whether it is the active or the standby device: the active FW advertises the routes it learned unchanged, while the standby FW increases the cost before advertising them. As a result, when the upstream and downstream routers compute their routes, the next hop points to the active FW and packets are forwarded to it.

//f1/f2
hrp adjust ospf-cost enable

3.3 Specify the heartbeat interface and enable hot standby

//f1/f2 (remote is the peer's heartbeat address: 10.10.0.1 on one FW, 10.10.0.2 on the other)
hrp interface g1/0/6 remote 10.10.0.1/2
hrp enable

4. Configure security policies

4.1 Allow the FW to exchange OSPF packets with the upstream and downstream routers

//configured on f1, synchronised to f2 automatically
security-policy
 rule name 1
  source-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
 rule name 2
  source-zone untrust
  destination-zone local
  service ospf
  action permit

4.2 Allow intranet users to access the Internet

 rule name 3
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 mask 255.255.255.0
  source-address 10.3.3.0 mask 255.255.255.0
  action permit

Verification and analysis

1. Check the OSPF neighbor relationships on fw1 and fw2

//f1
dis ospf peer brief
2022-02-16 00:14:41.880 

   OSPF Process 1 with Router ID 11.11.11.11
      Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet1/0/0             3.3.3.3          Full        
 0.0.0.0          GigabitEthernet1/0/1             1.1.1.1          Full        
 ----------------------------------------------------------------------------
 Total Peer(s):     2
//f2
dis ospf peer brief 
2022-02-16 00:18:02.950 

   OSPF Process 1 with Router ID 22.22.22.22
      Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet1/0/0             4.4.4.4          Full        
 0.0.0.0          GigabitEthernet1/0/1             2.2.2.2          Full        
 ----------------------------------------------------------------------------
 Total Peer(s):     2      

2. Check the route costs on the upstream and downstream routers

[r3]dis ip routing-table protocol ospf 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       10.2.0.0/24  OSPF    10   2           D   10.3.0.1        GigabitEthernet0/0/1
       10.2.1.0/24  OSPF    10   4           D   10.3.0.1        GigabitEthernet0/0/1
       10.3.1.0/24  OSPF    10   2           D   34.1.1.4        GigabitEthernet0/0/0
       10.3.3.0/24  OSPF    10   2           D   34.1.1.4        GigabitEthernet0/0/0
       12.1.1.0/24  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       15.1.1.0/24  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       25.1.1.0/24  OSPF    10   4           D   10.3.0.1        GigabitEthernet0/0/1


<r4>dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       10.2.0.0/24  OSPF    10   3           D   34.1.1.3        GigabitEthernet0/0/0
       10.2.1.0/24  OSPF    10   5           D   34.1.1.3        GigabitEthernet0/0/0
       10.3.0.0/24  OSPF    10   2           D   34.1.1.3        GigabitEthernet0/0/0
       10.3.2.0/24  OSPF    10   2           D   34.1.1.3        GigabitEthernet0/0/0
       12.1.1.0/24  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       15.1.1.0/24  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       25.1.1.0/24  OSPF    10   5           D   34.1.1.3        GigabitEthernet0/0/0

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0      

As can be seen, reaching r5 via r3 costs less than via r4; r4's cost is 1 higher than r3's, and that extra 1 is because traffic from r4 to r5 goes through r3. Why not through fw2? Because the cost via fw2 is far too high, as the route below shows.

dis ip routing-table protocol ospf | include 5.5.5.5
2022-02-16 00:38:09.180 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 9        Routes : 9        

OSPF routing table status : <Active>
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   65501       D   10.2.1.2        GigabitEthernet1/0/1

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0      

If fw1 fails, the routing information on the upstream and downstream routers steers traffic to fw2; fw2 holds the session entries synchronised from fw1, so service continues to be forwarded normally.

HRP_M<f1>dis fire session table 
2022-02-16 00:49:33.150 
 Current Total Sessions : 4
 udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 telnet  VPN: public --> public  10.3.0.2:49804 --> 5.5.5.5:23

HRP_S<f2>dis fire sess table
2022-02-16 00:50:01.270 
 Current Total Sessions : 4
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:16384 --> 10.10.0.2:18514
 telnet  VPN: public --> public  Remote 10.3.0.2:49804 --> 5.5.5.5:23
HRP_S<f2>      
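The cost adjustment in step 3.2 and the route analysis above, as an added worked example that is not part of the original post: a small OSPF SPF simulation in Python over the topology reconstructed from the r3/r4 routing tables (an assumption: every link costs 1, 5.5.5.5/32 is r5's loopback, and the standby FW adds an assumed 65500 to its advertised link costs). It reproduces the normal-state costs 3 (r3 via f1) and 4 (r4 via r3), then shows where each router sends traffic after f1 fails and f2 becomes active.

```python
import heapq

# Topology reconstructed (as an assumption) from the r3/r4 routing tables on
# this page: every link costs 1 and 5.5.5.5/32 is r5's loopback (stub cost 0).
LINKS = [("r3", "f1"), ("f1", "r1"), ("r1", "r5"), ("r1", "r2"), ("r2", "r5"),
         ("r4", "f2"), ("f2", "r2"), ("r3", "r4")]
FIREWALLS = {"f1", "f2"}
STANDBY_PENALTY = 65500  # assumed cost the standby FW adds to its advertised links

def build_graph(active_fw, failed=()):
    """Directed link costs as every router sees them in the LSDB.
    With 'hrp adjust ospf-cost enable' the standby FW advertises its own
    outgoing links with the penalty added; links towards it are unchanged."""
    graph = {}
    for a, b in LINKS:
        if a in failed or b in failed:   # a failed FW withdraws its links
            continue
        for src, dst in ((a, b), (b, a)):
            cost = 1
            if src in FIREWALLS and src != active_fw:
                cost += STANDBY_PENALTY
            graph.setdefault(src, []).append((dst, cost))
    return graph

def spf(graph, root):
    """Dijkstra from root; returns {node: (cost, next hop from root)}."""
    dist = {root: (0, None)}
    queue = [(0, root, None)]
    while queue:
        cost, node, first_hop = heapq.heappop(queue)
        if cost > dist[node][0]:
            continue
        for nxt, link_cost in graph.get(node, []):
            new_cost = cost + link_cost
            hop = first_hop or nxt          # remember the first hop out of root
            if nxt not in dist or new_cost < dist[nxt][0]:
                dist[nxt] = (new_cost, hop)
                heapq.heappush(queue, (new_cost, nxt, hop))
    return dist

def route_to_r5(router, active_fw="f1", failed=()):
    """(cost, next hop) from a router to r5's loopback 5.5.5.5/32."""
    return spf(build_graph(active_fw, failed), router)["r5"]

if __name__ == "__main__":
    for r in ("r3", "r4"):
        print(r, "normal:", route_to_r5(r),
              "| f1 failed, f2 active:", route_to_r5(r, "f2", ("f1",)))
```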
