1. Lab topology diagram:

2. IP plan:
eth1: 192.168.101.68/24
eth3: 192.168.100.10/24
3. Device description:
The switch in the trust zone is a Digital China DCS-3950S
The switch in the untrust zone is an H3C Quidway S3526E
Firewall: Juniper NetScreen-25
4. Device configuration
4.1 Configuration of the first firewall, ns-a
login: netscreen
password:
NS-A(M)-> get system
Product Name: NetScreen-25
Serial Number: 0096052007001238, Control Number: 00000000
Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r6.0, Type: Firewall+×××
Compiled by build_master at: Tue Nov 28 15:14:46 PST 2006
Base Mac: 0019.e240.67d0
File Name: ns50ns25.5.3.0r6.0, Checksum: 966acd5c
Date 11/15/2012 19:45:39, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 51 minutes 30 seconds Since 15Nov2012:18:54:09
Total Device Resets: 48, Last Device Reset at: 11/15/2012 15:21:15
System in NAT/route mode.
NS-A(M)-> exit
login: 0096052007001238
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n] y
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue? y/[n] y
In reset ...
Start deactivate session...
0 sessions deactivated
NetScreen NS-25/50 Boot Loader Version 3.0.0 (Checksum: D1C6421F)
Copyright (c) 1997-2003 NetScreen Technologies, Inc.
Total physical memory: 128MB
Test - Pass
Initialization - Done
ns25-> set hostname ns-a
ns-a-> set interface eth1 ip 192.168.101.68 255.255.255.0
ns-a-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-a-> set int eth4 zone
Null Null zone
Trust Trust zone
Untrust Untrust zone
Self Self zone
Global Global zone
HA HA zone
MGT MGT zone
Untrust-Tun Untrust-Tun zone
v1-Null v1-Null zone
V1-Trust V1-Trust zone
V1-Untrust V1-Untrust zone
DMZ DMZ zone
V1-DMZ V1-DMZ zone
VLAN VLAN zone
ns-a-> set int eth4 zone HA    (heartbeat link, eth4)
ns-a-> set nsrp cl
cluster config cluster id/name
ns-a-> set nsrp cluster id
<number> NSRP cluster ID (range: 1 - 7)
ns-a-> set nsrp cluster id 1
ns-a(B)-> Unit becomes master of NSRP vsd-group 0
ns-a(M)-> set nsrp vsd-group id 0
ns-a(M)-> set nsrp vsd-group id
<number> vsd group ID (range: 0 - 7)    (up to 8 failover domains)
ns-a(M)-> set nsrp vsd-group id 0 pr
preempt allow to preempt a lower priority master
priority priority for this vsd group
<return>
ns-a(M)-> set nsrp vsd-group id 0 priority 50
ns-a(M)-> set nsrp vsd-group id 0 preempt
ns-a(M)-> set nsrp vsd-group id 0 monitor inter
interface interface to be monitored    (monitored port)
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth1
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth3
ns-a(M)-> get config    (view the configuration)
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3
ns-a(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, ctrl mac: 0019e24067d7, index: 1, unit id: 4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no myself none 4220080(inoperable)
ns-a(M)-> save
Save System Configuration ...
Done
4.2 Configuration of the second firewall
First clear its configuration using the serial number!
ns25-> set hostname ns-b
ns-b-> set int eth1 ip 192.168.101.68 255.255.255.0
ns-b-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-b-> set int eth4 zone HA
ns-b-> set nsrp cluster id 1
ns-b(B)-> set nsrp vsd-group id 0
ns-b(B)-> set nsrp vsd-group id 0 priority 100
ns-b(B)-> set nsrp vsd-group id 0 monitor int eth1
ns-b(B)-> set nsrp vsd-group id 0 monitor int eth3
ns-b(I)-> get nsrp
local unit id: 4220080
index: 0, unit id: 4220080, ctrl mac: 0019e24064b7, index: 1, unit id: 4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff
0 100 no 3 no 4220880 none myself(inoperable)
ns-b(I)-> save
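To make the election rules configured in 4.1 and 4.2 concrete, here is a small Python model added to this write-up; it is not part of the original lab and not Juniper code. It assumes the NSRP behaviour the lab goes on to demonstrate: the lower priority value wins, a unit with a monitored interface down becomes inoperable, and a unit takes the master role back from a healthy master only when preempt is set. The unit names, priorities and monitored interfaces are the lab's; the `Unit` class, the `link_up` dictionary and the `elect` function are constructions for this example.

```python
# Added example: a model of NSRP VSD-group master election (not from the lab
# write-up, not Juniper code). Rules assumed: lower priority value wins, a unit
# with any monitored interface down is inoperable, and a healthy master is only
# displaced by a unit that has preempt enabled.
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    priority: int                 # ScreenOS NSRP: lower number = higher priority
    preempt: bool
    monitored: tuple              # interfaces whose link state decides eligibility
    link_up: dict = field(default_factory=dict)   # constructed link state, default up

    def operable(self) -> bool:
        # Any monitored link down puts the unit in the inoperable (I) state
        return all(self.link_up.get(iface, True) for iface in self.monitored)


def elect(units, current_master):
    """Return the name of the VSD-group master after one election round.

    current_master is the unit holding the role before the round (None at boot).
    """
    eligible = [u for u in units if u.operable()]
    if not eligible:
        return None
    best = min(eligible, key=lambda u: u.priority)
    holder = next((u for u in eligible if u.name == current_master), None)
    if holder is None:
        # Master absent or inoperable: the best eligible unit takes over
        return best.name
    if best is not holder and best.preempt:
        # A better unit is back and is allowed to preempt the running master
        return best.name
    return holder.name


def lab_sequence(preempt_on_ns_a=True):
    """Replay the lab: boot, ns-a eth1 down, ns-a eth1 back up."""
    ns_a = Unit("ns-a", 50, preempt_on_ns_a, ("eth1", "eth3"))
    ns_b = Unit("ns-b", 100, False, ("eth1", "eth3"))
    units = [ns_a, ns_b]
    history = []
    master = elect(units, None)
    history.append(master)
    ns_a.link_up["eth1"] = False          # cable pulled on ns-a
    master = elect(units, master)
    history.append(master)
    ns_a.link_up["eth1"] = True           # cable plugged back in
    master = elect(units, master)
    history.append(master)
    return history


if __name__ == "__main__":
    print("with preempt   :", lab_sequence(True))    # ['ns-a', 'ns-b', 'ns-a']
    print("without preempt:", lab_sequence(False))   # ['ns-a', 'ns-b', 'ns-b']
```

The second run shows why the lab sets preempt on ns-a together with priority 50: without it, ns-b keeps the master role after ns-a recovers, and since ns-b has no preempt either, the role would simply stay wherever the last failure left it.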
4.3 Digital China switch configuration:
sw14#show version
DCS-3950S Device, Aug 27 2004 11:14:24
HardWare version is 2.10, SoftWare version is DCNOS-4.1.5, BootRom version is 1.2.1
Copyright (C) 2001-2004 by Digital China Networks Limited.
All rights reserved.
sw14>enable
sw14#config
sw14(Config)#exit
sw14#show running-config
Current configuration:
!
hostname sw14
sw14(Config)#int vlan 1
sw14(Config-If-Vlan1)#ip add 192.168.101.20 255.255.255.0
sw14# ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#show ip route
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived
A - OSPF ASE, B - BGP derived, D - DVMRP derived
Destination Mask Nexthop Interface Preference
C 192.168.101.0 255.255.255.0 0.0.0.0 Vlan1 0
4.4 Configure the access policy via the web UI
Check the resulting command on the firewall:
ns-a(M)-> get config
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
Check on ns-b whether it has been synchronized:
ns-b(B)-> get config
Check whether the configuration is in sync:
ns-b(B)-> exec nsrp sync global-config check-sum
ns-b(B)-> configuration in sync
Test from sw14:
sw14#ping 192.168.101.68
sw14#ping 192.168.100.10
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
sw14#ping 192.168.100.20
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
192.168.100.10 cannot be pinged: ping is not enabled on that interface.
View the interface and enable ping:
ns-a(M)-> get interface eth3
Interface ethernet3(VSI):
description ethernet3
number 6, if_info 1248, if_index 0, mode route
link up, phy-link up/full-duplex
vsys Root, zone Untrust, vr trust-vr, vsd 0
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.100.10/24 mac 0010.dbff.2060
*manage ip 192.168.100.10, mac 0019.e240.67d6
route-deny disable
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
band physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
DHCP-Relay disabled
DHCP-server disabled
Number of SW session: 32063, hw sess err cnt 0
ns-a(M)-> set interface eth3 manage ping
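A check an operator would want after the steps in 4.4, as an added example (not from the write-up and not Juniper code): scan a ScreenOS-style `get config` dump for any/any/ANY permit policies and for management services enabled on an interface in the Untrust zone. Only the `set policy id 1 ...` line is the one the lab shows; the other configuration lines are constructed for this example, and the interface-to-zone defaults (ethernet1 Trust, ethernet3 Untrust) are passed in explicitly as an assumption rather than read from the device.

```python
# Added example: audit a ScreenOS-style `get config` dump. Not from the lab
# write-up and not Juniper code. Only the "set policy id 1 ..." line is taken
# from the transcript; the other lines are constructed to exercise the checks.
import re

SAMPLE_CONFIG = """\
set interface ethernet1 ip 192.168.101.68/24
set interface "ethernet3" zone "Untrust"
set interface ethernet3 ip 192.168.100.10/24
set interface ethernet3 manage ping
set interface ethernet3 manage web
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit
"""

# Assumed default interface-to-zone mapping for this lab (eth1 Trust, eth3 Untrust)
DEFAULT_ZONES = {"ethernet1": "Trust", "ethernet3": "Untrust"}

ZONE_RE = re.compile(r'^set interface "?([^\s"]+)"? zone "?([^\s"]+)"?$')
MANAGE_RE = re.compile(r'^set interface "?([^\s"]+)"? manage (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (\w+)'
)
# Services that expose an admin login or device state, rated higher than ping
LOGIN_SERVICES = {"web", "telnet", "ssh", "snmp", "ssl"}


def audit(config_text, zones=None):
    """Return a list of (severity, message) findings for a config dump."""
    zones = dict(zones or {})
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            zones[m.group(1)] = m.group(2)      # explicit zone lines override defaults
            continue
        m = MANAGE_RE.match(line)
        if m:
            iface, service = m.groups()
            if zones.get(iface, "").lower() == "untrust":
                sev = "high" if service.lower() in LOGIN_SERVICES else "medium"
                findings.append((sev, f"{service} management enabled on {iface} (Untrust zone)"))
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, src_zone, dst_zone, src, dst, service, action = m.groups()
            if action == "permit" and (src, dst, service) == ("Any", "Any", "ANY"):
                sev = "high" if dst_zone == "Trust" else "medium"
                findings.append((sev, f"policy {pid} {src_zone}->{dst_zone} permits any/any/ANY"))
    return findings


def audit_sample():
    return audit(SAMPLE_CONFIG, DEFAULT_ZONES)


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity}] {message}")
```

On the constructed sample this reports four findings: ping and web management on ethernet3, and the two any/any/ANY policies (the inbound Untrust-to-Trust one rated high). Policy 3, which permits a single service, is left alone.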
4.5 Tests:
High availability test:
Unplug the eth1 cable, run the corresponding tests, and watch the state!
Unplug the eth1 interface of ns-a:
ns-a(M)-> ethernet1 interface change state to Down
2 sessions deactivated
ns-a(I)-> get nsrp
0 50 yes 3 no 4220080 none myself(inoperable)
ns-b(M)-> get nsrp
0 100 no 3 no myself none 4220880(inoperable)
When the eth1 link comes back up, because preempt mode is enabled, the following is observed:
ns-b(B)-> get nsrp
0 100 no 3 no 4220880 myself
0 50 yes 3 no myself 4220080
No packet loss was observed!
If eth3 is disconnected, the same thing happens as above!
If eth1, eth3 and the heartbeat link eth4 of the backup firewall are all disconnected:
index: 0, unit id: 4220880, total number of units: 1
0 50 yes 3 no myself none
total number of vsd groups: 1
Total iteration=6917,time=97434286,max=75534,min=5702,average=14086
index: 0, unit id: 4220080, total number of units: 1
0 100 no 3 no none none myself(inoperable)
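The VSD-group table printed by `get nsrp` (the `group priority preempt holddown inelig master PB other members` rows that appear throughout this write-up) is what an operator watches during these tests. As an added example, not from the lab and not Juniper code, here is a Python parser for those rows plus a small classifier; the sample rows are copied from the transcript above, while the labels and the verdict names (`ok`, `degraded`, `no-backup`, `no-master`) are this example's own.

```python
# Added example: parse the VSD-group rows of `get nsrp` and classify them.
# Not from the lab write-up and not Juniper code; the verdict names are this
# example's own. Sample rows are copied from the transcript.
import re

COLUMNS = ("group", "priority", "preempt", "holddown", "inelig", "master", "PB")
MEMBER_RE = re.compile(r"^([^(]+)(?:\((\w+)\)?)?$")   # tolerates a missing ')'


def parse_vsd_row(line):
    """Split one VSD-group row into a dict; trailing tokens are 'other members'."""
    tokens = line.split()
    if len(tokens) < len(COLUMNS):
        raise ValueError(f"not a VSD-group row: {line!r}")
    row = dict(zip(COLUMNS, tokens))
    row["priority"] = int(row["priority"])
    row["preempt"] = row["preempt"] == "yes"
    row["others"] = [t for t in tokens[len(COLUMNS):] if t != "none"]
    return row


def member_state(token):
    """'4220080(inoperable)' -> ('4220080', 'inoperable'); 'myself' -> ('myself', None)."""
    m = MEMBER_RE.match(token)
    if not m:
        raise ValueError(f"bad member token: {token!r}")
    return m.group(1), m.group(2)


def assess(row):
    """Classify the row from an operator's point of view."""
    if row["master"] == "none":
        return "no-master"            # nobody holds the VSD group: traffic stops
    members = [row["master"], row["PB"]] + row["others"]
    if any(member_state(t)[1] == "inoperable" for t in members if t != "none"):
        return "degraded"             # a peer is visible but cannot take over
    if row["PB"] == "none":
        return "no-backup"            # master is alone: the next failure is an outage
    return "ok"


# Rows copied from the transcript; the labels are constructed for this example
SAMPLE_ROWS = {
    "ns-a after 4.1":              "0 50 yes 3 no myself none 4220080(inoperable)",
    "ns-b after eth1 restored":    "0 100 no 3 no 4220880 myself",
    "ns-a, all links to peer cut": "0 50 yes 3 no myself none",
    "ns-b, all links cut":         "0 100 no 3 no none none myself(inoperable)",
}


def assess_samples():
    return {label: assess(parse_vsd_row(row)) for label, row in SAMPLE_ROWS.items()}


if __name__ == "__main__":
    for label, verdict in assess_samples().items():
        print(f"{label:30} -> {verdict}")
```

Run against the transcript rows this gives `degraded` for ns-a right after 4.1 (the peer is seen but not yet operable), `ok` for ns-b once ns-a has preempted, `no-backup` for ns-a when every link to the peer is cut, and `no-master` for the isolated ns-b. Fed the output of a periodic `get nsrp` poll, the same classifier is a reasonable basis for an alert.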
4.6 Configuration of the layer-3 switch in the untrust zone:
int vlan 1
ip add 192.168.100.20 255.255.255.0
Note: the switch in the trust zone must have a gateway specified! (for the tests)