?
?
实验一:防火墙直路部署,上下行连接交换机
需求和拓扑
企业的两台FW的业务接口都工作在三层,上下行分别连接二层交换机。上行交换机连接运营商的接入点,运营商为企业分配的IP地址为1.1.1.1。现在希望两台FW以主备备份方式工作。正常情况下,流量通过FW_A转发。当FW_A出现故障时,流量通过FW_B转发,保证业务不中断。
操作步骤
1、配置接口地址和安全区域
注意心跳线要加入同一安全区域,内网设备的默认网关地址是vrrp备份组2的虚拟ip地址。
2、配置路由
f1/f2
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
r1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1//下一跳地址是vrrp备份组1的虚拟ip地址3、配置vgmp组
//f1
interface GigabitEthernet 1/0/1
vrrp vrid 1 virtual-ip 1.1.1.1 24 active//如果接口真实地址与vrrp备份组地址不在同一网段,需要指定掩码
interface GigabitEthernet 1/0/0
vrrp vrid 2 virtual-ip 10.3.0.3 24 active
//f2
interface GigabitEthernet 1/0/1
vrrp vrid 1 virtual-ip 1.1.1.1 24 standby//如果接口真实地址与vrrp备份组地址不在同一网段,需要指定掩码
interface GigabitEthernet 1/0/0
vrrp vrid 2 virtual-ip 10.3.0.3 24 standby4、指定心跳口并启用双机热备功能
//f1
hrp interface GigabitEthernet 1/0/6 remote 10.10.0.2
hrp enable
//f2
hrp interface GigabitEthernet 1/0/6 remote 10.10.0.1
hrp enable 5、仅在fw1上配置安全策略,双机热备状态成功建立后,fw1的安全策略会自动备份到fw2上
security-policy
rule name 1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action permit
6、仅在fw1上配置源nat策略,双机热备状态成功建立后,fw1的安全策略会自动备份到fw2上
//配置公网地址池
nat address-group 1 0
mode pat
route enable
section 0 1.1.1.2 1.1.1.5
//配置源nat策略
nat-policy
rule name 1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action source-nat address-group 1
验证和分析
1、检查vrrp组内接口的状态信息
HRP_S<f2>dis vrrp
2022-02-15 00:52:35.430
GigabitEthernet1/0/1 | Virtual Router 1
State : Backup
Virtual IP : 1.1.1.1
Master IP : 10.2.0.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled
Create time : 2022-02-15 00:33:52
Last change time : 2022-02-15 00:33:52
GigabitEthernet1/0/0 | Virtual Router 2
State : Backup
Virtual IP : 10.3.0.3
Master IP : 10.3.0.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled
Create time : 2022-02-15 00:34:03
Last change time : 2022-02-15 00:34:03
可见fw2的上下行接口都处于backup状态,表示vrrp组建立成功。fw1的查看方式类似。
2、检查当前vgmp组的状态
HRP_M<f1>dis hrp state verbose
2022-02-15 00:56:40.090
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 21 minutes
Last state change information: 2022-02-15 0:35:19 HRP link changes to up.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1 vrrp vrid 1: active
GigabitEthernet1/0/0 vrrp vrid 2: active
ospf-cost: +0
ospfv3-cost: +0
bgp-cost: +0
HRP_S<f2>dis hrp state verbose
2022-02-15 00:55:15.890
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 19 minutes
Last state change information: 2022-02-15 0:35:19 HRP link changes to up.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1 vrrp vrid 1: standby
GigabitEthernet1/0/0 vrrp vrid 2: standby
ospf-cost: +65500
ospfv3-cost: +65500
bgp-cost: +100
可见主备的优先级是相同的,但是active设备的ospf-cost、bgp-cost等都是为0的,而standby设备的则是65500,这样在配置了动态路由后,路由选路的时候就会优选active设备了。
3、使用pc ping公网设备r1的环回口11.11.11.11,检查会话表项
//f1
HRP_M<f1>dis fire session table
2022-02-15 01:04:23.230
Current Total Sessions : 6
udp VPN: public --> public 10.10.0.2:16384 --> 10.10.0.1:18514
udp VPN: public --> public 10.10.0.1:49152 --> 10.10.0.2:18514
udp VPN: public --> public 10.10.0.2:49152 --> 10.10.0.1:18514
icmp VPN: public --> public 10.3.0.100:2812[1.1.1.3:2053] --> 11.11.11.11:2048
icmp VPN: public --> public 10.3.0.100:3324[1.1.1.3:2055] --> 11.11.11.11:2048
icmp VPN: public --> public 10.3.0.100:3068[1.1.1.3:2054] --> 11.11.11.11:2048
//f2
HRP_S<f2>dis fire session table
2022-02-15 01:04:10.630
Current Total Sessions : 6
udp VPN: public --> public 10.10.0.1:49152 --> 10.10.0.2:18514
udp VPN: public --> public 10.10.0.2:49152 --> 10.10.0.1:18514
udp VPN: public --> public 10.10.0.1:16384 --> 10.10.0.2:18514
icmp VPN: public --> public Remote 10.3.0.100:2812[1.1.1.3:2053] --> 11.11.11.11:2048
icmp VPN: public --> public Remote 10.3.0.100:3324[1.1.1.3:2055] --> 11.11.11.11:2048
icmp VPN: public --> public Remote 10.3.0.100:3068[1.1.1.3:2054] --> 11.11.11.11:2048
udp报文是hrp报文,用于fw之间同步表项以及关键配置。
icmp报文是ping包建立的会话,f2存在带有remote标记的会话,这些会话内容和f1是同步的.
4、使用pc长ping公网设备r1的环回口11.11.11.11,将fw1的上行接口拔出,观察防火墙状态切换及ping包丢包情况,再将其插回,观察防火墙状态切换及ping包丢包情况。
HRP_S[f1]dis hrp state verbose
2022-02-15 01:10:07.130
Role: standby, peer: active (should be "active-standby")
Running priority: 44998, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2022-02-15 1:09:09 HRP core state changed, old_s
tate = normal, new_state = abnormal(standby), local_priority = 44998, peer_prior
ity = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1 vrrp vrid 1: Initialize
GigabitEthernet1/0/0 vrrp vrid 2: standby (should be "active")
ospf-cost: +65500 (should be "+0")
ospfv3-cost: +65500 (should be "+0")
bgp-cost: +100 (should be "+0")
HRP_M<f2>dis hrp state verbose
2022-02-15 01:11:09.590
Role: active, peer: standby (should be "standby-active")
Running priority: 45000, peer: 44998
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 2 minutes
Last state change information: 2022-02-15 1:09:08 HRP core state changed, old_s
tate = normal, new_state = abnormal(active), local_priority = 45000, peer_priori
ty = 44998.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1 vrrp vrid 1: active (should be "standby")
GigabitEthernet1/0/0 vrrp vrid 2: active (should be "standby")
ospf-cost: +0 (should be "+65500")
ospfv3-cost: +0 (should be "+65500")
bgp-cost: +0 (should be "+100")
原来的active设备由于出现了故障,则其优先级减2,成为了44998,故障接口变成了init状态,正常的下行接口被vgmp组从active变成了standby,而原来的standby设备上位成了active,同时将加入vgmp组的两个接口也变成了active。这样上下行接口的状态又一次同步,流量的源进源出得以保证。
这说明vgmp组控制了vrrp备份组的状态,在交换机或者路由器上,vrrp备份组的状态由vrrp优先级大小决定,防火墙的vrrp备份组状态则不是由vrrp优先级大小决定,而且通过实验我们发现,fw的vrrp优先级是不可以配置的,fw启用双机热备功能后,vrrp优先级固定为120.
在fw上,接口故障时,接口下vrrp备份组状态为init,接口无故障时,接口下的vrrp备份组状态由vgmp组的状态决定,具体是
- 当VGMP组状态为active时,VRRP备份组的状态都是Master。
- 当VGMP组状态为standby时,VRRP备份组的状态都是Backup。
-
当VGMP组状态为load-balance时,VRRP备份组状态由VRRP备份组的配置决定。即
vrrp vrid virtual-router-id virtual-ip virtual-address { active | standby }
a?ctive表示指定vrrp备份组的状态为master,standby表示指定vrrp备份组的状态为backup。
丢包情况
出现了丢包,但数量很少。