CLI configuration: Typical RBM+OSPF active/standby configuration in a virtualized Context scenario

Software version

This example was configured and verified on version M9000-AI-E8R9071.

Network requirements

As shown in the figure below, a company uses a Device as the egress gateway of its cloud computing center to protect the security of its internal network. To serve multiple tenants, the Device is virtualized into several logical devices (Contexts); each virtual device is independent of the others and has its own security policies. To improve service stability, two Devices are deployed as an RBM hot-standby pair. The specific requirements are as follows:

After the primary device recovers, traffic switches back to the original primary: the secondary device stops processing services and the original primary handles them normally.

Figure 1 Network diagram for the active/standby deployment of the cloud computing center gateway with RBM+OSPF in a virtualized Context environment

 

Figure 2 Logical network diagram for the active/standby deployment of the cloud computing center gateway through Context cnt1

 

Figure 3 Logical network diagram for the active/standby deployment of the cloud computing center gateway through Context cnt2

Precautions

Consistent hardware environment

Before deploying HA, make sure the hardware environments of the primary and secondary devices are consistent. The requirements are as follows:

Consistent software environment

Before deploying HA, make sure the software environments of the primary and secondary devices are consistent. The requirements are as follows:

Configuration procedure

Configuring Router A

  1. Configure interface IP addresses

# Configure IPv4 addresses on the service interfaces according to the network plan, as follows.

<RouterA> system-view

[RouterA] interface gigabitethernet 1/0/1.10

[RouterA-GigabitEthernet1/0/1.10] ip address 2.1.1.2 255.255.255.0

[RouterA-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[RouterA-GigabitEthernet1/0/1.10] quit

[RouterA] interface gigabitethernet 1/0/2.10

[RouterA-GigabitEthernet1/0/2.10] ip address 2.1.10.2 255.255.255.0

[RouterA-GigabitEthernet1/0/2.10] vlan-type dot1q vid 10

[RouterA-GigabitEthernet1/0/2.10] quit

[RouterA] interface gigabitethernet 1/0/1.20

[RouterA-GigabitEthernet1/0/1.20] ip address 2.1.2.2 255.255.255.0

[RouterA-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[RouterA-GigabitEthernet1/0/1.20] quit

[RouterA] interface gigabitethernet 1/0/2.20

[RouterA-GigabitEthernet1/0/2.20] ip address 2.1.12.2 255.255.255.0

[RouterA-GigabitEthernet1/0/2.20] vlan-type dot1q vid 20

[RouterA-GigabitEthernet1/0/2.20] quit

[RouterA] interface gigabitethernet 1/0/13

[RouterA-GigabitEthernet1/0/13] ip address 21.1.1.1 255.255.255.0

[RouterA-GigabitEthernet1/0/13] quit

[RouterA] interface gigabitethernet 1/0/14

[RouterA-GigabitEthernet1/0/14] ip address 21.1.2.1 255.255.255.0

[RouterA-GigabitEthernet1/0/14] quit

  2. Configure static routes

# Assume that cloud server Server 1 reaches the external network at destination address 30.1.1.1 through next hop 21.1.1.15, and that Server 2 reaches destination address 30.1.2.1 through next hop 21.1.2.15. In a real deployment, use the addresses of your own network. The configuration is as follows.

[RouterA] ip route-static 30.1.1.0 255.255.255.0 21.1.1.15

[RouterA] ip route-static 30.1.2.0 255.255.255.0 21.1.2.15

  3. Configure OSPF and redistribute the static routes

# Specify that the interfaces running OSPF are in network segments 2.1.1.0/24, 2.1.2.0/24, 2.1.10.0/24, 2.1.12.0/24, 21.1.1.0/24 and 21.1.2.0/24, and that they belong to OSPF area 0.

[RouterA] ospf 1 router-id 2.1.1.2

[RouterA-ospf-1] area 0.0.0.0

[RouterA-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 2.1.2.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 2.1.10.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 2.1.12.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 21.1.1.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] network 21.1.2.0 0.0.0.255

[RouterA-ospf-1-area-0.0.0.0] quit

[RouterA-ospf-1] import-route static

[RouterA-ospf-1] quit

Configuring Router B

  1. Configure interface IP addresses

# Configure IPv4 addresses on the service interfaces according to the network plan, as follows.

<RouterB> system-view

[RouterB] interface gigabitethernet 1/0/1.10

[RouterB-GigabitEthernet1/0/1.10] ip address 10.1.1.2 255.255.255.0

[RouterB-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[RouterB-GigabitEthernet1/0/1.10] quit

[RouterB] interface gigabitethernet 1/0/2.10

[RouterB-GigabitEthernet1/0/2.10] ip address 10.1.10.2 255.255.255.0

[RouterB-GigabitEthernet1/0/2.10] vlan-type dot1q vid 10

[RouterB-GigabitEthernet1/0/2.10] quit

[RouterB] interface gigabitethernet 1/0/13

[RouterB-GigabitEthernet1/0/13] ip address 20.1.1.1 255.255.255.0

[RouterB-GigabitEthernet1/0/13] quit

[RouterB] interface gigabitethernet 1/0/1.20

[RouterB-GigabitEthernet1/0/1.20] ip address 10.1.2.2 255.255.255.0

[RouterB-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[RouterB-GigabitEthernet1/0/1.20] quit

[RouterB] interface gigabitethernet 1/0/2.20

[RouterB-GigabitEthernet1/0/2.20] ip address 10.1.12.2 255.255.255.0

[RouterB-GigabitEthernet1/0/2.20] vlan-type dot1q vid 20

[RouterB-GigabitEthernet1/0/2.20] quit

[RouterB] interface gigabitethernet 1/0/14

[RouterB-GigabitEthernet1/0/14] ip address 20.1.2.1 255.255.255.0

[RouterB-GigabitEthernet1/0/14] quit

  2. Configure OSPF

# Specify that the interfaces running OSPF are in network segments 10.1.1.0/24, 10.1.10.0/24, 20.1.1.0/24, 10.1.2.0/24, 10.1.12.0/24 and 20.1.2.0/24, and that they belong to OSPF area 0.

[RouterB] ospf 1 router-id 10.1.1.2

[RouterB-ospf-1] area 0.0.0.0

[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[RouterB-ospf-1-area-0.0.0.0] quit

[RouterB] ospf 2 router-id 10.1.2.2

[RouterB-ospf-2] area 0.0.0.0

[RouterB-ospf-2-area-0.0.0.0] network 10.1.2.0 0.0.0.255

[RouterB-ospf-2-area-0.0.0.0] network 10.1.12.0 0.0.0.255

[RouterB-ospf-2-area-0.0.0.0] network 20.1.2.0 0.0.0.255

[RouterB-ospf-2-area-0.0.0.0] quit

Configuring Device A

  1. Configure non-default Context cnt1

  (1) Create non-default Context cnt1

# After a Context is created, it must be assigned to a security engine (by assigning it to a security engine group) before it has a runtime environment and can run services. This example assigns it to the default security engine group.

<DeviceA> system-view

[DeviceA] context cnt1

[DeviceA-context-2-cnt1] location blade-controller-team 1

[DeviceA-context-2-cnt1] allocate interface gigabitethernet 1/0/1 share

[DeviceA-context-2-cnt1] allocate interface gigabitethernet 1/0/2 share

[DeviceA-context-2-cnt1] context start

[DeviceA-context-2-cnt1] quit

  (2) Configure interface IP addresses in non-default Context cnt1

# Configure IPv4 addresses on the service interfaces according to the network plan. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable Dot1q termination on the subinterfaces to forward traffic between VLANs. The configuration is as follows.

[DeviceA] switchto context cnt1

<DeviceA> system-view

[DeviceA] sysname DeviceA_cnt1

[DeviceA_cnt1] interface gigabitethernet1/0/1.10

[DeviceA_cnt1-GigabitEthernet1/0/1.10] ip address 2.1.1.1 255.255.255.0

[DeviceA_cnt1-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[DeviceA_cnt1-GigabitEthernet1/0/1.10] quit

[DeviceA_cnt1] interface gigabitethernet1/0/2.10

[DeviceA_cnt1-GigabitEthernet1/0/2.10] ip address 10.1.1.1 255.255.255.0

[DeviceA_cnt1-GigabitEthernet1/0/2.10] vlan-type dot1q vid 10

[DeviceA_cnt1-GigabitEthernet1/0/2.10] quit

  (3) Assign the interfaces to security zones

# Assign the interfaces to the corresponding security zones according to the network plan, as follows.

[DeviceA_cnt1] security-zone name untrust

[DeviceA_cnt1-security-zone-Untrust] import interface gigabitethernet 1/0/1.10

[DeviceA_cnt1-security-zone-Untrust] quit

[DeviceA_cnt1] security-zone name trust

[DeviceA_cnt1-security-zone-Trust] import interface gigabitethernet 1/0/2.10

[DeviceA_cnt1-security-zone-Trust] quit

  (4) Configure OSPF to ensure route reachability

[DeviceA_cnt1] ospf 1 router-id 2.1.1.1

[DeviceA_cnt1-ospf-1] area 0.0.0.0

[DeviceA_cnt1-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255

[DeviceA_cnt1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[DeviceA_cnt1-ospf-1-area-0.0.0.0] quit

[DeviceA_cnt1-ospf-1] quit

  (5) Configure security policies to permit the required service traffic

These security policies only need to be configured on the primary management device; once the hot-standby pair is established, the secondary management device synchronizes them automatically.

# Configure a security policy rule named trust-untrust so that internal users can initiate access to the Internet while Internet users cannot access the internal network. The configuration is as follows.

[DeviceA_cnt1] security-policy ip

[DeviceA_cnt1-security-policy-ip] rule 0 name trust-untrust

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] source-zone trust

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] destination-zone untrust

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] source-ip-subnet 20.1.1.0 24

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] action pass

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] quit

# Configure security policy rules that permit OSPF packets, so that OSPF neighbors can be established and routes can be learned.

[DeviceA_cnt1-security-policy-ip] rule 1 name ospf1

[DeviceA_cnt1-security-policy-ip-1-ospf1] source-zone trust

[DeviceA_cnt1-security-policy-ip-1-ospf1] destination-zone local

[DeviceA_cnt1-security-policy-ip-1-ospf1] action pass

[DeviceA_cnt1-security-policy-ip-1-ospf1] service ospf

[DeviceA_cnt1-security-policy-ip-1-ospf1] quit

[DeviceA_cnt1-security-policy-ip] rule 2 name ospf2

[DeviceA_cnt1-security-policy-ip-2-ospf2] source-zone local

[DeviceA_cnt1-security-policy-ip-2-ospf2] destination-zone trust

[DeviceA_cnt1-security-policy-ip-2-ospf2] action pass

[DeviceA_cnt1-security-policy-ip-2-ospf2] service ospf

[DeviceA_cnt1-security-policy-ip-2-ospf2] quit

[DeviceA_cnt1-security-policy-ip] rule 3 name ospf3

[DeviceA_cnt1-security-policy-ip-3-ospf3] source-zone untrust

[DeviceA_cnt1-security-policy-ip-3-ospf3] destination-zone local

[DeviceA_cnt1-security-policy-ip-3-ospf3] action pass

[DeviceA_cnt1-security-policy-ip-3-ospf3] service ospf

[DeviceA_cnt1-security-policy-ip-3-ospf3] quit

[DeviceA_cnt1-security-policy-ip] rule 4 name ospf4

[DeviceA_cnt1-security-policy-ip-4-ospf4] source-zone local

[DeviceA_cnt1-security-policy-ip-4-ospf4] destination-zone untrust

[DeviceA_cnt1-security-policy-ip-4-ospf4] action pass

[DeviceA_cnt1-security-policy-ip-4-ospf4] service ospf

[DeviceA_cnt1-security-policy-ip-4-ospf4] quit

[DeviceA_cnt1-security-policy-ip] quit

[DeviceA_cnt1] quit

<DeviceA_cnt1> quit
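The rule set above is small enough to model offline. The following Python script is an added example, not part of the H3C guide: it parses rules written in the configuration-file form the page uses, evaluates sample flows with first-match semantics and an implicit default deny (the behaviour the page relies on when it says Internet users cannot reach the internal network), and so lets you confirm what a zone-pair policy permits before it is pushed to the primary and synchronized to the secondary. The rule text is constructed from the cnt1 rules above (rules 2 and 4, the local-to-zone OSPF rules, are omitted to keep it short); the sample flows, the `Rule` class and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed from the Context cnt1 rules configured above, in config-file
# form. Rules 2 and 4 (local -> trust/untrust OSPF) are omitted for brevity.
POLICY_CNT1 = """\
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 20.1.1.0 255.255.255.0
 rule 1 name ospf1
  action pass
  source-zone trust
  destination-zone local
  service ospf
 rule 3 name ospf3
  action pass
  source-zone untrust
  destination-zone local
  service ospf
"""


@dataclass
class Rule:
    rid: int
    name: str
    action: str = "drop"
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_subnets: list = field(default_factory=list)
    services: set = field(default_factory=set)


def parse_policy(text):
    """Turn a security-policy ip stanza into an ordered list of Rule objects."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "rule":                 # "rule <id> name <name>"
            rules.append(Rule(rid=int(parts[1]), name=parts[3]))
        elif not rules:
            continue                           # stanza header, no rule yet
        elif parts[0] == "action":
            rules[-1].action = parts[1]
        elif parts[0] == "source-zone":
            rules[-1].src_zones.add(parts[1].lower())
        elif parts[0] == "destination-zone":
            rules[-1].dst_zones.add(parts[1].lower())
        elif parts[0] == "source-ip-subnet":   # "<addr> <mask or prefix length>"
            rules[-1].src_subnets.append(
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "service":
            rules[-1].services.add(parts[1].lower())
    return rules


def evaluate(rules, src_zone, dst_zone, src_ip, service):
    """First matching rule wins; an unmatched flow falls to the implicit default deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src_zones and src_zone.lower() not in r.src_zones:
            continue
        if r.dst_zones and dst_zone.lower() not in r.dst_zones:
            continue
        if r.src_subnets and not any(ip in net for net in r.src_subnets):
            continue
        if r.services and service.lower() not in r.services:
            continue
        return r.action, r.name
    return "drop", None


RULES_CNT1 = parse_policy(POLICY_CNT1)

# Constructed sample flows: (source zone, destination zone, source IP, service).
SAMPLE_FLOWS = {
    "server-to-internet":      ("trust", "untrust", "20.1.1.100", "icmp"),
    "internet-to-server":      ("untrust", "trust", "21.1.1.100", "icmp"),
    "ospf-from-router-b":      ("trust", "local", "10.1.1.2", "ospf"),
    "ospf-from-router-a":      ("untrust", "local", "2.1.1.2", "ospf"),
    "ssh-to-firewall":         ("untrust", "local", "2.1.1.2", "ssh"),
    "unexpected-trust-source": ("trust", "untrust", "192.0.2.7", "icmp"),
}


def audit(rules=RULES_CNT1, flows=SAMPLE_FLOWS):
    """Return {flow name: (action, matching rule name or None)} for every sample flow."""
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, rule) in audit().items():
        print(f"{name:24s} {action:5s} {rule or '(default deny)'}")
```

The `unexpected-trust-source` flow shows why rule 0 carries a `source-ip-subnet`: a host in the trust zone that is not in 20.1.1.0/24 is dropped, so the permit is tied to the tenant's address range rather than to the zone alone.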

  2. Configure non-default Context cnt2

  (1) Create non-default Context cnt2

# Assign the Context to the default security engine group.

<DeviceA> system-view

[DeviceA] context cnt2

[DeviceA-context-3-cnt2] location blade-controller-team 1

[DeviceA-context-3-cnt2] allocate interface gigabitethernet 1/0/1 share

[DeviceA-context-3-cnt2] allocate interface gigabitethernet 1/0/2 share

[DeviceA-context-3-cnt2] context start

[DeviceA-context-3-cnt2] quit

  (2) Configure interface IP addresses in non-default Context cnt2

# Configure IPv4 addresses on the service interfaces according to the network plan. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable Dot1q termination on the subinterfaces to forward traffic between VLANs. The configuration is as follows.

[DeviceA] switchto context cnt2

<DeviceA> system-view

[DeviceA] sysname DeviceA_cnt2

[DeviceA_cnt2] interface gigabitethernet1/0/1.20

[DeviceA_cnt2-GigabitEthernet1/0/1.20] ip address 2.1.2.1 255.255.255.0

[DeviceA_cnt2-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[DeviceA_cnt2-GigabitEthernet1/0/1.20] quit

[DeviceA_cnt2] interface gigabitethernet1/0/2.20

[DeviceA_cnt2-GigabitEthernet1/0/2.20] ip address 10.1.2.1 255.255.255.0

[DeviceA_cnt2-GigabitEthernet1/0/2.20] vlan-type dot1q vid 20

[DeviceA_cnt2-GigabitEthernet1/0/2.20] quit

  (3) Assign the interfaces to security zones

# Assign the interfaces to the corresponding security zones according to the network plan, as follows.

[DeviceA_cnt2] security-zone name untrust

[DeviceA_cnt2-security-zone-Untrust] import interface gigabitethernet 1/0/1.20

[DeviceA_cnt2-security-zone-Untrust] quit

[DeviceA_cnt2] security-zone name trust

[DeviceA_cnt2-security-zone-Trust] import interface gigabitethernet 1/0/2.20

[DeviceA_cnt2-security-zone-Trust] quit

  (4) Configure OSPF to ensure route reachability

[DeviceA_cnt2] ospf 2 router-id 2.1.2.1

[DeviceA_cnt2-ospf-2] area 0.0.0.0

[DeviceA_cnt2-ospf-2-area-0.0.0.0] network 2.1.2.0 0.0.0.255

[DeviceA_cnt2-ospf-2-area-0.0.0.0] network 10.1.2.0 0.0.0.255

[DeviceA_cnt2-ospf-2-area-0.0.0.0] quit

[DeviceA_cnt2-ospf-2] quit

  (5) Configure security policies to permit the required service traffic

These security policies only need to be configured on the primary management device; once the hot-standby pair is established, the secondary management device synchronizes them automatically.

# Configure a security policy rule named trust-untrust so that internal users can initiate access to the Internet while Internet users cannot access the internal network. The configuration is as follows.

[DeviceA_cnt2] security-policy ip

[DeviceA_cnt2-security-policy-ip] rule 0 name trust-untrust

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] source-zone trust

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] destination-zone untrust

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] source-ip-subnet 20.1.2.0 24

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] action pass

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] quit

# Configure security policy rules that permit OSPF packets, so that OSPF neighbors can be established and routes can be learned.

[DeviceA_cnt2-security-policy-ip] rule 1 name ospf1

[DeviceA_cnt2-security-policy-ip-1-ospf1] source-zone trust

[DeviceA_cnt2-security-policy-ip-1-ospf1] destination-zone local

[DeviceA_cnt2-security-policy-ip-1-ospf1] action pass

[DeviceA_cnt2-security-policy-ip-1-ospf1] service ospf

[DeviceA_cnt2-security-policy-ip-1-ospf1] quit

[DeviceA_cnt2-security-policy-ip] rule 2 name ospf2

[DeviceA_cnt2-security-policy-ip-2-ospf2] source-zone local

[DeviceA_cnt2-security-policy-ip-2-ospf2] destination-zone trust

[DeviceA_cnt2-security-policy-ip-2-ospf2] action pass

[DeviceA_cnt2-security-policy-ip-2-ospf2] service ospf

[DeviceA_cnt2-security-policy-ip-2-ospf2] quit

[DeviceA_cnt2-security-policy-ip] rule 3 name ospf3

[DeviceA_cnt2-security-policy-ip-3-ospf3] source-zone untrust

[DeviceA_cnt2-security-policy-ip-3-ospf3] destination-zone local

[DeviceA_cnt2-security-policy-ip-3-ospf3] action pass

[DeviceA_cnt2-security-policy-ip-3-ospf3] service ospf

[DeviceA_cnt2-security-policy-ip-3-ospf3] quit

[DeviceA_cnt2-security-policy-ip] rule 4 name ospf4

[DeviceA_cnt2-security-policy-ip-4-ospf4] source-zone local

[DeviceA_cnt2-security-policy-ip-4-ospf4] destination-zone untrust

[DeviceA_cnt2-security-policy-ip-4-ospf4] action pass

[DeviceA_cnt2-security-policy-ip-4-ospf4] service ospf

[DeviceA_cnt2-security-policy-ip-4-ospf4] quit

[DeviceA_cnt2-security-policy-ip] quit

[DeviceA_cnt2] quit

<DeviceA_cnt2> quit

  3. Configure hot standby

  (1) Configure hot standby

# Configure the IP address of the RBM channel interface.

[DeviceA] interface gigabitethernet 1/0/6

[DeviceA-GigabitEthernet1/0/6] ip address 10.2.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/6] quit

# Configure Track entries to monitor interface status.

[DeviceA] track 1 interface gigabitethernet 1/0/1

[DeviceA-track-1] quit

[DeviceA] track 2 interface gigabitethernet 1/0/2

[DeviceA-track-2] quit

# Deploy the two Devices as a hot-standby pair, with Device A as the primary and Device B as the secondary. When Device A or one of its links fails, Device B takes over from Device A so that services are not interrupted.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/6

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] delay-time 1

# Enable the hot-standby feature that adjusts the cost of the OSPF dynamic routing protocol on the secondary device, and advertise the cost in absolute mode with an absolute value of 6000.

RBM_P[DeviceA-remote-backup-group] adjust-cost ospf enable absolute 6000

# Associate hot standby with the Track entries.

RBM_P[DeviceA-remote-backup-group] track 1

RBM_P[DeviceA-remote-backup-group] track 2

RBM_P[DeviceA-remote-backup-group] quit

  (2) Configure security services

# With the hot-standby configuration above in place, the various security services can be configured. Feature modules whose configuration hot standby can back up only need to be configured on the primary management device (Device A).

Configuring Device B

  1. Configure non-default Context cnt1

  (1) Create non-default Context cnt1

# Assign the Context to the default security engine group.

<DeviceB> system-view

[DeviceB] context cnt1

[DeviceB-context-2-cnt1] location blade-controller-team 1

[DeviceB-context-2-cnt1] allocate interface gigabitethernet 1/0/1 share

[DeviceB-context-2-cnt1] allocate interface gigabitethernet 1/0/2 share

[DeviceB-context-2-cnt1] context start

[DeviceB-context-2-cnt1] quit

  (2) Configure interface IP addresses in non-default Context cnt1

# Configure IPv4 addresses on the service interfaces according to the network plan. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable Dot1q termination on the subinterfaces to forward traffic between VLANs. The configuration is as follows.

[DeviceB] switchto context cnt1

<DeviceB> system-view

[DeviceB] sysname DeviceB_cnt1

[DeviceB_cnt1] interface gigabitethernet1/0/1.10

[DeviceB_cnt1-GigabitEthernet1/0/1.10] ip address 2.1.10.1 255.255.255.0

[DeviceB_cnt1-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[DeviceB_cnt1-GigabitEthernet1/0/1.10] quit

[DeviceB_cnt1] interface gigabitethernet1/0/2.10

[DeviceB_cnt1-GigabitEthernet1/0/2.10] ip address 10.1.10.1 255.255.255.0

[DeviceB_cnt1-GigabitEthernet1/0/2.10] vlan-type dot1q vid 10

[DeviceB_cnt1-GigabitEthernet1/0/2.10] quit

  (3) Assign the interfaces to security zones

# Assign the interfaces to the corresponding security zones according to the network plan, as follows.

[DeviceB_cnt1] security-zone name untrust

[DeviceB_cnt1-security-zone-Untrust] import interface gigabitethernet 1/0/1.10

[DeviceB_cnt1-security-zone-Untrust] quit

[DeviceB_cnt1] security-zone name trust

[DeviceB_cnt1-security-zone-Trust] import interface gigabitethernet 1/0/2.10

[DeviceB_cnt1-security-zone-Trust] quit

  (4) Configure OSPF to ensure route reachability

[DeviceB_cnt1] ospf 1 router-id 2.1.10.1

[DeviceB_cnt1-ospf-1] area 0.0.0.0

[DeviceB_cnt1-ospf-1-area-0.0.0.0] network 2.1.10.0 0.0.0.255

[DeviceB_cnt1-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255

[DeviceB_cnt1-ospf-1-area-0.0.0.0] quit

  2. Configure non-default Context cnt2

  (1) Create non-default Context cnt2

# Assign the Context to the default security engine group.

<DeviceB> system-view

[DeviceB] context cnt2

[DeviceB-context-3-cnt2] location blade-controller-team 1

[DeviceB-context-3-cnt2] allocate interface gigabitethernet 1/0/1 share

[DeviceB-context-3-cnt2] allocate interface gigabitethernet 1/0/2 share

[DeviceB-context-3-cnt2] context start

[DeviceB-context-3-cnt2] quit

  (2) Configure interface IP addresses in non-default Context cnt2

# Configure IPv4 addresses on the service interfaces according to the network plan. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable Dot1q termination on the subinterfaces to forward traffic between VLANs. The configuration is as follows.

[DeviceB] switchto context cnt2

<DeviceB> system-view

[DeviceB] sysname DeviceB_cnt2

[DeviceB_cnt2] interface gigabitethernet1/0/1.20

[DeviceB_cnt2-GigabitEthernet1/0/1.20] ip address 2.1.12.1 255.255.255.0

[DeviceB_cnt2-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[DeviceB_cnt2-GigabitEthernet1/0/1.20] quit

[DeviceB_cnt2] interface gigabitethernet1/0/2.20

[DeviceB_cnt2-GigabitEthernet1/0/2.20] ip address 10.1.12.1 255.255.255.0

[DeviceB_cnt2-GigabitEthernet1/0/2.20] vlan-type dot1q vid 20

[DeviceB_cnt2-GigabitEthernet1/0/2.20] quit

  (3) Assign the interfaces to security zones

# Assign the interfaces to the corresponding security zones according to the network plan, as follows.

[DeviceB_cnt2] security-zone name untrust

[DeviceB_cnt2-security-zone-Untrust] import interface gigabitethernet 1/0/1.20

[DeviceB_cnt2-security-zone-Untrust] quit

[DeviceB_cnt2] security-zone name trust

[DeviceB_cnt2-security-zone-Trust] import interface gigabitethernet 1/0/2.20

[DeviceB_cnt2-security-zone-Trust] quit

  (4) Configure OSPF to ensure route reachability

[DeviceB_cnt2] ospf 2 router-id 2.1.12.1

[DeviceB_cnt2-ospf-2] area 0.0.0.0

[DeviceB_cnt2-ospf-2-area-0.0.0.0] network 2.1.12.0 0.0.0.255

[DeviceB_cnt2-ospf-2-area-0.0.0.0] network 10.1.12.0 0.0.0.255

[DeviceB_cnt2-ospf-2-area-0.0.0.0] quit

  3. Configure hot standby

# Configure the IP address of the RBM channel interface.

[DeviceB] interface gigabitethernet 1/0/6

[DeviceB-GigabitEthernet1/0/6] ip address 10.2.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/6] quit

# Configure Track entries to monitor interface status.

[DeviceB] track 1 interface gigabitethernet 1/0/1

[DeviceB-track-1] quit

[DeviceB] track 2 interface gigabitethernet 1/0/2

[DeviceB-track-2] quit

# Deploy the two Devices as a hot-standby pair, with Device A as the primary and Device B as the secondary. When Device A or one of its links fails, Device B takes over from Device A so that services are not interrupted.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/6

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] delay-time 1

# Enable the hot-standby feature that adjusts the cost of the OSPF dynamic routing protocol on the secondary device, and advertise the cost in absolute mode with an absolute value of 6000.

RBM_S[DeviceB-remote-backup-group] adjust-cost ospf enable absolute 6000

# Associate hot standby with Track entries 1 and 2.

RBM_S[DeviceB-remote-backup-group] track 1

RBM_S[DeviceB-remote-backup-group] track 2

RBM_S[DeviceB-remote-backup-group] quit

Verifying the configuration

Device A

# After the configuration is complete, use the following display command to verify that hot standby has taken effect and the RBM channel has been established.

RBM_P<DeviceA> display remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device management role: Primary

  Device running status: Active

  Data channel interface: GigE1/0/6

  Local IP: 10.2.1.1

  Remote IP: 10.2.1.2    Destination port: 60064

  Control channel status: Connected

  Keepalive interval: 1s

  Keepalive count: 10

  Configuration consistency check interval: 12 hour

  Configuration consistency check result: Not Performed

  Configuration backup status: Auto sync enabled

  Session backup status: Hot backup enabled

  Delay-time: 1 min

  Uptime since last switchover: 0 days, 0 hours, 58 minutes

  Switchover records:

    Time                  Status change        Cause

    2022-11-06 15:12:01   Initial to Active    Interface status changed

  1. Device A Context cnt1

# After the configuration is complete, view the OSPF interface information of Device A Context cnt1. The cost of Device A Context cnt1 is lower than that of Device B Context cnt1, so upstream and downstream traffic is forwarded through Context cnt1 of Device A.

RBM_P<DeviceA_cnt1> display ospf interface

 

 

          OSPF Process 1 with Router ID 2.1.1.1

                  Interfaces

 

 Area: 0.0.0.0

 IP Address      Type      State    Cost  Pri   DR              BDR

 2.1.1.1         Broadcast BDR      1     1     2.1.1.2         2.1.1.1

 10.1.1.1        Broadcast BDR      1     1     10.1.1.2        10.1.1.1

  2. Device A Context cnt2

# After the configuration is complete, view the OSPF interface information of Device A Context cnt2. The cost of Device A Context cnt2 is lower than that of Device B Context cnt2, so upstream and downstream traffic is forwarded through Context cnt2 of Device A.

RBM_P<DeviceA_cnt2> display ospf interface

 

 

          OSPF Process 1 with Router ID 2.1.2.1

                  Interfaces

 

 Area: 0.0.0.0

 IP Address      Type      State    Cost  Pri   DR              BDR

 2.1.2.1         Broadcast DR       1     1     2.1.2.1         2.1.2.2

 10.1.2.1        Broadcast DR       1     1     10.1.2.1        10.1.2.2

Device B

# After the configuration is complete, use the following display command to verify that hot standby has taken effect and the RBM channel has been established.

RBM_S<DeviceB> display remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device management role: Secondary

  Device running status: Standby

  Data channel interface: GigE1/0/6

  Local IP: 10.2.1.2

  Remote IP: 10.2.1.1    Destination port: 60064

  Control channel status: Connected

  Keepalive interval: 1s

  Keepalive count: 10

  Configuration consistency check interval: 12 hour

  Configuration consistency check result: Not Performed

  Configuration backup status: Auto sync enabled

  Session backup status: Hot backup enabled

  Delay-time: 1 min

  Uptime since last switchover: 0 days, 1 hours, 2 minutes

  Switchover records:

    Time                  Status change        Cause

    2022-11-06 13:48:26   Initial to Standby   Interface status changed
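The two status outputs above are what an operator reads by eye. The following Python script is an added example, not part of the H3C guide, that parses them and checks the pair state automatically: one Primary/Active and one Secondary/Standby member, mirrored Local/Remote IP, control channel Connected, and hot backup and auto-sync enabled. It also flags both members reporting Active (a dual-active state that would put two gateways on the same segments) and warns that the configuration consistency check has not run yet (`Not Performed`, as in the outputs above). The status text is constructed from the page's outputs with the switchover records omitted; the function names are my own.

```python
import re

# Constructed from the two "display remote-backup-group status" outputs above
# (switchover records omitted; the checks below do not use them).
STATUS_DEVICE_A = """\
Remote backup group information:
  Backup mode: Active/standby
  Device management role: Primary
  Device running status: Active
  Data channel interface: GigE1/0/6
  Local IP: 10.2.1.1
  Remote IP: 10.2.1.2    Destination port: 60064
  Control channel status: Connected
  Keepalive interval: 1s
  Keepalive count: 10
  Configuration consistency check interval: 12 hour
  Configuration consistency check result: Not Performed
  Configuration backup status: Auto sync enabled
  Session backup status: Hot backup enabled
  Delay-time: 1 min
"""

STATUS_DEVICE_B = """\
Remote backup group information:
  Backup mode: Active/standby
  Device management role: Secondary
  Device running status: Standby
  Data channel interface: GigE1/0/6
  Local IP: 10.2.1.2
  Remote IP: 10.2.1.1    Destination port: 60064
  Control channel status: Connected
  Keepalive interval: 1s
  Keepalive count: 10
  Configuration consistency check interval: 12 hour
  Configuration consistency check result: Not Performed
  Configuration backup status: Auto sync enabled
  Session backup status: Hot backup enabled
  Delay-time: 1 min
"""


def parse_status(text):
    """Map 'Key: value' lines to a dict; one line may carry two pairs separated by wide spacing."""
    fields = {}
    for raw in text.splitlines():
        for part in re.split(r"\s{2,}", raw.strip()):
            if ": " in part:
                key, value = part.split(": ", 1)
                fields[key.strip()] = value.strip()
    return fields


def check_pair(primary_text, secondary_text):
    """Return (errors, warnings) for an RBM pair; any error means the pair is not healthy."""
    a, b = parse_status(primary_text), parse_status(secondary_text)
    errors, warnings = [], []
    expected = {
        "Device management role": ("Primary", "Secondary"),
        "Device running status": ("Active", "Standby"),
    }
    for key, (want_a, want_b) in expected.items():
        if a.get(key) != want_a:
            errors.append(f"primary {key}: {a.get(key)!r}, expected {want_a!r}")
        if b.get(key) != want_b:
            errors.append(f"secondary {key}: {b.get(key)!r}, expected {want_b!r}")
    # Both members Active at once is the dual-active case an operator must catch.
    if a.get("Device running status") == b.get("Device running status") == "Active":
        errors.append("both devices report Active: possible dual-active state")
    if (a.get("Local IP"), a.get("Remote IP")) != (b.get("Remote IP"), b.get("Local IP")):
        errors.append("RBM channel addresses are not mirrored between the devices")
    for name, fields in (("primary", a), ("secondary", b)):
        if fields.get("Control channel status") != "Connected":
            errors.append(f"{name}: control channel not connected")
        if fields.get("Session backup status") != "Hot backup enabled":
            errors.append(f"{name}: hot backup is not enabled")
        if fields.get("Configuration backup status") != "Auto sync enabled":
            errors.append(f"{name}: configuration auto-sync is not enabled")
        if fields.get("Configuration consistency check result") == "Not Performed":
            warnings.append(f"{name}: configuration consistency check has not run yet")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(STATUS_DEVICE_A, STATUS_DEVICE_B)
    print("pair healthy" if not errs else "\n".join(errs))
    print("\n".join(warns))
```

Run against the page's outputs the script reports a healthy pair with two warnings, one per member, because the 12-hour consistency check has not yet run; with the secondary's running status changed to Active it reports the dual-active condition.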

  1. Device B Context cnt1

# After the configuration is complete, view the OSPF interface information of Device B Context cnt1. The cost of Device A Context cnt1 is lower than that of Device B Context cnt1, so upstream and downstream traffic is not forwarded through Device B Context cnt1.

RBM_S<DeviceB_cnt1> display ospf interface

 

 

          OSPF Process 1 with Router ID 2.1.10.1

                  Interfaces

 

 Area: 0.0.0.0

 IP Address      Type      State    Cost  Pri   DR              BDR

 2.1.10.1        Broadcast DR       6000  1     2.1.10.1        2.1.10.2

 10.1.10.1       Broadcast BDR      6000  1     10.1.10.2       10.1.10.1

  2. Device B Context cnt2

# After the configuration is complete, view the OSPF interface information of Device B Context cnt2. The cost of Device A Context cnt2 is lower than that of Device B Context cnt2, so upstream and downstream traffic is not forwarded through Device B Context cnt2.

RBM_S<DeviceB_cnt2> display ospf interface

 

 

          OSPF Process 1 with Router ID 2.1.12.1

                  Interfaces

 

 Area: 0.0.0.0

 IP Address      Type      State    Cost  Pri   DR              BDR

 2.1.12.1        Broadcast DR       6000  1     2.1.12.1        2.1.12.2       

 10.1.12.1       Broadcast BDR      6000  1     10.1.12.2       10.1.12.1

Simulating a primary device failure

  1. Simulate a failure of Device A Context cnt1

# With the devices running normally, shut down an interface on the primary management device. The primary device switches the services to the peer over the RBM channel, so the services are not interrupted. The session information on Device B Context cnt1:

RBM_S<DeviceB_cnt1> display session table ipv4 source-ip 20.1.1.100 verbose

Slot 1:

Initiator:

  Source      IP/port: 20.1.1.100/5154

  Destination IP/port: 21.1.1.100/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/2.10

  Source security zone: Trust

Responder:

  Source      IP/port: 21.1.1.100/2048

  Destination IP/port: 20.1.1.100/5154

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/1.10

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 0

Rule name: trust-untrust

Start time: 2022-11-06 16:41:48  TTL: 29s

Initiator->Responder:           59 packets       4956 bytes

Responder->Initiator:           59 packets       4956 bytes

  2. Simulate a failure of Device A Context cnt2

# With the devices running normally, shut down an interface on the primary management device. The primary device switches the services to the peer over the RBM channel, so the services are not interrupted. The session information on Device B Context cnt2:

RBM_S<DeviceB_cnt2> display session table ipv4 source-ip 20.1.2.100 verbose

Slot 1:

Initiator:

  Source      IP/port: 20.1.2.100/5154

  Destination IP/port: 21.1.2.100/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/2.20

  Source security zone: Trust

Responder:

  Source      IP/port: 21.1.2.100/2048

  Destination IP/port: 20.1.2.100/5154

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/1.20

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 0

Rule name: trust-untrust

Start time: 2022-11-06 15:30:48  TTL: 30s

Initiator->Responder:           59 packets       5556 bytes

Responder->Initiator:           59 packets       5556 bytes
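The session entries above are the evidence that hot backup worked: when the primary's interface goes down, the standby already holds the client's session, with the rule it matched and packet counts in both directions. The following Python script is an added example, not part of the H3C guide, that parses a verbose session entry and checks it against what a failover test expects, so the check can be scripted instead of read by eye. The session text is constructed from the Device B Context cnt1 output above; the function names and the expected values passed to them are my own.

```python
import re

# Constructed from the "display session table ipv4 ... verbose" output captured
# on Device B Context cnt1 above, after the primary's interface was shut down.
SESSION_CNT1 = """\
Slot 1:
Initiator:
  Source      IP/port: 20.1.1.100/5154
  Destination IP/port: 21.1.1.100/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigE1/0/2.10
  Source security zone: Trust
Responder:
  Source      IP/port: 21.1.1.100/2048
  Destination IP/port: 20.1.1.100/5154
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigE1/0/1.10
  Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: trust-untrust
Start time: 2022-11-06 16:41:48  TTL: 29s
Initiator->Responder:           59 packets       4956 bytes
Responder->Initiator:           59 packets       4956 bytes
"""


def parse_session(text):
    """Parse one verbose session entry into a dict with 'Initiator'/'Responder' sub-dicts."""
    info = {"Initiator": {}, "Responder": {}}
    section = None
    for raw in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(.*)$", raw)
        if not m:                                   # "Slot 1:", "Initiator:", "Responder:"
            head = raw.strip().rstrip(":")
            section = head if head in info else None
            continue
        if not raw.startswith(" "):                 # an unindented line closes the section
            section = None
        target = info[section] if section else info
        key = re.sub(r"\s+", " ", m.group(1))       # "Source      IP/port" -> "Source IP/port"
        parts = re.split(r"\s{2,}", m.group(2).strip())
        target[key] = parts[0]
        for extra in parts[1:]:                     # "Start time: ...  TTL: 29s" holds two fields
            if ": " in extra:
                k, v = extra.split(": ", 1)
                target[k] = v
            else:                                   # "59 packets       4956 bytes"
                target[key] += " " + extra
    return info


def check_failover_session(text, client, server, trust_if, untrust_if, rule):
    """Return the mismatches between the synchronized session and a failover test's expectations.

    An empty list means the standby holds the client's session with the expected
    interfaces, zones and matching rule, and has counted packets in both
    directions, i.e. the session was backed up rather than rebuilt after the switch.
    """
    s = parse_session(text)
    init, resp = s["Initiator"], s["Responder"]
    problems = []
    if not init.get("Source IP/port", "").startswith(client + "/"):
        problems.append(f"initiator is {init.get('Source IP/port')}, expected {client}")
    if not resp.get("Source IP/port", "").startswith(server + "/"):
        problems.append(f"responder is {resp.get('Source IP/port')}, expected {server}")
    if init.get("Inbound interface") != trust_if or init.get("Source security zone") != "Trust":
        problems.append("initiator did not enter through the trust interface")
    if resp.get("Inbound interface") != untrust_if or resp.get("Source security zone") != "Untrust":
        problems.append("responder did not enter through the untrust interface")
    if s.get("Rule name") != rule:
        problems.append(f"session matched rule {s.get('Rule name')!r}, expected {rule!r}")
    # For the ICMP echo test on the page, both directions should carry the same packet count.
    counts = [s.get(k, "").split()[:1] for k in ("Initiator->Responder", "Responder->Initiator")]
    if not counts[0] or counts[0] != counts[1]:
        problems.append(f"packet counts are not symmetric: {counts}")
    return problems


if __name__ == "__main__":
    issues = check_failover_session(SESSION_CNT1, "20.1.1.100", "21.1.1.100",
                                    "GigE1/0/2.10", "GigE1/0/1.10", "trust-untrust")
    print(issues or "session survived the switchover as expected")
```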

Configuration files

Router A:

#

interface GigabitEthernet1/0/1.10

 port link-mode route

 ip address 2.1.1.2 255.255.255.0

 vlan-type dot1q vid 10

#

interface GigabitEthernet1/0/2.10

 port link-mode route

 ip address 2.1.10.2 255.255.255.0

 vlan-type dot1q vid 10

#

interface GigabitEthernet1/0/1.20

 port link-mode route

 ip address 2.1.2.2 255.255.255.0

 vlan-type dot1q vid 20

#

interface GigabitEthernet1/0/2.20

 port link-mode route

 ip address 2.1.12.2 255.255.255.0

 vlan-type dot1q vid 20

#

interface GigabitEthernet1/0/13

 port link-mode route

 ip address 21.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/14

 port link-mode route

 ip address 21.1.2.1 255.255.255.0

#

ospf 1 router-id 2.1.1.2

 import-route static

 area 0.0.0.0

  network 2.1.1.0 0.0.0.255

  network 2.1.2.0 0.0.0.255

  network 2.1.10.0 0.0.0.255

  network 2.1.12.0 0.0.0.255

  network 21.1.1.0 0.0.0.255

  network 21.1.2.0 0.0.0.255

#

 ip route-static 30.1.1.0 24 21.1.1.15

 ip route-static 30.1.2.0 24 21.1.2.15

#

Router B:

#

interface GigabitEthernet1/0/1.10

 port link-mode route

 ip address 10.1.1.2 255.255.255.0

 vlan-type dot1q vid 10

#

interface GigabitEthernet1/0/2.10

 port link-mode route

 ip address 10.1.10.2 255.255.255.0

 vlan-type dot1q vid 10

#

interface GigabitEthernet1/0/13

 port link-mode route

 ip address 20.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/1.20

 port link-mode route

 ip address 10.1.2.2 255.255.255.0

 vlan-type dot1q vid 20

#

interface GigabitEthernet1/0/2.20

 port link-mode route

 ip address 10.1.12.2 255.255.255.0

 vlan-type dot1q vid 20

#

interface GigabitEthernet1/0/14

 port link-mode route

 ip address 20.1.2.1 255.255.255.0

#

ospf 1 router-id 10.1.1.2

 area 0.0.0.0

  network 10.1.1.0 0.0.0.255

  network 10.1.10.0 0.0.0.255

  network 20.1.1.0 0.0.0.255

#

ospf 2 router-id 10.1.2.2

 area 0.0.0.0

  network 10.1.2.0 0.0.0.255

  network 10.1.12.0 0.0.0.255

  network 20.1.2.0 0.0.0.255

#

Device A:

#

context cnt1 id 2

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

context cnt2 id 3

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

track 1 interface GigabitEthernet1/0/1

#

track 2 interface GigabitEthernet1/0/2

#

interface GigabitEthernet1/0/6

 port link-mode route

 ip address 10.2.1.1 255.255.255.0

#

remote-backup group

 data-channel interface GigabitEthernet1/0/6

 configuration sync-check interval 12

 delay-time 1

 adjust-cost ospf enable absolute 6000

 track 1

 track 2

 local-ip 10.2.1.1

 remote-ip 10.2.1.2

 device-role primary

#

Device A Context cnt1:

#

ospf 1 router-id 2.1.1.1

 area 0.0.0.0

  network 2.1.1.0 0.0.0.255

  network 10.1.1.0 0.0.0.255

#

interface GigabitEthernet1/0/1.10

 ip address 2.1.1.1 255.255.255.0

 vlan-type dot1q vid 10

#

interface GigabitEthernet1/0/2.10

 ip address 10.1.1.1 255.255.255.0

 vlan-type dot1q vid 10

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.10

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.10

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 20.1.1.0 255.255.255.0

 rule 1 name ospf1

  action pass

  source-zone trust

  destination-zone local

  service ospf

 rule 2 name ospf2

  action pass

  source-zone local

  destination-zone trust

  service ospf

 rule 3 name ospf3

  action pass

  source-zone untrust

  destination-zone local

  service ospf

 rule 4 name ospf4

  action pass

  source-zone local

  destination-zone untrust

  service ospf

#

Device A Context cnt2:

#

ospf 1 router-id 2.1.2.1

 area 0.0.0.0

  network 2.1.2.0 0.0.0.255

  network 10.1.2.0 0.0.0.255

#

interface GigabitEthernet1/0/1.20

 ip address 2.1.2.1 255.255.255.0

 vlan-type dot1q vid 20

#

interface GigabitEthernet1/0/2.20

 ip address 10.1.2.1 255.255.255.0

 vlan-type dot1q vid 20

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.20

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.20

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 20.1.2.0 255.255.255.0

 rule 1 name ospf1

  action pass

  source-zone trust

  destination-zone local

  service ospf

 rule 2 name ospf2

  action pass

  source-zone local

  destination-zone trust

  service ospf

 rule 3 name ospf3

  action pass

  source-zone untrust

  destination-zone local

  service ospf

 rule 4 name ospf4

  action pass

  source-zone local

  destination-zone untrust

  service ospf

#

Device B:

#

context cnt1 id 2

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

context cnt2 id 3

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

track 1 interface GigabitEthernet1/0/1

#

track 2 interface GigabitEthernet1/0/2

#

interface GigabitEthernet1/0/6

 port link-mode route

 ip address 10.2.1.2 255.255.255.0

#

remote-backup group

 data-channel interface GigabitEthernet1/0/6

 configuration sync-check interval 12

 delay-time 1

 adjust-cost ospf enable absolute 6000

 track 1

 track 2

 local-ip 10.2.1.2

 remote-ip 10.2.1.1

 device-role secondary

#

Device B Context cnt1:

#

ospf 1 router-id 2.1.10.1

 area 0.0.0.0

  network 2.1.10.0 0.0.0.255

  network 10.1.10.0 0.0.0.255

#

interface GigabitEthernet1/0/1.10

 ip address 2.1.10.1 255.255.255.0

 vlan-type dot1q vid 10

#

interface GigabitEthernet1/0/2.10

 ip address 10.1.10.1 255.255.255.0

 vlan-type dot1q vid 10

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.10

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.10

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 20.1.1.0 255.255.255.0

 rule 1 name ospf1

  action pass

  source-zone trust

  destination-zone local

  service ospf

 rule 2 name ospf2

  action pass

  source-zone local

  destination-zone trust

  service ospf

 rule 3 name ospf3

  action pass

  source-zone untrust

  destination-zone local

  service ospf

 rule 4 name ospf4

  action pass

  source-zone local

  destination-zone untrust

  service ospf

#

Device B Context cnt2:

#

ospf 1 router-id 2.1.12.1

 area 0.0.0.0

  network 2.1.12.0 0.0.0.255

  network 10.1.12.0 0.0.0.255

#

interface GigabitEthernet1/0/1.20

 ip address 2.1.12.1 255.255.255.0

 vlan-type dot1q vid 20

#

interface GigabitEthernet1/0/2.20

 ip address 10.1.12.1 255.255.255.0

 vlan-type dot1q vid 20

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.20

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.20

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 20.1.2.0 255.255.255.0

 rule 1 name ospf1

  action pass

  source-zone trust

  destination-zone local

  service ospf

 rule 2 name ospf2

  action pass

  source-zone local

  destination-zone trust

  service ospf

 rule 3 name ospf3

  action pass

  source-zone untrust

  destination-zone local

  service ospf

 rule 4 name ospf4

  action pass

  source-zone local

  destination-zone untrust

  service ospf

#
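The page requires the two members' hardware and software environments to match, has the security policies of each Context configured on the primary only and synchronized to the secondary, and sets a 12-hour configuration consistency check (`configuration sync-check interval 12`). The following Python script is an added example, not part of the H3C guide: it splits saved configuration files into `#`-delimited stanzas and checks the pairing invariants offline, i.e. RBM channel addresses mirrored, exactly one primary and one secondary, every other remote-backup group and Track setting identical, and the security-zone and security-policy stanzas of a Context identical on both members while interface addresses are allowed to differ. The configuration text is constructed from the files above and trimmed to the relevant stanzas; the function names are my own.

```python
import re

# Constructed from the configuration files above, trimmed to the stanzas the
# checks below read. Root (default Context) configuration of Device A:
ROOT_A = """\
#
track 1 interface GigabitEthernet1/0/1
#
track 2 interface GigabitEthernet1/0/2
#
remote-backup group
 data-channel interface GigabitEthernet1/0/6
 configuration sync-check interval 12
 delay-time 1
 adjust-cost ospf enable absolute 6000
 track 1
 track 2
 local-ip 10.2.1.1
 remote-ip 10.2.1.2
 device-role primary
#
"""
# Device B's root configuration differs only in the three mirrored settings.
ROOT_B = (ROOT_A.replace("local-ip 10.2.1.1", "local-ip 10.2.1.2")
                .replace("remote-ip 10.2.1.2", "remote-ip 10.2.1.1")
                .replace("device-role primary", "device-role secondary"))

# Context cnt1 on Device A; on Device B only the interface address differs.
CNT1_A = """\
#
interface GigabitEthernet1/0/2.10
 ip address 10.1.1.1 255.255.255.0
#
security-zone name Trust
 import interface GigabitEthernet1/0/2.10
#
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 20.1.1.0 255.255.255.0
#
"""
CNT1_B = CNT1_A.replace("ip address 10.1.1.1", "ip address 10.1.10.1")

MIRRORED = ("local-ip", "remote-ip", "device-role")     # expected to differ per member
SYNCED_PREFIXES = ("security-policy", "security-zone")  # auto-sync keeps these identical


def stanzas(text):
    """Split a config file on '#' separator lines; key each stanza by its first line."""
    out = {}
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [line.rstrip() for line in block.splitlines() if line.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out


def rbm_fields(lines):
    """Split a remote-backup group stanza into mirrored settings and the remaining lines."""
    mirrored, rest = {}, set()
    for line in (l.strip() for l in lines):
        key, _, value = line.partition(" ")
        if key in MIRRORED:
            mirrored[key] = value
        else:
            rest.add(line)
    return mirrored, rest


def check_rbm_pair(root_a, root_b):
    """Return the ways the two root configs fail to form a valid primary/secondary pair."""
    sa, sb = stanzas(root_a), stanzas(root_b)
    ma, ra = rbm_fields(sa.get("remote-backup group", []))
    mb, rb = rbm_fields(sb.get("remote-backup group", []))
    problems = []
    if (ma.get("local-ip"), ma.get("remote-ip")) != (mb.get("remote-ip"), mb.get("local-ip")):
        problems.append("local-ip/remote-ip are not mirrored between the members")
    if {ma.get("device-role"), mb.get("device-role")} != {"primary", "secondary"}:
        problems.append(f"device roles are {ma.get('device-role')}/{mb.get('device-role')}")
    for line in sorted(ra ^ rb):                    # settings present on one member only
        problems.append(f"remote-backup group setting differs: {line}")
    for name in sorted(k for k in set(sa) | set(sb) if k.startswith("track ")):
        if sa.get(name) != sb.get(name):
            problems.append(f"{name!r} differs or is missing on one member")
    return problems


def check_synced_stanzas(ctx_a, ctx_b):
    """Report Context stanzas that auto-sync should keep identical but that differ."""
    sa, sb = stanzas(ctx_a), stanzas(ctx_b)
    return [f"{name}: not identical on both members"
            for name in sorted(set(sa) | set(sb))
            if name.startswith(SYNCED_PREFIXES) and sa.get(name) != sb.get(name)]


if __name__ == "__main__":
    print(check_rbm_pair(ROOT_A, ROOT_B) or "root configs pair up correctly")
    print(check_synced_stanzas(CNT1_A, CNT1_B) or "cnt1 synced stanzas match")
```

Running the check from saved configuration files catches drift between the 12-hour on-device consistency checks, for example a rule edited on the secondary by hand or a different `adjust-cost` value, which would change which member the routers prefer.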