Best Practices (V7)
Copyright © 2023 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form by any entity or individual without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any other trademarks, product identifiers, and trade names appearing in this manual are the property of their respective owners.
The information in this document is subject to change without notice.
A SecBlade card is a single-board security product (firewall, IPS, ADE, and other types of security cards) that installs in H3C switches and routers and provides attack detection, anti-virus, content filtering, content identification, URL filtering, attack defense, and other security functions to a switch or router that has none of its own. The SecBlade card exchanges data with its host device through the board's internal Ethernet interfaces (hereinafter "inline ports"). A SecBlade card is managed through the console port or the management Ethernet port on its front panel; the device hosting the card cannot manage it, because the two are logically independent devices.
The following figure shows a SecBlade card deployed in a switch or router.
Figure 1-1 SecBlade card deployment
The following figure shows the traffic path when a SecBlade card provides security functions for an existing network.
Figure 1-2 Service traffic path of a SecBlade card deployment
Hardware installation is described using the LSQM2FWDSC0 card as an example. This card integrates firewall, VPN, content filtering, content identification, URL filtering, and NAT functions. Installing an LSQM2FWDSC0 card in a switch improves the switch's security protection without changing the network topology and gives users comprehensive, reliable protection. The LSQM2FWDSC0 card provides one console port, two USB ports, two pairs of GE combo ports, four 10GBASE-R fiber ports, and one hard disk slot.
Figure 1-3 LSQM2FWDSC0 front panel
(1) Captive screw
(2) Ejector lever
(3) Hard disk slot
(4) 10GBASE-R fiber port
(5) 10GBASE-R fiber port LED
(6) Console port (CONSOLE)
(7) USB port
(8) Hard disk LED (HD)
(9) System status LED (SYS)
(10) Combo copper port (10/100/1000BASE-T)
(11) Combo copper port LED (LINK/ACT)
(12) Combo fiber port (1000BASE-X)
(13) Combo fiber port LED (LINK/ACT)
Install the LSQM2FWDSC0 card as follows:
· Wear an ESD wrist strap and make sure it is properly grounded.
· Facing the front panel of the device, remove the filler panel from the target service slot.
· Hold the LSQM2FWDSC0 card horizontally with the component side up, open the ejector levers, and slide the card steadily into the slot along the guide rails.
· Close the ejector levers inward so that the card seats firmly against the backplane.
· Use a Phillips screwdriver to tighten the captive screws on the card clockwise.
The device ships with the management Ethernet port IP address preset to 192.168.0.1/24 and with default Web login credentials, so users can log in to the Web interface directly with these defaults. The default Web login information is listed in the following table.
| Login item | Default setting |
| Username | admin |
| Password | admin |
| Management Ethernet port IP address | 192.168.0.1/24 |
· Connect the device and the PC:
Connect the PC to the management Ethernet port of the device with an Ethernet cable.
· Configure an IP address on the PC so that it can reach the device:
Set the PC's IP address to any address in the 192.168.0.0/24 subnet other than 192.168.0.1, for example 192.168.0.2.
· Start a browser and enter the login information:
Start a browser on the PC, enter the IP address "192.168.0.1" in the address bar, and press Enter to open the device's Web login page. Enter the default username and password and click <Login>.
· When logging in to the Web interface for the first time, users can use the default account or create a new Web login account from the CLI.
· After logging in with the default account, to keep the device secure, it is recommended that you immediately change the default password, or create a new administrator account and delete the default account.
To set up a local configuration environment through the console port, use a terminal emulation program such as HyperTerminal or PuTTY to connect to the device. These programs can connect to network devices and to Telnet or SSH hosts; see the program's own user guide for details.
For the first login, users can log in through the console port. The default authentication mode is scheme (username and password admin).
After opening the terminal emulation program, set the terminal parameters as follows:
· Baud rate: 9600
· Data bits: 8
· Stop bits: 1
· Parity: none
· Flow control: none
To log in through Telnet:
· Connect to the device through the console port and run the telnet server enable command in system view to enable Telnet.
· In VTY user line view, configure the authentication mode, user role, and common attributes. By default, the authentication mode is scheme, the username is admin, and the password is admin.
· The management Ethernet port IP address is preset to 192.168.0.1/24 at the factory. Configure the IP address of the PC's network port so that the device and the PC have a route to each other.
· Run a Telnet client on the PC and enter the default login information to log in to the device.
For details about logging in to the device, see the configuration guides and command references for the device.
Deploying a SecBlade card involves the following technologies:
· VLAN: A VLAN (Virtual Local Area Network) divides a physical LAN into multiple logical LANs (VLANs). Hosts in the same VLAN can communicate with each other directly; hosts in different VLANs cannot.
· Cross-VLAN bridge forwarding: a data link layer technique for communication between different VLANs, giving two different VLANs Layer 2 connectivity.
· QoS traffic redirection: a technique that redirects traffic matching a traffic class to another location for processing; the traffic to be redirected is chosen flexibly by defining different traffic classes.
· VPN: A VPN instance is also called a VRF (Virtual Routing and Forwarding) instance. Route isolation between VPNs is implemented by VPN instances (VPN-instance). Each VPN instance has its own routing table and LFIB (Label Forwarding Information Base), which keeps VPN data independent and secure.
· Policy-based routing (PBR): a technique that forwards packets according to user-defined policies. For packets that meet certain conditions (ACL rules, packet length, and so on), PBR applies the specified actions (setting the next hop, output interface, SRv6 TE policy, default next hop, default output interface, default SRv6 TE policy, and so on).
· Mirroring: port mirroring copies the packets of a specified port, VLAN, or CPU to a port connected to a data monitoring device, so that the monitoring device can analyze the copied packets for network monitoring and troubleshooting.
· Hot backup (RBM): a device-level high availability (HA) technique based on the proprietary RBM (Remote Backup Management) protocol. It provides a fallback when a communication link or a device fails: when one network node fails, the other node takes over its work.
For a SecBlade card to provide security functions, service traffic must first be steered into the card so that the switch/router and the card have data connectivity. The switch/router supports the following traffic steering methods:
· PBR steering: The uplink and downlink interfaces of the switch/router work at Layer 3, and PBR sets the next hop of packets to the SecBlade card, steering uplink and downlink traffic into the card.
· VRF isolation with Layer 3 steering: The uplink and downlink interfaces of the switch/router work at Layer 3 and are placed in different VRFs; each steering port is placed in the same VRF as its service port, and static routes set the next hop of packets to the SecBlade card, steering uplink and downlink traffic into the card.
· QoS policy steering: The uplink and downlink interfaces of the switch/router work at Layer 2 in the same VLAN, and a QoS policy redirects traffic to the SecBlade card, steering uplink and downlink traffic into the card.
· VLAN isolation with Layer 2 steering: The uplink and downlink interfaces of the switch/router work at Layer 2 in different VLANs; each steering port is placed in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the card.
· Port mirroring steering: The uplink and downlink interfaces of the switch/router can work at Layer 2 or Layer 3 (their type must match that of the mirroring interface), and port mirroring on the switch/router copies uplink and downlink traffic to the SecBlade card.
After processing security services on a received packet, the SecBlade card must either reinject it into the switch/router or drop it; how the packet is handled depends on the card's working mode. The SecBlade card supports the following working modes:
· Route mode: The card's service ports work at Layer 3 and packets are forwarded by routing table lookup.
· Transparent mode: The card's service ports work at Layer 2 and packets are forwarded by MAC address table lookup.
· Cross-VLAN bridge mode: The card's service ports work at Layer 2, packets are forwarded by MAC address table lookup, and the cross-VLAN bridge translates the VLAN of uplink and downlink packets.
· Blackhole mode: The card's service ports work at Layer 2 or Layer 3, and packets are dropped after security processing.
One or two SecBlade cards can be deployed. Depending on the number of cards and how they are deployed, the following backup modes are available:
· Standalone deployment: One card is deployed, with no backup.
· Active/standby deployment: Two cards are deployed; the active card processes services and the standby card is a backup. If the active card's link or the whole card fails, the standby card takes over so that services are not interrupted.
· Dual-active deployment: Two cards are deployed and both process services. If one card's link or the whole card fails, the other card takes over so that services are not interrupted.
Depending on the SecBlade card's working mode and backup mode and on the switch or router's traffic steering method, the following typical deployment plans are available. Choose one according to the actual situation.
Table 1-1 SecBlade card deployment plans
| SecBlade card deployment plan | Switch/router steering method | SecBlade card working mode | SecBlade card backup mode |
| One-arm deployment with Layer 3 steering | PBR steering | Route mode | Standalone |
| Layer 3 inline deployment (VRF isolation) | VRF isolation, Layer 3 steering | Route mode | Standalone |
| Layer 3 inline deployment (VLAN isolation) | VLAN isolation, Layer 2 steering | Route mode | Standalone |
| One-arm deployment with Layer 2 steering | QoS policy steering | Transparent mode | Standalone |
| Transparent inline deployment | VLAN isolation, Layer 2 steering | Cross-VLAN bridge mode | Standalone |
| One-arm deployment with mirroring steering | Port mirroring steering | Blackhole mode | Standalone |
| One-arm active/standby deployment with Layer 3 steering | PBR steering | Route mode | Active/standby |
| Layer 3 inline active/standby deployment (VRF isolation) | VRF isolation, Layer 3 steering | Route mode | Active/standby |
| Layer 3 inline active/standby deployment (VLAN isolation) | VLAN isolation, Layer 2 steering | Route mode | Active/standby |
| One-arm active/standby deployment with Layer 2 steering | QoS policy steering | Transparent mode | Active/standby |
| Transparent inline active/standby deployment | VLAN isolation, Layer 2 steering | Cross-VLAN bridge mode | Active/standby |
| One-arm dual-active deployment with Layer 3 steering | PBR steering | Route mode | Dual-active |
| Layer 3 inline dual-active deployment (VRF isolation) | VRF isolation, Layer 3 steering | Route mode | Dual-active |
| Layer 3 inline dual-active deployment (VLAN isolation) | VLAN isolation, Layer 2 steering | Route mode | Dual-active |
| One-arm dual-active deployment with Layer 2 steering | QoS policy steering | Transparent mode | Dual-active |
| Transparent inline dual-active deployment | VLAN isolation, Layer 2 steering | Cross-VLAN bridge mode | Dual-active |
| SecBlade card active/standby deployment in an M-LAG environment | PBR steering | Route mode | Active/standby |
| SecBlade card dual-active deployment in an M-LAG environment | PBR steering | Route mode | Dual-active |
· For a SecBlade card with three inline ports, active/standby or dual-active deployment uses an inline port as the RBM HA channel.
· For a SecBlade card with two inline ports, active/standby or dual-active deployment uses a front-panel port as the RBM HA channel.
· A SecBlade card with one inline port needs subinterfaces for Layer 3 deployment; in Layer 2 deployment it does not support one-arm deployment with Layer 2 steering, and it supports neither active/standby nor dual-active deployment.
Inline port support differs between SecBlade card models; choose a model according to the actual situation.
Table 1-2 SecBlade card inline port specifications
| BOM code | Product model | Inline port support |
| 0231A2QL | LSU3FWCEA0 | 4*10GE |
| 0231A4BM | LSUM1FWCEAB0 | 4*10GE |
| 0231A2QM | LSU1NSCEA0 | 4*10GE |
| 0231A2RU | LSX1FWCEA1 | 4*10GE |
| 0231A2RV | LSX1NSCEA1 | 4*10GE |
| 0231A4NQ | LSUM1FWDEC0 | 3*40GE |
| 0231A4PU | LSQM1FWDSC0 | 1*40GE |
| 0231A6PV | LSQM2FWDSC0 | 4*10GE |
| 0231AC7J | LSQM2FWDSC8 | 4*10GE |
| 0231A5XH | LSQM1IPSDSC0 | 1*40GE |
| 0231A5XK | LSQM2ACGDSC0 | 1*40GE |
| 0231A5XJ | LSQM1ADEDSC0 | 1*40GE |
| 0231A4NR | LSUM1NSDEC0 | 3*40GE |
| 0231A4PV | LSQM1NSDSC0 | 1*40GE |
| 0231A4ES | LSWM1FWD0 | 3*40GE |
| 0231A3MA | LSXM1FWDF1 | 3*40GE |
| 0231A4Q8 | LSXM1NSDF1 | 3*40GE |
| 0231A4F7 | LSPM6FWD | 2*10GE |
| 0231AC7K | LSPM6FWD8 | 2*10GE |
| 0231AH8J | LSPM6FWDB | 2*10GE |
| 0231A5KC | LSWM1IPSD0 | 3*40GE |
| 0231A5KB | LSWM1ADED0 | 3*40GE |
| 0231AK4W | LSCM1FWDSD0 | 1*40GE |
| 0231AK4X | LSCM2FWDSD0 | 4*10GE |
| 0231A5TY | IM-NGFWX-IV | 2*40GE |
| 0231A5XL | IM-IPSX-IV | 2*40GE |
| 0231A5XM | IM-ACGX-IV | 2*40GE |
| 0231A2FY | LSUM1ADECEA0 | 4*10GE |
One-arm deployment with Layer 3 steering is a Layer 3 SecBlade card deployment in which the router uses PBR steering and the SecBlade card works in route mode. It is generally used when the upstream and downstream networks are in different subnets and the existing network must not be changed.
As shown in the following figure, the SecBlade card is installed in slot 2 of the router, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the router is their gateway.
Figure 1-5 One-arm deployment with Layer 3 steering
How one-arm deployment with Layer 3 steering works:
· The router's uplink and downlink interfaces are in different subnets, and PBR sets the next hop of uplink and downlink traffic to the SecBlade card.
· The SecBlade card's interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· After receiving the traffic reinjected by the SecBlade card, the router forwards it at Layer 3 to the upstream and downstream devices.
Advantages and disadvantages of one-arm deployment with Layer 3 steering:
· Advantages: The SecBlade card can be deployed quickly without changing the existing network topology; only the services that need security functions are steered, while other traffic keeps its original path; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: The steering policy is complex and harder to maintain, and it cannot be used together with fast-forwarding load sharing.
Layer 3 inline deployment (VRF isolation) is a Layer 3 SecBlade card deployment in which the router isolates traffic with VRFs and steers it at Layer 3, and the SecBlade card works in route mode. It is generally used when the upstream and downstream networks are in different subnets and the existing network can be changed.
As shown in the following figure, the SecBlade card is installed in slot 2 of the router, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the router is their gateway.
Figure 1-6 Layer 3 inline deployment (VRF isolation)
How Layer 3 inline deployment (VRF isolation) works:
· The router's uplink and downlink interfaces work at Layer 3 in different VRFs, each steering port is in the same VRF as its service port, and static routes steer uplink and downlink traffic into the SecBlade card.
· The SecBlade card's interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· After receiving the traffic reinjected by the SecBlade card, the router forwards it at Layer 3 to the upstream and downstream devices.
Advantages and disadvantages of Layer 3 inline deployment (VRF isolation):
· Advantages: No complex PBR has to be configured and maintained; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: Additional network addresses must be planned, and the existing network topology must be changed.
Layer 3 inline deployment (VLAN isolation) is a Layer 3 SecBlade card deployment in which the switch divides traffic into VLANs and steers it at Layer 2, and the SecBlade card works in route mode. It is generally used when the upstream and downstream networks are in different subnets and different VLANs.
As shown in the following figure, the SecBlade card is installed in slot 2 of the switch, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the SecBlade card is their gateway.
Figure 1-7 Layer 3 inline deployment (VLAN isolation)
How Layer 3 inline deployment (VLAN isolation) works:
· The switch's uplink and downlink interfaces work at Layer 2 in different VLANs, each steering port is in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the SecBlade card.
· The SecBlade card's interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· After receiving the traffic reinjected by the SecBlade card, the switch forwards it at Layer 2 to the upstream and downstream devices.
Advantages and disadvantages of Layer 3 inline deployment (VLAN isolation):
· Advantages: No complex PBR has to be configured and maintained; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: Additional network addresses must be planned, and the existing network topology must be changed.
One-arm deployment with Layer 2 steering is a Layer 2 SecBlade card deployment in which the switch uses QoS policy steering and the SecBlade card works in transparent mode. It is generally used when the upstream and downstream networks are in the same subnet and the same VLAN and the existing network must not be changed.
As shown in the following figure, the SecBlade card is installed in slot 2 of the switch, and the traffic of VLAN 10 must be inspected. VLAN 10 is a single subnet.
Figure 1-8 One-arm deployment with Layer 2 steering
How one-arm deployment with Layer 2 steering works:
· The switch's uplink and downlink interfaces are in the same VLAN, and a QoS policy redirects traffic to the SecBlade card.
· The SecBlade card's interfaces work at Layer 2, and packets are forwarded by MAC address table lookup.
· After receiving the traffic reinjected by the SecBlade card, the switch redirects it to the upstream and downstream devices through a QoS policy.
Advantages and disadvantages of one-arm deployment with Layer 2 steering:
· Advantages: The SecBlade card can be deployed quickly without changing the existing network topology; only the services that need security processing are steered, while other traffic keeps its original path.
· Disadvantages: The steering policy is complex and harder to maintain; routing is not supported, and only a few security functions are supported.
Transparent inline deployment is a Layer 2 SecBlade card deployment in which the switch steers traffic by VLAN division and the SecBlade card works in cross-VLAN bridge mode. It is generally used when the upstream and downstream networks are in the same subnet but different VLANs.
As shown in the following figure, the SecBlade card is installed in slot 2 of the switch, and traffic between Host and the Internet must be inspected. The two networks are in the same subnet.
Figure 1-9 Transparent inline deployment
How transparent inline deployment works:
· The switch's uplink and downlink interfaces work at Layer 2 in different VLANs, each steering port is in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the SecBlade card.
· The SecBlade card's interfaces work at Layer 2, packets are forwarded by MAC address table lookup, and the cross-VLAN bridge translates the VLAN of uplink and downlink packets.
· After receiving the traffic reinjected by the SecBlade card, the switch forwards it at Layer 2 to the upstream and downstream devices.
Advantages and disadvantages of transparent inline deployment:
· Advantages: The configuration logic is simple, with no complex QoS steering policy; troubleshooting is simple; only the services that need security processing are steered, while other traffic keeps its original path.
· Disadvantages: Routing is not supported and only a few security functions are supported; the existing network topology must be changed; each service requires two VLANs, which halves the number of services that can be supported.
One-arm deployment with mirroring steering is a SecBlade card deployment supported at both Layer 2 and Layer 3, in which the switch uses port mirroring steering and the SecBlade card works in blackhole mode. It is generally used when uplink and downlink traffic only needs to be audited, not blocked.
As shown in the following figure, the SecBlade card is installed in slot 2 of the switch, and uplink and downlink traffic must be audited.
Figure 1-10 One-arm deployment with mirroring steering
How one-arm deployment with mirroring steering works:
· The router's uplink and downlink service path is unchanged; port mirroring copies the traffic to the SecBlade card.
· The SecBlade card's interfaces work at Layer 2 or Layer 3 (Layer 3 in this example), and packets are dropped after security processing.
Advantages and disadvantages of one-arm deployment with mirroring steering:
· Advantages: The SecBlade card can be deployed quickly without changing the existing network topology.
· Disadvantages: Suspicious traffic cannot be blocked, and only a few security functions are supported.
One-arm active/standby deployment with Layer 3 steering is a Layer 3 SecBlade card deployment in which the router uses PBR steering, the SecBlade cards work in route mode, and the backup mode is active/standby. It is generally used when the upstream and downstream networks are in different subnets and the existing network must not be changed.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the router, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the router is their gateway.
Figure 1-11 One-arm active/standby deployment with Layer 3 steering
How one-arm active/standby deployment with Layer 3 steering works:
· The router's uplink and downlink interfaces are in different subnets, and PBR sets the next hop of uplink and downlink traffic to the SecBlade card.
· The router uses VRRP to select the active SecBlade card for processing services.
· The SecBlade cards' interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· The SecBlade cards implement active/standby backup through RBM linked with VRRP.
· After receiving the traffic reinjected by the SecBlade card, the router forwards it at Layer 3 to the upstream and downstream devices.
Advantages and disadvantages of one-arm active/standby deployment with Layer 3 steering:
· Advantages: The SecBlade cards can be deployed quickly without changing the existing network topology; only the services that need security functions are steered, while other traffic keeps its original path; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: The steering policy is complex and harder to maintain, and it cannot be used together with fast-forwarding load sharing.
Layer 3 inline active/standby deployment (VRF isolation) is a Layer 3 SecBlade card deployment in which the router isolates traffic with VRFs and steers it at Layer 3, the SecBlade cards work in route mode, and the backup mode is active/standby. It is generally used when the upstream and downstream networks are in different subnets and the existing network can be changed.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the router, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the router is their gateway.
Figure 1-12 Layer 3 inline active/standby deployment (VRF isolation)
How Layer 3 inline active/standby deployment (VRF isolation) works:
· The router's uplink and downlink interfaces work at Layer 3 in different VRFs, each steering port is in the same VRF as its service port, and static routes steer uplink and downlink traffic into the SecBlade card.
· The router uses VRRP to select the active SecBlade card for processing services.
· The SecBlade cards' interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· The SecBlade cards implement active/standby backup through RBM linked with VRRP.
· After receiving the traffic reinjected by the SecBlade card, the router forwards it at Layer 3 to the upstream and downstream devices.
Advantages and disadvantages of Layer 3 inline active/standby deployment (VRF isolation):
· Advantages: Rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported; no complex PBR has to be configured and maintained.
· Disadvantages: Additional network addresses must be planned, and the existing network topology must be changed.
Layer 3 inline active/standby deployment (VLAN isolation) is a Layer 3 SecBlade card deployment in which the switch divides traffic into VLANs and steers it at Layer 2, the SecBlade cards work in route mode, and the backup mode is active/standby. It is generally used when the upstream and downstream networks are in different subnets and different VLANs.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the switch, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the SecBlade card is their gateway.
Figure 1-13 Layer 3 inline active/standby deployment (VLAN isolation)
How Layer 3 inline active/standby deployment (VLAN isolation) works:
· The switch's uplink and downlink interfaces work at Layer 2 in different VLANs, each steering port is placed in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the SecBlade card.
· The upstream and downstream devices use VRRP to select the active SecBlade card for processing services.
· The SecBlade cards' interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· The SecBlade cards implement active/standby backup through RBM linked with VRRP.
· After receiving the traffic reinjected by the SecBlade card, the switch forwards it at Layer 2 to the upstream and downstream devices.
Advantages and disadvantages of Layer 3 inline active/standby deployment (VLAN isolation):
· Advantages: Rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported; no complex PBR has to be configured and maintained.
· Disadvantages: Additional network addresses must be planned, and the existing network topology must be changed.
One-arm active/standby deployment with Layer 2 steering is a Layer 2 SecBlade card deployment in which the switch uses QoS policy steering, the SecBlade cards work in transparent mode, and the backup mode is active/standby. It is generally used when the upstream and downstream networks are in the same subnet and the same VLAN and the existing network must not be changed.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the switch, and the traffic of VLAN 10 must be inspected. VLAN 10 is a single subnet.
Figure 1-14 One-arm active/standby deployment with Layer 2 steering
How one-arm active/standby deployment with Layer 2 steering works:
· The switch's uplink and downlink interfaces are in the same VLAN, and a QoS policy redirects traffic to the SecBlade card.
· The switch selects the active SecBlade card for processing services by configuring the maximum number of Selected ports and the port priorities in the aggregation group.
· The SecBlade cards' interfaces work at Layer 2, and packets are forwarded by MAC address table lookup.
· The SecBlade cards implement active/standby backup through RBM linked with interface states.
· After receiving the traffic reinjected by the SecBlade card, the switch redirects it to the upstream and downstream devices through a QoS policy.
Advantages and disadvantages of one-arm active/standby deployment with Layer 2 steering:
· Advantages: The SecBlade cards can be deployed quickly without changing the existing network topology; only the services that need security processing are steered, while other traffic keeps its original path.
· Disadvantages: The steering policy is complex and harder to maintain; routing is not supported, and only a few security functions are supported.
Transparent inline active/standby deployment is a Layer 2 SecBlade card deployment in which the switch steers traffic by VLAN division, the SecBlade cards work in cross-VLAN bridge mode, and the backup mode is active/standby. It is generally used when the upstream and downstream networks are in the same subnet but different VLANs.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the switch, and traffic between Host and the Internet must be inspected. The two networks are in the same subnet.
Figure 1-15 Transparent inline active/standby deployment
How transparent inline active/standby deployment works:
· The switch's uplink and downlink interfaces work at Layer 2 in different VLANs, each steering port is placed in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the SecBlade card.
· The switch selects the active SecBlade card for processing services by configuring the maximum number of Selected ports and the port priorities in the aggregation group.
· The SecBlade cards' interfaces work at Layer 2, packets are forwarded by MAC address table lookup, and the cross-VLAN bridge translates the VLAN of uplink and downlink packets.
· The SecBlade cards implement active/standby backup through RBM linked with interface states.
· After receiving the traffic reinjected by the SecBlade card, the switch forwards it at Layer 2 to the upstream and downstream devices.
Advantages and disadvantages of transparent inline active/standby deployment:
· Advantages: The configuration logic is simple, with no complex QoS steering policy; troubleshooting is simple; only the services that need security processing are steered, while other traffic keeps its original path.
· Disadvantages: Routing is not supported and only a few security functions are supported; the existing network topology must be changed; each service requires two VLANs, which halves the number of services that can be supported.
One-arm dual-active deployment with Layer 3 steering is a Layer 3 SecBlade card deployment in which the router uses PBR steering, the SecBlade cards work in route mode, and the backup mode is dual-active. It is generally used when the upstream and downstream networks are in different subnets and the existing network must not be changed.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the router, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the router is their gateway.
Figure 1-16 One-arm dual-active deployment with Layer 3 steering
How one-arm dual-active deployment with Layer 3 steering works:
· The router's uplink and downlink interfaces are in different subnets, and PBR sets the next hop of uplink and downlink traffic to the SecBlade cards.
· The router implements load sharing through PBR with multiple equal-weight next hops and dual VRRP.
· The SecBlade cards' interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· The SecBlade cards back each other up through RBM linked with VRRP.
· After receiving the traffic reinjected by the SecBlade cards, the router forwards it at Layer 3 to the upstream and downstream devices.
Advantages and disadvantages of one-arm dual-active deployment with Layer 3 steering:
· Advantages: The SecBlade cards can be deployed quickly without changing the existing network topology; only the services that need security functions are steered, while other traffic keeps its original path; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: The steering policy is complex and harder to maintain, and it cannot be used together with fast-forwarding load sharing.
Layer 3 inline dual-active deployment (VRF isolation) is a Layer 3 SecBlade card deployment in which the router isolates traffic with VRFs and steers it at Layer 3, the SecBlade cards work in route mode, and the backup mode is dual-active. It is generally used when the upstream and downstream networks are in different subnets and the existing network can be changed.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the router, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the router is their gateway.
Figure 1-17 Layer 3 inline dual-active deployment (VRF isolation)
How Layer 3 inline dual-active deployment (VRF isolation) works:
· The router's uplink and downlink interfaces work at Layer 3 in different VRFs, each steering port is in the same VRF as its service port, and static routes steer uplink and downlink traffic into the SecBlade cards.
· The router implements load sharing through equal-cost static routes and dual VRRP.
· The SecBlade cards' interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· The SecBlade cards back each other up through RBM linked with VRRP.
· After receiving the traffic reinjected by the SecBlade cards, the router forwards it at Layer 3 to the upstream and downstream devices.
Advantages and disadvantages of Layer 3 inline dual-active deployment (VRF isolation):
· Advantages: Rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported; no complex PBR has to be configured and maintained.
· Disadvantages: Additional network addresses must be planned, and the existing network topology must be changed.
Layer 3 inline dual-active deployment (VLAN isolation) is a Layer 3 SecBlade card deployment in which the switch divides traffic into VLANs and steers it at Layer 2, the SecBlade cards work in route mode, and the backup mode is dual-active. It is generally used when the upstream and downstream networks are in different subnets and different VLANs.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the switch, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the upstream and downstream routers are their gateways.
Figure 1-18 Layer 3 inline dual-active deployment (VLAN isolation)
How Layer 3 inline dual-active deployment (VLAN isolation) works:
· The switch's uplink and downlink interfaces work at Layer 2 in different VLANs, each steering port is placed in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the SecBlade cards.
· The upstream and downstream devices implement load sharing through equal-cost static routes and dual VRRP.
· The SecBlade cards' interfaces work at Layer 3, and packets are forwarded by routing table lookup.
· The SecBlade cards back each other up through RBM linked with VRRP.
· After receiving the traffic reinjected by the SecBlade cards, the switch forwards it at Layer 2 to the upstream and downstream devices.
Advantages and disadvantages of Layer 3 inline dual-active deployment (VLAN isolation):
· Advantages: Rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported; no complex PBR has to be configured and maintained.
· Disadvantages: Additional network addresses must be planned, and the existing network topology must be changed.
One-arm dual-active deployment with Layer 2 steering is a Layer 2 SecBlade card deployment in which the switch uses QoS policy steering, the SecBlade cards work in transparent mode, and the backup mode is dual-active. It is generally used when the upstream and downstream networks are in the same subnet and the same VLAN and the existing network must not be changed.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the switch, and the traffic of VLAN 10 must be inspected. VLAN 10 is a single subnet.
Figure 1-19 One-arm dual-active deployment with Layer 2 steering
How one-arm dual-active deployment with Layer 2 steering works:
· The switch's uplink and downlink interfaces are in the same VLAN, and a QoS policy redirects traffic to the SecBlade cards.
· The switch implements load sharing through link aggregation.
· The SecBlade cards' interfaces work at Layer 2, and packets are forwarded by MAC address table lookup.
· The SecBlade cards back each other up through RBM linked with interface states.
· After receiving the traffic reinjected by the SecBlade cards, the switch redirects it to the upstream and downstream devices through a QoS policy.
Advantages and disadvantages of one-arm dual-active deployment with Layer 2 steering:
· Advantages: The SecBlade cards can be deployed quickly without changing the existing network topology; only the services that need security processing are steered, while other traffic keeps its original path.
· Disadvantages: The steering policy is complex and harder to maintain; routing is not supported, and only a few security functions are supported.
Transparent inline dual-active deployment is a Layer 2 SecBlade card deployment in which the switch steers traffic by VLAN division, the SecBlade cards work in cross-VLAN bridge mode, and the backup mode is dual-active. It is generally used when the upstream and downstream networks are in the same subnet but different VLANs.
As shown in the following figure, two SecBlade cards are installed in slots 2 and 3 of the switch, and traffic between Host and the Internet must be inspected. The two networks are in the same subnet.
Figure 1-20 Transparent inline dual-active deployment
The switch implements load sharing through link aggregation, and the SecBlade cards back each other up through RBM linked with interface states.
How transparent inline dual-active deployment works:
· The switch's uplink and downlink interfaces work at Layer 2 in different VLANs, each steering port is placed in the same VLAN as its service port, and Layer 2 connectivity within the VLAN steers uplink and downlink traffic into the SecBlade cards.
· The switch implements load sharing through link aggregation.
· The SecBlade cards' interfaces work at Layer 2, packets are forwarded by MAC address table lookup, and the cross-VLAN bridge translates the VLAN of uplink and downlink packets.
· The SecBlade cards back each other up through RBM linked with interface states.
· After receiving the traffic reinjected by the SecBlade cards, the switch forwards it at Layer 2 to the upstream and downstream devices.
Advantages and disadvantages of transparent inline dual-active deployment:
· Advantages: The configuration logic is simple, with no complex QoS steering policy; troubleshooting is simple; only the services that need security processing are steered, while other traffic keeps its original path.
· Disadvantages: Routing is not supported and only a few security functions are supported; the existing network topology must be changed; each service requires two VLANs, which halves the number of services that can be supported.
SecBlade card active/standby deployment in an M-LAG environment is a Layer 3 SecBlade card deployment in which the switches use PBR steering, the SecBlade cards work in route mode, and the backup mode is active/standby. It is generally used when the upstream and downstream networks are in different subnets and the existing network must not be changed.
As shown in the following figure, two SecBlade cards are installed in slot 2 of Switch A and slot 2 of Switch B respectively, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the switches are their gateways.
Figure 1-21 SecBlade card active/standby deployment in an M-LAG environment
How SecBlade card active/standby deployment in an M-LAG environment works:
· Switch A and Switch B form an M-LAG system.
· No separate cable is needed between the two Devices. The inline ports of Switch A and Switch B together with the peer-link channel serve as the RBM channel, which carries RBM running state, key configuration, service entries, and other information.
· Hot backup is configured in active/standby mode; under normal conditions Device A processes services and Device B does not.
· PBR is configured on Switch A and Switch B. Service traffic entering Switch A or Switch B is sent through the inline ports to Device A or Device B for security processing, and then returns through the inline ports to Switch A or Switch B for forwarding.
· Switch A and Switch B connect upstream and downstream to Switch C and Switch D through cross-chassis aggregation; Switch C connects to Router and Switch D connects to Host:
¡ On Switch A, configure VLAN 30 on interface XGE1/6/0/2, which connects to Switch C, and add the interface to aggregation group 30.
¡ On Switch B, configure VLAN 30 on interface XGE1/6/0/2, which connects to Switch C, and add the interface to aggregation group 30.
¡ On Switch A, configure VLAN 40 on interface XGE1/6/0/1, which connects to Switch D, and add the interface to aggregation group 40.
¡ On Switch B, configure VLAN 40 on interface XGE1/6/0/1, which connects to Switch D, and add the interface to aggregation group 40.
¡ On Switch C, configure VLAN 30 on interfaces XGE1/0/1 and XGE1/0/2, which connect to Switch A and Switch B, and add the interfaces to aggregation group 50.
¡ On Switch D, configure VLAN 40 on interfaces XGE1/0/1 and XGE1/0/2, which connect to Switch A and Switch B, and add the interfaces to aggregation group 60.
Advantages and disadvantages of SecBlade card active/standby deployment in an M-LAG environment:
· Advantages: The SecBlade cards can be deployed quickly without changing the existing network topology; only the services that need security functions are steered, while other traffic keeps its original path; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: The steering policy is complex and harder to maintain, and it cannot be used together with fast-forwarding load sharing.
SecBlade card dual-active deployment in an M-LAG environment is a Layer 3 SecBlade card deployment in which the switches use PBR steering, the SecBlade cards work in route mode, and the backup mode is dual-active. It is generally used when the upstream and downstream networks are in different subnets and the existing network must not be changed.
As shown in the following figure, two SecBlade cards are installed in slot 2 of Switch A and slot 2 of Switch B respectively, and traffic between Host and the Internet must be inspected. The two networks are in different subnets, and the switches are their gateways.
Figure 1-22 SecBlade card dual-active deployment in an M-LAG environment
How SecBlade card dual-active deployment in an M-LAG environment works:
· Switch A and Switch B form an M-LAG system.
· No separate cable is needed between the two Devices. The inline ports of Switch A and Switch B together with the peer-link channel serve as the RBM channel, which carries RBM running state, key configuration, service entries, and other information.
· Hot backup is configured in dual-active mode; under normal conditions both devices process services.
· PBR is configured on Switch A and Switch B. Service traffic entering Switch A or Switch B is sent through the inline ports to Device A or Device B for security processing, and then returns through the inline ports to Switch A or Switch B for forwarding.
· Switch A and Switch B connect upstream and downstream to Switch C and Switch D through cross-chassis aggregation; Switch C connects to Router and Switch D connects to Host:
¡ On Switch A, configure VLAN 30 on interface XGE1/6/0/2, which connects to Switch C, and add the interface to aggregation group 30.
¡ On Switch B, configure VLAN 30 on interface XGE1/6/0/2, which connects to Switch C, and add the interface to aggregation group 30.
¡ On Switch A, configure VLAN 40 on interface XGE1/6/0/1, which connects to Switch D, and add the interface to aggregation group 40.
¡ On Switch B, configure VLAN 40 on interface XGE1/6/0/1, which connects to Switch D, and add the interface to aggregation group 40.
¡ On Switch C, configure VLAN 30 on interfaces XGE1/0/1 and XGE1/0/2, which connect to Switch A and Switch B, and add the interfaces to aggregation group 50.
¡ On Switch D, configure VLAN 40 on interfaces XGE1/0/1 and XGE1/0/2, which connect to Switch A and Switch B, and add the interfaces to aggregation group 60.
Advantages and disadvantages of SecBlade card dual-active deployment in an M-LAG environment:
· Advantages: The SecBlade cards can be deployed quickly without changing the existing network topology; only the services that need security functions are steered, while other traffic keeps its original path; rich routing and security functions such as OSPF, NAT, LB, SecPolicy, and DPI are supported.
· Disadvantages: The steering policy is complex and harder to maintain, and it cannot be used together with fast-forwarding load sharing.
The LSQM1ADEDSC0, LSWM1ADED0, and LSUM1ADECEA0 SecBlade cards are load balancing products. Because a load balancing device permits traffic on all interfaces by default, it needs no security zones or security policies. All card deployments in this section configure security zones and security policies; for the products above, configure security zones and security policies as needed.
Host A, Host B, and Host C communicate with the Internet through the access switch Switch and the router Router. For security, a SecBlade card (Device) is deployed in Router to provide protection, with the following requirements:
· Switch places Host A, Host B, and Host C in VLAN 10, VLAN 20, and VLAN 30 respectively and transparently passes traffic between the hosts and the Internet.
· Router connects at Layer 3 to the hosts, the Internet, and Device; it redirects uplink and downlink traffic to Device through PBR and forwards the traffic returned from Device by routing table lookup.
· Device connects at Layer 3 to Router and forwards traffic between the hosts and the Internet by static routing table lookup.
Figure 2-1 One-arm deployment of a SecBlade card with Layer 3 steering (network diagram)
| Device | Interface | IP address |
| Host A | - | 192.168.10.15/24 |
| Host B | - | 192.168.20.15/24 |
| Host C | - | 192.168.30.15/24 |
| Router | GE1/0/1.10 | 192.168.10.1/24 |
| Router | GE1/0/1.20 | 192.168.20.1/24 |
| Router | GE1/0/1.30 | 192.168.30.1/24 |
| Router | RAGG1.100 | 10.1.1.1/30 |
| Router | RAGG1.200 | 10.1.1.6/30 |
| Router | GE1/0/2 | 20.1.1.1/24 |
| Device | RAGG1.100 | 10.1.1.2/30 |
| Device | RAGG1.200 | 10.1.1.5/30 |
# Create VLAN 10, VLAN 20, and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit the packets of VLAN 10, VLAN 20, and VLAN 30 to pass.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Configure the IP address of GigabitEthernet1/0/2.
<Router> system-view
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Create Layer 3 aggregate interface 1.
[Router] interface route-aggregation 1
[Router-Route-Aggregation1] quit
# Create Layer 3 aggregate subinterfaces Route-Aggregation1.100 and Route-Aggregation1.200, enable Dot1q termination to terminate VLAN 100 and VLAN 200 respectively, and configure their IP addresses.
[Router] interface route-aggregation 1.100
[Router-Route-Aggregation1.100] vlan-type dot1q vid 100
[Router-Route-Aggregation1.100] ip address 10.1.1.1 30
[Router-Route-Aggregation1.100] quit
[Router] interface route-aggregation 1.200
[Router-Route-Aggregation1.200] vlan-type dot1q vid 200
[Router-Route-Aggregation1.200] ip address 10.1.1.6 30
[Router-Route-Aggregation1.200] quit
# Assign FortyGigE2/0/1 and FortyGigE2/0/2 to aggregation group 1.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2
[Router-if-range] port link-aggregation group 1
[Router-if-range] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20, and GigabitEthernet1/0/1.30, enable Dot1q termination to terminate VLAN 10, VLAN 20, and VLAN 30 respectively, and configure their IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Disable fast-forwarding load sharing (to prevent a Layer 3 loop).
[Router] undo ip fast-forwarding load-sharing
# Create IPv4 advanced ACLs to match uplink and downlink traffic.
[Router] acl advanced 3001
[Router-acl-ipv4-adv-3001] rule permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3001] quit
[Router] acl advanced 3002
[Router-acl-ipv4-adv-3002] rule permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3002] quit
[Router] acl advanced 3003
[Router-acl-ipv4-adv-3003] rule permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3003] quit
[Router] acl advanced 3004
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Router-acl-ipv4-adv-3004] quit
# Configure PBR policies and apply them to the interfaces.
[Router] policy-based-route vlan10out permit node 10
[Router-pbr-vlan10out-10] if-match acl 3001
[Router-pbr-vlan10out-10] apply next-hop 10.1.1.2
[Router-pbr-vlan10out-10] quit
[Router] policy-based-route vlan20out permit node 10
[Router-pbr-vlan20out-10] if-match acl 3002
[Router-pbr-vlan20out-10] apply next-hop 10.1.1.2
[Router-pbr-vlan20out-10] quit
[Router] policy-based-route vlan30out permit node 10
[Router-pbr-vlan30out-10] if-match acl 3003
[Router-pbr-vlan30out-10] apply next-hop 10.1.1.2
[Router-pbr-vlan30out-10] quit
[Router] policy-based-route internetin permit node 10
[Router-pbr-internetin-10] if-match acl 3004
[Router-pbr-internetin-10] apply next-hop 10.1.1.5
[Router-pbr-internetin-10] quit
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] ip policy-based-route vlan10out
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] ip policy-based-route vlan20out
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] ip policy-based-route vlan30out
[Router-GigabitEthernet1/0/1.30] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip policy-based-route internetin
[Router-GigabitEthernet1/0/2] quit
# Create Layer 3 aggregate interface 1.
<Device> system-view
[Device] interface route-aggregation 1
[Device-Route-Aggregation1] quit
# Create Layer 3 aggregate subinterfaces Route-Aggregation1.100 and Route-Aggregation1.200, enable Dot1q termination to terminate VLAN 100 and VLAN 200 respectively, and configure their IP addresses.
[Device] interface route-aggregation 1.100
[Device-Route-Aggregation1.100] vlan-type dot1q vid 100
[Device-Route-Aggregation1.100] ip address 10.1.1.2 30
[Device-Route-Aggregation1.100] quit
[Device] interface route-aggregation 1.200
[Device-Route-Aggregation1.200] vlan-type dot1q vid 200
[Device-Route-Aggregation1.200] ip address 10.1.1.5 30
[Device-Route-Aggregation1.200] quit
# Assign FortyGigE1/0/1 and FortyGigE1/0/2 to aggregation group 1.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-aggregation group 1
[Device-if-range] quit
# Add Route-Aggregation1.100 and Route-Aggregation1.200 to security zones Trust and Untrust respectively.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface route-aggregation 1.100
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface route-aggregation 1.200
[Device-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-0-trust-untrust] action pass
[Device-security-policy-ip-0-trust-untrust] source-zone trust
[Device-security-policy-ip-0-trust-untrust] destination-zone untrust
[Device-security-policy-ip-0-trust-untrust] quit
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-1-untrust-trust] action pass
[Device-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-security-policy-ip-1-untrust-trust] quit
[Device-security-policy-ip] quit
# Configure static routes to direct uplink and downlink traffic.
[Device] ip route-static 192.168.10.0 24 10.1.1.1
[Device] ip route-static 192.168.20.0 24 10.1.1.1
[Device] ip route-static 192.168.30.0 24 10.1.1.1
[Device] ip route-static 20.1.1.0 24 10.1.1.6
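The following is an added example, not part of the H3C guide or the device software. It encodes the Router's ACLs, PBR policies and interface bindings and the Device's static routes, security zones and security policy exactly as configured above, then traces a packet in each direction to show where it is inspected; it also shows that a flow matched by none of the ACLs (host-to-host traffic) is forwarded by the Router without ever reaching the card. The addresses are the ones in this section; the traced packets are constructed for illustration.

```python
"""Trace of the one-arm Layer 3 steering path configured in this section.

Added example, not code from the H3C guide. It encodes the Router's ACLs,
PBR policies and interface bindings and the Device's static routes,
security zones and security policy as configured above, then follows a
packet in each direction to show where it is inspected. Addresses are the
section's own; the traced packets are constructed for illustration.
"""
import ipaddress

# Router: interface -> connected subnet (from the interface configuration).
ROUTER_IFACES = {
    "GE1/0/1.10": "192.168.10.0/24", "GE1/0/1.20": "192.168.20.0/24",
    "GE1/0/1.30": "192.168.30.0/24", "GE1/0/2": "20.1.1.0/24",
    "RAGG1.100": "10.1.1.0/30", "RAGG1.200": "10.1.1.4/30",
}
# ACL rules as (source, wildcard, destination, wildcard); H3C wildcard masks.
ACLS = {
    3001: [("192.168.10.0", "0.0.0.255", "20.1.1.0", "0.0.0.255")],
    3002: [("192.168.20.0", "0.0.0.255", "20.1.1.0", "0.0.0.255")],
    3003: [("192.168.30.0", "0.0.0.255", "20.1.1.0", "0.0.0.255")],
    3004: [("20.1.1.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
           ("20.1.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
           ("20.1.1.0", "0.0.0.255", "192.168.30.0", "0.0.0.255")],
}
# PBR policy -> (ACL, next hop); every policy has a single permit node 10.
PBR = {"vlan10out": (3001, "10.1.1.2"), "vlan20out": (3002, "10.1.1.2"),
       "vlan30out": (3003, "10.1.1.2"), "internetin": (3004, "10.1.1.5")}
PBR_BINDINGS = {"GE1/0/1.10": "vlan10out", "GE1/0/1.20": "vlan20out",
                "GE1/0/1.30": "vlan30out", "GE1/0/2": "internetin"}

# Device (SecBlade card): subinterface subnets, zones, static routes, policy.
DEVICE_IFACES = {"RAGG1.100": "10.1.1.0/30", "RAGG1.200": "10.1.1.4/30"}
DEVICE_ZONES = {"RAGG1.100": "Trust", "RAGG1.200": "Untrust"}
DEVICE_ROUTES = [("192.168.10.0/24", "10.1.1.1"), ("192.168.20.0/24", "10.1.1.1"),
                 ("192.168.30.0/24", "10.1.1.1"), ("20.1.1.0/24", "10.1.1.6")]
SECURITY_POLICY = {("Trust", "Untrust"): "pass", ("Untrust", "Trust"): "pass"}


def wildcard_match(addr, base, wildcard):
    """H3C wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_permits(acl_id, src, dst):
    """True if any rule of the ACL matches the source/destination pair."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACLS[acl_id])


def iface_for(ifaces, addr):
    """Interface whose connected subnet contains addr, or None."""
    ip = ipaddress.IPv4Address(addr)
    return next((n for n, s in ifaces.items() if ip in ipaddress.IPv4Network(s)), None)


def device_forward(dst):
    """Longest-prefix static route lookup on Device: (egress iface, next hop)."""
    ip = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.IPv4Network(n).prefixlen, nh)
            for n, nh in DEVICE_ROUTES if ip in ipaddress.IPv4Network(n)]
    if not hits:
        return None, None          # no route: Device drops the packet
    next_hop = max(hits)[1]
    return iface_for(DEVICE_IFACES, next_hop), next_hop


def trace(src, dst):
    """Follow one packet; returns (hops, zone pair, verdict).

    verdict is 'pass' (inspected and permitted), 'drop' (Device dropped it)
    or 'bypass' (no PBR match, so Router forwarded it without inspection).
    """
    ingress = iface_for(ROUTER_IFACES, src)
    hops = [("Router", ingress)]
    policy = PBR_BINDINGS.get(ingress)
    if policy is None or not acl_permits(PBR[policy][0], src, dst):
        hops.append(("Router", iface_for(ROUTER_IFACES, dst)))
        return hops, None, "bypass"
    dev_in = iface_for(DEVICE_IFACES, PBR[policy][1])
    hops.append(("Device", dev_in))
    dev_out, dev_next = device_forward(dst)
    if dev_out is None:
        return hops, (DEVICE_ZONES[dev_in], None), "drop"
    zones = (DEVICE_ZONES[dev_in], DEVICE_ZONES[dev_out])
    if SECURITY_POLICY.get(zones, "drop") != "pass":
        return hops, zones, "drop"
    hops.append(("Device", dev_out))
    # Reinjected on the Router's /30 subinterface, which has no PBR bound,
    # so the Router forwards it by routing table toward dst.
    hops += [("Router", iface_for(ROUTER_IFACES, dev_next)),
             ("Router", iface_for(ROUTER_IFACES, dst))]
    return hops, zones, "pass"


if __name__ == "__main__":
    for s, d in [("192.168.10.15", "20.1.1.1"), ("20.1.1.1", "192.168.30.15"),
                 ("192.168.10.15", "192.168.20.15")]:  # host-to-host: never inspected
        print(s, "->", d, *trace(s, d))
```

The third trace is the practical caveat behind "only the services that need security functions are steered": anything the ACLs do not match stays on the Router and is never seen by the card, so the ACLs must cover every flow that is supposed to be inspected.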
# Ping the Internet address 20.1.1.1 from Host A; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on Device; sessions between the hosts and 20.1.1.1 exist.
[Device] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
undo ip fast-forwarding load-sharing
#
policy-based-route internetin permit node 10
if-match acl 3004
apply next-hop 10.1.1.5
#
policy-based-route vlan10out permit node 10
if-match acl 3001
apply next-hop 10.1.1.2
#
policy-based-route vlan20out permit node 10
if-match acl 3002
apply next-hop 10.1.1.2
#
policy-based-route vlan30out permit node 10
if-match acl 3003
apply next-hop 10.1.1.2
#
interface Route-Aggregation1
#
interface Route-Aggregation1.100
ip address 10.1.1.1 255.255.255.252
vlan-type dot1q vid 100
#
interface Route-Aggregation1.200
ip address 10.1.1.6 255.255.255.252
vlan-type dot1q vid 200
#
interface GigabitEthernet1/0/1.10
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
ip policy-based-route vlan10out
#
interface GigabitEthernet1/0/1.20
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
ip policy-based-route vlan20out
#
interface GigabitEthernet1/0/1.30
ip address 192.168.30.1 255.255.255.0
vlan-type dot1q vid 30
ip policy-based-route vlan30out
#
interface GigabitEthernet1/0/2
ip address 20.1.1.1 255.255.255.0
ip policy-based-route internetin
#
interface FortyGigE2/0/1
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-aggregation group 1
#
acl advanced 3001
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3002
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3003
rule 0 permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3004
rule 0 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 5 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#
#
interface Route-Aggregation1
#
interface Route-Aggregation1.100
ip address 10.1.1.2 255.255.255.252
vlan-type dot1q vid 100
#
interface Route-Aggregation1.200
ip address 10.1.1.5 255.255.255.252
vlan-type dot1q vid 200
#
interface FortyGigE1/0/1
port link-aggregation group 1
#
interface FortyGigE1/0/2
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.100
#
security-zone name Untrust
import interface Route-Aggregation1.200
#
ip route-static 20.1.1.0 24 10.1.1.6
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
Host A, Host B, and Host C communicate with the Internet through the access switch Switch and the router Router. For security, a SecBlade card (Device) is deployed in Router to provide protection, with the following requirements:
· Switch places Host A, Host B, and Host C in VLAN 10, VLAN 20, and VLAN 30 respectively and transparently passes traffic between the hosts and the Internet.
· Router connects at Layer 3 to the hosts, the Internet, and Device; its downlink ports and Route-Aggregation1.100 are in VPN instance host, its uplink port and Route-Aggregation1.200 are in VPN instance internet, and it forwards traffic between the hosts and the Internet by static routing table lookup.
· Device connects at Layer 3 to Router and forwards traffic between the hosts and the Internet by static routing table lookup.
Figure 2-2 Layer 3 inline deployment of a SecBlade card (VRF isolation) (network diagram)
| Device | Interface | IP address |
| Host A | - | 192.168.10.15/24 |
| Host B | - | 192.168.20.15/24 |
| Host C | - | 192.168.30.15/24 |
| Router | GE1/0/1.10 | 192.168.10.1/24 |
| Router | GE1/0/1.20 | 192.168.20.1/24 |
| Router | GE1/0/1.30 | 192.168.30.1/24 |
| Router | RAGG1.100 | 10.1.1.1/30 |
| Router | RAGG1.200 | 10.1.1.6/30 |
| Device | RAGG1.100 | 10.1.1.2/30 |
| Device | RAGG1.200 | 10.1.1.5/30 |
# Create VLAN 10, VLAN 20, and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit the packets of VLAN 10, VLAN 20, and VLAN 30 to pass.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Create VPN instances host and internet.
<Router> system-view
[Router] ip vpn-instance host
[Router-vpn-instance-host] quit
[Router] ip vpn-instance internet
[Router-vpn-instance-internet] quit
# Create Layer 3 aggregate interface 1.
[Router] interface route-aggregation 1
[Router-Route-Aggregation1] quit
# Create Layer 3 aggregate subinterfaces Route-Aggregation1.100 and Route-Aggregation1.200, enable Dot1q termination to terminate VLAN 100 and VLAN 200 respectively, bind them to their VPN instances, and configure their IP addresses.
[Router] interface route-aggregation 1.100
[Router-Route-Aggregation1.100] vlan-type dot1q vid 100
[Router-Route-Aggregation1.100] ip binding vpn-instance host
[Router-Route-Aggregation1.100] ip address 10.1.1.1 30
[Router-Route-Aggregation1.100] quit
[Router] interface route-aggregation 1.200
[Router-Route-Aggregation1.200] vlan-type dot1q vid 200
[Router-Route-Aggregation1.200] ip binding vpn-instance internet
[Router-Route-Aggregation1.200] ip address 10.1.1.6 30
[Router-Route-Aggregation1.200] quit
# Assign FortyGigE2/0/1 and FortyGigE2/0/2 to aggregation group 1.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2
[Router-if-range] port link-aggregation group 1
[Router-if-range] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20 and GigabitEthernet1/0/1.30, enable Dot1q termination for VLAN 10, VLAN 20 and VLAN 30 respectively, bind them to the VPN instance and assign IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Bind GigabitEthernet1/0/2 to the VPN instance and assign its IP address.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip binding vpn-instance internet
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Configure static routes to steer upstream and downstream traffic.
[Router] ip route-static vpn-instance host 20.1.1.0 24 vpn-instance host 10.1.1.2
[Router] ip route-static vpn-instance internet 192.168.10.0 24 vpn-instance internet 10.1.1.5
[Router] ip route-static vpn-instance internet 192.168.20.0 24 vpn-instance internet 10.1.1.5
[Router] ip route-static vpn-instance internet 192.168.30.0 24 vpn-instance internet 10.1.1.5
# Create Layer 3 aggregate interface 1.
<Device> system-view
[Device] interface route-aggregation 1
[Device-Route-Aggregation1] quit
# Create Layer 3 aggregate subinterfaces Route-Aggregation1.100 and Route-Aggregation1.200, enable Dot1q termination for VLAN 100 and VLAN 200 respectively, and assign IP addresses.
[Device] interface route-aggregation 1.100
[Device-Route-Aggregation1.100] vlan-type dot1q vid 100
[Device-Route-Aggregation1.100] ip address 10.1.1.2 30
[Device-Route-Aggregation1.100] quit
[Device] interface route-aggregation 1.200
[Device-Route-Aggregation1.200] vlan-type dot1q vid 200
[Device-Route-Aggregation1.200] ip address 10.1.1.5 30
[Device-Route-Aggregation1.200] quit
# Assign FortyGigE1/0/1 and FortyGigE1/0/2 to aggregation group 1.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-aggregation group 1
[Device-if-range] quit
# Add Route-Aggregation1.100 to security zone Trust and Route-Aggregation1.200 to security zone Untrust.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface route-aggregation 1.100
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface route-aggregation 1.200
[Device-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the two zones.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-0-trust-untrust] action pass
[Device-security-policy-ip-0-trust-untrust] source-zone trust
[Device-security-policy-ip-0-trust-untrust] destination-zone untrust
[Device-security-policy-ip-0-trust-untrust] quit
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-1-untrust-trust] action pass
[Device-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-security-policy-ip-1-untrust-trust] quit
[Device-security-policy-ip] quit
# Configure static routes to steer upstream and downstream traffic.
[Device] ip route-static 192.168.10.0 24 10.1.1.1
[Device] ip route-static 192.168.20.0 24 10.1.1.1
[Device] ip route-static 192.168.30.0 24 10.1.1.1
[Device] ip route-static 20.1.1.0 24 10.1.1.6
# On Host A, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# On Host B, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# On Host C, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on Device; sessions between the hosts and 20.1.1.1 are present.
[Device] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
ip vpn-instance host
#
ip vpn-instance internet
#
interface Route-Aggregation1
#
interface Route-Aggregation1.100
ip binding vpn-instance host
ip address 10.1.1.1 255.255.255.252
vlan-type dot1q vid 100
#
interface Route-Aggregation1.200
ip binding vpn-instance internet
ip address 10.1.1.6 255.255.255.252
vlan-type dot1q vid 200
#
interface GigabitEthernet1/0/1.10
ip binding vpn-instance host
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
#
interface GigabitEthernet1/0/1.20
ip binding vpn-instance host
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/1.30
ip binding vpn-instance host
ip address 192.168.30.1 255.255.255.0
vlan-type dot1q vid 30
#
interface GigabitEthernet1/0/2
ip binding vpn-instance internet
ip address 20.1.1.1 255.255.255.0
#
interface FortyGigE2/0/1
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-aggregation group 1
#
ip route-static vpn-instance host 20.1.1.0 24 10.1.1.2
ip route-static vpn-instance internet 192.168.10.0 24 10.1.1.5
ip route-static vpn-instance internet 192.168.20.0 24 10.1.1.5
ip route-static vpn-instance internet 192.168.30.0 24 10.1.1.5
#
#
interface Route-Aggregation1
#
interface Route-Aggregation1.100
ip address 10.1.1.2 255.255.255.252
vlan-type dot1q vid 100
#
interface Route-Aggregation1.200
ip address 10.1.1.5 255.255.255.252
vlan-type dot1q vid 200
#
interface FortyGigE1/0/1
port link-aggregation group 1
#
interface FortyGigE1/0/2
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.100
#
security-zone name Untrust
import interface Route-Aggregation1.200
#
ip route-static 20.1.1.0 24 10.1.1.6
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, a SecBlade card (Device) is deployed in aggregation switch Switch B to protect the traffic. The requirements are as follows:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively, acts as their gateway, and forwards traffic from the hosts to the Internet by looking up the static routing table.
· Switch B places its downlink service port in VLAN 100, its uplink service port in VLAN 200, and the ports interconnecting with Device in VLAN 100 and VLAN 200, so that upstream and downstream traffic between the hosts and the Internet is passed transparently through Device.
· Device connects to Switch B at Layer 2 and to Switch A and Switch C at Layer 3, and forwards traffic between the hosts and the Internet by looking up the static routing table.
· Switch C connects to Device at Layer 3 and forwards traffic from the Internet to the hosts by looking up the static routing table.
Figure 2-3 Network diagram for Layer 3 inline deployment of the SecBlade card (VLAN separation)
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Switch A | GE1/0/4 | 10.1.1.1/30
Switch A | Vlan-interface 10 | 192.168.10.1/24
Switch A | Vlan-interface 20 | 192.168.20.1/24
Switch A | Vlan-interface 30 | 192.168.30.1/24
Device | RAGG1.100 | 10.1.1.2/30
Device | RAGG1.200 | 10.1.1.5/30
Switch C | GE1/0/1 | 10.1.1.6/30
Switch C | GE1/0/2 | 20.1.1.1/24
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Create VLAN interfaces for VLAN 10, VLAN 20 and VLAN 30 and assign IP addresses to them.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 20
[SwitchA-Vlan-interface20] ip address 192.168.20.1 24
[SwitchA-Vlan-interface20] quit
[SwitchA] interface vlan-interface 30
[SwitchA-Vlan-interface30] ip address 192.168.30.1 24
[SwitchA-Vlan-interface30] quit
# Switch GigabitEthernet1/0/4 to Layer 3 (route) mode and assign an IP address.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchA-GigabitEthernet1/0/4] ip address 10.1.1.1 30
[SwitchA-GigabitEthernet1/0/4] quit
# Configure a static route to steer upstream traffic.
[SwitchA] ip route-static 20.1.1.0 24 10.1.1.2
# Create VLAN 100 and VLAN 200, and assign GigabitEthernet1/0/1 to VLAN 100 and GigabitEthernet1/0/2 to VLAN 200.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] port gigabitethernet 1/0/1
[SwitchB-vlan100] quit
[SwitchB] vlan 200
[SwitchB-vlan200] port gigabitethernet 1/0/2
[SwitchB-vlan200] quit
# Create Layer 2 aggregate interface 1 as a trunk port and permit packets of VLAN 100 and VLAN 200.
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] port link-type trunk
[SwitchB-Bridge-Aggregation1] port trunk permit vlan 100 200
[SwitchB-Bridge-Aggregation1] quit
# Assign ports FortyGigE2/0/1 and FortyGigE2/0/2 to aggregation group 1.
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
# Switch GigabitEthernet1/0/1 to Layer 3 (route) mode and assign an IP address.
<SwitchC> system-view
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchC-GigabitEthernet1/0/1] ip address 10.1.1.6 30
[SwitchC-GigabitEthernet1/0/1] quit
# Switch GigabitEthernet1/0/2 to Layer 3 (route) mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Configure static routes to steer downstream traffic.
[SwitchC] ip route-static 192.168.10.0 24 10.1.1.5
[SwitchC] ip route-static 192.168.20.0 24 10.1.1.5
[SwitchC] ip route-static 192.168.30.0 24 10.1.1.5
# Create Layer 3 aggregate interface 1.
<Device> system-view
[Device] interface route-aggregation 1
[Device-Route-Aggregation1] quit
# Create Layer 3 aggregate subinterfaces Route-Aggregation1.100 and Route-Aggregation1.200, enable Dot1q termination for VLAN 100 and VLAN 200 respectively, and assign IP addresses.
[Device] interface route-aggregation 1.100
[Device-Route-Aggregation1.100] vlan-type dot1q vid 100
[Device-Route-Aggregation1.100] ip address 10.1.1.2 30
[Device-Route-Aggregation1.100] quit
[Device] interface route-aggregation 1.200
[Device-Route-Aggregation1.200] vlan-type dot1q vid 200
[Device-Route-Aggregation1.200] ip address 10.1.1.5 30
[Device-Route-Aggregation1.200] quit
# Assign FortyGigE1/0/1 and FortyGigE1/0/2 to aggregation group 1.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-aggregation group 1
[Device-if-range] quit
# Add Route-Aggregation1.100 to security zone Trust and Route-Aggregation1.200 to security zone Untrust.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface route-aggregation 1.100
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface route-aggregation 1.200
[Device-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the two zones.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-0-trust-untrust] action pass
[Device-security-policy-ip-0-trust-untrust] source-zone trust
[Device-security-policy-ip-0-trust-untrust] destination-zone untrust
[Device-security-policy-ip-0-trust-untrust] quit
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-1-untrust-trust] action pass
[Device-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-security-policy-ip-1-untrust-trust] quit
[Device-security-policy-ip] quit
# Configure static routes to steer upstream and downstream traffic.
[Device] ip route-static 192.168.10.0 24 10.1.1.1
[Device] ip route-static 192.168.20.0 24 10.1.1.1
[Device] ip route-static 192.168.30.0 24 10.1.1.1
[Device] ip route-static 20.1.1.0 24 10.1.1.6
# On Host A, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# On Host B, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# On Host C, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on Device; sessions between the hosts and 20.1.1.1 are present.
[Device] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.100
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
ip route-static 20.1.1.0 24 10.1.1.2
#
#
vlan 100
#
vlan 200
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 100 200
#
interface FortyGigE2/0/1
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-aggregation group 1
#
interface GigabitEthernet1/0/1
port access vlan 100
#
interface GigabitEthernet1/0/2
port access vlan 200
#
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.1.1.6 255.255.255.252
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
ip route-static 192.168.10.0 24 10.1.1.5
ip route-static 192.168.20.0 24 10.1.1.5
ip route-static 192.168.30.0 24 10.1.1.5
#
#
interface Route-Aggregation1
#
interface Route-Aggregation1.100
ip address 10.1.1.2 255.255.255.252
vlan-type dot1q vid 100
#
interface Route-Aggregation1.200
ip address 10.1.1.5 255.255.255.252
vlan-type dot1q vid 200
#
interface FortyGigE1/0/1
port link-aggregation group 1
#
interface FortyGigE1/0/2
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.100
#
security-zone name Untrust
import interface Route-Aggregation1.200
#
ip route-static 20.1.1.0 24 10.1.1.6
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, a SecBlade card (Device) is deployed in aggregation switch Switch B to protect the traffic. The requirements are as follows:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently passes traffic between the hosts and the Internet.
· Switch B places its uplink and downlink service ports, and the ports interconnecting with Device, in VLAN 10, VLAN 20 and VLAN 30; it uses QoS redirection to steer upstream and downstream traffic between the hosts and the Internet to Device, and redirects the returning traffic in the opposite direction.
· Device places its uplink and downlink service ports in VLAN 10, VLAN 20 and VLAN 30 and transparently passes traffic between the hosts and the Internet.
· Switch C acts as the gateway of Host A, Host B and Host C and forwards traffic between the hosts and the Internet by looking up its routing table.
Figure 2-4 Network diagram for one-arm deployment of the SecBlade card with Layer 2 traffic redirection
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Switch C | Vlan-interface10 | 192.168.10.1/24
Switch C | Vlan-interface20 | 192.168.20.1/24
Switch C | Vlan-interface30 | 192.168.30.1/24
Switch C | GE1/0/2 | 20.1.1.1/24
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
# Disable MAC address learning on FortyGigE2/0/1 and FortyGigE2/0/2 (prevents MAC address flapping between the two ports).
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] undo mac-address mac-learning enable
[SwitchB-if-range] quit
# Disable the spanning tree protocol on FortyGigE2/0/1 and FortyGigE2/0/2 (prevents STP from blocking the ports so that they can no longer send and receive packets).
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] undo stp enable
[SwitchB-if-range] quit
# Configure GigabitEthernet1/0/1, FortyGigE2/0/1, FortyGigE2/0/2 and GigabitEthernet1/0/2 as trunk ports and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchB] interface range gigabitEthernet 1/0/1 gigabitEthernet 1/0/2 fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] port link-type trunk
[SwitchB-if-range] port trunk permit vlan 10 20 30
[SwitchB-if-range] quit
# Define a traffic class that matches VLAN 10, VLAN 20 and VLAN 30.
[SwitchB] traffic classifier servicevlan
[SwitchB-classifier-servicevlan] if-match service-vlan-id 10 20 30
[SwitchB-classifier-servicevlan] quit
# Define traffic behaviors whose action is to redirect traffic to the corresponding interface.
[SwitchB] traffic behavior gigabitethernet1/0/1
[SwitchB-behavior-gigabitethernet1/0/1] redirect interface gigabitethernet 1/0/1
[SwitchB-behavior-gigabitethernet1/0/1] quit
[SwitchB] traffic behavior gigabitethernet1/0/2
[SwitchB-behavior-gigabitethernet1/0/2] redirect interface gigabitethernet 1/0/2
[SwitchB-behavior-gigabitethernet1/0/2] quit
[SwitchB] traffic behavior fortygige2/0/1
[SwitchB-behavior-fortygige2/0/1] redirect interface fortygige 2/0/1
[SwitchB-behavior-fortygige2/0/1] quit
[SwitchB] traffic behavior fortygige2/0/2
[SwitchB-behavior-fortygige2/0/2] redirect interface fortygige 2/0/2
[SwitchB-behavior-fortygige2/0/2] quit
# Define QoS policies that associate the class with each traffic behavior.
[SwitchB] qos policy gigabitethernet1/0/1
[SwitchB-qospolicy-gigabitethernet1/0/1] classifier servicevlan behavior gigabitethernet1/0/1
[SwitchB-qospolicy-gigabitethernet1/0/1] quit
[SwitchB] qos policy gigabitethernet1/0/2
[SwitchB-qospolicy-gigabitethernet1/0/2] classifier servicevlan behavior gigabitethernet1/0/2
[SwitchB-qospolicy-gigabitethernet1/0/2] quit
[SwitchB] qos policy fortygige2/0/1
[SwitchB-qospolicy-fortygige2/0/1] classifier servicevlan behavior fortygige2/0/1
[SwitchB-qospolicy-fortygige2/0/1] quit
[SwitchB] qos policy fortygige2/0/2
[SwitchB-qospolicy-fortygige2/0/2] classifier servicevlan behavior fortygige2/0/2
[SwitchB-qospolicy-fortygige2/0/2] quit
# Apply the policies to the inbound direction of the ports.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] qos apply policy fortygige2/0/1 inbound
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] qos apply policy fortygige2/0/2 inbound
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface fortygige 2/0/1
[SwitchB-FortyGigE2/0/1] qos apply policy gigabitethernet1/0/1 inbound
[SwitchB-FortyGigE2/0/1] quit
[SwitchB] interface fortygige 2/0/2
[SwitchB-FortyGigE2/0/2] qos apply policy gigabitethernet1/0/2 inbound
[SwitchB-FortyGigE2/0/2] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] vlan 20
[SwitchC-vlan20] quit
[SwitchC] vlan 30
[SwitchC-vlan30] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30
[SwitchC-GigabitEthernet1/0/1] quit
# Create VLAN interfaces for VLAN 10, VLAN 20 and VLAN 30 and assign IP addresses to them.
[SwitchC] interface vlan-interface 10
[SwitchC-Vlan-interface10] ip address 192.168.10.1 24
[SwitchC-Vlan-interface10] quit
[SwitchC] interface vlan-interface 20
[SwitchC-Vlan-interface20] ip address 192.168.20.1 24
[SwitchC-Vlan-interface20] quit
[SwitchC] interface vlan-interface 30
[SwitchC-Vlan-interface30] ip address 192.168.30.1 24
[SwitchC-Vlan-interface30] quit
# Switch GigabitEthernet1/0/2 to Layer 3 (route) mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N]:y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<Device> system-view
[Device] vlan 10
[Device-vlan10] quit
[Device] vlan 20
[Device-vlan20] quit
[Device] vlan 30
[Device-vlan30] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 (bridge) mode.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-mode bridge
[Device-if-range] quit
# Configure FortyGigE1/0/1 and FortyGigE1/0/2 as trunk ports and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-type trunk
[Device-if-range] port trunk permit vlan 10 20 30
[Device-if-range] quit
# Add VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/1 to security zone Trust, and VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/2 to security zone Untrust.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface fortygige 1/0/1 vlan 10 20 30
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface fortygige 1/0/2 vlan 10 20 30
[Device-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the two zones.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-0-trust-untrust] action pass
[Device-security-policy-ip-0-trust-untrust] source-zone trust
[Device-security-policy-ip-0-trust-untrust] destination-zone untrust
[Device-security-policy-ip-0-trust-untrust] quit
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-1-untrust-trust] action pass
[Device-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-security-policy-ip-1-untrust-trust] quit
[Device-security-policy-ip] quit
# On Host A, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# On Host B, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# On Host C, ping the Internet address 20.1.1.1 to verify connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on Device; sessions between the hosts and 20.1.1.1 are present.
[Device] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/10/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/20/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/30/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
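The session table check above is the same verification used in the Layer 3 inline examples (Figures 2-2 and 2-3) and in this one-arm example. As an added example that is not part of this guide or of Comware, the following Python script parses the output of display session table ipv4 and compares each host's session with the VLAN, inbound interface and security zone it is expected to use, so that a host whose traffic enters Device on the wrong port or zone, or never reaches Device, is reported. The sample output, the EXPECTED_HOSTS inventory and the destination 20.1.1.1 are constructed from the one-arm deployment above, with the third session deliberately altered.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, NOT captured from a real device: the shape of
# "display session table ipv4" as printed in this guide, with the third
# session deliberately altered so that it arrives on the wrong port and zone.
SAMPLE_OUTPUT = """\
Slot 1:
Initiator:
  Source      IP/port: 192.168.10.15/12005
  Destination IP/port: 20.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/10/-
  Protocol: ICMP(1)
  Inbound interface: FortyGigE1/0/1
  Source security zone: Trust
Initiator:
  Source      IP/port: 192.168.20.15/12005
  Destination IP/port: 20.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/20/-
  Protocol: ICMP(1)
  Inbound interface: FortyGigE1/0/1
  Source security zone: Trust
Initiator:
  Source      IP/port: 192.168.30.15/12005
  Destination IP/port: 20.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/30/-
  Protocol: ICMP(1)
  Inbound interface: FortyGigE1/0/2
  Source security zone: Untrust
"""

# Hypothetical host inventory for the one-arm example: the VLAN, Device port
# and security zone that each host's upstream traffic is expected to use.
EXPECTED_HOSTS = {
    "192.168.10.15": {"vlan": 10, "inbound_if": "FortyGigE1/0/1", "zone": "Trust"},
    "192.168.20.15": {"vlan": 20, "inbound_if": "FortyGigE1/0/1", "zone": "Trust"},
    "192.168.30.15": {"vlan": 30, "inbound_if": "FortyGigE1/0/1", "zone": "Trust"},
}

_FIELDS = {
    "src": re.compile(r"Source\s+IP/port:\s*(\S+)/(\d+)"),
    "dst": re.compile(r"Destination\s+IP/port:\s*(\S+)/(\d+)"),
    "ids": re.compile(r"VPN instance/VLAN ID/Inline ID:\s*(\S+)/(\S+)/(\S+)"),
    "proto": re.compile(r"Protocol:\s*(\S+)"),
    "iface": re.compile(r"Inbound interface:\s*(\S+)"),
    "zone": re.compile(r"Source security zone:\s*(\S+)"),
}

def _opt_int(token: str) -> Optional[int]:
    """'-' means the field is unset; anything else is numeric."""
    return None if token == "-" else int(token)

def parse_session_table(text: str) -> List[Dict]:
    """Split the output into one record per session, keyed by the initiator fields."""
    sessions = []
    for block in re.split(r"^\s*Initiator:[ \t]*\n", text, flags=re.M)[1:]:
        found = {name: pat.search(block) for name, pat in _FIELDS.items()}
        if not all(found.values()):
            continue  # truncated record: skip it rather than guess
        sessions.append({
            "src_ip": found["src"].group(1),
            "src_port": int(found["src"].group(2)),
            "dst_ip": found["dst"].group(1),
            "dst_port": int(found["dst"].group(2)),
            "vpn": None if found["ids"].group(1) == "-" else found["ids"].group(1),
            "vlan": _opt_int(found["ids"].group(2)),
            "protocol": found["proto"].group(1),
            "inbound_if": found["iface"].group(1),
            "zone": found["zone"].group(1),
        })
    return sessions

def check_sessions(sessions: List[Dict], expected: Dict, dst_ip: str) -> List[str]:
    """Compare each host's session to the expected path and list every deviation."""
    problems, seen = [], set()
    for s in sessions:
        if s["dst_ip"] != dst_ip:
            continue
        seen.add(s["src_ip"])
        want = expected.get(s["src_ip"])
        if want is None:
            problems.append(f"{s['src_ip']}: source not in host inventory")
            continue
        for key in ("vlan", "inbound_if", "zone"):
            if s[key] != want[key]:
                problems.append(f"{s['src_ip']}: {key} is {s[key]!r}, expected {want[key]!r}")
    for ip in expected:
        if ip not in seen:
            problems.append(f"{ip}: no session to {dst_ip}, traffic is not reaching Device")
    return problems

if __name__ == "__main__":
    for line in check_sessions(parse_session_table(SAMPLE_OUTPUT), EXPECTED_HOSTS, "20.1.1.1"):
        print(line)
```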
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
vlan 10
#
vlan 20
#
vlan 30
#
traffic classifier servicevlan
if-match service-vlan-id 10 20 30
#
traffic behavior gigabitethernet1/0/1
redirect interface gigabitethernet 1/0/1
#
traffic behavior gigabitethernet1/0/2
redirect interface gigabitethernet 1/0/2
#
traffic behavior fortygige2/0/1
redirect interface fortygige 2/0/1
#
traffic behavior fortygige2/0/2
redirect interface fortygige 2/0/2
#
qos policy gigabitethernet1/0/1
classifier servicevlan behavior gigabitethernet1/0/1
#
qos policy gigabitethernet1/0/2
classifier servicevlan behavior gigabitethernet1/0/2
#
qos policy fortygige2/0/1
classifier servicevlan behavior fortygige2/0/1
#
qos policy fortygige2/0/2
classifier servicevlan behavior fortygige2/0/2
#
interface FortyGigE2/0/1
port link-type trunk
port trunk permit vlan 10 20 30
undo stp enable
undo mac-address mac-learning enable
qos apply policy gigabitethernet1/0/1 inbound
#
interface FortyGigE2/0/2
port link-type trunk
port trunk permit vlan 10 20 30
undo stp enable
undo mac-address mac-learning enable
qos apply policy gigabitethernet1/0/2 inbound
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy fortygige2/0/1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy fortygige2/0/2 inbound
#
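The redirect pairing on Switch B has to be symmetric (traffic entering GigabitEthernet1/0/1 is redirected to FortyGigE2/0/1, and traffic entering FortyGigE2/0/1 is redirected back to GigabitEthernet1/0/1), otherwise one direction of a flow never passes through Device. The following Python check is an added example, not part of this guide or of Comware: it resolves interface -> policy -> behavior -> redirect target from a saved configuration and reports asymmetric hairpins, and Device-facing ports that still have MAC address learning or STP enabled. The configuration text and the DEVICE_PORTS set are constructed from the Switch B example above.

```python
import re
# Constructed sample, not a device capture: the Switch B part of the one-arm (QoS
# redirect) deployment above, in "display current-configuration" form; VLAN and
# trunk lines are omitted because this check does not inspect them.
SWITCHB_CONFIG = """\
#
traffic behavior gigabitethernet1/0/1
 redirect interface gigabitethernet 1/0/1
#
traffic behavior gigabitethernet1/0/2
 redirect interface gigabitethernet 1/0/2
#
traffic behavior fortygige2/0/1
 redirect interface fortygige 2/0/1
#
traffic behavior fortygige2/0/2
 redirect interface fortygige 2/0/2
#
qos policy gigabitethernet1/0/1
 classifier servicevlan behavior gigabitethernet1/0/1
#
qos policy gigabitethernet1/0/2
 classifier servicevlan behavior gigabitethernet1/0/2
#
qos policy fortygige2/0/1
 classifier servicevlan behavior fortygige2/0/1
#
qos policy fortygige2/0/2
 classifier servicevlan behavior fortygige2/0/2
#
interface FortyGigE2/0/1
 undo stp enable
 undo mac-address mac-learning enable
 qos apply policy gigabitethernet1/0/1 inbound
#
interface FortyGigE2/0/2
 undo stp enable
 undo mac-address mac-learning enable
 qos apply policy gigabitethernet1/0/2 inbound
#
interface GigabitEthernet1/0/1
 qos apply policy fortygige2/0/1 inbound
#
interface GigabitEthernet1/0/2
 qos apply policy fortygige2/0/2 inbound
#
"""

# Switch B ports that connect to the SecBlade card (assumption taken from the example).
DEVICE_PORTS = {"FortyGigE2/0/1", "FortyGigE2/0/2"}
# Settings the guide applies to those ports (no MAC learning, no STP).
REQUIRED_ON_DEVICE_PORTS = ("undo mac-address mac-learning enable", "undo stp enable")

def _norm(name):
    # Canonical form: 'gigabitethernet 1/0/1' and 'GigabitEthernet1/0/1' compare equal.
    return name.lower().replace(" ", "")

def parse_sections(config):
    # Split a Comware config into '#'-delimited sections of stripped lines.
    sections, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                sections.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return sections + ([cur] if cur else [])

def check_redirects(config, device_ports):
    """Resolve interface -> policy -> behavior -> redirect target; verify hairpin symmetry."""
    behaviors, policies, ifaces = {}, {}, {}  # behavior->target, policy->behavior, iface->lines
    for sec in parse_sections(config):
        head, body = sec[0], sec[1:]
        if head.startswith("traffic behavior "):
            for m in filter(None, (re.match(r"redirect interface (.+)", l) for l in body)):
                behaviors[head.split(" ", 2)[2]] = _norm(m.group(1))
        elif head.startswith("qos policy "):
            for m in filter(None, (re.match(r"classifier \S+ behavior (\S+)", l) for l in body)):
                policies[head.split(" ", 2)[2]] = m.group(1)
        elif head.startswith("interface "):
            ifaces[_norm(head[len("interface "):])] = body
    redirect_of = {}  # interface -> where its inbound traffic is redirected
    for name, body in ifaces.items():
        for m in filter(None, (re.match(r"qos apply policy (\S+) inbound", l) for l in body)):
            target = behaviors.get(policies.get(m.group(1), ""))
            if target:
                redirect_of[name] = target
    findings = []
    for src, dst in redirect_of.items():
        if dst not in ifaces:
            findings.append(f"{src}: redirects to {dst}, which has no interface section")
        elif redirect_of.get(dst) != src:
            findings.append(f"{src} -> {dst} but {dst} -> {redirect_of.get(dst)}: return path is asymmetric")
    for port in sorted(device_ports):
        body = ifaces.get(_norm(port), [])
        findings += [f"{port}: missing '{req}'" for req in REQUIRED_ON_DEVICE_PORTS if req not in body]
    return findings
```

An empty result means every redirect has a matching reverse redirect and both Device-facing ports carry the required settings; run it against display current-configuration output after any change to the QoS policies.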
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
#
#
vlan 10
#
vlan 20
#
vlan 30
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
security-zone name Trust
import interface FortyGigE1/0/1 vlan 10 20 30
#
security-zone name Untrust
import interface FortyGigE1/0/2 vlan 10 20 30
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, a SecBlade card (Device) is deployed in aggregation switch Switch B to protect the traffic. The requirements are as follows:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently passes traffic between the hosts and the Internet.
· Switch B places its downlink service port in VLAN 10, VLAN 20 and VLAN 30, its uplink service port in VLAN 40, VLAN 50 and VLAN 60, and the ports interconnecting with Device in VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60, so that upstream and downstream traffic between the hosts and the Internet is passed transparently through Device.
· On Device, downlink service traffic is carried in VLAN 10, VLAN 20 and VLAN 30 and uplink service traffic in VLAN 40, VLAN 50 and VLAN 60; Device forwards traffic between the hosts and the Internet across these VLANs.
· Switch C acts as the gateway of Host A, Host B and Host C and forwards traffic between the hosts and the Internet by looking up its routing table.
Figure 2-5 Network diagram for transparent inline deployment of the SecBlade card
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Switch C | Vlan-interface40 | 192.168.10.1/24
Switch C | Vlan-interface50 | 192.168.20.1/24
Switch C | Vlan-interface60 | 192.168.30.1/24
Switch C | GE1/0/2 | 20.1.1.1/24
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] vlan 40
[SwitchB-vlan40] quit
[SwitchB] vlan 50
[SwitchB-vlan50] quit
[SwitchB] vlan 60
[SwitchB-vlan60] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2 as a trunk port and permit packets of VLAN 40, VLAN 50 and VLAN 60 to pass.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 40 50 60
[SwitchB-GigabitEthernet1/0/2] quit
# Create Layer 2 aggregate interface 1 as a trunk port and permit packets of VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60 to pass.
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] port link-type trunk
[SwitchB-Bridge-Aggregation1] port trunk permit vlan 10 20 30 40 50 60
[SwitchB-Bridge-Aggregation1] quit
# Assign ports FortyGigE2/0/1 and FortyGigE2/0/2 to aggregation group 1.
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 60.
<SwitchC> system-view
[SwitchC] vlan 40
[SwitchC-vlan40] quit
[SwitchC] vlan 50
[SwitchC-vlan50] quit
[SwitchC] vlan 60
[SwitchC-vlan60] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit packets of VLAN 40, VLAN 50 and VLAN 60 to pass.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 40 50 60
[SwitchC-GigabitEthernet1/0/1] quit
# Create VLAN-interfaces 40, 50 and 60 and configure their IP addresses.
[SwitchC] interface vlan-interface 40
[SwitchC-Vlan-interface40] ip address 192.168.10.1 24
[SwitchC-Vlan-interface40] quit
[SwitchC] interface vlan-interface 50
[SwitchC-Vlan-interface50] ip address 192.168.20.1 24
[SwitchC-Vlan-interface50] quit
[SwitchC] interface vlan-interface 60
[SwitchC-Vlan-interface60] ip address 192.168.30.1 24
[SwitchC-Vlan-interface60] quit
# Switch GigabitEthernet1/0/2 to Layer 3 mode and configure its IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N]:y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60.
<Device> system-view
[Device] vlan 10
[Device-vlan10] quit
[Device] vlan 20
[Device-vlan20] quit
[Device] vlan 30
[Device-vlan30] quit
[Device] vlan 40
[Device-vlan40] quit
[Device] vlan 50
[Device-vlan50] quit
[Device] vlan 60
[Device-vlan60] quit
# Create Layer 2 aggregate interface 1 as a trunk port and permit packets of VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60 to pass.
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] port link-type trunk
[Device-Bridge-Aggregation1] port trunk permit vlan 10 20 30 40 50 60
[Device-Bridge-Aggregation1] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 mode and assign them to aggregation group 1.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-mode bridge
[Device-if-range] port link-aggregation group 1
[Device-if-range] quit
# Add VLAN 10, VLAN 20 and VLAN 30 to security zone Trust, and VLAN 40, VLAN 50 and VLAN 60 to security zone Untrust.
[Device] security-zone name trust
[Device-security-zone-Trust] import vlan 10 20 30
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import vlan 40 50 60
[Device-security-zone-Untrust] quit
# Configure a security policy that allows inter-zone packets to pass.
[Device] security-policy ip
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-0-trust-untrust] action pass
[Device-security-policy-ip-0-trust-untrust] source-zone trust
[Device-security-policy-ip-0-trust-untrust] destination-zone untrust
[Device-security-policy-ip-0-trust-untrust] quit
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-1-untrust-trust] action pass
[Device-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-security-policy-ip-1-untrust-trust] quit
[Device-security-policy-ip] quit
# Create inter-VLAN forwarding instances Bridge 1, Bridge 2 and Bridge 3, and add the VLANs that need to communicate with each other to each instance.
[Device] bridge 1 inter-vlan
[Device-bridge-1-inter-vlan] add vlan 10 40
[Device-bridge-1-inter-vlan] quit
[Device] bridge 2 inter-vlan
[Device-bridge-2-inter-vlan] add vlan 20 50
[Device-bridge-2-inter-vlan] quit
[Device] bridge 3 inter-vlan
[Device-bridge-3-inter-vlan] add vlan 30 60
[Device-bridge-3-inter-vlan] quit
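The transparent inline design above only works if three pieces of the Device configuration agree with each other: each inter-VLAN bridge must join exactly one Trust VLAN with one Untrust VLAN, the trunk towards Switch B must permit every bridged VLAN, and the security policy must pass traffic in both directions between the zones. The following Python checker is an added example, not H3C tooling; it parses a Comware-style running configuration (the text embedded in it is constructed to mirror the Device configuration built in this section, with the VLAN definition blocks omitted) and reports any of those mismatches. The function names are this example's own.

```python
"""Consistency check for a transparent inline SecBlade configuration.
Added example, not H3C tooling: it parses a Comware-style configuration like the
Device configuration built in this section and verifies that every inter-VLAN
bridge pairs one Trust VLAN with one Untrust VLAN, that the trunk towards the
switch permits every bridged VLAN, and that the security policy passes traffic
both ways. The text below is constructed to mirror the page's configuration
(VLAN definition blocks omitted); the function names are this example's own."""

DEVICE_CONFIG = """\
bridge 1 inter-vlan
 add vlan 10 40
#
bridge 2 inter-vlan
 add vlan 20 50
#
bridge 3 inter-vlan
 add vlan 30 60
#
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 10 20 30 40 50 60
#
security-zone name Trust
 import vlan 10 20 30
#
security-zone name Untrust
 import vlan 40 50 60
#
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
 rule 1 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust
#
"""


def _blocks(config):
    """Split the config into (header, body_lines) pairs on the '#' separator lines."""
    blocks, cur = [], []
    for line in (l.strip() for l in config.splitlines() + ["#"]):
        if line != "#":
            if line:
                cur.append(line)
        elif cur:
            blocks.append((cur[0], cur[1:]))
            cur = []
    return blocks


def _vlans(tokens):
    """Expand a VLAN list such as ['10', '20', '40', 'to', '60'] into a set of ints."""
    out, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1)); i += 3
        else:
            out.add(int(tokens[i])); i += 1
    return out


def parse_config(config):
    """Collect zone VLAN membership, inter-vlan bridges, trunk permits and policy rules."""
    zones, bridges, trunks, rules = {}, {}, {}, []
    for header, body in _blocks(config):
        h, body = header.split(), [l.split() for l in body]
        if h[:2] == ["security-zone", "name"]:
            zone = zones.setdefault(h[2].lower(), set())
            zone.update(*(_vlans(t[2:]) for t in body if t[:2] == ["import", "vlan"]))
        elif h[0] == "bridge" and h[2:] == ["inter-vlan"]:
            bridges[int(h[1])] = set().union(*(_vlans(t[2:]) for t in body if t[:2] == ["add", "vlan"]))
        elif h[0] == "interface":
            for t in body:
                if t[:4] == ["port", "trunk", "permit", "vlan"]:
                    trunks[h[1]] = _vlans(t[4:])
        elif h[:2] == ["security-policy", "ip"]:
            for t in body:
                if t[0] == "rule":            # 'rule 0 name trust-untrust' starts a new rule
                    rules.append({})
                elif rules and len(t) == 2:   # action / source-zone / destination-zone
                    rules[-1][t[0]] = t[1].lower()
    return zones, bridges, trunks, rules


def check_inline_deployment(config, trunk="Bridge-Aggregation1"):
    """Return a list of findings; an empty list means the configuration is consistent."""
    zones, bridges, trunks, rules = parse_config(config)
    trust, untrust = zones.get("trust", set()), zones.get("untrust", set())
    findings, bridged = [], set()
    for bid, vlans in sorted(bridges.items()):
        bridged |= vlans
        if len(vlans) != 2 or len(vlans & trust) != 1 or len(vlans & untrust) != 1:
            findings.append(f"bridge {bid}: VLANs {sorted(vlans)} do not pair one Trust VLAN with one Untrust VLAN")
    missing = sorted(bridged - trunks.get(trunk, set()))
    if missing:
        findings.append(f"{trunk}: bridged VLANs {missing} are not permitted on the trunk")
    for v in sorted((trust | untrust) - bridged):
        findings.append(f"VLAN {v} is in a zone but in no inter-vlan bridge, so its traffic is not forwarded")
    passes = {(r.get("source-zone"), r.get("destination-zone")) for r in rules if r.get("action") == "pass"}
    for src, dst in (("trust", "untrust"), ("untrust", "trust")):
        if (src, dst) not in passes:
            findings.append(f"security-policy: no pass rule from {src} to {dst}")
    return findings
```

Run `check_inline_deployment(DEVICE_CONFIG)` against the text of a `display current-configuration` capture; an empty list means the bridges, trunk and policy line up. A bridge that pairs two Trust VLANs, or a VLAN that is in a zone but in no bridge, silently blackholes that VLAN's traffic, which is why the check reports those cases rather than only the missing policy rules.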
# Ping the Internet address 20.1.1.1 from Host A; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on Device; sessions between the hosts and 20.1.1.1 exist.
[Device] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/10/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/20/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/30/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
#
interface FortyGigE2/0/1
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-aggregation group 1
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 40 50 60
#
#
vlan 40
#
vlan 50
#
vlan 60
#
interface Vlan-interface40
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface50
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface60
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 40 50 60
#
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
bridge 1 inter-vlan
add vlan 10 40
#
bridge 2 inter-vlan
add vlan 20 50
#
bridge 3 inter-vlan
add vlan 30 60
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
#
interface FortyGigE1/0/1
port link-mode bridge
port link-aggregation group 1
#
interface FortyGigE1/0/2
port link-mode bridge
port link-aggregation group 1
#
security-zone name Trust
import vlan 10 20 30
#
security-zone name Untrust
import vlan 40 50 60
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security reasons, a SecBlade card (Device) is to be deployed on aggregation switch Switch B for traffic monitoring. The requirements are as follows:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively, acts as their gateway, and forwards the traffic from the hosts to the Internet by looking up its routing table.
· Switch B connects to Switch A, Switch C and Device at Layer 2, transparently passes the upstream and downstream traffic between the hosts and the Internet, and copies the traffic to Device through port mirroring.
· Device connects to Switch B at Layer 2, performs the required service processing on the received mirrored traffic, and then discards it through a blackhole-mode bridge.
· Switch C connects to Switch A at Layer 3 and forwards the traffic between the hosts and the Internet by looking up its routing table.
Figure 2-6 Network diagram for one-arm deployment of a SecBlade card with port mirroring
| Device | Interface | IP address |
| --- | --- | --- |
| Host A | - | 192.168.10.15/24 |
| Host B | - | 192.168.20.15/24 |
| Host C | - | 192.168.30.15/24 |
| Switch A | GE1/0/4 | 10.1.1.1/30 |
| | Vlan-interface 10 | 192.168.10.1/24 |
| | Vlan-interface 20 | 192.168.20.1/24 |
| | Vlan-interface 30 | 192.168.30.1/24 |
| Switch C | GE1/0/1 | 10.1.1.2/30 |
| | GE1/0/2 | 20.1.1.1/24 |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Create VLAN-interfaces 10, 20 and 30 and configure their IP addresses.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 20
[SwitchA-Vlan-interface20] ip address 192.168.20.1 24
[SwitchA-Vlan-interface20] quit
[SwitchA] interface vlan-interface 30
[SwitchA-Vlan-interface30] ip address 192.168.30.1 24
[SwitchA-Vlan-interface30] quit
# Switch GigabitEthernet1/0/4 to Layer 3 mode and configure its IP address.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchA-GigabitEthernet1/0/4] ip address 10.1.1.1 30
[SwitchA-GigabitEthernet1/0/4] quit
# Configure a static route to direct upstream traffic.
[SwitchA] ip route-static 20.1.1.0 24 10.1.1.2
# Create Layer 2 aggregate interface 1.
<SwitchB> system-view
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] quit
# Assign FortyGigE2/0/1 and FortyGigE2/0/2 to aggregation group 1.
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
# Configure port mirroring to copy the traffic to Layer 2 aggregate interface 1.
[SwitchB] mirroring-group 1 local
[SwitchB] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound
[SwitchB] mirroring-group 1 mirroring-port gigabitethernet 1/0/2 inbound
[SwitchB] mirroring-group 1 monitor-port bridge-aggregation 1
# Switch GigabitEthernet1/0/1 to Layer 3 mode and configure its IP address.
<SwitchC> system-view
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchC-GigabitEthernet1/0/1] ip address 10.1.1.2 30
[SwitchC-GigabitEthernet1/0/1] quit
# Switch GigabitEthernet1/0/2 to Layer 3 mode and configure its IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Configure static routes to direct downstream traffic.
[SwitchC] ip route-static 192.168.10.0 24 10.1.1.1
[SwitchC] ip route-static 192.168.20.0 24 10.1.1.1
[SwitchC] ip route-static 192.168.30.0 24 10.1.1.1
# Create Layer 2 aggregate interface 1.
<Device> system-view
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 mode and assign them to aggregation group 1.
[Device] interface range fortygige 1/0/1 fortygige 1/0/2
[Device-if-range] port link-mode bridge
[Device-if-range] port link-aggregation group 1
[Device-if-range] quit
# Add VLAN 1 of BAGG1 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface bridge-aggregation 1 vlan 1
[Device-security-zone-Untrust] quit
# Create blackhole-mode bridge instance 1 and add interface BAGG1 to it.
[Device] bridge 1 blackhole
[Device-bridge-1-blackhole] add interface bridge-aggregation 1
[Device-bridge-1-blackhole] quit
# Ping the Internet address 20.1.1.1 from Host A; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the port connected to Switch B on Device; its unicast packet count increases with the number of pings sent from the hosts.
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
ip route-static 20.1.1.0 24 10.1.1.2
#
#
mirroring-group 1 local
#
interface Bridge-Aggregation1
mirroring-group 1 monitor-port
#
interface GigabitEthernet1/0/1
mirroring-group 1 mirroring-port inbound
#
interface GigabitEthernet1/0/2
mirroring-group 1 mirroring-port inbound
#
interface FortyGigE2/0/1
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-aggregation group 1
#
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
#
bridge 1 blackhole
add interface Bridge-Aggregation1
#
interface Bridge-Aggregation1
#
interface FortyGigE1/0/1
port link-mode bridge
port link-aggregation group 1
#
interface FortyGigE1/0/2
port link-mode bridge
port link-aggregation group 1
#
security-zone name Untrust
import interface Bridge-Aggregation1 vlan 1
#
The LSQM1ADEDSC0, LSWM1ADED0 and LSUM1ADECEA0 SecBlade cards are load balancing products. Because a load balancing device permits traffic on all interfaces by default, no security zones or security policies need to be configured for them. The card deployments in this section all configure security zones and security policies; for the products above, configure security zones and security policies only as needed.
Host A, Host B and Host C communicate with the Internet through access switch Switch and router Router. For security reasons, two SecBlade cards, Device A and Device B, are to be deployed on Router to provide security protection. The requirements are as follows:
· Switch places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently forwards the traffic between the hosts and the Internet.
· Router connects to the hosts, the Internet and the Devices at Layer 3, redirects the upstream and downstream traffic to the Devices through policy-based routing, and forwards the traffic returned by the Devices by looking up its routing table.
· The Devices connect to Router at Layer 3 and forward the traffic between the hosts and the Internet by looking up their static routing tables; Device A and Device B work in active/standby backup.
Figure 3-1 Network diagram for active/standby one-arm deployment of SecBlade cards with Layer 3 traffic redirection
Figure 3-2 Logical network diagram for active/standby one-arm deployment of SecBlade cards with Layer 3 traffic redirection
| Device | Interface | IP address | Device | Interface | IP address |
| --- | --- | --- | --- | --- | --- |
| Host A | - | 192.168.10.15/24 | Device A | FGE1/0/1 | 10.1.1.2/24 |
| Host B | - | 192.168.20.15/24 | | FGE1/0/2 | 10.1.2.2/24 |
| Host C | - | 192.168.30.15/24 | | FGE1/0/3 | 1.1.1.1/30 |
| Router | GE1/0/1.10 | 192.168.10.1/24 | Device B | FGE1/0/1 | 10.1.1.3/24 |
| | GE1/0/1.20 | 192.168.20.1/24 | | FGE1/0/2 | 10.1.2.3/24 |
| | GE1/0/1.30 | 192.168.30.1/24 | | FGE1/0/3 | 1.1.1.2/30 |
| | GE1/0/2 | 20.1.1.1/24 | | | |
| | Vlan-interface40 | 10.1.1.1/24 | | | |
| | Vlan-interface50 | 10.1.2.1/24 | | | |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Configure the IP address of GigabitEthernet1/0/2.
<Router> system-view
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20 and GigabitEthernet1/0/1.30, enable Dot1q termination on them to terminate VLAN 10, VLAN 20 and VLAN 30 respectively, and configure their IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Switch FortyGigE2/0/1, FortyGigE2/0/2, FortyGigE2/0/3, FortyGigE3/0/1, FortyGigE3/0/2 and FortyGigE3/0/3 to Layer 2 mode.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2 fortygige 2/0/3 fortygige 3/0/1 fortygige 3/0/2 fortygige 3/0/3
[Router-if-range] port link-mode bridge
[Router-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 1111. Assign FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50, and FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
[Router] vlan 40
[Router-vlan40] port fortygige 2/0/1 fortygige 3/0/1
[Router-vlan40] quit
[Router] vlan 50
[Router-vlan50] port fortygige 2/0/2 fortygige 3/0/2
[Router-vlan50] quit
[Router] vlan 1111
[Router-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[Router-vlan1111] quit
# Create VLAN-interfaces 40 and 50 and configure their IP addresses.
[Router] interface vlan-interface 40
[Router-Vlan-interface40] ip address 10.1.1.1 24
[Router-Vlan-interface40] quit
[Router] interface vlan-interface 50
[Router-Vlan-interface50] ip address 10.1.2.1 24
[Router-Vlan-interface50] quit
# Disable fast-forwarding load sharing (to prevent a Layer 3 loop).
[Router] undo ip fast-forwarding load-sharing
# Create IPv4 advanced ACLs to match the upstream and downstream traffic.
[Router] acl advanced 3001
[Router-acl-ipv4-adv-3001] rule permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3001] quit
[Router] acl advanced 3002
[Router-acl-ipv4-adv-3002] rule permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3002] quit
[Router] acl advanced 3003
[Router-acl-ipv4-adv-3003] rule permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3003] quit
[Router] acl advanced 3004
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Router-acl-ipv4-adv-3004] quit
# Configure policy-based routing and apply the policies to the interfaces.
[Router] policy-based-route vlan10out permit node 10
[Router-pbr-vlan10out-10] if-match acl 3001
[Router-pbr-vlan10out-10] apply next-hop 10.1.1.4
[Router-pbr-vlan10out-10] quit
[Router] policy-based-route vlan20out permit node 10
[Router-pbr-vlan20out-10] if-match acl 3002
[Router-pbr-vlan20out-10] apply next-hop 10.1.1.4
[Router-pbr-vlan20out-10] quit
[Router] policy-based-route vlan30out permit node 10
[Router-pbr-vlan30out-10] if-match acl 3003
[Router-pbr-vlan30out-10] apply next-hop 10.1.1.4
[Router-pbr-vlan30out-10] quit
[Router] policy-based-route internetin permit node 10
[Router-pbr-internetin-10] if-match acl 3004
[Router-pbr-internetin-10] apply next-hop 10.1.2.4
[Router-pbr-internetin-10] quit
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] ip policy-based-route vlan10out
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] ip policy-based-route vlan20out
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] ip policy-based-route vlan30out
[Router-GigabitEthernet1/0/1.30] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip policy-based-route internetin
[Router-GigabitEthernet1/0/2] quit
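The ACL and PBR configuration above decides which packets Router hands to the Device pair and which it forwards on its own; getting one ACL or binding wrong quietly bypasses inspection in one direction. The following Python model is an added example, not H3C code: it evaluates the section's four advanced ACLs (with Comware wildcard-mask semantics) and the four policies on their bound inbound interfaces for a few constructed sample packets, and checks that both directions of a host-to-Internet flow land on the VRRP virtual IPs (10.1.1.4 outbound, 10.1.2.4 inbound). ACL numbers, addresses, policy and interface names are the page's; the function names, the sample packets and the address 198.51.100.7 are this example's own.

```python
"""Model of the policy-based-route redirection configured on Router.
Added example (not H3C code): it evaluates the section's four advanced ACLs and
PBR policies against constructed sample packets to show where each is redirected,
and checks that both directions of a host-to-Internet flow are steered through
the Device pair (10.1.1.4 on the way out, 10.1.2.4 on the way back) while traffic
matching no ACL falls through to the routing table. ACL numbers, addresses and
policy names are the page's; function names and sample packets are this example's own."""
import ipaddress

# ACL rules as (source, source-wildcard, destination, destination-wildcard), as on the page
ACLS = {
    3001: [("192.168.10.0", "0.0.0.255", "20.1.1.0", "0.0.0.255")],
    3002: [("192.168.20.0", "0.0.0.255", "20.1.1.0", "0.0.0.255")],
    3003: [("192.168.30.0", "0.0.0.255", "20.1.1.0", "0.0.0.255")],
    3004: [("20.1.1.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
           ("20.1.1.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
           ("20.1.1.0", "0.0.0.255", "192.168.30.0", "0.0.0.255")],
}
# policy-based-route <name> permit node 10: if-match acl -> apply next-hop
POLICIES = {
    "vlan10out": (3001, "10.1.1.4"),
    "vlan20out": (3002, "10.1.1.4"),
    "vlan30out": (3003, "10.1.1.4"),
    "internetin": (3004, "10.1.2.4"),
}
# 'ip policy-based-route <name>' bindings: a policy only sees packets arriving on its interface
BINDINGS = {
    "GigabitEthernet1/0/1.10": "vlan10out",
    "GigabitEthernet1/0/1.20": "vlan20out",
    "GigabitEthernet1/0/1.30": "vlan30out",
    "GigabitEthernet1/0/2": "internetin",
}


def wildcard_match(addr, base, wildcard):
    """Comware wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl_id, src, dst):
    """First match wins; every rule of these ACLs is a permit, so any match redirects."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACLS[acl_id])


def pbr_next_hop(in_if, src, dst):
    """Next hop imposed by PBR, or None when the packet is left to normal routing."""
    policy = BINDINGS.get(in_if)
    if policy is None:
        return None
    acl_id, next_hop = POLICIES[policy]
    return next_hop if acl_permits(acl_id, src, dst) else None


def flow_is_inspected(host, host_if, server="20.1.1.1", server_if="GigabitEthernet1/0/2"):
    """True when both directions of host<->server traffic are redirected to the Device pair."""
    return (pbr_next_hop(host_if, host, server) == "10.1.1.4"
            and pbr_next_hop(server_if, server, host) == "10.1.2.4")


def uninspected_flows(packets):
    """Return the sample packets that bypass the Device pair (no PBR match)."""
    return [p for p in packets if pbr_next_hop(*p) is None]


# Constructed sample packets: (inbound interface, source, destination)
SAMPLE_PACKETS = [
    ("GigabitEthernet1/0/1.10", "192.168.10.15", "20.1.1.1"),       # Host A to Internet
    ("GigabitEthernet1/0/2", "20.1.1.1", "192.168.10.15"),          # reply to Host A
    ("GigabitEthernet1/0/1.20", "192.168.20.15", "192.168.30.15"),  # Host B to Host C
    ("GigabitEthernet1/0/1.30", "192.168.30.15", "198.51.100.7"),   # Host C to another prefix
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", pbr_next_hop(*p) or "routing table")
```

Running the block shows the two host-to-Internet packets redirected to the virtual IPs and the last two left to the routing table: because the ACLs match only 20.1.1.0/24 as the far end, traffic between the host VLANs (routed by Router between its subinterfaces) and traffic to any other Internet prefix is never sent to the Devices. In a real deployment the ACLs must cover every destination that is meant to be inspected, and `flow_is_inspected` is the check to run for each host subnet and destination prefix before trusting the design.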
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2, and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure a security policy that allows inter-zone packets to pass.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to direct upstream and downstream traffic.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2, and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure a security policy that allows inter-zone packets to pass.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to direct upstream and downstream traffic.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] quit
# Run the following display command on Device A to check whether the HA configuration has taken effect and the HA channel has been established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Run the following display command on Device A to view the status of the VRRP groups.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/2 2 Master 100 100 None 10.1.2.4
# Run the following display command on Device B to check whether the HA configuration has taken effect and the HA channel has been established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Standby Interface status changed
# Run the following display command on Device B to view the status of the VRRP groups.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/2 2 Backup 100 100 None 10.1.2.4
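The four display outputs above are what an operator reads to confirm that the pair is healthy; the following Python checker is an added example, not H3C code, that parses that `display remote-backup-group status` and `display vrrp` output and verifies the state the design expects: the primary is Active with every VRRP group Master, the secondary is Standby with every group Backup, the control channel is connected, session hot backup is on, and both members agree on the VRIDs and virtual IPs. The output texts embedded in it are constructed to mirror this section's, with the lines the check does not use omitted; the function names are this example's own.

```python
"""Check the HA state of the Device A / Device B pair from their display output.
Added example (not H3C code): parses the 'display remote-backup-group status' and
'display vrrp' output shown in this section and verifies that the pair is in the
state the design expects: primary Active with every VRRP group Master, secondary
Standby with every group Backup, control channel connected, session hot backup
on, and the same VRIDs and virtual IPs on both members. The output texts below
are constructed to mirror the page's (unused lines omitted); functions are ours."""
import re

DEVICE_A_RBM = """\
Remote backup group information:
  Backup mode: Active/standby
  Device management role: Primary
  Device running status: Active
  Data channel interface: FortyGigE1/0/3
  Local IP: 1.1.1.1
  Remote IP: 1.1.1.2    Destination port: 60064
  Control channel status: Connected
  Session backup status: Hot backup enabled
"""
DEVICE_B_RBM = """\
Remote backup group information:
  Backup mode: Active/standby
  Device management role: Secondary
  Device running status: Standby
  Data channel interface: FortyGigE1/0/3
  Local IP: 1.1.1.2
  Remote IP: 1.1.1.1    Destination port: 60064
  Control channel status: Connected
  Session backup status: Hot backup enabled
"""
DEVICE_A_VRRP = """\
IPv4 Virtual Router Information:
 Running mode : Standard
 RBM control channel is established
 Total number of virtual routers : 2
 Interface          VRID  State        Running Adver   Auth     Virtual
                                       Pri     Timer   Type     IP
 ---------------------------------------------------------------------
 FGE1/0/1           1     Master       100     100     None     10.1.1.4
 FGE1/0/2           2     Master       100     100     None     10.1.2.4
"""
DEVICE_B_VRRP = DEVICE_A_VRRP.replace("Master", "Backup")  # same groups, Backup role


def parse_rbm(text):
    """Turn 'Key: value' lines (two keys may share one line) into a dict."""
    fields = {}
    for line in text.splitlines():
        for part in re.split(r"\s{2,}", line.strip()):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields


VRRP_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\w+)\s+\d+\s+\d+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_vrrp(text):
    """Return {(interface, vrid): (state, virtual_ip)} from the VRRP table rows."""
    groups = {}
    for m in (VRRP_ROW.match(l) for l in text.splitlines()):
        if m:
            groups[(m.group(1), int(m.group(2)))] = (m.group(3), m.group(4))
    return groups


def check_ha_pair(primary_rbm, primary_vrrp, secondary_rbm, secondary_vrrp):
    """Return findings; an empty list means the pair is in the expected active/standby state."""
    a, b = parse_rbm(primary_rbm), parse_rbm(secondary_rbm)
    va, vb = parse_vrrp(primary_vrrp), parse_vrrp(secondary_vrrp)
    findings = []
    for name, f, role, status in (("primary", a, "Primary", "Active"), ("secondary", b, "Secondary", "Standby")):
        if f.get("Device management role") != role or f.get("Device running status") != status:
            findings.append(f"{name}: role/status is {f.get('Device management role')}/{f.get('Device running status')}")
        if f.get("Control channel status") != "Connected":
            findings.append(f"{name}: RBM control channel is not connected")
        if f.get("Session backup status") != "Hot backup enabled":
            findings.append(f"{name}: session hot backup is off, sessions will drop on switchover")
    if (a.get("Local IP"), a.get("Remote IP")) != (b.get("Remote IP"), b.get("Local IP")):
        findings.append("RBM local/remote IPs of the two members do not cross-match")
    if set(va) != set(vb) or any(va[k][1] != vb[k][1] for k in va):
        findings.append("VRRP groups or virtual IPs differ between the members")
    for (ifname, vrid), (state, _) in va.items():
        if state != "Master":
            findings.append(f"primary {ifname} VRID {vrid} is {state}, expected Master")
    for (ifname, vrid), (state, _) in vb.items():
        if state != "Backup":
            findings.append(f"secondary {ifname} VRID {vrid} is {state}, expected Backup")
    return findings
```

Feed the captured output of both devices to `check_ha_pair`; an empty list is the healthy state. The two cases the checker is most useful for are both members reporting Master on the same VRID (a split brain that makes the Router's PBR next hops ambiguous) and session hot backup being off, in which case a switchover drops every established session even though the VRRP side looks fine.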
# Ping the Internet address 20.1.1.1 from Host A; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on Device; sessions between the hosts and 20.1.1.1 exist.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
undo ip fast-forwarding load-sharing
#
vlan 40
#
vlan 50
#
vlan 1111
#
policy-based-route internetin permit node 10
if-match acl 3004
apply next-hop 10.1.2.4
#
policy-based-route vlan10out permit node 10
if-match acl 3001
apply next-hop 10.1.1.4
#
policy-based-route vlan20out permit node 10
if-match acl 3002
apply next-hop 10.1.1.4
#
policy-based-route vlan30out permit node 10
if-match acl 3003
apply next-hop 10.1.1.4
#
interface Vlan-interface40
ip address 10.1.1.1 255.255.255.0
#
interface Vlan-interface50
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1.10
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
ip policy-based-route vlan10out
#
interface GigabitEthernet1/0/1.20
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
ip policy-based-route vlan20out
#
interface GigabitEthernet1/0/1.30
ip address 192.168.30.1 255.255.255.0
vlan-type dot1q vid 30
ip policy-based-route vlan30out
#
interface GigabitEthernet1/0/2
ip address 20.1.1.1 255.255.255.0
ip policy-based-route internetin
#
interface FortyGigE2/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE2/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE2/0/3
port link-mode bridge
port access vlan 1111
#
interface FortyGigE3/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE3/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE3/0/3
port link-mode bridge
port access vlan 1111
#
acl advanced 3001
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3002
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3003
rule 0 permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3004
rule 0 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 5 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#
#
interface FortyGigE1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 active
#
interface FortyGigE1/0/2
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.4 active
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
interface FortyGigE1/0/1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 standby
#
interface FortyGigE1/0/2
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.4 standby
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through the access switch Switch and the router Router. For security reasons, two SecBlade cards, Device A and Device B, are to be deployed in the router Router to provide security protection. The application requirements are as follows:
· Switch places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently forwards the traffic between the hosts and the Internet.
· Router connects to the hosts, the Internet and the Devices at Layer 3. Its downlink interfaces and Vlan-interface40 are placed in VPN instance host, its uplink interface and Vlan-interface50 are placed in VPN instance internet, and it forwards traffic between the hosts and the Internet by static route lookup.
· The Devices connect to Router at Layer 3 and forward traffic between the hosts and the Internet by static route lookup; Device A and Device B work as an active/standby pair.
Figure 3-3 Network diagram: Layer 3 inline active/standby deployment of SecBlade cards (VRF separation)
Figure 3-4 Logical network diagram: Layer 3 inline active/standby deployment of SecBlade cards (VRF separation)
Device | Interface | IP address | Device | Interface | IP address
Host A | - | 192.168.10.15/24 | Device A | FGE1/0/1 | 10.1.1.2/30
Host B | - | 192.168.20.15/24 | | FGE1/0/2 | 10.1.2.2/30
Host C | - | 192.168.30.15/24 | | FGE1/0/3 | 1.1.1.1/30
Router | GE1/0/1.10 | 192.168.10.1/24 | Device B | FGE1/0/1 | 10.1.1.3/30
| GE1/0/1.20 | 192.168.20.1/24 | | FGE1/0/2 | 10.1.2.3/30
| GE1/0/1.30 | 192.168.30.1/24 | | FGE1/0/3 | 1.1.1.2/30
| Vlan-interface40 | 10.1.1.1/24 | | |
| Vlan-interface50 | 10.1.2.1/24 | | |
| GE1/0/2 | 20.1.1.1/24 | | |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Create VPN instances host and internet.
<Router> system-view
[Router] ip vpn-instance host
[Router-vpn-instance-host] quit
[Router] ip vpn-instance internet
[Router-vpn-instance-internet] quit
# Switch FortyGigE2/0/1, FortyGigE2/0/2, FortyGigE2/0/3, FortyGigE3/0/1, FortyGigE3/0/2 and FortyGigE3/0/3 to Layer 2 (bridge) mode.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2 fortygige 2/0/3 fortygige 3/0/1 fortygige 3/0/2 fortygige 3/0/3
[Router-if-range] port link-mode bridge
[Router-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 1111. Assign FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50, and FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
[Router] vlan 40
[Router-vlan40] port fortygige 2/0/1 fortygige 3/0/1
[Router-vlan40] quit
[Router] vlan 50
[Router-vlan50] port fortygige 2/0/2 fortygige 3/0/2
[Router-vlan50] quit
[Router] vlan 1111
[Router-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[Router-vlan1111] quit
# Create VLAN-interfaces 40 and 50, bind them to their VPN instances and assign IP addresses.
[Router] interface vlan-interface 40
[Router-Vlan-interface40] ip binding vpn-instance host
[Router-Vlan-interface40] ip address 10.1.1.1 24
[Router-Vlan-interface40] quit
[Router] interface vlan-interface 50
[Router-Vlan-interface50] ip binding vpn-instance internet
[Router-Vlan-interface50] ip address 10.1.2.1 24
[Router-Vlan-interface50] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20 and GigabitEthernet1/0/1.30, enable Dot1q termination for VLAN 10, VLAN 20 and VLAN 30 respectively, bind them to the VPN instance and assign IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Bind GigabitEthernet1/0/2 to the VPN instance and assign its IP address.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip binding vpn-instance internet
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Configure static routes to direct upstream and downstream traffic.
[Router] ip route-static vpn-instance host 20.1.1.0 24 vpn-instance host 10.1.1.4
[Router] ip route-static vpn-instance internet 192.168.10.0 24 vpn-instance internet 10.1.2.4
[Router] ip route-static vpn-instance internet 192.168.20.0 24 vpn-instance internet 10.1.2.4
[Router] ip route-static vpn-instance internet 192.168.30.0 24 vpn-instance internet 10.1.2.4
# Assign IP addresses to FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2 and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to direct upstream and downstream traffic.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] quit
# Assign IP addresses to FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2 and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to direct upstream and downstream traffic.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] quit
# On Device A, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# On Device A, run the following display command to view the VRRP group status.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/2 2 Master 100 100 None 10.1.2.4
# On Device B, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Standby Interface status changed
# On Device B, run the following display command to view the VRRP group status.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/2 2 Backup 100 100 None 10.1.2.4
# Ping the Internet address 20.1.1.1 from Host A to test connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B to test connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C to test connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the hosts and 20.1.1.1 are present.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
ip vpn-instance host
#
ip vpn-instance internet
#
vlan 40
#
vlan 50
#
vlan 1111
#
interface Vlan-interface40
ip binding vpn-instance host
ip address 10.1.1.1 255.255.255.0
#
interface Vlan-interface50
ip binding vpn-instance internet
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1.10
ip binding vpn-instance host
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
#
interface GigabitEthernet1/0/1.20
ip binding vpn-instance host
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/1.30
ip binding vpn-instance host
ip address 192.168.30.1 255.255.255.0
vlan-type dot1q vid 30
#
interface GigabitEthernet1/0/2
ip binding vpn-instance internet
ip address 20.1.1.1 255.255.255.0
#
interface FortyGigE2/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE2/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE2/0/3
port link-mode bridge
port access vlan 1111
#
interface FortyGigE3/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE3/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE3/0/3
port link-mode bridge
port access vlan 1111
#
ip route-static vpn-instance host 20.1.1.0 24 10.1.1.4
ip route-static vpn-instance internet 192.168.10.0 24 10.1.2.4
ip route-static vpn-instance internet 192.168.20.0 24 10.1.2.4
ip route-static vpn-instance internet 192.168.30.0 24 10.1.2.4
#
#
interface FortyGigE1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 active
#
interface FortyGigE1/0/2
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.4 active
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
interface FortyGigE1/0/1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 standby
#
interface FortyGigE1/0/2
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.4 standby
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through the access switch Switch A, the aggregation switch Switch B and the core switch Switch C. For security reasons, two SecBlade cards, Device A and Device B, are to be deployed in the aggregation switch Switch B to provide security protection. The application requirements are as follows:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively, acts as their gateway, and forwards host-to-Internet traffic by static route lookup.
· Switch B places its downlink service port in VLAN 40 and its uplink service port in VLAN 50, places the interconnect ports to the Devices in VLAN 40 and VLAN 50 respectively, and transparently passes the upstream and downstream traffic between the hosts and the Internet to the Devices.
· The Devices connect to Switch A and Switch C at Layer 3 and forward traffic between the hosts and the Internet by static route lookup; Device A and Device B work as an active/standby pair.
· Switch C connects to the Devices at Layer 3 and forwards Internet-to-host traffic by static route lookup.
Figure 3-5 Network diagram: Layer 3 inline active/standby deployment of SecBlade cards (VLAN separation)
Figure 3-6 Logical network diagram: Layer 3 inline active/standby deployment of SecBlade cards (VLAN separation)
Device | Interface | IP address | Device | Interface | IP address
Host A | - | 192.168.10.15/24 | Device B | FGE1/0/1 | 10.1.1.3/24
Host B | - | 192.168.20.15/24 | | FGE1/0/2 | 10.1.2.3/24
Host C | - | 192.168.30.15/24 | | FGE1/0/3 | 1.1.1.2/30
Switch A | GE1/0/4 | 10.1.1.1/24 | Switch C | GE1/0/1 | 10.1.2.1/24
| Vlan-interface 10 | 192.168.10.1/24 | | GE1/0/2 | 20.1.1.1/24
| Vlan-interface 20 | 192.168.20.1/24 | | |
| Vlan-interface 30 | 192.168.30.1/24 | | |
Device A | FGE1/0/1 | 10.1.1.2/24 | | |
| FGE1/0/2 | 10.1.2.2/24 | | |
| FGE1/0/3 | 1.1.1.1/30 | | |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Create VLAN-interfaces 10, 20 and 30 and assign IP addresses.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 20
[SwitchA-Vlan-interface20] ip address 192.168.20.1 24
[SwitchA-Vlan-interface20] quit
[SwitchA] interface vlan-interface 30
[SwitchA-Vlan-interface30] ip address 192.168.30.1 24
[SwitchA-Vlan-interface30] quit
# Switch GigabitEthernet1/0/4 to Layer 3 (route) mode and assign an IP address.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchA-GigabitEthernet1/0/4] ip address 10.1.1.1 24
[SwitchA-GigabitEthernet1/0/4] quit
# Configure a static route to direct upstream traffic.
[SwitchA] ip route-static 20.1.1.0 24 10.1.1.4
# Create VLAN 40, VLAN 50 and VLAN 1111. Assign GigabitEthernet1/0/1, FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40, GigabitEthernet1/0/2, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50, and FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
<SwitchB> system-view
[SwitchB] vlan 40
[SwitchB-vlan40] port GigabitEthernet 1/0/1 fortygige 2/0/1 fortygige 3/0/1
[SwitchB-vlan40] quit
[SwitchB] vlan 50
[SwitchB-vlan50] port GigabitEthernet 1/0/2 fortygige 2/0/2 fortygige 3/0/2
[SwitchB-vlan50] quit
[SwitchB] vlan 1111
[SwitchB-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[SwitchB-vlan1111] quit
# Switch GigabitEthernet1/0/1 to Layer 3 (route) mode and assign an IP address.
<SwitchC> system-view
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchC-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[SwitchC-GigabitEthernet1/0/1] quit
# Switch GigabitEthernet1/0/2 to Layer 3 (route) mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N] :y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Configure static routes to direct downstream traffic.
[SwitchC] ip route-static 192.168.10.0 24 10.1.2.4
[SwitchC] ip route-static 192.168.20.0 24 10.1.2.4
[SwitchC] ip route-static 192.168.30.0 24 10.1.2.4
# Assign IP addresses to FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2 and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to direct upstream and downstream traffic.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] quit
# Assign IP addresses to FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1 and 2 and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 2 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to direct upstream and downstream traffic.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] quit
# On Device A, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# On Device A, run the following display command to view the VRRP group status.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/2 2 Master 100 100 None 10.1.2.4
# On Device B, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Standby Interface status changed
# On Device B, run the following display command to view the VRRP group status.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/2 2 Backup 100 100 None 10.1.2.4
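The display output above only shows the state the pair has reached; whether the two SecBlade cards are configured as a consistent active/standby pair (same VRRP groups and virtual IPs with opposite roles, mirrored RBM local-ip/remote-ip, one primary and one secondary, identical zones and static routes, and an RBM local-ip that really belongs to the data-channel interface) can also be checked mechanically from their configuration dumps. The following Python script is an added example written for this page, not H3C code; it parses Comware-style dumps constructed from the Device A/Device B values that both the VRF scenario (Figures 3-3/3-4) and the VLAN scenario (Figures 3-5/3-6) use, and reports every inconsistency it finds.

```python
import re
from dataclasses import dataclass, field

def sample_config(fge1, fge2, fge3, vrrp_role, peer_ip, rbm_role):
    """Constructed sample: a Comware-style dump using the page's addresses for one device."""
    return f"""#
interface FortyGigE1/0/1
 ip address {fge1} 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.4 {vrrp_role}
#
interface FortyGigE1/0/2
 ip address {fge2} 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.2.4 {vrrp_role}
#
interface FortyGigE1/0/3
 ip address {fge3} 255.255.255.252
#
security-zone name Trust
 import interface FortyGigE1/0/1
#
security-zone name Untrust
 import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
#
remote-backup group
 data-channel interface FortyGigE1/0/3
 local-ip {fge3}
 remote-ip {peer_ip}
 device-role {rbm_role}
#
"""

DEVICE_A_CFG = sample_config("10.1.1.2", "10.1.2.2", "1.1.1.1", "active", "1.1.1.2", "primary")
DEVICE_B_CFG = sample_config("10.1.1.3", "10.1.2.3", "1.1.1.2", "standby", "1.1.1.1", "secondary")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")
ADDR_RE = re.compile(r"^ip address (\S+) \S+$")

@dataclass
class DeviceConfig:
    addresses: dict = field(default_factory=dict)  # interface -> set of IPv4 addresses
    vrrp: dict = field(default_factory=dict)       # (interface, vrid) -> (virtual-ip, active|standby)
    zones: dict = field(default_factory=dict)      # zone name -> frozenset of member interfaces
    routes: set = field(default_factory=set)       # full "ip route-static ..." lines
    rbm: dict = field(default_factory=dict)        # remote-backup group sub-command -> last token

def _sections(text):
    """Yield (view command, sub-commands) for each '#'-delimited section of a Comware dump."""
    for chunk in re.split(r"(?m)^\s*#\s*$", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def parse_config(text):
    cfg = DeviceConfig()
    for header, subs in _sections(text):
        if header.startswith("interface "):
            iface = header.split(" ", 1)[1]
            for sub in subs:
                if m := ADDR_RE.match(sub):
                    cfg.addresses.setdefault(iface, set()).add(m.group(1))
                elif m := VRRP_RE.match(sub):
                    cfg.vrrp[(iface, int(m.group(1)))] = (m.group(2), m.group(3))
        elif header.startswith("security-zone name "):
            cfg.zones[header.rsplit(" ", 1)[1]] = frozenset(s.split()[-1] for s in subs if s.startswith("import interface "))
        elif header == "remote-backup group":
            for sub in subs:
                key, _, value = sub.partition(" ")
                cfg.rbm[key] = (value.split() or [""])[-1]  # "interface FortyGigE1/0/3" -> "FortyGigE1/0/3"
        else:  # global commands have no view, so the first line is itself a command
            cfg.routes.update(s for s in [header, *subs] if s.startswith("ip route-static "))
    return cfg

def check_ha_pair(text_a, text_b, name_a="Device A", name_b="Device B"):
    """Return a list of findings; an empty list means the pair is consistently configured."""
    a, b = parse_config(text_a), parse_config(text_b)
    findings = []
    if set(a.vrrp) != set(b.vrrp):
        findings.append(f"VRRP groups present on one device only: {sorted(set(a.vrrp) ^ set(b.vrrp))}")
    for (iface, vrid) in sorted(set(a.vrrp) & set(b.vrrp)):
        (vip_a, role_a), (vip_b, role_b) = a.vrrp[(iface, vrid)], b.vrrp[(iface, vrid)]
        if vip_a != vip_b:
            findings.append(f"{iface} vrid {vrid}: virtual-ip {vip_a} vs {vip_b}")
        if {role_a, role_b} != {"active", "standby"}:
            findings.append(f"{iface} vrid {vrid}: roles {role_a}/{role_b}, expected one active and one standby")
    if a.zones != b.zones:  # the standby takes over hot-backed-up sessions, so zones and routes must match
        findings.append("security-zone membership differs between the devices")
    if a.routes != b.routes:
        findings.append(f"static routes differ: {sorted(a.routes ^ b.routes)}")
    if a.rbm.get("local-ip") != b.rbm.get("remote-ip") or a.rbm.get("remote-ip") != b.rbm.get("local-ip"):
        findings.append("RBM local-ip/remote-ip are not mirrored between the devices")
    if {a.rbm.get("device-role"), b.rbm.get("device-role")} != {"primary", "secondary"}:
        findings.append("RBM device-role must be primary on one device and secondary on the other")
    for name, cfg in ((name_a, a), (name_b, b)):
        chan = cfg.rbm.get("data-channel")
        if cfg.rbm.get("local-ip") not in cfg.addresses.get(chan, set()):
            findings.append(f"{name}: RBM local-ip {cfg.rbm.get('local-ip')} is not an address of data-channel {chan}")
    return findings
```

Running `check_ha_pair(DEVICE_A_CFG, DEVICE_B_CFG)` on the page's values returns an empty list; changing Device B's group 1 to `active` or mistyping its `remote-ip` produces one finding each.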
# Ping the Internet address 20.1.1.1 from Host A to test connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B to test connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C to test connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the hosts and 20.1.1.1 are present.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
ip route-static 20.1.1.0 24 10.1.1.4
#
#
vlan 40
#
vlan 50
#
vlan 1111
#
interface GigabitEthernet1/0/1
port access vlan 40
#
interface GigabitEthernet1/0/2
port access vlan 50
#
interface FortyGigE2/0/1
port access vlan 40
#
interface FortyGigE2/0/2
port access vlan 50
#
interface FortyGigE2/0/3
port access vlan 1111
#
interface FortyGigE3/0/1
port access vlan 40
#
interface FortyGigE3/0/2
port access vlan 50
#
interface FortyGigE3/0/3
port access vlan 1111
#
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
ip route-static 192.168.10.0 24 10.1.2.4
ip route-static 192.168.20.0 24 10.1.2.4
ip route-static 192.168.30.0 24 10.1.2.4
#
Device A:
#
interface FortyGigE1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 active
#
interface FortyGigE1/0/2
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.4 active
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
Device B:
#
interface FortyGigE1/0/1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 standby
#
interface FortyGigE1/0/2
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.4 standby
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, two SecBlade cards, Device A and Device B, are deployed in aggregation switch Switch B to provide protection. Requirements:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently passes traffic between the hosts and the Internet.
· Switch B places its uplink and downlink service ports in VLAN 10, VLAN 20 and VLAN 30, and the ports interconnecting with the Devices in VLAN 10, VLAN 20 and VLAN 30. QoS redirection steers the upstream and downstream traffic between the hosts and the Internet to the Device, and the traffic returning from the Device is QoS-redirected in the opposite direction.
· The Device's uplink and downlink service ports are in VLAN 10, VLAN 20 and VLAN 30, and the Device transparently forwards traffic between the hosts and the Internet. Device A and Device B form an active/standby pair.
· Switch C is the gateway for Host A, Host B and Host C and forwards traffic between the hosts and the Internet by routing table lookup.
Figure 3-7 Network diagram for one-arm active/standby SecBlade deployment with Layer 2 traffic steering
Figure 3-8 Logical network diagram for one-arm active/standby SecBlade deployment with Layer 2 traffic steering
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Switch C | Vlan-interface10 | 192.168.10.1/24
Switch C | Vlan-interface20 | 192.168.20.1/24
Switch C | Vlan-interface30 | 192.168.30.1/24
Switch C | GE1/0/2 | 20.1.1.1/24
Device A | FGE1/0/3 | 1.1.1.1/30
Device B | FGE1/0/3 | 1.1.1.2/30
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit VLAN 10, VLAN 20 and VLAN 30 on it.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
# Create VLAN 10, VLAN 20, VLAN 30 and VLAN 1111, and assign FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] vlan 1111
[SwitchB-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[SwitchB-vlan1111] quit
# Create Layer 2 aggregate interfaces 1 and 2. Assign FortyGigE2/0/1 and FortyGigE3/0/1 to aggregation group 1, and FortyGigE2/0/2 and FortyGigE3/0/2 to aggregation group 2.
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] quit
[SwitchB] interface bridge-aggregation 2
[SwitchB-Bridge-Aggregation2] quit
[SwitchB] interface range fortygige 2/0/1 fortygige 3/0/1
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
[SwitchB] interface range fortygige 2/0/2 fortygige 3/0/2
[SwitchB-if-range] port link-aggregation group 2
[SwitchB-if-range] quit
# On Layer 2 aggregate interfaces 1 and 2, disable MAC address learning (the same host MAC is seen on the service port and again on the aggregate when the Device hands the frame back, which would otherwise cause MAC flapping), disable STP (so that STP cannot block the ports from forwarding or receiving frames), and set the maximum number of Selected ports in each aggregation group to 1 (so that only one Device receives the steered traffic).
[SwitchB] interface range bridge-aggregation 1 bridge-aggregation 2
[SwitchB-if-range] undo mac-address mac-learning enable
[SwitchB-if-range] undo stp enable
[SwitchB-if-range] link-aggregation selected-port maximum 1
[SwitchB-if-range] quit
# Set the port priority of FortyGigE2/0/1 and FortyGigE2/0/2 to 0 so that each aggregation group prefers the port connected to Device A for carrying traffic.
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] link-aggregation port-priority 0
[SwitchB-if-range] quit
# Configure GigabitEthernet1/0/1, GigabitEthernet1/0/2 and Layer 2 aggregate interfaces 1 and 2 as trunk ports and permit VLAN 10, VLAN 20 and VLAN 30 on them.
[SwitchB] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 bridge-aggregation 1 bridge-aggregation 2
[SwitchB-if-range] port link-type trunk
[SwitchB-if-range] port trunk permit vlan 10 20 30
[SwitchB-if-range] quit
# Define a traffic class that matches VLAN 10, VLAN 20 and VLAN 30.
[SwitchB] traffic classifier servicevlan
[SwitchB-classifier-servicevlan] if-match service-vlan-id 10 20 30
[SwitchB-classifier-servicevlan] quit
# Define traffic behaviors whose action is to redirect traffic to the corresponding interface.
[SwitchB] traffic behavior gigabitethernet1/0/1
[SwitchB-behavior-gigabitethernet1/0/1] redirect interface gigabitethernet 1/0/1
[SwitchB-behavior-gigabitethernet1/0/1] quit
[SwitchB] traffic behavior gigabitethernet1/0/2
[SwitchB-behavior-gigabitethernet1/0/2] redirect interface gigabitethernet 1/0/2
[SwitchB-behavior-gigabitethernet1/0/2] quit
[SwitchB] traffic behavior bagg1
[SwitchB-behavior-bagg1] redirect interface bridge-aggregation 1
[SwitchB-behavior-bagg1] quit
[SwitchB] traffic behavior bagg2
[SwitchB-behavior-bagg2] redirect interface bridge-aggregation 2
[SwitchB-behavior-bagg2] quit
# Define QoS policies that associate the class with each behavior.
[SwitchB] qos policy gigabitethernet1/0/1
[SwitchB-qospolicy-gigabitethernet1/0/1] classifier servicevlan behavior gigabitethernet1/0/1
[SwitchB-qospolicy-gigabitethernet1/0/1] quit
[SwitchB] qos policy gigabitethernet1/0/2
[SwitchB-qospolicy-gigabitethernet1/0/2] classifier servicevlan behavior gigabitethernet1/0/2
[SwitchB-qospolicy-gigabitethernet1/0/2] quit
[SwitchB] qos policy bagg1
[SwitchB-qospolicy-bagg1] classifier servicevlan behavior bagg1
[SwitchB-qospolicy-bagg1] quit
[SwitchB] qos policy bagg2
[SwitchB-qospolicy-bagg2] classifier servicevlan behavior bagg2
[SwitchB-qospolicy-bagg2] quit
# Apply the policies to the inbound direction of the ports: frames entering a service port are steered into the aggregate towards the Device, and frames coming back from the Device are steered to the opposite service port.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] qos apply policy bagg1 inbound
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] qos apply policy bagg2 inbound
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface fortygige 2/0/1
[SwitchB-FortyGigE2/0/1] qos apply policy gigabitethernet1/0/1 inbound
[SwitchB-FortyGigE2/0/1] quit
[SwitchB] interface fortygige 2/0/2
[SwitchB-FortyGigE2/0/2] qos apply policy gigabitethernet1/0/2 inbound
[SwitchB-FortyGigE2/0/2] quit
[SwitchB] interface fortygige 3/0/1
[SwitchB-FortyGigE3/0/1] qos apply policy gigabitethernet1/0/1 inbound
[SwitchB-FortyGigE3/0/1] quit
[SwitchB] interface fortygige 3/0/2
[SwitchB-FortyGigE3/0/2] qos apply policy gigabitethernet1/0/2 inbound
[SwitchB-FortyGigE3/0/2] quit
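The four policies above only work as two closed loops: whatever a service port steers into aggregation N must come back, from every member of aggregation N, to that same service port, and each aggregate must carry the MAC-learning, STP and selected-port settings configured earlier. Those are exactly the invariants a misplaced digit breaks silently, so they are worth checking mechanically. The Python script below is an added example, not part of this guide or of Comware: it parses a Comware-style configuration and reports every violation. SWITCH_B_CONFIG is constructed from the Switch B configuration above (trimmed to the lines the checks use); BROKEN_CONFIG is the same text with FortyGigE2/0/2 moved into the wrong aggregation group; the function names and finding texts are this example's own.

```python
# Added example, not from the guide: lint the Switch B QoS-redirect steering loop.
# SWITCH_B_CONFIG is constructed from the Switch B configuration above, cut down to
# the lines the checks need; the layout (space-indented bodies, '#' separators) is Comware's.
SWITCH_B_CONFIG = """\
traffic behavior bagg1
 redirect interface Bridge-Aggregation1
traffic behavior bagg2
 redirect interface Bridge-Aggregation2
traffic behavior gigabitethernet1/0/1
 redirect interface GigabitEthernet1/0/1
traffic behavior gigabitethernet1/0/2
 redirect interface GigabitEthernet1/0/2
#
qos policy bagg1
 classifier servicevlan behavior bagg1
qos policy bagg2
 classifier servicevlan behavior bagg2
qos policy gigabitethernet1/0/1
 classifier servicevlan behavior gigabitethernet1/0/1
qos policy gigabitethernet1/0/2
 classifier servicevlan behavior gigabitethernet1/0/2
#
interface Bridge-Aggregation1
 link-aggregation selected-port maximum 1
 undo stp enable
 undo mac-address mac-learning enable
interface Bridge-Aggregation2
 link-aggregation selected-port maximum 1
 undo stp enable
 undo mac-address mac-learning enable
interface GigabitEthernet1/0/1
 qos apply policy bagg1 inbound
interface GigabitEthernet1/0/2
 qos apply policy bagg2 inbound
interface FortyGigE2/0/1
 qos apply policy gigabitethernet1/0/1 inbound
 port link-aggregation group 1
interface FortyGigE2/0/2
 qos apply policy gigabitethernet1/0/2 inbound
 port link-aggregation group 2
interface FortyGigE3/0/1
 qos apply policy gigabitethernet1/0/1 inbound
 port link-aggregation group 1
interface FortyGigE3/0/2
 qos apply policy gigabitethernet1/0/2 inbound
 port link-aggregation group 2
"""
# The same text with FortyGigE2/0/2 (owner of the first "group 2" line) moved into group 1.
BROKEN_CONFIG = SWITCH_B_CONFIG.replace(" port link-aggregation group 2\n",
                                        " port link-aggregation group 1\n", 1)

# What every aggregate that receives steered traffic must carry, and why.
AGG_HARDENING = ("undo mac-address mac-learning enable",     # host MACs appear on GE1/0/x and on the aggregate
                 "undo stp enable",                           # STP must never block the steering path
                 "link-aggregation selected-port maximum 1")  # only the preferred Device carries traffic


def norm(name):
    """Comware accepts 'Bridge-Aggregation1' and 'bridge-aggregation 1' alike; compare one form."""
    return name.replace(" ", "").lower()


def parse(text):
    """Config text -> {(section kind, normalized name): body lines}; '#' only separates sections."""
    secs, body = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and body is not None:
            body.append(line.strip())
        elif line.strip() in ("", "#"):
            body = None
        else:
            words = line.split()
            body = secs[(" ".join(words[:-1]), norm(words[-1]))] = []
    return secs


def lint(text):
    """Return findings; an empty list means every redirect has a matching return path."""
    secs = parse(text)
    first = lambda kind, name, p: next((l[len(p):] for l in secs.get((kind, name), []) if l.startswith(p)), "")
    redirect = lambda beh: norm(first("traffic behavior", beh, "redirect interface "))
    behavior = lambda pol: norm(first("qos policy", pol, "classifier ").split(" ")[-1])
    policy = lambda port: norm(first("interface", port, "qos apply policy ").split(" ")[0])
    group = lambda port: first("interface", port, "port link-aggregation group ")
    target = lambda port: redirect(behavior(policy(port)))     # where inbound frames on port are steered
    ports = [name for kind, name in secs if kind == "interface"]
    out = []
    for port in ports:
        if not policy(port):
            continue                                           # no inbound policy: not in the steering loop
        t = target(port)
        if not t:
            out.append(f"{port}: policy {policy(port)} does not resolve to a redirect target")
        elif t.startswith("bridge-aggregation"):
            # service port -> aggregate: the aggregate is hardened and every member steers back here
            out += [f"{t}: missing '{h}'" for h in AGG_HARDENING if h not in secs.get(("interface", t), [])]
            g = t[len("bridge-aggregation"):]
            out += [f"{p} (group {g}) redirects to {target(p)}, expected {port}"
                    for p in ports if group(p) == g and target(p) != port]
        elif target(t) != f"bridge-aggregation{group(port)}":
            # member port -> service port: that service port must steer into this member's aggregate
            out.append(f"{port}: member of group {group(port) or 'none'} but {t} steers to {target(t) or 'nothing'}")
    return out
```

Running `lint(SWITCH_B_CONFIG)` returns no findings; `lint(BROKEN_CONFIG)` reports FortyGigE2/0/2 twice, once from the GigabitEthernet1/0/1 side (a group 1 member that does not steer back to it) and once from the member's own side (its return target steers into Bridge-Aggregation2, not the group it sits in). Removing one of the hardening lines from an aggregate is reported the same way.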
# Create VLAN 10, VLAN 20 and VLAN 30.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] vlan 20
[SwitchC-vlan20] quit
[SwitchC] vlan 30
[SwitchC-vlan30] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit VLAN 10, VLAN 20 and VLAN 30 on it.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30
[SwitchC-GigabitEthernet1/0/1] quit
# Create VLAN-interfaces 10, 20 and 30 and assign IP addresses to them.
[SwitchC] interface vlan-interface 10
[SwitchC-Vlan-interface10] ip address 192.168.10.1 24
[SwitchC-Vlan-interface10] quit
[SwitchC] interface vlan-interface 20
[SwitchC-Vlan-interface20] ip address 192.168.20.1 24
[SwitchC-Vlan-interface20] quit
[SwitchC] interface vlan-interface 30
[SwitchC-Vlan-interface30] ip address 192.168.30.1 24
[SwitchC-Vlan-interface30] quit
# Switch GigabitEthernet1/0/2 to Layer 3 (route) mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N]:y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] quit
[DeviceA] vlan 30
[DeviceA-vlan30] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 (bridge) mode.
[DeviceA] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] quit
# Configure FortyGigE1/0/1 and FortyGigE1/0/2 as trunk ports and permit VLAN 10, VLAN 20 and VLAN 30 on them.
[DeviceA] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 10 20 30
[DeviceA-if-range] quit
# Add VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/1 to security zone Trust, and VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/2 to security zone Untrust.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1 vlan 10 20 30
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2 vlan 10 20 30
[DeviceA-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones. (Both rules pass all traffic so that connectivity can be verified; in production, restrict them to the required sources, destinations and services, in particular the untrust-to-trust rule.)
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] track interface fortygige 1/0/1
RBM_P[DeviceA-remote-backup-group] track interface fortygige 1/0/2
RBM_P[DeviceA-remote-backup-group] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] quit
[DeviceB] vlan 20
[DeviceB-vlan20] quit
[DeviceB] vlan 30
[DeviceB-vlan30] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 (bridge) mode.
[DeviceB] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceB-if-range] port link-mode bridge
[DeviceB-if-range] quit
# Configure FortyGigE1/0/1 and FortyGigE1/0/2 as trunk ports and permit VLAN 10, VLAN 20 and VLAN 30 on them.
[DeviceB] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceB-if-range] port link-type trunk
[DeviceB-if-range] port trunk permit vlan 10 20 30
[DeviceB-if-range] quit
# Add VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/1 to security zone Trust, and VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/2 to security zone Untrust.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1 vlan 10 20 30
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2 vlan 10 20 30
[DeviceB-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] track interface fortygige 1/0/1
RBM_S[DeviceB-remote-backup-group] track interface fortygige 1/0/2
RBM_S[DeviceB-remote-backup-group] quit
# On Device A, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# On Device B, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:34:34 Initial to Standby Interface status changed
# Ping the Internet address 20.1.1.1 from Host A; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device: sessions between the hosts and 20.1.1.1 exist, and each carries the VLAN ID of the host's service VLAN.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/10/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/20/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/30/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
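In Layer 2 steering mode the session records the VLAN in the VPN instance/VLAN ID/Inline ID field (for example -/10/-), whereas in the routed deployment earlier it reads -/-/-. That field is worth checking automatically: a Trust-side session whose source address is not in the subnet bound to its VLAN points to a mis-tagged frame or VLAN hopping, and a session with no VLAN ID means traffic reached the Device outside the steering path. The Python script below is an added example, not part of this guide: SESSION_TABLE is constructed from the Device A output above, VLAN_SUBNETS is the VLAN-to-subnet binding from this example's addressing table, and the function names and finding texts are this example's own. The same audit applies unchanged to the transparent inline example that follows.

```python
# Added example, not from the guide: audit the Layer 2 steering session table.
# SESSION_TABLE is constructed from the Device A output shown above; VLAN_SUBNETS
# is the VLAN-to-subnet binding taken from this example's addressing table.
import ipaddress

SESSION_TABLE = """\
Slot 1:
Initiator:
  Source IP/port: 192.168.10.15/12005
  Destination IP/port: 20.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/10/-
  Protocol: ICMP(1)
  Inbound interface: FortyGigE1/0/1
  Source security zone: Trust
Initiator:
  Source IP/port: 192.168.20.15/12005
  Destination IP/port: 20.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/20/-
  Protocol: ICMP(1)
  Inbound interface: FortyGigE1/0/1
  Source security zone: Trust
Initiator:
  Source IP/port: 192.168.30.15/12005
  Destination IP/port: 20.1.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/30/-
  Protocol: ICMP(1)
  Inbound interface: FortyGigE1/0/1
  Source security zone: Trust
"""

# Trust-side binding of service VLAN to host subnet (from the addressing table).
VLAN_SUBNETS = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 30: "192.168.30.0/24"}


def parse_sessions(text):
    """Split the display output into one {field: value} dict per 'Initiator:' block,
    adding src_ip, dst_ip and vlan (None when the VLAN ID column is '-')."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Initiator:":
            cur = {}
            sessions.append(cur)
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            cur[key] = value.strip()
    for s in sessions:
        s["src_ip"] = s["Source IP/port"].rsplit("/", 1)[0]
        s["dst_ip"] = s["Destination IP/port"].rsplit("/", 1)[0]
        vlan = s["VPN instance/VLAN ID/Inline ID"].split("/")[1]
        s["vlan"] = int(vlan) if vlan != "-" else None
    return sessions


def audit(text, vlan_subnets=VLAN_SUBNETS, zone="Trust", inbound="FortyGigE1/0/1"):
    """Findings for Trust-side initiators: a session without a VLAN ID (traffic reached the
    Device outside the steering path), a source address outside the subnet bound to its VLAN
    (mis-tagged frame or VLAN hopping), and a service VLAN with no session at all."""
    out, seen = [], set()
    for s in parse_sessions(text):
        if s.get("Source security zone") != zone or s.get("Inbound interface") != inbound:
            continue                                   # only initiators that entered from the host side
        src, vlan = s["src_ip"], s["vlan"]
        if vlan is None:
            out.append(f"{src}: session carries no VLAN ID; not arriving via the steered path")
        elif vlan not in vlan_subnets:
            out.append(f"{src}: arrived in VLAN {vlan}, which is not a service VLAN")
        elif ipaddress.ip_address(src) not in ipaddress.ip_network(vlan_subnets[vlan]):
            out.append(f"{src}: arrived in VLAN {vlan} but is outside {vlan_subnets[vlan]}")
        else:
            seen.add(vlan)
    out += [f"VLAN {v}: no Trust-side session observed" for v in vlan_subnets if v not in seen]
    return out
```

`audit(SESSION_TABLE)` returns nothing for the output above. Rewriting the second session's VLAN to 10 produces two findings, one for 192.168.20.15 arriving in a VLAN bound to 192.168.10.0/24 and one for VLAN 20 having no session; replacing -/10/- with -/-/- reports the untagged session, which is what the routed deployment's session table looks like and therefore what you would see if the QoS redirect on Switch B were not in effect.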
Switch A:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
Switch B:
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 1111
#
traffic classifier servicevlan
if-match service-vlan-id 10 20 30
#
traffic behavior bagg1
redirect interface Bridge-Aggregation1
#
traffic behavior bagg2
redirect interface Bridge-Aggregation2
#
traffic behavior gigabitethernet1/0/1
redirect interface GigabitEthernet1/0/1
#
traffic behavior gigabitethernet1/0/2
redirect interface GigabitEthernet1/0/2
#
qos policy bagg1
classifier servicevlan behavior bagg1
#
qos policy bagg2
classifier servicevlan behavior bagg2
#
qos policy gigabitethernet1/0/1
classifier servicevlan behavior gigabitethernet1/0/1
#
qos policy gigabitethernet1/0/2
classifier servicevlan behavior gigabitethernet1/0/2
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10 20 30
link-aggregation selected-port maximum 1
undo stp enable
undo mac-address mac-learning enable
#
interface Bridge-Aggregation2
port link-type trunk
port trunk permit vlan 10 20 30
link-aggregation selected-port maximum 1
undo stp enable
undo mac-address mac-learning enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy bagg1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy bagg2 inbound
#
interface FortyGigE2/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/1 inbound
link-aggregation port-priority 0
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/2 inbound
link-aggregation port-priority 0
port link-aggregation group 2
#
interface FortyGigE2/0/3
port access vlan 1111
#
interface FortyGigE3/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/1 inbound
port link-aggregation group 1
#
interface FortyGigE3/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/2 inbound
port link-aggregation group 2
#
interface FortyGigE3/0/3
port access vlan 1111
#
Switch C:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
#
Device A:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
security-zone name Trust
import interface FortyGigE1/0/1 vlan 10 20 30
#
security-zone name Untrust
import interface FortyGigE1/0/2 vlan 10 20 30
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
Device B:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
security-zone name Trust
import interface FortyGigE1/0/1 vlan 10 20 30
#
security-zone name Untrust
import interface FortyGigE1/0/2 vlan 10 20 30
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, two SecBlade cards, Device A and Device B, are deployed in aggregation switch Switch B to provide protection. Requirements:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently passes traffic between the hosts and the Internet.
· Switch B places its downlink service port in VLAN 10, VLAN 20 and VLAN 30, its uplink service port in VLAN 40, VLAN 50 and VLAN 60, and the ports interconnecting with the Devices in VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60. Traffic between the hosts and the Internet passes transparently through the Device in both directions.
· On the Device, downlink traffic is in VLAN 10, VLAN 20 and VLAN 30 and uplink traffic in VLAN 40, VLAN 50 and VLAN 60. The Device forwards traffic between the hosts and the Internet across these VLAN pairs. Device A and Device B form an active/standby pair.
· Switch C is the gateway for Host A, Host B and Host C and forwards traffic between the hosts and the Internet by routing table lookup.
Figure 3-9 Network diagram for transparent inline active/standby SecBlade deployment
Figure 3-10 Logical network diagram for transparent inline active/standby SecBlade deployment
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Switch C | Vlan-interface40 | 192.168.10.1/24
Switch C | Vlan-interface50 | 192.168.20.1/24
Switch C | Vlan-interface60 | 192.168.30.1/24
Switch C | GE1/0/2 | 20.1.1.1/24
Device A | FGE1/0/3 | 1.1.1.1/30
Device B | FGE1/0/3 | 1.1.1.2/30
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit VLAN 10, VLAN 20 and VLAN 30 on it.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, VLAN 60 and VLAN 1111, and assign FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] vlan 40
[SwitchB-vlan40] quit
[SwitchB] vlan 50
[SwitchB-vlan50] quit
[SwitchB] vlan 60
[SwitchB-vlan60] quit
[SwitchB] vlan 1111
[SwitchB-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[SwitchB-vlan1111] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit VLAN 10, VLAN 20 and VLAN 30 on it.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2 as a trunk port and permit VLAN 40, VLAN 50 and VLAN 60 on it.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 40 50 60
[SwitchB-GigabitEthernet1/0/2] quit
# Create Layer 2 aggregate interface 1, configure it as a trunk port and permit VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60 on it.
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] port link-type trunk
[SwitchB-Bridge-Aggregation1] port trunk permit vlan 10 20 30 40 50 60
[SwitchB-Bridge-Aggregation1] quit
# Assign FortyGigE2/0/1, FortyGigE2/0/2, FortyGigE3/0/1 and FortyGigE3/0/2 to aggregation group 1.
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2 fortygige 3/0/1 fortygige 3/0/2
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
# Set the maximum number of Selected ports in aggregation group 1 to 2 (the two ports of one Device) and disable STP on the aggregate interface (so that an RBM active/standby switchover does not trigger STP reconvergence and a brief loss of service).
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] link-aggregation selected-port maximum 2
[SwitchB-Bridge-Aggregation1] undo stp enable
[SwitchB-Bridge-Aggregation1] quit
# Set the port priority of FortyGigE2/0/1 and FortyGigE2/0/2 to 0 so that the aggregation group prefers the ports connected to Device A for carrying traffic.
[SwitchB] interface range fortygige 2/0/1 fortygige 2/0/2
[SwitchB-if-range] link-aggregation port-priority 0
[SwitchB-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 60.
<SwitchC> system-view
[SwitchC] vlan 40
[SwitchC-vlan40] quit
[SwitchC] vlan 50
[SwitchC-vlan50] quit
[SwitchC] vlan 60
[SwitchC-vlan60] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit VLAN 40, VLAN 50 and VLAN 60 on it.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 40 50 60
[SwitchC-GigabitEthernet1/0/1] quit
# Create VLAN-interfaces 40, 50 and 60 and assign IP addresses to them.
[SwitchC] interface vlan-interface 40
[SwitchC-Vlan-interface40] ip address 192.168.10.1 24
[SwitchC-Vlan-interface40] quit
[SwitchC] interface vlan-interface 50
[SwitchC-Vlan-interface50] ip address 192.168.20.1 24
[SwitchC-Vlan-interface50] quit
[SwitchC] interface vlan-interface 60
[SwitchC-Vlan-interface60] ip address 192.168.30.1 24
[SwitchC-Vlan-interface60] quit
# Switch GigabitEthernet1/0/2 to Layer 3 (route) mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N]:y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] quit
[DeviceA] vlan 30
[DeviceA-vlan30] quit
[DeviceA] vlan 40
[DeviceA-vlan40] quit
[DeviceA] vlan 50
[DeviceA-vlan50] quit
[DeviceA] vlan 60
[DeviceA-vlan60] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 (bridge) mode, configure them as trunk ports and permit VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60 on them.
[DeviceA] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 10 20 30 40 50 60
[DeviceA-if-range] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add VLAN 10, VLAN 20 and VLAN 30 to security zone Trust, and VLAN 40, VLAN 50 and VLAN 60 to security zone Untrust. (Zones are bound to VLANs rather than to interfaces here, so a frame is classified by the VLAN it carries regardless of which aggregate member it arrives on.)
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import vlan 10 20 30
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import vlan 40 50 60
[DeviceA-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Create forwarding instances Bridge 1, Bridge 2 and Bridge 3 in inter-VLAN mode and add the VLAN pair that must communicate to each instance. (Each instance bridges one downlink VLAN to its uplink VLAN, so the hosts keep their IP addressing while every frame crosses the Trust/Untrust boundary inside the Device.)
[DeviceA] bridge 1 inter-vlan
[DeviceA-bridge-1-inter-vlan] add vlan 10 40
[DeviceA-bridge-1-inter-vlan] quit
[DeviceA] bridge 2 inter-vlan
[DeviceA-bridge-2-inter-vlan] add vlan 20 50
[DeviceA-bridge-2-inter-vlan] quit
[DeviceA] bridge 3 inter-vlan
[DeviceA-bridge-3-inter-vlan] add vlan 30 60
[DeviceA-bridge-3-inter-vlan] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface FortyGigE 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] track interface FortyGigE 1/0/1
RBM_P[DeviceA-remote-backup-group] track interface FortyGigE 1/0/2
RBM_P[DeviceA-remote-backup-group] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] quit
[DeviceB] vlan 20
[DeviceB-vlan20] quit
[DeviceB] vlan 30
[DeviceB-vlan30] quit
[DeviceB] vlan 40
[DeviceB-vlan40] quit
[DeviceB] vlan 50
[DeviceB-vlan50] quit
[DeviceB] vlan 60
[DeviceB-vlan60] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 (bridge) mode, configure them as trunk ports and permit VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60 on them.
[DeviceB] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceB-if-range] port link-mode bridge
[DeviceB-if-range] port link-type trunk
[DeviceB-if-range] port trunk permit vlan 10 20 30 40 50 60
[DeviceB-if-range] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add VLAN 10, VLAN 20 and VLAN 30 to security zone Trust, and VLAN 40, VLAN 50 and VLAN 60 to security zone Untrust.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import vlan 10 20 30
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import vlan 40 50 60
[DeviceB-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Create forwarding instances Bridge 1, Bridge 2 and Bridge 3 in inter-VLAN mode and add the VLAN pair that must communicate to each instance.
[DeviceB] bridge 1 inter-vlan
[DeviceB-bridge-1-inter-vlan] add vlan 10 40
[DeviceB-bridge-1-inter-vlan] quit
[DeviceB] bridge 2 inter-vlan
[DeviceB-bridge-2-inter-vlan] add vlan 20 50
[DeviceB-bridge-2-inter-vlan] quit
[DeviceB] bridge 3 inter-vlan
[DeviceB-bridge-3-inter-vlan] add vlan 30 60
[DeviceB-bridge-3-inter-vlan] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface FortyGigE 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] track interface FortyGigE 1/0/1
RBM_S[DeviceB-remote-backup-group] track interface FortyGigE 1/0/2
RBM_S[DeviceB-remote-backup-group] quit
# On Device A, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# On Device B, run the following display command to verify that the HA configuration has taken effect and the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Standby Interface status changed
# Ping the Internet from Host A to test connectivity; the Internet address 20.1.1.1 is reachable.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet from Host B to test connectivity; the Internet address 20.1.1.1 is reachable.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet from Host C to test connectivity; the Internet address 20.1.1.1 is reachable.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the hosts and 20.1.1.1 are present.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/10/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/20/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/30/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
vlan 1111
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
link-aggregation selected-port maximum 2
undo stp enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 40 50 60
#
interface FortyGigE2/0/1
link-aggregation port-priority 0
port link-aggregation group 1
#
interface FortyGigE2/0/2
link-aggregation port-priority 0
port link-aggregation group 1
#
interface FortyGigE2/0/3
port access vlan 1111
#
interface FortyGigE3/0/1
port link-aggregation group 1
#
interface FortyGigE3/0/2
port link-aggregation group 1
#
interface FortyGigE3/0/3
port access vlan 1111
#
#
vlan 40
#
vlan 50
#
vlan 60
#
interface Vlan-interface40
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface50
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface60
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 40 50 60
#
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
bridge 1 inter-vlan
add vlan 10 40
#
bridge 2 inter-vlan
add vlan 20 50
#
bridge 3 inter-vlan
add vlan 30 60
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
#
security-zone name Trust
import vlan 10 20 30
#
security-zone name Untrust
import vlan 40 50 60
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
bridge 1 inter-vlan
add vlan 10 40
#
bridge 2 inter-vlan
add vlan 20 50
#
bridge 3 inter-vlan
add vlan 30 60
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30 40 50 60
#
security-zone name Trust
import vlan 10 20 30
#
security-zone name Untrust
import vlan 40 50 60
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
data-channel interface FortyGigE1/0/3
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
The LSQM1ADEDSC0, LSWM1ADED0 and LSUM1ADECEA0 SecBlade cards are load-balancing products. Because a load-balancing device permits traffic on all interfaces by default, no security zones or security policies need to be configured on them. All card deployments in this section configure security zones and security policies; for the products above, configure security zones and security policies only as needed.
Host A, Host B and Host C communicate with the Internet through the access switch Switch and the router Router. For security, two SecBlade cards, Device A and Device B, are deployed in Router to provide protection. The requirements are as follows:
· Switch places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently forwards traffic between the hosts and the Internet.
· Router connects to the hosts, the Internet and the Devices at Layer 3, redirects upstream and downstream traffic to the Devices through policy-based routing, and forwards traffic returned by the Devices according to its routing table.
· The Devices connect to Router at Layer 3 and forward traffic between the hosts and the Internet according to static routes; Device A and Device B operate as a dual-active backup pair.
Figure 4-1 Network diagram: side-attached dual-active SecBlade card deployment with Layer 3 traffic redirection
Figure 4-2 Logical network diagram: side-attached dual-active SecBlade card deployment with Layer 3 traffic redirection
| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| Host A | - | 192.168.10.15/24 | Device A | FGE1/0/1 | 10.1.1.2/24 |
| Host B | - | 192.168.20.15/24 | | FGE1/0/2 | 10.1.2.2/24 |
| Host C | - | 192.168.30.15/24 | | FGE1/0/3 | 1.1.1.1/30 |
| Router | GE1/0/1.10 | 192.168.10.1/24 | Device B | FGE1/0/1 | 10.1.1.3/24 |
| | GE1/0/1.20 | 192.168.20.1/24 | | FGE1/0/2 | 10.1.2.3/24 |
| | GE1/0/1.30 | 192.168.30.1/24 | | FGE1/0/3 | 1.1.1.2/30 |
| | GE1/0/2 | 20.1.1.1/24 | | | |
| | Vlan-interface40 | 10.1.1.1/24 | | | |
| | Vlan-interface50 | 10.1.2.1/24 | | | |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets from VLAN 10, VLAN 20 and VLAN 30.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Configure the IP address of GigabitEthernet1/0/2.
<Router> system-view
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20 and GigabitEthernet1/0/1.30, enable Dot1q termination on them for VLAN 10, VLAN 20 and VLAN 30 respectively, and configure their IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Switch FortyGigE2/0/1, FortyGigE2/0/2, FortyGigE2/0/3, FortyGigE3/0/1, FortyGigE3/0/2 and FortyGigE3/0/3 to Layer 2 (bridge) mode.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2 fortygige 2/0/3 fortygige 3/0/1 fortygige 3/0/2 fortygige 3/0/3
[Router-if-range] port link-mode bridge
[Router-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 1111. Assign FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50, and FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
[Router] vlan 40
[Router-vlan40] port fortygige 2/0/1 fortygige 3/0/1
[Router-vlan40] quit
[Router] vlan 50
[Router-vlan50] port fortygige 2/0/2 fortygige 3/0/2
[Router-vlan50] quit
[Router] vlan 1111
[Router-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[Router-vlan1111] quit
# Create VLAN-interface 40 and VLAN-interface 50, configure their IP addresses, and enable last-hop holding for forwarding.
[Router] interface vlan-interface 40
[Router-Vlan-interface40] ip address 10.1.1.1 24
[Router-Vlan-interface40] ip last-hop hold
[Router-Vlan-interface40] quit
[Router] interface vlan-interface 50
[Router-Vlan-interface50] ip address 10.1.2.1 24
[Router-Vlan-interface50] ip last-hop hold
[Router-Vlan-interface50] quit
# Disable fast-forwarding load sharing (to prevent Layer 3 loops).
[Router] undo ip fast-forwarding load-sharing
# Create IPv4 advanced ACLs to match upstream and downstream traffic.
[Router] acl advanced 3001
[Router-acl-ipv4-adv-3001] rule permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3001] quit
[Router] acl advanced 3002
[Router-acl-ipv4-adv-3002] rule permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3002] quit
[Router] acl advanced 3003
[Router-acl-ipv4-adv-3003] rule permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
[Router-acl-ipv4-adv-3003] quit
[Router] acl advanced 3004
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Router-acl-ipv4-adv-3004] rule permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Router-acl-ipv4-adv-3004] quit
# Configure policy-based routing and apply the policies to the interfaces.
[Router] policy-based-route vlan10out permit node 10
[Router-pbr-vlan10out-10] if-match acl 3001
[Router-pbr-vlan10out-10] apply next-hop 10.1.1.4 weight 1
[Router-pbr-vlan10out-10] apply next-hop 10.1.1.5 weight 1
[Router-pbr-vlan10out-10] apply loadshare next-hop
[Router-pbr-vlan10out-10] quit
[Router] policy-based-route vlan20out permit node 10
[Router-pbr-vlan20out-10] if-match acl 3002
[Router-pbr-vlan20out-10] apply next-hop 10.1.1.4 weight 1
[Router-pbr-vlan20out-10] apply next-hop 10.1.1.5 weight 1
[Router-pbr-vlan20out-10] apply loadshare next-hop
[Router-pbr-vlan20out-10] quit
[Router] policy-based-route vlan30out permit node 10
[Router-pbr-vlan30out-10] if-match acl 3003
[Router-pbr-vlan30out-10] apply next-hop 10.1.1.4 weight 1
[Router-pbr-vlan30out-10] apply next-hop 10.1.1.5 weight 1
[Router-pbr-vlan30out-10] apply loadshare next-hop
[Router-pbr-vlan30out-10] quit
[Router] policy-based-route internetin permit node 10
[Router-pbr-internetin-10] if-match acl 3004
[Router-pbr-internetin-10] apply next-hop 10.1.2.4 weight 1
[Router-pbr-internetin-10] apply next-hop 10.1.2.5 weight 1
[Router-pbr-internetin-10] apply loadshare next-hop
[Router-pbr-internetin-10] quit
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] ip policy-based-route vlan10out
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] ip policy-based-route vlan20out
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] ip policy-based-route vlan30out
[Router-GigabitEthernet1/0/1.30] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip policy-based-route internetin
[Router-GigabitEthernet1/0/2] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1, 2, 3 and 4, and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] vrrp vrid 2 virtual-ip 10.1.1.5 standby
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 3 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] vrrp vrid 4 virtual-ip 10.1.2.5 standby
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to direct upstream and downstream forwarding.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1, 2, 3 and 4, and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] vrrp vrid 2 virtual-ip 10.1.1.5 active
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 3 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] vrrp vrid 4 virtual-ip 10.1.2.5 active
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure security policies to permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to direct upstream and downstream forwarding.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] backup-mode dual-active
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
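The redirect chain configured above only works when three things line up: every next-hop that the Router's policy routes hand traffic to is a VRRP virtual IP that both SecBlades carry, each VRID is active on exactly one of them, and each SecBlade passes traffic in both zone directions. The Python script below is an added editor's example, not code from the H3C manual or from the devices: it reads configuration excerpts in the `display current-configuration` style (the excerpts are constructed from the Router, Device A and Device B configurations of this scenario) and reports any break in that chain. It goes slightly beyond this scenario by also collecting static-route next-hops, the form the Router uses when it steers traffic with static routes in VRFs instead of policy-based routing. The line matching is a plain text heuristic written for these dumps, not an H3C parser.

```python
"""Offline consistency check for the side-attached dual-active design: each
Router next-hop must be a VRRP virtual IP on both SecBlades, each VRID active on
exactly one of them, and both zone directions must have a pass rule."""
import re

# Constructed excerpts in 'display current-configuration' style, copied from
# the Router, Device A and Device B configurations of this scenario.
ROUTER_CFG = """\
policy-based-route vlan10out permit node 10
 if-match acl 3001
 apply loadshare next-hop
 apply next-hop 10.1.1.4 weight 1
 apply next-hop 10.1.1.5 weight 1
#
policy-based-route internetin permit node 10
 if-match acl 3004
 apply loadshare next-hop
 apply next-hop 10.1.2.4 weight 1
 apply next-hop 10.1.2.5 weight 1
"""
DEVICE_A_CFG = """\
interface FortyGigE1/0/1
 vrrp vrid 1 virtual-ip 10.1.1.4 active
 vrrp vrid 2 virtual-ip 10.1.1.5 standby
#
interface FortyGigE1/0/2
 vrrp vrid 3 virtual-ip 10.1.2.4 active
 vrrp vrid 4 virtual-ip 10.1.2.5 standby
#
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
 rule 1 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust
"""
# Device B is the mirror image of Device A: the VRRP roles are swapped.
DEVICE_B_CFG = (DEVICE_A_CFG.replace(" active", " @")
                .replace(" standby", " active").replace(" @", " standby"))
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")

def redirect_next_hops(router_cfg):
    """Next-hops the Router hands traffic to: PBR 'apply next-hop' entries plus
    the last token of static routes (the form the VRF variant uses)."""
    hops = set()
    for line in router_cfg.splitlines():
        words = line.split()
        if words[:2] == ["apply", "next-hop"]:
            hops.add(words[2])
        elif words[:2] == ["ip", "route-static"]:
            hops.add(words[-1])
    return hops

def vrrp_groups(device_cfg):
    """Map VRID -> (virtual IP, configured role) for one SecBlade."""
    found = (VRRP_RE.search(line) for line in device_cfg.splitlines())
    return {int(m.group(1)): (m.group(2), m.group(3)) for m in found if m}

def pass_pairs(device_cfg):
    """(source-zone, destination-zone) pairs that a 'pass' rule allows."""
    pairs, rule = set(), {}
    for line in device_cfg.splitlines() + ["rule end"]:  # sentinel closes the last rule
        words = line.split() or ["#"]
        if words[0] == "rule":
            if rule.get("action") == "pass" and "source-zone" in rule and "destination-zone" in rule:
                pairs.add((rule["source-zone"], rule["destination-zone"]))
            rule = {}
        elif words[0] in ("action", "source-zone", "destination-zone"):
            rule[words[0]] = words[1]
    return pairs

def check_redirect_chain(router_cfg, dev_a_cfg, dev_b_cfg):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    groups_a, groups_b = vrrp_groups(dev_a_cfg), vrrp_groups(dev_b_cfg)
    vips_a = {ip for ip, _ in groups_a.values()}
    vips_b = {ip for ip, _ in groups_b.values()}
    for hop in sorted(redirect_next_hops(router_cfg)):
        if hop not in vips_a or hop not in vips_b:
            findings.append(f"next-hop {hop} is not a VRRP virtual IP on both devices")
    for vrid in sorted(set(groups_a) | set(groups_b)):
        ip_a, role_a = groups_a.get(vrid, (None, "missing"))
        ip_b, role_b = groups_b.get(vrid, (None, "missing"))
        if ip_a != ip_b:
            findings.append(f"VRID {vrid} virtual IP differs: {ip_a} vs {ip_b}")
        if {role_a, role_b} != {"active", "standby"}:
            findings.append(f"VRID {vrid} roles are {role_a}/{role_b}; expected one active, one standby")
    for name, cfg in (("Device A", dev_a_cfg), ("Device B", dev_b_cfg)):
        for src, dst in sorted({("trust", "untrust"), ("untrust", "trust")} - pass_pairs(cfg)):
            findings.append(f"{name}: no pass rule from zone {src} to zone {dst}")
    return findings

if __name__ == "__main__":
    print(check_redirect_chain(ROUTER_CFG, DEVICE_A_CFG, DEVICE_B_CFG) or "redirect chain consistent")
```

Run it against the real dumps by pasting the three `display current-configuration` outputs into the three strings; a typo in one `apply next-hop` address, a VRID left `active` on both cards, or a missing `untrust-trust` rule each produces a finding before the change reaches the network.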
# Run the following display command on Device A to verify that the HA configuration has taken effect and the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Run the following display command on Device A to view the state of the VRRP groups.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/1 2 Backup 100 100 None 10.1.1.5
FGE1/0/2 3 Master 100 100 None 10.1.2.4
FGE1/0/2 4 Backup 100 100 None 10.1.2.5
# Run the following display command on Device B to verify that the HA configuration has taken effect and the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Active Interface status changed
# Run the following display command on Device B to view the state of the VRRP groups.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/1 2 Master 100 100 None 10.1.1.5
FGE1/0/2 3 Backup 100 100 None 10.1.2.4
FGE1/0/2 4 Master 100 100 None 10.1.2.5
# Ping the Internet from Host A to test connectivity; the Internet address 20.1.1.1 is reachable.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet from Host B to test connectivity; the Internet address 20.1.1.1 is reachable.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet from Host C to test connectivity; the Internet address 20.1.1.1 is reachable.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the hosts and 20.1.1.1 are present.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
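The verification above (and the same check on the active/standby pair earlier in this document) is done by reading two display outputs by eye. As an added example that is not part of the manual, the Python script below turns that reading into a repeatable audit: it parses `display remote-backup-group status` and `display vrrp` output from both SecBlades and reports a FAIL for a control channel that is not Connected, local/remote IPs that do not mirror each other, a backup-mode mismatch, running states that do not fit the mode (both Active in Dual-active mode, one Active and one Standby in Active/standby mode) and any VRID that is not Master on exactly one card, plus a WARN when the configuration consistency check has never been run. The sample output is constructed from the display output shown above, trimmed to the lines the audit reads; field names are taken from that output and nothing else is assumed about the device.

```python
"""Audit of the HA verification output: parses 'display remote-backup-group
status' and 'display vrrp' from both SecBlades and reports FAIL/WARN findings."""
import re

# Constructed from the display output shown above for the dual-active pair,
# trimmed to the lines the audit reads.
STATUS_A = """\
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
"""
STATUS_B = (STATUS_A.replace("role: Primary", "role: Secondary")
            .replace("Local IP: 1.1.1.1", "Local IP: 1.1.1.2")
            .replace("Remote IP: 1.1.1.2", "Remote IP: 1.1.1.1"))
VRRP_A = """\
Interface VRID State Running Adver Auth Virtual
                    Pri     Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/1 2 Backup 100 100 None 10.1.1.5
FGE1/0/2 3 Master 100 100 None 10.1.2.4
FGE1/0/2 4 Backup 100 100 None 10.1.2.5
"""
# On Device B every group is in the opposite state.
VRRP_B = VRRP_A.replace("Master", "@").replace("Backup", "Master").replace("@", "Backup")

VRRP_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(Master|Backup|Initialize)\s+\d+\s+\d+\s+\S+\s+(\S+)$")

def parse_status(text):
    """'Key: value' lines of the status output as a dict (one line carries two fields)."""
    fields = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(": ")
        if sep:
            fields[key.strip()] = rest.split(" Destination port: ")[0].strip()
    return fields

def parse_vrrp(text):
    """VRID -> (interface, state, virtual IP) from the 'display vrrp' table."""
    rows = {}
    for line in text.splitlines():
        m = VRRP_ROW_RE.match(line.strip())
        if m:
            rows[int(m.group(2))] = (m.group(1), m.group(3), m.group(4))
    return rows

def audit_pair(status_a, status_b, vrrp_a, vrrp_b):
    """Return FAIL:/WARN: findings; no FAIL line means the pair is healthy."""
    out = []
    sa, sb = parse_status(status_a), parse_status(status_b)
    for name, s in (("Device A", sa), ("Device B", sb)):
        if s.get("Control channel status") != "Connected":
            out.append(f"FAIL: {name} control channel is {s.get('Control channel status')}")
        if s.get("Configuration consistency check result") == "Not Performed":
            out.append(f"WARN: {name} has never run a configuration consistency check")
    if sa.get("Local IP") != sb.get("Remote IP") or sb.get("Local IP") != sa.get("Remote IP"):
        out.append("FAIL: local/remote IPs of the two devices do not mirror each other")
    mode = sa.get("Backup mode")
    if mode != sb.get("Backup mode"):
        out.append(f"FAIL: backup mode differs ({mode} vs {sb.get('Backup mode')})")
    running = {sa.get("Device running status"), sb.get("Device running status")}
    expected = {"Active"} if mode == "Dual-active" else {"Active", "Standby"}
    if running != expected:
        out.append(f"FAIL: running states {sorted(map(str, running))} do not fit {mode} mode")
    va, vb = parse_vrrp(vrrp_a), parse_vrrp(vrrp_b)
    for vrid in sorted(set(va) | set(vb)):
        _, st_a, ip_a = va.get(vrid, (None, "missing", None))
        _, st_b, ip_b = vb.get(vrid, (None, "missing", None))
        if ip_a != ip_b:
            out.append(f"FAIL: VRID {vrid} virtual IP differs ({ip_a} vs {ip_b})")
        if {st_a, st_b} != {"Master", "Backup"}:
            out.append(f"FAIL: VRID {vrid} states are {st_a}/{st_b}; expected one Master, one Backup")
    return out

if __name__ == "__main__":
    print("\n".join(audit_pair(STATUS_A, STATUS_B, VRRP_A, VRRP_B)))
```

On the output shown above the only findings are the two WARN lines for the consistency check, which matches the `Not Performed` result in both displays; feeding the script the saved output of both cards after each change or failover gives a quick split-brain check (a VRID reported Master on both cards) without re-reading the tables.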
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
undo ip fast-forwarding load-sharing
#
vlan 40
#
vlan 50
#
vlan 1111
#
policy-based-route internetin permit node 10
if-match acl 3004
apply loadshare next-hop
apply next-hop 10.1.2.4 weight 1
apply next-hop 10.1.2.5 weight 1
#
policy-based-route vlan10out permit node 10
if-match acl 3001
apply loadshare next-hop
apply next-hop 10.1.1.4 weight 1
apply next-hop 10.1.1.5 weight 1
#
policy-based-route vlan20out permit node 10
if-match acl 3002
apply loadshare next-hop
apply next-hop 10.1.1.4 weight 1
apply next-hop 10.1.1.5 weight 1
#
policy-based-route vlan30out permit node 10
if-match acl 3003
apply loadshare next-hop
apply next-hop 10.1.1.4 weight 1
apply next-hop 10.1.1.5 weight 1
#
interface Vlan-interface40
ip address 10.1.1.1 255.255.255.0
ip last-hop hold
#
interface Vlan-interface50
ip address 10.1.2.1 255.255.255.0
ip last-hop hold
#
interface GigabitEthernet1/0/1.10
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
ip policy-based-route vlan10out
#
interface GigabitEthernet1/0/1.20
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
ip policy-based-route vlan20out
#
interface GigabitEthernet1/0/1.30
ip address 192.168.30.1 255.255.255.0
vlan-type dot1q vid 30
ip policy-based-route vlan30out
#
interface GigabitEthernet1/0/2
ip address 20.1.1.1 255.255.255.0
ip policy-based-route internetin
#
interface FortyGigE2/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE2/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE2/0/3
port link-mode bridge
port access vlan 1111
#
interface FortyGigE3/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE3/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE3/0/3
port link-mode bridge
port access vlan 1111
#
acl advanced 3001
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3002
rule 0 permit ip source 192.168.20.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3003
rule 0 permit ip source 192.168.30.0 0.0.0.255 destination 20.1.1.0 0.0.0.255
#
acl advanced 3004
rule 0 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 5 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip source 20.1.1.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#
#
interface FortyGigE1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 active
vrrp vrid 2 virtual-ip 10.1.1.5 standby
#
interface FortyGigE1/0/2
ip address 10.1.2.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.2.4 active
vrrp vrid 4 virtual-ip 10.1.2.5 standby
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
interface FortyGigE1/0/1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 standby
vrrp vrid 2 virtual-ip 10.1.1.5 active
#
interface FortyGigE1/0/2
ip address 10.1.2.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.2.4 standby
vrrp vrid 4 virtual-ip 10.1.2.5 active
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through the access switch Switch and the router Router. For security, two SecBlade cards, Device A and Device B, are deployed in Router to provide protection. The requirements are as follows:
· Switch places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently forwards traffic between the hosts and the Internet.
· Router connects to the hosts, the Internet and the Devices at Layer 3; its downstream interfaces and Vlan-interface40 are placed in VPN instance host, its upstream interface and Vlan-interface50 in VPN instance internet, and it forwards traffic between the hosts and the Internet according to static routes.
· The Devices connect to Router at Layer 3 and forward traffic between the hosts and the Internet according to static routes; Device A and Device B operate as a dual-active backup pair.
Figure 4-3 Network diagram: in-path Layer 3 dual-active SecBlade card deployment (with VRFs)
Figure 4-4 Logical network diagram: in-path Layer 3 dual-active SecBlade card deployment (with VRFs)
| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| Host A | - | 192.168.10.15/24 | Device A | FGE1/0/1 | 10.1.1.2/30 |
| Host B | - | 192.168.20.15/24 | | FGE1/0/2 | 10.1.2.2/30 |
| Host C | - | 192.168.30.15/24 | | FGE1/0/3 | 1.1.1.1/30 |
| Router | GE1/0/1.10 | 192.168.10.1/24 | Device B | FGE1/0/1 | 10.1.1.3/30 |
| | GE1/0/1.20 | 192.168.20.1/24 | | FGE1/0/2 | 10.1.2.3/30 |
| | GE1/0/1.30 | 192.168.30.1/24 | | FGE1/0/3 | 1.1.1.2/30 |
| | Vlan-interface40 | 10.1.1.1/24 | | | |
| | Vlan-interface50 | 10.1.2.1/24 | | | |
| | GE1/0/2 | 20.1.1.1/24 | | | |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port gigabitethernet 1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port gigabitethernet 1/0/2
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] port gigabitethernet 1/0/3
[Switch-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets from VLAN 10, VLAN 20 and VLAN 30.
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk
[Switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[Switch-GigabitEthernet1/0/4] quit
# Create VPN instances host and internet.
[Router] ip vpn-instance host
[Router-vpn-instance-host] quit
[Router] ip vpn-instance internet
[Router-vpn-instance-internet] quit
# Switch FortyGigE2/0/1, FortyGigE2/0/2, FortyGigE2/0/3, FortyGigE3/0/1, FortyGigE3/0/2 and FortyGigE3/0/3 to Layer 2 (bridge) mode.
[Router] interface range fortygige 2/0/1 fortygige 2/0/2 fortygige 2/0/3 fortygige 3/0/1 fortygige 3/0/2 fortygige 3/0/3
[Router-if-range] port link-mode bridge
[Router-if-range] quit
# Create VLAN 40, VLAN 50 and VLAN 1111. Assign FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50, and FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
[Router] vlan 40
[Router-vlan40] port fortygige 2/0/1 fortygige 3/0/1
[Router-vlan40] quit
[Router] vlan 50
[Router-vlan50] port fortygige 2/0/2 fortygige 3/0/2
[Router-vlan50] quit
[Router] vlan 1111
[Router-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[Router-vlan1111] quit
# Create VLAN-interface 40 and VLAN-interface 50, bind them to the VPN instances, configure their IP addresses, and enable last-hop holding for forwarding.
[Router] interface vlan-interface 40
[Router-Vlan-interface40] ip binding vpn-instance host
[Router-Vlan-interface40] ip address 10.1.1.1 24
[Router-Vlan-interface40] ip last-hop hold
[Router-Vlan-interface40] quit
[Router] interface vlan-interface 50
[Router-Vlan-interface50] ip binding vpn-instance internet
[Router-Vlan-interface50] ip address 10.1.2.1 24
[Router-Vlan-interface50] ip last-hop hold
[Router-Vlan-interface50] quit
# Create Layer 3 subinterfaces GigabitEthernet1/0/1.10, GigabitEthernet1/0/1.20 and GigabitEthernet1/0/1.30, enable Dot1q termination on them for VLAN 10, VLAN 20 and VLAN 30 respectively, bind them to the VPN instance, and configure their IP addresses.
[Router] interface gigabitethernet 1/0/1.10
[Router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10
[Router-GigabitEthernet1/0/1.10] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24
[Router-GigabitEthernet1/0/1.10] quit
[Router] interface gigabitethernet 1/0/1.20
[Router-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20
[Router-GigabitEthernet1/0/1.20] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.20] ip address 192.168.20.1 24
[Router-GigabitEthernet1/0/1.20] quit
[Router] interface gigabitethernet 1/0/1.30
[Router-GigabitEthernet1/0/1.30] vlan-type dot1q vid 30
[Router-GigabitEthernet1/0/1.30] ip binding vpn-instance host
[Router-GigabitEthernet1/0/1.30] ip address 192.168.30.1 24
[Router-GigabitEthernet1/0/1.30] quit
# Configure the IP address of GigabitEthernet1/0/2 and bind the interface to the VPN instance.
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip binding vpn-instance internet
[Router-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[Router-GigabitEthernet1/0/2] quit
# Configure equal-cost static routes to direct upstream and downstream forwarding.
[Router] ip route-static vpn-instance host 20.1.1.0 24 vpn-instance host 10.1.1.4
[Router] ip route-static vpn-instance host 20.1.1.0 24 vpn-instance host 10.1.1.5
[Router] ip route-static vpn-instance internet 192.168.10.0 24 vpn-instance internet 10.1.2.4
[Router] ip route-static vpn-instance internet 192.168.20.0 24 vpn-instance internet 10.1.2.4
[Router] ip route-static vpn-instance internet 192.168.30.0 24 vpn-instance internet 10.1.2.4
[Router] ip route-static vpn-instance internet 192.168.10.0 24 vpn-instance internet 10.1.2.5
[Router] ip route-static vpn-instance internet 192.168.20.0 24 vpn-instance internet 10.1.2.5
[Router] ip route-static vpn-instance internet 192.168.30.0 24 vpn-instance internet 10.1.2.5
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, configure VRRP groups 1, 2, 3 and 4, and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] vrrp vrid 2 virtual-ip 10.1.1.5 standby
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 3 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] vrrp vrid 4 virtual-ip 10.1.2.5 standby
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure a security policy that permits traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to guide upstream and downstream forwarding.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, create VRRP groups 1, 2, 3 and 4, and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] vrrp vrid 2 virtual-ip 10.1.1.5 active
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 3 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] vrrp vrid 4 virtual-ip 10.1.2.5 active
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure a security policy that permits traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to guide upstream and downstream forwarding.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] backup-mode dual-active
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
# Run the following display command on Device A to verify that the HA configuration has taken effect and that the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Run the following display command on Device A to view the status of the VRRP groups.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/1 2 Backup 100 100 None 10.1.1.5
FGE1/0/2 3 Master 100 100 None 10.1.2.4
FGE1/0/2 4 Backup 100 100 None 10.1.2.5
# Run the following display command on Device B to verify that the HA configuration has taken effect and that the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Active Interface status changed
# Run the following display command on Device B to view the status of the VRRP groups.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/1 2 Master 100 100 None 10.1.1.5
FGE1/0/2 3 Backup 100 100 None 10.1.2.4
FGE1/0/2 4 Master 100 100 None 10.1.2.5
# Ping the Internet address 20.1.1.1 from Host A to test Internet connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B to test Internet connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C to test Internet connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the Hosts and 20.1.1.1 exist.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
#
ip vpn-instance host
#
ip vpn-instance internet
#
vlan 40
#
vlan 50
#
vlan 1111
#
interface Vlan-interface40
ip binding vpn-instance host
ip address 10.1.1.1 255.255.255.0
ip last-hop hold
#
interface Vlan-interface50
ip binding vpn-instance internet
ip address 10.1.2.1 255.255.255.0
ip last-hop hold
#
interface GigabitEthernet1/0/1.10
ip binding vpn-instance host
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
#
interface GigabitEthernet1/0/1.20
ip binding vpn-instance host
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/1.30
ip binding vpn-instance host
ip address 192.168.30.1 255.255.255.0
vlan-type dot1q vid 30
#
interface GigabitEthernet1/0/2
ip binding vpn-instance internet
ip address 20.1.1.1 255.255.255.0
#
interface FortyGigE2/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE2/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE2/0/3
port link-mode bridge
port access vlan 1111
#
interface FortyGigE3/0/1
port link-mode bridge
port access vlan 40
#
interface FortyGigE3/0/2
port link-mode bridge
port access vlan 50
#
interface FortyGigE3/0/3
port link-mode bridge
port access vlan 1111
#
ip route-static vpn-instance host 20.1.1.0 24 10.1.1.4
ip route-static vpn-instance host 20.1.1.0 24 10.1.1.5
ip route-static vpn-instance internet 192.168.10.0 24 10.1.2.4
ip route-static vpn-instance internet 192.168.20.0 24 10.1.2.4
ip route-static vpn-instance internet 192.168.30.0 24 10.1.2.4
ip route-static vpn-instance internet 192.168.10.0 24 10.1.2.5
ip route-static vpn-instance internet 192.168.20.0 24 10.1.2.5
ip route-static vpn-instance internet 192.168.30.0 24 10.1.2.5
#
#
interface FortyGigE1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 active
vrrp vrid 2 virtual-ip 10.1.1.5 standby
#
interface FortyGigE1/0/2
ip address 10.1.2.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.2.4 active
vrrp vrid 4 virtual-ip 10.1.2.5 standby
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
interface FortyGigE1/0/1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 standby
vrrp vrid 2 virtual-ip 10.1.1.5 active
#
interface FortyGigE1/0/2
ip address 10.1.2.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.2.4 standby
vrrp vrid 4 virtual-ip 10.1.2.5 active
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through access router Router A, aggregation switch Switch and core router Router B. For security, two SecBlade cards, Device A and Device B, are deployed on the aggregation switch Switch to provide protection. The requirements are as follows:
· Router A is the gateway of Host A, Host B and Host C and forwards Host-to-Internet traffic by static route lookup.
· Switch places its downstream service port in VLAN 40 and its upstream service port in VLAN 50, and the ports interconnecting with the Devices in VLAN 40 and VLAN 50, so that upstream and downstream traffic between the Hosts and the Internet is transparently passed to the Devices.
· The Devices connect to Router A and Router B at Layer 3 and forward traffic between the Hosts and the Internet by static route lookup; Device A and Device B back each other up in dual-active mode.
· Router B connects to the Devices at Layer 3 and forwards Internet-to-Host traffic by static route lookup.
Figure 4-5 Network diagram: Layer 3 inline dual-active deployment of SecBlade cards (with VLAN division)
Figure 4-6 Logical network diagram: Layer 3 inline dual-active deployment of SecBlade cards (with VLAN division)
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Router A | GE1/0/1 | 192.168.10.1/24
Router A | GE1/0/2 | 192.168.20.1/24
Router A | GE1/0/3 | 192.168.30.1/24
Router A | GE1/0/4 | 10.1.1.1/24
Device A | FGE1/0/1 | 10.1.1.2/24
Device A | FGE1/0/2 | 10.1.2.2/24
Device A | FGE1/0/3 | 1.1.1.1/30
Device B | FGE1/0/1 | 10.1.1.3/24
Device B | FGE1/0/2 | 10.1.2.3/24
Device B | FGE1/0/3 | 1.1.1.2/30
Router B | GE1/0/1 | 10.1.2.1/24
Router B | GE1/0/2 | 20.1.1.1/24
# Configure the IP addresses of GigabitEthernet1/0/1, GigabitEthernet1/0/2, GigabitEthernet1/0/3 and GigabitEthernet1/0/4, and enable last-hop holding (ip last-hop hold) on GigabitEthernet1/0/4.
<RouterA> system-view
[RouterA] interface GigabitEthernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 192.168.10.1 24
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface GigabitEthernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ip address 192.168.20.1 24
[RouterA-GigabitEthernet1/0/2] quit
[RouterA] interface GigabitEthernet 1/0/3
[RouterA-GigabitEthernet1/0/3] ip address 192.168.30.1 24
[RouterA-GigabitEthernet1/0/3] quit
[RouterA] interface GigabitEthernet 1/0/4
[RouterA-GigabitEthernet1/0/4] ip address 10.1.1.1 24
[RouterA-GigabitEthernet1/0/4] ip last-hop hold
[RouterA-GigabitEthernet1/0/4] quit
# Configure equal-cost static routes to guide upstream forwarding.
[RouterA] ip route-static 20.1.1.0 24 10.1.1.4
[RouterA] ip route-static 20.1.1.0 24 10.1.1.5
# Create VLAN 40, VLAN 50 and VLAN 1111. Add GigabitEthernet1/0/1, FortyGigE2/0/1 and FortyGigE3/0/1 to VLAN 40; add GigabitEthernet1/0/2, FortyGigE2/0/2 and FortyGigE3/0/2 to VLAN 50; add FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
<Switch> system-view
[Switch] vlan 40
[Switch-vlan40] port GigabitEthernet 1/0/1 fortygige 2/0/1 fortygige 3/0/1
[Switch-vlan40] quit
[Switch] vlan 50
[Switch-vlan50] port GigabitEthernet 1/0/2 fortygige 2/0/2 fortygige 3/0/2
[Switch-vlan50] quit
[Switch] vlan 1111
[Switch-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[Switch-vlan1111] quit
# Configure the IP addresses of GigabitEthernet1/0/1 and GigabitEthernet1/0/2, and enable last-hop holding (ip last-hop hold) on GigabitEthernet1/0/1.
<RouterB> system-view
[RouterB] interface GigabitEthernet 1/0/1
[RouterB-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[RouterB-GigabitEthernet1/0/1] ip last-hop hold
[RouterB-GigabitEthernet1/0/1] quit
[RouterB] interface GigabitEthernet 1/0/2
[RouterB-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[RouterB-GigabitEthernet1/0/2] quit
# Configure equal-cost static routes to guide downstream forwarding.
[RouterB] ip route-static 192.168.10.0 24 10.1.2.4
[RouterB] ip route-static 192.168.10.0 24 10.1.2.5
[RouterB] ip route-static 192.168.20.0 24 10.1.2.4
[RouterB] ip route-static 192.168.20.0 24 10.1.2.5
[RouterB] ip route-static 192.168.30.0 24 10.1.2.4
[RouterB] ip route-static 192.168.30.0 24 10.1.2.5
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, create VRRP groups 1, 2, 3 and 4, and associate them with HA.
<DeviceA> system-view
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] ip address 10.1.1.2 24
[DeviceA-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 active
[DeviceA-FortyGigE1/0/1] vrrp vrid 2 virtual-ip 10.1.1.5 standby
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] ip address 10.1.2.2 24
[DeviceA-FortyGigE1/0/2] vrrp vrid 3 virtual-ip 10.1.2.4 active
[DeviceA-FortyGigE1/0/2] vrrp vrid 4 virtual-ip 10.1.2.5 standby
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceA-security-zone-Untrust] quit
# Configure a security policy that permits traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Configure static routes to guide upstream and downstream forwarding.
[DeviceA] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceA] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceA] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Configure the IP addresses of FortyGigE1/0/1, FortyGigE1/0/2 and FortyGigE1/0/3, create VRRP groups 1, 2, 3 and 4, and associate them with HA.
<DeviceB> system-view
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] ip address 10.1.1.3 24
[DeviceB-FortyGigE1/0/1] vrrp vrid 1 virtual-ip 10.1.1.4 standby
[DeviceB-FortyGigE1/0/1] vrrp vrid 2 virtual-ip 10.1.1.5 active
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] ip address 10.1.2.3 24
[DeviceB-FortyGigE1/0/2] vrrp vrid 3 virtual-ip 10.1.2.4 standby
[DeviceB-FortyGigE1/0/2] vrrp vrid 4 virtual-ip 10.1.2.5 active
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add FortyGigE1/0/1 and FortyGigE1/0/2 to security zones Trust and Untrust respectively.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2
[DeviceB-security-zone-Untrust] quit
# Configure a security policy that permits traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Configure static routes to guide upstream and downstream forwarding.
[DeviceB] ip route-static 192.168.10.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.20.0 24 10.1.1.1
[DeviceB] ip route-static 192.168.30.0 24 10.1.1.1
[DeviceB] ip route-static 20.1.1.0 24 10.1.2.1
# Configure RBM for high availability.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] backup-mode dual-active
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
# Run the following display command on Device A to verify that the HA configuration has taken effect and that the HA channel is established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Run the following display command on Device A to view the status of the VRRP groups.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/1 2 Backup 100 100 None 10.1.1.5
FGE1/0/2 3 Master 100 100 None 10.1.2.4
FGE1/0/2 4 Backup 100 100 None 10.1.2.5
# Run the following display command on Device B to verify that the HA configuration has taken effect and that the HA channel is established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Active Interface status changed
# Run the following display command on Device B to view the status of the VRRP groups.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/1 2 Master 100 100 None 10.1.1.5
FGE1/0/2 3 Backup 100 100 None 10.1.2.4
FGE1/0/2 4 Master 100 100 None 10.1.2.5
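Operators usually script the check that the four outputs above (from both this example and the previous one) are read for, rather than comparing them by eye. The following Python is an added example, not H3C code: it parses excerpts of the two `display remote-backup-group status` and `display vrrp` outputs and reports anything that deviates from the expected dual-active state (control channel connected, mirrored data-channel addresses, one Primary and one Secondary, and exactly one Master per VRID with the same virtual IP on both sides). The sample strings are constructed from the outputs shown on this page; all function names are this example's own.

```python
import re

# Excerpts of the two devices' display output from this page (constructed sample input).
DEVICE_A_RBM = """\
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Session backup status: Hot backup enabled
"""
DEVICE_B_RBM = """\
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Session backup status: Hot backup enabled
"""
DEVICE_A_VRRP = """\
Interface VRID State Running Adver Auth Virtual
                    Pri     Timer Type IP
---------------------------------------------------------------------
FGE1/0/1 1 Master 100 100 None 10.1.1.4
FGE1/0/1 2 Backup 100 100 None 10.1.1.5
FGE1/0/2 3 Master 100 100 None 10.1.2.4
FGE1/0/2 4 Backup 100 100 None 10.1.2.5
"""
DEVICE_B_VRRP = """\
FGE1/0/1 1 Backup 100 100 None 10.1.1.4
FGE1/0/1 2 Master 100 100 None 10.1.1.5
FGE1/0/2 3 Backup 100 100 None 10.1.2.4
FGE1/0/2 4 Master 100 100 None 10.1.2.5
"""

# One data row of display vrrp: interface, VRID, state, running pri, adver timer, auth type, virtual IP.
VRRP_ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(Master|Backup|Initialize)\s+\d+\s+\d+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_rbm_status(text):
    """Turn the 'Key: value' lines of display remote-backup-group status into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # The Remote IP line carries a second pair ('Destination port: 60064') on the same line.
        if "Destination port:" in line:
            line, port = line.split("Destination port:")
            fields["Destination port"] = port.strip()
        if ": " in line and not line[0].isdigit():  # skips the timestamped switchover records
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_vrrp(text):
    """Map VRID -> (interface, state, virtual IP) from the display vrrp table; header rows are ignored."""
    groups = {}
    for line in text.splitlines():
        m = VRRP_ROW.match(line.strip())
        if m:
            groups[int(m.group(2))] = (m.group(1), m.group(3), m.group(4))
    return groups


def parse_pair(rbm_text, vrrp_text):
    return parse_rbm_status(rbm_text), parse_vrrp(vrrp_text)


def check_dual_active(dev_a, dev_b):
    """Return a list of findings for the RBM pair; an empty list means the pair looks as expected."""
    findings = []
    for name, (rbm, _) in (("Device A", dev_a), ("Device B", dev_b)):
        if rbm.get("Backup mode") != "Dual-active":
            findings.append(f"{name}: backup mode {rbm.get('Backup mode')!r}, expected Dual-active")
        if rbm.get("Control channel status") != "Connected":
            findings.append(f"{name}: control channel is {rbm.get('Control channel status')}")
        if rbm.get("Device running status") != "Active":
            findings.append(f"{name}: running status {rbm.get('Device running status')!r}, expected Active")
    roles = {dev_a[0].get("Device management role"), dev_b[0].get("Device management role")}
    if roles != {"Primary", "Secondary"}:
        findings.append(f"management roles {sorted(roles, key=str)} are not one Primary and one Secondary")
    if (dev_a[0].get("Local IP"), dev_a[0].get("Remote IP")) != (dev_b[0].get("Remote IP"), dev_b[0].get("Local IP")):
        findings.append("data-channel local/remote IPs of the two devices do not mirror each other")
    # Every VRRP group must exist on both devices, with the same virtual IP and exactly one Master.
    for vrid in sorted(set(dev_a[1]) | set(dev_b[1])):
        ga, gb = dev_a[1].get(vrid), dev_b[1].get(vrid)
        if ga is None or gb is None:
            findings.append(f"VRID {vrid}: configured on only one device")
            continue
        if ga[2] != gb[2]:
            findings.append(f"VRID {vrid}: virtual IPs differ ({ga[2]} vs {gb[2]})")
        if sorted((ga[1], gb[1])) != ["Backup", "Master"]:
            findings.append(f"VRID {vrid}: states {ga[1]}/{gb[1]}, expected one Master and one Backup")
    return findings


if __name__ == "__main__":
    result = check_dual_active(parse_pair(DEVICE_A_RBM, DEVICE_A_VRRP),
                               parse_pair(DEVICE_B_RBM, DEVICE_B_VRRP))
    print("findings:", result or "none (pair healthy)")
```

A VRID reported with two Masters after the control channel drops is the split-brain case this check is meant to catch early.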
# Ping the Internet address 20.1.1.1 from Host A to test Internet connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B to test Internet connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C to test Internet connectivity; the ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device; sessions between the Hosts and 20.1.1.1 exist.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
#
interface GigabitEthernet1/0/1
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 10.1.1.1 255.255.255.0
ip last-hop hold
#
ip route-static 20.1.1.0 24 10.1.1.4
ip route-static 20.1.1.0 24 10.1.1.5
#
#
vlan 40
#
vlan 50
#
vlan 1111
#
interface GigabitEthernet1/0/1
port access vlan 40
#
interface GigabitEthernet1/0/2
port access vlan 50
#
interface FortyGigE2/0/1
port access vlan 40
#
interface FortyGigE2/0/2
port access vlan 50
#
interface FortyGigE2/0/3
port access vlan 1111
#
interface FortyGigE3/0/1
port access vlan 40
#
interface FortyGigE3/0/2
port access vlan 50
#
interface FortyGigE3/0/3
port access vlan 1111
#
#
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
ip last-hop hold
#
interface GigabitEthernet1/0/2
ip address 20.1.1.1 255.255.255.0
#
ip route-static 192.168.10.0 24 10.1.2.4
ip route-static 192.168.10.0 24 10.1.2.5
ip route-static 192.168.20.0 24 10.1.2.4
ip route-static 192.168.20.0 24 10.1.2.5
ip route-static 192.168.30.0 24 10.1.2.4
ip route-static 192.168.30.0 24 10.1.2.5
#
#
interface FortyGigE1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 active
vrrp vrid 2 virtual-ip 10.1.1.5 standby
#
interface FortyGigE1/0/2
ip address 10.1.2.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.2.4 active
vrrp vrid 4 virtual-ip 10.1.2.5 standby
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
interface FortyGigE1/0/1
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.4 standby
vrrp vrid 2 virtual-ip 10.1.1.5 active
#
interface FortyGigE1/0/2
ip address 10.1.2.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.2.4 standby
vrrp vrid 4 virtual-ip 10.1.2.5 active
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
security-zone name Trust
import interface FortyGigE1/0/1
#
security-zone name Untrust
import interface FortyGigE1/0/2
#
ip route-static 20.1.1.0 24 10.1.2.1
ip route-static 192.168.10.0 24 10.1.1.1
ip route-static 192.168.20.0 24 10.1.1.1
ip route-static 192.168.30.0 24 10.1.1.1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, two SecBlade cards, Device A and Device B, are deployed on aggregation switch Switch B to provide protection. The requirements are as follows:
· Switch A places Host A, Host B and Host C in VLAN 10, VLAN 20 and VLAN 30 respectively and transparently passes traffic between the Hosts and the Internet.
· Switch B places its upstream and downstream service ports, as well as the ports interconnecting with the Devices, in VLAN 10, VLAN 20 and VLAN 30; QoS redirects the upstream and downstream traffic between the Hosts and the Internet to the Devices, and the return traffic is redirected by QoS in the opposite direction.
· The Devices' upstream and downstream service ports are in VLAN 10, VLAN 20 and VLAN 30 and transparently pass traffic between the Hosts and the Internet; Device A and Device B back each other up in dual-active mode.
· Switch C is the gateway of Host A, Host B and Host C and forwards traffic between the Hosts and the Internet by route lookup.
Figure 4-7 Network diagram: side-mounted dual-active deployment of SecBlade cards with Layer 2 traffic steering
Figure 4-8 Logical network diagram: side-mounted dual-active deployment of SecBlade cards with Layer 2 traffic steering
Device | Interface | IP address
Host A | - | 192.168.10.15/24
Host B | - | 192.168.20.15/24
Host C | - | 192.168.30.15/24
Switch C | Vlan-interface10 | 192.168.10.1/24
Switch C | Vlan-interface20 | 192.168.20.1/24
Switch C | Vlan-interface30 | 192.168.30.1/24
Switch C | GE1/0/2 | 20.1.1.1/24
Device A | FGE1/0/3 | 1.1.1.1/30
Device B | FGE1/0/3 | 1.1.1.2/30
# Create VLAN 10, VLAN 20 and VLAN 30, and add GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
# Create VLAN 10, VLAN 20, VLAN 30 and VLAN 1111, and add FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] vlan 1111
[SwitchB-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[SwitchB-vlan1111] quit
# Create Layer 2 aggregate interfaces 1 and 2. Configure the aggregation group of aggregate interface 1 to load-share by packet source IP address and that of aggregate interface 2 to load-share by packet destination IP address (so that the forward and return paths of a flow stay on the same Device). Add FortyGigE2/0/1 and FortyGigE3/0/1 to aggregation group 1, and FortyGigE2/0/2 and FortyGigE3/0/2 to aggregation group 2.
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] link-aggregation load-sharing mode source-ip
[SwitchB-Bridge-Aggregation1] quit
[SwitchB] interface bridge-aggregation 2
[SwitchB-Bridge-Aggregation2] link-aggregation load-sharing mode destination-ip
[SwitchB-Bridge-Aggregation2] quit
[SwitchB] interface range fortygige 2/0/1 fortygige 3/0/1
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
[SwitchB] interface range fortygige 2/0/2 fortygige 3/0/2
[SwitchB-if-range] port link-aggregation group 2
[SwitchB-if-range] quit
# Disable MAC address learning on Layer 2 aggregate interfaces 1 and 2 (to prevent MAC address flapping) and disable the spanning tree protocol on them (so that STP cannot stop the ports from forwarding and receiving packets).
[SwitchB] interface range bridge-aggregation 1 bridge-aggregation 2
[SwitchB-if-range] undo mac-address mac-learning enable
[SwitchB-if-range] undo stp enable
[SwitchB-if-range] quit
# Configure GigabitEthernet1/0/1, GigabitEthernet1/0/2 and Layer 2 aggregate interfaces 1 and 2 as trunk ports and permit packets of VLAN 10, VLAN 20 and VLAN 30.
[SwitchB] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 bridge-aggregation 1 bridge-aggregation 2
[SwitchB-if-range] port link-type trunk
[SwitchB-if-range] port trunk permit vlan 10 20 30
[SwitchB-if-range] quit
# Define a traffic class that matches VLAN 10, VLAN 20 and VLAN 30.
[SwitchB] traffic classifier servicevlan
[SwitchB-classifier-servicevlan] if-match service-vlan-id 10 20 30
[SwitchB-classifier-servicevlan] quit
# Define traffic behaviors whose action is to redirect packets to the corresponding interface.
[SwitchB] traffic behavior gigabitethernet1/0/1
[SwitchB-behavior-gigabitethernet1/0/1] redirect interface gigabitethernet 1/0/1
[SwitchB-behavior-gigabitethernet1/0/1] quit
[SwitchB] traffic behavior gigabitethernet1/0/2
[SwitchB-behavior-gigabitethernet1/0/2] redirect interface gigabitethernet 1/0/2
[SwitchB-behavior-gigabitethernet1/0/2] quit
[SwitchB] traffic behavior bagg1
[SwitchB-behavior-bagg1] redirect interface bridge-aggregation 1
[SwitchB-behavior-bagg1] quit
[SwitchB] traffic behavior bagg2
[SwitchB-behavior-bagg2] redirect interface bridge-aggregation 2
[SwitchB-behavior-bagg2] quit
# Define QoS policies that bind the class to each behavior.
[SwitchB] qos policy gigabitethernet1/0/1
[SwitchB-qospolicy-gigabitethernet1/0/1] classifier servicevlan behavior gigabitethernet1/0/1
[SwitchB-qospolicy-gigabitethernet1/0/1] quit
[SwitchB] qos policy gigabitethernet1/0/2
[SwitchB-qospolicy-gigabitethernet1/0/2] classifier servicevlan behavior gigabitethernet1/0/2
[SwitchB-qospolicy-gigabitethernet1/0/2] quit
[SwitchB] qos policy bagg1
[SwitchB-qospolicy-bagg1] classifier servicevlan behavior bagg1
[SwitchB-qospolicy-bagg1] quit
[SwitchB] qos policy bagg2
[SwitchB-qospolicy-bagg2] classifier servicevlan behavior bagg2
[SwitchB-qospolicy-bagg2] quit
# Apply the policies to the inbound direction of the ports: traffic entering the host-side port GigabitEthernet1/0/1 is redirected to aggregate interface 1 and traffic entering the Internet-side port GigabitEthernet1/0/2 to aggregate interface 2; traffic returning from the cards on the group 1 member ports is redirected to GigabitEthernet1/0/1 and on the group 2 member ports to GigabitEthernet1/0/2.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] qos apply policy bagg1 inbound
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] qos apply policy bagg2 inbound
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface fortygige 2/0/1
[SwitchB-FortyGigE2/0/1] qos apply policy gigabitethernet1/0/1 inbound
[SwitchB-FortyGigE2/0/1] quit
[SwitchB] interface fortygige 2/0/2
[SwitchB-FortyGigE2/0/2] qos apply policy gigabitethernet1/0/2 inbound
[SwitchB-FortyGigE2/0/2] quit
[SwitchB] interface fortygige 3/0/1
[SwitchB-FortyGigE3/0/1] qos apply policy gigabitethernet1/0/1 inbound
[SwitchB-FortyGigE3/0/1] quit
[SwitchB] interface fortygige 3/0/2
[SwitchB-FortyGigE3/0/2] qos apply policy gigabitethernet1/0/2 inbound
[SwitchB-FortyGigE3/0/2] quit
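The redirect plan above is what keeps Switch B from bridging host traffic straight to the Internet port: all four service ports carry the same VLANs, so without the inbound redirects ordinary VLAN forwarding would carry frames from GigabitEthernet1/0/1 to GigabitEthernet1/0/2 directly and the cards would never see them. The following script is an added example, not part of the H3C document. It parses the Switch B commands above (copied from the page as a constructed sample), resolves each `qos apply policy` through its policy and behavior to the redirect target, and traces a frame from each edge port to check that it cannot reach the opposite edge port without passing through a card. Two things are assumptions of the example rather than facts from the page: the simplified forwarding model (a port with no redirect bridges to every other port in the VLAN) and the pairing of FortyGigEs/0/1 with FortyGigEs/0/2 as the two sides of the card in slot s.

```python
import re

# Switch B commands from the example above (constructed input: copied from the
# page and trimmed to what the check needs; one leading space marks sub-commands).
SWITCH_B_CONFIG = """\
traffic behavior gigabitethernet1/0/1
 redirect interface GigabitEthernet1/0/1
traffic behavior gigabitethernet1/0/2
 redirect interface GigabitEthernet1/0/2
traffic behavior bagg1
 redirect interface Bridge-Aggregation1
traffic behavior bagg2
 redirect interface Bridge-Aggregation2
qos policy gigabitethernet1/0/1
 classifier servicevlan behavior gigabitethernet1/0/1
qos policy gigabitethernet1/0/2
 classifier servicevlan behavior gigabitethernet1/0/2
qos policy bagg1
 classifier servicevlan behavior bagg1
qos policy bagg2
 classifier servicevlan behavior bagg2
interface GigabitEthernet1/0/1
 qos apply policy bagg1 inbound
interface GigabitEthernet1/0/2
 qos apply policy bagg2 inbound
interface FortyGigE2/0/1
 qos apply policy gigabitethernet1/0/1 inbound
 port link-aggregation group 1
interface FortyGigE2/0/2
 qos apply policy gigabitethernet1/0/2 inbound
 port link-aggregation group 2
interface FortyGigE3/0/1
 qos apply policy gigabitethernet1/0/1 inbound
 port link-aggregation group 1
interface FortyGigE3/0/2
 qos apply policy gigabitethernet1/0/2 inbound
 port link-aggregation group 2
"""
HOST_SIDE, INTERNET_SIDE = "GigabitEthernet1/0/1", "GigabitEthernet1/0/2"
# Assumption: FortyGigEs/0/1 and FortyGigEs/0/2 are the two sides of the card in
# slot s, so a frame sent into one of them returns on the other after inspection.
CARD_PAIR = {"FortyGigE2/0/1": "FortyGigE2/0/2", "FortyGigE2/0/2": "FortyGigE2/0/1",
             "FortyGigE3/0/1": "FortyGigE3/0/2", "FortyGigE3/0/2": "FortyGigE3/0/1"}
SERVICE_PORTS = [HOST_SIDE, INTERNET_SIDE] + sorted(CARD_PAIR)

def parse_redirects(config):
    """Resolve `qos apply policy ... inbound` -> policy -> behavior -> redirect target.
    Returns ({ingress port: target interface}, {aggregate interface: [member ports]})."""
    target, behavior, applied, members = {}, {}, {}, {}
    kind = name = None
    for line in (l.strip() for l in config.splitlines()):
        head = re.match(r"(traffic behavior|qos policy|interface) (\S+)$", line)
        if head:
            kind, name = head.groups()
        elif kind == "traffic behavior" and line.startswith("redirect interface "):
            target[name] = line.split()[-1]
        elif kind == "qos policy" and line.startswith("classifier "):
            behavior[name] = line.split()[-1]
        elif kind == "interface" and line.startswith("qos apply policy "):
            applied[name] = line.split()[3]
        elif kind == "interface" and line.startswith("port link-aggregation group "):
            members.setdefault("Bridge-Aggregation" + line.split()[-1], []).append(name)
    return {p: target[behavior[pol]] for p, pol in applied.items()}, members

def egress_ports(port, redirects, members):
    """Forwarding model (assumption): a redirect wins, an aggregate target fans out
    to its member ports, and a port without a redirect bridges to every other port."""
    if port in redirects:
        return members.get(redirects[port], [redirects[port]])
    return [p for p in SERVICE_PORTS if p != port]

def trace(ingress, redirects, members):
    """Follow a frame from `ingress` to every edge port it can leave on.
    Returns [(exit port, passed through a card?)]."""
    seen, stack, exits = set(), [(ingress, False)], []
    while stack:
        port, inspected = stack.pop()
        if (port, inspected) in seen:
            continue
        seen.add((port, inspected))
        for out in egress_ports(port, redirects, members):
            if out in CARD_PAIR:                      # up into the SecBlade card...
                stack.append((CARD_PAIR[out], True))  # ...and back on its other side
            else:
                exits.append((out, inspected))
    return exits

def bypass_paths(config):
    """Sorted (ingress, exit) pairs on which host<->Internet traffic skips the
    cards; an empty list means the redirect plan is closed."""
    redirects, members = parse_redirects(config)
    bad = set()
    for src, dst in ((HOST_SIDE, INTERNET_SIDE), (INTERNET_SIDE, HOST_SIDE)):
        bad.update((src, out) for out, inspected in trace(src, redirects, members)
                   if out == dst and not inspected)
    return sorted(bad)

# The same plan with the host-side policy forgotten: plain same-VLAN bridging then
# carries host traffic straight to the Internet port, around the firewall.
MISSING_HOST_POLICY = SWITCH_B_CONFIG.replace(" qos apply policy bagg1 inbound\n", "")

print("complete plan:", bypass_paths(SWITCH_B_CONFIG))       # []
print("missing policy:", bypass_paths(MISSING_HOST_POLICY))  # [('GigabitEthernet1/0/1', 'GigabitEthernet1/0/2')]
```

The same trace can be run against a `display current-configuration` dump after any change to the Switch B policies; the one line that matters for security is the empty list from `bypass_paths`, and the `MISSING_HOST_POLICY` case shows how a single forgotten `qos apply policy` turns into a firewall bypass rather than an outage.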
# Create VLAN 10, VLAN 20 and VLAN 30.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] vlan 20
[SwitchC-vlan20] quit
[SwitchC] vlan 30
[SwitchC-vlan30] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass through.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30
[SwitchC-GigabitEthernet1/0/1] quit
# Create VLAN-interface 10, VLAN-interface 20 and VLAN-interface 30 and assign IP addresses to them.
[SwitchC] interface vlan-interface 10
[SwitchC-Vlan-interface10] ip address 192.168.10.1 24
[SwitchC-Vlan-interface10] quit
[SwitchC] interface vlan-interface 20
[SwitchC-Vlan-interface20] ip address 192.168.20.1 24
[SwitchC-Vlan-interface20] quit
[SwitchC] interface vlan-interface 30
[SwitchC-Vlan-interface30] ip address 192.168.30.1 24
[SwitchC-Vlan-interface30] quit
# Switch GigabitEthernet1/0/2 to Layer 3 mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N]:y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] quit
[DeviceA] vlan 30
[DeviceA-vlan30] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 mode.
[DeviceA] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] quit
# Configure FortyGigE1/0/1 and FortyGigE1/0/2 as trunk ports and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass through.
[DeviceA] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 10 20 30
[DeviceA-if-range] quit
# Add VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/1 to security zone Trust, and VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/2 to security zone Untrust.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface fortygige 1/0/1 vlan 10 20 30
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface fortygige 1/0/2 vlan 10 20 30
[DeviceA-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] track interface fortygige 1/0/1
RBM_P[DeviceA-remote-backup-group] track interface fortygige 1/0/2
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Create VLAN 10, VLAN 20 and VLAN 30.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] quit
[DeviceB] vlan 20
[DeviceB-vlan20] quit
[DeviceB] vlan 30
[DeviceB-vlan30] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 mode.
[DeviceB] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceB-if-range] port link-mode bridge
[DeviceB-if-range] quit
# Configure FortyGigE1/0/1 and FortyGigE1/0/2 as trunk ports and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass through.
[DeviceB] interface range fortygige 1/0/1 fortygige 1/0/2
[DeviceB-if-range] port link-type trunk
[DeviceB-if-range] port trunk permit vlan 10 20 30
[DeviceB-if-range] quit
# Add VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/1 to security zone Trust, and VLAN 10, VLAN 20 and VLAN 30 of FortyGigE1/0/2 to security zone Untrust.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface fortygige 1/0/1 vlan 10 20 30
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface fortygige 1/0/2 vlan 10 20 30
[DeviceB-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface fortygige 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] backup-mode dual-active
RBM_S[DeviceB-remote-backup-group] track interface fortygige 1/0/1
RBM_S[DeviceB-remote-backup-group] track interface fortygige 1/0/2
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
# Run the following display command on Device A to verify that the HA configuration has taken effect and the HA channel has been established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Run the following display command on Device B to verify that the HA configuration has taken effect and the HA channel has been established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Active Interface status changed
# Ping the Internet address 20.1.1.1 from Host A. The ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B. The ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C. The ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device. Sessions between each host and 20.1.1.1 exist.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/10/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/20/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/30/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Switch A:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
Switch B:
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 1111
#
traffic classifier servicevlan
if-match service-vlan-id 10 20 30
#
traffic behavior bagg1
redirect interface Bridge-Aggregation1
#
traffic behavior bagg2
redirect interface Bridge-Aggregation2
#
traffic behavior gigabitethernet1/0/1
redirect interface GigabitEthernet1/0/1
#
traffic behavior gigabitethernet1/0/2
redirect interface GigabitEthernet1/0/2
#
qos policy bagg1
classifier servicevlan behavior bagg1
#
qos policy bagg2
classifier servicevlan behavior bagg2
#
qos policy gigabitethernet1/0/1
classifier servicevlan behavior gigabitethernet1/0/1
#
qos policy gigabitethernet1/0/2
classifier servicevlan behavior gigabitethernet1/0/2
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10 20 30
link-aggregation load-sharing mode source-ip
undo stp enable
undo mac-address mac-learning enable
#
interface Bridge-Aggregation2
port link-type trunk
port trunk permit vlan 10 20 30
link-aggregation load-sharing mode destination-ip
undo stp enable
undo mac-address mac-learning enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy bagg1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy bagg2 inbound
#
interface FortyGigE2/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/1 inbound
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/2 inbound
port link-aggregation group 2
#
interface FortyGigE2/0/3
port access vlan 1111
#
interface FortyGigE3/0/1
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/1 inbound
port link-aggregation group 1
#
interface FortyGigE3/0/2
port link-type trunk
port trunk permit vlan 10 20 30
qos apply policy gigabitethernet1/0/2 inbound
port link-aggregation group 2
#
interface FortyGigE3/0/3
port access vlan 1111
#
Switch C:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
#
Device A:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
security-zone name Trust
import interface FortyGigE1/0/1 vlan 10 20 30
#
security-zone name Untrust
import interface FortyGigE1/0/2 vlan 10 20 30
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
Device B:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
security-zone name Trust
import interface FortyGigE1/0/1 vlan 10 20 30
#
security-zone name Untrust
import interface FortyGigE1/0/2 vlan 10 20 30
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
Host A, Host B and Host C communicate with the Internet through access switch Switch A, aggregation switch Switch B and core switch Switch C. For security, two SecBlade cards, Device A and Device B, are deployed on aggregation switch Switch B to provide security protection. The requirements are as follows:
· Switch A assigns Host A, Host B and Host C to VLAN 10, VLAN 20 and VLAN 30 respectively and transparently forwards the traffic between the hosts and the Internet.
· Switch B assigns its downlink service port to VLAN 10, VLAN 20 and VLAN 30 and its uplink service port to VLAN 40, VLAN 50 and VLAN 60; its uplink interconnect ports to the Devices are in VLAN 10, VLAN 20 and VLAN 30 and its downlink interconnect ports to the Devices in VLAN 40, VLAN 50 and VLAN 60. Switch B transparently passes the traffic between the hosts and the Internet to the Devices in both directions.
· On the Devices, downlink service traffic is in VLAN 10, VLAN 20 and VLAN 30 and uplink service traffic in VLAN 40, VLAN 50 and VLAN 60. The Devices forward the traffic between the hosts and the Internet across VLANs, and Device A and Device B form a dual-active backup pair.
· Switch C is the gateway of Host A, Host B and Host C and forwards the traffic between the hosts and the Internet by looking up its routing table.
Figure 4-9 Network diagram for transparent inline dual-active deployment of SecBlade cards
Figure 4-10 Logical network diagram for transparent inline dual-active deployment of SecBlade cards
| Device   | Interface        | IP address       |
|----------|------------------|------------------|
| Host A   | -                | 192.168.10.15/24 |
| Host B   | -                | 192.168.20.15/24 |
| Host C   | -                | 192.168.30.15/24 |
| Switch C | Vlan-interface40 | 192.168.10.1/24  |
|          | Vlan-interface50 | 192.168.20.1/24  |
|          | Vlan-interface60 | 192.168.30.1/24  |
|          | GE1/0/2          | 20.1.1.1/24      |
| Device A | FGE1/0/3         | 1.1.1.1/30       |
| Device B | FGE1/0/3         | 1.1.1.2/30       |
# Create VLAN 10, VLAN 20 and VLAN 30, and assign GigabitEthernet1/0/1, GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 10, VLAN 20 and VLAN 30 respectively.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/1
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] port gigabitethernet 1/0/2
[SwitchA-vlan20] quit
[SwitchA] vlan 30
[SwitchA-vlan30] port gigabitethernet 1/0/3
[SwitchA-vlan30] quit
# Configure GigabitEthernet1/0/4 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass through.
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk
[SwitchA-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30
[SwitchA-GigabitEthernet1/0/4] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50, VLAN 60 and VLAN 1111, and assign FortyGigE2/0/3 and FortyGigE3/0/3 to VLAN 1111.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] vlan 40
[SwitchB-vlan40] quit
[SwitchB] vlan 50
[SwitchB-vlan50] quit
[SwitchB] vlan 60
[SwitchB-vlan60] quit
[SwitchB] vlan 1111
[SwitchB-vlan1111] port fortygige 2/0/3 fortygige 3/0/3
[SwitchB-vlan1111] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit packets of VLAN 10, VLAN 20 and VLAN 30 to pass through.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2 as a trunk port and permit packets of VLAN 40, VLAN 50 and VLAN 60 to pass through.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 40 50 60
[SwitchB-GigabitEthernet1/0/2] quit
# Create Layer 2 aggregate interface 1 as a trunk port permitting VLAN 10, VLAN 20 and VLAN 30, and Layer 2 aggregate interface 2 as a trunk port permitting VLAN 40, VLAN 50 and VLAN 60. Configure aggregation group 1 to load-share by packet source IP address and aggregation group 2 to load-share by packet destination IP address, so that the forward and return paths of one flow reach the same card.
[SwitchB] interface bridge-aggregation 1
[SwitchB-Bridge-Aggregation1] port link-type trunk
[SwitchB-Bridge-Aggregation1] port trunk permit vlan 10 20 30
[SwitchB-Bridge-Aggregation1] link-aggregation load-sharing mode source-ip
[SwitchB-Bridge-Aggregation1] quit
[SwitchB] interface bridge-aggregation 2
[SwitchB-Bridge-Aggregation2] port link-type trunk
[SwitchB-Bridge-Aggregation2] port trunk permit vlan 40 50 60
[SwitchB-Bridge-Aggregation2] link-aggregation load-sharing mode destination-ip
[SwitchB-Bridge-Aggregation2] quit
# Add FortyGigE2/0/1 and FortyGigE3/0/1 to aggregation group 1, and FortyGigE2/0/2 and FortyGigE3/0/2 to aggregation group 2.
[SwitchB] interface range fortygige 2/0/1 fortygige 3/0/1
[SwitchB-if-range] port link-aggregation group 1
[SwitchB-if-range] quit
[SwitchB] interface range fortygige 2/0/2 fortygige 3/0/2
[SwitchB-if-range] port link-aggregation group 2
[SwitchB-if-range] quit
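Aggregation group 1 load-shares on the source IP address and group 2 on the destination IP address, the same choice made for Switch B in the previous example. The reason is stateful inspection: the card that sees the host-to-Internet packet creates the session, and the reply must come back through that card. The reply carries the addresses swapped, so hashing group 1 on the source and group 2 on the destination keys both directions on the host's address and lands them on the same slot. The script below is an added example, not from the H3C document. Its hash function (sum of the address octets modulo the member count) is a stand-in and an assumption; the real Comware hash differs, and the argument only needs both groups to apply the same function over the same member order, which the configuration gives (FortyGigE2/0/x reaches the card in slot 2, FortyGigE3/0/x the card in slot 3). The sample flows are constructed.

```python
import ipaddress

# Member order of the two aggregation groups, from the Switch B configuration above:
# FortyGigE2/0/x reaches the card in slot 2, FortyGigE3/0/x the card in slot 3.
GROUP1 = ["FortyGigE2/0/1", "FortyGigE3/0/1"]   # toward the cards' FortyGigE1/0/1 (Trust side)
GROUP2 = ["FortyGigE2/0/2", "FortyGigE3/0/2"]   # toward the cards' FortyGigE1/0/2 (Untrust side)

def slot_of(port):
    """'FortyGigE3/0/1' -> '3': the slot, hence the card, behind a member port."""
    return port.split("/")[0][len("FortyGigE"):]

def pick_member(members, key_ip):
    """Stand-in for the switch's hash (assumption: sum of the address octets modulo
    the member count). The real Comware hash differs; the argument only needs both
    groups to apply the same function over the same member order."""
    return members[sum(ipaddress.ip_address(key_ip).packed) % len(members)]

def cards_for_flow(host_ip, internet_ip, mode1="source-ip", mode2="destination-ip"):
    """Slots that carry the host->Internet packet (group 1, hashed per `mode1`) and
    the Internet->host reply (group 2, hashed per `mode2`). The reply has the
    addresses swapped: its source is `internet_ip`, its destination `host_ip`."""
    up_key = host_ip if mode1 == "source-ip" else internet_ip
    down_key = internet_ip if mode2 == "source-ip" else host_ip
    return slot_of(pick_member(GROUP1, up_key)), slot_of(pick_member(GROUP2, down_key))

def asymmetric_flows(flows, mode1, mode2):
    """Flows whose two directions would hit different cards under the given modes."""
    return [f for f in flows if len(set(cards_for_flow(*f, mode1, mode2))) != 1]

# Constructed sample flows: the three hosts of the example plus one more address each.
FLOWS = [("192.168.10.15", "20.1.1.1"), ("192.168.20.15", "20.1.1.1"),
         ("192.168.30.15", "20.1.1.2"), ("192.168.10.16", "20.1.1.2")]

print(asymmetric_flows(FLOWS, "source-ip", "destination-ip"))  # []  (as configured: always symmetric)
print(asymmetric_flows(FLOWS, "source-ip", "source-ip"))       # [('192.168.30.15', '20.1.1.2')]
```

With the configured pair of modes the result is empty for any flow and any hash, because both lookups use the same key. Setting both groups to `source-ip` keys the reply on the Internet address instead, and whichever flows hash the two addresses to different members are then inspected by one card on the way out and by the other on the way back.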
# Create VLAN 40, VLAN 50 and VLAN 60.
<SwitchC> system-view
[SwitchC] vlan 40
[SwitchC-vlan40] quit
[SwitchC] vlan 50
[SwitchC-vlan50] quit
[SwitchC] vlan 60
[SwitchC-vlan60] quit
# Configure GigabitEthernet1/0/1 as a trunk port and permit packets of VLAN 40, VLAN 50 and VLAN 60 to pass through.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 40 50 60
[SwitchC-GigabitEthernet1/0/1] quit
# Create VLAN-interface 40, VLAN-interface 50 and VLAN-interface 60 and assign IP addresses to them.
[SwitchC] interface vlan-interface 40
[SwitchC-Vlan-interface40] ip address 192.168.10.1 24
[SwitchC-Vlan-interface40] quit
[SwitchC] interface vlan-interface 50
[SwitchC-Vlan-interface50] ip address 192.168.20.1 24
[SwitchC-Vlan-interface50] quit
[SwitchC] interface vlan-interface 60
[SwitchC-Vlan-interface60] ip address 192.168.30.1 24
[SwitchC-Vlan-interface60] quit
# Switch GigabitEthernet1/0/2 to Layer 3 mode and assign an IP address.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-mode route
The configuration of the interface will be restored to the default. Continue? [Y/N]:y
[SwitchC-GigabitEthernet1/0/2] ip address 20.1.1.1 24
[SwitchC-GigabitEthernet1/0/2] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] quit
[DeviceA] vlan 30
[DeviceA-vlan30] quit
[DeviceA] vlan 40
[DeviceA-vlan40] quit
[DeviceA] vlan 50
[DeviceA-vlan50] quit
[DeviceA] vlan 60
[DeviceA-vlan60] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 mode and configure them as trunk ports. FortyGigE1/0/1 permits VLAN 10, VLAN 20 and VLAN 30; FortyGigE1/0/2 permits VLAN 40, VLAN 50 and VLAN 60.
[DeviceA] interface fortygige 1/0/1
[DeviceA-FortyGigE1/0/1] port link-mode bridge
[DeviceA-FortyGigE1/0/1] port link-type trunk
[DeviceA-FortyGigE1/0/1] port trunk permit vlan 10 20 30
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] port link-mode bridge
[DeviceA-FortyGigE1/0/2] port link-type trunk
[DeviceA-FortyGigE1/0/2] port trunk permit vlan 40 50 60
[DeviceA-FortyGigE1/0/2] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceA] interface fortygige 1/0/3
[DeviceA-FortyGigE1/0/3] ip address 1.1.1.1 30
[DeviceA-FortyGigE1/0/3] quit
# Add VLAN 10, VLAN 20 and VLAN 30 to security zone Trust, and VLAN 40, VLAN 50 and VLAN 60 to security zone Untrust.
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import vlan 10 20 30
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import vlan 40 50 60
[DeviceA-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] quit
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
# Create forwarding instances Bridge 1, Bridge 2 and Bridge 3 in inter-VLAN forwarding mode and add each pair of VLANs that must communicate with each other to its instance.
[DeviceA] bridge 1 inter-vlan
[DeviceA-bridge-1-inter-vlan] add vlan 10 40
[DeviceA-bridge-1-inter-vlan] quit
[DeviceA] bridge 2 inter-vlan
[DeviceA-bridge-2-inter-vlan] add vlan 20 50
[DeviceA-bridge-2-inter-vlan] quit
[DeviceA] bridge 3 inter-vlan
[DeviceA-bridge-3-inter-vlan] add vlan 30 60
[DeviceA-bridge-3-inter-vlan] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.1.1.2
[DeviceA-remote-backup-group] local-ip 1.1.1.1
[DeviceA-remote-backup-group] data-channel interface FortyGigE 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] track interface FortyGigE 1/0/1
RBM_P[DeviceA-remote-backup-group] track interface FortyGigE 1/0/2
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Create VLAN 10, VLAN 20, VLAN 30, VLAN 40, VLAN 50 and VLAN 60.
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] quit
[DeviceB] vlan 20
[DeviceB-vlan20] quit
[DeviceB] vlan 30
[DeviceB-vlan30] quit
[DeviceB] vlan 40
[DeviceB-vlan40] quit
[DeviceB] vlan 50
[DeviceB-vlan50] quit
[DeviceB] vlan 60
[DeviceB-vlan60] quit
# Switch FortyGigE1/0/1 and FortyGigE1/0/2 to Layer 2 mode and configure them as trunk ports. FortyGigE1/0/1 permits VLAN 10, VLAN 20 and VLAN 30; FortyGigE1/0/2 permits VLAN 40, VLAN 50 and VLAN 60.
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] port link-mode bridge
[DeviceB-FortyGigE1/0/1] port link-type trunk
[DeviceB-FortyGigE1/0/1] port trunk permit vlan 10 20 30
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] port link-mode bridge
[DeviceB-FortyGigE1/0/2] port link-type trunk
[DeviceB-FortyGigE1/0/2] port trunk permit vlan 40 50 60
[DeviceB-FortyGigE1/0/2] quit
# Assign an IP address to FortyGigE1/0/3.
[DeviceB] interface fortygige 1/0/3
[DeviceB-FortyGigE1/0/3] ip address 1.1.1.2 30
[DeviceB-FortyGigE1/0/3] quit
# Add VLAN 10, VLAN 20 and VLAN 30 to security zone Trust, and VLAN 40, VLAN 50 and VLAN 60 to security zone Untrust.
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import vlan 10 20 30
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import vlan 40 50 60
[DeviceB-security-zone-Untrust] quit
# Configure security policy rules that permit traffic between the zones.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-0-trust-untrust] action pass
[DeviceB-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-0-trust-untrust] quit
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-1-untrust-trust] action pass
[DeviceB-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-1-untrust-trust] quit
[DeviceB-security-policy-ip] quit
# Create forwarding instances Bridge 1, Bridge 2 and Bridge 3 in inter-VLAN forwarding mode and add each pair of VLANs that must communicate with each other to its instance.
[DeviceB] bridge 1 inter-vlan
[DeviceB-bridge-1-inter-vlan] add vlan 10 40
[DeviceB-bridge-1-inter-vlan] quit
[DeviceB] bridge 2 inter-vlan
[DeviceB-bridge-2-inter-vlan] add vlan 20 50
[DeviceB-bridge-2-inter-vlan] quit
[DeviceB] bridge 3 inter-vlan
[DeviceB-bridge-3-inter-vlan] add vlan 30 60
[DeviceB-bridge-3-inter-vlan] quit
# Configure RBM high availability and track the state of FortyGigE1/0/1 and FortyGigE1/0/2.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.1.1.1
[DeviceB-remote-backup-group] local-ip 1.1.1.2
[DeviceB-remote-backup-group] data-channel interface FortyGigE 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] backup-mode dual-active
RBM_S[DeviceB-remote-backup-group] track interface FortyGigE 1/0/1
RBM_S[DeviceB-remote-backup-group] track interface FortyGigE 1/0/2
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
# Run the following display command on Device A to verify that the HA configuration has taken effect and the HA channel has been established.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Run the following display command on Device B to verify that the HA configuration has taken effect and the HA channel has been established.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.2
Remote IP: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 12 minutes
Switchover records:
Time Status change Cause
2022-06-22 13:34:34 Initial to Active Interface status changed
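The two status outputs above (and the identical pair in the previous example) are what an operator reads before trusting the pair. The script below is an added example, not from the H3C document. It parses the `display remote-backup-group status` text into fields (both outputs are embedded as constructed samples copied from the page, Device B's derived from Device A's) and applies the checks a monitoring job would run: control channel connected, both members Active in dual-active mode, one Primary and one Secondary, local and remote IPs mirrored. It also reports the `Configuration consistency check result: Not Performed` line visible in both outputs as a warning, since neither card has yet confirmed that its peer's configuration matches. The failure sample is constructed; the exact wording the device prints when the channel is down is not shown on the page, so any value other than `Connected` is treated as a failure.

```python
import re

# `display remote-backup-group status` output from the page (constructed samples;
# Device B's copy is derived from Device A's by swapping the role and the IPs).
DEVICE_A_STATUS = """\
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.1.1.1
Remote IP: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
"""
DEVICE_B_STATUS = (DEVICE_A_STATUS.replace("role: Primary", "role: Secondary")
                   .replace("Local IP: 1.1.1.1", "Local IP: 1.1.1.2")
                   .replace("Remote IP: 1.1.1.2", "Remote IP: 1.1.1.1"))

# "Key: value" pairs; one line carries two of them ("Remote IP: ... Destination port: ...").
FIELD = re.compile(r"([A-Za-z][A-Za-z \-]*?):\s*(.+?)(?=\s+[A-Z][A-Za-z \-]*?:\s|$)")

def parse_status(text):
    """Flatten the display output into {field: value}; the switchover table is skipped."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            fields[key] = value
    return fields

def ha_check(local, peer):
    """Return (errors, warnings) for one member given both parsed outputs.
    No errors means the member is a healthy half of a dual-active pair."""
    errors, warnings = [], []
    if local.get("Control channel status") != "Connected":
        errors.append("control channel not connected")
    if local.get("Backup mode") != peer.get("Backup mode"):
        errors.append("backup mode differs from peer")
    if local.get("Backup mode") == "Dual-active" and local.get("Device running status") != "Active":
        errors.append("dual-active member is not Active")
    if {local.get("Device management role"), peer.get("Device management role")} != {"Primary", "Secondary"}:
        errors.append("roles are not one Primary and one Secondary")
    if (local.get("Local IP"), local.get("Remote IP")) != (peer.get("Remote IP"), peer.get("Local IP")):
        errors.append("local/remote IPs do not mirror the peer")
    if local.get("Configuration consistency check result") == "Not Performed":
        warnings.append("configuration consistency check not yet performed")
    return errors, warnings

# Constructed failure case: the wording the device prints when the channel is down
# is not shown on the page; any value other than "Connected" counts as a failure.
DEVICE_B_DOWN = DEVICE_B_STATUS.replace("Control channel status: Connected",
                                        "Control channel status: Disconnected")

status_a, status_b = parse_status(DEVICE_A_STATUS), parse_status(DEVICE_B_STATUS)
print(ha_check(status_a, status_b))                    # ([], ['configuration consistency check not yet performed'])
print(ha_check(parse_status(DEVICE_B_DOWN), status_a)[0])  # ['control channel not connected']
```

The warning is the useful part of the healthy run: the page's outputs show that the pair synchronizes configuration automatically but has never verified consistency, so a divergence introduced on one card by hand would go unnoticed until the next scheduled check.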
# Ping the Internet address 20.1.1.1 from Host A. The ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host B. The ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Ping the Internet address 20.1.1.1 from Host C. The ping succeeds.
C:\>ping 20.1.1.1
Pinging 20.1.1.1 with 32 bytes of data:
Reply from 20.1.1.1: bytes=32 time=3ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Reply from 20.1.1.1: bytes=32 time=1ms TTL=254
Reply from 20.1.1.1: bytes=32 time=2ms TTL=254
Ping statistics for 20.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
# Check the session table on the Device. Sessions between each host and 20.1.1.1 exist.
RBM_P[DeviceA] display session table ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.10.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/10/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.20.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/20/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Initiator:
Source IP/port: 192.168.30.15/12005
Destination IP/port: 20.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/30/-
Protocol: ICMP(1)
Inbound interface: FortyGigE1/0/1
Source security zone: Trust
Switch A:
#
vlan 10
#
vlan 20
#
vlan 30
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 20
#
interface GigabitEthernet1/0/3
port access vlan 30
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 10 20 30
#
Switch B:
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
vlan 1111
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 10 20 30
link-aggregation load-sharing mode source-ip
#
interface Bridge-Aggregation2
port link-type trunk
port trunk permit vlan 40 50 60
link-aggregation load-sharing mode destination-ip
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 40 50 60
#
interface FortyGigE2/0/1
port link-aggregation group 1
#
interface FortyGigE2/0/2
port link-aggregation group 2
#
interface FortyGigE2/0/3
port access vlan 1111
#
interface FortyGigE3/0/1
port link-aggregation group 1
#
interface FortyGigE3/0/2
port link-aggregation group 2
#
interface FortyGigE3/0/3
port access vlan 1111
#
Switch C:
#
vlan 40
#
vlan 50
#
vlan 60
#
interface Vlan-interface40
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface50
ip address 192.168.20.1 255.255.255.0
#
interface Vlan-interface60
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan 40 50 60
#
Device A:
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
bridge 1 inter-vlan
add vlan 10 40
#
bridge 2 inter-vlan
add vlan 20 50
#
bridge 3 inter-vlan
add vlan 30 60
#
interface FortyGigE1/0/3
ip address 1.1.1.1 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 40 50 60
#
security-zone name Trust
import vlan 10 20 30
#
security-zone name Untrust
import vlan 40 50 60
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.1
remote-ip 1.1.1.2
device-role primary
#
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
bridge 1 inter-vlan
add vlan 10 40
#
bridge 2 inter-vlan
add vlan 20 50
#
bridge 3 inter-vlan
add vlan 30 60
#
interface FortyGigE1/0/3
ip address 1.1.1.2 255.255.255.252
#
interface FortyGigE1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 10 20 30
#
interface FortyGigE1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 40 50 60
#
security-zone name Trust
import vlan 10 20 30
#
security-zone name Untrust
import vlan 40 50 60
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
delay-time 1
track interface FortyGigE1/0/1
track interface FortyGigE1/0/2
local-ip 1.1.1.2
remote-ip 1.1.1.1
device-role secondary
#
The LSQM1ADEDSC0, LSWM1ADED0 and LSUM1ADECEA0 SecBlade cards are load-balancing products. Because a load-balancing device permits traffic on all interfaces by default, they do not require security zones or security policies. The card deployments in this chapter all configure security zones and security policies; for the products listed above, configure security zones and security policies only as required.
As shown in the figure below, a company has already built an M-LAG network with two switches to keep its services running reliably. To secure the network, it also needs to deploy SecBlade cards in the existing switches as the security devices at the network border, in a hot-backup (active/standby) pair, connecting the company's internal network to the Internet. The deployment must meet the following requirements:
· Under normal conditions, the primary device, Device A, processes traffic and the backup device, Device B, does not.
· When the primary device fails, all traffic moves to the backup device, which processes it normally.
· After the primary device recovers, traffic switches back to it: the backup device stops processing traffic and the original primary device processes it normally.
Figure 5-1 Network diagram for active/standby SecBlade card deployment in an M-LAG environment
Figure 5-2 Logical diagram for active/standby SecBlade card deployment in an M-LAG environment
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 address of each interface as planned in the network diagram. The configuration steps are as follows.
<Router> system-view
[Router] interface Ten-GigabitEthernet1/0/1
[Router-Ten-GigabitEthernet1/0/1] ip address 100.1.1.1 255.255.255.0
[Router-Ten-GigabitEthernet1/0/1] quit
[Router] interface Ten-GigabitEthernet1/0/24
[Router-Ten-GigabitEthernet1/0/24] ip address 200.1.1.1 255.255.255.0
[Router-Ten-GigabitEthernet1/0/24] quit
(2) Configure static routes to ensure network reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram. This example assumes that the next hop for traffic to the internal network is 100.1.1.2 and the next hop for traffic to the Internet is 200.1.1.3; in a real environment use the addresses of your own network. The configuration steps are as follows.
[Router] ip route-static 192.168.10.0 255.255.255.0 100.1.1.2
[Router] ip route-static 0.0.0.0 0.0.0.0 200.1.1.3
(1) Create VLANs
# Create VLANs 2, 3, 10, 20, 30 and 40 as planned in the network diagram. The configuration steps are as follows.
<SwitchA> system-view
[SwitchA] vlan 2 3 10 20 30 40
(2) Configure M-LAG
# Configure the M-LAG system.
[SwitchA] m-lag restore-delay 180
[SwitchA] m-lag system-mac 1-1-1
[SwitchA] m-lag system-number 1
[SwitchA] m-lag system-priority 123
[SwitchA] m-lag mad default-action none
# Configure the destination and source IP addresses of the keepalive packets.
[SwitchA] m-lag keepalive ip destination 2.1.1.2 source 2.1.1.1
# Configure interface Ten-GigabitEthernet1/6/0/3 to work in Layer 3 mode and assign it the source IP address of the keepalive packets.
[SwitchA] interface Ten-GigabitEthernet1/6/0/3
[SwitchA-Ten-GigabitEthernet1/6/0/3] port link-mode route
[SwitchA-Ten-GigabitEthernet1/6/0/3] ip address 2.1.1.1 255.255.255.0
[SwitchA-Ten-GigabitEthernet1/6/0/3] quit
# Create aggregate interface 3.
[SwitchA] interface Bridge-Aggregation3
[SwitchA-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation3] quit
# Add interfaces Ten-GigabitEthernet1/6/0/4 and Ten-GigabitEthernet1/6/0/5 to aggregation group 3.
[SwitchA] interface Ten-GigabitEthernet1/6/0/4
[SwitchA-Ten-GigabitEthernet1/6/0/4] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/4] port link-aggregation group 3
[SwitchA-Ten-GigabitEthernet1/6/0/4] quit
[SwitchA] interface Ten-GigabitEthernet1/6/0/5
[SwitchA-Ten-GigabitEthernet1/6/0/5] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/5] port link-aggregation group 3
[SwitchA-Ten-GigabitEthernet1/6/0/5] quit
# Configure aggregate interface 3 as the peer-link interface.
[SwitchA] interface bridge-aggregation 3
[SwitchA-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchA-Bridge-Aggregation3] undo mac-address static source-check enable
[SwitchA-Bridge-Aggregation3] quit
# Create aggregate interface 30 and configure it as M-LAG interface 30.
[SwitchA] interface bridge-aggregation 30
[SwitchA-Bridge-Aggregation30] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation30] port m-lag group 30
[SwitchA-Bridge-Aggregation30] quit
# Add interface Ten-GigabitEthernet1/6/0/2 to aggregation group 30.
[SwitchA] interface Ten-GigabitEthernet1/6/0/2
[SwitchA-Ten-GigabitEthernet1/6/0/2] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/2] port link-aggregation group 30
[SwitchA-Ten-GigabitEthernet1/6/0/2] quit
# Enter aggregate interface 30, set its link type to trunk and permit VLAN 30.
[SwitchA] interface bridge-aggregation 30
[SwitchA-Bridge-Aggregation30] port link-type trunk
[SwitchA-Bridge-Aggregation30] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation30] port trunk permit vlan 30
[SwitchA-Bridge-Aggregation30] quit
# Create aggregate interface 40 and configure it as M-LAG interface 40.
[SwitchA] interface bridge-aggregation 40
[SwitchA-Bridge-Aggregation40] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation40] port m-lag group 40
[SwitchA-Bridge-Aggregation40] quit
# Add interface Ten-GigabitEthernet1/6/0/1 to aggregation group 40.
[SwitchA] interface Ten-GigabitEthernet1/6/0/1
[SwitchA-Ten-GigabitEthernet1/6/0/1] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/1] port link-aggregation group 40
[SwitchA-Ten-GigabitEthernet1/6/0/1] quit
# Enter aggregate interface 40, set its link type to trunk and permit VLAN 40.
[SwitchA] interface bridge-aggregation 40
[SwitchA-Bridge-Aggregation40] port link-type trunk
[SwitchA-Bridge-Aggregation40] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation40] port trunk permit vlan 40
[SwitchA-Bridge-Aggregation40] quit
# Create interfaces Vlan-interface30 and Vlan-interface40 and configure their IP addresses.
[SwitchA] interface Vlan-interface30
[SwitchA-Vlan-interface30] ip address 100.1.2.1 255.255.255.0
[SwitchA-Vlan-interface30] quit
[SwitchA] interface Vlan-interface40
[SwitchA-Vlan-interface40] ip address 172.1.3.1 255.255.255.0
[SwitchA-Vlan-interface40] quit
(3) Configure ACLs and policy-based routing
# Configure the ACLs and policy-based routing as planned in the network diagram. The configuration steps are as follows.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 192.168.10.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3101] quit
[SwitchA] acl advanced 3102
[SwitchA-acl-ipv4-adv-3102] rule 0 permit ip destination 192.168.10.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3102] quit
[SwitchA] policy-based-route aaa permit node 5
[SwitchA-pbr-aaa-5] if-match acl 3101
[SwitchA-pbr-aaa-5] apply next-hop 172.1.2.3
[SwitchA-pbr-aaa-5] quit
[SwitchA] policy-based-route bbb permit node 5
[SwitchA-pbr-bbb-5] if-match acl 3102
[SwitchA-pbr-bbb-5] apply next-hop 172.1.1.3
[SwitchA-pbr-bbb-5] quit
# Apply the policy-based routing to Vlan-interface30 and Vlan-interface40 to redirect service traffic to the Device for processing.
[SwitchA] interface Vlan-interface30
[SwitchA-Vlan-interface30] ip policy-based-route bbb
[SwitchA-Vlan-interface30] quit
[SwitchA] interface Vlan-interface40
[SwitchA-Vlan-interface40] ip policy-based-route aaa
[SwitchA-Vlan-interface40] quit
(4) Configure the inline interfaces to connect to the Device
# Configure aggregate interfaces 10 and 20 as planned in the network diagram and configure each of them as an M-LAG interface. The configuration steps are as follows.
[SwitchA] interface Bridge-Aggregation10
[SwitchA-Bridge-Aggregation10] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation10] port m-lag group 10
[SwitchA-Bridge-Aggregation10] quit
[SwitchA] interface Bridge-Aggregation20
[SwitchA-Bridge-Aggregation20] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation20] port m-lag group 20
[SwitchA-Bridge-Aggregation20] quit
# Configure the inline interfaces as planned in the network diagram and add them to the corresponding aggregation groups. The configuration steps are as follows.
[SwitchA] interface FortyGigE1/2/0/1
[SwitchA-FortyGigE1/2/0/1] port link-mode bridge
[SwitchA-FortyGigE1/2/0/1] port link-aggregation group 10
[SwitchA-FortyGigE1/2/0/1] quit
[SwitchA] interface FortyGigE1/2/0/2
[SwitchA-FortyGigE1/2/0/2] port link-mode bridge
[SwitchA-FortyGigE1/2/0/2] port link-aggregation group 20
[SwitchA-FortyGigE1/2/0/2] quit
[SwitchA] interface FortyGigE1/2/0/3
[SwitchA-FortyGigE1/2/0/3] port link-mode bridge
[SwitchA-FortyGigE1/2/0/3] port access vlan 2
[SwitchA-FortyGigE1/2/0/3] quit
# Enter aggregate interfaces 10 and 20 as planned in the network diagram, set their link type to trunk and permit the corresponding VLANs.
[SwitchA] interface Bridge-Aggregation10
[SwitchA-Bridge-Aggregation10] port link-type trunk
[SwitchA-Bridge-Aggregation10] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation10] port trunk permit vlan 10
[SwitchA-Bridge-Aggregation10] quit
[SwitchA] interface Bridge-Aggregation20
[SwitchA-Bridge-Aggregation20] port link-type trunk
[SwitchA-Bridge-Aggregation20] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation20] port trunk permit vlan 20
[SwitchA-Bridge-Aggregation20] quit
# Configure the VLAN interfaces and their IP addresses as planned in the network diagram. The configuration steps are as follows.
[SwitchA] interface Vlan-interface10
[SwitchA-Vlan-interface10] ip address 172.1.1.5 255.255.255.0
[SwitchA-Vlan-interface10] quit
[SwitchA] interface Vlan-interface20
[SwitchA-Vlan-interface20] ip address 172.1.2.5 255.255.255.0
[SwitchA-Vlan-interface20] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 100.1.2.2
[SwitchA] ip route-static 192.168.10.0 255.255.255.0 172.1.3.2
(1) Create VLANs
# Create VLANs 2, 3, 10, 20, 30 and 40 as planned in the network diagram. The configuration steps are as follows.
<SwitchB> system-view
[SwitchB] vlan 2 3 10 20 30 40
(2) Configure M-LAG
# Configure the M-LAG system.
[SwitchB] m-lag restore-delay 180
[SwitchB] m-lag system-mac 1-1-1
[SwitchB] m-lag system-number 2
[SwitchB] m-lag system-priority 123
[SwitchB] m-lag mad default-action none
# Configure the destination and source IP addresses of the keepalive packets.
[SwitchB] m-lag keepalive ip destination 2.1.1.1 source 2.1.1.2
# Configure interface Ten-GigabitEthernet1/6/0/3 to work in Layer 3 mode and assign it the source IP address of the keepalive packets.
[SwitchB] interface Ten-GigabitEthernet1/6/0/3
[SwitchB-Ten-GigabitEthernet1/6/0/3] port link-mode route
[SwitchB-Ten-GigabitEthernet1/6/0/3] ip address 2.1.1.2 255.255.255.0
[SwitchB-Ten-GigabitEthernet1/6/0/3] quit
# Create aggregate interface 3.
[SwitchB] interface Bridge-Aggregation3
[SwitchB-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation3] quit
# Add interfaces Ten-GigabitEthernet1/6/0/4 and Ten-GigabitEthernet1/6/0/5 to aggregation group 3.
[SwitchB] interface Ten-GigabitEthernet1/6/0/4
[SwitchB-Ten-GigabitEthernet1/6/0/4] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/4] port link-aggregation group 3
[SwitchB-Ten-GigabitEthernet1/6/0/4] quit
[SwitchB] interface Ten-GigabitEthernet1/6/0/5
[SwitchB-Ten-GigabitEthernet1/6/0/5] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/5] port link-aggregation group 3
[SwitchB-Ten-GigabitEthernet1/6/0/5] quit
# Configure aggregate interface 3 as the peer-link interface.
[SwitchB] interface bridge-aggregation 3
[SwitchB-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchB-Bridge-Aggregation3] undo mac-address static source-check enable
[SwitchB-Bridge-Aggregation3] quit
# Create aggregate interface 30 and configure it as M-LAG interface 30.
[SwitchB] interface bridge-aggregation 30
[SwitchB-Bridge-Aggregation30] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation30] port m-lag group 30
[SwitchB-Bridge-Aggregation30] quit
# Add interface Ten-GigabitEthernet1/6/0/2 to aggregation group 30.
[SwitchB] interface Ten-GigabitEthernet1/6/0/2
[SwitchB-Ten-GigabitEthernet1/6/0/2] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/2] port link-aggregation group 30
[SwitchB-Ten-GigabitEthernet1/6/0/2] quit
# Enter aggregate interface 30, set its link type to trunk and permit VLAN 30.
[SwitchB] interface bridge-aggregation 30
[SwitchB-Bridge-Aggregation30] port link-type trunk
[SwitchB-Bridge-Aggregation30] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation30] port trunk permit vlan 30
[SwitchB-Bridge-Aggregation30] quit
# Create aggregate interface 40 and configure it as M-LAG interface 40.
[SwitchB] interface bridge-aggregation 40
[SwitchB-Bridge-Aggregation40] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation40] port m-lag group 40
[SwitchB-Bridge-Aggregation40] quit
# Add interface Ten-GigabitEthernet1/6/0/1 to aggregation group 40.
[SwitchB] interface Ten-GigabitEthernet1/6/0/1
[SwitchB-Ten-GigabitEthernet1/6/0/1] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/1] port link-aggregation group 40
[SwitchB-Ten-GigabitEthernet1/6/0/1] quit
# Enter aggregate interface 40, set its link type to trunk and permit VLAN 40.
[SwitchB] interface bridge-aggregation 40
[SwitchB-Bridge-Aggregation40] port link-type trunk
[SwitchB-Bridge-Aggregation40] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation40] port trunk permit vlan 40
[SwitchB-Bridge-Aggregation40] quit
# Create interfaces Vlan-interface30 and Vlan-interface40 and configure their IP addresses.
[SwitchB] interface Vlan-interface30
[SwitchB-Vlan-interface30] ip address 100.1.2.1 255.255.255.0
[SwitchB-Vlan-interface30] quit
[SwitchB] interface Vlan-interface40
[SwitchB-Vlan-interface40] ip address 172.1.3.1 255.255.255.0
[SwitchB-Vlan-interface40] quit
(3) Configure ACLs and policy-based routing
# Configure the ACLs and policy-based routing as planned in the network diagram. The configuration steps are as follows.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 192.168.10.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3101] quit
[SwitchB] acl advanced 3102
[SwitchB-acl-ipv4-adv-3102] rule 0 permit ip destination 192.168.10.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3102] quit
[SwitchB] policy-based-route aaa permit node 5
[SwitchB-pbr-aaa-5] if-match acl 3101
[SwitchB-pbr-aaa-5] apply next-hop 172.1.2.3
[SwitchB-pbr-aaa-5] quit
[SwitchB] policy-based-route bbb permit node 5
[SwitchB-pbr-bbb-5] if-match acl 3102
[SwitchB-pbr-bbb-5] apply next-hop 172.1.1.3
[SwitchB-pbr-bbb-5] quit
# Apply the policy-based routing to Vlan-interface30 and Vlan-interface40 to redirect service traffic to the Device for processing.
[SwitchB] interface Vlan-interface30
[SwitchB-Vlan-interface30] ip policy-based-route bbb
[SwitchB-Vlan-interface30] quit
[SwitchB] interface Vlan-interface40
[SwitchB-Vlan-interface40] ip policy-based-route aaa
[SwitchB-Vlan-interface40] quit
(4) Configure the inline interfaces to connect to the Device
# Configure aggregate interfaces 10 and 20 as planned in the network diagram and configure each of them as an M-LAG interface. The configuration steps are as follows.
[SwitchB] interface Bridge-Aggregation10
[SwitchB-Bridge-Aggregation10] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation10] port m-lag group 10
[SwitchB-Bridge-Aggregation10] quit
[SwitchB] interface Bridge-Aggregation20
[SwitchB-Bridge-Aggregation20] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation20] port m-lag group 20
[SwitchB-Bridge-Aggregation20] quit
# Configure the inline interfaces as planned in the network diagram and add them to the corresponding aggregation groups. The configuration steps are as follows.
[SwitchB] interface FortyGigE1/2/0/1
[SwitchB-FortyGigE1/2/0/1] port link-mode bridge
[SwitchB-FortyGigE1/2/0/1] port link-aggregation group 10
[SwitchB-FortyGigE1/2/0/1] quit
[SwitchB] interface FortyGigE1/2/0/2
[SwitchB-FortyGigE1/2/0/2] port link-mode bridge
[SwitchB-FortyGigE1/2/0/2] port link-aggregation group 20
[SwitchB-FortyGigE1/2/0/2] quit
[SwitchB] interface FortyGigE1/2/0/3
[SwitchB-FortyGigE1/2/0/3] port link-mode bridge
[SwitchB-FortyGigE1/2/0/3] port access vlan 2
[SwitchB-FortyGigE1/2/0/3] quit
# Enter aggregate interfaces 10 and 20 as planned in the network diagram, set their link type to trunk and permit the corresponding VLANs.
[SwitchB] interface Bridge-Aggregation10
[SwitchB-Bridge-Aggregation10] port link-type trunk
[SwitchB-Bridge-Aggregation10] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation10] port trunk permit vlan 10
[SwitchB-Bridge-Aggregation10] quit
[SwitchB] interface Bridge-Aggregation20
[SwitchB-Bridge-Aggregation20] port link-type trunk
[SwitchB-Bridge-Aggregation20] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation20] port trunk permit vlan 20
[SwitchB-Bridge-Aggregation20] quit
# Configure the VLAN interfaces and their IP addresses as planned in the network diagram. The configuration steps are as follows.
[SwitchB] interface Vlan-interface10
[SwitchB-Vlan-interface10] ip address 172.1.1.5 255.255.255.0
[SwitchB-Vlan-interface10] quit
[SwitchB] interface Vlan-interface20
[SwitchB-Vlan-interface20] ip address 172.1.2.5 255.255.255.0
[SwitchB-Vlan-interface20] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 100.1.2.2
[SwitchB] ip route-static 192.168.10.0 255.255.255.0 172.1.3.2
(1) Configure the IPv4 address of the interface
# Configure the IPv4 address of the interface as planned in the network diagram. The configuration steps are as follows.
<SwitchC> system-view
[SwitchC] interface Ten-GigabitEthernet1/0/3
[SwitchC-Ten-GigabitEthernet1/0/3] port link-mode route
[SwitchC-Ten-GigabitEthernet1/0/3] ip address 100.1.1.2 255.255.255.0
[SwitchC-Ten-GigabitEthernet1/0/3] quit
(2) Create a VLAN
# Create VLAN 30 as planned in the network diagram. The configuration steps are as follows.
[SwitchC] vlan 30
[SwitchC-vlan30] quit
(3) Configure the aggregate interface and its permitted VLANs
# Create aggregate interface 50 as planned in the network diagram. The configuration steps are as follows.
[SwitchC] interface Bridge-Aggregation50
[SwitchC-Bridge-Aggregation50] link-aggregation mode dynamic
[SwitchC-Bridge-Aggregation50] quit
# Add interfaces Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 to aggregation group 50. The configuration steps are as follows.
[SwitchC] interface Ten-GigabitEthernet1/0/1
[SwitchC-Ten-GigabitEthernet1/0/1] port link-mode bridge
[SwitchC-Ten-GigabitEthernet1/0/1] port link-aggregation group 50
[SwitchC-Ten-GigabitEthernet1/0/1] quit
[SwitchC] interface Ten-GigabitEthernet1/0/2
[SwitchC-Ten-GigabitEthernet1/0/2] port link-mode bridge
[SwitchC-Ten-GigabitEthernet1/0/2] port link-aggregation group 50
[SwitchC-Ten-GigabitEthernet1/0/2] quit
# Enter aggregate interface 50, set its link type to trunk and permit VLAN 30.
[SwitchC] interface Bridge-Aggregation50
[SwitchC-Bridge-Aggregation50] port link-type trunk
[SwitchC-Bridge-Aggregation50] undo port trunk permit vlan 1
[SwitchC-Bridge-Aggregation50] port trunk permit vlan 30
[SwitchC-Bridge-Aggregation50] quit
(4) Configure the VLAN interface
# Configure the VLAN interface and its IP address as planned in the network diagram. The configuration steps are as follows.
[SwitchC] interface Vlan-interface30
[SwitchC-Vlan-interface30] ip address 100.1.2.2 255.255.255.0
[SwitchC-Vlan-interface30] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchC] ip route-static 192.168.10.0 255.255.255.0 100.1.2.1
[SwitchC] ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
(1) Configure the IPv4 address of the interface
# Configure the IPv4 address of the interface as planned in the network diagram. The configuration steps are as follows.
<SwitchD> system-view
[SwitchD] interface Ten-GigabitEthernet1/0/3
[SwitchD-Ten-GigabitEthernet1/0/3] port link-mode route
[SwitchD-Ten-GigabitEthernet1/0/3] ip address 192.168.10.1 255.255.255.0
[SwitchD-Ten-GigabitEthernet1/0/3] quit
(2) Create a VLAN
# Create VLAN 40 as planned in the network diagram. The configuration steps are as follows.
[SwitchD] vlan 40
[SwitchD-vlan40] quit
(3) Configure the aggregate interface and its permitted VLANs
# Create aggregate interface 60 as planned in the network diagram. The configuration steps are as follows.
[SwitchD] interface Bridge-Aggregation60
[SwitchD-Bridge-Aggregation60] link-aggregation mode dynamic
[SwitchD-Bridge-Aggregation60] quit
# Add interfaces Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 to aggregation group 60. The configuration steps are as follows.
[SwitchD] interface Ten-GigabitEthernet1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-mode bridge
[SwitchD-Ten-GigabitEthernet1/0/1] port link-aggregation group 60
[SwitchD-Ten-GigabitEthernet1/0/1] quit
[SwitchD] interface Ten-GigabitEthernet1/0/2
[SwitchD-Ten-GigabitEthernet1/0/2] port link-mode bridge
[SwitchD-Ten-GigabitEthernet1/0/2] port link-aggregation group 60
[SwitchD-Ten-GigabitEthernet1/0/2] quit
# Enter aggregate interface 60, set its link type to trunk and permit VLAN 40.
[SwitchD] interface Bridge-Aggregation60
[SwitchD-Bridge-Aggregation60] port link-type trunk
[SwitchD-Bridge-Aggregation60] undo port trunk permit vlan 1
[SwitchD-Bridge-Aggregation60] port trunk permit vlan 40
[SwitchD-Bridge-Aggregation60] quit
(4) Configure the VLAN interface
# Configure the VLAN interface and its IP address as planned in the network diagram. The configuration steps are as follows.
[SwitchD] interface Vlan-interface40
[SwitchD-Vlan-interface40] ip address 172.1.3.2 255.255.255.0
[SwitchD-Vlan-interface40] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchD] ip route-static 0.0.0.0 0.0.0.0 172.1.3.1
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 address of each interface as planned in the network diagram. The configuration steps are as follows.
<DeviceA> system-view
[DeviceA] interface FortyGigE1/0/1
[DeviceA-FortyGigE1/0/1] port link-mode route
[DeviceA-FortyGigE1/0/1] ip address 172.1.1.1 255.255.255.0
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface FortyGigE1/0/2
[DeviceA-FortyGigE1/0/2] port link-mode route
[DeviceA-FortyGigE1/0/2] ip address 172.1.2.1 255.255.255.0
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface FortyGigE1/0/3
[DeviceA-FortyGigE1/0/3] port link-mode route
[DeviceA-FortyGigE1/0/3] ip address 1.0.0.1 255.255.255.0
[DeviceA-FortyGigE1/0/3] quit
(2) Assign the interfaces to security zones
This part needs to be configured only on the primary management device. Once the RBM network is up, the secondary management device synchronizes these security policy configuration settings automatically.
# Add the interfaces to their security zones as planned in the network diagram. The configuration steps are as follows.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface FortyGigE1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface FortyGigE1/0/2
[DeviceA-security-zone-Trust] quit
(3) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 172.1.1.5
[DeviceA] ip route-static 192.168.10.0 255.255.255.0 172.1.2.5
(4) Configure security policies to permit the required service traffic
These security policies need to be configured only on the primary management device. Once the RBM network is up, the secondary management device synchronizes these security policy configuration settings automatically.
# Configure a security policy rule named trust-untrust so that internal users can actively access the Internet while Internet users cannot access the internal network. The configuration steps are as follows.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] quit
# Configure security policy rules that permit VRRP protocol packets. When the RBM channel is down, this lets Device A and Device B exchange VRRP packets and elect VRRP roles, so the network stays connected.
[DeviceA-security-policy-ip] rule name vrrp1
[DeviceA-security-policy-ip-1-vrrp1] source-zone trust
[DeviceA-security-policy-ip-1-vrrp1] destination-zone local
[DeviceA-security-policy-ip-1-vrrp1] service vrrp
[DeviceA-security-policy-ip-1-vrrp1] action pass
[DeviceA-security-policy-ip-1-vrrp1] quit
[DeviceA-security-policy-ip] rule name vrrp2
[DeviceA-security-policy-ip-2-vrrp2] source-zone local
[DeviceA-security-policy-ip-2-vrrp2] destination-zone trust
[DeviceA-security-policy-ip-2-vrrp2] service vrrp
[DeviceA-security-policy-ip-2-vrrp2] action pass
[DeviceA-security-policy-ip-2-vrrp2] quit
[DeviceA-security-policy-ip] rule name vrrp3
[DeviceA-security-policy-ip-3-vrrp3] source-zone untrust
[DeviceA-security-policy-ip-3-vrrp3] destination-zone local
[DeviceA-security-policy-ip-3-vrrp3] service vrrp
[DeviceA-security-policy-ip-3-vrrp3] action pass
[DeviceA-security-policy-ip-3-vrrp3] quit
[DeviceA-security-policy-ip] rule name vrrp4
[DeviceA-security-policy-ip-4-vrrp4] source-zone local
[DeviceA-security-policy-ip-4-vrrp4] destination-zone untrust
[DeviceA-security-policy-ip-4-vrrp4] service vrrp
[DeviceA-security-policy-ip-4-vrrp4] action pass
[DeviceA-security-policy-ip-4-vrrp4] quit
[DeviceA-security-policy-ip] quit
(5) Configure hot backup (RBM)
# Build an RBM network with the two Devices, Device A as the primary device and Device B as the backup device. If Device A or its link fails, Device B takes over and keeps the services running without interruption.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.0.0.2
[DeviceA-remote-backup-group] local-ip 1.0.0.1
[DeviceA-remote-backup-group] data-channel interface FortyGigE1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] undo backup-mode
RBM_P[DeviceA-remote-backup-group] hot-backup enable
RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 1
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Configure the VRRP groups and associate them with RBM, so that RBM manages the VRRP groups centrally and steers traffic.
RBM_P[DeviceA] interface FortyGigE1/0/1
RBM_P[DeviceA-FortyGigE1/0/1] vrrp vrid 11 virtual-ip 172.1.1.3 active
RBM_P[DeviceA-FortyGigE1/0/1] quit
RBM_P[DeviceA] interface FortyGigE1/0/2
RBM_P[DeviceA-FortyGigE1/0/2] vrrp vrid 12 virtual-ip 172.1.2.3 active
RBM_P[DeviceA-FortyGigE1/0/2] quit
(6) Configure security services
# After the RBM configuration above is complete, the various security services can be configured. For feature modules whose configuration RBM can back up, the configuration only needs to be performed on the primary management device (Device A).
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 address of each interface as planned in the network diagram. The configuration steps are as follows.
<DeviceB> system-view
[DeviceB] interface FortyGigE1/0/1
[DeviceB-FortyGigE1/0/1] port link-mode route
[DeviceB-FortyGigE1/0/1] ip address 172.1.1.2 255.255.255.0
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface FortyGigE1/0/2
[DeviceB-FortyGigE1/0/2] port link-mode route
[DeviceB-FortyGigE1/0/2] ip address 172.1.2.2 255.255.255.0
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface FortyGigE1/0/3
[DeviceB-FortyGigE1/0/3] port link-mode route
[DeviceB-FortyGigE1/0/3] ip address 1.0.0.2 255.255.255.0
[DeviceB-FortyGigE1/0/3] quit
(2) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits your situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[DeviceB] ip route-static 0.0.0.0 0.0.0.0 172.1.1.5
[DeviceB] ip route-static 192.168.10.0 255.255.255.0 172.1.2.5
(3) Configure hot backup (RBM)
# Build an RBM network with the two Devices, Device A as the primary device and Device B as the backup device. If Device A or its link fails, Device B takes over and keeps the services running without interruption.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.0.0.1
[DeviceB-remote-backup-group] local-ip 1.0.0.2
[DeviceB-remote-backup-group] data-channel interface FortyGigE1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] undo backup-mode
RBM_S[DeviceB-remote-backup-group] hot-backup enable
RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable
RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 1
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
# Configure the VRRP groups and associate them with RBM, so that RBM manages the VRRP groups centrally and steers traffic.
RBM_S[DeviceB] interface FortyGigE1/0/1
RBM_S[DeviceB-FortyGigE1/0/1] vrrp vrid 11 virtual-ip 172.1.1.3 standby
RBM_S[DeviceB-FortyGigE1/0/1] quit
RBM_S[DeviceB] interface FortyGigE1/0/2
RBM_S[DeviceB-FortyGigE1/0/2] vrrp vrid 12 virtual-ip 172.1.2.3 standby
RBM_S[DeviceB-FortyGigE1/0/2] quit
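Before bringing the pair into service, it is worth checking that the RBM and VRRP settings of the two SecBlade cards (step (5) for Device A and step (3) for Device B above) are mirrored, and that the policy-based-route next hops configured on Switch A and Switch B (step (3) of the switch configuration) point at the VRRP virtual IP addresses rather than at one chassis. The following Python script is an added example and is not part of the H3C guide or the device software: it parses configuration text in the running-config style used in this document, the sample configurations are constructed from the values in this chapter, and the function names (parse_rbm, parse_vrrp, check_pair, check_pbr_next_hops) are hypothetical helpers.

```python
"""Consistency checks for the SecBlade RBM hot-backup pair.

Added example, not part of the H3C guide or the device software: it parses
configuration text in the running-config style used in this chapter and
verifies the invariants the active/standby design relies on. The sample
configurations are constructed from this chapter's values; the check
functions are hypothetical helpers.
"""
import re

RBM_KEYS = {  # one pattern per remote-backup group parameter that must be mirrored
    "local-ip": r"^\s*local-ip (\S+)",
    "remote-ip": r"^\s*remote-ip (\S+)",
    "role": r"^\s*device-role (\S+)",
    "data-channel": r"^\s*data-channel interface (\S+)",
}
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", re.M)
NEXT_HOP_RE = re.compile(r"^\s*apply next-hop (\S+)", re.M)

# Constructed from the Device A, Device B and Switch A steps in this chapter.
DEVICE_A_CFG = """\
interface FortyGigE1/0/1
 ip address 172.1.1.1 255.255.255.0
 vrrp vrid 11 virtual-ip 172.1.1.3 active
interface FortyGigE1/0/2
 ip address 172.1.2.1 255.255.255.0
 vrrp vrid 12 virtual-ip 172.1.2.3 active
remote-backup group
 data-channel interface FortyGigE1/0/3
 local-ip 1.0.0.1
 remote-ip 1.0.0.2
 device-role primary
"""
DEVICE_B_CFG = """\
interface FortyGigE1/0/1
 ip address 172.1.1.2 255.255.255.0
 vrrp vrid 11 virtual-ip 172.1.1.3 standby
interface FortyGigE1/0/2
 ip address 172.1.2.2 255.255.255.0
 vrrp vrid 12 virtual-ip 172.1.2.3 standby
remote-backup group
 data-channel interface FortyGigE1/0/3
 local-ip 1.0.0.2
 remote-ip 1.0.0.1
 device-role secondary
"""
SWITCH_A_CFG = """\
policy-based-route aaa permit node 5
 if-match acl 3101
 apply next-hop 172.1.2.3
policy-based-route bbb permit node 5
 if-match acl 3102
 apply next-hop 172.1.1.3
"""
# Constructed fault: Device B's second VRRP group mistakenly set to active, so
# both chassis would claim 172.1.2.3 if the RBM control channel were lost.
DEVICE_B_BAD_CFG = DEVICE_B_CFG.replace("172.1.2.3 standby", "172.1.2.3 active")


def parse_rbm(cfg):
    """Return the remote-backup group parameters found in cfg (None when absent)."""
    rbm = {}
    for key, pattern in RBM_KEYS.items():
        m = re.search(pattern, cfg, re.M)
        rbm[key] = m.group(1) if m else None
    return rbm


def parse_vrrp(cfg):
    """Return {vrid: (virtual_ip, role)} for every VRRP group in cfg."""
    return {int(vrid): (vip, role) for vrid, vip, role in VRRP_RE.findall(cfg)}


def check_pair(cfg_primary, cfg_secondary):
    """Return the inconsistencies between the two RBM members (empty list when consistent)."""
    findings = []
    a, b = parse_rbm(cfg_primary), parse_rbm(cfg_secondary)
    if a["local-ip"] != b["remote-ip"] or a["remote-ip"] != b["local-ip"]:
        findings.append("RBM local-ip/remote-ip are not mirrored between the members")
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        findings.append(f"RBM roles are {a['role']}/{b['role']}, expected primary/secondary")
    if a["data-channel"] != b["data-channel"]:
        findings.append("RBM data-channel interfaces differ")
    va, vb = parse_vrrp(cfg_primary), parse_vrrp(cfg_secondary)
    for vrid in sorted(set(va) | set(vb)):
        if vrid not in va or vrid not in vb:
            findings.append(f"VRRP group {vrid} is configured on only one member")
        elif va[vrid][0] != vb[vrid][0]:
            findings.append(f"VRRP group {vrid} virtual-ip differs: {va[vrid][0]} vs {vb[vrid][0]}")
        elif {va[vrid][1], vb[vrid][1]} != {"active", "standby"}:
            findings.append(f"VRRP group {vrid} roles are {va[vrid][1]}/{vb[vrid][1]}, expected active/standby")
    return findings


def check_pbr_next_hops(switch_cfg, device_cfg):
    """Return PBR next hops on the switch that are not VRRP virtual IPs of the firewall pair."""
    vips = {vip for vip, _ in parse_vrrp(device_cfg).values()}
    return sorted(set(NEXT_HOP_RE.findall(switch_cfg)) - vips)


if __name__ == "__main__":
    print("pair:", check_pair(DEVICE_A_CFG, DEVICE_B_CFG) or "consistent")
    print("pbr:", check_pbr_next_hops(SWITCH_A_CFG, DEVICE_A_CFG) or "all next hops are VRRP VIPs")
    print("fault:", check_pair(DEVICE_A_CFG, DEVICE_B_BAD_CFG))
```

A non-empty list from check_pair or check_pbr_next_hops is a mismatch to resolve before running the failover test; the constructed DEVICE_B_BAD_CFG shows the kind of error the check catches, a VRRP group configured as active on the backup member, which would only become visible once the RBM channel fails and both members elect themselves master.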
(1) Device A
# Check the RBM status
RBM_P<DeviceA> display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 10.0.0.1
Remote IP: 10.0.0.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 1 hour
Configuration consistency check result: Consistent(2023-05-06 14:25:21)
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 58 minutes
Switchover records:
Time Status change Cause
2023-05-06 15:13:11 Initial to Active Interface status changed
# Check the VRRP status
RBM_P<DeviceA> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/2 12 Master 100 100 None 172.1.2.3
(2) Device B
# Check the RBM status
RBM_S<DeviceB> display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: FortyGigE1/0/3
Local IP: 10.0.0.2
Remote IP: 10.0.0.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 1 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 58 minutes
Switchover records:
Time Status change Cause
2023-05-06 15:13:11 Initial to Standby Interface status changed
# Check the VRRP status
RBM_S<DeviceB> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Backup 100 100 None 172.1.1.3
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
The Host can access 200.1.1.1 successfully, and the session is visible on both Device A and Device B, with the copy on Device B in the backup state. After the link on Device A goes down, the session on Device B switches to the active state and access continues to work.
(1) Session information on Device A:
RBM_P<DeviceA> display session table ipv4 source-ip 192.168.10.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_OPEN
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 23s
Initiator->Responder: 34 packets 7658 bytes
Responder->Initiator: 34 packets 7658 bytes
Total sessions found: 1
(2) Session information on Device B:
RBM_S<DeviceB> display session table ipv4 source-ip 192.168.10.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: INACTIVE
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 230s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
(3) Link switchover
# After interface FGE1/0/1 on Device A is brought down, the corresponding session on Device B switches to the active state:
RBM_S<DeviceB> display session table ipv4 source-ip 192.168.10.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_READY
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 29s
Initiator->Responder: 38 packets 8541 bytes
Responder->Initiator: 38 packets 8541 bytes
Total sessions found: 1
# The VRRP status is as follows:
On Device A, the shut-down interface is in the Initialize state and the other interface is in the Backup state.
RBM_P<DeviceA> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Initialize 100 100 None 172.1.1.3
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
On Device B, all interfaces change to the Master state.
RBM_S<DeviceB> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/2 12 Master 100 100 None 172.1.2.3
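Reading the outputs above by eye works for two VRRP groups and one session, but an automated comparison scales to a full session table and can be run after every switchover test. The following Python script is an added example and is not part of the H3C guide or the device software: it parses the text of display vrrp and display session table ipv4 ... verbose as shown above, determines which member is VRRP master, and checks that every session has exactly one active copy and one INACTIVE copy across the two members. The sample outputs are constructed from the values on this page, and the function names (parse_vrrp_table, vrrp_role, parse_sessions, session_consistency) are hypothetical.

```python
"""Parse the failover verification output shown in this chapter and decide
which RBM member is carrying traffic.

Added example, not part of the H3C guide: it reads the text of 'display vrrp'
and 'display session table ipv4 ... verbose' and checks that the two members
hold complementary roles (one VRRP master and one backup; one active session
copy and one INACTIVE copy). Sample outputs are constructed from the values on
the page; all function names are hypothetical.
"""
import re

# One data row of the 'display vrrp' table: interface, VRID, state, pri, timer, auth, VIP.
VRRP_ROW_RE = re.compile(
    r"^[ \t]*(?P<iface>\S+)[ \t]+(?P<vrid>\d+)[ \t]+(?P<state>Master|Backup|Initialize)"
    r"[ \t]+\d+[ \t]+\d+[ \t]+\S+[ \t]+(?P<vip>\d+\.\d+\.\d+\.\d+)[ \t]*$", re.M)

VRRP_HEADER = """IPv4 Virtual Router Information:
 Running mode : Standard
 Total number of virtual routers : 2
 Interface         VRID  State       Running Adver   Auth     Virtual
                                     Pri     Timer   Type     IP
 ----------------------------------------------------------------------------
"""


def vrrp_row(iface, vrid, state, vip):
    """Build one table row in the column layout of 'display vrrp' (constructed fixture)."""
    return f" {iface:<17} {vrid:<5} {state:<11} 100     100     None     {vip}\n"


# Constructed: Device A / Device B before and after FGE1/0/1 on Device A is shut down.
VRRP_A_BEFORE = (VRRP_HEADER + vrrp_row("FGE1/0/1", 11, "Master", "172.1.1.3")
                 + vrrp_row("FGE1/0/2", 12, "Master", "172.1.2.3"))
VRRP_B_BEFORE = (VRRP_HEADER + vrrp_row("FGE1/0/1", 11, "Backup", "172.1.1.3")
                 + vrrp_row("FGE1/0/2", 12, "Backup", "172.1.2.3"))
VRRP_A_AFTER = (VRRP_HEADER + vrrp_row("FGE1/0/1", 11, "Initialize", "172.1.1.3")
                + vrrp_row("FGE1/0/2", 12, "Backup", "172.1.2.3"))
VRRP_B_AFTER = VRRP_B_BEFORE.replace("Backup", "Master")

# Constructed from the 'display session table ipv4 source-ip 192.168.10.2 verbose' output above.
SESSION_A = """Slot 1:
Initiator:
  Source IP/port: 192.168.10.2/1024
  Destination IP/port: 200.1.1.1/1024
  Protocol: UDP(17)
  Inbound interface: FortyGigE1/0/2
  Source security zone: Trust
Responder:
  Source IP/port: 200.1.1.1/1024
  Destination IP/port: 192.168.10.2/1024
  Protocol: UDP(17)
  Inbound interface: FortyGigE1/0/1
  Source security zone: Untrust
State: UDP_OPEN
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22  TTL: 23s
Initiator->Responder: 34 packets 7658 bytes
Responder->Initiator: 34 packets 7658 bytes
Total sessions found: 1
"""
SESSION_B_STANDBY = SESSION_A.replace("State: UDP_OPEN", "State: INACTIVE")  # backup copy
SESSION_B_AFTER = SESSION_A.replace("State: UDP_OPEN", "State: UDP_READY")   # after switchover


def parse_vrrp_table(output):
    """Return {vrid: (interface, state, virtual_ip)} from 'display vrrp' text."""
    return {int(m["vrid"]): (m["iface"], m["state"], m["vip"]) for m in VRRP_ROW_RE.finditer(output)}


def vrrp_role(table):
    """'master' if every group is Master, 'backup' if every group is Backup/Initialize, else 'split'."""
    states = {state for _, state, _ in table.values()}
    if states == {"Master"}:
        return "master"
    if states and states <= {"Backup", "Initialize"}:
        return "backup"
    return "split"


def parse_sessions(output):
    """Return [(protocol, initiator_src, initiator_dst, state)] from the verbose session table."""
    sessions, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Initiator:":
            cur = {}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Source IP/port:") and "src" not in cur:  # keep the Initiator side only
            cur["src"] = line.split(":", 1)[1].strip()
        elif line.startswith("Destination IP/port:") and "dst" not in cur:
            cur["dst"] = line.split(":", 1)[1].strip()
        elif line.startswith("Protocol:") and "proto" not in cur:
            cur["proto"] = line.split(":", 1)[1].strip()
        elif line.startswith("State:"):
            cur["state"] = line.split(":", 1)[1].strip()
    return [(s.get("proto"), s.get("src"), s.get("dst"), s.get("state")) for s in sessions]


def session_consistency(sessions_a, sessions_b):
    """Return findings for sessions that are not exactly one active copy plus one INACTIVE copy."""
    a = {k[:3]: k[3] for k in sessions_a}
    b = {k[:3]: k[3] for k in sessions_b}
    findings = []
    for key in sorted(set(a) | set(b)):
        sa, sb = a.get(key), b.get(key)
        if sa is None or sb is None:
            findings.append(f"{key}: session exists on only one member")
        elif (sa == "INACTIVE") == (sb == "INACTIVE"):
            findings.append(f"{key}: states {sa}/{sb}, expected one active copy and one INACTIVE copy")
    return findings
```

Run against the two sets of outputs above, vrrp_role reports Device A as master and Device B as backup before the link failure and the reverse after it, and session_consistency returns no findings while one copy is INACTIVE; a session that is active on both members (or present on only one) after a switchover is the symptom to investigate, since it means hot backup did not hand the session over cleanly.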
#
interface Ten-GigabitEthernet1/0/1
port link-mode route
ip address 100.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/24
port link-mode route
ip address 200.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0 200.1.1.3
ip route-static 192.168.10.0 24 100.1.1.2
#
vlan 2 to 3
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
policy-based-route aaa permit node 5
if-match acl 3101
apply next-hop 172.1.2.3
#
policy-based-route bbb permit node 5
if-match acl 3102
apply next-hop 172.1.1.3
#
interface Bridge-Aggregation3
link-aggregation mode dynamic
port m-lag peer-link 1
undo mac-address static source-check enable
#
interface Bridge-Aggregation10
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port m-lag group 10
link-aggregation mode dynamic
#
interface Bridge-Aggregation20
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port m-lag group 20
link-aggregation mode dynamic
#
interface Bridge-Aggregation30
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port m-lag group 30
link-aggregation mode dynamic
#
interface Bridge-Aggregation40
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
link-aggregation mode dynamic
port m-lag group 40
#
interface Vlan-interface10
ip address 172.1.1.5 255.255.255.0
#
interface Vlan-interface20
ip address 172.1.2.5 255.255.255.0
#
interface Vlan-interface30
ip address 100.1.2.1 255.255.255.0
ip policy-based-route bbb
#
interface Vlan-interface40
ip address 172.1.3.1 255.255.255.0
ip policy-based-route aaa
#
interface FortyGigE1/2/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port link-aggregation group 10
#
interface FortyGigE1/2/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port link-aggregation group 20
#
interface FortyGigE1/2/0/3
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/6/0/3
port link-mode route
ip address 2.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/6/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 40
#
interface Ten-GigabitEthernet1/6/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 30
#
interface Ten-GigabitEthernet1/6/0/4
port link-mode bridge
port link-aggregation group 3
#
interface Ten-GigabitEthernet1/6/0/5
port link-mode bridge
port link-aggregation group 3
#
m-lag restore-delay 180
m-lag system-mac 0001-0001-0001
m-lag system-number 1
m-lag system-priority 123
m-lag mad default-action none
m-lag keepalive ip destination 2.1.1.2 source 2.1.1.1
#
ip route-static 0.0.0.0 0 100.1.2.2
ip route-static 192.168.10.0 24 172.1.3.2
#
acl advanced 3101
rule 0 permit ip source 192.168.10.0 0.0.0.255
#
acl advanced 3102
rule 0 permit ip destination 192.168.10.0 0.0.0.255
#
vlan 2 to 3
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
policy-based-route aaa permit node 5
if-match acl 3101
apply next-hop 172.1.2.3
#
policy-based-route bbb permit node 5
if-match acl 3102
apply next-hop 172.1.1.3
#
interface Bridge-Aggregation3
link-aggregation mode dynamic
port m-lag peer-link 1
undo mac-address static source-check enable
#
interface Bridge-Aggregation10
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port m-lag group 10
link-aggregation mode dynamic
#
interface Bridge-Aggregation20
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port m-lag group 20
link-aggregation mode dynamic
#
interface Bridge-Aggregation30
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port m-lag group 30
link-aggregation mode dynamic
#
interface Bridge-Aggregation40
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
link-aggregation mode dynamic
port m-lag group 40
#
interface Vlan-interface10
ip address 172.1.1.5 255.255.255.0
#
interface Vlan-interface20
ip address 172.1.2.5 255.255.255.0
#
interface Vlan-interface30
ip address 100.1.2.1 255.255.255.0
ip policy-based-route bbb
#
interface Vlan-interface40
ip address 172.1.3.1 255.255.255.0
ip policy-based-route aaa
#
interface FortyGigE1/2/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port link-aggregation group 10
#
interface FortyGigE1/2/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port link-aggregation group 20
#
interface FortyGigE1/2/0/3
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/6/0/3
port link-mode route
ip address 2.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/6/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 40
#
interface Ten-GigabitEthernet1/6/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 30
#
interface Ten-GigabitEthernet1/6/0/4
port link-mode bridge
port link-aggregation group 3
#
interface Ten-GigabitEthernet1/6/0/5
port link-mode bridge
port link-aggregation group 3
#
m-lag restore-delay 180
m-lag system-mac 0001-0001-0001
m-lag system-number 2
m-lag system-priority 123
m-lag mad default-action none
m-lag keepalive ip destination 2.1.1.1 source 2.1.1.2
#
ip route-static 0.0.0.0 0 100.1.2.2
ip route-static 192.168.10.0 24 172.1.3.2
#
acl advanced 3101
rule 0 permit ip source 192.168.10.0 0.0.0.255
#
acl advanced 3102
rule 0 permit ip destination 192.168.10.0 0.0.0.255
#
vlan 30
#
interface Bridge-Aggregation50
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
link-aggregation mode dynamic
#
interface Vlan-interface30
ip address 100.1.2.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/3
port link-mode route
ip address 100.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 50
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 50
#
ip route-static 0.0.0.0 0 100.1.1.1
ip route-static 192.168.10.0 24 100.1.2.1
#
vlan 40
#
interface Bridge-Aggregation60
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
link-aggregation mode dynamic
#
interface Vlan-interface40
ip address 172.1.3.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/3
port link-mode route
ip address 192.168.10.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 60
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 60
#
ip route-static 0.0.0.0 0 172.1.3.1
#
remote-backup group
data-channel interface FortyGigE1/0/3
configuration sync-check interval 1
delay-time 1
local-ip 1.0.0.1
remote-ip 1.0.0.2
device-role primary
#
interface FortyGigE1/0/1
port link-mode route
ip address 172.1.1.1 255.255.255.0
vrrp vrid 11 virtual-ip 172.1.1.3 active
#
interface FortyGigE1/0/2
port link-mode route
ip address 172.1.2.1 255.255.255.0
vrrp vrid 12 virtual-ip 172.1.2.3 active
#
interface FortyGigE1/0/3
port link-mode route
ip address 1.0.0.1 255.255.255.0
#
security-zone name Trust
import interface FortyGigE1/0/2
#
security-zone name Untrust
import interface FortyGigE1/0/1
#
ip route-static 0.0.0.0 0 172.1.1.5
ip route-static 192.168.10.0 24 172.1.2.5
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name vrrp1
action pass
source-zone trust
destination-zone local
service vrrp
rule 2 name vrrp2
action pass
source-zone local
destination-zone trust
service vrrp
rule 3 name vrrp3
action pass
source-zone untrust
destination-zone local
service vrrp
rule 4 name vrrp4
action pass
source-zone local
destination-zone untrust
service vrrp
#
remote-backup group
data-channel interface FortyGigE1/0/3
configuration sync-check interval 1
delay-time 1
local-ip 1.0.0.2
remote-ip 1.0.0.1
device-role secondary
#
interface FortyGigE1/0/1
port link-mode route
ip address 172.1.1.2 255.255.255.0
vrrp vrid 11 virtual-ip 172.1.1.3 standby
#
interface FortyGigE1/0/2
port link-mode route
ip address 172.1.2.2 255.255.255.0
vrrp vrid 12 virtual-ip 172.1.2.3 standby
#
interface FortyGigE1/0/3
port link-mode route
ip address 1.0.0.2 255.255.255.0
#
ip route-static 0.0.0.0 0 172.1.1.5
ip route-static 192.168.10.0 24 172.1.2.5
As shown in the figure below, a company has already networked two switches in M-LAG to keep its services running reliably. To secure the network, the company also needs to deploy SecBlade cards in the existing switches as the network-border security devices, running as a hot-standby pair, to connect the internal network and the Internet. The following requirements must be met:
· Under normal conditions, both devices process service traffic.
· When one device or its link fails, service traffic is migrated smoothly to the other device.
· After the device or link recovers, both devices process service traffic again.
Figure 5-3 Network diagram for dual-active SecBlade card deployment in an M-LAG environment
Figure 5-4 Logical diagram for dual-active SecBlade card deployment in an M-LAG environment
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 address of each interface as planned in the network diagram. The steps are as follows.
<Router> system-view
[Router] interface Ten-GigabitEthernet1/0/1
[Router-Ten-GigabitEthernet1/0/1] ip address 100.1.1.1 255.255.255.0
[Router-Ten-GigabitEthernet1/0/1] quit
[Router] interface Ten-GigabitEthernet1/0/24
[Router-Ten-GigabitEthernet1/0/24] ip address 200.1.1.1 255.255.255.0
[Router-Ten-GigabitEthernet1/0/24] quit
(2) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram. This example assumes that the next hop toward the internal network is 100.1.1.2 and the next hop toward the Internet is 200.1.1.3; use the values of your own network. The steps are as follows.
[Router] ip route-static 192.168.10.0 255.255.255.0 100.1.1.2
[Router] ip route-static 192.168.11.0 255.255.255.0 100.1.1.2
[Router] ip route-static 0.0.0.0 0.0.0.0 200.1.1.3
(1) Create VLANs
# Create VLANs 2, 3, 10, 20, 30, and 40 as planned in the network diagram. The steps are as follows.
<SwitchA> system-view
[SwitchA] vlan 2 3 10 20 30 40
(2) Configure M-LAG
# Configure the M-LAG system settings.
[SwitchA] m-lag restore-delay 180
[SwitchA] m-lag system-mac 1-1-1
[SwitchA] m-lag system-number 1
[SwitchA] m-lag system-priority 123
[SwitchA] m-lag mad default-action none
# Configure the destination and source IP addresses for keepalive packets.
[SwitchA] m-lag keepalive ip destination 2.1.1.2 source 2.1.1.1
# Configure interface Ten-GigabitEthernet1/6/0/3 to operate in Layer 3 mode and assign it the keepalive source IP address.
[SwitchA] interface Ten-GigabitEthernet1/6/0/3
[SwitchA-Ten-GigabitEthernet1/6/0/3] port link-mode route
[SwitchA-Ten-GigabitEthernet1/6/0/3] ip address 2.1.1.1 255.255.255.0
[SwitchA-Ten-GigabitEthernet1/6/0/3] quit
# Create aggregate interface 3.
[SwitchA] interface Bridge-Aggregation3
[SwitchA-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation3] quit
# Add interfaces Ten-GigabitEthernet1/6/0/4 and Ten-GigabitEthernet1/6/0/5 to aggregation group 3.
[SwitchA] interface Ten-GigabitEthernet1/6/0/4
[SwitchA-Ten-GigabitEthernet1/6/0/4] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/4] port link-aggregation group 3
[SwitchA-Ten-GigabitEthernet1/6/0/4] quit
[SwitchA] interface Ten-GigabitEthernet1/6/0/5
[SwitchA-Ten-GigabitEthernet1/6/0/5] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/5] port link-aggregation group 3
[SwitchA-Ten-GigabitEthernet1/6/0/5] quit
# Configure aggregate interface 3 as the peer-link interface.
[SwitchA] interface bridge-aggregation 3
[SwitchA-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchA-Bridge-Aggregation3] undo mac-address static source-check enable
[SwitchA-Bridge-Aggregation3] quit
# Create aggregate interface 30 and configure it as M-LAG interface 30.
[SwitchA] interface bridge-aggregation 30
[SwitchA-Bridge-Aggregation30] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation30] port m-lag group 30
[SwitchA-Bridge-Aggregation30] quit
# Add interface Ten-GigabitEthernet1/6/0/2 to aggregation group 30.
[SwitchA] interface Ten-GigabitEthernet1/6/0/2
[SwitchA-Ten-GigabitEthernet1/6/0/2] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/2] port link-aggregation group 30
[SwitchA-Ten-GigabitEthernet1/6/0/2] quit
# Enter aggregate interface 30, set its link type to trunk, and permit VLAN 30 packets.
[SwitchA] interface bridge-aggregation 30
[SwitchA-Bridge-Aggregation30] port link-type trunk
[SwitchA-Bridge-Aggregation30] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation30] port trunk permit vlan 30
[SwitchA-Bridge-Aggregation30] quit
# Create aggregate interface 40 and configure it as M-LAG interface 40.
[SwitchA] interface bridge-aggregation 40
[SwitchA-Bridge-Aggregation40] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation40] port m-lag group 40
[SwitchA-Bridge-Aggregation40] quit
# Add interface Ten-GigabitEthernet1/6/0/1 to aggregation group 40.
[SwitchA] interface Ten-GigabitEthernet1/6/0/1
[SwitchA-Ten-GigabitEthernet1/6/0/1] port link-mode bridge
[SwitchA-Ten-GigabitEthernet1/6/0/1] port link-aggregation group 40
[SwitchA-Ten-GigabitEthernet1/6/0/1] quit
# Enter aggregate interface 40, set its link type to trunk, and permit VLAN 40 packets.
[SwitchA] interface bridge-aggregation 40
[SwitchA-Bridge-Aggregation40] port link-type trunk
[SwitchA-Bridge-Aggregation40] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation40] port trunk permit vlan 40
[SwitchA-Bridge-Aggregation40] quit
# Create interfaces Vlan-interface30 and Vlan-interface40 and assign their IP addresses.
[SwitchA] interface Vlan-interface30
[SwitchA-Vlan-interface30] ip address 100.1.2.1 255.255.255.0
[SwitchA-Vlan-interface30] quit
[SwitchA] interface Vlan-interface40
[SwitchA-Vlan-interface40] ip address 172.1.3.1 255.255.255.0
[SwitchA-Vlan-interface40] quit
(3) Configure ACLs and policy-based routing
# Configure the ACLs and policy-based routing as planned in the network diagram. The steps are as follows.
[SwitchA] acl advanced 3101
[SwitchA-acl-ipv4-adv-3101] rule 0 permit ip source 192.168.10.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3101] quit
[SwitchA] acl advanced 3102
[SwitchA-acl-ipv4-adv-3102] rule 0 permit ip destination 192.168.10.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3102] quit
[SwitchA] acl advanced 3103
[SwitchA-acl-ipv4-adv-3103] rule 0 permit ip source 192.168.11.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3103] quit
[SwitchA] acl advanced 3104
[SwitchA-acl-ipv4-adv-3104] rule 0 permit ip destination 192.168.11.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3104] quit
[SwitchA] policy-based-route aaa permit node 5
[SwitchA-pbr-aaa-5] if-match acl 3101
[SwitchA-pbr-aaa-5] apply next-hop 172.1.2.3
[SwitchA-pbr-aaa-5] quit
[SwitchA] policy-based-route bbb permit node 5
[SwitchA-pbr-bbb-5] if-match acl 3102
[SwitchA-pbr-bbb-5] apply next-hop 172.1.1.3
[SwitchA-pbr-bbb-5] quit
[SwitchA] policy-based-route aaa permit node 6
[SwitchA-pbr-aaa-6] if-match acl 3103
[SwitchA-pbr-aaa-6] apply next-hop 172.1.2.4
[SwitchA-pbr-aaa-6] quit
[SwitchA] policy-based-route bbb permit node 6
[SwitchA-pbr-bbb-6] if-match acl 3104
[SwitchA-pbr-bbb-6] apply next-hop 172.1.1.4
[SwitchA-pbr-bbb-6] quit
# Apply the policies on Vlan-interface30 and Vlan-interface40 to steer service traffic to the Devices for processing.
[SwitchA] interface Vlan-interface30
[SwitchA-Vlan-interface30] ip policy-based-route bbb
[SwitchA-Vlan-interface30] quit
[SwitchA] interface Vlan-interface40
[SwitchA-Vlan-interface40] ip policy-based-route aaa
[SwitchA-Vlan-interface40] quit
(4) Configure the inline interfaces for connectivity with the Devices
# Configure aggregate interfaces 10 and 20 as planned in the network diagram, and configure each as an M-LAG interface. The steps are as follows.
[SwitchA] interface Bridge-Aggregation10
[SwitchA-Bridge-Aggregation10] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation10] port m-lag group 10
[SwitchA-Bridge-Aggregation10] quit
[SwitchA] interface Bridge-Aggregation20
[SwitchA-Bridge-Aggregation20] link-aggregation mode dynamic
[SwitchA-Bridge-Aggregation20] port m-lag group 20
[SwitchA-Bridge-Aggregation20] quit
# Configure the inline interfaces and add them to the corresponding aggregation groups as planned in the network diagram. The steps are as follows.
[SwitchA] interface FortyGigE1/2/0/1
[SwitchA-FortyGigE1/2/0/1] port link-mode bridge
[SwitchA-FortyGigE1/2/0/1] port link-aggregation group 10
[SwitchA-FortyGigE1/2/0/1] quit
[SwitchA] interface FortyGigE1/2/0/2
[SwitchA-FortyGigE1/2/0/2] port link-mode bridge
[SwitchA-FortyGigE1/2/0/2] port link-aggregation group 20
[SwitchA-FortyGigE1/2/0/2] quit
[SwitchA] interface FortyGigE1/2/0/3
[SwitchA-FortyGigE1/2/0/3] port link-mode bridge
[SwitchA-FortyGigE1/2/0/3] port access vlan 2
[SwitchA-FortyGigE1/2/0/3] quit
# Enter aggregate interfaces 10 and 20, set their link type to trunk, and permit the corresponding VLAN packets, as planned in the network diagram.
[SwitchA] interface Bridge-Aggregation10
[SwitchA-Bridge-Aggregation10] port link-type trunk
[SwitchA-Bridge-Aggregation10] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation10] port trunk permit vlan 10
[SwitchA-Bridge-Aggregation10] quit
[SwitchA] interface Bridge-Aggregation20
[SwitchA-Bridge-Aggregation20] port link-type trunk
[SwitchA-Bridge-Aggregation20] undo port trunk permit vlan 1
[SwitchA-Bridge-Aggregation20] port trunk permit vlan 20
[SwitchA-Bridge-Aggregation20] quit
# Configure the VLAN interfaces and their IP addresses as planned in the network diagram. The steps are as follows.
[SwitchA] interface Vlan-interface10
[SwitchA-Vlan-interface10] ip address 172.1.1.5 255.255.255.0
[SwitchA-Vlan-interface10] quit
[SwitchA] interface Vlan-interface20
[SwitchA-Vlan-interface20] ip address 172.1.2.5 255.255.255.0
[SwitchA-Vlan-interface20] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 100.1.2.2
[SwitchA] ip route-static 192.168.10.0 255.255.255.0 172.1.3.2
[SwitchA] ip route-static 192.168.11.0 255.255.255.0 172.1.3.2
(1) Create VLANs
# Create VLANs 2, 3, 10, 20, 30, and 40 as planned in the network diagram. The steps are as follows.
<SwitchB> system-view
[SwitchB] vlan 2 3 10 20 30 40
(2) Configure M-LAG
# Configure the M-LAG system settings.
[SwitchB] m-lag restore-delay 180
[SwitchB] m-lag system-mac 1-1-1
[SwitchB] m-lag system-number 2
[SwitchB] m-lag system-priority 123
[SwitchB] m-lag mad default-action none
# Configure the destination and source IP addresses for keepalive packets.
[SwitchB] m-lag keepalive ip destination 2.1.1.1 source 2.1.1.2
# Configure interface Ten-GigabitEthernet1/6/0/3 to operate in Layer 3 mode and assign it the keepalive source IP address.
[SwitchB] interface Ten-GigabitEthernet1/6/0/3
[SwitchB-Ten-GigabitEthernet1/6/0/3] port link-mode route
[SwitchB-Ten-GigabitEthernet1/6/0/3] ip address 2.1.1.2 255.255.255.0
[SwitchB-Ten-GigabitEthernet1/6/0/3] quit
# Create aggregate interface 3.
[SwitchB] interface Bridge-Aggregation3
[SwitchB-Bridge-Aggregation3] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation3] quit
# Add interfaces Ten-GigabitEthernet1/6/0/4 and Ten-GigabitEthernet1/6/0/5 to aggregation group 3.
[SwitchB] interface Ten-GigabitEthernet1/6/0/4
[SwitchB-Ten-GigabitEthernet1/6/0/4] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/4] port link-aggregation group 3
[SwitchB-Ten-GigabitEthernet1/6/0/4] quit
[SwitchB] interface Ten-GigabitEthernet1/6/0/5
[SwitchB-Ten-GigabitEthernet1/6/0/5] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/5] port link-aggregation group 3
[SwitchB-Ten-GigabitEthernet1/6/0/5] quit
# Configure aggregate interface 3 as the peer-link interface.
[SwitchB] interface bridge-aggregation 3
[SwitchB-Bridge-Aggregation3] port m-lag peer-link 1
[SwitchB-Bridge-Aggregation3] undo mac-address static source-check enable
[SwitchB-Bridge-Aggregation3] quit
# Create aggregate interface 30 and configure it as M-LAG interface 30.
[SwitchB] interface bridge-aggregation 30
[SwitchB-Bridge-Aggregation30] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation30] port m-lag group 30
[SwitchB-Bridge-Aggregation30] quit
# Add interface Ten-GigabitEthernet1/6/0/2 to aggregation group 30.
[SwitchB] interface Ten-GigabitEthernet1/6/0/2
[SwitchB-Ten-GigabitEthernet1/6/0/2] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/2] port link-aggregation group 30
[SwitchB-Ten-GigabitEthernet1/6/0/2] quit
# Enter aggregate interface 30, set its link type to trunk, and permit VLAN 30 packets.
[SwitchB] interface bridge-aggregation 30
[SwitchB-Bridge-Aggregation30] port link-type trunk
[SwitchB-Bridge-Aggregation30] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation30] port trunk permit vlan 30
[SwitchB-Bridge-Aggregation30] quit
# Create aggregate interface 40 and configure it as M-LAG interface 40.
[SwitchB] interface bridge-aggregation 40
[SwitchB-Bridge-Aggregation40] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation40] port m-lag group 40
[SwitchB-Bridge-Aggregation40] quit
# Add interface Ten-GigabitEthernet1/6/0/1 to aggregation group 40.
[SwitchB] interface Ten-GigabitEthernet1/6/0/1
[SwitchB-Ten-GigabitEthernet1/6/0/1] port link-mode bridge
[SwitchB-Ten-GigabitEthernet1/6/0/1] port link-aggregation group 40
[SwitchB-Ten-GigabitEthernet1/6/0/1] quit
# Enter aggregate interface 40, set its link type to trunk, and permit VLAN 40 packets.
[SwitchB] interface bridge-aggregation 40
[SwitchB-Bridge-Aggregation40] port link-type trunk
[SwitchB-Bridge-Aggregation40] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation40] port trunk permit vlan 40
[SwitchB-Bridge-Aggregation40] quit
# Create interfaces Vlan-interface30 and Vlan-interface40 and assign their IP addresses.
[SwitchB] interface Vlan-interface30
[SwitchB-Vlan-interface30] ip address 100.1.2.1 255.255.255.0
[SwitchB-Vlan-interface30] quit
[SwitchB] interface Vlan-interface40
[SwitchB-Vlan-interface40] ip address 172.1.3.1 255.255.255.0
[SwitchB-Vlan-interface40] quit
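The M-LAG system settings on Switch A and Switch B must agree in a specific way: both members present the same system MAC and system priority, use different system numbers (1 and 2), and each one's keepalive destination is the other's keepalive source. The following Python check is an added example and is not part of this H3C document; it parses the `m-lag` lines of two running configurations (the Switch A and Switch B fragments from this page, embedded as constructed sample text) and reports any pairing violation. Treating `1-1-1` and `0001-0001-0001` as the same MAC, as the configuration steps and the running configuration on this page write it both ways, is the example's own normalization.

```python
import re
from typing import Dict, List

# Constructed sample input: the m-lag lines from the Switch A and Switch B
# running configurations shown on this page.
SWITCH_A_MLAG = """\
m-lag restore-delay 180
m-lag system-mac 0001-0001-0001
m-lag system-number 1
m-lag system-priority 123
m-lag mad default-action none
m-lag keepalive ip destination 2.1.1.2 source 2.1.1.1
"""

SWITCH_B_MLAG = """\
m-lag restore-delay 180
m-lag system-mac 0001-0001-0001
m-lag system-number 2
m-lag system-priority 123
m-lag mad default-action none
m-lag keepalive ip destination 2.1.1.1 source 2.1.1.2
"""

KEEPALIVE_RE = re.compile(r"^m-lag keepalive ip destination (\S+) source (\S+)$")


def normalize_mac(mac: str) -> str:
    """Write 1-1-1 and 0001-0001-0001 the same way (zero-padded hex groups)."""
    return "-".join(f"{int(group, 16):04x}" for group in mac.split("-"))


def parse_mlag(cfg: str) -> Dict[str, str]:
    """Collect the m-lag system settings into a flat dict (keyword -> value)."""
    settings: Dict[str, str] = {}
    for raw in cfg.splitlines():
        line = raw.strip()
        m = KEEPALIVE_RE.match(line)
        if m:
            settings["keepalive-destination"], settings["keepalive-source"] = m.groups()
            continue
        if line.startswith("m-lag "):
            words = line.split()
            # "m-lag system-number 1" -> {"system-number": "1"}
            # "m-lag mad default-action none" -> {"mad default-action": "none"}
            settings[" ".join(words[1:-1])] = words[-1]
    if "system-mac" in settings:
        settings["system-mac"] = normalize_mac(settings["system-mac"])
    return settings


def check_mlag_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Pairing rules for two M-LAG member devices; an empty list means consistent."""
    a, b = parse_mlag(cfg_a), parse_mlag(cfg_b)
    findings: List[str] = []
    # Both members must present the same LACP system MAC and system priority...
    for key in ("system-mac", "system-priority"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    # ...but must use distinct system numbers, 1 and 2.
    if {a.get("system-number"), b.get("system-number")} != {"1", "2"}:
        findings.append(
            f"system-number must be 1 and 2, got "
            f"{a.get('system-number')} and {b.get('system-number')}"
        )
    # Each device's keepalive destination must be the other device's source.
    if (a.get("keepalive-destination") != b.get("keepalive-source")
            or b.get("keepalive-destination") != a.get("keepalive-source")):
        findings.append("keepalive destination/source addresses are not mirrored")
    return findings


if __name__ == "__main__":
    for finding in check_mlag_pair(SWITCH_A_MLAG, SWITCH_B_MLAG) or ["M-LAG pair is consistent"]:
        print(finding)
```

The check is worth running before the peer-link is brought up: a duplicated system number or a keepalive pair that is not mirrored is exactly the kind of copy-and-paste slip that the near-identical Switch A and Switch B steps above invite, and the first symptom is usually a MAD or keepalive failure rather than an obvious configuration error.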
(3) Configure ACLs and policy-based routing
# Configure the ACLs and policy-based routing as planned in the network diagram. The steps are as follows.
[SwitchB] acl advanced 3101
[SwitchB-acl-ipv4-adv-3101] rule 0 permit ip source 192.168.10.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3101] quit
[SwitchB] acl advanced 3102
[SwitchB-acl-ipv4-adv-3102] rule 0 permit ip destination 192.168.10.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3102] quit
[SwitchB] acl advanced 3103
[SwitchB-acl-ipv4-adv-3103] rule 0 permit ip source 192.168.11.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3103] quit
[SwitchB] acl advanced 3104
[SwitchB-acl-ipv4-adv-3104] rule 0 permit ip destination 192.168.11.0 0.0.0.255
[SwitchB-acl-ipv4-adv-3104] quit
[SwitchB] policy-based-route aaa permit node 5
[SwitchB-pbr-aaa-5] if-match acl 3101
[SwitchB-pbr-aaa-5] apply next-hop 172.1.2.3
[SwitchB-pbr-aaa-5] quit
[SwitchB] policy-based-route bbb permit node 5
[SwitchB-pbr-bbb-5] if-match acl 3102
[SwitchB-pbr-bbb-5] apply next-hop 172.1.1.3
[SwitchB-pbr-bbb-5] quit
[SwitchB] policy-based-route aaa permit node 6
[SwitchB-pbr-aaa-6] if-match acl 3103
[SwitchB-pbr-aaa-6] apply next-hop 172.1.2.4
[SwitchB-pbr-aaa-6] quit
[SwitchB] policy-based-route bbb permit node 6
[SwitchB-pbr-bbb-6] if-match acl 3104
[SwitchB-pbr-bbb-6] apply next-hop 172.1.1.4
[SwitchB-pbr-bbb-6] quit
# Apply the policies on Vlan-interface30 and Vlan-interface40 to steer service traffic to the Devices for processing.
[SwitchB] interface Vlan-interface30
[SwitchB-Vlan-interface30] ip policy-based-route bbb
[SwitchB-Vlan-interface30] quit
[SwitchB] interface Vlan-interface40
[SwitchB-Vlan-interface40] ip policy-based-route aaa
[SwitchB-Vlan-interface40] quit
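The ACL and policy-based-routing steps for Switch A and Switch B above decide which traffic is forced through the SecBlade pair and which Device handles it: on Vlan-interface40 (internal side) policy aaa sends 192.168.10.0/24 to 172.1.2.3 (VRID 12, active on Device A) and 192.168.11.0/24 to 172.1.2.4 (VRID 14, active on Device B); on Vlan-interface30 (Internet side) policy bbb sends the return traffic to the matching untrust-side virtual IPs 172.1.1.3 and 172.1.1.4. The following Python model is an added example and is not part of this H3C document: it implements ACL wildcard matching and first-match node evaluation for those exact ACLs and policies, and lists flows that would bypass the firewalls because no node matches them. The flow samples, including the uncovered 192.168.12.0/24 host, are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACL rules as (action, field, base address, wildcard), in rule order.
# These are the four ACLs from the Switch A / Switch B steps above.
ACLS: Dict[int, List[Tuple[str, str, str, str]]] = {
    3101: [("permit", "source", "192.168.10.0", "0.0.0.255")],
    3102: [("permit", "destination", "192.168.10.0", "0.0.0.255")],
    3103: [("permit", "source", "192.168.11.0", "0.0.0.255")],
    3104: [("permit", "destination", "192.168.11.0", "0.0.0.255")],
}

# Policy nodes as (node number, ACL, next hop); nodes are tried in ascending order.
POLICIES: Dict[str, List[Tuple[int, int, str]]] = {
    "aaa": [(5, 3101, "172.1.2.3"), (6, 3103, "172.1.2.4")],
    "bbb": [(5, 3102, "172.1.1.3"), (6, 3104, "172.1.1.4")],
}

# Which policy each ingress interface applies (ip policy-based-route ...).
INTERFACE_POLICY: Dict[str, str] = {"Vlan-interface30": "bbb", "Vlan-interface40": "aaa"}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl: int, src: str, dst: str) -> bool:
    """The first matching rule decides; an ACL with no matching rule does not match."""
    for action, field, base, wildcard in ACLS[acl]:
        addr = src if field == "source" else dst
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def pbr_next_hop(ingress: str, src: str, dst: str) -> Optional[str]:
    """Next hop applied by the policy on the ingress interface, or None for normal routing."""
    policy = INTERFACE_POLICY.get(ingress)
    if policy is None:
        return None
    for _node, acl, next_hop in sorted(POLICIES[policy]):
        if acl_permits(acl, src, dst):
            return next_hop
    return None


def bypass_report(flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flows (ingress, src, dst) that no policy node matches and that would skip the SecBlade pair."""
    return [flow for flow in flows if pbr_next_hop(*flow) is None]


# Constructed sample flows: two covered subnets and one (192.168.12.0/24) that no ACL names.
SAMPLE_FLOWS = [
    ("Vlan-interface40", "192.168.10.20", "203.0.113.9"),
    ("Vlan-interface40", "192.168.11.7", "203.0.113.9"),
    ("Vlan-interface40", "192.168.12.5", "203.0.113.9"),
    ("Vlan-interface30", "203.0.113.9", "192.168.10.20"),
    ("Vlan-interface30", "203.0.113.9", "192.168.12.5"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", pbr_next_hop(*flow))
    print("bypassing the firewalls:", bypass_report(SAMPLE_FLOWS))
```

The bypass report is the security check to keep: a subnet added later on Switch D that is not also added to ACLs 3101 through 3104 (and to the Device routes) is routed by the ordinary routing table and never sees the security policy on the SecBlade cards.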
(4) Configure the inline interfaces for connectivity with the Devices
# Configure aggregate interfaces 10 and 20 as planned in the network diagram, and configure each as an M-LAG interface. The steps are as follows.
[SwitchB] interface Bridge-Aggregation10
[SwitchB-Bridge-Aggregation10] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation10] port m-lag group 10
[SwitchB-Bridge-Aggregation10] quit
[SwitchB] interface Bridge-Aggregation20
[SwitchB-Bridge-Aggregation20] link-aggregation mode dynamic
[SwitchB-Bridge-Aggregation20] port m-lag group 20
[SwitchB-Bridge-Aggregation20] quit
# Configure the inline interfaces and add them to the corresponding aggregation groups as planned in the network diagram. The steps are as follows.
[SwitchB] interface FortyGigE1/2/0/1
[SwitchB-FortyGigE1/2/0/1] port link-mode bridge
[SwitchB-FortyGigE1/2/0/1] port link-aggregation group 10
[SwitchB-FortyGigE1/2/0/1] quit
[SwitchB] interface FortyGigE1/2/0/2
[SwitchB-FortyGigE1/2/0/2] port link-mode bridge
[SwitchB-FortyGigE1/2/0/2] port link-aggregation group 20
[SwitchB-FortyGigE1/2/0/2] quit
[SwitchB] interface FortyGigE1/2/0/3
[SwitchB-FortyGigE1/2/0/3] port link-mode bridge
[SwitchB-FortyGigE1/2/0/3] port access vlan 2
[SwitchB-FortyGigE1/2/0/3] quit
# Enter aggregate interfaces 10 and 20, set their link type to trunk, and permit the corresponding VLAN packets, as planned in the network diagram.
[SwitchB] interface Bridge-Aggregation10
[SwitchB-Bridge-Aggregation10] port link-type trunk
[SwitchB-Bridge-Aggregation10] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation10] port trunk permit vlan 10
[SwitchB-Bridge-Aggregation10] quit
[SwitchB] interface Bridge-Aggregation20
[SwitchB-Bridge-Aggregation20] port link-type trunk
[SwitchB-Bridge-Aggregation20] undo port trunk permit vlan 1
[SwitchB-Bridge-Aggregation20] port trunk permit vlan 20
[SwitchB-Bridge-Aggregation20] quit
# Configure the VLAN interfaces and their IP addresses as planned in the network diagram. The steps are as follows.
[SwitchB] interface Vlan-interface10
[SwitchB-Vlan-interface10] ip address 172.1.1.5 255.255.255.0
[SwitchB-Vlan-interface10] quit
[SwitchB] interface Vlan-interface20
[SwitchB-Vlan-interface20] ip address 172.1.2.5 255.255.255.0
[SwitchB-Vlan-interface20] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 100.1.2.2
[SwitchB] ip route-static 192.168.10.0 255.255.255.0 172.1.3.2
[SwitchB] ip route-static 192.168.11.0 255.255.255.0 172.1.3.2
(1) Configure the IPv4 address of the interface
# Configure the IPv4 address of the interface as planned in the network diagram. The steps are as follows.
<SwitchC> system-view
[SwitchC] interface Ten-GigabitEthernet1/0/3
[SwitchC-Ten-GigabitEthernet1/0/3] port link-mode route
[SwitchC-Ten-GigabitEthernet1/0/3] ip address 100.1.1.2 255.255.255.0
[SwitchC-Ten-GigabitEthernet1/0/3] quit
(2) Create a VLAN
# Create VLAN 30 as planned in the network diagram. The steps are as follows.
[SwitchC] vlan 30
[SwitchC-vlan30] quit
(3) Configure the aggregate interface and its permitted VLAN
# Create aggregate interface 50 as planned in the network diagram. The steps are as follows.
[SwitchC] interface Bridge-Aggregation50
[SwitchC-Bridge-Aggregation50] link-aggregation mode dynamic
[SwitchC-Bridge-Aggregation50] quit
# Add interfaces Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 to aggregation group 50. The steps are as follows.
[SwitchC] interface Ten-GigabitEthernet1/0/1
[SwitchC-Ten-GigabitEthernet1/0/1] port link-mode bridge
[SwitchC-Ten-GigabitEthernet1/0/1] port link-aggregation group 50
[SwitchC-Ten-GigabitEthernet1/0/1] quit
[SwitchC] interface Ten-GigabitEthernet1/0/2
[SwitchC-Ten-GigabitEthernet1/0/2] port link-mode bridge
[SwitchC-Ten-GigabitEthernet1/0/2] port link-aggregation group 50
[SwitchC-Ten-GigabitEthernet1/0/2] quit
# Enter aggregate interface 50, set its link type to trunk, and permit VLAN 30 packets.
[SwitchC] interface Bridge-Aggregation50
[SwitchC-Bridge-Aggregation50] port link-type trunk
[SwitchC-Bridge-Aggregation50] undo port trunk permit vlan 1
[SwitchC-Bridge-Aggregation50] port trunk permit vlan 30
[SwitchC-Bridge-Aggregation50] quit
(4) Configure the VLAN interface
# Configure the VLAN interface and its IP address as planned in the network diagram. The steps are as follows.
[SwitchC] interface Vlan-interface30
[SwitchC-Vlan-interface30] ip address 100.1.2.2 255.255.255.0
[SwitchC-Vlan-interface30] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchC] ip route-static 192.168.10.0 255.255.255.0 100.1.2.1
[SwitchC] ip route-static 192.168.11.0 255.255.255.0 100.1.2.1
[SwitchC] ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 addresses of the interfaces as planned in the network diagram. The steps are as follows.
<SwitchD> system-view
[SwitchD] interface Ten-GigabitEthernet1/0/3
[SwitchD-Ten-GigabitEthernet1/0/3] port link-mode route
[SwitchD-Ten-GigabitEthernet1/0/3] ip address 192.168.10.1 255.255.255.0
[SwitchD-Ten-GigabitEthernet1/0/3] quit
[SwitchD] interface Ten-GigabitEthernet1/0/4
[SwitchD-Ten-GigabitEthernet1/0/4] port link-mode route
[SwitchD-Ten-GigabitEthernet1/0/4] ip address 192.168.11.1 255.255.255.0
[SwitchD-Ten-GigabitEthernet1/0/4] quit
(2) Create a VLAN
# Create VLAN 40 as planned in the network diagram. The steps are as follows.
[SwitchD] vlan 40
[SwitchD-vlan40] quit
(3) Configure the aggregate interface and its permitted VLAN
# Create aggregate interface 60 as planned in the network diagram. The steps are as follows.
[SwitchD] interface Bridge-Aggregation60
[SwitchD-Bridge-Aggregation60] link-aggregation mode dynamic
[SwitchD-Bridge-Aggregation60] quit
# Add interfaces Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 to aggregation group 60. The steps are as follows.
[SwitchD] interface Ten-GigabitEthernet1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-mode bridge
[SwitchD-Ten-GigabitEthernet1/0/1] port link-aggregation group 60
[SwitchD-Ten-GigabitEthernet1/0/1] quit
[SwitchD] interface Ten-GigabitEthernet1/0/2
[SwitchD-Ten-GigabitEthernet1/0/2] port link-mode bridge
[SwitchD-Ten-GigabitEthernet1/0/2] port link-aggregation group 60
[SwitchD-Ten-GigabitEthernet1/0/2] quit
# Enter aggregate interface 60, set its link type to trunk, and permit VLAN 40 packets.
[SwitchD] interface Bridge-Aggregation60
[SwitchD-Bridge-Aggregation60] port link-type trunk
[SwitchD-Bridge-Aggregation60] undo port trunk permit vlan 1
[SwitchD-Bridge-Aggregation60] port trunk permit vlan 40
[SwitchD-Bridge-Aggregation60] quit
(4) Configure the VLAN interface
# Configure the VLAN interface and its IP address as planned in the network diagram. The steps are as follows.
[SwitchD] interface Vlan-interface40
[SwitchD-Vlan-interface40] ip address 172.1.3.2 255.255.255.0
[SwitchD-Vlan-interface40] quit
(5) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[SwitchD] ip route-static 0.0.0.0 0.0.0.0 172.1.3.1
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 address of each interface as planned in the network diagram. The steps are as follows.
<DeviceA> system-view
[DeviceA] interface FortyGigE1/0/1
[DeviceA-FortyGigE1/0/1] port link-mode route
[DeviceA-FortyGigE1/0/1] ip address 172.1.1.1 255.255.255.0
[DeviceA-FortyGigE1/0/1] quit
[DeviceA] interface FortyGigE1/0/2
[DeviceA-FortyGigE1/0/2] port link-mode route
[DeviceA-FortyGigE1/0/2] ip address 172.1.2.1 255.255.255.0
[DeviceA-FortyGigE1/0/2] quit
[DeviceA] interface FortyGigE1/0/3
[DeviceA-FortyGigE1/0/3] port link-mode route
[DeviceA-FortyGigE1/0/3] ip address 1.0.0.1 255.255.255.0
[DeviceA-FortyGigE1/0/3] quit
(2) Add the interfaces to security zones
This part only needs to be configured on the primary management device. Once the RBM network is set up, the secondary management device automatically synchronizes these security policy settings.
# Add the interfaces to the corresponding security zones as planned in the network diagram. The steps are as follows.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface FortyGigE1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface FortyGigE1/0/2
[DeviceA-security-zone-Trust] quit
(3) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 172.1.1.5
[DeviceA] ip route-static 192.168.10.0 255.255.255.0 172.1.2.5
[DeviceA] ip route-static 192.168.11.0 255.255.255.0 172.1.2.5
(4) Configure security policies to permit the required service packets
These security policies only need to be configured on the primary management device. Once the RBM network is set up, the secondary management device automatically synchronizes them.
# Configure a security policy rule named trust-untrust so that internal users can initiate access to the Internet while Internet users cannot access the internal network. The steps are as follows.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] quit
# Configure security policy rules that permit VRRP protocol packets. When the RBM channel goes down, Device A and Device B can still exchange VRRP packets and elect VRRP roles, so the network stays connected.
[DeviceA-security-policy-ip] rule name vrrp1
[DeviceA-security-policy-ip-1-vrrp1] source-zone trust
[DeviceA-security-policy-ip-1-vrrp1] destination-zone local
[DeviceA-security-policy-ip-1-vrrp1] service vrrp
[DeviceA-security-policy-ip-1-vrrp1] action pass
[DeviceA-security-policy-ip-1-vrrp1] quit
[DeviceA-security-policy-ip] rule name vrrp2
[DeviceA-security-policy-ip-2-vrrp2] source-zone local
[DeviceA-security-policy-ip-2-vrrp2] destination-zone trust
[DeviceA-security-policy-ip-2-vrrp2] service vrrp
[DeviceA-security-policy-ip-2-vrrp2] action pass
[DeviceA-security-policy-ip-2-vrrp2] quit
[DeviceA-security-policy-ip] rule name vrrp3
[DeviceA-security-policy-ip-3-vrrp3] source-zone untrust
[DeviceA-security-policy-ip-3-vrrp3] destination-zone local
[DeviceA-security-policy-ip-3-vrrp3] service vrrp
[DeviceA-security-policy-ip-3-vrrp3] action pass
[DeviceA-security-policy-ip-3-vrrp3] quit
[DeviceA-security-policy-ip] rule name vrrp4
[DeviceA-security-policy-ip-4-vrrp4] source-zone local
[DeviceA-security-policy-ip-4-vrrp4] destination-zone untrust
[DeviceA-security-policy-ip-4-vrrp4] service vrrp
[DeviceA-security-policy-ip-4-vrrp4] action pass
[DeviceA-security-policy-ip-4-vrrp4] quit
[DeviceA-security-policy-ip] quit
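The five rules above rely on two properties of the security policy that are easy to take for granted: rules are matched top-down and anything not matched is dropped, and transit traffic is stateful, so a reply to a session an internal host opened is forwarded even though no rule permits untrust to trust. The following Python model is an added example and is not part of this H3C document or the device's own implementation: it encodes the five rules of Device A's policy and walks a constructed packet sequence through a simplified zone-based, stateful evaluator, showing the outbound session pass, its reply pass on the session, an inbound SSH attempt hit the default deny, the peer's VRRP advertisement pass on rule vrrp3, and VRRP fail when it is not addressed to the local zone. The zone names and rule order come from the steps above; the packet fields, addresses and service labels are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                    # "pass" or "drop"
    service: Optional[str] = None  # None matches any service


# The five rules from Device A's security-policy ip block above, in rule order.
RULES: List[Rule] = [
    Rule("trust-untrust", "trust", "untrust", "pass"),
    Rule("vrrp1", "trust", "local", "pass", "vrrp"),
    Rule("vrrp2", "local", "trust", "pass", "vrrp"),
    Rule("vrrp3", "untrust", "local", "pass", "vrrp"),
    Rule("vrrp4", "local", "untrust", "pass", "vrrp"),
]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str
    src: str
    dst: str


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are evaluated top-down; the first rule whose zones and service fit wins."""
    for rule in rules:
        if (rule.src_zone == pkt.src_zone and rule.dst_zone == pkt.dst_zone
                and rule.service in (None, pkt.service)):
            return rule
    return None


class ZoneFirewall:
    """Simplified model: stateful for transit traffic, default deny when no rule matches."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # Sessions are keyed by (service, initiator, responder).
        self.sessions: Set[Tuple[str, str, str]] = set()

    def process(self, pkt: Packet) -> str:
        # A reply that belongs to an existing session is forwarded without a rule
        # lookup; this is what lets internal hosts reach the Internet while the
        # Internet cannot initiate connections inward.
        if (pkt.service, pkt.dst, pkt.src) in self.sessions:
            return "pass (session)"
        rule = first_match(self.rules, pkt)
        if rule is None:
            return "drop (default)"
        if rule.action != "pass":
            return f"drop ({rule.name})"
        # Traffic to or from the local zone terminates on the device; only transit
        # traffic opens a session that its replies can match.
        if "local" not in (pkt.src_zone, pkt.dst_zone):
            self.sessions.add((pkt.service, pkt.src, pkt.dst))
        return f"pass ({rule.name})"


def run_scenario() -> List[str]:
    """Walk a constructed packet sequence through a fresh firewall and return the verdicts."""
    fw = ZoneFirewall(RULES)
    flows = [
        Packet("trust", "untrust", "tcp/443", "192.168.10.20", "203.0.113.9"),  # outbound HTTPS
        Packet("untrust", "trust", "tcp/443", "203.0.113.9", "192.168.10.20"),  # its reply
        Packet("untrust", "trust", "tcp/22", "203.0.113.9", "192.168.10.20"),   # inbound SSH attempt
        Packet("untrust", "local", "vrrp", "172.1.1.2", "224.0.0.18"),          # peer's VRRP advertisement
        Packet("untrust", "trust", "vrrp", "172.1.1.2", "224.0.0.18"),          # VRRP not addressed to local
    ]
    return [fw.process(p) for p in flows]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last two verdicts are why the page adds four separate VRRP rules rather than one: VRRP advertisements are exchanged between each Device's own interface (the local zone) and the peer, in both directions and on both the trust and untrust sides, and the default deny would otherwise silence the election the moment the RBM channel is lost.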
(5) Configure dual-device hot backup (RBM)
# Set up RBM between the two Devices, with Device A as the primary device and Device B as the secondary device. When Device A or its link fails, Device B takes over from Device A so that services are not interrupted.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 1.0.0.2
[DeviceA-remote-backup-group] local-ip 1.0.0.1
[DeviceA-remote-backup-group] data-channel interface FortyGigE1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] hot-backup enable
RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 1
RBM_P[DeviceA-remote-backup-group] delay-time 1
RBM_P[DeviceA-remote-backup-group] quit
# Configure the VRRP groups and associate them with RBM, so that RBM manages the VRRP groups centrally and steers traffic.
RBM_P[DeviceA] interface FortyGigE1/0/1
RBM_P[DeviceA-FortyGigE1/0/1] vrrp vrid 11 virtual-ip 172.1.1.3 active
RBM_P[DeviceA-FortyGigE1/0/1] vrrp vrid 13 virtual-ip 172.1.1.4 standby
RBM_P[DeviceA-FortyGigE1/0/1] quit
RBM_P[DeviceA] interface FortyGigE1/0/2
RBM_P[DeviceA-FortyGigE1/0/2] vrrp vrid 12 virtual-ip 172.1.2.3 active
RBM_P[DeviceA-FortyGigE1/0/2] vrrp vrid 14 virtual-ip 172.1.2.4 standby
RBM_P[DeviceA-FortyGigE1/0/2] quit
(6) Configure security services
# Once the RBM configuration above is complete, the various security services can be configured. Feature modules whose configuration RBM backs up only need to be configured on the primary management device (Device A).
(1) Configure IPv4 addresses for the interfaces
# Configure the IPv4 address of each interface as planned in the network diagram. The steps are as follows.
<DeviceB> system-view
[DeviceB] interface FortyGigE1/0/1
[DeviceB-FortyGigE1/0/1] port link-mode route
[DeviceB-FortyGigE1/0/1] ip address 172.1.1.2 255.255.255.0
[DeviceB-FortyGigE1/0/1] quit
[DeviceB] interface FortyGigE1/0/2
[DeviceB-FortyGigE1/0/2] port link-mode route
[DeviceB-FortyGigE1/0/2] ip address 172.1.2.2 255.255.255.0
[DeviceB-FortyGigE1/0/2] quit
[DeviceB] interface FortyGigE1/0/3
[DeviceB-FortyGigE1/0/3] port link-mode route
[DeviceB-FortyGigE1/0/3] ip address 1.0.0.2 255.255.255.0
[DeviceB-FortyGigE1/0/3] quit
(2) Configure static routes to ensure reachability
This example uses static routes only. In a real network, choose the routing method that suits the situation.
# Configure static routes as planned in the network diagram so that the device can reach both the internal network and the Internet.
[DeviceB] ip route-static 0.0.0.0 0.0.0.0 172.1.1.5
[DeviceB] ip route-static 192.168.10.0 255.255.255.0 172.1.2.5
[DeviceB] ip route-static 192.168.11.0 255.255.255.0 172.1.2.5
(3) Configure dual-device hot backup (RBM)
# Set up RBM between the two Devices, with Device A as the primary device and Device B as the secondary device. When Device A or its link fails, Device B takes over from Device A so that services are not interrupted.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 1.0.0.1
[DeviceB-remote-backup-group] local-ip 1.0.0.2
[DeviceB-remote-backup-group] data-channel interface FortyGigE1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] backup-mode dual-active
RBM_S[DeviceB-remote-backup-group] hot-backup enable
RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable
RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 1
RBM_S[DeviceB-remote-backup-group] delay-time 1
RBM_S[DeviceB-remote-backup-group] quit
# Configure VRRP groups and associate them with RBM, so that RBM manages the VRRP groups centrally and steers traffic.
RBM_S[DeviceB] interface FortyGigE1/0/1
RBM_S[DeviceB-FortyGigE1/0/1] vrrp vrid 11 virtual-ip 172.1.1.3 standby
RBM_S[DeviceB-FortyGigE1/0/1] vrrp vrid 13 virtual-ip 172.1.1.4 active
RBM_S[DeviceB-FortyGigE1/0/1] quit
RBM_S[DeviceB] interface FortyGigE1/0/2
RBM_S[DeviceB-FortyGigE1/0/2] vrrp vrid 12 virtual-ip 172.1.2.3 standby
RBM_S[DeviceB-FortyGigE1/0/2] vrrp vrid 14 virtual-ip 172.1.2.4 active
RBM_S[DeviceB-FortyGigE1/0/2] quit
(1) Device A
# View the RBM status
RBM_P<DeviceA> display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Primary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.0.0.1
Remote IP: 1.0.0.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 1 hour
Configuration consistency check result: Consistent(2023-05-06 14:25:21)
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 58 minutes
Switchover records:
Time Status change Cause
2023-05-06 15:13:11 Initial to Active Interface status changed
# View the VRRP status
RBM_P<DeviceA> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/1 13 Backup 100 100 None 172.1.1.4
FGE1/0/2 12 Master 100 100 None 172.1.2.3
FGE1/0/2 14 Backup 100 100 None 172.1.2.4
(2) Device B
# View the RBM status
RBM_S<DeviceB> display remote-backup-group status
Remote backup group information:
Backup mode: Dual-active
Device management role: Secondary
Device running status: Active
Data channel interface: FortyGigE1/0/3
Local IP: 1.0.0.2
Remote IP: 1.0.0.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 1 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 58 minutes
Switchover records:
Time Status change Cause
2023-05-06 15:13:11 Initial to Active Interface status changed
# View the VRRP status
RBM_S<DeviceB> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Backup 100 100 None 172.1.1.3
FGE1/0/1 13 Master 100 100 None 172.1.1.4
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
FGE1/0/2 14 Master 100 100 None 172.1.2.4
Host1 can access 200.1.1.1 successfully. The session is visible on both Device A and Device B; the copy on Device B is the backup copy. After the link on Device A goes down, the session on Device B switches to the active copy and access continues to work.
(1) Session information on Device A:
RBM_P<DeviceA> display session table ipv4 source-ip 192.168.10.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_OPEN
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 23s
Initiator->Responder: 34 packets 7658 bytes
Responder->Initiator: 34 packets 7658 bytes
Total sessions found: 1
(2) Session information on Device B:
RBM_S<DeviceB> display session table ipv4 source-ip 192.168.10.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: INACTIVE
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 230s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
(3) Link switchover
# After the FGE1/0/1 interface on Device A is shut down, the corresponding session on Device B becomes the active copy:
RBM_S<DeviceB> display session table ipv4 source-ip 192.168.10.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_READY
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:03:22 TTL: 29s
Initiator->Responder: 38 packets 8541 bytes
Responder->Initiator: 38 packets 8541 bytes
Total sessions found: 1
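The two session entries above show what hot backup produces on the pair: the same flow exists on both devices, but only one copy is active while the other is INACTIVE with zero counters. The following is an added example, not part of the configuration guide: a Python check that parses the verbose session entry from each device and verifies that the tuples and rule match and that exactly one copy is active. The sample text is constructed from the guide's Host1 output and abbreviated to the fields the parser uses; the field names are the ones printed by `display session table ipv4 ... verbose` above.

```python
"""Session hot-backup consistency check for an RBM pair (added example)."""
import re

# Constructed from the guide's Host1 output, abbreviated to the fields parsed.
SESSION_A = """\
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_OPEN
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 23s
Initiator->Responder: 34 packets 7658 bytes
Responder->Initiator: 34 packets 7658 bytes
Total sessions found: 1
"""

SESSION_B = """\
Initiator:
Source IP/port: 192.168.10.2/1024
Destination IP/port: 200.1.1.1/1024
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.10.2/1024
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: INACTIVE
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 230s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
"""

# "key: value"; the non-greedy key stops at the first colon, so the
# "Start time: ... TTL: 23s" line yields key "Start time".
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z />-]*?):\s*(.*)$")
TUPLE_KEYS = ("Source IP/port", "Destination IP/port", "Protocol", "Source security zone")


def parse_session(text):
    """Return the initiator/responder tuples, state, rule and total packet count."""
    entry = {"initiator": {}, "responder": {}, "state": None, "rule": None, "packets": 0}
    side = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Initiator:", "Responder:"):
            side = line[:-1].lower()
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key in TUPLE_KEYS and side:
            entry[side][key] = val
        elif key == "State":
            entry["state"] = val
        elif key == "Rule name":
            entry["rule"] = val
        elif key in ("Initiator->Responder", "Responder->Initiator"):
            entry["packets"] += int(val.split()[0])
    return entry


def check_session_backup(text_a, text_b):
    """Findings for one session as seen on both devices; an empty list means consistent."""
    a, b = parse_session(text_a), parse_session(text_b)
    findings = []
    for side in ("initiator", "responder"):
        if a[side] != b[side]:
            findings.append(f"{side} tuple differs: {a[side]} vs {b[side]}")
    if a["rule"] != b["rule"]:
        findings.append(f"rule differs: {a['rule']} vs {b['rule']}")
    # Exactly one copy must be active: two active copies would forward the
    # flow twice, no active copy means the flow is lost on failover.
    active = [s for s in (a["state"], b["state"]) if s != "INACTIVE"]
    if len(active) != 1:
        findings.append(f"{len(active)} active copies, expected exactly 1: {a['state']}/{b['state']}")
    return findings


if __name__ == "__main__":
    print(check_session_backup(SESSION_A, SESSION_B) or "session backup consistent")
```

In practice the two texts would come from the output of `display session table ipv4 source-ip <host> verbose` collected on each device; the check is only meaningful for a single-session result, as in the guide's test.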
# The VRRP status is as follows:
On Device A, the VRRP groups on the shut-down interface are in the Initialize state and those on the other interface are in the Backup state.
RBM_P<DeviceA> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Initialize 100 100 None 172.1.1.3
FGE1/0/1 13 Initialize 100 100 None 172.1.1.4
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
FGE1/0/2 14 Backup 100 100 None 172.1.2.4
On Device B, the VRRP groups on all interfaces change to the Master state.
RBM_S<DeviceB> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/1 13 Master 100 100 None 172.1.1.4
FGE1/0/2 12 Master 100 100 None 172.1.2.3
FGE1/0/2 14 Master 100 100 None 172.1.2.4
Host2 can access 200.1.1.1 successfully. The session is visible on both Device A and Device B; the copy on Device A is the backup copy. After the link on Device B goes down, the session on Device A switches to the active copy and access continues to work.
(1) Session information on Device B:
RBM_S<DeviceB> display session table ipv4 source-ip 192.168.11.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.11.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.11.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_OPEN
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 23s
Initiator->Responder: 34 packets 7658 bytes
Responder->Initiator: 34 packets 7658 bytes
Total sessions found: 1
(2) Session information on Device A:
RBM_P<DeviceA> display session table ipv4 source-ip 192.168.11.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.11.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.11.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: INACTIVE
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:02:22 TTL: 230s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
(3) Link switchover
# After the FGE1/0/1 interface on Device B is shut down, the corresponding session on Device A becomes the active copy:
RBM_P<DeviceA> display session table ipv4 source-ip 192.168.11.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.11.2/1024
Destination IP/port: 200.1.1.1/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/2
Source security zone: Trust
Responder:
Source IP/port: 200.1.1.1/1024
Destination IP/port: 192.168.11.2/1024
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: FortyGigE1/0/1
Source security zone: Untrust
State: UDP_READY
Application: OTHER
Rule ID: 3
Rule name: trust-untrust
Start time: 2023-05-06 19:03:22 TTL: 29s
Initiator->Responder: 38 packets 8541 bytes
Responder->Initiator: 38 packets 8541 bytes
Total sessions found: 1
# The VRRP status is as follows:
On Device B, the VRRP groups on the shut-down interface are in the Initialize state and those on the other interface are in the Backup state.
RBM_S<DeviceB> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Initialize 100 100 None 172.1.1.3
FGE1/0/1 13 Initialize 100 100 None 172.1.1.4
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
FGE1/0/2 14 Backup 100 100 None 172.1.2.4
On Device A, the VRRP groups on all interfaces change to the Master state.
RBM_P<DeviceA> display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/1 13 Master 100 100 None 172.1.1.4
FGE1/0/2 12 Master 100 100 None 172.1.2.3
FGE1/0/2 14 Master 100 100 None 172.1.2.4
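The `display vrrp` outputs in the verification and switchover steps above all satisfy one invariant the dual-active design depends on: for every VRID, exactly one of the two devices is Master. In the normal state each device is Master for its own two VRIDs and Backup for the other two; after a link goes down the groups on the shut-down interface go to Initialize on one device and all four groups become Master on the other. The following is an added example, not from the configuration guide: a Python check that parses `display vrrp` text from both devices and reports any VRID with zero Masters (virtual IP has no owner) or two Masters (split brain), plus a missing RBM control channel or a virtual IP mismatch. The sample texts are constructed from the guide's outputs; the failover samples keep only the control-channel line and the table rows.

```python
"""Pairwise VRRP/RBM consistency check for a dual-active RBM pair (added example)."""
import re

# Constructed from the guide's normal-state 'display vrrp' output on Device A.
VRRP_A = """\
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/1 13 Backup 100 100 None 172.1.1.4
FGE1/0/2 12 Master 100 100 None 172.1.2.3
FGE1/0/2 14 Backup 100 100 None 172.1.2.4
"""

# Constructed from the guide's normal-state output on Device B.
VRRP_B = """\
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Backup
Total number of virtual routers : 4
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
FGE1/0/1 11 Backup 100 100 None 172.1.1.3
FGE1/0/1 13 Master 100 100 None 172.1.1.4
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
FGE1/0/2 14 Master 100 100 None 172.1.2.4
"""

# After FGE1/0/1 on Device A is shut down (abbreviated to the lines parsed).
VRRP_A_DOWN = """\
RBM control channel is established
FGE1/0/1 11 Initialize 100 100 None 172.1.1.3
FGE1/0/1 13 Initialize 100 100 None 172.1.1.4
FGE1/0/2 12 Backup 100 100 None 172.1.2.3
FGE1/0/2 14 Backup 100 100 None 172.1.2.4
"""
VRRP_B_DOWN = """\
RBM control channel is established
FGE1/0/1 11 Master 100 100 None 172.1.1.3
FGE1/0/1 13 Master 100 100 None 172.1.1.4
FGE1/0/2 12 Master 100 100 None 172.1.2.3
FGE1/0/2 14 Master 100 100 None 172.1.2.4
"""

# One table row: interface, VRID, state, priority, timer, auth type, virtual IP.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<vrid>\d+)\s+(?P<state>Master|Backup|Initialize)"
    r"\s+\d+\s+\d+\s+\S+\s+(?P<vip>\d+\.\d+\.\d+\.\d+)$")


def parse_vrrp(text):
    """Map VRID -> (interface, state, virtual IP) from 'display vrrp' text."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[int(m["vrid"])] = (m["iface"], m["state"], m["vip"])
    return rows


def check_pair(text_a, text_b):
    """Return a list of findings for the pair; an empty list means healthy."""
    findings = []
    for name, text in (("A", text_a), ("B", text_b)):
        if "RBM control channel is established" not in text:
            findings.append(f"device {name}: RBM control channel not established")
    a, b = parse_vrrp(text_a), parse_vrrp(text_b)
    if set(a) != set(b):
        findings.append(f"VRID sets differ: A={sorted(a)} B={sorted(b)}")
    for vrid in sorted(set(a) | set(b)):
        states = [dev[vrid][1] for dev in (a, b) if vrid in dev]
        masters = states.count("Master")
        if masters == 0:
            findings.append(f"VRID {vrid}: no Master, virtual IP has no owner")
        elif masters > 1:
            findings.append(f"VRID {vrid}: {masters} Masters, split brain")
        if vrid in a and vrid in b and a[vrid][2] != b[vrid][2]:
            findings.append(f"VRID {vrid}: virtual IP mismatch {a[vrid][2]} vs {b[vrid][2]}")
    return findings


if __name__ == "__main__":
    for label, pair in (("normal", (VRRP_A, VRRP_B)),
                        ("A FGE1/0/1 down", (VRRP_A_DOWN, VRRP_B_DOWN)),
                        ("split brain", (VRRP_B_DOWN, VRRP_B_DOWN))):
        print(label, check_pair(*pair) or "OK")
```

Both the normal state and the post-switchover state pass the check; feeding the same Master-everywhere output for both devices reproduces what a broken data channel would look like (every VRID reported twice as Master), which is the condition to alarm on when monitoring such a pair.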
#
interface Ten-GigabitEthernet1/0/1
port link-mode route
ip address 100.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/24
port link-mode route
ip address 200.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0 200.1.1.3
ip route-static 192.168.10.0 24 100.1.1.2
ip route-static 192.168.11.0 24 100.1.1.2
#
vlan 2 to 3
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
policy-based-route aaa permit node 5
if-match acl 3101
apply next-hop 172.1.2.3
#
policy-based-route aaa permit node 6
if-match acl 3103
apply next-hop 172.1.2.4
#
policy-based-route bbb permit node 5
if-match acl 3102
apply next-hop 172.1.1.3
#
policy-based-route bbb permit node 6
if-match acl 3104
apply next-hop 172.1.1.4
#
interface Bridge-Aggregation3
link-aggregation mode dynamic
port m-lag peer-link 1
undo mac-address static source-check enable
#
interface Bridge-Aggregation10
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port m-lag group 10
link-aggregation mode dynamic
#
interface Bridge-Aggregation20
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port m-lag group 20
link-aggregation mode dynamic
#
interface Bridge-Aggregation30
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port m-lag group 30
link-aggregation mode dynamic
#
interface Bridge-Aggregation40
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
link-aggregation mode dynamic
port m-lag group 40
#
interface Vlan-interface10
ip address 172.1.1.5 255.255.255.0
#
interface Vlan-interface20
ip address 172.1.2.5 255.255.255.0
#
interface Vlan-interface30
ip address 100.1.2.1 255.255.255.0
ip policy-based-route bbb
#
interface Vlan-interface40
ip address 172.1.3.1 255.255.255.0
ip policy-based-route aaa
#
interface FortyGigE1/2/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port link-aggregation group 10
#
interface FortyGigE1/2/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port link-aggregation group 20
#
interface FortyGigE1/2/0/3
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/6/0/3
port link-mode route
ip address 2.1.1.1 255.255.255.0
#
interface Ten-GigabitEthernet1/6/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 40
#
interface Ten-GigabitEthernet1/6/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 30
#
interface Ten-GigabitEthernet1/6/0/4
port link-mode bridge
port link-aggregation group 3
#
interface Ten-GigabitEthernet1/6/0/5
port link-mode bridge
port link-aggregation group 3
#
m-lag restore-delay 180
m-lag system-mac 0001-0001-0001
m-lag system-number 1
m-lag system-priority 123
m-lag mad default-action none
m-lag keepalive ip destination 2.1.1.2 source 2.1.1.1
#
ip route-static 0.0.0.0 0 100.1.2.2
ip route-static 192.168.10.0 24 172.1.3.2
ip route-static 192.168.11.0 24 172.1.3.2
#
acl advanced 3101
rule 0 permit ip source 192.168.10.0 0.0.0.255
#
acl advanced 3102
rule 0 permit ip destination 192.168.10.0 0.0.0.255
#
acl advanced 3103
rule 0 permit ip source 192.168.11.0 0.0.0.255
#
acl advanced 3104
rule 0 permit ip destination 192.168.11.0 0.0.0.255
#
vlan 2 to 3
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
policy-based-route aaa permit node 5
if-match acl 3101
apply next-hop 172.1.2.3
#
policy-based-route aaa permit node 6
if-match acl 3103
apply next-hop 172.1.2.4
#
policy-based-route bbb permit node 5
if-match acl 3102
apply next-hop 172.1.1.3
#
policy-based-route bbb permit node 6
if-match acl 3104
apply next-hop 172.1.1.4
#
interface Bridge-Aggregation3
link-aggregation mode dynamic
port m-lag peer-link 1
undo mac-address static source-check enable
#
interface Bridge-Aggregation10
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port m-lag group 10
link-aggregation mode dynamic
#
interface Bridge-Aggregation20
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port m-lag group 20
link-aggregation mode dynamic
#
interface Bridge-Aggregation30
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port m-lag group 30
link-aggregation mode dynamic
#
interface Bridge-Aggregation40
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
link-aggregation mode dynamic
port m-lag group 40
#
interface Vlan-interface10
ip address 172.1.1.5 255.255.255.0
#
interface Vlan-interface20
ip address 172.1.2.5 255.255.255.0
#
interface Vlan-interface30
ip address 100.1.2.1 255.255.255.0
ip policy-based-route bbb
#
interface Vlan-interface40
ip address 172.1.3.1 255.255.255.0
ip policy-based-route aaa
#
interface FortyGigE1/2/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
port link-aggregation group 10
#
interface FortyGigE1/2/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port link-aggregation group 20
#
interface FortyGigE1/2/0/3
port link-mode bridge
port access vlan 2
#
interface Ten-GigabitEthernet1/6/0/3
port link-mode route
ip address 2.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/6/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 40
#
interface Ten-GigabitEthernet1/6/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 30
#
interface Ten-GigabitEthernet1/6/0/4
port link-mode bridge
port link-aggregation group 3
#
interface Ten-GigabitEthernet1/6/0/5
port link-mode bridge
port link-aggregation group 3
#
m-lag restore-delay 180
m-lag system-mac 0001-0001-0001
m-lag system-number 2
m-lag system-priority 123
m-lag mad default-action none
m-lag keepalive ip destination 2.1.1.1 source 2.1.1.2
#
ip route-static 0.0.0.0 0 100.1.2.2
ip route-static 192.168.10.0 24 172.1.3.2
ip route-static 192.168.11.0 24 172.1.3.2
#
acl advanced 3101
rule 0 permit ip source 192.168.10.0 0.0.0.255
#
acl advanced 3102
rule 0 permit ip destination 192.168.10.0 0.0.0.255
#
acl advanced 3103
rule 0 permit ip source 192.168.11.0 0.0.0.255
#
acl advanced 3104
rule 0 permit ip destination 192.168.11.0 0.0.0.255
#
vlan 30
#
interface Bridge-Aggregation50
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
link-aggregation mode dynamic
#
interface Vlan-interface30
ip address 100.1.2.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/3
port link-mode route
ip address 100.1.1.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 50
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 30
port link-aggregation group 50
#
ip route-static 0.0.0.0 0 100.1.1.1
ip route-static 192.168.10.0 24 100.1.2.1
ip route-static 192.168.11.0 24 100.1.2.1
#
vlan 40
#
interface Bridge-Aggregation60
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
link-aggregation mode dynamic
#
interface Vlan-interface40
ip address 172.1.3.2 255.255.255.0
#
interface Ten-GigabitEthernet1/0/3
port link-mode route
ip address 192.168.10.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/4
port link-mode route
ip address 192.168.11.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 60
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 40
port link-aggregation group 60
#
ip route-static 0.0.0.0 0 172.1.3.1
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
configuration sync-check interval 1
delay-time 1
local-ip 1.0.0.1
remote-ip 1.0.0.2
device-role primary
#
interface FortyGigE1/0/1
port link-mode route
ip address 172.1.1.1 255.255.255.0
vrrp vrid 11 virtual-ip 172.1.1.3 active
vrrp vrid 13 virtual-ip 172.1.1.4 standby
#
interface FortyGigE1/0/2
port link-mode route
ip address 172.1.2.1 255.255.255.0
vrrp vrid 12 virtual-ip 172.1.2.3 active
vrrp vrid 14 virtual-ip 172.1.2.4 standby
#
interface FortyGigE1/0/3
port link-mode route
ip address 1.0.0.1 255.255.255.0
#
security-zone name Trust
import interface FortyGigE1/0/2
#
security-zone name Untrust
import interface FortyGigE1/0/1
#
ip route-static 0.0.0.0 0 172.1.1.5
ip route-static 192.168.10.0 24 172.1.2.5
ip route-static 192.168.11.0 24 172.1.2.5
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
rule 1 name vrrp1
action pass
source-zone trust
destination-zone local
service vrrp
rule 2 name vrrp2
action pass
source-zone local
destination-zone trust
service vrrp
rule 3 name vrrp3
action pass
source-zone untrust
destination-zone local
service vrrp
rule 4 name vrrp4
action pass
source-zone local
destination-zone untrust
service vrrp
#
remote-backup group
backup-mode dual-active
data-channel interface FortyGigE1/0/3
configuration sync-check interval 1
delay-time 1
local-ip 1.0.0.2
remote-ip 1.0.0.1
device-role secondary
#
interface FortyGigE1/0/1
port link-mode route
ip address 172.1.1.2 255.255.255.0
vrrp vrid 11 virtual-ip 172.1.1.3 standby
vrrp vrid 13 virtual-ip 172.1.1.4 active
#
interface FortyGigE1/0/2
port link-mode route
ip address 172.1.2.2 255.255.255.0
vrrp vrid 12 virtual-ip 172.1.2.3 standby
vrrp vrid 14 virtual-ip 172.1.2.4 active
#
interface FortyGigE1/0/3
port link-mode route
ip address 1.0.0.2 255.255.255.0
#
ip route-static 0.0.0.0 0 172.1.1.5
ip route-static 192.168.10.0 24 172.1.2.5
ip route-static 192.168.11.0 24 172.1.2.5