CLI: Typical configuration of an RBM + VRRP active/standby network in a virtualized Context scenario

Software version used

This example was configured and verified on version M9000-AI-E8R9071.

Network requirements

As shown in the figure below, a company uses Device as the egress gateway of its cloud computing center to protect the security of the internal network. To serve multiple tenants, Device is virtualized into several logical devices (Contexts); each virtual device is independent and has its own security policies. To improve service stability, two Device units are deployed as an RBM hot backup pair. The specific network requirements are as follows:

After the original active device recovers, traffic switches back to it: the standby device stops processing services and the original active device resumes handling them.

Figure 1 Network diagram: RBM + VRRP hot backup deployment of the cloud computing center gateway in a virtualized Context environment

Figure 2 Logical network diagram of the cloud computing center gateway hot backup deployment through Context cnt1

Figure 3 Logical network diagram of the cloud computing center gateway hot backup deployment through Context cnt2

Restrictions and guidelines

Consistent hardware environment

Before deploying HA, make sure the hardware environments of the active and standby devices are consistent. The specific requirements are as follows:

Consistent software environment

Before deploying HA, make sure the software environments of the active and standby devices are consistent. The specific requirements are as follows:

Configuration procedure

Configuring the Router

  1. Configure interface IP addresses

# Configure IPv4 addresses on the service interfaces as planned in the network diagram. The specific steps are as follows.

<Router> system-view

[Router] interface gigabitethernet 1/0/18

[Router-GigabitEthernet1/0/18] ip address 2.1.1.15 255.255.255.0

[Router-GigabitEthernet1/0/18] quit

[Router] interface gigabitethernet 1/0/19

[Router-GigabitEthernet1/0/19] ip address 3.1.1.1 255.255.255.0

[Router-GigabitEthernet1/0/19] quit

[Router] interface gigabitethernet 1/0/20

[Router-GigabitEthernet1/0/20] ip address 3.1.2.1 255.255.255.0

[Router-GigabitEthernet1/0/20] quit

  2. Configure routes

# The next hop to cloud computing server Server 1 is the virtual IPv4 address of VRRP group 1, 2.1.1.3, and the next hop to cloud computing server Server 2 is the virtual IPv4 address of VRRP group 3, 2.1.2.3. In this example, Server 1 has the address 10.1.1.100/24 and Server 2 has the address 10.1.2.100/24. Refer to the following configuration:

[Router] ip route-static 10.1.1.0 24 2.1.1.3

[Router] ip route-static 10.1.2.0 24 2.1.2.3

# Part of the traffic bound for the external network has the destination address 30.1.1.1 and the next hop IPv4 address 3.1.1.15/24; the other part has the destination address 30.1.2.1 and the next hop IPv4 address 3.1.2.15/24. Refer to the following configuration:

[Router] ip route-static 30.1.1.0 24 3.1.1.15

[Router] ip route-static 30.1.2.0 24 3.1.2.15

Configuring Switch A

Create VLAN 10 and VLAN 20 on Switch A, set the link type of the interfaces connecting to Device A and Device B to trunk, and permit VLAN 10 and VLAN 20 on those interfaces.

# Configure as planned in the network diagram. The specific steps are as follows.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

[SwitchA] vlan 20

[SwitchA-vlan20] quit

[SwitchA] interface gigabitethernet 1/0/1

[SwitchA-GigabitEthernet1/0/1] port link-type trunk

[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 10 20

[SwitchA-GigabitEthernet1/0/1] quit

[SwitchA] interface gigabitethernet 1/0/2

[SwitchA-GigabitEthernet1/0/2] port link-type trunk

[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 10 20

[SwitchA-GigabitEthernet1/0/2] quit

[SwitchA] interface gigabitethernet 1/0/3

[SwitchA-GigabitEthernet1/0/3] port link-type trunk

[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 10 20

[SwitchA-GigabitEthernet1/0/3] quit

Configuring Switch B

Create VLAN 10 and VLAN 20 on Switch B, set the link type of the interfaces connecting to Device A and Device B to trunk, and permit VLAN 10 and VLAN 20 on those interfaces.

# Configure as planned in the network diagram. The specific steps are as follows.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

[SwitchB] vlan 20

[SwitchB-vlan20] quit

[SwitchB] interface gigabitethernet 1/0/1

[SwitchB-GigabitEthernet1/0/1] port link-type trunk

[SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 10 20

[SwitchB-GigabitEthernet1/0/1] quit

[SwitchB] interface gigabitethernet 1/0/2

[SwitchB-GigabitEthernet1/0/2] port link-type trunk

[SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 10 20

[SwitchB-GigabitEthernet1/0/2] quit

[SwitchB] interface gigabitethernet 1/0/3

[SwitchB-GigabitEthernet1/0/3] port access vlan 10

[SwitchB-GigabitEthernet1/0/3] quit

[SwitchB] interface gigabitethernet 1/0/4

[SwitchB-GigabitEthernet1/0/4] port access vlan 20

[SwitchB-GigabitEthernet1/0/4] quit

Configuring Device A

  1. Configure non-default Context cnt1

  a. Create Context cnt1 and install it on a security engine

# After a Context is created, it must be installed on a security engine (by assigning it to a security engine group) before it has a runtime environment and can run services. This example installs it on the default security engine group.

<DeviceA> system-view

[DeviceA] context cnt1

[DeviceA-context-2-cnt1] location blade-controller-team 1

[DeviceA-context-2-cnt1] allocate interface gigabitethernet 1/0/1 share

[DeviceA-context-2-cnt1] allocate interface gigabitethernet 1/0/2 share

[DeviceA-context-2-cnt1] context start

[DeviceA-context-2-cnt1] quit

  b. Configure interface IP addresses in Context cnt1

# Configure IPv4 addresses on the service interfaces as planned in the network diagram. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable dot1q termination on the subinterfaces to allow traffic between VLANs. The specific steps are as follows.

[DeviceA] switchto context cnt1

<DeviceA> system-view

[DeviceA] sysname DeviceA_cnt1

[DeviceA_cnt1] interface gigabitethernet 1/0/1.10

[DeviceA_cnt1-GigabitEthernet1/0/1.10] ip address 2.1.1.1 24

[DeviceA_cnt1-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[DeviceA_cnt1-GigabitEthernet1/0/1.10] quit

[DeviceA_cnt1] interface gigabitethernet 1/0/2.10

[DeviceA_cnt1-GigabitEthernet1/0/2.10] ip address 10.1.1.1 24

[DeviceA_cnt1-GigabitEthernet1/0/2.10] vlan-type dot1q vid 10

[DeviceA_cnt1-GigabitEthernet1/0/2.10] quit

  c. Add the interfaces to security zones

# Add the interfaces to the corresponding security zones as planned in the network diagram. The specific steps are as follows.

[DeviceA_cnt1] security-zone name untrust

[DeviceA_cnt1-security-zone-Untrust] import interface gigabitethernet 1/0/1.10

[DeviceA_cnt1-security-zone-Untrust] quit

[DeviceA_cnt1] security-zone name trust

[DeviceA_cnt1-security-zone-Trust] import interface gigabitethernet 1/0/2.10

[DeviceA_cnt1-security-zone-Trust] quit

  d. Configure static routes to ensure reachability

This example uses static routes only. In a real network, choose the routing method that suits your situation.

# Configure static routes as planned in the network diagram so that the device can reach both the internal and external networks. This example assumes that the next hop to the external network is 2.1.1.15; use the value that applies in your environment. The specific steps are as follows.

[DeviceA_cnt1] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

  e. Configure security policies to permit the required service packets

These security policies need to be configured only on the primary management device. Once the hot backup setup is complete, the secondary management device synchronizes them automatically.

# Configure a security policy rule named trust-untrust so that internal users on 10.1.1.0/24 can initiate access to the Internet while Internet users cannot access the internal network. The specific steps are as follows.

[DeviceA_cnt1] security-policy ip

[DeviceA_cnt1-security-policy-ip] rule name trust-untrust

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] source-zone trust

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] destination-zone untrust

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] action pass

[DeviceA_cnt1-security-policy-ip-0-trust-untrust] quit

# Configure security policy rules that permit VRRP packets. When the RBM channel is down, they let the active and standby devices exchange VRRP packets and hold a VRRP election, so the network stays connected.

[DeviceA_cnt1-security-policy-ip] rule name vrrp1

[DeviceA_cnt1-security-policy-ip-1-vrrp1] source-zone trust

[DeviceA_cnt1-security-policy-ip-1-vrrp1] destination-zone local

[DeviceA_cnt1-security-policy-ip-1-vrrp1] service vrrp

[DeviceA_cnt1-security-policy-ip-1-vrrp1] action pass

[DeviceA_cnt1-security-policy-ip-1-vrrp1] quit

[DeviceA_cnt1-security-policy-ip] rule name vrrp2

[DeviceA_cnt1-security-policy-ip-2-vrrp2] source-zone local

[DeviceA_cnt1-security-policy-ip-2-vrrp2] destination-zone trust

[DeviceA_cnt1-security-policy-ip-2-vrrp2] service vrrp

[DeviceA_cnt1-security-policy-ip-2-vrrp2] action pass

[DeviceA_cnt1-security-policy-ip-2-vrrp2] quit

[DeviceA_cnt1-security-policy-ip] rule name vrrp3

[DeviceA_cnt1-security-policy-ip-3-vrrp3] source-zone untrust

[DeviceA_cnt1-security-policy-ip-3-vrrp3] destination-zone local

[DeviceA_cnt1-security-policy-ip-3-vrrp3] service vrrp

[DeviceA_cnt1-security-policy-ip-3-vrrp3] action pass

[DeviceA_cnt1-security-policy-ip-3-vrrp3] quit

[DeviceA_cnt1-security-policy-ip] rule name vrrp4

[DeviceA_cnt1-security-policy-ip-4-vrrp4] source-zone local

[DeviceA_cnt1-security-policy-ip-4-vrrp4] destination-zone untrust

[DeviceA_cnt1-security-policy-ip-4-vrrp4] service vrrp

[DeviceA_cnt1-security-policy-ip-4-vrrp4] action pass

[DeviceA_cnt1-security-policy-ip-4-vrrp4] quit

[DeviceA_cnt1-security-policy-ip] quit

[DeviceA_cnt1] quit

<DeviceA_cnt1> quit

  2. Configure non-default Context cnt2

  a. Create Context cnt2 and install it on a security engine

# Install the Context on the default security engine group.

<DeviceA> system-view

[DeviceA] context cnt2

[DeviceA-context-3-cnt2] location blade-controller-team 1

[DeviceA-context-3-cnt2] allocate interface gigabitethernet 1/0/1 share

[DeviceA-context-3-cnt2] allocate interface gigabitethernet 1/0/2 share

[DeviceA-context-3-cnt2] context start

[DeviceA-context-3-cnt2] quit

  b. Configure interface IP addresses in Context cnt2

# Configure IPv4 addresses on the service interfaces as planned in the network diagram. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable dot1q termination on the subinterfaces to allow traffic between VLANs. The specific steps are as follows.

[DeviceA] switchto context cnt2

<DeviceA> system-view

[DeviceA] sysname DeviceA_cnt2

[DeviceA_cnt2] interface gigabitethernet 1/0/1.20

[DeviceA_cnt2-GigabitEthernet1/0/1.20] ip address 2.1.2.1 24

[DeviceA_cnt2-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[DeviceA_cnt2-GigabitEthernet1/0/1.20] quit

[DeviceA_cnt2] interface gigabitethernet 1/0/2.20

[DeviceA_cnt2-GigabitEthernet1/0/2.20] ip address 10.1.2.1 24

[DeviceA_cnt2-GigabitEthernet1/0/2.20] vlan-type dot1q vid 20

[DeviceA_cnt2-GigabitEthernet1/0/2.20] quit

  c. Add the interfaces to security zones

# Add the interfaces to the corresponding security zones as planned in the network diagram. The specific steps are as follows.

[DeviceA_cnt2] security-zone name untrust

[DeviceA_cnt2-security-zone-Untrust] import interface gigabitethernet 1/0/1.20

[DeviceA_cnt2-security-zone-Untrust] quit

[DeviceA_cnt2] security-zone name trust

[DeviceA_cnt2-security-zone-Trust] import interface gigabitethernet 1/0/2.20

[DeviceA_cnt2-security-zone-Trust] quit

  d. Configure static routes to ensure reachability

This example uses static routes only. In a real network, choose the routing method that suits your situation.

# Configure static routes as planned in the network diagram so that the device can reach both the internal and external networks. This example assumes that the next hop to the external network is 2.1.1.15; use the value that applies in your environment. The specific steps are as follows.

[DeviceA_cnt2] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

  e. Configure security policies to permit the required service packets

These security policies need to be configured only on the primary management device. Once the hot backup setup is complete, the secondary management device synchronizes them automatically.

# Configure a security policy rule named trust-untrust so that internal users on 10.1.2.0/24 can initiate access to the Internet while Internet users cannot access the internal network. The specific steps are as follows.

[DeviceA_cnt2] security-policy ip

[DeviceA_cnt2-security-policy-ip] rule name trust-untrust

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] source-zone trust

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] destination-zone untrust

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] source-ip-subnet 10.1.2.0 24

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] action pass

[DeviceA_cnt2-security-policy-ip-0-trust-untrust] quit

# Configure security policy rules that permit VRRP packets. When the RBM channel is down, they let the active and standby devices exchange VRRP packets and hold a VRRP election, so the network stays connected.

[DeviceA_cnt2-security-policy-ip] rule name vrrp1

[DeviceA_cnt2-security-policy-ip-1-vrrp1] source-zone trust

[DeviceA_cnt2-security-policy-ip-1-vrrp1] destination-zone local

[DeviceA_cnt2-security-policy-ip-1-vrrp1] service vrrp

[DeviceA_cnt2-security-policy-ip-1-vrrp1] action pass

[DeviceA_cnt2-security-policy-ip-1-vrrp1] quit

[DeviceA_cnt2-security-policy-ip] rule name vrrp2

[DeviceA_cnt2-security-policy-ip-2-vrrp2] source-zone local

[DeviceA_cnt2-security-policy-ip-2-vrrp2] destination-zone trust

[DeviceA_cnt2-security-policy-ip-2-vrrp2] service vrrp

[DeviceA_cnt2-security-policy-ip-2-vrrp2] action pass

[DeviceA_cnt2-security-policy-ip-2-vrrp2] quit

[DeviceA_cnt2-security-policy-ip] rule name vrrp3

[DeviceA_cnt2-security-policy-ip-3-vrrp3] source-zone untrust

[DeviceA_cnt2-security-policy-ip-3-vrrp3] destination-zone local

[DeviceA_cnt2-security-policy-ip-3-vrrp3] service vrrp

[DeviceA_cnt2-security-policy-ip-3-vrrp3] action pass

[DeviceA_cnt2-security-policy-ip-3-vrrp3] quit

[DeviceA_cnt2-security-policy-ip] rule name vrrp4

[DeviceA_cnt2-security-policy-ip-4-vrrp4] source-zone local

[DeviceA_cnt2-security-policy-ip-4-vrrp4] destination-zone untrust

[DeviceA_cnt2-security-policy-ip-4-vrrp4] service vrrp

[DeviceA_cnt2-security-policy-ip-4-vrrp4] action pass

[DeviceA_cnt2-security-policy-ip-4-vrrp4] quit

[DeviceA_cnt2-security-policy-ip] quit

[DeviceA_cnt2] quit

<DeviceA_cnt2> quit

  3. Configure hot backup

  a. Configure RBM hot backup

# Configure the IP address of the RBM channel interface.

[DeviceA] interface gigabitethernet 1/0/6

[DeviceA-GigabitEthernet1/0/6] ip address 10.2.1.1 24

[DeviceA-GigabitEthernet1/0/6] quit

# Two Devices form the hot backup pair: Device A is the active device and Device B is the standby device. When Device A or its link fails, Device B takes over from Device A so that services are not interrupted.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/6

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] delay-time 1

RBM_P[DeviceA-remote-backup-group] quit

# Configure a VRRP group in each Context and associate it with hot backup, so that hot backup manages the VRRP groups centrally and steers traffic accordingly.

RBM_P[DeviceA] switchto context cnt1

RBM_P<DeviceA_cnt1> system-view

RBM_P[DeviceA_cnt1] interface gigabitethernet 1/0/1.10

RBM_P[DeviceA_cnt1-GigabitEthernet1/0/1.10] vrrp vrid 1 virtual-ip 2.1.1.3 active

RBM_P[DeviceA_cnt1-GigabitEthernet1/0/1.10] quit

RBM_P[DeviceA_cnt1] interface gigabitethernet 1/0/2.10

RBM_P[DeviceA_cnt1-GigabitEthernet1/0/2.10] vrrp vrid 2 virtual-ip 10.1.1.3 active

RBM_P[DeviceA_cnt1-GigabitEthernet1/0/2.10] quit

RBM_P[DeviceA_cnt1] quit

RBM_P<DeviceA_cnt1> quit

RBM_P[DeviceA] switchto context cnt2

RBM_P<DeviceA_cnt2> system-view

RBM_P[DeviceA_cnt2] interface gigabitethernet 1/0/1.20

RBM_P[DeviceA_cnt2-GigabitEthernet1/0/1.20] vrrp vrid 1 virtual-ip 2.1.2.3 active

RBM_P[DeviceA_cnt2-GigabitEthernet1/0/1.20] quit

RBM_P[DeviceA_cnt2] interface gigabitethernet 1/0/2.20

RBM_P[DeviceA_cnt2-GigabitEthernet1/0/2.20] vrrp vrid 2 virtual-ip 10.1.2.3 active

RBM_P[DeviceA_cnt2-GigabitEthernet1/0/2.20] quit

RBM_P[DeviceA_cnt2] quit

RBM_P<DeviceA_cnt2> quit

  b. Configure security services

# After the hot backup configuration above is complete, the various security services can be configured. Feature modules whose configuration is backed up by hot backup need to be configured only on the primary management device (Device A).

Configuring Device B

  1. Configure non-default Context cnt1

  a. Create Context cnt1 and install it on a security engine

# Install the Context on the default security engine group.

<DeviceB> system-view

[DeviceB] context cnt1

[DeviceB-context-2-cnt1] location blade-controller-team 1

[DeviceB-context-2-cnt1] allocate interface gigabitethernet 1/0/1 share

[DeviceB-context-2-cnt1] allocate interface gigabitethernet 1/0/2 share

[DeviceB-context-2-cnt1] context start

[DeviceB-context-2-cnt1] quit

  b. Configure interface IP addresses in Context cnt1

# Configure IPv4 addresses on the service interfaces as planned in the network diagram. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable dot1q termination on the subinterfaces to allow traffic between VLANs. The specific steps are as follows.

[DeviceB] switchto context cnt1

<DeviceB> system-view

[DeviceB] sysname DeviceB_cnt1

[DeviceB_cnt1] interface gigabitethernet 1/0/1.10

[DeviceB_cnt1-GigabitEthernet1/0/1.10] ip address 2.1.1.2 255.255.255.0

[DeviceB_cnt1-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[DeviceB_cnt1-GigabitEthernet1/0/1.10] quit

[DeviceB_cnt1] interface gigabitethernet 1/0/2.10

[DeviceB_cnt1-GigabitEthernet1/0/2.10] ip address 10.1.1.2 255.255.255.0

[DeviceB_cnt1-GigabitEthernet1/0/2.10] vlan-type dot1q vid 10

[DeviceB_cnt1-GigabitEthernet1/0/2.10] quit

  c. Add the interfaces to security zones

# Add the interfaces to the corresponding security zones as planned in the network diagram. The specific steps are as follows.

[DeviceB_cnt1] security-zone name untrust

[DeviceB_cnt1-security-zone-Untrust] import interface gigabitethernet 1/0/1.10

[DeviceB_cnt1-security-zone-Untrust] quit

[DeviceB_cnt1] security-zone name trust

[DeviceB_cnt1-security-zone-Trust] import interface gigabitethernet 1/0/2.10

[DeviceB_cnt1-security-zone-Trust] quit

  d. Configure static routes to ensure reachability

This example uses static routes only. In a real network, choose the routing method that suits your situation.

# Configure static routes as planned in the network diagram so that the device can reach both the internal and external networks. This example assumes that the next hop to the external network is 2.1.1.15; use the value that applies in your environment. The specific steps are as follows.

[DeviceB_cnt1] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

  2. Configure non-default Context cnt2

  a. Create Context cnt2 and install it on a security engine

# Install the Context on the default security engine group.

<DeviceB> system-view

[DeviceB] context cnt2

[DeviceB-context-3-cnt2] location blade-controller-team 1

[DeviceB-context-3-cnt2] allocate interface gigabitethernet 1/0/1 share

[DeviceB-context-3-cnt2] allocate interface gigabitethernet 1/0/2 share

[DeviceB-context-3-cnt2] context start

[DeviceB-context-3-cnt2] quit

  b. Configure interface IP addresses in Context cnt2

# Configure IPv4 addresses on the service interfaces as planned in the network diagram. An Ethernet subinterface can send and receive packets only after it is associated with a VLAN, so enable dot1q termination on the subinterfaces to allow traffic between VLANs. The specific steps are as follows.

[DeviceB] switchto context cnt2

<DeviceB> system-view

[DeviceB] sysname DeviceB_cnt2

[DeviceB_cnt2] interface gigabitethernet 1/0/1.20

[DeviceB_cnt2-GigabitEthernet1/0/1.20] ip address 2.1.2.2 255.255.255.0

[DeviceB_cnt2-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[DeviceB_cnt2-GigabitEthernet1/0/1.20] quit

[DeviceB_cnt2] interface gigabitethernet 1/0/2.20

[DeviceB_cnt2-GigabitEthernet1/0/2.20] ip address 10.1.2.2 255.255.255.0

[DeviceB_cnt2-GigabitEthernet1/0/2.20] vlan-type dot1q vid 20

[DeviceB_cnt2-GigabitEthernet1/0/2.20] quit

  c. Add the interfaces to security zones

# Add the interfaces to the corresponding security zones as planned in the network diagram. The specific steps are as follows.

[DeviceB_cnt2] security-zone name untrust

[DeviceB_cnt2-security-zone-Untrust] import interface gigabitethernet 1/0/1.20

[DeviceB_cnt2-security-zone-Untrust] quit

[DeviceB_cnt2] security-zone name trust

[DeviceB_cnt2-security-zone-Trust] import interface gigabitethernet 1/0/2.20

[DeviceB_cnt2-security-zone-Trust] quit

  d. Configure static routes to ensure reachability

This example uses static routes only. In a real network, choose the routing method that suits your situation.

# Configure static routes as planned in the network diagram so that the device can reach both the internal and external networks. This example assumes that the next hop to the external network is 2.1.1.15; use the value that applies in your environment. The specific steps are as follows.

[DeviceB_cnt2] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

  3. Configure hot backup

# Configure the IP address of the RBM channel interface.

[DeviceB] interface gigabitethernet 1/0/6

[DeviceB-GigabitEthernet1/0/6] port link-mode route

[DeviceB-GigabitEthernet1/0/6] ip address 10.2.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/6] quit

# Two Devices form the hot backup pair: Device A is the active device and Device B is the standby device. When Device A or its link fails, Device B takes over from Device A so that services are not interrupted.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/6

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] delay-time 1

RBM_S[DeviceB-remote-backup-group] quit

# Configure a VRRP group in each Context and associate it with hot backup, so that hot backup manages the VRRP groups centrally and steers traffic accordingly.

RBM_S[DeviceB] switchto context cnt1

RBM_S<DeviceB_cnt1> system-view

RBM_S[DeviceB_cnt1] interface gigabitethernet 1/0/1.10

RBM_S[DeviceB_cnt1-GigabitEthernet1/0/1.10] vrrp vrid 1 virtual-ip 2.1.1.3 standby

RBM_S[DeviceB_cnt1-GigabitEthernet1/0/1.10] quit

RBM_S[DeviceB_cnt1] interface gigabitethernet 1/0/2.10

RBM_S[DeviceB_cnt1-GigabitEthernet1/0/2.10] vrrp vrid 2 virtual-ip 10.1.1.3 standby

RBM_S[DeviceB_cnt1-GigabitEthernet1/0/2.10] quit

RBM_S[DeviceB_cnt1] quit

RBM_S<DeviceB_cnt1> quit

RBM_S[DeviceB] switchto context cnt2

RBM_S<DeviceB_cnt2> system-view

RBM_S[DeviceB_cnt2] interface gigabitethernet 1/0/1.20

RBM_S[DeviceB_cnt2-GigabitEthernet1/0/1.20] vrrp vrid 1 virtual-ip 2.1.2.3 standby

RBM_S[DeviceB_cnt2-GigabitEthernet1/0/1.20] quit

RBM_S[DeviceB_cnt2] interface gigabitethernet 1/0/2.20

RBM_S[DeviceB_cnt2-GigabitEthernet1/0/2.20] vrrp vrid 2 virtual-ip 10.1.2.3 standby

RBM_S[DeviceB_cnt2-GigabitEthernet1/0/2.20] quit

RBM_S[DeviceB_cnt2] quit

RBM_S<DeviceB_cnt2> quit
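As an added check that is not part of this guide, the following Python script parses a Comware-style configuration dump from each RBM peer and reports the mismatches that would break the design above: local-ip/remote-ip not mirrored, roles not primary/secondary, a subinterface whose VRRP VRID or virtual IP differs between the peers or whose roles are not active/standby, and a missing pass rule for service vrrp between local and a zone. The sample configurations inside it are constructed from this guide's Device A / Context cnt1 values, with one VRID deliberately altered on Device B; the parser and check are the editor's, not an H3C tool.

```python
import re

# Added example (not code from the H3C guide): a consistency check for an RBM
# active/standby pair whose VRRP groups live inside Contexts. It parses
# Comware-style configuration text (top-level commands unindented, children
# indented, sections separated by '#') for both peers and reports mismatched
# RBM local-ip/remote-ip or roles, VRRP groups whose VRID or virtual IP differ
# between the peers or whose roles are not active/standby, and missing pass
# rules for service vrrp between local and each zone (which VRRP needs to
# hold an election when the RBM channel is down).
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")
ZONE_PAIRS = [("trust", "local"), ("local", "trust"),
              ("untrust", "local"), ("local", "untrust")]

def parse_config(text):
    """Extract the RBM group, per-interface VRRP groups and VRRP pass rules."""
    cfg = {"rbm": {}, "vrrp": {}, "vrrp_rules": set()}
    block = None  # current top-level command, e.g. "interface GigabitEthernet1/0/1.10"
    rule = None   # keyword -> value of the security-policy rule being read

    def flush_rule():
        if rule and rule.get("service") == "vrrp" and rule.get("action") == "pass":
            cfg["vrrp_rules"].add((rule.get("source-zone"), rule.get("destination-zone")))

    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if indent == 0:                           # a new top-level command
            flush_rule()
            rule, block = None, raw.strip()
        elif block == "remote-backup group":      # local-ip, remote-ip, device-role ...
            cfg["rbm"][words[0]] = words[-1]
        elif block and block.startswith("interface ") and words[0] == "vrrp":
            m = VRRP_RE.match(raw.strip())
            if m:
                cfg["vrrp"][block.split()[1]] = (int(m.group(1)), m.group(2), m.group(3))
        elif block == "security-policy ip":
            if indent == 1 and words[0] == "rule":
                flush_rule()
                rule = {}
            elif indent == 2 and rule is not None:
                rule[words[0]] = words[-1]        # action / source-zone / service ...
    flush_rule()
    return cfg

def check_pair(primary, secondary):
    """Compare two parsed peer configs; an empty list means the pair is consistent."""
    findings = []
    p, s = primary["rbm"], secondary["rbm"]
    if p.get("local-ip") != s.get("remote-ip") or p.get("remote-ip") != s.get("local-ip"):
        findings.append("RBM: local-ip/remote-ip are not mirrored between the peers")
    if (p.get("device-role"), s.get("device-role")) != ("primary", "secondary"):
        findings.append("RBM: device roles are not primary/secondary")
    for iface in sorted(set(primary["vrrp"]) | set(secondary["vrrp"])):
        a, b = primary["vrrp"].get(iface), secondary["vrrp"].get(iface)
        if a is None or b is None:
            findings.append(f"VRRP: {iface} has a group on only one peer")
        elif a[:2] != b[:2]:
            findings.append(f"VRRP: {iface} VRID/virtual IP differ: {a[:2]} vs {b[:2]}")
        elif (a[2], b[2]) != ("active", "standby"):
            findings.append(f"VRRP: {iface} roles are not active/standby")
    # Policies are configured on the primary only; RBM auto-sync copies them over.
    for src, dst in sorted(set(ZONE_PAIRS) - primary["vrrp_rules"]):
        findings.append(f"policy: no pass rule for service vrrp {src} -> {dst}")
    return findings

# Sample configs constructed from the guide's Device A / Context cnt1 values.
RULE = " rule {n} name vrrp{n}\n  action pass\n  source-zone {s}\n  destination-zone {d}\n  service vrrp\n"
DEVICE_A = """\
#
remote-backup group
 local-ip 10.2.1.1
 remote-ip 10.2.1.2
 device-role primary
#
interface GigabitEthernet1/0/1.10
 vrrp vrid 1 virtual-ip 2.1.1.3 active
#
interface GigabitEthernet1/0/2.10
 vrrp vrid 2 virtual-ip 10.1.1.3 active
#
security-policy ip
""" + "".join(RULE.format(n=i + 1, s=s, d=d) for i, (s, d) in enumerate(ZONE_PAIRS)) + "#\n"
# Device B mirrors Device A, except that its GigabitEthernet1/0/2.10 group is
# deliberately given VRID 4 so that the mismatch shows up as a finding.
DEVICE_B = (DEVICE_A.replace("local-ip 10.2.1.1", "local-ip 10.2.1.2")
            .replace("remote-ip 10.2.1.2", "remote-ip 10.2.1.1")
            .replace("device-role primary", "device-role secondary")
            .replace(" active", " standby")
            .replace("vrrp vrid 2 virtual-ip", "vrrp vrid 4 virtual-ip"))
```

Running `check_pair(parse_config(DEVICE_A), parse_config(DEVICE_B))` returns a single finding for GigabitEthernet1/0/2.10, and an empty list once Device B's VRID is corrected back to 2.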

Configuring the Servers

Configure the default gateway of Server 1 as the virtual IPv4 address of VRRP group 2, 10.1.1.3, and the default gateway of Server 2 as the virtual IPv4 address of VRRP group 4, 10.1.2.3.

Verifying the configuration

Device A

# After the configuration is complete, use the following display command to verify that the hot backup configuration has taken effect and the RBM channel is established.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device management role: Primary

  Device running status: Active

  Data channel interface: GigE1/0/6

  Local IP: 10.2.1.1

  Remote IP: 10.2.1.2    Destination port: 60064

  Control channel status: Connected

  Keepalive interval: 1s

  Keepalive count: 10

  Configuration consistency check interval: 12 hour

  Configuration consistency check result: Not Performed

  Configuration backup status: Auto sync enabled

  Session backup status: Hot backup enabled

  Delay-time: 1 min

  Uptime since last switchover: 0 days, 1 hours, 5 minutes

  Switchover records:

    Time                  Status change        Cause

    2022-11-26 14:39:42   Initial to Active    Interface status changed

  1. Device A Context cnt1

# After the configuration is complete, use the following display command to view the VRRP group status.

RBM_P[DeviceA_cnt1] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Master

   VRRP standby group status: Master

 Total number of virtual routers : 2

 Interface          VRID  State        Running Adver   Auth             Virtual

                                       Pri     Timer   Type             IP

 ----------------------------------------------------------------------------

 FGE1/0/1.10        1     Master       100     100     None              2.1.1.3

 FGE1/0/2.10        2     Master       100     100     None              10.1.1.3

  2. Device A Context cnt2

# After the configuration is complete, use the following display command to view the VRRP group status.

RBM_P[DeviceA_cnt2] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Master

   VRRP standby group status: Master

 Total number of virtual routers : 2

 Interface          VRID  State        Running Adver   Auth             Virtual

                                       Pri     Timer   Type             IP

 ----------------------------------------------------------------------------

 FGE1/0/1.20        1     Master       100     100     None              2.1.2.3

 FGE1/0/2.20        2     Master       100     100     None              10.1.2.3

Device B

# After the configuration is complete, use the following display command to verify that the hot backup configuration has taken effect and the RBM channel is established.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device management role: Secondary

  Device running status: Standby

  Data channel interface: GigE1/0/6

  Local IP: 10.2.1.2

  Remote IP: 10.2.1.1    Destination port: 60064

  Control channel status: Connected

  Keepalive interval: 1s

  Keepalive count: 10

  Configuration consistency check interval: 12 hour

  Configuration consistency check result: Not Performed

  Configuration backup status: Auto sync enabled

  Session backup status: Hot backup enabled

  Delay-time: 1 min

  Uptime since last switchover: 0 days, 0 hours, 28 minutes

  Switchover records:

    Time                  Status change        Cause

    2022-11-26 15:07:26   Initial to Standby   Interface status changed

  1. Device B Context cnt1

# After the configuration is complete, use the following display command to view the VRRP group status.

RBM_S[DeviceB_cnt1] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Backup

   VRRP standby group status: Backup

 Total number of virtual routers : 2

 Interface          VRID  State        Running Adver   Auth             Virtual

                                       Pri     Timer   Type             IP

 ----------------------------------------------------------------------------

 FGE1/0/1.10        1     Backup       100     100     None              2.1.1.3

 FGE1/0/2.10        2     Backup       100     100     None              10.1.1.3

  2. Device B Context cnt2

# After the configuration is complete, use the following display command to view the VRRP group status.

RBM_S[DeviceB_cnt2] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Backup

   VRRP standby group status: Backup

 Total number of virtual routers : 2

 Interface          VRID  State        Running Adver   Auth             Virtual

                                       Pri     Timer   Type             IP

 ----------------------------------------------------------------------------

 FGE1/0/1.20        1     Backup       100     100     None              2.1.2.3

 FGE1/0/2.20        2     Backup       100     100     None              10.1.2.3

Simulating an active device failure

  1. Simulate a failure of Device A Context cnt1

# With the devices running normally, shut down an interface on the primary management device. The active device switches its services to the peer over the RBM channel so that services are not interrupted. The session information on Device B Context cnt1 is shown below.

RBM_S<DeviceB_cnt1> display session table ipv4 source-ip 10.1.1.100 verbose

Slot 1:

Initiator:

  Source      IP/port: 10.1.1.100/3743

  Destination IP/port: 3.1.1.100/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/2.10

  Source security zone: Trust

Responder:

  Source      IP/port: 3.1.1.100/2048

  Destination IP/port: 10.1.1.100/3743

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/1.10

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 0

Rule name: trust-untrust

Start time: 2022-11-26 20:51:19  TTL: 29s

Initiator->Responder:          101 packets       8484 bytes

Responder->Initiator:          101 packets       8484 bytes

  2. Simulate a failure of Device A Context cnt2

# With the devices running normally, shut down an interface on the primary management device. The active device switches its services to the peer over the RBM channel so that services are not interrupted. The session information on Device B Context cnt2 is shown below.

RBM_S<DeviceB_cnt2> display session table ipv4 source-ip 10.1.2.100 verbose

Slot 1:

Initiator:

  Source      IP/port: 10.1.2.100/3743

  Destination IP/port: 3.1.2.100/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/2.10

  Source security zone: Trust

Responder:

  Source      IP/port: 3.1.2.100/2048

  Destination IP/port: 10.1.2.100/3743

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigE1/0/1.10

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 0

Rule name: trust-untrust

Start time: 2022-11-26 21:30:19  TTL: 31s

Initiator->Responder:          112 packets       8994 bytes

Responder->Initiator:          112 packets       8994 bytes

Configuration files

Router:

#

interface GigabitEthernet1/0/18

 port link-mode route

 ip address 2.1.1.15 255.255.255.0

#

interface GigabitEthernet1/0/19

 port link-mode route

 ip address 3.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/20

 port link-mode route

 ip address 3.1.2.1 255.255.255.0

#

 ip route-static 10.1.1.0 24 2.1.1.3

 ip route-static 10.1.2.0 24 2.1.2.3

 ip route-static 30.1.1.0 24 3.1.1.15

 ip route-static 30.1.2.0 24 3.1.2.15

#

Switch A:

#

vlan 10

#

vlan 20

#

interface GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 10 20

#

interface GigabitEthernet1/0/2

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 10 20

#

interface GigabitEthernet1/0/3

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 10 20

#

Switch B:

#

vlan 10

#

vlan 20

#

interface GigabitEthernet1/0/1

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 10 20

#

interface GigabitEthernet1/0/2

 port link-mode bridge

 port link-type trunk

 port trunk permit vlan 10 20

#

interface GigabitEthernet1/0/3

 port link-mode bridge

 port access vlan 10

#

interface GigabitEthernet1/0/4

 port link-mode bridge

 port access vlan 20

#

Device A:

#

context cnt1 id 2

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

context cnt2 id 3

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

interface GigabitEthernet1/0/6

 port link-mode route

 ip address 10.2.1.1 255.255.255.0

#

remote-backup group

 data-channel interface GigabitEthernet1/0/6

 configuration sync-check interval 12

 delay-time 1

 local-ip 10.2.1.1

 remote-ip 10.2.1.2

 device-role primary

#

Device A, Context cnt1:

#

interface GigabitEthernet1/0/1.10

 ip address 2.1.1.1 255.255.255.0

 vlan-type dot1q vid 10

 vrrp vrid 1 virtual-ip 2.1.1.3 active

#

interface GigabitEthernet1/0/2.10

 ip address 10.1.1.1 255.255.255.0

 vlan-type dot1q vid 10

 vrrp vrid 2 virtual-ip 10.1.1.3 active

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.10

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.10

#

 ip route-static 0.0.0.0 0 2.1.1.15

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 10.1.1.0 255.255.255.0

 rule 1 name vrrp1

  action pass

  source-zone trust

  destination-zone local

  service vrrp

 rule 2 name vrrp2

  action pass

  source-zone local

  destination-zone trust

  service vrrp

 rule 3 name vrrp3

  action pass

  source-zone untrust

  destination-zone local

  service vrrp

 rule 4 name vrrp4

  action pass

  source-zone local

  destination-zone untrust

  service vrrp

#

Device A, Context cnt2:

#

interface GigabitEthernet1/0/1.20

 ip address 2.1.2.1 255.255.255.0

 vlan-type dot1q vid 20

 vrrp vrid 1 virtual-ip 2.1.2.3 active

#

interface GigabitEthernet1/0/2.20

 ip address 10.1.2.1 255.255.255.0

 vlan-type dot1q vid 20

 vrrp vrid 2 virtual-ip 10.1.2.3 active

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.20

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.20

#

 ip route-static 0.0.0.0 0 2.1.1.15

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 10.1.2.0 255.255.255.0

 rule 1 name vrrp1

  action pass

  source-zone trust

  destination-zone local

  service vrrp

 rule 2 name vrrp2

  action pass

  source-zone local

  destination-zone trust

  service vrrp

 rule 3 name vrrp3

  action pass

  source-zone untrust

  destination-zone local

  service vrrp

 rule 4 name vrrp4

  action pass

  source-zone local

  destination-zone untrust

  service vrrp

#

Device B:

#

context cnt1 id 2

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

context cnt2 id 3

 context start

 location blade-controller-team 1

 allocate interface GigabitEthernet1/0/1 to GigabitEthernet1/0/2 share

#

interface GigabitEthernet1/0/6

 port link-mode route

 ip address 10.2.1.2 255.255.255.0

#

remote-backup group

 data-channel interface GigabitEthernet1/0/6

 configuration sync-check interval 12

 delay-time 1

 local-ip 10.2.1.2

 remote-ip 10.2.1.1

 device-role secondary

#

Device B, Context cnt1:

#

interface GigabitEthernet1/0/1.10

 ip address 2.1.1.2 255.255.255.0

 vlan-type dot1q vid 10

 vrrp vrid 1 virtual-ip 2.1.1.3 standby

#

interface GigabitEthernet1/0/2.10

 ip address 10.1.1.2 255.255.255.0

 vlan-type dot1q vid 10

 vrrp vrid 2 virtual-ip 10.1.1.3 standby

#

 ip route-static 0.0.0.0 0 2.1.1.15

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.10

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.10

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 10.1.1.0 255.255.255.0

 rule 1 name vrrp1

  action pass

  source-zone trust

  destination-zone local

  service vrrp

 rule 2 name vrrp2

  action pass

  source-zone local

  destination-zone trust

  service vrrp

 rule 3 name vrrp3

  action pass

  source-zone untrust

  destination-zone local

  service vrrp

 rule 4 name vrrp4

  action pass

  source-zone local

  destination-zone untrust

  service vrrp

#

Device B, Context cnt2:

#

interface GigabitEthernet1/0/1.20

 ip address 2.1.2.2 255.255.255.0

 vlan-type dot1q vid 20

 vrrp vrid 1 virtual-ip 2.1.2.3 standby

#

interface GigabitEthernet1/0/2.20

 ip address 10.1.2.2 255.255.255.0

 vlan-type dot1q vid 20

 vrrp vrid 2 virtual-ip 10.1.2.3 standby

#

 ip route-static 0.0.0.0 0 2.1.1.15

#

security-zone name Trust

 import interface GigabitEthernet1/0/2.20

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1.20

#

security-policy ip

 rule 0 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 10.1.2.0 255.255.255.0

 rule 1 name vrrp1

  action pass

  source-zone trust

  destination-zone local

  service vrrp

 rule 2 name vrrp2

  action pass

  source-zone local

  destination-zone trust

  service vrrp

 rule 3 name vrrp3

  action pass

  source-zone untrust

  destination-zone local

  service vrrp

 rule 4 name vrrp4

  action pass

  source-zone local

  destination-zone untrust

  service vrrp

#