Using hot standby in active/standby backup mode as an example, this section describes how BFD is linked with hot standby.
Networking Requirements
The FWs are deployed as security devices on the service node. The upstream and downstream devices are all routers, and FW_A and FW_B work in active/standby backup mode.
The networking is shown in Figure 1 and described as follows:
- The two FWs and the routers run the OSPF dynamic routing protocol. Based on the route calculation result, the routers send service traffic to the active FW.
- The FWs use the BFD and hot standby linkage function to monitor the network outbound interface. When the network outbound interface on the link where FW_A resides fails, FW_B becomes the active device and service traffic is forwarded through FW_B.
Procedure
- Complete the hot standby configuration on FW_A.
# Configure the IP address of GigabitEthernet 1/0/1.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.100.10.2 24
[FW_A-GigabitEthernet1/0/1] quit
# Add GigabitEthernet 1/0/1 to the Trust zone.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/1
[FW_A-zone-trust] quit
# Configure the IP address of GigabitEthernet 1/0/3.
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.100.30.2 24
[FW_A-GigabitEthernet1/0/3] quit
# Add GigabitEthernet 1/0/3 to the Untrust zone.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_A-zone-untrust] quit
# Configure the IP address of GigabitEthernet 1/0/2.
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.100.50.2 24
[FW_A-GigabitEthernet1/0/2] quit
# Add GigabitEthernet 1/0/2 to the DMZ zone.
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] quit
# Configure the OSPF dynamic routing protocol on FW_A.
[FW_A] ospf 101
[FW_A-ospf-101] area 0
[FW_A-ospf-101-area-0.0.0.0] network 10.100.10.0 0.0.0.255
[FW_A-ospf-101-area-0.0.0.0] network 10.100.30.0 0.0.0.255
[FW_A-ospf-101-area-0.0.0.0] quit
[FW_A-ospf-101] quit
# Enable the function of adjusting the OSPF cost according to the HRP status.
[FW_A] hrp adjust ospf-cost enable
# Configure the VGMP group to monitor the status of the service interfaces.
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp track interface GigabitEthernet 1/0/3
# Configure the HRP backup channel.
[FW_A] hrp interface GigabitEthernet 1/0/2 remote 10.100.50.3
# Enable HRP.
[FW_A] hrp enable
- Complete the hot standby configuration on FW_B.
The configuration of FW_B is basically the same as that of FW_A, with the following differences:
- The IP addresses of FW_B's interfaces differ from those of FW_A's interfaces, and the IP addresses of the corresponding service interfaces on FW_B and FW_A must not be on the same network segment.
- When configuring OSPF on FW_B, advertise the routes of the network segments directly connected to FW_B's service interfaces.
- Run the hrp standby-device command on FW_B to specify FW_B as the standby device.
- Configure IP addresses and OSPF on the routers to ensure that routes are reachable. For the specific configuration commands, see the router documentation.
- Configure security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
# On FW_A, configure a security policy that allows users on the 192.168.1.0/24 network segment to access the Untrust zone.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy1
HRP_M[FW_A-policy-security-rule-policy1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy1] source-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-policy1] action permit
HRP_M[FW_A-policy-security-rule-policy1] quit
# On FW_A, configure security policies between the Local zone and the security zone of GE1/0/3 to allow BFD packets through in both directions.
HRP_M[FW_A-policy-security] rule name bfd1
HRP_M[FW_A-policy-security-rule-bfd1] source-zone local
HRP_M[FW_A-policy-security-rule-bfd1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-bfd1] source-address 10.100.30.2 32
HRP_M[FW_A-policy-security-rule-bfd1] source-address 10.100.40.2 32
HRP_M[FW_A-policy-security-rule-bfd1] destination-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-bfd1] destination-address 2.2.2.2 32
HRP_M[FW_A-policy-security-rule-bfd1] action permit
HRP_M[FW_A-policy-security-rule-bfd1] quit
HRP_M[FW_A-policy-security] rule name bfd2
HRP_M[FW_A-policy-security-rule-bfd2] source-zone untrust
HRP_M[FW_A-policy-security-rule-bfd2] destination-zone local
HRP_M[FW_A-policy-security-rule-bfd2] source-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-bfd2] source-address 2.2.2.2 32
HRP_M[FW_A-policy-security-rule-bfd2] destination-address 10.100.30.2 32
HRP_M[FW_A-policy-security-rule-bfd2] destination-address 10.100.40.2 32
HRP_M[FW_A-policy-security-rule-bfd2] action permit
HRP_M[FW_A-policy-security-rule-bfd2] quit
- Create a BFD session between FW_A and Router_A.
# On FW_A, configure BFD session 1 with peer IP address 1.1.1.2, local discriminator 10, and remote discriminator 20.
HRP_M[FW_A] bfd
HRP_M[FW_A-bfd] quit
HRP_M[FW_A] bfd 1 bind peer-ip 1.1.1.2
HRP_M[FW_A-bfd-session-1] discriminator local 10
HRP_M[FW_A-bfd-session-1] discriminator remote 20
HRP_M[FW_A-bfd-session-1] commit
HRP_M[FW_A-bfd-session-1] quit
# On Router_A, configure BFD session 1 with peer IP address 10.100.30.2, local discriminator 20, and remote discriminator 10.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 10.100.30.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit
- Configure BFD and hot standby linkage on FW_A.
HRP_M[FW_A] hrp track bfd-session 10
- Create a BFD session between FW_B and Router_B.
# On FW_B, configure BFD session 1 with peer IP address 2.2.2.2, local discriminator 10, and remote discriminator 20.
HRP_S[FW_B] bfd
HRP_S[FW_B-bfd] quit
HRP_S[FW_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[FW_B-bfd-session-1] discriminator local 10
HRP_S[FW_B-bfd-session-1] discriminator remote 20
HRP_S[FW_B-bfd-session-1] commit
HRP_S[FW_B-bfd-session-1] quit
# On Router_B, configure BFD session 1 with peer IP address 10.100.40.2, local discriminator 20, and remote discriminator 10.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 1 bind peer-ip 10.100.40.2
[Router_B-bfd-session-1] discriminator local 20
[Router_B-bfd-session-1] discriminator remote 10
[Router_B-bfd-session-1] commit
[Router_B-bfd-session-1] quit
- Configure BFD and hot standby linkage on FW_B.
HRP_S[FW_B] hrp track bfd-session 10
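The failover above only works if the BFD session actually comes up and the tracked discriminator refers to it. As an added example (not part of this page or the vendor's tooling), the following Python checks the two mistakes that silently defeat the linkage: the discriminators on FW_A and Router_A must mirror each other (local 10/remote 20 against local 20/remote 10), each session must be committed, and the value given to hrp track bfd-session must be the local discriminator of a committed FW session, as the page's value 10 shows. The configuration fragments are constructed here in the flat style of the configuration scripts below.

```python
import re
# Constructed fragments (not the page's own scripts) in the same flat style:
# FW_A's BFD session and its HRP tracking, and Router_A's mirror session.
FW_A_CFG = """
bfd 1 bind peer-ip 1.1.1.2
 discriminator local 10
 discriminator remote 20
 commit
#
hrp track bfd-session 10
"""
ROUTER_A_CFG = """
bfd 1 bind peer-ip 10.100.30.2
 discriminator local 20
 discriminator remote 10
 commit
"""

def parse_bfd_sessions(cfg: str) -> list[dict]:
    """One dict per 'bfd <n> bind peer-ip <ip>' block ('#' separates blocks)."""
    sessions = []
    for block in cfg.split("#"):
        head = re.search(r"^\s*bfd (\d+) bind peer-ip (\S+)", block, re.M)
        if not head:
            continue
        loc = re.search(r"discriminator local (\d+)", block)
        rem = re.search(r"discriminator remote (\d+)", block)
        sessions.append({"name": head.group(1), "peer": head.group(2),
                         "local": int(loc.group(1)) if loc else None,
                         "remote": int(rem.group(1)) if rem else None,
                         "committed": bool(re.search(r"^\s*commit\s*$", block, re.M))})
    return sessions

def check_bfd_linkage(fw_cfg: str, router_cfg: str) -> list[str]:
    """Return the problems found; an empty list means the linkage is consistent."""
    problems = []
    fw, rt = parse_bfd_sessions(fw_cfg), parse_bfd_sessions(router_cfg)
    for s in fw:
        # The router side must hold the same two discriminators, swapped.
        if not any(r["local"] == s["remote"] and r["remote"] == s["local"] for r in rt):
            problems.append(f"bfd {s['name']}: router side lacks local {s['remote']} / remote {s['local']}")
        if not s["committed"]:
            problems.append(f"bfd {s['name']}: session not committed")
    # hrp track bfd-session names the local discriminator of a committed FW session.
    fw_local = {s["local"] for s in fw if s["committed"]}
    for d in re.findall(r"hrp track bfd-session (\d+)", fw_cfg):
        if int(d) not in fw_local:
            problems.append(f"hrp track bfd-session {d}: no committed session has local discriminator {d}")
    return problems
```

Run check_bfd_linkage against FW_B's and Router_B's scripts in the same way; the same mirror rule applies to the 2.2.2.2 session.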
Configuration Scripts
FW_A
#
sysname FW_A
#
bfd
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 10.100.50.3
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/3
hrp track bfd-session 10
#
interface GigabitEthernet 1/0/1
ip address 10.100.10.2 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.30.2 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
bfd 1 bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ospf 101
area 0.0.0.0
network 10.100.10.0 0.0.0.255
network 10.100.30.0 0.0.0.255
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
rule name bfd1
source-zone local
destination-zone untrust
source-address 10.100.30.2 32
source-address 10.100.40.2 32
destination-address 1.1.1.2 32
destination-address 2.2.2.2 32
action permit
rule name bfd2
source-zone untrust
destination-zone local
source-address 1.1.1.2 32
source-address 2.2.2.2 32
destination-address 10.100.30.2 32
destination-address 10.100.40.2 32
action permit
#
return
FW_B
#
sysname FW_B
#
bfd
#
hrp enable
hrp standby-device
hrp interface GigabitEthernet 1/0/2 remote 10.100.50.2
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/3
hrp track bfd-session 10
#
interface GigabitEthernet 1/0/1
ip address 10.100.20.2 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.3 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.40.2 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
bfd 1 bind peer-ip 2.2.2.2
discriminator local 10
discriminator remote 20
commit
#
ospf 101
area 0.0.0.0
network 10.100.20.0 0.0.0.255
network 10.100.40.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
rule name bfd1
source-zone local
destination-zone untrust
source-address 10.100.30.2 32
source-address 10.100.40.2 32
destination-address 1.1.1.2 32
destination-address 2.2.2.2 32
action permit
rule name bfd2
source-zone untrust
destination-zone local
source-address 1.1.1.2 32
source-address 2.2.2.2 32
destination-address 10.100.30.2 32
destination-address 10.100.40.2 32
action permit
#
return
