CLI Example: Firewalls Attached Off-Path to Core Switches, Traffic Diverted by Static Routes on the Switches, Load-Sharing Networking
This example describes a typical CLI configuration in which two FWs are attached off-path to the core switches of a data center. Traffic passing through the core switches is diverted to the off-path FWs by static routes. The two FWs work in load-sharing mode.
Networking Requirements
As shown in Figure 1, two FWs are attached off-path to the core switches of the data center to secure the data center network. All traffic passing through the core switches is diverted to the off-path FWs for security inspection, and the diversion is done with static routes. The enterprise wants the two FWs to work in load-sharing mode: under normal conditions FW_A and FW_B forward traffic together, and when one FW fails the other forwards all traffic so that services are not interrupted.
Configuration Roadmap
- As shown in Figure 2, to divert traffic passing through the core switch to the FWs with static routes, static routes whose next hop is the address of a firewall interface must be configured on the core switch. However, because the core switch runs OSPF with the upstream router and the downstream aggregation switch, traffic arriving at the core switch would be forwarded directly to the upstream or downstream device instead of being diverted to the FWs.
  Therefore, to divert traffic with static routes, VRF must be configured on the core switch so that one switch is virtualized into a switch connected upstream (the root switch, Public) and a switch connected downstream (the virtual switch, VRF). Because the two virtual switches are completely isolated from each other, traffic has to be sent through the FWs.
- Figure 2 can be further abstracted into Figure 3. Because static routing runs between the FWs and the upstream and downstream switches (Public and VRF), VRRP groups must be configured on both the FWs and the switches so that they can communicate through the virtual addresses of the VRRP groups.
  As shown in Figure 3, because the two FWs work in load-sharing mode, two equal-cost static routes must be configured in each direction on the FWs, with the next hops being the addresses of the two VRRP groups on the peer side. Public and VRF likewise each get two equal-cost static routes, with the next hops being the two VRRP group addresses on the firewall interfaces.
  Static routing runs between the core switches and the FWs; OSPF runs between the core switches and all other devices. Figure 3 shows only the interface information relevant to the core switches and the FWs.
- After hot standby is configured, security functions such as security policies, IPS, and attack defense are configured on FW_A. FW_A's configuration is automatically backed up to FW_B. This example shows only the security policy configuration as an illustration.
Procedure
- Configure interface IP addresses and add the interfaces to security zones.
FW_A
# Configure the IP addresses of the FW interfaces.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.0.0.1 24
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.1.0.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit
# Add the FW interfaces to the corresponding security zones.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/2
[FW_A-zone-trust] quit
FW_B
# Configure the IP addresses of the FW interfaces.
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] ip address 10.0.0.2 24
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.1.0.2 24
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/7
[FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/7] quit
# Add the FW interfaces to the corresponding security zones.
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_B-zone-dmz] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/2
[FW_B-zone-trust] quit
- Configure static routes.
FW_A
# In the upstream direction, configure two equal-cost static routes (default routes) whose next hops are the addresses of VRRP groups 4 and 8.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
[FW_A] ip route-static 0.0.0.0 0.0.0.0 10.1.0.8
# In the downstream direction, configure two static routes to the server area whose next hops are the addresses of VRRP groups 3 and 7.
[FW_A] ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
[FW_A] ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
FW_B
# In the upstream direction, configure two equal-cost static routes (default routes) whose next hops are the addresses of VRRP groups 4 and 8.
[FW_B] ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
[FW_B] ip route-static 0.0.0.0 0.0.0.0 10.1.0.8
# In the downstream direction, configure two static routes to the server area whose next hops are the addresses of VRRP groups 3 and 7.
[FW_B] ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
[FW_B] ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
- Configure hot standby.
FW_A
# Configure the VRRP groups on the FW.
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] vrrp vrid 1 virtual-ip 10.0.0.3 active
[FW_A-GigabitEthernet1/0/2] vrrp vrid 5 virtual-ip 10.0.0.7 standby
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.1.0.3 active
[FW_A-GigabitEthernet1/0/3] vrrp vrid 6 virtual-ip 10.1.0.7 standby
[FW_A-GigabitEthernet1/0/3] quit
# In load-sharing networking both FWs forward traffic, so to cope with forward and return paths that do not match, fast session backup must be enabled on both FWs.
[FW_A] hrp mirror session enable
# Specify the heartbeat interface on the FW and enable hot standby.
[FW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
[FW_A] hrp enable
FW_B
# Configure the VRRP groups on the FW.
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] vrrp vrid 1 virtual-ip 10.0.0.3 standby
[FW_B-GigabitEthernet1/0/2] vrrp vrid 5 virtual-ip 10.0.0.7 active
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.1.0.3 standby
[FW_B-GigabitEthernet1/0/3] vrrp vrid 6 virtual-ip 10.1.0.7 active
[FW_B-GigabitEthernet1/0/3] quit
# In load-sharing networking both FWs forward traffic, so to cope with forward and return paths that do not match, fast session backup must be enabled on both FWs.
[FW_B] hrp mirror session enable
# Specify the heartbeat interface on the FW and enable hot standby.
[FW_B] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
[FW_B] hrp enable
- Configure a security policy.
Configure a security policy on FW_A that allows external users to access the server area of the data center (network segment 192.168.0.0/16, port 80). The security policy configured on FW_A is automatically backed up to FW_B.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec1
HRP_M[FW_A-policy-security-rule-policy_sec1] source-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec1] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec1] destination-address 192.168.0.0 16
HRP_M[FW_A-policy-security-rule-policy_sec1] service http
HRP_M[FW_A-policy-security-rule-policy_sec1] action permit
- Configure the core switches.
Only the switch configuration relevant to the connection with the firewalls is shown here.
# Configure Switch1.
[Switch1] ip vpn-instance VRF // Create the VRF
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 // Add the interfaces to VLAN 2
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF // Bind VLANIF 2 to the VRF
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 // Configure VRRP group 3
[Switch1-Vlanif2] vrrp vrid 3 priority 120 // Set the priority to 120; the higher priority becomes the master
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 // Configure VRRP group 7
[Switch1-Vlanif2] vrrp vrid 7 priority 100 // Set the priority to 100; the lower priority becomes the backup
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 // Add the interfaces to VLAN 3
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 // Configure VRRP group 4
[Switch1-Vlanif3] vrrp vrid 4 priority 120 // Set the priority to 120; the higher priority becomes the master
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 // Configure VRRP group 8
[Switch1-Vlanif3] vrrp vrid 8 priority 100 // Set the priority to 100; the lower priority becomes the backup
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 // Default route in the VRF, next hop the virtual address of VRRP group 1
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 // Default route in the VRF, next hop the virtual address of VRRP group 5
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 // Static route in the root switch (Public), next hop the virtual address of VRRP group 2
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 // Static route in the root switch (Public), next hop the virtual address of VRRP group 6
# Configure Switch2.
[Switch2] ip vpn-instance VRF // Create the VRF
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 // Add the interfaces to VLAN 2
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF // Bind VLANIF 2 to the VRF
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 // Configure VRRP group 3
[Switch2-Vlanif2] vrrp vrid 3 priority 100 // Set the priority to 100; the lower priority becomes the backup
[Switch2-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 // Configure VRRP group 7
[Switch2-Vlanif2] vrrp vrid 7 priority 120 // Set the priority to 120; the higher priority becomes the master
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 // Add the interfaces to VLAN 3
[Switch2-vlan3] quit
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 // Configure VRRP group 4
[Switch2-Vlanif3] vrrp vrid 4 priority 100 // Set the priority to 100; the lower priority becomes the backup
[Switch2-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 // Configure VRRP group 8
[Switch2-Vlanif3] vrrp vrid 8 priority 120 // Set the priority to 120; the higher priority becomes the master
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 // Default route in the VRF, next hop the virtual address of VRRP group 1
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 // Default route in the VRF, next hop the virtual address of VRRP group 5
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 // Static route in the root switch (Public), next hop the virtual address of VRRP group 2
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 // Static route in the root switch (Public), next hop the virtual address of VRRP group 6
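The design only works if the pieces configured in the steps above fit together: every static next hop on the FWs must be a VRRP virtual address on the switches, every static next hop on the switches must be a VRRP virtual address on the FWs, each VRRP group must be active on exactly one FW, and each FW's heartbeat peer address must really belong to the other FW. A mismatch in any of these is silent at configuration time and only shows up as black-holed or asymmetric traffic. The following consistency checker is an added example written for this page; it is not Huawei code and the names parse and check_design are hypothetical. Its input is a constructed copy of the commands from this example, stripped to the lines the checks need, and it recognizes only those command forms (Switch2 carries the same virtual addresses and routes as Switch1, so one switch copy is enough for the next-hop checks).

```python
import re

# Constructed input: the FW_A/FW_B commands from this example, without the
# interface context lines, which the regexes below do not need.
FW_CONFIGS = {
    "FW_A": """
ip address 10.0.0.1 24
vrrp vrid 1 virtual-ip 10.0.0.3 active
vrrp vrid 5 virtual-ip 10.0.0.7 standby
ip address 10.1.0.1 24
vrrp vrid 2 virtual-ip 10.1.0.3 active
vrrp vrid 6 virtual-ip 10.1.0.7 standby
ip address 10.10.0.1 24
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
ip route-static 0.0.0.0 0.0.0.0 10.1.0.8
ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
""",
    "FW_B": """
ip address 10.0.0.2 24
vrrp vrid 1 virtual-ip 10.0.0.3 standby
vrrp vrid 5 virtual-ip 10.0.0.7 active
ip address 10.1.0.2 24
vrrp vrid 2 virtual-ip 10.1.0.3 standby
vrrp vrid 6 virtual-ip 10.1.0.7 active
ip address 10.10.0.2 24
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
ip route-static 0.0.0.0 0.0.0.0 10.1.0.8
ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
""",
}
# Switch2 has the same virtual IPs and static routes as Switch1, so one copy suffices.
SWITCH_CONFIGS = {
    "Switch1": """
vrrp vrid 3 virtual-ip 10.0.0.6
vrrp vrid 7 virtual-ip 10.0.0.8
vrrp vrid 4 virtual-ip 10.1.0.6
vrrp vrid 8 virtual-ip 10.1.0.8
ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3
ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7
ip route-static 192.168.0.0 255.255.0.0 10.1.0.3
ip route-static 192.168.0.0 255.255.0.0 10.1.0.7
""",
}

ADDR_RE = re.compile(r"^ip address (\S+) ")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+)(?: (active|standby))?$")
ROUTE_RE = re.compile(r"^ip route-static (?:vpn-instance \S+ )?\S+ \S+ (\S+)$")
HRP_RE = re.compile(r"^hrp interface .* remote (\S+)$")


def parse(config):
    """Collect interface addresses, VRRP VIPs (with role), static next hops and the HRP peer."""
    facts = {"addrs": set(), "vips": {}, "nexthops": set(), "hrp_remote": None}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            facts["addrs"].add(m.group(1))
        elif m := VRRP_RE.match(line):
            facts["vips"][int(m.group(1))] = (m.group(2), m.group(3))
        elif m := ROUTE_RE.match(line):
            facts["nexthops"].add(m.group(1))
        elif m := HRP_RE.match(line):
            facts["hrp_remote"] = m.group(1)
    return facts


def check_design(fw_configs, switch_configs):
    """Return a list of inconsistencies; an empty list means the pieces fit together."""
    fws = {n: parse(c) for n, c in fw_configs.items()}
    sws = {n: parse(c) for n, c in switch_configs.items()}
    fw_vips = {v for f in fws.values() for v, _ in f["vips"].values()}
    sw_vips = {v for s in sws.values() for v, _ in s["vips"].values()}
    problems = []
    # 1. Every FW static next hop must be a VRRP virtual address on the switches.
    for name, f in fws.items():
        for nh in sorted(f["nexthops"] - sw_vips):
            problems.append(f"{name}: next hop {nh} is not a switch VRRP virtual IP")
    # 2. Every switch static next hop must be a VRRP virtual address on the FWs.
    for name, s in sws.items():
        for nh in sorted(s["nexthops"] - fw_vips):
            problems.append(f"{name}: next hop {nh} is not a FW VRRP virtual IP")
    # 3. Load sharing: each VRID is active on one FW and standby on the other.
    (a_name, a), (b_name, b) = fws.items()
    for vrid in sorted(set(a["vips"]) | set(b["vips"])):
        roles = {a["vips"].get(vrid, ("", None))[1], b["vips"].get(vrid, ("", None))[1]}
        if roles != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles on {a_name}/{b_name} are not active/standby")
    # 4. The HRP heartbeat peer address must be an address configured on the other FW.
    for (me, mine), (peer, theirs) in (((a_name, a), (b_name, b)), ((b_name, b), (a_name, a))):
        if mine["hrp_remote"] not in theirs["addrs"]:
            problems.append(f"{me}: hrp remote {mine['hrp_remote']} is not an address on {peer}")
    return problems
```

Calling check_design(FW_CONFIGS, SWITCH_CONFIGS) on the configuration from this example returns an empty list. Changing any one value, for instance marking VRID 1 active on both FWs or typing a next hop that is not a VRRP virtual address, produces a message naming the device and the offending value, which is the kind of review worth running before the cutover rather than after the first black-holed flow.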
Verification
- Run the display hrp state verbose command on FW_A and FW_B to check the hot standby status.
FW_A
HRP_M<FW_A> display hrp state verbose
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(active), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval: 1000ms
 preempt: 60s
 mirror configuration: off
 mirror session: on
 track trunk member: on
 auto-sync configuration: on
 auto-sync connection-status: on
 adjust ospf-cost: on
 adjust ospfv3-cost: on
 adjust bgp-cost: on
 nat resource: off

 Detail information:
 GigabitEthernet1/0/2 vrrp vrid 1: active
 GigabitEthernet1/0/2 vrrp vrid 5: standby
 GigabitEthernet1/0/3 vrrp vrid 2: active
 GigabitEthernet1/0/3 vrrp vrid 6: standby
FW_B
HRP_S<FW_B> display hrp state verbose
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(active), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval: 1000ms
 preempt: 60s
 mirror configuration: off
 mirror session: on
 track trunk member: on
 auto-sync configuration: on
 auto-sync connection-status: on
 adjust ospf-cost: on
 adjust ospfv3-cost: on
 adjust bgp-cost: on
 nat resource: off

 Detail information:
 GigabitEthernet1/0/2 vrrp vrid 1: standby
 GigabitEthernet1/0/2 vrrp vrid 5: active
 GigabitEthernet1/0/3 vrrp vrid 2: standby
 GigabitEthernet1/0/3 vrrp vrid 6: active
- Run the display firewall session table command on FW_A and FW_B. Sessions exist on FW_A, which shows that traffic passing through the core switches is being diverted to the FWs and that hot standby backup has been configured successfully.
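Reading the two display hrp state verbose outputs by eye is error-prone, and in a load-sharing pair the healthy state is easy to misjudge because both units legitimately report Role: active. What actually has to hold is that both units are active with an active peer, that session fast backup (mirror session) is on on both, that the running priorities are equal as in the output above, and that every VRRP group listed under Detail information is active on one unit and standby on the other. The checker below is an added example written for this page, not Huawei code; parse_hrp_state and check_load_sharing are hypothetical names, and the input is a constructed copy of the output above trimmed to the lines the checker reads.

```python
import re

# Constructed sample: the two outputs from this example, trimmed to the lines
# this checker parses. Unrecognized lines are ignored, so full output works too.
HRP_OUTPUTS = {
    "FW_A": """\
Role: active, peer: active
Running priority: 45000, peer: 45000
Configuration:
  hello interval: 1000ms
  mirror session: on
  auto-sync configuration: on
Detail information:
  GigabitEthernet1/0/2 vrrp vrid 1: active
  GigabitEthernet1/0/2 vrrp vrid 5: standby
  GigabitEthernet1/0/3 vrrp vrid 2: active
  GigabitEthernet1/0/3 vrrp vrid 6: standby
""",
    "FW_B": """\
Role: active, peer: active
Running priority: 45000, peer: 45000
Configuration:
  hello interval: 1000ms
  mirror session: on
  auto-sync configuration: on
Detail information:
  GigabitEthernet1/0/2 vrrp vrid 1: standby
  GigabitEthernet1/0/2 vrrp vrid 5: active
  GigabitEthernet1/0/3 vrrp vrid 2: standby
  GigabitEthernet1/0/3 vrrp vrid 6: active
""",
}

ROLE_RE = re.compile(r"^Role: (\w+), peer: (\w+)$")
PRIO_RE = re.compile(r"^Running priority: (\d+), peer: (\d+)$")
MIRROR_RE = re.compile(r"^mirror session: (on|off)$")
VRRP_RE = re.compile(r"^(\S+) vrrp vrid (\d+): (active|standby)$")


def parse_hrp_state(text):
    """Extract role, priorities, the session-mirroring flag and per-VRID states."""
    state = {"role": None, "peer": None, "priority": None, "peer_priority": None,
             "mirror_session": None, "vrrp": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROLE_RE.match(line):
            state["role"], state["peer"] = m.groups()
        elif m := PRIO_RE.match(line):
            state["priority"], state["peer_priority"] = int(m.group(1)), int(m.group(2))
        elif m := MIRROR_RE.match(line):
            state["mirror_session"] = m.group(1) == "on"
        elif m := VRRP_RE.match(line):
            state["vrrp"][(m.group(1), int(m.group(2)))] = m.group(3)
    return state


def check_load_sharing(outputs):
    """Return the ways the observed HRP state deviates from the load-sharing design."""
    states = {name: parse_hrp_state(text) for name, text in outputs.items()}
    problems = []
    for name, s in states.items():
        # In load-sharing mode both units are active and each sees an active peer.
        if (s["role"], s["peer"]) != ("active", "active"):
            problems.append(f"{name}: role {s['role']}, peer {s['peer']} (expected active/active)")
        # Fast session backup is required here because forward and return paths may differ.
        if s["mirror_session"] is not True:
            problems.append(f"{name}: session fast backup (hrp mirror session) is not on")
        # A healthy pair reports equal running priorities, as in the output on this page.
        if s["priority"] != s["peer_priority"]:
            problems.append(f"{name}: running priority {s['priority']} != peer {s['peer_priority']}")
    # Each VRRP group must be active on exactly one unit and standby on the other.
    (a_name, a), (b_name, b) = states.items()
    for key in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        if {a["vrrp"].get(key), b["vrrp"].get(key)} != {"active", "standby"}:
            problems.append(f"{key[0]} vrid {key[1]}: {a_name}={a['vrrp'].get(key)}, "
                            f"{b_name}={b['vrrp'].get(key)}")
    return problems
```

check_load_sharing(HRP_OUTPUTS) returns an empty list for the outputs shown above. Feed it the output captured after a failover or a change window instead, and a VRRP group that ended up active on both units, or a unit whose mirror session flag silently went off, is reported by name rather than spotted by chance.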
Configuration Scripts
FW_A
#
 hrp enable
 hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
 hrp mirror session enable
#
interface GigabitEthernet 1/0/2
 ip address 10.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.3 active
 vrrp vrid 5 virtual-ip 10.0.0.7 standby
#
interface GigabitEthernet 1/0/3
 ip address 10.1.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.0.3 active
 vrrp vrid 6 virtual-ip 10.1.0.7 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/3
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.8
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
#
security-policy
 rule name policy_sec1
  source-zone untrust
  destination-zone trust
  destination-address 192.168.0.0 16
  service http
  action permit
FW_B
#
 hrp enable
 hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
 hrp mirror session enable
#
interface GigabitEthernet 1/0/2
 ip address 10.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.3 standby
 vrrp vrid 5 virtual-ip 10.0.0.7 active
#
interface GigabitEthernet 1/0/3
 ip address 10.1.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.0.3 standby
 vrrp vrid 6 virtual-ip 10.1.0.7 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/3
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.8
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
#
security-policy
 rule name policy_sec1
  source-zone untrust
  destination-zone trust
  destination-address 192.168.0.0 16
  service http
  action permit


