This example describes how to use the CLI to configure VRRP backup groups that have their own virtual IPv6 addresses, so as to implement IPv6 load-balancing hot standby in an IPv6 network where the service interfaces work at Layer 3 and the upstream and downstream links connect to switches.
Networking Requirements
As shown in Figure 1, the service interfaces of the enterprise's two FWs work at Layer 3, and their upstream and downstream links each connect to a Layer 2 switch. The two FWs are required to work in load-balancing mode: in normal operation, FW_A and FW_B forward traffic together, and when one FW fails, the other forwards all services so that services are not interrupted.
Procedure
- Complete the basic network configuration.

FW_A:

```
# Enable IPv6 packet forwarding on the FW.
<FW_A> system-view
[FW_A] ipv6
# Configure IP addresses for the FW interfaces.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ipv6 enable
[FW_A-GigabitEthernet1/0/1] ipv6 address 2001:db8:6::1 64
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ipv6 enable
[FW_A-GigabitEthernet1/0/3] ipv6 address 2001:db8:5::1 64
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit
# Add the FW interfaces to the corresponding security zones.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
# Configure a default route on the FW with next hop 2001:db8:6::4, so that the traffic of intranet users is forwarded to the Router.
[FW_A] ipv6 route-static 0:0::0:0 0 2001:db8:6::4
```

FW_B:

```
# Enable IPv6 packet forwarding on the FW.
<FW_B> system-view
[FW_B] ipv6
# Configure IP addresses for the FW interfaces.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ipv6 enable
[FW_B-GigabitEthernet1/0/1] ipv6 address 2001:db8:6::2 64
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ipv6 enable
[FW_B-GigabitEthernet1/0/3] ipv6 address 2001:db8:5::2 64
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/7
[FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/7] quit
# Add the FW interfaces to the corresponding security zones.
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_B-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] quit
# Configure a default route on the FW with next hop 2001:db8:6::4, so that the traffic of intranet users is forwarded to the Router.
[FW_B] ipv6 route-static 0:0::0:0 0 2001:db8:6::4
```

- Configure IPv6 VRRP backup groups.

FW_A:

```
# On the upstream service interface GE1/0/1 of FW_A, configure VRRP backup group 1 and set its state to Active, and configure VRRP backup group 3 and set its state to Standby. On the upstream service interface GE1/0/1 of FW_B, configure VRRP backup group 1 and set its state to Standby, and configure VRRP backup group 3 and set its state to Active.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp6 vrid 1 virtual-ip FE80::1 link-local active
[FW_A-GigabitEthernet1/0/1] vrrp6 vrid 1 virtual-ip 2001:db8:6::3
[FW_A-GigabitEthernet1/0/1] vrrp6 vrid 3 virtual-ip FE80::3 link-local standby
[FW_A-GigabitEthernet1/0/1] vrrp6 vrid 3 virtual-ip 2001:db8:6::5
[FW_A-GigabitEthernet1/0/1] quit
# On the downstream service interface GE1/0/3 of FW_A, configure VRRP backup group 2 and set its state to Active, and configure VRRP backup group 4 and set its state to Standby. On the downstream service interface GE1/0/3 of FW_B, configure VRRP backup group 2 and set its state to Standby, and configure VRRP backup group 4 and set its state to Active.
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] vrrp6 vrid 2 virtual-ip FE80::2 link-local active
[FW_A-GigabitEthernet1/0/3] vrrp6 vrid 2 virtual-ip 2001:db8:5::3
[FW_A-GigabitEthernet1/0/3] vrrp6 vrid 4 virtual-ip FE80::4 link-local standby
[FW_A-GigabitEthernet1/0/3] vrrp6 vrid 4 virtual-ip 2001:db8:5::5
[FW_A-GigabitEthernet1/0/3] quit
```

FW_B:

```
# Upstream interface GE1/0/1: backup group 1 Standby, backup group 3 Active.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] vrrp6 vrid 1 virtual-ip FE80::1 link-local standby
[FW_B-GigabitEthernet1/0/1] vrrp6 vrid 1 virtual-ip 2001:db8:6::3
[FW_B-GigabitEthernet1/0/1] vrrp6 vrid 3 virtual-ip FE80::3 link-local active
[FW_B-GigabitEthernet1/0/1] vrrp6 vrid 3 virtual-ip 2001:db8:6::5
[FW_B-GigabitEthernet1/0/1] quit
# Downstream interface GE1/0/3: backup group 2 Standby, backup group 4 Active.
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] vrrp6 vrid 2 virtual-ip FE80::2 link-local standby
[FW_B-GigabitEthernet1/0/3] vrrp6 vrid 2 virtual-ip 2001:db8:5::3
[FW_B-GigabitEthernet1/0/3] vrrp6 vrid 4 virtual-ip FE80::4 link-local active
[FW_B-GigabitEthernet1/0/3] vrrp6 vrid 4 virtual-ip 2001:db8:5::5
[FW_B-GigabitEthernet1/0/3] quit
```
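The load-sharing design above only works if the two FWs' VRRP configurations mirror each other exactly: every backup group must exist on both devices with the same link-local and global virtual IPs, be active on one FW and standby on the other, and each interface must leave each FW active for at least one group. A mismatch (both active, a missing global VIP, a group present on one side only) is easy to introduce when the two devices are configured by hand. The following Python script is an added example, not part of the original page or of any Huawei tool; it parses the `vrrp6 vrid ... virtual-ip ...` lines as written above (the sample configuration dictionaries are constructed from them) and reports every inconsistency it finds. It needs only the Python 3 standard library.

```python
import re

# Constructed sample input: the vrrp6 lines from the configuration above, keyed by interface.
FW_A_VRRP6 = {
    "GigabitEthernet1/0/1": [
        "vrrp6 vrid 1 virtual-ip FE80::1 link-local active",
        "vrrp6 vrid 1 virtual-ip 2001:db8:6::3",
        "vrrp6 vrid 3 virtual-ip FE80::3 link-local standby",
        "vrrp6 vrid 3 virtual-ip 2001:db8:6::5",
    ],
    "GigabitEthernet1/0/3": [
        "vrrp6 vrid 2 virtual-ip FE80::2 link-local active",
        "vrrp6 vrid 2 virtual-ip 2001:db8:5::3",
        "vrrp6 vrid 4 virtual-ip FE80::4 link-local standby",
        "vrrp6 vrid 4 virtual-ip 2001:db8:5::5",
    ],
}
FW_B_VRRP6 = {
    "GigabitEthernet1/0/1": [
        "vrrp6 vrid 1 virtual-ip FE80::1 link-local standby",
        "vrrp6 vrid 1 virtual-ip 2001:db8:6::3",
        "vrrp6 vrid 3 virtual-ip FE80::3 link-local active",
        "vrrp6 vrid 3 virtual-ip 2001:db8:6::5",
    ],
    "GigabitEthernet1/0/3": [
        "vrrp6 vrid 2 virtual-ip FE80::2 link-local standby",
        "vrrp6 vrid 2 virtual-ip 2001:db8:5::3",
        "vrrp6 vrid 4 virtual-ip FE80::4 link-local active",
        "vrrp6 vrid 4 virtual-ip 2001:db8:5::5",
    ],
}

# One vrrp6 line: the link-local virtual IP line also carries the active/standby role.
LINE_RE = re.compile(
    r"^vrrp6 vrid (?P<vrid>\d+) virtual-ip (?P<vip>\S+)"
    r"(?: link-local (?P<role>active|standby))?$"
)


def parse_vrrp6_config(config):
    """Map (interface, vrid) -> {"role", "link_local", "global"} from the CLI lines."""
    groups = {}
    for ifname, lines in config.items():
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                raise ValueError(f"unrecognised vrrp6 line on {ifname}: {line!r}")
            g = groups.setdefault((ifname, int(m["vrid"])),
                                  {"role": None, "link_local": None, "global": set()})
            if m["role"]:
                g["role"], g["link_local"] = m["role"], m["vip"].lower()
            else:
                g["global"].add(m["vip"].lower())
    return groups


def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the two FWs form a consistent pair."""
    a, b = parse_vrrp6_config(cfg_a), parse_vrrp6_config(cfg_b)
    problems = []
    for key in sorted(set(a) | set(b)):
        ifname, vrid = key
        tag = f"{ifname} vrid {vrid}"
        if key not in a or key not in b:
            problems.append(f"{tag} is configured on only one FW")
            continue
        ga, gb = a[key], b[key]
        if ga["link_local"] is None or gb["link_local"] is None:
            problems.append(f"{tag} has no link-local virtual IP (IPv6 VRRP requires one)")
        if not ga["global"] or not gb["global"]:
            problems.append(f"{tag} has no global virtual IP for hosts to use as their gateway")
        if ga["link_local"] != gb["link_local"] or ga["global"] != gb["global"]:
            problems.append(f"{tag} virtual IPs differ between the FWs")
        if {ga["role"], gb["role"]} != {"active", "standby"}:
            problems.append(f"{tag} roles are {ga['role']}/{gb['role']}, "
                            "expected active on one FW and standby on the other")
    # Load sharing only happens if each FW is active for at least one group on every interface.
    for fw, groups in (("FW_A", a), ("FW_B", b)):
        for ifname in sorted({k[0] for k in groups}):
            if not any(g["role"] == "active" for (i, _), g in groups.items() if i == ifname):
                problems.append(f"{fw} is standby for every group on {ifname}; "
                                "traffic would not be shared")
    return problems


if __name__ == "__main__":
    for p in check_pair(FW_A_VRRP6, FW_B_VRRP6) or ["VRRP configuration is consistent"]:
        print(p)
```

Run it against the two sets of lines before enabling hot standby; for the configuration on this page it reports no problems, and a copy-paste error such as leaving both FWs active for the same group is reported by name.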
- Configure session fast backup, specify the heartbeat interface, and enable hot standby.

FW_A:

```
# In load-balancing networking both FWs forward traffic. To avoid problems caused by asymmetric forward and return paths, configure session fast backup on both FWs.
[FW_A] hrp mirror session enable
# Specify the heartbeat interface on the FW and enable hot standby.
[FW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
[FW_A] hrp enable
```

FW_B:

```
[FW_B] hrp mirror session enable
[FW_B] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
[FW_B] hrp enable
```

- Configure a security policy to allow intranet users to access the Internet.

```
# Configure the security policy on FW_A. After hot standby is established, the security policy configuration of FW_A is automatically backed up to FW_B.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 2001:db8:5:: 64
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit
```

- Configure the Switches and the intranet PCs.
  - Add the three interfaces of each Switch to the same VLAN. For the specific configuration commands, see the documentation of the switch.
  - Set the default gateway of some intranet PCs to the virtual IP address of VRRP backup group 2 and that of the other PCs to the virtual IP address of VRRP backup group 4, so that intranet traffic is load-balanced across the two FWs.
- Configure the Router. On the Router, configure equal-cost routes to FW_A and FW_B whose next hops point to the virtual IP address of VRRP backup group 1 and the virtual IP address of VRRP backup group 3 respectively.
Verification
- Run the display vrrp6 command to check the state of the interfaces in the VRRP backup groups. The following output indicates that the VRRP backup groups have been established.

FW_A:

```
HRP_M<FW_A> display vrrp6
  GigabitEthernet1/0/1 | Virtual Router 1
    State : Master
    Virtual IP : FE80::1
                 2001:DB8:6::3
    Master IP : FE80::8269:33FF:FE8C:5C7D
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 0
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0201
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:54:28 UTC+08:00
    Last change time : 2019-04-13 14:56:53 UTC+08:00

  GigabitEthernet1/0/3 | Virtual Router 2
    State : Master
    Virtual IP : FE80::2
                 2001:DB8:5::3
    Master IP : FE80::8269:33FF:FE8C:5C6B
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0202
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:11:51 UTC+08:00
    Last change time : 2019-04-13 14:54:42 UTC+08:00

  GigabitEthernet1/0/1 | Virtual Router 3
    State : Backup
    Virtual IP : FE80::3
                 2001:DB8:6::5
    Master IP : FE80::8269:33FF:FE8C:5C7D
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 0
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0203
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:54:28 UTC+08:00
    Last change time : 2019-04-13 14:56:53 UTC+08:00

  GigabitEthernet1/0/3 | Virtual Router 4
    State : Backup
    Virtual IP : FE80::4
                 2001:DB8:5::5
    Master IP : FE80::8269:33FF:FE8C:5C6B
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0204
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:11:51 UTC+08:00
    Last change time : 2019-04-13 14:54:42 UTC+08:00
```

FW_B:

```
HRP_S<FW_B> display vrrp6
  GigabitEthernet1/0/1 | Virtual Router 1
    State : Backup
    Virtual IP : FE80::1
                 2001:DB8:6::3
    Master IP : FE80::4AF8:DBFF:FE50:82DB
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 0
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0201
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:28:28 UTC+08:00
    Last change time : 2019-04-13 15:08:53 UTC+08:00

  GigabitEthernet1/0/3 | Virtual Router 2
    State : Backup
    Virtual IP : FE80::2
                 2001:DB8:5::3
    Master IP : FE80::4AF8:DBFF:FE50:826B
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0202
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:30:51 UTC+08:00
    Last change time : 2019-04-13 15:10:42 UTC+08:00

  GigabitEthernet1/0/1 | Virtual Router 3
    State : Master
    Virtual IP : FE80::3
                 2001:DB8:6::5
    Master IP : FE80::4AF8:DBFF:FE50:82DB
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 0
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0203
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:28:28 UTC+08:00
    Last change time : 2019-04-13 15:08:53 UTC+08:00

  GigabitEthernet1/0/3 | Virtual Router 4
    State : Master
    Virtual IP : FE80::4
                 2001:DB8:5::5
    Master IP : FE80::4AF8:DBFF:FE50:826B
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 4000 cs
    TimerConfig : 4000 cs
    Virtual MAC : 0000-5e00-0204
    Check hop limit : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2019-04-13 14:30:51 UTC+08:00
    Last change time : 2019-04-13 15:10:42 UTC+08:00
```

- Run the display hrp state verbose command to check the hot standby state. The following output indicates that hot standby has been established.
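Reading two long display vrrp6 listings by eye is error-prone, and the properties that matter for a healthy pair are mechanical: every virtual router is reported by both FWs, exactly one of them is Master and the other Backup, both report the same virtual IPs (with a link-local one among them), and the virtual MAC follows the IPv6 VRRP form 0000-5e00-02xx where xx is the VRID (RFC 5798). The following Python script is an added example, not part of the original page or of any Huawei tool. It parses the display vrrp6 format shown above and cross-checks the two devices; the two sample outputs embedded in it are constructed in that format and trimmed to two virtual routers per FW. It uses only the Python 3 standard library.

```python
import re

# Constructed sample output in the display vrrp6 format, trimmed to two virtual routers
# per FW. FW_A is Master for VR1 and Backup for VR3; FW_B is the reverse.
FW_A_VRRP6 = """\
HRP_M<FW_A> display vrrp6
  GigabitEthernet1/0/1 | Virtual Router 1
    State : Master
    Virtual IP : FE80::1
                 2001:DB8:6::3
    Master IP : FE80::8269:33FF:FE8C:5C7D
    Preempt : YES   Delay Time : 0 s
    Virtual MAC : 0000-5e00-0201
    Config type : vgmp-vrrp
  GigabitEthernet1/0/1 | Virtual Router 3
    State : Backup
    Virtual IP : FE80::3
                 2001:DB8:6::5
    Master IP : FE80::4AF8:DBFF:FE50:82DB
    Preempt : YES   Delay Time : 0 s
    Virtual MAC : 0000-5e00-0203
    Config type : vgmp-vrrp
"""
FW_B_VRRP6 = """\
HRP_S<FW_B> display vrrp6
  GigabitEthernet1/0/1 | Virtual Router 1
    State : Backup
    Virtual IP : FE80::1
                 2001:DB8:6::3
    Master IP : FE80::8269:33FF:FE8C:5C7D
    Preempt : YES   Delay Time : 0 s
    Virtual MAC : 0000-5e00-0201
    Config type : vgmp-vrrp
  GigabitEthernet1/0/1 | Virtual Router 3
    State : Master
    Virtual IP : FE80::3
                 2001:DB8:6::5
    Master IP : FE80::4AF8:DBFF:FE50:82DB
    Preempt : YES   Delay Time : 0 s
    Virtual MAC : 0000-5e00-0203
    Config type : vgmp-vrrp
"""

HEADER_RE = re.compile(r"^(?P<ifname>\S+) \| Virtual Router (?P<vrid>\d+)$")
# "Key : value"; keys start with a letter, so an indented IPv6 address never matches.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*?) : (?P<val>.*)$")


def parse_display_vrrp6(text):
    """Map (interface, vrid) -> dict of fields; 'Virtual IP' is a list (one per line)."""
    routers, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            current = {"Virtual IP": []}
            routers[(h["ifname"], int(h["vrid"]))] = current
            last_key = None
            continue
        if current is None:          # command echo before the first header
            continue
        for part in re.split(r"\s{3,}", line):   # "Preempt : YES   Delay Time : 0 s"
            f = FIELD_RE.match(part)
            if f:
                last_key = f["key"]
                if last_key == "Virtual IP":
                    current["Virtual IP"].append(f["val"])
                else:
                    current[last_key] = f["val"]
            elif last_key == "Virtual IP":       # continuation line: another address
                current["Virtual IP"].append(part)
    return routers


def check_vrrp6_state(out_a, out_b):
    """Cross-check the two FWs' display vrrp6 output; empty list means healthy."""
    a, b = parse_display_vrrp6(out_a), parse_display_vrrp6(out_b)
    problems = []
    for key in sorted(set(a) | set(b)):
        ifname, vrid = key
        tag = f"{ifname} VR{vrid}"
        if key not in a or key not in b:
            problems.append(f"{tag} is reported by only one FW")
            continue
        ra, rb = a[key], b[key]
        if sorted([ra["State"], rb["State"]]) != ["Backup", "Master"]:
            problems.append(f"{tag}: states are {ra['State']}/{rb['State']}, "
                            "expected one Master and one Backup")
        vips_a = {ip.lower() for ip in ra["Virtual IP"]}
        vips_b = {ip.lower() for ip in rb["Virtual IP"]}
        if vips_a != vips_b:
            problems.append(f"{tag}: virtual IPs differ: {sorted(vips_a)} vs {sorted(vips_b)}")
        if not any(ip.startswith("fe80:") for ip in vips_a):
            problems.append(f"{tag}: no link-local virtual IP")
        expected_mac = f"0000-5e00-02{vrid:02x}"   # RFC 5798 IPv6 VRRP MAC, VRID in hex
        for fw, r in (("FW_A", ra), ("FW_B", rb)):
            if r.get("Virtual MAC", "").lower() != expected_mac:
                problems.append(f"{tag}: {fw} virtual MAC {r.get('Virtual MAC')} != {expected_mac}")
    return problems


def master_count(output):
    """Number of virtual routers this FW is Master for; in load sharing both FWs should be > 0."""
    return sum(1 for r in parse_display_vrrp6(output).values() if r.get("State") == "Master")


if __name__ == "__main__":
    for p in check_vrrp6_state(FW_A_VRRP6, FW_B_VRRP6) or ["VRRP state is consistent"]:
        print(p)
    print("Masters on FW_A:", master_count(FW_A_VRRP6), "FW_B:", master_count(FW_B_VRRP6))
```

Feed it the two captured outputs (for example, saved from the console) and a state where both FWs claim Master for the same VRID, which is what a broken heartbeat or a duplicated active role would produce, is flagged immediately instead of being noticed only when traffic fails.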
FW_A:

```
HRP_M<FW_A> display hrp state verbose
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2019-04-13 15:01:44 HRP core state changed, old_state = initial, new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
   hello interval:              1000ms
   preempt:                     60s
   mirror configuration:        off
   mirror session:              on
   track trunk member:          on
   auto-sync configuration:     on
   auto-sync connection-status: on
   adjust ospf-cost:            on
   adjust ospfv3-cost:          on
   adjust bgp-cost:             on
   nat resource:                off

 Detail information:
   GigabitEthernet1/0/1 vrrp6 vrid 1: active
   GigabitEthernet1/0/3 vrrp6 vrid 2: active
   GigabitEthernet1/0/1 vrrp6 vrid 3: standby
   GigabitEthernet1/0/3 vrrp6 vrid 4: standby
```

FW_B:

```
HRP_S<FW_B> display hrp state verbose
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2019-04-13 15:01:44 HRP core state changed, old_state = initial, new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
   hello interval:              1000ms
   preempt:                     60s
   mirror configuration:        off
   mirror session:              on
   track trunk member:          on
   auto-sync configuration:     on
   auto-sync connection-status: on
   adjust ospf-cost:            on
   adjust ospfv3-cost:          on
   adjust bgp-cost:             on
   nat resource:                off

 Detail information:
   GigabitEthernet1/0/1 vrrp6 vrid 1: standby
   GigabitEthernet1/0/3 vrrp6 vrid 2: standby
   GigabitEthernet1/0/1 vrrp6 vrid 3: active
   GigabitEthernet1/0/3 vrrp6 vrid 4: active
```

- In the trust zone, select two PCs whose default gateways point to the virtual IPv6 addresses of VRRP backup group 2 and VRRP backup group 4 respectively, and run the ping 2001:db8:6::4 command on both. Both PCs should be able to ping the Router. Run the display firewall ipv6 session table command on FW_A and FW_B; on both FWs the sessions should have been created, and the sessions should be backed up between the two FWs.

FW_A:

```
HRP_M<FW_A> display firewall ipv6 session table
 Current Total Sessions : 2
 icmpv6  VPN: public --> public
 2001:DB8:5::4.0 --> 2001:DB8:6::4.2048
 icmpv6  VPN: public --> public Remote
 2001:DB8:5::6.0 --> 2001:DB8:6::4.2048
```

FW_B:

```
HRP_S<FW_B> display firewall ipv6 session table
 Current Total Sessions : 2
 icmpv6  VPN: public --> public Remote
 2001:DB8:5::4.0 --> 2001:DB8:6::4.2048
 icmpv6  VPN: public --> public
 2001:DB8:5::6.0 --> 2001:DB8:6::4.2048
```

The output above shows that both FWs hold sessions marked Remote, which means that after hot standby was configured, the sessions are backed up between the two FWs successfully.
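The Remote mark is the evidence that session fast backup works: each session created on one FW should appear on the other with the Remote mark, and never as local on both or on only one device. Because the pair forwards traffic in load-sharing mode, a session that is missing on one side is exactly the one that breaks when a return packet takes the other path. The following Python script is an added example, not part of the original page or of any Huawei tool; it parses the display firewall ipv6 session table format shown above (the two embedded outputs are constructed in that format) and reports any session that is not backed up correctly. It uses only the Python 3 standard library.

```python
import re

# Constructed sample outputs in the display firewall ipv6 session table format shown above.
FW_A_SESSIONS = """\
HRP_M<FW_A> display firewall ipv6 session table
 Current Total Sessions : 2
 icmpv6  VPN: public --> public
 2001:DB8:5::4.0 --> 2001:DB8:6::4.2048
 icmpv6  VPN: public --> public Remote
 2001:DB8:5::6.0 --> 2001:DB8:6::4.2048
"""
FW_B_SESSIONS = """\
HRP_S<FW_B> display firewall ipv6 session table
 Current Total Sessions : 2
 icmpv6  VPN: public --> public Remote
 2001:DB8:5::4.0 --> 2001:DB8:6::4.2048
 icmpv6  VPN: public --> public
 2001:DB8:5::6.0 --> 2001:DB8:6::4.2048
"""

# First line of a session: protocol, VPN instances, and the optional Remote mark.
PROTO_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN: (?P<src_vpn>\S+) --> (?P<dst_vpn>\S+)(?P<remote>\s+Remote)?$"
)
# Second line: "source.port --> destination.port" with IPv6 addresses.
FLOW_RE = re.compile(r"^(?P<src>\S+)\.(?P<sport>\d+) --> (?P<dst>\S+)\.(?P<dport>\d+)$")


def parse_sessions(text):
    """Map (proto, src_vpn, dst_vpn, src, sport, dst, dport) -> True if marked Remote."""
    sessions, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        p = PROTO_RE.match(line)
        if p:
            pending = (p["proto"], p["src_vpn"], p["dst_vpn"], bool(p["remote"]))
            continue
        f = FLOW_RE.match(line)
        if f and pending:
            proto, src_vpn, dst_vpn, remote = pending
            key = (proto, src_vpn, dst_vpn, f["src"].lower(), int(f["sport"]),
                   f["dst"].lower(), int(f["dport"]))
            sessions[key] = remote
            pending = None
    return sessions


def check_session_backup(out_a, out_b):
    """Every session must exist on both FWs, local on one and Remote on the other."""
    a, b = parse_sessions(out_a), parse_sessions(out_b)
    problems = []
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            problems.append(f"session {key} is present on only one FW (not backed up)")
        elif a[key] == b[key]:
            side = "Remote" if a[key] else "local"
            problems.append(f"session {key} is {side} on both FWs; "
                            "expected local on one and Remote on the other")
    return problems


if __name__ == "__main__":
    for p in check_session_backup(FW_A_SESSIONS, FW_B_SESSIONS) or ["session backup is consistent"]:
        print(p)
```

A non-empty result after hrp mirror session enable usually means the heartbeat link (GE1/0/7 here) is not carrying backup traffic, which is worth confirming with display hrp state verbose before trusting a failover test.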
- Run ping 2001:db8:6::4 -t on a PC, then unplug the network cable from GE1/0/1 of FW_A and observe the device state switchover and the ping packet loss; then reconnect the cable to GE1/0/1 of FW_A and observe the state switchover and packet loss again. Ping access should not be interrupted at any point during this process.
Configuration Scripts

FW_A:

```
#
 ipv6
#
 hrp enable
 hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
 hrp mirror session enable
#
interface GigabitEthernet 1/0/1
 ipv6 enable
 ipv6 address 2001:DB8:6::1/64
 vrrp6 vrid 1 virtual-ip FE80::1 link-local active
 vrrp6 vrid 1 virtual-ip 2001:DB8:6::3
 vrrp6 vrid 3 virtual-ip FE80::3 link-local standby
 vrrp6 vrid 3 virtual-ip 2001:DB8:6::5
#
interface GigabitEthernet 1/0/3
 ipv6 enable
 ipv6 address 2001:DB8:5::1/64
 vrrp6 vrid 2 virtual-ip FE80::2 link-local active
 vrrp6 vrid 2 virtual-ip 2001:DB8:5::3
 vrrp6 vrid 4 virtual-ip FE80::4 link-local standby
 vrrp6 vrid 4 virtual-ip 2001:DB8:5::5
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
 ipv6 route-static 0:0::0:0 0 2001:db8:6::4
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 2001:db8:5:: 64
  action permit
```

FW_B:

```
#
 ipv6
#
 hrp enable
 hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
 hrp mirror session enable
#
interface GigabitEthernet 1/0/1
 ipv6 enable
 ipv6 address 2001:DB8:6::2/64
 vrrp6 vrid 1 virtual-ip FE80::1 link-local standby
 vrrp6 vrid 1 virtual-ip 2001:DB8:6::3
 vrrp6 vrid 3 virtual-ip FE80::3 link-local active
 vrrp6 vrid 3 virtual-ip 2001:DB8:6::5
#
interface GigabitEthernet 1/0/3
 ipv6 enable
 ipv6 address 2001:DB8:5::2/64
 vrrp6 vrid 2 virtual-ip FE80::2 link-local standby
 vrrp6 vrid 2 virtual-ip 2001:DB8:5::3
 vrrp6 vrid 4 virtual-ip FE80::4 link-local active
 vrrp6 vrid 4 virtual-ip 2001:DB8:5::5
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
 ipv6 route-static 0:0::0:0 0 2001:db8:6::4
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 2001:db8:5:: 64
  action permit
```
