
HCIP: Firewall Hot Standby (双机热备)


1. Hot standby principles

1.1 Overview of hot standby

When a firewall (FW) is deployed at the network egress, a failure of that single device affects traffic for the whole network. To improve reliability, two FWs are deployed and combined into a hot-standby pair.

Hot standby requires two FWs with identical hardware and software configuration. The two FWs are connected by an independent link, usually called the heartbeat link. Over this link each FW learns the health of its peer and backs up its configuration and table entries (session table, IPSec SAs and so on) to the peer. When one FW fails, traffic switches smoothly to the other device and service is not interrupted. Because the heartbeat carries configuration and live session state, it should be a dedicated point-to-point link or an isolated VLAN, not a segment that other hosts can reach.


1.2 Hot standby protocol architecture

VRRP: handles failure detection and traffic steering for a single interface. Each VRRP backup group owns a virtual IP address that serves as the gateway address for the attached network. When a VRRP master/backup switchover happens, the new master sends gratuitous ARP so that the connected devices refresh their MAC forwarding tables and traffic follows it.

VGMP: manages all VRRP backup groups in the system as one unit and switches their states together, so that on a failure the upstream and downstream traffic move to the backup firewall at the same time instead of one interface at a time.

HRP: synchronises data (configuration and state tables such as sessions) between the two devices over the heartbeat link.
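The gratuitous ARP mechanism described under VRRP above, as an added example (not code from this page or from Huawei): it derives the VRRP virtual MAC for a VRID, builds and decodes the gratuitous ARP frame a new master broadcasts for its virtual IP, and models how a switch's MAC table moves that virtual MAC to the new master's port. The frame layout follows RFC 826 and the IPv4 virtual-MAC convention 00-00-5e-00-01-<VRID> of RFC 5798. The function names are mine; the port names in failover_demo are assumptions (FW1 on SW1 GE0/0/4 agrees with the MAC table captured later on this page, FW2 on GE0/0/5 is a guess about the lab wiring).

```python
"""VRRP virtual MAC and the gratuitous ARP that steers traffic on failover.

Added example for this page, not Huawei's code. Frames are built and decoded
in memory only; nothing is sent on the wire.
"""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST = 1


def vrrp_virtual_mac(vrid: int) -> bytes:
    """IPv4 VRRP virtual MAC: fixed prefix 00-00-5e-00-01, last byte = VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vrid])


def huawei_mac(mac: bytes) -> str:
    """Render as the xxxx-xxxx-xxxx form used by 'display mac-address'."""
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_gratuitous_arp(vrid: int, virtual_ip: str) -> bytes:
    """Ethernet + ARP frame a VRRP master emits after winning the election.

    Gratuitous ARP: broadcast destination, sender IP == target IP (the VIP),
    sender MAC = the virtual MAC, so every L2 neighbour relearns the VIP.
    """
    vmac = vrrp_virtual_mac(vrid)
    vip = IPv4Address(virtual_ip).packed
    eth_hdr = BROADCAST + vmac + struct.pack("!H", ETH_P_ARP)
    arp = (
        struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # htype, ptype, hlen, plen, op
        + vmac + vip            # sender hardware / protocol address
        + b"\x00" * 6 + vip     # target hardware (unknown) / protocol address
    )
    return eth_hdr + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; raises on malformed input."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "dst": dst, "src": src, "op": op,
        "sha": frame[22:28], "spa": str(IPv4Address(frame[28:32])),
        "tha": frame[32:38], "tpa": str(IPv4Address(frame[38:42])),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous = broadcast request whose sender and target IP coincide."""
    return arp["dst"] == BROADCAST and arp["op"] == ARP_REQUEST and arp["spa"] == arp["tpa"]


def learn_mac(table: dict, frame: bytes, ingress_port: str) -> dict:
    """Model the switch's dynamic MAC learning: source MAC -> ingress port.

    Learning is unauthenticated, which is exactly why one gratuitous ARP from
    the new master moves the virtual MAC to the new port.
    """
    table[huawei_mac(frame[6:12])] = ingress_port
    return table


def failover_demo() -> dict:
    """Assumed wiring: FW1 on SW1 GE0/0/4 (as in the page's MAC table),
    FW2 on GE0/0/5 (assumption). Returns the table before and after failover."""
    table = {}
    garp = build_gratuitous_arp(2, "10.1.1.254")
    learn_mac(table, garp, "GE0/0/4")   # FW1 is master of VRID 2
    before = dict(table)
    learn_mac(table, garp, "GE0/0/5")   # FW2 takes over; same virtual MAC, same VIP
    return {"before": before, "after": dict(table)}
```

The switch learns purely from the source MAC of whatever it receives, which is why a single gratuitous ARP from the new master is enough to redirect traffic, and also why any host in the gateway VLAN could send the same frame to hijack 10.1.1.254; port security or dynamic ARP inspection on the access ports is the usual countermeasure.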

2. Layer-3 interfaces connected to switches upstream and downstream

2.1 Topology (active/standby mode)


2.2 Base configuration

SW1 VLAN assignment (the MAC address table captured in 2.4 shows the FW GE0/0/0 management side and MGMT_PC on VLAN 10 via GE0/0/1-GE0/0/3, and the trust side on GE0/0/4-GE0/0/6 in VLAN 11, so the second VLAN used in the lab appears to be 11 rather than the 20 listed here):

Device  VLAN  Interfaces
SW1     10    GE0/0/1, GE0/0/2, GE0/0/3
        20    GE0/0/4, GE0/0/5, GE0/0/6

Interface addresses. On each FW, GE1/0/0 faces the trust side (10.1.1.0/24, PC1), GE1/0/1 faces the untrust side (202.100.1.0/24, R1), and GE1/0/2 is the heartbeat link between the two FWs (172.16.1.0/24).

Device   Interface      Address
FW1      GE0/0/0        192.168.0.10/24
         GE1/0/0        10.1.1.10/24
         GE1/0/1        202.100.1.10/24
         GE1/0/2        172.16.1.10/24
FW2      GE0/0/0        192.168.0.11/24
         GE1/0/0        10.1.1.11/24
         GE1/0/1        202.100.1.11/24
         GE1/0/2        172.16.1.11/24
R1       GE0/0/0        202.100.1.254
PC1      Ethernet0/0/1  10.1.1.1/24
MGMT_PC  Ethernet0/0/1  192.168.1.100/24
2.3 Hot standby configuration

#FW1

1. Configure VRRP backup group 1 (untrust side, virtual IP 202.100.1.100; FW1 is the active member)

[FW1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 202.100.1.100 active

2. Configure VRRP backup group 2 (trust side, virtual IP 10.1.1.254; FW1 is the active member)

[FW1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.254 active

3. Configure the heartbeat interface and the peer's heartbeat address

[FW1]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.11

4. Enable HRP

[FW1]hrp enable

#FW2

1. Configure VRRP backup group 1 (same virtual IP; FW2 is the standby member)

[FW2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 202.100.1.100 standby

2. Configure VRRP backup group 2 (FW2 is the standby member)

[FW2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.254 standby

3. Configure the heartbeat interface, pointing at FW1's heartbeat address

[FW2]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.10

4. Enable HRP

[FW2]hrp enable

2.4 Observed behaviour

1. The logs show that the state machines of FW1 and FW2 both go from initial to abnormal(standby) first (the abnormal states are abnormal(standby) and abnormal(active)), and then from abnormal(standby) to normal, which with equal priorities is the load-balance state. Note that while the peer priority is still unknown the device cannot reach normal; it does so only once the heartbeat link is up and both priorities are known.

[FW1]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW1]
Sep 12 2022 07:06:22 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:22 FW1 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
HRP_S[FW1]
Sep 12 2022 07:06:29 FW1 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-04-7f-d2, peer device ID is 00-e0-fc-8a-6d-ae.
Sep 12 2022 07:06:29 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:06:29 FW1 %%01HRPI/4/CORE_STATE(l)[6]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)

[FW2]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW2]
Sep 12 2022 07:06:26 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:26 FW2 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:26 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:06:26 FW2 %%01HRPI/4/CORE_STATE(l)[6]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)

2. Check the HRP state: both devices have the same priority, FW1's role is active (primary device) and FW2's role is standby (backup device). The prompt prefix reflects the role: HRP_M marks the active device and HRP_S the standby one. The device role "standby" is not the same thing as the state-machine state "standby": here both devices are in state normal while their roles differ.

HRP_M[FW1]display hrp state
2022-09-12 07:16:54.530
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 10 minutes
Last state change information: 2022-09-12 7:06:29 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

HRP_S[FW2]display hrp state
2022-09-12 07:20:16.980
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 13 minutes
Last state change information: 2022-09-12 7:06:29 HRP link changes to up.

3. Configure a security policy permitting traffic from trust to untrust. It can only be configured on FW1 (the active device) and is synchronised to FW2 automatically; the (+B) echoed after each command means the command was backed up to the peer. This lab rule permits everything from trust to untrust with no source, destination or service restriction; a production policy should be scoped more tightly.

HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name pc (+B)
HRP_M[FW1-policy-security-rule-pc]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-pc]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-pc]action permit (+B)

4. Ping R1 from PC1 and capture on SW1's GE0/0/4: FW1 sends gratuitous ARP announcing the virtual gateway 10.1.1.254. SW1's MAC address table confirms where traffic is steered: the VRRP virtual MAC 0000-5e00-0102 (the IPv4 VRRP virtual MAC 00-00-5e-00-01-xx with xx = VRID 2) is learned on GE0/0/4, the port toward FW1, in the same VLAN as the host MAC on GE0/0/6 (PC1).


[SW1]display mac-address
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN  CEVLAN  Port      Type     LSP/LSR-ID
               VSI/SI                                         MAC-Tunnel
-------------------------------------------------------------------------------
0050-56c0-0001 10          -       -       GE0/0/3   dynamic  0/-
00e0-fc8a-6dae 10          -       -       GE0/0/2   dynamic  0/-
00e0-fc04-7fd2 10          -       -       GE0/0/1   dynamic  0/-
0000-5e00-0102 11          -       -       GE0/0/4   dynamic  0/-
00e0-fc04-7fd3 11          -       -       GE0/0/4   dynamic  0/-
5489-98d4-4b44 11          -       -       GE0/0/6   dynamic  0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 6

5. Run ping with the -t option (continuous ping), then disconnect SW2's GE0/0/1 and observe. PC1 loses two packets; FW2 becomes the primary device, its state machine going from normal (load-balance) to abnormal(active), while FW1 goes from normal to abnormal(standby). (With equal priorities on both devices the state is normal, i.e. load-balance. When one side's priority changes the pair is no longer balanced, so both active and standby are abnormal states.) The FW1 log shows the cause: the line protocol on GE1/0/1 went down, the VRRP group on it went down, and VGMP lowered FW1's priority by 2, from 45000 to 44998; FW2, now holding the higher priority, takes over all groups.

HRP_S[FW2]
Sep 12 2022 07:34:15 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=normal,new_state=abnormal(active), local_priority=45000, peer_priority=44998)
Sep 12 2022 07:34:15 FW2 %%01HRPI/4/CORE_STATE(l)[9]:The HRP core state changed due to "Unknown". (old_state=normal, new_state=abnormal(active), local_priority=45000, peer_priority=44998)

Sep 12 2022 07:34:15 FW1 %%01IFNET/4/LINK_STATE(l)[8]:The line protocol IP on the interface GigabitEthernet1/0/1 has entered the DOWN state.
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/PRIORITY_CHANGE(l)[9]:The priority of the local VGMP group changed. (change_reason="VRRP change to down.", local_old_priority=45000, local_new_priority=44998)
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/CORE_STATE(l)[10]:The HRP core state changed due to "VRRP change to Down". (old_state=normal, new_state=abnormal(standby), local_priority=44998, peer_priority=45000)
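The log lines in items 1 and 5 above can be checked mechanically. This added example (not code from the page or from Huawei) parses HRP CORE_STATE and PRIORITY_CHANGE lines, de-duplicates the trap/syslog pairs, and checks every logged transition against the election rule these captures illustrate: equal priorities give normal, a higher priority than the peer gives abnormal(active), a lower one gives abnormal(standby), and an unknown peer priority can only give an abnormal state. The regular expressions are written against the exact format seen on this page, the function names are mine, and the embedded sample is a copy of the page's own lines.

```python
"""Parse HRP CORE_STATE / PRIORITY_CHANGE log lines and check each transition
against the VGMP election rule visible in this page's captures.

Added example, not Huawei code. The rule is inferred from the captures, not
taken from a specification.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample log: copied from the page's captures (section 2.4, items 1 and 5).
SAMPLE_LOG = """\
Sep 12 2022 07:06:22 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:22 FW1 %%01HRPI/4/CORE_STATE(l)[5]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 07:06:29 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 07:34:15 FW1 %%01IFNET/4/LINK_STATE(l)[8]:The line protocol IP on the interface GigabitEthernet1/0/1 has entered the DOWN state.
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/PRIORITY_CHANGE(l)[9]:The priority of the local VGMP group changed. (change_reason="VRRP change to down.", local_old_priority=45000, local_new_priority=44998)
Sep 12 2022 07:34:15 FW1 %%01HRPI/4/CORE_STATE(l)[10]:The HRP core state changed due to "VRRP change to Down". (old_state=normal, new_state=abnormal(standby), local_priority=44998, peer_priority=45000)
Sep 12 2022 07:34:15 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=normal,new_state=abnormal(active), local_priority=45000, peer_priority=44998)
"""

TS = r'(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<dev>\S+) '
CORE_STATE_RE = re.compile(
    TS + r'.*?CORE_STATE.*?due to "(?P<reason>[^"]*)"\. \(old_state=(?P<old>[\w()]+),\s*'
    r'new_state=(?P<new>[\w()]+),\s*local_priority=(?P<lp>\w+),\s*peer_priority=(?P<pp>\w+)\)'
)
PRIORITY_RE = re.compile(
    TS + r'.*?PRIORITY_CHANGE.*?change_reason="(?P<reason>[^"]*)",\s*'
    r'local_old_priority=(?P<old>\d+),\s*local_new_priority=(?P<new>\d+)'
)


@dataclass(frozen=True)
class Transition:
    ts: str
    device: str
    old: str
    new: str
    local_priority: Optional[int]
    peer_priority: Optional[int]   # None when the log says "unknown"
    reason: str


def _priority(text: str) -> Optional[int]:
    return None if text == "unknown" else int(text)


def parse_hrp_log(text: str) -> Tuple[List[Transition], List[tuple]]:
    """Extract state transitions and VGMP priority changes.

    Each event is logged twice (SNMP trap line and syslog line), so transitions
    are de-duplicated on (timestamp, device, old_state, new_state).
    """
    transitions, priority_changes, seen = [], [], set()
    for line in text.splitlines():
        m = CORE_STATE_RE.search(line)
        if m:
            key = (m["ts"], m["dev"], m["old"], m["new"])
            if key not in seen:
                seen.add(key)
                transitions.append(Transition(m["ts"], m["dev"], m["old"], m["new"],
                                              _priority(m["lp"]), _priority(m["pp"]), m["reason"]))
            continue
        m = PRIORITY_RE.search(line)
        if m:
            priority_changes.append((m["ts"], m["dev"], m["reason"], int(m["old"]), int(m["new"])))
    return transitions, priority_changes


def expected_state(local: Optional[int], peer: Optional[int]) -> Optional[str]:
    """VGMP election as the captures show it; None means 'cannot decide yet'."""
    if local is None or peer is None:
        return None
    if local == peer:
        return "normal"            # equal priorities: load-balance
    return "abnormal(active)" if local > peer else "abnormal(standby)"


def check_transitions(transitions: List[Transition]) -> List[Transition]:
    """Transitions whose logged new_state contradicts the election rule."""
    return [t for t in transitions
            if expected_state(t.local_priority, t.peer_priority) not in (None, t.new)]


def last_state_per_device(transitions: List[Transition]) -> dict:
    """Most recent HRP core state of each device (later lines overwrite earlier)."""
    return {t.device: t.new for t in transitions}
```

Fed with a syslog export, last_state_per_device is the hook for a monitoring check: a device that stays in an abnormal state, or a pair where neither side reports normal, is a failover that has not recovered and should page someone rather than silently halve the pair's redundancy.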

2.5 Changing from active/standby to load balancing

Add the following to the topology:

  · AR2: 202.100.1.253/24, with a default route pointing to 202.100.1.101

  · PC2: 10.1.1.2/24, with its gateway set to 10.1.1.253


2.6 Modifying the hot standby configuration

1. Disable HRP first

HRP_M[FW1]undo hrp enable

2. Add VRRP backup groups 3 and 4 with the roles reversed (FW1 standby, FW2 active), so that each firewall is master for one pair of virtual gateways

#FW1

[FW1-GigabitEthernet1/0/1]vrrp vrid 3 virtual-ip 202.100.1.101 standby
[FW1-GigabitEthernet1/0/0]vrrp vrid 4 virtual-ip 10.1.1.253 standby

#FW2

[FW2-GigabitEthernet1/0/1]vrrp vrid 3 virtual-ip 202.100.1.101 active
[FW2-GigabitEthernet1/0/0]vrrp vrid 4 virtual-ip 10.1.1.253 active

3. Re-enable HRP on both devices

[FW1]hrp enable
[FW2]hrp enable

2.7 Observed behaviour in load-balancing mode

1. After negotiation, the state machines of FW1 and FW2 both settle in normal (load-balance). Note that FW2, which is the active member of groups 3 and 4, briefly passes through abnormal(active) while the peer priority is still unknown before the link comes up and both sides see equal priorities.

[FW1]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW1]
Sep 12 2022 08:11:56 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 08:11:56 FW1 %%01HRPI/4/CORE_STATE(l)[18]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
HRP_S[FW1]
Sep 12 2022 08:11:56 FW1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 08:11:56 FW1 %%01HRPI/4/CORE_STATE(l)[19]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)
HRP_S[FW1]
Sep 12 2022 08:11:58 FW1 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-04-7f-d2, peer device ID is 00-e0-fc-8a-6d-ae.

[FW2]hrp enable
Info: NAT IP detect function is disabled.
HRP_S[FW2]
Sep 12 2022 08:11:56 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=initial,new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
Sep 12 2022 08:11:56 FW2 %%01HRPI/4/CORE_STATE(l)[15]:The HRP core state changed due to "Unknown". (old_state=initial, new_state=abnormal(standby), local_priority=45000, peer_priority=unknown)
HRP_S[FW2]
Sep 12 2022 08:11:57 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(standby),new_state=abnormal(active), local_priority=45000, peer_priority=unknown)
Sep 12 2022 08:11:57 FW2 %%01HRPI/4/CORE_STATE(l)[16]:The HRP core state changed due to "Unknown". (old_state=abnormal(standby), new_state=abnormal(active), local_priority=45000, peer_priority=unknown)
HRP_M[FW2]
Sep 12 2022 08:11:57 FW2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(active),new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 08:11:57 FW2 %%01HRPI/4/CORE_STATE(l)[17]:The HRP core state changed due to "Unknown". (old_state=abnormal(active), new_state=normal, local_priority=45000, peer_priority=45000)
Sep 12 2022 08:11:58 FW2 HRPI/6/DEVICEIDOK:1.3.6.1.4.1.2011.6.122.51.2.2.7 HRP link changes to up. Local device ID is 00-e0-fc-8a-6d-ae, peer device ID is 00-e0-fc-04-7f-d2.

2. Check the VRRP table: FW1 is Master for groups 1 and 2 and FW2 for groups 3 and 4, so each firewall forwards traffic for the hosts configured with its own gateway addresses while acting as Backup for the other's groups. This is the load-balancing arrangement.

HRP_M[FW1]display vrrp brief
2022-09-12 08:16:51.730
Total:4 Master:2 Backup:2 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/1 Vgmp 202.100.1.100
2 Master GE1/0/0 Vgmp 10.1.1.254
3 Backup GE1/0/1 Vgmp 202.100.1.101
4 Backup GE1/0/0 Vgmp 10.1.1.253

HRP_S[FW2]display vrrp brief
2022-09-12 08:17:59.800
Total:4 Master:2 Backup:2 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup GE1/0/1 Vgmp 202.100.1.100
2 Backup GE1/0/0 Vgmp 10.1.1.254
3 Master GE1/0/1 Vgmp 202.100.1.101
4 Master GE1/0/0 Vgmp 10.1.1.253

3. PC1 can ping AR1 (R1 in the address table) and PC2 can ping AR2, but PC1 cannot ping AR2 and PC2 cannot ping AR1. The forward and return paths differ: the request leaves through the firewall that owns the host's gateway, while the reply enters through the firewall that owns the router's default gateway, so each firewall sees only half of the exchange and the stateful inspection on the second firewall has no session to match the reply against.
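The asymmetric-path failure in item 3, as an added example (not code from the page or from Huawei). Each firewall is modelled as its own session table plus the page's single trust-to-untrust permit rule, and packets are routed through the firewall that owns the sender's gateway: PC1 via FW1 (10.1.1.254), PC2 via FW2 (10.1.1.253), AR2 via FW2 (202.100.1.101, as the page states) and AR1 via FW1 (202.100.1.100, an assumption mirroring AR2's route). The model deliberately assumes no session synchronisation between the two firewalls; that assumption is what reproduces the page's result, and the shared_sessions switch shows what a session backup between the two would change. Names such as Firewall, ping and run_matrix are mine.

```python
"""Why PC1 cannot reach AR2 (and PC2 cannot reach AR1) in load-balancing mode:
the request and the reply cross different stateful firewalls.

Added example, not part of the page. Assumes independent session tables on
the two firewalls unless shared_sessions=True.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    reply: bool = False   # True for the echo reply travelling back to the host


@dataclass
class Firewall:
    name: str
    sessions: Set[Tuple[str, str]] = field(default_factory=set)

    @staticmethod
    def zone(ip: str) -> str:
        return "trust" if ip.startswith("10.1.1.") else "untrust"

    def forward(self, pkt: Packet) -> bool:
        """Stateful inspection: a packet matching an existing session passes;
        otherwise only a first packet matching the trust->untrust rule passes
        and creates the session. Everything else, including a reply for a
        session this box never saw, is dropped."""
        key = (pkt.dst, pkt.src) if pkt.reply else (pkt.src, pkt.dst)
        if key in self.sessions:
            return True
        if not pkt.reply and self.zone(pkt.src) == "trust" and self.zone(pkt.dst) == "untrust":
            self.sessions.add(key)
            return True
        return False


# Which firewall owns the default gateway each address points at.
GATEWAY_OWNER: Dict[str, str] = {
    "10.1.1.1": "FW1",        # PC1, gateway 10.1.1.254 (VRID 2, master FW1)
    "10.1.1.2": "FW2",        # PC2, gateway 10.1.1.253 (VRID 4, master FW2)
    "202.100.1.254": "FW1",   # AR1, default route to 202.100.1.100 (assumed)
    "202.100.1.253": "FW2",   # AR2, default route to 202.100.1.101 (from the page)
}


def ping(fws: Dict[str, Firewall], src: str, dst: str) -> bool:
    """True only if the echo request and its reply both pass inspection."""
    if not fws[GATEWAY_OWNER[src]].forward(Packet(src, dst)):
        return False
    return fws[GATEWAY_OWNER[dst]].forward(Packet(dst, src, reply=True))


def run_matrix(shared_sessions: bool = False) -> Dict[Tuple[str, str], bool]:
    """Ping every host/router pair. With shared_sessions=True both firewalls
    consult one session table, i.e. what a session backup between them provides."""
    common: Set[Tuple[str, str]] = set()
    fws = {n: Firewall(n, common if shared_sessions else set()) for n in ("FW1", "FW2")}
    hosts = {"PC1": "10.1.1.1", "PC2": "10.1.1.2"}
    routers = {"AR1": "202.100.1.254", "AR2": "202.100.1.253"}
    return {(h, r): ping(fws, hosts[h], routers[r]) for h in hosts for r in routers}
```

run_matrix() reproduces the page's observation (only the PC1/AR1 and PC2/AR2 pairs succeed); run_matrix(shared_sessions=True) makes all four succeed, which is the behaviour to expect once the reply-side firewall can see the session created on the request side.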

4. Disconnect SW2's GE0/0/1 and observe. On FW1 the two groups on GE1/0/1 drop to Initialize (the interface is down) and the groups on GE1/0/0 become Backup, the HRP roles swap (FW1 now shows HRP_S, FW2 HRP_M), and FW2 becomes Master of all four groups, so all four virtual gateways remain reachable through FW2.

HRP_S[FW1]display vrrp brief
2022-09-12 08:33:02.290
Total:4 Master:0 Backup:2 Non-active:2
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Initialize GE1/0/1 Vgmp 202.100.1.100
2 Backup GE1/0/0 Vgmp 10.1.1.254
3 Initialize GE1/0/1 Vgmp 202.100.1.101
4 Backup GE1/0/0 Vgmp 10.1.1.253

HRP_M[FW2]display vrrp brief
2022-09-12 08:34:16.470
Total:4 Master:4 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/1 Vgmp 202.100.1.100
2 Master GE1/0/0 Vgmp 10.1.1.254
3 Master GE1/0/1 Vgmp 202.100.1.101
4 Master GE1/0/0 Vgmp 10.1.1.253
