Example for Deploying a Three-Layer Data Center Network Based on VRRP

Applicable Products and Versions

  • CloudEngine series switches running V300R020C00 or later.
  • USG5500 series products running V300R001.
  • For the mapping between software versions and specific switch models, see the Hardware Center.

Networking Requirements

In the data center scenario, the network is deployed in three layers: access, aggregation, and core. The user requires the following:

  • For service reliability, VRRP is deployed between the access and aggregation layers so that traffic switches to the other uplink when one uplink fails.
  • The loops introduced by redundant backup links between the access and aggregation layers are eliminated.
  • Firewalls are attached to the core-layer devices to filter service traffic.
  • OSPF is deployed between the aggregation and core layers for Layer 3 connectivity.
Figure 1 Three-layer data center network based on VRRP
Table 1 Data plan (using DeviceA, DeviceB, DeviceC, and DeviceD as examples)
Device  | VLAN and IP address                               | Interface                                      | Description
--------|---------------------------------------------------|------------------------------------------------|------------------------------
DeviceA | VLAN 2; IP 10.1.2.102/24; virtual IP 10.1.2.100   | 100GE1/0/1                                     | TO-CE6800-DEVICEC
        |                                                   | 100GE1/0/3                                     | TO-CE16800-DEVICEB
        | VLAN 3; IP 10.1.3.102/24; virtual IP 10.1.3.100   | 100GE1/0/2                                     | TO-CE6800-DEVICED
        |                                                   | 100GE1/0/3                                     | TO-CE16800-DEVICEB
        | VLAN 6; IP 10.1.6.102/24                          | 100GE1/0/4                                     | TO-CE16800-DEVICEI
        | VLAN 7; IP 10.1.7.102/24                          | 100GE1/0/5                                     | TO-CE16800-DEVICEJ
DeviceB | VLAN 2; IP 10.1.2.103/24; virtual IP 10.1.2.100   | 100GE1/0/2                                     | TO-CE6800-DEVICEC
        |                                                   | 100GE1/0/3                                     | TO-CE16800-DEVICEA
        | VLAN 3; IP 10.1.3.103/24; virtual IP 10.1.3.100   | 100GE1/0/1                                     | TO-CE6800-DEVICED
        |                                                   | 100GE1/0/3                                     | TO-CE16800-DEVICEA
        | VLAN 6; IP 10.1.6.103/24                          | 100GE1/0/4                                     | TO-CE16800-DEVICEI
        | VLAN 7; IP 10.1.7.103/24                          | 100GE1/0/5                                     | TO-CE16800-DEVICEJ
DeviceC | VLAN 2                                            | 100GE1/0/1                                     | TO-CE16800-DEVICEA
        |                                                   | 100GE1/0/2                                     | TO-CE16800-DEVICEB
        |                                                   | 100GE1/0/3                                     | TO-HOSTA
DeviceD | VLAN 3                                            | 100GE1/0/1                                     | TO-CE16800-DEVICEB
        |                                                   | 100GE1/0/2                                     | TO-CE16800-DEVICEA
        |                                                   | 100GE1/0/3                                     | TO-HOSTB
DeviceI | VLAN 6; IP 10.1.6.104/24                          | 100GE1/0/1                                     | TO-CE16800-DEVICEA
        |                                                   | 100GE1/0/2                                     | TO-CE16800-DEVICEB
        |                                                   | 100GE1/0/3                                     | TO-CE16800-DEVICEE
        |                                                   | 100GE1/0/4                                     | TO-CE16800-DEVICEF
        | VLAN 8; IP 10.1.8.104/24                          | 100GE1/0/5                                     | TO-ROUTERA
        | VLAN 9; IP 172.16.1.2/24                          | 100GE1/0/6                                     | TO-FW-1
        | VLAN 10; IP 172.16.2.2/24                         | 100GE1/0/7                                     | TO-FW-1
        | VLAN 11; IP 172.16.3.2/24                         | 100GE1/0/8                                     | TO-FW-2
        | VLAN 12; IP 172.16.4.2/24                         | 100GE1/0/9                                     | TO-FW-2
        | VLAN 13; IP 10.1.13.102/24                        | 100GE1/0/14                                    | TO-CE16800-DEVICEJ
DeviceJ | VLAN 7; IP 10.1.7.104/24                          | 100GE1/0/1                                     | TO-CE16800-DEVICEA
        |                                                   | 100GE1/0/2                                     | TO-CE16800-DEVICEB
        |                                                   | 100GE1/0/3                                     | TO-CE16800-DEVICEE
        |                                                   | 100GE1/0/4                                     | TO-CE16800-DEVICEF
        | VLAN 8; IP 10.1.8.105/24                          | 100GE1/0/5                                     | TO-ROUTERB
        | VLAN 9; IP 172.16.6.2/24                          | 100GE1/0/6                                     | TO-FW-1
        | VLAN 10; IP 172.16.7.2/24                         | 100GE1/0/7                                     | TO-FW-1
        | VLAN 11; IP 172.16.8.2/24                         | 100GE1/0/8                                     | TO-FW-2
        | VLAN 12; IP 172.16.9.2/24                         | 100GE1/0/9                                     | TO-FW-2
        | VLAN 13; IP 10.1.13.103/24                        | 100GE1/0/14                                    | TO-CE16800-DEVICEI
FW-1    | 172.16.1.1/24                                     | GE1/0/1                                        | TO-CE16800-DEVICEI-Upstream
        | 172.16.2.1/24                                     | GE1/0/2                                        | TO-CE16800-DEVICEI-Downstream
        | 172.16.3.1/24                                     | GE1/0/3                                        | TO-CE16800-DEVICEJ-Upstream
        | 172.16.4.1/24                                     | GE1/0/4                                        | TO-CE16800-DEVICEJ-Downstream
        | 172.16.5.1/24                                     | Eth-Trunk1: GE2/0/0, GE2/0/1, GE2/0/2, GE2/0/3 | TO-FW-2-HRP
        | 172.16.100.1/24                                   | Loopback1                                      | NA
        | 172.16.100.2/24                                   | Loopback2                                      | NA
        | 172.16.100.3/24                                   | Loopback3                                      | NA
        | 172.16.100.4/24                                   | Loopback4                                      | NA
FW-2    | 172.16.6.1/24                                     | GE1/0/1                                        | TO-CE16800-DEVICEJ-Upstream
        | 172.16.7.1/24                                     | GE1/0/2                                        | TO-CE16800-DEVICEJ-Downstream
        | 172.16.8.1/24                                     | GE1/0/3                                        | TO-CE16800-DEVICEI-Upstream
        | 172.16.9.1/24                                     | GE1/0/4                                        | TO-CE16800-DEVICEI-Downstream
        | 172.16.10.1/24                                    | Eth-Trunk1: GE2/0/0, GE2/0/1, GE2/0/2, GE2/0/3 | TO-FW-1-HRP
        | 172.16.100.1/24                                   | Loopback1                                      | NA
        | 172.16.100.2/24                                   | Loopback2                                      | NA
        | 172.16.100.3/24                                   | Loopback3                                      | NA
        | 172.16.100.4/24                                   | Loopback4                                      | NA

Configuration Roadmap

  1. Deploy VRRP between aggregation devices DeviceA and DeviceB to provide link redundancy.
  2. Deploy MSTP between aggregation devices DeviceA and DeviceB and access device DeviceC to eliminate loops in the network.
  3. Configure egress firewalls FW-1 and FW-2 in hot standby so that traffic forwarded from core device DeviceI or DeviceJ is processed by the firewall security policies before flowing to the data center or the Internet.
  4. Deploy OSPF between aggregation devices DeviceA and DeviceB and core devices DeviceI and DeviceJ for Layer 3 connectivity.

Procedure

  1. Configure basic MSTP functions.

    Two devices belong to the same MST region as long as the following configurations are identical on both:

    • MST region name.
    • Mapping between multiple spanning tree instances (MSTIs) and VLANs.
    • MST region revision level.
    1. Add DeviceA, DeviceB, and DeviceC to the MST region named RG1 and create instances MSTI1 and MSTI2.

      # Configure the MST region on aggregation device DeviceA.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceA
      [*HUAWEI] commit
      [~DeviceA] stp region-configuration
      [~DeviceA-mst-region] region-name RG1
      [*DeviceA-mst-region] instance 1 vlan 2
      [*DeviceA-mst-region] instance 2 vlan 3
      [*DeviceA-mst-region] commit
      [~DeviceA-mst-region] quit

      # Configure the MST region on aggregation device DeviceB.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceB
      [*HUAWEI] commit
      [~DeviceB] stp region-configuration
      [~DeviceB-mst-region] region-name RG1
      [*DeviceB-mst-region] instance 1 vlan 2
      [*DeviceB-mst-region] instance 2 vlan 3
      [*DeviceB-mst-region] commit
      [~DeviceB-mst-region] quit

      # Configure the MST region on access device DeviceC.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceC
      [*HUAWEI] commit
      [~DeviceC] stp region-configuration
      [~DeviceC-mst-region] region-name RG1
      [*DeviceC-mst-region] instance 1 vlan 2
      [*DeviceC-mst-region] instance 2 vlan 3
      [*DeviceC-mst-region] commit
      [~DeviceC-mst-region] quit

      # Configure the MST region on access device DeviceD.

      <HUAWEI> system-view
      [~HUAWEI] sysname DeviceD
      [*HUAWEI] commit
      [~DeviceD] stp region-configuration
      [~DeviceD-mst-region] region-name RG1
      [*DeviceD-mst-region] instance 1 vlan 2
      [*DeviceD-mst-region] instance 2 vlan 3
      [*DeviceD-mst-region] commit
      [~DeviceD-mst-region] quit
    2. In region RG1, configure the root bridge and secondary root bridge of MSTI1 and MSTI2.
      • Configure the root bridge and secondary root bridge of MSTI1.

        # Configure aggregation device DeviceA as the root bridge of MSTI1.

        [~DeviceA] stp instance 1 root primary
        [*DeviceA] commit

        # Configure aggregation device DeviceB as the secondary root bridge of MSTI1.

        [~DeviceB] stp instance 1 root secondary
        [*DeviceB] commit
      • Configure the root bridge and secondary root bridge of MSTI2.

        # Configure aggregation device DeviceB as the root bridge of MSTI2.

        [~DeviceB] stp instance 2 root primary
        [*DeviceB] commit

        # Configure aggregation device DeviceA as the secondary root bridge of MSTI2.

        [~DeviceA] stp instance 2 root secondary
        [*DeviceA] commit
    3. Set the path costs of the ports to be blocked in MSTI1 and MSTI2 to values larger than the default.

      • The value range of a port path cost depends on the path-cost calculation method. This example uses the Huawei proprietary method and sets the path cost of the ports to be blocked in MSTI1 and MSTI2 to 20000.
      • All switches in the same network must use the same path-cost calculation method.

      # Set the path-cost calculation method on aggregation device DeviceA to the Huawei proprietary method.

      [~DeviceA] stp pathcost-standard legacy
      [*DeviceA] commit

      # Set the path-cost calculation method on aggregation device DeviceB to the Huawei proprietary method.

      [~DeviceB] stp pathcost-standard legacy
      [*DeviceB] commit

      # Set the path-cost calculation method on access device DeviceC to the Huawei proprietary method, and set the path cost of port 100GE1/0/2 in MSTI1 to 20000.

      [~DeviceC] stp pathcost-standard legacy
      [*DeviceC] interface 100ge 1/0/2
      [*DeviceC-100GE1/0/2] description TO-CE16800-DEVICEB
      [*DeviceC-100GE1/0/2] stp instance 1 cost 20000
      [*DeviceC-100GE1/0/2] commit
      [~DeviceC-100GE1/0/2] quit

      # Set the path-cost calculation method on access device DeviceD to the Huawei proprietary method, and set the path cost of port 100GE1/0/2 in MSTI2 to 20000.

      [~DeviceD] stp pathcost-standard legacy
      [*DeviceD] interface 100ge 1/0/2
      [*DeviceD-100GE1/0/2] description TO-CE16800-DEVICEA
      [*DeviceD-100GE1/0/2] stp instance 2 cost 20000
      [*DeviceD-100GE1/0/2] commit
      [~DeviceD-100GE1/0/2] quit
    4. Enable MSTP to eliminate loops.

      MSTP is enabled on the devices by default.

      • Enable MSTP globally on each device.

        # Enable MSTP on aggregation device DeviceA.

        [~DeviceA] stp enable
        [*DeviceA] commit

        # Enable MSTP on aggregation device DeviceB.

        [~DeviceB] stp enable
        [*DeviceB] commit

        # Enable MSTP on access device DeviceC.

        [~DeviceC] stp enable
        [*DeviceC] commit

        # Enable MSTP on access device DeviceD.

        [~DeviceD] stp enable
        [*DeviceD] commit
      • Configure the ports connected to the hosts as edge ports.

        # Configure port 100GE1/0/3 on access device DeviceC as an edge port.

        [~DeviceC] interface 100ge 1/0/3
        [*DeviceC-100GE1/0/3] description TO-HOSTA
        [*DeviceC-100GE1/0/3] stp edged-port enable
        [*DeviceC-100GE1/0/3] commit
        [~DeviceC-100GE1/0/3] quit

        # Configure port 100GE1/0/3 on access device DeviceD as an edge port.

        [~DeviceD] interface 100ge 1/0/3
        [*DeviceD-100GE1/0/3] description TO-HOSTB
        [*DeviceD-100GE1/0/3] stp edged-port enable
        [*DeviceD-100GE1/0/3] commit
        [~DeviceD-100GE1/0/3] quit
  2. Configure protection functions, for example, enable root protection on the designated ports of the root bridge of each instance.

    # Enable root protection on port 100GE1/0/1 of aggregation device DeviceA.

    [~DeviceA] interface 100ge 1/0/1
    [~DeviceA-100GE1/0/1] description TO-CE6800-DEVICEC
    [*DeviceA-100GE1/0/1] stp root-protection
    [*DeviceA-100GE1/0/1] commit
    [~DeviceA-100GE1/0/1] quit

    # Enable root protection on port 100GE1/0/1 of aggregation device DeviceB.

    [~DeviceB] interface 100ge 1/0/1
    [~DeviceB-100GE1/0/1] description TO-CE6800-DEVICED
    [*DeviceB-100GE1/0/1] stp root-protection
    [*DeviceB-100GE1/0/1] commit
    [~DeviceB-100GE1/0/1] quit
  3. Configure Layer 2 forwarding on the devices in the ring network.
    • Create VLAN 2 and VLAN 3 on switches DeviceA, DeviceB, DeviceC, and DeviceD.

      # Create VLANs 2 to 3 on aggregation device DeviceA.

      [~DeviceA] vlan batch 2 to 3

      # Create VLANs 2 to 3 on aggregation device DeviceB.

      [~DeviceB] vlan batch 2 to 3

      # Create VLAN 2 on access device DeviceC.

      [~DeviceC] vlan batch 2

      # Create VLAN 3 on access device DeviceD.

      [~DeviceD] vlan batch 3
    • Add the switch ports that form the ring to the VLANs.

      # Add port 100GE1/0/1 of aggregation device DeviceA to the VLAN.

      [~DeviceA] interface 100ge 1/0/1
      [~DeviceA-100GE1/0/1] port link-type trunk
      [*DeviceA-100GE1/0/1] undo port trunk allow-pass vlan 1
      [*DeviceA-100GE1/0/1] port trunk allow-pass vlan 2
      [*DeviceA-100GE1/0/1] commit
      [~DeviceA-100GE1/0/1] quit

      # Add port 100GE1/0/2 of aggregation device DeviceA to the VLAN.

      [~DeviceA] interface 100ge 1/0/2
      [~DeviceA-100GE1/0/2] description TO-CE6800-DEVICED
      [*DeviceA-100GE1/0/2] port link-type trunk
      [*DeviceA-100GE1/0/2] undo port trunk allow-pass vlan 1
      [*DeviceA-100GE1/0/2] port trunk allow-pass vlan 3
      [*DeviceA-100GE1/0/2] commit
      [~DeviceA-100GE1/0/2] quit

      # Add port 100GE1/0/3 of aggregation device DeviceA to the VLANs.

      [~DeviceA] interface 100ge 1/0/3
      [~DeviceA-100GE1/0/3] description TO-CE16800-DEVICEB
      [*DeviceA-100GE1/0/3] port link-type trunk
      [*DeviceA-100GE1/0/3] undo port trunk allow-pass vlan 1
      [*DeviceA-100GE1/0/3] port trunk allow-pass vlan 2 to 3
      [*DeviceA-100GE1/0/3] commit
      [~DeviceA-100GE1/0/3] quit

      # Add port 100GE1/0/1 of aggregation device DeviceB to the VLAN.

      [~DeviceB] interface 100ge 1/0/1
      [~DeviceB-100GE1/0/1] port link-type trunk
      [*DeviceB-100GE1/0/1] undo port trunk allow-pass vlan 1
      [*DeviceB-100GE1/0/1] port trunk allow-pass vlan 3
      [*DeviceB-100GE1/0/1] commit
      [~DeviceB-100GE1/0/1] quit

      # Add port 100GE1/0/2 of aggregation device DeviceB to the VLAN.

      [~DeviceB] interface 100ge 1/0/2
      [~DeviceB-100GE1/0/2] description TO-CE6800-DEVICEC
      [*DeviceB-100GE1/0/2] port link-type trunk
      [*DeviceB-100GE1/0/2] undo port trunk allow-pass vlan 1
      [*DeviceB-100GE1/0/2] port trunk allow-pass vlan 2
      [*DeviceB-100GE1/0/2] commit
      [~DeviceB-100GE1/0/2] quit

      # Add port 100GE1/0/3 of aggregation device DeviceB to the VLANs.

      [~DeviceB] interface 100ge 1/0/3
      [~DeviceB-100GE1/0/3] description TO-CE16800-DEVICEA
      [*DeviceB-100GE1/0/3] port link-type trunk
      [*DeviceB-100GE1/0/3] undo port trunk allow-pass vlan 1
      [*DeviceB-100GE1/0/3] port trunk allow-pass vlan 2 to 3
      [*DeviceB-100GE1/0/3] commit
      [~DeviceB-100GE1/0/3] quit

      # Add port 100GE1/0/1 of access device DeviceC to the VLAN.

      [~DeviceC] interface 100ge 1/0/1
      [~DeviceC-100GE1/0/1] description TO-CE16800-DEVICEA
      [*DeviceC-100GE1/0/1] port link-type trunk
      [*DeviceC-100GE1/0/1] undo port trunk allow-pass vlan 1
      [*DeviceC-100GE1/0/1] port trunk allow-pass vlan 2
      [*DeviceC-100GE1/0/1] commit
      [~DeviceC-100GE1/0/1] quit

      # Add port 100GE1/0/2 of access device DeviceC to the VLAN.

      [~DeviceC] interface 100ge 1/0/2
      [~DeviceC-100GE1/0/2] port link-type trunk
      [*DeviceC-100GE1/0/2] undo port trunk allow-pass vlan 1
      [*DeviceC-100GE1/0/2] port trunk allow-pass vlan 2
      [*DeviceC-100GE1/0/2] commit
      [~DeviceC-100GE1/0/2] quit

      # Add port 100GE1/0/3 of access device DeviceC to the VLAN.

      [~DeviceC] interface 100ge 1/0/3
      [~DeviceC-100GE1/0/3] port link-type access
      [*DeviceC-100GE1/0/3] port default vlan 2
      [*DeviceC-100GE1/0/3] commit
      [~DeviceC-100GE1/0/3] quit

      # Add port 100GE1/0/1 of access device DeviceD to the VLAN.

      [~DeviceD] interface 100ge 1/0/1
      [~DeviceD-100GE1/0/1] description TO-CE16800-DEVICEB
      [*DeviceD-100GE1/0/1] port link-type trunk
      [*DeviceD-100GE1/0/1] undo port trunk allow-pass vlan 1
      [*DeviceD-100GE1/0/1] port trunk allow-pass vlan 3
      [*DeviceD-100GE1/0/1] commit
      [~DeviceD-100GE1/0/1] quit

      # Add port 100GE1/0/2 of access device DeviceD to the VLAN.

      [~DeviceD] interface 100ge 1/0/2
      [~DeviceD-100GE1/0/2] port link-type trunk
      [*DeviceD-100GE1/0/2] undo port trunk allow-pass vlan 1
      [*DeviceD-100GE1/0/2] port trunk allow-pass vlan 3
      [*DeviceD-100GE1/0/2] commit
      [~DeviceD-100GE1/0/2] quit

      # Add port 100GE1/0/3 of access device DeviceD to the VLAN.

      [~DeviceD] interface 100ge 1/0/3
      [~DeviceD-100GE1/0/3] port link-type access
      [*DeviceD-100GE1/0/3] port default vlan 3
      [*DeviceD-100GE1/0/3] commit
      [~DeviceD-100GE1/0/3] quit
  4. Configure VRRP groups.

    # Create VRRP group 1 on aggregation devices DeviceA and DeviceB. Set the priority of DeviceA to 120 and its preemption delay to 20 seconds so that it becomes the master; DeviceB keeps the default priority and acts as the backup.

    • DeviceA
      [~DeviceA] interface vlanif 2
      [*DeviceA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
      [*DeviceA-Vlanif2] vrrp vrid 1 priority 120
      [*DeviceA-Vlanif2] vrrp vrid 1 preempt timer delay 20
      [*DeviceA-Vlanif2] commit
      [~DeviceA-Vlanif2] quit
    • DeviceB
      [~DeviceB] interface vlanif 2
      [*DeviceB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
      [*DeviceB-Vlanif2] commit
      [~DeviceB-Vlanif2] quit

    # Create VRRP group 2 on aggregation devices DeviceA and DeviceB. Set the priority of DeviceB to 120 and its preemption delay to 20 seconds so that it becomes the master; DeviceA keeps the default priority and acts as the backup.

    • DeviceB
      [~DeviceB] interface vlanif 3
      [*DeviceB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
      [*DeviceB-Vlanif3] vrrp vrid 2 priority 120
      [*DeviceB-Vlanif3] vrrp vrid 2 preempt timer delay 20
      [*DeviceB-Vlanif3] commit
      [~DeviceB-Vlanif3] quit
    • DeviceA
      [~DeviceA] interface vlanif 3
      [*DeviceA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
      [*DeviceA-Vlanif3] commit
      [~DeviceA-Vlanif3] quit

    # Set the default gateway of HostA to 10.1.2.100, the virtual IP address of VRRP group 1, and the default gateway of HostB to 10.1.3.100, the virtual IP address of VRRP group 2.
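    The following Python script is an added example and is not part of the original guide or Huawei's software. It parses VRP-style CLI lines like those in steps 1 and 4 and audits the three properties this design relies on: all devices carry identical MST region settings, each VRRP group has exactly one master, and that master is the root bridge of the MSTI its VLAN maps to (so user traffic is not forced across the DeviceA-DeviceB link). The drifted input is a constructed fault.

```python
"""Consistency audit for the MSTP/VRRP design above (added example, not part of
the original guide). It parses VRP-style CLI lines like those in steps 1 and 4
and checks that all devices share one MST region configuration, that each VRRP
group has exactly one raised-priority master, and that this master is the root
of the MSTI its VLAN maps to. The drifted input is a constructed fault."""
import re
from collections import defaultdict

# Constructed input: the relevant commands from steps 1 and 4 of the guide.
CLI = """
[~DeviceA-mst-region] region-name RG1
[*DeviceA-mst-region] instance 1 vlan 2
[*DeviceA-mst-region] instance 2 vlan 3
[~DeviceA] stp instance 1 root primary
[~DeviceA] stp instance 2 root secondary
[*DeviceA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*DeviceA-Vlanif2] vrrp vrid 1 priority 120
[*DeviceA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[~DeviceB-mst-region] region-name RG1
[*DeviceB-mst-region] instance 1 vlan 2
[*DeviceB-mst-region] instance 2 vlan 3
[~DeviceB] stp instance 1 root secondary
[~DeviceB] stp instance 2 root primary
[*DeviceB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*DeviceB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*DeviceB-Vlanif3] vrrp vrid 2 priority 120
[~DeviceC-mst-region] region-name RG1
[*DeviceC-mst-region] instance 1 vlan 2
[*DeviceC-mst-region] instance 2 vlan 3
"""
# Constructed fault: DeviceC maps MSTI2 to VLAN 4, which would place it in a
# different MST region from DeviceA and DeviceB.
CLI_DRIFTED = CLI.replace("[*DeviceC-mst-region] instance 2 vlan 3",
                          "[*DeviceC-mst-region] instance 2 vlan 4")

# Prompt forms: [~DeviceA] cmd, [*DeviceA-mst-region] cmd, [*DeviceA-Vlanif2] cmd
PROMPT = re.compile(r"^\[[~*](?P<dev>[A-Za-z0-9]+)(?:-(?P<view>[^\]]+))?\] (?P<cmd>.+)$")
DEFAULT_VRRP_PRIORITY = 100  # applies when no 'vrrp vrid N priority' is configured


def parse(cli):
    """Collect MST region settings, MSTI root roles and VRRP groups from CLI text."""
    regions = defaultdict(lambda: {"name": None, "map": {}, "revision": 0})
    roots = defaultdict(dict)                                   # msti -> role -> device
    vrrp = defaultdict(lambda: {"vlan": None, "members": {}})   # vrid -> group
    for line in cli.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        dev, view, cmd = m["dev"], m["view"] or "", m["cmd"].split()
        # MST region view: 'instance N vlan V1 V2 ...' (ranges with 'to' are not handled)
        if view == "mst-region":
            if cmd[0] == "region-name": regions[dev]["name"] = cmd[1]
            elif cmd[0] == "instance": regions[dev]["map"][int(cmd[1])] = set(map(int, cmd[3:]))
            elif cmd[0] == "revision-level": regions[dev]["revision"] = int(cmd[1])
        elif cmd[:2] == ["stp", "instance"] and len(cmd) > 4 and cmd[3] == "root":
            roots[int(cmd[2])][cmd[4]] = dev
        elif cmd[:2] == ["vrrp", "vrid"] and view.startswith("Vlanif"):
            grp = vrrp[int(cmd[2])]
            grp["vlan"] = int(view[len("Vlanif"):])
            member = grp["members"].setdefault(dev, {"vip": None, "priority": DEFAULT_VRRP_PRIORITY})
            if cmd[3] == "virtual-ip": member["vip"] = cmd[4]
            elif cmd[3] == "priority": member["priority"] = int(cmd[4])
    return regions, roots, vrrp


def audit(cli):
    """Return a list of findings; an empty list means the design checks pass."""
    regions, roots, vrrp = parse(cli)
    findings = []
    ref_dev, ref = next(iter(regions.items()))   # first device seen is the reference
    for dev, reg in regions.items():
        if reg != ref:
            findings.append(f"{dev}: MST region settings differ from {ref_dev}")
    vlan_to_msti = {v: inst for inst, vlans in ref["map"].items() for v in vlans}
    for vrid, grp in sorted(vrrp.items()):
        vips = {m["vip"] for m in grp["members"].values()}
        if len(vips) != 1:
            findings.append(f"VRRP group {vrid}: virtual IP mismatch {sorted(map(str, vips))}")
        masters = [d for d, m in grp["members"].items() if m["priority"] > DEFAULT_VRRP_PRIORITY]
        if len(masters) != 1:
            findings.append(f"VRRP group {vrid}: expected one raised priority, got {masters}")
            continue
        msti = vlan_to_msti.get(grp["vlan"])
        root = roots.get(msti, {}).get("primary")
        if root != masters[0]:
            findings.append(f"VRRP group {vrid}: master {masters[0]} is not the MSTI{msti} root ({root})")
    return findings
```

    Running audit(CLI) returns an empty list for the configuration in this guide, while audit(CLI_DRIFTED) reports DeviceC as diverging from region RG1.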

  5. Configure network interconnection between the devices.

    # Configure IP addresses for the device interfaces, using aggregation device DeviceA as an example. The configurations of DeviceB, DeviceI, and DeviceJ are similar; see the configuration scripts.

    [~DeviceA] vlan batch 6 7
    [*DeviceA] interface 100ge 1/0/4
    [*DeviceA-100GE1/0/4] description TO-CE16800-DEVICEI
    [*DeviceA-100GE1/0/4] port link-type trunk
    [*DeviceA-100GE1/0/4] undo port trunk allow-pass vlan 1
    [*DeviceA-100GE1/0/4] port trunk allow-pass vlan 6
    [*DeviceA-100GE1/0/4] quit
    [*DeviceA] interface 100ge 1/0/5
    [*DeviceA-100GE1/0/5] description TO-CE16800-DEVICEJ
    [*DeviceA-100GE1/0/5] port link-type trunk
    [*DeviceA-100GE1/0/5] undo port trunk allow-pass vlan 1
    [*DeviceA-100GE1/0/5] port trunk allow-pass vlan 7
    [*DeviceA-100GE1/0/5] quit
    [*DeviceA] interface vlanif 2
    [*DeviceA-Vlanif2] ip address 10.1.2.102 24
    [*DeviceA-Vlanif2] quit
    [*DeviceA] interface vlanif 3
    [*DeviceA-Vlanif3] ip address 10.1.3.102 24
    [*DeviceA-Vlanif3] quit
    [*DeviceA] interface vlanif 6
    [*DeviceA-Vlanif6] ip address 10.1.6.102 24
    [*DeviceA-Vlanif6] quit
    [*DeviceA] interface vlanif 7
    [*DeviceA-Vlanif7] ip address 10.1.7.102 24
    [*DeviceA-Vlanif7] quit
    [*DeviceA] commit

    # Configure OSPF between aggregation devices DeviceA and DeviceB, core devices DeviceI and DeviceJ, and the egress routers, using aggregation device DeviceA as an example. The configurations of DeviceB, DeviceI, and DeviceJ are similar; see the configuration scripts.

    [~DeviceA] ospf 1
    [*DeviceA-ospf-1] area 0
    [*DeviceA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
    [*DeviceA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
    [*DeviceA-ospf-1-area-0.0.0.0] network 10.1.6.0 0.0.0.255
    [*DeviceA-ospf-1-area-0.0.0.0] network 10.1.7.0 0.0.0.255
    [*DeviceA-ospf-1-area-0.0.0.0] quit
    [*DeviceA-ospf-1] quit
    [*DeviceA] commit
  6. Configure the firewalls. Configure FW-1 and FW-2 in hot standby so that packets forwarded from DeviceI and DeviceJ are processed by the security policies of FW-1 or FW-2 before flowing to the data center or the Internet.

    FW-1 and FW-2 work in load-balancing mode and both forward traffic; when one firewall fails, services switch smoothly to the other.

    The following uses Huawei USG unified security gateways as FW-1 and FW-2 to describe the load-balancing hot standby configuration.

    1. Complete the basic configuration of egress firewall FW-1, including the device name, interfaces, and security zones.
      <USG> system-view
      [USG] sysname FW-1
      [FW-1] interface GigabitEthernet 1/0/1
      [FW-1-GigabitEthernet1/0/1] description TO-CE16800-DeviceI-Upstream
      [FW-1-GigabitEthernet1/0/1] ip address 172.16.1.1 24
      [FW-1-GigabitEthernet1/0/1] quit
      [FW-1] interface GigabitEthernet 1/0/2
      [FW-1-GigabitEthernet1/0/2] description TO-CE16800-DeviceI-Downstream
      [FW-1-GigabitEthernet1/0/2] ip address 172.16.2.1 24
      [FW-1-GigabitEthernet1/0/2] quit
      [FW-1] interface GigabitEthernet 1/0/3
      [FW-1-GigabitEthernet1/0/3] description TO-CE16800-DeviceJ-Upstream
      [FW-1-GigabitEthernet1/0/3] ip address 172.16.3.1 24
      [FW-1-GigabitEthernet1/0/3] quit
      [FW-1] interface GigabitEthernet 1/0/4
      [FW-1-GigabitEthernet1/0/4] description TO-CE16800-DeviceJ-Downstream
      [FW-1-GigabitEthernet1/0/4] ip address 172.16.4.1 24
      [FW-1-GigabitEthernet1/0/4] quit
      [FW-1] interface Eth-Trunk 1
      [FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
      [FW-1-Eth-Trunk1] description TO-FW-2-HRP
      [FW-1-Eth-Trunk1] ip address 172.16.5.1 24
      [FW-1-Eth-Trunk1] quit
      [FW-1] firewall zone trust
      [FW-1-zone-trust] add interface GigabitEthernet 1/0/1
      [FW-1-zone-trust] add interface GigabitEthernet 1/0/3
      [FW-1-zone-trust] quit
      [FW-1] firewall zone untrust
      [FW-1-zone-untrust] add interface GigabitEthernet 1/0/2
      [FW-1-zone-untrust] add interface GigabitEthernet 1/0/4
      [FW-1-zone-untrust] quit
      [FW-1] firewall zone dmz
      [FW-1-zone-dmz] add interface Eth-Trunk 1
      [FW-1-zone-dmz] quit
      [FW-1] interface LoopBack 1
      [FW-1-LoopBack1] ip address 172.16.100.1 32
      [FW-1-LoopBack1] quit
      [FW-1] interface LoopBack 2
      [FW-1-LoopBack2] ip address 172.16.100.2 32
      [FW-1-LoopBack2] quit
      [FW-1] interface LoopBack 3
      [FW-1-LoopBack3] ip address 172.16.100.3 32
      [FW-1-LoopBack3] quit
      [FW-1] interface LoopBack 4
      [FW-1-LoopBack4] ip address 172.16.100.4 32
      [FW-1-LoopBack4] quit
    2. Complete the basic configuration of egress firewall FW-2, including the device name, interfaces, and security zones.
      <USG> system-view
      [USG] sysname FW-2
      [FW-2] interface GigabitEthernet 1/0/1
      [FW-2-GigabitEthernet1/0/1] description TO-CE16800-DeviceI-Upstream
      [FW-2-GigabitEthernet1/0/1] ip address 172.16.6.1 24
      [FW-2-GigabitEthernet1/0/1] quit
      [FW-2] interface GigabitEthernet 1/0/2
      [FW-2-GigabitEthernet1/0/2] description TO-CE16800-DeviceI-Downstream
      [FW-2-GigabitEthernet1/0/2] ip address 172.16.7.1 24
      [FW-2-GigabitEthernet1/0/2] quit
      [FW-2] interface GigabitEthernet 1/0/3
      [FW-2-GigabitEthernet1/0/3] description TO-CE16800-DeviceJ-Upstream
      [FW-2-GigabitEthernet1/0/3] ip address 172.16.8.1 24
      [FW-2-GigabitEthernet1/0/3] quit
      [FW-2] interface GigabitEthernet 1/0/4
      [FW-2-GigabitEthernet1/0/4] description TO-CE16800-DeviceJ-Downstream
      [FW-2-GigabitEthernet1/0/4] ip address 172.16.9.1 24
      [FW-2-GigabitEthernet1/0/4] quit
      [FW-2] interface Eth-Trunk 1
      [FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
      [FW-2-Eth-Trunk1] description TO-FW-1-HRP
      [FW-2-Eth-Trunk1] ip address 172.16.10.1 24
      [FW-2-Eth-Trunk1] quit
      [FW-2] firewall zone trust
      [FW-2-zone-trust] add interface GigabitEthernet 1/0/1
      [FW-2-zone-trust] add interface GigabitEthernet 1/0/3
      [FW-2-zone-trust] quit
      [FW-2] firewall zone untrust
      [FW-2-zone-untrust] add interface GigabitEthernet 1/0/2
      [FW-2-zone-untrust] add interface GigabitEthernet 1/0/4
      [FW-2-zone-untrust] quit
      [FW-2] firewall zone dmz
      [FW-2-zone-dmz] add interface Eth-Trunk 1
      [FW-2-zone-dmz] quit
      [FW-2] interface LoopBack 1
      [FW-2-LoopBack1] ip address 172.16.100.1 32
      [FW-2-LoopBack1] quit
      [FW-2] interface LoopBack 2
      [FW-2-LoopBack2] ip address 172.16.100.2 32
      [FW-2-LoopBack2] quit
      [FW-2] interface LoopBack 3
      [FW-2-LoopBack3] ip address 172.16.100.3 32
      [FW-2-LoopBack3] quit
      [FW-2] interface LoopBack 4
      [FW-2-LoopBack4] ip address 172.16.100.4 32
      [FW-2-LoopBack4] quit
    3. Configure OSPF on egress firewalls FW-1 and FW-2. Each OSPF process must be assigned a different router ID. In addition, the active and standby firewalls must use different router IDs for their OSPF processes to prevent OSPF route flapping.
      [FW-1] ospf 1 router-id 172.16.100.1
      [FW-1-ospf-1] area 0
      [FW-1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
      [FW-1-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
      [FW-1-ospf-1-area-0.0.0.0] quit
      [FW-1-ospf-1] quit
      [FW-1] ospf 2 router-id 172.16.100.2
      [FW-1-ospf-2] area 0
      [FW-1-ospf-2-area-0.0.0.0] network 172.16.2.0 0.0.0.255
      [FW-1-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
      [FW-1-ospf-2-area-0.0.0.0] quit
      [FW-1-ospf-2] quit
      [FW-1] ospf 3 router-id 172.16.100.3
      [FW-1-ospf-3] area 0
      [FW-1-ospf-3-area-0.0.0.0] network 172.16.3.0 0.0.0.255
      [FW-1-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
      [FW-1-ospf-3-area-0.0.0.0] quit
      [FW-1-ospf-3] quit
      [FW-1] ospf 4 router-id 172.16.100.4
      [FW-1-ospf-4] area 0
      [FW-1-ospf-4-area-0.0.0.0] network 172.16.4.0 0.0.0.255
      [FW-1-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
      [FW-1-ospf-4-area-0.0.0.0] quit
      [FW-1-ospf-4] quit
      [FW-2] ospf 1 router-id 172.16.100.6
      [FW-2-ospf-1] area 0
      [FW-2-ospf-1-area-0.0.0.0] network 172.16.6.0 0.0.0.255
      [FW-2-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
      [FW-2-ospf-1-area-0.0.0.0] quit
      [FW-2-ospf-1] quit
      [FW-2] ospf 2 router-id 172.16.100.7
      [FW-2-ospf-2] area 0
      [FW-2-ospf-2-area-0.0.0.0] network 172.16.7.0 0.0.0.255
      [FW-2-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
      [FW-2-ospf-2-area-0.0.0.0] quit
      [FW-2-ospf-2] quit
      [FW-2] ospf 3 router-id 172.16.100.8
      [FW-2-ospf-3] area 0
      [FW-2-ospf-3-area-0.0.0.0] network 172.16.8.0 0.0.0.255
      [FW-2-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
      [FW-2-ospf-3-area-0.0.0.0] quit
      [FW-2-ospf-3] quit
      [FW-2] ospf 4 router-id 172.16.100.9
      [FW-2-ospf-4] area 0
      [FW-2-ospf-4-area-0.0.0.0] network 172.16.9.0 0.0.0.255
      [FW-2-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
      [FW-2-ospf-4-area-0.0.0.0] quit
      [FW-2-ospf-4] quit
    4. Configure hot standby on egress firewalls FW-1 and FW-2.
      • Configure hot standby on FW-1.
        [FW-1] hrp track interface GigabitEthernet 1/0/1
        [FW-1] hrp track interface GigabitEthernet 1/0/2
        [FW-1] hrp track interface GigabitEthernet 1/0/3
        [FW-1] hrp track interface GigabitEthernet 1/0/4
        [FW-1] hrp adjust ospf-cost enable
        [FW-1] hrp interface Eth-Trunk 1 remote 172.16.10.1
        [FW-1] hrp enable
        [FW-1] hrp mirror session enable
      • Configure hot standby on FW-2.
        [FW-2] hrp track interface GigabitEthernet 1/0/1
        [FW-2] hrp track interface GigabitEthernet 1/0/2
        [FW-2] hrp track interface GigabitEthernet 1/0/3
        [FW-2] hrp track interface GigabitEthernet 1/0/4
        [FW-2] hrp adjust ospf-cost enable
        [FW-2] hrp interface Eth-Trunk 1 remote 172.16.5.1
        [FW-2] hrp enable
        [FW-2] hrp mirror session enable
    5. Configure security policies and intrusion prevention.
      HRP_M[FW-1] policy interzone trust untrust outbound
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.2.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.4.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.5.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
      HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
      HRP_M[FW-1] policy interzone trust untrust inbound
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.2.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.4.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.5.0 mask 24
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
      HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
      HRP_M[FW-1] ips enable
    6. Configure attack defense.

      The attack-defense thresholds in this example are for reference only. Administrators should set them according to the actual traffic on the network.

      HRP_M[FW-1] firewall defend syn-flood enable
      HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
      HRP_M[FW-1] firewall defend udp-flood enable
      HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
      HRP_M[FW-1] firewall defend icmp-flood enable
      HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
      HRP_M[FW-1] firewall blacklist enable
      HRP_M[FW-1] firewall defend ip-sweep enable
      HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
      HRP_M[FW-1] firewall defend port-scan enable
      HRP_M[FW-1] firewall defend port-scan max-rate 4000
      HRP_M[FW-1] firewall defend ip-fragment enable
      HRP_M[FW-1] firewall defend ip-spoofing enable
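    The following Python model is an added example, not the guide's code or the USG software. It encodes the FW-1 zone membership from sub-step 1 and the two interzone rules from sub-step 5 (trust-to-untrust outbound permitting the four data center subnets as source, untrust-to-trust inbound permitting them as destination for ftp and http only), applies the default deny to interzone traffic that matches no rule, and reports which sample flows would be permitted so the policy can be reviewed before deployment. Interface names and subnets come from the guide; the sample flows are constructed, and well-known ports stand in for the predefined service sets.

```python
"""Model of the interzone security policy configured on FW-1 in sub-step 5
(added example, not the guide's code or the USG implementation). It encodes
the zone membership from sub-step 1, the outbound rule (sources 10.1.2.0/24
to 10.1.5.0/24, any service) and the inbound rule (those subnets as the
destination, ftp and http only), and applies the implicit deny to interzone
traffic that matches no rule. Sample flows are constructed; well-known ports
stand in for the predefined service sets."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zone membership from the FW-1 basic configuration in sub-step 1.
ZONE_OF_INTERFACE = {
    "GigabitEthernet1/0/1": "trust", "GigabitEthernet1/0/3": "trust",
    "GigabitEthernet1/0/2": "untrust", "GigabitEthernet1/0/4": "untrust",
    "Eth-Trunk1": "dmz",
}
# Predefined service sets named in the policy, resolved to (protocol, port).
SERVICES = {"ftp": ("tcp", 21), "http": ("tcp", 80)}
DC_SUBNETS = [ip_network(n) for n in ("10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24")]


@dataclass
class Rule:
    sources: list = field(default_factory=list)       # empty = any source
    destinations: list = field(default_factory=list)  # empty = any destination
    services: list = field(default_factory=list)      # empty = any service
    action: str = "deny"
    ips_profile: Optional[str] = None                 # 'profile ips default' in the guide

    def matches(self, src, dst, proto, port) -> bool:
        if self.sources and not any(src in n for n in self.sources):
            return False
        if self.destinations and not any(dst in n for n in self.destinations):
            return False
        if self.services and (proto, port) not in {SERVICES[s] for s in self.services}:
            return False
        return True


# policy interzone trust untrust outbound / inbound, policy 1 in each direction
POLICIES = {
    ("trust", "untrust"): [Rule(sources=DC_SUBNETS, action="permit", ips_profile="default")],
    ("untrust", "trust"): [Rule(destinations=DC_SUBNETS, services=["ftp", "http"],
                                action="permit", ips_profile="default")],
}


def evaluate(in_if, out_if, src, dst, proto, port) -> Tuple[str, Optional[str]]:
    """Return (action, ips_profile) for a new session entering in_if and leaving out_if."""
    src_zone, dst_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
    src, dst = ip_address(src), ip_address(dst)
    for rule in POLICIES.get((src_zone, dst_zone), []):
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.ips_profile
    return "deny", None   # no policy for this zone pair or no match: interzone default deny


# Constructed sample flows: (in_if, out_if, src, dst, proto, port).
SAMPLE_FLOWS = [
    ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "10.1.2.10", "203.0.113.5", "tcp", 443),
    ("GigabitEthernet1/0/2", "GigabitEthernet1/0/1", "198.51.100.7", "10.1.3.20", "tcp", 80),
    ("GigabitEthernet1/0/2", "GigabitEthernet1/0/1", "198.51.100.7", "10.1.3.20", "tcp", 22),
    ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "10.1.9.1", "203.0.113.5", "tcp", 443),
    ("GigabitEthernet1/0/2", "Eth-Trunk1", "198.51.100.7", "172.16.10.1", "udp", 500),
]


def evaluate_all(flows=SAMPLE_FLOWS) -> List[Tuple[str, Optional[str]]]:
    """Verdicts for a list of flows, in order."""
    return [evaluate(*f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_all()):
        print(f"{flow[2]:>14} -> {flow[3]:<14} {flow[4]}/{flow[5]:<5} {verdict}")
```

    Of the five sample flows, only the first two (data center host to the Internet, and inbound HTTP to a data center subnet) are permitted with the default IPS profile; inbound SSH, an outbound source outside the listed subnets, and untrust-to-dmz traffic fall to the default deny.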
  7. Configure policy-based routing so that all traffic passing through core devices DeviceI and DeviceJ is redirected to the firewalls, which filter it.

    # The following uses core device DeviceI as an example. The configuration of core device DeviceJ is similar; see the configuration file.

    [~DeviceI] acl 3001
    [*DeviceI-acl4-advance-3001] rule 5 permit ip source 10.1.2.0 24
    [*DeviceI-acl4-advance-3001] rule 10 permit ip source 10.1.3.0 24
    [*DeviceI-acl4-advance-3001] rule 15 permit ip source 10.1.4.0 24
    [*DeviceI-acl4-advance-3001] rule 20 permit ip source 10.1.5.0 24
    [*DeviceI-acl4-advance-3001] commit 
    [~DeviceI-acl4-advance-3001] quit
    [~DeviceI] traffic classifier c1
    [*DeviceI-classifier-c1] if-match acl 3001
    [*DeviceI-classifier-c1] quit
    [*DeviceI] commit 
    [~DeviceI] traffic behavior b1
    [*DeviceI-behavior-b1] redirect load-balance nexthop 172.16.100.1 172.16.100.3 
    [*DeviceI-behavior-b1] quit
    [*DeviceI] commit 
    [~DeviceI] traffic policy p1
    [*DeviceI-trafficpolicy-p1] classifier c1 behavior b1
    [*DeviceI-trafficpolicy-p1] quit
    [*DeviceI] commit 
    [~DeviceI] interface 100ge 1/0/1
    [~DeviceI-100GE1/0/1] traffic-policy p1 inbound 
    [*DeviceI-100GE1/0/1] quit
    [*DeviceI] commit 
    [~DeviceI] interface 100ge 1/0/2
    [~DeviceI-100GE1/0/2] traffic-policy p1 inbound 
    [*DeviceI-100GE1/0/2] quit
    [*DeviceI] commit 
    [~DeviceI] interface 100ge 1/0/3
    [~DeviceI-100GE1/0/3] traffic-policy p1 inbound 
    [*DeviceI-100GE1/0/3] quit
    [*DeviceI] commit 
    [~DeviceI] interface 100ge 1/0/4
    [~DeviceI-100GE1/0/4] traffic-policy p1 inbound 
    [*DeviceI-100GE1/0/4] quit
    [*DeviceI] commit 
    [~DeviceI] interface 100ge 1/0/14
    [~DeviceI-100GE1/0/14] traffic-policy p1 inbound 
    [*DeviceI-100GE1/0/14] quit
    [*DeviceI] commit 
    [~DeviceI] acl 3003
    [*DeviceI-acl4-advance-3003] rule 5 permit ip destination 10.1.2.0 24
    [*DeviceI-acl4-advance-3003] rule 10 permit ip destination 10.1.3.0 24
    [*DeviceI-acl4-advance-3003] rule 15 permit ip destination 10.1.4.0 24
    [*DeviceI-acl4-advance-3003] rule 20 permit ip destination 10.1.5.0 24
    [*DeviceI-acl4-advance-3003] commit 
    [~DeviceI-acl4-advance-3003] quit
    [~DeviceI] traffic classifier c3
    [*DeviceI-classifier-c3] if-match acl 3003
    [*DeviceI-classifier-c3] quit
    [*DeviceI] commit 
    [~DeviceI] traffic behavior b3
    [*DeviceI-behavior-b3] redirect load-balance nexthop 172.16.100.2 172.16.100.4
    [*DeviceI-behavior-b3] quit
    [*DeviceI] commit 
    [~DeviceI] traffic policy p2
    [*DeviceI-trafficpolicy-p2] classifier c3 behavior b3
    [*DeviceI-trafficpolicy-p2] quit
    [*DeviceI] commit 
    [~DeviceI] interface 100ge 1/0/5
    [~DeviceI-100GE1/0/5] traffic-policy p2 inbound
    [*DeviceI-100GE1/0/5] quit
    [*DeviceI] commit

Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/2784.html
Source: CNESA
The article is copyrighted by its author; do not repost without permission.
