目录
需求和拓扑
操作步骤
1、配置接口ip和安全区域
2、配置ospf动态路由
3、配置双机热备
3.1 配置vrrp备份组
3.2 配置心跳线
3.3 配置检测上行链路
3.4 开启双机热备
4、配置安全策略
验证和分析
1、检查vrrp备份组建立情况
2、检查vgmp组状态
3、检查r3的路由情况
4、检查f1和f2通告的一类lsa情况
5、在f1和f2上检查到达r3的路由情况
实验四:防火墙直路部署,上行连接路由器(OSPF),下行连接交换机
需求和拓扑
两台FW的业务接口都工作在三层,上行连接路由器,下行连接二层交换机。FW与路由器之间运行OSPF协议。现在希望两台FW以主备备份方式工作。正常情况下,流量通过FW_A转发。当FW_A出现故障时,流量通过FW_B转发,保证业务不中断。
分析:上行由于连接路由器,无法配置vrrp备份组,所以只能在下行配置vrrp备份组,同时为了监控上行链路,需要配置hrp检测上行链路。即这是一个单vrrp备份组配合动态路由的双机热备案例。
操作步骤
1、配置接口ip和安全区域
2、配置ospf动态路由
2、配置ospf动态路由
配置完成后应该r3能够和r1、r2建立ospf邻居关系,r1和r2分别和fw1和fw2建立邻居关系,fw1能够和fw2、r1建立邻居关系,fw2能够和fw1、r2建立邻居关系。
r3上检查是否存在由fw1/fw2发布的10.3.0.0/24的路由,fw1/fw2上检查是否存在由r3发布3.3.3.3/32的路由。
f1
dis ip routing-table | inc 3.3.3.3
Destination/Mask Proto Pre Cost Flags NextHop Interface
3.3.3.3/32 OSPF 10 2 D 10.2.0.2 GigabitEthernet1/0/1
f2
dis ip routing-table | inc 3.3.3.3
Destination/Mask Proto Pre Cost Flags NextHop Interface
3.3.3.3/32 OSPF 10 2 D 10.2.1.2 GigabitEthernet1/0/1
r3
dis ip routing-table | inc 10.3.0.0
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.3.0.0/24 OSPF 10 3 D 13.1.1.1 GigabitEthernet0/0/0
10.3.0.0/24 OSPF 10 3 D 23.1.1.2 GigabitEthernet0/0/1
注意这时候,r3去往10.3.0.0/24网段的下一跳是负载的,即经过f1和f2的开销是一样的。
3、配置双机热备
3.1 配置vrrp备份组
//f1
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 10.3.0.3 active
//f2
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 10.3.0.3 standby
3.2 配置心跳线
//f1
hrp interface GigabitEthernet1/0/6 remote 10.10.0.2
//f2
hrp interface GigabitEthernet1/0/6 remote 10.10.0.2
//f1 interface GigabitEthernet1/0/0 vrrp vrid 1 virtual-ip 10.3.0.3 active //f2 interface GigabitEthernet1/0/0 vrrp vrid 1 virtual-ip 10.3.0.3 standby
3.2 配置心跳线
//f1
hrp interface GigabitEthernet1/0/6 remote 10.10.0.2
//f2
hrp interface GigabitEthernet1/0/6 remote 10.10.0.2
3.3 配置检测上行链路
//f1/f2
hrp track interface GigabitEthernet1/0/1
3.4 开启双机热备
hrp enable
4、配置安全策略
//仅需在f1配置,f2会自动同步的
security-policy
rule name 1
source-zone trust
destination-zone untrust
action permit
验证和分析
1、检查vrrp备份组建立情况
HRP_M[f1]dis vrrp
2022-02-18 06:02:35.670
GigabitEthernet1/0/0 | Virtual Router 1
State : Master
Virtual IP : 10.3.0.3
Master IP : 10.3.0.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled
Create time : 2022-02-18 00:56:39
Last change time : 2022-02-18 01:02:21
2、检查vgmp组状态
//f1
HRP_M[f1]dis hrp state verbose
2022-02-18 06:03:39.420
Role: active, peer: standby
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: active
GigabitEthernet1/0/1: up
ospf-cost: +0
//f2
HRP_S[f2]dis hrp state verbose
2022-02-18 06:04:51.380
Role: standby, peer: active
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: standby
GigabitEthernet1/0/1: up
ospf-cost: +65500
hrp enable
4、配置安全策略
//仅需在f1配置,f2会自动同步的
security-policy
rule name 1
source-zone trust
destination-zone untrust
action permit
验证和分析
1、检查vrrp备份组建立情况
HRP_M[f1]dis vrrp
2022-02-18 06:02:35.670
GigabitEthernet1/0/0 | Virtual Router 1
State : Master
Virtual IP : 10.3.0.3
Master IP : 10.3.0.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled
Create time : 2022-02-18 00:56:39
Last change time : 2022-02-18 01:02:21
2、检查vgmp组状态
//f1
HRP_M[f1]dis hrp state verbose
2022-02-18 06:03:39.420
Role: active, peer: standby
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: active
GigabitEthernet1/0/1: up
ospf-cost: +0
//f2
HRP_S[f2]dis hrp state verbose
2022-02-18 06:04:51.380
Role: standby, peer: active
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: standby
GigabitEthernet1/0/1: up
ospf-cost: +65500
1、检查vrrp备份组建立情况
HRP_M[f1]dis vrrp
2022-02-18 06:02:35.670
GigabitEthernet1/0/0 | Virtual Router 1
State : Master
Virtual IP : 10.3.0.3
Master IP : 10.3.0.1
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 60 s
TimerConfig : 60 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : vgmp-vrrp
Backup-forward : disabled
Create time : 2022-02-18 00:56:39
Last change time : 2022-02-18 01:02:21
2、检查vgmp组状态
//f1
HRP_M[f1]dis hrp state verbose
2022-02-18 06:03:39.420
Role: active, peer: standby
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: active
GigabitEthernet1/0/1: up
ospf-cost: +0
//f2
HRP_S[f2]dis hrp state verbose
2022-02-18 06:04:51.380
Role: standby, peer: active
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: standby
GigabitEthernet1/0/1: up
ospf-cost: +65500
//f1
HRP_M[f1]dis hrp state verbose
2022-02-18 06:03:39.420
Role: active, peer: standby
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: active
GigabitEthernet1/0/1: up
ospf-cost: +0
//f2
HRP_S[f2]dis hrp state verbose
2022-02-18 06:04:51.380
Role: standby, peer: active
Running priority: 45000, peer: 45000
Detail information:
GigabitEthernet1/0/0 vrrp vrid 1: standby
GigabitEthernet1/0/1: up
ospf-cost: +65500
vgmp对备份组的操作是对其ospf开销增加了65500,导致上下行选路从f2经过时开销加65500,从而不被优选。
3、检查r3的路由情况
dis ip routing-table 10.3.0.0
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.3.0.0/24 OSPF 10 3 D 13.1.1.1 GigabitEthernet0/0/0
4、检查f1和f2通告的一类lsa情况
dis ospf lsdb router 11.11.11.11
OSPF Process 1 with Router ID 3.3.3.3
Area: 0.0.0.0
link State Database
Type : Router
Ls id : 11.11.11.11
Adv rtr : 11.11.11.11
Ls age : 89
Len : 60
Options : E
seq# : 8000001a
chksum : 0x6019
link count: 3
* link ID: 10.2.0.2
data: 10.2.0.1
link Type: TransNet
Metric : 1
* link ID: 10.3.0.3
data: 255.255.255.255
link Type: StubNet
Metric : 1
Priority : Medium
* link ID: 10.3.0.1
data: 10.3.0.1
link Type: TransNet
Metric : 1
dis ospf lsdb router 22.22.22.22
OSPF Process 1 with Router ID 3.3.3.3
Area: 0.0.0.0
link State Database
Type : Router
Ls id : 22.22.22.22
Adv rtr : 22.22.22.22
Ls age : 100
Len : 48
Options : E
seq# : 80000014
chksum : 0x4e3f
link count: 2
* link ID: 10.2.1.2
data: 10.2.1.1
link Type: TransNet
Metric : 65500
* link ID: 10.3.0.1
data: 10.3.0.2
link Type: TransNet
Metric : 65500
dis ospf lsdb router 11.11.11.11 OSPF Process 1 with Router ID 3.3.3.3 Area: 0.0.0.0 link State Database Type : Router Ls id : 11.11.11.11 Adv rtr : 11.11.11.11 Ls age : 89 Len : 60 Options : E seq# : 8000001a chksum : 0x6019 link count: 3 * link ID: 10.2.0.2 data: 10.2.0.1 link Type: TransNet Metric : 1 * link ID: 10.3.0.3 data: 255.255.255.255 link Type: StubNet Metric : 1 Priority : Medium * link ID: 10.3.0.1 data: 10.3.0.1 link Type: TransNet Metric : 1 dis ospf lsdb router 22.22.22.22 OSPF Process 1 with Router ID 3.3.3.3 Area: 0.0.0.0 link State Database Type : Router Ls id : 22.22.22.22 Adv rtr : 22.22.22.22 Ls age : 100 Len : 48 Options : E seq# : 80000014 chksum : 0x4e3f link count: 2 * link ID: 10.2.1.2 data: 10.2.1.1 link Type: TransNet Metric : 65500 * link ID: 10.3.0.1 data: 10.3.0.2 link Type: TransNet Metric : 65500
metric值说明了一切。
5、在f1和f2上检查到达r3的路由情况
RP_M[f1]dis ip rou 3.3.3.3
2022-02-18 06:14:15.280
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
3.3.3.3/32 OSPF 10 2 D 10.2.0.2 GigabitEthernet1/0/1
HRP_S[f2]dis ip rou 3.3.3.3
2022-02-18 06:14:44.610
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
3.3.3.3/32 OSPF 10 65501 D 10.2.1.2 GigabitEthernet1/0/1
这个开销是怎么来的呢?并不是r3通告1类lsa的时候赋予的,也不是r1或者r2通过1类lsa的时候赋予的,而是其自己的1类lsa中transnet的链路类型赋予的,然后进行累加形成的。
HRP_S[f2]dis ospf lsdb router 22.22.22.22
2022-02-18 06:19:20.300
OSPF Process 1 with Router ID 22.22.22.22
Area: 0.0.0.0
link State Database
Type : Router
Ls id : 22.22.22.22
Adv rtr : 22.22.22.22
Ls age : 471
Len : 48
Options : E
seq# : 80000014
chksum : 0x4e3f
link count: 2
* link ID: 10.2.1.2
data: 10.2.1.1
link Type: TransNet
Metric : 65500
* link ID: 10.3.0.1
data: 10.3.0.2
link Type: TransNet
Metric : 65500
但是从内网访问外网的上行链路的选路并不是ospf的开销主导的,而是由于vrrp的arp通告导致的,作为active的fw1,也即master设备,会主动向下游设备通告虚拟网关ip对应的虚拟mac,引导流量从自己经过。
假如f1的直连链路出现故障,这实际上是两步操作,第一是调整了vrrp中的master设备,第二是调整了ospf的开销,从而保证上下行流量路径一致。
