Firewall Hot Standby: Mirror Mode and VGMP Group Link Monitoring

Published: 2024-01-15

I. Mirror mode

1. Mirror mode basics

Mirror mode, like active/standby backup mode, has one active device and one standby device, but it differs in an important way: the two firewalls in mirror mode have identical service-interface addresses and identical routing configuration, so the pair can be treated as a single device that simply gains an extra mirror-mode management interface.

By default, apart from the MEth0/0/0 management interface and the heartbeat interface, the standby device's interfaces can neither send nor receive packets. The exception is when the standby device itself needs to talk to an external service, for example sending logs to a log server; in that case, use the hrp mgt-interface command on the standby device to designate mirror-mode management interfaces, and the logs are sent to the log server through those interfaces.

Note:
① The management interface, the heartbeat interface and the service interfaces cannot be shared (one physical interface cannot play two of these roles).
② Mirror mode can only form an active/standby network, not a load-balancing network; it is commonly used in data center network solutions.
③ Service interfaces with the same number on the two firewalls use the same IP address.
④ With IPv6, service interfaces with the same number are configured with the same IPv6 address and the same IPv6 link-local address; configure the link-local address manually rather than letting it be auto-generated, so that the two devices do not end up with different addresses.
⑤ Mirror mode backs up more configuration than active/standby backup and load balancing do; for example, interface IP address configuration commands are backed up in mirror mode.

2. Mirror mode configuration

[FW1]interface g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.0.1.1 24
[FW1-GigabitEthernet1/0/0]interface g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 10.0.0.1 24
[FW1-GigabitEthernet1/0/1]interface g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 10.10.0.1 24
[FW1-GigabitEthernet1/0/2]q
[FW1]hrp track interface g1/0/0
[FW1]hrp track interface g1/0/1
[FW1]hrp interface g1/0/2 remote 10.10.0.2
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/2
[FW1]hrp enable

HRP_M[FW1]hrp mirror config enable  (+B)
HRP_M<FW1>hrp sync config
 Info: Starting to synchronize configuration to peer device, and can not do operations during this period, please wait for a moment.......send complete.
[FW2]interface g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 10.10.0.2 24
[FW2-GigabitEthernet1/0/2]interface g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.0.1.1 24
[FW2-GigabitEthernet1/0/0]interface g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 10.0.0.1 24
[FW2-GigabitEthernet1/0/1]q
[FW2]hrp track interface g1/0/0
[FW2]hrp track interface g1/0/1
[FW2]hrp interface g1/0/2 remote 10.10.0.1
[FW2]hrp standby-device
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface g1/0/2
[FW2]hrp enable
HRP_M[FW1]display hrp state verbose 
2024-01-13 04:04:50.090 
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 4 minutes
 Last state change information: 2024-01-13 4:00:45 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        on
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0

HRP_S[FW2]display hrp state verbose 
2024-01-13 04:05:23.290 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 4 minutes
 Last state change information: 2024-01-13 4:00:44 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        on
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100

Both priorities are equal at 45000, mirror configuration is on, and interfaces G1/0/0 and G1/0/1 are both VGMP group monitored items. Static routes are configured according to the needs of your own network.

① When the VGMP group is in the load-balance state, the state of the service interfaces is decided by configuration: on the device designated as standby with the hrp standby-device command, the service interfaces are silent and can neither receive nor send any packets other than LLDP and LACP packets (ARP packets and routing-protocol packets, for example, are blocked);

② When the VGMP group is in the active state, the service interfaces are non-silent and receive and send packets normally;

③ When the VGMP group is in the standby state, the service interfaces are silent and can neither receive nor send any packets other than LLDP and LACP packets, such as ARP packets and routing-protocol packets.

In the network above, FW2 is the standby device. When an intranet user accesses the external network and sends an ARP broadcast requesting the MAC address of 10.0.0.1, the standby device does not answer the ARP request; only FW1 answers it, refreshing the switch's MAC address table and the host's ARP cache.

HRP_M[FW1]interface g1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0]shutdown
HRP_S[FW1-GigabitEthernet1/0/0]

When FW1's service interface G1/0/0 fails, the prompt prefix changes (HRP_M becomes HRP_S), the active/standby roles switch, and the connectivity test still succeeds.

3. Notes on configuring mirror mode

① To configure mirror mode, use two firewalls in their initial (factory) state; a firewall that is already running services must be reset to its initial state before it is switched to mirror mode;

② Mirror mode and VRRP are mutually exclusive and cannot be used at the same time;

③ Mirror-mode firewalls cannot be combined with BFD/IP-Link: a silent port cannot send BFD probe packets, so the standby firewall's BFD session stays down permanently. If they are combined anyway, the standby firewall's VGMP group has already lowered its priority by 2, so when an interface on the active firewall later goes down the priorities merely become equal and no active/standby switchover occurs.

④ Use static routes between the firewalls and their upstream/downstream devices; dynamic routing, intelligent routing (smart policy routing), and OSPF/BGP monitoring of remote neighbor failures are not supported.

II. VGMP group link monitoring

1. Monitoring the remote interface state with IP-Link

Method: create an IP-Link that probes the remote interface and have the VGMP group monitor the IP-Link state. When the probed interface fails, the IP-Link state changes to down; the VGMP group detects the change and lowers its own priority.

[FW1]ip-link check enable 
[FW1]ip-link name huawei 
[FW1-iplink-huawei]destination 2.2.2.1 interface g1/0/1 mode icmp
[FW1]hrp track ip-link huawei

[FW2]ip-link check enable 
[FW2]ip-link name huawei
[FW2-iplink-huawei]destination 3.3.3.1 interface g1/0/1 mode icmp
[FW2-iplink-huawei]quit
[FW2]hrp track ip-link huawei
HRP_M[FW1]display hrp state verbose 
2024-01-13 09:57:00.990 
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-01-13 9:56:35 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                IP-Link huawei(VSYS:public): up
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0


HRP_S[FW2]display hrp state verbose
2024-01-13 09:57:31.320 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-01-13 9:56:35 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                IP-Link huawei(VSYS:public): up
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100


When R_B's G0/0/2 interface fails, check the active/standby state.

[R_B-GigabitEthernet0/0/2]shutdown

HRP_S[FW1]display hrp state verbose 
2024-01-13 09:59:05.050 
 Role: standby, peer: active

HRP_M[FW2]display hrp state verbose
2024-01-13 09:59:25.620 
 Role: active, peer: standby

2. Monitoring the remote interface state with BFD

Method: create a BFD session that probes the remote interface and have the VGMP group monitor the BFD session state. When the probed interface fails, the BFD state changes to down; the VGMP group detects the change and lowers its own priority.

HRP_M[FW1]bfd
HRP_M[FW1-bfd]bfd 1 bind peer-ip 2.2.2.2
HRP_M[FW1-bfd-session-1]discriminator local 10
HRP_M[FW1-bfd-session-1]discriminator remote 20
HRP_M[FW1-bfd-session-1]commit
HRP_M[FW1]hrp track bfd-session 10
HRP_S[FW2]bfd
HRP_S[FW2-bfd]bfd 1 bind peer-ip 3.3.3.2
HRP_S[FW2-bfd-session-1]discriminator local 10
HRP_S[FW2-bfd-session-1]discriminator remote 20
HRP_M[FW2-bfd-session-1]commit
HRP_S[FW2-bfd-session-1]q
HRP_S[FW2]hrp track bfd-session 10
[AR4]bfd
[AR4-bfd]bfd 1 bind peer-ip 10.2.1.2
[AR4-bfd-session-1]discriminator local 20
[AR4-bfd-session-1]discriminator remote 10
[AR4-bfd-session-1]commit 

[AR6]bfd
[AR6-bfd]bfd 1 bind peer-ip 10.2.2.2
[AR6-bfd-session-1]discriminator local 20
[AR6-bfd-session-1]discriminator remote 10
[AR6-bfd-session-1]commit 
HRP_M[FW1]display hrp state verbose 
2024-01-13 10:55:24.590 
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-01-13 10:55:10 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                             BFD session 10: up
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0


HRP_S[FW2]display hrp state verbose 
2024-01-13 10:56:47.350 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change information: 2024-01-13 10:55:10 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                             BFD session 10: up
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100

When the AR4 port fails, check the firewalls' active/standby relationship:

[AR4-GigabitEthernet0/0/2]shutdown

HRP_S[FW1]display hrp state verbose 
2024-01-13 10:57:53.770 
 Role: standby, peer: active
 Running priority: 44998, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-01-13 10:57:40 HRP core state changed, old_state = normal, new_state = abnormal(standby), local_priority = 44998, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                             BFD session 10: down
                                  ospf-cost: +65500
                                ospfv3-cost: +65500

HRP_M[FW2]display hrp state verbose 
2024-01-13 10:58:08.460 
 Role: active, peer: standby
 Running priority: 45000, peer: 44998
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-01-13 10:57:40 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
                       GigabitEthernet1/0/0: up
                       GigabitEthernet1/0/1: up
                             BFD session 10: up
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0

The active/standby roles have switched: FW1's priority dropped to 44998 when BFD session 10 went down, so FW2, still at 45000, took over as active.
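As an added example (not code from this article or from Huawei), the following Python model reproduces the priority arithmetic behind the outputs above and behind note ③ of section I: each failed tracked item lowers the running priority, the higher priority takes the active role, and a tie leaves the roles unchanged. The 2-point penalty per failed item and the tie rule are assumptions read off the page's own 45000 -> 44998 output, and the Firewall/elect/hrp_state names are invented here.

```python
# Added example, not Huawei code: model of how a VGMP group turns tracked-item failures
# into a running priority and a switchover. Assumption: 2 points per failed item, as the
# page's 45000 -> 44998 drop suggests; a tie leaves the current active in place.
from dataclasses import dataclass, field

BASE_PRIORITY = 45000
PENALTY_PER_DOWN_ITEM = 2  # assumption drawn from the page's output
STANDBY_COST_ADJUST = {"ospf-cost": 65500, "ospfv3-cost": 65500, "bgp-cost": 100}

@dataclass
class Firewall:
    name: str
    tracked: dict = field(default_factory=dict)  # e.g. {"GigabitEthernet1/0/0": "up"}
    role: str = "standby"

    def running_priority(self) -> int:
        down = sum(1 for state in self.tracked.values() if state != "up")
        return BASE_PRIORITY - PENALTY_PER_DOWN_ITEM * down

def elect(fw_a: Firewall, fw_b: Firewall) -> str:
    """Recompute roles, return the active device's name; higher priority wins, tie keeps roles."""
    active = fw_a if fw_a.role == "active" else fw_b
    standby = fw_b if active is fw_a else fw_a
    if standby.running_priority() > active.running_priority():
        active.role, standby.role = "standby", "active"
        return standby.name
    return active.name

def hrp_state(fw: Firewall, peer: Firewall) -> dict:
    """Condensed 'display hrp state verbose': role, priorities and route-cost adjustments."""
    adjust = STANDBY_COST_ADJUST if fw.role == "standby" else dict.fromkeys(STANDBY_COST_ADJUST, 0)
    return {"role": fw.role, "priority": fw.running_priority(),
            "peer_priority": peer.running_priority(), **adjust}

def lab_bfd_failover() -> tuple:
    """Section II scenario: AR4's port goes down and FW1's BFD session 10 follows."""
    items = {"GigabitEthernet1/0/0": "up", "GigabitEthernet1/0/1": "up", "BFD session 10": "up"}
    fw1 = Firewall("FW1", dict(items), role="active")
    fw2 = Firewall("FW2", dict(items))
    fw1.tracked["BFD session 10"] = "down"
    return elect(fw1, fw2), hrp_state(fw1, fw2), hrp_state(fw2, fw1)

def lab_mirror_mode_with_bfd() -> str:
    """Section I note 3: the mirror-mode standby's silent port keeps BFD down (-2 in advance);
    when the active then loses an interface the priorities tie at 44998, so no switchover."""
    fw1 = Firewall("FW1", {"GigabitEthernet1/0/0": "up", "BFD session 10": "up"}, role="active")
    fw2 = Firewall("FW2", {"GigabitEthernet1/0/0": "up", "BFD session 10": "down"})
    fw1.tracked["GigabitEthernet1/0/0"] = "down"
    return elect(fw1, fw2)
```

The first scenario ends with FW2 active and FW1 reporting the standby cost adjustments, matching the outputs above; the second ends with FW1 still active despite its failed interface, which is the failure mode note ③ warns about.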


Reference: 防火墙和VPN技术与实践 (Firewall and VPN Technology and Practice), by 李学昭

Article source: https://blog.csdn.net/Mario_Ti/article/details/135566934