热门标签
热门文章
- 1机器学习之特征变换-标签和索引的转化_机器学习特征变换
- 2flutter go_router 官方路由(一)基本使用_go_router 用法
- 3华为OD机试真题(Java),根据员工出勤信息,判断本次是否能获得出勤奖(100%通过+复盘思路)_公司用一个字符串来表示员工的出勤信息:
- 4sql更新某个字段_sql更新某个字段的值
- 5vue ECharts 树图修改某节点样式,选中、聚焦改变节点样式等_echart tree 如果有子节点,显示加号
- 6YOLOv8分类识别训练配置详细_yolov8分类命令
- 7微信小程序 --- 事件处理
- 8selenium 下载文件取消安全下载的配置_selenium chrome已阻止不安全的下载
- 9PythonTF-IDF算法对文本进行统计词频_python使用文本数据的test.txt(每一行为一条新闻数据),使用自定义的tf-idf函数(词
- 10使用OpenAI Whipser开源模型实现长音频转录并结合GPT模型做文本翻译_开源语yin转文本
当前位置: article > 正文
在eNSP模拟器上使用usg6000v实现双机热备(旁路部署,上下行连接三层设备的主备备份组网)_ensp交换机怎么热备
作者:IT小白 | 2024-04-10 18:32:47
赞
踩
ensp交换机怎么热备
拓扑图
设备选型
PC1设备为PC型终端设备
LSW1设备为S3700型交换机
LSW2-3为S5700型交换机
AR1-5为AR2220型路由器
FW1-2为USG6000型防火墙
实验要求
1.完成所有设备的初始化配置(命名,接口IP,FW设备的安全区域划分)
2.在AR1-2设备上部署VRRP备份组,用于内网设备的网关
3.底层部署OSPF,Trust区域(内网区域)为OSPF10,Untrust区域(外网区域)为OSPF20并在FW设备上双向引入
4.防火墙上开启HRP协议,配置心跳接口,追踪业务端口,并指定FW2设备为备份设备
5.在两个核心交换机(LSW2-3)上配置策略路由,调整来回流量路径使其经过防火墙
6.主设备上根据业务需求配置安全策略
7.为实现主备链路的及时切换,需要创建BFD会话(R1<–>FW1,FW1<–>R5)
8.在连接终端设备的VRRP备份组以及防火墙的HRP协议上都联动已创建好的BFD会话实现主备角色的一致切换
操作步骤
1.设备初始化配置
PC1:
AR1:
sysname R1
#
interface GigabitEthernet0/0/0
ip address 10.0.0.251 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.10.1 255.255.255.0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
AR2:
sysname R2
#
interface GigabitEthernet0/0/0
ip address 10.0.0.252 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.11.1 255.255.255.0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
AR3:
sysname R3
#
interface GigabitEthernet0/0/0
ip address 10.0.20.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.35.3 255.255.255.0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
AR4:
sysname R4
#
interface GigabitEthernet0/0/0
ip address 10.0.21.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.45.4 255.255.255.0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
AR5:
sysname R5
#
interface GigabitEthernet0/0/0
ip address 10.0.35.5 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.45.5 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
LSW2:
sysname Sw2 # undo info-center enable # vlan batch 10 20 30 40 # interface Vlanif10 ip address 10.0.10.2 255.255.255.0 # interface Vlanif20 ip address 10.0.20.1 255.255.255.0 # interface Vlanif30 ip address 10.0.24.2 255.255.255.0 # interface Vlanif40 ip address 10.0.22.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # interface GigabitEthernet0/0/3 port link-type access port default vlan 30 # interface GigabitEthernet0/0/4 port link-type access port default vlan 40
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
LSW3:
sysname Sw3 # undo info-center enable # vlan batch 10 20 30 40 # interface Vlanif10 ip address 10.0.11.2 255.255.255.0 # interface Vlanif20 ip address 10.0.21.1 255.255.255.0 # interface Vlanif30 ip address 10.0.25.2 255.255.255.0 # interface Vlanif40 ip address 10.0.23.2 255.255.255.0 # interface GigabitEthernet0/0/1 port link-type access port default vlan 10 # interface GigabitEthernet0/0/2 port link-type access port default vlan 20 # interface GigabitEthernet0/0/3 port link-type access port default vlan 30 # interface GigabitEthernet0/0/4 port link-type access port default vlan 40
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
FW1:
sysname Fw1 # interface GigabitEthernet1/0/0 undo shutdown ip address 10.0.12.1 255.255.255.0 # interface GigabitEthernet1/0/1 undo shutdown ip address 10.0.24.1 255.255.255.0 # interface GigabitEthernet1/0/2 undo shutdown ip address 10.0.22.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/0 add interface GigabitEthernet1/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/2
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
FW2:
sysname Fw2 # interface GigabitEthernet1/0/0 undo shutdown ip address 10.0.12.2 255.255.255.0 # interface GigabitEthernet1/0/1 undo shutdown ip address 10.0.25.1 255.255.255.0 # interface GigabitEthernet1/0/2 undo shutdown ip address 10.0.23.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet1/0/0 add interface GigabitEthernet1/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/2
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
2.在AR1-2设备上部署VRRP备份组
AR1:
interface GigabitEthernet0/0/0
vrrp vrid 1 virtual-ip 10.0.0.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 10
- 1
- 2
- 3
- 4
AR2:
interface GigabitEthernet0/0/0
vrrp vrid 1 virtual-ip 10.0.0.254
- 1
- 2
3.部署OSPF,Trust区域(内网区域)为OSPF10,UNtrust区域(外网区域)为OSPF20并在FW设备上双向引入
AR1:
ospf 10
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 10.0.10.0 0.0.0.255
- 1
- 2
- 3
- 4
AR2:
ospf 10
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 10.0.11.0 0.0.0.255
- 1
- 2
- 3
- 4
AR3:
ospf 20
area 0.0.0.0
network 10.0.20.0 0.0.0.255
network 10.0.35.0 0.0.0.255
- 1
- 2
- 3
- 4
AR4:
ospf 20
area 0.0.0.0
network 10.0.21.0 0.0.0.255
network 10.0.45.0 0.0.0.255
- 1
- 2
- 3
- 4
AR5:
ospf 20
area 0.0.0.0
network 5.5.5.0 0.0.0.255
network 10.0.35.0 0.0.0.255
network 10.0.45.0 0.0.0.255
- 1
- 2
- 3
- 4
- 5
LSW2:
ospf 10
area 0.0.0.0
network 10.0.10.0 0.0.0.255
network 10.0.24.0 0.0.0.255
#
ospf 20
area 0.0.0.0
network 10.0.20.0 0.0.0.255
network 10.0.22.0 0.0.0.255
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
LSW3:
ospf 10
area 0.0.0.0
network 10.0.11.0 0.0.0.255
network 10.0.25.0 0.0.0.255
#
ospf 20
area 0.0.0.0
network 10.0.23.0 0.0.0.255
network 10.0.21.0 0.0.0.255
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
FW1:
ospf 10
import-route ospf 20
area 0.0.0.0
network 10.0.24.0 0.0.0.255
#
ospf 20
import-route ospf 10
area 0.0.0.0
network 10.0.22.0 0.0.0.255
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
FW2:
ospf 10
import-route ospf 20
area 0.0.0.0
network 10.0.25.0 0.0.0.255
#
ospf 20
import-route ospf 10
area 0.0.0.0
network 10.0.23.0 0.0.0.255
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
4.防火墙上开启HRP协议,配置心跳接口,追踪业务端口,并指定FW2设备为备份设备
FW1:
hrp enable
hrp interface GigabitEthernet1/0/0 remote 10.0.12.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
- 1
- 2
- 3
- 4
FW2:
hrp enable
hrp standby-device //指定当前设备为备份设备
hrp interface GigabitEthernet1/0/0 remote 10.0.12.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
- 1
- 2
- 3
- 4
- 5
5.在两个核心交换机(LSW2-3)上配置策略路由,调整来回流量路径使其经过防火墙
LSW2:
acl number 2000
rule 10 permit source 10.0.0.0 0.0.0.255
//创建基本ACL用来筛选需要重定向的内网流量
#
interface GigabitEthernet0/0/1
traffic-redirect inbound acl 2000 ip-nexthop 10.0.24.1
//调用刚才创建的ACL,使用Traffic-redirect工具进行流量重定向
#
acl number 2001
rule 10 permit source 5.5.5.0 0.0.0.255
//创建基本ACL用来筛选需要重定向的外网流量
#
interface GigabitEthernet0/0/2
traffic-redirect inbound acl 2001 ip-nexthop 10.0.22.1
//调用刚才创建的ACL,使用Traffic-redirect工具进行流量重定向
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
注:流量重定向也可使用Traffic-Policy工具完成
LSW3:
acl number 2000
rule 5 permit source 10.0.0.0 0.0.0.255
#
acl number 2001
rule 5 permit source 5.5.5.0 0.0.0.255
#
interface GigabitEthernet0/0/1
traffic-redirect inbound acl 2000 ip-nexthop 10.0.25.1
#
interface GigabitEthernet0/0/2
traffic-redirect inbound acl 2001 ip-nexthop 10.0.23.1
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
6.主设备(FW1)上根据业务需求配置安全策略
FW1:
security-policy
rule name t2u
source-zone trust
destination-zone untrust
source-address 10.0.0.0 mask 255.255.255.0
destination-address 5.5.5.5 mask 255.255.255.255
action permit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
7.为实现主备链路的及时切换,需要创建BFD会话(R1<–>FW1,FW1<–>R5)
R1:
bfd
#
bfd 1 bind peer-ip 10.0.22.1 source-ip 10.0.10.1 //指向FW1设备的上游接口的BFD会话
discriminator local 10
discriminator remote 22
commit
- 1
- 2
- 3
- 4
- 5
- 6
FW1:
bfd
#
bfd 1 bind peer-ip 10.0.10.1 source-ip 10.0.22.1 //回指R1设备的BFD会话
discriminator local 22
discriminator remote 10
commit
bfd 2 bind peer-ip 10.0.35.5 source-ip 10.0.22.1 //指向R5设备的BFD会话
discriminator local 20
discriminator remote 35
commit
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
R5:
bfd
#
bfd 2 bind peer-ip 10.0.22.1 source-ip 10.0.35.5 //回指FW1设备的BFD会话
discriminator local 35
discriminator remote 20
commit
- 1
- 2
- 3
- 4
- 5
- 6
8.在连接终端设备的VRRP备份组以及防火墙的HRP协议上都联动已创建好的BFD会话实现主备角色的一致切换
AR1:
interface GigabitEthernet0/0/0
vrrp vrid 1 track bfd-session 10 reduced 30 //VRRP备份组联动BFD会话,惩罚值为30
- 1
- 2
FW1:
hrp track bfd-session 20 //探测FW1到AR5的区间链路
hrp track bfd-session 22 //探测FW1到AR1的区间链路
- 1
- 2
结果验证
1.无故障情况下
连通性&流量路径:
BFD会话状态(以中间设备FW1为参考):
VRRP备份组主备角色:
2.故障模拟,在BFD会话覆盖的链路上找端口down掉(本案例选择FW1设备端口)
FW1设备关闭主链路对应端口:
interface GigabitEthernet1/0/2
shutdown
- 1
- 2
连通性&流量路径:
BFD会话状态(以中间设备FW1为参考):
VRRP备份组主备角色:
3.故障恢复
FW1:
interface GigabitEthernet1/0/2
undo shutdown
- 1
- 2
连通性&流量路径:
BFD会话状态(以中间设备FW1为参考):
VRRP备份组主备角色:
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/IT小白/article/detail/400351
推荐阅读
相关标签
