
Building high availability (HA) for Juniper firewalls with NSRP - 51CTO Blog

2019-03-01 13:09:34 | Author: 辰宇 | Tags: firewall, configuration, switch | Views: 2386

1. Lab topology diagram:

2. IP plan:

eth1: 192.168.101.68/24

eth3: 192.168.100.10/24

3. Device description:

The switch used in the trust zone is a Digital China DCS-3950S

The switch in the untrust zone is an H3C Quidway S3526E

Firewall: Juniper NetScreen-25

4. Device configuration

4.1 Configuration of the first firewall, ns-a

login: netscreen
password:
NS-A(M)-> get system
Product Name: NetScreen-25
Serial Number: 0096052007001238, Control Number: 00000000
Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r6.0, Type: Firewall+***
Compiled by build_master at: Tue Nov 28 15:14:46 PST 2006
Base Mac: 0019.e240.67d0
File Name: ns50ns25.5.3.0r6.0, Checksum: 966acd5c

Date 11/15/2012 19:45:39, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 51 minutes 30 seconds Since 15Nov2012:18:54:09
Total Device Resets: 48, Last Device Reset at: 11/15/2012 15:21:15

System in NAT/route mode.

NS-A(M)-> exit
login: 0096052007001238
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue?  y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue?  y/[n] y
In reset ...
Start deactivate session...
0 sessions deactivated

NetScreen NS-25/50 Boot Loader Version 3.0.0 (Checksum: D1C6421F)
Copyright (c) 1997-2003 NetScreen Technologies, Inc.

Total physical memory: 128MB
    Test - Pass
    Initialization - Done

ns25-> set hostname  ns-a
ns-a-> set interface eth1 ip 192.168.101.68 255.255.255.0
ns-a-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-a-> set int eth4 zone    
Null                 Null zone
Trust                Trust zone
Untrust              Untrust zone
Self                 Self zone
Global               Global zone
HA                   HA zone
MGT                  MGT zone
Untrust-Tun          Untrust-Tun zone
v1-Null              v1-Null zone
V1-Trust             V1-Trust zone
V1-Untrust           V1-Untrust zone
DMZ                  DMZ zone
V1-DMZ               V1-DMZ zone
VLAN                 VLAN zone
ns-a-> set int eth4 zone HA   (eth4 is the heartbeat link)

ns-a-> set nsrp cl   
cluster              config cluster id/name
ns-a-> set nsrp cluster id    
<number>             NSRP cluster ID (range: 1 - 7)
ns-a-> set nsrp cluster id 1
ns-a(B)-> Unit becomes master of NSRP vsd-group 0

ns-a(M)-> set nsrp vsd-group id 0
ns-a(M)-> set nsrp vsd-group id    
<number>             vsd group ID (range: 0 - 7)    (at most 8 failover domains)
ns-a(M)-> set nsrp vsd-group id 0 pr   
preempt              allow to preempt a lower priority master
priority             priority for this vsd group
<return>
ns-a(M)-> set nsrp vsd-group id 0 priority 50
ns-a(M)-> set nsrp vsd-group id 0 preempt   
ns-a(M)-> set nsrp vsd-group id 0 monitor inter   
interface            interface to be monitored    (the monitored port)
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth1
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth3

ns-a(M)-> get config  (verify the configuration)

set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3

ns-a(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id:   4220880, ctrl mac: 0019e24067d7, index: 1, unit id:   4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself     none 4220080(inoperable)

ns-a(M)-> save
Save System Configuration  ...
Done

4.2 Configuration of the second firewall

First wipe the configuration by logging in with the serial number (lost-password reset)!

login: netscreen
password:
ns25-> set hostname ns-b
ns-b-> set int eth1 ip 192.168.101.68 255.255.255.0
ns-b-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-b-> set int eth4 zone HA
ns-b-> set nsrp cluster id 1
ns-b(B)-> set nsrp vsd-group id 0
ns-b(B)-> set nsrp vsd-group id 0 priority 100
ns-b(B)-> set nsrp vsd-group id 0 monitor int eth1

ns-b(B)-> set nsrp vsd-group id 0 monitor int eth3


ns-b(I)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id:   4220080, ctrl mac: 0019e24064b7, index: 1, unit id:   4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no      4220880     none myself(inoperable)

ns-b(I)-> save
Save System Configuration  ...
Done

4.3 Configuration of the Digital China switch:

sw14#show version
  DCS-3950S Device, Aug 27 2004 11:14:24
  HardWare version is 2.10, SoftWare version is DCNOS-4.1.5, BootRom version is 1.2.1
  Copyright (C) 2001-2004 by Digital China Networks Limited.
  All rights reserved.

sw14>enable
sw14#config

sw14(Config)#exit    
sw14#show running-config
Current configuration:
!
   hostname sw14

sw14#config
sw14(Config)#int vlan 1
sw14(Config-If-Vlan1)#ip add 192.168.101.20 255.255.255.0

sw14# ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#show ip route
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived
       A - OSPF ASE, B - BGP derived, D - DVMRP derived

   Destination      Mask             Nexthop          Interface       Preference
C  192.168.101.0    255.255.255.0    0.0.0.0          Vlan1           0  

4.4 Configuring the access policy through the web UI

Check the resulting command on the CLI:

ns-a(M)-> get config

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit

Check on ns-b whether the policy has been synchronized:

ns-b(B)-> get config

set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit

Check whether the configuration is in sync:

ns-b(B)-> exec nsrp sync global-config check-sum
ns-b(B)-> configuration in sync

Test from sw14:

sw14#ping 192.168.101.68             
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

192.168.100.10 cannot be pinged; it turns out the ping management option on that interface is not enabled.

Check and enable the ping option:

ns-a(M)-> get interface eth3
Interface ethernet3(VSI):
  description ethernet3
  number 6, if_info 1248, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr, vsd 0
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 192.168.100.10/24   mac 0010.dbff.2060
  *manage ip 192.168.100.10, mac 0019.e240.67d6
  route-deny disable
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled
, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  band physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
              total allocated gbw 0kbps
  DHCP-Relay disabled
  DHCP-server disabled
Number of SW session: 32063, hw sess err cnt 0

ns-a(M)-> set interface eth3 manage ping
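Enabling ping on an Untrust-zone interface is the only management option the article turns on, and the `get interface` output above is where you confirm that nothing else (telnet, web, SSH, SNMP) was exposed along with it. The following Python is an added example, not part of the original post or of ScreenOS itself: it parses the management flags from `get interface` text and reports any service enabled on an interface that the per-zone allow-list (an assumption made for this example) does not permit. The two samples are constructed in the shape of the article's output, one after `set interface eth3 manage ping` and one with telnet and web also switched on.

```python
import re

# Constructed sample modelled on the article's `get interface eth3` output,
# after `set interface eth3 manage ping` (ping on, everything else off).
SAMPLE_ETH3 = """\
Interface ethernet3(VSI):
  description ethernet3
  number 6, if_info 1248, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr, vsd 0
  *ip 192.168.100.10/24   mac 0010.dbff.2060
  *manage ip 192.168.100.10, mac 0019.e240.67d6
  ping enabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled
"""

# Constructed variant with telnet and web also enabled, to show what the
# check reports on an over-exposed Untrust interface.
SAMPLE_ETH3_EXPOSED = (
    SAMPLE_ETH3.replace("telnet disabled", "telnet enabled")
    .replace("web disabled", "web enabled")
)

# Management services printed on the "ping ..., telnet ..." lines of `get interface`.
MANAGE_SERVICES = ("ping", "telnet", "SSH", "SNMP", "web", "ident-reset", "SSL")

# Assumption for this example: which management services are acceptable per zone.
# The article only ever enables ping on the Untrust side.
ALLOWED_BY_ZONE = {
    "Untrust": {"ping"},
    "Trust": {"ping", "SSH", "web", "SSL", "SNMP"},
}


def parse_interface(text):
    """Extract name, zone, IP and the enabled/disabled state of each management service."""
    info = {"name": None, "zone": None, "ip": None, "manage": {}}
    m = re.search(r"^Interface (\w+)", text, re.M)
    if m:
        info["name"] = m.group(1)
    m = re.search(r"\bzone (\S+?),", text)
    if m:
        info["zone"] = m.group(1)
    m = re.search(r"\*ip (\S+)", text)
    if m:
        info["ip"] = m.group(1)
    pattern = r"\b(%s)\s+(enabled|disabled)\b" % "|".join(re.escape(s) for s in MANAGE_SERVICES)
    for service, state in re.findall(pattern, text):
        info["manage"][service] = state == "enabled"
    return info


def exposed_services(info, allowed_by_zone=ALLOWED_BY_ZONE):
    """Management services that are enabled but not on the allow-list for the interface's zone."""
    allowed = allowed_by_zone.get(info["zone"], set())
    return sorted(s for s, on in info["manage"].items() if on and s not in allowed)


if __name__ == "__main__":
    for sample in (SAMPLE_ETH3, SAMPLE_ETH3_EXPOSED):
        iface = parse_interface(sample)
        bad = exposed_services(iface)
        print(iface["name"], iface["zone"], iface["ip"], "exposed:", bad or "none")
```

Run it against the real output of `get interface <name>` on each interface after any `set interface ... manage ...` change; an empty result for the Untrust interface is the state the article ends in.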

4.5 Testing:

sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

High-availability test:

Unplug the cable from eth1, run the corresponding tests, and watch the state!

Unplug the eth1 interface of ns-a:

ns-a(M)-> ethernet1 interface change state to Down
Start deactivate session...
2 sessions deactivated

ns-a(I)-> get nsrp

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no      4220080     none myself(inoperable)


login: netscreen
password:
ns-b(M)-> get nsrp

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no       myself     none 4220880(inoperable)

If the eth1 link comes back up, then because preempt mode is enabled the following is observed:

ns-b(B)-> get nsrp
nsrp version: 2.0

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no      4220880   myself

ns-a(M)-> get nsrp

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself  4220080

No packet loss was observed!

If eth3 is disconnected, the same behaviour as above occurs!

If the backup firewall's eth1, eth3 and the heartbeat link eth4 are all disconnected:

ns-a(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id:   4220880, total number of units: 1

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself     none
total number of vsd groups: 1
Total iteration=6917,time=97434286,max=75534,min=5702,average=14086

ns-b(I)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id:   4220080, total number of units: 1

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no         none     none myself(inoperable
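The three `get nsrp` snapshots above (peer inoperable after its monitored interface went down, roles swapped back by preempt, and finally each unit seeing only itself with no master elected) are exactly the states an operator wants to detect from a periodic `get nsrp` poll rather than from user complaints. The following Python is an added example, not part of the original post or of ScreenOS: it parses the cluster header and the VSD-group table of `get nsrp`, reports the local unit's role, and returns the conditions worth alerting on. The samples are constructed in the shape of the article's output, using its unit ids (4220880 for ns-a, 4220080 for ns-b); the expected unit count of 2 is an assumption for this two-node cluster.

```python
import re

# Constructed samples in the shape of the article's `get nsrp` output
# (unit ids 4220880 = ns-a, 4220080 = ns-b). Not captured from a live device.
HEALTHY = """\
cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id:   4220880, ctrl mac: 0019e24067d7, index: 1, unit id:   4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2

VSD group info:
heartbeat lost threshold: 3
group priority preempt holddown inelig   master       PB other members
    0       50 yes            3 no       myself  4220080
total number of vsd groups: 1
"""

PEER_DOWN = HEALTHY.replace(
    "    0       50 yes            3 no       myself  4220080",
    "    0       50 yes            3 no       myself     none 4220080(inoperable)",
)

ISOLATED = """\
cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id:   4220080, total number of units: 1

VSD group info:
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no         none     none myself(inoperable)
"""


def parse_get_nsrp(text):
    """Parse the cluster header and the VSD-group table of ScreenOS `get nsrp`."""
    state = {"cluster_id": None, "local_unit": None, "units": 0, "groups": []}
    in_table = False
    for line in text.splitlines():
        m = re.search(r"cluster id:\s*(\d+)", line)
        if m:
            state["cluster_id"] = int(m.group(1))
        m = re.search(r"local unit id:\s*(\d+)", line)
        if m:
            state["local_unit"] = m.group(1)
        m = re.search(r"total number of units:\s*(\d+)", line)
        if m:
            state["units"] = int(m.group(1))
        if line.startswith("group priority preempt"):
            in_table = True          # next rows are: group priority preempt holddown inelig master PB others...
            continue
        if in_table:
            tok = line.split()
            if len(tok) < 7 or not tok[0].isdigit():
                in_table = False     # table ended
                continue
            state["groups"].append({
                "id": int(tok[0]),
                "priority": int(tok[1]),      # lower value wins the master election
                "preempt": tok[2] == "yes",
                "holddown": int(tok[3]),
                "ineligible": tok[4] == "yes",
                "master": tok[5],
                "backup": tok[6],             # PB = primary backup
                "others": tok[7:],            # remaining members, e.g. "4220080(inoperable)"
            })
    return state


def local_role(state, group_id=0):
    """Role of the unit that printed the output in the given VSD group."""
    for g in state["groups"]:
        if g["id"] != group_id:
            continue
        if g["master"] == "myself":
            return "master"
        if g["backup"] == "myself":
            return "backup"
        if any(m.startswith("myself(inoperable") for m in g["others"]):
            return "inoperable"
        if any(m.startswith("myself") for m in g["others"]):
            return "member"
    return "unknown"


def assess(state, expected_units=2):
    """Conditions an operator should be alerted on, as a list of messages."""
    findings = []
    if state["units"] < expected_units:
        findings.append("only %d of %d cluster units visible (HA link or peer down)"
                        % (state["units"], expected_units))
    for g in state["groups"]:
        gid = g["id"]
        if g["master"] == "none":
            findings.append("vsd-group %d: no master elected" % gid)
        if g["ineligible"]:
            findings.append("vsd-group %d: local unit is ineligible" % gid)
        for m in g["others"]:
            if "inoperable" in m:
                findings.append("vsd-group %d: member %s inoperable (monitored interface down?)"
                                % (gid, m.split("(")[0]))
        if g["master"] != "none" and g["backup"] == "none":
            findings.append("vsd-group %d: no primary backup, master failure is not covered" % gid)
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("peer down", PEER_DOWN), ("isolated", ISOLATED)):
        s = parse_get_nsrp(sample)
        print(name, "-> local role:", local_role(s), "; findings:", assess(s) or "none")
```

Fed the output of `get nsrp` collected from each unit, a non-empty `assess()` result on either side is what should raise a ticket; `local_role()` on both units should never report two masters for the same VSD group.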

4.6 Configuration of the layer-3 switch in the untrust zone:

int vlan 1

ip add 192.168.100.20  255.255.255.0

Note: the switch in the trust zone must have its gateway specified (for the tests)!
