Nsrp实现juniper防火墙的高可用性【HA】!
1.实验拓扑图:
2.ip规划:
eth1 :192.168.101.68/24
eth3 : 192.168.100.10/24
3.设备描述:
trust区域使用的交换机为神州数码DCS-3950S
untrust区域的交换机为H3C的quidwayS3526E
防火墙:Juniper的Netscreen-25
4.设备配置
4.1 第一台防火墙ns-a的配置
login: netscreen
password:
NS-A(M)-> get system
Product Name: NetScreen-25
Serial Number: 0096052007001238, Control Number: 00000000
Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r6.0, Type: Firewall+VPN
Compiled by build_master at: Tue Nov 28 15:14:46 PST 2006
Base Mac: 0019.e240.67d0
File Name: ns50ns25.5.3.0r6.0, Checksum: 966acd5c
Date 11/15/2012 19:45:39, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 51 minutes 30 seconds Since 15Nov2012:18:54:09
Total Device Resets: 48, Last Device Reset at: 11/15/2012 15:21:15
System in NAT/route mode.
NS-A(M)-> exit
login: 0096052007001238
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n] y
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue? y/[n] y
In reset ...
Start deactivate session...
0 sessions deactivated
NetScreen NS-25/50 Boot Loader Version 3.0.0 (Checksum: D1C6421F)
Copyright (c) 1997-2003 NetScreen Technologies, Inc.
Total physical memory: 128MB
Test - Pass
Initialization - Done
ns25-> set hostname ns-a
ns-a-> set interface eth1 ip 192.168.101.68 255.255.255.0
ns-a-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-a-> set int eth4 zone
Null Null zone
Trust Trust zone
Untrust Untrust zone
Self Self zone
Global Global zone
HA HA zone
MGT MGT zone
Untrust-Tun Untrust-Tun zone
v1-Null v1-Null zone
V1-Trust V1-Trust zone
V1-Untrust V1-Untrust zone
DMZ DMZ zone
V1-DMZ V1-DMZ zone
VLAN VLAN zone
ns-a-> set int eth4 zone HA 心跳探测(eth4)
ns-a-> set nsrp cl
cluster config cluster id/name
ns-a-> set nsrp cluster id
<number> NSRP cluster ID (range: 1 - 7)
ns-a-> set nsrp cluster id 1
ns-a(B)-> Unit becomes master of NSRP vsd-group 0
ns-a(M)-> set nsrp vsd-group id 0
ns-a(M)-> set nsrp vsd-group id
<number> vsd group ID (range: 0 - 7) 最多8个故障转移域
ns-a(M)-> set nsrp vsd-group id 0 pr
preempt allow to preempt a lower priority master
priority priority for this vsd group
<return>
ns-a(M)-> set nsrp vsd-group id 0 priority 50
ns-a(M)-> set nsrp vsd-group id 0 preempt
ns-a(M)-> set nsrp vsd-group id 0 monitor inter
interface interface to be monitored 监控端口
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth1
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth3
ns-a(M)-> get config 查看配置
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3
ns-a(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, ctrl mac: 0019e24067d7, index: 1, unit id: 4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no myself none 4220080(inoperable)
ns-a(M)-> save
Save System Configuration ...
Done
4.2 第二台防火墙的配置
先用序列号清除配置!
login: netscreen
password:
ns25-> set hostname ns-b
ns-b-> set int eth1 ip 192.168.101.68 255.255.255.0
ns-b-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-b-> set int eth4 zone HA
ns-b-> set nsrp cluster id 1
ns-b(B)-> set nsrp vsd-group id 0
ns-b(B)-> set nsrp vsd-group id 0 priority 100
ns-b(B)-> set nsrp vsd-group id 0 monitor int eth1
ns-b(B)-> set nsrp vsd-group id 0 monitor int eth3
ns-b(I)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id: 4220080, ctrl mac: 0019e24064b7, index: 1, unit id: 4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 100 no 3 no 4220880 none myself(inoperable)
ns-b(I)-> save
Save System Configuration ...
Done
4.3 神州数码交换机的配置如下:
sw14#show version
DCS-3950S Device, Aug 27 2004 11:14:24
HardWare version is 2.10, SoftWare version is DCNOS-4.1.5, BootRom version is 1.2.1
Copyright (C) 2001-2004 by Digital China Networks Limited.
All rights reserved.
sw14>enable
sw14#config
sw14(Config)#exit
sw14#show running-config
Current configuration:
!
hostname sw14
sw14#config
sw14(Config)#int vlan 1
sw14(Config-If-Vlan1)#ip add 192.168.101.20 255.255.255.0
sw14# ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#show ip route
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived
A - OSPF ASE, B - BGP derived, D - DVMRP derived
Destination Mask Nexthop Interface Preference
C 192.168.101.0 255.255.255.0 0.0.0.0 Vlan1 0
4.4 web方式配置访问策略
在交换机上查看命令的变化
ns-a(M)-> get config
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
在ns-b上查看是否已同步
ns-b(B)-> get config
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
检测配置是否同步?
ns-b(B)-> exec nsrp sync global-config check-sum
ns-b(B)-> configuration in sync
在sw14上做测试:
sw14#ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
发现192.168.100.10 ping不通,发现其ping功能没有开启
查看并开启ping功能:
ns-a(M)-> get interface eth3
Interface ethernet3(VSI):
description ethernet3
number 6, if_info 1248, if_index 0, mode route
link up, phy-link up/full-duplex
vsys Root, zone Untrust, vr trust-vr, vsd 0
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.100.10/24 mac 0010.dbff.2060
*manage ip 192.168.100.10, mac 0019.e240.67d6
route-deny disable
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
band physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
DHCP-Relay disabled
DHCP-server disabled
Number of SW session: 32063, hw sess err cnt 0
ns-a(M)-> set interface eth3 manage ping
4.5 测试:
sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
高可用性测试:
把eth1的线拔掉,进行相应的测试,观看其状态!
把ns-a的eth1接口拔掉:
ns-a(M)-> ethernet1 interface change state to Down
Start deactivate session...
2 sessions deactivated
ns-a(I)-> get nsrp
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no 4220080 none myself(inoperable)
login: netscreen
password:
ns-b(M)-> get nsrp
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 100 no 3 no myself none 4220880(inoperable)
如果eth1的线又好了,由于启动了抢占模式,则观看如下:
ns-b(B)-> get nsrp
nsrp version: 2.0
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 100 no 3 no 4220880 myself
ns-a(M)-> get nsrp
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no myself 4220080
没有出现丢包现象!
如果eth3端开,会出现上面同样的现象!
如果备份防火墙eth1 和 eth3 及心跳线eth4都已断开
ns-a(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, total number of units: 1
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no myself none
total number of vsd groups: 1
Total iteration=6917,time=97434286,max=75534,min=5702,average=14086
ns-b(I)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id: 4220080, total number of units: 1
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 100 no 3 no none none myself(inoperable
4.6 untrust区域内的三层交换机的配置:
int vlan 1
ip add 192.168.100.20 255.255.255.0
注意:trust区域的交换机要指定网关!(测试时)
本文转自 gjp0731 51CTO博客,原文链接:http://blog.51cto.com/guojiping/1061551
Nsrp实现juniper防火墙的高可用性【HA】!相关推荐
- Juniper 防火墙简明配置手册
Juniper SRX防火墙简明配置手册 SRX系列防火墙是Juniper公司基于JUNOS操作系统的安全系列产品,JUNOS集成了路由.交换.安全性和一系列丰富的网络服务.目前Juniper公司的 ...
- Juniper防火墙备份与恢复处理方法
为防止Juniper防火墙设备故障情况下造成网络中断,保障用户业务不间断运行,现针对Juniper防火墙故障情况下的快速恢复做具体描述. 一.设备重启动:Juniper防火墙在工作期间出现运行异常 ...
- 教程篇(7.0) 07. FortiGate基础架构 高可用性(HA) ❀ Fortinet 网络安全专家 NSE 4
在本课中,你将了解FortiGate高可用性(HA)的基础知识以及如何配置它.FortiGate HA提供了提高可靠性和性能的解决方案. 本节课,你将学习上图显示的主题. 通过展示在HA运行模式 ...
- Juniper防火墙丢失ScreenOS的灾难恢复
Juniper的防火墙是一台硬件防火墙,有硬件系统也有软件系统也就是ScreenOS,硬件会出故障软件自然也会出故障,在实际使用中我就碰到过多次Juniper防火墙ScreenOS丢失的情况,大多数情 ...
- Juniper防火墙命令行查错工具snoop的使用
Juniper防火墙命令行查错工具snoop的使用 摘要:Snoop 是Juniper防火墙另外一个有效的查错工具,它和debug flow basic的区别是: snoop类似于在防火墙的接口上抓包 ...
- 集群(cluster)amp;高可用性(HA)概念
1.1 什么是集群 简单的说,集群(cluster)就是一组计算机,它们作为一个整体向用户提供一组网络资源.这些单个的计算机系统就是集群的节点(node).一个理想的集群是,用户从来不会意识到 ...
- Juniper防火墙新手教程8:Juniper防火墙配置的导入及导出
Juniper防火墙的配置文件可以通过多种方法导入导出,以便在防火墙出现故障时进行紧急恢复,因此维护防火墙要养成经常备份配置文件的好习惯.下面看看Juniper防火墙对配置文件可以做的一些操作. 使用 ...
- Juniper防火墙透明模式
最近一个小项目,三台网络设备的上架及配置,只有三台设备还是三个不同的厂商, 客户要求H3C MSR5060路由器放到外面连接Internet和专线,路由器下面接Juniper SSG520防火墙,防火 ...
- Juniper 防火墙session拥堵案例解决
周一的时候一上班接到公司同事告知连接服务器巨慢.我打开防火墙查看日志发现session数量占据超过90%,可能过多的并发session造成了防火墙的拥堵.于是我看是查找问题根源来解决. 首先我用图形界 ...
最新文章
- 整个领域没了!学术界有史以来最大的丑闻
- 电网机巡智能管控平台渗透测试经历
- AdminStudio功能模块与版本信息总结
- MyEclipse 设置字体
- 基于QTcpSocket和QTcpServer的Tcp通讯以及QDataStream序列化数据
- 技术宝典 | NeCodeGen:基于 clang 的源到源转译工具
- 向模态窗体传递参数和获取返回值
- c++ lambda 重载_您会后悔对Lambdas应用重载!
- pythonjson实例_python:JSON的两种常用编解码方式实例解析
- VL53L0x TOF激光测距的 stm32 HAL库驱动代码
- python判断点在直线的哪一侧_判断点在直线的一侧
- linux fdisk 4k,linux查看硬盘4K对齐方法
- Juggling Life and Learning
- DISCUZ!论坛管理员无法登录后台的各种解决方法总结
- dell服务器自动部署,教你DELL服务器提高电源的转化效率,最高效的方式进行电源管理...
- Go语言值不值得学,发展前景怎么样?
- 打开注册表regedit
- 小甲鱼 P61 IO缓冲区
- Optimization Week 4: Duality
- SamSung WLAN AP:RCE漏洞复现
热门文章
- 用sqoop将mysql的数据导入到hive表
- linux中使用gbd进行单布调试
- 最新log4j2 远程代码执行漏洞(紧急扩散)
- Responsive自适应网页设计与ResponsiveColumn自适应列实例
- Activemq MQTT 简单消息推送示例
- mysql sakila world_MySQL 安装示例数据库(employee、world、sakila、menagerie 等)
- Python的pyproject.toml文件中的tool.poetry.dev-dependencies选项
- BootStrap里面好看的背景色
- mysql 行转列 显示_mysql 行转列 (结果集以坐标显示)
- 利用flashback query解决误删除表数据