Nsrp实现juniper防火墙的高可用性【HA】！

1.实验拓扑图：

2.ip规划：

eth1 ：192.168.101.68/24

eth3 : 192.168.100.10/24

3.设备描述：

trust区域使用的交换机为神州数码DCS-3950S

untrust区域的交换机为H3C的quidwayS3526E

防火墙：Juniper的Netscreen-25

4.设备配置

4.1 第一台防火墙ns-a的配置

login: netscreen
password:
NS-A(M)-> get system
Product Name: NetScreen-25
Serial Number: 0096052007001238, Control Number: 00000000
Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r6.0, Type: Firewall+VPN
Compiled by build_master at: Tue Nov 28 15:14:46 PST 2006
Base Mac: 0019.e240.67d0
File Name: ns50ns25.5.3.0r6.0, Checksum: 966acd5c

Date 11/15/2012 19:45:39, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 51 minutes 30 seconds Since 15Nov2012:18:54:09
Total Device Resets: 48, Last Device Reset at: 11/15/2012 15:21:15

System in NAT/route mode.

NS-A(M)-> exit
login: 0096052007001238
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue? y/[n] y
In reset ...
Start deactivate session...
0 sessions deactivated

Total physical memory: 128MB
Test - Pass
Initialization - Done

ns25-> set hostname ns-a
ns-a-> set interface eth1 ip 192.168.101.68 255.255.255.0
ns-a-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-a-> set int eth4 zone
Null                 Null zone
Trust                Trust zone
Untrust              Untrust zone
Self                 Self zone
Global               Global zone
HA                   HA zone
MGT                  MGT zone
Untrust-Tun          Untrust-Tun zone
v1-Null              v1-Null zone
V1-Trust             V1-Trust zone
V1-Untrust           V1-Untrust zone
DMZ                  DMZ zone
V1-DMZ               V1-DMZ zone
VLAN                 VLAN zone
ns-a-> set int eth4 zone HA   心跳探测（eth4）

ns-a-> set nsrp cl
cluster              config cluster id/name
ns-a-> set nsrp cluster id
<number>             NSRP cluster ID (range: 1 - 7)
ns-a-> set nsrp cluster id 1
ns-a(B)-> Unit becomes master of NSRP vsd-group 0

ns-a(M)-> set nsrp vsd-group id 0
ns-a(M)-> set nsrp vsd-group id
<number>             vsd group ID (range: 0 - 7)    最多8个故障转移域
ns-a(M)-> set nsrp vsd-group id 0 pr
preempt              allow to preempt a lower priority master
priority             priority for this vsd group
<return>
ns-a(M)-> set nsrp vsd-group id 0 priority 50
ns-a(M)-> set nsrp vsd-group id 0 preempt
ns-a(M)-> set nsrp vsd-group id 0 monitor inter
interface            interface to be monitored    监控端口
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth1
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth3

ns-a(M)-> get config 查看配置

set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3

ns-a(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, ctrl mac: 0019e24067d7, index: 1, unit id: 4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 3 no myself none 4220080(inoperable)

ns-a(M)-> save
Save System Configuration ...
Done

4.2 第二台防火墙的配置

先用序列号清除配置！

login: netscreen
password:
ns25-> set hostname ns-b
ns-b-> set int eth1 ip 192.168.101.68 255.255.255.0
ns-b-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-b-> set int eth4 zone HA
ns-b-> set nsrp cluster id 1
ns-b(B)-> set nsrp vsd-group id 0
ns-b(B)-> set nsrp vsd-group id 0 priority 100
ns-b(B)-> set nsrp vsd-group id 0 monitor int eth1

ns-b(B)-> set nsrp vsd-group id 0 monitor int eth3

ns-b(I)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id: 4220080, ctrl mac: 0019e24064b7, index: 1, unit id: 4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff
total number of units: 2

ns-b(I)-> save
Save System Configuration ...
Done

4.3 神州数码交换机的配置如下:

sw14#show version
DCS-3950S Device, Aug 27 2004 11:14:24
HardWare version is 2.10, SoftWare version is DCNOS-4.1.5, BootRom version is 1.2.1
Copyright (C) 2001-2004 by Digital China Networks Limited.
All rights reserved.

sw14>enable
sw14#config

sw14(Config)#exit
sw14#show running-config
Current configuration:
!
hostname sw14

sw14#config
sw14(Config)#int vlan 1
sw14(Config-If-Vlan1)#ip add 192.168.101.20 255.255.255.0

Destination Mask Nexthop Interface Preference
C 192.168.101.0 255.255.255.0 0.0.0.0 Vlan1 0

4.4 web方式配置访问策略

在交换机上查看命令的变化

ns-a(M)-> get config

set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

在ns-b上查看是否已同步

ns-b(B)-> get config

set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

检测配置是否同步?

ns-b(B)-> exec nsrp sync global-config check-sum
ns-b(B)-> configuration in sync

在sw14上做测试:

sw14#ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

发现192.168.100.10 ping不通,发现其ping功能没有开启

查看并开启ping功能:

ns-a(M)-> get interface eth3
Interface ethernet3(VSI):
description ethernet3
number 6, if_info 1248, if_index 0, mode route
link up, phy-link up/full-duplex
vsys Root, zone Untrust, vr trust-vr, vsd 0
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.100.10/24   mac 0010.dbff.2060
*manage ip 192.168.100.10, mac 0019.e240.67d6
route-deny disable
pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
band physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
              total allocated gbw 0kbps
DHCP-Relay disabled
DHCP-server disabled
Number of SW session: 32063, hw sess err cnt 0

ns-a(M)-> set interface eth3 manage ping

4.5 测试:

sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

高可用性测试:

把eth1的线拔掉,进行相应的测试,观看其状态!

把ns-a的eth1接口拔掉:

ns-a(M)-> ethernet1 interface change state to Down
Start deactivate session...
2 sessions deactivated

ns-a(I)-> get nsrp

如果eth1的线又好了,由于启动了抢占模式,则观看如下:

ns-b(B)-> get nsrp
nsrp version: 2.0

ns-a(M)-> get nsrp

没有出现丢包现象!

如果eth3端开,会出现上面同样的现象!

如果备份防火墙eth1 和 eth3 及心跳线eth4都已断开

ns-a(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, total number of units: 1

ns-b(I)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id: 4220080, total number of units: 1

4.6 untrust区域内的三层交换机的配置：

int vlan 1

ip add 192.168.100.20 255.255.255.0

注意：trust区域的交换机要指定网关！（测试时）

本文转自 gjp0731 51CTO博客，原文链接:http://blog.51cto.com/guojiping/1061551

Nsrp实现juniper防火墙的高可用性【HA】！相关推荐

Juniper 防火墙简明配置手册
Juniper SRX防火墙简明配置手册 SRX系列防火墙是Juniper公司基于JUNOS操作系统的安全系列产品,JUNOS集成了路由.交换.安全性和一系列丰富的网络服务.目前Juniper公司的 ...
Juniper防火墙备份与恢复处理方法
为防止Juniper防火墙设备故障情况下造成网络中断,保障用户业务不间断运行,现针对Juniper防火墙故障情况下的快速恢复做具体描述. 一.设备重启动:Juniper防火墙在工作期间出现运行异常 ...
教程篇(7.0) 07. FortiGate基础架构高可用性(HA) ❀ Fortinet 网络安全专家 NSE 4
在本课中,你将了解FortiGate高可用性(HA)的基础知识以及如何配置它.FortiGate HA提供了提高可靠性和性能的解决方案. 本节课,你将学习上图显示的主题. 通过展示在HA运行模式 ...
Juniper防火墙丢失ScreenOS的灾难恢复
Juniper的防火墙是一台硬件防火墙,有硬件系统也有软件系统也就是ScreenOS,硬件会出故障软件自然也会出故障,在实际使用中我就碰到过多次Juniper防火墙ScreenOS丢失的情况,大多数情 ...
Juniper防火墙命令行查错工具snoop的使用
Juniper防火墙命令行查错工具snoop的使用摘要:Snoop 是Juniper防火墙另外一个有效的查错工具,它和debug flow basic的区别是: snoop类似于在防火墙的接口上抓包 ...
集群（cluster）amp;高可用性(HA)概念
1.1 什么是集群简单的说,集群(cluster)就是一组计算机,它们作为一个整体向用户提供一组网络资源.这些单个的计算机系统就是集群的节点(node).一个理想的集群是,用户从来不会意识到 ...
Juniper防火墙新手教程8：Juniper防火墙配置的导入及导出
Juniper防火墙的配置文件可以通过多种方法导入导出,以便在防火墙出现故障时进行紧急恢复,因此维护防火墙要养成经常备份配置文件的好习惯.下面看看Juniper防火墙对配置文件可以做的一些操作. 使用 ...
Juniper防火墙透明模式
最近一个小项目,三台网络设备的上架及配置,只有三台设备还是三个不同的厂商, 客户要求H3C MSR5060路由器放到外面连接Internet和专线,路由器下面接Juniper SSG520防火墙,防火 ...
Juniper 防火墙session拥堵案例解决
周一的时候一上班接到公司同事告知连接服务器巨慢.我打开防火墙查看日志发现session数量占据超过90%,可能过多的并发session造成了防火墙的拥堵.于是我看是查找问题根源来解决. 首先我用图形界 ...

Nsrp实现juniper防火墙的高可用性【HA】！

Nsrp实现juniper防火墙的高可用性【HA】！相关推荐

最新文章

热门文章