Juniper Firewall HA Configuration in Detail: Active/Standby (L2 Transparent Mode)
Juniper HA Active/Standby (L2) Transparent Mode Configuration
In practice it is rarely feasible to build a full-mesh topology around an active/standby firewall pair. Juniper firewalls ship with four physical Ethernet ports as standard, so a full-mesh design either needs extra Ethernet interfaces on the firewall (which raises the customer's cost) or subinterfaces on the physical ports (which makes the configuration considerably more complex); most importantly, few customer networks contain as many devices as a full-mesh design assumes.
Active/standby pairs are therefore mostly deployed in moderately redundant network environments.
In this environment the two Cisco 4506 switches are configured for HSRP; the HSRP configuration is attached at the end of the document.
For the F5 configuration, refer to my configuration guide for the F5 link load-balancing device.
The actual environment is as follows:
[Topology diagram not preserved by extraction; only its port labels survived: G2/1, G2/23 and G2/24 on the 4506 switches, and G0/0 and G0/1.]
Commands executed on firewall A
set hostname ISG1000-A
set interface mgt ip 172.16.12.1/24
set interface "ethernet1/4" zone "HA"
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2
Commands executed on firewall B
set hostname ISG1000-B
set interface mgt ip 172.16.12.2/24
set interface "ethernet1/4" zone "HA"
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2
Commands that only need to be executed on either one of the firewalls
set interface "ethernet1/1" zone "V1-Trust"
set interface "ethernet1/2" zone "V1-Untrust"
set policy id 2 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 3 from "V1-UnTrust" to "V1-trust" "Any" "Any" "ANY" permit
Finally, the command that must be executed on both A and B
exec nsrp sync global save
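As an added check that is not part of the original document, the following Python script parses the NSRP lines of the two units above, reports which one should win the VSD-group 0 master election, and flags mismatches that would leave the pair unable to form a cluster or to fail over cleanly. The sample input is constructed from the commands shown above (firewall B differs from A only in hostname and priority).

```python
import re
# Constructed sample input: the NSRP-related lines of the two ISG1000 units above.
FW_A = """set hostname ISG1000-A
set interface "ethernet1/4" zone "HA"
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2"""
FW_B = FW_A.replace("ISG1000-A", "ISG1000-B").replace("priority 10", "priority 100")

def parse_nsrp(config):
    """Pull the failover-relevant NSRP settings out of a ScreenOS 'set' config."""
    s = {"hostname": None, "cluster": None, "priority": 100, "preempt": False,
         "rto_sync": False, "monitor": set(), "ha_if": set()}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r'set hostname (\S+)$', line):
            s["hostname"] = m.group(1)
        elif m := re.match(r'set interface "?([\w/]+)"? zone "?HA"?$', line):
            s["ha_if"].add(m.group(1))
        elif m := re.match(r'set nsrp cluster id (\d+)$', line):
            s["cluster"] = int(m.group(1))
        elif line == "set nsrp rto-mirror sync":
            s["rto_sync"] = True
        elif m := re.match(r'set nsrp vsd-group id 0 priority (\d+)$', line):
            s["priority"] = int(m.group(1))
        elif line == "set nsrp vsd-group id 0 preempt":
            s["preempt"] = True
        elif m := re.match(r'set nsrp vsd-group id 0 monitor interface (\S+)$', line):
            s["monitor"].add(m.group(1))
    return s

def check_pair(cfg_a, cfg_b):
    """Return (expected VSD-group 0 master, findings) for a two-unit NSRP cluster."""
    a, b = parse_nsrp(cfg_a), parse_nsrp(cfg_b)
    findings = []
    if a["cluster"] is None or a["cluster"] != b["cluster"]:
        findings.append("cluster id missing or different: the units will not form a cluster")
    if a["priority"] == b["priority"]:
        findings.append("equal VSD priorities: master election depends on a tie-break")
    if a["monitor"] != b["monitor"]:
        findings.append("monitored interfaces differ: failover triggers are asymmetric")
    for s in (a, b):
        if not s["ha_if"]:
            findings.append(f'{s["hostname"]}: no interface bound to the HA zone')
        if not s["rto_sync"]:
            findings.append(f'{s["hostname"]}: rto-mirror sync off, sessions lost on failover')
        if not s["preempt"]:
            findings.append(f'{s["hostname"]}: preempt off, master will not return after recovery')
    master = a["hostname"] if a["priority"] < b["priority"] else b["hostname"]  # lower value wins
    return master, findings
```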
The device used in this lab environment is the ISG1000, which has a dedicated management interface that makes managing and configuring the device convenient.
For other firewall models without a management interface, refer to the following configuration for management access.
First, configure on the primary firewall
set interface vlan1 ip 192.168.1.254/24    # the management address is only an example
set interface vlan1 manage-ip 192.168.1.1
Configure on the standby firewall
set interface vlan1 ip 192.168.1.254/24    # the management address is only an example
set interface vlan1 manage-ip 192.168.1.2
Configure on either one of the firewalls
set interface vlan1 ip manageable
set interface vlan1 ip manag
set zone V1-Untrust manage
set zone V1-trust manage
Finally, commands that must be executed on both firewalls
set interface vlan1 nsrp manage zone V1-Untrust
set interface vlan1 nsrp manage zone V1-trust
The HSRP configuration of the 4506s is attached here to make testing easier. The primary 4506's configuration also includes an IP SLA check that detects loss of the upstream F5 link; those interested can study the configuration themselves.
Primary 4506 configuration
spanning-tree vlan 1-2,40 priority 0
ip sla 1
icmp-echo 172.16.1.2
frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
vtp mode transparent
vlan 2-4,10
interface Port-channel2
switchport
switchport mode trunk
interface GigabitEthernet1/3
description "Connect to Server_Switch_3750G switch1 port51"
switchport mode trunk
interface GigabitEthernet2/1
description "Connect to Core_FW ISG1000-1 prot eth1/1"
switchport access vlan 2
interface GigabitEthernet2/2
description "Connect to BanGong-Switch port 21"
switchport mode trunk
interface GigabitEthernet2/23
switchport mode trunk
channel-group 2 mode desirable
interface GigabitEthernet2/24
switchport mode trunk
channel-group 2 mode desirable
interface Vlan2
ip address 172.16.1.251 255.255.255.0
standby 2 ip 172.16.1.1
standby 2 priority 99
standby 2 preempt
standby 2 track 1 decrement 30
interface Vlan3
ip address 192.168.10.251 255.255.255.0
standby 3 ip 192.168.10.254
standby 3 priority 99
standby 3 preempt
standby 3 track 1 decrement 30
interface Vlan4
ip address 192.168.11.251 255.255.255.0
standby 4 ip 192.168.11.254
standby 4 priority 99
standby 4 preempt
standby 4 track 1 decrement 30
interface Vlan10
ip address 10.0.4.251 255.255.255.0
standby 10 ip 10.0.4.254
standby 10 priority 99
standby 10 preempt
standby 10 track 1 decrement 30
ip route 0.0.0.0 0.0.0.0 172.16.1.2
Secondary 4506 configuration
spanning-tree vlan 1-2,40 priority 4096
vtp mode transparent
vlan 2-4,10
interface Port-channel2
switchport
switchport mode trunk
interface GigabitEthernet1/3
description "Connect to Server_Switch_3750G switch1 port52"
switchport mode trunk
interface GigabitEthernet2/1
description "Connect to Core_FW ISG1000-2 prot eth1/1"
switchport access vlan 2
interface GigabitEthernet2/2
description "Connect to BanGong-Switch port 22"
switchport mode trunk
interface GigabitEthernet2/23
switchport mode trunk
channel-group 2 mode desirable
interface GigabitEthernet2/24
switchport mode trunk
channel-group 2 mode desirable
interface Vlan2
ip address 172.16.1.252 255.255.255.0
standby 2 ip 172.16.1.1
standby 2 priority 90
standby 2 preempt
interface Vlan3
ip address 192.168.10.252 255.255.255.0
standby 3 ip 192.168.10.254
standby 3 priority 90
standby 3 preempt
interface Vlan4
ip address 192.168.11.252 255.255.255.0
standby 4 ip 192.168.11.254
standby 4 priority 90
standby 4 preempt
interface Vlan10
ip address 10.0.4.252 255.255.255.0
standby 10 ip 10.0.4.254
standby 10 priority 90
standby 10 preempt
ip route 0.0.0.0 0.0.0.0 172.16.1.2