设备直路部署,上下行连接交换机
如
图所示,DeviceA和DeviceB的业务接口都工作在三层,上下行分别连接二层交换机。上行交换机连接运营商的接入点,运营商为企业分配的IP地址为1.1.1.3和1.1.1.4。现在希望DeviceA和DeviceB以负载分担方式工作。正常情况下,DeviceA和DeviceB共同转发流量;当其中一台设备出现故障时,另外一台设备转发全部业务,保证业务不中断。
操作步骤
- 完成网络基本配置。
DeviceA
DeviceB
# 配置DeviceA和DeviceB各接口的IP地址。
<HUAWEI> system-view [HUAWEI] sysname DeviceA [DeviceA] interface 10ge 0/0/1 [DeviceA-10GE0/0/1] ip address 10.2.0.1 24 [DeviceA-10GE0/0/1] quit [DeviceA] interface 10ge 0/0/3 [DeviceA-10GE0/0/3] ip address 10.3.0.1 24 [DeviceA-10GE0/0/3] quit [DeviceA] interface 10ge 0/0/7 [DeviceA-10GE0/0/7] ip address 10.10.0.1 24 [DeviceA-10GE0/0/7] quit
<HUAWEI> system-view [HUAWEI] sysname DeviceB [DeviceB] interface 10ge 0/0/1 [DeviceB-10GE0/0/1] ip address 10.2.0.2 24 [DeviceB-10GE0/0/1] quit [DeviceB] interface 10ge 0/0/3 [DeviceB-10GE0/0/3] ip address 10.3.0.2 24 [DeviceB-10GE0/0/3] quit [DeviceB] interface 10ge 0/0/7 [DeviceB-10GE0/0/7] ip address 10.10.0.2 24 [DeviceB-10GE0/0/7] quit
# 将DeviceA和DeviceB各接口加入相应的安全区域。
[DeviceA] firewall zone untrust [DeviceA-zone-untrust] add interface 10ge 0/0/1 [DeviceA-zone-untrust] quit [DeviceA] firewall zone trust [DeviceA-zone-trust] add interface 10ge 0/0/3 [DeviceA-zone-trust] quit [DeviceA] firewall zone dmz [DeviceA-zone-dmz] add interface 10ge 0/0/7 [DeviceA-zone-dmz] quit
[DeviceB] firewall zone untrust [DeviceB-zone-untrust] add interface 10ge 0/0/1 [DeviceB-zone-untrust] quit [DeviceB] firewall zone trust [DeviceB-zone-trust] add interface 10ge 0/0/3 [DeviceB-zone-trust] quit [DeviceB] firewall zone dmz [DeviceB-zone-dmz] add interface 10ge 0/0/7 [DeviceB-zone-dmz] quit
# 在DeviceA和DeviceB上配置一条缺省路由,下一跳为1.1.1.10,使内网用户的流量可以正常转发至Router。
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
[DeviceB] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
- 配置VRRP备份组。
为了实现负载分担组网需要在每个业务接口上配置两个VRRP备份组,一个设置状态为Active,另一个设置状态为Standby。
DeviceA
DeviceB
# 在DeviceA上行业务接口10GE0/0/1上配置VRRP备份组1,并将其状态设置为Active;配置VRRP备份组2,并将其状态设置为Standby。在DeviceB上行业务接口10GE0/0/1上配置VRRP备份组1,并将其状态设置为Standby;配置VRRP备份组2,并将其状态设置为Active。需要注意的是:如果接口的IP地址与VRRP备份组地址不在同一网段,则配置VRRP备份组地址时需要指定掩码。
[DeviceA] interface 10ge 0/0/1 [DeviceA-10GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 active [DeviceA-10GE0/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 standby [DeviceA-10GE0/0/1] quit
[DeviceB] interface 10ge 0/0/1 [DeviceB-10GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 standby [DeviceB-10GE0/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 active [DeviceB-10GE0/0/1] quit
# 在DeviceA下行业务接口10GE0/0/3上配置VRRP备份组3,并将其状态设置为Active;配置VRRP备份组4,并将其状态设置为Standby。在DeviceB下行业务接口10GE0/0/3上配置VRRP备份组3,并将其状态设置为Standby;配置VRRP备份组4,并将其状态设置为Active。
[DeviceA] interface 10ge 0/0/3 [DeviceA-10GE0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active [DeviceA-10GE0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby [DeviceA-10GE0/0/3] quit
[DeviceB] interface 10ge 0/0/3 [DeviceB-10GE0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby [DeviceB-10GE0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active [DeviceB-10GE0/0/3] quit
- 配置安全策略,允许心跳接口之间交互HRP报文。
| DeviceA | DeviceB |
|---|---|
[DeviceA] security-policy [DeviceA-policy-security] rule name ha_local_to_dmz [DeviceA-policy-security-rule-ha_local_to_dmz] source-zone local dmz [DeviceA-policy-security-rule-ha_local_to_dmz] destination-zone local dmz [DeviceA-policy-security-rule-ha_local_to_dmz] service protocol udp destination-port 18514 [DeviceA-policy-security-rule-ha_local_to_dmz] action permit [DeviceA-policy-security-rule-ha_local_to_dmz] quit [DeviceA-policy-security] quit | [DeviceB] security-policy [DeviceB-policy-security] rule name ha_local_to_dmz [DeviceB-policy-security-rule-ha_local_to_dmz] source-zone local dmz [DeviceB-policy-security-rule-ha_local_to_dmz] destination-zone local dmz [DeviceB-policy-security-rule-ha_local_to_dmz] service protocol udp destination-port 18514 [DeviceB-policy-security-rule-ha_local_to_dmz] action permit [DeviceB-policy-security-rule-ha_local_to_dmz] quit [DeviceB-policy-security] quit |
4. 配置会话快速备份功能,指定心跳口并启用双机热备功能。
| DeviceA | DeviceB |
|---|---|
| # 负载分担组网下,DeviceA和DeviceB都转发流量,为了防止来回路径不一致,需要在两台设备上都配置会话快速备份功能。 | |
[DeviceA] hrp mirror session enable | [DeviceB] hrp mirror session enable |
| # 在DeviceA和DeviceB上指定心跳接口,配置认证密钥,并启用双机热备功能。 | |
[DeviceA] hrp interface 10ge 0/0/7 remote 10.10.0.2 [DeviceA] hrp authentication-key Admin@123 [DeviceA] hrp enable | [DeviceB] hrp interface 10ge 0/0/7 remote 10.10.0.1 [DeviceB] hrp authentication-key Admin@123 [DeviceB] hrp enable |
5. 在DeviceA上配置安全策略。双机热备状态成功建立后,DeviceA的安全策略配置会自动备份到DeviceB上。
# 配置安全策略,允许内网用户访问Internet。
HRP_M[DeviceA] security-policy HRP_M[DeviceA-policy-security] rule name trust_to_untrust HRP_M[DeviceA-policy-security-rule-trust_to_untrust] source-zone trust HRP_M[DeviceA-policy-security-rule-trust_to_untrust] destination-zone untrust HRP_M[DeviceA-policy-security-rule-trust_to_untrust] action permit HRP_M[DeviceA-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24 HRP_M[DeviceA-policy-security-rule-trust_to_untrust] quit HRP_M[DeviceA-policy-security] quit
6. 在DeviceA上配置NAT策略。双机热备状态成功建立后,DeviceA的NAT策略配置会自动备份到DeviceB上。
# 配置NAT策略,当内网用户访问Internet时,将源地址由10.3.0.0/24网段转换为地址池中的地址(1.1.2.5-1.1.2.8)。
HRP_M[DeviceA] nat address-group group1 HRP_M[DeviceA-address-group-group1] section 0 1.1.2.5 1.1.2.8 HRP_M[DeviceA-address-group-group1] quit HRP_M[DeviceA] nat-policy HRP_M[DeviceA-policy-nat] rule name policy_nat1 HRP_M[DeviceA-policy-nat-rule-policy_nat1] source-zone trust HRP_M[DeviceA-policy-nat-rule-policy_nat1] destination-zone untrust HRP_M[DeviceA-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24 HRP_M[DeviceA-policy-nat-rule-policy_nat1] action source-nat address-group group1 HRP_M[DeviceA-policy-nat-rule-policy_nat1] quit HRP_M[DeviceA-policy-nat] quit
# 对于双机热备的负载分担组网,为了防止两台设备进行NAT转换时端口冲突,需要在DeviceA和DeviceB上分别配置可用的端口范围。在DeviceA上进行如下配置:
HRP_M[DeviceA] hrp nat resource primary-group
DeviceA配置此命令后,DeviceB上会自动备份此命令,并转换成hrp nat resource secondary-group命令。
7. 配置Switch和PC。
a.分别将两台Switch的三个接口加入同一个VLAN,具体配置命令请参考交换机的相关文档。
b. 在内网的部分PC上将VRRP备份组3的地址10.3.0.3设置为默认网关,在内网的另一部分PC上将VRRP备份组4的地址10.3.0.4设置为默认网关,从而实现内网流量的负载分担。
8. 配置Router。
在Router上配置到NAT地址池的等价路由,路由下一跳分别指向VRRP备份组1和VRRP备份组2的虚拟IP地址。
