1. Network requirements
The company uses Device as its network perimeter security device, connecting the internal network to the Internet. To improve service availability, two Devices are deployed as an HA pair. Both Devices must process traffic at the same time, increasing processing capacity, but if Device A or its link fails, Device B must take over Device A's work so that services are not interrupted. Dynamic NAT must also be configured on the Devices so that internal users can reach the Internet; the company has 20 public IPv4 addresses.
3. Configuration steps
(1) Configure the dual-active HA environment
# Two Devices form an HA pair and both process traffic at the same time to increase processing capacity; if Device A or its link fails, Device B takes over Device A's work so that services are not interrupted.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 10.2.1.2
[DeviceA-remote-backup-group] local-ip 10.2.1.1
[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3 HA
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] hot-backup enable
RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12
RBM_P[DeviceA-remote-backup-group] delay-time 1
backup-mode dual-active sets the working mode of the RBM (Remote Backup Management) hot backup group to dual-active. In this mode both devices forward traffic at the same time and share the load; when one device or its link fails, the other takes over its share, so services continue without interruption. Two details in this step matter for that promise: hot-backup enable is what replicates session state (including NAT sessions) between the two devices, so that existing sessions survive a switchover instead of being torn down; and the DeviceA running configuration under (4) also carries track interface GigabitEthernet1/0/1 and track interface GigabitEthernet1/0/2 under remote-backup group, which tie the RBM switchover to the state of the uplink and downlink. Those tracking entries are what the link-failure case in section 1 depends on, so add them here even though they were not typed above.
# VRRP configuration script (display this on GigabitEthernet1/0/1, the uplink to the Internet)
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 vrrp vrid 2 virtual-ip 2.1.1.4 standby
 nat outbound address-group 1
 manage ping inbound
 manage ping outbound
#
return
RBM_P[DeviceA-GigabitEthernet1/0/1] interface gigabitethernet 1/0/2
RBM_P[DeviceA-GigabitEthernet1/0/2] display this
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.1.3 active
 vrrp vrid 4 virtual-ip 10.1.1.4 standby
 manage ping inbound
 manage ping outbound
#
# Test: confirm that the HA pair is up before continuing (the verification commands are listed under (4) Test).
(2) Configure dynamic NAT
In this configuration example the NAT settings only need to be entered on the primary device, Device A; with configuration auto-sync enable from step (1), Device A's NAT configuration is synchronized automatically to the secondary device, Device B. Check the result on Device B afterwards rather than assuming it (the DeviceB running configuration under (4) is where to look).
# Configure NAT address group 1 with member addresses 2.1.1.5 through 2.1.1.7 and bind it to VRRP group 1.
RBM_P<DeviceA> system-view
RBM_P[DeviceA] nat address-group 1
RBM_P[DeviceA-address-group-1] address 2.1.1.5 2.1.1.7
RBM_P[DeviceA-address-group-1] vrrp vrid 1
RBM_P[DeviceA-address-group-1] quit
# Configure NAT address group 2 with member addresses 2.1.1.8 through 2.1.1.10 and bind it to VRRP group 2.
RBM_P[DeviceA] nat address-group 2
RBM_P[DeviceA-address-group-2] address 2.1.1.8 2.1.1.10
RBM_P[DeviceA-address-group-2] vrrp vrid 2
RBM_P[DeviceA-address-group-2] quit
# Configure ACL 3000 to permit only packets from 10.1.1.0/25 and ACL 3001 to permit only packets from 10.1.1.128/25. The wildcard 0.0.0.127 ignores the low 7 bits of the address, so writing 10.1.1.1 0.0.0.127 (as in the original lab) selects the same block as 10.1.1.0 0.0.0.127; the device stores the normalized form, which is what the running configuration under (4) shows.
RBM_P[DeviceA] acl advanced 3000
RBM_P[DeviceA-ipv4-adv-3000] rule permit ip source 10.1.1.0 0.0.0.127
RBM_P[DeviceA-ipv4-adv-3000] quit
RBM_P[DeviceA] acl advanced 3001
RBM_P[DeviceA-ipv4-adv-3001] rule permit ip source 10.1.1.128 0.0.0.127
RBM_P[DeviceA-ipv4-adv-3001] quit
# Configure outbound dynamic NAT on the interface: packets matching ACL 3000 have their source address translated to an address from address group 1, packets matching ACL 3001 to an address from address group 2, and port information is used in the translation (PAT) in both cases. This split is what makes dual-active mode carry load on both devices: address group 1 follows VRRP group 1 (active on Device A) and address group 2 follows VRRP group 2 (active on Device B). For the load to actually be shared, hosts in 10.1.1.0/25 should use 10.1.1.3 (VRRP group 3, active on Device A) as their gateway and hosts in 10.1.1.128/25 should use 10.1.1.4 (VRRP group 4, active on Device B); that host-side setting is not part of the device configuration shown here. A bare nat outbound address-group 1 with no ACL, as in the captured running configuration under (4), translates every inside host through address group 1 and leaves address group 2 idle.
RBM_P[DeviceA] interface gigabitethernet 1/0/1
RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound 3000 address-group 1
RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound 3001 address-group 2
RBM_P[DeviceA-GigabitEthernet1/0/1] quit
DeviceA NAT+ACL script. The address ranges below are the ones the lab devices actually hold (compare the DeviceB running configuration under (4)); they differ from the 2.1.1.5-2.1.1.7 and 2.1.1.8-2.1.1.10 ranges typed in step (2), so use whichever matches the public block you have been allocated.
#
nat address-group 1
 address 2.1.1.10 2.1.1.20
 vrrp vrid 1
#
nat address-group 2
 address 2.1.1.21 2.1.1.30
 vrrp vrid 2
#
acl advanced 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.127
#
acl advanced 3001
 rule 0 permit ip source 10.1.1.128 0.0.0.127
#
interface GigabitEthernet1/0/1
 nat outbound 3000 address-group 1
 nat outbound 3001 address-group 2
#
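Because the lab ended with a running configuration that does not match the intent of step (2) (a bare nat outbound address-group 1 on GigabitEthernet1/0/1 instead of the two ACL-based rules), here is an added offline consistency check written for this page; it is not H3C code or any vendor tool. It parses a trimmed, constructed copy of the DeviceA configuration modelled on the captures under (4), computes the inside ranges from the ACL wildcard masks (which is why 10.1.1.1 0.0.0.127 and 10.1.1.0 0.0.0.127 are the same rule), and reports the wiring errors a dual-active NAT pair can have: an outbound rule with no ACL, an address group that no rule uses or that is bound to a VRRP group no interface configures, and overlapping public pools or inside ranges. The only configuration syntax it understands is the subset that appears on this page (nat address-group, acl advanced, interface blocks separated by # lines); the sample text and the DEVICE_A_CONFIG_FIXED variant are constructed, not device captures.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: trimmed DeviceA running configuration as captured in the lab above,
# with the bare "nat outbound address-group 1" (no ACL) on the uplink interface.
DEVICE_A_CONFIG = """\
nat address-group 1
 address 2.1.1.10 2.1.1.20
 vrrp vrid 1
#
nat address-group 2
 address 2.1.1.21 2.1.1.30
 vrrp vrid 2
#
interface GigabitEthernet1/0/1
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 vrrp vrid 2 virtual-ip 2.1.1.4 standby
 nat outbound address-group 1
#
acl advanced 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.127
#
acl advanced 3001
 rule 0 permit ip source 10.1.1.128 0.0.0.127
"""
# The same configuration with the two ACL-based outbound rules of step (2).
DEVICE_A_CONFIG_FIXED = DEVICE_A_CONFIG.replace(" nat outbound address-group 1\n",
    " nat outbound 3000 address-group 1\n nat outbound 3001 address-group 2\n")

def _ip(text):
    return int(IPv4Address(text))

def wildcard_range(ip, wildcard):
    """(lo, hi) for a Comware 'source IP WILDCARD' pair. Set wildcard bits are don't-care,
    so 10.1.1.1 0.0.0.127 and 10.1.1.0 0.0.0.127 both mean 10.1.1.0-10.1.1.127."""
    w = _ip(wildcard)
    if (w + 1) & w:  # only contiguous wildcards describe a single range
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    lo = (_ip(ip) & ~w) & 0xFFFFFFFF
    return lo, lo | w

def parse_blocks(text):
    """Split a running configuration into (header, body lines) at the '#' separator lines."""
    blocks = []
    for chunk in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def parse_config(text):
    """Extract NAT address groups, NAT ACL source ranges, VRRP groups and outbound rules."""
    cfg = {"groups": {}, "acls": {}, "vrids": {}, "outbound": []}
    for header, body in parse_blocks(text):
        if m := re.match(r"nat address-group (\d+)$", header):
            group = {"range": None, "vrid": None}
            for line in body:
                if a := re.match(r"address (\S+) (\S+)$", line):
                    group["range"] = (_ip(a.group(1)), _ip(a.group(2)))
                elif v := re.match(r"vrrp vrid (\d+)$", line):
                    group["vrid"] = int(v.group(1))
            cfg["groups"][int(m.group(1))] = group
        elif m := re.match(r"acl advanced (\d+)$", header):
            cfg["acls"][int(m.group(1))] = [
                wildcard_range(r.group(1), r.group(2)) for line in body
                if (r := re.match(r"rule (?:\d+ )?permit ip source (\S+) (\S+)$", line))]
        elif header.startswith("interface "):
            for line in body:
                if v := re.match(r"vrrp vrid (\d+) virtual-ip \S+ (active|standby)$", line):
                    cfg["vrids"][int(v.group(1))] = v.group(2)
                elif n := re.match(r"nat outbound(?: (\d+))? address-group (\d+)$", line):
                    cfg["outbound"].append((int(n.group(1)) if n.group(1) else None, int(n.group(2))))
    return cfg

def _overlaps(ranges):
    """One finding per pair of (range, label) entries whose ranges intersect."""
    return [f"{na} ({IPv4Address(a[0])}-{IPv4Address(a[1])}) overlaps {nb}"
            for i, (a, na) in enumerate(ranges) for b, nb in ranges[i + 1:]
            if a[0] <= b[1] and b[0] <= a[1]]

def check_config(text):
    """Return a list of findings; an empty list means the NAT/HA wiring is consistent."""
    cfg = parse_config(text)
    findings, used = [], set()
    for acl, gid in cfg["outbound"]:
        used.add(gid)
        if gid not in cfg["groups"]:
            findings.append(f"nat outbound references missing address-group {gid}")
        if acl is None:
            findings.append(f"nat outbound address-group {gid} has no ACL: every inside host is "
                            f"translated by group {gid}, so the other pool carries no load")
        elif acl not in cfg["acls"]:
            findings.append(f"nat outbound references missing ACL {acl}")
    for gid, group in cfg["groups"].items():
        if group["vrid"] is None:
            findings.append(f"address-group {gid} is not bound to a VRRP group (it will not follow a failover)")
        elif group["vrid"] not in cfg["vrids"]:
            findings.append(f"address-group {gid} is bound to VRRP group {group['vrid']}, which no interface configures")
        if gid not in used:
            findings.append(f"address-group {gid} is never referenced by a nat outbound rule")
    # Public pools must be disjoint, and so must the inside ranges selected by the NAT ACLs.
    pools = [(g["range"], f"address-group {gid}") for gid, g in cfg["groups"].items() if g["range"]]
    inside = [(rng, f"ACL {acl}") for acl, _ in cfg["outbound"] if acl in cfg["acls"] for rng in cfg["acls"][acl]]
    return findings + _overlaps(pools) + _overlaps(inside)
```

Run check_config on the text of display current-configuration from each device: on the captured DeviceA configuration it reports that the outbound rule has no ACL and that address group 2 is never used, and on the corrected configuration it reports nothing. Run it against both devices' captures, since configuration sync can lag or fail and the two dumps on this page do not fully agree.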
(4) Test
# Confirm that the RBM group is up, that the two devices agree on their roles (primary/secondary) and that configuration synchronization has completed.
RBM_P[DeviceA] display remote-backup-group status
# No OSPF is configured in this lab (routing is a static default route, ip route-static 0.0.0.0 0 2.1.1.254, as the running configuration below shows), so display ospf interface has nothing useful to show here.
RBM_P[DeviceA] display ospf interface
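The verification sequence below is an added example for this page, not part of the original lab log. The commands are standard Comware display commands; the expected states are inferred from the VRRP and NAT configuration in steps (1) and (2), and the host addresses used for the traffic test are assumed.

```text
# 1. HA state, on both devices: roles must be primary/secondary and the data channel up.
RBM_P[DeviceA] display remote-backup-group status
# 2. VRRP, on both devices: each VRID must be Master on exactly one device. With the
#    configuration above, VRID 1 and 3 are Master on DeviceA and VRID 2 and 4 on DeviceB.
#    If both devices show Master for the same VRID the pair is split; check the data
#    channel (GigabitEthernet1/0/3, 10.2.1.1 <-> 10.2.1.2) first.
RBM_P[DeviceA] display vrrp
# 3. NAT pools and rules: both address groups must exist, each bound to its VRRP group,
#    and the uplink must carry the two ACL-based rules. A bare "nat outbound
#    address-group 1" translates every inside host through pool 1 and leaves pool 2 idle.
RBM_P[DeviceA] display nat address-group
RBM_P[DeviceA] display nat outbound
# 4. Traffic: from one host in 10.1.1.0/25 (gateway 10.1.1.3) and one in 10.1.1.128/25
#    (gateway 10.1.1.4), reach the Internet, then confirm the sessions are translated to
#    an address from group 1 and group 2 respectively. With hot-backup enable the same
#    sessions should also be present on the peer device.
RBM_P[DeviceA] display nat session
# 5. Failover: shut down GigabitEthernet1/0/1 on DeviceA (or pull the cable) and repeat
#    steps 2 and 4; all four VRIDs should now be Master on DeviceB and the sessions from
#    step 4 should continue rather than being re-established.
```

Run steps 2 to 4 on DeviceB as well; a configuration that is only correct on the primary is exactly the failure mode that dual-active HA is supposed to remove.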
Scripts: running configuration captured on each device. Note that the two captures do not fully agree: DeviceA shows configuration sync-check interval 13 where DeviceB and step (1) show 12, DeviceA's remote-backup group carries track interface entries that DeviceB's does not, and DeviceA's capture lists only nat address-group 1 (the capture also starts without the version and sysname header, so it is truncated at the top). In both captures GigabitEthernet1/0/1 carries a bare nat outbound address-group 1 rather than the two ACL-based rules of step (2), which is the state the consistency check above flags.
RBM_P<DeviceA> display current-configuration
#
nat address-group 1
address 2.1.1.10 2.1.1.20
vrrp vrid 1
#
remote-backup group
backup-mode dual-active
data-channel interface GigabitEthernet1/0/3
configuration sync-check interval 13
delay-time 1
track interface GigabitEthernet1/0/1
track interface GigabitEthernet1/0/2
local-ip 10.2.1.1
remote-ip 10.2.1.2
device-role primary
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 2.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 2.1.1.3 active
vrrp vrid 2 virtual-ip 2.1.1.4 standby
nat outbound address-group 1
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.1.1.1 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.1.3 active
vrrp vrid 4 virtual-ip 10.1.1.4 standby
manage ping inbound
manage ping outbound
return
RBM_P<DeviceA>
RBM_P<DeviceB> display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname DeviceB
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1
address 2.1.1.10 2.1.1.20
vrrp vrid 1
#
nat address-group 2
address 2.1.1.21 2.1.1.30
vrrp vrid 2
#
remote-backup group
backup-mode dual-active
data-channel interface GigabitEthernet1/0/3
configuration sync-check interval 12
local-ip 10.2.1.2
remote-ip 10.2.1.1
device-role secondary
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 2.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 2.1.1.3 standby
vrrp vrid 2 virtual-ip 2.1.1.4 active
nat outbound address-group 1
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.1.1.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.1.3 standby
vrrp vrid 4 virtual-ip 10.1.1.4 active
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 2.1.1.254
#
acl advanced 3000
rule 0 permit ip source 10.1.1.0 0.0.0.127
#
acl advanced 3001
rule 0 permit ip source 10.1.1.128 0.0.0.127
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
return
RBM_P<DeviceB>