RBM (VRRP HA ACL NAT) comprehensive hands-on lab


1. Networking requirements

The company uses Device as its network-boundary security device, connecting the internal network to the Internet. To improve service stability, two Devices are deployed in an HA setup in which both process traffic at the same time, increasing processing capacity. When Device A or its link fails, Device B takes over Device A's work so that services are not interrupted. Dynamic NAT also needs to be configured on the Devices so that internal users can reach the Internet; the company has 20 public IPv4 addresses.


3. Configuration steps

(1) Configure the dual-active HA network

# Deploy two Devices in HA so that both process traffic simultaneously, increasing processing capacity; when Device A or its link fails, Device B takes over so that services are not interrupted.


[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 10.2.1.2
[DeviceA-remote-backup-group] local-ip 10.2.1.1
[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3 HA
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] backup-mode dual-active
RBM_P[DeviceA-remote-backup-group] hot-backup enable
RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12
RBM_P[DeviceA-remote-backup-group] delay-time 1

The backup-mode dual-active command, entered in remote-backup group view, sets the working mode of hot standby (Redundancy Backup Management, RBM) to dual-active. In this mode both devices process service traffic at the same time, sharing the load and increasing processing capacity. The configuration is typically used in high-availability networks so that when one device or its link fails, the other takes over seamlessly and services are not interrupted.


# VRRP configuration (display this output for the two interfaces on Device A)
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 vrrp vrid 2 virtual-ip 2.1.1.4 standby
 nat outbound address-group 1
 manage ping inbound
 manage ping outbound
#
return
RBM_P[DeviceA-GigabitEthernet1/0/1]int g1/0/2
RBM_P[DeviceA-GigabitEthernet1/0/2]display this
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.1.3 active
 vrrp vrid 4 virtual-ip 10.1.1.4 standby
 manage ping inbound
 manage ping outbound
#


Testing


(2) Configure dynamic NAT

In this example, NAT only needs to be configured on the primary management device, Device A; the NAT configuration on Device A is automatically synchronized to the secondary management device, Device B.

# Configure NAT address group 1 with member addresses 2.1.1.5 through 2.1.1.7 and bind it to VRRP group 1.

RBM_P<DeviceA> system-view
RBM_P[DeviceA] nat address-group 1
RBM_P[DeviceA-address-group-1] address 2.1.1.5 2.1.1.7
RBM_P[DeviceA-address-group-1] vrrp vrid 1
RBM_P[DeviceA-address-group-1] quit

# Configure NAT address group 2 with member addresses 2.1.1.8 through 2.1.1.10 and bind it to VRRP group 2.

RBM_P[DeviceA] nat address-group 2
RBM_P[DeviceA-address-group-2] address 2.1.1.8 2.1.1.10
RBM_P[DeviceA-address-group-2] vrrp vrid 2
RBM_P[DeviceA-address-group-2] quit

# Configure ACL 3000 to permit only packets from the 10.1.1.1/25 segment, and ACL 3001 to permit only packets from the 10.1.1.129/25 segment.

RBM_P[DeviceA] acl advanced 3000
RBM_P[DeviceA-ipv4-adv-3000] rule permit ip source 10.1.1.1 0.0.0.127
RBM_P[DeviceA-ipv4-adv-3000] quit
RBM_P[DeviceA] acl advanced 3001
RBM_P[DeviceA-ipv4-adv-3001] rule permit ip source 10.1.1.129 0.0.0.127
RBM_P[DeviceA-ipv4-adv-3001] quit

# Configure outbound dynamic NAT on the interface: translate the source addresses of packets matching ACL 3000 using the IPv4 addresses in address group 1, and those matching ACL 3001 using the addresses in address group 2, using port information (PAT) in both cases.

RBM_P[DeviceA] interface gigabitethernet 1/0/1
RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound 3000 address-group 1
RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound 3001 address-group 2
RBM_P[DeviceA-GigabitEthernet1/0/1] quit

Device A NAT + ACL script (the address-group header and the second nat outbound line are corrected here: the address and vrrp lines belong to nat address-group 2, and ACL 3001 maps to address group 2 as in the steps above)

nat address-group 2
 address 2.1.1.21 2.1.1.30
 vrrp vrid 2
 quit
#
acl advanced 3000
 rule permit ip source 10.1.1.1 0.0.0.127
 quit
#
acl advanced 3001
 rule permit ip source 10.1.1.129 0.0.0.127
 quit
#
interface GigabitEthernet1/0/1
 nat outbound 3000 address-group 1
 nat outbound 3001 address-group 2
 quit
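Before trusting a dual-active pair, it is worth checking the two properties the HA section and the NAT/ACL section above rely on: every VRRP group must be active on exactly one device and standby on the other, each NAT address group must be bound to a VRRP group that exists, and the two ACL source ranges must be disjoint. The following Python script is an added example, not part of the original page or of any H3C tooling; it parses constructed excerpts of the running configurations shown on this page (the names CFG_A, CFG_B, ha_findings and acl_networks are chosen here) and also normalizes Comware wildcard-mask rules, which is why the device redisplays "source 10.1.1.1 0.0.0.127" as "source 10.1.1.0 0.0.0.127".

```python
import ipaddress
import re

# Constructed excerpt of DeviceA's running config from the page (only the lines the
# checks need); DeviceB's excerpt is the same text with the VRRP roles swapped.
CFG_A = """nat address-group 1
 address 2.1.1.10 2.1.1.20
 vrrp vrid 1
interface GigabitEthernet1/0/1
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 vrrp vrid 2 virtual-ip 2.1.1.4 standby
acl advanced 3000
 rule 0 permit ip source 10.1.1.1 0.0.0.127
acl advanced 3001
 rule 0 permit ip source 10.1.1.129 0.0.0.127"""
CFG_B = CFG_A.replace("active", "@").replace("standby", "active").replace("@", "standby")

VRRP = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip \S+ (active|standby)$", re.M)
GROUP = re.compile(r"^nat address-group (\d+)\n address \S+ \S+\n vrrp vrid (\d+)", re.M)
RULE = re.compile(r"^\s*rule \d+ permit ip source (\S+) (\S+)$", re.M)

def vrrp_roles(cfg):
    """vrid -> 'active' | 'standby' as configured on one device."""
    return {int(v): r for v, r in VRRP.findall(cfg)}

def ha_findings(cfg_a, cfg_b):
    """Dual-active RBM needs every vrid active on one device and standby on the
    other, and every NAT address group bound to a vrid that actually exists."""
    a, b = vrrp_roles(cfg_a), vrrp_roles(cfg_b)
    out = []
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            out.append(f"vrid {vrid}: configured on one device only")
        elif a[vrid] == b[vrid]:
            out.append(f"vrid {vrid}: {a[vrid]} on both devices")
    for name, cfg, roles in (("A", cfg_a, a), ("B", cfg_b, b)):
        for gid, vrid in GROUP.findall(cfg):
            if int(vrid) not in roles:
                out.append(f"Device{name}: address-group {gid} bound to unknown vrid {vrid}")
    return out

def acl_networks(cfg):
    """Comware wildcard masks: 1 bits are don't-care (contiguous masks assumed), so
    '10.1.1.1 0.0.0.127' is the '10.1.1.0 0.0.0.127' the device redisplays: 10.1.1.0/25."""
    nets = []
    for addr, wild in RULE.findall(cfg):
        w = int(ipaddress.IPv4Address(wild))
        base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
        nets.append(ipaddress.IPv4Network((base, 32 - w.bit_length())))
    return nets
```

Running ha_findings on a device against a copy of itself reports both groups as active or standby on both sides, which is the split-brain or no-backup state an RBM pair must never be left in.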

(4) Testing

RBM_P[DeviceA] display remote-backup-group status
RBM_P[DeviceA] display ospf interface

Configuration scripts (display current-configuration on both devices)

RBM_P<DeviceA>display  current-configuration
#
nat address-group 1
 address 2.1.1.10 2.1.1.20
 vrrp vrid 1 
#
remote-backup group
 backup-mode dual-active
 data-channel interface GigabitEthernet1/0/3
 configuration sync-check interval 13
 delay-time 1
 track interface GigabitEthernet1/0/1
 track interface GigabitEthernet1/0/2
 local-ip 10.2.1.1
 remote-ip 10.2.1.2
 device-role primary
#
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 active
 vrrp vrid 2 virtual-ip 2.1.1.4 standby
 nat outbound address-group 1
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.1.3 active
 vrrp vrid 4 virtual-ip 10.1.1.4 standby
 manage ping inbound
 manage ping outbound
return
RBM_P<DeviceA>
RBM_P<DeviceB>display  current-configuration
#
 version 7.1.064, Alpha 7164
#
 sysname DeviceB
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
nat address-group 1
 address 2.1.1.10 2.1.1.20
 vrrp vrid 1 
#
nat address-group 2
 address 2.1.1.21 2.1.1.30
 vrrp vrid 2 
#
remote-backup group
 backup-mode dual-active
 data-channel interface GigabitEthernet1/0/3
 configuration sync-check interval 12
 local-ip 10.2.1.2
 remote-ip 10.2.1.1
 device-role secondary
#
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 2.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 2.1.1.3 standby
 vrrp vrid 2 virtual-ip 2.1.1.4 active
 nat outbound address-group 1
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.1.3 standby
 vrrp vrid 4 virtual-ip 10.1.1.4 active
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/4
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/6
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/7
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/8
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/9
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/10
 port link-mode route
 combo enable copper
#              
interface GigabitEthernet1/0/11
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/12
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/13
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/14
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/15
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/16
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/17
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/18
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/19
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/20
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/21
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/22
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
 import interface GigabitEthernet1/0/1
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
#
line vty 5 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 2.1.1.254
#              
acl advanced 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.127
#
acl advanced 3001
 rule 0 permit ip source 10.1.1.128 0.0.0.127
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#              
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
 service-type telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 ip http enable
 ip https enable
#
return
RBM_P<DeviceB>