Eudemon1000EU3双机热备配置指导.docx (DOCX, 17 pages, 46.24 KB, uploaded 2023-05-02)
Eudemon1000E-U3 Dual-Device Hot Standby (HRP) Deployment Plan

I. Pre-cutover preparation

1.1 Logging in to the device

By default the Eudemon authenticates Console-port logins through AAA with user name admin and password Admin@123. That is the factory default; change it before the cutover so the pair does not go into production with a well-known credential.

1.2 Back up the old configuration file

# Check which configuration file is loaded at startup

display startup
 10:21:10 2014/03/07
 Configed startup system software:          flash:/usg5000.bin
 Startup system software:                   flash:/usg5000.bin
 Next startup system software:              flash:/usg5000.bin
 Startup saved-configuration file:          flash:/a.cfg
 Next startup saved-configuration file:     flash:/a.cfg

# Save the running configuration under a name different from the loaded file, so it can be restored quickly if the cutover fails

save 20140307.cfg

# List the files on the storage device

dir
 10:26:54 2014/03/07
 Directory of flash:/

 0  -rw-  18224900  Jul 01 2007 00:03:49  usg5000.bin
 1  -rw-       339  Mar 31 2010 16:54:49  flashinfo.fls
 2  -rw-       771  Mar 31 2010 16:55:15  license.txt
 7  -rw-      3523  Mar 07 2014 08:15:41  a.cfg
 8  -rw-      3523  Mar 07 2014 10:26:47  20140307.cfg

The backup 20140307.cfg is the same size as a.cfg, as expected for a copy of the running configuration. It sits on the same flash as the original, so also copy it off the box before the cutover; a backup that disappears with the device is no backup.

1.3 System management commands

# Set the configuration file the device loads at next startup

startup saved-configuration configuration-filename

startup saved-configuration 20140307.cfg    // load 20140307.cfg at startup

Viewing configuration file information:

# Files used at device startup
display startup

# Files on the storage device
dir [ /all ] [ filename ]

# Running configuration
display current-configuration

II. Scheme overview

The Eudemon1000E-U3 pair runs in composite mode, with HRP hot standby configured between the two firewalls. On the Trust side an IP-link probe checks that the GU IP address is reachable, and the Trust and Untrust interfaces are tied together in a link-group. On the Untrust side the Layer 3 interfaces run VRRP. The heartbeat runs through the switch side and is protected by an Eth-Trunk. VRRP/HRP switch over on the basis of the IP-link result and the interface state.

The GU active and standby boards run BFD (echo mode) against the real IP addresses of the Eudemon Trust-side interfaces and switch active/standby on the BFD state. The default route from the active/standby boards toward the base-station side uses the Eudemon Trust-side real IP as next hop. This differs from the earlier design, in which the GU used the same next-hop IP on both boards.

On the CMNET side VRRP runs between the Layer 3 interfaces of the two devices, and the heartbeat runs between the two switches.

III. Deployment

3.1 Set the firewall mode

# Query the firewall mode

[Eudemon-A] display firewall mode
 14:10:44 2014/03/07
 firewall mode composite              // composite (混合) mode
 firewall mode composite if reboot    // mode in effect after the next reboot

# If the mode is not composite, set it, save the configuration and reboot

[Eudemon-A] firewall mode composite

# Version information

[Eudemon-A] display version
 14:16:43 2014/03/07
 Huawei Versatile Routing Platform Software
 Software Version: Eudemon1000E V100R002C01SPC008 (VRP (R) Software, Version 3.30)
 Copyright (C) 2008-2009 Huawei Technologies Co., Ltd.
 Quidway Eudemon1000E-U3 uptime is 0 week, 0 day, 6 hours, 11 minutes

 RPU's Version Information:
 2048M bytes SDRAM
 64M bytes FLASH
 128K bytes NVRAM
 PCB Version: VER.B
 RPE Logic Version: 005B
 SmallBootROM Version: 025 Oct 12 2009
 BigBootROM Version: 035 Sep 29 2009

3.2 Data plan

Device      Interface               IP address          Virtual IP address
Eudemon-A   GigabitEthernet0/0/0    2.2.2.2/24          2.2.2.1/24
            GigabitEthernet0/0/3    10.10.216.137/24    /
            Eth-Trunk1              15.15.15.2/24       15.15.15.3/24
Eudemon-B   GigabitEthernet0/0/0    2.2.2.4/24          2.2.2.1/24
            GigabitEthernet0/0/3    10.10.216.138/24    /
            Eth-Trunk1              15.15.15.1/24       15.15.15.3/24
GU          /                       10.10.216.38/24     /
CMNET       /                       /                   2.2.2.10/24

3.3 Eudemon-A configuration

3.3.1 Upstream and downstream interfaces; VRRP on the Untrust side; add interfaces to security zones

interface GigabitEthernet0/0/0
 ip address 2.2.2.2 255.255.255.0
 vrrp vrid 10 virtual-ip 2.2.2.1 master    // "master": the group joins the VGMP master group, so Eudemon-A holds the virtual IP while its HRP state is MASTER
#
interface GigabitEthernet0/0/3
 ip address 10.10.216.137 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/0
#

3.3.2 Enable HRP and configure the heartbeat link

interface Eth-Trunk1
#
firewall zone dmz
 add interface Eth-Trunk1
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface Eth-Trunk1
 ip address 15.15.15.2 255.255.255.0
 vrrp vrid 15 virtual-ip 15.15.15.3 master
#
hrp interface Eth-Trunk1
hrp enable
#

The heartbeat carries configuration and session synchronization between the two firewalls. Since it runs through the switches rather than over a direct cable, keep the Eth-Trunk1 member links on a VLAN of their own; the dmz zone and ACL 3004 (3.3.5) only limit what the firewall accepts on that link, not who can see it.

3.3.3 Interzone default packet-filter configuration

firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction outbound

Inbound is traffic from the lower-priority zone to the higher one (untrust < dmz < trust < local). Every pair/direction not listed here keeps the default deny, so untrust->trust, untrust->local and dmz->local are opened only by the packet-filter ACLs in 3.3.5. The one inbound direction set to permit, trust->local, is the one to look at twice: with a default permit, an ACL of permit rules bound to it cannot restrict anything.

3.3.4 NAT configuration

nat address-group 0 2.2.2.2 2.2.2.2
nat server global 2.2.2.1 inside 10.10.216.38 vrrp 10

The NAT server mapping is bound to vrid 10, so the global address 2.2.2.1 follows the VRRP virtual IP to whichever device is active. The source-NAT pool, by contrast, is each device's own real address (2.2.2.2 here, 2.2.2.4 on Eudemon-B): outbound sessions synchronized to the standby over HRP are translated to an address the standby does not own after a failover, so check during failover testing whether established outbound sessions survive the switchover.

3.3.5 Interzone forwarding policy between the Trust and Untrust zones

# ACLs

acl number 3000
 description trust-to-local
 rule 0 permit tcp destination-port eq telnet
 rule 1 permit tcp destination-port eq ssh
 rule 2 permit icmp icmp-type echo
acl number 3001
 description untrust-trust
 rule 0 permit udp destination-port eq 4500     // IKE NAT-T
 rule 5 permit udp destination-port eq 500      // IKE
 rule 10 permit udp destination-port eq 3784    // BFD control
 rule 11 permit udp destination-port eq 3785    // BFD echo
 rule 12 permit udp destination-port eq 4784    // BFD multihop
 rule 13 permit udp destination-port eq 30000
 rule 14 permit icmp icmp-type echo
acl number 3002
 description trust-untrust
 rule 0 permit ip source 10.100.10.0 0.0.0.255
 rule 1 permit icmp icmp-type echo
 rule 2 permit ip source 10.10.216.0 0.0.0.255
acl number 3003
 description untrust-to-local
 rule 0 permit ip destination 2.2.2.0 0.0.0.255
acl number 3004
 description dmz-to-local
 rule 0 permit ip destination 15.15.15.0 0.0.0.255
#
# Forwarding policies

firewall interzone local trust
 packet-filter 3000 inbound
#
firewall interzone local untrust
 packet-filter 3003 inbound
#
firewall interzone local dmz
 packet-filter 3004 inbound
#
firewall interzone trust untrust
 packet-filter 3001 inbound
 packet-filter 3002 outbound
 nat outbound 3002 address-group 0

Two things to check against the intended policy before cutover. ACL 3003 permits every protocol from any untrust source to the firewall's own 2.2.2.0/24 addresses; with telnet and ssh enabled for user root (3.3.7) and no ACL bound to the VTYs, that makes the management plane reachable from the CMNET side, so narrow it to the sources and services the untrust side actually needs. ACL 3000 contains only permit rules, and because local-trust inbound defaults to permit (3.3.3), anything it does not list is permitted anyway; it restricts nothing until that default is changed to deny.
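As an added example (not part of this guide or of Huawei's software), the following Python model encodes the interzone packet-filter logic from 3.3.3 and 3.3.5: the zone priorities (local 100, trust 85, dmz 50, untrust 5; inbound is lower to higher), the ACLs and packet-filter bindings exactly as configured, and the evaluation of one packet with first-match semantics and the interzone default when no rule matches. The first-match order, the default-action fallback and the intrazone permit are assumptions about VRP behaviour made for this model; the untrust-side addresses (203.0.113.x) are constructed.

```python
import ipaddress

# Zone priorities on the Eudemon: local 100, trust 85, dmz 50, untrust 5.
# "inbound" is traffic from the lower-priority zone to the higher one,
# "outbound" the reverse; an interzone is always named (higher, lower).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# ACL rules from 3.3.5 as (rule id, protocol, source net, destination net, dport).
# None means "any".  The guide's icmp rules are "icmp-type echo"; this model
# treats protocol "icmp" as echo-request only.  All rules are permits.
ACLS = {
    3000: [(0, "tcp", None, None, 23), (1, "tcp", None, None, 22),
           (2, "icmp", None, None, None)],
    3001: [(0, "udp", None, None, 4500), (5, "udp", None, None, 500),
           (10, "udp", None, None, 3784), (11, "udp", None, None, 3785),
           (12, "udp", None, None, 4784), (13, "udp", None, None, 30000),
           (14, "icmp", None, None, None)],
    3002: [(0, "ip", "10.100.10.0/24", None, None), (1, "icmp", None, None, None),
           (2, "ip", "10.10.216.0/24", None, None)],
    3003: [(0, "ip", None, "2.2.2.0/24", None)],
    3004: [(0, "ip", None, "15.15.15.0/24", None)],
}

# packet-filter bindings from 3.3.5: (higher zone, lower zone, direction) -> ACL.
PACKET_FILTERS = {
    ("local", "trust", "inbound"): 3000,
    ("local", "untrust", "inbound"): 3003,
    ("local", "dmz", "inbound"): 3004,
    ("trust", "untrust", "inbound"): 3001,
    ("trust", "untrust", "outbound"): 3002,
}

# Default actions set in 3.3.3; any pair/direction not listed keeps the default deny.
DEFAULT_PERMIT = {
    ("local", "trust", "inbound"), ("local", "trust", "outbound"),
    ("local", "untrust", "outbound"), ("local", "dmz", "outbound"),
    ("trust", "untrust", "outbound"), ("trust", "dmz", "outbound"),
    ("dmz", "untrust", "outbound"),
}


def _in_net(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def rule_matches(rule, proto, src, dst, dport):
    _, r_proto, r_src, r_dst, r_port = rule
    if r_proto != "ip" and r_proto != proto:
        return False
    if r_port is not None and r_port != dport:
        return False
    return _in_net(src, r_src) and _in_net(dst, r_dst)


def evaluate(src_zone, dst_zone, proto, src, dst, dport=None):
    """Return (action, reason) for one packet: the first matching ACL rule wins,
    otherwise the interzone default for that direction applies (assumed model)."""
    if src_zone == dst_zone:
        return ("permit", "intrazone: no interzone policy applies")
    inbound = ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone]
    high, low = (dst_zone, src_zone) if inbound else (src_zone, dst_zone)
    key = (high, low, "inbound" if inbound else "outbound")
    acl = PACKET_FILTERS.get(key)
    if acl is not None:
        for rule in ACLS[acl]:
            if rule_matches(rule, proto, src, dst, dport):
                return ("permit", f"acl {acl} rule {rule[0]}")
    default = "permit" if key in DEFAULT_PERMIT else "deny"
    return (default, f"default {default} for interzone {high} {low} {key[2]}")


# Constructed probes; 203.0.113.0/24 stands in for an arbitrary CMNET host.
PROBES = [
    ("untrust", "local", "tcp", "203.0.113.7", "2.2.2.2", 23),         # telnet to the firewall
    ("trust", "local", "tcp", "10.10.216.38", "10.10.216.137", 8080),  # port not in ACL 3000
    ("untrust", "trust", "tcp", "203.0.113.7", "10.10.216.38", 22),    # ssh to the GU
    ("untrust", "trust", "udp", "203.0.113.7", "10.10.216.38", 500),   # IKE to the GU
    ("trust", "untrust", "tcp", "10.10.216.38", "203.0.113.7", 443),   # GU outbound
]

if __name__ == "__main__":
    for probe in PROBES:
        action, reason = evaluate(*probe)
        print(f"{probe[0]:>7} -> {probe[1]:<7} {probe[2]}/{probe[5]:<5} {action:6} ({reason})")
```

Running the probes shows the two points worth settling before cutover: telnet from an arbitrary untrust host to 2.2.2.2 is permitted by ACL 3003, and an unlisted TCP port from trust to local is permitted by the local-trust inbound default, not by ACL 3000.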

3.3.6 IP-link, interface link-group and default route

# IP-link: probe the GU address with ICMP

ip-link 2 destination 10.10.216.38 mode icmp
ip-link check enable

# Tie VRRP to the IP-link, and group the upstream and downstream interfaces so that they fail together

interface GigabitEthernet0/0/0
 vrrp vrid 10 ip-link 2
 link-group 1
#
interface GigabitEthernet0/0/3
 link-group 1

# Default route toward CMNET

ip route-static 0.0.0.0 0.0.0.0 2.2.2.10

The IP-link lowers the VRRP priority of vrid 10 when the GU stops answering, and link-group 1 takes GigabitEthernet0/0/0 down with GigabitEthernet0/0/3 (and vice versa), so both the CMNET-side VRRP peer and the GU's BFD session toward the Trust-side real IP see a failure on either side. Both firewalls probe the same GU address, so a GU outage lowers both priorities alike; what the probe distinguishes is a Trust-side path failure on one device.

3.3.7 AAA user configuration

aaa
 local-user root password simple root@123     // "simple" stores the password in clear text in the configuration file; use "password cipher" and a non-trivial value
 local-user root service-type web telnet ssh  // telnet carries credentials in clear text; limit management to ssh (and the web UI over HTTPS) where possible
 local-user root level 3
#
ssh user root authentication-type password
#
user-interface vty 0 4
 authentication-mode aaa                      // no acl is bound to the VTYs; combined with ACL 3003 in 3.3.5 they are reachable from any untrust host
#

3.3.8 Check that the state is normal

HRP_M[Eudemon-A] display vrrp
 16:13:41 2014/03/07
 GigabitEthernet0/0/0 | Virtual Router 10
     state : Master
     Virtual IP : 2.2.2.1
     PriorityRun : 100
     PriorityConfig : 100
     MasterPriority : 100
     Preempt : YES   Delay Time : 0
     Timer : 1
     Auth Type : NONE
     Check TTL : YES
     Ip-Link 2 : Up
 Eth-Trunk1 | Virtual Router 15
     state : Master
     Virtual IP : 15.15.15.3
     PriorityRun : 100
     PriorityConfig : 100
     MasterPriority : 100
     Preempt : YES   Delay Time : 0
     Timer : 1
     Auth Type : NONE
     Check TTL : YES

Both groups are Master and the IP-link bound to vrid 10 is Up. Auth Type NONE means the VRRP advertisements on the CMNET segment are unauthenticated: with preemption on, any host on that segment that advertises vrid 10 with a higher priority takes over the virtual IP. Enabling VRRP authentication on both devices raises the bar somewhat; keeping untrusted hosts off that segment matters more.

HRP_M[Eudemon-A] dis hrp state
 16:13:47 2014/03/07
 The firewall's config state is: MASTER
 Current state of virtual routers configured as master:
     GigabitEthernet0/0/0 vrid 10 : master
     Eth-Trunk1 vrid 15 : master
     (GigabitEthernet0/0/1) : up
     (GigabitEthernet0/0/2) : up

HRP_M[Eudemon-A] dis hrp int
 16:13:52 2014/03/07
 Eth-Trunk1 : running

HRP_M[Eudemon-A] dis ip-link
 16:15:14 2014/03/07
 num  state  timer  mode  vpn-instance  ip-address     interface-name
 2    up     3      icmp                10.10.216.38
HRP_M[Eudemon-A]

# Check the NAT translation in the session table

HRP_M[Eudemon-A] display firewall session table verbose
 16:20:08 2014/03/07
 Current total sessions: 7
 icmp  VPN: public -> public
 Zone: untrust -> trust  TTL: 00:00:20  Left: 00:00:20
 Interface: G0/0/3  Nexthop: 10.10.216.38  MAC: 00-00-50-a1-ca-8c
 <-- packets: 41 bytes: 3444  --> packets: 41 bytes: 3444
 2.2.2.1:44 [10.10.216.38:44] <-- 2.2.2.11:44

The last line shows the NAT server mapping at work: an ICMP echo (id 44) from 2.2.2.11 on the untrust side to the virtual IP 2.2.2.1 was translated to the GU address 10.10.216.38 and forwarded out G0/0/3.
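Added example (not from the guide or from Huawei): a Python health check that parses the display vrrp / display hrp state / display hrp interface output shown above and reports anything a cutover runbook should refuse to proceed on: wrong HRP role, a VRRP group not in the expected state, a bound IP-link that is not Up, a heartbeat that is not running or has a member down. It also flags Auth Type NONE as a hardening warning. The sample output is re-flowed from 3.3.8 into a clean terminal layout (field spacing assumed), the regexes are written for that layout, and the standby-side VRRP state name "Backup" is assumed.

```python
import re

# Sample output constructed from the 3.3.8 listings, re-flowed into the layout
# a clean terminal shows; the exact field spacing is an assumption of this example.
DISPLAY_VRRP = """\
GigabitEthernet0/0/0 | Virtual Router 10
    state : Master
    Virtual IP : 2.2.2.1
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    Timer : 1
    Auth Type : NONE
    Check TTL : YES
    Ip-Link 2 : Up
Eth-Trunk1 | Virtual Router 15
    state : Master
    Virtual IP : 15.15.15.3
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    Timer : 1
    Auth Type : NONE
    Check TTL : YES
"""

DISPLAY_HRP_STATE = """\
The firewall's config state is: MASTER
Current state of virtual routers configured as master:
    GigabitEthernet0/0/0 vrid 10 : master
    Eth-Trunk1 vrid 15 : master
    (GigabitEthernet0/0/1) : up
    (GigabitEthernet0/0/2) : up
"""

DISPLAY_HRP_INTERFACE = "Eth-Trunk1 : running\n"


def parse_vrrp(text):
    """Split 'display vrrp' output into one dict per virtual router."""
    groups, current = [], None
    for line in text.splitlines():
        m = re.match(r"(\S+) \| Virtual Router (\d+)", line)
        if m:
            current = {"interface": m.group(1), "vrid": int(m.group(2)), "ip_links": {}}
            groups.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*Ip-Link (\d+) : (\w+)", line)
        if m:
            current["ip_links"][int(m.group(1))] = m.group(2)
            continue
        m = re.match(r"\s*([A-Za-z ]+?) : (\S+)", line)   # first "key : value" on the line
        if m:
            current[m.group(1).strip().lower().replace(" ", "_")] = m.group(2)
    return groups


def health_check(vrrp_text, hrp_state_text, hrp_if_text, expect="MASTER"):
    """Return (errors, warnings) for one device; expect is the HRP role it should hold.
    Errors are reasons not to proceed with the cutover, warnings are hardening gaps."""
    errors, warnings = [], []
    m = re.search(r"config state is: (\w+)", hrp_state_text)
    state = m.group(1) if m else "unknown"
    if state != expect:
        errors.append(f"hrp state is {state}, expected {expect}")
    want = "Master" if expect == "MASTER" else "Backup"   # "Backup" on the standby is assumed
    for g in parse_vrrp(vrrp_text):
        tag = f"{g['interface']} vrid {g['vrid']}"
        if g.get("state") != want:
            errors.append(f"{tag}: vrrp state {g.get('state')}, expected {want}")
        for link, st in g["ip_links"].items():
            if st != "Up":
                errors.append(f"{tag}: ip-link {link} is {st}")
        if g.get("auth_type") == "NONE":
            warnings.append(f"{tag}: VRRP advertisements are unauthenticated")
    if not re.search(r"\S+ : running", hrp_if_text):
        errors.append("heartbeat interface not running")
    for member, st in re.findall(r"\((\S+)\) : (\w+)", hrp_state_text):
        if st != "up":
            errors.append(f"heartbeat member {member} is {st}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = health_check(DISPLAY_VRRP, DISPLAY_HRP_STATE, DISPLAY_HRP_INTERFACE)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

On the output above the check returns no errors and two warnings, one per VRRP group, for the missing authentication. Run it on the standby with expect="SLAVE" after the cutover as well; the same output from both devices would mean both believe they are active.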

3.4 Eudemon-B configuration

3.4.1 Upstream and downstream interfaces; VRRP on the Untrust side; add interfaces to security zones

interface GigabitEthernet0/0/0
 ip address 2.2.2.4 255.255.255.0
 vrrp vrid 10 virtual-ip 2.2.2.1 slave    // same vrid and virtual IP as Eudemon-A, joined to the VGMP slave group
#
interface GigabitEthernet0/0/3
 ip address 10.10.216.138 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/0
#

3.4.2 Enable HRP and configure the heartbeat link

interface Eth-Trunk1
#
firewall zone dmz
 add interface Eth-Trunk1
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface Eth-Trunk1
 ip address 15.15.15.1 255.255.255.0
 vrrp vrid 15 virtual-ip 15.15.15.3 slave    // slave on the standby: all of Eudemon-B's VRRP groups, the heartbeat one included, join the VGMP slave group; leaving "master" here, as copied from Eudemon-A, makes both devices claim vrid 15
#
hrp interface Eth-Trunk1
hrp enable
#
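Added example (not from the guide or from Huawei): a Python checker that parses the VRRP/HRP lines of both devices' configurations and verifies the pairing rules behind 3.3.1/3.3.2 and 3.4.1/3.4.2: HRP enabled on both, the same heartbeat interface, distinct real IPs in one subnet per interface, and every vrid present on both sides with the same virtual IP, in the interface subnet, and with exactly one master and one slave. The constructed standby configuration carries "master" on vrid 15, the inconsistency that creeps in when the active device's configuration is copied to the standby, so the checker has something to flag. The parser understands only the syntax used in this guide.

```python
import ipaddress
import re

# Constructed from the VRRP/HRP lines of 3.3.1-3.3.2 and 3.4.1-3.4.2.  The standby
# copy deliberately carries "master" on vrid 15 so that check_pair() has a finding.
EUDEMON_A = """\
interface GigabitEthernet0/0/0
 ip address 2.2.2.2 255.255.255.0
 vrrp vrid 10 virtual-ip 2.2.2.1 master
#
interface GigabitEthernet0/0/3
 ip address 10.10.216.137 255.255.255.0
#
interface Eth-Trunk1
 ip address 15.15.15.2 255.255.255.0
 vrrp vrid 15 virtual-ip 15.15.15.3 master
#
hrp interface Eth-Trunk1
hrp enable
"""

EUDEMON_B = """\
interface GigabitEthernet0/0/0
 ip address 2.2.2.4 255.255.255.0
 vrrp vrid 10 virtual-ip 2.2.2.1 slave
#
interface GigabitEthernet0/0/3
 ip address 10.10.216.138 255.255.255.0
#
interface Eth-Trunk1
 ip address 15.15.15.1 255.255.255.0
 vrrp vrid 15 virtual-ip 15.15.15.3 master
#
hrp interface Eth-Trunk1
hrp enable
"""

EUDEMON_B_FIXED = EUDEMON_B.replace("15.15.15.3 master", "15.15.15.3 slave")


def parse_hrp_config(text):
    """Pull interface addresses, VRRP groups and HRP settings out of a VRP-style
    configuration.  Only the syntax used in this guide is understood."""
    cfg = {"interfaces": {}, "hrp_interface": None, "hrp_enable": False}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = cfg["interfaces"].setdefault(m.group(1), {"ip": None, "vrrp": {}})
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current is not None:
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (master|slave)$", line)
        if m and current is not None:
            current["vrrp"][int(m.group(1))] = (ipaddress.ip_address(m.group(2)), m.group(3))
            continue
        m = re.match(r"hrp interface (\S+)$", line)
        if m:
            cfg["hrp_interface"] = m.group(1)
        elif line == "hrp enable":
            cfg["hrp_enable"] = True
        elif line == "#":
            current = None
    return cfg


def check_pair(active_text, standby_text):
    """Return the list of pairing problems between an active and a standby config."""
    a, b = parse_hrp_config(active_text), parse_hrp_config(standby_text)
    problems = []
    for name, cfg in (("active", a), ("standby", b)):
        if not cfg["hrp_enable"]:
            problems.append(f"{name}: hrp enable missing")
    if a["hrp_interface"] is None or a["hrp_interface"] != b["hrp_interface"]:
        problems.append(f"heartbeat interface mismatch: {a['hrp_interface']} vs {b['hrp_interface']}")
    for ifname in sorted(set(a["interfaces"]) | set(b["interfaces"])):
        ia, ib = a["interfaces"].get(ifname), b["interfaces"].get(ifname)
        if ia is None or ib is None:
            problems.append(f"{ifname}: configured on only one device")
            continue
        if ia["ip"] is not None and ib["ip"] is not None:
            if ia["ip"].ip == ib["ip"].ip:
                problems.append(f"{ifname}: both devices use real IP {ia['ip'].ip}")
            elif ia["ip"].network != ib["ip"].network:
                problems.append(f"{ifname}: real IPs are in different subnets")
        for vrid in sorted(set(ia["vrrp"]) | set(ib["vrrp"])):
            if vrid not in ia["vrrp"] or vrid not in ib["vrrp"]:
                problems.append(f"{ifname} vrid {vrid}: missing on one device")
                continue
            (vip_a, role_a), (vip_b, role_b) = ia["vrrp"][vrid], ib["vrrp"][vrid]
            if vip_a != vip_b:
                problems.append(f"{ifname} vrid {vrid}: virtual IPs differ ({vip_a} vs {vip_b})")
            if (role_a, role_b) != ("master", "slave"):
                problems.append(f"{ifname} vrid {vrid}: roles are {role_a}/{role_b}, expected master/slave")
            for tag, iface, vip in (("active", ia, vip_a), ("standby", ib, vip_b)):
                if iface["ip"] is None:
                    continue
                if vip == iface["ip"].ip:
                    problems.append(f"{ifname} vrid {vrid}: virtual IP equals the {tag} real IP")
                elif vip not in iface["ip"].network:
                    problems.append(f"{ifname} vrid {vrid}: virtual IP outside the {tag} interface subnet")
    return problems


if __name__ == "__main__":
    for label, standby in (("as copied", EUDEMON_B), ("corrected", EUDEMON_B_FIXED)):
        print(label + ":", check_pair(EUDEMON_A, standby) or "no problems")
```

The check is cheap enough to run on the saved configuration files (1.2) of both devices before the cutover window, and again after any later change to either side; HRP keeps the two configurations in sync only once it is up and the roles are right.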

3.4.3 Interzone default packet-filter configuration

firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction outbound

3.4.4 NAT configuration

nat address-group 0 2.2.2.4 2.2.2.4
nat server global 2.2.2.1 inside 10.10.216.38 vrrp 10

3.4.5 Interzone forwarding policy between the Trust and Untrust zones

# ACLs (identical to Eudemon-A; the notes in 3.3.5 apply here too)

acl number 3000
 description trust-to-local
 rule 0 permit tcp destination-port eq telnet
 rule 1 permit tcp destination-port eq ssh
 rule 2 permit icmp icmp-type echo
acl number 3001
 description untrust-trust
 rule 0 permit udp destination-port eq 4500
 rule 5 permit udp destination-port eq 500
 rule 10 permit udp destination-port eq 3784
 rule 11 permit udp destination-port eq 3785
 rule 12 permit udp destination-port eq 4784
 rule 13 permit udp destination-port eq 30000
 rule 14 permit icmp icmp-type echo
acl number 3002
 description trust-untrust
 rule 0 permit ip source 10.100.10.0 0.0.0.255
 rule 1 permit icmp icmp-type echo
 rule 2 permit ip source 10.10.216.0 0.0.0.255
acl number 3003
 description untrust-to-local
 rule 0 permit ip destination 2.2.2.0 0.0.0.255
#
acl number 3004
 description dmz-to-local
 rule 0 permit ip destination 15.15.15.0 0.0.0.255
#
# Forwarding policies

firewall interzone local trust
 packet-filter 3000 inbound
#
firewall interzone local untrust
 packet-filter 3003 inbound
#
firewall interzone local dmz
 packet-filter 3004 inbound
#
firewall interzone trust untrust
 packet-filter 3001 inbound
 packet-filter 3002 outbound
 nat outbound 3002 address-group 0

3.4.6 IP-link, interface link-group and default route

# IP-link

ip-link 2 destination 10.10.216.38 m
