Active/Passive (AP) mode
The configurations of AP/AA peers must be kept identical, but in Peer mode this cannot be guaranteed.
OTI active-active data centre
Priority 100; the lower value has precedence.
Preemption is initiated proactively.
Lab topology
Configuration steps:
SG-6000# configure
SG-6000(config)# hostname HS-A
HS-B(config)#
HS-A(config)# interface ethernet0/4 // select the WAN interface
HS-A(config-if-eth0/4)# zone untrust // place the WAN interface in the untrust zone
HS-A(config-if-eth0/4)# ip add 200.0.0.10/24 // assign the IP address
HS-A(config-if-eth0/4)# manage ping // allow ping to this interface
HS-A(config-if-eth0/4)# int ethernet0/1
HS-A(config-if-eth0/1)# zone trust
HS-A(config-if-eth0/1)# ip add 192.168.10.1/24
HS-A(config-if-eth0/1)# manage ping
HS-A(config-if-eth0/1)# manage http // allow HTTP management on this interface
HS-A(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1 // default route
HS-A(config-vrouter)# snatrule from any to any service any eif ethernet0/4 trans-to eif-ip mode dynamicport // configure SNAT
HS-A(config-policy)# rule from any to any from-zone trust to-zone untrust service any permit // permit the traffic
Check:
HS-A(config)# show policy
Total rules count: 1
S: Rule Status (E -Enabled; D - Disabled)
Flag: * - NeedApplication Identification
S - Log Session Start; E - Log Session End; D - Log Policy Deny
F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY.Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S Id Name RBNS_Attr Source Destination Service Application Action Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E 1 Any Any Any PERMIT ------
====================================================================================================================
HS-A(config)#
HS-A(config)# show configuration vrouter
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
snatrule id 1 from address-book "Any" to address-book "Any" service "Any" eif ethernet0/4 trans-to eif-ip mode dynamicport
ip route 0.0.0.0/0 200.0.0.1
exit
HS-A(config)#
Configure the HA monitor object (track)
HS-A(config)# track track1 // create the track object
HS-A(config-trackip)# ? // items a track object can monitor
arp Configure track arp address
dns Configure track dns address
http Configure track http address or host
icmp Configure track ip address or host
icmp6 Configure track ip ipv6 address or host
interface Configure track interface
ndp Configure track ndp address
tcp Configure track tcp address or host
threshold Configure track threshold
traffic-condition Configure traffic condition
-
auxswitch Switch aux port to subcard
clear Reset functions or clear the screen
debug Debugging functions
delete Delete a file
end Exit from configure mode
exec Perform command operation
exit Exit from Track IP Profile configuration mode
help CLI help
no Negate a command or reset to default
ping Test network connectivity
remove Remove files
rollback Rollback startup with one backup
save Save configuration
show Show running system information
terminal Configure terminal line parameters
traceroute Trace route to destination
undebug Negate debugging functions
unset Back to the default configuration
HS-A(config-trackip)#
HS-A(config-trackip)#interface eth0/4
HS-A(config-trackip)#interface eth0/1
HS-A(config-trackip)#
HS-A(config-trackip)#interface eth0/1 ?
weight Configure track if weight // default 255
Check:
HS-A(config)# show track track1
======================================================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: not used; status: UNKNOWN; link_status: UNKNOWN // not yet applied to an HA group
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
----------------------------------------------------------------------------------------------------------------------
Track interface weight status
----------------------------------------------------------------------------------------------------------------------
ethernet0/4 255 unknown
ethernet0/1 255 unknown
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
HS-A(config)#
Configure the monitored object (HA group)
HS-A(config)# ha group 0
HS-A(config-ha-group)# priority 99
Configure HS-B
HS-B# configure
HS-B(config)# ha group 0
Check:
HS-B(config-ha-group)#show ha group 0
HA Group id=0
state N/A
priority 100
preempt N/A
monitor
HA total peer number 0
HS-A(config)# ha link interface eth0/3 // configure the HA link
HS-A(config)# ha link ip 1.1.1.1/24 // IP address of the HA-link interface
HS-B(config)# ha link ip 1.1.1.2/24 // peer IP address
HS-B(config)# ping 1.1.1.1 // test
Sending ICMP packets to 1.1.1.1
Seq ttl time(ms)
1 128 7.47
2 128 2.12
Join the HA cluster:
HS-A(config)# ha cluster 1
HS-B(config)# ha cluster 1
Problem: if B joins cluster 1 first, B becomes master, the configuration is not synchronized, and A does not preempt.
Successful log:
HS-B(config)# ha cluster 1
2020-03-07 16:53:13, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Standalone to Init.
HS-B(config)#2020-03-07 16:53:14, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Init to Hello.
2020-03-07 16:53:14, Event CRIT@FLOW: The HA peer device 0010025169456692 in the Virtual Security Device group 0 was discovered.
2020-03-07 16:53:17, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Hello to Backup.
2020-03-07 16:53:21, Event WARNING@NET: interface ethernet0/4 turn to protocol up
2020-03-07 16:53:21, Event WARNING@NET: WAN interface IP address changes to 200.0.0.10
2020-03-07 16:53:22, Network INFO@NET: Route in VR trust-vr that has IP address 0.0.0.0/0 through nexthop 200.0.0.1 with precedence 1 is created
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" created a policy (id 1)
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "action" has been set: "PERMIT"
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "src-zone" has been modified: Any->trust
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "dst-zone" has been modified: Any->untrust
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "src-addr" has been added: Any
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "dst-addr" has been added: Any
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "service" has been added: Any
2020-03-07 16:53:21, Event CRIT@FLOW: HA configuration batch synchronization succeeded
HS-B(B)(config)#show policy
Total rules count: 1
S: Rule Status (E -Enabled; D - Disabled)
Flag: * - NeedApplication Identification
S - Log Session Start; E - Log Session End; D - Log Policy Deny
F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY.Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S Id Name RBNS_Attr Source Destination Service Application Action Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E 1 Any Any Any PERMIT ------
====================================================================================================================
HS-B(B)(config)#
HS-B(B)(config)#show interface
H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up
========================================================================================================
Interface name IP address/mask Zone name H A L P MAC address Description
--------------------------------------------------------------------------------------------------------
ethernet0/0 0.0.0.0/0 trust U U U D 5000.0004.0000 ------
ethernet0/1 0.0.0.0/0 NULL U U U D 5000.0004.0001 ------
ethernet0/2 0.0.0.0/0 NULL U U U D 5000.0004.0002 ------
ethernet0/3 0.0.0.0/0 HA U U U D 5000.0004.0003 ------
ethernet0/4 200.0.0.10/24 untrust U U U U 5000.0004.0004 ------
ethernet0/5 0.0.0.0/0 NULL U U U D 5000.0004.0005 ------
ethernet0/6 0.0.0.0/0 NULL U U U D 5000.0004.0006 ------
ethernet0/7 0.0.0.0/0 NULL U U U D 5000.0004.0007 ------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.545a.1f13 ------
========================================================================================================
HS-B(B)(config)#
HS-B(B)(config)#show ha group 0
HA Group id=0
state Backup
priority 100
preempt N/A
monitor
HA total peer number 1
HA peer information:
device id 0010025169456692
ip 1.1.1.1
state Master
priority 99
HS-B(B)(config)#
VPCS> ip 192.168.10.10/24 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
VPCS> ip 192.168.10.20/24 192.168.10.1
Checking for duplicate address...
PC2 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
VPCS> ping 192.168.10.1 // test succeeded
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=3.608 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=1.813 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=128 time=1.490 ms
^C
VPCS>
VPCS> ping 192.168.10.1
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=2.844 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=1.328 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=128 time=1.423 ms
^C
VPCS> ping 200.0.0.1
84 bytes from 200.0.0.1 icmp_seq=1 ttl=254 time=5.417 ms
84 bytes from 200.0.0.1 icmp_seq=2 ttl=254 time=2.997 ms
^C
VPCS>
Configure SSH on the ISP router
ISP(config)#aaa new-model
ISP(config)#ip domain-name cisco
ISP(config)#username cisco secret 123456
ISP(config)#enable secret 123456
ISP(config)#crypto key generate rsa general-keys modulus 1024
ISP(config)#ip ssh authentication-retries 5
ISP(config)#ip ssh time-out 30
ISP(config)#line vty 0 4
ISP(config-line)#transport input ssh
Test by telnetting to port 22
Without a track object, HA failover will fail.
HS-A(M)(config)# ha group 0
HS-A(M)(config-ha-group)# monitor track track1
Test the track
HS-A(M)(config)#interface ethernet0/4
HS-A(M)(config-if-eth0/4)#shu
HS-A(M)(config-if-eth0/4)#shutdown
2020-03-07 17:20:14,Event WARNING@NET: interface ethernet0/4 turn to admin down
2020-03-07 17:20:14,Event CRIT@NET: interface ethernet0/4 turn to physical down
2020-03-07 17:20:14, Event WARNING@NET: HS-A(M)(config-if-eth0/4)# interface ethernet0/4 turn to protocol down
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to link down
2020-03-07 17:20:14, Event CRIT@NET: track: track1 interface: ethernet0/4 item failed
2020-03-07 17:20:14, Event CRIT@FLOW: HA group 0 change realtime priority from 99 to 3099
2020-03-07 17:20:14, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Master to Link Failed.
HS-A(F)(config-if-eth0/4)#
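The failover log above is exactly what a monitoring pipeline should catch: a track item failed, the realtime priority jumped, and the local device gave up the Master role. The following Python script is an added example, not part of the original note or of Hillstone's tooling. It parses StoneOS console lines of the shape seen on this page (timestamp, kind, severity@module, message) and reduces them to state transitions, realtime-priority changes and failed track items. The message patterns are assumptions derived only from the lines that appear on this page; the sample input is copied from the failover log above, with the prompt fragment the console interleaved into one line removed.

```python
import re
from typing import Dict, List, Optional

# Sample input: the console lines HS-A printed when ethernet0/4 was shut down
# (copied from the lab log above; the interleaved prompt echo has been removed).
FAILOVER_LOG = [
    "2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to admin down",
    "2020-03-07 17:20:14, Event CRIT@NET: interface ethernet0/4 turn to physical down",
    "2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to protocol down",
    "2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to link down",
    "2020-03-07 17:20:14, Event CRIT@NET: track: track1 interface: ethernet0/4 item failed",
    "2020-03-07 17:20:14, Event CRIT@FLOW: HA group 0 change realtime priority from 99 to 3099",
    "2020-03-07 17:20:14, Event CRIT@FLOW: The local device 0010025169456692 in the "
    "Virtual Security Device group 0 changed state from Master to Link Failed.",
]

# Header shared by every event line: "<date> <time>, <Kind> <SEVERITY>@<MODULE>: <message>"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s*"
    r"(?P<kind>\w+)\s+(?P<sev>\w+)@(?P<module>\w+):\s*(?P<msg>.*)$"
)
# Message shapes seen on this page (assumption: any other message is classified as "other").
STATE_RE = re.compile(
    r"(?P<role>local|HA peer) device (?P<dev>\d+) in the Virtual Security Device group "
    r"(?P<grp>\d+) changed state from (?P<old>.+?) to (?P<new>.+?)\.?$"
)
PRIO_RE = re.compile(
    r"HA group (?P<grp>\d+) change realtime priority from (?P<old>\d+) to (?P<new>\d+)"
)
TRACK_RE = re.compile(
    r"track: (?P<track>\S+) interface: (?P<ifname>\S+) item (?P<result>failed|recover)"
)


def parse_event(line: str) -> Optional[Dict]:
    """Split one console line into header fields and classify the message.
    Returns None for prompt echoes, command output and blank lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "severity": m["sev"], "module": m["module"],
          "type": "other", "msg": m["msg"]}
    msg = m["msg"]
    if (s := STATE_RE.search(msg)):
        ev.update(type="state", role=s["role"], device=s["dev"],
                  group=int(s["grp"]), old=s["old"], new=s["new"])
    elif (p := PRIO_RE.search(msg)):
        ev.update(type="priority", group=int(p["grp"]),
                  old=int(p["old"]), new=int(p["new"]))
    elif (t := TRACK_RE.search(msg)):
        ev.update(type="track", track=t["track"], interface=t["ifname"],
                  failed=(t["result"] == "failed"))
    return ev


def summarize_ha(lines: List[str]) -> Dict:
    """Reduce a console capture to the facts an operator wants after a failover."""
    events = [e for e in map(parse_event, lines) if e]
    transitions = [(e["device"], e["old"], e["new"]) for e in events if e["type"] == "state"]
    priority_changes = [(e["group"], e["old"], e["new"]) for e in events if e["type"] == "priority"]
    failed_tracks = [f'{e["track"]}/{e["interface"]}' for e in events
                     if e["type"] == "track" and e["failed"]]
    # Alert condition: some device in the group left the Master state.
    lost_master = any(old == "Master" and new != "Master" for _, old, new in transitions)
    return {"events": len(events), "transitions": transitions,
            "priority_changes": priority_changes, "failed_tracks": failed_tracks,
            "lost_master": lost_master}


if __name__ == "__main__":
    summary = summarize_ha(FAILOVER_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feeding the same parser the recovery lines printed later in the lab (track items "recover", priority back to 99, state "Link Failed" to "Backup") yields `lost_master` false, so the two captures together give the alert open/close pair an operator would want paged on.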
HS-A(F)(config-if-eth0/4)#show track track1
======================================================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: ha; status: FAILED; link_status: FAILED
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
----------------------------------------------------------------------------------------------------------------------
Track interface weight status
----------------------------------------------------------------------------------------------------------------------
ethernet0/4 255 failed
ethernet0/1 255 successful
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
HS-A(F)(config-if-eth0/4)#
HS-B(M)# show track track1 // the track is synchronized to the backup as well, but it is not applied there
======================================================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: not used; status: UNKNOWN; link_status: UNKNOWN
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
----------------------------------------------------------------------------------------------------------------------
Track interface weight status
----------------------------------------------------------------------------------------------------------------------
ethernet0/4 255 unknown
ethernet0/1 255 unknown
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
HS-B(M)#
Configure preemption
HS-A(F)(config-if-eth0/4)# no shu // restore the interface
2020-03-07 17:25:06,Event WARNING@NET: interface ethernet0/4 turn to admin up
HS-A(F)(config-if-eth0/4)#2020-03-07 17:25:07, Event CRIT@NET: interface ethernet0/4 turn to physical up
2020-03-07 17:25:07,Event WARNING@NET: interface ethernet0/4 turn to link up
2020-03-07 17:25:07,Event CRIT@NET: track: track1 interface: ethernet0/4 item recover
2020-03-07 17:25:07,Event CRIT@NET: track: track1 interface: ethernet0/1 item recover
2020-03-07 17:25:07,Event WARNING@NET: interface ethernet0/4 turn to protocol up
2020-03-07 17:25:07,Event CRIT@FLOW: HA group 0 change realtime priority from 3099 to 99
2020-03-07 17:25:07, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Link Failed to Backup.
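After the interface comes back, HS-A returns to Backup rather than Master: its priority is better again, but nothing makes it preempt. The Python model below is an added example, not Hillstone's election algorithm. It encodes only what this lab shows: the lower configured priority wins, a failed monitored track adds the 3000 penalty observed in the log (99 to 3099), a failed holder loses Master at once, and a healthy peer with a better priority only reclaims Master when preempt is enabled. The node names, the HaNode and HaGroup classes and the constant TRACK_FAIL_PENALTY are assumptions of the model. It reproduces both the recovery above and the join-order problem noted earlier (B joins the cluster first and A does not preempt).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Penalty added to the realtime priority while a monitored track is failed.
# Assumption: taken from the lab log (99 -> 3099) and treated as a constant here.
TRACK_FAIL_PENALTY = 3000


@dataclass
class HaNode:
    name: str
    priority: int            # configured priority; the lower value wins
    preempt: bool = False    # may this node reclaim Master once it is healthy again?
    tracks_ok: bool = True   # True while every monitored track item is successful
    state: str = "Init"

    @property
    def realtime_priority(self) -> int:
        return self.priority + (0 if self.tracks_ok else TRACK_FAIL_PENALTY)


class HaGroup:
    """Simplified election for one HA group (a model, not the vendor algorithm)."""

    def __init__(self) -> None:
        self.nodes: List[HaNode] = []
        self.master: Optional[HaNode] = None

    def join(self, node: HaNode) -> HaNode:
        self.nodes.append(node)
        return self.elect()

    def elect(self) -> HaNode:
        best = min(self.nodes, key=lambda n: n.realtime_priority)
        cur = self.master
        if cur is None or cur is best:
            new = best            # no holder yet, or the holder is still the best candidate
        elif not cur.tracks_ok or best.preempt:
            new = best            # holder's track failed, or a preempting peer is better
        else:
            new = cur             # a better peer exists but preempt is off: no change
        for n in self.nodes:
            if n is new:
                n.state = "Master"
            elif not n.tracks_ok:
                n.state = "Link Failed"
            else:
                n.state = "Backup"
        self.master = new
        return new


def run_lab_scenario(preempt_on_a: bool) -> List[Tuple]:
    """Replay the lab: A (99) then B (100) join, A's track fails, then recovers."""
    a = HaNode("HS-A", priority=99, preempt=preempt_on_a)
    b = HaNode("HS-B", priority=100)
    group = HaGroup()
    group.join(a)
    group.join(b)
    timeline = [("joined", group.master.name, a.state, a.realtime_priority)]
    a.tracks_ok = False          # ethernet0/4 shut down -> track1 item failed
    group.elect()
    timeline.append(("track failed", group.master.name, a.state, a.realtime_priority))
    a.tracks_ok = True           # no shutdown -> track1 item recovered
    group.elect()
    timeline.append(("track recovered", group.master.name, a.state, a.realtime_priority))
    return timeline


def join_order_scenario(preempt_on_a: bool) -> str:
    """B joins the cluster first and becomes Master; does A take over when it joins?"""
    group = HaGroup()
    group.join(HaNode("HS-B", priority=100))
    group.join(HaNode("HS-A", priority=99, preempt=preempt_on_a))
    return group.master.name


if __name__ == "__main__":
    for step in run_lab_scenario(preempt_on_a=False):
        print(step)
    print("join order, preempt off:", join_order_scenario(False))
    print("join order, preempt on: ", join_order_scenario(True))
```

The design point is the asymmetry in `elect`: a failed holder is replaced unconditionally, because the penalty makes it the worst candidate, while a recovered node with the best priority stays Backup unless preempt is set. That asymmetry is also why the order in which the two units join the cluster decides who ends up Master when preempt is off.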
Management IP for the HS
HS-A(B)(config-if-eth0/1)#manage ip 192.168.10.253