
H3C Firewall RBM Active/Standby Mode + Static Routing: Solution Validation

1. Overview

A bank customer connects to a company's IDC environment over two leased lines, roughly as shown below. Business has grown rapidly in recent years, and the existing network has a single point of failure: if a device fails, the business is severely affected. After the customer's evaluation, the existing network environment is to be transformed.

2. Transformation plan

2.1 Topology before the transformation

2.2 Topology after the transformation

3. RBM environment validation

3.1 Test topology

3.2 Implementation steps

Firewall configuration:

1) Configure the interconnect IP addresses and routes between the primary and secondary firewalls

2) Configure the RBM function (refer to the official H3C documentation; omitted here)

3) Configure the security policies on the primary and secondary firewalls

4) After configuration, check the HA status of the primary and secondary firewalls

3.3 Validation

Primary firewall status:

# The current primary firewall state is Active, and both session synchronization and configuration synchronization are enabled

RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 5 min
Uptime since last switchover: 0 days, 0 hours, 8 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 13:21:32   Active to Active     Keepalive link established
2022-10-29 13:15:22   Initial to Active    HA Configuration changed

# Logs after HA is established between the primary and secondary firewalls

%Oct 29 13:21:32:599 2022 FWA RBM/6/CFG_BATCH_SYNC: -Context=1; Started batch configuration synchronization.

%Oct 29 13:21:34:101 2022 FWA RBM/6/RBM_CFG_BATCH_SYNC_FINISH: -Context=1; Finished batch configuration synchronization.

# TCP connections on the primary firewall: the primary/secondary HA relies on TCP ports 60064 and 60066

RBM_P<FWA>dis tcp
*: TCP connection with authentication
Local Addr:port       Foreign Addr:port     State       Slot  PCB
0.0.0.0:23            0.0.0.0:0             LISTEN      1     0xffffffffffffff9d
0.0.0.0:80            0.0.0.0:0             LISTEN      1     0xffffffffffffffb2
0.0.0.0:443           0.0.0.0:0             LISTEN      1     0xffffffffffffffb4
12.1.1.1:36846        12.1.1.2:60064        ESTABLISHED 1     0xffffffffffffffd1
12.1.1.1:36847        12.1.1.2:60066        ESTABLISHED 1     0xffffffffffffffd2

Secondary firewall status:

RBM_S[FWB]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 5 min
Uptime since last switchover: 0 days, 0 hours, 3 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 13:20:01   Active to Standby    Keepalive link established
2022-10-29 13:20:00   Initial to Active    HA Configuration changed

# TCP connections on the secondary firewall

RBM_S<FWB>dis tcp
*: TCP connection with authentication
Local Addr:port       Foreign Addr:port     State       Slot  PCB
0.0.0.0:23            0.0.0.0:0             LISTEN      1     0xffffffffffffff9d
0.0.0.0:80            0.0.0.0:0             LISTEN      1     0xffffffffffffffa2
0.0.0.0:443           0.0.0.0:0             LISTEN      1     0xffffffffffffffa4
12.1.1.2:60064        12.1.1.1:0            LISTEN      1     0xffffffffffffff9f
12.1.1.2:60064        12.1.1.1:36846        ESTABLISHED 1     0xffffffffffffffa5
12.1.1.2:60066        12.1.1.1:0            LISTEN      1     0xffffffffffffffa0
12.1.1.2:60066        12.1.1.1:36847        ESTABLISHED 1     0xffffffffffffffa6
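The text above states that the HA relationship depends on TCP 60064 and 60066 and shows the `display tcp` listing from both members. The following Python script is an added example (not code from the original post or from H3C) that parses such a listing and checks that both RBM channels are ESTABLISHED with the expected heartbeat peer. The sample listing is constructed to mirror the secondary firewall's output above; `check_rbm_channels`, `wildcard_listeners` and the peer-IP argument are this example's own names.

```python
"""Added example (not from the original post or from H3C): parse H3C
`display tcp` output and verify that the RBM control (60064) and data (60066)
channels are ESTABLISHED with the expected peer only.
The sample below is constructed to mirror the standby firewall's listing."""
from __future__ import annotations
import re
from dataclasses import dataclass

RBM_CONTROL_PORT = 60064  # control channel, as stated on the page
RBM_DATA_PORT = 60066     # data channel, as stated on the page


@dataclass(frozen=True)
class TcpEntry:
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str


# Constructed sample mirroring what the standby firewall (FWB) shows in the post
SAMPLE_STANDBY = """\
*: TCP connection with authentication
Local Addr:port       Foreign Addr:port     State       Slot  PCB
0.0.0.0:23            0.0.0.0:0             LISTEN      1     0xffffffffffffff9d
0.0.0.0:80            0.0.0.0:0             LISTEN      1     0xffffffffffffffa2
0.0.0.0:443           0.0.0.0:0             LISTEN      1     0xffffffffffffffa4
12.1.1.2:60064        12.1.1.1:0            LISTEN      1     0xffffffffffffff9f
12.1.1.2:60064        12.1.1.1:36846        ESTABLISHED 1     0xffffffffffffffa5
12.1.1.2:60066        12.1.1.1:0            LISTEN      1     0xffffffffffffffa0
12.1.1.2:60066        12.1.1.1:36847        ESTABLISHED 1     0xffffffffffffffa6
"""

# One data row: local addr:port, foreign addr:port, state, slot, PCB handle
_ROW = re.compile(r"^\*?(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+\d+\s+0x[0-9a-f]+$")


def parse_display_tcp(text: str) -> list[TcpEntry]:
    """Return the data rows of a `display tcp` listing; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            entries.append(TcpEntry(m.group(1), int(m.group(2)),
                                    m.group(3), int(m.group(4)), m.group(5)))
    return entries


def check_rbm_channels(entries: list[TcpEntry], peer_ip: str) -> list[str]:
    """Findings about the two RBM channels; an empty list means both look healthy."""
    findings = []
    for port, name in ((RBM_CONTROL_PORT, "control"), (RBM_DATA_PORT, "data")):
        # the port is local on the listening side and foreign on the connecting side
        rows = [e for e in entries if port in (e.local_port, e.foreign_port)]
        if not any(e.state == "ESTABLISHED" for e in rows):
            findings.append(f"RBM {name} channel ({port}) has no ESTABLISHED session")
        for e in rows:
            if e.foreign_ip != peer_ip:
                findings.append(f"RBM {name} channel ({port}) peer is {e.foreign_ip}, "
                                f"expected {peer_ip}")
    return findings


def wildcard_listeners(entries: list[TcpEntry]) -> list[int]:
    """Ports listening on all addresses (0.0.0.0), to reconcile with the management-plane policy."""
    return sorted(e.local_port for e in entries
                  if e.state == "LISTEN" and e.local_ip == "0.0.0.0")


if __name__ == "__main__":
    rows = parse_display_tcp(SAMPLE_STANDBY)
    print("RBM findings:", check_rbm_channels(rows, "12.1.1.1") or "none")
    print("wildcard listeners:", wildcard_listeners(rows))
```

An RBM listener bound to 0.0.0.0 rather than to the heartbeat peer would be reported as an unexpected peer; the page's output shows both RBM listeners bound to 12.1.1.1, which is the expected shape. The wildcard listeners (23, 80, 443) are the device's management services, listed so that they can be checked against the intended management-plane policy.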

Device information before the primary/secondary switchover

# The route on the S6850 to 4.4.4.4 goes through the primary firewall

dis ip rou 4.4.4.4
Summary count : 1
Destination/Mask   Proto   Pre Cost        NextHop         Interface
4.4.4.4/32         Static  60  0           13.1.1.1        Vlan1

Primary firewall status:

RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 3 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 15:31:35   Standby to Active    Interface status changed
2022-10-29 15:27:05   Active to Standby    Interface status changed
2022-10-29 15:26:41   Standby to Active    Interface status changed
2022-10-29 15:22:57   Active to Standby    Interface status changed
2022-10-29 15:16:51   Active to Active     Keepalive link established
2022-10-29 15:16:16   Initial to Active    The local device quits the remote backup group
2022-10-29 15:13:49   Active to Standby    Interface status changed
2022-10-29 14:57:19   Standby to Active    Interface status changed
2022-10-29 14:45:48   Active to Standby    Interface status changed
2022-10-29 13:51:35   Active to Active     Keepalive link established

Secondary firewall status:

RBM_S<FWB>dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 4 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 15:33:11   Active to Standby    Interface status changed
2022-10-29 15:28:24   Standby to Active    Interface status changed
2022-10-29 15:27:48   Active to Standby    Interface status changed
2022-10-29 15:23:52   Standby to Active    Interface status changed
2022-10-29 15:16:59   Active to Standby    Keepalive link established
2022-10-29 15:16:37   Initial to Active    The local device quits the remote backup group
2022-10-29 14:57:13   Active to Standby    Interface status changed
2022-10-29 14:45:55   Standby to Active    Interface status changed
2022-10-29 13:51:34   Active to Standby    Keepalive link established
2022-10-29 13:51:14   Initial to Active    The local device quits the remote backup group
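Both the validation in 3.3 and the pre-switchover snapshot above are read from `display remote-backup-group status` on each member. Below is an added example (not code from the original post or from H3C) that parses that output from both devices, evaluates the pair (roles, channel and sync state, heartbeat addressing) and counts role changes within a time window. The sample outputs are constructed from the values shown on the page; the function names and the 15-minute / 3-change flap threshold are this example's own choices.

```python
"""Added example (not from the original post or from H3C): parse
`display remote-backup-group status` from both RBM members, evaluate the
pair and detect switchover flapping. Samples mirror the page's values."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

SAMPLE_PRIMARY = """\
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Local IP: 12.1.1.1
Remote IP: 12.1.1.2    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Switchover records:
Time                  Status change        Cause
2022-10-29 15:31:35   Standby to Active    Interface status changed
2022-10-29 15:27:05   Active to Standby    Interface status changed
2022-10-29 15:26:41   Standby to Active    Interface status changed
2022-10-29 15:22:57   Active to Standby    Interface status changed
2022-10-29 15:16:51   Active to Active     Keepalive link established
"""

SAMPLE_SECONDARY = """\
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Local IP: 12.1.1.2
Remote IP: 12.1.1.1    Destination port: 60064
Control channel status: Connected
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Switchover records:
Time                  Status change        Cause
2022-10-29 15:33:11   Active to Standby    Interface status changed
2022-10-29 15:28:24   Standby to Active    Interface status changed
2022-10-29 15:16:59   Active to Standby    Keepalive link established
"""

_KV = re.compile(r"^([A-Za-z][A-Za-z\- ]+?):\s*(.+?)\s*$")
_REC = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+ to \S+)\s+(.+?)\s*$")


def parse_rbm_status(text: str):
    """Return (fields dict, switchover records as (time, change, cause) tuples)."""
    fields, records = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = _REC.match(line)
        if m:
            records.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                            m.group(2), m.group(3)))
            continue
        # "Remote IP: ...    Destination port: ..." carries two fields on one line
        for part in re.split(r"\s{2,}", line):
            m = _KV.match(part)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields, records


def check_pair(primary: dict, secondary: dict) -> list[str]:
    """Findings for the pair; an empty list means the pair looks healthy."""
    findings = []
    roles = sorted(d.get("Device running status", "?") for d in (primary, secondary))
    if roles != ["Active", "Standby"]:
        findings.append(f"running roles are {roles}; expected one Active and one Standby")
    for name, d in (("primary", primary), ("secondary", secondary)):
        if d.get("Control channel status") != "Connected":
            findings.append(f"{name}: control channel not connected")
        if d.get("Configuration backup status") != "Auto sync enabled":
            findings.append(f"{name}: configuration auto sync not enabled")
        if d.get("Session backup status") != "Hot backup enabled":
            findings.append(f"{name}: session hot backup not enabled")
        if d.get("Configuration consistency check result") == "Not Performed":
            findings.append(f"{name}: configuration consistency check has not run yet")
    if (primary.get("Local IP"), primary.get("Remote IP")) != \
            (secondary.get("Remote IP"), secondary.get("Local IP")):
        findings.append("heartbeat Local/Remote IPs do not cross-match")
    return findings


def switchover_flaps(records, window=timedelta(minutes=15), threshold=3):
    """Count real role changes within `window` of the newest one. Active-to-Active
    keepalive events are not role changes and are ignored."""
    times = [t for t, change, _ in records
             if change in ("Active to Standby", "Standby to Active")]
    if not times:
        return 0, False
    newest = max(times)
    recent = [t for t in times if newest - t <= window]
    return len(recent), len(recent) >= threshold
```

On the page's own values the only pair findings are that the configuration consistency check has not run yet on either member (the 24-hour interval has not elapsed), while the primary's pre-switchover records count four role changes within fifteen minutes, which this check reports as flapping; an operator would want that surfaced before relying on the pair.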

3.1.1 Switching traffic from the primary firewall to the secondary firewall

# Log in to the primary firewall and shut down the interface connected to the S6850

RBM_P[FWA]int g 1/0/1
RBM_P[FWA-GigabitEthernet1/0/1]shu
%Oct 29 15:36:57:088 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Oct 29 15:36:57:090 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%Oct 29 15:36:57:111 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/3 changed to down.
%Oct 29 15:36:57:113 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/3 changed to down.
RBM_P[FWA-GigabitEthernet1/0/1]dis this
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 shutdown
 ip address 13.1.1.1 255.255.255.0

# Check the RBM interface states on the primary firewall: G1/0/1 is administratively shut down, and the downlink interface G1/0/3 has been brought down by the RBM track module

RBM_P[FWA]dis int g 1/0/1
GigabitEthernet1/0/1
Current state: Administratively DOWN
RBM_P[FWA]dis int g 1/0/3
GigabitEthernet1/0/3
Current state: RBM-track Shutdown

# Check the S6850's route to the loopback interface on the S5560 side again: the route has switched over to the secondary firewall

dis ip rou 4.4.4.4
Summary count : 1
Destination/Mask   Proto   Pre Cost        NextHop         Interface
4.4.4.4/32         Static  70  0           23.1.1.2        Vlan2

# Ping the S5560 loopback address from the S6850 side: no packet loss

56 bytes from 4.4.4.4: icmp_seq=997 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=998 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=999 ttl=254 time=2.000 ms

--- Ping statistics for 4.4.4.4 ---
1000 packet(s) transmitted, 1000 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.896/10.000/0.701 ms

# Check the state of both firewalls: the primary has become Standby and the secondary has become Active; the switchover cause is "Interface status changed"

Primary firewall:

RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 1 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 15:36:57   Active to Standby    Interface status changed
2022-10-29 15:31:35   Standby to Active    Interface status changed
2022-10-29 15:27:05   Active to Standby    Interface status changed
2022-10-29 15:26:41   Standby to Active    Interface status changed
2022-10-29 15:22:57   Active to Standby    Interface status changed
2022-10-29 15:16:51   Active to Active     Keepalive link established
2022-10-29 15:16:16   Initial to Active    The local device quits the remote backup group
2022-10-29 15:13:49   Active to Standby    Interface status changed
2022-10-29 14:57:19   Standby to Active    Interface status changed
2022-10-29 14:45:48   Active to Standby    Interface status changed

Secondary firewall:

RBM_S<FWB>dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 2 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 15:39:16   Standby to Active    Interface status changed
2022-10-29 15:33:11   Active to Standby    Interface status changed
2022-10-29 15:28:24   Standby to Active    Interface status changed
2022-10-29 15:27:48   Active to Standby    Interface status changed
2022-10-29 15:23:52   Standby to Active    Interface status changed
2022-10-29 15:16:59   Active to Standby    Keepalive link established
2022-10-29 15:16:37   Initial to Active    The local device quits the remote backup group
2022-10-29 14:57:13   Active to Standby    Interface status changed
2022-10-29 14:45:55   Standby to Active    Interface status changed
2022-10-29 13:51:34   Active to Standby    Keepalive link established

3.1.2 Switching traffic back from the secondary firewall to the primary firewall

Bring interface G1/0/1 back up; after the delay-time elapses, the uplink and downlink interfaces come up and traffic switches back to the original primary firewall.

RBM_P[FWA]int g 1/0/1
RBM_P[FWA-GigabitEthernet1/0/1]dis this
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 shutdown
 ip address 13.1.1.1 255.255.255.0
return
RBM_P[FWA-GigabitEthernet1/0/1]

# Bring up the primary firewall's interface to the S6850. The interface first comes up and is then brought down again by RBM-track; how long it stays down depends on delay-time. No delay-time is configured by default, which means no preemption.

RBM_P[FWA-GigabitEthernet1/0/1]und shu
%Oct 29 15:42:20:439 2022 FWA LLDP/6/LLDP_CREATE_NEIGHBOR: -Context=1; Nearest bridge agent neighbor created on port GigabitEthernet1/0/1 (IfIndex 2), neighbor's chassis ID is a61d-8646-0300, port ID is GigabitEthernet1/0/1.
%Oct 29 15:42:20:449 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to up.
%Oct 29 15:42:20:452 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to up.
%Oct 29 15:42:20:455 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Oct 29 15:42:20:455 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
RBM_P[FWA-GigabitEthernet1/0/1]dis this
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 13.1.1.1 255.255.255.0
return

# Check the interface state: it is in RBM-track Shutdown and will be brought up automatically once the RBM delay-time has elapsed

RBM_P[FWA-GigabitEthernet1/0/1]dis int g 1/0/1
GigabitEthernet1/0/1
Current state: RBM-track Shutdown
RBM_P[FWA]dis int g 1/0/3
GigabitEthernet1/0/3
Current state: RBM-track Shutdown
Line protocol state: DOWN

# Continuous ping from the S6850 side: no packet loss after the switch-back

56 bytes from 4.4.4.4: icmp_seq=992 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=993 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=994 ttl=254 time=0.000 ms
56 bytes from 4.4.4.4: icmp_seq=995 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=996 ttl=254 time=0.000 ms
56 bytes from 4.4.4.4: icmp_seq=997 ttl=254 time=0.000 ms
56 bytes from 4.4.4.4: icmp_seq=998 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=999 ttl=254 time=1.000 ms

--- Ping statistics for 4.4.4.4 ---
1000 packet(s) transmitted, 997 packet(s) received, 0.3% packet loss
round-trip min/avg/max/std-dev = 0.000/0.930/11.000/0.822 ms

%Oct 29 15:47:53:811 2022 S6850 PING/6/PING_STATISTICS: Ping statistics for 4.4.4.4: 1000 packet(s) transmitted, 997 packet(s) received, 0.3% packet loss, round-trip min/avg/max/std-dev = 0.000/0.930/11.000/0.822 ms.

# Check the primary firewall's role again: its running role is now Active, and the secondary has become Standby

RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 1 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 15:43:52   Standby to Active    Interface status changed
2022-10-29 15:36:57   Active to Standby    Interface status changed
2022-10-29 15:31:35   Standby to Active    Interface status changed
2022-10-29 15:27:05   Active to Standby    Interface status changed
2022-10-29 15:26:41   Standby to Active    Interface status changed
2022-10-29 15:22:57   Active to Standby    Interface status changed
2022-10-29 15:16:51   Active to Active     Keepalive link established
2022-10-29 15:16:16   Initial to Active    The local device quits the remote backup group
2022-10-29 15:13:49   Active to Standby    Interface status changed
2022-10-29 14:57:19   Standby to Active    Interface status changed

RBM_S<FWB>dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1    Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 2 minutes
Switchover records:
Time                  Status change        Cause
2022-10-29 15:46:43   Active to Standby    Interface status changed
2022-10-29 15:39:16   Standby to Active    Interface status changed
2022-10-29 15:33:11   Active to Standby    Interface status changed
2022-10-29 15:28:24   Standby to Active    Interface status changed
2022-10-29 15:27:48   Active to Standby    Interface status changed
2022-10-29 15:23:52   Standby to Active    Interface status changed
2022-10-29 15:16:59   Active to Standby    Keepalive link established
2022-10-29 15:16:37   Initial to Active    The local device quits the remote backup group
2022-10-29 14:57:13   Active to Standby    Interface status changed
2022-10-29 14:45:55   Standby to Active    Interface status changed

4. Open issues

What the customer wants is this: if the interface for link 1 goes down, the firewall active/standby relationship must not switch over, and traffic should leave via the interface for link 2. In the test environment, however, RBM tracks the interfaces for links 1, 2 and 3, so as soon as any one of them goes down the firewalls switch over, which does not match the customer's expectation.

Consider a different approach: track only interface 3 and leave interfaces 1 and 2 untracked (the egress via 1 and 2 is handled by floating static routes, primary path via China Mobile, backup path via China Unicom). When interface 1 goes down, the firewall pair does not switch over; the primary route is withdrawn and traffic is forwarded via interface 2, which appears to meet the requirement. But if interface 2 then also goes down, both egress interfaces 1 and 2 on the primary firewall are down. Since interfaces 1 and 2 are not tracked by RBM, interface 3 stays up and traffic is still forwarded to the primary firewall, so the service is cut off.

Someone then suggested monitor-link: it provides uplink/downlink interface linkage, so make interfaces 1 and 2 the monitor-link uplinks and interface 3 the monitor-link downlink. When interfaces 1 and 2 are both down, interface 3 goes down with them, and the firewall pair can switch over.

monitor-link seems to meet the requirement, but on closer inspection: if interface 3 goes down, the firewall HA should switch over so that intranet traffic towards the People's Bank of China leaves via the secondary firewall. In practice, however, RBM is linked only with interface 3, not with interfaces 1 and 2, and monitor-link treats 1 and 2 as uplinks and 3 as the downlink, so traffic is still broken in this case.

So how should this scenario be solved? Everyone is welcome to think it over together.
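To make the three tracking designs discussed above comparable, here is an added example (not code from the original post or from H3C) that models them in Python. It treats interfaces 1 and 2 as the primary firewall's carrier uplinks with floating static routes and interface 3 as its downlink. Two modelling assumptions are this example's own and not verified device behaviour: after a switchover, RBM-track shuts down only the interfaces RBM tracks (as observed with G1/0/3 in section 3), and carrier return traffic reaches the secondary only when the primary has no live uplink, since routing is static. The `Policy`, `evaluate` and `meets_requirement` names are this example's own.

```python
"""Added example (not from the original post or from H3C): a small model of the
interface-tracking designs discussed in section 4. Interfaces 1 and 2 are the
primary firewall's carrier uplinks (floating static routes), 3 is its downlink.
Modelling assumptions (not verified behaviour): RBM-track shutdown after a
switchover applies only to RBM-tracked interfaces, and carrier return traffic
reaches the secondary only when the primary has no live uplink."""
from __future__ import annotations
from dataclasses import dataclass

UPLINKS = {1, 2}
DOWNLINK = 3


@dataclass(frozen=True)
class Policy:
    name: str
    rbm_tracked: frozenset[int]
    monitor_link: bool = False  # uplinks {1,2} -> downlink 3 linkage


def primary_interface_state(policy: Policy, failed: frozenset[int]) -> dict[int, bool]:
    """Effective up/down state of the primary's interfaces before RBM acts."""
    up = {i: i not in failed for i in (1, 2, 3)}
    if policy.monitor_link and not any(up[i] for i in UPLINKS):
        up[DOWNLINK] = False  # monitor-link pulls the downlink down with the uplinks
    return up


def evaluate(policy: Policy, failed: frozenset[int]) -> dict[str, bool]:
    """Does the pair switch over, and does traffic still reach the carrier side?"""
    up = primary_interface_state(policy, failed)
    switched = any(not up[i] for i in policy.rbm_tracked)
    if switched:
        # after a switchover RBM shuts the primary's other tracked interfaces
        for i in policy.rbm_tracked:
            up[i] = False
        # the secondary is assumed healthy; carrier return traffic reaches it only
        # if the primary no longer has a live uplink the carriers route to
        reachable = not any(up[i] for i in UPLINKS)
    else:
        # no switchover: traffic stays on the primary and needs a live uplink
        reachable = up[DOWNLINK] and any(up[i] for i in UPLINKS)
    return {"switched": switched, "reachable": reachable}


def meets_requirement(policy: Policy):
    """Section 4 requirement: a single uplink failure must not switch over, and
    every failure case considered must keep traffic flowing."""
    cases = [frozenset({1}), frozenset({1, 2}), frozenset({3})]
    results = {c: evaluate(policy, c) for c in cases}
    ok = (not results[frozenset({1})]["switched"]
          and all(r["reachable"] for r in results.values()))
    return ok, results


POLICIES = [
    Policy("track 1,2,3 (test environment)", frozenset({1, 2, 3})),
    Policy("track 3 only", frozenset({3})),
    Policy("track 3 + monitor-link 1,2 -> 3", frozenset({3}), monitor_link=True),
]

if __name__ == "__main__":
    for p in POLICIES:
        ok, results = meets_requirement(p)
        print(f"{p.name}: {'meets' if ok else 'fails'} requirement")
        for failed, r in results.items():
            print(f"  failed={sorted(failed)} switched={r['switched']} "
                  f"reachable={r['reachable']}")
```

Running it shows that none of the three designs satisfies both conditions: tracking 1, 2 and 3 switches over on a single uplink failure; tracking only 3 blackholes traffic both when the two uplinks fail and when 3 fails; adding monitor-link repairs the double-uplink case but not the failure of 3, which is exactly the gap the text ends on.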

5. Notes

1. The RBM heartbeat interfaces can synchronize data without being added to a security zone; by default the heartbeat interfaces cannot ping each other.

2. The RBM configuration approach is the same as Huawei HRP: first configure the interconnect addresses, routes and the RBM settings, and configure the security policy last (the policy is synchronized over the RBM heartbeat link).

3. The RBM data and control channels are TCP-based. The control channel (port 60064) can traverse a Layer 3 network; the data channel (port 60066) must be directly connected and cannot cross Layer 3.
