1、概述
某银行用户通过两条专线接入到某公司IDC环境,大致如下所示,考虑近几年业务发展比较迅猛,现有网络环境存在单点故障的风险,万一设备出现故障,会对业务产生严重影响。经过用户进行评估,对现有网络环境进行改造。
2、改造方案
2.1 改造前拓扑
2.2 改造后拓扑
3、RBM环境验证
3.1 测试拓扑
3.2 实施步骤
防火墙配置:
1)配置主备防火墙设备互联IP地址和路由
2)配置RBM功能,可以参考官网配置,这里省略
3)配置主备防火墙安全策略
4)配置完成后检查主备防火墙HA状态
3.3 验证
主墙状态:
#可以看到当前主防火墙状态是active的,会话同步和配置同步功能是使能的
RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 5 min
Uptime since last switchover: 0 days, 0 hours, 8 minutes
Switchover records:
Time Status change Cause
2022-10-29 13:21:32 Active to Active Keepalive link established
2022-10-29 13:15:22 Initial to Active HA Configuration changed
#主备防火墙HA建立后的日志
%Oct 29 13:21:32:599 2022 FWA RBM/6/CFG_BATCH_SYNC: -Context=1; Started batch configuration synchronization.
%Oct 29 13:21:34:101 2022 FWA RBM/6/RBM_CFG_BATCH_SYNC_FINISH: -Context=1; Finished batch configuration synchronization.
#主防火墙上查看TCP连接如下,可以看到主备防火墙HA需要依赖TCP 60064和端口60066
RBM_Pdis tcp
*: TCP connection with authentication
Local Addr:port Foreign Addr:port State Slot PCB
0.0.0.0:23 0.0.0.0:0 LISTEN 1 0xffffffffffffff9d
0.0.0.0:80 0.0.0.0:0 LISTEN 1 0xffffffffffffffb2
0.0.0.0:443 0.0.0.0:0 LISTEN 1 0xffffffffffffffb4
12.1.1.1:36846 12.1.1.2:60064 ESTABLISHED 1 0xffffffffffffffd1
12.1.1.1:36847 12.1.1.2:60066 ESTABLISHED 1 0xffffffffffffffd2
备墙状态:
RBM_S[FWB]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 5 min
Uptime since last switchover: 0 days, 0 hours, 3 minutes
Switchover records:
Time Status change Cause
2022-10-29 13:20:01 Active to Standby Keepalive link established
2022-10-29 13:20:00 Initial to Active HA Configuration changed
#查看备墙的TCP连接
RBM_Sdis tcp
*: TCP connection with authentication
Local Addr:port Foreign Addr:port State Slot PCB
0.0.0.0:23 0.0.0.0:0 LISTEN 1 0xffffffffffffff9d
0.0.0.0:80 0.0.0.0:0 LISTEN 1 0xffffffffffffffa2
0.0.0.0:443 0.0.0.0:0 LISTEN 1 0xffffffffffffffa4
12.1.1.2:60064 12.1.1.1:0 LISTEN 1 0xffffffffffffff9f
12.1.1.2:60064 12.1.1.1:36846 ESTABLISHED 1 0xffffffffffffffa5
12.1.1.2:60066 12.1.1.1:0 LISTEN 1 0xffffffffffffffa0
12.1.1.2:60066 12.1.1.1:36847 ESTABLISHED 1 0xffffffffffffffa6
主备防火墙倒换前设备信息
#可以看到S6850设备去往4.4.4.4的路由是走主墙
dis ip rou 4.4.4.4
Summary count : 1
Destination/Mask Proto Pre Cost NextHop Interface
4.4.4.4/32 Static 60 0 13.1.1.1 Vlan1
主墙状态:
RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 3 minutes
Switchover records:
Time Status change Cause
2022-10-29 15:31:35 Standby to Active Interface status changed
2022-10-29 15:27:05 Active to Standby Interface status changed
2022-10-29 15:26:41 Standby to Active Interface status changed
2022-10-29 15:22:57 Active to Standby Interface status changed
2022-10-29 15:16:51 Active to Active Keepalive link established
2022-10-29 15:16:16 Initial to Active The local device quits the remote backup group
2022-10-29 15:13:49 Active to Standby Interface status changed
2022-10-29 14:57:19 Standby to Active Interface status changed
2022-10-29 14:45:48 Active to Standby Interface status changed
2022-10-29 13:51:35 Active to Active Keepalive link established
备墙状态:
RBM_Sdis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 4 minutes
Switchover records:
Time Status change Cause
2022-10-29 15:33:11 Active to Standby Interface status changed
2022-10-29 15:28:24 Standby to Active Interface status changed
2022-10-29 15:27:48 Active to Standby Interface status changed
2022-10-29 15:23:52 Standby to Active Interface status changed
2022-10-29 15:16:59 Active to Standby Keepalive link established
2022-10-29 15:16:37 Initial to Active The local device quits the remote backup group
2022-10-29 14:57:13 Active to Standby Interface status changed
2022-10-29 14:45:55 Standby to Active Interface status changed
2022-10-29 13:51:34 Active to Standby Keepalive link established
2022-10-29 13:51:14 Initial to Active The local device quits the remote backup group
3.1.1 业务从主防火墙倒换到备防火墙
#登录到主防火墙上,shutdown互联S6850设备接口
RBM_P[FWA] int g 1/0/1
RBM_P[FWA-GigabitEthernet1/0/1]shu
%Oct 29 15:36:57:088 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Oct 29 15:36:57:090 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%Oct 29 15:36:57:111 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/3 changed to down.
%Oct 29 15:36:57:113 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/3 changed to down.
RBM_P[FWA-GigabitEthernet1/0/1]dis this
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
shutdown
ip address 13.1.1.1 255.255.255.0
#查看主墙RBM接口状态,G1/0/1接口被认为shutdown了,下行接口G1/0/3被RBM-track模块管理Down了
RBM_P[FWA]dis int g 1/0/1
GigabitEthernet1/0/1
Current state: Administratively DOWN
RBM_P[FWA]dis int g 1/0/3
GigabitEthernet1/0/3
Current state: RBM-track Shutdown
#再次查看S6850设备侧去往S5560侧环回接口的路由,路由已经倒换到备墙了
dis ip rou 4.4.4.4
Summary count : 1
Destination/Mask Proto Pre Cost NextHop Interface
4.4.4.4/32 Static 70 0 23.1.1.2 Vlan2
#从S6850侧屏S5560侧环回接口地址,不丢包
56 bytes from 4.4.4.4: icmp_seq=997 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=998 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=999 ttl=254 time=2.000 ms
--- Ping statistics for 4.4.4.4 ---
1000 packet(s) transmitted, 1000 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.896/10.000/0.701 ms
#查看主备墙的状态,主墙已经变成了 Standby角色,备墙变成了Active角色,倒换原因为Interface status changed
主墙:
RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 1 minutes
Switchover records:
Time Status change Cause
2022-10-29 15:36:57 Active to Standby Interface status changed
2022-10-29 15:31:35 Standby to Active Interface status changed
2022-10-29 15:27:05 Active to Standby Interface status changed
2022-10-29 15:26:41 Standby to Active Interface status changed
2022-10-29 15:22:57 Active to Standby Interface status changed
2022-10-29 15:16:51 Active to Active Keepalive link established
2022-10-29 15:16:16 Initial to Active The local device quits the remote backup group
2022-10-29 15:13:49 Active to Standby Interface status changed
2022-10-29 14:57:19 Standby to Active Interface status changed
2022-10-29 14:45:48 Active to Standby Interface status changed
备墙:
RBM_Sdis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 2 minutes
Switchover records:
Time Status change Cause
2022-10-29 15:39:16 Standby to Active Interface status changed
2022-10-29 15:33:11 Active to Standby Interface status changed
2022-10-29 15:28:24 Standby to Active Interface status changed
2022-10-29 15:27:48 Active to Standby Interface status changed
2022-10-29 15:23:52 Standby to Active Interface status changed
2022-10-29 15:16:59 Active to Standby Keepalive link established
2022-10-29 15:16:37 Initial to Active The local device quits the remote backup group
2022-10-29 14:57:13 Active to Standby Interface status changed
2022-10-29 14:45:55 Standby to Active Interface status changed
2022-10-29 13:51:34 Active to Standby Keepalive link established
3.1.2 业务从备防火墙切换到主防火墙
打开G1/0/1接口,经过delay-time时间后,上下行接口UP,流量回切到原有主墙上
RBM_P[FWA]int g 1/0/1
RBM_P[FWA-GigabitEthernet1/0/1]dis this
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
shutdown
ip address 13.1.1.1 255.255.255.0
return
RBM_P[FWA-GigabitEthernet1/0/1]
#打开主墙连接S6850的设备接口,接口会先UP,然后在被RBM-track Down掉,Down的时间和delay-time有关系,默认没有配置delay-time,即不抢占。
RBM_P[FWA-GigabitEthernet1/0/1]und shu
%Oct 29 15:42:20:439 2022 FWA LLDP/6/LLDP_CREATE_NEIGHBOR: -Context=1; Nearest bridge agent neighbor created on port GigabitEthernet1/0/1 (IfIndex 2), neighbor's chassis ID is a61d-8646-0300, port ID is GigabitEthernet1/0/1.
%Oct 29 15:42:20:449 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to up.
%Oct 29 15:42:20:452 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to up.
%Oct 29 15:42:20:455 2022 FWA IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Oct 29 15:42:20:455 2022 FWA IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
RBM_P[FWA-GigabitEthernet1/0/1]dis this
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 13.1.1.1 255.255.255.0
return
#查看接口状态,被RBM-track Shutdown,等待RBM delay-time 时间后,接口会被自动打开
RBM_P[FWA-GigabitEthernet1/0/1]dis int g 1/0/1
GigabitEthernet1/0/1
Current state: RBM-track Shutdown
RBM_P[FWA]dis int g 1/0/3
GigabitEthernet1/0/3
Current state: RBM-track Shutdown
Line protocol state: DOWN
#S6850侧长ping,回切后不丢包
56 bytes from 4.4.4.4: icmp_seq=992 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=993 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=994 ttl=254 time=0.000 ms
56 bytes from 4.4.4.4: icmp_seq=995 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=996 ttl=254 time=0.000 ms
56 bytes from 4.4.4.4: icmp_seq=997 ttl=254 time=0.000 ms
56 bytes from 4.4.4.4: icmp_seq=998 ttl=254 time=1.000 ms
56 bytes from 4.4.4.4: icmp_seq=999 ttl=254 time=1.000 ms
--- Ping statistics for 4.4.4.4 ---
1000 packet(s) transmitted, 997 packet(s) received, 0.3% packet loss
round-trip min/avg/max/std-dev = 0.000/0.930/11.000/0.822 ms
%Oct 29 15:47:53:811 2022 S6850 PING/6/PING_STATISTICS: Ping statistics for 4.4.4.4: 1000 packet(s) transmitted, 997 packet(s) received, 0.3% packet loss, round-trip min/avg/max/std-dev = 0.000/0.930/11.000/0.822 ms.
#再次查看主墙的角色,当前运行角色为Active,备墙变成了Standby角色
RBM_P[FWA]dis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.1
Remote IP: 12.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 1 minutes
Switchover records:
Time Status change Cause
2022-10-29 15:43:52 Standby to Active Interface status changed
2022-10-29 15:36:57 Active to Standby Interface status changed
2022-10-29 15:31:35 Standby to Active Interface status changed
2022-10-29 15:27:05 Active to Standby Interface status changed
2022-10-29 15:26:41 Standby to Active Interface status changed
2022-10-29 15:22:57 Active to Standby Interface status changed
2022-10-29 15:16:51 Active to Active Keepalive link established
2022-10-29 15:16:16 Initial to Active The local device quits the remote backup group
2022-10-29 15:13:49 Active to Standby Interface status changed
2022-10-29 14:57:19 Standby to Active Interface status changed
RBM_Sdis remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 12.1.1.2
Remote IP: 12.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
Uptime since last switchover: 0 days, 0 hours, 2 minutes
Switchover records:
Time Status change Cause
2022-10-29 15:46:43 Active to Standby Interface status changed
2022-10-29 15:39:16 Standby to Active Interface status changed
2022-10-29 15:33:11 Active to Standby Interface status changed
2022-10-29 15:28:24 Standby to Active Interface status changed
2022-10-29 15:27:48 Active to Standby Interface status changed
2022-10-29 15:23:52 Standby to Active Interface status changed
2022-10-29 15:16:59 Active to Standby Keepalive link established
2022-10-29 15:16:37 Initial to Active The local device quits the remote backup group
2022-10-29 14:57:13 Active to Standby Interface status changed
2022-10-29 14:45:55 Standby to Active Interface status changed
4、遗留问题
客户想要实现的效果是如果1对应的接口Down了,防火墙主备关系不能切换,流量从2对应的接口出去。实际测试环境中,RBM把1,2,3对应的接口都做了track检测,那么,当其中一个接口Down,主备防火墙就会倒换,这样就不符合客户预期了。
换个思考方式,如果track 3口,1,2接口不做track检测(1,2出接口靠静态浮动路由来实现主走移动,备走联通),那么,当1口Down了,防火墙主备关系不会倒换,主路由失效,流量从2口转发,看似要求达到了,此时,如果2口也Down了,主防火墙1,2出口全Down了,由于没有track 1,2接口做RBM联动,所以3口还是UP的状态,流量依旧会转发到主墙,造成业务不通。
那么,有人又想到了,monitor-link不是可以做上下行接口联动吗,只要将1,2口作为monitor-link上行口,3口作为monitor-link的下行接口,当1,2接口全Down,3口伴随着也会Down,这样主备墙就能够倒换了。
看似monitor-link达到要求了,我们在仔细想想,发现如果3口Down了,防火墙HA正常应该要做倒换了,让内网访问人行的流量倒换到备墙出去。但是实际上,RBM只是和3口做了联动,没有和1,2口做联动,monitor-link也是1,2接口作为上行,3口作为下行,所以此时流量也是有问题的。
那么这种场景应该如何解决呢?大家可以一起考虑下。
5、备注
1、RBM心跳接口不用加入到安全域中也能够同步数据,心跳接口之间缺省是无法Ping通的。
2、RBM配置思路和华为HRP一致,先配置设备互联地址、路由、和RBM等配置,最后在配置安全策略(策略是靠RBM心跳线来同步的)。
3、RBM数据和控制通道是基于TCP的,控制通道(端口60064)可以跨三层环境,数据通道只能是直连的(端口60066),不能跨三层。