Deployment notes: MLAG + VRF, one-armed firewall, dual-device hot standby and OSPF

Network topology

Deployment approach

1. Core MLAG configuration (S1-S2)
  • MLAG peer & keepalive
    • G1/0/4 as the peer-link (MLAG synchronisation port)
    • G1/0/5 as the keepalive link (heartbeat detection)
  • Link aggregation (LACP)
    • Aggregation groups toward FW1/FW2 (permitting VLAN 100/101)
    • Aggregation group toward S3 (access switch) (permitting VLAN 10)
2. Firewall hot standby (FW1-FW2)
  • HA mode: active/standby
  • Layer-2 link aggregation: one aggregation group bound toward S1-S2, permitting VLAN 100/101
  • Security policy: permit OSPF packets so routes are reachable; permit trust>untrust traffic
3. Access layer & Layer-3 interconnect (S3, R1)
  • S3 (access switch): LACP aggregation with S1-S2 (VLAN 10)
  • R1 (test device)
    • Layer-3 link aggregation with S1-S2 (IP: 192.168.200.1)
    • Loopback interface 8.8.8.8 for connectivity testing
4. VRF & OSPF multi-instance (S1/S2)
  • VRF instances
    • VRF-A (downstream side): bound to VLANIF100
    • VRF-B (upstream side): bound to VLANIF101
  • OSPF multi-process
    • OSPF 1 (VRF-A): carries the inside routes (VLAN 100)
    • OSPF 2 (VRF-B): carries the outside routes (VLAN 101)

S1-S2 form an MLAG group; the interconnect addresses toward the firewalls are on VLANIF100/VLANIF101.

The overall forwarding path is PCA -> S1/S2 (VLANIF100) -> FW1 (VLANIF100) -> S1/S2 (VLANIF101) -> R1.
To keep the pre-firewall (downstream) and post-firewall (upstream) routing domains separate, so that traffic cannot be routed around the firewall inside the core switches, OSPF multi-process is combined with VPN instances (VRFs).
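The separation described above can be checked mechanically rather than by eye. The following script is an added example (not part of the original notes): it parses a trimmed copy of the S1/S2 lines shown later on this page (the S2 sample is derived from the S1 sample by substituting router-ids, addresses and system-number), confirms that every VLAN interface runs the OSPF process of the VRF it is bound to, and compares the two MLAG peers for the settings that must agree (VRF binding, OSPF process, VRRP virtual IP, MLAG system-mac) or must differ (interface addresses, system-number). The parser understands only the handful of Comware commands the checks need; that is an assumption of the example, not a general config parser.

```python
"""Audit two Comware-style MLAG peer configs (S1/S2 in these notes) for the
VRF/OSPF split the design depends on and for MLAG peer consistency.
Added example; the parser understands only the commands the checks need."""
import re

# Sample input constructed for this example: S1 lines relevant to the checks.
S1_CFG = """\
ospf 1 router-id 1.1.1.1 vpn-instance a
ospf 2 router-id 11.11.11.11 vpn-instance b
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.252 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 10 virtual-ip 192.168.10.254
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.252 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 100 virtual-ip 192.168.100.254
interface Vlan-interface101
 ip binding vpn-instance b
 ip address 192.168.101.252 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 101 virtual-ip 192.168.101.254
interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.252 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 200 virtual-ip 192.168.200.254
#
 m-lag system-mac 68fb-1ae4-0300
 m-lag system-number 1
"""
# S2 differs from S1 only in router-ids, its own addresses and system-number.
S2_CFG = (S1_CFG.replace("router-id 1.1.1.1", "router-id 2.2.2.2")
          .replace("router-id 11.11.11.11", "router-id 12.12.12.12")
          .replace(".252 255.", ".253 255.")
          .replace("system-number 1", "system-number 2"))

def parse(cfg):
    """Extract OSPF process -> VRF, per-VLANIF settings and MLAG identity."""
    dev, block = {"ospf": {}, "vlanif": {}, "mlag": {}}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                # top-level command or '#'
            block = None
            if m := re.match(r"ospf (\d+) router-id (\S+)(?: vpn-instance (\S+))?", line):
                dev["ospf"][m[1]] = {"rid": m[2], "vrf": m[3]}
            elif m := re.match(r"interface Vlan-interface(\d+)$", line):
                block = dev["vlanif"].setdefault(m[1], {})
        elif m := re.match(r"m-lag (system-mac|system-number) (\S+)", line):
            dev["mlag"][m[1]] = m[2]                # global setting, though indented
        elif block is not None:
            if m := re.match(r"ip binding vpn-instance (\S+)", line):
                block["vrf"] = m[1]
            elif m := re.match(r"ip address (\S+) ", line):
                block["ip"] = m[1]
            elif m := re.match(r"ospf (\d+) area ", line):
                block["ospf"] = m[1]
            elif m := re.match(r"vrrp vrid \d+ virtual-ip (\S+)", line):
                block["vip"] = m[1]
    return dev

def audit_isolation(dev):
    """Each VLANIF must run the OSPF process of its own VRF; otherwise inside
    and outside routes could meet in one process and bypass the firewall."""
    findings = []
    for vid, i in sorted(dev["vlanif"].items(), key=lambda kv: int(kv[0])):
        proc = dev["ospf"].get(i.get("ospf"))
        if proc is None or proc["vrf"] != i.get("vrf"):
            findings.append(f"Vlan-interface{vid}: ospf {i.get('ospf')} "
                            f"is not a process of vpn-instance {i.get('vrf')}")
    return findings

def audit_pair(a, b):
    """Peers must agree on what hosts see (VRF, OSPF process, gateway VIP) and
    differ in their own addresses and MLAG system-number."""
    findings = []
    if a["mlag"].get("system-mac") != b["mlag"].get("system-mac"):
        findings.append("m-lag system-mac differs between peers")
    if a["mlag"].get("system-number") == b["mlag"].get("system-number"):
        findings.append("m-lag system-number must differ between peers")
    for vid in sorted(set(a["vlanif"]) | set(b["vlanif"]), key=int):
        ia, ib = a["vlanif"].get(vid), b["vlanif"].get(vid)
        if ia is None or ib is None:
            findings.append(f"Vlan-interface{vid}: present on only one peer")
            continue
        for key in ("vrf", "ospf", "vip"):
            if ia.get(key) != ib.get(key):
                findings.append(f"Vlan-interface{vid}: {key} mismatch "
                                f"({ia.get(key)} vs {ib.get(key)})")
        if ia.get("ip") == ib.get("ip"):
            findings.append(f"Vlan-interface{vid}: both peers use {ia.get('ip')}")
    return findings

def audit_site():
    """Run all checks over the S1/S2 samples; an empty list means clean."""
    s1, s2 = parse(S1_CFG), parse(S2_CFG)
    return audit_isolation(s1) + audit_isolation(s2) + audit_pair(s1, s2)
```

Run `audit_site()` against the samples and it returns an empty list; rebind VLANIF101 to `vpn-instance a` on one peer and both the isolation check and the peer comparison report it, which is exactly the kind of drift that would let OSPF 2 learn routes into the inside VRF.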

Questions to consider

  1. Could this be done without OSPF multi-process?
  2. What specifically does using VRF instances in the MLAG group solve?

Device configuration

S1 full configuration

#
sysname S1
#
ip vpn-instance a
 #
 address-family ipv4
#
ip vpn-instance b
 #
 address-family ipv4
#
ospf 1 router-id 1.1.1.1 vpn-instance a
 area 0.0.0.0
#
ospf 2 router-id 11.11.11.11 vpn-instance b
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 1
#
vlan 10
#
vlan 100 to 101
#
vlan 200
#
interface Bridge-Aggregation1
 description peerlink
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag peer-link 1
#
interface Bridge-Aggregation2
 description to_FW1
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 2
#
interface Bridge-Aggregation3
 description to_FW2
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 3
#
interface Bridge-Aggregation4
 description to_R1
 port access vlan 200
 link-aggregation mode dynamic
 port m-lag group 4
#
interface Bridge-Aggregation5
 description to_PC
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 5
#
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.252 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 120
#
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.252 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 100 virtual-ip 192.168.100.254
 vrrp vrid 100 priority 120
#
interface Vlan-interface101
 ip binding vpn-instance b
 ip address 192.168.101.252 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 101 virtual-ip 192.168.101.254
 vrrp vrid 101 priority 120
#
interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.252 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 200 virtual-ip 192.168.200.254
 vrrp vrid 200 priority 120
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable fiber
 ip address 192.168.99.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 200
 combo enable fiber
 port link-aggregation group 4
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 2
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 3
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 5
#
 m-lag mad exclude interface GigabitEthernet1/0/5
 m-lag restore-delay 10
 m-lag role priority 120
 m-lag system-mac 68fb-1ae4-0300
 m-lag system-number 1
 m-lag system-priority 0
 m-lag consistency-check disable
 m-lag keepalive ip destination 192.168.99.2 source 192.168.99.1

S2 full configuration

#
 sysname S2
#
ip vpn-instance a
 #
 address-family ipv4
#
ip vpn-instance b
 #
 address-family ipv4
#
ospf 1 router-id 2.2.2.2 vpn-instance a
 area 0.0.0.0
#
ospf 2 router-id 12.12.12.12 vpn-instance b
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 1
#
vlan 10
#
vlan 100 to 101
#
vlan 200
#
interface Bridge-Aggregation1
 description peerlink
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag peer-link 1
#
interface Bridge-Aggregation2
 description to_FW1
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 2
#
interface Bridge-Aggregation3
 description to_FW2
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 3
#
interface Bridge-Aggregation4
 description to_R1
 port access vlan 200
 link-aggregation mode dynamic
 port m-lag group 4
#
interface Bridge-Aggregation5
 description to_PC
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 5
#
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.253 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.253 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 100 virtual-ip 192.168.100.254
#
interface Vlan-interface101
 ip binding vpn-instance b
 ip address 192.168.101.253 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 101 virtual-ip 192.168.101.254
#
interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.253 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 200 virtual-ip 192.168.200.254
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable fiber
 ip address 192.168.99.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 200
 combo enable fiber
 port link-aggregation group 4
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 2
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 3
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 5
#
 m-lag mad exclude interface GigabitEthernet1/0/5
 m-lag restore-delay 10
 m-lag system-mac 68fb-1ae4-0300
 m-lag system-number 2
 m-lag system-priority 0
 m-lag consistency-check disable
 m-lag keepalive ip destination 192.168.99.1 source 192.168.99.2

FW1 full configuration

#
 sysname FW1
#
track 1 interface Bridge-Aggregation1
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 1
#
vlan 100 to 101
#
interface Bridge-Aggregation1
 description to_SW
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
#
interface Vlan-interface100
 ip address 192.168.100.1 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface Vlan-interface101
 ip address 192.168.101.1 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.252
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
security-zone name Trust
 import interface Vlan-interface100
#
security-zone name Untrust
 import interface Vlan-interface101
#
security-zone name Heart
 import interface GigabitEthernet1/0/0
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name Heart
  action pass
  source-zone Heart
  service-port icmp
 rule 5 name ospf
  action pass
  source-zone local
  source-zone untrust
  source-zone trust
  destination-zone trust
  destination-zone untrust
  destination-zone local
  service ospf
 rule 10 name Local>any
  action pass
  source-zone local
 rule 15 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
#
remote-backup group
 data-channel interface GigabitEthernet1/0/0
 delay-time 1
 track 1
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary

FW2 full configuration

#
 sysname FW2
#
track 1 interface Bridge-Aggregation1
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 100 to 101
#
interface Bridge-Aggregation1
 description to_SW
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
#
interface Vlan-interface100
 ip address 192.168.100.2 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface Vlan-interface101
 ip address 192.168.101.2 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.2 255.255.255.252
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
security-zone name Trust
 import interface Vlan-interface100
#
security-zone name Untrust
 import interface Vlan-interface101
#
security-zone name Heart
 import interface GigabitEthernet1/0/0
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name Heart
  action pass
  source-zone Heart
  service-port icmp
 rule 5 name ospf
  action pass
  source-zone local
  source-zone untrust
  source-zone trust
  destination-zone trust
  destination-zone untrust
  destination-zone local
  service ospf
 rule 10 name Local>any
  action pass
  source-zone local
 rule 15 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
#
remote-backup group
 data-channel interface GigabitEthernet1/0/0
 delay-time 1
 adjust-cost ospf enable absolute 65535
 track 1
 local-ip 1.1.1.2
 remote-ip 1.1.1.1
 device-role secondary
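The zone and security-policy section shared by FW1 and FW2 above, replayed as a first-match policy evaluator. This is an added example and not part of the original notes or of any vendor tool: the zone and rule lines are embedded as constructed sample input, zone names are folded to lowercase because the page writes them as Trust/trust interchangeably, and the `service-port` spelling in the ICMP rule is treated the same as `service`. The evaluator models only source zone, destination zone and service, with an implicit default of deny, which is enough to show what the rule set actually permits: OSPF in every direction among local/trust/untrust, ordinary traffic only from trust to untrust and from the firewall itself, and nothing unsolicited from untrust toward trust.

```python
"""Replay the FW1/FW2 zone and security-policy configuration from these notes
as a first-match policy evaluator. Added example, not part of the original
page; it models only zone membership, source/destination zone and service."""
import re

# Sample input constructed for this example: the zone and policy lines from
# the FW1 configuration above.
FW_CFG = """\
security-zone name Trust
 import interface Vlan-interface100
#
security-zone name Untrust
 import interface Vlan-interface101
#
security-zone name Heart
 import interface GigabitEthernet1/0/0
#
security-policy ip
 rule 0 name Heart
  action pass
  source-zone Heart
  service-port icmp
 rule 5 name ospf
  action pass
  source-zone local
  source-zone untrust
  source-zone trust
  destination-zone trust
  destination-zone untrust
  destination-zone local
  service ospf
 rule 10 name Local>any
  action pass
  source-zone local
 rule 15 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
"""

def parse_policy(cfg):
    """Return (interface -> zone, ordered rules). Zone names are case-folded
    because the page writes them as Trust/trust interchangeably."""
    zone_of, rules, zone, rule = {}, [], None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"security-zone name (\S+)", line):
            zone = m[1].lower()
        elif m := re.match(r"import interface (\S+)", line):
            zone_of[m[1]] = zone
        elif m := re.match(r"rule \d+ name (\S+)", line):
            rule = {"name": m[1], "action": None, "src": set(), "dst": set(), "svc": set()}
            rules.append(rule)
        elif rule is not None:
            if m := re.match(r"action (\S+)", line):
                rule["action"] = m[1]
            elif m := re.match(r"source-zone (\S+)", line):
                rule["src"].add(m[1].lower())
            elif m := re.match(r"destination-zone (\S+)", line):
                rule["dst"].add(m[1].lower())
            elif m := re.match(r"service(?:-port)? (\S+)", line):   # page uses both spellings
                rule["svc"].add(m[1].lower())
    return zone_of, rules

def decide(rules, src, dst, svc):
    """First matching rule wins; an empty match set means 'any'. Anything
    unmatched falls to the implicit default, which denies."""
    for r in rules:
        if ((not r["src"] or src in r["src"]) and (not r["dst"] or dst in r["dst"])
                and (not r["svc"] or svc in r["svc"])):
            return r["action"], r["name"]
    return "drop", "default"

def flow(zone_of, rules, in_if, out_if, svc):
    """Evaluate a transit flow by mapping its ingress/egress interfaces to zones."""
    return decide(rules, zone_of[in_if], zone_of[out_if], svc)

def policy_matrix(cfg=FW_CFG):
    """Which zone pairs pass ordinary (non-OSPF, non-ICMP) traffic?"""
    zone_of, rules = parse_policy(cfg)
    zones = sorted(set(zone_of.values()) | {"local"})
    return {(s, d): decide(rules, s, d, "tcp")[0] for s in zones for d in zones if s != d}
```

`policy_matrix()` gives the zone-pair view a reviewer wants: only `trust -> untrust` and `local -> *` pass plain traffic, so any reply from R1's side toward PCA is admitted by the firewall's session table rather than by a rule, and a new connection initiated from untrust is dropped at the default.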

R1 full configuration

#
 sysname R1
#
ospf 1 router-id 8.8.8.8
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
interface Route-Aggregation1
 description to_SW
 ip address 192.168.200.1 255.255.255.0
 ospf 1 area 0.0.0.0
 link-aggregation mode dynamic
#
interface LoopBack0
 ip address 8.8.8.8 255.255.255.255
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 port link-aggregation group 1

Configuration verification
