Deployment notes: MLAG + VRF, one-arm firewall, hot-standby firewall pair, and OSPF

Network topology

Deployment approach

1. Core MLAG configuration (S1-S2)
  • MLAG peer & keepalive
    • G1/0/4 serves as the peer-link (MLAG synchronization port)
    • G1/0/5 serves as the keepalive link (heartbeat detection)
  • Link aggregation (LACP)
    • FW1/FW2: aggregation groups toward the firewalls (permit VLAN 100/101)
    • S3 (access switch): aggregation group toward the access layer (permit VLAN 10)
2. Firewall hot-standby pair (FW1-FW2)
  • HA mode: active/standby
  • Layer-2 link aggregation: bound into an aggregation group with S1-S2, permitting VLAN 100/101
  • Security policy: permit OSPF packets so that routes are reachable; permit trust>untrust traffic
3. Access layer & Layer-3 interconnect (S3, R1)
  • S3 (access switch): LACP aggregation with S1-S2 (VLAN 10)
  • R1 (test device)
    • Layer-3 link aggregation with S1-S2 (IP: 192.168.200.1)
    • Loopback interface 8.8.8.8 for connectivity testing
4. VRF & OSPF multi-instance (S1/S2)
  • VRF instances
    • VRF-A (downstream devices): bound to VLANIF100
    • VRF-B (upstream devices): bound to VLANIF101
  • OSPF multi-process
    • OSPF 1 (VRF-A): handles inside routing (VLAN 100)
    • OSPF 2 (VRF-B): handles outside routing (VLAN 101)

S1-S2 form an MLAG group; the interconnect addresses toward the firewalls are VLANIF100/VLANIF101.

The overall forwarding path is PCA -> S1/S2 (VLANIF100) -> FW1 (VLANIF100) -> S1/S2 (VLANIF101) -> R1.
To keep upstream and downstream traffic isolated from each other, OSPF multi-process together with VPN instances (VRFs) is used.
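The isolation argument above can be checked mechanically. The following Python snippet is an added example (not code from the original notes or from the devices): it parses VLAN-interface stanzas in the configuration syntax used on this page and reports any inside/outside interface pair that shares a VRF or an OSPF process, which is exactly the condition under which S1/S2 could route around FW1/FW2. S1_EXCERPT is a constructed subset of the S1 configuration; FLAT_EXCERPT is the same interfaces without the VRF/multi-process separation, i.e. the "what if we don't use OSPF multi-process" case.

```python
import re

# Constructed excerpt modelled on the S1 VLAN interfaces on this page, not the
# device's running config: VLANs 10/100 -> VRF a/OSPF 1, VLANs 101/200 -> VRF b/OSPF 2.
S1_EXCERPT = """\
interface Vlan-interface10
 ip binding vpn-instance a
 ospf 1 area 0.0.0.0
#
interface Vlan-interface100
 ip binding vpn-instance a
 ospf 1 area 0.0.0.0
#
interface Vlan-interface101
 ip binding vpn-instance b
 ospf 2 area 0.0.0.0
#
interface Vlan-interface200
 ip binding vpn-instance b
 ospf 2 area 0.0.0.0
"""
# Same interfaces collapsed into one VRF and one OSPF process (the "what if" case).
FLAT_EXCERPT = S1_EXCERPT.replace("vpn-instance b", "vpn-instance a").replace("ospf 2", "ospf 1")
INSIDE = ["Vlan-interface10", "Vlan-interface100"]    # PC side of the firewall
OUTSIDE = ["Vlan-interface101", "Vlan-interface200"]  # R1 side of the firewall

def parse_vlan_interfaces(config):
    """Map each Vlan-interface to its VRF ('global' if unbound) and OSPF process id."""
    result, cur = {}, None
    for line in config.splitlines():
        if line.startswith("#"):                      # '#' ends an interface stanza
            cur = None
        elif (m := re.match(r"interface (Vlan-interface\d+)", line)):
            cur = m.group(1)
            result[cur] = {"vrf": "global", "ospf": None}
        elif cur:
            if (m := re.match(r"\s*ip binding vpn-instance (\S+)", line)):
                result[cur]["vrf"] = m.group(1)
            elif (m := re.match(r"\s*ospf (\d+) area", line)):
                result[cur]["ospf"] = m.group(1)
    return result

def firewall_bypass_paths(config, inside=INSIDE, outside=OUTSIDE):
    """Inside/outside pairs sharing a VRF or OSPF process: the switch could route between them directly."""
    ifs = parse_vlan_interfaces(config)
    return [(i, o) for i in inside for o in outside
            if ifs[i]["vrf"] == ifs[o]["vrf"] or ifs[i]["ospf"] == ifs[o]["ospf"]]
```

An empty result for the page's layout and four flagged pairs for the flattened variant show why both the VRF binding and the separate OSPF process matter: sharing either one gives the core switches a path that never traverses the firewall.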

Questions to think about

  1. Could this be done without OSPF multi-process?
  2. What exactly does using VRF instances on the MLAG group solve?

Device configuration

S1 full configuration

#
sysname S1
#
ip vpn-instance a
 #
 address-family ipv4
#
ip vpn-instance b
 #
 address-family ipv4
#
ospf 1 router-id 1.1.1.1 vpn-instance a
 area 0.0.0.0
#
ospf 2 router-id 11.11.11.11 vpn-instance b
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 1
#
vlan 10
#
vlan 100 to 101
#
vlan 200
#
interface Bridge-Aggregation1
 description peerlink
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag peer-link 1
#
interface Bridge-Aggregation2
 description to_FW1
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 2
#
interface Bridge-Aggregation3
 description to_FW2
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 3
#
interface Bridge-Aggregation4
 description to_R1
 port access vlan 200
 link-aggregation mode dynamic
 port m-lag group 4
#
interface Bridge-Aggregation5
 description to_PC
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 5
#
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.252 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 120
#
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.252 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 100 virtual-ip 192.168.100.254
 vrrp vrid 100 priority 120
#
interface Vlan-interface101
 ip binding vpn-instance b
 ip address 192.168.101.252 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 101 virtual-ip 192.168.101.254
 vrrp vrid 101 priority 120
#
interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.252 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 200 virtual-ip 192.168.200.254
 vrrp vrid 200 priority 120
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable fiber
 ip address 192.168.99.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 200
 combo enable fiber
 port link-aggregation group 4
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 2
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 3
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 5
#
 m-lag mad exclude interface GigabitEthernet1/0/5
 m-lag restore-delay 10
 m-lag role priority 120
 m-lag system-mac 68fb-1ae4-0300
 m-lag system-number 1
 m-lag system-priority 0
 m-lag consistency-check disable
 m-lag keepalive ip destination 192.168.99.2 source 192.168.99.1

S2 full configuration

#
 sysname S2
#
ip vpn-instance a
 #
 address-family ipv4
#
ip vpn-instance b
 #
 address-family ipv4
#
ospf 1 router-id 2.2.2.2 vpn-instance a
 area 0.0.0.0
#
ospf 2 router-id 12.12.12.12 vpn-instance b
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 1
#
vlan 10
#
vlan 100 to 101
#
vlan 200
#
interface Bridge-Aggregation1
 description peerlink
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag peer-link 1
#
interface Bridge-Aggregation2
 description to_FW1
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 2
#
interface Bridge-Aggregation3
 description to_FW2
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 3
#
interface Bridge-Aggregation4
 description to_R1
 port access vlan 200
 link-aggregation mode dynamic
 port m-lag group 4
#
interface Bridge-Aggregation5
 description to_PC
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
 port m-lag group 5
#
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.253 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 10 virtual-ip 192.168.10.254
#
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.253 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 100 virtual-ip 192.168.100.254
#
interface Vlan-interface101
 ip binding vpn-instance b
 ip address 192.168.101.253 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 101 virtual-ip 192.168.101.254
#
interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.253 255.255.255.0
 ospf 2 area 0.0.0.0
 vrrp vrid 200 virtual-ip 192.168.200.254
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable fiber
 ip address 192.168.99.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port access vlan 200
 combo enable fiber
 port link-aggregation group 4
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 2
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 3
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 1
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
 port link-aggregation group 5
#
 m-lag mad exclude interface GigabitEthernet1/0/5
 m-lag restore-delay 10
 m-lag system-mac 68fb-1ae4-0300
 m-lag system-number 2
 m-lag system-priority 0
 m-lag consistency-check disable
 m-lag keepalive ip destination 192.168.99.1 source 192.168.99.2

FW1 full configuration

#
 sysname FW1
#
track 1 interface Bridge-Aggregation1
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 1
#
vlan 100 to 101
#
interface Bridge-Aggregation1
 description to_SW
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
#
interface Vlan-interface100
 ip address 192.168.100.1 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface Vlan-interface101
 ip address 192.168.101.1 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.252
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
security-zone name Trust
 import interface Vlan-interface100
#
security-zone name Untrust
 import interface Vlan-interface101
#
security-zone name Heart
 import interface GigabitEthernet1/0/0
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name Heart
  action pass
  source-zone Heart
  service-port icmp
 rule 5 name ospf
  action pass
  source-zone local
  source-zone untrust
  source-zone trust
  destination-zone trust
  destination-zone untrust
  destination-zone local
  service ospf
 rule 10 name Local>any
  action pass
  source-zone local
 rule 15 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
#
remote-backup group
 data-channel interface GigabitEthernet1/0/0
 delay-time 1
 track 1
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary

FW2 full configuration

#
 sysname FW2
#
track 1 interface Bridge-Aggregation1
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
vlan 100 to 101
#
interface Bridge-Aggregation1
 description to_SW
 port link-type trunk
 port trunk permit vlan all
 link-aggregation mode dynamic
#
interface Vlan-interface100
 ip address 192.168.100.2 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface Vlan-interface101
 ip address 192.168.101.2 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.2 255.255.255.252
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
 port link-aggregation group 1
#
security-zone name Trust
 import interface Vlan-interface100
#
security-zone name Untrust
 import interface Vlan-interface101
#
security-zone name Heart
 import interface GigabitEthernet1/0/0
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name Heart
  action pass
  source-zone Heart
  service-port icmp
 rule 5 name ospf
  action pass
  source-zone local
  source-zone untrust
  source-zone trust
  destination-zone trust
  destination-zone untrust
  destination-zone local
  service ospf
 rule 10 name Local>any
  action pass
  source-zone local
 rule 15 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
#
remote-backup group
 data-channel interface GigabitEthernet1/0/0
 delay-time 1
 adjust-cost ospf enable absolute 65535
 track 1
 local-ip 1.1.1.2
 remote-ip 1.1.1.1
 device-role secondary

R1 full configuration

#
 sysname R1
#
ospf 1 router-id 8.8.8.8
 area 0.0.0.0
#
 ip unreachables enable
 ip ttl-expires enable
#
interface Route-Aggregation1
 description to_SW
 ip address 192.168.200.1 255.255.255.0
 ospf 1 area 0.0.0.0
 link-aggregation mode dynamic
#
interface LoopBack0
 ip address 8.8.8.8 255.255.255.255
 ospf 1 area 0.0.0.0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 port link-aggregation group 1
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 port link-aggregation group 1

Configuration verification
