一 组网说明
2台透明防火墙透明独立部署;
两端设备做跨设备的链路聚合,配置一对互联地址,默认能否实现互通?
最终结果结合防火墙的端口联动功能可以实现
二 设备配置
2.1 SW1配置
sysname SW1
lldp global enable
vlan 10
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
interface LoopBack0
ip address 9.9.9.9 255.255.255.255
interface Vlan-interface10
ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
link-aggregation port-priority 10
port link-aggregation group 1
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
port link-aggregation group 1
ip route-static 8.8.8.8 32 1.1.1.1
2.2 SW2配置
sysname SW2
vlan 10
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
interface Vlan-interface10
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
link-aggregation port-priority 10
port link-aggregation group 1
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
port link-aggregation group 1
ip route-static 9.9.9.9 32 1.1.1.2
2.3 FW1配置
sysname FW1
vlan 10
interface GigabitEthernet1/0/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
security-zone name Trust
import interface GigabitEthernet1/0/0 vlan 10
import interface GigabitEthernet1/0/1 vlan 10
security-policy ip
rule 0 name any
action pass
2.4 FW2配置
sysname FW2
vlan 10
interface GigabitEthernet1/0/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
security-zone name Trust
import interface GigabitEthernet1/0/0 vlan 10
import interface GigabitEthernet1/0/1 vlan 10
三 设备状态与业务测试
3.1 SW1状态查看
SW1dis li v
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port: A -- Auto
Port Status: S -- Selected, U -- Unselected, I -- Individual
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
GE1/0/1 S 10 1
GE1/0/2 S 32768 1
SW1
3.2 SW2状态查看
<SW2>dis li v
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port: A -- Auto
Port Status: S -- Selected, U -- Unselected, I -- Individual
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
GE1/0/1 S 10 1
GE1/0/2 S 32768 1
<SW2>
3.3 默认业务测试不通
四 防火墙开启宽松模式业务可通:
4.1 FW1和FW2开启宽松模式
FW1session state-machine mode loose
FW1
FW2session state-machine mode loose
FW2
4.2 业务测试可通
五 防火墙关闭宽松模式,交换机配置选中端口数量业务可通
5.1 FW1和FW2关闭宽松模式,交换机配置选中端口数量业务可通
1.FW1和FW2关闭防火墙宽松模式
FW1un session state-machine mode
FW1
FW2un session state-machine mode
FW2
2.交换机1配置链路聚合最大选中端口为1
SW1dis cu int b 1
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
link-aggregation selected-port maximum 1
return
SW1dis cu int g 1/0/1
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
link-aggregation port-priority 10
port link-aggregation group 1
return
SW1
SW1dis cu int g 1/0/2
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
port link-aggregation group 1
3.交换机2配置链路聚合最大选中端口为1
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
link-aggregation selected-port maximum 1
return
SW2-Bridge-Aggregation1dis cu int g1/0/1
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
link-aggregation port-priority 10
port link-aggregation group 1
return
SW2-Bridge-Aggregation1
SW2-Bridge-Aggregation1dis cu int g1/0/2
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable fiber
port link-aggregation group 1
return
SW2-Bridge-Aggregation1
5.2 业务测试可通
六 关闭FW1下联SW1接口-业务不可达
6.1 关闭FW1下联SW1接口
FW1dis ll n l
Chassis ID : * -- -- Nearest nontpmr bridge neighbor
-- -- Nearest customer bridge neighbor
Default -- -- Nearest bridge neighbor
Local Interface Chassis ID Port ID System Name
GE1/0/0 96e2-7a35-0100 GigabitEthernet1/0/1 SW2
GE1/0/1 96e2-b57c-0400 GigabitEthernet1/0/1 SW1
FW1int g1/0/1
FW1-GigabitEthernet1/0/1shu
FW1-GigabitEthernet1/0/1shutdown
%Aug 26 22:32:30:392 2023 FW1 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:32:30:393 2023 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
FW1-GigabitEthernet1/0/1
FW1-GigabitEthernet1/0/1
6.2 业务中断
56 bytes from 8.8.8.8: icmp_seq=127 ttl=255 time=1.000 ms
56 bytes from 8.8.8.8: icmp_seq=128 ttl=255 time=1.000 ms
56 bytes from 8.8.8.8: icmp_seq=129 ttl=255 time=1.000 ms
%Aug 26 22:32:35:867 2023 SW1 LLDP/6/LLDP_DELETE_NEIGHBOR: Nearest bridge agent neighbor deleted on port GigabitEthernet1/0/1 (IfIndex 2), neighbor's chassis ID is 96e2-8b93-0200, port ID is GigabitEthernet1/0/1.
%Aug 26 22:32:35:870 2023 SW1 LAGG/6/LAGG_ACTIVE: Member port GE1/0/2 of aggregation group BAGG1 changed to the active state.
%Aug 26 22:32:35:870 2023 SW1 LAGG/6/LAGG_INACTIVE_PHYSTATE: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the physical state of the port is down.
%Aug 26 22:32:35:871 2023 SW1 IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:32:35:871 2023 SW1 IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:32:35:871 2023 SW1 IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/2 changed to up.
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
6.3 解决方法-防火墙配置端口联动
collaboration-group 1
interface GigabitEthernet1/0/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
port collaboration-group 1
interface GigabitEthernet1/0/0
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 10
combo enable copper
port collaboration-group 1
6.4 再次测试业务可以切换
1.shutdown FW1下联SW1接口
FW1-GigabitEthernet1/0/1shutdown
%Aug 26 22:39:15:410 2023 FW1 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:39:15:418 2023 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:39:15:463 2023 FW1 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on the interface GigabitEthernet1/0/0 changed to down.
%Aug 26 22:39:15:463 2023 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol state on the interface GigabitEthernet1/0/0 changed to down.
FW1-GigabitEthernet1/0/1%Aug 26 22:39:15:620 2023 FW1 CGROUP/6/CGROUP_STATUS_CHANGE: -Context=1; The status of collaboration group 1 is down.
FW1-GigabitEthernet1/0/1
2.业务测试正常切换
56 bytes from 8.8.8.8: icmp_seq=12 ttl=255 time=3.000 ms
56 bytes from 8.8.8.8: icmp_seq=13 ttl=255 time=2.000 ms
%Aug 26 22:42:44:000 2023 SW1 LLDP/6/LLDP_DELETE_NEIGHBOR: Nearest bridge agent neighbor deleted on port GigabitEthernet1/0/1 (IfIndex 2), neighbor's chassis ID is 96e2-8b93-0200, port ID is GigabitEthernet1/0/1.
%Aug 26 22:42:44:002 2023 SW1 IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:42:44:002 2023 SW1 IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/1 changed to down.
%Aug 26 22:42:44:002 2023 SW1 LAGG/6/LAGG_ACTIVE: Member port GE1/0/2 of aggregation group BAGG1 changed to the active state.
%Aug 26 22:42:44:002 2023 SW1 LAGG/6/LAGG_INACTIVE_PHYSTATE: Member port GE1/0/1 of aggregation group BAGG1 changed to the inactive state, because the physical state of the port is down.
%Aug 26 22:42:44:005 2023 SW1 IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/2 changed to up.
Request time out
Request time out
Request time out
Request time out
Request time out
56 bytes from 8.8.8.8: icmp_seq=19 ttl=255 time=2.000 ms
56 bytes from 8.8.8.8: icmp_seq=20 ttl=255 time=1.000 ms
3.接口联动状态查看
FW1dis collaboration-group all
Group ID Group Status
1 DOWN
FW1
FW1dis collaboration-group all verbose
Collaboration group protocol status: Enabled
Collaboration group 1 information:
Group status : DOWN
Member up delay : 0 seconds
Last up time : 22:37:44 2023/08/26
Last down time : 22:39:15 2023/08/26
Member Status
GE1/0/0 Collaboration-down
GE1/0/1 DOWN
FW1