2008-06-26 | Juniper firewall active/passive full-mesh NSRP configuration example


Network topology diagram: (image not preserved in this copy)

The relevant configuration of the Juniper ISG-2000 firewall pair follows (NS2000_M is the intended NSRP master, NS2000_B the backup; the (M) and (B) in the CLI prompts show the current NSRP role):

1. Physical interface status

NS2000_M(M)-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
mgt            192.168.1.1/24                    MGT         0010.dbbf.0c80    -   D   -
eth1/1         0.0.0.0/0                         Untrust     0010.dbff.4070    -   U   0
eth1/2         0.0.0.0/0                         Untrust     0010.dbff.4080    -   U   0
eth2/1         0.0.0.0/0                         Trust       0010.dbff.4150    -   U   0
eth2/2         0.0.0.0/0                         Trust       0010.dbff.4160    -   U   0
eth3/1         10.243.213.9/29                   DMZ         0010.dbff.41d0    -   U   0
eth3/2         0.0.0.0/0                         Null        0010.dbff.41e0    -   D   0
eth4/1         0.0.0.0/0                         HA          0010.dbbf.0ca5    -   U   -
eth4/2         0.0.0.0/0                         HA          0010.dbbf.0ca6    -   U   -
eth4/3         0.0.0.0/0                         Null        0010.dbff.4270    -   D   0
eth4/4         0.0.0.0/0                         IDP         0010.dbff.4280    -   U   0
eth4/4.200     10.243.210.142/28                 IDP         0010.dbff.4280  200   U   0
red1           10.243.213.1/29                   Trust       0010.dbff.4400    -   U   0
red2           10.243.209.17/29                  Untrust     0010.dbff.4410    -   U   0
vlan1          0.0.0.0/0                         VLAN        0010.dbff.40f0    1   D   0
null           0.0.0.0/0                         Null        N/A               -   U   0

NS2000_B(B)-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
mgt            192.168.1.1/24                    MGT         0010.dbbf.0c00    -   D   -
eth1/1         0.0.0.0/0                         Untrust     0010.dbff.4070    -   I   0
eth1/2         0.0.0.0/0                         Untrust     0010.dbff.4080    -   I   0
eth2/1         0.0.0.0/0                         Trust       0010.dbff.4150    -   I   0
eth2/2         0.0.0.0/0                         Trust       0010.dbff.4160    -   I   0
eth3/1         10.243.213.9/29                   DMZ         0010.dbff.41d0    -   I   0
eth3/2         0.0.0.0/0                         Null        0010.dbff.41e0    -   I   0
eth4/1         0.0.0.0/0                         HA          0010.dbbf.0c25    -   U   -
eth4/2         0.0.0.0/0                         HA          0010.dbbf.0c26    -   U   -
eth4/3         0.0.0.0/0                         Null        0010.dbff.4270    -   I   0
eth4/4         0.0.0.0/0                         IDP         0010.dbff.4280    -   I   0
eth4/4.200     10.243.210.142/28                 IDP         0010.dbff.4280  200   I   0
red1           10.243.213.1/29                   Trust       0010.dbff.4400    -   I   0
red2           10.243.209.17/29                  Untrust     0010.dbff.4410    -   I   0
vlan1          0.0.0.0/0                         VLAN        0010.dbff.40f0    1   I   0
null           0.0.0.0/0                         Null        N/A               -   U   0

2. HA link configuration

NS2000_M(M)-> get config | in ethernet4/1
set interface "ethernet4/1" zone "HA"
NS2000_M(M)-> get config | in ethernet4/2
set interface "ethernet4/2" zone "HA"

NS2000_B(B)-> get config | in ethernet4/1
set interface "ethernet4/1" zone "HA"
NS2000_B(B)-> get config | in ethernet4/2
set interface "ethernet4/2" zone "HA"

3. Redundant interface configuration

NS2000_M(M)-> get config | in redundant1
set interface id 64 "redundant1" zone "Trust"
set interface ethernet2/1 group redundant1
set interface ethernet2/2 group redundant1
set interface redundant1 ip 10.243.213.1/29
set interface redundant1 route
set interface redundant1 manage-ip 10.243.213.2
unset interface redundant1 ip manageable

NS2000_B(B)-> get config | in redundant1
set interface id 64 "redundant1" zone "Trust"
set interface ethernet2/1 group redundant1
set interface ethernet2/2 group redundant1
set interface redundant1 ip 10.243.213.1/29
set interface redundant1 route
set interface redundant1 manage-ip 10.243.213.3
unset interface redundant1 ip manageable

4. NSRP configuration

NS2000_M(M)-> get config | in nsrp
set nsrp cluster id 2
set nsrp rto-mirror sync
set nsrp rto-mirror session ageout-ack
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt hold-down 1
set nsrp monitor interface redundant1
set nsrp monitor interface redundant2
set nsrp monitor interface ethernet3/1
set nsrp ha-link probe

NS2000_B(B)-> get config | in nsrp
set nsrp cluster id 2
set nsrp rto-mirror sync
set nsrp rto-mirror session ageout-ack
set nsrp vsd-group id 0 priority 100
set nsrp monitor interface redundant1
set nsrp monitor interface redundant2
set nsrp monitor interface ethernet3/1
set nsrp ha-link probe
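
The NSRP settings above decide which member wins VSD group 0 (in ScreenOS the lower priority number wins, so NS2000_M at 50 beats NS2000_B at the default 100), which member may preempt, and which interfaces are monitored for failover; the `get int` tables show the result, with the VSD-0 data interfaces Up on the master and Inactive on the backup while the HA links are Up on both (the identical MACs on the two members' VSD interfaces are NSRP virtual MACs; the HA ports keep their physical ones). As an added example that is not part of the original post or of Juniper's tooling, here is a Python audit that parses both members' output and flags the mismatches behind the usual NSRP surprises: different cluster ids, a backup that also holds the winning priority or has preempt set, asymmetric monitor lists, rto-mirror off, an HA link that is not Up, or a VSD interface Up on both members (dual master). The sample text is copied and trimmed from the post; the dictionary field names and the assumption that any `preempt` line means preempt is enabled are mine.

```python
"""Consistency audit for a ScreenOS NSRP active/passive pair (added example, not Juniper code).
Parses both members' "get config | in nsrp" and "get int" output; sample rows are copied
(and trimmed) from the post's CLI output above."""
import re

MASTER_NSRP = """\
set nsrp cluster id 2
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt hold-down 1
set nsrp monitor interface redundant1
set nsrp monitor interface redundant2
set nsrp monitor interface ethernet3/1
"""

BACKUP_NSRP = """\
set nsrp cluster id 2
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp monitor interface redundant1
set nsrp monitor interface redundant2
set nsrp monitor interface ethernet3/1
"""

# "get int" rows: Name IP Zone MAC VLAN State VSD (U = Up, I = Inactive for the VSD, D = Down).
MASTER_INT = """\
eth1/1         0.0.0.0/0                         Untrust     0010.dbff.4070    -   U   0
eth4/1         0.0.0.0/0                         HA          0010.dbbf.0ca5    -   U   -
eth4/2         0.0.0.0/0                         HA          0010.dbbf.0ca6    -   U   -
red1           10.243.213.1/29                   Trust       0010.dbff.4400    -   U   0
red2           10.243.209.17/29                  Untrust     0010.dbff.4410    -   U   0
"""

BACKUP_INT = """\
eth1/1         0.0.0.0/0                         Untrust     0010.dbff.4070    -   I   0
eth4/1         0.0.0.0/0                         HA          0010.dbbf.0c25    -   U   -
eth4/2         0.0.0.0/0                         HA          0010.dbbf.0c26    -   U   -
red1           10.243.213.1/29                   Trust       0010.dbff.4400    -   I   0
red2           10.243.209.17/29                  Untrust     0010.dbff.4410    -   I   0
"""

def parse_nsrp(text: str) -> dict:
    """Extract the VSD-group-0 settings that decide who is master and what is monitored."""
    cfg = {"cluster": None, "priority": 100, "preempt": False, "monitor": set(), "rto_sync": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"set nsrp cluster id (\d+)", line):
            cfg["cluster"] = int(m.group(1))
        elif m := re.fullmatch(r"set nsrp vsd-group id 0 priority (\d+)", line):
            cfg["priority"] = int(m.group(1))  # NSRP: the LOWER number wins; default is 100
        elif line.startswith("set nsrp vsd-group id 0 preempt"):
            cfg["preempt"] = True  # assumption: any preempt line (incl. hold-down) means preempt is on
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            cfg["monitor"].add(m.group(1))
        elif line == "set nsrp rto-mirror sync":
            cfg["rto_sync"] = True
    return cfg

def parse_interfaces(text: str) -> dict:
    """Map interface name -> (zone, state, vsd) from 'get int' rows."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 7:
            name, _ip, zone, _mac, _vlan, state, vsd = cols
            table[name] = (zone, state, vsd)
    return table

def audit_pair(m_nsrp: str, b_nsrp: str, m_int: str, b_int: str) -> list:
    """Findings for the intended master (m_*) and backup (b_*); an empty list means consistent."""
    m, b = parse_nsrp(m_nsrp), parse_nsrp(b_nsrp)
    mi, bi = parse_interfaces(m_int), parse_interfaces(b_int)
    findings = []
    if m["cluster"] is None or m["cluster"] != b["cluster"]:
        findings.append(f"cluster id mismatch: {m['cluster']} vs {b['cluster']}")
    if m["priority"] >= b["priority"]:
        findings.append("intended master does not hold the lower (winning) priority")
    if b["preempt"]:
        findings.append("preempt is set on the backup; it belongs on the intended master only")
    if m["monitor"] != b["monitor"]:
        findings.append(f"monitored interfaces differ: {sorted(m['monitor'] ^ b['monitor'])}")
    for name, cfg, table in (("master", m, mi), ("backup", b, bi)):
        if not cfg["rto_sync"]:
            findings.append(f"{name}: rto-mirror sync is off, sessions will not survive failover")
        for ifname, (zone, state, _vsd) in table.items():
            if zone == "HA" and state != "U":
                findings.append(f"{name}: HA link {ifname} is {state}, not Up")
    # VSD-group-0 interfaces must be Up on the active member and Inactive on the other.
    for ifname, (_zone, m_state, vsd) in mi.items():
        if vsd != "0" or ifname not in bi:
            continue
        b_state = bi[ifname][1]
        if m_state == "U" and b_state == "U":
            findings.append(f"{ifname}: Up on both members, possible split-brain (dual master)")
        elif b_state == "U":
            findings.append(f"{ifname}: active on the backup, roles are inverted")
    return findings
```

Run `audit_pair(MASTER_NSRP, BACKUP_NSRP, MASTER_INT, BACKUP_INT)` against the post's configuration and it returns no findings; paste in a backup whose data interfaces also show `U`, or whose priority was copied from the master, and the corresponding finding appears. The dual-master check is the one worth automating: a broken HA link leaves both members believing they are master, and the only symptom on the switches is duplicate virtual MACs.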

The relevant configuration of the Huawei S8512 switch pair follows:

1. VLAN configuration

<S8512_1>disp vlan 80
 VLAN ID: 80
 VLAN Type: static
 Route Interface: configured
 IP Address: 10.243.213.4
 Subnet Mask: 255.255.255.248
 Description: NetScreen
 Name: VLAN 0080
 Tagged   Ports:
      GigabitEthernet5/1/24   GigabitEthernet8/1/22  
 Untagged Ports:
      GigabitEthernet5/1/23   GigabitEthernet8/1/21
 
<S8512_2>disp vlan 80
 VLAN ID: 80
 VLAN Type: static
 Route Interface: configured
 IP Address: 10.243.213.5
 Subnet Mask: 255.255.255.248
 Description: VLAN 0080
 Name: VLAN 0080
 Tagged   Ports:
      GigabitEthernet5/1/24   GigabitEthernet8/1/22
 Untagged Ports:
      GigabitEthernet5/1/23   GigabitEthernet8/1/21

2. VLAN Layer-3 interface (SVI) and VRRP configuration

<S8512_1>disp cur | be interface Vlan-interface80
interface Vlan-interface80
 description NetScreen
 ip address 10.243.213.4 255.255.255.248
 vrrp vrid 80 virtual-ip 10.243.213.6
 vrrp vrid 80 priority 200
 vrrp vrid 80 preempt-mode timer delay 3
 
<S8512_2>disp cur | be interface Vlan-interface80
interface Vlan-interface80
 description NetScreen
 ip address 10.243.213.5 255.255.255.248
 vrrp vrid 80 virtual-ip 10.243.213.6
 vrrp vrid 80 preempt-mode timer delay 3

3. VLAN trunk pass-through configuration (inter-switch links)

<S8512_1>disp cur | be GigabitEthernet5/1/24
interface GigabitEthernet5/1/24
 description to GZ_S8512_YZ_2
 speed 1000
 duplex full
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
 
<S8512_1>disp cur | be GigabitEthernet8/1/22
interface GigabitEthernet8/1/22
 description to GZ_S8512_YZ_2
 speed 1000
 duplex full
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
 
<S8512_2>disp cur | be GigabitEthernet5/1/24
interface GigabitEthernet5/1/24
 description to GZ_S8512_YZ_1
 speed 1000
 duplex full
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1

<S8512_2>disp cur | be GigabitEthernet8/1/22
interface GigabitEthernet8/1/22
 description to GZ_S8512_YZ_1
 speed 1000
 duplex full
 port link-type trunk
 port trunk permit vlan all
 port link-aggregation group 1
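
On the switch side, the two S8512s share VLAN 80 over the trunked link-aggregation group and present one VRRP address (10.243.213.6) to the firewalls, with S8512_1 made the deterministic master by its priority of 200 against S8512_2's default of 100 (VRRP elects the higher number, the opposite of NSRP). All of this sits on a single /29 together with the firewalls' shared redundant1 address and the two per-member manage-ips (management on the shared .1 is disabled with `unset interface redundant1 ip manageable`, so each member is reached only on its own manage-ip), so the address plan has to be checked as a whole. As an added example, not taken from the post or from Huawei, here is a Python check for the pair and for the /29: VLAN 80 membership identical on both switches, the same VIP on both, an unambiguous VRRP priority, a preempt delay on both, and no collisions between the switch SVIs, the VIP and the firewall addresses. The sample text is copied from the post (the `disp vlan` output trimmed to its address and port lines); FIREWALL_ADDRS is my summary of the redundant1 configuration above.

```python
"""Checks for the S8512 VRRP pair and the shared /29 address plan (added example, not Huawei code).
Parses "disp vlan 80" and the Vlan-interface80 stanza of both switches; sample text is copied
from the post. FIREWALL_ADDRS lists what the ISG pair already uses on the same /29, taken from
its redundant1 configuration above."""
import ipaddress
import re

S1_VLAN = """\
 VLAN ID: 80
 VLAN Type: static
 Route Interface: configured
 IP Address: 10.243.213.4
 Subnet Mask: 255.255.255.248
 Tagged   Ports:
      GigabitEthernet5/1/24   GigabitEthernet8/1/22
 Untagged Ports:
      GigabitEthernet5/1/23   GigabitEthernet8/1/21
"""
S2_VLAN = S1_VLAN.replace("10.243.213.4", "10.243.213.5")  # trimmed S8512_2 copy differs only in the address

S1_VLANIF = """\
interface Vlan-interface80
 description NetScreen
 ip address 10.243.213.4 255.255.255.248
 vrrp vrid 80 virtual-ip 10.243.213.6
 vrrp vrid 80 priority 200
 vrrp vrid 80 preempt-mode timer delay 3
"""
S2_VLANIF = """\
interface Vlan-interface80
 description NetScreen
 ip address 10.243.213.5 255.255.255.248
 vrrp vrid 80 virtual-ip 10.243.213.6
 vrrp vrid 80 preempt-mode timer delay 3
"""

FIREWALL_ADDRS = {
    "10.243.213.1": "redundant1 shared IP (follows the NSRP master)",
    "10.243.213.2": "NS2000_M manage-ip",
    "10.243.213.3": "NS2000_B manage-ip",
}

def parse_vlan_ports(text: str) -> dict:
    """Collect tagged and untagged port names from 'disp vlan' output."""
    ports = {"tagged": set(), "untagged": set()}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Tagged"):
            section = "tagged"
        elif s.startswith("Untagged"):
            section = "untagged"
        elif section and s:
            ports[section].update(s.split())
    return ports

def parse_vlanif(text: str) -> dict:
    """Pull the SVI address and VRRP settings; priority defaults to 100 when no line is present."""
    cfg = {"ip": None, "vip": None, "priority": 100, "preempt_delay": None}
    for line in text.splitlines():
        s = line.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+)", s):
            cfg["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"vrrp vrid \d+ virtual-ip (\S+)", s):
            cfg["vip"] = ipaddress.ip_address(m.group(1))
        elif m := re.fullmatch(r"vrrp vrid \d+ priority (\d+)", s):
            cfg["priority"] = int(m.group(1))  # VRRP: the HIGHER number wins (opposite of NSRP)
        elif m := re.fullmatch(r"vrrp vrid \d+ preempt-mode timer delay (\d+)", s):
            cfg["preempt_delay"] = int(m.group(1))
    return cfg

def audit_switch_pair(v1: str, v2: str, if1: str, if2: str, firewall_addrs: dict) -> list:
    """Findings for the two switches; an empty list means the pair and the /29 plan are consistent."""
    p1, p2 = parse_vlan_ports(v1), parse_vlan_ports(v2)
    c1, c2 = parse_vlanif(if1), parse_vlanif(if2)
    findings = []
    for kind in ("tagged", "untagged"):
        if p1[kind] != p2[kind]:
            findings.append(f"{kind} ports differ: {sorted(p1[kind] ^ p2[kind])}")
    net = c1["ip"].network
    if c2["ip"].network != net:
        findings.append(f"SVI subnets differ: {net} vs {c2['ip'].network}")
    if c1["vip"] != c2["vip"]:
        findings.append(f"VRRP virtual IP differs: {c1['vip']} vs {c2['vip']}")
    elif c1["vip"] not in net:
        findings.append(f"VRRP VIP {c1['vip']} is outside {net}")
    if c1["priority"] == c2["priority"]:
        findings.append("equal VRRP priorities: the master is chosen by highest address, not by design")
    for name, cfg in (("S8512_1", c1), ("S8512_2", c2)):
        if cfg["preempt_delay"] is None:
            findings.append(f"{name}: no preempt delay, a flapping link will cause repeated takeovers")
    # Address plan: firewall shared IP, manage-ips, both SVIs and the VIP must be distinct and inside net.
    owners = {ipaddress.ip_address(a): who for a, who in firewall_addrs.items()}
    for who, addr in (("S8512_1 SVI", c1["ip"].ip), ("S8512_2 SVI", c2["ip"].ip), ("VRRP VIP", c1["vip"])):
        if addr in owners:
            findings.append(f"{who} {addr} collides with {owners[addr]}")
        owners[addr] = who
    for addr, who in owners.items():
        if addr not in net:
            findings.append(f"{who} {addr} is not in {net}")
    return findings
```

With the post's configuration `audit_switch_pair(S1_VLAN, S2_VLAN, S1_VLANIF, S2_VLANIF, FIREWALL_ADDRS)` returns no findings: .1/.2/.3 belong to the firewalls, .4/.5 to the switch SVIs and .6 to the VIP, all inside 10.243.213.0/29. Give S8512_2 the address .2 by mistake and the collision with NS2000_M's manage-ip is reported; drop the `priority 200` line from S8512_1 and the tie is reported, because with equal priorities VRRP falls back to electing whichever switch has the higher primary address.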

 

Category: Juniper | Comments (3) | Posted at 17:08