Juniper HA dual-master (active/active, L3) mode configuration
In practice, a full-mesh topology for dual-master firewalls is rarely achievable. A standard Juniper firewall ships with four physical Ethernet ports; a full-mesh design would require extra Ethernet interfaces (raising the cost to the customer) or sub-interfaces on the physical ports (which adds considerable configuration complexity), and most importantly, most customer networks simply do not have as many devices as a full-mesh design assumes. Dual-master deployments are therefore usually built in a partially redundant network. The actual environment used here is as follows:
[Topology diagram: servers (172.16.40.254) behind a server switch (172.17.2.3); FW-A E1/3 172.17.2.1 and FW-B E1/3 172.17.2.2 in Zone: trust; E1/4 on both firewalls is the HA link; E1/1 and E1/2 on each firewall are in Zone: Untrust, with 172.17.1.251 on FW-A and 172.17.1.252 on FW-B, trunked to core switches core-1 and core-2 (172.17.1.253, 172.17.1.254).]
Commands executed on firewall A
set hostname ISG1000-A
set interface mgt ip 172.16.12.1/24
set interface \
set interface \
set interface loopback.1 ip 172.255.255.251/32
set interface loopback.1 route
set router-id 172.255.255.251 \\ must be set from the web UI
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror session ageout-ack
unset nsrp vsd-group id 0
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 2 priority 255
set nsrp vsd-group id 2 preempt hold-down 10
set source-routing enable \\ optional; if the command cannot be run, set it from the web UI
set sibr-routing enable \\ optional; if the command cannot be run, set it from the web UI
set adv-inact-interface \\ optional; if the command cannot be run, set it from the web UI
Commands executed on firewall B
set hostname ISG1000-B
set interface mgt ip 172.16.12.2/24
set interface \
set interface \
set interface loopback.1 ip 172.255.255.252/32
set interface loopback.1 route
set router-id 172.255.255.252 \\ if the command cannot be run, set it from the web UI
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror session ageout-ack
set nsrp rto-mirror session non-vsi
unset nsrp vsd-group id 0
set nsrp vsd-group id 1 priority 255
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 2 priority 1
set nsrp vsd-group id 2 preempt
set nsrp vsd-group id 2 preempt hold-down 10
set nsrp secondary-path ethernet1/2
set nsrp vsd-group id 1 monitor zone Trust
set nsrp vsd-group id 2 monitor zone Trust
set nsrp ha-link probe
set source-routing enable \\ optional; if the command cannot be run, set it from the web UI
set sibr-routing enable \\ optional; if the command cannot be run, set it from the web UI
set adv-inact-interface \\ optional; if the command cannot be run, set it from the web UI
Commands that only need to be run on one of the two firewalls
set interface id 64 \
set interface \
set interface ethernet1/2 group redundant1
set interface ethernet1/1 group redundant1
set interface ethernet1/3:1 ip 172.17.2.1/24
set interface ethernet1/3:1 route
set interface ethernet1/3:2 ip 172.17.2.2/24
set interface ethernet1/3:2 route
set interface redundant1:1 ip 172.17.1.251/28
set interface redundant1:1 route
set interface redundant1:2 ip 172.17.1.252/28
set interface redundant1:2 route
set interface ethernet1/3:1 ip manageable
set interface ethernet1/3:2 ip manageable
set interface loopback.1 ip manageable
set interface redundant1:1 ip manageable
set interface redundant1:2 ip manageable
set policy id 1 name \ \
set policy id 2 name \ \
set protocol ospf \\ if the command cannot be run, set it from the web UI
set enable \\ if the command cannot be run, set it from the web UI
set area 0.0.0.0 range 172.17.1.240 255.255.255.240 advertise
set area 0.0.0.0 range 172.17.2.0 255.255.255.0 advertise
set interface ethernet1/3:1 protocol ospf area 0.0.0.0
set interface ethernet1/3:1 protocol ospf enable
set interface ethernet1/3:1 protocol ospf priority 0
set interface ethernet1/3:1 protocol ospf cost 1
set interface ethernet1/3:2 protocol ospf area 0.0.0.0
set interface ethernet1/3:2 protocol ospf enable
set interface ethernet1/3:2 protocol ospf priority 0
set interface ethernet1/3:2 protocol ospf cost 1
set interface redundant1:1 protocol ospf area 0.0.0.0
set interface redundant1:1 protocol ospf enable
set interface redundant1:1 protocol ospf priority 0
set interface redundant1:1 protocol ospf cost 1
set interface redundant1:1 manage ping
set interface redundant1:1 manage ssh
set interface redundant1:1 manage telnet
set interface redundant1:1 manage web
set interface redundant1:2 protocol ospf area 0.0.0.0
set interface redundant1:2 protocol ospf enable
set interface redundant1:2 protocol ospf priority 0
set interface redundant1:2 protocol ospf cost 1
set interface redundant1:2 manage ping
set interface redundant1:2 manage ssh
set interface redundant1:2 manage telnet
set interface redundant1:2 manage web
set admin user \user-defined\ \\ optional: create an additional administrator account
Finally, commands that must be run on both A and B
set interface loopback.1 protocol ospf area 0.0.0.0
set interface loopback.1 protocol ospf enable
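The NSRP settings on A and B above only work as an active/active pair if they are mirror images of each other: same cluster id, rto-mirror sync on both, a distinct priority per VSD group, and preempt set only on the member meant to own that group. The following audit script is an added example, not part of the original page; it parses constructed excerpts of the two blocks and reports any deviation, relying on the ScreenOS rule that the lower priority value wins the VSD group.

```python
import re

# Constructed excerpts of the NSRP lines the page gives for FW-A and FW-B.
FW_A = """set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 2 priority 255"""
FW_B = """set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 1 priority 255
set nsrp vsd-group id 2 priority 1
set nsrp vsd-group id 2 preempt
set nsrp vsd-group id 2 preempt hold-down 10"""
CLUSTER_RE = re.compile(r"^set nsrp cluster id (\d+)$")
PRIO_RE = re.compile(r"^set nsrp vsd-group id (\d+) priority (\d+)$")
PREEMPT_RE = re.compile(r"^set nsrp vsd-group id (\d+) preempt$")  # not hold-down

def parse_nsrp(config):
    # Extract cluster id, rto-mirror sync flag and per-VSD priority/preempt.
    cluster, sync, groups = None, False, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := CLUSTER_RE.match(line):
            cluster = int(m.group(1))
        elif line == "set nsrp rto-mirror sync":
            sync = True
        elif m := PRIO_RE.match(line):
            groups.setdefault(int(m.group(1)), {})["priority"] = int(m.group(2))
        elif m := PREEMPT_RE.match(line):
            groups.setdefault(int(m.group(1)), {})["preempt"] = True
    return cluster, sync, groups

def audit_pair(cfg_a, cfg_b):
    # Return findings; an empty list means a consistent active/active pair.
    (ca, sa, ga), (cb, sb, gb) = parse_nsrp(cfg_a), parse_nsrp(cfg_b)
    findings = []
    if ca is None or ca != cb:
        findings.append(f"cluster id differs or missing: A={ca} B={cb}")
    if not (sa and sb):
        findings.append("rto-mirror sync must be enabled on both members")
    for vsd in sorted(set(ga) | set(gb)):
        pa, pb = ga.get(vsd, {}).get("priority"), gb.get(vsd, {}).get("priority")
        if pa is None or pb is None:
            findings.append(f"vsd-group {vsd}: priority not set on both members")
        elif pa == pb:
            findings.append(f"vsd-group {vsd}: equal priority {pa}, no deterministic primary")
        else:  # NSRP: lower number wins; preempt belongs on the preferred primary only
            pref, other = (ga, gb) if pa < pb else (gb, ga)
            if not pref[vsd].get("preempt"):
                findings.append(f"vsd-group {vsd}: preferred primary lacks preempt")
            if other[vsd].get("preempt"):
                findings.append(f"vsd-group {vsd}: backup member has preempt set")
    return findings
```

Run `audit_pair(FW_A, FW_B)` against exports of both members before enabling the cluster; a non-empty list means one side will either never take its group or both will fight for it.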