HA working modes
Active/standby mode
In AP/AA mode the configuration of both devices must stay identical, but in peer mode this cannot be guaranteed
OTI active-active data center
Priority 100; a lower value is preferred
Preemption is actively initiated
Lab topology
Configuration steps:
SG-6000# configure
SG-6000(config)# hostname HS-A
HS-B(config)#
HS-A(config)# interface ethernet0/4 // the WAN interface
HS-A(config-if-eth0/4)# zone untrust // put the WAN interface in the untrust zone
HS-A(config-if-eth0/4)# ip add 200.0.0.10/24 // configure the IP address
HS-A(config-if-eth0/4)# manage ping // allow ping
HS-A(config-if-eth0/4)# int ethernet0/1
HS-A(config-if-eth0/1)# zone trust
HS-A(config-if-eth0/1)# ip add 192.168.10.1/24
HS-A(config-if-eth0/1)# manage ping
HS-A(config-if-eth0/1)# manage http // allow http
HS-A(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1 // default route
HS-A(config-vrouter)# snatrule from any to any service any eif ethernet0/4 trans-to eif-ip mode dynamicport // configure SNAT
HS-A(config-policy)# rule from any to any from-zone trust to-zone untrust service any permit // permit the traffic
Verify:
HS-A(config)# show policy
Total rules count: 1
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start; E - Log Session End; D - Log Policy Deny
      F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
================================================================================
S  Id  Name  RBNS_Attr  Source  Destination  Service  Application  Action  Flag
--------------------------------------------------------------------------------
trust => untrust
E  1                   Any     Any          Any                   PERMIT  ------
================================================================================
HS-A(config)#
HS-A(config)# show configuration vrouter
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
  snatrule id 1 from address-book "Any" to address-book "Any" service "Any" eif ethernet0/4 trans-to eif-ip mode dynamicport
  ip route 0.0.0.0/0 200.0.0.1
exit
HS-A(config)#
Configure the HA track object
HS-A(config)# track track1 // create the track object
HS-A(config-trackip)# ? // items that can be tracked
  arp                Configure track arp address
  dns                Configure track dns address
  http               Configure track http address or host
  icmp               Configure track ip address or host
  icmp6              Configure track ip ipv6 address or host
  interface          Configure track interface
  ndp                Configure track ndp address
  tcp                Configure track tcp address or host
  threshold          Configure track threshold
  traffic-condition  Configure traffic condition
  -
  auxswitch          Switch aux port to subcard
  clear              Reset functions or clear the screen
  debug              Debugging functions
  delete             Delete a file
  end                Exit from configure mode
  exec               Perform command operation
  exit               Exit from Track IP Profile configuration mode
  help               CLI help
  no                 Negate a command or reset to default
  ping               Test network connectivity
  remove             Remove files
  rollback           Rollback startup with one backup
  save               Save configuration
  show               Show running system information
  terminal           Configure terminal line parameters
  traceroute         Trace route to destination
  undebug            Negate debugging functions
  unset              Back to the default configuration
HS-A(config-trackip)#
HS-A(config-trackip)# interface eth0/4
HS-A(config-trackip)# interface eth0/1
HS-A(config-trackip)#
HS-A(config-trackip)# interface eth0/1 ?
  weight  Configure track if weight // default 255
Verify:
HS-A(config)# show track track1
================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: not used; status: UNKNOWN; link_status: UNKNOWN // not yet referenced by HA
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
--------------------------------------------------------------------------------
Track interface    weight    status
--------------------------------------------------------------------------------
ethernet0/4        255       unknown
ethernet0/1        255       unknown
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
HS-A(config)#
Configure the HA group
HS-A(config)# ha group 0
HS-A(config-ha-group)# priority 99
Configure HS-B
HS-B# configure
HS-B(config)# ha group 0
Verify:
HS-B(config-ha-group)# show ha group 0
HA Group id=0
  state N/A
  priority 100
  preempt N/A
  monitor
HA total peer number 0
HS-A(config)# ha link interface eth0/3 // configure the HA link
HS-A(config)# ha link ip 1.1.1.1/24 // IP address of the HA link interface
HS-B(config)# ha link ip 1.1.1.2/24 // peer IP address
HS-B(config)# ping 1.1.1.1 // test
Sending ICMP packets to 1.1.1.1
Seq  ttl  time(ms)
1    128  7.47
2    128  2.12
Join the HA cluster:
HS-A(config)# ha cluster 1
HS-B(config)# ha cluster 1
Issue: if B joins cluster 1 first, B becomes master, the configuration is not synchronized, and A does not preempt.
Log of a successful join:
HS-B(config)# ha cluster 1
2020-03-07 16:53:13, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Standalone to Init.
HS-B(config)#
2020-03-07 16:53:14, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Init to Hello.
2020-03-07 16:53:14, Event CRIT@FLOW: The HA peer device 0010025169456692 in the Virtual Security Device group 0 was discovered.
2020-03-07 16:53:17, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Hello to Backup.
2020-03-07 16:53:21, Event WARNING@NET: interface ethernet0/4 turn to protocol up
2020-03-07 16:53:21, Event WARNING@NET: WAN interface IP address changes to 200.0.0.10
2020-03-07 16:53:22, Network INFO@NET: Route in VR trust-vr that has IP address 0.0.0.0/0 through nexthop 200.0.0.1 with precedence 1 is created
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" created a policy (id 1)
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "action" has been set: "PERMIT"
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "src-zone" has been modified: Any->trust
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "dst-zone" has been modified: Any->untrust
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "src-addr" has been added: Any
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "dst-addr" has been added: Any
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "service" has been added: Any
2020-03-07 16:53:21, Event CRIT@FLOW: HA configuration batch synchronization succeeded
HS-B(B)(config)# show policy
Total rules count: 1
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start; E - Log Session End; D - Log Policy Deny
      F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
================================================================================
S  Id  Name  RBNS_Attr  Source  Destination  Service  Application  Action  Flag
--------------------------------------------------------------------------------
trust => untrust
E  1                   Any     Any          Any                   PERMIT  ------
================================================================================
HS-B(B)(config)#
HS-B(B)(config)# show interface
H: physical state; A: admin state; L: link state; P: protocol state; U: up; D: down; K: ha keep up
================================================================================
Interface name  IP address/mask  Zone name  H  A  L  P  MAC address     Description
--------------------------------------------------------------------------------
ethernet0/0     0.0.0.0/0        trust      U  U  U  D  5000.0004.0000  ------
ethernet0/1     0.0.0.0/0        NULL       U  U  U  D  5000.0004.0001  ------
ethernet0/2     0.0.0.0/0        NULL       U  U  U  D  5000.0004.0002  ------
ethernet0/3     0.0.0.0/0        HA         U  U  U  D  5000.0004.0003  ------
ethernet0/4     200.0.0.10/24    untrust    U  U  U  U  5000.0004.0004  ------
ethernet0/5     0.0.0.0/0        NULL       U  U  U  D  5000.0004.0005  ------
ethernet0/6     0.0.0.0/0        NULL       U  U  U  D  5000.0004.0006  ------
ethernet0/7     0.0.0.0/0        NULL       U  U  U  D  5000.0004.0007  ------
vswitchif1      0.0.0.0/0        NULL       D  U  D  D  001c.545a.1f13  ------
================================================================================
HS-B(B)(config)#
HS-B(B)(config)# show ha group 0
HA Group id=0
  state Backup
  priority 100
  preempt N/A
  monitor
HA total peer number 1
HA peer information:
  device id 0010025169456692 ip 1.1.1.1 state Master priority 99
HS-B(B)(config)#
VPCS> ip 192.168.10.10/24 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
VPCS> ip 192.168.10.20/24 192.168.10.1
Checking for duplicate address...
PC2 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
VPCS> ping 192.168.10.1 // test succeeded
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=3.608 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=1.813 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=128 time=1.490 ms
^C
VPCS>
VPCS> ping 192.168.10.1
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=2.844 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=1.328 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=128 time=1.423 ms
^C
VPCS> ping 200.0.0.1
84 bytes from 200.0.0.1 icmp_seq=1 ttl=254 time=5.417 ms
84 bytes from 200.0.0.1 icmp_seq=2 ttl=254 time=2.997 ms
^C
VPCS>
Configure SSH on the ISP router
ISP(config)# aaa new-model
ISP(config)# ip domain-name cisco
ISP(config)# username cisco secret 123456
ISP(config)# enable secret 123456
ISP(config)# crypto key generate rsa general-keys modulus 1024
ISP(config)# ip ssh authentication-retries 5
ISP(config)# ip ssh time-out 30
ISP(config)# line vty 0 4
ISP(config-line)# transport input ssh
Test by connecting to port 22 with telnet
If the track object is not added, HA switchover fails
HS-A(M)(config)# ha group 0
HS-A(M)(config-ha-group)# monitor track track1
Test the track
HS-A(M)(config)# interface ethernet0/4
HS-A(M)(config-if-eth0/4)# shu
HS-A(M)(config-if-eth0/4)# shutdown
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to admin down
2020-03-07 17:20:14, Event CRIT@NET: interface ethernet0/4 turn to physical down
HS-A(M)(config-if-eth0/4)#
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to protocol down
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to link down
2020-03-07 17:20:14, Event CRIT@NET: track: track1 interface: ethernet0/4 item failed
2020-03-07 17:20:14, Event CRIT@FLOW: HA group 0 change realtime priority from 99 to 3099
2020-03-07 17:20:14, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Master to Link Failed.
HS-A(F)(config-if-eth0/4)#
HS-A(F)(config-if-eth0/4)# show track track1
================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: ha; status: FAILED; link_status: FAILED
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
--------------------------------------------------------------------------------
Track interface    weight    status
--------------------------------------------------------------------------------
ethernet0/4        255       failed
ethernet0/1        255       successful
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
HS-A(F)(config-if-eth0/4)#
HS-B(M)# show track track1 // the track object is synchronized to the backup as well, but it is not referenced there
================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: not used; status: UNKNOWN; link_status: UNKNOWN
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
--------------------------------------------------------------------------------
Track interface    weight    status
--------------------------------------------------------------------------------
ethernet0/4        255       unknown
ethernet0/1        255       unknown
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
HS-B(M)#
Configure preemption
HS-A(F)(config-if-eth0/4)# no shu // bring the interface back up
2020-03-07 17:25:06, Event WARNING@NET: interface ethernet0/4 turn to admin up
HS-A(F)(config-if-eth0/4)#
2020-03-07 17:25:07, Event CRIT@NET: interface ethernet0/4 turn to physical up
2020-03-07 17:25:07, Event WARNING@NET: interface ethernet0/4 turn to link up
2020-03-07 17:25:07, Event CRIT@NET: track: track1 interface: ethernet0/4 item recover
2020-03-07 17:25:07, Event CRIT@NET: track: track1 interface: ethernet0/1 item recover
2020-03-07 17:25:07, Event WARNING@NET: interface ethernet0/4 turn to protocol up
2020-03-07 17:25:07, Event CRIT@FLOW: HA group 0 change realtime priority from 3099 to 99
2020-03-07 17:25:07, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Link Failed to Backup.
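The behaviour recorded in the logs above (the track object failing once a monitored interface's weight reaches the threshold, the realtime priority jumping from 99 to 3099 so the peer takes over, and the recovered device returning to Backup because nothing preempts), together with the earlier note that A does not preempt when B joins the cluster first, can be replayed with a small model. This is an added example, not StoneOS code or the author's configuration; the +3000 penalty is an assumption inferred from the 99 -> 3099 log line, and the Track, Device, elect and lab_sequence names are mine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed: the lab log shows realtime priority 99 -> 3099 on track failure,
# so a fixed +3000 penalty is modelled here (not a documented constant).
TRACK_FAIL_PENALTY = 3000


@dataclass
class Track:
    """Track object: fails when the weight of down interfaces reaches the threshold."""
    threshold: int = 255
    weights: Dict[str, int] = field(default_factory=dict)  # interface -> weight (default 255)
    down: Set[str] = field(default_factory=set)

    def failed(self) -> bool:
        return sum(self.weights.get(i, 255) for i in self.down) >= self.threshold


@dataclass
class Device:
    name: str
    priority: int                   # configured priority; lower is better
    track: Optional[Track] = None   # set via "monitor track"; None = no monitoring
    preempt: bool = False
    state: str = "Backup"

    def track_failed(self) -> bool:
        return self.track is not None and self.track.failed()

    def realtime_priority(self) -> int:
        return self.priority + (TRACK_FAIL_PENALTY if self.track_failed() else 0)


def elect(devices: List[Device], current_master: Optional[str] = None) -> str:
    """Return the master after re-evaluating realtime priorities."""
    best = min(devices, key=lambda d: (d.realtime_priority(), d.name))
    cur = next((d for d in devices if d.name == current_master), None)
    # A healthy master keeps the role unless the better device is allowed to preempt.
    if cur is not None and not cur.track_failed() and best is not cur and not best.preempt:
        best = cur
    for d in devices:
        d.state = "Master" if d is best else ("Link Failed" if d.track_failed() else "Backup")
    return best.name


def lab_sequence(preempt: bool) -> List[str]:
    """Replay the lab: HS-A wins, ethernet0/4 is shut down, then brought back up."""
    track = Track(weights={"ethernet0/4": 255, "ethernet0/1": 255})
    a, b = Device("HS-A", 99, track, preempt), Device("HS-B", 100)
    masters = [elect([a, b])]
    track.down.add("ethernet0/4")            # shutdown -> track1 fails, A goes to 3099
    masters.append(elect([a, b], masters[-1]))
    track.down.clear()                       # no shutdown -> track1 recovers
    masters.append(elect([a, b], masters[-1]))
    return masters
```

Running lab_sequence(False) gives HS-A, HS-B, HS-B (A stays Backup after recovery, as in the log), while lab_sequence(True) gives HS-A, HS-B, HS-A; a Device with track=None never fails, which is why a shutdown without the track object produces no switchover.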
Managing the HS
HS-A(B)(config-if-eth0/1)# manage ip 192.168.10.253