Hillstone (山石网科) HA high-availability lab notes


HA operating modes



Active/Passive (AP) mode




In AP (active/passive) and AA (active/active) mode the configurations of the two units must stay identical (the cluster synchronizes them); in Peer mode this is not guaranteed.

OTI active-active data center

Priority: default 100; the lower value wins the election.

Preemption, when enabled, is triggered actively by the unit with the better priority.



Lab topology

[Topology diagram not reproduced. As configured below: HS-A and HS-B are two Hillstone SG-6000 units; ethernet0/4 (zone untrust, 200.0.0.10/24) faces the ISP router at 200.0.0.1; ethernet0/1 (zone trust, 192.168.10.1/24) serves PC1 and PC2 (VPCS); ethernet0/3 is the HA link (1.1.1.1/24 on HS-A, 1.1.1.2/24 on HS-B).]

Configuration steps (HS-A):

SG-6000# configure
SG-6000(config)# hostname HS-A
HS-A(config)# interface ethernet0/4  // WAN interface
HS-A(config-if-eth0/4)# zone untrust   // place the WAN interface in zone untrust
HS-A(config-if-eth0/4)# ip address 200.0.0.10/24  // IP address
HS-A(config-if-eth0/4)# manage ping  // allow ping to the interface
HS-A(config-if-eth0/4)# interface ethernet0/1  // LAN interface
HS-A(config-if-eth0/1)# zone trust
HS-A(config-if-eth0/1)# ip address 192.168.10.1/24
HS-A(config-if-eth0/1)# manage ping
HS-A(config-if-eth0/1)# manage http  // allow HTTP management on the LAN interface
HS-A(config-if-eth0/1)# exit
HS-A(config)# ip vrouter trust-vr  // enter the trust-vr virtual router (the name reported by show configuration vrouter)
HS-A(config-vrouter)# ip route 0.0.0.0/0 200.0.0.1  // default route
HS-A(config-vrouter)# snatrule from any to any service any eif ethernet0/4 trans-to eif-ip mode dynamicport  // source NAT to the WAN interface address
HS-A(config-vrouter)# exit
HS-A(config)# policy-global  // enter policy mode; the capture omitted this step but the (config-policy) prompt implies it
HS-A(config-policy)# rule from any to any from-zone trust to-zone untrust service any permit  // permit LAN-to-WAN traffic

Verify:

HS-A(config)# show policy
Total rules count: 1
S: Rule Status (E - Enabled;  D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start;  E - Log Session End;  D - Log Policy Deny
      F - Drop Fragment;  P - Permit Unknown Application;  W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S    Id Name             RBNS_Attr   Source           Destination      Service          Application  Action    Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E     1                              Any              Any              Any                           PERMIT   ------
====================================================================================================================
HS-A(config)#
HS-A(config)# show configuration vrouter
ip vrouter "twin-mode-vr"
exit
ip vrouter "trust-vr"
  snatrule id 1 from address-book "Any" to address-book "Any" service "Any" eif ethernet0/4 trans-to eif-ip mode dynamicport
  ip route 0.0.0.0/0 200.0.0.1
exit
HS-A(config)#

Configure the HA track object

HS-A(config)# track track1  // create the track object
HS-A(config-trackip)# ?  // available track item types
  arp                Configure track arp address
  dns                Configure track dns address
  http               Configure track http address or host
  icmp               Configure track ip address or host
  icmp6              Configure track ip ipv6 address or host
  interface          Configure track interface
  ndp                Configure track ndp address
  tcp                Configure track tcp address or host
  threshold          Configure track threshold
  traffic-condition  Configure traffic condition
-
  auxswitch          Switch aux port to subcard
  clear              Reset functions or clear the screen
  debug              Debugging functions
  delete             Delete a file
  end                Exit from configure mode
  exec               Perform command operation
  exit               Exit from Track IP Profile configuration mode
  help               CLI help
  no                 Negate a command or reset to default
  ping               Test network connectivity
  remove             Remove files
  rollback           Rollback startup with one backup
  save               Save configuration
  show               Show running system information
  terminal           Configure terminal line parameters
  traceroute         Trace route to destination
  undebug            Negate debugging functions
  unset              Back to the default configuration
HS-A(config-trackip)#
HS-A(config-trackip)# interface eth0/4  // track the WAN interface
HS-A(config-trackip)# interface eth0/1  // track the LAN interface
HS-A(config-trackip)#
HS-A(config-trackip)# interface eth0/1 ?
  weight            Configure track if weight  // default 255; with the default threshold of 255 a single tracked interface going down fails the whole track object

Verify:


HS-A(config)# show track track1
======================================================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: not used; status: UNKNOWN; link_status: UNKNOWN  // not yet bound to an HA group
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
----------------------------------------------------------------------------------------------------------------------
Track interface      weight status 
----------------------------------------------------------------------------------------------------------------------
ethernet0/4          255   unknown  
ethernet0/1          255   unknown  
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
HS-A(config)#

Configure the HA group on HS-A

HS-A(config)# ha group 0
HS-A(config-ha-group)# priority 99  // lower than HS-B's default 100, so HS-A should become master

Configure HS-B

HS-B# configure
HS-B(config)# ha group 0  // priority left at the default 100

Verify:

HS-B(config-ha-group)# show ha group 0
HA Group id=0
  state N/A
  priority 100
  preempt N/A
  monitor 
  HA total peer number  0
HS-A(config)# ha link interface eth0/3  // HA link interface on HS-A
HS-A(config)# ha link ip 1.1.1.1/24   // HA link IP on HS-A
HS-B(config)# ha link interface eth0/3  // same interface on HS-B (its ethernet0/3 appears in zone HA in the show interface output below)
HS-B(config)# ha link ip 1.1.1.2/24  // HA link IP on HS-B
HS-B(config)# ping 1.1.1.1  // verify the HA link
Sending ICMP packets to 1.1.1.1
   Seq   ttl    time(ms)
   1     128    7.47
   2     128    2.12

Join the HA cluster:

HS-A(config)# ha cluster 1
HS-B(config)# ha cluster 1

Problem encountered: when HS-B joined cluster 1 first, HS-B became master, the configuration did not synchronize, and HS-A (priority 99) did not preempt. Preempt is not enabled on the group (show ha group 0 reports preempt N/A), so an already-elected master keeps the role even when a peer with a better priority joins later; HS-A therefore has to join first, in the order shown above, unless preempt is enabled.

Log of the successful join (captured on HS-B):


HS-B(config)# ha cluster 1 
2020-03-07 16:53:13, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Standalone to Init.
HS-B(config)# 2020-03-07 16:53:14, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Init to Hello.
2020-03-07 16:53:14, Event CRIT@FLOW: The HA peer device 0010025169456692 in the Virtual Security Device group 0 was discovered.
2020-03-07 16:53:17, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Hello to Backup.
2020-03-07 16:53:21, Event WARNING@NET: interface ethernet0/4 turn to protocol up
2020-03-07 16:53:21, Event WARNING@NET: WAN interface IP address changes to 200.0.0.10
2020-03-07 16:53:22, Network INFO@NET: Route in VR trust-vr that has IP address 0.0.0.0/0 through nexthop 200.0.0.1 with precedence 1 is created
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" created a policy (id 1)
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "action" has been set: "PERMIT"
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "src-zone" has been modified: Any->trust
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "dst-zone" has been modified: Any->untrust
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "src-addr" has been added: Any
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "dst-addr" has been added: Any
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" modified the policy (id 1), the "service" has been added: Any
2020-03-07 16:53:21, Event CRIT@FLOW: HA configuration batch synchronization succeeded
HS-B(B)(config)# show policy  // the policy created on HS-A has been synchronized
Total rules count: 1
S: Rule Status (E - Enabled;  D - Disabled)
Flag: * - Need Application Identification
      S - Log Session Start;  E - Log Session End;  D - Log Policy Deny
      F - Drop Fragment;  P - Permit Unknown Application;  W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
====================================================================================================================
S    Id Name             RBNS_Attr   Source           Destination      Service          Application  Action    Flag
--------------------------------------------------------------------------------------------------------------------
trust => untrust
E     1                              Any              Any              Any                           PERMIT   ------
====================================================================================================================
HS-B(B)(config)#
HS-B(B)(config)# show interface
H: physical state; A: admin state; L: link state; P: protocol state; U: up; D: down; K: ha keep up
========================================================================================================
Interface name       IP address/mask    Zone name       H A L P MAC address     Description                    
--------------------------------------------------------------------------------------------------------
ethernet0/0          0.0.0.0/0          trust           U U U D 5000.0004.0000  ------                         
ethernet0/1          0.0.0.0/0          NULL            U U U D 5000.0004.0001  ------                         
ethernet0/2          0.0.0.0/0          NULL            U U U D 5000.0004.0002  ------                         
ethernet0/3          0.0.0.0/0          HA              U U U D 5000.0004.0003  ------                         
ethernet0/4          200.0.0.10/24      untrust         U U U U 5000.0004.0004  ------                         
ethernet0/5          0.0.0.0/0          NULL            U U U D 5000.0004.0005  ------                         
ethernet0/6          0.0.0.0/0          NULL            U U U D 5000.0004.0006  ------                         
ethernet0/7          0.0.0.0/0          NULL            U U U D 5000.0004.0007  ------                         
vswitchif1           0.0.0.0/0          NULL            D U D D 001c.545a.1f13  ------                         
========================================================================================================
HS-B(B)(config)#
HS-B(B)(config)#show ha group 0
HA Group id=0
  state Backup
  priority 100
  preempt N/A
  monitor 
  HA total peer number  1
  HA peer information:
     device id 0010025169456692
     ip 1.1.1.1
     state Master
     priority 99
HS-B(B)(config)#
VPCS> ip 192.168.10.10/24 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
VPCS> ip 192.168.10.20/24 192.168.10.1
Checking for duplicate address...
PC2 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
VPCS> ping 192.168.10.1  // gateway reachable
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=3.608 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=1.813 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=128 time=1.490 ms
^C
VPCS>
VPCS> ping 192.168.10.1
84 bytes from 192.168.10.1 icmp_seq=1 ttl=128 time=2.844 ms
84 bytes from 192.168.10.1 icmp_seq=2 ttl=128 time=1.328 ms
84 bytes from 192.168.10.1 icmp_seq=3 ttl=128 time=1.423 ms
^C
VPCS> ping 200.0.0.1  // ISP router reachable through the firewall's SNAT
84 bytes from 200.0.0.1 icmp_seq=1 ttl=254 time=5.417 ms
84 bytes from 200.0.0.1 icmp_seq=2 ttl=254 time=2.997 ms
^C
VPCS>

Configure SSH on the ISP router (Cisco IOS)

ISP(config)# aaa new-model
ISP(config)# ip domain-name cisco
ISP(config)# username cisco secret 123456   // lab credential
ISP(config)# enable secret 123456
ISP(config)# crypto key generate rsa general-keys modulus 1024   // lab value; outside the lab use a 2048-bit or larger modulus and "ip ssh version 2"
ISP(config)# ip ssh authentication-retries 5
ISP(config)# ip ssh time-out 30
ISP(config)# line vty 0 4
ISP(config-line)# transport input ssh

Test from a PC: telnet to port 22 of the ISP router to confirm the SSH service is reachable through the firewall.

Without a track object bound to the HA group, an interface failure on the master does not trigger a failover. Bind track1 to the group:

HS-A(M)(config)# ha group 0
HS-A(M)(config-ha-group)# monitor track track1

Test the track object

HS-A(M)(config)# interface ethernet0/4
HS-A(M)(config-if-eth0/4)# shutdown  // simulate a WAN link failure on the master
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to admin down
2020-03-07 17:20:14, Event CRIT@NET: interface ethernet0/4 turn to physical down
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to protocol down
2020-03-07 17:20:14, Event WARNING@NET: interface ethernet0/4 turn to link down
2020-03-07 17:20:14, Event CRIT@NET: track:  track1  interface: ethernet0/4  item failed
2020-03-07 17:20:14, Event CRIT@FLOW: HA group 0 change realtime priority from 99 to 3099
2020-03-07 17:20:14, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Master to Link Failed.
HS-A(F)(config-if-eth0/4)#
HS-A(F)(config-if-eth0/4)# show track track1
======================================================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: ha; status: FAILED; link_status: FAILED
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
----------------------------------------------------------------------------------------------------------------------
Track interface      weight status 
----------------------------------------------------------------------------------------------------------------------
ethernet0/4          255   failed   
ethernet0/1          255   successful
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
HS-A(F)(config-if-eth0/4)#
HS-B(M)# show track track1  // the track object is synchronized to the backup, but it is not bound there (used type: not used)
======================================================================================================================
Track name: track1; track ID: 1; local: no
threshold: 255; delay threshold: 255; bandwidth threshold: 255
used type: not used; status: UNKNOWN; link_status: UNKNOWN
bind interface: ; snat cnt: 0
I: interval; T: threshold; W: weight; S: status; M: mode
F: failed; SU: successful; UN: unknown
HWMK: high watermark; LWMK: low watermark; DW: delay weight
FLAG: link status flag; N: normal; L: long-delay; O: overload
track interface:
----------------------------------------------------------------------------------------------------------------------
Track interface      weight status 
----------------------------------------------------------------------------------------------------------------------
ethernet0/4          255   unknown  
ethernet0/1          255   unknown  
----------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------
HS-B(M)#
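The HA event lines in these notes are the evidence an operator has to read when a failover happens. The following parser is an added example, not Hillstone code: it turns the StoneOS event lines captured above (the join log on HS-B and the link-failure log on HS-A, copied here with whitespace normalised and two unrelated NET/SECURITY lines kept to show the filtering) into a per-device state timeline and pairs each loss of the Master role with the track failure and priority change logged in the same second. Message formats other than those on this page are an assumption.

```python
"""Parse StoneOS HA event-log lines into a failover timeline.

Added example for these lab notes, not Hillstone code.  Only the message
formats that appear on this page are recognised; anything else is skipped.
"""
import re
from typing import Dict, List

# Constructed from the page's captures.  The "batch synchronization" line is
# stamped 16:53:21 but was printed after the 16:53:22 lines, as in the original.
SAMPLE_LOG = """\
2020-03-07 16:53:13, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Standalone to Init.
2020-03-07 16:53:14, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Init to Hello.
2020-03-07 16:53:14, Event CRIT@FLOW: The HA peer device 0010025169456692 in the Virtual Security Device group 0 was discovered.
2020-03-07 16:53:17, Event CRIT@FLOW: The local device 0010008416670930 in the Virtual Security Device group 0 changed state from Hello to Backup.
2020-03-07 16:53:21, Event WARNING@NET: WAN interface IP address changes to 200.0.0.10
2020-03-07 16:53:22, Event CRIT@SECURITY: The user "SYSTEM" created a policy (id 1)
2020-03-07 16:53:21, Event CRIT@FLOW: HA configuration batch synchronization succeeded
2020-03-07 17:20:14, Event CRIT@NET: track:  track1  interface: ethernet0/4  item failed
2020-03-07 17:20:14, Event CRIT@FLOW: HA group 0 change realtime priority from 99 to 3099
2020-03-07 17:20:14, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Master to Link Failed.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\s*Event (?P<sev>\w+)@(?P<mod>\w+):\s*"
PATTERNS = {
    "state": re.compile(TS + r"The (?P<role>local|HA peer) device (?P<dev>\d+)\s+in the Virtual Security Device group (?P<grp>\d+)\s*changed state from (?P<old>[\w ]+?) to (?P<new>[\w ]+?)\.$"),
    "peer": re.compile(TS + r"The HA peer device (?P<dev>\d+)\s+in the Virtual Security Device group (?P<grp>\d+)\s*was\s*discovered\.$"),
    "prio": re.compile(TS + r"HA group (?P<grp>\d+) change realtime priority from (?P<old>\d+) to (?P<new>\d+)$"),
    "track": re.compile(TS + r"track:\s*(?P<track>\S+)\s+interface:\s*(?P<iface>\S+)\s+item (?P<result>failed|recover)$"),
    "sync": re.compile(TS + r"HA configuration batch synchronization succeeded$"),
}


def parse(text: str) -> List[Dict[str, object]]:
    """Return the HA-related events as dicts, sorted by timestamp.

    The sort is stable, so lines that share a second keep their capture
    order (track failure -> priority change -> state change)."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                ev: Dict[str, object] = {"kind": kind, **m.groupdict()}
                if kind == "prio":
                    ev["old"], ev["new"] = int(m["old"]), int(m["new"])
                events.append(ev)
                break
    events.sort(key=lambda e: str(e["ts"]))
    return events


def state_timeline(events: List[Dict[str, object]], device: str):
    """(timestamp, old state, new state) transitions reported for one device id."""
    return [(e["ts"], e["old"], e["new"]) for e in events
            if e["kind"] == "state" and e["dev"] == device]


def master_losses(events: List[Dict[str, object]]):
    """Every transition out of Master, annotated with the track failure and
    realtime-priority change logged in the same second (the chain this lab produced)."""
    found, last_track, last_prio = [], None, None
    for e in events:
        if e["kind"] == "track" and e["result"] == "failed":
            last_track = e
        elif e["kind"] == "prio":
            last_prio = e
        elif e["kind"] == "state" and e["old"] == "Master":
            same_sec = lambda x: x is not None and x["ts"] == e["ts"]
            found.append({
                "ts": e["ts"], "device": e["dev"], "to": e["new"],
                "cause": "%s/%s" % (last_track["track"], last_track["iface"]) if same_sec(last_track) else None,
                "priority": (last_prio["old"], last_prio["new"]) if same_sec(last_prio) else None,
            })
    return found


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for dev in ("0010008416670930", "0010025169456692"):
        print(dev, state_timeline(evs, dev))
    print(master_losses(evs))
```

Feed `parse()` the output of the device's event log instead of `SAMPLE_LOG` to get the same summary for a real capture; a `master_losses()` entry whose `cause` is `None` is a Master-role loss with no track failure in the same second, which is the case worth alerting on.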

Interface recovery and preemption

HS-A(F)(config-if-eth0/4)# no shutdown  // restore the interface
2020-03-07 17:25:06, Event WARNING@NET: interface ethernet0/4 turn to admin up
HS-A(F)(config-if-eth0/4)# 2020-03-07 17:25:07, Event CRIT@NET: interface ethernet0/4 turn to physical up
2020-03-07 17:25:07, Event WARNING@NET: interface ethernet0/4 turn to link up
2020-03-07 17:25:07, Event CRIT@NET: track:  track1  interface: ethernet0/4  item recover
2020-03-07 17:25:07, Event CRIT@NET: track:  track1  interface: ethernet0/1  item recover
2020-03-07 17:25:07, Event WARNING@NET: interface ethernet0/4 turn to protocol up
2020-03-07 17:25:07, Event CRIT@FLOW: HA group 0 change realtime priority from 3099 to 99
2020-03-07 17:25:07, Event CRIT@FLOW: The local device 0010025169456692 in the Virtual Security Device group 0 changed state from Link Failed to Backup.

HS-A comes back as Backup rather than reclaiming Master: preempt is not enabled on the group (show ha group reports preempt N/A), so HS-B keeps the master role after HS-A recovers, even though HS-A's priority of 99 is the better one.
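Two behaviours in these notes surprised the author: the unit that joins the cluster first stays master regardless of priority (the "problem" noted after the ha cluster commands), and a recovered unit returns as Backup instead of Master. Both follow from the same rule, and the model below, an added example that is not Hillstone code, reproduces them from the facts on this page: the lower priority value wins, a track object fails when the summed weight of its down interfaces reaches the threshold (255 and 255 by default, so one interface is enough), a failed track parks the unit in Link Failed, and an existing master is only displaced when preempt is on. The +3000 realtime-priority penalty is the value observed in the log (99 to 3099) and is treated as a lab observation, not a documented constant; the weight/threshold scenario with values below 255 goes beyond what the page shows and is an assumption about how the threshold is applied.

```python
"""HA master-election model for the behaviour seen in this lab.

Added example, not Hillstone code.  Rules modelled:
  * lower priority value wins (99 beats 100);
  * a track object fails when the summed weight of its down interfaces
    reaches the threshold (weight and threshold both default to 255);
  * a failed track moves the unit to "Link Failed" and adds a penalty to its
    realtime priority (3000 as observed in the lab log; an assumption in general);
  * without preempt an existing master keeps the role, so join order decides
    the first election and a recovered unit comes back as Backup.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

TRACK_PENALTY = 3000  # observed in the lab log (99 -> 3099); assumption beyond that


@dataclass
class Track:
    weights: Dict[str, int]                      # interface -> weight
    threshold: int = 255
    down: Set[str] = field(default_factory=set)  # interfaces currently down

    def failed(self) -> bool:
        return sum(w for i, w in self.weights.items() if i in self.down) >= self.threshold


@dataclass
class Device:
    name: str
    priority: int
    track: Optional[Track] = None
    state: str = "Standalone"

    def realtime_priority(self) -> int:
        penalised = self.track is not None and self.track.failed()
        return self.priority + (TRACK_PENALTY if penalised else 0)


class Cluster:
    def __init__(self, preempt: bool = False) -> None:
        self.preempt = preempt
        self.members: List[Device] = []

    def join(self, dev: Device) -> None:
        self.members.append(dev)
        self.reconcile()

    def master_name(self) -> Optional[str]:
        m = next((d for d in self.members if d.state == "Master"), None)
        return m.name if m else None

    def reconcile(self) -> Optional[str]:
        # 1. Track evaluation: a failed track removes the unit from the election;
        #    a unit whose track recovered rejoins as Backup, never directly as Master.
        for d in self.members:
            if d.track is not None and d.track.failed():
                d.state = "Link Failed"
            elif d.state == "Link Failed":
                d.state = "Backup"
        healthy = [d for d in self.members if d.state != "Link Failed"]
        if not healthy:
            return None
        # 2. Election among healthy units: lowest priority value wins, but an
        #    existing master is only displaced when preempt is enabled.
        master = next((d for d in healthy if d.state == "Master"), None)
        best = min(healthy, key=lambda d: (d.realtime_priority(), d.name))
        if master is None or (self.preempt and best.realtime_priority() < master.realtime_priority()):
            master = best
        for d in healthy:
            d.state = "Master" if d is master else "Backup"
        return master.name


def lab_scenarios() -> dict:
    results = {}
    # Join order: HS-B (priority 100) joins first, HS-A (priority 99) second.
    for preempt in (False, True):
        c = Cluster(preempt=preempt)
        c.join(Device("HS-B", 100))
        c.join(Device("HS-A", 99))
        results["b_joins_first_preempt=%s" % preempt] = c.master_name()
    # WAN interface failure on the master with track1 bound, then recovery.
    for preempt in (False, True):
        trk = Track(weights={"ethernet0/4": 255, "ethernet0/1": 255})
        a, b = Device("HS-A", 99, track=trk), Device("HS-B", 100)
        c = Cluster(preempt=preempt)
        c.join(a)
        c.join(b)
        timeline = [(c.master_name(), a.state, a.realtime_priority())]
        trk.down.add("ethernet0/4")       # shutdown ethernet0/4 on HS-A
        c.reconcile()
        timeline.append((c.master_name(), a.state, a.realtime_priority()))
        trk.down.discard("ethernet0/4")   # no shutdown
        c.reconcile()
        timeline.append((c.master_name(), a.state, a.realtime_priority()))
        results["eth0/4_down_preempt=%s" % preempt] = timeline
    # Weights below the threshold: one interface down does not fail the track.
    trk = Track(weights={"ethernet0/4": 100, "ethernet0/1": 100}, down={"ethernet0/4"})
    results["partial_weight_failed"] = trk.failed()
    return results


if __name__ == "__main__":
    for name, outcome in lab_scenarios().items():
        print(name, outcome)
```

The `preempt=True` branches show what the author was expecting: with preemption on, HS-A wins the join-order case and reclaims Master after ethernet0/4 comes back. Whether that is desirable is a design choice; preemption causes a second switchover on every recovery, which is why many deployments leave it off and accept that the master role follows the last failure.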

Management access to the units


HS-A(B)(config-if-eth0/1)# manage ip 192.168.10.253  // per-device management address on ethernet0/1: the interface IP 192.168.10.1 follows the master, so this address lets the backup unit be reached directly

