Network topology diagram

FW-A configuration:
sysname FW1090-A
#
track 1 interface GigabitEthernet1/0/1 physical ///track the physical state of the uplink port
#
track 2 interface GigabitEthernet1/0/2 physical ///track the physical state of the downlink port
#
ospf 1 router-id 192.168.10.254 ///OSPF runs on the links to the core switch
default-route-advertise always
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 192.168.10.254 0.0.0.0
#
ip unreachables enable ///return ICMP unreachable / time-exceeded so the tracert used in the test further down shows the firewall hop
ip ttl-expires enable
#
nat address-group 1 ///create a NAT address pool; without it, in the VRRP design, NAT falls back to the interface address
address 117.1.1.2 117.1.1.2
#
lldp global enable
#
interface Route-Aggregation1 ///interconnect addresses for the RBM control and data channel
description to-FW1090-B
ip address 192.168.10.1 255.255.255.252 ///use a /30 point-to-point address that neither overlaps the production network nor needs to be advertised into routing
link-aggregation mode dynamic
#
interface LoopBack0
description to-OSPF_ID
ip address 192.168.10.254 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
description to-ZhuanXianSW;GE1/0/1
combo enable copper
ip address 192.168.9.1 255.255.255.248
vrrp vrid 1 virtual-ip 117.1.1.2 255.255.255.252 active ///for RBM+VRRP the virtual address must be given its mask (here the VIP is not in the interface's own 192.168.9.0/29 subnet), otherwise ARP learning is affected; the mask argument is not supported on M9K
nat outbound 3000 address-group 1 ///outbound NAT must reference the address pool, otherwise the interface address is used
nat server protocol tcp global 117.1.1.2 1123 inside 192.168.10.252 23 rule ServerRule_1 ///publishes Telnet on the core switch loopback 192.168.10.252 as 117.1.1.2:1123
#
interface GigabitEthernet1/0/2
port link-mode route
description to-HeXinSW-6850;ge1/0/1
combo enable copper
ip address 10.0.0.1 255.255.255.252
ospf network-type p2p
#
interface GigabitEthernet1/0/22 ///inter-firewall link port
port link-mode route
description to-FW1090-B;GE1/0/22
combo enable copper
port link-aggregation group 1
#
interface GigabitEthernet1/0/23 ///inter-firewall link port
port link-mode route
description to-FW1090-B;GE1/0/23
combo enable copper
port link-aggregation group 1
#
ip route-static 0.0.0.0 0 117.1.1.1 description CMCC ///default route toward the Internet (CMCC)
#
security-zone name RMB ///create the RBM security zone (spelled RMB throughout this configuration and referenced by that name in the policy) and add the control/data channel interface to it
import interface Route-Aggregation1
#
remote-backup group ///RBM group configuration
data-channel interface Route-Aggregation1 ///channel interface (RBM traffic between FW-A and FW-B)
adjust-cost ospf enable absolute 10000 ///on the standby unit RBM sets the OSPF cost to 10000 so the core prefers the active unit
adjust-cost ospfv3 enable absolute 10000
track 1 ///tie the uplink-port track entry to the RBM state
track 2 ///tie the downlink-port track entry to the RBM state
local-ip 192.168.10.1 ///local channel address
remote-ip 192.168.10.2 ///peer channel address
device-role primary ///this unit is the primary firewall
#
security-policy ip ///security policy; open only what the design requires
rule 1 name RBM->Local
action pass
source-zone RMB
destination-zone Local
rule 2 name Local->RBM
action pass
source-zone Local
destination-zone RMB
rule 3 name Untrust->Local
action pass
source-zone Untrust
destination-zone Local
service ping
rule 4 name Local->any
action pass
source-zone Local
rule 5 name Trust->Untrust
action pass
source-zone Trust
destination-zone Untrust
rule 6 name Trust->Local
action pass
source-zone Trust
destination-zone Local
rule 7 name Untrust->Trust
action pass
source-zone Untrust
destination-zone Trust
service ssh
service telnet
#
Note: in an RBM deployment the security policy, object groups, ACLs and similar configuration are synchronized automatically between the two firewalls, so they only need to be configured on one unit. Before leaving the policy as shown, note that rule 7 lets SSH and Telnet from Untrust reach the whole Trust zone, while the only service actually published is the nat server mapping of 117.1.1.2:1123 to 192.168.10.252:23; add a destination-ip condition (and a source-ip condition where the management sources are known) to rule 7 so it covers only that mapping, and keep in mind that Telnet is cleartext on the public side.
------------------------------------------------------------------
FW-B configuration (no comments)
#
sysname FW1090-B
#
track 1 interface GigabitEthernet1/0/1 physical
#
track 2 interface GigabitEthernet1/0/2 physical
#
ospf 1 router-id 192.168.10.253
default-route-advertise always
area 0.0.0.0
network 10.0.0.4 0.0.0.3
network 192.168.10.253 0.0.0.0
#
ip unreachables enable
ip ttl-expires enable
#
nat address-group 1
address 117.1.1.2 117.1.1.2
#
interface Route-Aggregation1
description to-FW1090-A
ip address 192.168.10.2 255.255.255.252
link-aggregation mode dynamic
#
interface NULL0
#
interface LoopBack0
description to-OSPF_ID
ip address 192.168.10.253 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
description to-ZhuanXianSW;GE1/0/2
combo enable copper
ip address 192.168.9.2 255.255.255.248
vrrp vrid 1 virtual-ip 117.1.1.2 255.255.255.252 standby
nat outbound 3000 address-group 1
nat server protocol tcp global 117.1.1.2 1123 inside 192.168.10.252 23 rule ServerRule_1
#
interface GigabitEthernet1/0/2
port link-mode route
description to-HeXinSW-6850;ge1/0/2
combo enable copper
ip address 10.0.0.5 255.255.255.252 ///mask corrected from 255.255.240.0: the core-switch peer 10.0.0.6 and the OSPF statement network 10.0.0.4 0.0.0.3 are both /30
ospf network-type p2p
#
interface GigabitEthernet1/0/22
port link-mode route
description to-FW1090-A;GE1/0/22
combo enable copper
port link-aggregation group 1
#
interface GigabitEthernet1/0/23
port link-mode route
description to-FW1090-A;GE1/0/23
combo enable copper
port link-aggregation group 1
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
#
security-zone name RMB
import interface Route-Aggregation1
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 117.1.1.1 description CMCC
#
local-user admin class manage
password hash $h$6$1lV85eqd3VE2FO4s$YC5FfjbtcB+YBRORZVKzynr2oAJm0nJp3yW8FHduhPr5U9LseomZ/SxxYcmJiFB4s0+2ubo3Ocxeb/GCvTVGPQ==
service-type ssh telnet terminal http
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
security-policy ip
rule 1 name RBM->Local
action pass
source-zone RMB
destination-zone Local
rule 2 name Local->RBM
action pass
source-zone Local
destination-zone RMB
rule 3 name Untrust->Local
action pass
source-zone Untrust
destination-zone Local
service ping
rule 4 name Local->any
action pass
source-zone Local
rule 5 name Trust->Untrust
action pass
source-zone Trust
destination-zone Untrust
rule 6 name Trust->Local
action pass
source-zone Trust
destination-zone Local
rule 7 name Untrust->Trust
action pass
source-zone Untrust
destination-zone Trust
service ssh
service telnet
#
remote-backup group
data-channel interface Route-Aggregation1
delay-time 1
adjust-cost ospf enable absolute 10000
adjust-cost ospfv3 enable absolute 10000
track 1
track 2
local-ip 192.168.10.2
remote-ip 192.168.10.1
device-role secondary
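A quick pair-consistency check, added here as an example and not part of the original write-up: it parses both firewall configurations as text and verifies the things that silently break an RBM+VRRP pair, namely that each interface mask agrees with the OSPF network statement covering it, that the VRRP virtual address and its mask are identical on both units, and that the roles are one active and one standby. The embedded FW_A and FW_B fragments are constructed, trimmed copies of the blocks above; FW_B is given a 255.255.240.0 mask on GigabitEthernet1/0/2 while its OSPF statement is a /30 (the kind of slip a hand-typed second unit picks up) so the check has something to report. Function names are mine.

```python
"""Consistency lint for an H3C RBM+VRRP firewall pair, run over the configs as text."""
import ipaddress
import re

# Constructed input: trimmed copies of the FW-A / FW-B blocks the checks inspect. FW_B carries
# a /20 mask on GigabitEthernet1/0/2 while its OSPF statement is a /30, so there is a finding.
FW_A = """\
ospf 1 router-id 192.168.10.254
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 192.168.10.254 0.0.0.0
#
interface GigabitEthernet1/0/1
ip address 192.168.9.1 255.255.255.248
vrrp vrid 1 virtual-ip 117.1.1.2 255.255.255.252 active
#
interface GigabitEthernet1/0/2
ip address 10.0.0.1 255.255.255.252
ospf network-type p2p
#
"""
FW_B = """\
ospf 1 router-id 192.168.10.253
area 0.0.0.0
network 10.0.0.4 0.0.0.3
network 192.168.10.253 0.0.0.0
#
interface GigabitEthernet1/0/1
ip address 192.168.9.2 255.255.255.248
vrrp vrid 1 virtual-ip 117.1.1.2 255.255.255.252 standby
#
interface GigabitEthernet1/0/2
ip address 10.0.0.5 255.255.240.0
ospf network-type p2p
#
"""

def sections(cfg):
    """Yield (header, body lines) for every '#'-delimited block of a Comware config."""
    block = []
    for line in [ln.strip() for ln in cfg.splitlines()] + ["#"]:
        if line == "#":
            if block:
                yield block[0], block[1:]
            block = []
        elif line:
            block.append(line)

def grep(cfg, header_prefix, pattern):
    """Yield (section name, regex match) for body lines matching pattern under a header prefix."""
    for header, body in sections(cfg):
        if header.startswith(header_prefix):
            for m in filter(None, (re.match(pattern, ln) for ln in body)):
                yield header.split(None, 1)[1], m

def interface_addrs(cfg):
    """Map interface name -> IPv4Interface (address plus mask)."""
    return {name: ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
            for name, m in grep(cfg, "interface ", r"ip address (\S+) (\S+)$")}

def ospf_networks(cfg):
    """'network A W' uses a wildcard W: invert it into a netmask before building the network."""
    nets = []
    for _, m in grep(cfg, "ospf ", r"network (\S+) (\S+)$"):
        mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(m[2])) & 0xFFFFFFFF)
        nets.append(ipaddress.IPv4Network(f"{m[1]}/{mask}", strict=False))
    return nets

def check_ospf_masks(unit, cfg):
    """Flag an interface whose mask differs from the OSPF network statement covering it."""
    nets = ospf_networks(cfg)
    return [f"{unit} {iface}: interface mask /{addr.network.prefixlen} "
            f"but OSPF network statement covers {net}"
            for iface, addr in interface_addrs(cfg).items()
            for net in nets if addr.ip in net and addr.network.prefixlen != net.prefixlen]

def vrrp_vips(cfg):
    """Map (interface, vrid) -> (virtual-ip/mask, active|standby)."""
    return {(name, int(m[1])): (ipaddress.IPv4Interface(f"{m[2]}/{m[3]}"), m[4])
            for name, m in grep(cfg, "interface ",
                                r"vrrp vrid (\d+) virtual-ip (\S+) (\S+) (active|standby)$")}

def check_vrrp_pair(fw_a, fw_b):
    """Both units must carry the same virtual-ip AND mask, one active and one standby."""
    findings, a, b = [], vrrp_vips(fw_a), vrrp_vips(fw_b)
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            findings.append(f"VRRP {key}: configured on one unit only")
        elif a[key][0] != b[key][0]:
            findings.append(f"VRRP {key}: virtual-ip/mask differ ({a[key][0]} vs {b[key][0]})")
        elif {a[key][1], b[key][1]} != {"active", "standby"}:
            findings.append(f"VRRP {key}: roles {a[key][1]}/{b[key][1]}, expected active+standby")
    return findings

def lint(fw_a, fw_b):
    """Run every check on the pair; an empty list means clean."""
    return check_ospf_masks("FW-A", fw_a) + check_ospf_masks("FW-B", fw_b) + check_vrrp_pair(fw_a, fw_b)

if __name__ == "__main__":
    print(*lint(FW_A, FW_B), sep="\n")
```

The wildcard inversion matters: feeding `0.0.0.0` straight to `ipaddress` would be read as a /0 netmask rather than a /32 host wildcard and every interface would be flagged. Run it against the full configs after every change on either unit; RBM syncs the policy but not the interface addressing, so the two `ip address` lines on each link are exactly what never gets cross-checked.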
----------------------
Core switch configuration:
#
version 7.1.070, Alpha 7170
#
sysname HeXinSW
#
telnet server enable
#
ospf 1 router-id 192.168.10.252
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 10.0.0.4 0.0.0.3
network 10.202.1.0 0.0.0.255
network 192.168.10.252 0.0.0.0
#
ip unreachables enable
ip ttl-expires enable
#
lldp global enable
#
vlan 10
description to-PC
#
interface LoopBack0
description OSPF_ID
ip address 192.168.10.252 255.255.255.255
#
interface Vlan-interface10
description to-PC
ip address 10.202.1.1 255.255.255.0
#
interface FortyGigE1/0/53
port link-mode bridge
#
interface FortyGigE1/0/54
port link-mode bridge
#
interface GigabitEthernet1/0/1
port link-mode route
description to-FW1090-A;GE1/0/1
combo enable fiber
ip address 10.0.0.2 255.255.255.252
ospf network-type p2p
#
interface GigabitEthernet1/0/2
port link-mode route
description to-FW1090-B;GE1/0/1
combo enable fiber
ip address 10.0.0.6 255.255.255.252
ospf network-type p2p
#
interface GigabitEthernet1/0/3
port link-mode bridge
description to-PC
port access vlan 10
combo enable fiber
#
Leased-line switch configuration:
It is enough to keep each carrier-facing port and the two firewall-facing ports in the same VLAN.
#
vlan 10
description to-CMCC-1G
#
interface GigabitEthernet1/0/1
port link-mode bridge
description TO-FW1090-A;1/0/1
port access vlan 10
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
description FW1090-B;GE1/0/1
port access vlan 10
combo enable fiber
#
interface GigabitEthernet1/0/3
port link-mode bridge
description TO-CMCC-1G
port access vlan 10
combo enable fiber
---------------------------------
Test:
Check that the RBM group has formed.
RBM_P<FW1090-A>display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 192.168.10.1
Remote IP: 192.168.10.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 0 hours, 25 minutes
Switchover records:
Time Status change Cause
2022-10-21 09:23:13 Active to Standby Track entries changed
2022-10-21 09:22:46 Standby to Active Track entries changed
2022-10-21 09:22:21 Active to Standby Track entries changed
2022-10-20 16:13:21 Standby to Active Track entries changed
2022-10-20 16:08:46 Active to Standby Track entries changed
2022-10-20 15:53:07 Standby to Active Interface status changed
2022-10-20 15:38:20 Active to Standby Track entries changed
2022-10-20 15:35:29 Active to Active Keepalive link established
2022-10-20 15:30:00 Initial to Active The local device quits the remote backup group
2022-10-20 15:09:57 Active to Active Keepalive link established
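The switchover history in this output deserves as much attention as the channel status: three state changes within 52 seconds on 2022-10-21 is the signature of a flapping track entry. The following parser, added as an example and not part of the original page, turns the `display remote-backup-group status` output into a field dict and a record list, flags when the configured Primary is not the running Active unit (as in this capture, taken right after a failover test), and groups switchovers that fall inside a short window. STATUS is the output above copied as captured with the prompt line dropped; the 120-second window and the threshold of three are assumed values to tune per site, and the function names are mine.

```python
"""Parse 'display remote-backup-group status' and raise alerts on RBM failover and flapping."""
from datetime import datetime, timedelta
import re

# Constructed input: the FW-A output above, copied as captured (prompt line dropped).
STATUS = """\
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: Route-Aggregation1
Local IP: 192.168.10.1
Remote IP: 192.168.10.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 0 hours, 25 minutes
Switchover records:
Time Status change Cause
2022-10-21 09:23:13 Active to Standby Track entries changed
2022-10-21 09:22:46 Standby to Active Track entries changed
2022-10-21 09:22:21 Active to Standby Track entries changed
2022-10-20 16:13:21 Standby to Active Track entries changed
2022-10-20 16:08:46 Active to Standby Track entries changed
2022-10-20 15:53:07 Standby to Active Interface status changed
2022-10-20 15:38:20 Active to Standby Track entries changed
2022-10-20 15:35:29 Active to Active Keepalive link established
2022-10-20 15:30:00 Initial to Active The local device quits the remote backup group
2022-10-20 15:09:57 Active to Active Keepalive link established
"""

# One switchover record: timestamp, 'X to Y' state change, free-text cause.
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) to (\w+) (.+)$")

def parse_status(text):
    """Return (fields dict, switchover records newest-first) from the command output."""
    fields, records = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m = RECORD.match(line)
        if m:
            records.append({"time": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"),
                            "from": m[2], "to": m[3], "cause": m[4]})
        elif ": " in line:
            key, _, value = line.partition(": ")
            if " Destination port: " in value:  # two fields share the 'Remote IP' line
                value, _, port = value.partition(" Destination port: ")
                fields["Destination port"] = port
            fields[key] = value
    return fields, records

def role_mismatch(fields):
    """True when this unit is the configured Primary but is not the running Active unit."""
    return (fields.get("Device management role") == "Primary"
            and fields.get("Device running status") != "Active")

def flap_windows(records, window=timedelta(seconds=120), threshold=3):
    """Group real state transitions: every run of >= threshold of them inside `window`.
    'Active to Active' keepalive events are not state changes and are ignored."""
    real = sorted((r for r in records if r["from"] != r["to"]), key=lambda r: r["time"])
    groups, i = [], 0
    while i < len(real):
        j = i
        while j + 1 < len(real) and real[j + 1]["time"] - real[i]["time"] <= window:
            j += 1
        if j - i + 1 >= threshold:
            groups.append(real[i:j + 1])
            i = j + 1
        else:
            i += 1
    return groups

def report(text, window=timedelta(seconds=120), threshold=3):
    """Alerts a monitoring job would raise from one capture of the command output."""
    fields, records = parse_status(text)
    alerts = []
    if fields.get("Control channel status") != "Connected":
        alerts.append("RBM control channel is not connected")
    if role_mismatch(fields):
        alerts.append("configured Primary is not the running Active unit (failed over, not yet switched back)")
    for group in flap_windows(records, window, threshold):
        causes = "; ".join(sorted({g["cause"] for g in group}))
        alerts.append(f"{len(group)} switchovers between {group[0]['time']:%H:%M:%S} "
                      f"and {group[-1]['time']:%H:%M:%S}: {causes}")
    return alerts

if __name__ == "__main__":
    print(*report(STATUS), sep="\n")
```

With the keepalive interval of 1 s and count of 10 shown above, a control-channel loss takes about ten seconds to be declared, so a window of two minutes catches a link that is bouncing faster than the pair can settle; the `Cause` column tells you whether to look at the tracked interfaces or at the channel itself.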
Bring down the link between the core switch and firewall A and observe the switchover.
On the primary firewall the VRRP state is now Backup.

tracert from the test PC: the path now goes through the standby firewall.

Restore the link between the core switch and firewall A and observe the switchback.

At this point traffic is still running on firewall B; firewall A's VRRP state is still Backup.

One minute later:
the primary firewall's VRRP state is back to Master.


PS: if the service is sensitive to failover time, the switchback delay can be changed in the RBM group (the delay-time setting, as on FW-B above).
Key point: the VRRP virtual address must be configured with its mask, otherwise ARP cannot be learned correctly.