<vrname> Virtual router name
"VR-Default" "VR-Mgmt"
例如 管理Mgmt要加default route
# config iproute add default 12.34.56.78 vr VR-Mgmt
2011年10月4日 星期二
Summit add default route
# config iproute add default 12.34.56.78 vr
<vrname> Virtual router name
"VR-Default" "VR-Mgmt"
<vrname> Virtual router name
"VR-Default" "VR-Mgmt"
2011年10月3日 星期一
Juniper NETSCREEN NSRP典型配置及維護
一、NSRP工作原理
NSRP(NetScreen Redundant Protocol)是Juniper公司基於VRRP協議規範自行開發的設備冗餘協議。防火牆作為企業核心網絡中的關鍵設備,需要為所有進出網絡的信息流提供安全保護,為滿足客戶不間斷業務訪問需求,要求防火牆設備必須具備高可靠性,能夠在設備、鏈路及互連設備出現故障的情況下,提供網絡訪問路徑無縫切換。NSRP冗餘協議提供複雜網絡環境下的冗餘路徑保護機制。NSRP主要功能有:
1、在高可用群組成員之間同步配置信息;2、提供活動會話同步功能,以保證發生路徑切換情況下不會中斷網絡連接;3、採用高效的故障切換算法,能夠在短短幾秒內迅速完成故障檢測和狀態切換。
NSRP集群兩種工作模式:
一、Active/Passive模式:通過對一個冗餘集群中的兩台安全設備進行電纜連接和配置,使其中一台設備作為主用設備,另一台作為備用設備。主用設備負責處理所有網絡信息流,備用設備處於在線備份狀態。主設備將其網絡和配置命令及當前會話信息傳播到備用設備,備用設備始終保持與主用設備配置信息和會話連接信息的同步,並跟踪主用設備狀態,一旦主設備出現故障,備份設備將在極短時間內晉升為主設備並接管信息流處理。
二、Active/Active模式:在NSRP中創建兩個虛擬安全設備(VSD) 組,每個組都具有自己的虛擬安全接口(VSI),通過VSI接口與網絡進行通信。設備A充當VSD組1的主設備和VSD 組2的備份設備。設備B充當VSD組2的主設備和VSD組1的備份設備。Active/Active模式中兩台防火牆同時進行信息流的處理並彼此互為備份。在雙主動模式中不存在任何單一故障點。如下圖所示,通過調整防火牆上下行路由/交換設備到網絡的路由指向,HostA通過左側路徑訪問ServerA,HostB通過右側路徑訪問ServerB,網絡中任一設備或鏈路出現故障時,NSRP集群均能夠做出正確的路徑切換。
NSRP集群技術優勢主要體現於:
1、消除防火牆及前後端設備單點故障,提供網絡高可靠性。即使在骨幹網絡中兩類核心設備同時出現故障,也能夠保證業務安全可靠運行。
2、根據客戶網絡環境和業務可靠性需要,提供靈活多樣的可靠組網方式。NSRP雙機集群能夠提供1、Active-Passive模式Layer2/3多虛擬路由器多虛擬系統和口型/交叉型組網方式;2、Active-Active模式Layer2/3多虛擬路由器多虛擬系統和口型/ Fullmesh交叉型組網方式。為用戶提供靈活的組網選擇。
3、NSRP雙機結構便於網絡維護管理,通過將流量在雙機間的靈活切換,在防火牆軟件升級、前後端網絡結構優化改造及故障排查時,雙機結構均能夠保證業務的不間斷運行。
4、結合Netscreen虛擬系統和虛擬路由器技術,部署一對NSRP集群防火牆,可以為企業更多的應用提供靈活可靠的安全防護,減少企業防火牆部署數量和維護成本。
二、NSRP典型結構與配置
1、Layer3 口型A/P組網模式
Layer3 口型A/P組網模式是當前很多企業廣泛採用的HA模式,該模式具有對網絡環境要求不高,無需網絡結構做較大調整,具有較好冗餘性、便於管理維護等優點。缺點是Netscreen防火牆利用率不高,同一時間只有一台防火牆處理網絡流量;冗餘程度有限,僅在一側鏈路和設備出現故障時提供冗餘切換。Layer3 口型組網A/P模式具有較強冗餘性、低端口成本和網絡結構簡單、便於維護管理等角度考慮,成為很多企業選用該組網模式的標準。
配置說明:兩台Netscreen設備採用相同硬件型號和軟件版本,組成Active/Passive冗餘模式,兩台防火牆均使用一致的Ethernet接口編號連接到網絡。通過雙HA端口或將2Ethernet接口放入HA區段,其中控制鏈路用於NSRP心跳信息、配置信息和Session會話同步,數據鏈路用於在兩防火牆間必要時傳輸數據流量。
NS-A(主用):
Set hostname NS-A /***定義主機名***/
Set interface ethernet1 zone untrust
Set interface ethernet1 ip 100.1.1.4/29
Set interface ethernet1 route
Set interface ethernet2 zone trust
Set interface ethernet2 ip 192.168.1.4/29
Set interface ethernet2 route
Set interface mgt ip 192.168.2.1/24 /***通過管理口遠程管理NS-A***/
/***配置接口:Untrust/Trust Layer3路由模式** */
Set interface ethernet3 zone HA
Set interface ethernet4 zone HA
/***Eth3和Eth4口用於HA互連,用於同步配置文件、會話信息和跟踪設備狀態信息***/
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50 /***缺省值為100,低值優先成為主用設備***/
set nsrp monitor interface ethernet2
set nsrp monitor interface ethernet1
/***配置NSRP :Vsd-group缺省為0,VSI使用物理接口IP地址,非搶占模式***/
NS-B(備用):
Set hostname NS-B /***定義主機名***/
Set interface ethernet1 zone Untrust
Set interface ethernet1 ip 100.1.1.4/29
Set interface ethernet1 route
Set interface ethernet2 zone trust
Set interface ethernet2 ip 192.168.1.4/29
Set interface ethernet2 route
Set interface mgt ip 192.168.2.2/24 /***通過管理口遠程管理NS-A***/
/***配置接口:Untrust/Trust Layer3路由模式***/
Set interface ethernet3 zone HA
Set interface ethernet4 zone HA
/***Eth3和Eth4口用於HA互連,用於同步配置文件、會話信息和跟踪設備狀態信息***/
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp monitor interface ethernet2
set nsrp monitor interface ethernet1
/***Vsd -group缺省為0,VSI使用物理接口IP地址,備用設備:優先級100,成為非搶占模式***/
2、Layer3 Fullmesh A/P組網模式
Layer3 Fullmesh連接A/P組網使用全交叉網絡連接模式,容許在同一設備上提供鏈路級冗餘,發生鏈路故障時,由備用鏈路接管網絡流量,防火牆間無需進行狀態切換。僅在上行或下行兩條鏈路同時發生故障情況下,防火牆才會進行狀態切換,Fullmesh連接進一步提高了業務的可靠性。該組網模式在提供設備冗餘的同時提供鏈路級冗餘,成為很多企業部署關鍵業務時的最佳選擇。
NS-A(Active):
Set hostname NS-A /***定義主機名***/
Set interface mgt ip 192.168.2.1/24 /***通過管理口遠程管理NS-A***/
Set interface red1 zone Untrust /***創建冗餘接口1***/
Set interface e1 zone null
Set interface e1 group red1
Set interface e2 zone null
Set interface e2 group red1
Set interface red1 ip 10.1.1.4/29
Set interface red2 zone trust
Set interface e3 zone null
Set interface e3 group red2
Set interface e4 zone null
Set interface e4 group red2
Set interface red2 ip 192.168.1.4/29
/***配置接口:Untrust/Trust Layer3路由模式***/
Set interface ethernet7 zone ha
Set interface ethernet8 zone ha
set nsrp cluster id 1
set nsrp rto-mirror sync /***容許會話信息自動同步***/
set nsrp vsd-group id 0 priority 50
set nsrp monitor interface ethernet2
set nsrp monitor interface ethernet1
/ ***配置NSRP:Vsd-group缺省為0,VSI使用物理接口IP地址,優先級為50,非搶占模式***/
NS-B(Backup):
Set hostname NS-B /***定義主機名***/
Set interface mgt ip 192.168.2.2/24 /***通過管理口遠程管理NS-A***/
Set interface red1 zone Untrust /***創建冗餘接口***/
Set interface e1 zone null
Set interface e1 group red1 /***將該物理接口放置到冗餘接口中***/
Set interface e2 zone null
Set interface e2 group red1
Set interface red1 ip 10.1.1.4/29
Set interface red2 zone trust
Set interface e3 zone null
Set interface e3 group red2
Set interface e4 zone null
Set interface e4 group red2
Set interface red2 ip 192.168.1.4/29
/***配置接口:Untrust/Trust Layer3路由模式***/
Set interface ethernet7 zone ha
Set interface ethernet8 zone ha
set nsrp cluster id 1
set nsrp rto-mirror sync /***容許會話信息自動同步***/
set nsrp vsd-group id 0 priority 100
set nsrp monitor interface ethernet2
set nsrp monitor interface ethernet1
/ ***Vsd-group缺省為0,VSI使用物理接口IP地址,備用設備***/
Cisco Trunk & PortChannel
Trunk~
conf t
interface Gi1/0/23
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Gi1/0/24
switchport trunk allowed vlan 1
switchport mode trunk
wri
Port Channel~
如果是要將2個port合併頻寬的話,則用下列方法即可
conf t
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface Gi1/0/23
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Gi1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
wri
conf t
interface Gi1/0/23
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Gi1/0/24
switchport trunk allowed vlan 1
switchport mode trunk
wri
Port Channel~
如果是要將2個port合併頻寬的話,則用下列方法即可
conf t
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface Gi1/0/23
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Gi1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
wri
2011年9月29日 星期四
Juniper SSG 520M/550M 教育訓練影片
[Juniper SSG 520M/550M 教育訓練影片]
http://www.juniper.net/us/en/training/elearning/ssg520_550.html
http://www.juniper.net/us/en/training/elearning/ssg520_550.html
2011年9月19日 星期一
FB登入後無法正常顯示首頁內容
當電腦登入Facebook發現無法正常顯示FB首頁時,可能是電腦DNS有問題
此時可以試試將DNS清除
電腦左下角開始-->執行-->輸入cmd--->輸入 ipconfig /flushdns 即可
再重新登入FB帳號...
此時可以試試將DNS清除
電腦左下角開始-->執行-->輸入cmd--->輸入 ipconfig /flushdns 即可
再重新登入FB帳號...
2011年8月16日 星期二
Extreme Download Upload Backup Command
Backup Configuration File
Selecting Active Image Files
Download a New Image File
Selecting Active Configuration Files
Restoring the Configuration
Downloading ASCII-formatted
Managing ASCII-formatted
Returning the Switch To Factory Defaults
Extreme EAPS LAB1
LAB1: 三台Summit X150-24T
EAPS Domain = EAPS1
Control Valn = CV1 tag 100 QP8
Protection Vlan = P1 tag 101 , P2 tag 102 , P3 tag 103
-----------------------------------------------------------------------------
第一台當EAPS MASTER Mode
Step 1
configure vlan default delete ports all (將Default Vlan預設Port Delet)
configure vr VR-Default delete ports 1-26
configure vr VR-Default add ports 1-26
configure vlan default delete ports 1-26
create vlan "cv1" (Control Vlan)
configure vlan cv1 tag 100
configure vlan cv1 qosprofile QP8
create vlan "p1" (Protection Vlan)
configure vlan p1 tag 101
create vlan "p2"
configure vlan p2 tag 102
create vlan "p3"
configure vlan p3 tag 103
configure vlan cv1 add ports 1-2 tagged
configure vlan p1 add ports 1-2 tagged
configure vlan p1 add ports 3-5 untagged
configure vlan p2 add ports 1-2 tagged
configure vlan p2 add ports 6-8 untagged
configure vlan p3 add ports 1-2 tagged
configure vlan p3 add ports 9-11 untagged
configure vlan p1 ipaddress 192.168.0.1 255.255.255.0
Step2
configure eaps fast-convergence on
(如果架構中有一台並非設定eaps的Switch,此指令要下,事後下必須reboot Master Switch才會生效)
enable eaps
create eaps eaps1
configure eaps eaps1 mode master (選其中一台為 Eaps Master其他為Transit)
configure eaps eaps1 primary port 1
configure eaps eaps1 secondary port 2
configure eaps eaps1 failtime expiry-action open-secondary-port
enable eaps eaps1
configure eaps eaps1 add control vlan cv1
configure eaps eaps1 add protected vlan p1
configure eaps eaps1 add protected vlan p2
configure eaps eaps1 add protected vlan p3
Step 1
configure vlan default delete ports all
configure vr VR-Default delete ports 1-26
configure vr VR-Default add ports 1-26
configure vlan default delete ports 1-26
create vlan "cv1"
configure vlan cv1 tag 100
configure vlan cv1 qosprofile QP8
create vlan "p1"
configure vlan p1 tag 101
create vlan "p2"
configure vlan p2 tag 102
create vlan "p3"
configure vlan p3 tag 103
configure vlan cv1 add ports 1-2 tagged
configure vlan p1 add ports 1-2 tagged
configure vlan p1 add ports 3-5 untagged
configure vlan p2 add ports 1-2 tagged
configure vlan p2 add ports 6-8 untagged
configure vlan p3 add ports 1-2 tagged
configure vlan p3 add ports 9-11 untagged
configure vlan p1 ipaddress 192.168.0.2 255.255.255.0
EAPS Domain = EAPS1
Control Valn = CV1 tag 100 QP8
Protection Vlan = P1 tag 101 , P2 tag 102 , P3 tag 103
-----------------------------------------------------------------------------
第一台當EAPS MASTER Mode
Step 1
configure vlan default delete ports all (將Default Vlan預設Port Delet)
configure vr VR-Default delete ports 1-26
configure vr VR-Default add ports 1-26
configure vlan default delete ports 1-26
create vlan "cv1" (Control Vlan)
configure vlan cv1 tag 100
configure vlan cv1 qosprofile QP8
create vlan "p1" (Protection Vlan)
configure vlan p1 tag 101
create vlan "p2"
configure vlan p2 tag 102
create vlan "p3"
configure vlan p3 tag 103
configure vlan cv1 add ports 1-2 tagged
configure vlan p1 add ports 1-2 tagged
configure vlan p1 add ports 3-5 untagged
configure vlan p2 add ports 1-2 tagged
configure vlan p2 add ports 6-8 untagged
configure vlan p3 add ports 1-2 tagged
configure vlan p3 add ports 9-11 untagged
configure vlan p1 ipaddress 192.168.0.1 255.255.255.0
Step2
configure eaps fast-convergence on
(如果架構中有一台並非設定eaps的Switch,此指令要下,事後下必須reboot Master Switch才會生效)
enable eaps
create eaps eaps1
configure eaps eaps1 mode master (選其中一台為 Eaps Master其他為Transit)
configure eaps eaps1 primary port 1
configure eaps eaps1 secondary port 2
configure eaps eaps1 failtime expiry-action open-secondary-port
enable eaps eaps1
configure eaps eaps1 add control vlan cv1
configure eaps eaps1 add protected vlan p1
configure eaps eaps1 add protected vlan p2
configure eaps eaps1 add protected vlan p3
----------------------------------------------------------------------------------------------------------
第二台 EAPS 當 Transit ModeStep 1
configure vlan default delete ports all
configure vr VR-Default delete ports 1-26
configure vr VR-Default add ports 1-26
configure vlan default delete ports 1-26
create vlan "cv1"
configure vlan cv1 tag 100
configure vlan cv1 qosprofile QP8
create vlan "p1"
configure vlan p1 tag 101
create vlan "p2"
configure vlan p2 tag 102
create vlan "p3"
configure vlan p3 tag 103
configure vlan cv1 add ports 1-2 tagged
configure vlan p1 add ports 1-2 tagged
configure vlan p1 add ports 3-5 untagged
configure vlan p2 add ports 1-2 tagged
configure vlan p2 add ports 6-8 untagged
configure vlan p3 add ports 1-2 tagged
configure vlan p3 add ports 9-11 untagged
configure vlan p1 ipaddress 192.168.0.2 255.255.255.0
Step 2
enable eaps
create eaps eaps1
configure eaps eaps1 mode transit
configure eaps eaps1 primary port 1
configure eaps eaps1 secondary port 2
enable eaps eaps1
configure eaps eaps1 add control vlan cv1
configure eaps eaps1 add protected vlan p1
configure eaps eaps1 add protected vlan p2
configure eaps eaps1 add protected vlan p3
------------------------------------------------------------------------
第三台 EAPS 當Transit Mode
Step1
enable eaps
create eaps eaps1
configure eaps eaps1 mode transit
configure eaps eaps1 primary port 1
configure eaps eaps1 secondary port 2
enable eaps eaps1
configure eaps eaps1 add control vlan cv1
configure eaps eaps1 add protected vlan p1
configure eaps eaps1 add protected vlan p2
configure eaps eaps1 add protected vlan p3
Step2
enable eaps
create eaps eaps1
configure eaps eaps1 mode transit
configure eaps eaps1 primary port 1
configure eaps eaps1 secondary port 2
enable eaps eaps1
configure eaps eaps1 add control vlan cv1
configure eaps eaps1 add protected vlan p1
configure eaps eaps1 add protected vlan p2
configure eaps eaps1 add protected vlan p3
------------------------------------------------------------------------------
Master Switch
Show eaps detail
EAPS Enabled: Yes
EAPS Fast-Convergence: On
EAPS Display Config Warnings: On
EAPS Multicast Add Ring Ports: Off
EAPS Multicast Send IGMP Query: On
EAPS Multicast Temporary Flooding: Off
EAPS Multicast Temporary Flooding Duration: 15 sec
Number of EAPS instances: 1
Name: eaps1
State: Complete Running: Yes
Enabled: Yes Mode: Master
Primary port: 1 Port status: Up Tag status: Tagged
Secondary port: 2 Port status: Blocked Tag status: Tagged
Hello Egress Port: Primary
Hello timer interval: 1 sec 0 millisec
Fail timer interval: 3 sec 0 millisec
Fail Timer expiry action: Open secondary port
Last update: From Master Id 00:04:96:51:d8:d9, at Tue Aug 16 15:08:39 2011
EAPS Domain has following Controller Vlan:
Vlan Name VID
cv1 100
EAPS Domain has following Protected Vlan(s):
Vlan Name VID
p1 101
p2 102
p3 103
Number of Protected Vlans: 3
-------------------------------------------------------------------------------
Transit Switch
Show eaps detail
Show eaps detail
EAPS Enabled: Yes
EAPS Fast-Convergence: Off
EAPS Display Config Warnings: On
EAPS Multicast Add Ring Ports: Off
EAPS Multicast Send IGMP Query: On
EAPS Multicast Temporary Flooding: Off
EAPS Multicast Temporary Flooding Duration: 15 sec
Number of EAPS instances: 1
Name: eaps1
State: Links-Up Running: Yes
Enabled: Yes Mode: Transit
Primary port: 1 Port status: Up Tag status: Tagged
Secondary port: 2 Port status: Up Tag status: Tagged
Hello timer interval: 1 sec 0 millisec
Fail timer interval: 3 sec 0 millisec
Preforwarding Timer interval: 15 sec
Last update: From Master Id 00:04:96:51:d8:d9, at Tue Aug 16 15:10:08 2011
EAPS Domain has following Controller Vlan:
Vlan Name VID
cv1 100
EAPS Domain has following Protected Vlan(s):
Vlan Name VID
p1 101
p2 102
p3 103
Number of Protected Vlans: 3
訂閱:
文章 (Atom)