2012-11-07 09:57:25
In an active/backup NetScreen deployment built on NSRP, the backup device carries the same interface, policy and other configuration as the active device, and the ARP table, sessions and so on are synchronized as well. I have long been curious how NSRP active/backup actually works on NetScreen firewalls, in particular how the backup side handles interface MAC addresses and ARP learning, because two device interfaces in the same VLAN cannot both own the same MAC address and the same IP address.
Below, a NetScreen firewall active/backup network is used to analyze how ARP is handled.
FW01 and SW01 are the active pair, FW02 and SW02 the backup pair; VRRP runs between the two switches.
FW01-NS204(M)-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth1 132.99.20.92/27 Trust 0010.dbff.2000 - U 0
eth2 10.202.177.153/29 Trust 0010.dbff.2050 - U 0
eth3 10.202.177.41/29 Untrust 0010.dbff.2060 - U 0
eth4 0.0.0.0/0 HA 0014.f641.fef7 - U -
vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 D 0
FW02-NS204(B)-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth1 132.99.20.92/27 Trust 0010.dbff.2000 - I 0
eth2 10.202.177.153/29 Trust 0010.dbff.2050 - I 0
eth3 10.202.177.41/29 Untrust 0010.dbff.2060 - I 0
eth4 0.0.0.0/0 HA 0010.db92.97b7 - U -
vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 I 0
The interface configuration on the active and backup firewalls is identical, including the interface MAC addresses.
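A check for the parity just described, added here as an example and not part of the original post or of ScreenOS itself: it parses the `get int` tables of both NSRP members (the two captures above, embedded as input), confirms that every VSD interface has the same IP and MAC on both boxes, and confirms that for each VSD only one member holds its interfaces in a state other than Inactive. Two members both holding a VSD is exactly the dual-active condition in which two ports in one VLAN really would own the same MAC and IP. The row layout and the `I` state on the backup are taken from the captures; the function names, the regex and the finding strings are my own assumptions.

```python
"""Consistency check for a ScreenOS NSRP pair from the output of `get int`."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the `get int` tables captured from FW01 (master) and FW02 (backup) above.
FW01_GET_INT = """\
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth1 132.99.20.92/27 Trust 0010.dbff.2000 - U 0
eth2 10.202.177.153/29 Trust 0010.dbff.2050 - U 0
eth3 10.202.177.41/29 Untrust 0010.dbff.2060 - U 0
eth4 0.0.0.0/0 HA 0014.f641.fef7 - U -
vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 D 0
"""
FW02_GET_INT = """\
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth1 132.99.20.92/27 Trust 0010.dbff.2000 - I 0
eth2 10.202.177.153/29 Trust 0010.dbff.2050 - I 0
eth3 10.202.177.41/29 Untrust 0010.dbff.2060 - I 0
eth4 0.0.0.0/0 HA 0010.db92.97b7 - U -
vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 I 0
"""


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    zone: str
    mac: str
    vlan: str
    state: str  # one of A, I, U, D, R as printed by ScreenOS
    vsd: str    # VSD group id, or "-" for interfaces outside any VSD (e.g. the HA link)


# One interface row of `get int`; legend and header lines do not match and are skipped.
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<zone>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<vlan>\S+)\s+"
    r"(?P<state>[AIUDR])\s+(?P<vsd>\S+)$"
)


def parse_get_int(text: str) -> dict[str, Interface]:
    """Return {interface name: Interface} for every interface row in `get int` output."""
    table: dict[str, Interface] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            table[m["name"]] = Interface(**m.groupdict())
    return table


def check_nsrp_pair(master_text: str, backup_text: str) -> list[str]:
    """Compare two members' `get int` output; return findings (empty list = consistent)."""
    master, backup = parse_get_int(master_text), parse_get_int(backup_text)
    findings: list[str] = []

    # 1. Same interface set, and identical IP/MAC/zone/VSD on every VSD interface.
    for name in sorted(set(master) | set(backup)):
        if name not in master or name not in backup:
            findings.append(f"{name}: present on only one member")
            continue
        m, b = master[name], backup[name]
        if m.vsd == "-":
            continue  # HA link: its MAC legitimately differs per box, nothing to compare
        for field in ("ip", "mac", "zone", "vsd"):
            if getattr(m, field) != getattr(b, field):
                findings.append(f"{name}: {field} differs ({getattr(m, field)} vs {getattr(b, field)})")

    # 2. Per VSD, exactly one member may hold the interfaces; the other shows them Inactive (I).
    vsds = {i.vsd for i in master.values()} | {i.vsd for i in backup.values()}
    for vsd in sorted(v for v in vsds if v != "-"):
        owners = [label for label, table in (("master", master), ("backup", backup))
                  if any(i.state != "I" for i in table.values() if i.vsd == vsd)]
        if len(owners) == 2:
            findings.append(f"vsd {vsd}: both members active (dual-active / split-brain)")
        elif not owners:
            findings.append(f"vsd {vsd}: no member active")
    return findings


if __name__ == "__main__":
    print(check_nsrp_pair(FW01_GET_INT, FW02_GET_INT) or "NSRP pair consistent")
```

Feeding the two captures as-is returns no findings; flipping the backup's `I` states to `U` yields the dual-active finding, which is the case worth alarming on in monitoring.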
FW01-NS204-QQT5F(M)->get arp | incl 10.202.177.42
10.202.177.42 00005e000101 trust-vr/eth3 VLD 967 0 0
FW02-NS204(B)-> get arp | incl 10.202.177.42
10.202.177.42 00005e000101 trust-vr/eth3 VLD 1005 0 0
In the ARP tables of both firewalls, the VRRP IP shared by SW01 and SW02 resolves to the same MAC address and is bound to the same interface.
[SW01-S3328]dis arp | incl 10.202.177.41
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN
------------------------------------------------------------------------------
10.202.177.41 0010-dbff-2060 13 DF0 Eth0/0/17
------------------------------------------------------------------------------
Total:21 Dynamic:14 Static:0 Interface:7
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total:12 Dynamic:5 Static:0 Interface:7
SW01 learns an ARP entry for the firewall's IP, while SW02 does not. This shows that SW01 exchanged ARP with FW01, whereas no ARP exchange took place between SW02 and FW02.
Ethernet0/0/17 current state : UP
Description : Downlink to CZNMS-FW01-NS204-QQT5F:E3, Switch Port
PVID : 3001
The Maximum Transmit Unit is 1500 bytes, The Maximum Frame Length is 1600
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e33-713f
AUTO NEGOTIATION, SPEED 100M, DUPLEX FULL, LOOPBACK NOT SET;
Transmitter's pause : disable, Receiver's pause : disable ;
Last 300 seconds input rate: 76904 bits/sec, 18 packets/sec
Last 300 seconds output rate: 7624 bits/sec, 13 packets/sec
Last 300 seconds Multicast input rate: 0 packets/sec
Last 300 seconds Multicast output rate: 1 packets/sec
Input: 984598652 Packets, 625257458787 Bytes
374 Broadcasts, 279 Multicasts
0 Oversizes, 0 Undersizes
0 FCSs, 0 Pauses
Output: 676182067 Packets, 56154994137 Bytes
318119 Broadcasts, 47637577 Multicasts
0 Oversizes, 0 Defers
0 FCSs, 0 Pauses
0 Collisions
Ethernet0/0/17 current state : UP
Description : Downlink to CZNMS-FW02-NS204-QQT5F::E3, Switch Port
PVID : 3001
The Maximum Transmit Unit is 1500 bytes, The Maximum Frame Length is 1600
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0025-9e33-71b3
AUTO NEGOTIATION, SPEED 100M, DUPLEX FULL, LOOPBACK NOT SET;
Transmitter's pause : disable, Receiver's pause : disable ;
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 1040 bits/sec, 1 packets/sec
Last 300 seconds Multicast input rate: 0 packets/sec
Last 300 seconds Multicast output rate: 1 packets/sec
Input: 1 Packets, 64 Bytes
0 Broadcasts, 0 Multicasts
0 Oversizes, 0 Undersizes
0 FCSs, 0 Pauses
Output: 602 Packets, 51038 Bytes
5 Broadcasts, 597 Multicasts
0 Oversizes, 0 Defers
0 FCSs, 0 Pauses
0 Collisions
The SW01 port connected to FW01 carries traffic in both directions; the SW02 port connected to FW02 carries only outbound traffic and nothing inbound.
Conclusion:
When a NetScreen firewall runs NSRP, apart from items such as the hostname and management IP that must be configured separately by hand on the backup, essentially all other configuration is synchronized from the active device over NSRP, including interface IPs, interface MACs and the ARP table. The link between the backup device and its peer appears to be soft-closed: although the port shows as up, the backup device's ports do not take part in ARP or other exchanges with adjacent devices. The absence of traffic and of ARP entries on the port of the device facing the backup confirms this.
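The two pieces of switch-side evidence used on this page, an ARP entry for the firewall IP and inbound traffic on the port, can be combined into a small classifier that tells a live downlink from a soft-closed standby one. This is an added example, not the author's code or a vendor tool: it embeds trimmed copies of the `display interface` and `display arp` output shown above, assumes that output layout, and uses function names and result labels of my own choosing. It also compares the MAC the switch learned against the MAC the firewall reports on eth3, so that a different host answering ARP for the firewall's address is reported rather than mistaken for the live path.

```python
"""Classify a switch downlink toward an NSRP member from port counters and the ARP table."""
from __future__ import annotations

import re

# Sample inputs: trimmed copies of the SW01/SW02 displays above (SW01 faces FW01, SW02 faces FW02).
SW01_PORT = """\
Ethernet0/0/17 current state : UP
Description : Downlink to CZNMS-FW01-NS204-QQT5F:E3, Switch Port
Last 300 seconds input rate: 76904 bits/sec, 18 packets/sec
Last 300 seconds output rate: 7624 bits/sec, 13 packets/sec
Input: 984598652 Packets, 625257458787 Bytes
Output: 676182067 Packets, 56154994137 Bytes
"""
SW02_PORT = """\
Ethernet0/0/17 current state : UP
Description : Downlink to CZNMS-FW02-NS204-QQT5F::E3, Switch Port
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 1040 bits/sec, 1 packets/sec
Input: 1 Packets, 64 Bytes
Output: 602 Packets, 51038 Bytes
"""
# `display arp | include 10.202.177.41`: one entry on SW01, none on SW02.
SW01_ARP = "10.202.177.41 0010-dbff-2060 13 DF0 Eth0/0/17\nTotal:21 Dynamic:14 Static:0 Interface:7\n"
SW02_ARP = "Total:12 Dynamic:5 Static:0 Interface:7\n"

FW_ETH3_IP = "10.202.177.41"
FW_ETH3_MAC = "0010.dbff.2060"  # eth3 MAC as printed by the firewall's `get int`


def normalize_mac(mac: str) -> str:
    """Reduce 0010.dbff.2060 / 0010-dbff-2060 / 00:10:db:ff:20:60 to the same 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_port(text: str) -> dict:
    """Pull link state and the 300-second input/output packet rates from `display interface`."""
    state = re.search(r"current state : (\w+)", text).group(1)
    in_pps = int(re.search(r"input rate: \d+ bits/sec, (\d+) packets/sec", text).group(1))
    out_pps = int(re.search(r"output rate: \d+ bits/sec, (\d+) packets/sec", text).group(1))
    return {"state": state, "in_pps": in_pps, "out_pps": out_pps}


def learned_mac(arp_text: str, ip: str) -> str | None:
    """Return the MAC the switch holds for `ip` in `display arp` output, or None if absent."""
    row = re.compile(r"^" + re.escape(ip) + r"\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\b", re.M)
    m = row.search(arp_text)
    return m.group(1) if m else None


def classify_downlink(port_text: str, arp_text: str, fw_ip: str, fw_mac: str) -> str:
    """live: ARP entry for the firewall plus inbound traffic.
    standby: port up, no ARP entry, no inbound traffic (the soft-closed backup side).
    foreign-mac: the ARP entry names a MAC other than the firewall's own.
    inconsistent: any other mix, worth a look."""
    port = parse_port(port_text)
    if port["state"] != "UP":
        return "down"
    mac = learned_mac(arp_text, fw_ip)
    if mac is not None and normalize_mac(mac) != normalize_mac(fw_mac):
        return "foreign-mac"
    if mac is not None and port["in_pps"] > 0:
        return "live"
    if mac is None and port["in_pps"] == 0:
        return "standby"
    return "inconsistent"


if __name__ == "__main__":
    for name, port, arp in (("SW01", SW01_PORT, SW01_ARP), ("SW02", SW02_PORT, SW02_ARP)):
        print(name, classify_downlink(port, arp, FW_ETH3_IP, FW_ETH3_MAC))
```

Run against the captures it reports SW01 as live and SW02 as standby; the `foreign-mac` and `inconsistent` outcomes are the ones a monitoring job should raise, since they mean the ARP table and the traffic no longer tell the same story as on this page.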