A company's internet behaviour management (NBM) device was deployed inline on a single-path bridge; when its optical module failed, the company lost all external connectivity. After the incident the following changes were made:
# Firewall configuration: create the monitoring item. Core switch IP 172.23.97.254, firewall interface IP 172.23.97.250
nqa entry user 123
type icmp-echo
destination ip 172.23.97.254
frequency 100
reaction 2 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 172.23.97.250
nqa schedule user 123 start-time now lifetime forever
track 2 nqa entry user 123 reaction 2
# Create the Layer 3 aggregation interface
interface Route-Aggregation1
manage https inbound
manage ping inbound
manage ssh inbound
# Add ports GigabitEthernet1/0/28 and GigabitEthernet1/0/29 to Layer 3 aggregation group 1
interface GigabitEthernet1/0/28
port link-mode route
port link-aggregation group 1
interface GigabitEthernet1/0/29
port link-mode route
port link-aggregation group 1
# Create the static route with its track item, plus the floating static route
ip route-static 172.23.0.0 16 172.23.97.254 track 2
ip route-static 172.23.0.0 16 172.23.98.254 preference 70 description taoshenxianl
# Core switch configuration: create the monitoring item. Destination 172.23.97.250 is the firewall's Layer 3 interface; source 172.23.97.254 is the core switch itself
nqa entry admin test
type icmp-echo
destination ip 172.23.97.250
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 172.23.97.254
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
# Create two VLANs and their VLAN interfaces
vlan 98
vlan 97
interface Vlan-interface97
ip address 172.23.97.254 255.255.255.0
interface Vlan-interface98
ip address 172.23.98.254 255.255.255.0
# Create the Layer 2 aggregation interface and add 1/0/4 and 2/0/1 to the aggregation group
interface Bridge-Aggregation1
port access vlan 97
interface Ten-GigabitEthernet1/0/4
port link-mode bridge
port access vlan 97
port link-aggregation group 1
interface Ten-GigabitEthernet2/0/1
port link-mode bridge
port access vlan 97
port link-aggregation group 1
# Use 1/0/5 as the escape (bypass) port
interface Ten-GigabitEthernet1/0/5
port link-mode bridge
port access vlan 98
# Create the static route with its track item, plus the floating static route
ip route-static 0.0.0.0 0 172.23.98.250 preference 70
ip route-static 0.0.0.0 0 172.23.97.250 track 1
The NBM device's upstream and downstream ports also need link-state synchronisation configured.
In actual testing: when an aggregation-group member port went down, no packets were lost; when the NBM device went down, 3 packets were lost and traffic moved to the escape path; when the link recovered, no packets were lost.
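The failover chain on both boxes is the same pattern: an NQA ICMP probe, a track item bound to the probe's reaction, a primary static route that is withdrawn when the track goes down, and an untracked floating route with a worse preference that takes over. A typical mistake is to get one link of that chain wrong (a track bound to the wrong reaction number, a probe that does not target the route's next hop, or no floating route at all), and the device will not warn you. The following is an added consistency check, not part of the original note or any vendor tool: it parses constructed copies of the firewall and core-switch snippets above, verifies each tracked route's chain, and confirms that the two peers probe each other symmetrically (each side's destination is the other side's source). It assumes Comware's default static-route preference of 60 when none is configured and parses only the command forms that appear on the page.

```python
"""Consistency check for the NQA + track + floating-static-route failover chain (added example)."""
import re

# Constructed copies of the firewall and core-switch snippets from the note.
FIREWALL_CFG = """
nqa entry user 123
destination ip 172.23.97.254
reaction 2 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 172.23.97.250
nqa schedule user 123 start-time now lifetime forever
track 2 nqa entry user 123 reaction 2
ip route-static 172.23.0.0 16 172.23.97.254 track 2
ip route-static 172.23.0.0 16 172.23.98.254 preference 70 description taoshenxianl
"""

CORE_CFG = """
nqa entry admin test
destination ip 172.23.97.250
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 172.23.97.254
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
ip route-static 0.0.0.0 0 172.23.98.250 preference 70
ip route-static 0.0.0.0 0 172.23.97.250 track 1
"""

DEFAULT_STATIC_PREFERENCE = 60  # assumption: Comware default when no preference is given


def parse(cfg):
    """Return (nqa_entries, tracks, routes); the parsing is deliberately minimal."""
    nqa, tracks, routes = {}, {}, []
    current = None  # NQA entry whose sub-commands are being read
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r'nqa entry (\S+) (\S+)$', line)
        if m:
            current = (m.group(1), m.group(2))
            nqa[current] = {'dest': None, 'source': None, 'reactions': set()}
            continue
        m = re.match(r'track (\d+) nqa entry (\S+) (\S+) reaction (\d+)$', line)
        if m:
            current = None
            tracks[int(m.group(1))] = ((m.group(2), m.group(3)), int(m.group(4)))
            continue
        m = re.match(r'ip route-static (\S+) (\d+) (\S+)(.*)$', line)
        if m:
            current = None
            trk = re.search(r'\btrack (\d+)', m.group(4))
            pref = re.search(r'\bpreference (\d+)', m.group(4))
            routes.append({'prefix': f"{m.group(1)}/{m.group(2)}", 'nexthop': m.group(3),
                           'track': int(trk.group(1)) if trk else None,
                           'preference': int(pref.group(1)) if pref else DEFAULT_STATIC_PREFERENCE})
            continue
        if current is None:
            continue
        for key, pat in (('dest', r'destination ip (\S+)$'), ('source', r'source ip (\S+)$')):
            m = re.match(pat, line)
            if m:
                nqa[current][key] = m.group(1)
        m = re.match(r'reaction (\d+) ', line)
        if m:
            nqa[current]['reactions'].add(int(m.group(1)))
    return nqa, tracks, routes


def check(cfg):
    """Return a list of problems; an empty list means every tracked route can fail over."""
    nqa, tracks, routes = parse(cfg)
    problems = []
    for r in routes:
        if r['track'] is None:
            continue  # untracked routes are the backups, not the thing under test
        if r['track'] not in tracks:
            problems.append(f"{r['prefix']} via {r['nexthop']}: track {r['track']} is not defined")
            continue
        entry, reaction = tracks[r['track']]
        if entry not in nqa:
            problems.append(f"track {r['track']}: NQA entry {entry} is not defined")
        elif reaction not in nqa[entry]['reactions']:
            problems.append(f"track {r['track']}: reaction {reaction} is not defined in NQA entry {entry}")
        elif nqa[entry]['dest'] != r['nexthop']:
            problems.append(f"track {r['track']} probes {nqa[entry]['dest']}, not next hop {r['nexthop']}")
        # A usable floating backup: same prefix, other next hop, untracked, worse preference.
        if not any(b['prefix'] == r['prefix'] and b['nexthop'] != r['nexthop'] and b['track'] is None
                   and b['preference'] > r['preference'] for b in routes):
            problems.append(f"no floating backup route for {r['prefix']} via {r['nexthop']}")
    return problems


def peers_symmetric(cfg_a, cfg_b):
    """True if each probe on one side targets the other side's probe source, and vice versa."""
    pairs_a = {(e['source'], e['dest']) for e in parse(cfg_a)[0].values()}
    pairs_b = {(e['dest'], e['source']) for e in parse(cfg_b)[0].values()}
    return pairs_a == pairs_b


if __name__ == "__main__":
    print("firewall:", check(FIREWALL_CFG) or "OK", "| core:", check(CORE_CFG) or "OK")
    print("symmetric probes:", peers_symmetric(FIREWALL_CFG, CORE_CFG))
```

Run against the two snippets as written, both checks come back clean and the probes are symmetric; drop the `preference 70` from the firewall's escape route and the check reports that the tracked route has no floating backup, which is exactly the state that would reproduce the original outage once the primary path fails.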