VRRP dual ISP setup

networking juniper failover vrrp
2022-02-09 05:46:26

I have a project I'm struggling with and wondered if anyone could offer some advice on the best way to achieve what I'm after (I'm new to Juniper).

Currently I have 2 Juniper SRX240s, one connected to a 100Mb fibre circuit and the other connected to a 10Mb EFM circuit.

My goal is to set them up to allow automatic failover from one ISP to the other. The idea is that if the primary 100Mb goes down, the backup takes over automatically.

I also need to set up 3 virtual routing instances and 2 DMZs; the idea is to have one instance each for WAN, Internet and VoIP traffic. I have attached an image to help explain the setup.

The company wants to use VRRP rather than a chassis cluster.

I have set up VRRP, however both routers are in master state and they are sending advertisements but not receiving any. I suspect there is a problem with the security configuration, but I can't seem to find what it is. Could someone take a look at where I have gone wrong?

At this stage I want standard VRRP on the LAN side (172.16 range), and then later use VRRP route-instance tracking for the WAN.

Here is the config:

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 126 description DMZ-1
set interfaces ge-0/0/0 unit 126 vlan-id 126
set interfaces ge-0/0/0 unit 126 family inet address 172.16.126.253/24
set interfaces ge-0/0/0 unit 137 description backup-mpls
set interfaces ge-0/0/0 unit 137 vlan-id 137
set interfaces ge-0/0/0 unit 346 vlan-id 346
set interfaces ge-0/0/0 unit 346 family inet address x.x.x.x/30
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 vlan-tagging
set interfaces ge-0/0/4 unit 20 description users-data
set interfaces ge-0/0/4 unit 20 vlan-id 20
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 virtual-address 172.16.93.254
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 priority 100
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 accept-data trust
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic protocols all
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone mpls host-inbound-traffic system-services all
set security zones security-zone mpls host-inbound-traffic protocols all
set routing-instances cce instance-type virtual-router
set routing-instances cce interface ge-0/0/4.20
set routing-instances internet instance-type virtual-router
set routing-instances internet interface ge-0/0/0.346
set routing-instances internet routing-options static route 0.0.0.0/0 next-hop x.x.x.141
set routing-instances voip instance-type virtual-router
set routing-instances voip interface ge-0/0/4.70
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

It would be great if you could spot what I'm missing.

1 Answer

Looking at your config, ge-0/0/4.20 is not in the trust security zone.

 set security zones security-zone trust interfaces ge-0/0/4.20

That should fix the problem and bring up your VRRP adjacency.

You will also need to remove the routing instances if you want policies between trust and untrust to work.

Routing instances always "seem" like the right answer for isolation, but they add a lot of unnecessary complexity. Zones and policies work just fine.
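As an added check, not part of the question or the answer above, the following Python script lints a Junos set-style config for the failure described here: a VRRP interface that sits in no security zone, or whose zone does not allow vrrp in host-inbound-traffic. The sample lines are constructed from the question's config, and FIX_LINE is the answer's command in correct Junos syntax.

```python
from collections import defaultdict

# Constructed sample: the VRRP-relevant lines from the question's config.
SAMPLE_CONFIG = """
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 virtual-address 172.16.93.254
set interfaces ge-0/0/4 unit 20 family inet address 172.16.93.253/24 vrrp-group 1 priority 100
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces ge-0/0/0.346 host-inbound-traffic protocols all
"""
# The answer's fix (zone membership for the VRRP interface), appended on a second run.
FIX_LINE = "set security zones security-zone trust interfaces ge-0/0/4.20\n"

def parse_set_config(text):
    """Index VRRP interfaces, zone membership and allowed host-inbound protocols."""
    vrrp = {}                        # logical interface -> vrrp group id
    zone_of = {}                     # logical interface -> zone name
    zone_proto = defaultdict(set)    # zone -> zone-wide host-inbound protocols
    iface_proto = defaultdict(set)   # logical interface -> per-interface protocols
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "interfaces" and "vrrp-group" in t:
            unit = t[t.index("unit") + 1]
            vrrp[f"{t[2]}.{unit}"] = t[t.index("vrrp-group") + 1]
        elif t[1:4] == ["security", "zones", "security-zone"] and len(t) > 4:
            zone = t[4]
            proto = t[t.index("protocols") + 1] if "protocols" in t else None
            if "interfaces" in t:               # per-interface statement
                ifl = t[t.index("interfaces") + 1]
                zone_of[ifl] = zone
                if proto:
                    iface_proto[ifl].add(proto)
            elif proto:                         # zone-wide statement
                zone_proto[zone].add(proto)
    return vrrp, zone_of, zone_proto, iface_proto

def find_vrrp_issues(text):
    """Report VRRP groups whose interface cannot receive adverts: no zone, or zone blocks vrrp."""
    vrrp, zone_of, zone_proto, iface_proto = parse_set_config(text)
    findings = []
    for ifl, group in sorted(vrrp.items()):
        zone = zone_of.get(ifl)
        if zone is None:
            findings.append(f"{ifl} vrrp-group {group}: not in any security zone")
        elif not ({"all", "vrrp"} & (zone_proto[zone] | iface_proto[ifl])):
            findings.append(f"{ifl} vrrp-group {group}: zone {zone} does not allow vrrp inbound")
    return findings

if __name__ == "__main__":
    print(find_vrrp_issues(SAMPLE_CONFIG))             # one finding for ge-0/0/4.20
    print(find_vrrp_issues(SAMPLE_CONFIG + FIX_LINE))  # []
```

Running it against the question's config reports ge-0/0/4.20 as zoneless; with the answer's line appended the report is empty, which is the quick check to run before suspecting the VRRP configuration itself.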