close
keyboard_arrow_left
Table of Contents
- play_arrow 概述
- play_arrow 服务概述
- play_arrow 服务配置概述
-
- play_arrow 网络地址转换
- play_arrow NAT 概述
- play_arrow 状态式 NAT64
- play_arrow 静态源 NAT
- play_arrow 静态目标 NAT
- play_arrow 网络地址端口转换
- play_arrow 可确定的 NAT
- play_arrow NAT 协议转换
- play_arrow 使用 464XLAT 跨纯 IPv6 网络的 IPv4 连接
- play_arrow 端口控制协议
- play_arrow 安全端口块分配
- play_arrow 端口转发
- play_arrow 动态仅地址源转换
- play_arrow 内联 NAT
- play_arrow IPv6 的无状态源网络前缀转换
- play_arrow 监控 NAT
- play_arrow 数据包转换和 GRE 隧道
-
- play_arrow 使用 MAP-E 和 MAP-T 过渡到 IPv6
- play_arrow 使用 MAP-E 和 MAP-T 过渡到 IPv6
- 地址和端口映射与转换 (MAP-T)
-
- play_arrow 通过软线过渡到 IPv6
- play_arrow 通过 6to4 软线过渡到 IPv6
- play_arrow 通过 DS-Lite 软线过渡到 IPv6
- play_arrow 通过第 6 条软线过渡到 IPv6
- play_arrow 通过内联软线过渡到 IPv6
- play_arrow 监控和故障排除 软线
-
- play_arrow ALG
- play_arrow 访问安全
- play_arrow 有状态防火墙
- play_arrow MS-DPC 上的 IDS
- play_arrow MS-MPC 和 MS-MIC 上的网络攻击防护
-
- play_arrow IPsec 隧道
- play_arrow IPsec 概述
- play_arrow 内联 IPsec
- play_arrow 具有静态端点的 IPsec 隧道
- play_arrow 具有动态端点的 IPsec 隧道
-
- play_arrow 服务卡上的 CoS
- play_arrow 服务卡上的 CoS
- play_arrow 链路服务接口上的服务等级
-
- play_arrow 多链路
- play_arrow 流量负载均衡器
- play_arrow 流量负载均衡器
-
- play_arrow 服务卡冗余
- play_arrow MS-MPC 和 MS-MIC 的服务卡冗余
- play_arrow 多服务 PIC 的服务卡冗余
-
- play_arrow 语音服务
- play_arrow 语音服务
-
- play_arrow 第 2 层 PPP 隧道
- play_arrow PPP 数据包的第 2 层隧道
-
- play_arrow URL 过滤
- play_arrow URL 过滤
-
- play_arrow 配置语句和作命令
list Table of Contents
MS-MIC 和 MS-MPC 的机箱间高可用性(版本 15.1 及更早版本)
date_range
18-Dec-23
注意:
本主题适用于 Junos OS 15.1 及更低版本。(对于 Junos OS 16.1 及更高版本,请参阅针对长期生存的 NAT 和有状态防火墙流的机箱间有状态同步(MS-MPC、MS-MIC)概述(版本 16.1 及更高版本)。
机箱间高可用性支持使用切换到不同机箱上的备份服务 PIC 的有状态服务同步。本主题适用于 Junos OS 15.1 及更低版本。(对于 Junos OS 16.1 及更高版本,请参阅 针对长期生存的 NAT 和有状态防火墙流的机箱间有状态同步(MS-MPC、MS-MIC)概述(版本 16.1 及更高版本)。以下主题介绍了该功能:
有状态防火墙和 NAPT44 的机箱间高可用性概述(MS-MIC、MS-MPC)
运营商级 NAT (CGN) 部署可以使用双机箱实施,为路由器中的关键组件提供冗余数据路径和冗余。尽管机箱内高可用性可用于双机箱环境,但它只能处理服务 PIC 故障。如果由于路由器中的某些其他故障而导致流量切换到备份路由器,则状态将丢失。机箱间高可用性可保留状态,并使用比机箱内高可用性更少的服务 PIC 提供冗余。在高可用性对中的主机箱和备份机箱之间仅同步长期流。在发出显式 CLI 命令 request services redundancy (synchronize | no-synchronize)以启动或停止状态复制之前,服务 PIC 不会复制状态。可以同步状态防火墙、NAPT44 和 APP 状态信息。
注意:
当主 PIC 和备份 PIC 都启动时,复制会在发出 时 request services redundancy command 立即开始。
要使用机箱间高可用性,必须使用为下一跃点服务接口配置的服务集。机箱间高可用性适用于在 MS-MIC 或 MS-MPC 接口卡上配置的 MS 服务接口。必须使用选项 ip-address-owner service-plane 配置单元 0 以外的单元。
以下限制适用:
NAPT44 是唯一受支持的翻译类型。
ALG、PBA 端口块分配 (PBA)、端点无关映射 (EIM) 或端点无关过滤器 (EIF) 不支持检查点。
图 1 显示了机箱间高可用性拓扑。
图 1:机箱间高可用性拓扑 
为有状态防火墙和 NAPT44 配置机箱间高可用性(MS-MPC、MS-MIC)
要在 MS-MIC 或 MS-MPC 服务 PICS 上为状态防火墙和 NAPT44 配置机箱间可用性,请在高可用性对的每个机箱上执行以下配置步骤:
示例:NAT 和有状态防火墙的机箱间有状态高可用性(MS-MIC、MS-MPC)
此示例说明如何为有状态防火墙和 NAT 服务配置机箱间高可用性。
要求
此示例使用以下硬件和软件组件:
两台带有 MS-MPC 线卡的 MX480 路由器
Junos OS 13.3 或更高版本
概述
两台 MX 3D 路由器的配置相同,可在机箱发生故障时促进防火墙和 NAT 服务的有状态故障切换。
配置
要为此示例配置机箱间高可用性,请执行以下操作:
CLI 快速配置
要在路由器上快速配置此示例,请复制以下命令,并在删除换行符并替换特定于站点的接口信息后将其粘贴到路由器终端窗口中。
注意:
以下配置适用于机箱 1。
content_copy zoom_out_map
[edit] set interfaces ms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.2 set interfaces ms-4/0/0 redundancy-options routing-instance HA set interfaces ms-4/0/0 unit 10 ip-address-owner service-plane set interfaces ms-4/0/0 unit 10 family inet address 5.5.5.1/32 set interfaces ms-4/0/0 unit 20 family inet set interfaces ms-4/0/0 unit 20 service-domain inside set interfaces ms-4/0/0 unit 30 family inet set interfaces ms-4/0/0 unit 30 service-domain outside set interfaces ge-2/0/0 vlan-tagging set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.1/24 set routing-instances HA instance-type vrf set routing-instances HA interface ge-2/0/0.0 set routing-instances HA interface ms-4/0/0.10 set routing-instances HA route-distinguisher 1:1 set policy-options policy-statement dummy term 1 then reject set routing-instances HA vrf-import dummy set routing-instances HA vrf-export dummy set routing-instances HA routing-options static route route 5.5.5.1/32 next-hop ms-4/0/0.10 set routing-instances HA routing-options static route route 5.5.5.2/32 next-hop 20.1.1.2 set services nat pool p2 address 32.0.0.0/24 set services nat pool p2 port automatic random-allocation set services nat pool p2 address-allocation round-robin set services nat rule r2 match-direction input set services nat rule r2 term t1 from source-address 129.0.0.0/8 set services nat rule r2 term t1 from source-address 128.0.0.0/8 set services nat rule r2 term t1 then translated source-pool p2 set services nat rule r2 term t1 then translated translation-type napt-44 set services nat rule r2 term t1 then translated address-pooling paired set services nat rule r2 term t1 then syslog set services stateful-firewall rule r2 match-direction input set services stateful-firewall rule r2 term t1 from source-address any-unicast set services stateful-firewall rule r2 term t1 then accept set services stateful-firewall rule r2 term t1 then syslog set services service-set ss2 replicate-services replication-threshold 180 set services service-set ss2 replicate-services stateful-firewall set services service-set ss2 replicate-services nat set services service-set ss2 stateful-firewall-rules r2 set services service-set ss2 nat-rules r2 set services service-set ss2 next-hop-service inside-service-interface ms-4/0/0.20 set services service-set ss2 next-hop-service outside-service-interface ms-4/0/0.30 set services service-set ss2 syslog host local class session-logs set services service-set ss2 syslog host local class stateful-firewall-logs set services service-set ss2 syslog host local class nat-logs
注意:
以下配置适用于机箱 2。机箱 1 和机箱 2 的 NAT、有状态防火墙和服务集信息必须相同。
content_copy zoom_out_map
set interfaces ms-4/0/0 redundancy-options routing-instance HA set interfaces ms-4/0/0 unit 10 ip-address-owner service-plane set interfaces ms-4/0/0 unit 10 family inet address 5.5.5.2/32 set interfaces ms-4/0/0 unit 20 family inet set interfaces ms-4/0/0 unit 20 service-domain inside set interfaces ms-4/0/0 unit 30 family inet set interfaces ms-4/0/0 unit 30 service-domain outside set interfaces ge-2/0/0 vlan-tagging set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.2/24 set routing-instances HA instance-type vrf set routing-instances HA interface ge-2/0/0.0 set routing-instances HA interface ms-4/0/0.10 set routing-instances HA route-distinguisher 1:1 set routing-instances HA vrf-import dummy set routing-instances HA vrf-export dummy set routing-instances HA routing-options static route 5.5.5.2/32 next-hop ms-4/0/0.10 set routing-instances HA routing-options static route 5.5.5.1/32 next-hop 20.1.1.1 set services nat pool p2 address 32.0.0.0/24 set services nat pool p2 port automatic random-allocation set services nat pool p2 address-allocation round-robin set services nat rule r2 match-direction input set services nat rule r2 term t1 from source-address 129.0.0.0/8 set services nat rule r2 term t1 from source-address 128.0.0.0/8 set services nat rule r2 term t1 then translated source-pool p2 set services nat rule r2 term t1 then translated translation-type napt-44 set services nat rule r2 term t1 then translated address-pooling paired set services nat rule r2 term t1 then syslog set services stateful-firewall rule r2 match-direction input set services stateful-firewall rule r2 term t1 from source-address any-unicast set services stateful-firewall rule r2 term t1 then accept set services stateful-firewall rule r2 term t1 then syslog set services service-set ss2 replicate-services replication-threshold 180 set services service-set ss2 replicate-services stateful-firewall set services service-set ss2 replicate-services nat set services service-set ss2 stateful-firewall-rules r2 set services service-set ss2 nat-rules r2 set services service-set ss2 next-hop-service inside-service-interface ms-4/0/0.20 set services service-set ss2 next-hop-service outside-service-interface ms-4/0/0.30 set services service-set ss2 syslog host local class session-logs set services service-set ss2 syslog host local class stateful-firewall-logs set services service-set ss2 syslog host local class nat-logs
配置机箱 1 的接口。
分步过程
每个 HA 路由器对的接口配置相同,但以下服务 PIC 选项除外:
redundancy-options redundancy-peer ipaddress addressunit unit-number family inet address address包含选项的单位(除 0 外)ip-address-owner service-plane
要配置接口:
在机箱 1 上配置冗余服务 PIC。
content_copy zoom_out_map[edit interfaces} user@host# set interfaces ms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.2 user@host# set interfaces ms-4/0/0 redundancy-options routing-instance HA user@host# set interfaces ms-4/0/0 unit 10 ip-address-owner service-plane user@host# set interfaces ms-4/0/0 unit 10 family inet address 5.5.5.1/32 user@host# set interfaces ms-4/0/0 unit 20 family inet user@host# set interfaces ms-4/0/0 unit 20 service-domain inside user@host# set interfaces ms-4/0/0 unit 30 family inet user@host# set interfaces ms-4/0/0 unit 30 service-domain outside
配置机箱 1 的接口,用作同步流量的机箱间链路。
content_copy zoom_out_mapuser@host# set interfaces ge-2/0/0 vlan-tagging user@host# set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.1/24
根据需要配置其余接口。
结果
content_copy zoom_out_map
user@host# show interfaces
ge-2/0/0 {
vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 20.1.1.1/24;
}
}
}
ms-4/0/0 {
redundancy-options {
redundancy-peer {
ipaddress 5.5.5.2;
}
routing-instance HA;
}
unit 10 {
ip-address-owner service-plane;
family inet {
address 5.5.5.1/32;
}
}
unit 20 {
family inet;
family inet6;
service-domain inside;
}
unit 30 {
family inet;
family inet6;
service-domain outside;
}
}
}
配置机箱 1 的路由信息
分步过程
此示例不包括详细的路由配置。机箱之间的 HA 同步流量需要一个路由实例,如下所示:
为机箱 1 配置路由实例。
content_copy zoom_out_mapuser@host# set routing-instances HA instance-type vrf user@host# set routing-instances HA interface ge-2/0/0.0 user@host# set routing-instances HA interface ms-4/0/0.10 user@host# set routing-instances HA route-distinguisher 1:1 user@host# set policy-options policy-statement dummy term 1 then reject user@host# set routing-instances HA vrf-import dummy user@host# set routing-instances HA vrf-export dummy user@host# set routing-instances HA routing-options static route route 5.5.5.1/32 next-hop ms-4/0/0.10 user@host# set routing-instances HA routing-options static route route 5.5.5.2/32 next-hop 20.1.1.2
结果
content_copy zoom_out_map
user@host# show routing-instances
HA {
instance-type vrf;
interface ge-2/0/0.0;
interface ms-4/0/0.10;
route-distinguisher 1:1;
vrf-import dummy;
vrf-export dummy;
routing-options {
static {
route 5.5.5.1/32 next-hop ms-4/0/0.10;
route 5.5.5.2/32 next-hop 20.1.1.2;
}
}
}
为机箱 1 配置 NAT 和有状态防火墙
分步过程
在两个路由器上以相同的方式配置 NAT 和有状态防火墙。要配置 NAT 和有状态防火墙,请执行以下操作:
根据需要配置 NAT。
content_copy zoom_out_mapuser@host# set services nat pool p2 address 32.0.0.0/24 user@host# set services nat pool p2 port automatic random-allocation user@host# set services nat pool p2 address-allocation round-robin user@host# set services nat rule r2 match-direction input user@host# set services nat rule r2 term t1 from source-address 129.0.0.0/8 user@host# set services nat rule r2 term t1 from source-address 128.0.0.0/8 user@host# set services nat rule r2 term t1 then translated source-pool p2 user@host# set services nat rule r2 term t1 then translated translation-type napt-44 user@host# set services nat rule r2 term t1 then translated address-pooling paired user@host# set services nat rule r2 term t1 then syslog
根据需要配置有状态防火墙。
content_copy zoom_out_mapuser@host# set services stateful-firewall rule r2 match-direction input user@host# set services stateful-firewall rule r2 term t1 from source-address any-unicast user@host# set services stateful-firewall rule r2 term t1 then accept user@host# set services stateful-firewall rule r2 term t1 then syslog
结果
content_copy zoom_out_map
user@host# show services nat
nat {
pool p2 {
address 32.0.0.0/24;
port {
automatic {
random-allocation;
}
}
address-allocation round-robin;
}
rule r2 {
match-direction input;
term t1 {
from {
source-address {
129.0.0.0/8;
128.0.0.0/8;
}
}
then {
translated {
source-pool p2;
translation-type {
napt-44;
}
address-pooling paired;
}
syslog;
}
}
}
}
}
content_copy zoom_out_map
user@host show services stateful-firewell
rule r2 {
match-direction input;
term t1 {
from {
source-address {
any-unicast;
}
}
then {
accept;
syslog;
}
}
}
配置服务集
分步过程
在两个路由器上以相同的方式配置服务集。要配置服务集:
配置服务集复制选项。
content_copy zoom_out_mapuser@host# set services service-set ss2 replicate-services replication-threshold 180 user@host# set services service-set ss2 replicate-services stateful-firewall user@host# set services service-set ss2 replicate-services nat
为服务集配置对 NAT 和有状态防火墙规则的引用。
content_copy zoom_out_mapuser@host# set services service-set ss2 stateful-firewall-rules r2 user@host# set services service-set ss2 nat-rules r2
在 MS-PIC 上配置下一跃点服务接口。
content_copy zoom_out_mapuser@host# set services service-set ss2 next-hop-service inside-service-interface ms-4/0/0.20 user@host# set services service-set ss2 next-hop-service outside-service-interface ms-4/0/0.30
配置所需的日志记录选项。
content_copy zoom_out_mapuser@host# set services service-set ss2 syslog host local class session-logs user@host# set services service-set ss2 syslog host local class stateful-firewall-logs user@host# set services service-set ss2 syslog host local class nat-logs
结果
content_copy zoom_out_map
user@host# show services service-set ss2
syslog {
host local {
class {
session-logs;
inactive: stateful-firewall-logs;
nat-logs;
}
}
}
replicate-services {
replication-threshold 180;
stateful-firewall;
nat;
}
stateful-firewall-rules r2;
inactive: nat-rules r2;
next-hop-service {
inside-service-interface ms-3/0/0.20;
outside-service-interface ms-3/0/0.30;
}
}
配置机箱 2 的接口
分步过程
每个 HA 路由器对的接口配置相同,但以下服务 PIC 选项除外:
redundancy-options redundancy-peer ipaddress addressunit unit-number family inet address address包含选项的单位(除 0 外)ip-address-owner service-plane
在机箱 2 上配置冗余服务 PIC。
指向
redundancy-peer ipaddress包含语句的机箱ip-address-owner service-plane1 上 ms-4/0/0 上的单元(单元 10)地址。content_copy zoom_out_map[edit interfaces} set interfaces ms-4/0/0 redundancy-options redundancy-peer ipaddress 5.5.5.1 user@host# set interfaces ms-4/0/0 redundancy-options routing-instance HA user@host# set interfaces ms-4/0/0 unit 10 ip-address-owner service-plane user@host# set interfaces ms-4/0/0 unit 10 family inet address 5.5.5.2/32 user@host# set interfaces ms-4/0/0 unit 20 family inet user@host# set interfaces ms-4/0/0 unit 20 service-domain inside user@host# set interfaces ms-4/0/0 unit 30 family inet user@host# set interfaces ms-4/0/0 unit 30 service-domain outside
配置机箱 2 的接口,用作同步流量的机箱间链路
content_copy zoom_out_mapuser@host# set interfaces ge-2/0/0 vlan-tagging user@host# set interfaces ge-2/0/0 unit 0 vlan-id 100 family inet address 20.1.1.2/24
根据需要配置机箱 2 的其余接口。
结果
content_copy zoom_out_map
user@host# show interfaces
ms-4/0/0 {
redundancy-options {
redundancy-peer {
ipaddress 5.5.5.1;
}
routing-instance HA;
}
unit 0 {
family inet;
}
unit 10 {
ip-address-owner service-plane;
family inet {
address 5.5.5.2/32;
}
}
ge-2/0/0 {
vlan-tagging;
unit 0 {
vlan-id 100;
family inet {
address 20.1.1.2/24;
}
}
unit 10 {
vlan-id 10;
family inet {
address 2.10.1.2/24;
}
配置机箱 2 的路由信息
分步过程
此示例不包括详细的路由配置。路由实例是两个机箱之间的 HA 同步流量所必需的,此处已包含该实例。
为机箱 2 配置路由实例。
content_copy zoom_out_mapuser@host# set routing-instances HA instance-type vrf user@host# set routing-instances HA interface ge-2/0/0.0 user@host# set routing-instances HA interface ms-4/0/0.10 user@host# set routing-instances HA route-distinguisher 1:1 user@host# set policy-options policy-statement dummy term 1 then reject user@host# set routing-instances HA vrf-import dummy user@host# set routing-instances HA vrf-export dummy user@host# set routing-instances HA routing-options static route 5.5.5.2/32 next-hop ms-4/0/0.10 user@host# set routing-instances HA routing-options static route 5.5.5.1/32 next-hop 20.1.1.1
注意:以下配置步骤与机箱 1 所示步骤 相同 。
配置 NAT 和有状态防火墙
配置服务集
结果
content_copy zoom_out_map
user@host# show services routing-instances
HA {
instance-type vrf;
interface xe-2/2/0.0;
interface ms-4/0/0.10;
route-distinguisher 1:1;
vrf-import dummy;
vrf-export dummy;
routing-options {
static {
route 5.5.5.2/32 next-hop ms-4/0/0.10;
route 5.5.5.1/32 next-hop 20.1.1.1;
}
}