mypath posted on 2009-5-12 00:55:00

Case study: session synchronization between two NetScreen firewalls under asymmetric routing

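<h2 style="margin: 13pt="13pt"0cm;"><span>Overview</span></h2>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt; text-indent: 28pt;"><span style="font-size: 14pt;">When deploying a pair of NetScreen firewalls, the customer's network environment is often fairly complex, and customers commonly have some rather specific requirements, for example: they are unwilling to change the current network topology; deploying firewalls must not lead to the purchase of other network equipment; the two firewalls must be able to work independently at the same time and back each other up; and the firewalls must support path redundancy in an asymmetric routing structure. This places very high demands on the firewall pair's ability to adapt to complex network environments. The NetScreen NSRP redundancy protocol makes full use of device availability on top of providing high reliability. It can provide multiple levels of link-level redundancy and flexible networking options for a variety of environments. For a given deployment, depending on the customer's network environment, one can choose a square ("口"-shaped) or Full Mesh topology in either an active/passive or active/active structure, and session synchronization can be achieved while the two firewalls work independently. This article discusses session synchronization for a NetScreen pair in an asymmetric network structure.</span></p>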
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
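<h2 style="margin: 13pt="13pt"0cm;"><span>Analysis of path redundancy in an asymmetric routing environment</span></h2>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">As is well known, a stateful inspection firewall decides whether to establish a session according to policy. Once a policy matches and the application connection is established, the firewall creates a corresponding session (session entry) based on the details of the conversation and uses that session to match the subsequent packets of the connection; only packets that match a session pass the flow state check. Generally speaking, for a data flow that enters a firewall, its return packets must also pass through that same firewall. If the network fails or routing is asymmetric (inbound and outbound traffic take different paths), can NetScreen firewalls ensure that established sessions are not interrupted and that services keep running? Testing has verified that NetScreen firewalls support session synchronization between two independent firewalls and normal forwarding of traffic in an asymmetric routing environment.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Customer requirement</span></strong><span style="font-size: 14pt;">: the network environment is shown below: </span></p>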
<div forimg="1"><img class="blogimg" small="0" src="http://hiphotos.baidu.com/huangtangjun/pic/item/c46ff1def09c674594ee3707.jpg" border="0"/></div>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
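<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">The customer wants to make full use of existing network resources (the upstream and downstream network devices are all routers), have the two firewalls work independently (the devices on each side handle their own network traffic), and have the other device automatically take over the session information of the failed device when a firewall or link fails, so that services keep running without interruption.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Reasons for the requirement:</span></strong><span style="font-size: 14pt;"> 1. Network traffic is shared in the full sense; in this network environment every device takes part in processing traffic, making full use of device availability. 2. Existing network devices are fully used, with no need to buy additional Layer 3 or Layer 2 switches because firewalls are added. 3. The OSPF protocol is used to converge automatically after network failures, avoiding complicated static route configuration.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Solution:</span></strong><span style="font-size: 14pt;"> Enable the OSPF routing protocol for dynamic convergence after network failures; the two firewalls are connected by an NSRP heartbeat link, used to synchronize the session tables between the firewalls. </span></p>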
<div forimg="1"><img class="blogimg" small="0" src="http://hiphotos.baidu.com/huangtangjun/pic/item/18b3ab7782f9590ab151b958.jpg" border="0"/></div>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">Solution notes:</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt="0pt"36pt; text-indent: -36pt;"><span style="font-size: 14pt;">1. Set metric values to balance network traffic and to ensure that traffic entering from one side returns along the same path.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt="0pt"36pt; text-indent: -36pt;"><span style="font-size: 14pt;">2. The two firewalls are connected by a heartbeat link (the interfaces are placed in the HA zone and NSRP is enabled). Delete the default NSRP VSD 0 group, disable the default configuration synchronization feature, enable NSRP session synchronization, and configure the nsrp rto-mirror session non-vsi command so that session information is synchronized between the two firewalls in a non-VSI environment.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt="0pt"36pt; text-indent: -36pt;"><span style="font-size: 14pt;">3. Configure the policies on the two firewalls so that they always remain identical.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">Under normal conditions the two firewalls each process their own inbound and outbound traffic and synchronize the session tables they build with each other. When a network failure occurs (router, firewall or cable), the OSPF dynamic routing protocol converges and switches paths. Because the session information on the two firewalls is always consistent, even if application traffic comes in on one side and, because of the path switch, returns on the other side, the other firewall can still perform the state check and forward the traffic correctly, so the application's session is not interrupted.</span></p>
<h2 style="margin: 13pt="13pt"0cm;"><span style="font-size: 18pt; line-height: 173%;">Solution verification test</span></h2>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Test environment:</span></strong><span style="font-size: 14pt;"> two ns204 devices running 5.3.0R3, two Layer 2 switches and two Windows terminals, connected as shown in the following diagram: </span>
</p><p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Test procedure:</span></strong></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">Build the test environment according to the diagram above and configure the cluster information on the two firewalls. After deleting vsd0 group, configure the set nsrp rto-mirror session non-vsi command so that both firewalls are in the (M) state, then test over a telnet connection.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt="0pt"18pt; text-indent: -18pt;"><span style="font-size: 14pt;">1. When the gateways of the client and the server both point to the same firewall, the telnet connection works normally and the session information is synchronized to the other firewall.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt="0pt"18pt; text-indent: -18pt;"><span style="font-size: 14pt;">2. When the gateways of the client and the server point to different firewalls, as shown in the diagram above, telnet can establish a connection normally, the session information stays synchronized between the two firewalls, and ping shows no packet loss.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt="0pt"18pt; text-indent: -18pt;"><span style="font-size: 14pt;">3. Because two routers to act as the gateways of the two terminals were not available, device power-off and cable pull tests could not be carried out during the test. Judging from the test results, however, NS can support device redundancy and session switchover in this asymmetric environment.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Test conclusion:</span></strong><span style="font-size: 14pt;"> In an asymmetric routing environment, specific configuration commands allow two independent firewalls to keep their sessions synchronized. Even if an application connection was not established independently by that firewall (NS204-B), NS204-B can still make the correct forwarding decision based on the synchronized session.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Configuration</span></strong></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span><font face="Times New="New"Roman">NS-A</font></span></strong><strong><span>:</span></strong></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">ns204-a(M)-&gt; get config | in nsrp</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">set nsrp cluster id 1</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">set nsrp rto-mirror sync</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">set nsrp rto-mirror session non-vsi</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">unset nsrp vsd-group id 0</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">unset nsrp config sync</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">ns204-a(M)-&gt; get int</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">Name<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>IP Address<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>Zone<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>MAC<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>VLAN State VSD<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span></font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">eth1<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>172.27.10.111/25<span style="">&nbsp;&nbsp;</span>Untrust<span style="">&nbsp;&nbsp;&nbsp;&nbsp;</span>0010.db5d.55f0<span style="">&nbsp;&nbsp;&nbsp;</span>-<span style="">&nbsp;&nbsp;</span>U<span style="">&nbsp;&nbsp;</span>-<span style=""> </span></font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">eth2<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>192.168.100.1/24<span style="">&nbsp;&nbsp;</span>Trust<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>0010.db5d.55f6<span style="">&nbsp;&nbsp;&nbsp;</span>-<span style="">&nbsp;&nbsp;</span>U<span style="">&nbsp;&nbsp;</span>-<span style=""> </span></font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span><font face="Times New="New"Roman">NS-B</font></span></strong><strong><span>:</span></strong></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">ns204-b(M)-&gt; get config | in nsrp</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">set nsrp cluster id 1</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">set nsrp rto-mirror sync</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">set nsrp rto-mirror session non-vsi</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">unset nsrp vsd-group id 0</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">unset nsrp config sync</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">ns204-b(M)-&gt; get int</font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">Name<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>IP Address<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>Zone<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>MAC<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>VLAN State VSD<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span></font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">eth1<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>172.27.10.114/25<span style="">&nbsp;&nbsp;</span>Untrust<span style="">&nbsp;&nbsp;&nbsp;&nbsp;</span>0010.db30.1bd0<span style="">&nbsp;&nbsp;&nbsp;</span>-<span style="">&nbsp;&nbsp;</span>U<span style="">&nbsp;&nbsp;</span>-<span style=""> </span></font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span><font face="Times New="New"Roman">eth2<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>192.168.100.4/24<span style="">&nbsp;&nbsp;</span>Trust<span style="">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>0010.db30.1bd5<span style="">&nbsp;&nbsp;&nbsp;</span>-<span style="">&nbsp;&nbsp;</span>U<span style="">&nbsp;&nbsp;</span>-<span style=""> </span></font></span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><strong><span style="font-size: 14pt;">Appendix: typical NSRP dual-device A/A (active/active) deployment modes</span></strong></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">1. Layer 3 switch + firewall + Layer 3 switch topology, as shown below: </span></p>
<div forimg="1"><img class="blogimg" small="0" src="http://hiphotos.baidu.com/huangtangjun/pic/item/da0b31fae0844d0fa8d3113b.jpg" border="0"/></div>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
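<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">Advantages: This topology suits large intranet environments. It provides redundancy against firewall, switch and link failures while making full use of device availability; both firewalls are active at the same time and can switch over quickly on failure, keeping services running without interruption.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">Disadvantages: Because HSRP/VRRP allows only one Master in a subnet, only one switch in each upstream and downstream switch group is working at any given time; the other switch is in online hot-standby state.</span></p>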
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">2. Router + firewall + Layer 3 switch topology, as shown below: </span></p>
<div forimg="1"><img class="blogimg" small="0" src="http://hiphotos.baidu.com/huangtangjun/pic/item/693679f4dd3688c8f3d3855c.jpg" border="0"/></div>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"> </p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">Characteristics: Widely applicable; supports both active/passive and active/active firewall topologies; strong redundancy.</span></p>
<p class="MsoNormal" style="margin: 0cm="0cm"0cm="0cm"0pt;"><span style="font-size: 14pt;">The disadvantage is that additional Layer 2 switches are needed to work with the routers to implement VRRP/HSRP.</span></p>

<div forimg="1"><img class="blogimg" small="0" src="http://hiphotos.baidu.com/huangtangjun/pic/item/f966d309ebce7793d1581b04.jpg" border="0"/></div>
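
Added example, not part of the original post: because the setup above runs `unset nsrp config sync`, step 3 of the solution (identical policies on both firewalls) has to be checked by hand, so this Python audit compares two saved configs for the NSRP lines the post lists and for policy drift. The function names, the `set policy` sample lines and both sample configs are constructed for illustration.

```python
import re

# NSRP lines the post shows on both peers for non-VSI session mirroring.
REQUIRED_NSRP = (
    "set nsrp rto-mirror sync",
    "set nsrp rto-mirror session non-vsi",
    "unset nsrp vsd-group id 0",
    "unset nsrp config sync",
)

def _lines(config):
    """Normalise whitespace; drop blank lines and CLI prompt lines."""
    lines = (" ".join(raw.split()) for raw in config.splitlines())
    return [l for l in lines if l and "->" not in l]

def audit_peer(config):
    """Return (cluster_id, missing_nsrp_lines, policy_lines) for one peer."""
    lines = _lines(config)
    cluster = None
    for line in lines:
        m = re.fullmatch(r"set nsrp cluster id (\d+)", line)
        if m:
            cluster = int(m.group(1))
    missing = [req for req in REQUIRED_NSRP if req not in lines]
    # Assumption: one "set policy ..." header line per policy.
    policies = {l for l in lines if l.startswith("set policy ")}
    return cluster, missing, policies

def compare_peers(cfg_a, cfg_b):
    """List findings that would undermine session takeover by the peer."""
    cl_a, miss_a, pol_a = audit_peer(cfg_a)
    cl_b, miss_b, pol_b = audit_peer(cfg_b)
    findings = []
    if cl_a is None or cl_a != cl_b:
        findings.append(f"cluster id mismatch: A={cl_a} B={cl_b}")
    findings += [f"A missing: {m}" for m in miss_a]
    findings += [f"B missing: {m}" for m in miss_b]
    findings += [f"policy only on A: {p}" for p in sorted(pol_a - pol_b)]
    findings += [f"policy only on B: {p}" for p in sorted(pol_b - pol_a)]
    return findings

# Constructed sample configs (not captured from the devices in the post).
NSRP_OK = "set nsrp cluster id 1\n" + "\n".join(REQUIRED_NSRP) + "\n"
POL_TELNET = 'set policy id 1 from "Trust" to "Untrust" "Any" "Any" "TELNET" permit\n'
POL_PING = 'set policy id 2 from "Trust" to "Untrust" "Any" "Any" "PING" permit\n'
CFG_A = "ns204-a(M)-> get config\n" + NSRP_OK + POL_TELNET + POL_PING
# Peer B lacks the non-vsi mirror line and the PING policy.
CFG_B = ("ns204-b(M)-> get config\n"
         + NSRP_OK.replace("set nsrp rto-mirror session non-vsi\n", "")
         + POL_TELNET)

if __name__ == "__main__":
    for finding in compare_peers(CFG_A, CFG_B):
        print(finding)
```

An empty result means both peers carry the same cluster id, all four NSRP lines and the same set of policy lines.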

jbzkvvtg posted on 2012-7-18 15:04:00

Good post.... <font face="Verdana">Wei Ge</font>

zw517 posted on 2012-7-23 11:32:00

Good post....