First of all, practice, so that you understand all the requirements and the configuration approach. High availability is such a common requirement that I won't say much about it; let's go straight to the configuration approach.
Let's dig in!
Conditions required to configure HA:
Before configuring, verify that the two security gateways that will form the typical HA deployment use identical hardware platforms and firmware versions, have the same VR, antivirus and IPS enablement, have the antivirus and IPS licenses installed, and use the same interfaces on both devices to connect to the network.
PS: In plain terms: the firmware version must be the same, the licenses must be the same, and even the interfaces connected to the public network and to the intranet must be the same. In short, everything has to match.
Configuration
CLI configuration method: primary device
hillstone-a(A)(config)# track ha    // name the track object "ha"
hillstone-a(A)(config-trackip)# interface ethernet0/1 weight 255    // track eth0/1; the weight defaults to 255
hillstone-a(config)# ha group 0    // create HA group 0
hillstone-a(config-ha-group)# priority    // configure the priority value; the smaller the value, the higher the priority
hillstone-a(config-ha-group)# preempt    // configure role preemption (generally not configured)
hillstone-a(A)(config-ha-group)# monitor track ha    // reference the track object configured earlier
hillstone-a(config-ha-group)# exit
hillstone-a(config)#
hillstone-a(config)# ha link interface ethernet0/4    // set the HA link interface (eth0/4, zone ha)
hillstone-a(config)# ha link ip 172.29.200.1/30    // HA link IP address
hillstone-a(config)# ha cluster 7    // configure the cluster ID (the most critical step)
hillstone-a(M)(config)#
Repeat the same configuration once on the standby device:
hillstone-b(B)(config)# track ha
hillstone-b(B)(config-trackip)# interface ethernet0/1 weight 255
hillstone-b(config)# ha group 0
hillstone-b(config-ha-group)# priority 100
hillstone-b(config-ha-group)# preempt
hillstone-b(B)(config-ha-group)# monitor track ha
hillstone-b(config-ha-group)# exit
hillstone-b(config)#
hillstone-b(config)# ha link interface ethernet0/4
hillstone-b(config)# ha link ip 172.29.200.2/30
hillstone-b(config)# ha cluster 7
hillstone-b(B)(config)#
The HA configuration is now complete, and you can see that the primary and standby status of the two devices is normal. Have fun.
PS: The HA link IP is independent of the intranet; you can pick more or less any /30 for it. The track object I configured above monitors the uplink, so do not set it to monitor the HA heartbeat interface (eth0/4).
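A consistency check for the two CLI configurations above, as an added example (not code from the original post or from Hillstone). It parses the HA commands of both peers and reports a mismatched cluster ID or HA link interface, HA link IPs that are not two hosts in one subnet, and a track object that watches the heartbeat interface. The sample configs are constructed from the session above with prompts stripped, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample configs modelled on the CLI session above (prompts stripped).
PRIMARY = """track ha
interface ethernet0/1 weight 255
ha group 0
monitor track ha
ha link interface ethernet0/4
ha link ip 172.29.200.1/30
ha cluster 7"""
STANDBY = PRIMARY.replace("200.1/30", "200.2/30")

def parse(cfg):
    """Collect the HA-relevant settings from one device's command list."""
    d = {"tracks": {}, "monitor": None, "link_if": None, "link_ip": None, "cluster": None}
    current = None
    for line in cfg.splitlines():
        w = line.lower().split()
        if len(w) == 2 and w[0] == "track":
            current = w[1]
            d["tracks"][current] = {}
        elif len(w) == 4 and w[0] == "interface" and w[2] == "weight" and current:
            d["tracks"][current][w[1]] = int(w[3])
        elif len(w) == 3 and w[:2] == ["monitor", "track"]:
            d["monitor"] = w[2]
        elif len(w) == 4 and w[:3] == ["ha", "link", "interface"]:
            d["link_if"] = w[3]
        elif len(w) == 4 and w[:3] == ["ha", "link", "ip"]:
            d["link_ip"] = ipaddress.ip_interface(w[3])
        elif len(w) == 3 and w[:2] == ["ha", "cluster"]:
            d["cluster"] = int(w[2])
    return d

def audit(primary_cfg, standby_cfg):
    """Return a list of HA consistency problems between the two peers."""
    a, b = parse(primary_cfg), parse(standby_cfg)
    issues = []
    for key, label in (("cluster", "cluster ID"), ("link_if", "HA link interface")):
        if a[key] is None or a[key] != b[key]:
            issues.append(f"{label} missing or different")
    ia, ib = a["link_ip"], b["link_ip"]
    if ia is None or ib is None or ia.network != ib.network or ia.ip == ib.ip:
        issues.append("HA link IPs must be two distinct hosts in one subnet")
    for name, d in (("primary", a), ("standby", b)):
        if d["monitor"] not in d["tracks"]:
            issues.append(f"{name}: monitored track object is not defined")
        elif d["link_if"] in d["tracks"][d["monitor"]]:
            issues.append(f"{name}: track object watches the HA link interface")
    return issues
```

`audit(PRIMARY, STANDBY)` returns an empty list for the pair shown on this page; any string in the result names the setting to correct before enabling the cluster.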
The following describes the Web interface configuration method:
1. Click the HA button in System Management to enter the HA configuration interface
2. Configure the heartbeat interface and the heartbeat interface address, and select 1 as the HA cluster ID. A small priority value indicates the primary and a large value indicates the standby. The preemption time only needs to be configured on the primary (0 means no preemption). Configure a monitoring object to control primary/standby switchover: when the monitoring object takes effect, the device automatically becomes the standby.
3. Configure the monitoring object
Click the Monitoring Object button under Object User to enter the configuration interface.
To monitor the physical state of interfaces, you can add more than one interface. Each interface has a weight; when an interface fails, its weight is counted, and when the accumulated weight is greater than or equal to the alert value, the monitoring object takes effect. The weights and the alert value can be adjusted as needed.
Note that the monitored interface must be an uplink (the public-network egress port) or the intranet uplink.
(Optional) To monitor the logical state of the link, you can configure several kinds of probes; ping is used as the example here. Click Add, choose Ping, and pick any name. Once configured, the device sends a ping packet every 3 seconds, and when 3 consecutive packets fail, the entry takes effect. The device sends the ping packets through the configured interface, preferring the management IP configured on that interface as the source address (if there is none, the interface's IP is used as the source address).
4. Configure the interfaces
[Primary/standby mode] In AP mode, interfaces are configured the same way as for a normal Internet connection, directly on the interface; daily maintenance is also the same as usual, with no change.
[Skip the following if you are not using dual-primary mode] In AA mode, group 0 is configured normally, and group 1 requires configuring the VF interface.
5. Configure the management IP
Since the standby does not forward traffic, a management IP must be configured on the group 0 interface, for device management and track monitoring.
6. Configure NAT
In AP mode, NAT is configured the same way as usual and can be configured directly.
In AA mode, NAT for group 0 is configured the same way as usual, directly; when configuring NAT for group 1, you must select group 1.
SNAT:
DNAT:
7. Configure routing and policies to ensure network connectivity.
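The monitoring-object logic from step 3, modelled as an added example (not code from the original post or from Hillstone): failed interfaces and ping entries contribute their weights, and the object takes effect once the sum reaches the alert value. The alert value of 255, the second uplink ethernet0/2 and all class and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PingEntry:
    weight: int
    retries: int = 3   # consecutive lost pings before the entry takes effect
    lost: int = 0      # current run of lost pings (one ping every 3 seconds)

    def record(self, reply_received):
        # A reply resets the run: only consecutive losses count.
        self.lost = 0 if reply_received else self.lost + 1

    def failed(self):
        return self.lost >= self.retries

@dataclass
class TrackObject:
    threshold: int = 255                        # alert value (assumed for this example)
    links: dict = field(default_factory=dict)   # interface name -> [weight, link_up]
    pings: dict = field(default_factory=dict)   # entry name -> PingEntry

    def failed_weight(self):
        down = sum(w for w, up in self.links.values() if not up)
        return down + sum(p.weight for p in self.pings.values() if p.failed())

    def in_effect(self):
        # The object takes effect when the accumulated weight reaches the alert value.
        return self.failed_weight() >= self.threshold

def first_trigger(track, events):
    """Replay (kind, name, ok) events; return the 1-based index of the event
    at which the object takes effect (the device becomes standby), else None."""
    for i, (kind, name, ok) in enumerate(events, 1):
        if kind == "link":
            track.links[name][1] = ok
        else:
            track.pings[name].record(ok)
        if track.in_effect():
            return i
    return None

# Constructed scenarios: one uplink at weight 255, and two uplinks at 128 each.
def single_uplink():
    return TrackObject(links={"ethernet0/1": [255, True]})

def dual_uplink():
    return TrackObject(links={"ethernet0/1": [128, True], "ethernet0/2": [128, True]})
```

With a single uplink at weight 255, one link failure is enough to hand over the primary role; with two uplinks at 128 each, the object takes effect only when both are down at the same time.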
That's the end of this write-up; I will add more HA troubleshooting issues later. Criticism from the experts is welcome!!
This article is from the "Allen on the road-from zero to one" blog; please contact the author before reprinting!
The configuration end of the-hillstone-nav20-ha of the Stone Network branch