Topology:
Lab description: PC2 sits in the Trust zone and PC1 in the Untrust zone. FW1 and FW2 form a dual-device hot standby (HRP) pair in active/standby mode; the service interfaces are Layer 3 interfaces, connected upstream and downstream to switches. Firewall interface GE1/0/6 is the heartbeat link (simplified here to a single link; several can be configured and bundled with link aggregation). The goal is for PC2 to reach PC1, then to simulate a failure of FW1's Trust interface so that traffic switches over; 60 s after the fault is cleared, FW1 preempts automatically.
FW1 configuration:
!Software Version V500R005C10SPC300
#
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/6 remote 1.1.1.2
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.10.253 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.30.253 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.30.254 active
vrrp virtual-mac enable
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.20.253 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.254 active
vrrp virtual-mac enable
service-manage ping permit
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 1.1.1.1 255.255.255.252
service-manage ping permit
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/6
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
rule name Trust_Untrust
source-zone trust
destination-zone untrust
action permit
rule name Untrust_Trust
source-zone untrust
destination-zone trust
action permit
#
return
FW2 configuration:
#
sysname FW2
#
hrp enable
hrp standby-device
hrp interface GigabitEthernet1/0/6 remote 1.1.1.1
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.10.252 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.30.252 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.30.254 standby
vrrp virtual-mac enable
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.20.252 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.20.254 standby
vrrp virtual-mac enable
service-manage ping permit
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 1.1.1.2 255.255.255.252
service-manage ping permit
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/6
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
rule name Trust_Untrust
source-zone trust
destination-zone untrust
action permit
rule name Untrust_Trust
source-zone untrust
destination-zone trust
action permit
#
return
Key points: the main thing is to make sure, before configuring HRP, that the interfaces are added to the same zones on both devices; the configuration itself is simple. The security policy is configured on the primary device FW1 after HRP is established; once HRP is up it cannot be configured on the standby device.
Result: while PC2 pings PC1, FW1's GE1/0/2 interface is taken down and the traffic switches over.
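The key points above, as an added example (Python, not part of the lab note): a minimal parser for the two configs and checks that zone membership is identical on both devices, that the VRRP groups are mirrored with FW1 active and FW2 standby, and that `hrp standby-device` is set only on the backup. It also flags permit rules that open a lower-priority zone towards a higher-priority one with no source, destination or service restriction, which is what the lab's `Untrust_Trust` rule does. `FW1_CFG` is an excerpt of the FW1 config shown above; `FW2_CFG` is constructed from it by substitution rather than copied; the parser and the function names are this example's own.

```python
# Added example, not part of the lab note: parses the two device configs as
# text and checks the note's key points (identical zone membership on both
# firewalls, mirrored VRRP groups with FW1 active and FW2 standby, "hrp
# standby-device" on the backup only) and flags permit rules from a low- to a
# high-priority zone with no address or service restriction (Untrust_Trust).
# Minimal parser written for this example; FW1_CFG is an excerpt of the note's
# FW1 config, FW2_CFG is constructed from it by substitution.
FW1_CFG = """\
hrp enable
#
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 192.168.30.254 active
#
interface GigabitEthernet1/0/2
 vrrp vrid 1 virtual-ip 192.168.20.254 active
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/6
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
security-policy
 rule name Trust_Untrust
  source-zone trust
  destination-zone untrust
  action permit
 rule name Untrust_Trust
  source-zone untrust
  destination-zone trust
  action permit
#
"""
FW2_CFG = (FW1_CFG.replace("hrp enable", "hrp enable\nhrp standby-device")
           .replace(" active", " standby"))


def parse_config(text: str) -> dict:
    cfg = {"zones": {}, "vrrp": {}, "rules": [], "hrp": {"enable": False, "standby": False}}
    ctx = None  # ("if", name) | ("zone", dict) | ("policy", None) | ("rule", dict)
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "#":  # a '#' line closes the current block
            ctx = None
        elif w[0] == "interface":
            ctx = ("if", w[1])
        elif w[:2] == ["firewall", "zone"]:
            ctx = ("zone", cfg["zones"].setdefault(w[2], {"priority": None, "interfaces": set()}))
        elif w[0] == "security-policy":
            ctx = ("policy", None)
        elif w[:2] == ["hrp", "enable"]:
            cfg["hrp"]["enable"] = True
        elif w[:2] == ["hrp", "standby-device"]:
            cfg["hrp"]["standby"] = True
        elif ctx is None:
            continue  # sysname, return and other global lines are not modelled
        elif ctx[0] == "if" and w[:2] == ["vrrp", "vrid"]:
            cfg["vrrp"][int(w[2])] = {"vip": w[4], "role": w[5], "interface": ctx[1]}
        elif ctx[0] == "zone" and w[0] == "set":
            ctx[1]["priority"] = int(w[2])
        elif ctx[0] == "zone" and w[0] == "add":
            ctx[1]["interfaces"].add(w[2])
        elif ctx[0] in ("policy", "rule") and w[:2] == ["rule", "name"]:
            cfg["rules"].append({"name": w[2]})
            ctx = ("rule", cfg["rules"][-1])
        elif ctx[0] == "rule":
            ctx[1][w[0]] = " ".join(w[1:])
    return cfg


def check_hrp_pair(primary: dict, backup: dict) -> list:
    # Differences that would stop HRP from forming or give the pair the wrong roles.
    out = [f"zone {z} differs between primary and backup"
           for z in sorted(set(primary["zones"]) | set(backup["zones"]))
           if primary["zones"].get(z) != backup["zones"].get(z)]
    for vrid in sorted(set(primary["vrrp"]) | set(backup["vrrp"])):
        p, b = primary["vrrp"].get(vrid), backup["vrrp"].get(vrid)
        if p is None or b is None or (p["vip"], p["interface"]) != (b["vip"], b["interface"]):
            out.append(f"vrrp vrid {vrid} is not mirrored on both devices")
        elif (p["role"], b["role"]) != ("active", "standby"):
            out.append(f"vrrp vrid {vrid} roles are not active/standby")
    if not (primary["hrp"]["enable"] and backup["hrp"]["enable"]):
        out.append("hrp enable is missing on one device")
    if primary["hrp"]["standby"] or not backup["hrp"]["standby"]:
        out.append("hrp standby-device must be set on the backup only")
    return out


def permissive_rules(cfg: dict) -> list:
    # Permit rules from a lower-priority zone into a higher one with no narrowing.
    names = []
    for r in cfg["rules"]:
        src = cfg["zones"].get(r.get("source-zone"), {}).get("priority")
        dst = cfg["zones"].get(r.get("destination-zone"), {}).get("priority")
        narrowed = any(k in r for k in ("source-address", "destination-address", "service"))
        if r.get("action") == "permit" and None not in (src, dst) and src < dst and not narrowed:
            names.append(r["name"])
    return names
```

Run it over the two exported configs before `hrp enable`: an empty result from `check_hrp_pair` means the zones and VRRP groups are mirrored and the roles match the lab (FW1 active, FW2 standby); any finding names the block to fix first. The permissive-rule report is independent of HRP: in the lab, permit-all in both directions keeps the failover test simple, but the `Untrust_Trust` rule is the one to narrow to the addresses and services PC1 actually needs to reach.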