Scenario: two firewalls in an active/standby pair, with the firewall's south side as Trust and its north side as Untrust. The two PCs are in the same VLAN. Trust-PC is allowed to access Untrust-PC; Untrust is not allowed to initiate access to Trust.
Firewall configuration:
#
sysname A
#
vlan batch 10
#
hrp enable
hrp interface GigabitEthernet1/0/4 remote 1.1.1.2
hrp mirror session enable //enable session hot backup so that an active/standby switchover does not break communication because the sessions on the two boxes differ and have to be rebuilt from a new first packet
hrp track vlan 10 //track the interfaces in VLAN 10; in a real deployment the firewall may have more than one interface in VLAN 10, and when a VLAN 10 interface fails VGMP performs the active/standby switchover
The standby firewall has one line more than the active one: hrp device-standby
#
interface GigabitEthernet1/0/0
portswitch
undo shutdown
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
link-group 1 //configure a link-group; this environment has only one uplink/downlink pair, and when one interface in the group fails all interfaces in the group are shut down. With several uplinks and downlinks, consider link-group-monitor to tie multiple link-groups together
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
link-group 1
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 1.1.1.1 255.255.255.252
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/4
#
security-policy
rule name Trust_Untrust
source-zone trust
destination-zone untrust
action permit
#
return
Other points to note: when the uplink and downlink switch ports are deployed at layer 2, the deployment mode must be active/standby; load sharing is not possible.
Test results:
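As an added check, not from the original post, the following Python script parses a VRP-style configuration like the one above and verifies the properties this design relies on: HRP and session mirroring are on, a VLAN is tracked, every trunk port carrying that VLAN belongs to a link-group, and no security-policy rule permits Untrust to initiate into Trust. The embedded sample is a constructed excerpt of the configuration shown on the page, and parse_sections and audit are names chosen here.

```python
import re
# Constructed excerpt of the config shown above (comments dropped), not a full device dump.
SAMPLE_CONFIG = """\
hrp enable
hrp mirror session enable
hrp track vlan 10
#
interface GigabitEthernet1/0/0
 port trunk allow-pass vlan 10
 link-group 1
#
interface GigabitEthernet1/0/1
 port trunk allow-pass vlan 10
 link-group 1
#
security-policy
 rule name Trust_Untrust
  source-zone trust
  destination-zone untrust
  action permit
#
"""

def parse_sections(text):  # VRP config: blocks of indented lines delimited by bare '#' lines
    blocks = [[l.strip() for l in s.splitlines() if l.strip()] for s in text.split("\n#\n")]
    return [b for b in blocks if b]
def audit(text):
    """Check the properties the post relies on; the two lists are empty when all is well."""
    blocks = parse_sections(text)
    flat = [l for b in blocks for l in b]
    tracked = [l.split()[3] for l in flat if l.startswith("hrp track vlan ")]
    unguarded, rules, cur = [], [], None
    for b in blocks:
        if b[0].startswith("interface "):
            # A port carrying a tracked VLAN must be in a link-group, or its failure leaves the paired port up (explicit VLAN lists only)
            carries = any(re.match(r"port trunk allow-pass vlan\b.*\b%s\b" % v, l) for v in tracked for l in b)
            if carries and not any(l.startswith("link-group ") for l in b):
                unguarded.append(b[0].split()[1])
        elif b[0] == "security-policy":
            for l in b[1:]:  # "rule name X" opens a rule; the lines after it are its attributes
                if l.startswith("rule name "):
                    rules.append(cur := {"name": l.split()[2]})
                elif cur is not None:
                    k, _, v = l.partition(" ")
                    cur[k] = v
    bad = [r["name"] for r in rules if r.get("source-zone") == "untrust"
           and r.get("destination-zone") == "trust" and r.get("action") == "permit"]
    return {"hrp_enabled": "hrp enable" in flat, "session_mirroring": "hrp mirror session enable" in flat,
            "vlan_tracked": bool(tracked), "ports_without_link_group": unguarded, "untrust_to_trust_permits": bad}
```

Run audit on a saved `display current-configuration` dump of the active and the standby box; any name in the two lists is a port or rule that breaks the design described above.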
