如图下所示,企业的两台FW的业务接口都工作在三层,上下行分别连接二层交换机。上行交换机连接运营商的接入点,运营商为企业分配的IP地址为1.1.1.1。现在希望两台FW以主备备份方式工作。正常情况下,流量通过FW_A转发。当FW_A出现故障时,流量通过FW_B转发,保证业务不中断。
操作步骤
- 完成网络基本配置。
配置FW各个接口的ip地址
FW_A
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/6
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit FW_B
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/6
[FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/7] quit 将fw各个接口加入相应的安全区域。
FW_A
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/6
[FW_A-zone-dmz] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quitFW_B
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/6
[FW_B-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] quit在FW上配置缺省路由,下一跳为1.1.1.10,使内网用户的流量可以正常转发至Router.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10[FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.1.102.配置VRRP备份组。
在FW_A上行业务接口GE1/0/1上配置VRRP备份组1,并设置其状态为Active。在FW_B上行业务接口GE1/0/1上配置VRRP备份组1,并设置其状态为Standby。需要注意的是如果接口的IP地址与VRRP备份组地址不在同一网段,则配置VRRP备份组地址时需要指定掩码。
FW_A
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet1/0/1] quitFW_B
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet1/0/1] quit在FW_A下行业务接口GE1/0/3上配置VRRP备份组2,并设置其状态为Active。在FW_B下行业务接口GE1/0/3上配置VRRP备份组2,并设置其状态为Standby。
FW_A
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet1/0/3] quit FW_B
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet1/0/3] quit 3.指定心跳口并启用双机热备功能。
FW_A
[FW_A] hrp interface GigabitEthernet 1/0/6 remote 10.10.0.2
[FW_A] hrp enable FW_B
[FW_B] hrp interface GigabitEthernet 1/0/6 remote 10.10.0.1
[FW_B] hrp enable 4.在FW_A上配置安全策略。双机热备状态成功建立后,FW_A的安全策略配置会自动备份到FW_B上。
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit 5.在FW_A上配置NAT策略。双机热备状态成功建立后,FW_A的NAT策略配置会自动备份到FW_B上。
配置NAT策略,当内网用户访问Internet时,将源地址由10.3.0.0/16网段转换为地址池中的地址(1.1.1.2-1.1.1.5)。
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1结果验证
- 在FW_A和FW_B上执行display vrrp命令,检查VRRP组内接口的状态信息,显示以下信息表示VRRP组建立成功。
- 在FW_A和FW_B上执行display hrp state verbose命令,检查当前VGMP组的状态,显示以下信息表示双机热备建立成功。
