华为防火墙双机热备-主备旁挂组网

拓扑说明:FW1 作为主墙、FW2 作为备墙组成双机热备,采用旁挂形式组网。PC 访问路由器 AR1 时,流量需要经过防火墙,并在防火墙上做 SNAT,使 PC 的地址对路由器不可见。

CSW配置:

#
sysname CSW
#
vlan batch 100 to 102
#
dhcp enable
#
ip vpn-instance Internet
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance Lan
 ipv4-family
  route-distinguisher 100:2
#                                         
interface Vlanif1
 ip binding vpn-instance Lan
 ip address 192.168.1.254 255.255.255.0
 dhcp select interface
#
interface Vlanif100
 ip binding vpn-instance Internet
 ip address 192.168.100.2 255.255.255.252
#
interface Vlanif101
 ip binding vpn-instance Lan
 ip address 192.168.101.6 255.255.255.248
#
interface Vlanif102
 ip binding vpn-instance Internet         
 ip address 192.168.102.6 255.255.255.248
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
 mode lacp-static
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
 mode lacp-static
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
interface GigabitEthernet0/0/3
 eth-trunk 2
#
interface GigabitEthernet0/0/4            
 eth-trunk 2
#
interface GigabitEthernet0/0/5
 port link-type access
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 100
#
ip route-static vpn-instance Internet 0.0.0.0 0.0.0.0 192.168.100.1
ip route-static vpn-instance Lan 0.0.0.0 0.0.0.0 192.168.101.1

FW-1主墙配置:

#
sysname FW-1
#
 hrp enable
 hrp interface Eth-Trunk63 remote 1.1.1.2
 hrp mirror session enable
 hrp standby config enable
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/1
#
interface Eth-Trunk1
 mode lacp-static
#
interface Eth-Trunk1.101
 vlan-type dot1q 101
 ip address 192.168.101.2 255.255.255.248
 vrrp vrid 1 virtual-ip 192.168.101.1 active
 service-manage ping permit
#
interface Eth-Trunk1.102
 vlan-type dot1q 102
 ip address 192.168.102.2 255.255.255.248
 vrrp vrid 2 virtual-ip 192.168.102.1 active
 service-manage ping permit
#
interface Eth-Trunk63
 ip address 1.1.1.1 255.255.255.252
 mode lacp-static                         
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/5
 undo shutdown
 eth-trunk 63
#
interface GigabitEthernet1/0/6
 undo shutdown
 eth-trunk 63
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.101
 add interface Eth-Trunk63
 add interface GigabitEthernet0/0/0
#
firewall zone untrust                     
 set priority 5
 add interface Eth-Trunk1.102
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 192.168.102.6
ip route-static 192.168.1.0 255.255.255.0 192.168.101.6
#
nat address-group PC 0
 mode pat
 section 0 192.168.102.5 192.168.102.5
#
security-policy                           
 rule name Trust_To_Local
  source-zone trust
  destination-zone local
  action permit
 rule name Trust_To_Untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name Turst_Untrust_Easy-ip
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group PC
#

FW-2备墙配置:

#
sysname FW-2
#
 hrp enable
 hrp standby-device
 hrp interface Eth-Trunk63 remote 1.1.1.1
 hrp mirror session enable
 hrp standby config enable
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/1
#
interface Eth-Trunk1
 mode lacp-static
#
interface Eth-Trunk1.101
 vlan-type dot1q 101
 ip address 192.168.101.3 255.255.255.248
 vrrp vrid 1 virtual-ip 192.168.101.1 standby
 service-manage ping permit
#
interface Eth-Trunk1.102
 vlan-type dot1q 102
 ip address 192.168.102.3 255.255.255.248
 vrrp vrid 2 virtual-ip 192.168.102.1 standby
 service-manage ping permit
#
interface Eth-Trunk63
 ip address 1.1.1.2 255.255.255.252       
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/5
 undo shutdown
 eth-trunk 63
#
interface GigabitEthernet1/0/6
 undo shutdown
 eth-trunk 63
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.101
 add interface Eth-Trunk63
 add interface GigabitEthernet0/0/0
#                                         
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.102
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 192.168.102.6
ip route-static 192.168.1.0 255.255.255.0 192.168.101.6
#
nat address-group PC 0
 mode pat
 section 0 192.168.102.5 192.168.102.5
#                                      
security-policy
 rule name Trust_To_Local
  source-zone trust
  destination-zone local
  action permit
 rule name Trust_To_Untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name Turst_Untrust_Easy-ip
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group PC
#                                         

结果:

访问的时候会话的状态
VGMP的状态
HRP状态

知识点:由于华为防火墙不能单独设置 hrp track 的优先级,当被 track 的接口 down 后,优先级会减 2,随后触发主备切换。当被 track 的接口是 Eth-Trunk 接口时,可以设置 Eth-Trunk 成员端口的下限阈值来控制最小活动端口数,不满足阈值时 Eth-Trunk 接口会被置为 down。例如:least active-linknumber 2,表示活动成员端口数量大于等于 2 时接口状态为 UP,否则为 DOWN。
