拓扑说明:FW1作为主墙、FW2作为备墙,进行双机热备,旁挂形式组网,PC访问路由器AR1的时候需要流量经过防火墙,并且在防火墙上做SNAT,PC地址对于路由器不可见。
CSW配置:
# sysname CSW # vlan batch 100 to 102 # dhcp enable # ip vpn-instance Internet ipv4-family route-distinguisher 100:1 # ip vpn-instance Lan ipv4-family route-distinguisher 100:2 # interface Vlanif1 ip binding vpn-instance Lan ip address 192.168.1.254 255.255.255.0 dhcp select interface # interface Vlanif100 ip binding vpn-instance Internet ip address 192.168.100.2 255.255.255.252 # interface Vlanif101 ip binding vpn-instance Lan ip address 192.168.101.6 255.255.255.248 # interface Vlanif102 ip binding vpn-instance Internet ip address 192.168.102.6 255.255.255.248 # interface Eth-Trunk1 port link-type trunk port trunk allow-pass vlan 101 to 102 mode lacp-static # interface Eth-Trunk2 port link-type trunk port trunk allow-pass vlan 101 to 102 mode lacp-static # interface GigabitEthernet0/0/1 eth-trunk 1 # interface GigabitEthernet0/0/2 eth-trunk 1 # interface GigabitEthernet0/0/3 eth-trunk 2 # interface GigabitEthernet0/0/4 eth-trunk 2 # interface GigabitEthernet0/0/5 port link-type access # interface GigabitEthernet0/0/24 port link-type access port default vlan 100 # ip route-static vpn-instance Internet 0.0.0.0 0.0.0.0 192.168.100.1 ip route-static vpn-instance Lan 0.0.0.0 0.0.0.0 192.168.101.1
FW-1主墙配置:
# sysname FW-1 # hrp enable hrp interface Eth-Trunk63 remote 1.1.1.2 hrp mirror session enable hrp standby config enable hrp track interface GigabitEthernet1/0/0 hrp track interface GigabitEthernet1/0/1 # interface Eth-Trunk1 mode lacp-static # interface Eth-Trunk1.101 vlan-type dot1q 101 ip address 192.168.101.2 255.255.255.248 vrrp vrid 1 virtual-ip 192.168.101.1 active service-manage ping permit # interface Eth-Trunk1.102 vlan-type dot1q 102 ip address 192.168.102.2 255.255.255.248 vrrp vrid 2 virtual-ip 192.168.102.1 active service-manage ping permit # interface Eth-Trunk63 ip address 1.1.1.1 255.255.255.252 mode lacp-static # interface GigabitEthernet1/0/0 undo shutdown eth-trunk 1 # interface GigabitEthernet1/0/1 undo shutdown eth-trunk 1 # interface GigabitEthernet1/0/5 undo shutdown eth-trunk 63 # interface GigabitEthernet1/0/6 undo shutdown eth-trunk 63 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Eth-Trunk1.101 add interface Eth-Trunk63 add interface GigabitEthernet0/0/0 # firewall zone untrust set priority 5 add interface Eth-Trunk1.102 # firewall zone dmz set priority 50 # ip route-static 0.0.0.0 0.0.0.0 192.168.102.6 ip route-static 192.168.1.0 255.255.255.0 192.168.101.6 # nat address-group PC 0 mode pat section 0 192.168.102.5 192.168.102.5 # security-policy rule name Trust_To_Local source-zone trust destination-zone local action permit rule name Trust_To_Untrust source-zone trust destination-zone untrust source-address 192.168.1.0 mask 255.255.255.0 action permit # nat-policy rule name Turst_Untrust_Easy-ip source-zone trust destination-zone untrust source-address 192.168.1.0 mask 255.255.255.0 action source-nat address-group PC #
FW-2备墙配置:
# sysname FW-2 # hrp enable hrp standby-device hrp interface Eth-Trunk63 remote 1.1.1.1 hrp mirror session enable hrp standby config enable hrp track interface GigabitEthernet1/0/0 hrp track interface GigabitEthernet1/0/1 # interface Eth-Trunk1 mode lacp-static # interface Eth-Trunk1.101 vlan-type dot1q 101 ip address 192.168.101.3 255.255.255.248 vrrp vrid 1 virtual-ip 192.168.101.1 standby service-manage ping permit # interface Eth-Trunk1.102 vlan-type dot1q 102 ip address 192.168.102.3 255.255.255.248 vrrp vrid 2 virtual-ip 192.168.102.1 standby service-manage ping permit # interface Eth-Trunk63 ip address 1.1.1.2 255.255.255.252 mode lacp-static # interface GigabitEthernet1/0/0 undo shutdown eth-trunk 1 # interface GigabitEthernet1/0/1 undo shutdown eth-trunk 1 # interface GigabitEthernet1/0/5 undo shutdown eth-trunk 63 # interface GigabitEthernet1/0/6 undo shutdown eth-trunk 63 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Eth-Trunk1.101 add interface Eth-Trunk63 add interface GigabitEthernet0/0/0 # firewall zone untrust set priority 5 add interface Eth-Trunk1.102 # firewall zone dmz set priority 50 # ip route-static 0.0.0.0 0.0.0.0 192.168.102.6 ip route-static 192.168.1.0 255.255.255.0 192.168.101.6 # nat address-group PC 0 mode pat section 0 192.168.102.5 192.168.102.5 # security-policy rule name Trust_To_Local source-zone trust destination-zone local action permit rule name Trust_To_Untrust source-zone trust destination-zone untrust source-address 192.168.1.0 mask 255.255.255.0 action permit # nat-policy rule name Turst_Untrust_Easy-ip source-zone trust destination-zone untrust source-address 192.168.1.0 mask 255.255.255.0 action source-nat address-group PC #
结果:
知识点:由于华为不能设置hrp track的优先级,当track接口down后,优先级会-2,然后会进行主备切换,当track接口为Eth-trunk接口的时候,可以设置Eth-trunk的成员的下限阈值来控制最小的端口活动数,如果不满足则down掉eth-trunk接口,如:least active-linknumber 2,就是当成员端口数量大于等于2的时候接口状态为UP,否者为DOWN。