华为防火墙双机热备:上下行接交换机负载分担场景(接口工作三层)

上张贴CrossGrave发表回复

场景说明:某公司跟运营商申请了公网地址100.0.12.0/29,其中100.0.12.6作为运营商下一跳,100.0.12.1-5为购买地址,其中防火墙负载分担使用100.0.12.1-2两个IP,其余100.0.12.3-5作为SNAT使用使内网PC1可以访问公网。

FW-1配置如下:

#
sysname FW-1
#
 hrp enable
 hrp interface GigabitEthernet1/0/6 remote 1.1.1.2 //配置HRP接口及地址,指定remote采用UDP封装HRP报文,不指定remote-ip则采用组播发送通过VRRP封装
 hrp mirror session enable  //开启会话同步
 hrp nat resource primary-group //负载分担场景为了防止SNAT后的端口冲突需要配置该命令,备墙需要配置hrp nat resource secondary-group
 hrp track interface GigabitEthernet1/0/4 
 hrp track interface GigabitEthernet1/0/5
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.0.21.1 255.255.255.252
 vrrp vrid 3 virtual-ip 100.0.12.1 255.255.255.248 active
 vrrp vrid 4 virtual-ip 100.0.12.2 255.255.255.248 standby
 link-group 1 //配置link-group联动组,当组内一个端口down后,其他组内成员端口也会down,本场景可以不配置link-group
 service-manage ping permit
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 10.0.12.3 255.255.255.248
 vrrp vrid 1 virtual-ip 10.0.12.1 active
 vrrp vrid 2 virtual-ip 10.0.12.2 standby
 link-group 1
 service-manage ping permit               
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 1.1.1.1 255.255.255.252
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/5
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/4
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/6       
#
ip route-static 0.0.0.0 0.0.0.0 100.0.12.6
ip route-static 192.168.10.0 255.255.255.0 10.0.12.5
#
nat address-group SNAT 0
 mode pat
 route enable //自动生成unr的黑洞路由
 section 0 100.0.12.3 100.0.12.5
#
security-policy
 rule name Trust_Untrust_Permit
  source-zone trust
  destination-zone untrust
  action permit                           
#
nat-policy
 rule name Trust_Untrust_Snat
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat address-group SNAT
return

备墙和主墙配置差不多,唯一区别就是hrp nat resource secondary-group。
vrrp结果如下:

核心交换机上的默认路由指向两个虚地址10.0.12.1和10.0.12.2,无需配置track来监控路由是否可达

实验结果:

模拟主墙GE1/0/4接口故障后主备发生切换:

备墙成为MASTER承担流量转发。

发表评论

您的电子邮箱地址不会被公开。

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据