转载:(华为配置)防火墙双机热备+BFD联动故障切换实验报告
一、实验拓扑
二、实验内容
(一)实验需求:
某公司通过主防火墙(FW1)与外网进行通信,当主防火墙出现故障时,备份防火墙能够保障正常通信。
(二)基础配置(vlan划分、IP地址配置)
1.ISP
#interface GigabitEthernet0/0/0ip address 100.1.1.1 255.255.255.248#interface LoopBack0ip address 114.114.114.114 255.255.255.252#2.SW-OUT
#vlan batch 2#interface GigabitEthernet0/0/1port link-type accessport default vlan 2#interface GigabitEthernet0/0/2port link-type accessport default vlan 2#interface GigabitEthernet0/0/3port link-type accessport default vlan 2#interface Vlanif2ip address 100.1.1.5 255.255.255.248#3.FW1
#interface GigabitEthernet1/0/0description to_SW-IN_G0/0/1undo shutdownip address 10.1.1.1 255.255.255.248#interface GigabitEthernet1/0/1description to_SW-OUT_G0/0/2undo shutdownip address 100.1.1.2 255.255.255.248#interface GigabitEthernet1/0/2description to_FW2_G1/0/2undo shutdownip address 10.0.12.1 255.255.255.252alias hrp#4.FW2
#interface GigabitEthernet1/0/0description to_SW-IN_G0/0/2undo shutdownip address 10.1.1.3 255.255.255.248#interface GigabitEthernet1/0/1description to_SW-OUT_G0/0/3undo shutdownip address 100.1.1.3 255.255.255.248#interface GigabitEthernet1/0/2description to_FW1_G1/0/2undo shutdownip address 10.0.12.2 255.255.255.252alias hrp#5.SW-IN
#Vlan batch 2 10 20#interface GigabitEthernet0/0/1description to_FW1_G1/0/0port link-type accessport default vlan 2#interface GigabitEthernet0/0/2description to_FW2_G1/0/0port link-type accessport default vlan 2#interface GigabitEthernet0/0/3description to_vlan10port link-type accessport default vlan 10#interface GigabitEthernet0/0/4description to_vlan20port link-type accessport default vlan 20#interface Vlanif2ip address 10.1.1.2 255.255.255.248#interface Vlanif10ip address 172.16.10.254 255.255.255.0#interface Vlanif20ip address 192.168.1.254 255.255.255.0#(三)安全区域划分
1.FW1
#firewall zone trustadd interface GigabitEthernet1/0/0#firewall zone untrustadd interface GigabitEthernet1/0/1#firewall zone dmzadd interface GigabitEthernet1/0/2#2.FW2
#firewall zone trustadd interface GigabitEthernet1/0/0#firewall zone untrustadd interface GigabitEthernet1/0/1#firewall zone dmzadd interface GigabitEthernet1/0/2#(四)VRRP
1.FW1
#interface GigabitEthernet1/0/0vrrp vrid 1 virtual-ip 10.1.1.4 active#interface GigabitEthernet1/0/1vrrp vrid 2 virtual-ip 100.1.1.4 active#2.FW2
#interface GigabitEthernet1/0/0vrrp vrid 1 virtual-ip 10.1.1.4 standby#interface GigabitEthernet1/0/1vrrp vrid 2 virtual-ip 100.1.1.4 standby#(五)配置HRP
1.FW1
#hrp enablehrp interface GigabitEthernet1/0/2 remote 10.0.12.2hrp mirror session enable#2.FW2
#hrp enablehrp interface GigabitEthernet1/0/2 remote 10.0.12.1hrp mirror session enable#(六)配置防火墙安全策略
只需要在FW1上配置,就会同步到FW2
1.FW1
#security-policyrule name t_Usource-zone trustdestination-zone untrustaction permitrule name guanlisource-zone localaction permit#(七)配置防火墙NAT地址池及NAT策略
只需要在FW1上配置,就会同步到FW2
1.FW1
#nat address-group CK_NAT_address 0mode patsection 1 100.1.1.6 100.1.1.6#nat-policyrule name internetsource-zone trustdestination-zone untrustaction source-nat address-group CK_NAT_address#(八)配置指向内外网的双向静态路由
1.SW-OUT
#ip route-static 0.0.0.0 0.0.0.0 100.1.1.1#2.FW1
#ip route-static 0.0.0.0 0.0.0.0 100.1.1.5ip route-static 172.16.10.0 255.255.255.0 10.1.1.2ip route-static 192.168.1.0 255.255.255.0 10.1.1.2#3.FW2
#ip route-static 0.0.0.0 0.0.0.0 100.1.1.5ip route-static 172.16.10.0 255.255.255.0 10.1.1.2ip route-static 192.168.1.0 255.255.255.0 10.1.1.2#4.SW-IN
#ip route-static 0.0.0.0 0.0.0.0 10.1.1.4#(九)上行接口配置BFD联动实现故障快速切换
还可以使用IP-link的icmp报文探测是否存活,但是由于IP-Link探测时间间隔需断网较长时间才恢复正常,所以这里使用BFD。
1.SW-OUT
#bfd#bfd 1 bind peer-ip 100.1.1.2discriminator local 20discriminator remote 10commit#bfd 2 bind peer-ip 100.1.1.3discriminator local 40discriminator remote 30commit#2.FW1
#bfd#bfd 1 bind peer-ip 100.1.1.5discriminator local 10discriminator remote 20commit#hrp enablehrp track interface GigabitEthernet1/0/1hrp track bfd-session 10#3.FW2
#bfd#bfd 1 bind peer-ip 100.1.1.5discriminator local 30discriminator remote 40commit#hrp enablehrp track interface GigabitEthernet1/0/1hrp track bfd-session 30#三、实验结果
(一)PC之间互通
(二)当主防火墙出现故障时,依然能够正常通信
往期推荐
(华为配置篇)华为设备ssh配置脚本
(全网最全面)开学季笔记本电脑验机详细流程及系统优化设置
(华为配置篇)交换机镜像配置
(华为配置篇)IPSec加密GRE通道
(华为配置篇)PPPoe拨号实验、策略路由选路与故障切换
