Huawei USG6000v firewall hot-standby deployment: load-sharing networking with Layer 3 services on the upstream and downstream sides.
(1) Networking requirements
The two FWs work in load-sharing mode: FW1 and FW2 forward traffic together, and when one FW fails the other FW forwards all traffic, so service is not interrupted.
1. Plan the IP addressing properly, enable the firewall network interfaces and configure routing;
2. Configure security policies on the firewalls so that PC1 and PC2 can reach PC3 and PC4;
3. Enable high availability on the firewalls and configure the hot-standby (dual-device) function;
4. Plan the VLANs, IP addresses and firewall virtual gateways for SW1, SW2, FW1 and FW2;
5. FW1 is the active device and FW2 the standby device; on a failure FW1 and FW2 switch over so that service is not interrupted;
6. Test the active/standby switchover of the firewall hot-standby pair;
7. Enable the load-sharing function of the hot-standby pair and test it.
Switching devices
Active/standby: point to the firewall virtual gateway 10.1.2.254 / 100.1.1.254
Load sharing: point to the firewall virtual gateway 10.1.2.251 / 100.1.1.251
(2) Network topology
(3) Lab procedure and verification
1. Basic configuration of SW1
[SW1]display vlan
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(D) GE0/0/22(D) GE0/0/23(D) GE0/0/24(D)
2 common UT:GE0/0/3(U)
3 common UT:GE0/0/1(U) GE0/0/2(U)
4 common UT:GE0/0/4(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
[SW1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif2 10.1.1.1/24 up up
Vlanif3 10.1.2.1/24 up up
Vlanif4 10.1.4.1/24 up up
[SW1]dis ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Static
Destinations : 1 Routes : 2 Configured Routes : 2
Static routing table status : <Active>
Destinations : 1 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 10.1.2.254 Vlanif3
Static 60 0 RD 10.1.2.251 Vlanif3
Static routing table status : <Inactive>
Destinations : 0 Routes : 0
2. Basic configuration of SW2
<Sw2>display vlan
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(D) GE0/0/22(D) GE0/0/23(D) GE0/0/24(D)
2 common UT:GE0/0/3(U)
3 common UT:GE0/0/1(U) GE0/0/2(U)
4 common UT:GE0/0/4(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
<Sw2>display ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif2 100.1.2.1/24 up up
Vlanif3 100.1.1.1/24 up up
Vlanif4 100.1.4.1/24 up up
[Sw2]dis ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Static
Destinations : 1 Routes : 2 Configured Routes : 2
Static routing table status : <Active>
Destinations : 1 Routes : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 100.1.1.254 Vlanif3
Static 60 0 RD 100.1.1.251 Vlanif3
Static routing table status : <Inactive>
Destinations : 0 Routes : 0
3. Firewall network, routing and hot-standby configuration (FW1/FW2)
FW1 network interface configuration
FW2 network interface configuration
FW1 route configuration
Note: when configuring the routes, use a 16-bit mask (10.1.0.0/16) and set the security policy source address to 10.1.0.0/16; otherwise the load-sharing service configuration is affected.
FW2 route configuration
FW security policy: once hot standby is deployed, configure the policy on the active device and it is synchronised to the standby automatically, so do not configure the policy on FW2.
FW1 hot-standby virtual gateway and load-sharing deployment
FW2 hot-standby virtual gateway and load-sharing deployment
4. Testing firewall hot standby
Set the switch uplink to down. The traffic that was passing through the active device loses 3 packets because of the switch uplink port failure and then switches to the standby device.
5. Testing firewall load sharing
FW1 is Active and FW2 is Active, meaning both can forward traffic: load sharing is in effect.
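The failover test in step 4 and the load-sharing result in step 5 rest on one property of this design: each switch keeps two equal-cost default routes (to 10.1.2.254 and 10.1.2.251), each virtual gateway is a VRRP group mastered by one firewall, and when a firewall fails its virtual gateway moves to the peer, so the switch never has to withdraw a route. The model below is an added example, not the lab's device configuration or any Huawei code; it also checks the /16 policy note from step 3. The VIPs and the 10.1.0.0/16 policy source come from the page; the PC subnets 10.1.1.0/24 and 10.1.4.0/24 (SW1's Vlanif2 and Vlanif4), the flow hash and the sample flows are constructed assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Values taken from the lab: the two virtual gateways SW1 points at, and the
# /16 the note in step 3 says the FW security policy must use as its source.
UPLINK_VIPS = ("10.1.2.254", "10.1.2.251")
POLICY_SOURCE = "10.1.0.0/16"
# Assumed PC subnets behind SW1 (Vlanif2 and Vlanif4 in the display output).
PC_SUBNETS = ("10.1.1.0/24", "10.1.4.0/24")


@dataclass
class Firewall:
    name: str
    up: bool = True
    vips: set = field(default_factory=set)  # VRRP groups this FW is master for


@dataclass
class Cluster:
    fw1: Firewall
    fw2: Firewall

    def vip_owner(self, vip):
        """The firewall that currently answers for a virtual gateway, if any."""
        for fw in (self.fw1, self.fw2):
            if fw.up and vip in fw.vips:
                return fw
        return None

    def fail(self, name):
        """Take one firewall down; the surviving peer becomes master for its VIPs."""
        down, peer = (self.fw1, self.fw2) if name == self.fw1.name else (self.fw2, self.fw1)
        down.up = False
        if peer.up:
            peer.vips |= down.vips
        down.vips = set()


def ecmp_next_hop(src, dst, gateways=UPLINK_VIPS):
    """Per-flow choice between the two equal-cost default routes.
    Constructed hash: a real switch uses its own hardware hash, but the
    property that matters is the same, one flow always maps to one next hop."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return gateways[digest[0] % len(gateways)]


def policy_covers(policy_source, subnets):
    """True when every PC subnet falls inside the policy's source range."""
    net = ipaddress.ip_network(policy_source)
    return all(ipaddress.ip_network(s).subnet_of(net) for s in subnets)


def forward(cluster, src, dst, policy_source=POLICY_SOURCE):
    """Name of the firewall that forwards this flow, or None if it is dropped."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(policy_source):
        return None  # denied by the (synchronised) security policy
    owner = cluster.vip_owner(ecmp_next_hop(src, dst))
    return owner.name if owner else None


def build_cluster():
    """Load-sharing layout of the lab: FW1 masters .254, FW2 masters .251."""
    return Cluster(Firewall("FW1", vips={"10.1.2.254"}), Firewall("FW2", vips={"10.1.2.251"}))


def sample_flows():
    """Constructed flows: 20 hosts in each PC subnet talking to one host behind SW2."""
    return [(f"10.1.{vlan}.{h}", "100.1.2.10") for vlan in (1, 4) for h in range(1, 21)]


def distribution(cluster, flows):
    """How many flows each firewall forwards (key None = dropped)."""
    counts = {}
    for src, dst in flows:
        fw = forward(cluster, src, dst)
        counts[fw] = counts.get(fw, 0) + 1
    return counts


if __name__ == "__main__":
    cluster = build_cluster()
    flows = sample_flows()
    print("both up:", distribution(cluster, flows))
    cluster.fail("FW1")
    print("FW1 down:", distribution(cluster, flows))
    print("/24 policy covers both PC subnets:", policy_covers("10.1.1.0/24", PC_SUBNETS))
```

With both firewalls up the flows split across FW1 and FW2; after `fail("FW1")` every flow still reaches a gateway, now all on FW2, without any change on the switch. The `policy_covers` check shows why the note insists on /16: a /24 source would permit one PC subnet and silently drop the other.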
HRP_M[FW1]dis hrp state verbose
2023-05-21 07:16:47.660
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 13 minutes
Last state change information: 2023-05-21 7:03:11 HRP link changes to up.
HRP_S[FW2]dis hrp state verbose
2023-05-21 07:17:41.720
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 14 minutes
Last state change information: 2023-05-21 7:03:11 HRP link changes to up.
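Reading `display hrp state verbose` by eye works in a lab; in operation the same check belongs in monitoring. The script below is an added example (not Huawei's code or part of the lab) that parses both firewalls' output and reports findings when the pair does not match the expected mode: in load sharing both must report active with equal running priority, each side's view of the peer must match the peer's own role, and a high backup-channel usage or a recent state change is worth a finding. The two sample outputs are copied from the page; the thresholds are assumptions.

```python
import re

# Copied from the lab page: display hrp state verbose on FW1 and FW2.
FW1_OUTPUT = """2023-05-21 07:16:47.660
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 13 minutes
Last state change information: 2023-05-21 7:03:11 HRP link changes to up."""

FW2_OUTPUT = """2023-05-21 07:17:41.720
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 14 minutes
Last state change information: 2023-05-21 7:03:11 HRP link changes to up."""


def parse_hrp_state(text):
    """Pull the fields of one `display hrp state verbose` output into a dict."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.groups()

    role, peer = grab(r"Role:\s*(\w+),\s*peer:\s*(\w+)")
    prio, peer_prio = grab(r"Running priority:\s*(\d+),\s*peer:\s*(\d+)")
    (usage,) = grab(r"Backup channel usage:\s*([\d.]+)%")
    days, hours, minutes = grab(r"Stable time:\s*(\d+) days?,\s*(\d+) hours?,\s*(\d+) minutes?")
    (last_change,) = grab(r"Last state change information:\s*(.+)")
    return {
        "role": role,
        "peer": peer,
        "priority": int(prio),
        "peer_priority": int(peer_prio),
        "backup_channel_usage": float(usage),
        "stable_minutes": int(days) * 1440 + int(hours) * 60 + int(minutes),
        "last_change": last_change.strip(),
    }


def check_pair(fw1_text, fw2_text, mode="load-sharing",
               min_stable_minutes=0, max_channel_usage=80.0):
    """Compare both firewalls' views; return a list of findings (empty = healthy)."""
    a, b = parse_hrp_state(fw1_text), parse_hrp_state(fw2_text)
    findings = []
    # Each side's view of the peer must agree with what the peer says about itself.
    if a["peer"] != b["role"] or b["peer"] != a["role"]:
        findings.append("role views disagree between the two firewalls (check the HRP backup channel)")
    if a["priority"] != b["peer_priority"] or b["priority"] != a["peer_priority"]:
        findings.append("priority views disagree between the two firewalls")
    if mode == "load-sharing":
        if not (a["role"] == "active" and b["role"] == "active"):
            findings.append(f"expected active/active, got {a['role']}/{b['role']}")
        if a["priority"] != b["priority"]:
            findings.append("load sharing expects equal running priorities")
    elif mode == "active-standby":
        if {a["role"], b["role"]} != {"active", "standby"}:
            findings.append(f"expected one active and one standby, got {a['role']}/{b['role']}")
    else:
        raise ValueError(f"unknown mode: {mode}")
    # Assumed operational thresholds, tune to the environment.
    for name, s in (("FW1", a), ("FW2", b)):
        if s["backup_channel_usage"] > max_channel_usage:
            findings.append(f"{name}: backup channel usage {s['backup_channel_usage']}% is high")
        if s["stable_minutes"] < min_stable_minutes:
            findings.append(f"{name}: state changed {s['stable_minutes']} minutes ago: {s['last_change']}")
    return findings


if __name__ == "__main__":
    print(check_pair(FW1_OUTPUT, FW2_OUTPUT) or "HA pair healthy in load-sharing mode")
```

On the page's own output the check returns no findings for load-sharing mode; running the same output against `mode="active-standby"` flags the active/active state, which is how a script catches a pair that was meant to be active/standby but has drifted into both-active.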