Firewall hot standby (HRP) in a one-arm (bypass) deployment
Topology diagram:
Address table
Device | Address | Description |
---|---|---|
SW1 | Vlan100: 192.168.100.254/24, Vlan200: 192.168.200.254/24 | VLAN interfaces connecting FW1/FW2: traffic leaves towards the firewalls on Vlan100 and returns from them on Vlan200 |
FW1 | int g1/0/1: 192.168.100.253/24, int g1/0/0: 192.168.200.253/24 | Connected to the switch |
FW2 | int g1/0/1: 192.168.100.252/24, int g1/0/0: 192.168.200.252/24 | Connected to the switch |
AR1 | int g0/0/0: 192.168.20.1/24 | Connected to the switch |

VRF name | Interfaces | Description |
---|---|---|
a | Vlan100, Vlan10 | Towards firewall A; business VLAN 10 |
b | Vlan200, Vlan20 | Back from the firewalls to the switch; Vlanif20 connects to the router |
Configuration
- SW1
Vlan100 and Vlan200: connect to the firewalls
Vlan10: connects to the PC
Vlan20: connects to the router
[SW1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif10 192.168.10.254/24 up up
Vlanif20 192.168.20.254/24 up up
Vlanif100 192.168.100.254/24 up up
Vlanif200 192.168.200.254/24 up up
# Interface assignment
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 100
# Static routes
[SW1]display current-configuration | include static
# Traffic towards the Internet: next hop is the VRRP virtual address on the FW1/FW2 upstream interfaces
ip route-static vpn-instance a 0.0.0.0 0.0.0.0 192.168.100.251
# Traffic coming back from the firewalls to SW1: next hop is AR1's address
ip route-static vpn-instance b 0.0.0.0 0.0.0.0 192.168.20.1
# Traffic returning from the Internet: next hop is the VRRP virtual address on the FW1/FW2 downstream interfaces
ip route-static vpn-instance b 192.168.10.0 255.255.255.0 192.168.200.251
- FW1
[FW1]display ip interface brief
2024-05-02 12:29:20.020
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 5
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 5
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 192.168.200.253/24 up up
GigabitEthernet1/0/1 192.168.100.253/24 up up
GigabitEthernet1/0/2 1.1.1.1/30 up up
GigabitEthernet1/0/3 unassigned down down
GigabitEthernet1/0/4 unassigned down down
GigabitEthernet1/0/5 unassigned down down
GigabitEthernet1/0/6 unassigned down down
NULL0 unassigned up up(s)
Virtual-if0 unassigned up up(s)
[FW1]display zone trust
2024-05-02 12:29:45.110
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
[FW1]display zone untrust
2024-05-02 12:30:29.740
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
[FW1]display zone dmz
2024-05-02 12:30:42.360
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/2
# Security policy: the default action permits everything
# Configure the forward and return routes
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
ip route-static 192.168.10.0 255.255.255.0 192.168.100.254
# Configure hot standby (HRP)
hrp enable
hrp interface GigabitEthernet1/0/2 remote 1.1.1.2
[FW1]display vrrp brief
2024-05-02 12:34:20.250
Total:2 Master:2 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/1 Vgmp 192.168.100.251
2 Master GE1/0/0 Vgmp 192.168.200.251
- FW2
[FW2]display ip interface brief
2024-05-02 12:31:57.100
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 5
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 5
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 192.168.200.252/24 up up
GigabitEthernet1/0/1 192.168.100.252/24 up up
GigabitEthernet1/0/2 1.1.1.2/30 up up
GigabitEthernet1/0/3 unassigned down down
GigabitEthernet1/0/4 unassigned down down
GigabitEthernet1/0/5 unassigned down down
GigabitEthernet1/0/6 unassigned down down
NULL0 unassigned up up(s)
Virtual-if0 unassigned up up(s)
[FW2]display zone trust
2024-05-02 12:32:08.320
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
[FW2]display zone untrust
2024-05-02 12:32:21.710
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
[FW2]display zone dmz
2024-05-02 12:32:32.230
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/2
# Security policy: the default action permits everything
# Configure the forward and return routes
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
ip route-static 192.168.10.0 255.255.255.0 192.168.100.254
# Configure hot standby (HRP)
hrp enable
hrp standby-device
hrp interface GigabitEthernet1/0/2 remote 1.1.1.1
# Configure VRRP
[FW2]display vrrp brief
2024-05-02 12:34:39.040
Total:2 Master:0 Backup:2 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Backup GE1/0/1 Vgmp 192.168.100.251
2 Backup GE1/0/0 Vgmp 192.168.200.251
- AR1
[AR1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.20.1/24 up up
GigabitEthernet0/0/1 unassigned down down
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
# Configure the return route
ip route-static 192.168.10.0 255.255.255.0 192.168.20.254
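To make the two-VRF design concrete, here is an added Python model (not part of the original post, and not a Huawei tool) that traces a packet through the static routes configured above on SW1, the firewalls and AR1. The route lists are transcribed from the configuration; the .251 VRRP virtual addresses are modelled as a single FW node, i.e. whichever unit currently holds VGMP master. A flat single-table variant of SW1 is included for comparison: with all four VLAN interfaces in one routing table the switch forwards between Vlan10 and Vlan20 directly and the firewalls never see the traffic, which is exactly why VRF a and VRF b are kept apart. The table and function names are this example's own.

```python
import ipaddress

# Routing tables transcribed from the lab configuration. A next hop of None
# means the prefix is directly connected to that (node, table). The two
# firewalls share the .251 VRRP addresses, so they are modelled as one "FW"
# node (whichever unit is VGMP master).
TABLES = {
    ("SW1", "a"): [
        ("192.168.10.0/24", None),                 # Vlanif10, PC segment
        ("192.168.100.0/24", None),                # Vlanif100, towards the firewalls
        ("0.0.0.0/0", "192.168.100.251"),          # default via FW upstream VIP
    ],
    ("SW1", "b"): [
        ("192.168.20.0/24", None),                 # Vlanif20, towards AR1
        ("192.168.200.0/24", None),                # Vlanif200, back from the firewalls
        ("0.0.0.0/0", "192.168.20.1"),             # default via AR1
        ("192.168.10.0/24", "192.168.200.251"),    # return traffic via FW downstream VIP
    ],
    ("FW", "global"): [
        ("192.168.100.0/24", None),
        ("192.168.200.0/24", None),
        ("0.0.0.0/0", "192.168.200.254"),          # default back to SW1 VRF b
        ("192.168.10.0/24", "192.168.100.254"),    # PC subnet back to SW1 VRF a
    ],
    ("AR1", "global"): [
        ("192.168.20.0/24", None),
        ("192.168.10.0/24", "192.168.20.254"),     # return route to SW1 VRF b
    ],
}

# Which (node, table) a packet enters when it is forwarded to a given next hop.
OWNER = {
    "192.168.100.251": ("FW", "global"),
    "192.168.200.251": ("FW", "global"),
    "192.168.100.254": ("SW1", "a"),
    "192.168.200.254": ("SW1", "b"),
    "192.168.20.254": ("SW1", "b"),
    "192.168.20.1": ("AR1", "global"),
}


def lookup(table, dst):
    """Longest-prefix match of dst in a route list; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(start, dst, tables=TABLES, owner=OWNER, max_hops=8):
    """Return the list of (node, table) consulted for a packet to dst that is first
    looked up in `start`, followed by 'delivered', 'unreachable' or 'loop'."""
    path, here = [], start
    for _ in range(max_hops):
        path.append(here)
        match = lookup(tables[here], dst)
        if match is None:
            return path + ["unreachable"]
        net, next_hop = match
        if next_hop is None:            # directly connected: handed to the segment
            return path + ["delivered"]
        here = owner[next_hop]
    return path + ["loop"]


def firewall_in_path(path):
    """True if the firewall table was consulted at least once on the way."""
    return any(isinstance(hop, tuple) and hop[0] == "FW" for hop in path)


# Comparison: SW1 with a single routing table holding all four VLAN interfaces.
# Inter-VLAN traffic then matches a connected route and never reaches the FW.
FLAT_TABLES = {
    ("SW1", "global"): [r for r in TABLES[("SW1", "a")] + TABLES[("SW1", "b")] if r[1] is None]
                       + [("0.0.0.0/0", "192.168.100.251")],
    ("FW", "global"): TABLES[("FW", "global")],
    ("AR1", "global"): TABLES[("AR1", "global")],
}
FLAT_OWNER = {ip: (("SW1", "global") if node == "SW1" else (node, tbl))
              for ip, (node, tbl) in OWNER.items()}

if __name__ == "__main__":
    print("PC -> AR1 (two VRFs):", trace(("SW1", "a"), "192.168.20.1"))
    print("AR1 -> PC (two VRFs):", trace(("AR1", "global"), "192.168.10.253"))
    print("PC -> AR1 (flat SW1): ", trace(("SW1", "global"), "192.168.20.1", FLAT_TABLES, FLAT_OWNER))
```

Running it shows the forward path SW1(a) -> FW -> SW1(b) and the return path AR1 -> SW1(b) -> FW -> SW1(a), so both directions cross the firewall and its session table sees symmetric traffic, while the flat variant delivers PC traffic to Vlan20 in one lookup with no firewall hop. A default-route lookup for an Internet address ends "unreachable" at AR1 because the lab configures only the return route on it.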
Verification
- PC
To test whether hot standby fails over when a device's uplink interface goes down, we shut down g0/0/4 on SW1 and watch how the traffic reacts.
- PC
- FW1
HRP_S[FW1]display hrp state verbose
2024-05-02 12:37:41.190
Role: standby, peer: active (should be "active-standby")
Running priority: 44998, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 1 minutes
Last state change information: 2024-05-02 12:36:00 HRP core state changed, old_state = normal, new_state = abnormal(standby), local_priority = 44998, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1 vrrp vrid 1: Initialize
GigabitEthernet1/0/0 vrrp vrid 2: standby (should be "active")
ospf-cost: +65500 (should be "+0")
ospfv3-cost: +65500 (should be "+0")
bgp-cost: +100 (should be "+0")
HRP_S[FW1]display vrrp brief
2024-05-02 12:37:51.510
Total:2 Master:0 Backup:1 Non-active:1
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Initialize GE1/0/1 Vgmp 192.168.100.251
2 Backup GE1/0/0 Vgmp 192.168.200.251
- FW2
HRP_M[FW2]display hrp state verbose
2024-05-02 12:38:15.020
Role: active, peer: standby (should be "standby-active")
Running priority: 45000, peer: 44998
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 2 minutes
Last state change information: 2024-05-02 12:36:02 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1 vrrp vrid 1: active (should be "standby")
GigabitEthernet1/0/0 vrrp vrid 2: active (should be "standby")
ospf-cost: +0 (should be "+65500")
ospfv3-cost: +0 (should be "+65500")
bgp-cost: +0 (should be "+100")
HRP_M[FW2]display vrrp brief
2024-05-02 12:38:22.380
Total:2 Master:2 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/1 Vgmp 192.168.100.251
2 Master GE1/0/0 Vgmp 192.168.200.251
# View the firewall session table
HRP_M[FW2]display firewall session table
2024-05-02 12:38:41.040
Current Total Sessions : 5
udp VPN: public --> public 1.1.1.1:16384 --> 1.1.1.2:18514
udp VPN: public --> public 1.1.1.1:49152 --> 1.1.1.2:18514
icmp VPN: public --> public 192.168.10.253:20873 --> 192.168.20.1:2048
udp VPN: public --> public 1.1.1.2:49152 --> 1.1.1.1:18514
icmp VPN: public --> public 192.168.10.253:21129 --> 192.168.20.1:2048
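The verification output above is what you check by eye after a failover. As an added example (not from the original post, and not a Huawei tool), the Python below parses `display hrp state verbose` and `display firewall session table` output of the kind shown above and turns it into findings a monitoring job can alert on: an HRP core state other than normal, a VRRP group in Initialize, a VGMP running priority lower than the peer's, and any field the device itself flags with (should be ...). The FW1 sample and the FW2 session table are transcribed from the page; the "healthy" sample is constructed, and the classification rule that UDP to port 18514 between 1.1.1.1 and 1.1.1.2 is backup-channel traffic is taken from what the page's session table shows. Function names are this example's own.

```python
import re

# Transcribed from the page: FW1 after SW1's g0/0/4 was shut down.
FW1_AFTER_FAILOVER = """\
Role: standby, peer: active (should be "active-standby")
Running priority: 44998, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 1 minutes
Last state change information: 2024-05-02 12:36:00 HRP core state changed, old_state = normal, new_state = abnormal(standby), local_priority = 44998, peer_priority = 45000.
Configuration:
  hello interval: 1000ms
  preempt: 60s
Detail information:
  GigabitEthernet1/0/1 vrrp vrid 1: Initialize
  GigabitEthernet1/0/0 vrrp vrid 2: standby (should be "active")
  ospf-cost: +65500 (should be "+0")
  ospfv3-cost: +65500 (should be "+0")
  bgp-cost: +100 (should be "+0")
"""

# Constructed sample of a healthy active unit (not copied from the page).
FW_HEALTHY = """\
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Last state change information: 2024-05-02 12:20:00 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
Detail information:
  GigabitEthernet1/0/1 vrrp vrid 1: active
  GigabitEthernet1/0/0 vrrp vrid 2: active
  ospf-cost: +0
"""

# Transcribed from the page: FW2's session table after it became master.
FW2_SESSIONS = """\
Current Total Sessions : 5
 udp VPN: public --> public 1.1.1.1:16384 --> 1.1.1.2:18514
 udp VPN: public --> public 1.1.1.1:49152 --> 1.1.1.2:18514
 icmp VPN: public --> public 192.168.10.253:20873 --> 192.168.20.1:2048
 udp VPN: public --> public 1.1.1.2:49152 --> 1.1.1.1:18514
 icmp VPN: public --> public 192.168.10.253:21129 --> 192.168.20.1:2048
"""


def parse_hrp_state(text):
    """Pull role, priorities, core state, per-group VRRP state and every
    '(should be ...)' mismatch out of 'display hrp state verbose' output."""
    info = {"role": None, "peer_role": None, "local_priority": None,
            "peer_priority": None, "core_state": None, "vrrp": {}, "mismatches": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Role: (\w+), peer: (\w+)", line):
            info["role"], info["peer_role"] = m.groups()
        if m := re.match(r"Running priority: (\d+), peer: (\d+)", line):
            info["local_priority"], info["peer_priority"] = map(int, m.groups())
        if m := re.search(r"new_state = (\w+)", line):
            info["core_state"] = m.group(1)
        if m := re.match(r"(\S+) vrrp vrid (\d+): (\w+)", line):
            info["vrrp"][(m.group(1), int(m.group(2)))] = m.group(3)
        if m := re.search(r'^(.*?)\s*\(should be "([^"]+)"\)', line):
            info["mismatches"].append((m.group(1), m.group(2)))
    return info


def assess(info):
    """Return a list of human-readable findings; empty means the unit looks healthy."""
    findings = []
    if info["core_state"] and info["core_state"] != "normal":
        findings.append(f"HRP core state is {info['core_state']} "
                        f"(role {info['role']}, peer {info['peer_role']})")
    for (iface, vrid), state in info["vrrp"].items():
        if state == "Initialize":
            findings.append(f"{iface} vrrp vrid {vrid} is Initialize: VRRP group on that link is down")
    lp, pp = info["local_priority"], info["peer_priority"]
    if lp is not None and pp is not None and lp < pp:
        findings.append(f"local VGMP priority {lp} is below peer {pp} (delta {lp - pp}); "
                        "a tracked interface on this unit has failed")
    for field, expected in info["mismatches"]:
        findings.append(f"{field!r} deviates from expected {expected!r}")
    return findings


SESSION_RE = re.compile(r"^\s*(\w+)\s+VPN:\s+(\S+)\s+-->\s+(\S+)\s+(\S+):(\d+)\s+-->\s+(\S+):(\d+)")
HRP_PEERS = {"1.1.1.1", "1.1.1.2"}   # heartbeat interface addresses from the lab
HRP_PORT = 18514                     # destination port seen on the backup-channel sessions


def classify_sessions(text, peers=HRP_PEERS, port=HRP_PORT):
    """Split a session table into HRP backup-channel sessions and user sessions,
    so you can confirm user state was synced to the unit that became master."""
    out = {"hrp": 0, "user": []}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        proto, src, dst, dport = m.group(1), m.group(4), m.group(6), int(m.group(7))
        if proto == "udp" and src in peers and dst in peers and dport == port:
            out["hrp"] += 1
        else:
            out["user"].append((proto, src, dst))
    return out


if __name__ == "__main__":
    for name, sample in (("FW1", FW1_AFTER_FAILOVER), ("healthy", FW_HEALTHY)):
        print(name, assess(parse_hrp_state(sample)) or ["no findings"])
    print("FW2 sessions:", classify_sessions(FW2_SESSIONS))
```

On the FW1 sample this reports the abnormal core state, vrid 1 in Initialize, the priority drop from 45000 to 44998 and the five fields the device marks with (should be ...); on the healthy sample it reports nothing. The session classifier separates the three backup-channel sessions from the two ICMP sessions of the PC, which is the evidence that connection state followed the failover (auto-sync connection-status: on in the output above).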