华为防火墙双机热备（主备分担）

YancyYue

已于 2025-05-09 16:44:50 修改

阅读量1.2k

点赞数 10

分类专栏： # HCIA-Security 文章标签：网络服务器计算机网络运维

于 2025-03-18 23:21:58 首次发布

本文链接：https://blog.csdn.net/weixin_46008548/article/details/146355170

版权

HCIA-Security 专栏收录该内容

6 篇文章

订阅专栏

引言

传统VRRP方式无法实现主、备用防火墙状态信息和多组VRRP状态的一致性，所以可能会导致流量的回包不从首包通过的防火墙回包，防火墙会因为状态检测机制丢弃此报文，所以防火墙使用VGMP统一管理VRRP的状态。

华为双机热备的部署模式有三种，主备备份、负载分担、镜像模式。其中主备分担和镜像模式的VGMP的状态，主是active，备是standby；而负载分担模式中，两个防火墙的状态都是load-balance。

负载分担模式可以我的文章：华为防火墙双机热备（负载分担）-CSDN博客

主备备份实验

在规划拓扑结构时，两个防火墙所用的接口编号建议都要一致，因为在激活双击热备之后，有些接口的配置也会进行同步，比如双机热备开启之后，将某个接口加入安全区域，这个配置也会进行同步。

在我这个拓扑中，G1/0/2是心跳线，心跳线里传两个消息，一个是vgmp消息，一个是hrp消息。

hrp叫做华为冗余协议或者叫华为备份协议。

1、基本配置

FW1：（配置地址、VRRP、接口加入安全区域）

[FW1]interface GigabitEthernet1/0/0
[FW1-GigabitEthernet1/0/0] ip address 192.168.10.2 24
[FW1-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 192.168.10.1 active

[FW1]interface GigabitEthernet1/0/1
[FW1-GigabitEthernet1/0/1] ip address 1.1.1.2 29
[FW1-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.1 active

[FW1]interface GigabitEthernet1/0/2
[FW1-GigabitEthernet1/0/2] ip address 10.1.1.1 30

[FW1]firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet1/0/0

[FW1]firewall zone untrust                     
[FW1-zone-untrust] add interface GigabitEthernet1/0/1

[FW1]firewall zone name hrp
[FW1-zone-hrp] set priority 51
[FW1-zone-hrp] add interface GigabitEthernet1/0/2

FW2：（配置地址、VRRP、接口加入安全区域）

[FW2]interface GigabitEthernet1/0/0
[FW2-GigabitEthernet1/0/0] ip address 192.168.10.3 24
[FW2-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 192.168.10.1 standby

[FW2]interface GigabitEthernet1/0/1
[FW2-GigabitEthernet1/0/1] ip address 1.1.1.3 29
[FW2-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.1 standby

[FW2]interface GigabitEthernet1/0/2
[FW2-GigabitEthernet1/0/2] ip address 10.1.1.2 30

[FW2]firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet1/0/0

[FW2]firewall zone untrust                     
[FW2-zone-untrust] add interface GigabitEthernet1/0/1

[FW2]firewall zone name hrp
[FW2-zone-hrp] set priority 51
[FW2-zone-hrp] add interface GigabitEthernet1/0/2

2、双机热备配置

FW1：（配置心跳接口、开启HRP）

[FW1]hrp interface G1/0/2 remote 10.1.1.2
[FW1]hrp enable

FW2：（配置心跳接口、开启HRP）

[FW2]hrp interface g1/0/2 remote 10.1.1.1
[FW2]hrp enable

查看双机热备状态

① FW1：（作为主设备，Role 为Active）

HRP_M[FW1]display hrp state  verbose 
2025-03-16 03:11:08.760 
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2025-03-16 3:07:01 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: active
           GigabitEthernet1/0/1 vrrp vrid 2: active
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0

② FW2：（作为备设备，Role 为Standby）

HRP_S[FW2]display hrp state verbose  
2025-03-16 03:10:43.150 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2025-03-16 3:07:01 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: standby
           GigabitEthernet1/0/1 vrrp vrid 2: standby
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100

备机无法配置安全策略、NAT策略等等，比如进入NAT策略的视图都会报错。因为只有我们是主备备份模式，配置都是在主墙上进行配置，然后同步给备墙。

HRP_S[FW2]nat-policy 
 Error: The device is in HRP standby state, so this command can not be executed.

主备切换

FW1：关闭主防火墙的一个配置了VRRP的接口

HRP_M[FW1]interface g1/0/1 (+B)
HRP_M[FW1-GigabitEthernet1/0/1]shutdown

FW1：主防火墙的角色会立马发生转变，变成Role 是 Standby

HRP_S[FW1]display hrp state  
2025-03-16 03:14:00.580 
 Role: standby, peer: active (should be "active-standby")
 Running priority: 44998, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2025-03-16 3:13:45 HRP core state changed, old_state = normal, new_state = abnormal(standby), local_priority = 44998, peer_priority = 45000.

FW2：备防火墙的角色会立马发生转变，变成Role 是 Active


HRP_M[FW2]display hrp state
2025-03-16 03:14:12.050 
 Role: active, peer: standby (should be "standby-active")
 Running priority: 45000, peer: 44998
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2025-03-16 3:13:44 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.

FW1：恢复主防火墙的接口，查看切换状态

HRP_S[FW1]interface g1/0/1 (+B)
HRP_S[FW1-GigabitEthernet1/0/1]undo shutdown

（主防火墙一分钟之后会抢占回来，因为默认的抢占就是60S）

路由影响

双机热备除了主墙响应VRRP的地址以外，对于网络中路由的宣告也有影响。

备墙会自动增加OSPF、ISIS、BGP的cost值，从而影响网络选路，上下行设备的选路优先变会是主墙。

HRP_S[FW2]display hrp state verbose  
2025-03-16 03:10:43.150 
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2025-03-16 3:07:01 HRP link changes to up.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: standby
           GigabitEthernet1/0/1 vrrp vrid 2: standby
                                  ospf-cost: +65500
                                ospfv3-cost: +65500
                                   bgp-cost: +100

FW1 ：（配置OSPF）

HRP_M[FW1]ospf 1 router-id 1.1.1.1
HRP_M[FW1-ospf-1]area 0
HRP_M[FW1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.7

FW2 ：（配置OSPF）

HRP_S[FW2]ospf 1 router-id 2.2.2.2
HRP_S[FW2-ospf-1] area 0.0.0.0
HRP_S[FW2-ospf-1-area-0.0.0.0]  network 1.1.1.0 0.0.0.7
HRP_S[FW2-ospf-1-area-0.0.0.0]  network 192.168.10.0 0.0.0.255

ISP：（配置OSPF）

[ISP]inter g1/0
[ISP-GigabitEthernet1/0]ip address  1.1.1.4 29
[ISP]inter g2/0
[ISP-GigabitEthernet2/0]ip address 39.156.66.1 28

[ISP]ospf 1 router-id 3.3.3.3
[ISP-ospf-1]area  0
[ISP-ospf-1-area-0.0.0.0]network 39.156.66.0 0.0.0.15
[ISP-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.7

PC （测试访问外部的服务器）

VPCS> ping 39.156.66.14

84 bytes from 39.156.66.14 icmp_seq=1 ttl=62 time=15.340 ms
84 bytes from 39.156.66.14 icmp_seq=2 ttl=62 time=24.609 ms
84 bytes from 39.156.66.14 icmp_seq=3 ttl=62 time=16.693 ms
84 bytes from 39.156.66.14 icmp_seq=4 ttl=62 time=16.757 ms
84 bytes from 39.156.66.14 icmp_seq=5 ttl=62 time=15.839 ms

查看会话表

FW1：

HRP_M[FW1]display firewall session table          
2025-03-16 03:34:32.710 
 Current Total Sessions : 8
 icmp  VPN: public --> public  192.168.10.10:49990 --> 39.156.66.14:2048

FW2：（因为是备墙，所以会同步主墙的会话表，所以带有remote字样）

HRP_S[FW2]display firewall session table  
2025-03-16 03:34:26.770 
 Current Total Sessions : 5
 icmp  VPN: public --> public  Remote 192.168.10.10:49990 --> 39.156.66.14:2048