This section gives a CLI example of a hot-standby (HRP) load-sharing network with multiple ISP links, in which the service interfaces of both firewalls work at Layer 3 and the upstream and downstream sides connect to switches.

Networking Requirements

As shown in Figure 1, the service interfaces of both FWs work at Layer 3, and the upstream and downstream sides each connect to Layer 2 switches. The two upstream switches connect to different carriers: ISP1 has assigned the enterprise the IP addresses 1.1.1.1, 1.1.1.2 and 1.1.1.3, and ISP2 has assigned 2.2.2.1, 2.2.2.2 and 2.2.2.3. The two FWs are to work in load-sharing mode: traffic from department A users (10.3.0.51 to 10.3.0.100) goes to ISP1, and traffic from department B users (10.3.0.101 to 10.3.0.150) goes to ISP2. Under normal conditions FW_A and FW_B forward traffic together; when one FW fails, the other forwards all traffic so that services are not interrupted.

Figure 1 Load-sharing network with service interfaces at Layer 3 and switches connected upstream and downstream

Procedure

  1. Configure interface IP addresses and security zones to complete the basic network settings.
    # Configure the IP address of each FW interface.
    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 2.2.2.1 24
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_A] interface GigabitEthernet 0/0/7
    [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet0/0/7] quit
    <FW_B> system-view
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] ip address 1.1.1.2 24
    [FW_B-GigabitEthernet0/0/1] quit
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] ip address 2.2.2.2 24
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] ip address 10.3.0.2 24
    [FW_B-GigabitEthernet0/0/3] quit
    [FW_B] interface GigabitEthernet 0/0/7
    [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
    [FW_B-GigabitEthernet0/0/7] quit
    # Add each FW interface to its security zone.
    [FW_A] firewall zone name isp1
    [FW_A-zone-isp1] set priority 10
    [FW_A-zone-isp1] add interface GigabitEthernet 0/0/1
    [FW_A-zone-isp1] quit
    [FW_A] firewall zone name isp2
    [FW_A-zone-isp2] set priority 15
    [FW_A-zone-isp2] add interface GigabitEthernet 0/0/2
    [FW_A-zone-isp2] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_A-zone-trust] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_A-zone-dmz] quit
    [FW_B] firewall zone name isp1
    [FW_B-zone-isp1] set priority 10
    [FW_B-zone-isp1] add interface GigabitEthernet 0/0/1
    [FW_B-zone-isp1] quit
    [FW_B] firewall zone name isp2
    [FW_B-zone-isp2] set priority 15
    [FW_B-zone-isp2] add interface GigabitEthernet 0/0/2
    [FW_B-zone-isp2] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_B-zone-trust] quit
    [FW_B] firewall zone dmz
    [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_B-zone-dmz] quit
  2. Configure policy-based routing.
    [FW_A] policy-based-route
    [FW_A-policy-pbr] rule name route_policy_isp1
    [FW_A-policy-pbr-rule-route_policy_isp1] source-zone trust
    [FW_A-policy-pbr-rule-route_policy_isp1] source-address range 10.3.0.51 10.3.0.100
    [FW_A-policy-pbr-rule-route_policy_isp1] action pbr next-hop 1.1.1.254
    [FW_A-policy-pbr-rule-route_policy_isp1] quit
    [FW_A-policy-pbr] rule name route_policy_isp2
    [FW_A-policy-pbr-rule-route_policy_isp2] source-zone trust
    [FW_A-policy-pbr-rule-route_policy_isp2] source-address range 10.3.0.101 10.3.0.150
    [FW_A-policy-pbr-rule-route_policy_isp2] action pbr next-hop 2.2.2.254
    [FW_A-policy-pbr-rule-route_policy_isp2] quit
    [FW_A-policy-pbr] quit
    [FW_B] policy-based-route
    [FW_B-policy-pbr] rule name route_policy_isp1
    [FW_B-policy-pbr-rule-route_policy_isp1] source-zone trust
    [FW_B-policy-pbr-rule-route_policy_isp1] source-address range 10.3.0.51 10.3.0.100
    [FW_B-policy-pbr-rule-route_policy_isp1] action pbr next-hop 1.1.1.254
    [FW_B-policy-pbr-rule-route_policy_isp1] quit
    [FW_B-policy-pbr] rule name route_policy_isp2
    [FW_B-policy-pbr-rule-route_policy_isp2] source-zone trust
    [FW_B-policy-pbr-rule-route_policy_isp2] source-address range 10.3.0.101 10.3.0.150
    [FW_B-policy-pbr-rule-route_policy_isp2] action pbr next-hop 2.2.2.254
    [FW_B-policy-pbr-rule-route_policy_isp2] quit
    [FW_B-policy-pbr] quit
  3. Configure hot standby.
    # Configure VRRP group 1 on GE0/0/1 of FW_A and set its state to Active; configure VRRP group 1 on GE0/0/1 of FW_B and set its state to Standby.
    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 active
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 standby
    [FW_B-GigabitEthernet0/0/1] quit
    # Configure VRRP group 2 on GE0/0/2 of FW_A and set its state to Standby; configure VRRP group 2 on GE0/0/2 of FW_B and set its state to Active.
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 2.2.2.3 standby
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 2.2.2.3 active
    [FW_B-GigabitEthernet0/0/2] quit
    # On GE0/0/3 of FW_A, configure VRRP group 3 with state Active and VRRP group 4 with state Standby. On GE0/0/3 of FW_B, configure VRRP group 3 with state Standby and VRRP group 4 with state Active.
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active
    [FW_A-GigabitEthernet0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby
    [FW_B-GigabitEthernet0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active
    [FW_B-GigabitEthernet0/0/3] quit
    # In load-sharing mode both FWs forward traffic. To guard against inconsistent forward and return paths, configure quick session backup on both FWs.
    [FW_A] hrp mirror session enable
    [FW_B] hrp mirror session enable
    # Specify the heartbeat interface and enable hot standby on each FW.
    [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
    [FW_A] hrp enable
    [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
    [FW_B] hrp enable
  4. Configure a security policy.

    After the hot-standby relationship is established, the security policy configured on FW_A is automatically backed up to FW_B.

    [FW_A] security-policy
    [FW_A-policy-security] rule name policy_sec
    [FW_A-policy-security-rule-policy_sec] source-zone trust
    [FW_A-policy-security-rule-policy_sec] destination-zone isp1 isp2
    [FW_A-policy-security-rule-policy_sec] action permit
    [FW_A-policy-security-rule-policy_sec] quit
    [FW_A-policy-security] quit
  5. Configure a NAT policy so that intranet users access the Internet through translated public IP addresses.

    After the hot-standby relationship is established, the NAT policy configured on FW_A is automatically backed up to FW_B.

    # Configure the address pools.

    HRP_M[FW_A] nat address-group 1
    HRP_M[FW_A-address-group-1] section 0 1.1.1.3 1.1.1.3
    HRP_M[FW_A-address-group-1] quit
    HRP_M[FW_A] nat address-group 2
    HRP_M[FW_A-address-group-2] section 0 2.2.2.3 2.2.2.3
    HRP_M[FW_A-address-group-2] quit

    # Configure the NAT policy.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat_1
    HRP_M[FW_A-policy-nat-rule-policy_nat_1] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat_1] destination-zone isp1
    HRP_M[FW_A-policy-nat-rule-policy_nat_1] action source-nat address-group 1
    HRP_M[FW_A-policy-nat-rule-policy_nat_1] quit
    HRP_M[FW_A-policy-nat] rule name policy_nat_2
    HRP_M[FW_A-policy-nat-rule-policy_nat_2] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat_2] destination-zone isp2
    HRP_M[FW_A-policy-nat-rule-policy_nat_2] action source-nat address-group 2
    HRP_M[FW_A-policy-nat-rule-policy_nat_2] quit
    HRP_M[FW_A-policy-nat] quit
  6. On the intranet devices, configure default routes: set the next hop for department A users to 10.3.0.3, the virtual IP address of VRRP group 3, and the next hop for department B users to 10.3.0.4, the virtual IP address of VRRP group 4.

Configuration Scripts

FW_A
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp mirror session enable
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.1 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz  
 set priority 50   
 add interface GigabitEthernet0/0/7
#
firewall zone isp1
 set priority 10   
 add interface GigabitEthernet 0/0/1
#
firewall zone isp2
 set priority 15
 add interface GigabitEthernet 0/0/2
#
 nat address-group 1
  section 0 1.1.1.3 1.1.1.3
 nat address-group 2
  section 0 2.2.2.3 2.2.2.3
#
security-policy  
 rule name policy_sec
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit    
#
policy-based-route
 rule name route_policy_isp1
  source-zone trust
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-zone trust
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
#
nat-policy  
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action source-nat address-group 1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group 2
#

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp mirror session enable
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 standby
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz  
 set priority 50   
 add interface GigabitEthernet0/0/7
#
firewall zone isp1
 set priority 10 
 add interface GigabitEthernet 0/0/1
#
firewall zone isp2
 set priority 15   
 add interface GigabitEthernet 0/0/2
#
 nat address-group 1
  section 0 1.1.1.3 1.1.1.3
 nat address-group 2
  section 0 2.2.2.3 2.2.2.3
#
security-policy  
 rule name policy_sec
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit    
#
policy-based-route
 rule name route_policy_isp1
  source-zone trust
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-zone trust
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action source-nat address-group 1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group 2
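The two scripts above are meant to be mirror images apart from the swapped VRRP roles and the reversed heartbeat addresses. The following Python audit is an added example, not Huawei code and not part of the original page: it runs on a constructed, abbreviated copy of the FW_A script (FW_B is derived from it exactly as on the page) and checks the pairing invariants this design depends on: every VRRP group carries the same virtual IP with opposite roles on the two FWs, `hrp mirror session enable` is present on both, and each `hrp ... remote` address is the peer's heartbeat interface IP.

```python
import re
# Constructed sample, abbreviated from the page's FW_A configuration script.
FW_A = """#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp mirror session enable
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
"""
# FW_B is FW_A with the VRRP roles swapped and the heartbeat addresses reversed, as on the page.
_SWAP = {"active": "standby", "standby": "active", "10.3.0.1 ": "10.3.0.2 ",
         "remote 10.10.0.2": "remote 10.10.0.1", "address 10.10.0.1": "address 10.10.0.2"}
FW_B = re.sub("|".join(map(re.escape, _SWAP)), lambda m: _SWAP[m.group()], FW_A)
VRRP = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")
HRP = re.compile(r"hrp interface (\S+ \S+) remote (\S+)")

def vrrp_roles(cfg):
    """{vrid: (virtual_ip, role)} for every VRRP group in a config script."""
    return {vrid: (vip, role) for vrid, vip, role in VRRP.findall(cfg)}

def heartbeat_ok(cfg, peer_cfg):
    """True if cfg's 'hrp interface ... remote' address is the IP of that interface on the peer."""
    m = HRP.search(cfg)
    peer = m and re.search(r"^interface %s[ \t]*\n\s*ip address (\S+)" % re.escape(m.group(1)), peer_cfg, re.M)
    return bool(peer) and peer.group(1) == m.group(2)

def audit_ha_pair(cfg_a, cfg_b):
    """Return findings; an empty list means the pair is a consistent load-sharing HRP pair."""
    findings, va, vb = [], vrrp_roles(cfg_a), vrrp_roles(cfg_b)
    for vrid in sorted(set(va) | set(vb), key=int):
        if vrid not in va or vrid not in vb:
            findings.append(f"vrid {vrid}: configured on one firewall only")
        elif va[vrid][0] != vb[vrid][0]:
            findings.append(f"vrid {vrid}: virtual-ip differs ({va[vrid][0]} vs {vb[vrid][0]})")
        elif va[vrid][1] == vb[vrid][1]:  # both active or both standby: no sharing, no failover
            findings.append(f"vrid {vrid}: {va[vrid][1]} on both firewalls")
    for name, me, peer in (("FW_A", cfg_a, cfg_b), ("FW_B", cfg_b, cfg_a)):
        if "hrp mirror session enable" not in me:  # both FWs forward, so sessions must be mirrored
            findings.append(f"{name}: hrp mirror session enable missing")
        if not heartbeat_ok(me, peer):
            findings.append(f"{name}: hrp remote address is not the peer's heartbeat interface IP")
    return findings
```

`audit_ha_pair(FW_A, FW_B)` returns an empty list for the page's design; setting group 4 to standby on both FWs, dropping `hrp mirror session enable`, or pointing `hrp ... remote` at an address that is not the peer's heartbeat IP each produces a finding.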