This example shows the CLI configuration for a hot-standby load-sharing network with multiple ISP access, in which the service interfaces work at Layer 3 and the upstream and downstream sides connect to switches.

Networking Requirements

As shown in Figure 1, the service interfaces of both FWs work at Layer 3, and the upstream and downstream sides connect to Layer 2 switches. The two upstream switches connect to different ISPs: ISP1 assigns the enterprise the IP addresses 1.1.1.1, 1.1.1.2 and 1.1.1.3, and ISP2 assigns 2.2.2.1, 2.2.2.2 and 2.2.2.3. The two FWs are to work in load-sharing mode: traffic from Department A users (10.3.0.51 to 10.3.0.100) goes to ISP1, and traffic from Department B users (10.3.0.101 to 10.3.0.150) goes to ISP2. Under normal conditions FW_A and FW_B forward traffic together; when one FW fails, the other forwards all traffic so that services are not interrupted.
Procedure

- Configure interface IP addresses and security zones to complete the basic network settings.

FW_A:

```
# Configure the IP addresses of the FW interfaces.
<FW_A> system-view
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 2.2.2.1 24
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet0/0/3] quit
[FW_A] interface GigabitEthernet 0/0/7
[FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet0/0/7] quit
```

FW_B:

```
<FW_B> system-view
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 1.1.1.2 24
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 2.2.2.2 24
[FW_B-GigabitEthernet0/0/2] quit
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 10.3.0.2 24
[FW_B-GigabitEthernet0/0/3] quit
[FW_B] interface GigabitEthernet 0/0/7
[FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet0/0/7] quit
```

FW_A:

```
# Add the FW interfaces to the corresponding security zones.
[FW_A] firewall zone name isp1
[FW_A-zone-isp1] set priority 10
[FW_A-zone-isp1] add interface GigabitEthernet 0/0/1
[FW_A-zone-isp1] quit
[FW_A] firewall zone name isp2
[FW_A-zone-isp2] set priority 15
[FW_A-zone-isp2] add interface GigabitEthernet 0/0/2
[FW_A-zone-isp2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit
```

FW_B:

```
[FW_B] firewall zone name isp1
[FW_B-zone-isp1] set priority 10
[FW_B-zone-isp1] add interface GigabitEthernet 0/0/1
[FW_B-zone-isp1] quit
[FW_B] firewall zone name isp2
[FW_B-zone-isp2] set priority 15
[FW_B-zone-isp2] add interface GigabitEthernet 0/0/2
[FW_B-zone-isp2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
```
- Configure policy-based routing.

FW_A:

```
[FW_A] policy-based-route
[FW_A-policy-pbr] rule name route_policy_isp1
[FW_A-policy-pbr-rule-route_policy_isp1] source-zone trust
[FW_A-policy-pbr-rule-route_policy_isp1] source-address range 10.3.0.51 10.3.0.100
[FW_A-policy-pbr-rule-route_policy_isp1] action pbr next-hop 1.1.1.254
[FW_A-policy-pbr-rule-route_policy_isp1] quit
[FW_A-policy-pbr] rule name route_policy_isp2
[FW_A-policy-pbr-rule-route_policy_isp2] source-zone trust
[FW_A-policy-pbr-rule-route_policy_isp2] source-address range 10.3.0.101 10.3.0.150
[FW_A-policy-pbr-rule-route_policy_isp2] action pbr next-hop 2.2.2.254
[FW_A-policy-pbr-rule-route_policy_isp2] quit
[FW_A-policy-pbr] quit
```

FW_B:

```
[FW_B] policy-based-route
[FW_B-policy-pbr] rule name route_policy_isp1
[FW_B-policy-pbr-rule-route_policy_isp1] source-zone trust
[FW_B-policy-pbr-rule-route_policy_isp1] source-address range 10.3.0.51 10.3.0.100
[FW_B-policy-pbr-rule-route_policy_isp1] action pbr next-hop 1.1.1.254
[FW_B-policy-pbr-rule-route_policy_isp1] quit
[FW_B-policy-pbr] rule name route_policy_isp2
[FW_B-policy-pbr-rule-route_policy_isp2] source-zone trust
[FW_B-policy-pbr-rule-route_policy_isp2] source-address range 10.3.0.101 10.3.0.150
[FW_B-policy-pbr-rule-route_policy_isp2] action pbr next-hop 2.2.2.254
[FW_B-policy-pbr-rule-route_policy_isp2] quit
[FW_B-policy-pbr] quit
```
- Configure the hot standby function.

FW_A:

```
# Configure VRRP group 1 on GE0/0/1 of FW_A and set its state to Active; configure VRRP group 1 on GE0/0/1 of FW_B and set its state to Standby.
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 active
[FW_A-GigabitEthernet0/0/1] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 standby
[FW_B-GigabitEthernet0/0/1] quit
```

FW_A:

```
# Configure VRRP group 2 on GE0/0/2 of FW_A and set its state to Standby; configure VRRP group 2 on GE0/0/2 of FW_B and set its state to Active.
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 2.2.2.3 standby
[FW_A-GigabitEthernet0/0/2] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 2.2.2.3 active
[FW_B-GigabitEthernet0/0/2] quit
```

FW_A:

```
# On GE0/0/3 of FW_A, configure VRRP group 3 with state Active and VRRP group 4 with state Standby. On GE0/0/3 of FW_B, configure VRRP group 3 with state Standby and VRRP group 4 with state Active.
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby
[FW_A-GigabitEthernet0/0/3] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active
[FW_B-GigabitEthernet0/0/3] quit
```

FW_A:

```
# In a load-sharing network both FWs forward traffic. Enable session fast backup on both FWs so that a flow whose forward and return paths traverse different FWs is still matched against a known session.
[FW_A] hrp mirror session enable
```

FW_B:

```
[FW_B] hrp mirror session enable
```

FW_A:

```
# Specify the heartbeat interface on each FW and enable hot standby.
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable
```

FW_B:

```
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
```
- Configure the security policy.

After the hot-standby relationship is established, the security policy configured on FW_A is automatically backed up to FW_B.

```
[FW_A] security-policy
[FW_A-policy-security] rule name policy_sec
[FW_A-policy-security-rule-policy_sec] source-zone trust
[FW_A-policy-security-rule-policy_sec] destination-zone isp1 isp2
[FW_A-policy-security-rule-policy_sec] action permit
[FW_A-policy-security-rule-policy_sec] quit
[FW_A-policy-security] quit
```
- Configure the NAT policy so that intranet users access the Internet through translated public IP addresses.

After the hot-standby relationship is established, the NAT policy configured on FW_A is automatically backed up to FW_B.

```
# Configure the address pools.
HRP_M[FW_A] nat address-group 1
HRP_M[FW_A-address-group-1] section 0 1.1.1.3 1.1.1.3
HRP_M[FW_A-address-group-1] quit
HRP_M[FW_A] nat address-group 2
HRP_M[FW_A-address-group-2] section 0 2.2.2.3 2.2.2.3
HRP_M[FW_A-address-group-2] quit
```

```
# Configure the NAT policy.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat_1
HRP_M[FW_A-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_1] destination-zone isp1
HRP_M[FW_A-policy-nat-rule-policy_nat_1] action source-nat address-group 1
HRP_M[FW_A-policy-nat-rule-policy_nat_1] quit
HRP_M[FW_A-policy-nat] rule name policy_nat_2
HRP_M[FW_A-policy-nat-rule-policy_nat_2] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_2] destination-zone isp2
HRP_M[FW_A-policy-nat-rule-policy_nat_2] action source-nat address-group 2
HRP_M[FW_A-policy-nat-rule-policy_nat_2] quit
HRP_M[FW_A-policy-nat] quit
```
- On the intranet devices, configure default routes: set the next hop for Department A users to 10.3.0.3, the virtual IP address of VRRP group 3, and the next hop for Department B users to 10.3.0.4, the virtual IP address of VRRP group 4.
Configuration Scripts

FW_A:

```
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
hrp mirror session enable
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.1 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone isp1
 set priority 10
 add interface GigabitEthernet 0/0/1
#
firewall zone isp2
 set priority 15
 add interface GigabitEthernet 0/0/2
#
nat address-group 1
 section 0 1.1.1.3 1.1.1.3
nat address-group 2
 section 0 2.2.2.3 2.2.2.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
#
policy-based-route
 rule name route_policy_isp1
  source-zone trust
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-zone trust
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action source-nat address-group 1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group 2
```

FW_B:

```
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
hrp mirror session enable
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 standby
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone isp1
 set priority 10
 add interface GigabitEthernet 0/0/1
#
firewall zone isp2
 set priority 15
 add interface GigabitEthernet 0/0/2
#
nat address-group 1
 section 0 1.1.1.3 1.1.1.3
nat address-group 2
 section 0 2.2.2.3 2.2.2.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
#
policy-based-route
 rule name route_policy_isp1
  source-zone trust
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-zone trust
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action source-nat address-group 1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group 2
```
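A pre-deployment consistency check over a pair of scripts in the format above, added here as an example (it is not part of the original page or any vendor tooling): it parses constructed excerpts shaped like the FW_A and FW_B scripts and flags the mistakes that quietly break a load-sharing pair, namely a heartbeat `remote` that is not the peer's heartbeat address, a VRRP group that is active (or standby) on both FWs, and a `source-nat` rule that names no defined address group. The function names `parse` and `check_pair` are assumptions of this example.

```python
import re

# Constructed excerpts shaped like the page's scripts; FW_B is derived from FW_A with two deliberate
# defects (VRID 1 active on both FWs, a source-nat rule naming no address group) for the checker to find.
FW_A_CFG = """hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
nat address-group 1
nat-policy
  action source-nat address-group 1
"""
FW_B_CFG = (FW_A_CFG.replace("remote 10.10.0.2", "remote 10.10.0.1").replace("1.1.1.1 ", "1.1.1.2 ")
            .replace("10.10.0.1 255", "10.10.0.2 255").replace("source-nat address-group 1", "source-nat address-group"))

def parse(cfg):
    """Collect interface IPs, VRRP groups, HRP heartbeat settings and NAT address-group usage."""
    ifaces, vrrp, iface = {}, {}, None
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith("interface "):
            iface = s[len("interface "):]
        elif (m := re.match(r"ip address (\S+) ", s)) and iface:
            ifaces[iface] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", s):
            vrrp[int(m.group(1))] = (m.group(2), m.group(3))
    hrp = re.search(r"^hrp interface (.+?) remote (\S+)", cfg, re.M)
    return {"ifaces": ifaces, "vrrp": vrrp, "hrp": hrp.groups() if hrp else (None, None),
            "nat_groups": set(re.findall(r"^nat address-group (\d+)", cfg, re.M)),
            "nat_refs": re.findall(r"source-nat address-group ?(\d*)$", cfg, re.M)}

def check_pair(cfg_a, cfg_b):
    """Return findings for an HRP pair; an empty list means the two configs are consistent."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for name, me, peer in (("FW_A", a, b), ("FW_B", b, a)):
        # 'hrp ... remote' must be the address the peer holds on its own heartbeat interface.
        if me["hrp"][1] != peer["ifaces"].get(peer["hrp"][0]):
            out.append(f"{name}: hrp remote {me['hrp'][1]} is not the peer heartbeat address")
        for ref in me["nat_refs"]:  # every source-nat rule must name a group defined on this FW
            if ref not in me["nat_groups"]:
                out.append(f"{name}: source-nat references address-group '{ref}', which is not defined")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        # Same VIP on both sides and exactly one side active, else the VIP is unreachable or claimed twice.
        ga, gb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if not (ga and gb) or ga[0] != gb[0]:
            out.append(f"vrid {vrid}: missing on one FW or virtual-ip differs")
        elif ga[1] == gb[1]:
            out.append(f"vrid {vrid}: both FWs are {ga[1]}")
    return out
```

Running `check_pair(FW_A_CFG, FW_B_CFG)` reports the two seeded defects; fixing them in FW_B yields an empty list.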