防火墙直路部署，上下行连接交换机的负载分担组网

介绍了业务接口工作在三层，上下行连接交换机的负载分担组网的CLI举例。

组网需求

如图1所示，两台FW的业务接口都工作在三层，上下行分别连接二层交换机。上行交换机连接运营商的接入点，运营商为企业分配的IP地址为1.1.1.3和1.1.1.4。现在希望两台FW以负载分担方式工作。正常情况下，FW_A和FW_B共同转发流量。当其中一台FW出现故障时，另外一台FW转发全部业务，保证业务不中断。

图1 业务接口工作在三层，上下行连接交换机的负载分担组网

操作步骤

完成网络基本配置。

FW_A	FW_B
# 配置FW各接口的IP地址。
<FW_A> system-view [FW_A] interface GigabitEthernet 0/0/1 [FW_A-GigabitEthernet0/0/1] ip address 10.2.0.1 24 [FW_A-GigabitEthernet0/0/1] quit [FW_A] interface GigabitEthernet 0/0/3 [FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24 [FW_A-GigabitEthernet0/0/3] quit [FW_A] interface GigabitEthernet 0/0/7 [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24 [FW_A-GigabitEthernet0/0/7] quit	<FW_B> system-view [FW_B] interface GigabitEthernet 0/0/1 [FW_B-GigabitEthernet0/0/1] ip address 10.2.0.2 24 [FW_B-GigabitEthernet0/0/1] quit [FW_B] interface GigabitEthernet 0/0/3 [FW_B-GigabitEthernet0/0/3] ip address 10.3.0.2 24 [FW_B-GigabitEthernet0/0/3] quit [FW_B] interface GigabitEthernet 0/0/7 [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24 [FW_B-GigabitEthernet0/0/7] quit
# 将FW各接口加入相应的安全区域。
[FW_A] firewall zone untrust [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1 [FW_A-zone-untrust] quit [FW_A] firewall zone trust [FW_A-zone-trust] add interface GigabitEthernet 0/0/3 [FW_A-zone-trust] quit [FW_A] firewall zone dmz [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7 [FW_A-zone-dmz] quit	[FW_B] firewall zone untrust [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1 [FW_B-zone-untrust] quit [FW_B] firewall zone trust [FW_B-zone-trust] add interface GigabitEthernet 0/0/3 [FW_B-zone-trust] quit [FW_B] firewall zone dmz [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7 [FW_B-zone-dmz] quit
# 在FW上配置一条缺省路由，下一跳为1.1.1.10，使内网用户的流量可以正常转发至Router。
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10	[FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

配置VRRP备份组。

为了实现负载分担组网需要在每个业务接口上配置两个VRRP备份组，一个设置状态为Active，另一个设置状态为Standby。

FW_A	FW_B
# 在FW_A上行业务接口GE0/0/1上配置VRRP备份组1，并将其状态设置为Active；配置VRRP备份组2，并将其状态设置为Standby。在FW_B上行业务接口GE0/0/1上配置VRRP备份组1，并将其状态设置为Standby；配置VRRP备份组2，并将其状态设置为Active。需要注意的是：如果接口的IP地址与VRRP备份组地址不在同一网段，则配置VRRP备份组地址时需要指定掩码。
[FW_A] interface GigabitEthernet 0/0/1 [FW_A-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 active [FW_A-GigabitEthernet0/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 standby [FW_A-GigabitEthernet0/0/1] quit	[FW_B] interface GigabitEthernet 0/0/1 [FW_B-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 standby [FW_B-GigabitEthernet0/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 active [FW_B-GigabitEthernet0/0/1] quit
# 在FW_A下行业务接口GE0/0/3上配置VRRP备份组3，并将其状态设置为Active；配置VRRP备份组4，并将其状态设置为Standby。在FW_B下行业务接口GE0/0/3上配置VRRP备份组3，并将其状态设置为Standby；配置VRRP备份组4，并将其状态设置为Active。
[FW_A] interface GigabitEthernet 0/0/3 [FW_A-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active [FW_A-GigabitEthernet0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby [FW_A-GigabitEthernet0/0/3] quit	[FW_B] interface GigabitEthernet 0/0/3 [FW_B-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby [FW_B-GigabitEthernet0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active [FW_B-GigabitEthernet0/0/3] quit

配置会话快速备份功能，指定心跳口并启用双机热备功能。

FW_A	FW_B
# 负载分担组网下，两台FW都转发流量，为了防止来回路径不一致，需要在两台FW上都配置会话快速备份功能。
[FW_A] hrp mirror session enable	[FW_B] hrp mirror session enable
# 在FW上指定心跳口并启用双机热备功能。
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 [FW_A] hrp enable	[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 [FW_B] hrp enable

在FW_A上配置安全策略。双机热备状态成功建立后，FW_A的安全策略配置会自动备份到FW_B上。

# 配置安全策略，允许内网用户访问Internet。

HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust  
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit

在FW_A上配置NAT策略。双机热备状态成功建立后，FW_A的NAT策略配置会自动备份到FW_B上。

# 配置NAT策略，当内网用户访问Internet时，将源地址由10.3.0.0/24网段转换为地址池中的地址（1.1.2.5-1.1.2.8）。

HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.2.5 1.1.2.8
HRP_M[FW_A-address-group-group1] route enable
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1  
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24 
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1
HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
HRP_M[FW_A-policy-nat] quit

# 对于双机热备的负载分担组网，为了防止两台设备进行NAT转换时端口冲突，需要在FW_A和FW_B上分别配置可用的端口范围。在FW_A上进行如下配置：

HRP_M[FW_A] hrp nat resource primary-group

FW_A配置此命令后，FW_B上会自动备份此命令，并转换成hrp nat resource secondary-group命令

配置Switch和PC。
# 分别将两台Switch的三个接口加入同一个VLAN，具体配置命令请参考交换机的相关文档。

# 在内网的部分PC上将VRRP备份组3的地址10.3.0.3设置为默认网关，在内网的另一部分PC上将VRRP备份组4的地址10.3.0.4设置为默认网关，从而实现内网流量的负载分担。
配置Router。
# 在Router上配置到NAT地址池的等价路由，路由下一跳分别指向VRRP备份组1和VRRP备份组2的虚拟IP地址。

结果验证

在FW_A和FW_B上执行display vrrp命令，检查VRRP组内接口的状态信息，显示以下信息表示VRRP组建立成功。

FW_A	FW_B
HRP_M<FW_A> display vrrp GigabitEthernet0/0/1 \| Virtual Router 1 State : Master Virtual IP : 1.1.1.3 Master IP : 10.2.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0101 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:00 Last change time : 2015-03-22 16:01:56 UTC+08:00 GigabitEthernet0/0/1 \| Virtual Router 2 State : Backup Virtual IP : 1.1.1.4 Master IP : 10.2.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0102 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:01 Last change time : 2015-03-22 16:01:56 UTC+08:01 GigabitEthernet0/0/3 \| Virtual Router 3 State : Master Virtual IP : 10.3.0.3 Master IP : 10.3.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0103 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:02 Last change time : 2015-03-22 16:01:56 UTC+08:02 GigabitEthernet0/0/3 \| Virtual Router 4 State : Backup Virtual IP : 10.3.0.4 Master IP : 10.3.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0104 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:03 Last change time : 2015-03-22 16:01:56 UTC+08:03	HRP_S<FW_B> display vrrp GigabitEthernet0/0/1 \| Virtual Router 1 State : Backup Virtual IP : 1.1.1.3 Master IP : 10.2.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0101 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:00 Last change time : 2015-03-22 16:01:56 UTC+08:00 GigabitEthernet0/0/1 \| Virtual Router 2 State : Master Virtual IP : 1.1.1.4 Master IP : 10.2.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0102 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:01 Last change time : 2015-03-22 16:01:56 UTC+08:01 GigabitEthernet0/0/3 \| Virtual Router 3 State : Backup Virtual IP : 10.3.0.3 Master IP : 10.3.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0103 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:02 Last change time : 2015-03-22 16:01:56 UTC+08:02 GigabitEthernet0/0/3 \| Virtual Router 4 State : Master Virtual IP : 10.3.0.4 Master IP : 10.3.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES Delay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0104 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2015-03-17 17:35:54 UTC+08:03 Last change time : 2015-03-22 16:01:56 UTC+08:03

FW_A

FW_B

HRP_M<FW_A> display vrrp
 GigabitEthernet0/0/1 | Virtual Router 1
    State : Master                  
    Virtual IP : 1.1.1.3            
    Master IP : 10.2.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0101    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:00
    Last change time : 2015-03-22 16:01:56 UTC+08:00

 GigabitEthernet0/0/1 | Virtual Router 2
    State : Backup                  
    Virtual IP : 1.1.1.4            
    Master IP : 10.2.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0102    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:01
    Last change time : 2015-03-22 16:01:56 UTC+08:01

 GigabitEthernet0/0/3 | Virtual Router 3
    State : Master                  
    Virtual IP : 10.3.0.3            
    Master IP : 10.3.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0103    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:02
    Last change time : 2015-03-22 16:01:56 UTC+08:02

 GigabitEthernet0/0/3 | Virtual Router 4
    State : Backup                  
    Virtual IP : 10.3.0.4            
    Master IP : 10.3.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0104    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:03
    Last change time : 2015-03-22 16:01:56 UTC+08:03

HRP_S<FW_B> display vrrp
 GigabitEthernet0/0/1 | Virtual Router 1
    State : Backup                  
    Virtual IP : 1.1.1.3            
    Master IP : 10.2.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0101    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:00 
    Last change time : 2015-03-22 16:01:56 UTC+08:00

 GigabitEthernet0/0/1 | Virtual Router 2
    State : Master                  
    Virtual IP : 1.1.1.4            
    Master IP : 10.2.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0102    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:01
    Last change time : 2015-03-22 16:01:56 UTC+08:01

 GigabitEthernet0/0/3 | Virtual Router 3
    State : Backup                  
    Virtual IP : 10.3.0.3            
    Master IP : 10.3.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0103    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:02  
    Last change time : 2015-03-22 16:01:56 UTC+08:02  

 GigabitEthernet0/0/3 | Virtual Router 4
    State : Master                  
    Virtual IP : 10.3.0.4            
    Master IP : 10.3.0.1             
    PriorityRun : 120               
    PriorityConfig : 100            
    MasterPriority : 120            
    Preempt : YES   Delay Time : 0 s
    TimerRun : 60 s                 
    TimerConfig : 60 s              
    Auth type : NONE                
    Virtual MAC : 0000-5e00-0104    
    Check TTL : YES                 
    Config type : vgmp-vrrp         
    Backup-forward : disabled       
    Create time : 2015-03-17 17:35:54 UTC+08:03
    Last change time : 2015-03-22 16:01:56 UTC+08:03

在FW_A和FW_B上执行display hrp state verbose命令，检查当前VGMP组的状态，显示以下信息表示双机热备建立成功。

FW_A	FW_B
HRP_M<FW_A> display hrp state verbose Role: active, peer: active Running priority: 45000, peer: 45000 Backup channel usage: 30% Stable time: 1 days, 13 hours, 35 minutes Last state change information: 2019-03-16 11:08:14 HRP core state changed, old_ state = normal(active), new_state = normal(active), local_priority = 45000, peer_priority = 45000. Configuration: hello interval: 1000ms preempt: 60s mirror configuration: off mirror session: on track trunk member: on auto-sync configuration: on auto-sync connection-status: on adjust ospf-cost: on adjust ospfv3-cost: on adjust bgp-cost: on nat resource: primary Detail information: GigabitEthernet0/0/1 vrrp vrid 1: active GigabitEthernet0/0/1 vrrp vrid 2: standby GigabitEthernet0/0/3 vrrp vrid 3: active GigabitEthernet0/0/3 vrrp vrid 4: standby	HRP_S<FW_B> display hrp state verbose Role: active, peer: active Running priority: 45000, peer: 45000 Backup channel usage: 30% Stable time: 1 days, 13 hours, 35 minutes Last state change information: 2019-03-16 11:10:14 HRP link changes to up. Configuration: hello interval: 1000ms preempt: 60s mirror configuration: off mirror session: on track trunk member: on auto-sync configuration: on auto-sync connection-status: on adjust ospf-cost: on adjust ospfv3-cost: on adjust bgp-cost: on nat resource: secondary Detail information: GigabitEthernet0/0/1 vrrp vrid 1: standby GigabitEthernet0/0/1 vrrp vrid 2: active GigabitEthernet0/0/3 vrrp vrid 3: standby GigabitEthernet0/0/3 vrrp vrid 4: active

FW_A

FW_B

HRP_M<FW_A> display hrp state verbose
 Role: active, peer: active        
 Running priority: 45000, peer: 45000        
 Backup channel usage: 30%           
 Stable time: 1 days, 13 hours, 35 minutes     
 Last state change information: 2019-03-16 11:08:14 HRP core state changed, old_
state = normal(active), new_state = normal(active), local_priority = 45000,
 peer_priority = 45000.       

 Configuration:                     
 hello interval:              1000ms
 preempt:                     60s   
 mirror configuration:        off   
 mirror session:              on   
 track trunk member:          on    
 auto-sync configuration:     on    
 auto-sync connection-status: on    
 adjust ospf-cost:            on    
 adjust ospfv3-cost:          on    
 adjust bgp-cost:             on    
 nat resource:                primary    
   
 Detail information:                
           GigabitEthernet0/0/1 vrrp vrid 1: active
           GigabitEthernet0/0/1 vrrp vrid 2: standby
           GigabitEthernet0/0/3 vrrp vrid 3: active
           GigabitEthernet0/0/3 vrrp vrid 4: standby

HRP_S<FW_B> display hrp state verbose
 Role: active, peer: active        
 Running priority: 45000, peer: 45000        
 Backup channel usage: 30%           
 Stable time: 1 days, 13 hours, 35 minutes     
 Last state change information: 2019-03-16 11:10:14 HRP link changes to up.

 Configuration:                     
 hello interval:              1000ms
 preempt:                     60s   
 mirror configuration:        off   
 mirror session:              on   
 track trunk member:          on    
 auto-sync configuration:     on    
 auto-sync connection-status: on    
 adjust ospf-cost:            on    
 adjust ospfv3-cost:          on    
 adjust bgp-cost:             on    
 nat resource:                secondary   
   
 Detail information:                
           GigabitEthernet0/0/1 vrrp vrid 1: standby
           GigabitEthernet0/0/1 vrrp vrid 2: active
           GigabitEthernet0/0/3 vrrp vrid 3: standby
           GigabitEthernet0/0/3 vrrp vrid 4: active

Router位于Untrust区域。在Trust区域的PC端能够ping通Untrust区域的Router。分别在FW_A和FW_B上检查会话。

FW_A	FW_B
HRP_M<FW_A> display firewall session table Current Total Sessions : 1 icmp VPN: public --> public 10.3.0.10:0[1.1.2.5:10298] --> 1.1.1.10:2048	HRP_S<FW_B> display firewall session table Current Total Sessions : 1 icmp VPN:public --> public Remote 10.3.0.10:0[1.1.2.5:10298] --> 1.1.1.10:2048

FW_A

FW_B

HRP_M<FW_A> display firewall session table

 Current Total Sessions : 1
  icmp  VPN: public --> public 10.3.0.10:0[1.1.2.5:10298] --> 1.1.1.10:2048

HRP_S<FW_B> display firewall session table

 Current Total Sessions : 1
  icmp  VPN:public --> public  Remote 10.3.0.10:0[1.1.2.5:10298] --> 1.1.1.10:2048

可以看出FW_B上存在带有Remote标记的会话，表示配置双机热备功能后，会话备份成功。

在PC上执行ping 1.1.1.10 -t，然后将FW_A GE0/0/1接口网线拨出，观察防火墙状态切换及ping包丢包情况；再将FW_A GE0/0/1接口网线恢复，观察防火墙状态切换及ping包丢包情况。

配置脚本

FW_A	FW_B
# hrp enable hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 hrp mirror session enable hrp nat resource primary-group # interface GigabitEthernet 0/0/1 ip address 10.2.0.1 255.255.255.0 vrrp vrid 1 virtual-ip 1.1.1.3 255.255.255.0 active vrrp vrid 2 virtual-ip 1.1.1.4 255.255.255.0 standby # interface GigabitEthernet 0/0/3 ip address 10.3.0.1 255.255.255.0 vrrp vrid 3 virtual-ip 10.3.0.3 active vrrp vrid 4 virtual-ip 10.3.0.4 standby # interface GigabitEthernet 0/0/7 ip address 10.10.0.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/3 # firewall zone dmz set priority 50 add interface GigabitEthernet0/0/7 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.10 # nat address-group group1 route enable section 0 1.1.2.5 1.1.2.8 # security-policy rule name trust_to_untrust source-zone trust destination-zone untrust source-address 10.3.0.0 24 action permit # nat-policy rule name policy_nat1 source-zone trust destination-zone untrust source-address 10.3.0.0 24 action source-nat address-group group1	# hrp enable hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 hrp mirror session enable hrp nat resource secondary-group # interface GigabitEthernet 0/0/1 ip address 10.2.0.2 255.255.255.0 vrrp vrid 1 virtual-ip 1.1.1.3 255.255.255.0 standby vrrp vrid 2 virtual-ip 1.1.1.4 255.255.255.0 active # interface GigabitEthernet 0/0/3 ip address 10.3.0.2 255.255.255.0 vrrp vrid 3 virtual-ip 10.3.0.3 standby vrrp vrid 4 virtual-ip 10.3.0.4 active # interface GigabitEthernet 0/0/7 ip address 10.10.0.2 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/3 # firewall zone dmz set priority 50 add interface GigabitEthernet0/0/7 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.10 # nat address-group group1 route enable section 0 1.1.2.5 1.1.2.8 # security-policy rule name trust_to_untrust source-zone trust destination-zone untrust source-address 10.3.0.0 24 action permit # nat-policy rule name policy_nat1 source-zone trust destination-zone untrust source-address 10.3.0.0 24 action source-nat address-group group1

FW_A

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp mirror session enable
 hrp nat resource primary-group
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 255.255.255.0 active
 vrrp vrid 2 virtual-ip 1.1.1.4 255.255.255.0 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz  
 set priority 50   
 add interface GigabitEthernet0/0/7
#
firewall zone untrust
 set priority 5   
 add interface GigabitEthernet 0/0/1
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#    
 nat address-group group1
  route enable 
  section 0 1.1.2.5 1.1.2.8
#    
security-policy  
 rule name trust_to_untrust
  source-zone trust  
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit    
#    
nat-policy  
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24 
  action source-nat address-group group1

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp mirror session enable
 hrp nat resource secondary-group
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 255.255.255.0 standby
 vrrp vrid 2 virtual-ip 1.1.1.4 255.255.255.0 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz  
 set priority 50   
 add interface GigabitEthernet0/0/7
#
firewall zone untrust
 set priority 5 
 add interface GigabitEthernet 0/0/1
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#    
 nat address-group group1 
  route enable 
  section 0 1.1.2.5 1.1.2.8
#    
security-policy  
 rule name trust_to_untrust
  source-zone trust  
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit    
#    
nat-policy  
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24 
  action source-nat address-group group1