This example describes the CLI configuration of hot standby (HRP) in active/standby backup mode when virtual systems are configured on the FW and both the upstream and the downstream side connect through switches. FW_A is the active unit and FW_B the standby; the root system (public) and the virtual system (vsysa) each get their own interfaces, VRRP backup groups, default route, security policy and NAT policy, and HRP replicates the configuration and sessions of both systems to the standby unit.
Data plan

FW_A

| Item | Data | Description |
|---|---|---|
| Interface | Interface: GigabitEthernet 0/0/1; IP address: 192.168.0.2/24; security zone: Untrust | Root system (public) public-network interface |
| | Interface: GigabitEthernet 0/0/2; IP address: 10.3.1.2/24; security zone: Trust | Root system (public) private-network interface |
| | Interface: GigabitEthernet 0/0/3; IP address: 192.168.1.2/24; security zone: Untrust | Virtual system (vsysa) public-network interface |
| | Interface: GigabitEthernet 0/0/4; IP address: 10.3.2.2/24; security zone: Trust | Virtual system (vsysa) private-network interface |
| | Interface: GigabitEthernet 0/0/7; IP address: 10.10.0.1/24; security zone: DMZ | Heartbeat interface |
| VRRP backup group | VRRP backup group 1: 1.1.1.1/24, active | On GigabitEthernet 0/0/1 (public) |
| | VRRP backup group 2: 10.3.1.1/24, active | On GigabitEthernet 0/0/2 (public) |
| | VRRP backup group 3: 2.2.2.2/24, active | On GigabitEthernet 0/0/3 (vsysa) |
| | VRRP backup group 4: 10.3.2.1/24, active | On GigabitEthernet 0/0/4 (vsysa) |
| Route | Destination: 0.0.0.0; next hop: 1.1.1.254 | Root system (public) default route |
| | Destination: 0.0.0.0; next hop: 2.2.2.254 | Virtual system (vsysa) default route |

FW_B

| Item | Data | Description |
|---|---|---|
| Interface | Interface: GigabitEthernet 0/0/1; IP address: 192.168.0.3/24; security zone: Untrust | Root system (public) public-network interface |
| | Interface: GigabitEthernet 0/0/2; IP address: 10.3.1.3/24; security zone: Trust | Root system (public) private-network interface |
| | Interface: GigabitEthernet 0/0/3; IP address: 192.168.1.3/24; security zone: Untrust | Virtual system (vsysa) public-network interface |
| | Interface: GigabitEthernet 0/0/4; IP address: 10.3.2.3/24; security zone: Trust | Virtual system (vsysa) private-network interface |
| | Interface: GigabitEthernet 0/0/7; IP address: 10.10.0.2/24; security zone: DMZ | Heartbeat interface |
| VRRP backup group | VRRP backup group 1: 1.1.1.1/24, standby | On GigabitEthernet 0/0/1 (public) |
| | VRRP backup group 2: 10.3.1.1/24, standby | On GigabitEthernet 0/0/2 (public) |
| | VRRP backup group 3: 2.2.2.2/24, standby | On GigabitEthernet 0/0/3 (vsysa) |
| | VRRP backup group 4: 10.3.2.1/24, standby | On GigabitEthernet 0/0/4 (vsysa) |
| Route | Destination: 0.0.0.0; next hop: 1.1.1.254 | Root system (public) default route |
| | Destination: 0.0.0.0; next hop: 2.2.2.254 | Virtual system (vsysa) default route |

The two units differ only in their real interface addresses and in the VRRP role; the VRRP group numbers, virtual IP addresses, zones, routes and the virtual system itself must be identical on both.

Switches

| Device | VLAN | Member interface 1 | Member interface 2 | Member interface 3 |
|---|---|---|---|---|
| switch1 | 10 (public) | GE0/0/15 | GE0/0/16 | GE0/0/17 |
| | 30 (vsysa) | GE0/0/18 | GE0/0/19 | GE0/0/20 |
| switch2 | 20 (public) | GE0/0/15 | GE0/0/16 | GE0/0/17 |
| | 40 (vsysa) | GE0/0/18 | GE0/0/19 | GE0/0/20 |
Procedure
- Create the virtual system vsysa and assign interfaces to it.
Make sure the virtual system name and ID are identical on FW_A and FW_B. After the virtual system has been created, run the display vsys command on each unit and compare the results.
# Enable the virtual system function on the FW.
```
<FW_A> system-view
[FW_A] vsys enable
```
```
<FW_B> system-view
[FW_B] vsys enable
```
# Create the virtual system on the FW, assign its interfaces, and assign it the public address 2.2.2.2 for exclusive use (this address is later used as vsysa's VRRP virtual IP and NAT pool address).
```
[FW_A] vsys name vsysa
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/3
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/4
[FW_A-vsys-vsysa] assign global-ip 2.2.2.2 2.2.2.2 exclusive
[FW_A-vsys-vsysa] quit
```
```
[FW_B] vsys name vsysa
[FW_B-vsys-vsysa] assign interface GigabitEthernet 0/0/3
[FW_B-vsys-vsysa] assign interface GigabitEthernet 0/0/4
[FW_B-vsys-vsysa] assign global-ip 2.2.2.2 2.2.2.2 exclusive
[FW_B-vsys-vsysa] quit
```
- Configure the interfaces.
# Configure the IP addresses and VRRP backup groups of the root system interfaces on the FW. Both units use the same VRID and virtual IP on a given interface, with the role set to active on FW_A and standby on FW_B.
```
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 192.168.0.2 24
[FW_A-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 10.3.1.2 24
[FW_A-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 10.3.1.1 24 active
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] interface GigabitEthernet 0/0/7
[FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet0/0/7] quit
```
```
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 192.168.0.3 24
[FW_B-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 10.3.1.3 24
[FW_B-GigabitEthernet0/0/2] vrrp vrid 2 virtual-ip 10.3.1.1 24 standby
[FW_B-GigabitEthernet0/0/2] quit
[FW_B] interface GigabitEthernet 0/0/7
[FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet0/0/7] quit
```
# Assign the root system interfaces to security zones on the FW. The heartbeat interface goes into its own zone (DMZ) and is not shared with user traffic.
```
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/2
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit
```
```
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/2
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
```
# Configure the IP addresses and VRRP backup groups of the virtual system interfaces on the FW.
```
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 192.168.1.2 24
[FW_A-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 2.2.2.2 24 active
[FW_A-GigabitEthernet0/0/3] quit
[FW_A] interface GigabitEthernet 0/0/4
[FW_A-GigabitEthernet0/0/4] ip address 10.3.2.2 24
[FW_A-GigabitEthernet0/0/4] vrrp vrid 4 virtual-ip 10.3.2.1 24 active
[FW_A-GigabitEthernet0/0/4] quit
```
```
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 192.168.1.3 24
[FW_B-GigabitEthernet0/0/3] vrrp vrid 3 virtual-ip 2.2.2.2 24 standby
[FW_B-GigabitEthernet0/0/3] quit
[FW_B] interface GigabitEthernet 0/0/4
[FW_B-GigabitEthernet0/0/4] ip address 10.3.2.3 24
[FW_B-GigabitEthernet0/0/4] vrrp vrid 4 virtual-ip 10.3.2.1 24 standby
[FW_B-GigabitEthernet0/0/4] quit
```
# Assign the virtual system interfaces to security zones on the FW. Zones belong to the system that owns the interface, so this is done from inside vsysa after switch vsys.
```
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] firewall zone untrust
[FW_A-vsysa-zone-untrust] add interface GigabitEthernet 0/0/3
[FW_A-vsysa-zone-untrust] quit
[FW_A-vsysa] firewall zone trust
[FW_A-vsysa-zone-trust] add interface GigabitEthernet 0/0/4
[FW_A-vsysa-zone-trust] quit
[FW_A-vsysa] quit
```
```
[FW_B] switch vsys vsysa
<FW_B-vsysa> system-view
[FW_B-vsysa] firewall zone untrust
[FW_B-vsysa-zone-untrust] add interface GigabitEthernet 0/0/3
[FW_B-vsysa-zone-untrust] quit
[FW_B-vsysa] firewall zone trust
[FW_B-vsysa-zone-trust] add interface GigabitEthernet 0/0/4
[FW_B-vsysa-zone-trust] quit
[FW_B-vsysa] quit
```
- Configure static routes.
# Configure the root system's default route to the public network on the FW; the next hop is the ISP router's address.
```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
```
```
[FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
```
# Configure the virtual system's default route to the public network on the FW; the next hop is the ISP router's address. Each system has its own routing table, so the route is entered from inside vsysa.
```
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254
[FW_A-vsysa] quit
```
```
[FW_B] switch vsys vsysa
<FW_B-vsysa> system-view
[FW_B-vsysa] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254
[FW_B-vsysa] quit
```
- Configure hot standby.
# Specify the heartbeat interface on the FW and enable hot standby. The remote address is the peer's heartbeat interface address; the heartbeat link carries the configuration and session backup between the two units, which is why it is a dedicated interface. Once HRP is established, the prompt changes to HRP_M on the active unit and HRP_S on the standby.
```
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable
```
```
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
```
- Configure security policies.
After HRP has been established, the security policy configured on FW_A is automatically backed up to FW_B, so it is configured once, on the active unit (HRP_M prompt). The root system and vsysa each have their own policy set: the root rule only matches 10.3.1.0/24 and the vsysa rule only 10.3.2.0/24, so neither system's rule opens a path through the other.
# Configure the root system's security policy to allow private-network users to access the public network.
```
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec
HRP_M[FW_A-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec] source-address 10.3.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-policy-security-rule-policy_sec] quit
HRP_M[FW_A-policy-security] quit
```
# Configure the virtual system's security policy to allow private-network users to access the public network.
```
HRP_M[FW_A] switch vsys vsysa
HRP_M<FW_A-vsysa> system-view
HRP_M[FW_A-vsysa] security-policy
HRP_M[FW_A-vsysa-policy-security] rule name policy_sec
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-address 10.3.2.0 24
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] quit
HRP_M[FW_A-vsysa-policy-security] quit
HRP_M[FW_A-vsysa] quit
```
- Configure NAT policies.
After HRP has been established, the NAT policy configured on FW_A is automatically backed up to FW_B. Each NAT address pool holds the system's VRRP virtual IP (1.1.1.1 for the root system, 2.2.2.2 for vsysa) rather than either unit's real interface address, so translated traffic keeps the same public source address after a switchover.
# Configure the root system's NAT policy to allow private-network users to access the public network.
```
HRP_M[FW_A] nat address-group addressgroup1
HRP_M[FW_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.1
HRP_M[FW_A-address-group-addressgroup1] route enable
HRP_M[FW_A-address-group-addressgroup1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat
HRP_M[FW_A-policy-nat-rule-policy_nat] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat] source-address 10.3.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
HRP_M[FW_A-policy-nat-rule-policy_nat] quit
HRP_M[FW_A-policy-nat] quit
```
# Configure the virtual system's NAT policy to allow private-network users to access the public network.
```
HRP_M[FW_A] switch vsys vsysa
HRP_M<FW_A-vsysa> system-view
HRP_M[FW_A-vsysa] nat address-group addressgroup1
HRP_M[FW_A-vsysa-address-group-addressgroup1] section 0 2.2.2.2 2.2.2.2
HRP_M[FW_A-vsysa-address-group-addressgroup1] route enable
HRP_M[FW_A-vsysa-address-group-addressgroup1] quit
HRP_M[FW_A-vsysa] nat-policy
HRP_M[FW_A-vsysa-policy-nat] rule name policy_nat
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] source-zone trust
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] destination-zone untrust
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] source-address 10.3.2.0 24
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] quit
HRP_M[FW_A-vsysa-policy-nat] quit
HRP_M[FW_A-vsysa] quit
```
- Configure the switches.
This example uses Huawei switches. VLANs 10 and 20 carry the root system and VLANs 30 and 40 carry vsysa, so the two systems stay in separate broadcast domains and each VRRP group only sees its own peer.
# Configure switch1.
```
[switch1] vlan batch 10 30
[switch1] interface GigabitEthernet 0/0/15
[switch1-GigabitEthernet0/0/15] port link-type access
[switch1-GigabitEthernet0/0/15] port default vlan 10
[switch1-GigabitEthernet0/0/15] quit
[switch1] interface GigabitEthernet 0/0/16
[switch1-GigabitEthernet0/0/16] port link-type access
[switch1-GigabitEthernet0/0/16] port default vlan 10
[switch1-GigabitEthernet0/0/16] quit
[switch1] interface GigabitEthernet 0/0/17
[switch1-GigabitEthernet0/0/17] port link-type access
[switch1-GigabitEthernet0/0/17] port default vlan 10
[switch1-GigabitEthernet0/0/17] quit
[switch1] interface GigabitEthernet 0/0/18
[switch1-GigabitEthernet0/0/18] port link-type access
[switch1-GigabitEthernet0/0/18] port default vlan 30
[switch1-GigabitEthernet0/0/18] quit
[switch1] interface GigabitEthernet 0/0/19
[switch1-GigabitEthernet0/0/19] port link-type access
[switch1-GigabitEthernet0/0/19] port default vlan 30
[switch1-GigabitEthernet0/0/19] quit
[switch1] interface GigabitEthernet 0/0/20
[switch1-GigabitEthernet0/0/20] port link-type access
[switch1-GigabitEthernet0/0/20] port default vlan 30
[switch1-GigabitEthernet0/0/20] quit
```
# Configure switch2. Here GE0/0/17 and GE0/0/20 are trunk ports that only allow their own VLAN (20 and 40 respectively), so the private-network side of each system still cannot reach the other's VLAN.
```
[switch2] vlan batch 20 40
[switch2] interface GigabitEthernet 0/0/15
[switch2-GigabitEthernet0/0/15] port link-type access
[switch2-GigabitEthernet0/0/15] port default vlan 20
[switch2-GigabitEthernet0/0/15] quit
[switch2] interface GigabitEthernet 0/0/16
[switch2-GigabitEthernet0/0/16] port link-type access
[switch2-GigabitEthernet0/0/16] port default vlan 20
[switch2-GigabitEthernet0/0/16] quit
[switch2] interface GigabitEthernet 0/0/17
[switch2-GigabitEthernet0/0/17] port link-type trunk
[switch2-GigabitEthernet0/0/17] port trunk allow-pass vlan 20
[switch2-GigabitEthernet0/0/17] quit
[switch2] interface GigabitEthernet 0/0/18
[switch2-GigabitEthernet0/0/18] port link-type access
[switch2-GigabitEthernet0/0/18] port default vlan 40
[switch2-GigabitEthernet0/0/18] quit
[switch2] interface GigabitEthernet 0/0/19
[switch2-GigabitEthernet0/0/19] port link-type access
[switch2-GigabitEthernet0/0/19] port default vlan 40
[switch2-GigabitEthernet0/0/19] quit
[switch2] interface GigabitEthernet 0/0/20
[switch2-GigabitEthernet0/0/20] port link-type trunk
[switch2-GigabitEthernet0/0/20] port trunk allow-pass vlan 40
[switch2-GigabitEthernet0/0/20] quit
```
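The steps above are entered twice, once per unit, and the usual way an HRP pair fails to form is a small difference between the two halves (a typo in the vsys name, a VRID or virtual IP that differs, the same real address on both boxes, or a heartbeat remote pointing at the wrong peer). As an added example (not Huawei's own tooling and not code from this page), the following Python script generates the FW_A and FW_B command sets from one shared data plan and checks the two halves against each other before anything is pasted into a console. The command strings are the ones used in the steps above; the data classes, function names and check messages are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Iface:
    name: str                   # e.g. "GigabitEthernet 0/0/1"
    ip: str                     # this unit's real address, CIDR form
    zone: str                   # untrust / trust / dmz
    vsys: str = "public"        # owning system: root ("public") or a virtual system
    vrid: Optional[int] = None  # VRRP backup group; None on the heartbeat link
    vip: Optional[str] = None   # virtual IP shared with the peer, CIDR form


@dataclass
class FwPlan:
    host: str                   # FW_A / FW_B
    role: str                   # "active" or "standby"
    ifaces: List[Iface]
    heartbeat: str              # name of the heartbeat interface
    routes: Dict[str, str]      # system name -> default-route next hop
    vsys_name: str = "vsysa"
    vsys_global_ip: str = "2.2.2.2"


def check_pair(a: FwPlan, b: FwPlan) -> List[str]:
    """Mismatches that would stop HRP from forming or leave the two units
    with different policy surfaces. An empty list means the plans agree."""
    problems = []
    if {a.role, b.role} != {"active", "standby"}:
        problems.append("one unit must be active and the other standby")
    if a.vsys_name != b.vsys_name:
        problems.append("virtual system name differs (compare display vsys on both)")
    if a.routes != b.routes:
        problems.append("default routes differ between the two units")
    by_name = {i.name: i for i in b.ifaces}
    for ia in a.ifaces:
        ib = by_name.get(ia.name)
        if ib is None:
            problems.append(f"{ia.name} is missing on {b.host}")
            continue
        if (ia.zone, ia.vsys, ia.vrid, ia.vip) != (ib.zone, ib.vsys, ib.vrid, ib.vip):
            problems.append(f"{ia.name}: zone, system, VRRP group or virtual IP differ")
        if ia.ip == ib.ip:
            problems.append(f"{ia.name}: both units use the real address {ia.ip}")
    return problems


def _addr(cidr: str) -> str:
    """'192.168.0.2/24' -> '192.168.0.2 24', the form the ip address command takes."""
    ip, prefix = cidr.split("/")
    return f"{ip} {prefix}"


def render(me: FwPlan, peer: FwPlan) -> List[str]:
    """CLI for one unit, in the order the steps above use."""
    peer_hb = next(i for i in peer.ifaces if i.name == peer.heartbeat)
    out = ["system-view", "vsys enable", f"vsys name {me.vsys_name}"]
    out += [f" assign interface {i.name}" for i in me.ifaces if i.vsys == me.vsys_name]
    out += [f" assign global-ip {me.vsys_global_ip} {me.vsys_global_ip} exclusive", " quit"]
    for i in me.ifaces:
        out += [f"interface {i.name}", f" ip address {_addr(i.ip)}"]
        if i.vrid is not None:
            out.append(f" vrrp vrid {i.vrid} virtual-ip {_addr(i.vip)} {me.role}")
        out.append(" quit")
    for system in ("public", me.vsys_name):   # zones and routes live per system
        if system != "public":
            out += [f"switch vsys {system}", "system-view"]
        for i in me.ifaces:
            if i.vsys == system:
                out += [f"firewall zone {i.zone}", f" add interface {i.name}", " quit"]
        out.append(f"ip route-static 0.0.0.0 0.0.0.0 {me.routes[system]}")
        if system != "public":
            out.append("quit")
    out += [f"hrp interface {me.heartbeat} remote {peer_hb.ip.split('/')[0]}", "hrp enable"]
    return out


def plan(host: str, role: str, octet: int, hb_ip: str) -> FwPlan:
    """One unit's plan, filled from the data-planning tables above."""
    return FwPlan(host, role, [
        Iface("GigabitEthernet 0/0/1", f"192.168.0.{octet}/24", "untrust", vrid=1, vip="1.1.1.1/24"),
        Iface("GigabitEthernet 0/0/2", f"10.3.1.{octet}/24", "trust", vrid=2, vip="10.3.1.1/24"),
        Iface("GigabitEthernet 0/0/3", f"192.168.1.{octet}/24", "untrust", "vsysa", 3, "2.2.2.2/24"),
        Iface("GigabitEthernet 0/0/4", f"10.3.2.{octet}/24", "trust", "vsysa", 4, "10.3.2.1/24"),
        Iface("GigabitEthernet 0/0/7", hb_ip, "dmz"),
    ], heartbeat="GigabitEthernet 0/0/7", routes={"public": "1.1.1.254", "vsysa": "2.2.2.254"})


FW_A = plan("FW_A", "active", 2, "10.10.0.1/24")
FW_B = plan("FW_B", "standby", 3, "10.10.0.2/24")

if __name__ == "__main__":
    for problem in check_pair(FW_A, FW_B):
        raise SystemExit(f"plan mismatch: {problem}")
    for unit, peer in ((FW_A, FW_B), (FW_B, FW_A)):
        print(f"### {unit.host}")
        print("\n".join(render(unit, peer)))
```

The security and NAT policies are deliberately left out of the generator: they are entered once on the active unit and replicated by HRP, so generating them per device would invite the two units to drift apart.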
Verification
-
Run the display hrp state verbose command on FW_A and FW_B to check the current HRP state. The following output indicates that HRP has been established: the roles are complementary (active on FW_A, standby on FW_B), auto-sync configuration is on, and every VRRP group follows its unit's role.
```
HRP_M[FW_A] display hrp state verbose
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:                1000ms
 preempt:                       60s
 mirror configuration:          off
 mirror session:                off
 track trunk member:            on
 auto-sync configuration:       on
 auto-sync connection-status:   on
 adjust ospf-cost:              on
 adjust ospfv3-cost:            on
 adjust bgp-cost:               on
 nat resource:                  off

 Detail information:
 GigabitEthernet0/0/1 vrid 1: active
 GigabitEthernet0/0/2 vrid 2: active
 GigabitEthernet0/0/3 vrid 3: active
 GigabitEthernet0/0/4 vrid 4: active
```
```
HRP_S[FW_B] display hrp state verbose
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(active), new_state = normal(standby), local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:                1000ms
 preempt:                       60s
 mirror configuration:          off
 mirror session:                off
 track trunk member:            on
 auto-sync configuration:       on
 auto-sync connection-status:   on
 adjust ospf-cost:              on
 adjust ospfv3-cost:            on
 adjust bgp-cost:               on
 nat resource:                  off

 Detail information:
 GigabitEthernet0/0/1 vrid 1: standby
 GigabitEthernet0/0/2 vrid 2: standby
 GigabitEthernet0/0/3 vrid 3: standby
 GigabitEthernet0/0/4 vrid 4: standby
```
-
Access the public network from the private network; the access succeeds. Check the session tables on FW_A and FW_B.
```
HRP_M[FW_A] display firewall session table
 Current Total Sessions : 2
 icmp  VPN:vsysa --> vsysa  10.3.2.10:2057[2.2.2.2:2048]-->2.2.2.254:2048
 icmp  VPN:public --> public  10.3.1.10:2057[1.1.1.1:2048]-->1.1.1.254:2048
```
```
HRP_S[FW_B] display firewall session table
 Current Total Sessions : 2
 icmp  VPN:vsysa --> vsysa Remote 10.3.2.10:2057[2.2.2.2:2048]-->2.2.2.254:2048
 icmp  VPN:public --> public Remote 10.3.1.10:2057[1.1.1.1:2048]-->1.1.1.254:2048
```
FW_B holds sessions flagged Remote, which shows that session backup is working after hot standby was configured. The vsysa session and the root-system session are listed separately (VPN:vsysa and VPN:public), and the address in brackets shows each one translated to its own system's virtual IP (2.2.2.2 and 1.1.1.1), which is what keeps those flows alive through a switchover.
-
From a private-network PC, ping a public-network IP address continuously, then unplug the cable from GigabitEthernet 0/0/1 on FW_A and observe the active/standby switchover and ping packet loss. Reconnect the cable on GigabitEthernet 0/0/1 of FW_A and observe the switchback and packet loss again; the output above shows preempt: 60s, so FW_A returns to the active role roughly a minute after the link is restored.
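The first two verification steps are easy to eyeball once but tedious to repeat after every change or failover test. The following Python checks automate them; this is an added example, not a Huawei tool and not from the original page. The sample outputs are constructed, abbreviated copies of the command output shown above, and the function names and regular expressions are this example's assumptions. It flags the conditions a practitioner looks for: roles that are not complementary (both units claiming active is split brain), a VRRP group whose state disagrees with its unit's role, auto-sync configuration turned off (policies would stop being replicated), and a master session with no Remote copy on the standby.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, trimmed from the display hrp state verbose output above.
FW_A_HRP = """Role: active, peer: standby
Running priority: 45000, peer: 45000
Configuration:
  auto-sync configuration: on
  auto-sync connection-status: on
Detail information:
  GigabitEthernet0/0/1 vrid 1: active
  GigabitEthernet0/0/2 vrid 2: active
  GigabitEthernet0/0/3 vrid 3: active
  GigabitEthernet0/0/4 vrid 4: active
"""
# The standby's view is the same text with the two roles swapped.
FW_B_HRP = (FW_A_HRP.replace("active", "ACTIVE")
                    .replace("standby", "active")
                    .replace("ACTIVE", "standby"))

# Constructed samples, trimmed from the display firewall session table output above.
FW_A_SESS = """Current Total Sessions : 2
  icmp  VPN:vsysa --> vsysa  10.3.2.10:2057[2.2.2.2:2048]-->2.2.2.254:2048
  icmp  VPN:public --> public  10.3.1.10:2057[1.1.1.1:2048]-->1.1.1.254:2048
"""
FW_B_SESS = """Current Total Sessions : 2
  icmp  VPN:vsysa --> vsysa Remote 10.3.2.10:2057[2.2.2.2:2048]-->2.2.2.254:2048
  icmp  VPN:public --> public Remote 10.3.1.10:2057[1.1.1.1:2048]-->1.1.1.254:2048
"""

_SESSION = re.compile(r"^\s*(\w+)\s+VPN:(\S+)\s*-+>\s*(\S+)\s+(Remote\s+)?(\S+)\s*$")
_VRID = re.compile(r"(\S+)\s+vrid\s+(\d+):\s+(\w+)")


def parse_hrp(text: str) -> dict:
    """Role, peer role, auto-sync flag and per-VRID state from display hrp state verbose."""
    role = re.search(r"Role:\s*(\w+),\s*peer:\s*(\w+)", text)
    sync = re.search(r"auto-sync configuration:\s*(\w+)", text)
    return {
        "role": role.group(1), "peer": role.group(2),
        "auto_sync": sync.group(1) if sync else "off",
        "vrids": {int(v): (iface, state) for iface, v, state in _VRID.findall(text)},
    }


def parse_sessions(text: str) -> Dict[Tuple[str, str, str, str], bool]:
    """Map (proto, source system, destination system, flow) -> True if the entry is a Remote copy."""
    out = {}
    for line in text.splitlines():
        m = _SESSION.match(line)
        if m:
            proto, src_sys, dst_sys, remote, flow = m.groups()
            out[(proto, src_sys, dst_sys, flow)] = remote is not None
    return out


def check_hrp(a: dict, b: dict) -> List[str]:
    """Problems in the HRP state of two units; empty means the pair looks healthy."""
    problems = []
    if {a["role"], b["role"]} != {"active", "standby"}:
        problems.append("units are not in complementary roles")
    if a["peer"] != b["role"] or b["peer"] != a["role"]:
        problems.append("each unit's view of its peer disagrees with the peer's own role")
    if set(a["vrids"]) != set(b["vrids"]):
        problems.append("VRRP group sets differ between the units")
    for label, unit in (("unit a", a), ("unit b", b)):
        if unit["auto_sync"] != "on":
            problems.append(f"{label}: auto-sync configuration is off; policies are not replicated")
        for vrid, (iface, state) in unit["vrids"].items():
            if state != unit["role"]:
                problems.append(f"{label}: {iface} vrid {vrid} is {state} while the unit is {unit['role']}")
    return problems


def check_session_backup(master_text: str, standby_text: str) -> List[str]:
    """Every session on the master must exist on the standby, flagged Remote."""
    master, standby = parse_sessions(master_text), parse_sessions(standby_text)
    problems = []
    for key in master:
        if key not in standby:
            problems.append(f"session {key[3]} ({key[1]}) is not backed up to the standby")
        elif not standby[key]:
            problems.append(f"standby owns {key[3]} locally instead of as a Remote copy")
    return problems


if __name__ == "__main__":
    issues = check_hrp(parse_hrp(FW_A_HRP), parse_hrp(FW_B_HRP))
    issues += check_session_backup(FW_A_SESS, FW_B_SESS)
    print("HRP pair healthy" if not issues else "\n".join(issues))
```

Feed it the real command output captured from both consoles before and after the cable-pull test in the third step; after the switchover the roles and the Remote flags should simply be mirrored, and anything else the checks report is worth investigating before the pair is trusted in production.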