Network topology
Requirements: The enterprise originally ran a single firewall. To improve network reliability, and without touching the existing firewall's configuration, a second firewall is added to form a hot-standby pair. The service interfaces of both firewalls work at Layer 3: downstream is a Layer 3 core switch, upstream a Layer 2 switch that connects to the carrier's access point. The carrier has assigned the enterprise the IP addresses 100.1.1.1-100.1.1.6.
Configuration approach: The two firewalls must be the same model. Before mirror mode is configured, the hot-standby network connections and basic configuration must be completed, but service interfaces, routes and similar settings do not need to be configured yet.
- On both FWs complete the basic hot-standby configuration: VGMP group monitoring of the service interfaces (hrp track interface), heartbeat interface configuration, and enabling the hot-standby function.
- Enable mirror mode on both FWs and perform a manual batch backup.
- Complete the network configuration on one FW so that internal users can access the Internet.
- Once mirror mode is established, all configuration (including interface and route configuration) only needs to be done on one FW; it is automatically backed up to the other FW.
Huawei USG6000 firewall: configuring mirror-mode hot standby
2. Access switch SW5 configuration
system-view
[Huawei]sysname SW5
[SW5]vlan batch 10 20
[SW5]interface GigabitEthernet 0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access
[SW5-GigabitEthernet0/0/4]port default vlan 10
[SW5-GigabitEthernet0/0/4]quit
[SW5]interface GigabitEthernet 0/0/5
[SW5-GigabitEthernet0/0/5]port link-type access
[SW5-GigabitEthernet0/0/5]port default vlan 20
[SW5-GigabitEthernet0/0/5]quit
[SW5]interface GigabitEthernet 0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/2]quit
[SW5]interface GigabitEthernet 0/0/3
[SW5-GigabitEthernet0/0/3]port link-type trunk
[SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW5-GigabitEthernet0/0/3]quit
3. Core switch configuration
SW3
system-view
[Huawei]sysname SW3
[SW3]vlan batch 10 20 30
[SW3]interface Vlanif 10
[SW3-Vlanif10]ip address 192.168.10.252 24
[SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW3-Vlanif10]vrrp vrid 10 priority 101
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif10]quit
[SW3]interface Vlanif 20
[SW3-Vlanif20]ip address 192.168.20.252 24
[SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW3-Vlanif20]vrrp vrid 20 priority 101
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif20]quit
[SW3]interface Vlanif 30
[SW3-Vlanif30]ip address 192.168.30.252 24
[SW3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW3-Vlanif30]vrrp vrid 30 priority 101
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif30]quit
[SW3]interface Eth-Trunk 1
[SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/7
[SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/8
[SW3-Eth-Trunk1]port link-type trunk
[SW3-Eth-Trunk1]port trunk allow-pass vlan all
[SW3-Eth-Trunk1]quit
[SW3]interface GigabitEthernet 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SW3-GigabitEthernet0/0/2]quit
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]quit
[SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12
SW4
system-view
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30
[SW4]interface Vlanif 10
[SW4-Vlanif10]ip address 192.168.10.253 24
[SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW4-Vlanif10]quit
[SW4]interface Vlanif 20
[SW4-Vlanif20]ip address 192.168.20.253 24
[SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW4-Vlanif20]quit
[SW4]interface Vlanif 30
[SW4-Vlanif30]ip address 192.168.30.253 24
[SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW4-Vlanif30]quit
[SW4]interface Eth-Trunk 1
[SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/7
[SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/8
[SW4-Eth-Trunk1]port link-type trunk
[SW4-Eth-Trunk1]port trunk allow-pass vlan all
[SW4-Eth-Trunk1]quit
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan all
[SW4-GigabitEthernet0/0/3]quit
[SW4]interface GigabitEthernet 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 30
[SW4-GigabitEthernet0/0/1]quit
[SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12
4. Firewall FW1 configuration
system-view
[USG6000V1]sysname FW1
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 192.168.30.12 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 100.1.1.1 29
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]quit
Security zones
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]quit
NAT address pool
[FW1]nat address-group nat_group
[FW1-address-group-nat_group]section 0 100.1.1.3
[FW1-address-group-nat_group]quit
NAT forwarding (source NAT) policy
[FW1]nat-policy
[FW1-policy-nat]rule name nat_policy1
[FW1-policy-nat-rule-nat_policy1]source-zone trust
[FW1-policy-nat-rule-nat_policy1]destination-zone untrust
[FW1-policy-nat-rule-nat_policy1]source-address 192.168.10.0 24
[FW1-policy-nat-rule-nat_policy1]action source-nat address-group nat_group
[FW1-policy-nat-rule-nat_policy1]return
Inter-zone security policy
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust1
[FW1-policy-security-rule-trust_untrust1]source-zone trust
[FW1-policy-security-rule-trust_untrust1]destination-zone untrust
[FW1-policy-security-rule-trust_untrust1]source-address 192.168.10.0 24
[FW1-policy-security-rule-trust_untrust1]action permit
[FW1-policy-security-rule-trust_untrust1]quit
[FW1-policy-security]quit
[FW1]ip route-static 192.168.10.0 24 192.168.30.254
[FW1]ip route-static 192.168.20.0 24 192.168.30.254
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.6
5. Upstream switch SW6
system-view
[Huawei]sysname SW6
[SW6]vlan 100
[SW6-vlan100]quit
[SW6]interface GigabitEthernet 0/0/1
[SW6-GigabitEthernet0/0/1]port link-type access
[SW6-GigabitEthernet0/0/1]port default vlan 100
[SW6-GigabitEthernet0/0/1]quit
[SW6]interface GigabitEthernet 0/0/2
[SW6-GigabitEthernet0/0/2]port link-type access
[SW6-GigabitEthernet0/0/2]port default vlan 100
[SW6-GigabitEthernet0/0/2]quit
[SW6]interface GigabitEthernet 0/0/3
[SW6-GigabitEthernet0/0/3]port link-type access
[SW6-GigabitEthernet0/0/3]port default vlan 100
[SW6-GigabitEthernet0/0/3]quit
6. Carrier router ISP
system-view
[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 100.1.1.6 29
[ISP-GigabitEthernet0/0/1]quit
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip address 1.1.1.1 32
[ISP-LoopBack0]quit
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 10.1.1.2 24
[ISP-GigabitEthernet0/0/0]quit
[ISP]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
7. Verify that an internal user can ping the Internet
II. Hot standby configuration. Throughout the whole procedure a PC can keep pinging the ISP's 1.1.1.1; no packets are lost.
1. Configure HRP on FW1, then configure mirror mode
Configure the heartbeat interface on FW1 and add it to the corresponding security zone
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 172.16.1.1 30
[FW1-GigabitEthernet1/0/2]quit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/2
[FW1-zone-dmz]quit
Inter-zone security policy
[FW1]security-policy
[FW1-policy-security]rule name ha_local_dmz
[FW1-policy-security-rule-ha_local_dmz]source-zone local dmz
[FW1-policy-security-rule-ha_local_dmz]destination-zone local dmz
[FW1-policy-security-rule-ha_local_dmz]action permit
[FW1-policy-security-rule-ha_local_dmz]quit
[FW1-policy-security]quit
On FW1, configure the VGMP group to monitor the upstream and downstream service interfaces; FW1 is the active device by default
[FW1]hrp track interface GigabitEthernet 1/0/0
[FW1]hrp track interface GigabitEthernet 1/0/1
Specify the heartbeat interface and the peer IP address, and enable the hot-standby function
[FW1]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.2
[FW1]hrp enable
2. Configure HRP on FW2
Configure the heartbeat interface on FW2 and add it to the corresponding security zone
system-view
[USG6000V1]sysname FW2
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 172.16.1.2 30
[FW2-GigabitEthernet1/0/2]quit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/2
[FW2-zone-dmz]quit
Inter-zone security policy
[FW2]security-policy
[FW2-policy-security]rule name ha_local_dmz
[FW2-policy-security-rule-ha_local_dmz]source-zone local dmz
[FW2-policy-security-rule-ha_local_dmz]destination-zone local dmz
[FW2-policy-security-rule-ha_local_dmz]action permit
[FW2-policy-security-rule-ha_local_dmz]quit
On FW2, configure the VGMP group to monitor the upstream and downstream service interfaces, and set this device as the standby device
[FW2]hrp track interface GigabitEthernet 1/0/0
[FW2]hrp track interface GigabitEthernet 1/0/1
[FW2]hrp standby-device
Specify the heartbeat interface and the peer IP address, and enable the hot-standby function
[FW2]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.1
[FW2]hrp enable
3. Check the synchronization status
4. Enable mirror mode on FW1 (key step). Once the hot-standby relationship is established, this setting is automatically backed up to FW2
HRP_M[FW1]hrp mirror config enable
5. On FW1, manually synchronize the configuration file first
6. On FW2, confirm that the configuration FW1 had before hot standby was enabled has now been synchronized
HRP_S[FW2]display current-configuration
2020-05-28 02:27:57.980
!Software Version V500R005C10SPC300
#
sysname FW2
#
domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
hrp enable
hrp mirror config enable
hrp interface GigabitEthernet1/0/2 remote 172.16.1.1
hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/1
#
update schedule location-sdb weekly Sun 03:14
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 06:38
update schedule av-sdb daily 06:38
update schedule sa-sdb daily 06:38
update schedule cnc daily 06:38
update schedule file-reputation daily 06:38
#
ip vpn-instance default
 ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%PufuDg5YR*D@[x~Nqi|~n=5DHjpMOk,OqAV)gT$TQJP5=5Gn@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%`f5K#iULL!(vQ6M@lpCB'H,@{QzA=M{5O*as_2+Uk}J7H,C'@%@%
  level 15
 manager-user admin
  password cipher @%@%ZFDu3)yV"LfTPj'O3+7437VT3h:D@nUDCO]h[qWQRb1Q7VW3@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.1.1 255.255.255.248
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.30.12 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.1.2 255.255.255.252
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.6
ip route-static 192.168.10.0 255.255.255.0 192.168.30.254
ip route-static 192.168.20.0 255.255.255.0 192.168.30.254
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
nat address-group nat_group 0
mode pat
section 0 100.1.1.3 100.1.1.3
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name ha_local_dmz
source-zone dmz
source-zone local
destination-zone dmz
destination-zone local
action permit
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name nat_policy1
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action source-nat address-group nat_group
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
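The check in step 6 is done by eye above. As an added example (this is not code from the original post or from Huawei), the following Python script does the same comparison mechanically: it parses the HRP-related lines from both firewalls' `display current-configuration` output and verifies that the settings made in steps 1 and 2 agree with each other (both sides enabled with mirror mode on, identical tracked interfaces, exactly one standby-device, and each side's `remote` address equal to the peer's heartbeat interface address). The two configuration texts are constructed samples containing only the HRP-relevant lines, modelled on FW1 and FW2 above; the function and field names are the example's own.

```python
"""Added example (not from the original post): consistency check for an HRP pair.

Parses the HRP lines and the heartbeat interface address from the running
configuration of both firewalls and reports anything that does not match the
way the post wires the pair. Both config texts are constructed samples that
keep only the HRP-relevant lines of FW1 and FW2.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the HRP-relevant subset of FW1's running config.
FW1_CONFIG = """\
sysname FW1
#
hrp enable
hrp mirror config enable
hrp interface GigabitEthernet1/0/2 remote 172.16.1.2
hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.1.1 255.255.255.252
#
"""

# Constructed sample: FW2 as configured in step 2 (standby-device set).
FW2_CONFIG = """\
sysname FW2
#
hrp enable
hrp mirror config enable
hrp standby-device
hrp interface GigabitEthernet1/0/2 remote 172.16.1.1
hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.1.2 255.255.255.252
#
"""


@dataclass
class HrpSettings:
    hostname: str = ""
    enabled: bool = False
    mirror: bool = False
    standby: bool = False
    heartbeat_if: Optional[str] = None
    remote_ip: Optional[str] = None
    tracked: List[str] = field(default_factory=list)
    if_addrs: Dict[str, str] = field(default_factory=dict)   # interface -> IPv4


def parse_hrp(config: str) -> HrpSettings:
    """Walk the config line by line. Interface sub-commands are indented, so
    any unindented line ends the current interface block."""
    s = HrpSettings()
    current_if: Optional[str] = None
    for raw in config.splitlines():
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current_if = None
        if line.startswith("sysname "):
            s.hostname = line.split(None, 1)[1]
        elif line == "hrp enable":
            s.enabled = True
        elif line == "hrp mirror config enable":
            s.mirror = True
        elif line == "hrp standby-device":
            s.standby = True
        elif m := re.match(r"hrp interface (\S+) remote (\S+)", line):
            s.heartbeat_if, s.remote_ip = m.group(1), m.group(2)
        elif m := re.match(r"hrp track interface (\S+)", line):
            s.tracked.append(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            current_if = m.group(1)
        elif indented and current_if and (m := re.match(r"ip address (\S+) \S+", line)):
            s.if_addrs[current_if] = m.group(1)
    return s


def check_pair(a: HrpSettings, b: HrpSettings) -> List[str]:
    """Return findings for the pair; an empty list means the two sides agree."""
    findings: List[str] = []
    for s in (a, b):
        if not s.enabled:
            findings.append(f"{s.hostname}: hrp enable missing")
        if not s.mirror:
            findings.append(f"{s.hostname}: hrp mirror config enable missing")
        if s.heartbeat_if is None:
            findings.append(f"{s.hostname}: no heartbeat interface configured")
    if a.standby == b.standby:
        findings.append("exactly one device must be 'hrp standby-device'")
    if sorted(a.tracked) != sorted(b.tracked):
        findings.append("tracked interfaces differ between the two devices")
    # Each side's configured remote must be the peer's own heartbeat address.
    for s, peer in ((a, b), (b, a)):
        peer_ip = peer.if_addrs.get(peer.heartbeat_if or "")
        if s.remote_ip != peer_ip:
            findings.append(f"{s.hostname}: remote {s.remote_ip} != peer heartbeat {peer_ip}")
    return findings


if __name__ == "__main__":
    result = check_pair(parse_hrp(FW1_CONFIG), parse_hrp(FW2_CONFIG))
    print("OK" if not result else "\n".join(result))
```

Feed the script the real `display current-configuration` output of both devices and an empty result means the pair is wired the way section II describes; a mismatch in the `remote` address or two sides both (or neither) marked standby is exactly the kind of mistake that leaves the HRP relationship unable to form.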
III. Configuring a server mapping. With hot standby enabled, every step performed on the active device is automatically synchronized to the standby
1. On FW1, add a mapping for server1 so that external users can access it
HRP_M[FW1]nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168.20.1 80 unr-route
On FW2, confirm that the configuration has been synchronized
2. Configure the inter-zone security policy to allow external users to access the internal server
HRP_M[FW1]security-policy
HRP_M[FW1-policy-security]rule name untrust_trust
HRP_M[FW1-policy-security-rule-untrust_trust]source-zone untrust
HRP_M[FW1-policy-security-rule-untrust_trust]destination-zone trust
HRP_M[FW1-policy-security-rule-untrust_trust]destination-address 192.168.20.0 24
HRP_M[FW1-policy-security-rule-untrust_trust]action permit
HRP_M[FW1-policy-security-rule-untrust_trust]return
3. client1 accesses the server mapping (by domain name; HTTP status 200 means success)
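Steps 1 and 2 of this section belong together: the nat server line publishes one host and one port, while the security-policy rule decides what actually reaches it. As an added example (not code from the original post or from Huawei), the following Python script parses both from a running-configuration excerpt and reports whether the inbound permit rule reaches the mapped internal address at all, and whether it permits more than the mapping needs (no destination-address, or no service restriction). The configuration text is a constructed sample modelled on the untrust_trust rule and policy_web mapping above; the parser handles only the flat `rule name` blocks shown on this page, the untrust-to-trust zone pair is assumed for the mapping, and the `service http` line in the tightened variant assumes `http` is a predefined service name on the firewall.

```python
"""Added example (not from the original post): audit a published server
against the security policy of the same firewall.

Parses 'security-policy' rule blocks and 'nat server' lines from a
running-configuration excerpt, then checks that the inbound permit rule
reaches the mapped internal address and whether it is wider than needed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the rule the post adds, plus the server mapping.
SAMPLE_CONFIG = """\
security-policy
 rule name untrust_trust
  source-zone untrust
  destination-zone trust
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit
 rule name ha_local_dmz
  source-zone dmz
  source-zone local
  destination-zone dmz
  destination-zone local
  action permit
#
nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168.20.1 80 unr-route
"""

# Tightened variant: only the mapped host and only HTTP. 'http' is assumed
# to be a predefined service name on the firewall.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "  destination-address 192.168.20.0 mask 255.255.255.0\n",
    "  destination-address 192.168.20.1 mask 255.255.255.255\n  service http\n",
)

NAT_SERVER = re.compile(
    r"nat server (\S+) protocol (\S+) global (\S+) (\d+) inside (\S+) (\d+)")


def parse_rules(config: str) -> List[Dict]:
    """Collect security-policy rules as dicts mapping keyword -> list of values."""
    rules: List[Dict] = []
    current: Optional[Dict] = None
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "security-policy":
            in_policy = True
            continue
        if not raw.startswith(" "):          # an unindented line ends the section
            in_policy, current = False, None
        if not in_policy or not line:
            continue
        if m := re.match(r"rule name (\S+)", line):
            current = {"name": m.group(1)}
            rules.append(current)
        elif current is not None:
            key, _, value = line.partition(" ")
            current.setdefault(key, []).append(value)
    return rules


def parse_nat_servers(config: str) -> List[Dict]:
    """Extract static server mappings (only the form used on this page)."""
    out = []
    for raw in config.splitlines():
        if m := NAT_SERVER.match(raw.strip()):
            out.append({"name": m[1], "proto": m[2], "global_ip": m[3],
                        "global_port": int(m[4]), "inside_ip": m[5],
                        "inside_port": int(m[6])})
    return out


def to_network(spec: str) -> ipaddress.IPv4Network:
    """'A mask M' or 'A len' -> network; a bare address is treated as a /32."""
    parts = spec.split()
    if len(parts) == 3 and parts[1] == "mask":
        return ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ipaddress.ip_network(f"{parts[0]}/32")


def rules_permitting(rules: List[Dict], src_zone: str, dst_zone: str, dst_ip: str) -> List[Dict]:
    """Permit rules for src_zone -> dst_zone whose destination covers dst_ip.
    A rule with no destination-address matches every destination."""
    ip = ipaddress.ip_address(dst_ip)
    hits = []
    for r in rules:
        if "permit" not in r.get("action", []):
            continue
        if src_zone not in r.get("source-zone", []) or dst_zone not in r.get("destination-zone", []):
            continue
        dsts = r.get("destination-address")
        if dsts is None or any(ip in to_network(d) for d in dsts):
            hits.append(r)
    return hits


def audit(config: str) -> List[str]:
    """Findings per nat server; an empty list means reachable and tightly scoped."""
    rules = parse_rules(config)
    findings: List[str] = []
    for srv in parse_nat_servers(config):
        hits = rules_permitting(rules, "untrust", "trust", srv["inside_ip"])
        if not hits:
            findings.append(f"{srv['name']}: no untrust->trust permit rule reaches {srv['inside_ip']}")
        for r in hits:
            if "destination-address" not in r:
                findings.append(f"{srv['name']}: rule {r['name']} permits any destination")
            elif "service" not in r:
                findings.append(f"{srv['name']}: rule {r['name']} permits all services, "
                                f"not only {srv['proto']}/{srv['inside_port']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or "OK")
```

Run against the rule as posted, the audit reports that untrust_trust admits every service to the whole 192.168.20.0/24, not just TCP port 80 on 192.168.20.1; the tightened variant narrows the rule to the published host and service and passes cleanly. Because the post's mirror mode replicates whatever is committed on the active device, a rule that is wider than intended is replicated to the standby just as faithfully, so it is worth running a check like this before committing.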