锐客网

  1. 首页 > 睿知 > it技术 > >

防火墙直路部署,上下行连接交换机(双机热备)

IT知识交换机双机热备

家资是何物,积帙列梁梠。这篇文章主要讲述防火墙直路部署,上下行连接交换机(双机热备)相关的知识,希望能为你提供帮助。
如??图1??所示,企业的两台FW的业务接口都工作在三层,上下行分别连接二层交换机。上行交换机连接运营商的接入点,运营商为企业分配的IP地址为1.1.1.1。现在希望两台FW以主备备份方式工作。正常情况下,流量通过FW_A转发。当FW_A出现故障时,流量通过FW_B转发,保证业务不中断。
图1 业务接口工作在三层,上下行连接交换机的主备备份组网

    FW_A
    		FW_B
    # 配置FW各接口的IP地址。
    < FW_A> system-view
    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
    [FW_A-GigabitEthernet1/0/1] quit
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet1/0/3] quit
    [FW_A] interface GigabitEthernet 1/0/7
    [FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet1/0/7] quit

    FW_A
    		FW_B
    # 配置FW各接口的IP地址。
    < FW_A> system-view
    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
    [FW_A-GigabitEthernet1/0/1] quit
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet1/0/3] quit
    [FW_A] interface GigabitEthernet 1/0/7
    [FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet1/0/7] quit

操作步骤
  2. 完成网络基本配置。
    3. FW_A
    		FW_B
    # 配置FW各接口的IP地址。
    < FW_A> system-view
    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
    [FW_A-GigabitEthernet1/0/1] quit
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
    [FW_A-GigabitEthernet1/0/3] quit
    [FW_A] interface GigabitEthernet 1/0/7
    [FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet1/0/7] quit

    < FW_B> system-view
    [FW_B] interface GigabitEthernet 1/0/1
    [FW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
    [FW_B-GigabitEthernet1/0/1] quit
    [FW_B] interface GigabitEthernet 1/0/3
    [FW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
    [FW_B-GigabitEthernet1/0/3] quit
    [FW_B] interface GigabitEthernet 1/0/7
    [FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
    [FW_B-GigabitEthernet1/0/7] quit

    # 将FW各接口加入相应的安全区域。
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 1/0/3
    [FW_A-zone-trust] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
    [FW_A-zone-dmz] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW_A-zone-untrust] quit

    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 1/0/3
    [FW_B-zone-trust] quit
    [FW_B] firewall zone dmz
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/7
    [FW_B-zone-dmz] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW_B-zone-untrust] quit

    # 在FW上配置缺省路由,下一跳为1.1.1.10,使内网用户的流量可以正常转发至Router。
    [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

    [FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

  4. 配置VRRP备份组。
    5. FW_A
    		FW_B
    # 在FW_A上行业务接口GE1/0/1上配置VRRP备份组1,并设置其状态为Active。在FW_B上行业务接口GE1/0/1上配置VRRP备份组1,并设置其状态为Standby。需要注意的是如果接口的IP地址与VRRP备份组地址不在同一网段,则配置VRRP备份组地址时需要指定掩码。
    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
    [FW_A-GigabitEthernet1/0/1] quit

    [FW_B] interface GigabitEthernet 1/0/1
    [FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
    [FW_B-GigabitEthernet1/0/1] quit

    # 在FW_A下行业务接口GE1/0/3上配置VRRP备份组2,并设置其状态为Active。在FW_B下行业务接口GE1/0/3上配置VRRP备份组2,并设置其状态为Standby。
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
    [FW_A-GigabitEthernet1/0/3] quit

    [FW_B] interface GigabitEthernet 1/0/3
    [FW_B-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby
    [FW_B-GigabitEthernet1/0/3] quit

  6. 指定心跳口并启用双机热备功能。
    7. FW_A
    		FW_B
    [FW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
    [FW_A] hrp enable

    [FW_B] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
    [FW_B] hrp enable

  7. 在FW_A上配置安全策略。双机热备状态成功建立后,FW_A的安全策略配置会自动备份到FW_B上。
    # 配置安全策略,允许内网用户访问Internet。
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit

  1. 在FW_A上配置NAT策略。双机热备状态成功建立后,FW_A的NAT策略配置会自动备份到FW_B上。
    # 配置NAT策略,当内网用户访问Internet时,将源地址由10.3.0.0/16网段转换为地址池中的地址(1.1.1.2-1.1.1.5)。
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1

  1. 配置Switch和内网PC。
  1. 分别将两台Switch的三个接口加入同一个VLAN,具体配置命令请参考交换机的相关文档。
  2. 将内网PC的默认网关设置为VRRP备份组2的虚拟IP地址,具体步骤略。
  1. 配置Router。在Router上配置到FW的等价路由,路由下一跳指向VRRP备份组1的虚拟IP地址。
结果验证
  2. 在FW_A和FW_B上执行display vrrp命令,检查VRRP组内接口的状态信息,显示以下信息表示VRRP组建立成功。
    3. FW_A
    		FW_B
    HRP_M< FW_A> display vrrp
    GigabitEthernet1/0/1 | Virtual Router 1
    State : Master
    Virtual IP : 1.1.1.1
    Master IP : 10.2.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YESDelay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:35:54 UTC+08:00
    Last change time : 2018-03-22 16:01:56 UTC+08:00

    GigabitEthernet1/0/3 | Virtual Router 2
    State : Master
    Virtual IP : 10.3.0.3
    Master IP : 10.3.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YESDelay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:35:54 UTC+08:01
    Last change time : 2018-03-22 16:01:56 UTC+08:01

    HRP_S< FW_B> display vrrp
    GigabitEthernet1/0/1 | Virtual Router 1
    State : Backup
    Virtual IP : 1.1.1.1
    Master IP : 10.2.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YESDelay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:37:54 UTC+08:00
    Last change time : 2018-03-22 16:03:56 UTC+08:00

    GigabitEthernet1/0/3 | Virtual Router 2
    State : Backup
    Virtual IP : 10.3.0.3
    Master IP : 10.3.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YESDelay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:37:54 UTC+08:01
    Last change time : 2018-03-22 16:03:56 UTC+08:01

  4. 在FW_A和FW_B上执行display hrp state verbose命令,检查当前VGMP组的状态,显示以下信息表示双机热备建立成功。
    5. FW_A
    		FW_B
    HRP_M< FW_A> display hrp state verbose
    Role: active, peer: standby
    Running priority: 45000, peer: 45000
    Backup channel usage: 30%
    Stable time: 1 days, 13 hours, 35 minutes
    Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
    state = normal(standby), new_state = normal(active), local_priority = 45000,
    peer_priority = 45000.

    Configuration:
    hello interval:1000ms
    preempt:60s
    mirror configuration:off
    mirror session:off
    track trunk member:on
    auto-sync configuration:on
    auto-sync connection-status: on
    adjust ospf-cost:on
    adjust ospfv3-cost:on
    adjust bgp-cost:on
    nat resource:off

    Detail information:
    GigabitEthernet1/0/1 vrrp vrid 1: active
    GigabitEthernet1/0/3 vrrp vrid 2: active

    HRP_S< FW_B> display hrp state verbose
    Role: standby, peer: active
    Running priority: 45000, peer: 45000
    Backup channel usage: 30%
    Stable time: 1 days, 13 hours, 35 minutes
    Last state change information: 2018-03-22 16:03:56 HRP core state changed, old_
    state = normal(standby), new_state = normal(standby), local_priority = 45000,
    peer_priority = 45000.

    Configuration:
    hello interval:1000ms
    preempt:60s
    mirror configuration:off
    mirror session:off
    track trunk member:on
    auto-sync configuration:on
    auto-sync connection-status: on
    adjust ospf-cost:on
    adjust ospfv3-cost:on
    adjust bgp-cost:on
    nat resource:off

    Detail information:
    GigabitEthernet1/0/1 vrrp vrid 1: standby
    GigabitEthernet1/0/3 vrrp vrid 2: standby

  6. Router位于Untrust区域。在Trust区域的PC端能够ping通Untrust区域的Router。分别在FW_A和FW_B上检查会话。
    7. FW_A
    		FW_B
    HRP_M< FW_A> display firewall session table

    Current Total Sessions : 1
    icmpVPN: public --> public 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048

    HRP_S< FW_B> display firewall session table

    Current Total Sessions : 1
    icmpVPN:public --> publicRemote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048

  7. 可以看出FW_B上存在带有Remote标记的会话,表示配置双机热备功能后,会话备份成功。
  8. 在PC上执行ping 1.1.1.10 -t,然后将FW_A GE1/0/1接口网线拨出,观察防火墙状态切换及ping包丢包情况;再将FW_A GE1/0/1接口网线恢复,观察防火墙状态切换及ping包丢包情况。
配置脚本
FW_A
FW_B
#
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
#
interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet 1/0/7
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#
nat address-group group1
section 0 1.1.1.2 1.1.1.5
#
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 16
action source-nat address-group group1

【防火墙直路部署,上下行连接交换机(双机热备)】

#
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
#
interface GigabitEthernet 1/0/1
ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet 1/0/3
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 1/0/7
ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#
nat address-group group1
section 0 1.1.1.2 1.1.1.5
#
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 16
action source-nat address-group group1


    推荐阅读


    上一篇:网络协议之:memcached binary protocol详解

    下一篇:如何构建高可用的分布式系统()