华为防火墙USG6000V（防火墙直路部署，上下行连接交换机）

男儿欲遂平生志，五经勤向窗前读。这篇文章主要讲述华为防火墙USG6000V：防火墙直路部署，上下行连接交换机相关的知识，希望能为你提供帮助。
网络需求
拓扑如下，企业的两台FW的业务接口都工作在三层，上下行分别连接二层交换机。上行交换机连接运营商的接入点，运营商为企业分配的IP地址为1.1.1.1。现在希望两台FW以主备备份方式工作。正常情况下，流量通过FW_A转发。当FW_A出现故障时，流量通过FW_B转发，保证业务不中断。
业务接口工作在三层，上下行连接交换机的主备备份组网

配置步骤
1.完成网络基本配置。

FW1	FW2
# 配置FW各个接口的IP地址。
< FW1> system-view [FW1] interface GigabitEthernet 1/0/1 [FW1-GigabitEthernet1/0/1] ip address 10.2.0.1 24 [FW1-GigabitEthernet1/0/1] quit [FW1] interface GigabitEthernet 1/0/3 [FW1-GigabitEthernet1/0/3] ip address 10.3.0.1 24 [FW1-GigabitEthernet1/0/3] quit [FW1] interface GigabitEthernet 1/0/6 [FW1-GigabitEthernet1/0/6] ip address 10.10.0.1 24 [FW1-GigabitEthernet1/0/6] quit	< FW2> system-view [FW2] interface GigabitEthernet 1/0/1 [FW2-GigabitEthernet1/0/1] ip address 10.2.0.2 24 [FW2-GigabitEthernet1/0/1] quit [FW2] interface GigabitEthernet 1/0/3 [FW2-GigabitEthernet1/0/3] ip address 10.3.0.2 24 [FW2-GigabitEthernet1/0/3] quit [FW2] interface GigabitEthernet 1/0/7 [FW2-GigabitEthernet1/0/6] ip address 10.10.0.2 24 [FW2-GigabitEthernet1/0/6] quit
# 将FW各接口加入相应的安全区域。
[FW1] firewall zone trust [FW1-zone-trust] add interface GigabitEthernet 1/0/3 [FW1-zone-trust] quit [FW1] firewall zone dmz [FW1-zone-dmz] add interface GigabitEthernet 1/0/6 [FW1-zone-dmz] quit [FW1] firewall zone untrust [FW1-zone-untrust] add interface GigabitEthernet 1/0/1 [FW1-zone-untrust] quit	[FW2] firewall zone trust [FW2-zone-trust] add interface GigabitEthernet 1/0/3 [FW2-zone-trust] quit [FW2] firewall zone dmz [FW2-zone-dmz] add interface GigabitEthernet 1/0/6 [FW2-zone-dmz] quit [FW2] firewall zone untrust [FW2-zone-untrust] add interface GigabitEthernet 1/0/1 [FW2-zone-untrust] quit
# 在FW上配置缺省路由，下一跳为1.1.1.10，使内网用户的流量可以正常转发至AR1。
[FW1] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10	[FW2] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

2.配置VRRP备份组。

FW1	FW2
# 在FW1上行业务接口GE1/0/1上配置VRRP备份组1，并设置其状态为Active。在FW2上行业务接口GE1/0/1上配置VRRP备份组1，并设置其状态为Standby。需要注意的是如果接口的IP地址与VRRP备份组地址不在同一网段，则配置VRRP备份组地址时需要指定掩码。
[FW1] interface GigabitEthernet 1/0/1 [FW1-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active [FW1-GigabitEthernet1/0/1] quit	[FW2] interface GigabitEthernet 1/0/1 [FW2-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby [FW2-GigabitEthernet1/0/1] quit
# 在FW1下行业务接口GE1/0/3上配置VRRP备份组2，并设置其状态为Active。在FW2下行业务接口GE1/0/3上配置VRRP备份组2，并设置其状态为Standby。
[FW1] interface GigabitEthernet 1/0/3 [FW1-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active [FW1-GigabitEthernet1/0/3] quit	[FW2] interface GigabitEthernet 1/0/3 [FW2-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby [FW2-GigabitEthernet1/0/3] quit

指定心跳口并启用双机热备功能。

FW1	FW2
[FW1] hrp interface GigabitEthernet 1/0/6 remote 10.10.0.2 [FW1] hrp enable	[FW2] hrp interface GigabitEthernet 1/0/6 remote 10.10.0.1 [FW] hrp enable

在FW1上配置安全策略。双机热备状态成功建立后，FW1的安全策略配置会自动备份到FW2上。
# 配置安全策略，允许内网用户访问Internet。

HRP_M[FW1] security-policy
HRP_M[FW1-policy-security] rule name trust_to_untrust
HRP_M[FW1-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW1-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW1-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW1-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW1-policy-security-rule-trust_to_untrust] quit
HRP_M[FW1-policy-security] quit

在FW1上配置NAT策略。双机热备状态成功建立后，FW1的NAT策略配置会自动备份到FW2上。
# 配置NAT策略，当内网用户访问Internet时，将源地址由10.3.0.0/16网段转换为地址池中的地址（1.1.1.2-1.1.1.5）。

HRP_M[FW1] nat address-group group1
HRP_M[FW1-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW1-address-group-group1] quit
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16
HRP_M[FW1-policy-nat-rule-policy_nat1] action source-nat address-group group1

配置Switch和内网PC。

分别将两台Switch的三个接口加入同一个VLAN，具体配置命令请参考交换机的相关文档。
将内网PC的默认网关设置为VRRP备份组2的虚拟IP地址，具体步骤略。

配置AR1
# 在AR1上配置到FW的等价路由，路由下一跳指向VRRP备份组1的虚拟IP地址。

结果验证

在FW1和FW2上执行display vrrp命令，检查VRRP组内接口的状态信息，显示以下信息表示VRRP组建立成功。

FW1	FW2
HRP_M< FW1> display vrrp 2022-05-11 03:33:21.390 GigabitEthernet1/0/1 \| Virtual Router 1 State : Master Virtual IP : 1.1.1.1 Master IP : 10.2.0.2 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YESDelay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0101 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2022-05-11 02:17:54 Last change time : 2022-05-11 02:22:37 GigabitEthernet1/0/3 \| Virtual Router 2 State : Master Virtual IP : 10.3.0.3 Master IP : 10.3.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YESDelay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0102 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2022-05-11 02:20:23 Last change time : 2022-05-11 02:22:37	HRP_S< FW2> display vrrp 2022-05-11 03:33:31.390 GigabitEthernet1/0/1 \| Virtual Router 1 State : Backup Virtual IP : 1.1.1.1 Master IP : 10.2.0.2 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 100 Preempt : YESDelay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0101 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2022-05-11 02:18:50 Last change time : 2022-05-11 02:22:35 GigabitEthernet1/0/3 \| Virtual Router 2 State : Backup Virtual IP : 10.3.0.3 Master IP : 10.3.0.1 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YESDelay Time : 0 s TimerRun : 60 s TimerConfig : 60 s Auth type : NONE Virtual MAC : 0000-5e00-0102 Check TTL : YES Config type : vgmp-vrrp Backup-forward : disabled Create time : 2022-05-11 02:21:04 Last change time : 2022-05-11 02:21:04

在FW1和FW2上执行display hrp state verbose命令，检查当前VGMP组的状态，显示以下信息表示双机热备建立成功。

FW1	FW2
HRP_M[FW1] display hrp state verbose 2022-05-11 03:46:11.370 Role: active, peer: standby Running priority: 45000, peer: 45000 Backup channel usage: 0.00% Stable time: 0 days, 1 hours, 23 minutes Last state change information: 2022-05-11 2:22:37 HRP core state changed, old_s tate = abnormal(standby), new_state = normal, local_priority = 45000, peer_prior ity = 45000. Configuration: hello interval:1000ms preempt:60s mirror configuration:off mirror session:off track trunk member:on auto-sync configuration:on auto-sync connection-status: on adjust ospf-cost:on adjust ospfv3-cost:on adjust bgp-cost:on nat resource:off Detail information: GigabitEthernet1/0/1 vrrp vrid 1: active GigabitEthernet1/0/3 vrrp vrid 2: active ospf-cost: +0 ospfv3-cost: +0 bgp-cost: +0	HRP_S< FW2> display hrp state verbose 2022-05-11 03:46:45.420 Role: standby, peer: active Running priority: 45000, peer: 45000 Backup channel usage: 0.00% Stable time: 0 days, 1 hours, 24 minutes Last state change information: 2022-05-11 2:22:38 HRP link changes to up. Configuration: hello interval:1000ms preempt:60s mirror configuration:off mirror session:off track trunk member:on auto-sync configuration:on auto-sync connection-status: on adjust ospf-cost:on adjust ospfv3-cost:on adjust bgp-cost:on nat resource:off Detail information: GigabitEthernet1/0/1 vrrp vrid 1: standby GigabitEthernet1/0/3 vrrp vrid 2: standby ospf-cost: +65500 ospfv3-cost: +65500 bgp-cost: +100

AR1位于Untrust区域。在Trust区域的PC端能够ping通Untrust区域的AR1。分别在FW1和FW2上检查会话。

FW1	FW2
HRP_M[FW1]display firewall session table 2022-05-11 03:50:17.190 Current Total Sessions : 3 udpVPN: public --> public10.10.0.2:16384 --> 10.10.0.1:18514 udpVPN: public --> public10.10.0.1:49152 --> 10.10.0.2:18514 udpVPN: public --> public10.10.0.2:49152 --> 10.10.0.1:18514	HRP_S< FW2> display firewall session table 2022-05-11 03:50:27.380 Current Total Sessions : 3 udpVPN: public --> public10.10.0.1:49152 --> 10.10.0.2:18514 udpVPN: public --> public10.10.0.2:49152 --> 10.10.0.1:18514 udpVPN: public --> public10.10.0.1:16384 --> 10.10.0.2:18514