CLI Example: Firewall Working at Layer 2 with Upstream and Downstream Switches in Active/Standby Backup Networking
This section gives a CLI example of active/standby backup networking in which the service interfaces work at Layer 2 and connect to switches upstream and downstream.
Networking Requirements
As shown in Figure 1, the service interfaces of both FWs work at Layer 2 and connect to switches upstream and downstream. All upstream and downstream service interfaces of the FWs are added to VLAN 10 and VLAN 20. The two FWs are required to work in active/standby backup mode: under normal conditions traffic is forwarded through FW_A, and when FW_A fails traffic is forwarded through FW_B so that services are not interrupted.
Procedure
- Complete the basic network configuration.
# Switch the upstream and downstream service interfaces of FW_A to Layer 2 and add them to VLAN 10 and VLAN 20. Do the same for the upstream and downstream service interfaces of FW_B.
FW_A
[FW_A] vlan batch 10 20
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] portswitch
[FW_A-GigabitEthernet1/0/3] port link-type trunk
[FW_A-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[FW_A-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] portswitch
[FW_A-GigabitEthernet1/0/7] port link-type trunk
[FW_A-GigabitEthernet1/0/7] port trunk allow-pass vlan 10 20
[FW_A-GigabitEthernet1/0/7] undo port trunk allow-pass vlan 1
[FW_A-GigabitEthernet1/0/7] quit
FW_B
[FW_B] vlan batch 10 20
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] portswitch
[FW_B-GigabitEthernet1/0/3] port link-type trunk
[FW_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[FW_B-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/7
[FW_B-GigabitEthernet1/0/7] portswitch
[FW_B-GigabitEthernet1/0/7] port link-type trunk
[FW_B-GigabitEthernet1/0/7] port trunk allow-pass vlan 10 20
[FW_B-GigabitEthernet1/0/7] undo port trunk allow-pass vlan 1
[FW_B-GigabitEthernet1/0/7] quit
# Configure IP addresses for the FW heartbeat interfaces.
FW_A
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/2] quit
FW_B
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/2] quit
# Add the FW interfaces to the corresponding security zones.
FW_A
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/7
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_A-zone-untrust] quit
FW_B
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/7
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_B-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_B-zone-untrust] quit
- Configure hot standby.
# On FW_A, configure the VGMP group to monitor the VLANs. On FW_B, configure the VGMP group to monitor the VLANs and set the local device as the standby device.
FW_A
[FW_A] hrp track vlan 10
[FW_A] hrp track vlan 20
FW_B
[FW_B] hrp track vlan 10
[FW_B] hrp track vlan 20
[FW_B] hrp standby-device
# Specify the heartbeat interface on each FW and enable hot standby.
FW_A
[FW_A] hrp interface GigabitEthernet 1/0/2 remote 10.10.0.2
[FW_A] hrp enable
FW_B
[FW_B] hrp interface GigabitEthernet 1/0/2 remote 10.10.0.1
[FW_B] hrp enable
- Configure a security policy on FW_A. Once the hot standby relationship is established, the security policy configuration of FW_A is automatically backed up to FW_B.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec1
HRP_M[FW_A-policy-security-rule-policy_sec1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec1] action permit
- Configure the switches. On each of the two switches, add the three interfaces to the same VLAN; for the specific commands, see the documentation of the switch.
Verification
# Run the display hrp state verbose command on FW_A and FW_B to check the current VGMP group status. The following output indicates that hot standby has been established successfully.
FW_A
HRP_M<FW_A> display hrp state verbose
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.38%
Stable time: 0 days, 7 hours, 30 minutes
Last state change information: 2019-04-16 11:13:54 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/3: up
GigabitEthernet1/0/7: up
vlan 10: enabled
vlan 20: enabled
ospf-cost: +0
ospfv3-cost: +0
bgp-cost: +0
FW_B
HRP_S<FW_B> display hrp state verbose
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.38%
Stable time: 0 days, 5 hours, 47 minutes
Last state change information: 2019-04-16 11:10:14 HRP link changes to up.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/3: up
GigabitEthernet1/0/7: up
vlan 10: disabled
vlan 20: disabled
ospf-cost: +0
ospfv3-cost: +0
bgp-cost: +0
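As an added example (not part of the original page), the following Python check parses the two display hrp state verbose outputs above and verifies the state this design expects: exactly one active and one standby, matching priorities, and the tracked VLANs enabled only on the active FW. The sample input is constructed by abridging those outputs to the lines the check uses.

```python
import re

# Constructed sample, abridged from the two verification outputs above
# (only the lines the check uses); real input is the full command output.
FW_A_OUTPUT = """Role: active, peer: standby
Running priority: 45000, peer: 45000
vlan 10: enabled
vlan 20: enabled"""
FW_B_OUTPUT = """Role: standby, peer: active
Running priority: 45000, peer: 45000
vlan 10: disabled
vlan 20: disabled"""

def parse_hrp_state(output):
    """Pull role, priorities and tracked-VLAN status out of the output."""
    st = {"vlans": {}}
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"Role: (\w+), peer: (\w+)$", line):
            st["role"], st["peer"] = m.groups()
        elif m := re.match(r"Running priority: (\d+), peer: (\d+)$", line):
            st["priority"], st["peer_priority"] = map(int, m.groups())
        elif m := re.match(r"vlan (\d+): (\w+)$", line):
            st["vlans"][int(m.group(1))] = m.group(2)
    return st

def check_pair(active_out, standby_out, vlans=(10, 20)):
    """Return a list of problems; an empty list means the HRP pair is healthy."""
    a, b = parse_hrp_state(active_out), parse_hrp_state(standby_out)
    problems = []
    if (a.get("role"), b.get("role")) != ("active", "standby"):
        problems.append("roles: expected exactly one active and one standby")
    if (a.get("peer"), b.get("peer")) != ("standby", "active"):
        problems.append("peer view mismatch: check the heartbeat link")
    if a.get("priority") != b.get("priority"):
        problems.append("priority mismatch: a tracked object failed on one side")
    # VGMP enables the tracked VLANs only on the active device, so the standby
    # must show them disabled; anything else means both or neither would forward.
    for vlan in vlans:
        if a["vlans"].get(vlan) != "enabled":
            problems.append(f"active: vlan {vlan} not enabled")
        if b["vlans"].get(vlan) != "disabled":
            problems.append(f"standby: vlan {vlan} not disabled")
    return problems

if __name__ == "__main__":
    print(check_pair(FW_A_OUTPUT, FW_B_OUTPUT) or "HRP pair healthy")
```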
Configuration Scripts
FW_A
#
sysname FW_A
#
vlan batch 10 20
#
hrp enable
hrp interface GigabitEthernet1/0/2 remote 10.10.0.2
hrp track vlan 10
hrp track vlan 20
#
interface GigabitEthernet1/0/3
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20
undo port trunk allow-pass vlan 1
#
interface GigabitEthernet1/0/7
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20
undo port trunk allow-pass vlan 1
#
interface GigabitEthernet1/0/2
ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
security-policy
rule name policy_sec
source-zone trust
destination-zone untrust
action permit
FW_B
#
sysname FW_B
#
vlan batch 10 20
#
hrp enable
hrp interface GigabitEthernet1/0/2 remote 10.10.0.1
hrp track vlan 10
hrp track vlan 20
hrp standby-device
#
interface GigabitEthernet1/0/3
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20
undo port trunk allow-pass vlan 1
#
interface GigabitEthernet1/0/7
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20
undo port trunk allow-pass vlan 1
#
interface GigabitEthernet1/0/2
ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
security-policy
rule name policy_sec
source-zone trust
destination-zone untrust
action permit
