This example describes the CLI configuration for hot standby in load-sharing mode when virtual systems are configured on the FWs, with routers connected upstream and a switch connected downstream.
Networking Requirements
As shown in Figure 1, two network segments on the enterprise intranet must be isolated from each other. The switch (Switch) isolates the two segments with VLANs; the FWs isolate them with virtual systems. The FWs connect upstream to routers and run OSPF with them. The two FWs work in load-sharing mode: under normal conditions LAN1 traffic is forwarded by FW_A and LAN2 traffic by FW_B. If FW_A or FW_B fails, both LAN1 and LAN2 traffic is forwarded by the remaining FW, so services are not interrupted.
Data Plan

FW_A

| Item | Data | Description |
|---|---|---|
| Interface | Interface: GigabitEthernet 1/0/1; IP address: 192.168.0.2/30; security zone: Untrust | Root system (public) public-network interface |
| | Interface: GigabitEthernet 1/0/2; IP address: 10.3.1.2/24; security zone: Trust | Root system (public) private-network interface |
| | Interface: GigabitEthernet 1/0/3; IP address: 192.168.1.2/30; security zone: Untrust | Virtual system (vsysa) public-network interface |
| | Interface: GigabitEthernet 1/0/4; IP address: 10.3.2.2/24; security zone: Trust | Virtual system (vsysa) private-network interface |
| | Interface: GigabitEthernet 1/0/7; IP address: 10.10.0.1/24; security zone: DMZ | Heartbeat interface |
| VRRP group | VRRP group 1: 10.3.1.1/24, active | - |
| | VRRP group 2: 10.3.2.1/24, standby | - |
| Route | Black-hole route; destination: 1.1.1.1/32 | Black-hole route for the root system (public) NAT address pool; prevents routing loops |
| | Black-hole route; destination: 1.1.1.2/32 | Black-hole route for the virtual system (vsysa) NAT address pool; prevents routing loops |
| | OSPF 100; advertised network: 192.168.0.0/30; imports static routes | Root system (public) OSPF configuration |
| | OSPF 200; bound VPN instance: vsysa; advertised network: 192.168.1.0/30; imports static routes | Virtual system (vsysa) OSPF configuration |
FW_B

| Item | Data | Description |
|---|---|---|
| Interface | Interface: GigabitEthernet 1/0/1; IP address: 192.168.0.10/30; security zone: Untrust | Root system (public) public-network interface |
| | Interface: GigabitEthernet 1/0/2; IP address: 10.3.1.3/24; security zone: Trust | Root system (public) private-network interface |
| | Interface: GigabitEthernet 1/0/3; IP address: 192.168.1.10/30; security zone: Untrust | Virtual system (vsysa) public-network interface |
| | Interface: GigabitEthernet 1/0/4; IP address: 10.3.2.3/24; security zone: Trust | Virtual system (vsysa) private-network interface |
| | Interface: GigabitEthernet 1/0/7; IP address: 10.10.0.2/24; security zone: DMZ | Heartbeat interface |
| VRRP group | VRRP group 1: 10.3.1.1/24, standby | - |
| | VRRP group 2: 10.3.2.1/24, active | - |
| Route | Black-hole route; destination: 1.1.1.1/32 | Black-hole route for the root system (public) NAT address pool; prevents routing loops |
| | Black-hole route; destination: 1.1.1.2/32 | Black-hole route for the virtual system (vsysa) NAT address pool; prevents routing loops |
| | OSPF 100; advertised network: 192.168.0.8/30; imports static routes | Root system (public) OSPF configuration |
| | OSPF 200; bound VPN instance: vsysa; advertised network: 192.168.1.8/30; imports static routes | Virtual system (vsysa) OSPF configuration |
Switch

| VLAN | Member port 1 | Member port 2 | Member port 3 |
|---|---|---|---|
| 10 (public) | GE1/0/15 | GE1/0/16 | GE1/0/17 |
| 30 (vsysa) | GE1/0/18 | GE1/0/19 | GE1/0/20 |
Router1

| Item | Data | Description |
|---|---|---|
| Interface | Interface: GigabitEthernet 1/0/1; IP address: 192.168.0.1/30 | Connects to the FW root system (public) |
| | Interface: GigabitEthernet 1/0/2; IP address: 192.168.0.5/30 | Connects to Router2 |
| | Interface: GigabitEthernet 1/0/3; IP address: 192.168.1.1/30 | Connects to the FW virtual system (vsysa) |
| | Interface: GigabitEthernet 1/0/4; IP address: 192.168.1.5/30 | Connects to Router2 |
| OSPF | OSPF 100; advertised networks: 192.168.0.0/30, 192.168.0.4/30; advertises the default route | - |
| | OSPF 200; advertised networks: 192.168.1.0/30, 192.168.1.4/30; advertises the default route | - |
Router2

| Item | Data | Description |
|---|---|---|
| Interface | Interface: GigabitEthernet 1/0/1; IP address: 192.168.0.9/30 | Connects to the FW root system (public) |
| | Interface: GigabitEthernet 1/0/2; IP address: 192.168.0.6/30 | Connects to Router1 |
| | Interface: GigabitEthernet 1/0/3; IP address: 192.168.1.9/30 | Connects to the FW virtual system (vsysa) |
| | Interface: GigabitEthernet 1/0/4; IP address: 192.168.1.6/30 | Connects to Router1 |
| OSPF | OSPF 100; advertised networks: 192.168.0.8/30, 192.168.0.4/30; advertises the default route | - |
| | OSPF 200; advertised networks: 192.168.1.8/30, 192.168.1.4/30; advertises the default route | - |
Procedure
- Create virtual system vsysa and assign interfaces to it.
Make sure that the virtual system name and ID created on FW_A and FW_B are identical. After the virtual systems have been created, run the display vsys command on each device and compare the results.
# Enable the virtual system function on the FW.
FW_A
```
<FW_A> system-view
[FW_A] vsys enable
```
FW_B
```
<FW_B> system-view
[FW_B] vsys enable
```
# Create the virtual system on the FW and assign interfaces to it.
FW_A
```
[FW_A] vsys name vsysa
[FW_A-vsys-vsysa] assign interface GigabitEthernet 1/0/3
[FW_A-vsys-vsysa] assign interface GigabitEthernet 1/0/4
[FW_A-vsys-vsysa] assign global-ip 1.1.1.2 1.1.1.2 exclusive
[FW_A-vsys-vsysa] quit
```
FW_B
```
[FW_B] vsys name vsysa
[FW_B-vsys-vsysa] assign interface GigabitEthernet 1/0/3
[FW_B-vsys-vsysa] assign interface GigabitEthernet 1/0/4
[FW_B-vsys-vsysa] assign global-ip 1.1.1.2 1.1.1.2 exclusive
[FW_B-vsys-vsysa] quit
```
- Configure interfaces.
# Configure the root-system interfaces and VRRP groups on the FW.
FW_A
```
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 192.168.0.2 30
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.3.1.2 24
[FW_A-GigabitEthernet1/0/2] vrrp vrid 1 virtual-ip 10.3.1.1 24 active
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit
```
FW_B
```
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 192.168.0.10 30
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] ip address 10.3.1.3 24
[FW_B-GigabitEthernet1/0/2] vrrp vrid 1 virtual-ip 10.3.1.1 24 standby
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/7
[FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/7] quit
```
# Assign the root-system interfaces to security zones on the FW.
FW_A
```
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/2
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
```
FW_B
```
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/2
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_B-zone-dmz] quit
```
# Configure the virtual-system interfaces and VRRP groups on the FW.
FW_A
```
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 192.168.1.2 30
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] ip address 10.3.2.2 24
[FW_A-GigabitEthernet1/0/4] vrrp vrid 2 virtual-ip 10.3.2.1 24 standby
[FW_A-GigabitEthernet1/0/4] quit
```
FW_B
```
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 192.168.1.10 30
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/4
[FW_B-GigabitEthernet1/0/4] ip address 10.3.2.3 24
[FW_B-GigabitEthernet1/0/4] vrrp vrid 2 virtual-ip 10.3.2.1 24 active
[FW_B-GigabitEthernet1/0/4] quit
```
# Assign the virtual-system interfaces to security zones on the FW.
FW_A
```
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] firewall zone untrust
[FW_A-vsysa-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_A-vsysa-zone-untrust] quit
[FW_A-vsysa] firewall zone trust
[FW_A-vsysa-zone-trust] add interface GigabitEthernet 1/0/4
[FW_A-vsysa-zone-trust] quit
[FW_A-vsysa] quit
```
FW_B
```
[FW_B] switch vsys vsysa
<FW_B-vsysa> system-view
[FW_B-vsysa] firewall zone untrust
[FW_B-vsysa-zone-untrust] add interface GigabitEthernet 1/0/3
[FW_B-vsysa-zone-untrust] quit
[FW_B-vsysa] firewall zone trust
[FW_B-vsysa-zone-trust] add interface GigabitEthernet 1/0/4
[FW_B-vsysa-zone-trust] quit
[FW_B-vsysa] quit
```
- Configure static routes.
# Configure the black-hole route to the root-system NAT address pool address on the FW.
FW_A
```
[FW_A] ip route-static 1.1.1.1 32 null 0
```
FW_B
```
[FW_B] ip route-static 1.1.1.1 32 null 0
```
# Configure the black-hole route to the virtual-system NAT address pool address on the FW.
FW_A
```
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] ip route-static 1.1.1.2 32 null 0
[FW_A-vsysa] quit
```
FW_B
```
[FW_B] switch vsys vsysa
<FW_B-vsysa> system-view
[FW_B-vsysa] ip route-static 1.1.1.2 32 null 0
[FW_B-vsysa] quit
```
- Configure OSPF.
FW_A
```
[FW_A] ospf 100
[FW_A-ospf-100] import-route static
[FW_A-ospf-100] area 0
[FW_A-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
[FW_A-ospf-100-area-0.0.0.0] quit
[FW_A-ospf-100] quit
[FW_A] ospf 200 vpn-instance vsysa
[FW_A-ospf-200] import-route static
[FW_A-ospf-200] area 0
[FW_A-ospf-200-area-0.0.0.0] network 192.168.1.0 0.0.0.3
[FW_A-ospf-200-area-0.0.0.0] quit
[FW_A-ospf-200] quit
```
FW_B
```
[FW_B] ospf 100
[FW_B-ospf-100] import-route static
[FW_B-ospf-100] area 0
[FW_B-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
[FW_B-ospf-100-area-0.0.0.0] quit
[FW_B-ospf-100] quit
[FW_B] ospf 200 vpn-instance vsysa
[FW_B-ospf-200] import-route static
[FW_B-ospf-200] area 0
[FW_B-ospf-200-area-0.0.0.0] network 192.168.1.8 0.0.0.3
[FW_B-ospf-200-area-0.0.0.0] quit
[FW_B-ospf-200] quit
```
- Configure the hot standby function.
# Configure the VGMP group on the FW to monitor the upstream and downstream service interfaces.
FW_A
```
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp track interface GigabitEthernet 1/0/3
```
FW_B
```
[FW_B] hrp track interface GigabitEthernet 1/0/1
[FW_B] hrp track interface GigabitEthernet 1/0/3
```
# In load-sharing networking both FWs forward traffic. Because the forward and return paths of a flow may differ, session fast backup must be configured on both FWs.
FW_A
```
[FW_A] hrp mirror session enable
```
FW_B
```
[FW_B] hrp mirror session enable
```
# Specify the heartbeat interface on the FW and enable hot standby.
FW_A
```
[FW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
[FW_A] hrp enable
```
FW_B
```
[FW_B] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
[FW_B] hrp enable
```
# In load-sharing hot standby networking, configure the usable port range on FW_A and FW_B separately so that the two devices do not allocate conflicting ports when performing NAT.
Note: In a load-sharing hot standby scenario where the two FWs share one NAT address pool, the public ports allocated by the two devices may conflict in NAPT mode. To avoid this, configure on each device the NAT resources (public IP addresses and public port numbers) it may use. Run the hrp nat resource primary-group command on the active device; the hrp nat resource secondary-group command is then generated automatically on the standby device (if hrp nat resource secondary-group is configured on the active device, hrp nat resource primary-group is generated automatically on the standby device).
FW_A
```
HRP_M[FW_A] hrp nat resource primary-group
```
FW_B
```
HRP_S[FW_B] hrp nat resource secondary-group
```
- Configure security policies.
After hot standby has been established successfully, the security policies configured on FW_A are backed up to FW_B automatically.
# Configure a root-system security policy that allows private-network users to access the public network.
```
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec
HRP_M[FW_A-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec] source-address 10.3.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-policy-security-rule-policy_sec] quit
HRP_M[FW_A-policy-security] quit
```
# Configure a virtual-system security policy that allows private-network users to access the public network.
```
HRP_M[FW_A] switch vsys vsysa
HRP_M<FW_A-vsysa> system-view
HRP_M[FW_A-vsysa] security-policy
HRP_M[FW_A-vsysa-policy-security] rule name policy_sec
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-address 10.3.2.0 24
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] quit
HRP_M[FW_A-vsysa-policy-security] quit
HRP_M[FW_A-vsysa] quit
```
- Configure NAT policies.
After hot standby has been established successfully, the NAT policies configured on FW_A are backed up to FW_B automatically.
# Configure a root-system NAT policy that allows private-network users to access the public network.
```
HRP_M[FW_A] nat address-group addressgroup1
HRP_M[FW_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.1
HRP_M[FW_A-address-group-addressgroup1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat
HRP_M[FW_A-policy-nat-rule-policy_nat] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat] source-address 10.3.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
HRP_M[FW_A-policy-nat-rule-policy_nat] quit
HRP_M[FW_A-policy-nat] quit
```
# Configure a virtual-system NAT policy that allows private-network users to access the public network.
```
HRP_M[FW_A] switch vsys vsysa
HRP_M<FW_A-vsysa> system-view
HRP_M[FW_A-vsysa] nat address-group addressgroup1
HRP_M[FW_A-vsysa-address-group-addressgroup1] section 0 1.1.1.2 1.1.1.2
HRP_M[FW_A-vsysa-address-group-addressgroup1] quit
HRP_M[FW_A-vsysa] nat-policy
HRP_M[FW_A-vsysa-policy-nat] rule name policy_nat
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] source-zone trust
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] destination-zone untrust
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] source-address 10.3.2.0 24
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] quit
HRP_M[FW_A-vsysa-policy-nat] quit
HRP_M[FW_A-vsysa] quit
```
- Configure the switch.
This example uses a Huawei switch.
# Configure Switch.
```
[Switch] vlan batch 10 30
[Switch] interface GigabitEthernet 1/0/15
[Switch-GigabitEthernet1/0/15] port link-type access
[Switch-GigabitEthernet1/0/15] port default vlan 10
[Switch-GigabitEthernet1/0/15] quit
[Switch] interface GigabitEthernet 1/0/16
[Switch-GigabitEthernet1/0/16] port link-type access
[Switch-GigabitEthernet1/0/16] port default vlan 10
[Switch-GigabitEthernet1/0/16] quit
[Switch] interface GigabitEthernet 1/0/17
[Switch-GigabitEthernet1/0/17] port link-type access
[Switch-GigabitEthernet1/0/17] port default vlan 10
[Switch-GigabitEthernet1/0/17] quit
[Switch] interface GigabitEthernet 1/0/18
[Switch-GigabitEthernet1/0/18] port link-type access
[Switch-GigabitEthernet1/0/18] port default vlan 30
[Switch-GigabitEthernet1/0/18] quit
[Switch] interface GigabitEthernet 1/0/19
[Switch-GigabitEthernet1/0/19] port link-type access
[Switch-GigabitEthernet1/0/19] port default vlan 30
[Switch-GigabitEthernet1/0/19] quit
[Switch] interface GigabitEthernet 1/0/20
[Switch-GigabitEthernet1/0/20] port link-type access
[Switch-GigabitEthernet1/0/20] port default vlan 30
[Switch-GigabitEthernet1/0/20] quit
```
- Configure the routers.
This example uses Huawei routers.
Router1
```
[Router1] interface GigabitEthernet 1/0/1
[Router1-GigabitEthernet1/0/1] ip address 192.168.0.1 30
[Router1-GigabitEthernet1/0/1] quit
[Router1] interface GigabitEthernet 1/0/2
[Router1-GigabitEthernet1/0/2] ip address 192.168.0.5 30
[Router1-GigabitEthernet1/0/2] quit
[Router1] interface GigabitEthernet 1/0/3
[Router1-GigabitEthernet1/0/3] ip address 192.168.1.1 30
[Router1-GigabitEthernet1/0/3] quit
[Router1] interface GigabitEthernet 1/0/4
[Router1-GigabitEthernet1/0/4] ip address 192.168.1.5 30
[Router1-GigabitEthernet1/0/4] quit
[Router1] ospf 100
[Router1-ospf-100] default-route-advertise
[Router1-ospf-100] area 0
[Router1-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
[Router1-ospf-100-area-0.0.0.0] network 192.168.0.4 0.0.0.3
[Router1-ospf-100-area-0.0.0.0] quit
[Router1-ospf-100] quit
[Router1] ospf 200
[Router1-ospf-200] default-route-advertise
[Router1-ospf-200] area 0
[Router1-ospf-200-area-0.0.0.0] network 192.168.1.0 0.0.0.3
[Router1-ospf-200-area-0.0.0.0] network 192.168.1.4 0.0.0.3
[Router1-ospf-200-area-0.0.0.0] quit
[Router1-ospf-200] quit
```
Router2
```
[Router2] interface GigabitEthernet 1/0/1
[Router2-GigabitEthernet1/0/1] ip address 192.168.0.9 30
[Router2-GigabitEthernet1/0/1] quit
[Router2] interface GigabitEthernet 1/0/2
[Router2-GigabitEthernet1/0/2] ip address 192.168.0.6 30
[Router2-GigabitEthernet1/0/2] quit
[Router2] interface GigabitEthernet 1/0/3
[Router2-GigabitEthernet1/0/3] ip address 192.168.1.9 30
[Router2-GigabitEthernet1/0/3] quit
[Router2] interface GigabitEthernet 1/0/4
[Router2-GigabitEthernet1/0/4] ip address 192.168.1.6 30
[Router2-GigabitEthernet1/0/4] quit
[Router2] ospf 100
[Router2-ospf-100] default-route-advertise
[Router2-ospf-100] area 0
[Router2-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
[Router2-ospf-100-area-0.0.0.0] network 192.168.0.4 0.0.0.3
[Router2-ospf-100-area-0.0.0.0] quit
[Router2-ospf-100] quit
[Router2] ospf 200
[Router2-ospf-200] default-route-advertise
[Router2-ospf-200] area 0
[Router2-ospf-200-area-0.0.0.0] network 192.168.1.8 0.0.0.3
[Router2-ospf-200-area-0.0.0.0] network 192.168.1.4 0.0.0.3
[Router2-ospf-200-area-0.0.0.0] quit
[Router2-ospf-200] quit
```
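As an added consistency check that is not part of this Huawei example, the Python script below parses constructed excerpts of the FW_A and FW_B root-system scripts from this page and verifies the pairing invariants the load-sharing design depends on: each hrp interface ... remote address is the peer's own heartbeat address, session mirroring is enabled on both sides, the NAT resource groups are one primary and one secondary, and every VRRP group carries the same virtual IP and is active on exactly one FW. The parse and check_pair helpers are hypothetical names; the one-space sub-command indentation follows the configuration scripts at the end of this page.

```python
import re

# Constructed excerpts of the FW_A / FW_B root-system scripts on this page.
FW_A_CFG = """\
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
hrp mirror session enable
hrp nat resource primary-group
interface GigabitEthernet 1/0/2
 vrrp vrid 1 virtual-ip 10.3.1.1 active
interface GigabitEthernet 1/0/4
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
"""
FW_B_CFG = """\
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
hrp mirror session enable
hrp nat resource secondary-group
interface GigabitEthernet 1/0/2
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
interface GigabitEthernet 1/0/4
 vrrp vrid 2 virtual-ip 10.3.2.1 active
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
"""

def parse(cfg):
    """Collect the HA-relevant facts from one firewall's script."""
    d = {"hrp_if": None, "remote": None, "mirror": False, "nat": None,
         "vrrp": {}, "ip": {}}
    cur = None  # interface whose sub-commands are being read
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.fullmatch(r"hrp interface (\S+ \S+) remote (\S+)", s):
            d["hrp_if"], d["remote"] = m[1], m[2]
        elif s == "hrp mirror session enable":
            d["mirror"] = True
        elif m := re.fullmatch(r"hrp nat resource (\S+)", s):
            d["nat"] = m[1]
        elif m := re.fullmatch(r"interface (.+)", s):
            cur = m[1]
        elif m := re.fullmatch(r"ip address (\S+) \S+", s):
            d["ip"][cur] = m[1]
        elif m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", s):
            d["vrrp"][int(m[1])] = (m[2], m[3])
    return d

def check_pair(cfg_a, cfg_b):
    """Return the pairing problems between two scripts (empty list = consistent)."""
    a, b, bad = parse(cfg_a), parse(cfg_b), []
    # Each side's 'hrp interface ... remote' must name the peer's heartbeat address.
    if a["remote"] != b["ip"].get(b["hrp_if"]) or b["remote"] != a["ip"].get(a["hrp_if"]):
        bad.append("hrp remote address does not match the peer heartbeat IP")
    if not (a["mirror"] and b["mirror"]):
        bad.append("hrp mirror session enable is missing on one side")
    if {a["nat"], b["nat"]} != {"primary-group", "secondary-group"}:
        bad.append("hrp nat resource groups are not one primary and one secondary")
    # Every VRRP group must share its virtual IP and be active on exactly one side.
    for vrid in sorted(a["vrrp"].keys() | b["vrrp"].keys()):
        va, vb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if None in (va, vb) or va[0] != vb[0] or {va[1], vb[1]} != {"active", "standby"}:
            bad.append(f"vrid {vrid} is not a consistent active/standby pair")
    return bad
```

For the two scripts on this page check_pair returns an empty list; a mis-typed remote address, a duplicated primary-group, or a VRRP group set to standby on both sides each produces one descriptive entry.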
Verification
- Run the display hrp state verbose command on FW_A and FW_B to check the current HRP state. The following output indicates that HRP has been established successfully.
FW_A
```
HRP_M[FW_A] display hrp state verbose
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = Abnormal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval: 1000ms
 preempt: 60s
 mirror configuration: off
 mirror session: on
 track trunk member: on
 auto-sync configuration: on
 auto-sync connection-status: on
 adjust ospf-cost: on
 adjust ospfv3-cost: on
 adjust bgp-cost: on
 nat resource: primary

 Detail information:
 GigabitEthernet1/0/2 vrid 1: active
 GigabitEthernet1/0/4 vrid 2: standby
 GigabitEthernet1/0/1: up
 GigabitEthernet1/0/3: up
 ospf-cost: +0
```
FW_B
```
HRP_S[FW_B] display hrp state verbose
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = Abnormal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval: 1000ms
 preempt: 60s
 mirror configuration: off
 mirror session: on
 track trunk member: on
 auto-sync configuration: on
 auto-sync connection-status: on
 adjust ospf-cost: on
 adjust ospfv3-cost: on
 adjust bgp-cost: on
 nat resource: secondary

 Detail information:
 GigabitEthernet1/0/2 vrid 1: standby
 GigabitEthernet1/0/4 vrid 2: active
 GigabitEthernet1/0/1: up
 GigabitEthernet1/0/3: up
 ospf-cost: +0
```
- Access from the private network to the public network succeeds. Check the sessions on FW_A and FW_B separately.
FW_A
```
HRP_M[FW_A] display firewall session table
 Current Total Sessions : 2
 icmp VPN:vsysa --> vsysa Remote 10.3.2.10:2057[1.1.1.2:2048]-->3.3.3.3:2048
 icmp VPN:public -> public 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
```
FW_B
```
HRP_S[FW_B] display firewall session table
 Current Total Sessions : 2
 icmp VPN:vsysa --> vsysa 10.3.2.10:2057[1.1.1.2:2048]-->3.3.3.3:2048
 icmp VPN:public -> public Remote 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
```
Sessions marked Remote exist on both FW_A and FW_B, which shows that after hot standby is configured the sessions are backed up to each other successfully.
- On a PC on the private network, start a continuous ping to a public-network IP address. Unplug the cable from GigabitEthernet 1/0/1 on FW_A and observe the active/standby switchover of the FWs and the ping packet loss; then reconnect the cable to GigabitEthernet 1/0/1 on FW_A and observe the switchover and packet loss again.
Configuration Scripts
Root system configuration script
FW_A
```
#
vsys enable
#
vsys name vsysa 1
 assign interface GigabitEthernet 1/0/3
 assign interface GigabitEthernet 1/0/4
 assign global-ip 1.1.1.2 1.1.1.2 exclusive
#
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/3
hrp mirror session enable
hrp nat resource primary-group
#
interface GigabitEthernet 1/0/1
 ip address 192.168.0.2 255.255.255.252
#
interface GigabitEthernet 1/0/2
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface GigabitEthernet 1/0/3
 ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet 1/0/4
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
ip route-static 1.1.1.1 255.255.255.255 null 0
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.0 0.0.0.3
#
ospf 200 vpn-instance vsysa
 import-route static
 area 0.0.0.0
  network 192.168.1.0 0.0.0.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.1 1.1.1.1
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action source-nat address-group addressgroup1
```
FW_B
```
#
vsys enable
#
vsys name vsysa 1
 assign interface GigabitEthernet 1/0/3
 assign interface GigabitEthernet 1/0/4
 assign global-ip 1.1.1.2 1.1.1.2 exclusive
#
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/3
hrp mirror session enable
hrp nat resource secondary-group
#
interface GigabitEthernet 1/0/1
 ip address 192.168.0.10 255.255.255.252
#
interface GigabitEthernet 1/0/2
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface GigabitEthernet 1/0/3
 ip address 192.168.1.10 255.255.255.252
#
interface GigabitEthernet 1/0/4
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
ip route-static 1.1.1.1 255.255.255.255 null 0
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.8 0.0.0.3
#
ospf 200 vpn-instance vsysa
 import-route static
 area 0.0.0.0
  network 192.168.1.8 0.0.0.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.1 1.1.1.1
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action source-nat address-group addressgroup1
```
Virtual system vsysa configuration script
FW_A
```
#
Switch vsys vsysa
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/3
#
ip route-static 1.1.1.2 255.255.255.255 null 0
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.2 1.1.1.2
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action source-nat address-group addressgroup1
```
FW_B
```
#
Switch vsys vsysa
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/3
#
ip route-static 1.1.1.2 255.255.255.255 null 0
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.2 1.1.1.2
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action source-nat address-group addressgroup1
```
