華爲 USG6000防火牆配置鏡像模式雙機熱備

原創 友人a笔记 2020-06-02 23:22

網絡拓撲

要求:

企業前期是一臺防火牆,爲了提高網絡可靠性,並且在不影響原先防火牆配置情況下,新增一臺防火牆做雙機熱備。兩臺FW的業務接口都工作在三層,下行爲三層核心交換機。上行爲二層交換機連接運營商的接入點,運營商爲企業分配的IP地址爲100.1.1.1-100.1.1.6

配置思路:

兩臺防火牆型號必須要求一樣,配置鏡像模式前需要先完成雙機熱備的網絡連接和基本配置,但是不需要配置業務接口和路由等。

  1. 在兩臺FW上分別完成雙機熱備基本配置,包括VGMP組監控業務接口(hrp track interface)、心跳口配置和啓用雙機熱備功能。
  2. 在兩臺FW上啓用鏡像模式,並進行手工批量備份。
  3. 在其中一臺FW完成網絡配置,保證內網用戶能夠訪問Internet。
  4. 鏡像模式形成後,所有配置(包括接口和路由等配置)都只需在一臺FW上配置即可,配置會自動備份到另外一臺FW。

一、雙機熱備前配置

1、PC和server配置

2、接入層交換機SW5配置

<Huawei>system-view	
[Huawei]sysname SW5
[SW5]vlan batch 10 20

[SW5]interface  GigabitEthernet  0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access	
[SW5-GigabitEthernet0/0/4]port default vlan 10
[SW5-GigabitEthernet0/0/4]quit

[SW5]interface  GigabitEthernet  0/0/5
[SW5-GigabitEthernet0/0/5]port link-type access
[SW5-GigabitEthernet0/0/5]port default  vlan  20
[SW5-GigabitEthernet0/0/5]quit

[SW5]interface  GigabitEthernet  0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk	
[SW5-GigabitEthernet0/0/2]port trunk  allow-pass  vlan  all
[SW5-GigabitEthernet0/0/2]quit

[SW5]interface  GigabitEthernet  0/0/3
[SW5-GigabitEthernet0/0/3]port link-type trunk
[SW5-GigabitEthernet0/0/3]port trunk  allow-pass vlan  all
[SW5-GigabitEthernet0/0/3]quit

3、核心交換機配置

SW3

<Huawei>system-view
[Huawei]sysname SW3
[SW3]vlan batch 10 20 30

[SW3]interface  Vlanif 10
[SW3-Vlanif10]ip address 192.168.10.252 24
[SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW3-Vlanif10]vrrp vrid 10 priority 101
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif10]quit

[SW3]interface  Vlanif  20
[SW3-Vlanif20]ip address  192.168.20.252 24
[SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254	
[SW3-Vlanif20]vrrp vrid 20 priority 101
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif20]quit

[SW3]interface  Vlanif  30
[SW3-Vlanif30]ip address  192.168.30.252 24
[SW3-Vlanif30]vrrp vrid  30 virtual-ip 192.168.30.254	
[SW3-Vlanif30]vrrp vrid 30 priority 101
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/1 reduced 10
[SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/2 reduced 10
[SW3-Vlanif30]quit

[SW3]interface  Eth-Trunk 1
[SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/7
[SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/8
[SW3-Eth-Trunk1]port link-type trunk	
[SW3-Eth-Trunk1]port trunk allow-pass vlan all
[SW3-Eth-Trunk1]quit


[SW3]interface  GigabitEthernet  0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk
[SW3-GigabitEthernet0/0/2]port trunk  allow-pass  vlan  all 
[SW3-GigabitEthernet0/0/2]quit

[SW3]interface  GigabitEthernet  0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 30
[SW3-GigabitEthernet0/0/1]quit

[SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

SW4

<Huawei>system-view
[Huawei]sysname SW4
[SW4]vlan batch 10 20 30

[SW4]interface  Vlanif 10
[SW4-Vlanif10]ip address 192.168.10.253 24
[SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254
[SW4-Vlanif10]quit

[SW4]interface  Vlanif  20
[SW4-Vlanif20]ip address  192.168.20.253 24
[SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254
[SW4-Vlanif20]quit

[SW4]interface  Vlanif  30
[SW4-Vlanif30]ip address  192.168.30.253 24
[SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254
[SW4-Vlanif30]quit

[SW4]interface  Eth-Trunk 1
[SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/7
[SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/8
[SW4-Eth-Trunk1]port link-type trunk	
[SW4-Eth-Trunk1]port trunk allow-pass vlan all
[SW4-Eth-Trunk1]quit

[SW4]interface  GigabitEthernet  0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk  allow-pass  vlan  all 
[SW4-GigabitEthernet0/0/3]quit

[SW4]interface  GigabitEthernet  0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 30
[SW4-GigabitEthernet0/0/1]quit

[SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

4、防火牆FW1配置

<USG6000V1>system-view	
[USG6000V1]sysname FW1

[FW1]interface GigabitEthernet  1/0/1
[FW1-GigabitEthernet1/0/1]ip address  192.168.30.12 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit

[FW1]interface GigabitEthernet  1/0/0
[FW1-GigabitEthernet1/0/0]ip address  100.1.1.1 29
[FW1-GigabitEthernet1/0/0]service-manage ping permit 
[FW1-GigabitEthernet1/0/0]quit

安全區域
[FW1]firewall zone  trust
[FW1-zone-trust]add  interface  GigabitEthernet  1/0/1
[FW1-zone-trust]quit
[FW1]firewall zone  untrust
[FW1-zone-untrust]add  interface  GigabitEthernet  1/0/0	
[FW1-zone-untrust]quit

NAT地址池
[FW1]nat address-group nat_group	
[FW1-address-group-nat_group]section 0 100.1.1.3	
[FW1-address-group-nat_group]quit

NAT轉發
[FW1]nat-policy
[FW1-policy-nat]rule name nat_policy1	
[FW1-policy-nat-rule-nat_policy1]source-zone  trust
[FW1-policy-nat-rule-nat_policy1]destination-zone  untrust
[FW1-policy-nat-rule-nat_policy1]source-address 192.168.10.0 24
[FW1-policy-nat-rule-nat_policy1]action source-nat  address-group nat_group
[FW1-policy-nat-rule-nat_policy1]return

域間安全策略
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust1	
[FW1-policy-security-rule-trust_untrust1]source-zone trust
[FW1-policy-security-rule-trust_untrust1]destination-zone untrust
[FW1-policy-security-rule-trust_untrust1]source-address 192.168.10.0 24
[FW1-policy-security-rule-trust_untrust1]action permit
[FW1-policy-security-rule-trust_untrust1]quit
[FW1-policy-security]quit

[FW1]ip route-static 192.168.10.0 24 192.168.30.254
[FW1]ip route-static 192.168.20.0 24 192.168.30.254
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.6

5、上行交換機SW6

<Huawei>system-view 
[Huawei]sysname SW6

[SW6]vlan  100	
[SW6-vlan100]quit

[SW6]interface  GigabitEthernet  0/0/1	
[SW6-GigabitEthernet0/0/1]port link-type access
[SW6-GigabitEthernet0/0/1]port default  vlan  100
	
[SW6-GigabitEthernet0/0/1]quit 

[SW6]interface GigabitEthernet 0/0/2	
[SW6-GigabitEthernet0/0/2]port link-type access	
[SW6-GigabitEthernet0/0/2]port default  vlan  100	
[SW6-GigabitEthernet0/0/2]quit 
	
[SW6]interface  GigabitEthernet  0/0/3
[SW6-GigabitEthernet0/0/3]port link-type access	
[SW6-GigabitEthernet0/0/3]port default  vlan  100
[SW6-GigabitEthernet0/0/3]quit

6、運營商ISP

<Huawei>system-view
[Huawei]sysname ISP
	
[ISP]interface  GigabitEthernet  0/0/1
[ISP-GigabitEthernet0/0/1]ip address  100.1.1.6 29	
[ISP-GigabitEthernet0/0/1]quit

[ISP]interface  LoopBack 0
[ISP-LoopBack0]ip address  1.1.1.1 32
[ISP-LoopBack0]quit

[ISP]interface  GigabitEthernet  0/0/0
[ISP-GigabitEthernet0/0/0]ip address  10.1.1.2 24
[ISP-GigabitEthernet0/0/0]quit

[ISP]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

7、查看內網用戶ping外網

二、雙機熱備配置

全程可以使pc長pingISP的1.1.1.1,發現不會丟包

1、FW1配置HRP,然後配置鏡像模式

FW1配置心跳線接口,並加入對應安全區域
[FW1]interface GigabitEthernet  1/0/2
[FW1-GigabitEthernet1/0/2]ip address  172.16.1.1 30	
[FW1-GigabitEthernet1/0/2]quit

[FW1]firewall zone  dmz
[FW1-zone-dmz]add  interface  GigabitEthernet  1/0/2
[FW1-zone-dmz]quit

域間安全策略
[FW1]security-policy	
[FW1-policy-security]rule name ha_local_dmz	
[FW1-policy-security-rule-ha_local_dmz]source-zone  local dmz	
[FW1-policy-security-rule-ha_local_dmz]destination-zone  local dmz	
[FW1-policy-security-rule-ha_local_dmz]action permit
[FW1-policy-security-rule-ha_local_dmz]quit	
[FW1-policy-security]quit

在FW1配置VGMP組監控上下行業務接口,默認爲主設備
[FW1]hrp  track interface  GigabitEthernet  1/0/0
[FW1]hrp  track interface  GigabitEthernet  1/0/1

指定心跳口和對端IP地址,並啓用雙機熱備功能
[FW1]hrp interface  GigabitEthernet  1/0/2 remote 172.16.1.2	
[FW1]hrp  enable

2、FW2配置HRP

FW2配置心跳線接口,並加入對應安全區域
<USG6000V1>system-view
[USG6000V1]sysname FW2

[FW2]interface GigabitEthernet  1/0/2
[FW2-GigabitEthernet1/0/2]ip address  172.16.1.2 30	
[FW2-GigabitEthernet1/0/2]quit

[FW2]firewall zone  dmz
[FW2-zone-dmz]add interface GigabitEthernet  1/0/2
[FW2-zone-dmz]quit

域間安全策略
[FW2]security-policy	
[FW2-policy-security]rule name ha_local_dmz
[FW2-policy-security-rule-ha_local_dmz]source-zone  local dmz	
[FW2-policy-security-rule-ha_local_dmz]destination-zone local dmz	
[FW2-policy-security-rule-ha_local_dmz]action permit
[FW2-policy-security-rule-ha_local_dmz]quit

在FW2配置VGMP組監控上下行業務接口,並配置本設備爲備用設備
[FW2]hrp  track  interface  GigabitEthernet 1/0/0
[FW2]hrp  track  interface  GigabitEthernet 1/0/1
[FW2]hrp  standby-device 

指定心跳口和對端IP地址,並啓用雙機熱備功能
[FW2]hrp  interface  GigabitEthernet  1/0/2 remote 172.16.1.1
[FW2]hrp  enable

3、查看同步狀態

4、在FW1上配置鏡像模式(重點)。雙機關係建立之後,該配置會自動備份到FW2

HRP_M[FW1]hrp  mirror  config enable

5、在FW1先手動同步一下配置文件

6、在FW2查看到FW1開啓熱備之前的配置已經被同步過來

HRP_S[FW2]display  current-configuration  
2020-05-28 02:27:57.980 
!Software Version V500R005C10SPC300
#
sysname FW2
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
 hrp enable
 hrp mirror config enable
 hrp interface GigabitEthernet1/0/2 remote 172.16.1.1
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/1
#
 update schedule location-sdb weekly Sun 03:14
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 06:38
 update schedule av-sdb daily 06:38
 update schedule sa-sdb daily 06:38
 update schedule cnc daily 06:38
 update schedule file-reputation daily 06:38
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%PufuDg5YR*D@[x~Nqi|~n=5DHjpMOk,OqAV)gT$TQJP5=5Gn@%@%
  service-type web terminal
  level 15

 manager-user api-admin
  password cipher @%@%`f5K#iULL!(vQ6M@lpCB'H,@{QzA=M{5O*as_2+Uk}J7H,C'@%@%
  level 15

 manager-user admin
  password cipher @%@%ZFDu3)yV"LfTPj'O3+7437VT3h:D@nUDCO]h[qWQRb1Q7VW3@%@%
  service-type web terminal
  level 15

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.1 255.255.255.248
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.30.12 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.1.2 255.255.255.252
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.6
ip route-static 192.168.10.0 255.255.255.0 192.168.30.254
ip route-static 192.168.20.0 255.255.255.0 192.168.30.254
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
nat address-group nat_group 0
 mode pat
 section 0 100.1.1.3 100.1.1.3
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name ha_local_dmz
  source-zone dmz
  source-zone local
  destination-zone dmz
  destination-zone local
  action permit
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name nat_policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat address-group nat_group
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

三、配置服務器映射

在開啓雙機熱備的情況下,在active上操作的任何步驟都過自動同步到standby

1、在FW1爲server1添加映射,讓外網用戶能訪問

HRP_M[FW1]nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168.
20.1 80 unr-route

在FW2查看已經被同步配置

2、配置域間安全測試,允許外網訪問內網服務器

HRP_M[FW1]security-policy
HRP_M[FW1-policy-security]rule name untrust_trust
HRP_M[FW1-policy-security-rule-untrust_trust]source-zone  untrust
HRP_M[FW1-policy-security-rule-untrust_trust]destination-zone trust
HRP_M[FW1-policy-security-rule-untrust_trust]destination-address 192.168.20.0 24
HRP_M[FW1-policy-security-rule-untrust_trust]action permit
HRP_M[FW1-policy-security-rule-untrust_trust]return

3、client1訪問服務器映射(訪問域名,狀態200表示成功)

 

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

USG5500 配置路由模式下主備備份方式的雙機熱備份

組網需求: USG5500作爲安全設備被部署在業務節點上。其中上下行設備均爲交換機,USG5300A,USG5300B分別充當主設備和備用設備,且均工作在路由模式下。 網絡規劃如下: •需要保護的網段地址爲192.168.1.0/24,與

友人a笔记 2020-06-23 04:05:21

防火牆入侵與檢測 day04 防火牆雙機熱備

防火牆雙機熱備雙擊熱備技術原理雙機熱備在路由器上的部署VRRP在多區域防火牆組網VRRP用於防火牆多區域備份雙擊熱備基本組網與配置雙機熱備在防火牆上的部署VRRP前提知曉 雙擊熱備技術原理 雙機熱備技術產生的原因 傳統的組網方

果子哥丶 2020-06-22 10:57:01

防火牆入侵與檢測 day05 防火牆可靠性

果子哥丶 2020-06-01 00:03:53

防火牆入侵與檢測 day06 防火牆虛擬系統

果子哥丶 2020-06-01 00:03:43

防火牆入侵與檢測 day03 詳解NAT及配置

果子哥丶 2020-05-23 23:52:02

防火牆入侵與檢測 day02

果子哥丶 2020-05-21 11:40:26

防火牆入侵與檢測 day01

果子哥丶 2020-05-18 23:23:59

11、中小企業網絡架構-擴展配置防火牆雙出口

友人a笔记 2020-05-11 11:34:18

6、中小企業網絡架構-防火牆基本配置

友人a笔记 2020-02-20 17:33:45

MySQL5.7.25雙機熱備搭建

環境 IP 主機名 作用 10.1.24.128 bd128 MySQL 節點1 10.1.24.131 bd131 MySQL 節點2 10.1.24.9 VIP 虛擬地址 下載安裝包: 鏈接:http

吃顿好的 2020-06-29 07:19:00

MySQL高可用部署(雙機熱備 + Keepalived 故障自動切換)

目錄一、安裝 MySQL二、安裝 keepalived 一、安裝 MySQL 解壓 ## 卸載系統自帶 mariadb [root@data-01 ~]# rpm -qa | grep mariadb mariadb-libs-

MySomeday 2020-06-21 05:14:13

華爲模擬器eNSP防火牆雙機熱備實驗

命令行配置 簡要步驟如下: 配置所有接口IP 在防火牆上規劃接口區域,所有接口允許被ping 防火牆配置安全策略,local到any 配置虛擬地址並分配VRRP組以及備用設備組(這一步配置完之後,在R1和R2測試ping

m0c1nu7 2020-06-19 02:39:48

centos雙機熱備 數據庫主從相互備份(中)

  centos雙機熱備 數據庫主從相互備份(上):https://blog.csdn.net/Berzingou/article/details/82017228 相關資料網盤鏈接:https://pan.baidu.com/s/1Zg

emonade 2020-06-16 04:44:14

防火牆雙機熱備命令行配置

文章目錄實驗要求實驗內容步驟一步驟二步驟三步驟四步驟五步驟六 實驗要求 部署防火牆雙機熱備,避免防火牆出現單點故障而導致的網絡癱瘓 進行故障模擬,在雙機熱備的部署完成之後,關閉主設備,查看業務連通性是否收到影響 連通性要求:

TKE_Skye 2020-06-10 02:27:27

雙機熱備方案

wangsiman 2020-02-22 18:58:32