(华为配置)防火墙双机热备+BFD联动故障切换实验报告

转载：(华为配置)防火墙双机热备+BFD联动故障切换实验报告

一、实验拓扑

二、实验内容

（一）实验需求:

某公司通过主防火墙(FW1)与外网进行通信，当主防火墙出现故障时，备份防火墙能够保障正常通信。

（二）基础配置(vlan划分、IP地址配置)

1．ISP

复制代码

#

interface GigabitEthernet0/0/0

ip address 100.1.1.1 255.255.255.248

#

interface LoopBack0

ip address 114.114.114.114 255.255.255.252

#

2．SW-OUT

复制代码

#

vlan batch 2

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 2

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 2

#

interface GigabitEthernet0/0/3

port link-type access

port default vlan 2

#

interface Vlanif2

ip address 100.1.1.5 255.255.255.248

#

3．FW1

复制代码

#

interface GigabitEthernet1/0/0

description to_SW-IN_G0/0/1

undo shutdown

ip address 10.1.1.1 255.255.255.248

#

interface GigabitEthernet1/0/1

description to_SW-OUT_G0/0/2

undo shutdown

ip address 100.1.1.2 255.255.255.248

#

interface GigabitEthernet1/0/2

description to_FW2_G1/0/2

undo shutdown

ip address 10.0.12.1 255.255.255.252

alias hrp

#

4．FW2

复制代码

#

interface GigabitEthernet1/0/0

description to_SW-IN_G0/0/2

undo shutdown

ip address 10.1.1.3 255.255.255.248

#

interface GigabitEthernet1/0/1

description to_SW-OUT_G0/0/3

undo shutdown

ip address 100.1.1.3 255.255.255.248

#

interface GigabitEthernet1/0/2

description to_FW1_G1/0/2

undo shutdown

ip address 10.0.12.2 255.255.255.252

alias hrp

#

5．SW-IN

复制代码

#

Vlan batch 2 10 20

#

interface GigabitEthernet0/0/1

description to_FW1_G1/0/0

port link-type access

port default vlan 2

#

interface GigabitEthernet0/0/2

description to_FW2_G1/0/0

port link-type access

port default vlan 2

#

interface GigabitEthernet0/0/3

description to_vlan10

port link-type access

port default vlan 10

#

interface GigabitEthernet0/0/4

description to_vlan20

port link-type access

port default vlan 20

#

interface Vlanif2

ip address 10.1.1.2 255.255.255.248

#

interface Vlanif10

ip address 172.16.10.254 255.255.255.0

#

interface Vlanif20

ip address 192.168.1.254 255.255.255.0

#

（三）安全区域划分

1．FW1

复制代码

#

firewall zone trust

add interface GigabitEthernet1/0/0

#

firewall zone untrust

add interface GigabitEthernet1/0/1

#

firewall zone dmz

add interface GigabitEthernet1/0/2

#

2．FW2

复制代码

#

firewall zone trust

add interface GigabitEthernet1/0/0

#

firewall zone untrust

add interface GigabitEthernet1/0/1

#

firewall zone dmz

add interface GigabitEthernet1/0/2

#

（四）VRRP

1．FW1

复制代码

#

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 10.1.1.4 active

#

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 100.1.1.4 active

#

2．FW2

复制代码

#

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 10.1.1.4 standby

#

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 100.1.1.4 standby

#

（五）配置HRP

1．FW1

复制代码

#

hrp enable

hrp interface GigabitEthernet1/0/2 remote 10.0.12.2

hrp mirror session enable

#

2．FW2

复制代码

#

hrp enable

hrp interface GigabitEthernet1/0/2 remote 10.0.12.1

hrp mirror session enable

#

（六）配置防火墙安全策略

只需要在FW1上配置，就会同步到FW2

1．FW1

复制代码

#

security-policy

rule name t_U

source-zone trust

destination-zone untrust

action permit

rule name guanli

source-zone local

action permit

#

（七）配置防火墙NAT地址池及NAT策略

只需要在FW1上配置，就会同步到FW2

1．FW1

复制代码

#

nat address-group CK_NAT_address 0

mode pat

section 1 100.1.1.6 100.1.1.6

#

nat-policy

rule name internet

source-zone trust

destination-zone untrust

action source-nat address-group CK_NAT_address

#

（八）配置指向内外网的双向静态路由

1．SW-OUT

复制代码

#

ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

#

2．FW1

复制代码

#

ip route-static 0.0.0.0 0.0.0.0 100.1.1.5

ip route-static 172.16.10.0 255.255.255.0 10.1.1.2

ip route-static 192.168.1.0 255.255.255.0 10.1.1.2

#

3．FW2

复制代码

#

ip route-static 0.0.0.0 0.0.0.0 100.1.1.5

ip route-static 172.16.10.0 255.255.255.0 10.1.1.2

ip route-static 192.168.1.0 255.255.255.0 10.1.1.2

#

4．SW-IN

复制代码

#

ip route-static 0.0.0.0 0.0.0.0 10.1.1.4

#

（九）上行接口配置BFD联动实现故障快速切换

还可以使用IP-link的icmp报文探测是否存活，但是由于IP-Link探测时间间隔需断网较长时间才恢复正常，所以这里使用BFD。

1．SW-OUT

复制代码

#

bfd

#

bfd 1 bind peer-ip 100.1.1.2

discriminator local 20

discriminator remote 10

commit

#

bfd 2 bind peer-ip 100.1.1.3

discriminator local 40

discriminator remote 30

commit

#

2．FW1

复制代码

#

bfd

#

bfd 1 bind peer-ip 100.1.1.5

discriminator local 10

discriminator remote 20

commit

#

hrp enable

hrp track interface GigabitEthernet1/0/1

hrp track bfd-session 10

#

3.FW2

复制代码

#

bfd

#

bfd 1 bind peer-ip 100.1.1.5

discriminator local 30

discriminator remote 40

commit

#

hrp enable

hrp track interface GigabitEthernet1/0/1

hrp track bfd-session 30

#

三、实验结果

（一）PC之间互通

（二）当主防火墙出现故障时，依然能够正常通信

往期推荐

（华为配置篇）华为设备ssh配置脚本

（全网最全面）开学季笔记本电脑验机详细流程及系统优化设置

（华为配置篇）交换机镜像配置

（华为配置篇）IPSec加密GRE通道

（华为配置篇）PPPoe拨号实验、策略路由选路与故障切换