Network topology diagram:
As shown in the diagram above, the internal network is a three-tier architecture. The core switch uplinks to two firewalls (the two firewalls form an active/standby pair), and the two firewalls uplink to two routers (policy-based routing can be configured on the routers for load balancing).
Configuration approach:
1. Configure the internal network first
Core switch: configure VLANs, enable DHCP, enable MSTP, create address pools, assign VLAN interface addresses, configure OSPF and a static route. (The two uplink interfaces g0/0/23 and g0/0/24 are placed in a VLAN whose interface address is in the same subnet as the firewalls' virtual address.)
system-view
sysname XIAN_CORE_SW_01
stp enable
dhcp enable
vlan batch 10 20 30 99
interface vlanif 99
ip address 10.100.99.99 29
quit
port-group 1
group-member g0/0/23 to g0/0/24
port link-type access
port default vlan 99
quit
port-group 2
group-member g0/0/1 to g0/0/3
port link-type trunk
port trunk allow-pass vlan all
quit
ip pool 10
network 10.100.101.0 mask 24
gateway-list 10.100.101.1
dns-list 61.134.1.5 114.114.114.114
quit
ip pool 20
network 10.100.102.0 mask 24
gateway-list 10.100.102.1
dns-list 61.134.1.5 114.114.114.114
quit
ip pool 30
network 10.100.103.0 mask 24
gateway-list 10.100.103.1
dns-list 61.134.1.5 114.114.114.114
quit
interface vlanif 10
ip address 10.100.101.1 24
dhcp select global
interface vlanif 20
ip address 10.100.102.1 24
dhcp select global
interface vlanif 30
ip address 10.100.103.1 24
dhcp select global
quit
interface loopback 1
ip address 10.100.99.205 32
quit
ospf 1 router-id 10.100.99.205
area 0
network 10.100.99.99 0.0.0.0
network 10.100.101.1 0.0.0.0
network 10.100.102.1 0.0.0.0
network 10.100.103.1 0.0.0.0
network 10.100.99.205 0.0.0.0
quit
quit
Configure a static default route whose next hop is the firewalls' VRRP virtual address:
ip route-static 0.0.0.0 0 10.100.99.100
The aggregation and access switch configurations are simpler (configure interface types, configure VLANs, enable DHCP, enable MSTP). Only one example of each is shown here.
Aggregation switch
system-view
sysname XIAN_CONVERGENCE_SW_01
stp enable
dhcp enable
vlan batch 10
port-group 1
group-member g0/0/1 g0/0/2 g0/0/24
port link-type trunk
port trunk allow-pass vlan all
quit
Access switch
system-view
sysname XIAN_ACCESS_SW_01
stp enable
dhcp enable
vlan batch 10
interface g0/0/2
port link-type trunk
port trunk allow-pass vlan all
interface e0/0/1
port link-type access
port default vlan 10
Test after the internal network configuration is complete: enable DHCP on the PC, then run ipconfig to check whether it has obtained an IP address.
2. Configure the firewalls:
Configure the Trust, Untrust and DMZ zones (the DMZ zone holds the heartbeat link between the two firewalls), configure interface IP addresses and the management protocols permitted on them, configure security policies, configure VRRP, configure HRP.
(Security policies are synchronised automatically to the standby firewall, so they only need to be configured on the master firewall.)
Configure the master firewall:
system-view
sysname XIAN_FW_01
firewall zone trust
add interface g1/0/1
add interface g1/0/3
quit
firewall zone untrust
add interface g1/0/4
add interface g1/0/5
quit
firewall zone dmz
add interface g1/0/6
quit
Configure VRRP
interface g1/0/1
ip address 10.100.99.97 29
vrrp vrid 1 virtual-ip 10.100.99.100 active
service-manage all permit
interface g1/0/3
ip address 192.168.137.101 24
service-manage all permit
interface g1/0/6
ip address 10.10.10.1 30
service-manage all permit
quit
Configure HRP
hrp enable
hrp interface g1/0/6 remote 10.10.10.2
interface g1/0/4
ip address 10.100.99.109 30
interface g1/0/5
ip address 10.100.99.101 30
interface loopback 1
ip address 10.100.99.203 32
quit
// Configure security policies
security-policy
rule name TO_UNTRUST
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone untrust
action permit
quit
rule name TO_TRUST
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone trust
action permit
quit
rule name TO_DMZ
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone dmz
action permit
quit
rule name TO_LOCAL
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone local
action permit
quit
quit
ospf 1 router-id 10.100.99.203
area 0
network 10.100.99.97 0.0.0.0
network 10.100.99.109 0.0.0.0
network 10.100.99.101 0.0.0.0
network 10.100.99.203 0.0.0.0
quit
quit
ip route-static 0.0.0.0 0 10.100.99.102
ip route-static 0.0.0.0 0 10.100.99.110
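The four security-policy rules above permit traffic between every pair of zones, the firewall's own local zone included, with no address or service condition. As an added example (not from the original post), the following Python script parses a security-policy block written in the same CLI form and flags permit rules that match on zones alone; the embedded sample is constructed from the page's TO_UNTRUST rule plus a hypothetical ADMIN_SSH rule restricted to one service, for contrast.

```python
ZONES = {"trust", "untrust", "dmz", "local"}
RESTRICTIONS = ("source-address", "destination-address", "service", "application", "user")  # keywords that narrow a rule beyond zones

# Constructed sample: the page's TO_UNTRUST rule plus a hypothetical
# ADMIN_SSH rule that is limited to one service.
SAMPLE_POLICY = """\
security-policy
 rule name TO_UNTRUST
  source-zone dmz
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone untrust
  action permit
 rule name ADMIN_SSH
  source-zone trust
  destination-zone local
  service ssh
  action permit
"""

def parse_rules(text):
    """Map rule name -> {source, destination, restricted, action}."""
    rules, cur = {}, None
    for line in text.splitlines():
        t = line.split()
        if len(t) == 3 and t[:2] == ["rule", "name"]:
            cur = rules.setdefault(t[2], {"source": set(), "destination": set(), "restricted": False, "action": None})
        elif cur is None or len(t) < 2:
            continue  # header line or text outside any rule
        elif t[0] in ("source-zone", "destination-zone"):
            cur[t[0].split("-")[0]].add(t[1])
        elif t[0] in RESTRICTIONS:
            cur["restricted"] = True
        elif t[0] == "action":
            cur["action"] = t[1]
    return rules

def find_overbroad(rules):
    """Return (name, reason) for zone-only permit rules that admit every zone or untrust into trust/local."""
    out = []
    for name, r in rules.items():
        if r["action"] != "permit" or r["restricted"]:
            continue
        if r["source"] >= ZONES:
            out.append((name, "permits traffic from every zone"))
        elif "untrust" in r["source"] and r["destination"] & {"trust", "local"}:
            out.append((name, "permits untrust into trust or local"))
    return out
```

Running it over a `display current-configuration` capture of the master firewall would flag all four rules above; only a rule carrying an address, service, application or user condition passes.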
Configure the standby firewall:
system-view
sysname XIAN_FW_02
firewall zone trust
add interface g1/0/1
add interface g1/0/3
quit
firewall zone untrust
add interface g1/0/4
add interface g1/0/5
quit
firewall zone dmz
add interface g1/0/6
quit
Configure VRRP
interface g1/0/1
ip address 10.100.99.98 29
vrrp vrid 1 virtual-ip 10.100.99.100 standby
service-manage all permit
interface g1/0/3
ip address 192.168.0.59 22
service-manage all permit
interface g1/0/6
ip address 10.10.10.2 30
service-manage all permit
quit
Configure HRP
hrp enable
hrp interface g1/0/6 remote 10.10.10.1
interface g1/0/4
ip address 10.100.99.113 30
interface g1/0/5
ip address 10.100.99.105 30
interface loopback 1
ip address 10.100.99.204 32
quit
ospf 1 router-id 10.100.99.204
area 0
network 10.100.99.98 0.0.0.0
network 10.100.99.113 0.0.0.0
network 10.100.99.105 0.0.0.0
network 10.100.99.204 0.0.0.0
quit
quit
ip route-static 0.0.0.0 0 10.100.99.106
ip route-static 0.0.0.0 0 10.100.99.114
Tests after the firewall configuration is complete
Check the VRRP state:
display vrrp brief
One firewall should be Master and the other Standby.
Check the HRP state:
display hrp brief
Verify that the active/standby relationship is working:
On the standby device, run display current-configuration
The security-policy section should now match the configuration on the master device.
Active/standby link failover test:
① From PC1, run a continuous ping to router 1's loopback address (10.100.99.201); it should succeed
ping 10.100.99.201 -t
② Shut down the link between the master firewall and the core switch
③ Check whether the standby firewall takes over as the master firewall
④ Check PC1's continuous ping: it should not drop (a brief period of packet loss sometimes occurs)