华为 USG6000防火墙配置镜像模式双机热备 |
您所在的位置:网站首页 › 华为 镜像模式 › 华为 USG6000防火墙配置镜像模式双机热备 |
网络拓扑
要求:
企业前期是一台防火墙,为了提高网络可靠性,并且在不影响原先防火墙配置情况下,新增一台防火墙做双机热备。两台FW的业务接口都工作在三层,下行为三层核心交换机。上行为二层交换机连接运营商的接入点,运营商为企业分配的IP地址为100.1.1.1-100.1.1.6 配置思路:两台防火墙型号必须要求一样,配置镜像模式前需要先完成双机热备的网络连接和基本配置,但是不需要配置业务接口和路由等。 在两台FW上分别完成双机热备基本配置,包括VGMP组监控业务接口(hrp track interface)、心跳口配置和启用双机热备功能。 在两台FW上启用镜像模式,并进行手工批量备份。 在其中一台FW完成网络配置,保证内网用户能够访问Internet。 镜像模式形成后,所有配置(包括接口和路由等配置)都只需在一台FW上配置即可,配置会自动备份到另外一台FW。 一、双机热备前配置1、PC和server配置 2、接入层交换机SW5配置 1234567891011121314151617181920212223system-view [Huawei]sysname SW5 [SW5]vlan batch 10 20 [SW5]interface GigabitEthernet 0/0/4 [SW5-GigabitEthernet0/0/4]port link-type access [SW5-GigabitEthernet0/0/4]port default vlan 10 [SW5-GigabitEthernet0/0/4]quit [SW5]interface GigabitEthernet 0/0/5 [SW5-GigabitEthernet0/0/5]port link-type access [SW5-GigabitEthernet0/0/5]port default vlan 20 [SW5-GigabitEthernet0/0/5]quit [SW5]interface GigabitEthernet 0/0/2 [SW5-GigabitEthernet0/0/2]port link-type trunk [SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan all [SW5-GigabitEthernet0/0/2]quit [SW5]interface GigabitEthernet 0/0/3 [SW5-GigabitEthernet0/0/3]port link-type trunk [SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan all [SW5-GigabitEthernet0/0/3]quit3、核心交换机配置 SW3 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647system-view [Huawei]sysname SW3 [SW3]vlan batch 10 20 30 [SW3]interface Vlanif 10 [SW3-Vlanif10]ip address 192.168.10.252 24 [SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 [SW3-Vlanif10]vrrp vrid 10 priority 101 [SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif10]quit [SW3]interface Vlanif 20 [SW3-Vlanif20]ip address 192.168.20.252 24 [SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 [SW3-Vlanif20]vrrp vrid 20 priority 101 [SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif20]quit [SW3]interface Vlanif 30 [SW3-Vlanif30]ip address 192.168.30.252 24 [SW3-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 [SW3-Vlanif30]vrrp vrid 30 priority 101 [SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif30]quit [SW3]interface Eth-Trunk 1 [SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/7 [SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/8 [SW3-Eth-Trunk1]port link-type trunk [SW3-Eth-Trunk1]port trunk allow-pass vlan all [SW3-Eth-Trunk1]quit [SW3]interface GigabitEthernet 0/0/2 [SW3-GigabitEthernet0/0/2]port link-type trunk [SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan all [SW3-GigabitEthernet0/0/2]quit [SW3]interface GigabitEthernet 0/0/1 [SW3-GigabitEthernet0/0/1]port link-type access [SW3-GigabitEthernet0/0/1]port default vlan 30 [SW3-GigabitEthernet0/0/1]quit [SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12SW4 12345678910111213141516171819202122232425262728293031323334353637system-view [Huawei]sysname SW4 [SW4]vlan batch 10 20 30 [SW4]interface Vlanif 10 [SW4-Vlanif10]ip address 192.168.10.253 24 [SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 [SW4-Vlanif10]quit [SW4]interface Vlanif 20 [SW4-Vlanif20]ip address 192.168.20.253 24 [SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 [SW4-Vlanif20]quit [SW4]interface Vlanif 30 [SW4-Vlanif30]ip address 192.168.30.253 24 [SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 [SW4-Vlanif30]quit [SW4]interface Eth-Trunk 1 [SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/7 [SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/8 [SW4-Eth-Trunk1]port link-type trunk [SW4-Eth-Trunk1]port trunk allow-pass vlan all [SW4-Eth-Trunk1]quit [SW4]interface GigabitEthernet 0/0/3 [SW4-GigabitEthernet0/0/3]port link-type trunk [SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan all [SW4-GigabitEthernet0/0/3]quit [SW4]interface GigabitEthernet 0/0/1 [SW4-GigabitEthernet0/0/1]port link-type access [SW4-GigabitEthernet0/0/1]port default vlan 30 [SW4-GigabitEthernet0/0/1]quit [SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.30.124、防火墙FW1配置 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748system-view [USG6000V1]sysname FW1 [FW1]interface GigabitEthernet 1/0/1 [FW1-GigabitEthernet1/0/1]ip address 192.168.30.12 24 [FW1-GigabitEthernet1/0/1]service-manage ping permit [FW1-GigabitEthernet1/0/1]quit [FW1]interface GigabitEthernet 1/0/0 [FW1-GigabitEthernet1/0/0]ip address 100.1.1.1 29 [FW1-GigabitEthernet1/0/0]service-manage ping permit [FW1-GigabitEthernet1/0/0]quit 安全区域 [FW1]firewall zone trust [FW1-zone-trust]add interface GigabitEthernet 1/0/1 [FW1-zone-trust]quit [FW1]firewall zone untrust [FW1-zone-untrust]add interface GigabitEthernet 1/0/0 [FW1-zone-untrust]quit NAT地址池 [FW1]nat address-group nat_group [FW1-address-group-nat_group]section 0 100.1.1.3 [FW1-address-group-nat_group]quit NAT转发 [FW1]nat-policy [FW1-policy-nat]rule name nat_policy1 [FW1-policy-nat-rule-nat_policy1]source-zone trust [FW1-policy-nat-rule-nat_policy1]destination-zone untrust [FW1-policy-nat-rule-nat_policy1]source-address 192.168.10.0 24 [FW1-policy-nat-rule-nat_policy1]action source-nat address-group nat_group [FW1-policy-nat-rule-nat_policy1]return 域间安全策略 [FW1]security-policy [FW1-policy-security]rule name trust_untrust1 [FW1-policy-security-rule-trust_untrust1]source-zone trust [FW1-policy-security-rule-trust_untrust1]destination-zone untrust [FW1-policy-security-rule-trust_untrust1]source-address 192.168.10.0 24 [FW1-policy-security-rule-trust_untrust1]action permit [FW1-policy-security-rule-trust_untrust1]quit [FW1-policy-security]quit [FW1]ip route-static 192.168.10.0 24 192.168.30.254 [FW1]ip route-static 192.168.20.0 24 192.168.30.254 [FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.65、上行交换机SW6 123456789101112131415161718192021system-view [Huawei]sysname SW6 [SW6]vlan 100 [SW6-vlan100]quit [SW6]interface GigabitEthernet 0/0/1 [SW6-GigabitEthernet0/0/1]port link-type access [SW6-GigabitEthernet0/0/1]port default vlan 100 [SW6-GigabitEthernet0/0/1]quit [SW6]interface GigabitEthernet 0/0/2 [SW6-GigabitEthernet0/0/2]port link-type access [SW6-GigabitEthernet0/0/2]port default vlan 100 [SW6-GigabitEthernet0/0/2]quit [SW6]interface GigabitEthernet 0/0/3 [SW6-GigabitEthernet0/0/3]port link-type access [SW6-GigabitEthernet0/0/3]port default vlan 100 [SW6-GigabitEthernet0/0/3]quit6、运营商ISP 12345678910111213141516system-view [Huawei]sysname ISP [ISP]interface GigabitEthernet 0/0/1 [ISP-GigabitEthernet0/0/1]ip address 100.1.1.6 29 [ISP-GigabitEthernet0/0/1]quit [ISP]interface LoopBack 0 [ISP-LoopBack0]ip address 1.1.1.1 32 [ISP-LoopBack0]quit [ISP]interface GigabitEthernet 0/0/0 [ISP-GigabitEthernet0/0/0]ip address 10.1.1.2 24 [ISP-GigabitEthernet0/0/0]quit [ISP]ip route-static 0.0.0.0 0.0.0.0 100.1.1.17、查看内网用户ping外网 二、双机热备配置全程可以使pc长pingISP的1.1.1.1,发现不会丢包 1、FW1配置HRP,然后配置镜像模式 12345678910111213141516171819202122232425FW1配置心跳线接口,并加入对应安全区域 [FW1]interface GigabitEthernet 1/0/2 [FW1-GigabitEthernet1/0/2]ip address 172.16.1.1 30 [FW1-GigabitEthernet1/0/2]quit [FW1]firewall zone dmz [FW1-zone-dmz]add interface GigabitEthernet 1/0/2 [FW1-zone-dmz]quit 域间安全策略 [FW1]security-policy [FW1-policy-security]rule name ha_local_dmz [FW1-policy-security-rule-ha_local_dmz]source-zone local dmz [FW1-policy-security-rule-ha_local_dmz]destination-zone local dmz [FW1-policy-security-rule-ha_local_dmz]action permit [FW1-policy-security-rule-ha_local_dmz]quit [FW1-policy-security]quit 在FW1配置VGMP组监控上下行业务接口,默认为主设备 [FW1]hrp track interface GigabitEthernet 1/0/0 [FW1]hrp track interface GigabitEthernet 1/0/1 指定心跳口和对端IP地址,并启用双机热备功能 [FW1]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.2 [FW1]hrp enable2、FW2配置HRP 12345678910111213141516171819202122232425262728FW2配置心跳线接口,并加入对应安全区域 system-view [USG6000V1]sysname FW2 [FW2]interface GigabitEthernet 1/0/2 [FW2-GigabitEthernet1/0/2]ip address 172.16.1.2 30 [FW2-GigabitEthernet1/0/2]quit [FW2]firewall zone dmz [FW2-zone-dmz]add interface GigabitEthernet 1/0/2 [FW2-zone-dmz]quit 域间安全策略 [FW2]security-policy [FW2-policy-security]rule name ha_local_dmz [FW2-policy-security-rule-ha_local_dmz]source-zone local dmz [FW2-policy-security-rule-ha_local_dmz]destination-zone local dmz [FW2-policy-security-rule-ha_local_dmz]action permit [FW2-policy-security-rule-ha_local_dmz]quit 在FW2配置VGMP组监控上下行业务接口,并配置本设备为备用设备 [FW2]hrp track interface GigabitEthernet 1/0/0 [FW2]hrp track interface GigabitEthernet 1/0/1 [FW2]hrp standby-device 指定心跳口和对端IP地址,并启用双机热备功能 [FW2]hrp interface GigabitEthernet 1/0/2 remote 172.16.1.1 [FW2]hrp enable3、查看同步状态 4、在FW1上配置镜像模式(重点)。双机关系建立之后,该配置会自动备份到FW2 1HRP_M[FW1]hrp mirror config enable5、在FW1先手动同步一下配置文件 6、在FW2查看到FW1开启热备之前的配置已经被同步过来 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235HRP_S[FW2]display current-configuration 2020-05-28 02:27:57.980 !Software Version V500R005C10SPC300 # sysname FW2 # l2tp domain suffix-separator @ # ipsec sha2 compatible enable # undo telnet server enable undo telnet ipv6 server enable # hrp enable hrp mirror config enable hrp interface GigabitEthernet1/0/2 remote 172.16.1.1 hrp track interface GigabitEthernet1/0/0 hrp track interface GigabitEthernet1/0/1 # update schedule location-sdb weekly Sun 03:14 # firewall defend action discard # banner enable # user-manage web-authentication security port 8887 undo privacy-statement english undo privacy-statement chinese page-setting user-manage security version tlsv1.1 tlsv1.2 password-policy level high user-manage single-sign-on ad user-manage single-sign-on tsm user-manage single-sign-on radius user-manage auto-sync online-user # web-manager security version tlsv1.1 tlsv1.2 web-manager enable web-manager security enable # firewall dataplane to manageplane application-apperceive default-action drop # undo ips log merge enable # decoding uri-cache disable # update schedule ips-sdb daily 06:38 update schedule av-sdb daily 06:38 update schedule sa-sdb daily 06:38 update schedule cnc daily 06:38 update schedule file-reputation daily 06:38 # ip vpn-instance default ipv4-family # time-range worktime period-range 08:00:00 to 18:00:00 working-day # ike proposal default encryption-algorithm aes-256 aes-192 aes-128 dh group14 authentication-algorithm sha2-512 sha2-384 sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 # aaa authentication-scheme default authentication-scheme admin_local authentication-scheme admin_radius_local authentication-scheme admin_hwtacacs_local authentication-scheme admin_ad_local authentication-scheme admin_ldap_local authentication-scheme admin_radius authentication-scheme admin_hwtacacs authentication-scheme admin_ad authorization-scheme default accounting-scheme default domain default service-type internetaccess ssl-vpn l2tp ike internet-access mode password reference user current-domain manager-user audit-admin password cipher @%@%PufuDg5YR*D@[x~Nqi|~n=5DHjpMOk,OqAV)gT$TQJP5=5Gn@%@% service-type web terminal level 15 manager-user api-admin password cipher @%@%`f5K#iULL!(vQ6M@lpCB'H,@{QzA=M{5O*as_2+Uk}J7H,C'@%@% level 15 manager-user admin password cipher @%@%ZFDu3)yV"LfTPj'O3+7437VT3h:D@nUDCO]h[qWQRb1Q7VW3@%@% service-type web terminal level 15 role system-admin role device-admin role device-admin(monitor) role audit-admin bind manager-user audit-admin role audit-admin bind manager-user admin role system-admin # l2tp-group default-lns # interface GigabitEthernet0/0/0 undo shutdown ip binding vpn-instance default ip address 192.168.0.1 255.255.255.0 alias GE0/METH # interface GigabitEthernet1/0/0 undo shutdown ip address 100.1.1.1 255.255.255.248 service-manage ping permit # interface GigabitEthernet1/0/1 undo shutdown ip address 192.168.30.12 255.255.255.0 service-manage ping permit # interface GigabitEthernet1/0/2 undo shutdown ip address 172.16.1.2 255.255.255.252 # interface GigabitEthernet1/0/3 undo shutdown # interface GigabitEthernet1/0/4 undo shutdown # interface GigabitEthernet1/0/5 undo shutdown # interface GigabitEthernet1/0/6 undo shutdown # interface Virtual-if0 # interface NULL0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/0 add interface GigabitEthernet1/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/0 # firewall zone dmz set priority 50 add interface GigabitEthernet1/0/2 # ip route-static 0.0.0.0 0.0.0.0 100.1.1.6 ip route-static 192.168.10.0 255.255.255.0 192.168.30.254 ip route-static 192.168.20.0 255.255.255.0 192.168.30.254 # undo ssh server compatible-ssh1x enable ssh authentication-type default password ssh server cipher aes256_ctr aes128_ctr ssh server hmac sha2_256 sha1 ssh client cipher aes256_ctr aes128_ctr ssh client hmac sha2_256 sha1 # firewall detect ftp # user-interface con 0 authentication-mode aaa user-interface vty 0 4 authentication-mode aaa protocol inbound ssh user-interface vty 16 20 # pki realm default # sa # location # nat address-group nat_group 0 mode pat section 0 100.1.1.3 100.1.1.3 # multi-linkif mode proportion-of-weight # right-manager server-group # device-classification device-group pc device-group mobile-terminal device-group undefined-group # user-manage server-sync tsm # security-policy rule name ha_local_dmz source-zone dmz source-zone local destination-zone dmz destination-zone local action permit rule name trust_untrust source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action permit # auth-policy # traffic-policy # policy-based-route # nat-policy rule name nat_policy1 source-zone trust destination-zone untrust source-address 192.168.10.0 mask 255.255.255.0 action source-nat address-group nat_group # quota-policy # pcp-policy # dns-transparent-policy # rightm-policy # return 三、配置服务器映射在开启双机热备的情况下,在active上操作的任何步骤都过自动同步到standby 1、在FW1为server1添加映射,让外网用户能访问 12HRP_M[FW1]nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168. 20.1 80 unr-route在FW2查看已经被同步配置 2、配置域间安全测试,允许外网访问内网服务器 1234567HRP_M[FW1]security-policy HRP_M[FW1-policy-security]rule name untrust_trust HRP_M[FW1-policy-security-rule-untrust_trust]source-zone untrust HRP_M[FW1-policy-security-rule-untrust_trust]destination-zone trust HRP_M[FW1-policy-security-rule-untrust_trust]destination-address 192.168.20.0 24 HRP_M[FW1-policy-security-rule-untrust_trust]action permit HRP_M[FW1-policy-security-rule-untrust_trust]return3、client1访问服务器映射(访问域名,状态200表示成功) |
今日新闻 |
推荐新闻 |
CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |