设为首页收藏本站
开启辅助访问

华为 USG6000防火墙配置镜像模式双机热备

您所在的位置:网站首页 华为 镜像模式 华为 USG6000防火墙配置镜像模式双机热备

华为 USG6000防火墙配置镜像模式双机热备

2023-05-27 16:19| 来源: 网络整理| 查看: 265

网络拓扑

要求:

企业前期是一台防火墙,为了提高网络可靠性,并且在不影响原先防火墙配置情况下,新增一台防火墙做双机热备。两台FW的业务接口都工作在三层,下行为三层核心交换机。上行为二层交换机连接运营商的接入点,运营商为企业分配的IP地址为100.1.1.1-100.1.1.6

配置思路:

两台防火墙型号必须要求一样,配置镜像模式前需要先完成双机热备的网络连接和基本配置,但是不需要配置业务接口和路由等。

在两台FW上分别完成双机热备基本配置,包括VGMP组监控业务接口(hrp track interface)、心跳口配置和启用双机热备功能。 在两台FW上启用镜像模式,并进行手工批量备份。 在其中一台FW完成网络配置,保证内网用户能够访问Internet。 镜像模式形成后,所有配置(包括接口和路由等配置)都只需在一台FW上配置即可,配置会自动备份到另外一台FW。 一、双机热备前配置

1、PC和server配置

2、接入层交换机SW5配置

1234567891011121314151617181920212223system-view [Huawei]sysname SW5 [SW5]vlan batch 10 20 [SW5]interface  GigabitEthernet  0/0/4 [SW5-GigabitEthernet0/0/4]port link-type access [SW5-GigabitEthernet0/0/4]port default vlan 10 [SW5-GigabitEthernet0/0/4]quit [SW5]interface  GigabitEthernet  0/0/5 [SW5-GigabitEthernet0/0/5]port link-type access [SW5-GigabitEthernet0/0/5]port default  vlan  20 [SW5-GigabitEthernet0/0/5]quit [SW5]interface  GigabitEthernet  0/0/2 [SW5-GigabitEthernet0/0/2]port link-type trunk  [SW5-GigabitEthernet0/0/2]port trunk  allow-pass  vlan  all [SW5-GigabitEthernet0/0/2]quit [SW5]interface  GigabitEthernet  0/0/3 [SW5-GigabitEthernet0/0/3]port link-type trunk [SW5-GigabitEthernet0/0/3]port trunk  allow-pass vlan  all [SW5-GigabitEthernet0/0/3]quit

3、核心交换机配置

SW3

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647system-view [Huawei]sysname SW3 [SW3]vlan batch 10 20 30 [SW3]interface  Vlanif 10 [SW3-Vlanif10]ip address 192.168.10.252 24 [SW3-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 [SW3-Vlanif10]vrrp vrid 10 priority 101 [SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif10]vrrp vrid 10 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif10]quit [SW3]interface  Vlanif  20 [SW3-Vlanif20]ip address  192.168.20.252 24 [SW3-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254    [SW3-Vlanif20]vrrp vrid 20 priority 101 [SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif20]vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif20]quit [SW3]interface  Vlanif  30 [SW3-Vlanif30]ip address  192.168.30.252 24 [SW3-Vlanif30]vrrp vrid  30 virtual-ip 192.168.30.254   [SW3-Vlanif30]vrrp vrid 30 priority 101 [SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/1 reduced 10 [SW3-Vlanif30]vrrp vrid 30 track interface GigabitEthernet 0/0/2 reduced 10 [SW3-Vlanif30]quit [SW3]interface  Eth-Trunk 1 [SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/7 [SW3-Eth-Trunk1]trunkport GigabitEthernet 0/0/8 [SW3-Eth-Trunk1]port link-type trunk    [SW3-Eth-Trunk1]port trunk allow-pass vlan all [SW3-Eth-Trunk1]quit [SW3]interface  GigabitEthernet  0/0/2 [SW3-GigabitEthernet0/0/2]port link-type trunk [SW3-GigabitEthernet0/0/2]port trunk  allow-pass  vlan  all [SW3-GigabitEthernet0/0/2]quit [SW3]interface  GigabitEthernet  0/0/1 [SW3-GigabitEthernet0/0/1]port link-type access [SW3-GigabitEthernet0/0/1]port default vlan 30 [SW3-GigabitEthernet0/0/1]quit [SW3]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

SW4

12345678910111213141516171819202122232425262728293031323334353637system-view [Huawei]sysname SW4 [SW4]vlan batch 10 20 30 [SW4]interface  Vlanif 10 [SW4-Vlanif10]ip address 192.168.10.253 24 [SW4-Vlanif10]vrrp vrid 10 virtual-ip 192.168.10.254 [SW4-Vlanif10]quit [SW4]interface  Vlanif  20 [SW4-Vlanif20]ip address  192.168.20.253 24 [SW4-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.254 [SW4-Vlanif20]quit [SW4]interface  Vlanif  30 [SW4-Vlanif30]ip address  192.168.30.253 24 [SW4-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.254 [SW4-Vlanif30]quit [SW4]interface  Eth-Trunk 1 [SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/7 [SW4-Eth-Trunk1]trunkport GigabitEthernet 0/0/8 [SW4-Eth-Trunk1]port link-type trunk    [SW4-Eth-Trunk1]port trunk allow-pass vlan all [SW4-Eth-Trunk1]quit [SW4]interface  GigabitEthernet  0/0/3 [SW4-GigabitEthernet0/0/3]port link-type trunk [SW4-GigabitEthernet0/0/3]port trunk  allow-pass  vlan  all [SW4-GigabitEthernet0/0/3]quit [SW4]interface  GigabitEthernet  0/0/1 [SW4-GigabitEthernet0/0/1]port link-type access [SW4-GigabitEthernet0/0/1]port default vlan 30 [SW4-GigabitEthernet0/0/1]quit [SW4]ip route-static 0.0.0.0 0.0.0.0 192.168.30.12

4、防火墙FW1配置

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748system-view  [USG6000V1]sysname FW1 [FW1]interface GigabitEthernet  1/0/1 [FW1-GigabitEthernet1/0/1]ip address  192.168.30.12 24 [FW1-GigabitEthernet1/0/1]service-manage ping permit [FW1-GigabitEthernet1/0/1]quit [FW1]interface GigabitEthernet  1/0/0 [FW1-GigabitEthernet1/0/0]ip address  100.1.1.1 29 [FW1-GigabitEthernet1/0/0]service-manage ping permit [FW1-GigabitEthernet1/0/0]quit 安全区域 [FW1]firewall zone  trust [FW1-zone-trust]add  interface  GigabitEthernet  1/0/1 [FW1-zone-trust]quit [FW1]firewall zone  untrust [FW1-zone-untrust]add  interface  GigabitEthernet  1/0/0    [FW1-zone-untrust]quit NAT地址池 [FW1]nat address-group nat_group    [FW1-address-group-nat_group]section 0 100.1.1.3    [FW1-address-group-nat_group]quit NAT转发 [FW1]nat-policy [FW1-policy-nat]rule name nat_policy1   [FW1-policy-nat-rule-nat_policy1]source-zone  trust [FW1-policy-nat-rule-nat_policy1]destination-zone  untrust [FW1-policy-nat-rule-nat_policy1]source-address 192.168.10.0 24 [FW1-policy-nat-rule-nat_policy1]action source-nat  address-group nat_group [FW1-policy-nat-rule-nat_policy1]return 域间安全策略 [FW1]security-policy [FW1-policy-security]rule name trust_untrust1   [FW1-policy-security-rule-trust_untrust1]source-zone trust [FW1-policy-security-rule-trust_untrust1]destination-zone untrust [FW1-policy-security-rule-trust_untrust1]source-address 192.168.10.0 24 [FW1-policy-security-rule-trust_untrust1]action permit [FW1-policy-security-rule-trust_untrust1]quit [FW1-policy-security]quit [FW1]ip route-static 192.168.10.0 24 192.168.30.254 [FW1]ip route-static 192.168.20.0 24 192.168.30.254 [FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.6

5、上行交换机SW6

123456789101112131415161718192021system-view [Huawei]sysname SW6 [SW6]vlan  100  [SW6-vlan100]quit [SW6]interface  GigabitEthernet  0/0/1  [SW6-GigabitEthernet0/0/1]port link-type access [SW6-GigabitEthernet0/0/1]port default  vlan  100     [SW6-GigabitEthernet0/0/1]quit [SW6]interface GigabitEthernet 0/0/2    [SW6-GigabitEthernet0/0/2]port link-type access [SW6-GigabitEthernet0/0/2]port default  vlan  100   [SW6-GigabitEthernet0/0/2]quit     [SW6]interface  GigabitEthernet  0/0/3 [SW6-GigabitEthernet0/0/3]port link-type access [SW6-GigabitEthernet0/0/3]port default  vlan  100 [SW6-GigabitEthernet0/0/3]quit

6、运营商ISP

12345678910111213141516system-view [Huawei]sysname ISP     [ISP]interface  GigabitEthernet  0/0/1 [ISP-GigabitEthernet0/0/1]ip address  100.1.1.6 29  [ISP-GigabitEthernet0/0/1]quit [ISP]interface  LoopBack 0 [ISP-LoopBack0]ip address  1.1.1.1 32 [ISP-LoopBack0]quit [ISP]interface  GigabitEthernet  0/0/0 [ISP-GigabitEthernet0/0/0]ip address  10.1.1.2 24 [ISP-GigabitEthernet0/0/0]quit [ISP]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

7、查看内网用户ping外网

二、双机热备配置

全程可以使pc长pingISP的1.1.1.1,发现不会丢包

1、FW1配置HRP,然后配置镜像模式

12345678910111213141516171819202122232425FW1配置心跳线接口,并加入对应安全区域 [FW1]interface GigabitEthernet  1/0/2 [FW1-GigabitEthernet1/0/2]ip address  172.16.1.1 30 [FW1-GigabitEthernet1/0/2]quit [FW1]firewall zone  dmz [FW1-zone-dmz]add  interface  GigabitEthernet  1/0/2 [FW1-zone-dmz]quit 域间安全策略 [FW1]security-policy    [FW1-policy-security]rule name ha_local_dmz [FW1-policy-security-rule-ha_local_dmz]source-zone  local dmz   [FW1-policy-security-rule-ha_local_dmz]destination-zone  local dmz  [FW1-policy-security-rule-ha_local_dmz]action permit [FW1-policy-security-rule-ha_local_dmz]quit [FW1-policy-security]quit 在FW1配置VGMP组监控上下行业务接口,默认为主设备 [FW1]hrp  track interface  GigabitEthernet  1/0/0 [FW1]hrp  track interface  GigabitEthernet  1/0/1 指定心跳口和对端IP地址,并启用双机热备功能 [FW1]hrp interface  GigabitEthernet  1/0/2 remote 172.16.1.2    [FW1]hrp  enable

2、FW2配置HRP

12345678910111213141516171819202122232425262728FW2配置心跳线接口,并加入对应安全区域 system-view [USG6000V1]sysname FW2 [FW2]interface GigabitEthernet  1/0/2 [FW2-GigabitEthernet1/0/2]ip address  172.16.1.2 30 [FW2-GigabitEthernet1/0/2]quit [FW2]firewall zone  dmz [FW2-zone-dmz]add interface GigabitEthernet  1/0/2 [FW2-zone-dmz]quit 域间安全策略 [FW2]security-policy    [FW2-policy-security]rule name ha_local_dmz [FW2-policy-security-rule-ha_local_dmz]source-zone  local dmz   [FW2-policy-security-rule-ha_local_dmz]destination-zone local dmz   [FW2-policy-security-rule-ha_local_dmz]action permit [FW2-policy-security-rule-ha_local_dmz]quit 在FW2配置VGMP组监控上下行业务接口,并配置本设备为备用设备 [FW2]hrp  track  interface  GigabitEthernet 1/0/0 [FW2]hrp  track  interface  GigabitEthernet 1/0/1 [FW2]hrp  standby-device 指定心跳口和对端IP地址,并启用双机热备功能 [FW2]hrp  interface  GigabitEthernet  1/0/2 remote 172.16.1.1 [FW2]hrp  enable

3、查看同步状态

4、在FW1上配置镜像模式(重点)。双机关系建立之后,该配置会自动备份到FW2

1HRP_M[FW1]hrp  mirror  config enable

5、在FW1先手动同步一下配置文件

6、在FW2查看到FW1开启热备之前的配置已经被同步过来

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235HRP_S[FW2]display  current-configuration   2020-05-28 02:27:57.980 !Software Version V500R005C10SPC300 # sysname FW2 #  l2tp domain suffix-separator @ #  ipsec sha2 compatible enable # undo telnet server enable undo telnet ipv6 server enable #  hrp enable  hrp mirror config enable  hrp interface GigabitEthernet1/0/2 remote 172.16.1.1  hrp track interface GigabitEthernet1/0/0  hrp track interface GigabitEthernet1/0/1 #  update schedule location-sdb weekly Sun 03:14 #  firewall defend action discard #  banner enable #  user-manage web-authentication security port 8887  undo privacy-statement english  undo privacy-statement chinese page-setting  user-manage security version tlsv1.1 tlsv1.2 password-policy  level high user-manage single-sign-on ad user-manage single-sign-on tsm user-manage single-sign-on radius user-manage auto-sync online-user #  web-manager security version tlsv1.1 tlsv1.2  web-manager enable  web-manager security enable # firewall dataplane to manageplane application-apperceive default-action drop #  undo ips log merge enable #  decoding uri-cache disable #  update schedule ips-sdb daily 06:38  update schedule av-sdb daily 06:38  update schedule sa-sdb daily 06:38  update schedule cnc daily 06:38  update schedule file-reputation daily 06:38 # ip vpn-instance default  ipv4-family #  time-range worktime   period-range 08:00:00 to 18:00:00 working-day # ike proposal default  encryption-algorithm aes-256 aes-192 aes-128  dh group14  authentication-algorithm sha2-512 sha2-384 sha2-256  authentication-method pre-share  integrity-algorithm hmac-sha2-256  prf hmac-sha2-256 # aaa  authentication-scheme default  authentication-scheme admin_local  authentication-scheme admin_radius_local  authentication-scheme admin_hwtacacs_local  authentication-scheme admin_ad_local  authentication-scheme admin_ldap_local  authentication-scheme admin_radius  authentication-scheme admin_hwtacacs  authentication-scheme admin_ad  authorization-scheme default  accounting-scheme default  domain default   service-type internetaccess ssl-vpn l2tp ike   internet-access mode password   reference user current-domain  manager-user audit-admin   password cipher @%@%PufuDg5YR*D@[x~Nqi|~n=5DHjpMOk,OqAV)gT$TQJP5=5Gn@%@%   service-type web terminal   level 15  manager-user api-admin   password cipher @%@%`f5K#iULL!(vQ6M@lpCB'H,@{QzA=M{5O*as_2+Uk}J7H,C'@%@%   level 15  manager-user admin   password cipher @%@%ZFDu3)yV"LfTPj'O3+7437VT3h:D@nUDCO]h[qWQRb1Q7VW3@%@%   service-type web terminal   level 15  role system-admin  role device-admin  role device-admin(monitor)  role audit-admin  bind manager-user audit-admin role audit-admin  bind manager-user admin role system-admin # l2tp-group default-lns # interface GigabitEthernet0/0/0  undo shutdown  ip binding vpn-instance default  ip address 192.168.0.1 255.255.255.0  alias GE0/METH # interface GigabitEthernet1/0/0  undo shutdown  ip address 100.1.1.1 255.255.255.248  service-manage ping permit # interface GigabitEthernet1/0/1  undo shutdown  ip address 192.168.30.12 255.255.255.0  service-manage ping permit # interface GigabitEthernet1/0/2  undo shutdown  ip address 172.16.1.2 255.255.255.252 # interface GigabitEthernet1/0/3  undo shutdown # interface GigabitEthernet1/0/4  undo shutdown # interface GigabitEthernet1/0/5  undo shutdown # interface GigabitEthernet1/0/6  undo shutdown # interface Virtual-if0 # interface NULL0 # firewall zone local  set priority 100 # firewall zone trust  set priority 85  add interface GigabitEthernet0/0/0  add interface GigabitEthernet1/0/1 # firewall zone untrust  set priority 5  add interface GigabitEthernet1/0/0 # firewall zone dmz  set priority 50  add interface GigabitEthernet1/0/2 # ip route-static 0.0.0.0 0.0.0.0 100.1.1.6 ip route-static 192.168.10.0 255.255.255.0 192.168.30.254 ip route-static 192.168.20.0 255.255.255.0 192.168.30.254 # undo ssh server compatible-ssh1x enable ssh authentication-type default password ssh server cipher aes256_ctr aes128_ctr ssh server hmac sha2_256 sha1 ssh client cipher aes256_ctr aes128_ctr ssh client hmac sha2_256 sha1 # firewall detect ftp # user-interface con 0  authentication-mode aaa user-interface vty 0 4  authentication-mode aaa  protocol inbound ssh user-interface vty 16 20 # pki realm default # sa # location # nat address-group nat_group 0  mode pat  section 0 100.1.1.3 100.1.1.3 # multi-linkif  mode proportion-of-weight # right-manager server-group # device-classification  device-group pc  device-group mobile-terminal  device-group undefined-group # user-manage server-sync tsm # security-policy  rule name ha_local_dmz   source-zone dmz   source-zone local   destination-zone dmz   destination-zone local   action permit  rule name trust_untrust   source-zone trust   destination-zone untrust   source-address 192.168.0.0 mask 255.255.0.0   action permit # auth-policy # traffic-policy # policy-based-route # nat-policy  rule name nat_policy1   source-zone trust   destination-zone untrust   source-address 192.168.10.0 mask 255.255.255.0   action source-nat address-group nat_group # quota-policy # pcp-policy # dns-transparent-policy # rightm-policy # return 三、配置服务器映射

在开启双机热备的情况下,在active上操作的任何步骤都过自动同步到standby

1、在FW1为server1添加映射,让外网用户能访问

12HRP_M[FW1]nat server policy_web protocol tcp global 100.1.1.2 80 inside 192.168. 20.1 80 unr-route

在FW2查看已经被同步配置

2、配置域间安全测试,允许外网访问内网服务器

1234567HRP_M[FW1]security-policy HRP_M[FW1-policy-security]rule name untrust_trust HRP_M[FW1-policy-security-rule-untrust_trust]source-zone  untrust HRP_M[FW1-policy-security-rule-untrust_trust]destination-zone trust HRP_M[FW1-policy-security-rule-untrust_trust]destination-address 192.168.20.0 24 HRP_M[FW1-policy-security-rule-untrust_trust]action permit HRP_M[FW1-policy-security-rule-untrust_trust]return

3、client1访问服务器映射(访问域名,状态200表示成功)



【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3