防火墙双机热备旁挂

防火墙双机热备旁挂

拓扑图:

地址表

配置

• SW1

  Vlan100-Vlan200：连接防火墙

  Vlan10：连接PC

  Vlan20：连接路由器

[SW1]display ip interface brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 2Interface                         IP Address/Mask      Physical   Protocol  
MEth0/0/1                         unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Vlanif1                           unassigned           down       down      
Vlanif10                          192.168.10.254/24    up         up        
Vlanif20                          192.168.20.254/24    up         up        
Vlanif100                         192.168.100.254/24   up         up        
Vlanif200                         192.168.200.254/24   up         up  # 接口划分
interface GigabitEthernet0/0/1port link-type accessport default vlan 20
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 10
#
interface GigabitEthernet0/0/3port link-type accessport default vlan 200
#
interface GigabitEthernet0/0/4port link-type accessport default vlan 100
#
interface GigabitEthernet0/0/5port link-type access                    port default vlan 200
#
interface GigabitEthernet0/0/6port link-type accessport default vlan 100# 静态路由
[SW1]display current-configuration | include static
# 去往互联网的流量，下一跳FW1-FW2上行的VRRP虚拟地址
ip route-static vpn-instance a 0.0.0.0 0.0.0.0 192.168.100.251
# 从防火墙回到SW1的流量，下一跳AR1的地址
ip route-static vpn-instance b 0.0.0.0 0.0.0.0 192.168.20.1
# 从互联网返回的流量，下一跳去往FW1-FW2的下行接口的vrrp虚拟地址
ip route-static vpn-instance b 192.168.10.0 255.255.255.0 192.168.200.251

• FW1

[FW1]display ip interface brief 
2024-05-02 12:29:20.020 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 5
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 5Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.0.1/24       down       down      
GigabitEthernet1/0/0              192.168.200.253/24   up         up        
GigabitEthernet1/0/1              192.168.100.253/24   up         up        
GigabitEthernet1/0/2              1.1.1.1/30           up         up        
GigabitEthernet1/0/3              unassigned           down       down      
GigabitEthernet1/0/4              unassigned           down       down      
GigabitEthernet1/0/5              unassigned           down       down      
GigabitEthernet1/0/6              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Virtual-if0                       unassigned           up         up(s) [FW1]display zone trust 
2024-05-02 12:29:45.110 
trustpriority is 85interface of the zone is (2):GigabitEthernet0/0/0GigabitEthernet1/0/1[FW1]display zone untrust    
2024-05-02 12:30:29.740 
untrustpriority is 5interface of the zone is (1):GigabitEthernet1/0/0[FW1]display zone dmz    
2024-05-02 12:30:42.360 
dmzpriority is 50interface of the zone is (1):GigabitEthernet1/0/2# 安全策略，默认全部放通
# 配置往返路由
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
ip route-static 192.168.10.0 255.255.255.0 192.168.100.254# 配置双机热备hrp enablehrp interface GigabitEthernet1/0/2 remote 1.1.1.2[FW1]display vrrp brief 
2024-05-02 12:34:20.250 
Total:2     Master:2     Backup:0     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE1/0/1                  Vgmp     192.168.100.251
2     Master       GE1/0/0                  Vgmp     192.168.200.251

• FW2

[FW2]display ip interface brief 
2024-05-02 12:31:57.100 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 5
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 5Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.0.1/24       down       down      
GigabitEthernet1/0/0              192.168.200.252/24   up         up        
GigabitEthernet1/0/1              192.168.100.252/24   up         up        
GigabitEthernet1/0/2              1.1.1.2/30           up         up        
GigabitEthernet1/0/3              unassigned           down       down      
GigabitEthernet1/0/4              unassigned           down       down      
GigabitEthernet1/0/5              unassigned           down       down      
GigabitEthernet1/0/6              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Virtual-if0                       unassigned           up         up(s) [FW2]display zone trust 
2024-05-02 12:32:08.320 
trustpriority is 85interface of the zone is (2):GigabitEthernet0/0/0GigabitEthernet1/0/1[FW2]display zone untrust 
2024-05-02 12:32:21.710 
untrustpriority is 5interface of the zone is (1):GigabitEthernet1/0/0[FW2]display zone dmz     
2024-05-02 12:32:32.230 
dmzpriority is 50interface of the zone is (1):GigabitEthernet1/0/2# 安全策略，默认全部放通
# 配置往返路由
ip route-static 0.0.0.0 0.0.0.0 192.168.200.254
ip route-static 192.168.10.0 255.255.255.0 192.168.100.254# 配置双机热备hrp enablehrp standby-devicehrp interface GigabitEthernet1/0/2 remote 1.1.1.1# 配置vrrp
[FW2]display vrrp brief 
2024-05-02 12:34:39.040 
Total:2     Master:0     Backup:2     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Backup       GE1/0/1                  Vgmp     192.168.100.251
2     Backup       GE1/0/0                  Vgmp     192.168.200.251

• AR1

[AR1]display ip interface brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 2Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.20.1/24      up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
NULL0                             unassigned           up         up(s)# 配置回程路由
ip route-static 192.168.10.0 255.255.255.0 192.168.20.254

验证

• PC

这里为了模拟设备的上行接口down后的双机热备能否实现切换,我们这里将sw1的g0/0/4down掉,查看流量反应

• PC

• FW1

HRP_S[FW1]display hrp state verbose 
2024-05-02 12:37:41.190 Role: standby, peer: active (should be "active-standby")Running priority: 44998, peer: 45000Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 1 minutesLast state change information: 2024-05-02 12:36:00 HRP core state changed, old_state = normal, new_state = abnormal(standby), local_priority = 44998, peer_priority = 45000.Configuration:hello interval:              1000mspreempt:                     60smirror configuration:        offmirror session:              offtrack trunk member:          onauto-sync configuration:     onauto-sync connection-status: onadjust ospf-cost:            onadjust ospfv3-cost:          onadjust bgp-cost:             onnat resource:                offDetail information:GigabitEthernet1/0/1 vrrp vrid 1: InitializeGigabitEthernet1/0/0 vrrp vrid 2: standby (should be "active")ospf-cost: +65500 (should be "+0")ospfv3-cost: +65500 (should be "+0")bgp-cost: +100 (should be "+0")HRP_S[FW1]display vrrp brief 
2024-05-02 12:37:51.510 
Total:2     Master:0     Backup:1     Non-active:1      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Initialize   GE1/0/1                  Vgmp     192.168.100.251
2     Backup       GE1/0/0                  Vgmp     192.168.200.251

• FW2

HRP_M[FW2]display hrp state verbose 
2024-05-02 12:38:15.020 Role: active, peer: standby (should be "standby-active")Running priority: 45000, peer: 44998Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 2 minutesLast state change information: 2024-05-02 12:36:02 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.Configuration:hello interval:              1000mspreempt:                     60smirror configuration:        offmirror session:              offtrack trunk member:          onauto-sync configuration:     onauto-sync connection-status: onadjust ospf-cost:            onadjust ospfv3-cost:          onadjust bgp-cost:             onnat resource:                offDetail information:GigabitEthernet1/0/1 vrrp vrid 1: active (should be "standby")GigabitEthernet1/0/0 vrrp vrid 2: active (should be "standby")ospf-cost: +0 (should be "+65500")ospfv3-cost: +0 (should be "+65500")bgp-cost: +0 (should be "+100")HRP_M[FW2]display vrrp brief 
2024-05-02 12:38:22.380 
Total:2     Master:2     Backup:0     Non-active:0      
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
1     Master       GE1/0/1                  Vgmp     192.168.100.251
2     Master       GE1/0/0                  Vgmp     192.168.200.251# 查看firewall session表
HRP_M[FW2]display firewall session table 
2024-05-02 12:38:41.040 Current Total Sessions : 5udp  VPN: public --> public  1.1.1.1:16384 --> 1.1.1.2:18514udp  VPN: public --> public  1.1.1.1:49152 --> 1.1.1.2:18514icmp  VPN: public --> public  192.168.10.253:20873 --> 192.168.20.1:2048udp  VPN: public --> public  1.1.1.2:49152 --> 1.1.1.1:18514icmp  VPN: public --> public  192.168.10.253:21129 --> 192.168.20.1:2048