#yyds干货盘点#HCIE-Security Day14:防火墙双机热备实验防火墙直路部署,上下行连接路由器

Posted 小梁L同学

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了#yyds干货盘点#HCIE-Security Day14:防火墙双机热备实验防火墙直路部署,上下行连接路由器相关的知识,希望对你有一定的参考价值。



 #yyds干货盘点#HCIE-Security#yyds干货盘点#HCIE-Security

#yyds干货盘点#HCIE-Security#yyds干货盘点#HCIE-Security

#yyds干货盘点#HCIE-Security#yyds干货盘点#HCIE-Security

vgmp与vrrp的配合只适用于防火墙连接二层设备的组网,如果上下行设备是路由器,就不能使用vrrp备份组,这时vgmp组直接监控接口状态来进行故障监控。具体是直接将接口加入vgmp组,当vgmp组中的接口故障时,vgmp组会直接感知到接口状态变化,从而降低自身优先级。

实验二:防火墙直路部署,上下行连接路由器

需求和拓扑

两台FW的业务接口都工作在三层,上下行分别连接路由器。FW与上下行路由器之间运行OSPF协议。现在希望两台FW以主备备份方式工作。正常情况下,流量通过FW_A转发。当FW_A出现故障时,流量通过FW_B转发,保证业务不中断。

#yyds干货盘点#HCIE-Security#yyds干货盘点#HCIE-Security

操作步骤

1、配置接口ip和安全区域

2、配置ospf路由

r1/r2/r3/r4/f1/f2开启ospf进程1,将相连网段加入区域0

3、配置双机热备功能

3.1 配置vgmp组监控上下行业务接口


//f1/f2

hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/1

#yyds干货盘点#HCIE-Security

3.2 配置根据vgmp状态调整ospf cost值功能,配置这个命令后,fw发布ospf路由时,会判断自身是主用设备还是备用设备,如果是主用设备,fw会把学习到的路由直接发布出去,如果是备用设备,fw会增加cost值后再将路由发布出去,这样上下行路由器在计算路由时,就能将下一跳指向主用设备,并把报文转发到主用设备上。 


//f1/f2


hrp adjust ospf-cost enable

#yyds干货盘点#HCIE-Security

3.3 指定心跳口并启用双机热备功能


f1/f2
hrp interface g1/0/6 remote 10.10.0.1/2
hrp enable

#yyds干货盘点#HCIE-Security

4、配置安全策略

4.1 允许fw与上下行路由器交互ospf报文


//f1配置,f2自动同步
security-policy
 rule name 1
  source-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
 rule name 2
  source-zone untrust
  destination-zone local
  service ospf
  action permit

#yyds干货盘点#HCIE-Security

4.2 允许内网用户访问外网


rule name 3
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 mask 255.255.255.0
  source-address 10.3.3.0 mask 255.255.255.0
  action permit

#yyds干货盘点#HCIE-Security

验证和分析

1、检查fw1和fw2的ospf邻居建立关系


//f1
dis ospf peer brief
2022-02-16 00:14:41.880 

   OSPF Process 1 with Router ID 11.11.11.11
      Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet1/0/0             3.3.3.3          Full        
 0.0.0.0          GigabitEthernet1/0/1             1.1.1.1          Full        
 ----------------------------------------------------------------------------
 Total Peer(s):     2
//f2
dis ospf peer brief 
2022-02-16 00:18:02.950 

   OSPF Process 1 with Router ID 22.22.22.22
      Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet1/0/0             4.4.4.4          Full        
 0.0.0.0          GigabitEthernet1/0/1             2.2.2.2          Full        
 ----------------------------------------------------------------------------
 Total Peer(s):     2

#yyds干货盘点#HCIE-Security

2、检查上下行路由器路由开销


[r3]dis ip routing-table protocol ospf 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       10.2.0.0/24  OSPF    10   2           D   10.3.0.1        GigabitEthernet0/0/1
       10.2.1.0/24  OSPF    10   4           D   10.3.0.1        GigabitEthernet0/0/1
       10.3.1.0/24  OSPF    10   2           D   34.1.1.4        GigabitEthernet0/0/0
       10.3.3.0/24  OSPF    10   2           D   34.1.1.4        GigabitEthernet0/0/0
       12.1.1.0/24  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       15.1.1.0/24  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       25.1.1.0/24  OSPF    10   4           D   10.3.0.1        GigabitEthernet0/0/1


<r4>dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       10.2.0.0/24  OSPF    10   3           D   34.1.1.3        GigabitEthernet0/0/0
       10.2.1.0/24  OSPF    10   5           D   34.1.1.3        GigabitEthernet0/0/0
       10.3.0.0/24  OSPF    10   2           D   34.1.1.3        GigabitEthernet0/0/0
       10.3.2.0/24  OSPF    10   2           D   34.1.1.3        GigabitEthernet0/0/0
       12.1.1.0/24  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       15.1.1.0/24  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       25.1.1.0/24  OSPF    10   5           D   34.1.1.3        GigabitEthernet0/0/0

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

#yyds干货盘点#HCIE-Security

可见经过r3访问r5开销小于r4,r4的开销比r3大1,这个1是因为从r4访问r5经过r3,为什么不经过fw2呢?因为经过fw2的开销太大了 。


dis ip routing-table protocol ospf | include 5.5.5.5
2022-02-16 00:38:09.180 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 9        Routes : 9        

OSPF routing table status : <Active>
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   65501       D   10.2.1.2        GigabitEthernet1/0/1

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

#yyds干货盘点#HCIE-Security

如果fw1故障,业务会被上下行路由器的路由信息引导到fw2上,fw2上有同步过fw1的会话表项,所以业务得以正常传输。

3、检查f1/f2的会话表项


HRP_M<f1>dis fire session table 
2022-02-16 00:49:33.150 
 Current Total Sessions : 4
 udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 telnet  VPN: public --> public  10.3.0.2:49804 --> 5.5.5.5:23

HRP_S<f2>dis fire sess table
2022-02-16 00:50:01.270 
 Current Total Sessions : 4
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:16384 --> 10.10.0.2:18514
 telnet  VPN: public --> public  Remote 10.3.0.2:49804 --> 5.5.5.5:23
HRP_S<f2>

#yyds干货盘点#HCIE-Security

可见表项是同步的。


以上是关于#yyds干货盘点#HCIE-Security Day14:防火墙双机热备实验防火墙直路部署,上下行连接路由器的主要内容,如果未能解决你的问题,请参考以下文章

#yyds干货盘点# HCIE-Security Day6:5个实验搞定源NAT

#yyds干货盘点# HCIE-Security Day11:初步学习防火墙双机热备和VGMP概念

#yyds干货盘点#HCIE-Security Day15:防火墙双机热备实验防火墙透明接入,上下行连接交换机

#yyds干货盘点#HCIE-Security Day14:防火墙双机热备实验防火墙直路部署,上下行连接路由器

#yyds干货盘点#HCIE-Security Day17:防火墙双机热备实验:防火墙旁挂交换机,交换机静态路由引流

#yyds干货盘点#Zabbi学习