华为防火墙VRRP直路部署，上下行连接交换机

Posted 2022-05-12 资本家的鱼

项目需求

企业的两台FW的业务接口都工作在三层，上下行分别连接二层交换机。上行交换机连接运营商的接入点，运营商为企业分配的IP地址为1.1.1.1。现在希望两台FW以主备备份方式工作。正常情况下，流量通过FW_A转发。当FW_A出现故障时，流量通过FW_B转发，保证业务不中断。

eNSP拓扑

配置步骤

• FW1基本配置

[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 10.2.0.1 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.3.0.1 24
[FW1-GigabitEthernet1/0/3]quit
[FW1]interface GigabitEthernet 1/0/6
[FW1-GigabitEthernet1/0/6]ip address 10.10.10.1 24
[FW1-GigabitEthernet1/0/6]quit
[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]quit
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]quit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/6
[FW1-zone-dmz]quit

• FW2基本配置

[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 10.2.0.2 24
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/3
[FW2-GigabitEthernet1/0/3]ip address 10.3.0.2 24
[FW2-GigabitEthernet1/0/3]quit
[FW2]interface GigabitEthernet 1/0/6
[FW2-GigabitEthernet1/0/6]ip address 10.10.10.2 24
[FW2-GigabitEthernet1/0/6]quit
[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/3
[FW2-zone-trust]quit
[FW2]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1
[FW2-zone-untrust]quit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/6
[FW2-zone-dmz]quit

• FW上配置缺省路由，下一跳为1.1.1.10，使内网用户的流量可以正常转发至Router

FW1:

[FW1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

FW2

[FW2]ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

• 配置VRRP备份组。

FW1

[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 1.1.1.1 24 active  
[FW1-GigabitEthernet1/0/1]quit 
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]vrrp vrid 2 virtual-ip 10.3.0.3 active 
[FW1-GigabitEthernet1/0/3]quit

FW2

[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 1.1.1.1 24 standby   
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/3
[FW2-GigabitEthernet1/0/3]vrrp vrid 2 virtual-ip 10.3.0.3 standby 
[FW2-GigabitEthernet1/0/3]quit

• 指定心跳口并启用双机热备功能。

FW1

[FW1]hrp enable
HRP_S[FW1]hrp interface GigabitEthernet 1/0/6 remote 10.10.10.2
HRP_M[FW1]quit
HRP_M<FW1>sy

FW2

[FW2]hrp enable
HRP_S[FW2]hrp interface GigabitEthernet 1/0/6 remote 10.10.10.1 
HRP_M[FW2]quit
HRP_M<FW2>sy

• 在FW1上配置安全策略。双机热备状态成功建立后，FW1的安全策略配置会自动备份到FW2上。

FW1

HRP_M[FW1]security-policy  
HRP_M[FW1-policy-security] rule name trust_to_untrust
HRP_M[FW1-policy-security-rule-trust_to_untrust]  source-zone trust  
HRP_M[FW1-policy-security-rule-trust_to_untrust]  destination-zone untrust
HRP_M[FW1-policy-security-rule-trust_to_untrust]  source-address 10.3.0.0 24
HRP_M[FW1-policy-security-rule-trust_to_untrust]  action permit

FW2

HRP_M[FW2]security-policy  
HRP_M[FW2-policy-security] rule name trust_to_untrust
HRP_M[FW2-policy-security-rule-trust_to_untrust]  source-zone trust  
HRP_M[FW2-policy-security-rule-trust_to_untrust]  destination-zone untrust
HRP_M[FW2-policy-security-rule-trust_to_untrust]  source-address 10.3.0.0 24
HRP_M[FW2-policy-security-rule-trust_to_untrust]  action permit

• 在FW_A上配置NAT策略。双机热备状态成功建立后，FW_A的NAT策略配置会自动备份到FW_B上。
  # 配置NAT策略，当内网用户访问Internet时，将源地址由10.3.0.0/16网段转换为地址池中的地址（1.1.1.2-1.1.1.5）。

FW1:

HRP_M[FW1]nat address-group group1 
HRP_M[FW1-address-group-group1]section 0 1.1.1.2 1.1.1.5
HRP_M[FW1-address-group-group1]security-policy  
HRP_M[FW1-policy-security] rule name trust_to_untrust
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-zone trust  
HRP_M[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-address 10.3.0.0 24
HRP_M[FW1-policy-security-rule-trust_to_untrust]action permit    
HRP_M[FW1-policy-security-rule-trust_to_untrust]nat-policy  
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW1-policy-nat-rule-policy_nat1]  source-address 10.3.0.0 16 
HRP_M[FW1-policy-nat-rule-policy_nat1]  action source-nat address-group group1

FW2

HRP_M[FW2]nat address-group group1 
HRP_M[FW2-address-group-group1]section 0 1.1.1.2 1.1.1.5  
HRP_M[FW2-address-group-group1]security-policy  
HRP_M[FW2-policy-security] rule name trust_to_untrust
HRP_M[FW2-policy-security-rule-trust_to_untrust]source-zone trust  
HRP_M[FW2-policy-security-rule-trust_to_untrust]destination-zone untrust
HRP_M[FW2-policy-security-rule-trust_to_untrust]source-address 10.3.0.0 24
HRP_M[FW2-policy-security-rule-trust_to_untrust]action permit     
HRP_M[FW2-policy-security-rule-trust_to_untrust]nat-policy  
HRP_M[FW2-policy-nat] rule name policy_nat1
HRP_M[FW2-policy-nat-rule-policy_nat1]source-zone trust
HRP_M[FW2-policy-nat-rule-policy_nat1]destination-zone untrust
HRP_M[FW2-policy-nat-rule-policy_nat1]source-address 10.3.0.0 16 
HRP_M[FW2-policy-nat-rule-policy_nat1]action source-nat address-group group1

• 配置Router。在Router上配置到FW的等价路由，路由下一跳指向VRRP备份组1的虚拟IP地址。

[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 1.1.1.10 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 0.0.0.0 16 1.1.1.1

结果验证

• 在FW1和FW2上执行display vrrp命令，检查VRRP组内接口的状态信息，显示以下信息表示VRRP组建立成功。

FW1:

FW2：

• 在FW1和FW2上执行display hrp state verbose命令，检查当前VGMP组的状态，显示以下信息表示双机热备建立成功。

FW1:

FW2:

• Router位于Untrust区域。在Trust区域的PC端能够ping通Untrust区域的Router。分别在FW1和FW2上检查会话。

FW1:

FW2: