防火墙双击热备技术
双击热备技术原理
产生原因:传统的组网方式,内部用户和外部用户的交互报文全部通过Firewall 。如果Firewall 出现故障,内部网络中所有以Firewall 作为默认网关的主机与外部网络之间的通讯将中断,通讯可靠性无法保证。
VRRP在防火墙应用中存在的缺陷:传统VRRP方式无法实现主、备用防火墙状态的一致性。
为了保证所有VRRP备份组切换的一致性,在VRRP的基础上进行了扩展,推出了VGMP(VRRP Group Management Protocol)来弥补此局限。
防火墙双击热备使用的技术:VGMP
VGMP基本原理
当防火墙上的VGMP为Active/Standby状态时,组内所有VRRP备份组的状态统一为Active/Standby状态。
状态为Active的VGMP也会定期向对端发送HELLO报文,通知Standby端本身的运行状态(包括优先级、VRRP成员状态等)。
解释:1. 定期VGMP HELLO报文发送周期缺省为1秒
2. 当Standby端三个HELLO报文周期没有收到对端发送的HELLO报文时,即3s
3.会认为对端出现故障,从而将自己切换到Active状态
HRP(Huawei Redundancy Protocol) 协议==心跳线
-
两台FW之间备份的数据是通过
心跳口发送和接收的,是通过心跳链路
(备份通道)传输的。- 心跳口必须是状态独立且具有IP地址的接口,可以是一个物理接口(GE接口),也可以是为了增加带宽,由多个物理接口捆绑而成的一个逻辑接口Eth-Trunk。
双机热备基本组网
VRRP配置过程:
1.地址配置(基础配置)
2.安全区域的划分
3.策略放行
4.VRRP组的创建
5.HRP的配置
– 启用HRP备份功能
– 启用允许配置备用设备的功能
– 启用命令与状态信息的自动备份
-启用会话快速备份
检查命令: display vrrp interface X/X/X
检查心跳线的状态:dis hrp state
防火墙直路部署,上下行连接交换机
1.完成网络基本配置。
配置FW各接口的IP地址。
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/6
[FW_A-GigabitEthernet1/0/6] ip address 10.10.0.1 24
<FW_B> system-view
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/6
[FW_B-GigabitEthernet1/0/6] ip address 10.10.0.2 24
将FW各接口加入相应的安全区域。
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/6
[FW_A-zone-dmz] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/6
[FW_B-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] quit
配置VRRP备份组
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet0/0/3] quit
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet0/0/3] quit
指定心跳口并启用双机热备功能。
[FW_A] hrp interface GigabitEthernet 1/0/6 remote 10.10.0.2
[FW_A] hrp enable
[FW_B] hrp interface GigabitEthernet 1/0/6 remote 10.10.0.1
[FW_B] hrp enable
配置安全策略,允许内网用户访问Internet。
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit
在FW_A上配置NAT策略
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] route enable
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1
pc1
PC2
验证网络是否连通
防火墙直路部署,上下行连接交换机的负载分担组网
完成基本配置
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] ip address 10.3.0.2 24
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/7
[FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/7] quit
将FW各接口加入相应的安全区域
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
配置VRRP备份组
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 active
[FW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 standby
[FW_A-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 standby
[FW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 active
[FW_B-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] vrrp vrid 3 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 10.3.0.4 standby
[FW_A-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/2
[FW_B-GigabitEthernet1/0/2] vrrp vrid 3 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 10.3.0.4 active
[FW_B-GigabitEthernet1/0/2] quit
配置会话快速备份功能,指定心跳口并启用双机热备功能
[FW_A] hrp mirror session enable
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable
[FW_B] hrp mirror session enable
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
配置安全策略
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit
配置NAT策略
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.2.5 1.1.2.8
HRP_M[FW_A-address-group-group1] route enable
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1
HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
HRP_M[FW_A-policy-nat] quit
注意:对于双机热备的负载分担组网,为了防止两台设备进行NAT转换时端口冲突,需要在FW_A和FW_B上分别配置可用的端口范围。在FW_A上进行如下配置:
HRP_M[FW_A] hrp nat resource primary-group
PC:
