双机热备
两台或多台设备实现业务不间断(高可用)和负载均衡
华为防火墙双机热备模式
热备模式:提供高可用,仅活跃设备转发数据,其他设备起备份作用
负载均衡模式:同时间,多台设备都转发数据,互作主备
VRRP
虚拟路由冗余协议,公有协议
协议号 112
组播地址:224.0.0.18
基本概念:
vrrp路由器:vrrp组的成员设备
虚拟路由器:虚拟出的虚拟网关
vrid:vrrp组号
虚拟ip地址:标识虚拟路由器ip地址
虚拟mac地址:提供客户端访问虚拟网关的方式
IP拥有者:vrrp组中,拥有虚拟ip地址的设备
优先级:vrrp用来竞选活跃设备,高者优先,0-255(0系统保留,255代表虚拟ip)
抢占模式:相当于思科hsrp的占先权,主动竞选,立刻进行
非抢占模式:保持当前环境,但到下一次选举时(重启或断电),才会竞选
VRRP和HSRP的区别
vrrp公有,hsrp思科私有
vrrp的虚拟ip可以是成员ip,hsrp不可以
vrrp虚拟mac:00-00-5e-00-01-vrid,hsrp虚拟mac:00-00-0c-07-ac-组号
vrrp状态有三个:初始、活跃、备份,hsrp状态有六个:初始、学习、监听、发言、备份、活跃
vrrp报文:只有一种,通告报文(主路由器发,选举或检测备份路由);hsrp有三种报文
vrrp不支持接口追踪,hsrp支持
vrrp角色
master:活跃设备,转发数据
backup:备份设备,冗余备份
vrrp状态
初始:initialize,刚配置vrrp的设备处于该状态,接口故障时设备也会变成初始
活跃:master,主路由器,转发数据,定时(1s)发送通告报文
备份:backup,不转发数据,仅接收通告报文
vrrp工作原理
选优先级高者当master;如果优先级相同,则比较ip地址,大者为master
vrrp默认接口优先级为100,取值0-255,如果配置成活跃,优先级自动变成255
通告时间:1s 保持时间:3s (保持为通告的三倍时间)
VGMP:vrrp组管理协议
把多个vrrp组整理成一个大组,统一实现故障切换
任一成员接口故障,本设备所有组全部切换成backup状态
vgmp默认优先级:45000 故障时减2
双机热备的备份方式
自动备份:master的配置和状态信息,自动同步到backup
手工批量备份:主备无法自动同步,手动命令备份
快速备份:仅用于负载均衡模式,不同步配置,仅同步状态
vrrp配置命令
开启热备:hrp enable
自动备份:hrp auto-sync
手工备份:hrp sync [config|connection-status]
快速备份:hrp mirror session enable
练习
一、基础设置:各个设备ip、路由设置
1.fw1设置
undo info enable
[FW1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.1.101 24
[FW1-GigabitEthernet1/0/2]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 172.16.1.1 24
[FW1-GigabitEthernet1/0/1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.1.1.101 24
[FW1-GigabitEthernet1/0/0]quit
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/2
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add int g1/0/0
[FW1-zone-untrust]quit
[FW1]
2.fw2设置
[FW2]int g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 192.168.1.102 24
[FW2-GigabitEthernet1/0/2]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 172.16.1.2 24
[FW2-GigabitEthernet1/0/1]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.1.1.102 24
[FW2-GigabitEthernet1/0/0]quit
[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/2
[FW2-zone-trust]firewall zone dmz
[FW2-zone-dmz]add int g1/0/1
[FW2-zone-dmz]firewall zone untrust
[FW2-zone-untrust]add int g1/0/0
[FW2-zone-untrust]quit
二、配置安全策略
[FW1]security-policy
[FW1-policy-security]rule name permit_heat
[FW1-policy-security-rule-permit_heat]source-zone local
[FW1-policy-security-rule-permit_heat]destination-zone dmz
[FW1-policy-security-rule-permit_heat]action permit
[FW1-policy-security-rule-permit_heat]quit
[FW1-policy-security]quit
[FW1-policy-security]rule name permit_trust_untrust
[FW1-policy-security-rule-permit_trust_untrust]source-zone trust
[FW1-policy-security-rule-permit_trust_untrust]destination-zone untrust
[FW1-policy-security-rule-permit_trust_untrust]action permit
[FW1-policy-security-rule-permit_trust_untrust]quit
[FW1-policy-security]quit
[FW1]
[FW2]security-policy
[FW2-policy-security-rule-permit_hea]rule name permit_heat
[FW2-policy-security-rule-permit_heat]source-zone local
[FW2-policy-security-rule-permit_heat]destination-zone dmz
[FW2-policy-security-rule-permit_heat]action permit
[FW2-policy-security-rule-permit_heat]quit
[FW2-policy-security]rule name permit_trust_untrust
[FW2-policy-security-rule-permit_trust_untrust]source-zone trust
[FW2-policy-security-rule-permit_trust_untrust]destination-zone untrust
[FW2-policy-security-rule-permit_trust_untrust]action permit
[FW2-policy-security-rule-permit_trust_untrust]quit
[FW2-policy-security]quit
[FW2]
三、配置vrrp备份组
[FW1]int g1/0/2
[FW1-GigabitEthernet1/0/2]vrrp vrid 1 virtual-ip 192.168.1.100 active
[FW1-GigabitEthernet1/0/2]quit
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.100 active
[FW1-GigabitEthernet1/0/0]quit
[FW2]int g1/0/2
[FW2-GigabitEthernet1/0/2]vrrp vrid 1 virtual-ip 192.168.1.100 standby
[FW2-GigabitEthernet1/0/2]quit
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.100 standby
[FW2-GigabitEthernet1/0/0]quit
四、配置心跳线
[FW1]hrp int g1/0/1 remote 172.16.1.2
[FW2]hrp int g1/0/1 remote 172.16.1.1
五、启用双机热备
[FW1]hrp enable
[FW2]hrp enable
六、配置备份方式
HRP_S[FW1]hrp auto-sync
HRP_S[FW2]hrp auto-sync
七、配置路由器ip和静态路由
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.1.1.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]ip route-static 192.168.1.0 255.255.255.0 10.1.1.100
八、配置防火墙的默认路由
[FW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
[FW2]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
九、配置检查及验证
1)查看双机热备的状态信息
HRP_M[FW1]disp hrp state
Role: active, peer: standby
Running priority: 45000, peer: 45000
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2018-12-02 4:26:23 HRP core state changed, old_s
tate = abnormal(active), new_state = normal, local_priority = 45000, peer_priori
ty = 45000.
2)查看心跳状态
HRP_M[FW1]disp hrp interface
GigabitEthernet1/0/1 : running
HRP_M[FW1]
3)在pc1上pingpc2
4)查看安全规则和会话表
HRP_M[FW1]disp firewall session table
Current Total Sessions : 6
icmp VPN: public --> public 192.168.1.1:55392 --> 10.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:54624 --> 10.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:55136 --> 10.1.1.1:2048
udp VPN: public --> public 172.16.1.2:49152 --> 172.16.1.1:18514
udp VPN: public --> public 172.16.1.1:49152 --> 172.16.1.2:18514
icmp VPN: public --> public 192.168.1.1:54880 --> 10.1.1.1:2048
5)在pc1连续pingpc2,并断开FW1上的g/1/0/2口,查看pc1pingpc2
6)在FW2上查看热备状态
HRP_M<FW2>sys
Enter system view, return user view with Ctrl+Z.
HRP_M[FW2]disp hrp state
Role: active, peer: standby (should be "standby-active")
Running priority: 45000, peer: 44998
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 8 minutes
Last state change information: 2018-12-02 4:37:49 HRP core state changed, old_s
tate = normal, new_state = abnormal(active), local_priority = 45000, peer_priori
ty = 44998.