华为防火墙双机热备与BFD联动
作者:互联网
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623247934966278.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
1.配置内网及其互通
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248014302908.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[FW1-GigabitEthernet1/0/0]ip add 10.1.10.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.1.10.2 24
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/0
2.配置DMZ区域
[FW1-GigabitEthernet1/0/3]ip add 10.1.3.1 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/3
[FW2-GigabitEthernet1/0/3]ip add 10.1.3.2 24
[FW2-GigabitEthernet1/0/3]service-manage ping permit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface g1/0/3
3.配置外网及其互通
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248043696972.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/1
[FW2-GigabitEthernet1/0/2]ip add 10.1.2.2 24
[FW2-GigabitEthernet1/0/2]service-manage ping permit
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/2
[AR1-GigabitEthernet0/0/1]ip add 10.1.1.3 24
[AR1-GigabitEthernet0/0/0]ip add 10.1.20.3 24
[AR1]ospf
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255
[AR1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.20.254
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248070138210.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[AR2-GigabitEthernet0/0/2]ip add 10.1.2.4 24
[AR2-GigabitEthernet0/0/0]ip add 10.1.20.4 24
[AR2]ospf
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255
[AR2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.20.254
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248090775625.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
4.配置NAT功能(源地址池)
[FW1]nat address-group nat_fw1
[FW1-address-group-nat_fw1]section 10.1.1.10 10.1.1.100
[FW1]nat-policy
[FW1-policy-nat]rule name source_out
[FW1-policy-nat-rule-source_out]source-zone trust
[FW1-policy-nat-rule-source_out]destination-zone untrust
[FW1-policy-nat-rule-source_out]action source-nat address-group nat_fw1
[FW2]nat address-group nat_fw2
[FW2-address-group-nat_fw2]section 10.1.2.10 10.1.2.100
[FW2]nat-policy
[FW2-policy-nat]rule name source_out
[FW2-policy-nat-rule-source_out]source-zone trust
[FW2-policy-nat-rule-source_out]destination-zone untrust
[FW2-policy-nat-rule-source_out]action source-nat address-group nat_fw2
5.配置BFD
[FW1]bfd
[FW1]bfd bfd_1 bind peer-ip 10.1.20.3
[FW1-bfd-session-bfd_1]discriminator local 13
[FW1-bfd-session-bfd_1]discriminator remote 31
[FW1-bfd-session-bfd_1]commit
[FW2]bfd
[FW2]bfd bfd_2 bind peer-ip 10.1.20.4
[FW2-bfd-session-bfd_2]discriminator local 24
[FW2-bfd-session-bfd_2]discriminator remote 42
[FW2-bfd-session-bfd_2]commit
[AR1]bfd
[AR1]bfd 1 bind peer-ip 10.1.1.1
[AR1-bfd-session-1]discriminator local 31
[AR1-bfd-session-1]discriminator remote 13
[AR1-bfd-session-1]commit
[AR2]bfd
[AR2]bfd 2 bind peer-ip 10.1.2.2
[AR2-bfd-session-2]discriminator remote 24
[AR2-bfd-session-2]commit
6.配置双机热备
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 active
[FW1-GigabitEthernet1/0/0]vrrp virtual-mac enable
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 standby
[FW2-GigabitEthernet1/0/0]vrrp virtual-mac enable
7.配置安全策略
[FW1]security-policy
[FW1-policy-security]rule name dmz_local
[FW1-policy-security-rule-dmz_local]source-zone local dmz
[FW1-policy-security-rule-dmz_local]destination-zone dmz local
[FW1-policy-security-rule-dmz_local]action permit
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]action permit
[FW1-policy-security]rule name bfd
[FW1-policy-security-rule-bfd]source-zone local
[FW1-policy-security-rule-bfd]destination-zone untrust
[FW1-policy-security-rule-bfd]action permit
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248109391080.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
[FW2]security-policy
[FW2-policy-security-rule-dmz_local]source-zone local dmz
[FW2-policy-security-rule-dmz_local]destination-zone local dmz
[FW2-policy-security-rule-dmz_local]action permit
[FW2-policy-security]rule name trust_untrust
[FW2-policy-security-rule-trust_untrust]source-zone trust
[FW2-policy-security-rule-trust_untrust]destination-zone untrust
[FW2-policy-security-rule-trust_untrust]action permit
[FW2-policy-security]rule name bfd
[FW2-policy-security-rule-bfd]source-zone local
[FW2-policy-security-rule-bfd]destination-zone untrust
[FW2-policy-security-rule-bfd]action permit
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248133384816.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
8.配置BFD与双机热备联动
[FW1]hrp enable
HRP_S[FW1]hrp interface g1/0/3 remote 10.1.3.2
HRP_S[FW1]hrp track interface g1/0/1
HRP_S[FW1]hrp track bfd-session 13
[FW2]hrp enable
HRP_S[FW2]hrp interface g1/0/3 remote 10.1.3.1
HRP_S[FW2]hrp track interface g1/0/2
HRP_S[FW2]hrp track bfd-session 24
9.配置静态默认路由
HRP_M[FW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.3
HRP_S[FW2]ip route-static 0.0.0.0 0.0.0.0 10.1.2.4
9.验证
在PC1上ping PC2
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248145825250.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248165399426.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
关闭AR1上的g0/0/0接口后用tracert PC2时发现已经自动切换
![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248176675561.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
标签:10.1,热备,bfd,BFD,rule,policy,双机,FW1,FW2 来源: https://blog.51cto.com/u_13699905/2887253