其他分享
首页 > 其他分享> > 华为防火墙双机热备与BFD联动

华为防火墙双机热备与BFD联动

作者:互联网

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623247934966278.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) 1.配置内网及其互通 ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248014302908.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) [FW1-GigabitEthernet1/0/0]ip add 10.1.10.1 24 [FW1-GigabitEthernet1/0/0]service-manage ping permit [FW1]firewall zone trust [FW1-zone-trust]add interface g1/0/0 [FW2-GigabitEthernet1/0/0]ip add 10.1.10.2 24 [FW2-GigabitEthernet1/0/0]service-manage ping permit [FW2]firewall zone trust [FW2-zone-trust]add interface g1/0/0 2.配置DMZ区域 [FW1-GigabitEthernet1/0/3]ip add 10.1.3.1 24 [FW1-GigabitEthernet1/0/3]service-manage ping permit [FW1]firewall zone dmz [FW1-zone-dmz]add interface g1/0/3 [FW2-GigabitEthernet1/0/3]ip add 10.1.3.2 24 [FW2-GigabitEthernet1/0/3]service-manage ping permit [FW2]firewall zone dmz [FW2-zone-dmz]add interface g1/0/3 3.配置外网及其互通 ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248043696972.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) [FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24 [FW1-GigabitEthernet1/0/1]service-manage ping permit [FW1]firewall zone untrust [FW1-zone-untrust]add interface g1/0/1 [FW2-GigabitEthernet1/0/2]ip add 10.1.2.2 24 [FW2-GigabitEthernet1/0/2]service-manage ping permit [FW2]firewall zone untrust [FW2-zone-untrust]add interface g1/0/2 [AR1-GigabitEthernet0/0/1]ip add 10.1.1.3 24 [AR1-GigabitEthernet0/0/0]ip add 10.1.20.3 24 [AR1]ospf [AR1-ospf-1]area 0 [AR1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255 [AR1-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255 [AR1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.20.254 ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248070138210.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) [AR2-GigabitEthernet0/0/2]ip add 10.1.2.4 24 [AR2-GigabitEthernet0/0/0]ip add 10.1.20.4 24 [AR2]ospf [AR2-ospf-1]area 0 [AR2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255 [AR2-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255 [AR2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.20.254 ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248090775625.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) 4.配置NAT功能(源地址池) [FW1]nat address-group nat_fw1 [FW1-address-group-nat_fw1]section 10.1.1.10 10.1.1.100 [FW1]nat-policy [FW1-policy-nat]rule name source_out [FW1-policy-nat-rule-source_out]source-zone trust [FW1-policy-nat-rule-source_out]destination-zone untrust [FW1-policy-nat-rule-source_out]action source-nat address-group nat_fw1 [FW2]nat address-group nat_fw2 [FW2-address-group-nat_fw2]section 10.1.2.10 10.1.2.100 [FW2]nat-policy [FW2-policy-nat]rule name source_out [FW2-policy-nat-rule-source_out]source-zone trust [FW2-policy-nat-rule-source_out]destination-zone untrust [FW2-policy-nat-rule-source_out]action source-nat address-group nat_fw2 5.配置BFD [FW1]bfd [FW1]bfd bfd_1 bind peer-ip 10.1.20.3 [FW1-bfd-session-bfd_1]discriminator local 13 [FW1-bfd-session-bfd_1]discriminator remote 31 [FW1-bfd-session-bfd_1]commit [FW2]bfd [FW2]bfd bfd_2 bind peer-ip 10.1.20.4 [FW2-bfd-session-bfd_2]discriminator local 24 [FW2-bfd-session-bfd_2]discriminator remote 42 [FW2-bfd-session-bfd_2]commit [AR1]bfd [AR1]bfd 1 bind peer-ip 10.1.1.1 [AR1-bfd-session-1]discriminator local 31 [AR1-bfd-session-1]discriminator remote 13 [AR1-bfd-session-1]commit [AR2]bfd [AR2]bfd 2 bind peer-ip 10.1.2.2 [AR2-bfd-session-2]discriminator remote 24 [AR2-bfd-session-2]commit 6.配置双机热备 [FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 active [FW1-GigabitEthernet1/0/0]vrrp virtual-mac enable [FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 standby [FW2-GigabitEthernet1/0/0]vrrp virtual-mac enable 7.配置安全策略 [FW1]security-policy [FW1-policy-security]rule name dmz_local [FW1-policy-security-rule-dmz_local]source-zone local dmz [FW1-policy-security-rule-dmz_local]destination-zone dmz local [FW1-policy-security-rule-dmz_local]action permit [FW1-policy-security]rule name trust_untrust [FW1-policy-security-rule-trust_untrust]source-zone trust [FW1-policy-security-rule-trust_untrust]destination-zone untrust [FW1-policy-security-rule-trust_untrust]action permit [FW1-policy-security]rule name bfd [FW1-policy-security-rule-bfd]source-zone local [FW1-policy-security-rule-bfd]destination-zone untrust [FW1-policy-security-rule-bfd]action permit ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248109391080.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) [FW2]security-policy [FW2-policy-security-rule-dmz_local]source-zone local dmz [FW2-policy-security-rule-dmz_local]destination-zone local dmz [FW2-policy-security-rule-dmz_local]action permit [FW2-policy-security]rule name trust_untrust [FW2-policy-security-rule-trust_untrust]source-zone trust [FW2-policy-security-rule-trust_untrust]destination-zone untrust [FW2-policy-security-rule-trust_untrust]action permit [FW2-policy-security]rule name bfd [FW2-policy-security-rule-bfd]source-zone local [FW2-policy-security-rule-bfd]destination-zone untrust [FW2-policy-security-rule-bfd]action permit ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248133384816.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) 8.配置BFD与双机热备联动 [FW1]hrp enable HRP_S[FW1]hrp interface g1/0/3 remote 10.1.3.2 HRP_S[FW1]hrp track interface g1/0/1 HRP_S[FW1]hrp track bfd-session 13 [FW2]hrp enable HRP_S[FW2]hrp interface g1/0/3 remote 10.1.3.1 HRP_S[FW2]hrp track interface g1/0/2 HRP_S[FW2]hrp track bfd-session 24 9.配置静态默认路由 HRP_M[FW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.3 HRP_S[FW2]ip route-static 0.0.0.0 0.0.0.0 10.1.2.4 9.验证 在PC1上ping PC2 ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248145825250.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248165399426.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) 关闭AR1上的g0/0/0接口后用tracert PC2时发现已经自动切换 ![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248176675561.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

标签:10.1,热备,bfd,BFD,rule,policy,双机,FW1,FW2
来源: https://blog.51cto.com/u_13699905/2887253