防火墙双机热备实验

实验拓扑图：

实验需求：

1.PC1 ping通PC2

2.防火墙双机备份

二、实验步骤：

第一步：配置思路

1.配置ip

2.配置区域

3.配置安全策略

4.配置VRRP和hrp

第二步：实验操作

配置ip

FW1:

interface GigabitEthernet1/0/0

ip address 192.168.3.1 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/1

ip address 192.168.4.1 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/2

ip address 10.10.10.10 255.255.255.0

service-manage ping permit

FW2:

interface GigabitEthernet1/0/0

ip address 192.168.3.2 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/1

ip address 192.168.4.2 255.255.255.0

service-manage ping permit

interface GigabitEthernet1/0/2

ip address 10.10.10.11 255.255.255.0

service-manage ping permit

2.配置区域：

FW1:

firewall zone trust

add interface GigabitEthernet1/0/0

firewall zone untrust

add interface GigabitEthernet1/0/1

firewall zone dmz

add interface GigabitEthernet1/0/2

FW2:

firewall zone trust

add interface GigabitEthernet1/0/0

firewall zone untrust

add interface GigabitEthernet1/0/1

firewall zone dmz

add interface GigabitEthernet1/0/2

配置安全策略

FW1:

security-policy

rule name 1

source-zone trust

destination-zone untrust

action permit

FW2:

security-policy

rule name 1

source-zone trust

destination-zone untrust

action permit

配置VRRP和hrp：

FW1:

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 192.168.3.254 active

vrrp virtual-mac enable

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 192.168.4.254 active

vrrp virtual-mac enable

[FW1]hrp interface GigabitEthernet 1/0/2 remote 10.10.10.11

[FW1]hrp enable

FW2:

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 192.168.3.254 standby

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 192.168.4.254 standby

[FW2]hrp interface GigabitEthernet 1/0/2 remote 10.10.10.10

[FW2]hrp enable

5.测试：

PC1àPC2:

FW1:G1/0/1 和FW2:G1/0/1

VGMP、VRRP实验报告

一、实验需求：

1.全网用静态路由打通
2.R3上有两个loop地址1.1.1.1 2.2.2.2

3.PC1访问1.1.1.1走FW1、R1、R3

4.PC2 访问2.2.2.2走FW2、R2、R3

5.注意线路切换

二、实验拓扑图：

三、实验目标：

1.熟悉vrrp相关配置

2.了解vrrp原理及作用

四、实验步骤：

第一步：配置思路

1.配置两台PC IP地址

2.检测连通性

3.配置VGMP+HRP

4.配置路由器侧的vrrp+track

5.配置路由+份路由+安全策略

6.检查连通性

7.断掉R1与R3之间的链路后查看包路径

8.断掉FW1与R1之间的链路后查看包路径

9.开启hrp-track后重复7、8两步查看包路径

10.总结

第二步：实际操作

配置IP地址，并开启Ping，配置VLAN

PC1：

PC2:

FW1:

int g1/0/1

ip address 10.10.10.10 24

service-manage ping permit

int g1/0/0

ip address 192.168.1.252 24

FW2:

int g1/0/0

ip address 192.168.1.252 255.255.255.0

service-manage ping permit

int g1/0/1

ip address 10.10.10.11 24

service-manage ping permit

FW1:

vlan 10

int g1/0/2

port link-type access

port default vlan 10

int g1/0/3

portswitch

port link-type access

port de vlan 10

int vlan 10

ip add 172.16.1.1 24

FW2:

int g1/0/2

portswitch

port link-type access

port de vlan 10

int g1/0/3

portswitch

port link-type access

port de vlan 10

int vlan 10

ip add 172.16.2.12 24

R1:

int g0/0/0

ip add 172.16.1.1 24

int g0/0/1

ip add 172.16.2.1 24

int g0/0/2

ip add 172.16.13.1 24

R3:

int g0/0/0

ip add 172.16.13.3 24

int g0/0/1

ip add 172.16.23.3 24

int loopback 0

ip add 1.1.1.1 32

int loopback 1

ip add 2.2.2.2 32

R2:

int g0/0/2

ip add 172.16.23.2 24

int g0/0/1

ip add 172.16.1.2 24

int g0/0/0

ip add 172.16.2.2 24

配置区域和VGMP+HRP

FW1:

firewall zone trust

add int g1/0/0

firewall zone dmz

add int g1/0/1

firewall zone untrust

add int g1/0/2

add int g1/0/3

add int vlan 10

FW2:

firewall zone trust

add int g1/0/0

firewall zone dmz

add int g1/0/1

firewall zone untrust

add int g1/0/2

add int g1/0/3

add int vlan 10

int g1/0/0

vrrp vrid 1 virtual-ip 192.168.1.253 24 active

vrrp vrid 2 virtual-ip 192.168.1.254 24 standby

FW1:

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 192.168.1.253 standby

vrrp vrid 2 virtual-ip 192.168.1.254 active

hrp enable

hrp mirror session enable

hrp int g1/0/1 remote 10.10.10.11

FW2:

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 192.168.1.253 active

vrrp vrid 2 virtual-ip 192.168.1.254 standby

hrp enable

hrp mirror session enable

hrp int g1/0/1 remote 10.10.10.10

配置路由器侧的vrrp+track

AR1:

int g0/0/0

vrrp vrid 1 virtual-ip 172.16.1.254

vrrp vrid 1 priority 200

int g0/0/1

vrrp vrid 2 virtual-ip 172.16.2.254

AR2:

int g0/0/1

vrrp vrid 1 virtual-ip 172.16.1.254

int g0/0/0

vrrp vrid 2 virtual-ip 172.16.2.254

vrrp vrid 2 priority 200

AR1:

int g0/0/0

vrrp vrid 1 track int g0/0/2 reduced 120

AR2:

int g0/0/0

vrrp vrid 2 track int g0/0/2 reduced 120

配置路由+备份路由+安全策略

FW1:

ip route-static 0.0.0.0 0 172.16.1.254

FW2:

ip route-static 0.0.0.0 0 172.16.2.254

AR1:

ip route-static 1.1.1.1 32 172.16.13.3

ip route-static 2.2.2.2 32 172.16.13.3

ip route-static 192.168.1.0 24 172.16.1.11

ip route-static 192.168.1.0 24 172.16.2.12 preference 100

AR2:

ip route-static 1.1.1.1 32 172.16.23.3

ip route-static 2.2.2.2 32 172.16.23.3

ip route-static 192.168.1.0 24 172.16.1.11 preference 100

ip route-static 192.168.1.0 24 172.16.2.12

AR3:

ip route-static 172.16.1.0 24 172.16.13.1

ip route-static 172.16.1.0 24 172.16.23.2 preference 100

ip route-static 172.16.2.0 24 172.16.23.2

ip route-static 172.16.2.0 24 172.16.13.1 preference 100

ip route-static 192.168.1.0 24 172.16.13.1

ip route-static 192.168.1.0 24 172.16.23.2

FW1:

security-policy

rule name trust

source-zone trust

destination-zone untrust

action permit

FW1:

int vlan 10

service-manage ping permit

断掉R1与R3之间的链路后查看包路径

PC1

断掉FW1与R1之间的链路后查看包路径

第三步：测试并查看

检测连通性

PC1

PC2

进入华为软件 eNSP 学习的第八天

防火墙双机热备实验

VGMP、VRRP实验报告

猜你喜欢