[ENSP] Assignment 10: Dual-Device Hot Standby Lab

I. Topology

[Topology diagram]

Topology file download:

https://wwk.lanzouq.com/iueVl1zxfvzg

Configure load sharing on FW1 and FW2 so that the failure of a single firewall does not interrupt traffic.
Change the device name of FW1 to: your name in pinyin
Change the device name of FW2 to: your student ID

II. Configuration procedure

1. Configure interface IP addresses, security zones and the security policy

(1) Configure the IP address, gateway and subnet mask on PC1 and PC2

[Screenshots of the PC1 and PC2 IP configuration]

(2) Basic configuration on FW1

Change the firewall's initial password before you begin; see: https://www.19itmc.top/fw-tech/usg6000v-passwd.html

<USG6000V1>system-view
# FW1 here can be replaced with your name in pinyin
[USG6000V1]sysname FW1
[FW1]user-interface console 0
[FW1-ui-console0]idle-timeout 0
[FW1-ui-console0]quit
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 10.1.1.2 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 192.168.1.2 24
[FW1-GigabitEthernet1/0/2]quit
[FW1]interface GigabitEthernet 1/0/6
[FW1-GigabitEthernet1/0/6]ip address 172.16.1.1 24
[FW1-GigabitEthernet1/0/6]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1-zone-untrust]quit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/6
[FW1-zone-dmz]quit
[FW1]security-policy
[FW1-policy-security]default action permit    # press Enter, then enter Y to confirm
[FW1-policy-security]quit

(3) Basic configuration on FW2

Change the firewall's initial password before you begin; see: https://www.19itmc.top/fw-tech/usg6000v-passwd.html

<USG6000V1>system-view
# FW2 here can be replaced with your student ID
[USG6000V1]sysname FW2
[FW2]user-interface console 0
[FW2-ui-console0]idle-timeout 0
[FW2-ui-console0]quit
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 10.1.1.3 24
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 192.168.1.3 24
[FW2-GigabitEthernet1/0/2]quit
[FW2]interface GigabitEthernet 1/0/6
[FW2-GigabitEthernet1/0/6]ip address 172.16.1.2 24
[FW2-GigabitEthernet1/0/6]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/1
[FW2-zone-trust]quit
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/2
[FW2-zone-untrust]quit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/6
[FW2-zone-dmz]quit
[FW2]security-policy
[FW2-policy-security]default action permit    # press Enter, then enter Y to confirm
[FW2-policy-security]quit

2. Hot standby configuration on FW1

(1) Configure the VRRP backup groups

[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.1.1.254 active 
[FW1-GigabitEthernet1/0/1] vrrp vrid 3 virtual-ip 10.1.1.253 standby 
[FW1] interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 192.168.1.254 active
[FW1-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 192.168.1.253 standby

(2) Enable fast session backup

[FW1] hrp mirror session enable

(3) Specify the heartbeat interface and enable hot standby

[FW1]hrp interface GigabitEthernet 1/0/6 remote 172.16.1.2
[FW1]hrp enable

3. Hot standby configuration on FW2

(1) Configure the VRRP backup groups

[FW2] interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.1.1.254 standby
[FW2-GigabitEthernet1/0/1] vrrp vrid 3 virtual-ip 10.1.1.253 active 
[FW2] interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 192.168.1.254 standby
[FW2-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 192.168.1.253 active

(2) Enable fast session backup

[FW2] hrp mirror session enable

(3) Specify the heartbeat interface and enable hot standby

[FW2]hrp interface GigabitEthernet 1/0/6 remote 172.16.1.1
[FW2]hrp enable

4. Save the topology

<FW>save  # press Enter, then enter Y to confirm

III. Verifying the result

1. On FW1, run display vrrp and check the state of each interface in the VRRP groups.

2. On FW1, run display hrp state verbose and check the current state of the VGMP group.

3. On PC1, run ping 192.168.1.1 -t, then shut down interface GE1/0/1 on FW1 and observe the firewall state switchover and any ping packet loss; then bring GE1/0/1 on FW1 back up (reconnect the link) and observe the state switchover and ping packet loss again.
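Before running the checks above on the devices, the configuration pair can be checked offline. The following Python script is an added example written for this page (it is not part of the original lab or of any Huawei tooling): it parses the HRP-relevant lines of the FW1 and FW2 configurations above, embedded as a constructed sample, and verifies the properties that load sharing depends on: every VRRP group exists on both firewalls with the same interface and virtual IP, each group has exactly one active and one standby member, each firewall is active for at least one group, and each hrp remote address is the peer's heartbeat interface IP. The simplified config format and the FW1/FW2 labels are assumptions of the example.

```python
import re

# Constructed sample: the HRP-relevant lines of the FW1 config from this lab.
FW1_CFG = """interface GigabitEthernet 1/0/1
 vrrp vrid 1 virtual-ip 10.1.1.254 active
 vrrp vrid 3 virtual-ip 10.1.1.253 standby
interface GigabitEthernet 1/0/2
 vrrp vrid 2 virtual-ip 192.168.1.254 active
 vrrp vrid 4 virtual-ip 192.168.1.253 standby
interface GigabitEthernet 1/0/6
 ip address 172.16.1.1 24
hrp interface GigabitEthernet 1/0/6 remote 172.16.1.2"""
# FW2 is the mirror image: VRRP roles swapped, heartbeat addresses exchanged.
FW2_CFG = (FW1_CFG.replace("active", "ACT").replace("standby", "active")
           .replace("ACT", "standby").replace("172.16.1.1 24", "172.16.1.2 24")
           .replace("remote 172.16.1.2", "remote 172.16.1.1"))

def parse_config(text):
    """Collect interface IPs, VRRP groups (vrid -> (iface, vip, role)) and the hrp line."""
    cfg, iface = {"ip": {}, "vrrp": {}, "hrp": (None, None)}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+ \S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) \d+$", line):
            cfg["ip"][iface] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line):
            cfg["vrrp"][int(m.group(1))] = (iface, m.group(2), m.group(3))
        elif m := re.match(r"hrp interface (\S+ \S+) remote (\S+)$", line):
            cfg["hrp"] = (m.group(1), m.group(2))
    return cfg

def check_hrp_pair(a, b):
    """Return the problems found; an empty list means the pair is consistent for load sharing."""
    problems = []
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        ga, gb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if ga is None or gb is None:
            problems.append(f"vrid {vrid} configured on only one firewall")
        elif ga[:2] != gb[:2]:          # same interface and virtual IP on both sides
            problems.append(f"vrid {vrid}: interface/virtual-ip mismatch")
        elif ga[2] == gb[2]:            # exactly one active and one standby per group
            problems.append(f"vrid {vrid}: both sides are '{ga[2]}'")
    for name, me, peer in (("FW1", a, b), ("FW2", b, a)):
        if not any(g[2] == "active" for g in me["vrrp"].values()):
            problems.append(f"{name} is active for no VRRP group (not load sharing)")
        if me["hrp"][1] != peer["ip"].get(peer["hrp"][0]):   # heartbeat peers must match
            problems.append(f"{name}: hrp remote {me['hrp'][1]} is not the peer heartbeat IP")
    return problems
```

Running check_hrp_pair(parse_config(FW1_CFG), parse_config(FW2_CFG)) on the lab's configuration returns an empty list; a typo such as making vrid 1 active on both sides, or pointing hrp remote at the wrong address, is reported before any failover test is attempted.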