Hands-on: USG firewall dual-device hot standby with multi-ISP access.doc

Uploaded by: peixunshi   Document no.: 15034155   Uploaded: 2022-03-06   Format: DOC   Pages: 19   Size: 337KB

Two USG5120 firewalls with multi-ISP uplinks run in active/standby hot-standby mode. On the inside, two S7706 switches run VRRP and each connects to one of the USG5120s. The application server uses NIC bonding (active/standby), with one NIC on each S7706. The two USGs run VRRP on both their uplink and downlink interfaces; the VRRP backup groups are added to a VGMP management group so that their Master/Slave state is controlled as a unit. The heartbeat interface carries no business traffic. HRP backup is enabled so that configuration and session state are replicated between the two USGs in real time, keeping service interruption short when the network fails over. A NAT policy gives internal users Internet access, and port mappings publish internal applications to the outside. The firewalls' default interzone policy permits everything, to make testing easier.

Network topology:

(Topology diagram; the recoverable addressing is listed below.)

Telecom ISP: 202.100.1.0/24, ISP gateway 202.100.1.100; public address range 202.100.1.10-20/24
Unicom ISP: 202.100.2.0/24, ISP gateway 202.100.2.100; public address range 202.100.2.10-20/24

FW1: G0/0/0 10.10.11.1/24 (Telecom ISP); G0/0/1 10.10.12.1/24 (Unicom ISP); G0/0/2 10.10.10.1/24 (inside); G0/0/3 10.10.255.1/24 (HRP heartbeat)
FW2: G0/0/0 10.10.11.2/24 (Telecom ISP); G0/0/1 10.10.12.2/24 (Unicom ISP); G0/0/2 10.10.10.2/24 (inside); G0/0/3 10.10.254.2/24 (HRP heartbeat)
FW VRRP: VRID 1 10.10.10.10/24 (inside); VRID 2 202.100.1.10/24 (Telecom ISP); VRID 3 202.100.2.10/24 (Unicom ISP)

S7706-1: Vlanif 10 10.10.10.21/24; Vlanif 885 10.88.85.241/24; G6/0/1 VLAN 10 to FW1; G6/0/2 VLAN 885; G6/0/42 and G6/0/43 trunk / Eth-Trunk heartbeat
S7706-2: Vlanif 10 10.10.10.22/24; Vlanif 885 10.88.85.242/24; G6/0/1 VLAN 10 to FW2; G6/0/2 VLAN 885; G6/0/42 and G6/0/43 trunk / Eth-Trunk heartbeat
S7706 VRRP: VRID 10 10.10.10.20/24 (toward the firewalls); VRID 85 10.88.85.240/24 (business/server segment)

Procedure:

1. Configure the interfaces on every device, add them to security zones, allow the default packet filter, and configure static routes on each network device.

FW1:
#
sysname FW1
#
interface GigabitEthernet 0/0/0
 ip address 10.10.11.1 24
#
firewall zone trust
 undo add interface GigabitEthernet 0/0/0
#
firewall zone name wan1
 set priority 15
 add interface GigabitEthernet 0/0/0
#
interface GigabitEthernet 0/0/1
 ip address 10.10.12.1 24
#
firewall zone name wan2
 set priority 10
 add interface GigabitEthernet 0/0/1
#
interface GigabitEthernet 0/0/2
 ip address 10.10.10.1 24
#
firewall zone trust
 add interface GigabitEthernet 0/0/2
#
interface GigabitEthernet 0/0/3
 ip address 10.10.254.1 24
#
firewall zone dmz
 add interface GigabitEthernet 0/0/3
#
firewall packet-filter default permit all
#
ip route-static 10.88.85.0 255.255.255.0 10.10.10.20
ip route-static 0.0.0.0 0.0.0.0 202.100.1.100
#

FW2:
#
sysname FW2
#
interface GigabitEthernet 0/0/0
 ip address 10.10.11.2 24
#
firewall zone trust
 undo add interface GigabitEthernet 0/0/0
#
firewall zone name wan1
 set priority 15
 add interface GigabitEthernet 0/0/0
#
interface GigabitEthernet 0/0/1
 ip address 10.10.12.2 24
#
firewall zone name wan2
 set priority 10
 add interface GigabitEthernet 0/0/1
#
interface GigabitEthernet 0/0/2
 ip address 10.10.10.2 24
#
firewall zone trust
 add interface GigabitEthernet 0/0/2
#
interface GigabitEthernet 0/0/3
 ip address 10.10.254.2 24
#
firewall zone dmz
 add interface GigabitEthernet 0/0/3
#
firewall packet-filter default permit all
#
ip route-static 10.88.85.0 255.255.255.0 10.10.10.20
ip route-static 0.0.0.0 0.0.0.0 202.100.2.100
#
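As an added example (not part of the original document or of any Huawei tooling), the following Python script parses firewall configuration written in the style shown above and reports what a reviewer checks before the pair goes live: interfaces that carry an address but belong to no security zone, peer interfaces whose addresses are not in one subnet or collide, zone priorities or members that are not mirrored, and the lab-only default packet filter. The configuration texts are constructed from the FW1/FW2 values above; the function names, messages and the two deliberately broken variants are the example's own.

```python
import ipaddress
import re

# Constructed FW1 excerpt in the page's own config style (interfaces, zones, default filter).
FW1_CFG = """\
sysname FW1
interface GigabitEthernet 0/0/0
 ip address 10.10.11.1 24
interface GigabitEthernet 0/0/1
 ip address 10.10.12.1 24
interface GigabitEthernet 0/0/2
 ip address 10.10.10.1 24
interface GigabitEthernet 0/0/3
 ip address 10.10.254.1 24
firewall zone name wan1
 set priority 15
 add interface GigabitEthernet 0/0/0
firewall zone name wan2
 set priority 10
 add interface GigabitEthernet 0/0/1
firewall zone trust
 add interface GigabitEthernet 0/0/2
firewall zone dmz
 add interface GigabitEthernet 0/0/3
firewall packet-filter default permit all
"""
# FW2 mirrors FW1 with host part .2 on every interface (as in the lab).
FW2_CFG = FW1_CFG.replace("FW1", "FW2").replace(".1 24", ".2 24")
# Constructed faults used to exercise the check.
FW2_DUP_IP = FW2_CFG.replace("10.10.12.2 24", "10.10.12.1 24")              # address clash on G0/0/1
FW2_NO_ZONE = FW2_CFG.replace(" add interface GigabitEthernet 0/0/3\n", "")  # heartbeat port left unzoned


def norm(name):
    """'GigabitEthernet 0/0/0' and 'GigabitEthernet0/0/0' name the same port."""
    return re.sub(r"\s+", "", name)


def parse_cfg(text):
    """Return {'ifaces': {port: IPv4Interface}, 'zones': {name: {...}}, 'default_permit': bool}."""
    ifaces, zones, default_permit = {}, {}, False
    cur_iface = cur_zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_iface, cur_zone = norm(line[len("interface "):]), None
        elif line.startswith("ip address ") and cur_iface:
            addr, mask = line.split()[2:4]          # accepts '24' or '255.255.255.0'
            ifaces[cur_iface] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("firewall zone"):
            parts = line.split()
            cur_zone = parts[3] if parts[2] == "name" else parts[2]
            zones.setdefault(cur_zone, {"priority": None, "members": []})
            cur_iface = None
        elif line.startswith("set priority ") and cur_zone:
            zones[cur_zone]["priority"] = int(line.split()[2])
        elif line.startswith("add interface ") and cur_zone:
            zones[cur_zone]["members"].append(norm(line[len("add interface "):]))
        elif line == "firewall packet-filter default permit all":
            default_permit = True
    return {"ifaces": ifaces, "zones": zones, "default_permit": default_permit}


def unzoned_interfaces(text):
    """Addressed interfaces that no zone claims (traffic on them is not policed at all)."""
    cfg = parse_cfg(text)
    zoned = {m for z in cfg["zones"].values() for m in z["members"]}
    return sorted(i for i in cfg["ifaces"] if i not in zoned)


def pair_check(text_a, text_b, names=("FW1", "FW2")):
    """Findings for an HA pair; an empty list means the two configs are mirrored cleanly."""
    a, b = parse_cfg(text_a), parse_cfg(text_b)
    findings = []
    for name, text, cfg in zip(names, (text_a, text_b), (a, b)):
        if cfg["default_permit"]:
            findings.append(f"{name}: firewall packet-filter default permit all is set "
                            "(lab-only; replace with explicit interzone policies)")
        for iface in unzoned_interfaces(text):
            findings.append(f"{name}: {iface} has an address but is in no security zone")
    if set(a["ifaces"]) != set(b["ifaces"]):
        findings.append("interface sets differ between the peers")
    for iface in sorted(set(a["ifaces"]) & set(b["ifaces"])):
        ia, ib = a["ifaces"][iface], b["ifaces"][iface]
        if ia.network != ib.network:
            findings.append(f"{iface}: peers sit in different subnets ({ia.network} vs {ib.network})")
        elif ia.ip == ib.ip:
            findings.append(f"{iface}: both peers use the same address {ia.ip}")
    for zone in sorted(set(a["zones"]) | set(b["zones"])):
        za, zb = a["zones"].get(zone), b["zones"].get(zone)
        if za is None or zb is None:
            findings.append(f"zone {zone} exists on only one peer")
            continue
        if za["priority"] != zb["priority"]:
            findings.append(f"zone {zone}: priority differs ({za['priority']} vs {zb['priority']})")
        if sorted(za["members"]) != sorted(zb["members"]):
            findings.append(f"zone {zone}: member interfaces differ")
    return findings
```

Against the two lab configs the only findings are the two default-permit notes; the duplicate-address and unzoned-heartbeat variants each add a finding of their own.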

Configure the internal core switches with VRRP, with S7706-1 as the VRRP Master.

S7706-1:
#
sysname S7706-1
#
vlan batch 10 885
#
interface Vlanif10
 ip address 10.10.10.21 255.255.255.0
 vrrp vrid 10 virtual-ip 10.10.10.20
 vrrp vrid 10 priority 105
#
interface Vlanif885
 ip address 10.88.85.241 255.255.255.0
 vrrp vrid 85 virtual-ip 10.88.85.240
 vrrp vrid 85 priority 105
#
interface Eth-Trunk1
 description HA
 port link-type trunk
 port trunk allow-pass vlan 10 885
 mode lacp
#
interface GigabitEthernet6/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet6/0/2
 port link-type access
 port default vlan 885
#
interface GigabitEthernet6/0/42
 eth-trunk 1
#
interface GigabitEthernet6/0/43
 eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.10
#

S7706-2:
#
sysname S7706-2
#
vlan batch 10 885
#
interface Vlanif10
 ip address 10.10.10.22 255.255.255.0
 vrrp vrid 10 virtual-ip 10.10.10.20
#
interface Vlanif885
 ip address 10.88.85.242 255.255.255.0
 vrrp vrid 85 virtual-ip 10.88.85.240
#
interface Eth-Trunk1
 description HA
 port link-type trunk
 port trunk allow-pass vlan 10 885
 mode lacp
#
interface GigabitEthernet6/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet6/0/2
 port link-type access
 port default vlan 885
#
interface GigabitEthernet6/0/42
 eth-trunk 1
#
interface GigabitEthernet6/0/43
 eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.10
#

2. Configure the VRRP backup groups on the USG firewalls and add them to the VGMP management group. (In eNSP the virtual-address function has to be enabled, otherwise the virtual addresses do not answer pings; real devices in production do not need this.)

FW1:
#
interface GigabitEthernet0/0/0
 vrrp vrid 2 virtual-ip 202.100.1.10 master
#
interface GigabitEthernet0/0/1
 vrrp vrid 3 virtual-ip 202.100.2.10 master
#
interface GigabitEthernet0/0/2
 vrrp vrid 1 virtual-ip 10.10.10.10 master
#

FW2:
#
interface GigabitEthernet0/0/0
 vrrp vrid 2 virtual-ip 202.100.1.10 slave
#
interface GigabitEthernet0/0/1
 vrrp vrid 3 virtual-ip 202.100.2.10 slave
#
interface GigabitEthernet0/0/2
 vrrp vrid 1 virtual-ip 10.10.10.10 slave
#

3. Configure HRP.

Configure the HRP heartbeat interface.

FW1:
#
hrp interface GigabitEthernet 0/0/3
#

FW2:
#
hrp interface GigabitEthernet 0/0/3
#

Enable HRP backup.

FW1:
#
hrp enable
#

FW2:
#
hrp enable
#

Check the state of both firewalls.

FW1:
HRP_M<FW1> disp hrp state
10:32:01  2014/08/08
The firewalls config state is: MASTER
Current state of virtual routers configured as master:
  GigabitEthernet0/0/2  vrid 1 : master
  GigabitEthernet0/0/1  vrid 3 : master
  GigabitEthernet0/0/0  vrid 2 : master
HRP_M<FW1>

FW2:
HRP_S<FW2> disp hrp state
10:30:29  2014/08/08
The firewalls config state is: SLAVE
Current state of virtual routers configured as slave:
  GigabitEthernet0/0/2  vrid 1 : slave
  GigabitEthernet0/0/1  vrid 3 : slave
  GigabitEthernet0/0/0  vrid 2 : slave
HRP_S<FW2>

NAT configuration (only needed on the Master firewall; the master synchronizes it to the standby, and the standby cannot be configured directly. If you do need to configure the standby, enable configuration on the standby device with hrp slave config enable):
#
nat address-group index 2 202.100.1.10 202.100.1.20 vrrp 2
nat address-group index 3 202.100.2.10 202.100.2.20 vrrp 3
#
nat-policy interzone trust wan1 outbound
 policy 5
  action source-nat
  address-group 2
#
nat-policy interzone trust wan2 outbound
 policy 5
  action source-nat
  address-group 3
#

Check that the configuration is synchronized between the firewalls.

FW1:
HRP_M<FW1> hrp configuration check hrp
11:46:18  2014/08/08
You need use command:display hrp configuration check . to see the result.
HRP_M<FW1> hrp configuration check acl
11:46:20  2014/08/08
You need use command:display hrp configuration check . to see the result.
HRP_M<FW1> display hrp configuration check all
11:46:33  2014/08/08
Module  State   Start-time           End-time             Result
acl     finish  2014/08/08 11:46:20  2014/08/08 11:46:20  same configuration
hrp     finish  2014/08/08 11:46:18  2014/08/08 11:46:18  same configuration
HRP_M<FW1>

FW2:
HRP_S<FW2> hrp configuration check hrp
11:47:28  2014/08/08
You need use command:display hrp configuration check . to see the result.
HRP_S<FW2> hrp configuration check acl
11:47:31  2014/08/08
You need use command:display hrp configuration check . to see the result.
HRP_S<FW2> display hrp configuration check all
11:47:43  2014/08/08
Module  State   Start-time           End-time             Result
acl     finish  2014/08/08 11:47:31  2014/08/08 11:47:31  same configuration
hrp     finish  2014/08/08 11:47:28  2014/08/08 11:47:28  same configuration
HRP_S<FW2>

Test: the internal network can now reach the external network normally.
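Added example, not from the original document: a small Python checker that parses display hrp state from both firewalls and confirms the pair is consistent, that is, exactly one config MASTER, every VRID master on one box and slave on the other, both boxes binding a VRID to the same interface, and no "peer down" flag. The healthy samples are constructed from the FW1/FW2 output above; the post-switchover and split-brain samples are constructed in the same format, and the function names are the example's own.

```python
import re

# Constructed samples of `display hrp state`, in the format the firewalls print.
FW1_STATE = """\
The firewalls config state is: MASTER
Current state of virtual routers configured as master:
  GigabitEthernet0/0/2  vrid 1 : master
  GigabitEthernet0/0/1  vrid 3 : master
  GigabitEthernet0/0/0  vrid 2 : master
"""
FW2_STATE = """\
The firewalls config state is: SLAVE
Current state of virtual routers configured as slave:
  GigabitEthernet0/0/2  vrid 1 : slave
  GigabitEthernet0/0/1  vrid 3 : slave
  GigabitEthernet0/0/0  vrid 2 : slave
"""
# After FW1 loses G0/0/0: FW2 carries everything and flags the dead peer link.
FW1_AFTER = """\
The firewalls config state is: SLAVE
Current state of virtual routers configured as master:
  GigabitEthernet0/0/2  vrid 1 : slave
  GigabitEthernet0/0/1  vrid 3 : slave
  GigabitEthernet0/0/0  vrid 2 : initialize (down)
"""
FW2_AFTER = """\
The firewalls config state is: MASTER
Current state of virtual routers configured as slave:
  GigabitEthernet0/0/2  vrid 1 : master
  GigabitEthernet0/0/1  vrid 3 : master
  GigabitEthernet0/0/0  vrid 2 : master (peer down)
"""
# Constructed split brain: FW2 also claims MASTER for everything.
SPLIT_BRAIN = FW2_STATE.replace("is: SLAVE", "is: MASTER").replace(": slave", ": master")

CONFIG_RE = re.compile(r"config state is:\s*(\w+)")
VRID_RE = re.compile(r"(GigabitEthernet\S+)\s+vrid\s*(\d+)\s*:\s*(\w+)(\s*\(peer down\))?")


def parse_hrp_state(text):
    """Return (config_state, {vrid: (interface, state, peer_down)})."""
    m = CONFIG_RE.search(text)
    if m is None:
        raise ValueError("no 'config state is' line in output")
    vrids = {}
    for iface, vrid, state, peer_down in VRID_RE.findall(text):
        vrids[int(vrid)] = (iface, state.lower(), bool(peer_down))
    return m.group(1).upper(), vrids


def check_ha_pair(text_a, text_b, names=("FW1", "FW2")):
    """Findings for the pair; an empty list means the two outputs are consistent."""
    findings = []
    (cfg_a, vr_a), (cfg_b, vr_b) = parse_hrp_state(text_a), parse_hrp_state(text_b)
    if sorted([cfg_a, cfg_b]) != ["MASTER", "SLAVE"]:
        findings.append(f"config state is {names[0]}={cfg_a}, {names[1]}={cfg_b}; "
                        "expected one MASTER and one SLAVE")
    if set(vr_a) != set(vr_b):
        findings.append(f"VRID sets differ: {sorted(vr_a)} vs {sorted(vr_b)}")
    for vrid in sorted(set(vr_a) & set(vr_b)):
        (if_a, st_a, pd_a), (if_b, st_b, pd_b) = vr_a[vrid], vr_b[vrid]
        if if_a != if_b:
            findings.append(f"vrid {vrid}: bound to {if_a} on {names[0]} but {if_b} on {names[1]}")
        masters = [n for n, st in zip(names, (st_a, st_b)) if st == "master"]
        if len(masters) != 1:   # 0 masters = nobody answers the VIP, 2 = split brain
            findings.append(f"vrid {vrid}: {len(masters)} master(s) "
                            f"({names[0]}={st_a}, {names[1]}={st_b})")
        if pd_a or pd_b:
            findings.append(f"vrid {vrid}: peer down reported, heartbeat or link problem")
    return findings
```

Run on a schedule (or on VGMP/VRRP syslog), this turns the manual "look at both prompts" step into an alert: a healthy pair returns nothing, the post-switchover pair reports only the peer-down VRID, and the split-brain sample reports the config clash plus one finding per doubly-claimed VRID.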

[Ping screenshot: ping www.baidu.com from an internal host; replies from 115.239.211.110 with 32 bytes of data, time=16-17 ms, TTL=54; 4 packets sent, 4 received, 0 lost; min 16 ms, max 17 ms, avg 16 ms.]

Publish the internal server to the outside:
#
nat server protocol tcp global 202.100.1.11 31943 inside 10.88.85.31 31943 no-reverse
nat server protocol tcp global 202.100.2.11 31943 inside 10.88.85.31 31943 no-reverse
#

External access test (screenshot).

Test the firewall active/standby switchover: shut down FW1's G0/0/0 (Telecom ISP) interface.

FW1:
#
interface GigabitEthernet0/0/0
 shutdown
#

FW1:
HRP_M<FW1> interface g0/0/0
HRP_M<FW1-GigabitEthernet0/0/0> shutdown
10:57:50  2014/08/08
#2014-08-08 10:57:50 FW1 IFNET/4/IF_PVCDOWN:1.3.6.1.6.3.1.1.5.3 interface 513 turns into DOWN state.
2014-08-08 10:57:50 FW1 %01PHY/4/STATUSDOWN(l): GigabitEthernet0/0/0 changed status to down.
2014-08-08 10:57:50 FW1 %01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/0 has turned into DOWN state.
2014-08-08 10:57:50 FW1 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/0, Virtual Router 2 : MASTER changed to INITIALIZE!
2014-08-08 10:57:50 FW1 %01VGMP/4/STATE(l): Virtual Router Management Group MASTER: MASTER -> MASTER_TO_SLAVE
2014-08-08 10:57:50 FW1 %01VGMP/4/STATE(l): Virtual Router Management Group MASTER: MASTER_TO_SLAVE -> SLAVE
2014-08-08 10:57:50 FW1 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/2, Virtual Router 1 : MASTER changed to BACKUP!
2014-08-08 10:57:50 FW1 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/1, Virtual Router 3 : MASTER changed to BACKUP!
HRP_S<FW1-GigabitEthernet0/0/0>

Check HRP state:
HRP_S<FW1-GigabitEthernet0/0/0> display hrp state
The firewalls config state is: SLAVE
Current state of virtual routers configured as master:
  GigabitEthernet0/0/2  vrid 1 : slave
  GigabitEthernet0/0/1  vrid 3 : slave
  GigabitEthernet0/0/0  vrid 2 : initialize (down)
HRP_S<FW1-GigabitEthernet0/0/0>

FW2:
HRP_S<FW2>
#2014-08-08 10:57:33 FW2 VRRP/3/TRAPBECAMENEWMASTER: interface 513 virtual router 2 became new master.
#2014-08-08 10:57:33 FW2 VRRP/3/TRAPBECAMENEWMASTER: interface 641 virtual router 3 became new master.
#2014-08-08 10:57:33 FW2 VRRP/3/TRAPBECAMENEWMASTER: interface 769 virtual router 1 became new master.
2014-08-08 10:57:33 FW2 %01VGMP/4/STATE(l): Virtual Router Management Group SLAVE: SLAVE -> MASTER
2014-08-08 10:57:33 FW2 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/2, Virtual Router 1 : BACKUP changed to MASTER!
2014-08-08 10:57:33 FW2 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/1, Virtual Router 3 : BACKUP changed to MASTER!
2014-08-08 10:57:33 FW2 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/0, Virtual Router 2 : BACKUP changed to MASTER!
HRP_M<FW2>

Check HRP state:
HRP_M<FW2> display hrp state
The firewalls config state is: MASTER
Current state of virtual routers configured as slave:
  GigabitEthernet0/0/2  vrid 1 : master
  GigabitEthernet0/0/1  vrid 3 : master
  GigabitEthernet0/0/0  vrid 2 : master (peer down)
HRP_M<FW2>

Network ping test:

[Ping screenshot: ping -t 115.239.210.27 from an internal host during the switchover; a few requests time out, then replies resume with 32 bytes of data, time=17 ms, TTL=54; 9 packets sent; min 17 ms, max 56 ms, avg 26 ms.]

Test recovery of the primary firewall: bring FW1's G0/0/0 (Telecom ISP) interface back up.

FW1:
#
interface GigabitEthernet0/0/0
 undo shutdown
#

FW1:
HRP_S<FW1-GigabitEthernet0/0/0> undo shutdown
11:02:14  2014/08/08
HRP_S<FW1-GigabitEthernet0/0/0>
#2014-08-08 11:02:16 FW1 IFNET/4/IF_PVCUP:1.3.6.1.6.3.1.1.5.4 interface 513 turns into UP state.
2014-08-08 11:02:16 FW1 %01PHY/4/STATUSUP(l): GigabitEthernet0/0/0 changed status to up.
2014-08-08 11:02:16 FW1 %01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/0 has turned into UP state.
2014-08-08 11:02:16 FW1 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/0, Virtual Router 2 : INITIALIZE changed to BACKUP!

FW1 then logs, in this order:
%01VGMP/4/STATE(l): Virtual Router Management Group MASTER: SLAVE -> SLAVE_TO_MASTER
#VRRP/3/TRAPBECAMENEWMASTER: interface 769 virtual router 1 became new master.
#VRRP/3/TRAPBECAMENEWMASTER: interface 641 virtual router 3 became new master.
#VRRP/3/TRAPBECAMENEWMASTER: interface 513 virtual router 2 became new master.
%01VGMP/4/STATE(l): Virtual Router Management Group MASTER: SLAVE_TO_MASTER -> MASTER
%01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/2, Virtual Router 1 : BACKUP changed to MASTER!
%01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/1, Virtual Router 3 : BACKUP changed to MASTER!
%01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/0, Virtual Router 2 : BACKUP changed to MASTER!
HRP_M<FW1-GigabitEthernet0/0/0>

Check HRP state:
HRP_M<FW1-GigabitEthernet0/0/0> disp hrp state
11:03:42  2014/08/08
The firewalls config state is: MASTER
Current state of virtual routers configured as master:
  GigabitEthernet0/0/2  vrid 1 : master
  GigabitEthernet0/0/1  vrid 3 : master
  GigabitEthernet0/0/0  vrid 2 : master
HRP_M<FW1-GigabitEthernet0/0/0>

FW2:
HRP_M<FW2>
2014-08-08 11:02:33 FW2 %01VGMP/4/STATE(l): Virtual Router Management Group SLAVE: MASTER -> SLAVE
2014-08-08 11:02:33 FW2 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/2, Virtual Router 1 : MASTER changed to BACKUP!
2014-08-08 11:02:33 FW2 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/1, Virtual Router 3 : MASTER changed to BACKUP!
2014-08-08 11:02:33 FW2 %01VRRP/4/STATEWARNING(l): Interface:GigabitEthernet0/0/0, Virtual Router 2 : MASTER changed to BACKUP!
HRP_S<FW2>

Check HRP state:
HRP_S<FW2> display hrp state
11:04:37  2014/08/08
The firewalls config state is: SLAVE
Current state of virtual routers configured as slave:
  GigabitEthernet0/0/2  vrid 1 : slave
  GigabitEthernet0/0/1  vrid 3 : slave
  GigabitEthernet0/0/0  vrid 2 : slave
HRP_S<FW2>

Network ping test:
[Ping screenshot: ping -t 115.239.210.27 from an internal host while FW1 takes back the active role; a few requests time out, then replies resume with time=17 ms, TTL=54.]

If the link between a firewall and its S7706 is broken instead, the result is the same.

Network optimization: in normal operation FW1 is the active firewall and S7706-1 is the VRRP Master. If the link between FW1 and S7706-1 goes down, FW2 becomes the active firewall, but the Master of the business VRRP group is still S7706-1. Configure tracking so that S7706-2 becomes the VRRP Master when that link goes down.

S7706-1:
#
interface Vlanif 885
 vrrp vrid 85 track interface GigabitEthernet 6/0/1
#

If there are several business VRRP groups, repeat this on S7706-1 for each of them.
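Why the track line fixes the role split can be shown with the VRRP election rule itself. The following Python, added here and not part of the original document, models the two S7706 switches for VRID 85 with the priorities from this document (105 on S7706-1, the VRRP default of 100 on S7706-2) and computes who is Master with and without interface tracking. It assumes, since the page does not state it, that a tracked interface going down lowers the priority by 10, the usual default of vrrp vrid ... track interface; the function names and the (router, port) link-state model are the example's own.

```python
# Assumption: a tracked interface that is down lowers the VRRP priority by 10
# (the usual default reduction for `vrrp vrid ... track interface`).
TRACK_REDUCE = 10
DEFAULT_PRIORITY = 100                      # VRRP default when no priority is configured
FW_FACING_PORT = "GigabitEthernet6/0/1"     # port toward the firewall on each S7706


def effective_priority(name, base, tracked_ports, link_up):
    """Base priority minus TRACK_REDUCE per tracked port that is down (never below 1)."""
    down = sum(1 for port in tracked_ports if not link_up.get((name, port), True))
    return max(base - TRACK_REDUCE * down, 1)


def ip_key(ip):
    """Numeric tuple so '10.88.85.242' > '10.88.85.241' compares as VRRP does."""
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(routers, link_up):
    """routers: {name: {'priority': int, 'track': [ports], 'ip': str}}.
    Highest effective priority wins; ties go to the higher interface address."""
    ranked = sorted(
        routers.items(),
        key=lambda item: (effective_priority(item[0], item[1]["priority"],
                                             item[1]["track"], link_up),
                          ip_key(item[1]["ip"])),
        reverse=True,
    )
    return ranked[0][0]


def vrid85_master(fw1_link_up, with_track):
    """Master of VRID 85 (10.88.85.240) given the state of S7706-1's link to FW1."""
    routers = {
        "S7706-1": {"priority": 105,
                    "track": [FW_FACING_PORT] if with_track else [],
                    "ip": "10.88.85.241"},
        "S7706-2": {"priority": DEFAULT_PRIORITY, "track": [], "ip": "10.88.85.242"},
    }
    link_up = {("S7706-1", FW_FACING_PORT): fw1_link_up}
    return elect_master(routers, link_up)
```

With the link to FW1 down and no tracking, S7706-1 keeps VRID 85 at priority 105 while FW2 is the active firewall, which is the mismatch the optimization addresses; with tracking its priority drops to 95, below S7706-2's 100, and the Master role follows the firewall. When the link returns, S7706-1 is back at 105 and takes the role again, in step with FW1 resuming as the active firewall.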
