VRRP dual-device hot standby
1: Configure the interface IP addresses (omitted)
2: Set up the security zones
[fw1]firewall zone trust
[fw1-zone-trust]add interface GigabitEthernet 1/0/1
[fw1-zone-trust]q
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface g1/0/0
[fw1-zone-untrust]q
[fw1]firewall zone dmz
[fw1-zone-dmz]add int g1/0/6
[fw1-zone-dmz]q
[fw2]firewall zone trust
[fw2-zone-trust]add int g1/0/1
[fw2-zone-trust]q
[fw2]firewall zone untrust
[fw2-zone-untrust]add int g1/0/0
[fw2-zone-untrust]q
[fw2]firewall zone dmz
[fw2-zone-dmz]add int g1/0/6
[fw2-zone-dmz]q
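3: Configure the VRRP groups (this lab needs two VRRP groups: the two g1/0/0 interfaces at the top form one group and the two g1/0/1 interfaces at the bottom form the other; the upper group uses vrid 2, the lower one vrid 1)
################# Group 2 configuration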
[fw1]int g1/0/0
[fw1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 active // group 2; this device is the master of group 2
[fw1-GigabitEthernet1/0/0]q
[fw2]int g1/0/0
[fw2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 standby // group 2; this device is the standby of group 2
[fw2-GigabitEthernet1/0/0]q
################# Group 1 configuration
[fw1]int g1/0/1
[fw1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 active
[fw1-GigabitEthernet1/0/1]q
[fw2]int g1/0/1
[fw2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[fw2-GigabitEthernet1/0/1]q
4: Configure the HRP heartbeat link
[fw1]hrp interface g1/0/6 remote 172.16.1.2
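[fw2]hrp interface g1/0/6 remote 172.16.1.1 // specify the heartbeat interface and the IP of the peer's interface
[fw2]hrp standby-device // designate this device as the backup
[fw2]hrp enable // enable HRP
[fw1]hrp enable // enable HRP
The firewall status then changes to the following ↓
5: Configure the security policy (from now on it only needs to be configured on the active device; the policy is synchronized to the standby device automatically). The (+B) suffix appears by itself after you press Enter.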
HRP_M[fw1]security-policy (+B)
HRP_M[fw1-policy-security]rule name name1 (+B)
HRP_M[fw1-policy-security-rule-name1]source-zone trust (+B)
HRP_M[fw1-policy-security-rule-name1]destination-zone untrust (+B)
HRP_M[fw1-policy-security-rule-name1]source-address 10.1.1.1 24 (+B)
HRP_M[fw1-policy-security-rule-name1]destination-address 192.168.1.1 24 (+B)
HRP_M[fw1-policy-security-rule-name1]service icmp (+B)
HRP_M[fw1-policy-security-rule-name1]action permit (+B)
HRP_M[fw1-policy-security-rule-name1]q
HRP_M[fw1-policy-security]q
Bring down one interface
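Added example, not part of the original post and not a Huawei tool: a small Python check over the VRRP and HRP commands from steps 3 and 4 that flags inconsistencies between the two firewalls in this active/standby layout (a vrid without exactly one active and one standby member, differing virtual IPs, a device mixing roles, a missing heartbeat or `hrp enable`, identical heartbeat remotes). The name `check_pair` is hypothetical and the input string is constructed from the commands above.

```python
import re
from collections import defaultdict

# Constructed input: the VRRP and HRP commands from steps 3 and 4, prompts included.
TRANSCRIPT = """\
[fw1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 active
[fw2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 standby
[fw1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 active
[fw2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[fw1]hrp interface g1/0/6 remote 172.16.1.2
[fw2]hrp interface g1/0/6 remote 172.16.1.1 // heartbeat
[fw2]hrp standby-device
[fw2]hrp enable// enable HRP
[fw1]hrp enable
"""

VRRP = re.compile(r"\[(\w+)-\S+\]vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")
HRP_IF = re.compile(r"\[(\w+)\]hrp interface (\S+) remote (\S+)$")
HRP_EN = re.compile(r"\[(\w+)\]hrp enable$")

def check_pair(transcript):
    """Return a list of consistency problems (hypothetical helper, not a Huawei tool)."""
    groups = defaultdict(list)            # vrid -> [(device, virtual-ip, role)]
    roles_by_dev = defaultdict(set)       # device -> roles it holds across groups
    remotes, enabled = {}, set()          # device -> heartbeat remote; devices with HRP on
    for raw in transcript.splitlines():
        line = raw.split("//")[0].strip() # drop the page's trailing // comments
        if m := VRRP.match(line):
            groups[int(m[2])].append((m[1], m[3], m[4]))
            roles_by_dev[m[1]].add(m[4])
        elif m := HRP_IF.match(line):
            remotes[m[1]] = m[3]
        elif m := HRP_EN.match(line):
            enabled.add(m[1])
    problems = []
    for vrid, members in sorted(groups.items()):
        roles = sorted(role for _, _, role in members)
        if roles != ["active", "standby"]:
            problems.append(f"vrid {vrid}: need one active and one standby, got {roles}")
        if len({vip for _, vip, _ in members}) != 1:
            problems.append(f"vrid {vrid}: virtual-ip differs between devices")
    for dev, roles in sorted(roles_by_dev.items()):
        if len(roles) > 1:                # active/standby layout: one role per device
            problems.append(f"{dev}: mixes active and standby groups")
        if dev not in remotes or dev not in enabled:
            problems.append(f"{dev}: hrp heartbeat or enable missing")
    if len(set(remotes.values())) < len(remotes):
        problems.append("hrp: both devices point at the same remote address")
    return problems
```

Calling `check_pair(TRANSCRIPT)` on the commands as posted returns an empty list; a saved console log from both devices can be passed in the same way.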
https://blog.csdn.net/sgslwms/article/details/121999919?spm=1001.2014.3001.5502