VRRP dual-device hot standby
1: Configure the interface IPs (omitted)
2: Configure the security zones
[fw1]firewall zone trust
[fw1-zone-trust]add interface GigabitEthernet 1/0/1
[fw1-zone-trust]q
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface g1/0/0
[fw1-zone-untrust]q
[fw1]firewall zone dmz
[fw1-zone-dmz]add int g1/0/6
[fw1-zone-dmz]q
[fw2]firewall zone trust
[fw2-zone-trust]add int g1/0/1
[fw2-zone-trust]q
[fw2]firewall zone untrust
[fw2-zone-untrust]add int g1/0/0
[fw2-zone-untrust]q
[fw2]firewall zone dmz
[fw2-zone-dmz]add int g1/0/6
[fw2-zone-dmz]q
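3: Configure the VRRP groups (this lab needs two VRRP groups: the two g1/0/0 interfaces at the top form one group and the two g1/0/1 interfaces at the bottom form the other; the upper group uses vrid 2 and the lower group uses vrid 1)
################# Group 2 configuration
[fw1]int g1/0/0
[fw1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 active //group 2; set as the master of group 2
[fw1-GigabitEthernet1/0/0]q
[fw2]int g1/0/0
[fw2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 standby //group 2; set as the standby of group 2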
[fw2-GigabitEthernet1/0/0]q
################# Group 1 configuration
[fw1]int g1/0/1
[fw1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 active
[fw1-GigabitEthernet1/0/1]q
[fw2]int g1/0/1
[fw2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[fw2-GigabitEthernet1/0/1]q
4: Configure the HRP heartbeat link
[fw1]hrp interface g1/0/6 remote 172.16.1.2
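[fw2]hrp interface g1/0/6 remote 172.16.1.1 //specify the heartbeat interface and the IP of the peer's interface
[fw2]hrp standby-device //designate this device as the standby
[fw2]hrp enable //enable HRP
[fw1]hrp enable //enable HRP
The firewall status then changes to this ↓
5: Configure the security policy (from now on it only needs to be configured on the active device; the policy is synchronized to the standby device automatically). The (+B) appears by itself after you press Enter.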
HRP_M[fw1]security-policy (+B)
HRP_M[fw1-policy-security]rule name name1 (+B)
HRP_M[fw1-policy-security-rule-name1]source-zone trust (+B)
HRP_M[fw1-policy-security-rule-name1]destination-zone untrust (+B)
HRP_M[fw1-policy-security-rule-name1]source-address 10.1.1.1 24 (+B)
HRP_M[fw1-policy-security-rule-name1]destination-address 192.168.1.1 24 (+B)
HRP_M[fw1-policy-security-rule-name1]service icmp (+B)
HRP_M[fw1-policy-security-rule-name1]action permit (+B)
HRP_M[fw1-policy-security-rule-name1]q
HRP_M[fw1-policy-security]q
Take one interface down
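A consistency check worth running before the failover test, as an added example that is not part of the original post: it compares the step 3 and step 4 commands of both firewalls and reports mismatched virtual IPs, wrong active/standby pairing, and missing or identical HRP heartbeat settings. The function names `parse` and `audit` and the prompt-stripped command strings are assumptions made for this example.

```python
import re

# Constructed input: the commands from steps 3 and 4 above, prompts stripped.
FW1 = """vrrp vrid 2 virtual-ip 192.168.1.254 active
vrrp vrid 1 virtual-ip 10.1.1.254 active
hrp interface g1/0/6 remote 172.16.1.2
hrp enable"""
FW2 = """vrrp vrid 2 virtual-ip 192.168.1.254 standby
vrrp vrid 1 virtual-ip 10.1.1.254 standby
hrp interface g1/0/6 remote 172.16.1.1
hrp standby-device
hrp enable"""

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")
HRP_RE = re.compile(r"hrp interface (\S+) remote (\S+)")

def parse(text):
    """Extract VRRP groups and HRP heartbeat settings from one device's commands."""
    lines = [ln.strip() for ln in text.splitlines()]
    hb = HRP_RE.search(text)
    return {
        "vrrp": {int(v): (ip, role) for v, ip, role in VRRP_RE.findall(text)},
        "remote": hb.group(2) if hb else None,
        "enabled": "hrp enable" in lines,
    }

def audit(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    issues = []
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        if vrid not in a["vrrp"] or vrid not in b["vrrp"]:
            issues.append(f"vrid {vrid}: configured on one device only")
            continue
        (ip_a, role_a), (ip_b, role_b) = a["vrrp"][vrid], b["vrrp"][vrid]
        if ip_a != ip_b:
            issues.append(f"vrid {vrid}: virtual-ip {ip_a} != {ip_b}")
        if {role_a, role_b} != {"active", "standby"}:
            issues.append(f"vrid {vrid}: roles {role_a}/{role_b}, need active+standby")
    if not (a["enabled"] and b["enabled"]):
        issues.append("hrp enable missing on at least one device")
    if a["remote"] is None or b["remote"] is None:
        issues.append("hrp heartbeat interface/remote missing")
    elif a["remote"] == b["remote"]:
        issues.append("both devices point hrp remote at the same address")
    return issues

if __name__ == "__main__":
    print(audit(parse(FW1), parse(FW2)) or "pair is consistent")
```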
https://blog.csdn.net/sgslwms/article/details/121999919?spm=1001.2014.3001.5502