Huawei firewall hot standby (HRP), dual ISP access via China Telecom and China Unicom, and VRRP on the core switches

2022-05-18 17:40:42

Goal of this article: Huawei firewall hot standby (HRP), dual-ISP access from China Telecom and China Unicom with fixed IP addresses, and VRRP on the Huawei core switches.

To protect the customer's privacy, the Telecom and Unicom IP addresses used here are fictitious; any resemblance to real addresses is coincidental.

The real topology is shown below. Both Telecom and Unicom provided /29 subnets. With /30 subnets this design would not work: a /30 leaves only one usable host address besides the ISP gateway, whereas both firewalls need their own address in the ISP's subnet.

I later rebuilt the configuration in the simulator. Note that AR3 and the two switches below it only stand in for the ISP access; in the real environment these are just the two ONTs (optical modems).

I. Configuring the devices that simulate ISP access

1. Router AR3 configuration:

Configure the IP address of each interface and advertise them into OSPF. AR3's LoopBack0 address (3.3.3.3) can serve as the test destination on the "Internet" side.

interface GigabitEthernet0/0/0
 ip address 33.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 34.1.1.3 255.255.255.0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 33.1.1.3 0.0.0.0
  network 34.1.1.3 0.0.0.0
#

2. Switch SW3 configuration (simulated Telecom access):

Create the VLANs, configure the IP addresses, and advertise them into OSPF. GigabitEthernet0/0/1 and 0/0/2 (VLAN 222) face the two firewalls, so both firewalls sit in the same ISP subnet with 222.92.76.1 as their gateway.

vlan batch 33 130 222
#
interface Vlanif33
 ip address 33.1.1.1 255.255.255.0
#
interface Vlanif222
 ip address 222.92.76.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 222
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 222
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 33
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 222.92.76.1 0.0.0.0
  network 33.1.1.1 0.0.0.0
#

3. Switch SW4 configuration (simulated Unicom access; same pattern, with 130.1.1.1 as the gateway for both firewalls):

vlan batch 34 130
#
interface Vlanif34
 ip address 34.1.1.4 255.255.255.0
#
interface Vlanif130
 ip address 130.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 130
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 130
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 34
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 130.1.1.1 0.0.0.0
  network 34.1.1.4 0.0.0.0
#

II. Firewall configuration

FW1's configuration is used as the example.

1. Configure the IP address of each interface

2. Configure the NAT policies

Telecom NAT policy:

Unicom NAT policy:

3. Configure the security policy that permits Internet access:

4. Configure IP-Link (it can also be created while adding the default routes)

5. Configure the default routes

Telecom and Unicom each get one default route

6. Configure the return routes towards the LAN

7. Configure FW2; the steps are omitted since the method is the same as above

8. Configure hot standby on FW1 (active)

9. Configure hot standby on FW2 (standby)
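The steps above were shown in the original post as screenshots. As an added example that is not the author's configuration, here is how FW1's side of steps 1 to 9 reads in USG6000 (V500-style) CLI. The interface numbers, the 10.10.10.0/24 heartbeat subnet and the rule names are assumptions; the ISP-facing addresses follow the simulator (SW3's 222.92.76.1 and SW4's 130.1.1.1 as gateways, /24 in the simulator where the real links were /29), and the trust-side address 11.1.1.2/29 follows the static route on CE1. Lines beginning with `#` are annotations.

```text
#
# FW1 (active unit). Assumed: interface numbering, heartbeat subnet 10.10.10.0/24,
# rule names. ISP and trust addresses follow the simulated topology.
#
sysname FW1
#
interface GigabitEthernet1/0/1
 description to-Telecom
 ip address 222.92.76.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 description to-Unicom
 ip address 130.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/3
 description to-CE1
 ip address 11.1.1.2 255.255.255.248
#
interface GigabitEthernet1/0/7
 description HRP-heartbeat
 ip address 10.10.10.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 add interface GigabitEthernet1/0/7
#
# Step 4: one ICMP probe per ISP gateway. A default route that tracks an
# ip-link is withdrawn while the probe fails, so a dead ISP is not used.
ip-link check enable
ip-link name telecom
 destination 222.92.76.1 interface GigabitEthernet1/0/1 mode icmp
ip-link name unicom
 destination 130.1.1.1 interface GigabitEthernet1/0/2 mode icmp
#
# Step 5: two default routes with equal preference share the load across
# both ISPs. Step 6: return routes for the two user VLANs point at CE1.
ip route-static 0.0.0.0 0.0.0.0 222.92.76.1 track ip-link telecom
ip route-static 0.0.0.0 0.0.0.0 130.1.1.1 track ip-link unicom
ip route-static 192.168.9.0 255.255.255.0 11.1.1.1
ip route-static 192.168.10.0 255.255.255.0 11.1.1.1
#
# Step 2: source NAT keyed on the egress interface, so traffic leaving via
# Telecom is translated to the Telecom address and vice versa (easy-ip).
nat-policy
 rule name telecom-out
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  action source-nat easy-ip
 rule name unicom-out
  source-zone trust
  egress-interface GigabitEthernet1/0/2
  action source-nat easy-ip
#
# Step 3: only the two user VLANs may initiate traffic towards the ISPs.
security-policy
 rule name lan-to-internet
  source-zone trust
  destination-zone untrust
  source-address 192.168.9.0 mask 255.255.255.0
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
#
# Step 8: hot standby. Tracking the downlink (GigabitEthernet1/0/3) as well
# as both uplinks is what hands the active role to FW2 when CE1 fails.
hrp enable
hrp interface GigabitEthernet1/0/7 remote 10.10.10.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
#
```

FW2 (step 9) mirrors this with 222.92.76.3 and 130.1.1.3 on the ISP side, 13.1.1.2/29 towards CE2 with the return routes pointing at 13.1.1.1, heartbeat address 10.10.10.2 with `remote 10.10.10.1`, and additionally `hrp standby-device`. After `hrp enable` the security and NAT policies are synchronised from the active unit, while interface addresses, ip-links and static routes remain per device and have to be entered on both. If one ISP should only be a backup rather than share the load, give its default route a higher `preference` value.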

III. Core switch and access switch configuration

1. Core switch CE1 configuration

vlan batch 9 to 10
#
stp enable
stp mode mstp
#
stp region-configuration
 region-name test
 revision-level 1
 instance 1 vlan 9 to 10
 active region-configuration
#
stp instance 1 root primary
#
interface Vlanif9
 description ith
 ip address 192.168.9.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.9.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt timer delay 15
 vrrp vrid 1 track interface GE1/0/0 reduced 40
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.10.254
 vrrp vrid 2 priority 120
 vrrp vrid 2 track interface GE1/0/0 reduced 40
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 11.1.1.1 255.255.255.248
#
interface GE1/0/1
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan all
#
interface GE1/0/2
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
interface GE1/0/3
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.2 preference 50
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 70
#

How the failover works: CE1's VRRP priority is 120, and `track interface GE1/0/0 reduced 40` lowers it to 80 when the routed link to FW1 goes down, below CE2's default priority of 100, so CE2 takes over both virtual gateways; `preempt timer delay 15` stops CE1 from taking them back until its link has been up for 15 s. The preference-70 default route towards 13.1.1.2 (FW2) is only a real backup if CE1 can reach 13.1.1.0/29: nothing in the configuration shown gives CE1 a route to that subnet (it is not a connected network on CE1 and no routing protocol runs between the core switches), so the route cannot resolve its next hop and is not installed (`display ip routing-table` shows which routes are active); the same applies to CE2's route towards 11.1.1.2. As configured, moving traffic to the right-hand firewall relies on VRRP shifting the gateway to CE2, not on this route.

2. Core switch CE2 configuration

vlan batch 9 to 10
#
stp enable
stp mode mstp
#
stp region-configuration
 region-name test
 revision-level 1
 instance 1 vlan 9 to 10
 active region-configuration
#
stp instance 1 root secondary
#
interface Vlanif9
 ip address 192.168.9.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.9.254
#
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.10.254
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
interface GE1/0/1
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
interface GE1/0/2
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
interface GE1/0/3
 undo portswitch
 undo shutdown
 ip address 13.1.1.1 255.255.255.248
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.2 preference 70
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 50
#

CE2 keeps the default VRRP priority (100) and no preempt delay, which is what makes CE1 the master under normal conditions. All four switches must end up in the same MSTP region: `display stp region-configuration` should report region `test`, revision level 1 and VLANs 9 to 10 in instance 1 on CE1, CE2, SW1 and SW2, and the region settings only take effect once `active region-configuration` has been issued.

3. Access switch SW1 configuration:

vlan batch 9 to 10
#
stp region-configuration
 region-name test
 revision-level 1
 instance 1 vlan 9 to 10
 active region-configuration
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 9 to 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 9
 stp edged-port enable
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 10
 stp edged-port enable
#

The user-facing ports are edge ports so they forward immediately without waiting for STP convergence. Enabling `stp bpdu-protection` globally as well makes an edge port that receives a BPDU (a user-attached switch, or a host trying to become root) shut down instead of being pulled into the spanning tree.

4. Access switch SW2 configuration

The configuration is almost identical to SW1's, so it is not repeated here.

IV. Failover tests

1. Simulating a failure of the VRRP master switch

As shown in the figure above, after CE1 is stopped the Internet traffic switches to the right-hand side;

2. Simulating a failure of firewall FW1

After FW1 is stopped, the HRP state switches over: the standby unit on the right becomes active and Internet traffic moves to FW2, which shows the configuration is correct.
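The tests above power off a whole device. As an added example, not part of the original post, the commands below run the complementary test of taking only CE1's uplink to FW1 down, and list the checks that show where the gateway and the active firewall ended up. The firewall interface GigabitEthernet1/0/3 and the heartbeat addresses are the same assumptions as in the firewall example; lines beginning with `#` are annotations.

```text
#
# Test 1 variant, run on CE1: drop only the routed link to FW1.
# Expected: CE1's VRRP priority falls from 120 to 80, CE2 becomes Master
# for vrid 1 and vrid 2, and FW1 (which tracks its downlink) hands the
# HRP active role to FW2.
system-view
 interface GE1/0/0
  shutdown
  quit
 quit
#
# On CE1 and CE2: which unit holds the virtual gateways, and which
# default route is actually installed (the cross route to the other
# firewall's subnet will only appear if the switch can reach it).
display vrrp brief
display stp brief
display ip routing-table 0.0.0.0
#
# On FW1 and FW2: HRP role, state of the two ISP probes, and the routing
# table (a default route whose ip-link is down must be missing). If
# session backup is on, a session started before the failover, such as a
# continuous ping from a PC in VLAN 9, shows up in the new active unit's
# session table and keeps running.
display hrp state
display ip-link
display ip routing-table
display firewall session table
#
# Restore the link on CE1. VRRP waits out the 15 s preempt delay before
# CE1 is Master again; HRP preemption on the firewalls has its own delay,
# so re-check both after a minute.
system-view
 interface GE1/0/0
  undo shutdown
  quit
 quit
display vrrp brief
display hrp state
```

Run the same checks before the test to record the baseline (CE1 Master on both VRIDs, FW1 active, both ip-links up); the comparison makes it obvious which mechanism (VRRP tracking, HRP interface tracking, or ip-link) reacted to the fault.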
