虚拟机双机热备解决方案(详解防火墙VRRP、双机热备、链路聚合、MSTP综合配置)
三石哥 2022-07-13 14:57:57 261
组网要求:
1. PC1(VLAN10)Server(VLAN20)的网关在FW1及FW2上(VRRP组1及组2的虚拟IP地址);PC2的网关在FW1及FW2上(VRRP组3的虚拟IP地址);
2. PC1属于Trust区域;Server属于DMZ区域;PC2属于Untrust区域;
3. 网络中一共存在三组VRRP,VRRP组1的虚拟IP地址作为PC1的网关;VRRP组2的虚拟IP地址作为Server的网关地址;VRRP组3的虚拟IP地址作为PC2的网关;
4. FW1及FW2运行双机热备,FW1为主,FW2为备;两台防火墙的GE0/0/2口为心跳接口,专用于HRP,同时将该接口划分到一个自定义的安全区域ha之中;
5. PC1能够主动访问PC2,但PC2无法主动访问PC1;当PC1访问Server1时,使用源地址NAT,NAT地址池为10.1.1.200到10.1.1.210这个区间的IP。
6. PC2能够访问Server的FTP服务,当其访问时,使用的目的IP地址是10.1.1.211,目的端口号是65111。
一、eNSP详解视频:
重播
播放
00:00/00:00正在直播
00:00
进入全屏
点击按住可拖动视频
二、IP设置:
PC1:192.168.10.100/24,vlan10,网关:192.168.10.1
Server1:192.168.20.100/24,vlan20,网关:192.168.20.1
FW1:ge1/0/0.10:192.168.10.3/24,VRRP 1 virtual-ip:192.168.10.1
ge1/0/0.20:192.168.20.3/24,VRRP 2 virtual-ip:192.168.20.1
ge1/0/3:10.1.1.3/24,VRRP 3 virtual-ip:10.1.1.1
FW2:ge1/0/0.10:192.168.10.2/24,VRRP 1 virtual-ip:192.168.10.1
ge1/0/0.20:192.168.20.2/24,VRRP 2 virtual-ip:192.168.20.1
ge1/0/3:10.1.1.2/24,VRRP 3 virtual-ip:10.1.1.1
三、SW3的主要配置文件:
#
sysname SW3
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
四、SW1的主要配置文件:
#
sysname SW1
#
vlan batch 10 20
#
stp instance 0 root primary
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp-static
#
interface GigabitEthernet0/0/20
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
Return
五、SW2的主要配置文件:
#
sysname SW2
#
vlan batch 10 20
#
stp instance 0 root secondary
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp-static
#
interface GigabitEthernet0/0/20
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
return
六、FW1的主要配置文件:
#
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/2 remote 1.1.1.2
#
interface GigabitEthernet1/0/0
undo shutdown
undo service-manage enable
#
interface GigabitEthernet1/0/0.10
vlan-type dot1q 10
ip address 192.168.10.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1 active
service-manage ping permit
#
interface GigabitEthernet1/0/0.20
vlan-type dot1q 20
ip address 192.168.20.3 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.20.1 active
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.1.1.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.1.1 active
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0.10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
detect ftp
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/0.20
#
firewall zone name ha id 4
set priority 90
add interface GigabitEthernet1/0/2
#
firewall detect ftp
#
nat server 0 zone untrust protocol tcp global 10.1.1.211 65111 inside 192.168.2
0.100 ftp
#
nat address-group 1 0
mode pat
section 0 10.1.1.200 10.1.1.210
#
security-policy
rule name TtoU
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
rule name UtoD
source-zone untrust
destination-zone dmz
destination-address 192.168.20.100 mask 255.255.255.255
action permit
rule name TtoD
source-zone trust
destination-zone dmz
destination-address 192.168.20.100 mask 255.255.255.255
action permit
#
nat-policy
rule name TtoD
source-zone trust
destination-zone dmz
source-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.20.100 mask 255.255.255.255
action source-nat address-group 1
#
return
七、FW2的主要配置文件:
#
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/2 remote 1.1.1.1
#
interface GigabitEthernet1/0/0.10
vlan-type dot1q 10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1 standby
#
interface GigabitEthernet1/0/0.20
vlan-type dot1q 20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.20.1 standby
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.1.1.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.1.1 standby
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0.10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
detect ftp
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/0.20
#
firewall zone name ha id 4
set priority 90
add interface GigabitEthernet1/0/2
#
firewall detect ftp
#
nat server 0 zone untrust protocol tcp global 10.1.1.211 65111 inside 192.168.20.100 ftp
#
nat address-group 1 0
mode pat
section 0 10.1.1.200 10.1.1.210
#
security-policy
rule name TtoU
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
rule name UtoD
source-zone untrust
destination-zone dmz
destination-address 192.168.20.100 mask 255.255.255.255
action permit
rule name TtoD
source-zone trust
destination-zone dmz
destination-address 192.168.20.100 mask 255.255.255.255
action permit
#
nat-policy
rule name TtoD
source-zone trust
destination-zone dmz
source-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.20.100 mask 255.255.255.255
action source-nat address-group 1
#
return
八、验证结果
1、PC1能正常ping通PC2。
PC>ping 10.1.1.100 -t
Ping 10.1.1.100: 32 data bytes, Press Ctrl_C to break
From 10.1.1.100: bytes=32 seq=1 ttl=126 time=78 ms
From 10.1.1.100: bytes=32 seq=2 ttl=126 time=62 ms
From 10.1.1.100: bytes=32 seq=3 ttl=126 time=78 ms
--- 10.1.1.100 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/72/78 ms
2、在SW3——SW1——FW1——FW4的链路上断开,PC1能够正常Ping通PC2。
3、PC2可以通过ftp 10.1.1.211:65111访问Server1的ftp服务。
4、PC1访问Server1时是转换成10.1.1.200至10.1.1.210的ip地址后访问server1的
HRP_M[FW2]dis firewall session table
2021-01-22 05:15:08.660
Current Total Sessions : 9
icmp VPN: public --> public 192.168.10.100:24671[10.1.1.208:2056]--> 192.168
.20.100:2048
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至 3561739510@qq.com 举报,一经查实,本站将立刻删除。
转载请注明来自专注SEO技术,教程,推广 - 8848SEO,本文标题:《虚拟机双机热备解决方案(详解防火墙VRRP、双机热备、链路聚合、MSTP综合配置)》
标签:防火墙
- 搜索
- 最新文章
- 热门文章
-
- 快手怎么发1到15分钟长视频?上传有什么技巧?
- 淘宝直播入口在哪?如何观看?
- 京东达人怎么注册?申请需要什么条件?
- 淘宝直播在哪进入?商家开通需要什么条件?
- 闲鱼怎么提高曝光率?如何推广最有效?
- 微信发的消息超过两分钟怎么撤回?超时怎么补救?
- 为什么多多买菜的东西这么便宜?能放心吃用吗?
- 淘工厂直营店的东西质量怎么样?是正品吗?
- 抖音作品撤程(如何在抖音上撤回已发布的作品)
- 抖音访客记录保存多久(探究抖音访客记录的生命周期与应用场景)
- 小红书怎么创建粉丝群聊?如何引流到微信?
- 微信封号前的征兆有哪些?会提示警告几次?
- 微信电影票怎么退?步骤有哪些?
- 外国抖音怎么才能看?国际版在中国能用吗?
- 淘票票不支持退票的票怎么退?怎么投诉平台?
- 如何在抖音达人广场获得更多关注(分享15个小技巧)
- 抖音视频如何撤回(教你轻松撤回发布的视频)
- 拼多多带货怎么赚佣金?操作流程有哪些?
- 京东e卡能买哪些东西?一千能回收多少钱?
- 快手赞赏功能怎么开通?需要满足什么条件?
- 热门tag