目录
引言
主备备份实验
1、基本配置
2、双机热备配置
查看双机热备状态
主备切换
路由影响
引言
传统VRRP方式无法实现主、备用防火墙状态信息和多组VRRP状态的一致性,所以可能会导致流量的回包不从首包通过的防火墙回包,防火墙会因为状态检测机制丢弃此报文,所以防火墙使用VGMP统一管理VRRP的状态。
双机热备的部署模式有三种,主备备份、负载分担、镜像模式。其中主备分担和镜像模式的VGMP的状态,主是active,备是standby;而负载分担模式中,两个防火墙的状态都是load-balance。
主备备份实验
1、基本配置
FW1:(配置地址、VRRP、接口加入安全区域)
[FW1]interface GigabitEthernet1/0/0
[FW1-GigabitEthernet1/0/0] ip address 192.168.10.2 24
[FW1-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 192.168.10.1 active
[FW1]interface GigabitEthernet1/0/1
[FW1-GigabitEthernet1/0/1] ip address 1.1.1.2 29
[FW1-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.1 active
[FW1]interface GigabitEthernet1/0/2
[FW1-GigabitEthernet1/0/2] ip address 10.1.1.1 30[FW1]firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet1/0/1
[FW1]firewall zone name hrp
[FW1-zone-hrp] set priority 51
[FW1-zone-hrp] add interface GigabitEthernet1/0/2FW2:(配置地址、VRRP、接口加入安全区域)
[FW2]interface GigabitEthernet1/0/0
[FW2-GigabitEthernet1/0/0] ip address 192.168.10.3 24
[FW2-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 192.168.10.1 standby
[FW2]interface GigabitEthernet1/0/1
[FW2-GigabitEthernet1/0/1] ip address 1.1.1.3 29
[FW2-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.1 standby
[FW2]interface GigabitEthernet1/0/2
[FW2-GigabitEthernet1/0/2] ip address 10.1.1.2 30
[FW2]firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet1/0/0
[FW2]firewall zone untrust
[FW2-zone-untrust] add interface GigabitEthernet1/0/1
[FW2]firewall zone name hrp
[FW2-zone-hrp] set priority 51
[FW2-zone-hrp] add interface GigabitEthernet1/0/2
2、双机热备配置
FW1:(配置心跳接口、开启HRP)
[FW1]hrp interface G1/0/2 remote 10.1.1.2
[FW1]hrp enableFW2: (配置心跳接口、开启HRP)
[FW2]hrp interface g1/0/2 remote 10.1.1.1
[FW2]hrp enable
查看双机热备状态
FW1:(作为主设备,Role 为Active)
HRP_M[FW1]display hrp state verbose
2025-03-16 03:11:08.760 Role: active, peer: standbyRunning priority: 45000, peer: 45000Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 0 minutesLast state change information: 2025-03-16 3:07:01 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:hello interval: 1000mspreempt: 60smirror configuration: offmirror session: offtrack trunk member: onauto-sync configuration: onauto-sync connection-status: onadjust ospf-cost: onadjust ospfv3-cost: onadjust bgp-cost: onnat resource: off
Detail information:GigabitEthernet1/0/0 vrrp vrid 1: activeGigabitEthernet1/0/1 vrrp vrid 2: activeospf-cost: +0ospfv3-cost: +0bgp-cost: +0FW2: (作为备设备,Role 为Standby)
HRP_S[FW2]display hrp state verbose
2025-03-16 03:10:43.150 Role: standby, peer: activeRunning priority: 45000, peer: 45000Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 0 minutesLast state change information: 2025-03-16 3:07:01 HRP link changes to up.
Configuration:hello interval: 1000mspreempt: 60smirror configuration: offmirror session: offtrack trunk member: onauto-sync configuration: onauto-sync connection-status: onadjust ospf-cost: onadjust ospfv3-cost: onadjust bgp-cost: onnat resource: off
Detail information:GigabitEthernet1/0/0 vrrp vrid 1: standbyGigabitEthernet1/0/1 vrrp vrid 2: standbyospf-cost: +65500ospfv3-cost: +65500bgp-cost: +100验证备机无法配置安全策略、NAT策略等等,比如进入NAT策略的视图都会报错。
HRP_S[FW2]nat-policy Error: The device is in HRP standby state, so this command can not be executed.
主备切换
FW1:关闭主防火墙的一个配置了VRRP的接口
HRP_M[FW1]interface g1/0/1 (+B)
HRP_M[FW1-GigabitEthernet1/0/1]shutdown FW1:主防火墙的角色会立马发生转变,变成Role 是 Standby
HRP_S[FW1]display hrp state
2025-03-16 03:14:00.580 Role: standby, peer: active (should be "active-standby")Running priority: 44998, peer: 45000Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 0 minutesLast state change information: 2025-03-16 3:13:45 HRP core state changed, old_state = normal, new_state = abnormal(standby), local_priority = 44998, peer_priority = 45000.FW2:备防火墙的角色会立马发生转变,变成Role 是 Active
HRP_M[FW2]display hrp state
2025-03-16 03:14:12.050 Role: active, peer: standby (should be "standby-active")Running priority: 45000, peer: 44998Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 0 minutesLast state change information: 2025-03-16 3:13:44 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.FW1:恢复主防火墙的接口,查看切换状态
HRP_S[FW1]interface g1/0/1 (+B)
HRP_S[FW1-GigabitEthernet1/0/1]undo shutdown (主防火墙一分钟之后会抢占回来,因为默认的抢占就是60S)
路由影响
双机热备除了主墙响应VRRP的地址以外,对于网络中路由的宣告也有影响。
备墙会增加OSPF、ISIS、BGP的cost值,从而影响网络的流量,走到主墙上。(在最后几行)
HRP_S[FW2]display hrp state verbose
2025-03-16 03:10:43.150 Role: standby, peer: activeRunning priority: 45000, peer: 45000Backup channel usage: 0.00%Stable time: 0 days, 0 hours, 0 minutesLast state change information: 2025-03-16 3:07:01 HRP link changes to up.
Configuration:hello interval: 1000mspreempt: 60smirror configuration: offmirror session: offtrack trunk member: onauto-sync configuration: onauto-sync connection-status: onadjust ospf-cost: onadjust ospfv3-cost: onadjust bgp-cost: onnat resource: off
Detail information:GigabitEthernet1/0/0 vrrp vrid 1: standbyGigabitEthernet1/0/1 vrrp vrid 2: standbyospf-cost: +65500ospfv3-cost: +65500bgp-cost: +100FW1 :(配置OSPF)
HRP_M[FW1]ospf 1 router-id 1.1.1.1
HRP_M[FW1-ospf-1]area 0
HRP_M[FW1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.7 FW2 :(配置OSPF)
HRP_S[FW2]ospf 1 router-id 2.2.2.2
HRP_S[FW2-ospf-1] area 0.0.0.0
HRP_S[FW2-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.7
HRP_S[FW2-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255ISP:(配置OSPF)
[ISP]inter g1/0
[ISP-GigabitEthernet1/0]ip address 1.1.1.4 29
[ISP]inter g2/0
[ISP-GigabitEthernet2/0]ip address 39.156.66.1 28
[ISP]ospf 1 router-id 3.3.3.3
[ISP-ospf-1]area 0
[ISP-ospf-1-area-0.0.0.0]network 39.156.66.0 0.0.0.15
[ISP-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.7PC (测试访问外部的服务器 )
VPCS> ping 39.156.66.14
84 bytes from 39.156.66.14 icmp_seq=1 ttl=62 time=15.340 ms
84 bytes from 39.156.66.14 icmp_seq=2 ttl=62 time=24.609 ms
84 bytes from 39.156.66.14 icmp_seq=3 ttl=62 time=16.693 ms
84 bytes from 39.156.66.14 icmp_seq=4 ttl=62 time=16.757 ms
84 bytes from 39.156.66.14 icmp_seq=5 ttl=62 time=15.839 ms查看会话表
FW1:
HRP_M[FW1]display firewall session table
2025-03-16 03:34:32.710 Current Total Sessions : 8icmp VPN: public --> public 192.168.10.10:49990 --> 39.156.66.14:2048FW2:(因为是备墙,所以会同步主墙的会话表,所以带有remote字样)
HRP_S[FW2]display firewall session table
2025-03-16 03:34:26.770 Current Total Sessions : 5icmp VPN: public --> public Remote 192.168.10.10:49990 --> 39.156.66.14:2048
