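Firewall 1:
Step 1:
Configure the upstream and downstream service interfaces of USG6330-1. Assign an IP address to each interface and add it to the corresponding security zone.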
[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 10.1.2.1 24
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]interface GigabitEthernet 1/0/4
[USG6000V1-GigabitEthernet1/0/4]ip address 40.1.1.1 24
[USG6000V1-GigabitEthernet1/0/4]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/4
[USG6000V1-zone-untrust]q
Step 2:
1. Configure VRRP backup group 1 on interface GigabitEthernet1/0/4 and add it to the VGMP management group whose state is Active.
[USG6000V1]interface GigabitEthernet 1/0/4
[USG6000V1-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 24 active
[USG6000V1-GigabitEthernet1/0/4]q
2. Configure VRRP backup group 2 on interface GigabitEthernet1/0/1 and add it to the VGMP management group whose state is Active.
[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 active
[USG6000V1-GigabitEthernet1/0/1]q
Step 3:
Configure the heartbeat link of USG6330-1: assign an IP address to GigabitEthernet1/0/3.
[USG6000V1]interface GigabitEthernet 1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip address 30.1.1.1 24
[USG6000V1-GigabitEthernet1/0/3]q
Step 4:
1. Add GigabitEthernet1/0/3 to the DMZ zone.
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-dmz]q
2. Specify GigabitEthernet1/0/3 as the heartbeat interface.
[USG6000V1]hrp interface GigabitEthernet 1/0/3 remote 30.1.1.2
Step 5:
Configure the interzone forwarding policy between the Trust zone and the Untrust zone.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_sec
[USG6000V1-policy-security-rule-policy_sec]source-zone trust
[USG6000V1-policy-security-rule-policy_sec]destination-zone untrust
[USG6000V1-policy-security-rule-policy_sec]action permit
[USG6000V1-policy-security-rule-policy_sec]q
[USG6000V1-policy-security]q
Step 6:
Enable the HRP backup function.
[USG6000V1]hrp enable
Step 7:
View the VRRP information.
HRP_M[USG6000V1]display vrrp
HRP_M[USG6000V1]telnet server enable // Enable the Telnet service
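Firewall 2 (similar to Firewall 1):
Step 1:
Configure the upstream and downstream service interfaces of USG6330-1. Assign an IP address to each interface and add it to the corresponding security zone.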
[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 10.1.2.2 24
[USG6000V1-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/4
[USG6000V1-GigabitEthernet1/0/4]ip address 40.1.1.2 24
[USG6000V1-GigabitEthernet1/0/4]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/4
[USG6000V1-zone-untrust]q
Step 2:
1. Configure VRRP backup group 1 on interface GigabitEthernet1/0/4 and add it to the VGMP management group whose state is Active.
[USG6000V1]interface GigabitEthernet 1/0/4
[USG6000V1-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 24 active
[USG6000V1-GigabitEthernet1/0/4]q
2. Configure VRRP backup group 2 on interface GigabitEthernet1/0/1 and add it to the VGMP management group whose state is Active.
[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 active
[USG6000V1-GigabitEthernet1/0/1]q
Step 3:
Configure the heartbeat link of USG6330-1: assign an IP address to GigabitEthernet1/0/3.
[USG6000V1]interface GigabitEthernet 1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip address 30.1.1.2 24
[USG6000V1-GigabitEthernet1/0/3]q
Step 4:
1. Add GigabitEthernet1/0/3 to the DMZ zone.
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-dmz]q
2. Specify GigabitEthernet1/0/3 as the heartbeat interface.
[USG6000V1]hrp interface GigabitEthernet 1/0/3 remote 30.1.1.1
Step 5:
Configure the interzone forwarding policy between the Trust zone and the Untrust zone.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_sec
[USG6000V1-policy-security-rule-policy_sec]source-zone trust
[USG6000V1-policy-security-rule-policy_sec]destination-zone untrust
[USG6000V1-policy-security-rule-policy_sec]action permit
[USG6000V1-policy-security-rule-policy_sec]q
[USG6000V1-policy-security]q
Step 6:
Enable the HRP backup function.
[USG6000V1]hrp enable
Step 7:
View the VRRP information.
HRP_S[USG6000V1]display vrrp
HRP_M[USG6000V1]telnet server enable // Enable the Telnet service
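
An added example, not part of the original page: a Python check that compares the two devices' configurations for the settings that must agree in this setup, namely the VRRP group ID and virtual IP on each interface and each `hrp interface ... remote` address matching the peer's heartbeat interface IP. The sample configurations are constructed from the commands above with a deliberately mismatched vrid on the second device; the function names and the assumption that both peers use the same interface names are assumptions of this example.

```python
import ipaddress
import re

def parse(cli):
    """Extract per-interface IP/VRRP settings and the HRP heartbeat line."""
    cfg, cur = {"ifaces": {}, "hrp": None}, None
    for raw in cli.splitlines():
        line = re.sub(r"^[^\[]*\[[^\]]*\]", "", raw).strip()  # drop CLI prompt
        if m := re.match(r"interface (.+)", line):
            cur = cfg["ifaces"].setdefault(m[1].replace(" ", ""), {})
        elif m := re.match(r"hrp interface (.+) remote (\S+)", line):
            cfg["hrp"] = (m[1].replace(" ", ""), ipaddress.ip_address(m[2]))
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif cur is not None and (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line)):
            cur["vrrp"] = (int(m[1]), m[2])  # active/standby role is not compared
    return cfg

def check_pair(a, b):
    """Findings for settings that must agree between the two HRP peers."""
    # Assumption: both peers use the same interface names for the same roles.
    out = []
    for name in sorted(set(a["ifaces"]) & set(b["ifaces"])):
        va, vb = a["ifaces"][name].get("vrrp"), b["ifaces"][name].get("vrrp")
        if va != vb:
            out.append(f"{name}: VRRP (vrid, virtual-ip) differs: {va} vs {vb}")
    for label, me, peer in (("A", a, b), ("B", b, a)):
        hb_if, remote = me["hrp"] or (None, None)
        peer_ip = peer["ifaces"].get(hb_if, {}).get("ip")
        if peer_ip is None or peer_ip.ip != remote:
            out.append(f"{label}: hrp remote {remote} is not the peer's {hb_if} address")
    return out

# Constructed sample input modelled on the page; FW_B's vrid is deliberately wrong.
FW_A = """interface GigabitEthernet 1/0/1
ip address 10.1.2.1 24
vrrp vrid 2 virtual-ip 10.1.2.3 active
interface GigabitEthernet 1/0/3
ip address 30.1.1.1 24
hrp interface GigabitEthernet 1/0/3 remote 30.1.1.2"""
FW_B = """interface GigabitEthernet 1/0/1
ip address 10.1.2.2 24
vrrp vrid 1 virtual-ip 10.1.2.3 active
interface GigabitEthernet 1/0/3
ip address 30.1.1.2 24
hrp interface GigabitEthernet 1/0/3 remote 30.1.1.1"""

if __name__ == "__main__":
    print("\n".join(check_pair(parse(FW_A), parse(FW_B))) or "peers consistent")
```

The parser also accepts lines that still carry their CLI prompt, so a pasted terminal session can be checked directly.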