基于防火墙的VRRP技术--华为防火墙双机热备--VGMP

目录

主备备份双机热备配置

负载分担双机热备配置

---

为了解决多个VRRP备份组状态不一致的问题，华为防火墙引入VGMP（VRRP Group Management Protocol）来实现对VRRP备份组的统一管理，保证多个VRRP备份组状态的一致性。我们将防火墙上的所有VRRP备份组都加入到一个VGMP组中，由VGMP组来集中监控并管理所有的VRRP备份组状态。如果VGMP组检测到其中一个VRRP备份组的状态变化，则VGMP组会控制组中的所有VRRP备份组统一进行状态切换，保证各VRRP备份组状态的一致性。双机热备协议HRP（Huawei Redundancy Protocol）协议是承载在VGMP(Vrrp Group Management Protocol)报文上进行传输的，在Master和Backup防火墙设备之间备份关键配置命令和会话表状态信息，是双机热备协议。VGMP、HRP是华为私有协议

主备备份双机热备配置

在主备备份双机热备模式下，FW1既是PC1的网关也是PC2的网关，也是AR1回去的路由的默认下一跳。在主备备份双机热备模式下，假如FW1宕机了，FW2会立刻切换到Active状态，从而不影响主机与外界通信。

如图，PC1和PC2是企业内网的主机，属于不同的VLAN。AR1是边界路由器。FW1和FW2是企业内部防火墙，他们之间形成双机热备，FW1是active状态，FW2是standby状态。企业内网通过AR1的出端口通过NAT方式访问外网。在防火墙FW1上还配置链路追踪功能，追踪AR2的g0/0/0口，如果到达不了，则切换状态。AR1下面的配置

PC1

PC>ipconfig

IPv4 address......................: 192.168.1.10
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-30-73-39
Vlan .............................: 10

PC2

PC>ipconfig

IPv4 address......................: 192.168.2.10
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.2.254
Physical address..................: 54-89-98-AF-62-C9
Vlan..............................: 20

LSW1

#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
#

FW1

#
 hrp enable
 hrp interface GigabitEthernet1/0/0 remote 10.1.1.2
 hrp preempt delay 10
 hrp track ip-link track
#
ip-link check enable
ip-link name track
 destination 20.0.0.2 mode icmp
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.168.1.1 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.1.254 active
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 192.168.2.1 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.2.254 active
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.3.1 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.3.254 active
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1.10
 add interface GigabitEthernet1/0/1.20
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone name heartbeat id 4
 set priority 80
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.3
#
#
security-policy
 rule name TRUST_UN_TRUST
  source-zone trust
  destination-zone untrust
  service icmp
  action permit
#              

FW2

#
 hrp enable
 hrp interface GigabitEthernet1/0/0 remote 10.1.1.1
 hrp preempt delay 10
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.168.1.2 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.1.254 standby
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 192.168.2.2 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.2.254 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.3.254 standby
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1.10
 add interface GigabitEthernet1/0/1.20
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone name heartbeat id 4
 set priority 80
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.3
#
security-policy
 rule name TRUST_UN_TRUST
  source-zone trust
  destination-zone untrust
  service icmp
  action permit
#                                         

AR1

#
acl number 2000
 rule 5 permit source 192.168.2.0 0.0.0.255
 rule 10 permit source 192.168.1.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 192.168.3.3 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 20.0.0.1 255.255.255.0
 nat outbound 2000
#
ip route-static 192.168.1.0 255.255.255.0 192.168.3.254
ip route-static 192.168.2.0 255.255.255.0 192.168.3.254
#

AR2

#
interface GigabitEthernet0/0/0
 ip address 20.0.0.2 255.255.255.0
#

负载分担双机热备配置

在负载分担双机热备模式下，FW1是PC1的网关，FW2是PC2的网关。AR1回往PC1的下一跳是PC1，AR2回往PC2的下一跳是PC2。FW1和FW2之间形成负载分担双机热备关系，其实任何一个防火墙的接口down了，都不影响主机和外接通信。

如图，PC1和PC2是企业内网的主机，属于不同的VLAN。AR1是边界路由器。FW1和FW2是企业内部防火墙，他们之间形成双机热备，FW1既有active状态也有standby状态，FW2既有active状态也有standby状态。企业内网通过AR1的出端口通过NAT方式访问外网。

PC1

PC>ipconfig

IPv4 address......................: 192.168.1.10
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-30-73-39
Vlan..............................: 10

PC2

PC>ipconfig

IPv4 address......................: 192.168.2.10
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.2.254
Physical address..................: 54-89-98-AF-62-C9
Vlan..............................: 20

LSW1

[SW1]display current-configuration
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 stp edged-port enable
#

FW1

HRP_M[FW1]display current-configuration
#
 hrp enable
 hrp interface GigabitEthernet1/0/0 remote 10.1.1.2
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.168.1.1 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.1.254 active
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 192.168.2.1 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.2.254 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.3.1 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.3.253 active
 vrrp vrid 40 virtual-ip 192.168.3.254 standby
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1.10
 add interface GigabitEthernet1/0/1.20
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone name heartbeat id 4
 set priority 80
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.3
#
security-policy
 rule name TRUST_TO_UNTRUST
  source-zone trust
  destination-zone untrust
  service icmp
  action permit
#

FW2

HRP_S[FW2]display current-configuration
#
 hrp enable
 hrp interface GigabitEthernet1/0/0 remote 10.1.1.1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.168.1.2 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.1.254 standby
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 192.168.2.2 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.2.254 active
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.3.253 standby
 vrrp vrid 40 virtual-ip 192.168.3.254 active
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.10
 add interface GigabitEthernet1/0/1.20
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone name heartbeat id 4
 set priority 80
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.3
#
security-policy
 rule name TRUST_TO_UNTRUST
  source-zone trust
  destination-zone untrust
  service icmp
  action permit
#

AR1

[AR1]display current-configuration
#
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
 rule 10 permit source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/0
 ip address 192.168.3.3 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 20.0.0.1 255.255.255.0
 nat outbound 2000
#
ip route-static 192.168.1.0 255.255.255.0 192.168.3.253
ip route-static 192.168.2.0 255.255.255.0 192.168.3.254
#

AR2

[AR2]display current-configuration
#
interface GigabitEthernet0/0/0
 ip address 20.0.0.2 255.255.255.0
#

VRRP和VGMP官方参考：https://forum.huawei.com/enterprise/zh/thread-282263.html

附上负载分担模式下的ensp源文件：链接: https://pan.baidu.com/s/1S5xzALnyg8cmn_lTB_jd_w 密码: yez5

基于路由器的 VRRP ------------>基于路由器的VRRP技术--VRRP的应用

基于三层交换机的VRRP-------->基于三层交换机的VRRP--MSTP、VRRP的综合运用