详解防火墙VRRP、双机热备、MSTP综合配置

组网要求：

1. PC1（属于VLAN10）的网关在核心交换机SW1及SW2上；PC2的网关在FW1及FW2上；

2. PC1属于安全域Trust；PC2属于安全域Untrust；

3. 网络中一共存在四组VRRP，VRRP组1的虚拟IP地址作为PC1的网关；VRRP组3的虚拟IP地址作为SW1及SW2上默认路由的下一跳；VRRP组2的虚拟IP地址作为FW1及FW2上回程路由的下一跳；VRRP组4的虚拟IP地址作为PC2的网关；

4. FW1及FW2上不激活HRP（也就是说不运行双机热备）的情况下完成配置使得PC1能够ping通PC2，并且流量从PC1发出后，路径是PC1 -> SW1 -> FW1 -> SW4 -> PC2。

5. 断开FW1-SW1的互联线路，检查PC1及PC2的连通性，分析原因。

6. 在FW1的GE0/0/2口及FW2的GE0/0/2口之间增加一根连线（GE0/0/2口划入安全区域ha），激活HRP，防火墙以主备模式运行，FW1为主，FW2为备。

一、eNSP详解视频：

二、IP设置：

PC1:192.168.10.100/24，vlan10，网关：192.168.10.1

SW1：vlanif10:192.168.10.3/24,VRRP 1 virtual-ip:192.168.10.1

Vlanif210:192.168.210.12/24,VRRP 2 virtual-ip:192.168.210.1

SW2：vlanif10:192.168.10.2/24,VRRP 1 virtual-ip:192.168.10.1

Vlanif210:192.168.210.11/24,VRRP 2 virtual-ip:192.168.210.1

FW1：192.168.210.22/24,VRRP 3 virtual-ip:192.168.210.2

10.1.1.3/24,VRRP 4 virtual-ip:10.1.1.1

FW2：192.168.210.21/24,VRRP 3 virtual-ip:192.168.210.2

10.1.1.4/24,VRRP 4 virtual-ip:10.1.1.1

PC2:10.1.1.100/24，网关：10.1.1.1/24

三、SW3的主要配置文件：

#

sysname SW3

#

vlan batch 10

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 10

#

interface GigabitEthernet0/0/21

port link-type trunk

port trunk allow-pass vlan 10

#

interface GigabitEthernet0/0/22

port link-type trunk

port trunk allow-pass vlan 10

#

return

四、SW1的主要配置文件：

#

sysname SW1

#

vlan batch 10 210

#

stp instance 0 root primary   #将该设备设置为主根桥

#

interface Vlanif10

ip address 192.168.10.3 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.10.1 #创建VRRP组1

vrrp vrid 1 priority 120

vrrp vrid 1 track interface GigabitEthernet0/0/20 reduced 30  #监控接口的状态，如果down掉了，就将VRRP的优先级减少30，变优先级为90

#

interface Vlanif210

ip address 192.168.210.12 255.255.255.0

vrrp vrid 2 virtual-ip 192.168.210.1

vrrp vrid 2 priority 120

#

interface GigabitEthernet0/0/20

port link-type access

port default vlan 210

#

interface GigabitEthernet0/0/21

port link-type trunk

port trunk allow-pass vlan 10

#

interface GigabitEthernet0/0/24

port link-type trunk

port trunk allow-pass vlan 10 210

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 192.168.210.2

#

return

五、SW2的主要配置文件：

#

sysname SW2

#

vlan batch 10 210

#

stp instance 0 root secondary

#

interface Vlanif10

ip address 192.168.10.2 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.10.1

#

interface Vlanif210

ip address 192.168.210.11 255.255.255.0

vrrp vrid 2 virtual-ip 192.168.210.1

#

interface GigabitEthernet0/0/20

port link-type access

port default vlan 210

#

interface GigabitEthernet0/0/22

port link-type trunk

port trunk allow-pass vlan 10

#

interface GigabitEthernet0/0/24

port link-type trunk

port trunk allow-pass vlan 10 210

#

ip route-static 0.0.0.0 0.0.0.0 192.168.210.2

#

return

六、FW1的主要配置文件：

#

sysname FW1

#

hrp enable  #开启双机热备功能

hrp interface GigabitEthernet1/0/2 remote 1.1.1.2 #配置双击热备的设备接口和远端地址

#

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

ip address 192.168.0.1 255.255.255.0

alias GE0/METH

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 192.168.210.22 255.255.255.0

vrrp vrid 3 virtual-ip 192.168.210.2 active #创建VRRP组3，为主设备

service-manage ping permit #开启接口的ping权限

#

interface GigabitEthernet1/0/1

undo shutdown

#

interface GigabitEthernet1/0/2

undo shutdown

ip address 1.1.1.1 255.255.255.0

service-manage ping permit

#

interface GigabitEthernet1/0/3

undo shutdown

ip address 10.1.1.3 255.255.255.0

vrrp vrid 4 virtual-ip 10.1.1.1 active

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/0

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/3

#

firewall zone dmz

set priority 50

#

firewall zone name ha id 4

set priority 99

add interface GigabitEthernet1/0/2

#

firewall zone name fa id 5

#

ip route-static 192.168.10.0 255.255.255.0 192.168.210.1

#

security-policy

rule name LtoU

source-zone local

destination-zone trust

action permit

rule name TtoU

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

action permit

rule name HtoH

source-zone ha

destination-zone ha

action permit

rule name LtoH

source-zone local

destination-zone ha

action permit

#

Return

七、FW2的主要配置文件：

#

sysname FW2

#

hrp enable

hrp interface GigabitEthernet1/0/2 remote 1.1.1.1

#

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

ip address 192.168.0.1 255.255.255.0

alias GE0/METH

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 192.168.210.21 255.255.255.0

vrrp vrid 3 virtual-ip 192.168.210.2 standby

#

interface GigabitEthernet1/0/1

undo shutdown

#

interface GigabitEthernet1/0/2

undo shutdown

ip address 1.1.1.2 255.255.255.0

service-manage ping permit

#

interface GigabitEthernet1/0/3

undo shutdown

ip address 10.1.1.4 255.255.255.0

vrrp vrid 4 virtual-ip 10.1.1.1 standby

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/0

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/3

#

firewall zone dmz

set priority 50

#

firewall zone name ha id 4

set priority 99

add interface GigabitEthernet1/0/2

#

ip route-static 192.168.10.0 255.255.255.0 192.168.210.1

#

security-policy

rule name TtoU

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

action permit

rule name HtoH

source-zone ha

destination-zone ha

action permit

rule name LtoH

source-zone local

destination-zone ha

action permit

#

return

八、验证结果

1、PC1能正常ping通PC2。

PC>ping 10.1.1.100 -t

Ping 10.1.1.100: 32 data bytes, Press Ctrl_C to break

From 10.1.1.100: bytes=32 seq=1 ttl=126 time=78 ms

From 10.1.1.100: bytes=32 seq=2 ttl=126 time=62 ms

From 10.1.1.100: bytes=32 seq=3 ttl=126 time=78 ms

--- 10.1.1.100 ping statistics ---

3 packet(s) transmitted

3 packet(s) received

0.00% packet loss

round-trip min/avg/max = 62/72/78 ms

2、在SW3——SW1——FW1——FW4的链路上断开，PC1能够正常Ping通PC2。