Huawei Firewall Hot Standby Case Breakdown (Word document download).docx
- Document ID: 22304199
- Uploaded: 2023-02-03
- Format: DOCX
- Pages: 35
- Size: 983.76KB
24:27 FW-B %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/2 has turned into DOWN state.
25 FW-B %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1: BACKUP changed to MASTER!
/0/1, Virtual Router 2:
25 FW-B %%01VGMP/4/STATE(l): Virtual Router Management Group SLAVE: SLAVE --> MASTER
-------------------------------------------------------------------------------------------------------------------------
HRP state on firewall B
HRP_M<FW-B> display hrp state
14:29:10 2015/12/23
The firewall's config state is:
Current state of virtual routers configured as slave:
 GigabitEthernet0/0/1 vrid 2: master (peer down)
 GigabitEthernet0/0/0 vrid 1:
Session table on firewall B (synchronized in real time from firewall A's session table, which keeps services uninterrupted)
----------------------------------------------------------------
display firewall session table
30:18 2015/12/23
Current Total Sessions: 5
icmp VPN: public --> public 192.168.3.253:30527[222.222.222.2:2092]-->222.222.222.1:2048
30783[222.222.222.2:2093]-->
31039[222.222.222.2:2094]-->
31295[222.222.222.2:2095]-->
31551[222.222.222.2:2096]-->
VRRP master/backup state on core switches A and B (VRRP on the core switches is linked to the port that connects to firewall A, so an abnormal state on firewall A triggers a switchover of the core switches' VRRP groups)
----------------------------------------------------------------
<Core-A> display vrrp brief
VRID  State   Interface  Type    Virtual IP
----------------------------------------------------------------
1     Backup  Vlanif2    Normal  10.0.0.1
3     Backup  Vlanif3    Normal  192.168.3.254
4     Backup  Vlanif4    Normal  192.168.4.254
Total: 3  Master: 0  Backup: 3  Non-active: 0
<Core-B>
1     Master  Vlanif2    Normal  10.0.0.1
3     Master  Vlanif3    Normal  192.168.3.254
4     Master  Vlanif4    Normal  192.168.4.254
3
----------------------------------------------------------------------------------------------------------------------------
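Traffic path at this point
3. Failure of the primary core switch
Ping test from an internal host to the external network (the failure of core switch A triggers an STP recalculation, so convergence is somewhat slower than with switch stacking or CSS; in practice it takes about 15 seconds)
VRRP state on core switch B (core switch A is abnormal, which triggers core switch B to take over as master of the VRRP groups)
----------------------------------------------------------------
dis vrrp brief
1     Master  Vlanif2    Normal  10.0.0.1
3 Backup: 0 Non-active: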
-------------------------------------------------------------------------------------------------------------------------------
HRP active/standby state on firewall A and firewall B
FW-A>
2015-12-23 14:46:28 FW-A %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/1 has turned into DOWN state.
28 FW-A %%01VRRP/4/STATEWARNING(l): GigabitEthernet0/0/1, Virtual Router 2: MASTER changed to INITIALIZE!
28 FW-A %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER: MASTER --> MASTER_TO_SLAVE
MASTER_TO_SLAVE --> SLAVE
0/0, Virtual Router 1: MASTER changed to BACKUP!
HRP_S<
53:36 2015/12/23
Current state of virtual routers configured as master:
 GigabitEthernet0/0/1 vrid 2: initialize (down)
slave
55:16 2015/12/23
master
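The failover sequence in the logs above can be replayed to confirm that exactly one firewall ends up active and that every VRRP group followed its VGMP group. This is an added example, not part of the original document; the sample lines are constructed in the page's log format with message spacing reconstructed, and the function names are hypothetical.

```python
import re
# Constructed sample in the log format shown on this page; the FW-B timestamps are invented.
SAMPLE_LOG = """\
2015-12-23 14:46:28 FW-A %%01IFNET/4/LINK_STATE(l): Line protocol on interface GigabitEthernet0/0/1 has turned into DOWN state.
2015-12-23 14:46:28 FW-A %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2: MASTER changed to INITIALIZE!
2015-12-23 14:46:28 FW-A %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER: MASTER --> MASTER_TO_SLAVE
2015-12-23 14:46:28 FW-A %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER: MASTER_TO_SLAVE --> SLAVE
2015-12-23 14:46:28 FW-A %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1: MASTER changed to BACKUP!
2015-12-23 14:46:29 FW-B %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/0, Virtual Router 1: BACKUP changed to MASTER!
2015-12-23 14:46:29 FW-B %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet0/0/1, Virtual Router 2: BACKUP changed to MASTER!
2015-12-23 14:46:29 FW-B %%01VGMP/4/STATE(l): Virtual Router Management Group SLAVE: SLAVE --> MASTER
"""

HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) %%01(\w+)/\d/\w+\(l\): (.*)$")
VRRP = re.compile(r"Interface: (\S+), Virtual Router (\d+): \w+ changed to (\w+)!")
VGMP = re.compile(r"Virtual Router Management Group \w+: \w+ --> (\w+)")
LINK = re.compile(r"Line protocol on interface (\S+) has turned into DOWN state")

def summarize(log):
    """Replay the log; return per-host final VGMP role, VRRP state per VRID, and down links."""
    hosts = {}
    for raw in log.splitlines():
        head = HEAD.match(raw.strip())
        if not head:
            continue  # not a device log line (prompt, banner, blank)
        _, host, module, msg = head.groups()
        st = hosts.setdefault(host, {"vgmp": None, "vrrp": {}, "links_down": []})
        if module == "VRRP" and (m := VRRP.search(msg)):
            st["vrrp"][int(m[2])] = m[3]
        elif module == "VGMP" and (m := VGMP.search(msg)):
            st["vgmp"] = m[1]
        elif module == "IFNET" and (m := LINK.search(msg)):
            st["links_down"].append(m[1])
    return hosts

def check(hosts):
    """Flag dual-active or no-active pairs and VRRP states that disagree with the VGMP role."""
    problems = []
    masters = sorted(h for h, s in hosts.items() if s["vgmp"] == "MASTER")
    if len(masters) != 1:
        problems.append(f"expected exactly one VGMP MASTER, found {masters}")
    for host, s in sorted(hosts.items()):
        for vrid, state in sorted(s["vrrp"].items()):
            if (s["vgmp"] == "MASTER") != (state == "MASTER"):
                problems.append(f"{host}: VGMP {s['vgmp']} but vrid {vrid} is {state}")
    return problems

if __name__ == "__main__":
    print(check(summarize(SAMPLE_LOG)) or "failover consistent")
```

An empty result from `check` means the pair converged to one active unit; any entry points at the host and VRID to inspect with `display hrp state`.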
Traffic path in this case
4. Failure of the primary link
Ping from an internal host to an external address (taking the primary link down triggers an HRP active/standby switchover on the firewalls but does not trigger a VRRP switchover on the core switches)
15:05:39 2015/12/23
display hrp state
07:00 2015/12/23
VRRP master/backup state on core switch A and core switch B
----------------------------------------------------------------
3     Master  Vlanif3    Normal  192.168.3.254
4     Master  Vlanif4    Normal  192.168.4.254
1     Backup  Vlanif2    Normal  10.0.0.1
4     Backup  Vlanif4    Normal  192.168.4.254
Traffic path in this case
VI. Device configuration
1. Firewall A configuration
display current-configuration
13:44 2015/12/23
#
stp region-configuration
 region-name a07fd81520e0
 active region-configuration
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 172.31.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 222.222.222.2 255.255.255.0 master
 vrrp virtual-mac enable
interface GigabitEthernet0/0/1
 ip address 10.0.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.0.254 master
interface GigabitEthernet0/0/2
 ip address 1.1.1.1 255.255.255.252
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface NULL0
 alias NULL0
firewall zone local
 set priority 100
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
firewall zone dmz
 set priority 50
firewall zone name hrp
 set priority 95
 add interface GigabitEthernet0/0/2
aaa
 local-user admin password cipher %$%$wJn>:F9}OK>IC%K%pW8"1md[%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 accounting-scheme default
 domain default
nqa-jitter tag-version 1
ip route-static 192.168.3.0 255.255.255.0 10.0.0.1
ip route-static 192.168.4.0 255.255.255.0 10.0.0.1
banner enable
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 protocol inbound all
slb
right-manager server-group
sysname FW-A
l2tp domain suffix-separator @
hrp mirror session enable
hrp enable
hrp interface GigabitEthernet0/0/2
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default
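The firewall A configuration above contains several management-plane settings worth reviewing before a design like this leaves the lab: Telnet logins, a console with no authentication, and a default permit from the untrust zone to the firewall itself. The following check is an added example, not part of the original document; the rule list is a selection made here, the excerpt is built from lines of the configuration above, and it assumes the one-space indentation of a device export.

```python
import re

# Constructed excerpt: lines taken from the firewall A configuration shown on this page.
SAMPLE_CONFIG = """\
aaa
 local-user admin service-type web terminal telnet
 local-user admin level 15
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 protocol inbound all
hrp enable
hrp interface GigabitEthernet0/0/2
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local untrust direction inbound
"""

# (regex on one stripped line, finding template); {s} is the enclosing section, {m} the regex group.
RULES = [
    (r"^local-user (\S+) service-type .*\btelnet\b",
     "user {m} is allowed to log in over Telnet (cleartext)"),
    (r"^authentication-mode (none)$", "{s}: logins are accepted without authentication"),
    (r"^protocol inbound (all|telnet)$", "{s}: Telnet is accepted ('protocol inbound {m}')"),
    (r"^firewall packet-filter default permit interzone local (untrust) direction inbound$",
     "default action permits untrust-zone traffic to the firewall itself"),
]

def audit(config):
    """Return (line_number, finding) pairs for weak management-plane settings."""
    findings, section = [], "global"
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):
            section = line  # a top-level command opens a new section
        for pattern, template in RULES:
            match = re.search(pattern, line)
            if match:
                findings.append((number, template.format(s=section, m=match[1])))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
```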