双出口网络链路和设备双冗余案例
1、AR3模拟联通和电信运营商
2、2台防火墙vrrp+hrp双冗余,下联局域网vrrp 10.3.0.3地址,上联两条外线每条外线都分别vrrp虚拟一个地址1.1.1.1.和2.2.2.2.1。
3、防火墙外线地址和运营商给的外线地址不在同一个网段,每条都用vrrp冗余链路,涉及vrrp虚拟地址和接口地址非同网段原理配置(非同网段要带子网掩码)。
4、局域网一台服务器10.3.0.100对外发布web只在电信那条线上对外映射,并且要做源进源出,防止外线 联通用户回不了包,访问不到web服务器。
5、用防火墙ip-link功能对2条外线进行icmp测试,发现不通就自动切换线路。
6、保证局域网用户都能nat上网,两台防火墙上都做nat配置
7、10.0.0.0段用于本机对两台防火墙做web配置管理。
8、核心交换机应该是2台做css,但是模拟器不支持
FW1的配置:
HRP_M[USG6000V1]dis current-configuration
2023-06-05 14:00:41.590 +08:00
!Software Version V500R005C10SPC300
sysname USG6000V1
domain suffix-separator @
undo info-center enable
ipsec sha2 compatible enable
undo telnet server enable
undo telnet ipv6 server enable
clock timezone Beijing add 08:00:00
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.10.2
hrp auto-sync config static-route
update schedule location-sdb weekly Sun 06:23
firewall defend action discard
banner enable
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
firewall dataplane to manageplane application-apperceive default-action drop
undo ips log merge enable
decoding uri-cache disable
update schedule ips-sdb daily 03:25
update schedule av-sdb daily 03:25
update schedule sa-sdb daily 03:25
update schedule cnc daily 03:25
update schedule file-reputation daily 03:25
ip -instance default
ipv4-family
ip-link check enable
ip-link name dianxian
source-ip 1.1.1.1
destination 1.1.1.10 interface GigabitEthernet1/0/0 mode icmp
tx-interval 3
times 2
ip-link name liantong
source-ip 2.2.2.1
destination 2.2.2.10 interface GigabitEthernet1/0/6 mode icmp
tx-interval 3
times 2
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl- ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%8F-~%Vzyf8|!9{#yY^S=V-iK_qrjP|_TCJ)@c2G{|]7"-iNV@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%.2py+nH=|Ca]fN,2\49A/IPR^o97@QlGu@'Q7[+7o3eMIPU/@%@%
level 15
manager-user admin
password cipher @%@%ff~*28sVO7O,(dS)gf;Y.v==5E=%)DA21UV&CzRHL,:.v=@.@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
-group default-lns
interface GigabitEthernet0/0/0
undo shutdown
ip binding -instance default
ip address 10.0.0.6 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
service-manage ping permit
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 active
service-manage ping permit
interface GigabitEthernet1/0/3
undo shutdown
interface GigabitEthernet1/0/4
undo shutdown
interface GigabitEthernet1/0/5
undo shutdown
interface GigabitEthernet1/0/6
undo shutdown
ip address 10.0.12.1 255.255.255.0
vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.0 active
service-manage ping permit
interface Virtual-if0
interface NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/6
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10 track ip-link dianxian
ip route-static 0.0.0.0 0.0.0.0 2.2.2.10 track ip-link liantong
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
firewall detect ftp
nat server web protocol tcp global 1.1.1.1 www inside 10.3.0.100 www no-reverse
unr-route
nat server web2 protocol tcp global 2.2.2.1 www inside 10.3.0.100 www no-revers
e unr-route
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
pki realm default
sa
location
nat address-group group1 0
mode pat
section 0 1.1.1.1 1.1.1.1
nat address-group group2 1
mode pat
section 0 2.2.2.1 2.2.2.1
multi-linkif
mode proportion-of-weight
right-manager server-group
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
user-manage server-sync tsm
security-policy
default action permit
rule name dmz_local
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action permit
auth-policy
traffic-policy
policy-based-route
rule name web_80 1
ingress-interface GigabitEthernet1/0/2
source-address 10.3.0.100 mask 255.255.255.255
action pbr egress-interface GigabitEthernet1/0/0 next-hop 1.1.1.10
nat-policy
rule name out
source-zone trust
egress-interface GigabitEthernet1/0/0
source-address 10.3.0.0 mask 255.255.0.0
action source-nat address-group group1
rule name out2
source-zone trust
egress-interface GigabitEthernet1/0/6
source-address 10.3.0.0 mask 255.255.0.0
action source-nat address-group group2
quota-policy
pcp-policy
dns-transparent-policy
rightm-policy
return
FW2配置:
HRP_S[USG6000V1]dis current-configuration
2023-06-05 14:05:41.700 +08:00
!Software Version V500R005C10SPC300
sysname USG6000V1
domain suffix-separator @
undo info-center enable
ipsec sha2 compatible enable
undo telnet server enable
undo telnet ipv6 server enable
clock timezone Beijing add 08:00:00
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.10.1
hrp auto-sync config static-route
update schedule location-sdb weekly Sun 01:28
firewall defend action discard
banner enable
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
firewall dataplane to manageplane application-apperceive default-action drop
undo ips log merge enable
decoding uri-cache disable
update schedule ips-sdb daily 03:25
update schedule av-sdb daily 03:25
update schedule sa-sdb daily 03:25
update schedule cnc daily 03:25
update schedule file-reputation daily 03:25
ip -instance default
ipv4-family
ip-link check enable
ip-link name dianxian
source-ip 1.1.1.1
destination 1.1.1.10 interface GigabitEthernet1/0/0 mode icmp
tx-interval 3
times 2
ip-link name liantong
source-ip 2.2.2.1
destination 2.2.2.10 interface GigabitEthernet1/0/6 mode icmp
tx-interval 3
times 2
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl- ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%8F-~%Vzyf8|!9{#yY^S=V-iK_qrjP|_TCJ)@c2G{|]7"-iNV@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%.2py+nH=|Ca]fN,2\49A/IPR^o97@QlGu@'Q7[+7o3eMIPU/@%@%
level 15
manager-user admin
password cipher @%@%ff~*28sVO7O,(dS)gf;Y.v==5E=%)DA21UV&CzRHL,:.v=@.@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
-group default-lns
interface GigabitEthernet0/0/0
undo shutdown
ip binding -instance default
ip address 10.0.0.5 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
service-manage ping permit
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.10.2 255.255.255.0
service-manage ping permit
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 standby
service-manage ping permit
interface GigabitEthernet1/0/3
undo shutdown
interface GigabitEthernet1/0/4
undo shutdown
interface GigabitEthernet1/0/5
undo shutdown
interface GigabitEthernet1/0/6
undo shutdown
ip address 10.0.12.2 255.255.255.0
vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.0 standby
service-manage ping permit
interface Virtual-if0
interface NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/6
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10 track ip-link dianxian
ip route-static 0.0.0.0 0.0.0.0 2.2.2.10 track ip-link liantong
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
firewall detect ftp
nat server web protocol tcp global 1.1.1.1 www inside 10.3.0.100 www no-reverse
unr-route
nat server web2 protocol tcp global 2.2.2.1 www inside 10.3.0.100 www no-revers
e unr-route
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
pki realm default
sa
location
nat address-group group1 0
mode pat
section 0 1.1.1.1 1.1.1.1
nat address-group group2 1
mode pat
section 0 2.2.2.1 2.2.2.1
multi-linkif
mode proportion-of-weight
right-manager server-group
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
user-manage server-sync tsm
security-policy
default action permit
rule name dmz_local
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action permit
auth-policy
traffic-policy
policy-based-route
rule name web_80 1
ingress-interface GigabitEthernet1/0/2
source-address 10.3.0.100 mask 255.255.255.255
action pbr egress-interface GigabitEthernet1/0/0 next-hop 1.1.1.10
nat-policy
rule name out
source-zone trust
egress-interface GigabitEthernet1/0/0
source-address 10.3.0.0 mask 255.255.0.0
action source-nat address-group group1
rule name out2
source-zone trust
egress-interface GigabitEthernet1/0/6
source-address 10.3.0.0 mask 255.255.0.0
action source-nat address-group group2
quota-policy
pcp-policy
dns-transparent-policy
rightm-policy
return
关键配置:
源进源出:
vrrp检测:
ip-link检测配置
nat上外网配置:
对外服务80配置(这里可以考虑只写一条电信的来配置源进源出,多写了一条联通,不过没影响):
2个防火墙都要有两条默认路由
各接口配置:
