华为防火墙双机热备，电信、联通双接入，核心交换机配置VRRP

本文配置目标：华为防火墙双机热备，电信和联通双运营商、固定IP接入，华为核心交换机配置VRRP。

为保护客户隐私，电信和联通的IP地址为虚构，如有雷同，纯属巧合。

真实拓扑图如下所示，电信和联通给的掩码都是29，如果掩码都是30，恐怕不能这么连接。

回来用模拟器还原了配置，注意AR3以及下面的两台交换机，是用来模拟运营商接入的，实际环境中只是两个光猫而已。

一、配置模拟运营商接入的设备

1、路由器的配置：

配置各接口IP，并且宣告进OSPF

interface GigabitEthernet0/0/0

ip address 33.1.1.3 255.255.255.0

#

interface GigabitEthernet0/0/1

ip address 34.1.1.3 255.255.255.0

#

interface LoopBack0

ip address 3.3.3.3 255.255.255.255

#

ospf 1 router-id 3.3.3.3

area 0.0.0.0

network 3.3.3.3 0.0.0.0

network 33.1.1.3 0.0.0.0

network 34.1.1.3 0.0.0.0

#

2、交换机SW3的配置：

创建VLAN，配置IP，并且宣告进OSPF

vlan batch 33 130 222

#

interface Vlanif33

ip address 33.1.1.1 255.255.255.0

#

interface Vlanif222

ip address 222.92.76.1 255.255.255.0

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 222

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 222

#

interface GigabitEthernet0/0/3

port link-type access

port default vlan 33

#

ospf 1 router-id 1.1.1.1

area 0.0.0.0

network 222.92.76.1 0.0.0.0

network 33.1.1.1 0.0.0.0

#

3、交换机SW4的配置：

vlan batch 34 130

#

interface Vlanif34

ip address 34.1.1.4 255.255.255.0

#

interface Vlanif130

ip address 130.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 130

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 130

#

interface GigabitEthernet0/0/3

port link-type access

port default vlan 34

#

ospf 1 router-id 4.4.4.4

area 0.0.0.0

network 130.1.1.1 0.0.0.0

network 34.1.1.4 0.0.0.0

#

二、防火墙的配置

以FW1的配置为例说明

1、配置各接口IP

2、配置NAT策略

电信的NAT策略：

联通的NAT策略：

3、配置上网案例策略：

4、配置IP-LINK，也可以在创建默认的路由顺便创建

5、配置默认路由

电信和联通各有一条默认路由

6、配置通向局域网的回程路由

7、配置FW2，过程略，方法同上；

8、在FW1上配置双机热备（主）

9、在FW2上配置双机热备（备）

三、核心交换机和接入交换机的配置

1、核心交换机CE1的配置

vlan batch 9 to 10

#

stp enable

Stp mode mstp

#

stp region-configuration

region-name test

revision-level 1

instance 1 vlan 9 to 10

#

stp instance 1 root primary

#

interface Vlanif9

description ith

ip address 192.168.9.1 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.9.254

vrrp vrid 1 priority 120

vrrp vrid 1 preempt timer delay 15

vrrp vrid 1 track interface GE1/0/0 reduce 40

#

interface Vlanif10

ip address 192.168.10.1 255.255.255.0

vrrp vrid 2 virtual-ip 192.168.10.254

vrrp vrid 2 priority 120

vrrp vrid 2 track interface GE1/0/0 reduce 40

#

interface GE1/0/0

undo portswitch

undo shutdown

ip address 11.1.1.1 255.255.255.248

#

interface GE1/0/1

undo shutdown

port link-type trunk

port trunk allow-pass vlan all

#

interface GE1/0/2

undo shutdown

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

interface GE1/0/3

undo shutdown

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

ip route-static 0.0.0.0 0.0.0.0 11.1.1.2 preference 50

ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 70

#

2、核心交换机CE2的配置

vlan batch 9 to 10

#

stp enable

Stp mode mstp

#

stp region-configuration

region-name test

revision-level 1

instance 1 vlan 9 to 10

#

stp instance 1 root secondary

#

interface Vlanif9

ip address 192.168.9.2 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.9.254

#

interface Vlanif10

ip address 192.168.10.2 255.255.255.0

vrrp vrid 2 virtual-ip 192.168.10.254

#

interface MEth0/0/0

undo shutdown

#

interface GE1/0/0

undo shutdown

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

interface GE1/0/1

undo shutdown

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

interface GE1/0/2

undo shutdown

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

interface GE1/0/3

undo portswitch

undo shutdown

ip address 13.1.1.1 255.255.255.248

#

ip route-static 0.0.0.0 0.0.0.0 11.1.1.2 preference 70

ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 50

#

3、接入交换机SW1的配置：

vlan batch 9 to 10

#

stp region-configuration

region-name test

revision-level 1

instance 1 vlan 9 to 10

active region-configuration

#

interface Ethernet0/0/1

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

interface Ethernet0/0/2

port link-type trunk

port trunk allow-pass vlan 9 to 10

#

interface Ethernet0/0/3

port link-type access

port default vlan 9

stp edged-port enable

#

interface Ethernet0/0/4

port link-type access

port default vlan 10

stp edged-port enable

#

4、接入交换机SW2的配置

和SW1的配置非常接近，就不再重复贴出来了。

四、灾难测试

1、模拟VRRP Master交换机故障

如上图所示，停止CE1交换机后，上网流量切换到右边了；

2、模拟防火墙FW1故障

关停防火墙FW1之后，HRP状态切换了，右侧备机切换为激活状态，上网流量切换到FW2上面了，说明配置正确。