DS002104Eudemon防火墻雙機(jī)熱備業(yè)務(wù)上機(jī)指導(dǎo)書ISSUE1

修訂記錄課程編碼適用產(chǎn)品產(chǎn)品版本課程版本ISSUEDS002104EudemonALL1.00開發(fā)/優(yōu)化者時間審核人開發(fā)類型（新開發(fā)/優(yōu)化）盧希2009-5-15凃昭新開發(fā)頁路由模式+主備組網(wǎng)方式的雙機(jī)熱備技術(shù)在Eudemon防火墻上的部署組網(wǎng)及業(yè)務(wù)描述路由模式+主備組網(wǎng)方式Eudemon作為安全設(shè)備被部署在業(yè)務(wù)節(jié)點(diǎn)上。其中上下行設(shè)備均是交換機(jī)，EudemonA、EudemonB分別充當(dāng)主用設(shè)備和備用設(shè)備，且均工作在路由模式下。網(wǎng)絡(luò)規(guī)劃如下：需要保護(hù)的網(wǎng)段地址為/24，與防火墻的GigabitEthernet0/0/0接口相連，部署在Trust區(qū)域。外部網(wǎng)絡(luò)與防火墻的GigabitEthernet0/0/2接口相連，部署在Untrust區(qū)域。兩臺防火墻的HRP備份通道接口GigabitEthernet0/0/1部署在DMZ區(qū)域。兩臺防火墻分別通過交換機(jī)連接各個安全區(qū)域。其中，各安全區(qū)域?qū)?yīng)的備份組虛擬IP地址如下：Trust區(qū)域?qū)?yīng)的備份組虛擬IP地址為。Untrust區(qū)域?qū)?yīng)的備份組虛擬IP地址為。DMZ區(qū)域?qū)?yīng)的備份組虛擬IP地址為。防火墻和PC地址規(guī)劃如下：EudemonA：GE0/0/0：/24；GE0/0/1：/24；GE0/0/2：/24EudemonB：GE0/0/0：/24；GE0/0/1：/24；GE0/0/2：/24PC1：~54/24PC2：~54/24實驗要求：1、完成防火墻雙機(jī)熱備配置，使PC1可以ping通PC2，PC2無法ping通PC1。2、宕掉主用防火墻的一個HRP備份通道接口，主用防火墻管理組優(yōu)先級發(fā)生變化，導(dǎo)致主備倒換。查看主備防火墻倒換對于從PC1發(fā)往PC2的數(shù)據(jù)包的影響。命令行列表操作版本命令配置VRRP備份組的虛擬IP地址并指定備份組所屬的管理組。VRP3.30vrrpvridvirtual-router-IDvirtual-ipvirtual-address[ip-mask|ip-mask-length]{slave|master}使能HRP功能。VRP3.30hrpenable創(chuàng)建備份會話表的通道接口。VRP3.30hrpinterfaceinterface-typeinterface-numbertransfer-only使能配置命令和連接狀態(tài)的自動備份。VRP3.30hrpauto-sync[config[batch-backup]|connection-status]配置流程圖防火墻基本配置防火墻基本配置配置VRRP備份組配置HRP配置步驟基本配置：配置接口的IP地址；將接口分別添加到對應(yīng)的區(qū)域；配置區(qū)域間包過濾規(guī)則。配置VRRP備份組并制定備份組所屬的管理組。創(chuàng)建備份會話表的通道接口并使能HRP功能。使能配置命令和連接狀態(tài)的自動備份功能。具體配置及實驗結(jié)果驗證EudemonA的基本配置：#配置主機(jī)名<Eudemon>system-view[Eudemon]sysnameEudemonA#配置接口IP地址[EudemonA]interfaceGigabitEthernet0/0/0[EudemonA-GigabitEthernet0/0/0]ipaddress24[EudemonA-GigabitEthernet0/0/0]quit[EudemonA]interfaceGigabitEthernet0/0/1[EudemonA-GigabitEthernet0/0/1]ipaddress24[EudemonA-GigabitEthernet0/0/1]quit[EudemonA]interfaceGigabitEthernet0/0/2[EudemonA-Ethernet0/0/2]ipaddress24[EudemonA-Ethernet0/0/2]quit#添加接口至對應(yīng)區(qū)域[EudemonA]firewallzonetrust[EudemonA-zone-trust]addinterfaceGigabitEthernet0/0/0[EudemonA-zone-trust]quit[EudemonA]firewallzonedmz[EudemonA-zone-dmz]addinterfaceGigabitEthernet0/0/1[EudemonA-zone-dmz]quit[EudemonA]firewallzoneuntrust[EudemonA-zone-untrust]addinterfaceGigabitEthernet0/0/2[EudemonA-zone-untrust]quit#配置VRRP備份組，并指定備份組所屬的管理組。[EudemonA]interfaceGigabitEthernet0/0/0[EudemonA-GigabitEthernet0/0/0]vrrpvrid1virtual-ipmaster[EudemonA]quit[EudemonA]interfaceGigabitEthernet0/0/1[EudemonA-GigabitEthernet0/0/1]vrrpvrid2virtual-ipmaster[EudemonA]quit[EudemonA]interfaceGigabitEthernet0/0/2[EudemonA-GigabitEthernet0/0/2]vrrpvrid3virtual-ipmaster#配置local區(qū)域和dmz區(qū)域的域間包過濾規(guī)則，以便VRRP報文、VGMP報文和HRP報文能夠通過心跳接口正常交互。[EudemonA]acl2000[EudemonA-acl-basic-2000]rulepermitsource55[EudemonA-acl-basic-2000]quit[EudemonA]firewallinterzonelocaldmz[EudemonA-interzone-local-dmz]packet-filter2000inbound[EudemonA-interzone-local-dmz]packet-filter2000outbound#配置HRP備份通道。[EudemonA]hrpinterfaceGigabitEthernet0/0/1transfer-only[EudemonA]hrpinterfaceGigabitEthernet0/0/0[EudemonA]hrpinterfaceGigabitEthernet0/0/2#使能HRP功能[EudemonA]hrpenableEudemonB的基本配置：#配置主機(jī)名<Eudemon>system-view[Eudemon]sysnameEudemonB#配置接口IP地址[EudemonB]interfaceGigabitEthernet0/0/0[EudemonB-GigabitEthernet0/0/0]ipaddress24[EudemonB-GigabitEthernet0/0/0]quit[EudemonB]interfaceGigabitEthernet0/0/1[EudemonB-GigabitEthernet0/0/1]ipaddress24[EudemonB-GigabitEthernet0/0/1]quit[EudemonB]interfaceGigabitEthernet0/0/2[EudemonB-GigabitEthernet0/0/2]ipaddress24[EudemonB-GigabitEthernet0/0/2]quit#添加接口至對應(yīng)區(qū)域[EudemonB]firewallzonetrust[EudemonB-zone-trust]addinterfaceGigabitEthernet0/0/0[EudemonB-zone-trust]quit[EudemonB]firewallzonedmz[EudemonB-zone-dmz]addinterfaceGigabitEthernet0/0/1[EudemonB-zone-dmz]quit[EudemonB]firewallzoneuntrust[EudemonB-zone-untrust]addinterfaceGigabitEthernet0/0/2[EudemonB-zone-untrust]quit#配置VRRP備份組，并指定備份組所屬的管理組。[EudemonB]interfaceGigabitEthernet0/0/0[EudemonB-GigabitEthernet0/0/0]vrrpvrid1virtual-ipslave[EudemonB]quit[EudemonB]interfaceGigabitEthernet0/0/1[EudemonB-GigabitEthernet0/0/1]vrrpvrid2virtual-ipslave[EudemonB]quit[EudemonB]interfaceGigabitEthernet0/0/2[EudemonB-GigabitEthernet0/0/2]vrrpvrid3virtual-ipslave#配置local區(qū)域和dmz區(qū)域的域間包過濾規(guī)則，以便VRRP報文、VGMP報文和HRP報文能夠通過心跳接口正常交互。[EudemonB]acl2000[EudemonB-acl-basic-2000]rulepermitsource55[EudemonB-acl-basic-2000]quit[EudemonB]firewallinterzonelocaldmz[EudemonB-interzone-local-dmz]packet-filter2000inbound[EudemonB-interzone-local-dmz]packet-filter2000outbound#配置HRP備份通道。[EudemonB]hrpinterfaceGigabitEthernet0/0/1transfer-only[EudemonB]hrpinterfaceGigabitEthernet0/0/0[EudemonB]hrpinterfaceGigabitEthernet0/0/2#使能HRP功能[EudemonB]hrpenableSwitch和PC的基本配置：本實驗中使用的Switch都是二層交換機(jī)，不需要任何配置；給PC1和PC2配上IP地址和默認(rèn)網(wǎng)關(guān)，PC1和PC2的網(wǎng)關(guān)分別對應(yīng)VRRP管理組1和VRRP管理組2的虛擬IP地址。實驗結(jié)果驗證實驗結(jié)果驗證一：通過命令displayvrrp查看VRRP備份組的狀態(tài)。HRP_M[EudemonA]displayvrrpGigabitEthernet0/0/2|VirtualRouter3state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/1|VirtualRouter2state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/0|VirtualRouter1state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESHRP_S[EudemonB]displayvrrpGigabitEthernet0/0/2|VirtualRouter3state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/1|VirtualRouter2state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/0|VirtualRouter1state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YES通過以上結(jié)果可知，EudemonA在三個備份組中都處于Master狀態(tài)；EudemonB在三個備份組中都處于Backup狀態(tài)。實驗結(jié)果驗證二：通過命令displayhrpstate查看HRP管理組的狀態(tài)。HRP_M[EudemonA]displayhrpstateThefirewall'sconfigstateis:MASTERCurrentstateofvirtualroutersconfiguredasmaster:GigabitEthernet0/0/2vrid3:masterGigabitEthernet0/0/1vrid2:masterGigabitEthernet0/0/0vrid1:masterHRP_S[EudemonB]displayhrpstateThefirewall'sconfigstateis:SLAVECurrentstateofvirtualroutersconfiguredasslave:GigabitEthernet0/0/2vrid3:slaveGigabitEthernet0/0/1vrid2:slaveGigabitEthernet0/0/0vrid1:slave通過以上結(jié)果可知，EudemonA的三個接口屬于Master管理組，狀態(tài)為MASTER；EudemonB的三個接口屬于Slave管理組，狀態(tài)為SLAVE。只有當(dāng)Master管理組的優(yōu)先級發(fā)生變化，低于Slave管理組的優(yōu)先級時，EudemonB才開始負(fù)責(zé)所有域間數(shù)據(jù)轉(zhuǎn)發(fā)。實驗結(jié)果驗證三：使用命令displayhrpgroup查看VGMP管理組的信息，包括Master管理組的信息和運(yùn)行狀態(tài)、Slave管理組的信息和運(yùn)行狀態(tài)以及管理組的優(yōu)先級等。HRP_M[EudemonA]displayhrpgroupMastergroupstatus:Groupenabled:yesState:masterPriorityrunning:65001TotalVRRPmembers:3Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:yesSlavegroupstatus:Groupenabled:noState:initializePriorityrunning:65000TotalVRRPmembers:0Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:noHRP_S[EudemonB]displayhrpgroupMastergroupstatus:Groupenabled:noState:initializePriorityrunning:65001TotalVRRPmembers:0Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:0Peer'smembersame:yesSlavegroupstatus:Groupenabled:yesState:slavePriorityrunning:65000TotalVRRPmembers:3Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:yes在EudemonA上，我們只配置了Master管理組，在EudemonB上我們只配置了Slave管理組。所以由以上實驗結(jié)果可以看出，EudemonA上的Slave管理組和EudemonB上的Master管理組的狀態(tài)均為“initialize”。注：在主備組網(wǎng)方式中，任何一臺防火墻上都只存在一個管理組。只有負(fù)載分擔(dān)組網(wǎng)方式中，兩臺防火墻上才會同時使能Master管理組和Slave管理組。實驗結(jié)果驗證四：在PC1上使用ping命令，是否能ping通PC2呢？如果不能，為什么？在EudemonA上配置以下命令：[EudemonA]acl2001[EudemonA-acl-basic-2001]rulepermitsource55[EudemonA-acl-basic-2001]quit[EudemonA]firewallinterzonetrustuntrust[EudemonA-interzone-trust-untrust]packet-filter2001outbound再次使用ping命令，PC1是否能ping通PC2呢？以上命令用戶配置trust區(qū)域和untrust區(qū)域的域間包過濾規(guī)則，如果宕掉EudemonA的接口GE0/0/2，PC1是否還能ping通PC2呢？檢查的配置發(fā)現(xiàn)，在EudemonB上并沒有配置trust區(qū)域和untrust區(qū)域的域間包過濾規(guī)則，所以PC1無法ping通PC2?？梢酝ㄟ^在EudemonB上配置trust區(qū)域和untrust區(qū)域的域間包過濾規(guī)則解決上述問題。除了這種方法，有沒有其他方法可以解決上述問題呢？HRP用戶在主備設(shè)備間備份會話表信息及關(guān)鍵配置信息，為什么域間包過濾規(guī)則沒有備份到EudemonB上呢？在EudemonA和EudemonB上配置以下命令，使用displaycurrent-configuration查看EudemonB的配置信息。HRP_M[EudemonA]hrpauto-syncHRP_S[EudemonB]hrpauto-sync通過配置以上命令，可以發(fā)現(xiàn)EudemonB上多了以下配置命令：firewallinterzonetrustuntrustpacket-filter2000outbound也就是說，域間包過濾規(guī)則已經(jīng)備份到EudemonB。此時，再次驗證PC1是否可以ping通PC2：C:\DocumentsandSettings\Administrator>pingPingingwith32bytesofdata:Replyfrom:bytes=32time=3msTTL=254Replyfrom:bytes=32time=2msTTL=254Replyfrom:bytes=32time=2msTTL=254Replyfrom:bytes=32time=2msTTL=254實驗結(jié)果驗證五：在EudemonA和EudemonB上使用displayfirewallsessiontableverbose查看會話：HRP_M[EudemonA]displayfirewallsessiontableverboseCurrentTotalSessions:1icmp(vpn:public->public)zone:trust->untrusttag:0x3588State:0x0ttl:00:00:20left:00:00:19Id:1c979878SlvId:2cc412d0Interface:G0/0/2Nexthop:Mac:00-e0-fc-35-ff-f4<--packets:0bytes:0-->packets:0bytes:0:512-->:512HRP_S[EudemonB]displayfirewallsessiontableverboseCurrentTotalSessions:1icmp(vpn:public->public)Remotezone:trust->untrusttag:0x35b8State:0x0ttl:00:00:20left:00:00:14Id:1c979878SlvId:2cc412d0Interface:G0/0/0Nexthop:Mac:00-00-00-00-00-00<--packets:0bytes:0-->packets:0bytes:0:512-->:512可以看到EudemonB上存在帶有Remote標(biāo)記的會話，表示配置雙機(jī)熱備份功能后，會話備份成功。實驗結(jié)果驗證六：在PC1上執(zhí)行“ping–t”，宕掉EudemonA的接口GE0/0/2，觀察防火墻的主備倒換以及對數(shù)據(jù)包轉(zhuǎn)發(fā)的影響。

路由模式+負(fù)載分擔(dān)方式的雙機(jī)熱備技術(shù)在Eudemon防火墻上的部署組網(wǎng)及業(yè)務(wù)描述路由模式+負(fù)載分擔(dān)組網(wǎng)方式Eudemon作為安全設(shè)備被部署在業(yè)務(wù)節(jié)點(diǎn)上。其中上下行設(shè)備均是交換機(jī)，EudemonA、EudemonB采用負(fù)載分擔(dān)方式組網(wǎng)，且均工作在路由模式下。網(wǎng)絡(luò)規(guī)劃如下：需要保護(hù)的網(wǎng)段地址為/24，與防火墻的GigabitEthernet0/0/0接口相連，部署在Trust區(qū)域。外部網(wǎng)絡(luò)與防火墻的GigabitEthernet0/0/2接口相連，部署在Untrust區(qū)域。兩臺防火墻的HRP備份通道接口GigabitEthernet0/0/1部署在DMZ區(qū)域。兩臺防火墻分別通過交換機(jī)連接各個安全區(qū)域。其中，各安全區(qū)域?qū)?yīng)的備份組虛擬IP地址如下：Trust區(qū)域?qū)?yīng)的備份組1的虛擬IP地址為；備份組4的虛擬IP地址為。Untrust區(qū)域?qū)?yīng)的備份組2的虛擬IP地址為；備份組5的虛擬IP地址為。DMZ區(qū)域?qū)?yīng)的備份組3虛擬IP地址為；備份組6的虛擬IP地址為。防火墻和PC地址規(guī)劃如下：EudemonA：GE0/0/0：/24；GE0/0/1：/24；GE0/0/2：/24EudemonB：GE0/0/0：/24；GE0/0/1：/24；GE0/0/2：/24PC1：~54/24PC2：~54/24實驗要求：1、完成防火墻雙機(jī)熱備配置，使PC1可以ping通PC2，PC2無法ping通PC1。2、宕掉主用防火墻的一個HRP備份通道接口，主用防火墻管理組優(yōu)先級發(fā)生變化，導(dǎo)致主備倒換。查看主備防火墻倒換對于從PC1發(fā)往PC2的數(shù)據(jù)包的影響。命令行列表操作版本命令配置VRRP備份組的虛擬IP地址并指定備份組所屬的管理組。VRP3.30vrrpvridvirtual-router-IDvirtual-ipvirtual-address[ip-mask|ip-mask-length]{slave|master}使能HRP功能。VRP3.30hrpenable創(chuàng)建備份會話表的通道接口。VRP3.30hrpinterfaceinterface-typeinterface-numbertransfer-only使能配置命令和連接狀態(tài)的自動備份。VRP3.30hrpauto-sync[config[batch-backup]|connection-status]配置流程圖防火墻基本配置防火墻基本配置配置VRRP備份組配置HRP配置步驟基本配置：配置接口的IP地址；將接口分別添加到對應(yīng)的區(qū)域；配置區(qū)域間包過濾規(guī)則。配置VRRP備份組并制定備份組所屬的管理組。創(chuàng)建備份會話表的通道接口并使能HRP功能。使能配置命令和連接狀態(tài)的自動備份功能。具體配置及實驗結(jié)果驗證EudemonA的基本配置：#配置主機(jī)名<Eudemon>system-view[Eudemon]sysnameEudemonA#配置接口IP地址[EudemonA]interfaceGigabitEthernet0/0/0[EudemonA-GigabitEthernet0/0/0]ipaddress24[EudemonA-GigabitEthernet0/0/0]quit[EudemonA]interfaceGigabitEthernet0/0/1[EudemonA-GigabitEthernet0/0/1]ipaddress24[EudemonA-GigabitEthernet0/0/1]quit[EudemonA]interfaceGigabitEthernet0/0/2[EudemonA-Ethernet0/0/2]ipaddress24[EudemonA-Ethernet0/0/2]quit#添加接口至對應(yīng)區(qū)域[EudemonA]firewallzonetrust[EudemonA-zone-trust]addinterfaceGigabitEthernet0/0/0[EudemonA-zone-trust]quit[EudemonA]firewallzonedmz[EudemonA-zone-dmz]addinterfaceGigabitEthernet0/0/1[EudemonA-zone-dmz]quit[EudemonA]firewallzoneuntrust[EudemonA-zone-untrust]addinterfaceGigabitEthernet0/0/2[EudemonA-zone-untrust]quit#配置VRRP備份組，并指定備份組所屬的管理組。[EudemonA]interfaceGigabitEthernet0/0/0[EudemonA-GigabitEthernet0/0/0]vrrpvrid1virtual-ipmaster[EudemonA-GigabitEthernet0/0/0]vrrpvrid4virtual-ipslave[EudemonA]quit[EudemonA]interfaceGigabitEthernet0/0/1[EudemonA-GigabitEthernet0/0/1]vrrpvrid2virtual-ipmaster[EudemonA-GigabitEthernet0/0/1]vrrpvrid5virtual-ipslave[EudemonA]quit[EudemonA]interfaceGigabitEthernet0/0/2[EudemonA-GigabitEthernet0/0/2]vrrpvrid3virtual-ipmaster[EudemonA-GigabitEthernet0/0/2]vrrpvrid6virtual-ipslave#配置local區(qū)域和dmz區(qū)域的域間包過濾規(guī)則，以便VRRP報文、VGMP報文和HRP報文能夠通過心跳接口正常交互。[EudemonA]acl2000[EudemonA-acl-basic-2000]rulepermitsource55[EudemonA-acl-basic-2000]quit[EudemonA]firewallinterzonelocaldmz[EudemonA-interzone-local-dmz]packet-filter2000inbound[EudemonA-interzone-local-dmz]packet-filter2000outbound#配置trust區(qū)域和untrust區(qū)域的域間包過濾規(guī)則[EudemonA]acl2001[EudemonA-acl-basic-2001]rulepermitsource55[EudemonA-acl-basic-2001]quit[EudemonA]firewallinterzonetrustuntrust[EudemonA-interzone-trust-untrust]packet-filter2001outbound#配置HRP備份通道。[EudemonA]hrpinterfaceGigabitEthernet0/0/1transfer-only[EudemonA]hrpinterfaceGigabitEthernet0/0/0[EudemonA]hrpinterfaceGigabitEthernet0/0/2#使能HRP功能[EudemonA]hrpenable[EudemonA]hrpauto-syncEudemonB的基本配置：#配置主機(jī)名<Eudemon>system-view[Eudemon]sysnameEudemonB#配置接口IP地址[EudemonB]interfaceGigabitEthernet0/0/0[EudemonB-GigabitEthernet0/0/0]ipaddress24[EudemonB-GigabitEthernet0/0/0]quit[EudemonB]interfaceGigabitEthernet0/0/1[EudemonB-GigabitEthernet0/0/1]ipaddress24[EudemonB-GigabitEthernet0/0/1]quit[EudemonB]interfaceGigabitEthernet0/0/2[EudemonB-GigabitEthernet0/0/2]ipaddress24[EudemonB-GigabitEthernet0/0/2]quit#添加接口至對應(yīng)區(qū)域[EudemonB]firewallzonetrust[EudemonB-zone-trust]addinterfaceGigabitEthernet0/0/0[EudemonB-zone-trust]quit[EudemonB]firewallzonedmz[EudemonB-zone-dmz]addinterfaceGigabitEthernet0/0/1[EudemonB-zone-dmz]quit[EudemonB]firewallzoneuntrust[EudemonB-zone-untrust]addinterfaceGigabitEthernet0/0/2[EudemonB-zone-untrust]quit#配置VRRP備份組，并指定備份組所屬的管理組。[EudemonB]interfaceGigabitEthernet0/0/0[EudemonB-GigabitEthernet0/0/0]vrrpvrid1virtual-ipslave[EudemonB-GigabitEthernet0/0/0]vrrpvrid4virtual-ipmaster[EudemonB]quit[EudemonB]interfaceGigabitEthernet0/0/1[EudemonB-GigabitEthernet0/0/1]vrrpvrid2virtual-ipslave[EudemonB-GigabitEthernet0/0/1]vrrpvrid5virtual-ipmaster[EudemonB]quit[EudemonB]interfaceGigabitEthernet0/0/2[EudemonB-GigabitEthernet0/0/2]vrrpvrid3virtual-ipslave[EudemonB-GigabitEthernet0/0/2]vrrpvrid6virtual-ipmaster#配置local區(qū)域和dmz區(qū)域的域間包過濾規(guī)則，以便VRRP報文、VGMP報文和HRP報文能夠通過心跳接口正常交互。[EudemonB]acl2000[EudemonB-acl-basic-2000]rulepermitsource55[EudemonB-acl-basic-2000]quit[EudemonB]firewallinterzonelocaldmz[EudemonB-interzone-local-dmz]packet-filter2000inbound[EudemonB-interzone-local-dmz]packet-filter2000outbound#配置HRP備份通道。[EudemonB]hrpinterfaceGigabitEthernet0/0/1transfer-only[EudemonB]hrpinterfaceGigabitEthernet0/0/0[EudemonB]hrpinterfaceGigabitEthernet0/0/2#使能HRP功能[EudemonB]hrpenable[EudemonB]hrpauto-syncSwitch和PC的基本配置：本實驗中使用的Switch都是二層交換機(jī)，不需要任何配置；給PC1和PC2配上IP地址和默認(rèn)網(wǎng)關(guān)，PC1和PC2的網(wǎng)關(guān)分別對應(yīng)VRRP管理組1和VRRP管理組2的虛擬IP地址。實驗結(jié)果驗證實驗結(jié)果驗證一：通過命令displayvrrp查看VRRP備份組的狀態(tài)。HRP_M[EudemonA]displayvrrpGigabitEthernet0/0/2|VirtualRouter2state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/2|VirtualRouter5state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/1|VirtualRouter3state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/1|VirtualRouter6state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/0|VirtualRouter1state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/0|VirtualRouter4state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESHRP_S[EudemonB]displayvrrpGigabitEthernet0/0/2|VirtualRouter2state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/2|VirtualRouter5state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/1|VirtualRouter3state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/1|VirtualRouter6state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/0|VirtualRouter1state:BackupVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/0|VirtualRouter4state:MasterVirtualIP:PriorityRun:100PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YES通過以上結(jié)果可知，EudemonA在備份組1、2、3中處于Master狀態(tài)，在備份組4、5、6中處于Backup狀態(tài)；而EudemonB則相反。實驗結(jié)果驗證二：通過命令displayhrpstate查看HRP管理組的狀態(tài)。HRP_M[EudemonA]displayhrpstateThefirewall'sconfigstateis:MASTERCurrentstateofvirtualroutersconfiguredasmaster:GigabitEthernet0/0/2vrid2:masterGigabitEthernet0/0/1vrid3:masterGigabitEthernet0/0/0vrid1:masterCurrentstateofvirtualroutersconfiguredasslave:GigabitEthernet0/0/2vrid5:slaveGigabitEthernet0/0/1vrid6:slaveGigabitEthernet0/0/0vrid4:slaveHRP_S[EudemonB]displayhrpstateThefirewall'sconfigstateis:SLAVECurrentstateofvirtualroutersconfiguredasmaster:GigabitEthernet0/0/2vrid5:masterGigabitEthernet0/0/1vrid6:masterGigabitEthernet0/0/0vrid4:masterCurrentstateofvirtualroutersconfiguredasslave:GigabitEthernet0/0/2vrid2:slaveGigabitEthernet0/0/1vrid3:slaveGigabitEthernet0/0/0vrid1:slave通過以上結(jié)果可知，在EudemonA上，VRRP備份組1、2、3屬于Master管理組，狀態(tài)為MASTER，同時這三個備份組又屬于Slave管理組，狀態(tài)為Slave；相反，在EudemonB上，VRRP備份組1、2、3屬于Slave管理組，狀態(tài)為Slave，同時這三個備份組又屬于Master管理組，狀態(tài)為Slave。也就是說，在每臺防火墻上都存在Master和Slave兩個管理組，管理組中處于Master狀態(tài)的備份組負(fù)責(zé)轉(zhuǎn)發(fā)數(shù)據(jù)，而處于Slave狀態(tài)的備份組接收處于Master狀態(tài)的備份組發(fā)出的VGMP報文和HRP報文。實驗結(jié)果驗證三：使用命令displayhrpgroup查看VGMP管理組的信息，包括Master管理組的信息和運(yùn)行狀態(tài)、Slave管理組的信息和運(yùn)行狀態(tài)以及管理組的優(yōu)先級等。HRP_M[EudemonA]displayhrpgroupMastergroupstatus:Groupenabled:yesState:masterPriorityrunning:65001TotalVRRPmembers:3Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:yesSlavegroupstatus:Groupenabled:yesState:slavePriorityrunning:65000TotalVRRPmembers:3Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:yesHRP_S[EudemonB]displayhrpgroupMastergroupstatus:Groupenabled:yesState:masterPriorityrunning:65001TotalVRRPmembers:3Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:yesSlavegroupstatus:Groupenabled:yesState:slavePriorityrunning:65000TotalVRRPmembers:3Hellointerval(ms):1000Preemptdelay(s):30Peergroupavailable:1Peer'smembersame:yes實驗結(jié)果驗證四：在PC1上執(zhí)行“ping–t”，宕掉EudemonA的接口GE0/0/2，觀察防火墻的主備倒換以及對數(shù)據(jù)包轉(zhuǎn)發(fā)的影響。

混合模式+主備組網(wǎng)方式的雙機(jī)熱備份技術(shù)在Eudemon防火墻上的部署組網(wǎng)及業(yè)務(wù)描述路由模式+負(fù)載分擔(dān)組網(wǎng)方式網(wǎng)絡(luò)規(guī)劃：防火墻上下行設(shè)備是二層交換模塊，并且是一種主備備份方式的組網(wǎng)，其中Switch-1、Swithc-3為主用設(shè)備；防火墻上下行業(yè)務(wù)端口工作在透明模式，心跳接口工作在路由模式；為了提高網(wǎng)絡(luò)的可靠性，要求采用兩臺防火墻形成雙機(jī)熱備份；防火墻EudemonA的G0/0/0、G0/0/1、G0/0/2接口分別位于trust、dmz和untrust區(qū)域，心跳接口GE0/0/1的IP地址為/24，備份組虛擬IP地址為/24；防火墻EudemonB的G0/0/0、G0/0/1、G0/0/2接口分別位于trust、dmz和untrust區(qū)域，心跳接口GE0/0/1的IP地址為/24，備份組虛擬IP地址為/24。注意：防火墻上下行端口工作在透明模式，無法配置IP地址，故PC1和PC2的IP地址應(yīng)屬于相同網(wǎng)段。本實驗中PC1和PC2的IP地址分別為：/24和/24。實驗要求：1、完成防火墻雙機(jī)熱備配置，使PC1可以ping通PC2，PC2無法ping通PC1。2、宕掉主用防火墻的一個HRP備份通道接口，主用防火墻管理組優(yōu)先級發(fā)生變化，導(dǎo)致主備倒換。查看主備防火墻倒換對于從PC1發(fā)往PC2的數(shù)據(jù)包的影響。命令行列表操作版本命令配置VRRP備份組的虛擬IP地址并指定備份組所屬的管理組。VRP3.30vrrpvridvirtual-router-IDvirtual-ipvirtual-address[ip-mask|ip-mask-length]{slave|master}使能HRP功能。VRP3.30hrpenable創(chuàng)建備份會話表的通道接口。VRP3.30hrpinterfaceinterface-typeinterface-numbertransfer-only使能配置命令和連接狀態(tài)的自動備份。VRP3.30hrpauto-sync[config[batch-backup]|connection-status]配置流程圖防火墻基本配置防火墻基本配置配置VRRP備份組配置HRP配置步驟基本配置：配置接口的IP地址；將接口分別添加到對應(yīng)的區(qū)域；配置區(qū)域間包過濾規(guī)則。配置VRRP備份組并制定備份組所屬的管理組。創(chuàng)建備份會話表的通道接口并使能HRP功能。使能配置命令和連接狀態(tài)的自動備份功能。具體配置及實驗結(jié)果驗證EudemonA的基本配置：#配置主機(jī)名<Eudemon>system-view[Eudemon]sysnameEudemonA#配置接口IP地址并將接口加入到相應(yīng)的VRRP備份組中[EudemonA]interfaceGigabitEthernet0/0/1[EudemonA-GigabitEthernet0/0/1]ipaddress24[EudemonA-GigabitEthernet0/0/1]vrrpvrid1virtual-ipmaster[EudemonA-GigabitEthernet0/0/1]quit注：混合模式中心跳接口必須配置IP地址，用于VRRP報文、VGMP報文和HRP報文的交互。#配置工作在透明模式的接口[EudemonA]interfacegigabitethernet0/0/0[EudemonA-GigabitEthernet0/0/0]portswitch[EudemonA-GigabitEthernet0/0/0]quit[EudemonA]interfacegigabitethernet0/0/2[EudemonA-GigabitEthernet0/0/2]portswitch[EudemonA-GigabitEthernet0/0/2]quit#添加接口至對應(yīng)區(qū)域[EudemonA]firewallzonetrust[EudemonA-zone-trust]addinterfaceGigabitEthernet0/0/0[EudemonA-zone-trust]quit[EudemonA]firewallzonedmz[EudemonA-zone-dmz]addinterfaceGigabitEthernet0/0/1[EudemonA-zone-dmz]quit[EudemonA]firewallzoneuntrust[EudemonA-zone-untrust]addinterfaceGigabitEthernet0/0/2[EudemonA-zone-untrust]quit#配置local區(qū)域和dmz區(qū)域的域間包過濾規(guī)則，以便VRRP報文、VGMP報文和HRP報文能夠通過心跳接口正常交互。[EudemonA]acl2000[EudemonA-acl-basic-2000]rulepermitsource55[EudemonA-acl-basic-2000]quit[EudemonA]firewallinterzonelocaldmz[EudemonA-interzone-local-dmz]packet-filter2000inbound[EudemonA-interzone-local-dmz]packet-filter2000outbound#配置trust區(qū)域和untrust區(qū)域的域間包過濾規(guī)則[EudemonA]acl2001[EudemonA-acl-basic-2001]rulepermitsource55[EudemonA-acl-basic-2001]quit[EudemonA]firewallinterzonetrustuntrust[EudemonA-interzone-trust-untrust]packet-filter2001outbound#建立VLAN2，將接口GE0/0/0和GE0/0/2加入VLAN2并指定由Master管理組監(jiān)視VLAN2。[EudemonA]vlan2[EudemonA-vlan-2]portinterfaceGigabitEthernet0/0/0[EudemonA-vlan-2]portinterfaceGigabitEthernet0/0/2[EudemonA-vlan-2]hrptrackmaster#配置HRP備份通道。[EudemonA]hrpinterfaceGigabitEthernet0/0/2transfer-only#使能HRP功能[EudemonA]hrpenable[EudemonA]hrpauto-syncEudemonB的基本配置：#配置主機(jī)名<Eudemon>system-view[Eudemon]sysnameEudemonB#配置接口IP地址并將接口加入到相應(yīng)的VRRP備份組中[EudemonB]interfaceGigabitEthernet0/0/1[EudemonB-GigabitEthernet0/0/1]ipaddress24[EudemonB-GigabitEthernet0/0/1]vrrpvrid1virtual-ipslave[EudemonB-GigabitEthernet0/0/1]quit注：混合模式中心跳接口必須配置IP地址，用于VRRP報文、VGMP報文和HRP報文的交互。#配置工作在透明模式的接口[EudemonA]interfacegigabitethernet0/0/0[EudemonA-GigabitEthernet0/0/0]portswitch[EudemonA-GigabitEthernet0/0/0]quit[EudemonA]interfacegigabitethernet0/0/2[EudemonA-GigabitEthernet0/0/2]portswitch[EudemonA-GigabitEthernet0/0/2]quit#添加接口至對應(yīng)區(qū)域[EudemonB]firewallzonetrust[EudemonB-zone-trust]addinterfaceGigabitEthernet0/0/0[EudemonB-zone-trust]quit[EudemonB]firewallzonedmz[EudemonB-zone-dmz]addinterfaceGigabitEthernet0/0/1[EudemonB-zone-dmz]quit[EudemonB]firewallzoneuntrust[EudemonB-zone-untrust]addinterfaceGigabitEthernet0/0/2[EudemonB-zone-untrust]quit#配置local區(qū)域和dmz區(qū)域的域間包過濾規(guī)則，以便VRRP報文、VGMP報文和HRP報文能夠通過心跳接口正常交互。[EudemonB]acl2000[EudemonB-acl-basic-2000]rulepermitsource55[EudemonB-acl-basic-2000]quit[EudemonB]firewallinterzonelocaldmz[EudemonB-interzone-local-dmz]packet-filter2000inbound[EudemonB-interzone-local-dmz]packet-filter2000outbound#建立VLAN2，將接口GE0/0/0和GE0/0/2加入VLAN2并指定由Master管理組監(jiān)視VLAN2。[EudemonB]vlan2[EudemonB-vlan-2]portinterfaceGigabitEthernet0/0/0[EudemonB-vlan-2]portinterfaceGigabitEthernet0/0/2[EudemonB-vlan-2]hrptrackslave#配置HRP備份通道。[EudemonB]hrpinterfaceGigabitEthernet0/0/2transfer-only#使能HRP功能[EudemonB]hrpenable[EudemonB]hrpauto-syncSwitch和PC的基本配置：本實驗中使用的Switch都是二層交換機(jī)，不需要任何配置。PC機(jī)IP地址的配置此處不再贅述。實驗結(jié)果驗證實驗結(jié)果驗證一：通過命令displayvrrp查看VRRP備份組的狀態(tài)。HRP_M[EudemonA]displayvrrpGigabitEthernet0/0/1|VirtualRouter1state:Master VirtualIP:PriorityRun:100 PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0 Timer:1AuthType:NONECheckTTL:YESHRP_S[EudemonB]displayvrrpGigabitEthernet0/0/1|VirtualRouter1 state:BackupVirtualIP: PriorityRun:100 PriorityConfig:100MasterPriority:100Preempt:YESDelayTime:0Timer:1AuthType:NONECheckTTL:YES通過以上結(jié)果可知，EudemonA在備份組1中都處于Master狀態(tài)；EudemonB在備份組1中都處于Backup狀態(tài)。實驗結(jié)果驗證二：通過命令displayhrpstate查看HRP管理組的狀態(tài)。HRP_M[EudemonA]displayhrpstate Thefirewall'sconfigstateis:MASTER Currentstateofvirtualroutersconfiguredasmaster: GigabitEthernet0/0/1vrid1:masterHRP_S[Eudemon]displayhrpstate Thefirewall'sconfigstateis:SLAVE Currentstateofvirtualroutersconfiguredasslave: GigabitEthernet0/0/1vrid1:slave從以上顯示信息可以看出，在EudemonA上，VRRP備份組1屬于Master管理組，狀態(tài)為Master；在EudemonB上，VRRP備份組1屬于Slave管理組，狀態(tài)為Slave。實驗結(jié)果驗證三：在PC1上執(zhí)行“ping–t”，宕掉EudemonA的接口GE0/0/2，觀察防火墻的主備倒換以及對數(shù)據(jù)包轉(zhuǎn)發(fā)的影響。附錄資料：不需要的可以自行刪除超全ARP知識什么是ARPARP（AddressResolutionProtocol）是地址解析協(xié)議，是一種將IP地址轉(zhuǎn)化成物理地址的協(xié)議。從IP地址到物理地址的映射有兩種方式：表格方式和非表格方式。ARP具體說來就是將網(wǎng)絡(luò)層（也就是相當(dāng)于OSI的第三層）地址解析為HYPERLINK"/