1. Preface
Lab notes from studying Huawei firewall IPsec in a dual-device (hot standby) deployment.
eNSP topology link: topology
The login account on all firewalls is admin
The password is Huawei@123
2. Topology
Headquarters:
Two firewalls deployed as a hot-standby pair, connected to ISP1 and ISP2 respectively
On both HQ firewalls the ISP1 uplink is G0/0/3 and the ISP2 uplink is G0/0/5; by default, traffic leaves through FW1's G0/0/3 interface
The two firewalls act as the Internet gateway for internal users
The two firewalls must establish IPsec VPNs with the two branch offices, using both devices and both uplinks.
Branch 1:
Router NAT-Device acts as the NAT device and connects to ISP3
Egress firewall Fw3 acts as the Internet gateway for internal users and terminates the IPsec VPN to HQ.
Branch 2:
Egress firewall Fw4 connects to ISP4, acts as the Internet gateway for internal users and terminates the IPsec VPN to HQ.
3. Requirements
Link failures:
- FW1's link to ISP1 fails but ISP1 itself is up: traffic leaves through FW2's G0/0/3;
- FW1's link to ISP1 is up but ISP1 fails: traffic leaves through FW2's G0/0/5;
- FW1's link to ISP1 recovers and ISP1 recovers: traffic leaves through FW1's G0/0/3;
Device failures:
- FW1 normal: traffic leaves through FW1's G0/0/3;
- FW1 device fails: traffic leaves through FW2's G0/0/3;
- FW1 and ISP1 both fail: traffic leaves through FW2's G0/0/5
4. Solution
4.1 Approach
Headquarters
IP-Link
- Enable IP-Link probing on Fw1 and Fw2 to probe the network towards ISP1, so that a failure of the ISP1 network is detected promptly.
Hot standby (HRP)
- Configure hot standby on Fw1 and Fw2 in active/standby mode, with Fw1 as the active device and Fw2 as the standby. Also have the VGMP group monitor the interfaces and the IP-Link state, so that switchover is fast when a fault occurs.
- Have the VGMP group monitor the interfaces connected to ISP1, ISP2 and the internal network
- Have the VGMP group monitor the network towards ISP1, i.e. associate it with the IP-Link from the previous step
- Deploy VRRP backup groups on Fw1 and Fw2:
- Add the interfaces of Fw1 and Fw2 that connect to ISP1 to the same VRRP backup group, set the virtual IP to the ISP1 public address, and enable the virtual MAC function.
- Add the interfaces of Fw1 and Fw2 that connect to ISP2 to the same VRRP backup group, set the virtual IP to the ISP2 public address, and enable the virtual MAC function.
- Add the interfaces of Fw1 and Fw2 that connect to the internal network to the same VRRP backup group, set the virtual IP to the internal gateway address, and enable the virtual MAC function.
- Because Fw1 is the active device, all of Fw1's VRRP backup groups are set to active.
- Because Fw2 is the standby device, all of Fw2's VRRP backup groups are set to standby.
IPsec
- Among the branches that HQ peers with, one has a non-fixed (dynamic) public IP and one has a fixed public IP, so HQ uses an IPsec policy template towards Fw3 (dynamic public IP) and a regular IPsec policy towards Fw4 (fixed public IP).
- Based on the traffic that HQ and the branches need to exchange, use advanced ACLs to define the interesting traffic that the IPsec VPN must protect.
- Configure the IKE proposal and the IPsec proposal with the security parameters required, making sure both ends use the same parameters.
- Configure the IKE peer for Fw3: pre-shared-key authentication, referencing the IKE proposal. Because the remote end has a non-fixed public IP, no remote address is configured, but NAT traversal must be enabled.
- Configure the IKE peer for Fw4: pre-shared-key authentication, referencing the IKE proposal, with the remote IP address configured.
- Configure the IPsec policy template for Fw3: reference the interesting traffic, the IPsec proposal and Fw3's IKE peer, and configure the local address.
- Configure two IPsec policies for Fw4, one reached from ISP1 and one from ISP2: reference the interesting traffic, the IPsec proposal and Fw4's IKE peer, and configure the local and remote addresses.
- Reference the IPsec policy template from both IPsec policy groups. Remember that the sequence number of the IPsec policy template must be larger than that of the IPsec policies.
- Apply the corresponding IPsec policy on each of the two egress interfaces.
- Because hot standby is configured, the configuration only needs to be entered on the active firewall; it is synchronised to the standby automatically.
Routing
- Per the requirements, two default routes are needed, one primary and one backup:
- The primary route goes to ISP1 and is bound to IP-Link "to_isp1", so that routing switches quickly when ISP1 fails.
- The backup route goes to ISP2.
Branch (Fw3, dynamic public IP)
IPsec
- Based on the traffic that HQ and the branch need to exchange, use an advanced ACL to define the interesting traffic that the IPsec VPN must protect.
- Configure the IKE proposal and the IPsec proposal with the security parameters required, making sure both ends use the same parameters.
- Configure two IKE peers, one for HQ's ISP1 side and one for HQ's ISP2 side: pre-shared-key authentication (the key must match HQ), referencing the IKE proposal; because the local end has a non-fixed public IP, NAT traversal must be enabled. In the ISP1 IKE peer, the remote address is the virtual IP of HQ's VRRP backup group facing ISP1; in the ISP2 IKE peer, it is the virtual IP of HQ's VRRP backup group facing ISP2.
- Configure two IPsec policies, one towards HQ via ISP1 and one via ISP2, referencing the interesting traffic and the IPsec proposal. The policy towards HQ's ISP1 side calls the ISP1 IKE peer; the policy towards HQ's ISP2 side calls the ISP2 IKE peer.
- Configure two tunnel interfaces, Tunnel1 and Tunnel2, add them to the same security zone as the WAN-side physical interface, set the tunnel protocol to IPsec and borrow the WAN-side interface's IP address. Tunnel1 is the primary tunnel and calls the IPsec policy towards HQ's ISP1 side; Tunnel2 is the backup tunnel and calls the IPsec policy towards HQ's ISP2 side.
IP-Link
- Enable IP-Link probing on Fw3 to probe the virtual IP of HQ's VRRP backup group facing ISP1, so that a failure is detected promptly.
Routing
- Configure one default route towards the carrier.
- Configure two routes to the HQ internal network, one primary and one backup:
- Primary route: next hop Tunnel1, bound to IP-Link "to_ZongBu_isp1", so that routing switches quickly when HQ's ISP1 side fails.
- Backup route: next hop Tunnel2.
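Two of the points above are easy to get wrong when the configuration is typed by hand: the IKE/IPsec proposals must match exactly on both ends, and the policy-template entry must carry a higher sequence number than the isakmp entries in the same policy group. The script below is an added example, not part of the original notes: it parses VRP-style configuration text and performs both checks. The sample configurations are copied from the Fw1 and Fw3 snippets in section 4.2; FW3_MISMATCH and FW1_BAD_ORDER are constructed variants that introduce a DH-group mismatch and a wrongly ordered template so the checks have something to report.

```python
"""Consistency checks for the IKE/IPsec configuration of a HQ/branch pair.

Added example (not from the original lab notes). It parses Huawei VRP-style
configuration text, compares the `ike proposal` / `ipsec proposal` blocks of two
devices, and verifies the sequence-number rule for IPsec policy templates.
"""
import re
from typing import Dict, List, Tuple

# Header lines whose indented sub-lines we collect, and the isakmp policy line.
BLOCK_RE = re.compile(r"^(ike proposal|ipsec proposal|ike peer|ipsec policy-template)\s+(\S+)")
POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp(?: template (\S+))?$")


def parse_blocks(config: str) -> Dict[Tuple[str, str], List[str]]:
    """Return {(block_type, name): [sub-lines]} for VRP-style config text.

    VRP indents sub-commands by one space under a header line and separates
    sections with a lone '#'. Sub-lines are stripped of surrounding whitespace.
    """
    blocks: Dict[Tuple[str, str], List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None
            continue
        if not line.startswith(" "):          # a new header line
            m = BLOCK_RE.match(line)
            current = (m.group(1), m.group(2)) if m else None
            if current is not None:
                blocks.setdefault(current, [])
            continue
        if current is not None:
            blocks[current].append(line.strip())
    return blocks


def compare_proposals(hq: str, branch: str) -> List[str]:
    """List every IKE/IPsec proposal parameter that differs between two configs.

    Blocks are matched by name; lines are compared as sets, since VRP does not
    care about the order of parameters inside a proposal.
    """
    a, b = parse_blocks(hq), parse_blocks(branch)
    diffs: List[str] = []
    for key in sorted(set(a) | set(b)):
        if key[0] not in ("ike proposal", "ipsec proposal"):
            continue
        left, right = set(a.get(key, [])), set(b.get(key, []))
        diffs += [f"{key[0]} {key[1]}: only on HQ: {x}" for x in sorted(left - right)]
        diffs += [f"{key[0]} {key[1]}: only on branch: {x}" for x in sorted(right - left)]
    return diffs


def check_template_sequence(config: str) -> List[str]:
    """Within each IPsec policy group, the entry that references a policy
    template must have a higher sequence number than every isakmp entry.

    Entries are evaluated in ascending order and a template matches any peer,
    so a lower-numbered template would swallow the fixed-IP peer's negotiation.
    """
    groups: Dict[str, Dict[str, List[int]]] = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        name, seq, template = m.group(1), int(m.group(2)), m.group(3)
        g = groups.setdefault(name, {"isakmp": [], "template": []})
        g["template" if template else "isakmp"].append(seq)
    problems: List[str] = []
    for name, g in groups.items():
        if g["template"] and g["isakmp"] and min(g["template"]) <= max(g["isakmp"]):
            problems.append(f"policy group {name}: template seq {min(g['template'])} "
                            f"is not above isakmp seq {max(g['isakmp'])}")
    return problems


# Constructed samples, copied from the Fw1 / Fw3 snippets in section 4.2.
FW1_CONFIG = """\
ipsec proposal 1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ipsec policy POLICY_1 5 isakmp
 security acl 3000
 ike-peer to_fw4
 proposal 1
 tunnel local 202.2.2.1
ipsec policy POLICY_1 50 isakmp template FenBu
ipsec policy POLICY_2 5 isakmp
 security acl 3000
 ike-peer to_fw4
 proposal 1
 tunnel local 40.1.1.1
ipsec policy POLICY_2 50 isakmp template FenBu
#
"""
FW3_CONFIG = FW1_CONFIG.split("ipsec policy POLICY_1 5 isakmp")[0]
# Constructed faults: a DH-group mismatch and a template numbered below the isakmp entry.
FW3_MISMATCH = FW3_CONFIG.replace("dh group14", "dh group2")
FW1_BAD_ORDER = FW1_CONFIG.replace("POLICY_1 50 isakmp template", "POLICY_1 1 isakmp template")

if __name__ == "__main__":
    print("proposal diffs:", compare_proposals(FW1_CONFIG, FW3_MISMATCH))
    print("ordering:", check_template_sequence(FW1_BAD_ORDER))
```

Running the script against the real pair reports nothing; against the constructed variants it names the differing DH group and the mis-ordered POLICY_1 template. The same parser can be pointed at `display current-configuration` output saved from both firewalls.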
4.2 Reference configuration
Fw1
#
sysname Fw1
#
hrp enable
hrp interface GigabitEthernet1/0/6 remote 100.1.1.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/3
hrp track interface GigabitEthernet1/0/5
hrp track ip-link to_isp1
#
ip-link check enable
ip-link name to_isp1
destination 202.2.2.6 interface GigabitEthernet1/0/3 mode icmp next-hop 202.2.2.6
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer to_fw4
pre-shared-key Huawei@123
ike-proposal 1
remote-address 205.1.1.2
ike peer to_fw3
pre-shared-key Huawei@123
ike-proposal 1
dpd type periodic
dpd idle-time 10
dpd retransmit-interval 2
#
ipsec policy-template FenBu 10
security acl 3001
ike-peer to_fw3
proposal 1
#
ipsec policy POLICY_1 5 isakmp
security acl 3000
ike-peer to_fw4
proposal 1
tunnel local 202.2.2.1
ipsec policy POLICY_1 50 isakmp template FenBu
ipsec policy POLICY_2 5 isakmp
security acl 3000
ike-peer to_fw4
proposal 1
tunnel local 40.1.1.1
sa trigger-mode auto
ipsec policy POLICY_2 50 isakmp template FenBu
#
interface GigabitEthernet1/0/1
ip address 10.1.1.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.1.254 active
vrrp virtual-mac enable
link-group 1
service-manage ping permit
dhcp select interface
#
interface GigabitEthernet1/0/3
ip address 202.2.2.2 255.255.255.248
vrrp vrid 1 virtual-ip 202.2.2.1 active
vrrp virtual-mac enable
link-group 1
service-manage ping permit
ipsec policy POLICY_1
#
interface GigabitEthernet1/0/5
ip address 40.1.1.2 255.255.255.248
vrrp vrid 2 virtual-ip 40.1.1.1 active
vrrp virtual-mac enable
link-group 1
service-manage ping permit
ipsec policy POLICY_2
#
interface GigabitEthernet1/0/6
ip address 100.1.1.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/3
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 202.2.2.6 track ip-link to_isp1
ip route-static 0.0.0.0 0.0.0.0 40.1.1.6 preference 70
#
security-policy
rule name ipsec_ike
source-zone isp1
source-zone isp2
source-zone local
destination-zone isp1
destination-zone isp2
destination-zone local
source-address 202.2.2.1 mask 255.255.255.255
source-address 205.1.1.2 mask 255.255.255.255
source-address 40.1.1.1 mask 255.255.255.255
destination-address 202.2.2.1 mask 255.255.255.255
destination-address 205.1.1.2 mask 255.255.255.255
destination-address 40.1.1.1 mask 255.255.255.255
service protocol udp source-port 500 destination-port 500
action permit
rule name ipsec_office_FengGongSi_2
source-zone isp1
source-zone isp2
source-zone trust
destination-zone isp1
destination-zone isp2
destination-zone trust
source-address 10.1.1.0 mask 255.255.255.0
source-address 172.16.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
action permit
rule name ipsec_esp
source-zone isp1
source-zone isp2
destination-zone local
destination-address 202.2.2.1 mask 255.255.255.255
destination-address 40.1.1.1 mask 255.255.255.255
service esp
action permit
rule name ipsec_ike_ChanYue
source-zone isp1
source-zone isp2
source-zone local
destination-zone isp1
destination-zone isp2
destination-zone local
service protocol udp destination-port 500 4500
action permit
rule name icmp
source-zone local
service icmp
action permit
rule name to_internet
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 10.1.1.0 mask 255.255.255.0
action permit
rule name ipsec_office_FengGongSi_1
source-zone isp1
source-zone isp2
source-zone trust
destination-zone isp1
destination-zone isp2
destination-zone trust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action permit
#
nat-policy
rule name no-nat
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 10.1.1.0 mask 255.255.255.0
source-address 172.16.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action no-nat
rule name to_internet
source-zone trust
destination-zone isp1
destination-zone isp2
source-address 10.1.1.0 mask 255.255.255.0
action source-nat easy-ip
#
Fw2
Only the basic commands are configured on Fw2; hot standby synchronises the rest of the configuration
sys
sys Fw2
interface GigabitEthernet1/0/3
ip address 202.2.2.3 255.255.255.248
vrrp vrid 1 virtual-ip 202.2.2.1 s
vrrp virtual-mac enable
service-manage ping permit
interface GigabitEthernet1/0/5
ip address 40.1.1.3 255.255.255.248
vrrp vrid 2 virtual-ip 40.1.1.1 s
vrrp virtual-mac enable
service-manage ping permit
interface GigabitEthernet1/0/6
ip add 100.1.1.2 24
service-manage ping permit
dhcp enable
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.1.254 s
vrrp virtual-mac enable
service-manage ping permit
dhcp select interface
firewall zone trust
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
firewall zone name isp1 id 4
add interface GigabitEthernet1/0/3
#
firewall zone name isp2 id 5
add interface GigabitEthernet1/0/5
ipsec policy POLICY_1 5 isakmp
security acl 3000
proposal 1
tunnel local 202.2.2.1
ipsec policy POLICY_2 5 isakmp
security acl 3000
proposal 1
tunnel local 40.1.1.1
ip-link check enable
ip-link name to_isp1
destination 202.2.2.6 interface GigabitEthernet1/0/3 mode icmp next-hop 202.2.2.6
ip route-static 0.0.0.0 0.0.0.0 202.2.2.6 track ip-link to_isp1
ip route-static 0.0.0.0 0.0.0.0 40.1.1.6 preference 70
hrp enable
hrp interface GigabitEthernet1/0/6 remote 100.1.1.1
Fw3
sysname Fw3
#
ip-link check enable
ip-link name to_isp1
destination 202.2.2.1 interface GigabitEthernet1/0/1 mode icmp next-hop 201.1.1.1
#
acl number 3000
rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer to_isp1
pre-shared-key Huawei@123
ike-proposal 1
dpd type periodic
dpd idle-time 10
dpd retransmit-interval 2
remote-address 202.2.2.1
ike peer to_isp2
pre-shared-key Huawei@123
ike-proposal 1
dpd type periodic
dpd idle-time 10
dpd retransmit-interval 2
remote-address 40.1.1.1
#
ipsec policy POLICY_1 5 isakmp
security acl 3000
ike-peer to_isp1
proposal 1
sa trigger-mode auto
ipsec policy POLICY_2 5 isakmp
security acl 3000
ike-peer to_isp2
proposal 1
sa trigger-mode auto
#
interface GigabitEthernet1/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address dhcp-alloc
#
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy POLICY_1
#
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy POLICY_2
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Tunnel1
add interface Tunnel2
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1
ip route-static 10.1.1.0 255.255.255.0 Tunnel1 track ip-link to_isp1
ip route-static 10.1.1.0 255.255.255.0 Tunnel2 preference 70
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address 192.168.3.0 mask 255.255.255.0
action permit
rule name ipsec_ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
service protocol udp destination-port 500 4500
action permit
rule name ipsec_office
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action permit
rule name icmp
source-zone local
service icmp
action permit
#
nat-policy
rule name no-nat
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action no-nat
rule name to_internet
source-zone trust
destination-zone untrust
source-address 192.168.3.0 mask 255.255.255.0
action source-nat easy-ip
Fw4
sysname fw4
#
acl number 3000
rule 5 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer to_isp1
pre-shared-key Huawei@123
ike-proposal 1
dpd type periodic
dpd idle-time 10
dpd retransmit-interval 2
remote-address 202.2.2.1
ike peer to_isp2
pre-shared-key Huawei@123
ike-proposal 1
remote-address 40.1.1.1
#
ipsec policy POLICY_1 5 isakmp
security acl 3000
ike-peer to_isp1
proposal 1
ipsec policy POLICY_2 5 isakmp
security acl 3000
ike-peer to_isp2
proposal 1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 205.1.1.2 255.255.255.0
service-manage ping permit
#
interface Tunnel1
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy POLICY_1
#
interface Tunnel2
ip address unnumbered interface GigabitEthernet1/0/1
tunnel-protocol ipsec
ipsec policy POLICY_2
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Tunnel1
add interface Tunnel2
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 205.1.1.1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
action permit
rule name ipsec_ike
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 202.2.2.1 mask 255.255.255.255
source-address 205.1.1.2 mask 255.255.255.255
source-address 40.1.1.1 mask 255.255.255.255
destination-address 202.2.2.1 mask 255.255.255.255
destination-address 205.1.1.2 mask 255.255.255.255
destination-address 40.1.1.1 mask 255.255.255.255
service protocol udp source-port 500 destination-port 500
action permit
rule name ipsec_esp
source-zone untrust
destination-zone local
source-address 202.2.2.1 mask 255.255.255.255
source-address 40.1.1.1 mask 255.255.255.255
destination-address 205.1.1.2 mask 255.255.255.255
service esp
action permit
rule name ipsec_office
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 172.16.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 172.16.1.0 mask 255.255.255.0
action permit
ISP1
sys
sys isp1
int g0/0/1
ip add 202.2.2.6 29
int g0/0/0
ip add 18.1.1.1 24
ospf 10 router-id 1.1.1.1
a 0
net 202.2.2.6 0.0.0.7
net 18.1.1.0 0.0.0.255
ISP2
sys
sys isp2
int g0/0/1
ip add 40.1.1.6 29
int g0/0/0
ip add 18.1.1.2 24
ospf 10 router-id 2.2.2.2
a 0
net 40.1.1.6 0.0.0.7
net 18.1.1.0 0.0.0.255
ISP3
sys
sys isp3
int g0/0/2
ip add 200.1.1.1 24
int g0/0/0
ip add 18.1.1.3 24
ospf 10 router-id 3.3.3.3
a 0
net 200.1.1.2 0.0.0.255
net 18.1.1.0 0.0.0.255
ISP4
sys
sys isp4
int g0/0/1
ip add 205.1.1.1 24
int g0/0/0
ip add 18.1.1.4 24
ospf 10 router-id 4.4.4.4
a 0
net 205.1.1.1 0.0.0.255
net 18.1.1.0 0.0.0.255
NAT-Device
sys
sys NAT-Device
acl number 2000
rule 5 permit source 201.1.1.0 0.0.0.255
dhcp en
nat address-group 1 200.1.1.100 200.1.1.200
interface GigabitEthernet0/0/1
ip address 201.1.1.1 255.255.255.0
dhcp select interface
interface GigabitEthernet0/0/2
ip address 200.1.1.2 255.255.255.0
nat outbound 2000 address-group 1
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
4.3 故障測(cè)試
FW1正常時(shí)
HRP_M[Fw1]
HRP_M[Fw1]display ip routing-table
2023-12-08 03:33:19.840
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.2.2.6 GigabitEthernet1/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/1
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
10.1.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
40.1.1.0/29 Direct 0 0 D 40.1.1.2 GigabitEthernet1/0/5
40.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/5
40.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/5
100.1.1.0/24 Direct 0 0 D 100.1.1.1 GigabitEthernet1/0/6
100.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/6
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.2.2.0/29 Direct 0 0 D 202.2.2.2 GigabitEthernet1/0/3
202.2.2.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/3
202.2.2.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/3
HRP_M[Fw1]
HRP_M[Fw1]display vrrp brief
2023-12-08 03:28:56.630
Total:3 Master:3 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/3 Vgmp 202.2.2.1
2 Master GE1/0/5 Vgmp 40.1.1.1
3 Master GE1/0/1 Vgmp 10.1.1.254
HRP_M[Fw1]
HRP_M[Fw1]display ike sa
2023-12-08 03:29:08.260
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
33 200.1.1.198:65064 RD|M v2:2 IP 201.1.1.254
30 200.1.1.198:65064 RD|M v2:1 IP 201.1.1.254
44 205.1.1.2:500 RD|ST|M v2:2 IP 205.1.1.2
39 205.1.1.2:500 RD|ST|M v2:1 IP 205.1.1.2
32 200.1.1.198:64552 RD|M v2:2 IP 201.1.1.254
31 200.1.1.198:64552 RD|M v2:1 IP 201.1.1.254
43 205.1.1.2:500 RD|M v2:2 IP 205.1.1.2
41 205.1.1.2:500 RD|M v2:1 IP 205.1.1.2
Number of IKE SA : 8
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
HRP_M[Fw1]
HRP_M[Fw1]display ipsec sa brief
2023-12-08 03:29:26.490
IPSec SA information:
Src address Dst address SPI
VPN Protocol Algorithm
--------------------------------------------------------------------------------------------------------------------------
202.2.2.1 200.1.1.198 196662029
ESP E:AES-256 A:SHA2_256_128
40.1.1.1 200.1.1.198 194138009
ESP E:AES-256 A:SHA2_256_128
40.1.1.1 205.1.1.2 200362542
ESP E:AES-256 A:SHA2_256_128
200.1.1.198 202.2.2.1 194760684
ESP E:AES-256 A:SHA2_256_128
205.1.1.2 40.1.1.1 185700354
ESP E:AES-256 A:SHA2_256_128
202.2.2.1 205.1.1.2 197910612
ESP E:AES-256 A:SHA2_256_128
205.1.1.2 202.2.2.1 190270246
ESP E:AES-256 A:SHA2_256_128
200.1.1.198 40.1.1.1 194466263
ESP E:AES-256 A:SHA2_256_128
Number of IPSec SA : 8
--------------------------------------------------------------------------------------------------------------------------
HRP_M[Fw1]
HRP_M[Fw1]
PC1測(cè)試
PC>
PC>ping 172.16.1.10
Ping 172.16.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
From 172.16.1.10: bytes=32 seq=3 ttl=126 time=94 ms
From 172.16.1.10: bytes=32 seq=4 ttl=126 time=78 ms
From 172.16.1.10: bytes=32 seq=5 ttl=126 time=78 ms
--- 172.16.1.10 ping statistics ---
5 packet(s) transmitted
3 packet(s) received
40.00% packet loss
round-trip min/avg/max = 0/83/94 ms
PC>
PC>
PC>ping 192.168.3.10
Ping 192.168.3.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.3.10: bytes=32 seq=2 ttl=126 time=78 ms
From 192.168.3.10: bytes=32 seq=3 ttl=126 time=109 ms
From 192.168.3.10: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.3.10: bytes=32 seq=5 ttl=126 time=79 ms
--- 192.168.3.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/86/109 ms
PC>
Simulating an ISP1 link failure
Shut down the ISP1 interface
[isp1-GigabitEthernet0/0/1]shutdown
Fw1 becomes the standby firewall
HRP_M[Fw1]
HRP_M[Fw1]
Dec 8 2023 03:34:52 Fw1 %%01HEALTHCHECK/4/DOWN(l)[93]:Detect changed status to down (Protocol=icmp,DestinationIp=202.2.2.6,DestinationPort=0).
Dec 8 2023 03:34:52 Fw1 %%01HRPI/4/PRIORITY_CHANGE(l)[94]:The priority of the local VGMP group changed. (change_reason="The IP-link went Down.", local_old_priority=45000, local_new_priority=44998)
Dec 8 2023 03:34:52 Fw1 %%01HEALTHCHECK/3/DOWN(l)[95]:IP-Link to_isp1 changed status to down (Protocol=icmp,DestinationIp=202.2.2.6,DestinationPort=0).
Dec 8 2023 03:34:52 Fw1 HEALTHCHECK/2/DOWN:OID 1.3.6.1.4.1.2011.6.122.45.2.2 IP-link to_isp1 changes status to down.
Dec 8 2023 03:34:52 Fw1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Ip-link change to Down". (old_state=normal,new_state=abnormal(standby), local_priority=44998, peer_priority=45000)
Dec 8 2023 03:34:52 Fw1 %%01RM/4/IPV4_DEFT_RT_CHG(l)[96]:IPV4 default Route is changed. (ChangeType=Delete, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet1/0/3, Nexthop=202.2.2.6, Neighbour=0.0.0.0, Preference=60, Label=NULL, Metric=0)
Dec 8 2023 03:34:52 Fw1 %%01RM/4/IPV4_DEFT_RT_CHG(l)[97]:IPV4 default Route is changed. (ChangeType=Add, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet1/0/5, Nexthop=40.1.1.6, Neighbour=0.0.0.0, Preference=70, Label=NULL, Metric=0)
Dec 8 2023 03:34:52 Fw1 %%01HRPI/4/CORE_STATE(l)[98]:The HRP core state changed due to "Ip-link change to Down". (old_state=normal, new_state=abnormal(standby), local_priority=44998, peer_priority=45000)
HRP_S[Fw1]
Fw2 becomes the active firewall
HRP_M<Fw2>
HRP_M<Fw2>display ip routing-table
2023-12-08 03:35:47.240
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 70 0 RD 40.1.1.6 GigabitEthernet1/0/5
10.1.1.0/24 Direct 0 0 D 10.1.1.3 GigabitEthernet1/0/1
10.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
10.1.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
40.1.1.0/29 Direct 0 0 D 40.1.1.3 GigabitEthernet1/0/5
40.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/5
40.1.1.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/5
100.1.1.0/24 Direct 0 0 D 100.1.1.2 GigabitEthernet1/0/6
100.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/6
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.2.2.0/29 Direct 0 0 D 202.2.2.3 GigabitEthernet1/0/3
202.2.2.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/3
202.2.2.3/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/3
HRP_M<Fw2>
HRP_M<Fw2>display ip-link
2023-12-08 03:35:52.990
Current Total Ip-link Number : 1
Name Member State Up/Down/Init
to_isp1 1 down 0 1 0
HRP_M<Fw2>
HRP_M<Fw2>display ike sa
2023-12-08 03:36:00.940
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
22 200.1.1.198:64552 RD|M v2:2 IP 201.1.1.254
21 200.1.1.198:64552 RD|M v2:1 IP 201.1.1.254
20 205.1.1.2:500 RD|ST|M v2:2 IP 205.1.1.2
19 205.1.1.2:500 RD|ST|M v2:1 IP 205.1.1.2
18 205.1.1.2:500 RD|M v2:2 IP 205.1.1.2
17 205.1.1.2:500 RD|M v2:1 IP 205.1.1.2
Number of IKE SA : 6
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
HRP_M<Fw2>
HRP_M<Fw2>
HRP_M<Fw2>display vrrp brief
2023-12-08 03:36:23.660
Total:3 Master:3 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/3 Vgmp 202.2.2.1
2 Master GE1/0/5 Vgmp 40.1.1.1
3 Master GE1/0/1 Vgmp 10.1.1.254
HRP_M<Fw2>
HRP_M<Fw2>
HRP_M<Fw2>display ipsec sa brief
2023-12-08 03:36:09.140
IPSec SA information:
Src address Dst address SPI
VPN Protocol Algorithm
--------------------------------------------------------------------------------------------------------------------------
40.1.1.1 200.1.1.198 196406332
ESP E:AES-256 A:SHA2_256_128
40.1.1.1 205.1.1.2 200362542
ESP E:AES-256 A:SHA2_256_128
205.1.1.2 40.1.1.1 185700354
ESP E:AES-256 A:SHA2_256_128
202.2.2.1 205.1.1.2 197910612
ESP E:AES-256 A:SHA2_256_128
205.1.1.2 202.2.2.1 190270246
ESP E:AES-256 A:SHA2_256_128
200.1.1.198 40.1.1.1 200558179
ESP E:AES-256 A:SHA2_256_128
Number of IPSec SA : 6
--------------------------------------------------------------------------------------------------------------------------
HRP_M<Fw2>
HRP_M<Fw2>display hrp state
2023-12-08 03:36:41.460
Role: active, peer: standby (should be "standby-active")
Running priority: 45000, peer: 44998
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 3 minutes
Last state change information: 2023-12-08 3:33:36 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.
HRP_M<Fw2>
HRP_M<Fw2>
PC1測(cè)試
PC>
PC>ping 172.16.1.10
Ping 172.16.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 172.16.1.10: bytes=32 seq=2 ttl=126 time=94 ms
From 172.16.1.10: bytes=32 seq=3 ttl=126 time=94 ms
From 172.16.1.10: bytes=32 seq=4 ttl=126 time=78 ms
From 172.16.1.10: bytes=32 seq=5 ttl=126 time=94 ms
--- 172.16.1.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/90/94 ms
PC>
PC>ping 192.168.3.10
Ping 192.168.3.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.3.10: bytes=32 seq=2 ttl=126 time=125 ms
From 192.168.3.10: bytes=32 seq=3 ttl=126 time=110 ms
From 192.168.3.10: bytes=32 seq=4 ttl=126 time=78 ms
From 192.168.3.10: bytes=32 seq=5 ttl=126 time=93 ms
--- 192.168.3.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/101/125 ms
PC>
ISP1 link recovery
Bring the ISP1 interface back up
[isp1-GigabitEthernet0/0/1]undo shutdown
Fw1 becomes the active firewall
HRP_S[Fw1]
HRP_S[Fw1]
Dec 8 2023 03:43:22 Fw1 %%01HRPI/4/PRIORITY_CHANGE(l)[99]:The priority of the local VGMP group changed. (change_reason="The IP-link went Up.", local_old_priority=44998, local_new_priority=45000)
Dec 8 2023 03:43:22 Fw1 HEALTHCHECK/6/UP:OID 1.3.6.1.4.1.2011.6.122.45.2.1 IP-link to_isp1 changes status to up.
Dec 8 2023 03:43:22 Fw1 %%01RM/4/IPV4_DEFT_RT_CHG(l)[100]:IPV4 default Route is changed. (ChangeType=Add, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet1/0/3, Nexthop=202.2.2.6, Neighbour=0.0.0.0, Preference=60, Label=NULL, Metric=0)
Dec 8 2023 03:43:22 Fw1 %%01RM/4/IPV4_DEFT_RT_CHG(l)[101]:IPV4 default Route is changed. (ChangeType=Delete, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet1/0/5, Nexthop=40.1.1.6, Neighbour=0.0.0.0, Preference=70, Label=NULL, Metric=0)
HRP_S[Fw1]
Dec 8 2023 03:44:23 Fw1 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Ip-link change to UP". (old_state=abnormal(standby),new_state=normal, local_priority=45000, peer_priority=45000)
Dec 8 2023 03:44:23 Fw1 %%01HRPI/4/CORE_STATE(l)[102]:The HRP core state changed due to "Ip-link change to UP". (old_state=abnormal(standby), new_state=normal, local_priority=45000, peer_priority=45000)
HRP_M[Fw1]
HRP_M[Fw1]
HRP_M<Fw1>
HRP_M<Fw1>
HRP_M<Fw1>display ip routing-table
2023-12-08 04:49:14.320
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 202.2.2.6 GigabitEthernet1/0/3
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/1
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
10.1.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
40.1.1.0/29 Direct 0 0 D 40.1.1.2 GigabitEthernet1/0/5
40.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/5
40.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/5
100.1.1.0/24 Direct 0 0 D 100.1.1.1 GigabitEthernet1/0/6
100.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/6
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
202.2.2.0/29 Direct 0 0 D 202.2.2.2 GigabitEthernet1/0/3
202.2.2.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/3
202.2.2.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/3
HRP_M<Fw1>
HRP_M<Fw1>display ip-link
2023-12-08 04:49:19.270
Current Total Ip-link Number : 1
Name Member State Up/Down/Init
to_isp1 1 up 1 0 0
HRP_M<Fw1>
HRP_M<Fw1>display vrrp brief
2023-12-08 04:49:22.630
Total:3 Master:3 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
1 Master GE1/0/3 Vgmp 202.2.2.1
2 Master GE1/0/5 Vgmp 40.1.1.1
3 Master GE1/0/1 Vgmp 10.1.1.254
HRP_M<Fw1>
HRP_M<Fw1>
HRP_M<Fw1>dis
HRP_M<Fw1>display ike sa
2023-12-08 04:49:26.730
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase RemoteType RemoteID
------------------------------------------------------------------------------------------------------------------------------------
54 200.1.1.198:23849 RD|ST|M v2:2 IP 201.1.1.254
47 200.1.1.198:23849 RD|M v2:1 IP 201.1.1.254
52 200.1.1.198:64552 RD|ST|M v2:2 IP 201.1.1.254
45 200.1.1.198:64552 RD|M v2:1 IP 201.1.1.254
51 205.1.1.2:500 RD|ST|M v2:2 IP 205.1.1.2
39 205.1.1.2:500 RD|ST|M v2:1 IP 205.1.1.2
53 205.1.1.2:500 RD|ST|M v2:2 IP 205.1.1.2
49 205.1.1.2:500 RD|M v2:1 IP 205.1.1.2
Number of IKE SA : 8
------------------------------------------------------------------------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
HRP_M<Fw1>
HRP_M<Fw1>
HRP_M<Fw1>display ipsec sa brief
2023-12-08 04:49:45.770
IPSec SA information:
Src address Dst address SPI
VPN Protocol Algorithm
--------------------------------------------------------------------------------------------------------------------------
40.1.1.1 205.1.1.2 185561417
ESP E:AES-256 A:SHA2_256_128
202.2.2.1 200.1.1.198 189671080
ESP E:AES-256 A:SHA2_256_128
40.1.1.1 200.1.1.198 184812195
ESP E:AES-256 A:SHA2_256_128
205.1.1.2 40.1.1.1 199431858
ESP E:AES-256 A:SHA2_256_128
200.1.1.198 202.2.2.1 198882347
ESP E:AES-256 A:SHA2_256_128
200.1.1.198 40.1.1.1 199012368
ESP E:AES-256 A:SHA2_256_128
205.1.1.2 202.2.2.1 195484779
ESP E:AES-256 A:SHA2_256_128
202.2.2.1 205.1.1.2 194413064
ESP E:AES-256 A:SHA2_256_128
Number of IPSec SA : 8
--------------------------------------------------------------------------------------------------------------------------
HRP_M<Fw1>
HRP_M<Fw1>
Fw2 becomes the standby firewall
HRP_M<Fw2>
HRP_M<Fw2>
Dec 8 2023 03:42:09 Fw2 HEALTHCHECK/6/UP:OID 1.3.6.1.4.1.2011.6.122.45.2.1 IP-link to_isp1 changes status to up.
Dec 8 2023 03:42:09 Fw2 %%01RM/4/IPV4_DEFT_RT_CHG(l)[1]:IPV4 default Route is changed. (ChangeType=Add, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet1/0/3, Nexthop=202.2.2.6, Neighbour=0.0.0.0, Preference=60, Label=NULL, Metric=0)
Dec 8 2023 03:42:09 Fw2 %%01RM/4/IPV4_DEFT_RT_CHG(l)[2]:IPV4 default Route is changed. (ChangeType=Delete, InstanceId=0, Protocol=Static, ExitIf=GigabitEthernet1/0/5, Nexthop=40.1.1.6, Neighbour=0.0.0.0, Preference=70, Label=NULL, Metric=0)
HRP_M<Fw2>
HRP_M<Fw2>
HRP_M<Fw2>
HRP_M<Fw2>
HRP_M<Fw2>
HRP_M<Fw2>
Dec 8 2023 03:43:07 Fw2 HRPI/1/CORE_STATE:1.3.6.1.4.1.2011.6.122.51.2.2.1 The HRP core state changed due to "Unknown". (old_state=abnormal(active),new_state=normal, local_priority=45000, peer_priority=45000)
Dec 8 2023 03:43:07 Fw2 %%01HRPI/4/CORE_STATE(l)[3]:The HRP core state changed due to "Unknown". (old_state=abnormal(active), new_state=normal, local_priority=45000, peer_priority=45000)
HRP_S<Fw2>
HRP_S<Fw2>
PC1測(cè)試
PC>
PC>ping 192.168.3.10
Ping 192.168.3.10: 32 data bytes, Press Ctrl_C to break
From 192.168.3.10: bytes=32 seq=1 ttl=126 time=93 ms
From 192.168.3.10: bytes=32 seq=2 ttl=126 time=63 ms
From 192.168.3.10: bytes=32 seq=3 ttl=126 time=94 ms
From 192.168.3.10: bytes=32 seq=4 ttl=126 time=110 ms
From 192.168.3.10: bytes=32 seq=5 ttl=126 time=94 ms
--- 192.168.3.10 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/90/110 ms
PC>
PC>
PC>ping 172.16.1.10
Ping 172.16.1.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 172.16.1.10: bytes=32 seq=2 ttl=126 time=109 ms
From 172.16.1.10: bytes=32 seq=3 ttl=126 time=63 ms
From 172.16.1.10: bytes=32 seq=4 ttl=126 time=93 ms
From 172.16.1.10: bytes=32 seq=5 ttl=126 time=94 ms
--- 172.16.1.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/89/109 ms
PC>
4.4 Description of the expected traffic paths
- When FW1's link to ISP1 fails, or the FW1 device fails, while ISP1 itself is up: VRRP detects the fault and, through hot standby, triggers an active/standby switchover, so Fw2 becomes the active firewall. On FW2, the ip-link isp1 bound to the primary default route has not detected a fault in the ISP1 network, so traffic is forwarded out the G0/0/3 interface towards ISP1; session table entries are synchronised by hot standby, so service is not interrupted.
- When FW1's link to ISP1 is up but ISP1 fails: IP-Link detects the fault and, through hot standby, triggers an active/standby switchover, so Fw2 becomes the active firewall. On FW2, the ip-link isp1 bound to the primary default route detects the ISP1 network fault, so traffic is forwarded out the G0/0/5 interface towards ISP2; session table entries are synchronised by hot standby, so service is not interrupted.
- When the FW1 device fails and ISP1 is also down: VRRP detects the fault and, through hot standby, triggers an active/standby switchover, so Fw2 becomes the active firewall. On FW2, the ip-link isp1 bound to the primary default route detects the ISP1 network fault, so traffic is forwarded out the G0/0/5 interface towards ISP2; session table entries are synchronised by hot standby, so service is not interrupted.
- When FW1's link to ISP1 recovers and ISP1 recovers: VRRP and IP-Link detect the recovery and trigger the firewalls and the floating default route to switch back to the primary, so traffic is forwarded out FW1's G0/0/3 interface; session table entries are synchronised by hot standby, so service is not interrupted.
到了這里,關(guān)于【華為_安全】防火墻IPsec雙機(jī)實(shí)驗(yàn)的文章就介紹完了。如果您還想了解更多內(nèi)容,請(qǐng)?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章,希望大家以后多多支持TOY模板網(wǎng)!