Huawei eNSP dual-system hot standby lab: configuring firewall hot standby

Lab environment

Lab requirements

Configure dual-system hot standby on the firewalls

Lab steps

Configure FW1

    [FW1]int g1/0/0
    [FW1-GigabitEthernet1/0/0]ip ad 200.1.1.2 24
    [FW1-GigabitEthernet1/0/0]int g1/0/1
    [FW1-GigabitEthernet1/0/1]ip ad 192.168.1.2 24
    [FW1]int g1/0/2
    [FW1-GigabitEthernet1/0/2]ip ad 192.168.2.2 24

    [FW1]firewall zone trust
    [FW1-zone-trust]add interface g1/0/1
    [FW1]firewall zone untrust
    [FW1-zone-untrust]add interface g1/0/0
    [FW1]firewall zone dmz
    [FW1-zone-dmz]add interface g1/0/2
    [FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 200.1.1.254 active
    [FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 192.168.1.254 active
    [FW1]hrp interface g1/0/2 remote 192.168.2.3
    [FW1]hrp enable

The remote address in hrp interface must be the peer's heartbeat interface address, here FW2's 192.168.2.3 on g1/0/2.

Configure FW2

    [FW2]int g1/0/0
    [FW2-GigabitEthernet1/0/0]ip ad 200.1.1.3 24
    [FW2-GigabitEthernet1/0/0]int g1/0/1
    [FW2-GigabitEthernet1/0/1]ip ad 192.168.1.3 24
    [FW2]int g1/0/2
    [FW2-GigabitEthernet1/0/2]ip ad 192.168.2.3 24

    [FW2]firewall zone trust
    [FW2-zone-trust]add interface g1/0/1
    [FW2]firewall zone untrust
    [FW2-zone-untrust]add interface g1/0/0
    [FW2]firewall zone dmz
    [FW2-zone-dmz]add interface g1/0/2
    [FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 200.1.1.254 standby
    [FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 192.168.1.254 standby
    [FW2]hrp interface g1/0/2 remote 192.168.2.2
    [FW2]hrp enable

On FW2 the remote address is FW1's heartbeat interface address, 192.168.2.2, and the service interfaces are added to the same zones as on FW1.
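A pre-deployment check for the two configurations above, as an added example that is not part of the original post: it verifies that each firewall's hrp remote address is the peer's heartbeat interface address and that every VRRP group has the same virtual IP with one active and one standby member. The `sample`, `parse` and `check_pair` helpers and the prompt-free config text they read are assumptions made for this illustration.

```python
import re

def sample(outside, inside, heartbeat, role, remote):
    # Constructed config text (assumed prompt-free form of this page's commands).
    return f"""interface g1/0/0
 ip address {outside} 24
 vrrp vrid 1 virtual-ip 200.1.1.254 {role}
interface g1/0/1
 ip address {inside} 24
 vrrp vrid 2 virtual-ip 192.168.1.254 {role}
interface g1/0/2
 ip address {heartbeat} 24
hrp interface g1/0/2 remote {remote}"""

FW1 = sample("200.1.1.2", "192.168.1.2", "192.168.2.2", "active", "192.168.2.3")
FW2 = sample("200.1.1.3", "192.168.1.3", "192.168.2.3", "standby", "192.168.2.2")

def parse(cfg):
    """Collect interface IPs, VRRP groups and the HRP heartbeat setting."""
    out, iface = {"ip": {}, "vrrp": {}, "hrp": None}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) \d+", line):
            out["ip"][iface] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", line):
            out["vrrp"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"hrp interface (\S+) remote (\S+)", line):
            out["hrp"] = (m.group(1), m.group(2))
    return out

def check_pair(cfg_a, cfg_b):
    """Return mismatches that would break the heartbeat link or VRRP failover."""
    a, b, problems = parse(cfg_a), parse(cfg_b), []
    for name, me, peer in (("FW-A", a, b), ("FW-B", b, a)):
        hb_if, remote = me["hrp"] or (None, None)
        if remote is None or remote != peer["ip"].get(hb_if):
            problems.append(f"{name}: hrp remote {remote} != peer {hb_if} address {peer['ip'].get(hb_if)}")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        ga, gb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if not ga or not gb:
            problems.append(f"vrid {vrid}: configured on one firewall only")
        elif ga[0] != gb[0]:
            problems.append(f"vrid {vrid}: virtual IPs differ ({ga[0]} vs {gb[0]})")
        elif {ga[1], gb[1]} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: need one active and one standby")
    return problems
```

`check_pair(FW1, FW2)` returns an empty list for the sample pair; a firewall whose hrp remote points at its own heartbeat address is reported as a mismatch.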

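Configure the security policy on the active firewall (prompt HRP_M). The (+B) suffix marks a command that is backed up to the standby firewall.

Enter the security policy view:

    HRP_M[FW1]security-policy (+B)

Create the security policy rule:

    HRP_M[FW1-policy-security]rule name PC1-PC2 (+B)

Source zone:

    source-zone trust (+B)

Destination zone:

    destination-zone untrust (+B)

Source address:

    source-address 192.168.1.11 24 (+B)

Destination address:

    destination-address 200.1.1.22 24 (+B)

Permit traffic that matches this policy:

    action permit (+B)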

PC1 can ping PC2:

Summary
