
Huawei Firewall Hot Standby (HRP) Linked with BFD

2021-06-09 22:54:11  Reads: 632  Source: Internet

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623247934966278.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

1. Configure the internal (trust) network and its connectivity

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248014302908.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW1-GigabitEthernet1/0/0]ip add 10.1.10.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.1.10.2 24
[FW2-GigabitEthernet1/0/0]service-manage ping permit
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/0
```

2. Configure the DMZ zone (this link between FW1 and FW2 will carry the HRP heartbeat)

```
[FW1-GigabitEthernet1/0/3]ip add 10.1.3.1 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/3
[FW2-GigabitEthernet1/0/3]ip add 10.1.3.2 24
[FW2-GigabitEthernet1/0/3]service-manage ping permit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface g1/0/3
```

3. Configure the external (untrust) network and its connectivity

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248043696972.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/1
[FW2-GigabitEthernet1/0/2]ip add 10.1.2.2 24
[FW2-GigabitEthernet1/0/2]service-manage ping permit
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/2
[AR1-GigabitEthernet0/0/1]ip add 10.1.1.3 24
[AR1-GigabitEthernet0/0/0]ip add 10.1.20.3 24
[AR1]ospf
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255
[AR1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.20.254
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248070138210.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[AR2-GigabitEthernet0/0/2]ip add 10.1.2.4 24
[AR2-GigabitEthernet0/0/0]ip add 10.1.20.4 24
[AR2]ospf
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 10.1.20.0 0.0.0.255
[AR2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 10.1.20.254
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248090775625.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

4. Configure NAT (source address pool)

```
[FW1]nat address-group nat_fw1
[FW1-address-group-nat_fw1]section 10.1.1.10 10.1.1.100
[FW1]nat-policy
[FW1-policy-nat]rule name source_out
[FW1-policy-nat-rule-source_out]source-zone trust
[FW1-policy-nat-rule-source_out]destination-zone untrust
[FW1-policy-nat-rule-source_out]action source-nat address-group nat_fw1
[FW2]nat address-group nat_fw2
[FW2-address-group-nat_fw2]section 10.1.2.10 10.1.2.100
[FW2]nat-policy
[FW2-policy-nat]rule name source_out
[FW2-policy-nat-rule-source_out]source-zone trust
[FW2-policy-nat-rule-source_out]destination-zone untrust
[FW2-policy-nat-rule-source_out]action source-nat address-group nat_fw2
```

5. Configure BFD

Each firewall runs a BFD session towards the inside interface of its upstream router (10.1.20.3 on AR1, 10.1.20.4 on AR2), and each router runs the matching session back to the firewall's untrust address. The local discriminator on one side must equal the remote discriminator on the other side (FW1 13/31 against AR1 31/13, FW2 24/42 against AR2 42/24) or the session never comes up; AR2's `discriminator local 42` line is included below for that reason, since FW2 is configured with `discriminator remote 42`.

```
[FW1]bfd
[FW1]bfd bfd_1 bind peer-ip 10.1.20.3
[FW1-bfd-session-bfd_1]discriminator local 13
[FW1-bfd-session-bfd_1]discriminator remote 31
[FW1-bfd-session-bfd_1]commit
[FW2]bfd
[FW2]bfd bfd_2 bind peer-ip 10.1.20.4
[FW2-bfd-session-bfd_2]discriminator local 24
[FW2-bfd-session-bfd_2]discriminator remote 42
[FW2-bfd-session-bfd_2]commit
[AR1]bfd
[AR1]bfd 1 bind peer-ip 10.1.1.1
[AR1-bfd-session-1]discriminator local 31
[AR1-bfd-session-1]discriminator remote 13
[AR1-bfd-session-1]commit
[AR2]bfd
[AR2]bfd 2 bind peer-ip 10.1.2.2
[AR2-bfd-session-2]discriminator local 42
[AR2-bfd-session-2]discriminator remote 24
[AR2-bfd-session-2]commit
```

6. Configure hot standby (VRRP on the trust side, FW1 active and FW2 standby)

```
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 active
[FW1-GigabitEthernet1/0/0]vrrp virtual-mac enable
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.10.254 standby
[FW2-GigabitEthernet1/0/0]vrrp virtual-mac enable
```

7. Configure security policies

The `dmz_local` rule allows the HRP heartbeat between the two firewalls over g1/0/3; the `bfd` rule allows BFD control packets originated by the firewall itself (local zone) to reach the routers in the untrust zone. Both rules permit all services between the zones as written and can be narrowed to the heartbeat link and the BFD peer addresses.

```
[FW1]security-policy
[FW1-policy-security]rule name dmz_local
[FW1-policy-security-rule-dmz_local]source-zone local dmz
[FW1-policy-security-rule-dmz_local]destination-zone dmz local
[FW1-policy-security-rule-dmz_local]action permit
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]action permit
[FW1-policy-security]rule name bfd
[FW1-policy-security-rule-bfd]source-zone local
[FW1-policy-security-rule-bfd]destination-zone untrust
[FW1-policy-security-rule-bfd]action permit
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248109391080.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

```
[FW2]security-policy
[FW2-policy-security]rule name dmz_local
[FW2-policy-security-rule-dmz_local]source-zone local dmz
[FW2-policy-security-rule-dmz_local]destination-zone local dmz
[FW2-policy-security-rule-dmz_local]action permit
[FW2-policy-security]rule name trust_untrust
[FW2-policy-security-rule-trust_untrust]source-zone trust
[FW2-policy-security-rule-trust_untrust]destination-zone untrust
[FW2-policy-security-rule-trust_untrust]action permit
[FW2-policy-security]rule name bfd
[FW2-policy-security-rule-bfd]source-zone local
[FW2-policy-security-rule-bfd]destination-zone untrust
[FW2-policy-security-rule-bfd]action permit
```

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248133384816.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

8. Link BFD with hot standby

Each firewall tracks both its own untrust interface and its BFD session (referenced by the local discriminator configured in step 5). Tracking the BFD session is what detects a failure beyond the firewall's directly connected link: when the session to the router's inside interface goes down, HRP triggers the switchover even though the firewall's own uplink is still physically up.

```
[FW1]hrp enable
HRP_S[FW1]hrp interface g1/0/3 remote 10.1.3.2
HRP_S[FW1]hrp track interface g1/0/1
HRP_S[FW1]hrp track bfd-session 13
[FW2]hrp enable
HRP_S[FW2]hrp interface g1/0/3 remote 10.1.3.1
HRP_S[FW2]hrp track interface g1/0/2
HRP_S[FW2]hrp track bfd-session 24
```

9. Configure static default routes

```
HRP_M[FW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.3
HRP_S[FW2]ip route-static 0.0.0.0 0.0.0.0 10.1.2.4
```

10. Verification

Ping PC2 from PC1.

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248145825250.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248165399426.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

After shutting down interface g0/0/0 on AR1, a tracert to PC2 shows that the path has switched over automatically.

![image.png](http://www.icode9.com/i/li/?n=2&i=images/20210609/1623248176675561.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
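The BFD discriminators in step 5 and the `hrp track bfd-session` references in step 8 have to agree across four devices, and a single mismatch leaves a session down and the HRP tracking silently ineffective. The script below is an added example, not part of the original post, that parses the VRP CLI lines as they appear in this article and reports such mismatches before the configuration is applied. The sample text reproduces the page's BFD and HRP lines with AR2's `discriminator local` line left out (as in the original post) to show what the checker reports; the device prompts and regular expressions are this example's own assumptions about the transcript format, not a Huawei tool.

```python
import re

# Prompt format as shown in the article: optional HRP_M/HRP_S prefix, device name,
# optional "-<view>" suffix, then the command. Assumption: device names have no hyphen.
PROMPT_RE = re.compile(r"^(?:HRP_[MS])?\[([^\]\-]+)(?:-([^\]]+))?\](.*)$")

# Constructed sample: the BFD and HRP tracking lines from steps 5 and 8 of the page,
# with AR2's "discriminator local 42" deliberately missing.
PAGE_BFD_CONFIG = """
[FW1]bfd bfd_1 bind peer-ip 10.1.20.3
[FW1-bfd-session-bfd_1]discriminator local 13
[FW1-bfd-session-bfd_1]discriminator remote 31
[FW2]bfd bfd_2 bind peer-ip 10.1.20.4
[FW2-bfd-session-bfd_2]discriminator local 24
[FW2-bfd-session-bfd_2]discriminator remote 42
[AR1]bfd 1 bind peer-ip 10.1.1.1
[AR1-bfd-session-1]discriminator local 31
[AR1-bfd-session-1]discriminator remote 13
[AR2]bfd 2 bind peer-ip 10.1.2.2
[AR2-bfd-session-2]discriminator remote 24
HRP_S[FW1]hrp track bfd-session 13
HRP_S[FW2]hrp track bfd-session 24
"""


def parse_cli(text):
    """Collect BFD sessions and hrp track references per device from a CLI transcript."""
    sessions = {}  # (device, session name) -> {"peer", "local", "remote"}
    tracks = {}    # device -> set of discriminators referenced by hrp track bfd-session
    for raw in text.strip().splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        device, view, cmd = m.group(1), m.group(2) or "", m.group(3).strip()
        mm = re.match(r"bfd (\S+) bind peer-ip (\S+)$", cmd)
        if mm:  # session created in system view
            sessions[(device, mm.group(1))] = {"peer": mm.group(2), "local": None, "remote": None}
            continue
        mm = re.match(r"discriminator (local|remote) (\d+)$", cmd)
        if mm and view.startswith("bfd-session-"):  # inside the session view
            name = view[len("bfd-session-"):]
            entry = sessions.setdefault((device, name), {"peer": None, "local": None, "remote": None})
            entry[mm.group(1)] = int(mm.group(2))
            continue
        mm = re.match(r"hrp track bfd-session (\d+)$", cmd)
        if mm:
            tracks.setdefault(device, set()).add(int(mm.group(1)))
    return sessions, tracks


def check_bfd_hrp(text):
    """Return a sorted list of human-readable findings; an empty list means consistent."""
    sessions, tracks = parse_cli(text)
    findings = []
    # 1. every session needs both discriminators before it can be committed usefully
    for (dev, name), s in sorted(sessions.items()):
        missing = [k for k in ("local", "remote") if s[k] is None]
        if missing:
            findings.append(f"{dev} session {name}: missing {' and '.join(missing)} discriminator")
    # 2. every complete session needs a mirror image on another device (local<->remote swapped)
    for (dev, name), s in sorted(sessions.items()):
        if s["local"] is None or s["remote"] is None:
            continue
        mirrored = [p for (d2, _), p in sessions.items()
                    if d2 != dev and p["local"] == s["remote"] and p["remote"] == s["local"]]
        if not mirrored:
            findings.append(f"{dev} session {name}: no peer session with local {s['remote']} / remote {s['local']}")
    # 3. hrp track bfd-session must name a local discriminator configured on that firewall
    for dev, discs in sorted(tracks.items()):
        local_ids = {s["local"] for (d, _), s in sessions.items() if d == dev}
        for disc in sorted(discs):
            if disc not in local_ids:
                findings.append(f"{dev}: hrp track bfd-session {disc} does not match any local discriminator")
    return findings


if __name__ == "__main__":
    for line in check_bfd_hrp(PAGE_BFD_CONFIG) or ["no findings"]:
        print(line)
```

Run against the sample, the checker flags AR2's incomplete session and, as a consequence, FW2's session having no mirror; appending `[AR2-bfd-session-2]discriminator local 42` clears both findings. The same pass can be run over a full `display current-configuration` transcript as long as the prompt format matches.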

Source: https://blog.51cto.com/u_13699905/2887253
