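eNSP USG6000V Dual-Firewall Hot Standby Lab
Note: the interfaces must sit in the same positions on both firewalls (for example, both uplink ports are 1/0/0). Otherwise, when the primary firewall fails, the policy backed up to the standby firewall, which is identical to the primary's, will not take effect.
1: Configure the interface IPs (omitted)
2: Configure the security zones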
[fw1]firewall zone trust
[fw1-zone-trust]add interface GigabitEthernet 1/0/1
[fw1-zone-trust]q
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface g1/0/0
[fw1-zone-untrust]q
[fw1]firewall zone dmz
[fw1-zone-dmz]add int g1/0/6
[fw1-zone-dmz]q
[fw2]firewall zone trust
[fw2-zone-trust]add int g1/0/1
[fw2-zone-trust]q
[fw2]firewall zone untrust
[fw2-zone-untrust]add int g1/0/0
[fw2-zone-untrust]q
[fw2]firewall zone dmz
[fw2-zone-dmz]add int g1/0/6
[fw2-zone-dmz]q
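3: Configure the VRRP groups (this lab needs two VRRP groups: the two upper g1/0/0 ports form one group and the two lower 1/0/1 ports form the other; the upper group uses vrid 2 and the lower group uses vrid 1)
>>>## Group 2 configuration
[fw1]int g1/0/0
[fw1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 active //group 2, set as the master of group 2
[fw1-GigabitEthernet1/0/0]q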
[fw2]int g1/0/0
[fw2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 192.168.1.254 standby //group 2, set as the standby of group 2
[fw2-GigabitEthernet1/0/0]q
>>>## Group 1 configuration
[fw1]int g1/0/1
[fw1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 active
[fw1-GigabitEthernet1/0/1]q
[fw2]int g1/0/1
[fw2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[fw2-GigabitEthernet1/0/1]q
4: Configure the HRP heartbeat link
[fw1]hrp interface g1/0/6 remote 172.16.1.2
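[fw2]hrp interface g1/0/6 remote 172.16.1.1 //specify the heartbeat interface and the IP of the peer interface
[fw2]hrp standby-device //designate this firewall as the standby device
[fw2]hrp enable //enable HRP
[fw1]hrp enable //enable HRP
The firewall state will change to this ↓
5: Configure the security policy (it now only needs to be configured on the active device; the policy is synchronized to the standby device automatically). The (+B) appears by itself after you press Enter.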
HRP_M[fw1]security-policy (+B)
HRP_M[fw1-policy-security]rule name name1  (+B)
HRP_M[fw1-policy-security-rule-name1]source-zone trust  (+B)
HRP_M[fw1-policy-security-rule-name1]destination-zone untrust  (+B)
HRP_M[fw1-policy-security-rule-name1]source-address 10.1.1.1 24 (+B)
HRP_M[fw1-policy-security-rule-name1]destination-address 192.168.1.1 24 (+B)
HRP_M[fw1-policy-security-rule-name1]service icmp (+B)
HRP_M[fw1-policy-security-rule-name1]action permit  (+B)
HRP_M[fw1-policy-security-rule-name1]q
HRP_M[fw1-policy-security]q
Shut down one interface
Two packets are lost, then ping works normally again
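The note at the top says both firewalls must use the same interface positions, and steps 2 to 4 pair them by zone, VRRP group and heartbeat port. The script below is an added example, not part of the original lab: it parses the commands entered on each firewall and lists any pairing mismatch. The names norm, parse and compare are hypothetical, and the sample input is constructed from the commands shown above.

```python
import re
# Constructed sample input: this lab's fw1 commands with the prompts removed.
FW1 = """firewall zone trust
add interface GigabitEthernet 1/0/1
firewall zone untrust
add interface g1/0/0
firewall zone dmz
add int g1/0/6
int g1/0/0
vrrp vrid 2 virtual-ip 192.168.1.254 active
int g1/0/1
vrrp vrid 1 virtual-ip 10.1.1.254 active
hrp interface g1/0/6 remote 172.16.1.2"""
# fw2 differs only in its VRRP role and its HRP peer address.
FW2 = FW1.replace("active", "standby").replace("172.16.1.2", "172.16.1.1")

def norm(name):  # simplification: 'g1/0/1' and '1/0/1' both become '1/0/1'
    return re.search(r"\d+/\d+/\d+", name).group()

def parse(cfg):
    """Return (zone -> interfaces, interface -> (vrid, vip, role), HRP interface)."""
    zones, vrrp, hrp, zone, intf = {}, {}, None, None, None
    for line in cfg.splitlines():
        w = re.sub(r"^\S*\]", "", line.strip()).split()  # drop a '[fw1-...]' prompt
        if w[:2] == ["firewall", "zone"]:
            zone = w[2]
        elif w[:1] == ["add"]:
            zones.setdefault(zone, set()).add(norm(w[-1]))
        elif w[:2] == ["vrrp", "vrid"]:  # assumes the role keyword is present
            vrrp[intf] = (w[2], w[4], w[5])
        elif w[:2] == ["hrp", "interface"]:
            hrp = norm(w[2])
        elif w and w[0].startswith("int"):
            intf = norm(w[-1])
    return zones, vrrp, hrp

def compare(cfg_a, cfg_b):
    """List the ways two firewalls break this lab's pairing rules."""
    (za, va, ha), (zb, vb, hb) = parse(cfg_a), parse(cfg_b)
    issues = [f"zone {z}: interfaces differ"
              for z in sorted(set(za) | set(zb)) if za.get(z) != zb.get(z)]
    for i in sorted(set(va) | set(vb)):
        a, b = va.get(i), vb.get(i)
        if not a or not b or a[:2] != b[:2]:
            issues.append(f"{i}: vrid/virtual-ip differ")
        elif {a[2], b[2]} != {"active", "standby"}:
            issues.append(f"{i}: need one active and one standby")
    if ha != hb:
        issues.append("hrp heartbeat interface differs")
    return issues
```

An empty list from compare(FW1, FW2) means the pair matches; lines copied from a session with their [fw1-...] prompts are accepted too.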