HCIE-Security Day14：防火牆雙機熱備實驗（二）防火牆直路部署，上下行連接配接路由器

vgmp與vrrp的配合隻适用于防火牆連接配接二層裝置的組網，如果上下行裝置是路由器，就不能使用vrrp備份組，這時vgmp組直接監控接口狀态來進行故障監控。具體是直接将接口加入vgmp組，當vgmp組中的接口故障時，vgmp組會直接感覺到接口狀态變化，進而降低自身優先級。

實驗二：防火牆直路部署，上下行連接配接路由器

需求和拓撲

兩台FW的業務接口都工作在三層，上下行分别連接配接路由器。FW與上下行路由器之間運作OSPF協定。現在希望兩台FW以主備備份方式工作。正常情況下，流量通過FW_A轉發。當FW_A出現故障時，流量通過FW_B轉發，保證業務不中斷。

操作步驟

1、配置接口ip和安全區域

2、配置ospf路由

r1/r2/r3/r4/f1/f2開啟ospf程序1，将相連網段加入區域0

3、配置雙機熱備功能

3.1 配置vgmp組監控上下行業務接口

//f1/f2

hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/1      

3.2 配置根據vgmp狀态調整ospf cost值功能，配置這個指令後，fw釋出ospf路由時，會判斷自身是主用裝置還是備用裝置，如果是主用裝置，fw會把學習到的路由直接釋出出去，如果是備用裝置，fw會增加cost值後再将路由釋出出去，這樣上下行路由器在計算路由時，就能将下一跳指向主用裝置，并把封包轉發到主用裝置上。 

//f1/f2


hrp adjust ospf-cost enable      

3.3 指定心跳口并啟用雙機熱備功能

f1/f2
hrp interface g1/0/6 remote 10.10.0.1/2
hrp enable      

4、配置安全政策

4.1 允許fw與上下行路由器互動ospf封包

//f1配置，f2自動同步
security-policy
 rule name 1
  source-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
 rule name 2
  source-zone untrust
  destination-zone local
  service ospf
  action permit      

4.2 允許内網使用者通路外網

rule name 3
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 mask 255.255.255.0
  source-address 10.3.3.0 mask 255.255.255.0
  action permit      

驗證和分析

1、檢查fw1和fw2的ospf鄰居建立關系

//f1
dis ospf peer brief
2022-02-16 00:14:41.880 

   OSPF Process 1 with Router ID 11.11.11.11
      Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet1/0/0             3.3.3.3          Full        
 0.0.0.0          GigabitEthernet1/0/1             1.1.1.1          Full        
 ----------------------------------------------------------------------------
 Total Peer(s):     2
//f2
dis ospf peer brief 
2022-02-16 00:18:02.950 

   OSPF Process 1 with Router ID 22.22.22.22
      Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet1/0/0             4.4.4.4          Full        
 0.0.0.0          GigabitEthernet1/0/1             2.2.2.2          Full        
 ----------------------------------------------------------------------------
 Total Peer(s):     2      

2、檢查上下行路由器路由開銷

[r3]dis ip routing-table protocol ospf 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       10.2.0.0/24  OSPF    10   2           D   10.3.0.1        GigabitEthernet0/0/1
       10.2.1.0/24  OSPF    10   4           D   10.3.0.1        GigabitEthernet0/0/1
       10.3.1.0/24  OSPF    10   2           D   34.1.1.4        GigabitEthernet0/0/0
       10.3.3.0/24  OSPF    10   2           D   34.1.1.4        GigabitEthernet0/0/0
       12.1.1.0/24  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       15.1.1.0/24  OSPF    10   3           D   10.3.0.1        GigabitEthernet0/0/1
       25.1.1.0/24  OSPF    10   4           D   10.3.0.1        GigabitEthernet0/0/1


<r4>dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       10.2.0.0/24  OSPF    10   3           D   34.1.1.3        GigabitEthernet0/0/0
       10.2.1.0/24  OSPF    10   5           D   34.1.1.3        GigabitEthernet0/0/0
       10.3.0.0/24  OSPF    10   2           D   34.1.1.3        GigabitEthernet0/0/0
       10.3.2.0/24  OSPF    10   2           D   34.1.1.3        GigabitEthernet0/0/0
       12.1.1.0/24  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       15.1.1.0/24  OSPF    10   4           D   34.1.1.3        GigabitEthernet0/0/0
       25.1.1.0/24  OSPF    10   5           D   34.1.1.3        GigabitEthernet0/0/0

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0      

可見經過r3通路r5開銷小于r4，r4的開銷比r3大1，這個1是因為從r4通路r5經過r3，為什麼不經過fw2呢？因為經過fw2的開銷太大了 。

dis ip routing-table protocol ospf | include 5.5.5.5
2022-02-16 00:38:09.180 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 9        Routes : 9        

OSPF routing table status : <Active>
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        5.5.5.5/32  OSPF    10   65501       D   10.2.1.2        GigabitEthernet1/0/1

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0      

如果fw1故障，業務會被上下行路由器的路由資訊引導到fw2上，fw2上有同步過fw1的會話表項，是以業務得以正常傳輸。

HRP_M<f1>dis fire session table 
2022-02-16 00:49:33.150 
 Current Total Sessions : 4
 udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 telnet  VPN: public --> public  10.3.0.2:49804 --> 5.5.5.5:23

HRP_S<f2>dis fire sess table
2022-02-16 00:50:01.270 
 Current Total Sessions : 4
 udp  VPN: public --> public  10.10.0.1:49152 --> 10.10.0.2:18514
 udp  VPN: public --> public  10.10.0.2:49152 --> 10.10.0.1:18514
 udp  VPN: public --> public  10.10.0.1:16384 --> 10.10.0.2:18514
 telnet  VPN: public --> public  Remote 10.3.0.2:49804 --> 5.5.5.5:23
HRP_S<f2>