Low-end firewall HRP misconfiguration causes failover to fail

Published: 2014-09-11
Problem description
Two firewalls run VRRP master/backup toward the intranet. When the external link (to vendor C's 7X00) goes down, both the traffic and the master role are required to switch to the backup firewall. During testing, when the link from the Master firewall to vendor C's 7X00 was disconnected, the firewalls did not fail over.
Alarm information
N/A
Handling process
[USG] interface GigabitEthernet 1/0/0
[USG-GigabitEthernet1/0/0] ip address 10.48.3.35 27
[USG-GigabitEthernet1/0/0] vrrp vrid 21 virtual-ip 10.48.3.34
[USG-GigabitEthernet1/0/0] vrrp vrid 21 priority 110
[USG-GigabitEthernet1/0/0] vrrp vrid 21 track GigabitEthernet 1/0/1 reduced 20      /**This command was missing before. As a result, after the link between the master firewall and vendor C's 7X00 went down, this firewall still acted as master toward the intranet, and traffic received from the intranet could not be forwarded externally**/
[USG-GigabitEthernet1/0/0] quit

[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 1/0/0   #Which zone the interface is added to should be decided according to the live network
[USG-zone-trust] quit

[USG] interface e2/0/1
[USG-Ethernet2/0/1] ip address 1.1.1.2 29
[USG-Ethernet2/0/1] vrrp vrid 31 virtual-ip 1.1.1.1
[USG-Ethernet2/0/1] quit

[USG] firewall zone dmz
[USG-zone-dmz] add interface Ethernet 2/0/1    #Which zone the interface is added to should be decided according to the live network
[USG-zone-dmz] quit

[USG] vrrp group 1
[USG-vrrpgroup-1] add interface Ethernet 2/0/1 vrrp vrid 31 data
[USG-vrrpgroup-1] add interface GigabitEthernet 1/0/0 vrrp vrid 21 data
[USG-vrrpgroup-1] vrrp-group enable
[USG-vrrpgroup-1] vrrp-group priority using-vrrppriority
[USG-vrrpgroup-1] vrrp-group preempt delay 20000
[USG-vrrpgroup-1] quit

[USG] hrp enable
[USG] hrp interface Ethernet 2/0/1
[USG] hrp ospf-cost adjust-enable

<USG> save


Backup firewall configuration script:
[USG] interface GigabitEthernet 1/0/0
[USG-GigabitEthernet1/0/0] ip address 10.48.3.36 27
[USG-GigabitEthernet1/0/0] vrrp vrid 21 virtual-ip 10.48.3.34

[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 1/0/0   #Which zone the interface is added to should be decided according to the live network
[USG-zone-trust] quit

[USG] interface e2/0/1
[USG-Ethernet2/0/1] ip address 1.1.1.3 29
[USG-Ethernet2/0/1] vrrp vrid 31 virtual-ip 1.1.1.1
[USG-Ethernet2/0/1] quit

[USG] firewall zone dmz
[USG-zone-dmz] add interface Ethernet 2/0/1    #Which zone the interface is added to should be decided according to the live network
[USG-zone-dmz] quit

[USG] vrrp group 1
[USG-vrrpgroup-1] add interface Ethernet 2/0/1 vrrp vrid 31 data
[USG-vrrpgroup-1] add interface GigabitEthernet 1/0/0 vrrp vrid 21 data
[USG-vrrpgroup-1] vrrp-group enable
[USG-vrrpgroup-1] vrrp-group priority using-vrrppriority
[USG-vrrpgroup-1] quit

[USG] hrp enable
[USG] hrp interface Ethernet 2/0/1
[USG] hrp ospf-cost adjust-enable
Root cause
Incorrect VRRP configuration caused the HRP switchover to fail
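To make the failure mechanism concrete, here is an added example (not part of the original case or of Huawei's tooling) that parses a USG-style VRRP script, flags VRIDs with a raised priority but no tracked uplink, and evaluates the simplified priority arithmetic: the backup peer is assumed to run at the default priority 100, and the master yields only once its tracked reduction drops it below that.

```python
import re

# Constructed sample based on the master firewall script above,
# first without the track command (the misconfiguration), then with it.
BEFORE = """\
interface GigabitEthernet 1/0/0
 ip address 10.48.3.35 27
 vrrp vrid 21 virtual-ip 10.48.3.34
 vrrp vrid 21 priority 110
 quit
interface Ethernet 2/0/1
 vrrp vrid 31 virtual-ip 1.1.1.1
 quit
"""
TRACK = " vrrp vrid 21 track GigabitEthernet 1/0/1 reduced 20\n"
AFTER = BEFORE.replace(" vrrp vrid 21 priority 110\n", " vrrp vrid 21 priority 110\n" + TRACK)

DEFAULT_PRIORITY = 100  # VRRP priority used when none is configured (assumed for the peer)

def parse_vrrp(config):
    """Map vrid -> {interface, priority, tracks: [(iface, reduced)]} from a USG-style script."""
    groups, iface = {}, None
    grp = lambda v: groups.setdefault(v, {"interface": iface, "priority": DEFAULT_PRIORITY, "tracks": []})
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)\s*(\S*)$", line):
            iface = m.group(1) + m.group(2)  # "GigabitEthernet 1/0/0" -> "GigabitEthernet1/0/0"
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip ", line):
            grp(int(m.group(1)))
        elif m := re.match(r"vrrp vrid (\d+) priority (\d+)$", line):
            grp(int(m.group(1)))["priority"] = int(m.group(2))
        elif m := re.match(r"vrrp vrid (\d+) track (\S+)\s*(\S*) reduced (\d+)$", line):
            grp(int(m.group(1)))["tracks"].append((m.group(2) + m.group(3), int(m.group(4))))
    return groups

def untracked_masters(config):
    """Audit: VRIDs that raise their priority but track no uplink, so they never yield mastership."""
    return sorted(v for v, g in parse_vrrp(config).items()
                  if g["priority"] > DEFAULT_PRIORITY and not g["tracks"])

def effective_priority(group, down_interfaces):
    """Priority after subtracting 'reduced' for every tracked interface that is down."""
    p = group["priority"] - sum(r for i, r in group["tracks"] if i in down_interfaces)
    return max(p, 1)

def backup_takes_over(config, vrid, down_interfaces, backup_priority=DEFAULT_PRIORITY):
    """Simplified model: the backup becomes master once the master's priority drops below its own."""
    return effective_priority(parse_vrrp(config)[vrid], down_interfaces) < backup_priority

if __name__ == "__main__":
    print("untracked VRIDs before fix:", untracked_masters(BEFORE))
    print("failover after fix:", backup_takes_over(AFTER, 21, {"GigabitEthernet1/0/1"}))
```

The model ignores the vrrp-group aggregation and preempt delay shown in the script; it only demonstrates why a priority of 110 with no track never falls below the peer's 100 when the uplink fails.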
Suggestions and summary
