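Huawei USG firewall hot standby: changing the IP addresses of the HA interfaces (the IPs are changed without a network outage, but an active/standby switchover is required; in hot standby, only the active device can change the IP addresses)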


ha-20230627-165009.zip (EVE topology).

Configuration before the HA heartbeat interface change:

fw1_2023.06.27.18时30分15秒.txt

sw1_2023.06.27.18时31分33秒.txt

fw2_2023.06.27.18时30分59秒.txt

sw2--2023.06.27.18时32分33秒.txt

Configuration after the HA heartbeat interface change:

fw1_2023.06.27.22时43分18秒.txt

fw2_2023.06.27.22时46分21秒.txt

sw1_2023.06.27.22时44分32秒.txt

sw2_2023.06.27.22时44分48秒.txt

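Requirement: move the heartbeat interfaces to a new IP address range

Current configuration:
Huawei USG firewall FW1 (heartbeat interfaces):
G1/0/1  10.10.1.1/24
G1/0/0  10.10.0.1/24
Huawei USG firewall FW2 (heartbeat interfaces):
G1/0/1  10.10.1.2/24
G1/0/0  10.10.0.2/24
New configuration:
Huawei USG firewall FW1 (heartbeat interfaces):
G1/0/1  11.10.1.1/24
G1/0/0  11.10.0.1/24
Huawei USG firewall FW2 (heartbeat interfaces):
G1/0/1  11.10.1.2/24
G1/0/0  11.10.0.2/24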

(1) Topology

image.png

(2) Basic configuration

fw1:

interface GigabitEthernet0/0/0

 undo shutdown

 ip address 10.12.3.1 255.255.0.0

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 10.10.0.1 255.255.255.0

interface GigabitEthernet1/0/1

 undo shutdown                            

 ip address 10.10.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 undo shutdown

 ip address 192.168.2.1 255.255.255.0

#

interface GigabitEthernet1/0/3

 undo shutdown

 ip address 172.16.2.1 255.255.255.0

firewall zone local

 set priority 100

#

firewall zone trust

 set priority 85

 add interface GigabitEthernet0/0/0

 add interface GigabitEthernet1/0/3       

#

firewall zone untrust

 set priority 5

 add interface GigabitEthernet1/0/2

#

firewall zone dmz

 set priority 50

 add interface GigabitEthernet1/0/1

 add interface GigabitEthernet1/0/0

#

ip route-static 192.168.125.0 255.255.255.0 10.12.12.253


fw2:

interface GigabitEthernet0/0/0

 undo shutdown

 ip address 10.12.3.2 255.255.0.0

#

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 10.10.0.2 255.255.255.0

#

interface GigabitEthernet1/0/1

 undo shutdown                            

 ip address 10.10.1.2 255.255.255.0

#

interface GigabitEthernet1/0/2

 undo shutdown

 ip address 192.168.2.2 255.255.255.0

#

interface GigabitEthernet1/0/3

 undo shutdown

 ip address 172.16.2.2 255.255.255.0

#

firewall zone trust

 set priority 85

 add interface GigabitEthernet0/0/0

 add interface GigabitEthernet1/0/3       

#

firewall zone untrust

 set priority 5

 add interface GigabitEthernet1/0/2

#

firewall zone dmz

 set priority 50

 add interface GigabitEthernet1/0/1

 add interface GigabitEthernet1/0/0

#

ip route-static 192.168.125.0 255.255.255.0 10.12.12.253

#



sw1:

interface Vlanif2

 ip address 192.168.2.100 255.255.255.0

#

interface GE1/0/0

 undo shutdown

 port default vlan 2

#

interface GE1/0/1

 undo shutdown

 port default vlan 2

#

interface GE1/0/2

 undo portswitch

 undo shutdown

 ip address 192.168.1.254 255.255.255.0


sw2:

interface Vlanif1

 ip address 172.16.2.100 255.255.255.0

interface GE1/0/0

 undo shutdown

#

interface GE1/0/1

 undo shutdown

#

interface GE1/0/2

 undo portswitch

 undo shutdown

 ip address 172.16.1.254 255.255.255.0

(3) OSPF configuration

fw1:

ospf 100

 area 0.0.0.0

  network 172.16.2.0 0.0.0.255

  network 192.168.2.0 0.0.0.255

fw2:

ospf 100

 area 0.0.0.0

  network 172.16.2.0 0.0.0.255

  network 192.168.2.0 0.0.0.255

sw1:

ospf 100

 area 0.0.0.0

  network 0.0.0.0 255.255.255.255

sw2:

ospf 100

 area 0.0.0.0

  network 0.0.0.0 255.255.255.255


(4) HA configuration

fw1:

#

 hrp enable

 hrp interface GigabitEthernet1/0/1 remote 10.10.1.2

 hrp interface GigabitEthernet1/0/0 remote 10.10.0.2

 hrp track interface GigabitEthernet1/0/3

#

interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.2.254 active
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 172.16.2.1 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.2.254 active


fw2:

#

 hrp enable

 hrp interface GigabitEthernet1/0/1 remote 10.10.1.1

 hrp interface GigabitEthernet1/0/0 remote 10.10.0.1

 hrp track interface GigabitEthernet1/0/3

#

interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.2.254 standby
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 172.16.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.2.254 standby


HRP_M[fw1]display hrp state  #Displays the hot standby status.

2023-06-27 12:30:49.580 

 Role: active, peer: standby

 Running priority: 45000, peer: 45000

 Backup channel usage: 0.00%

 Stable time: 0 days, 0 hours, 4 minutes

 Last state change information: 2023-06-27 12:26:06 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

HRP_M[fw1]


HRP_S[fw2]display hrp state 

2023-06-27 12:30:57.290 

 Role: standby, peer: active

 Running priority: 45000, peer: 45000

 Backup channel usage: 0.00%

 Stable time: 0 days, 0 hours, 4 minutes

 Last state change information: 2023-06-27 12:26:06 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

HRP_S[fw2]


Check the heartbeat interfaces

HRP_M[fw1]display hrp interface 

2023-06-27 12:36:19.310 

             GigabitEthernet1/0/1 : running

             GigabitEthernet1/0/0 : ready

HRP_M[fw1]


HRP_S[fw2]display hrp interface 

2023-06-27 12:36:36.020 

             GigabitEthernet1/0/1 : running

             GigabitEthernet1/0/0 : ready

HRP_S[fw2]


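(5.1) With both heartbeat links working normally, change the IP address of the second heartbeat interface on the master device fw1, i.e. change the heartbeat interface in the ready state first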

HRP_M[fw1]int GigabitEthernet 1/0/0 (+B)

HRP_M[fw1-GigabitEthernet1/0/0]dis this

2023-06-27 12:41:23.710 

#

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 10.10.0.1 255.255.255.0

 undo service-manage enable

#

return

HRP_M[fw1-GigabitEthernet1/0/0]ip address 11.10.0.1 24

HRP_M[fw1-GigabitEthernet1/0/0]dis this

2023-06-27 12:41:36.240 

#

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 11.10.0.1 255.255.255.0

 undo service-manage enable

#

return

HRP_M[fw1-GigabitEthernet1/0/0]

HRP_M[fw1]display hrp interface 

2023-06-27 12:42:09.280 

             GigabitEthernet1/0/1 : running

             GigabitEthernet1/0/0 : negotiation failed

HRP_M[fw1]

(5.2) Change the heartbeat configuration on the master device

HRP_M[fw1]hrp interface GigabitEthernet1/0/0 remote 11.10.0.2

This can also be configured in the web UI.

(5.3) Switch the standby device fw2 to become the active device

HRP_S[fw2]hrp switch active 


(5.4) Check that the network is working normally, and check the state of the HRP heartbeat links


(5.5) On the second device fw2 (the current active device), change the IP address of the second interface (the interface currently in the negotiation failed state)

HRP_M[fw2]display hrp interface 

2023-06-27 12:45:18.240 

             GigabitEthernet1/0/1 : running

             GigabitEthernet1/0/0 : negotiation failed

HRP_M[fw2]

#

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 10.10.0.2 255.255.255.0

 service-manage ping permit

#

HRP_M[fw2]int GigabitEthernet 1/0/0

HRP_M[fw2-GigabitEthernet1/0/0]ip address 11.10.0.2 24

HRP_M[fw2]int GigabitEthernet 1/0/0 (+B)

HRP_M[fw2-GigabitEthernet1/0/0]dis this

interface GigabitEthernet1/0/0

 undo shutdown

 ip address 11.10.0.2 255.255.255.0

 service-manage ping permit



hrp interface GigabitEthernet1/0/0 remote 11.10.0.1

HRP_M[fw2]display current-configuration | include remote
2023-06-27 13:52:59.360
 hrp interface GigabitEthernet1/0/1 remote 10.10.1.1
 hrp interface GigabitEthernet1/0/0 remote 11.10.0.1
HRP_M[fw2]
HRP_M[fw2]display hrp interface
2023-06-27 13:53:05.980
             GigabitEthernet1/0/1 : running
             GigabitEthernet1/0/0 : ready
HRP_M[fw2]



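(5.6) Confirm that the second interface of the second device fw2 (the current active device), i.e. G1/0/0 (the interface whose IP was just changed), is in the ready state, then change the configuration of the first interface, G1/0/1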


HRP_M[fw2]int GigabitEthernet 1/0/1
HRP_M[fw2-GigabitEthernet1/0/1]ip address 11.10.1.2 255.255.255.0
HRP_M[fw2-GigabitEthernet1/0/1]quit
HRP_M[fw2]hrp interface GigabitEthernet1/0/1 remote 11.10.1.1
HRP_M[fw2]


(5.7) Switch fw1 to become the active device (master device)

HRP_S[fw1]hrp switch active 


(5.8) Change the IP address of G1/0/1 and the peer IP address of the heartbeat interface


Done.

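Summary:

Requirement: move the heartbeat interfaces to a new IP address range

Current configuration:
Huawei FW1 (heartbeat interfaces):
G1/0/1  10.10.1.1/24
G1/0/0  10.10.0.1/24
Huawei FW2 (heartbeat interfaces):
G1/0/1  10.10.1.2/24
G1/0/0  10.10.0.2/24

New configuration:
Huawei FW1 (heartbeat interfaces):
G1/0/1  11.10.1.1/24
G1/0/0  11.10.0.1/24
Huawei FW2 (heartbeat interfaces):
G1/0/1  11.10.1.2/24
G1/0/0  11.10.0.2/24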

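Notes:
(1) In hot standby, only the active device can change the IP addresses.
display hrp state  #Display the hot standby status
display hrp interface #Display the heartbeat interface status
running: the interface is the heartbeat interface currently in use.
ready: the interface is the backup heartbeat interface.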
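
The rule from the notes above (change addresses only on the active device, and only re-address a heartbeat interface while another heartbeat link is running or ready) written as a pre-change gate over the output of display hrp state and display hrp interface. This is an added example, not part of the original post; the sample outputs are constructed to match the captures on this page, and the function names are hypothetical.

```python
import re

# Constructed sample output, modelled on the captures shown on this page.
HRP_STATE = """\
HRP_M[fw1]display hrp state
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
"""
HRP_INTERFACE = """\
HRP_M[fw1]display hrp interface
2023-06-27 12:36:19.310
             GigabitEthernet1/0/1 : running
             GigabitEthernet1/0/0 : ready
"""

def parse_role(state_text):
    """Local role ('active' or 'standby') from 'display hrp state' output."""
    m = re.search(r"^\s*Role:\s*(\w+)", state_text, re.MULTILINE)
    return m.group(1) if m else None

def parse_heartbeats(iface_text):
    """Map heartbeat interface name -> state from 'display hrp interface'."""
    rows = re.findall(r"^\s*([A-Za-z]\S*)\s+:\s*(.+?)\s*$", iface_text, re.MULTILINE)
    return dict(rows)

def safe_to_readdress(state_text, iface_text, target):
    """Return (ok, reason) for changing the IP of heartbeat interface `target`."""
    if parse_role(state_text) != "active":
        return False, "local device is not active"
    hb = parse_heartbeats(iface_text)
    if target not in hb:
        return False, f"{target} is not a heartbeat interface"
    # Another link must carry the heartbeat while `target` is renegotiating.
    spare = [n for n, s in hb.items() if n != target and s in ("running", "ready")]
    if not spare:
        return False, "no other heartbeat link is running or ready"
    return True, f"heartbeat remains available on {spare[0]}"

if __name__ == "__main__":
    print(safe_to_readdress(HRP_STATE, HRP_INTERFACE, "GigabitEthernet1/0/0"))
```

With G1/0/0 in the negotiation failed state, the same call for G1/0/1 is refused, which is the check step (5.6) performs by hand.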

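Implementation steps:
---#FW1--------------------------------------------
(1.1) With both heartbeat links working normally, change the IP address of the second heartbeat interface on the master device FW1, i.e. change the heartbeat interface in the ready state first
#FW1
display hrp interface #Display the heartbeat interface status
(1.2) Change the IP of G1/0/0
#FW1
interface GigabitEthernet1/0/0
 ip address 11.10.0.1 255.255.255.0
(1.3) Change the peer IP address of the heartbeat interface
#FW1
hrp interface GigabitEthernet1/0/0 remote 11.10.0.2

---#FW2--------------------------------------------
(2) Switch the standby device to active
#FW2
hrp switch active


(3.1) Change the IP of FW2's interface G1/0/0
#FW2
interface GigabitEthernet1/0/0
 ip address 11.10.0.2 255.255.255.0
(3.2) Change FW2's heartbeat configuration
hrp interface GigabitEthernet1/0/0 remote 11.10.0.1

(3.3) Confirm that the state of interface G1/0/0 is ready or running
display hrp interface #Display the heartbeat interface status

(4.1) Change the IP of FW2's interface G1/0/1
#FW2
interface GigabitEthernet1/0/1
 ip address 11.10.1.2 255.255.255.0
(4.2) Change FW2's heartbeat configuration
hrp interface GigabitEthernet1/0/1 remote 11.10.1.1

---#FW1--------------------------------------------

(5) Confirm that the state of FW1's G1/0/0 interface is running
#FW1
display hrp interface #Display the heartbeat interface status

(6.1) Change the IP of FW1's interface G1/0/1
#FW1
interface GigabitEthernet1/0/1
 ip address 11.10.1.1 255.255.255.0
(6.2) Change FW1's heartbeat configuration
hrp interface GigabitEthernet1/0/1 remote 11.10.1.2

(7) Check the final configuration
display hrp state  #Display the hot standby status
display hrp interface #Display the heartbeat interface status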
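
A consistency check to run over both saved configurations after the change: each hrp interface ... remote address has to sit in the local heartbeat interface's subnet and match the peer's address on that interface, otherwise the link ends up in negotiation failed. This is an added example, not the author's code; it assumes the same interface name carries the same heartbeat link on both firewalls (as on this page), and FW1_BAD is a constructed config with a deliberately wrong remote.

```python
import ipaddress
import re

def parse(cfg):
    """Return ({iface: ip_interface}, {iface: remote_ip}) from a config snippet."""
    addrs, remotes, cur = {}, {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur:
            addrs[cur] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"hrp interface (\S+) remote (\S+)$", line):
            remotes[m.group(1)] = ipaddress.ip_address(m.group(2))
    return addrs, remotes

def check_pair(local_cfg, peer_cfg):
    """List problems with the local 'hrp interface ... remote' lines."""
    addrs, remotes = parse(local_cfg)
    peer_addrs, _ = parse(peer_cfg)
    problems = []
    for ifname, remote in remotes.items():
        local = addrs.get(ifname)
        if local is None:
            problems.append(f"{ifname}: no local IP configured")
        elif remote not in local.network:
            problems.append(f"{ifname}: remote {remote} outside {local.network}")
        elif ifname in peer_addrs and peer_addrs[ifname].ip != remote:
            problems.append(f"{ifname}: remote {remote} != peer {peer_addrs[ifname].ip}")
    return problems

# Constructed configs; FW1_BAD points G1/0/0 at an address in the G1/0/1 subnet.
FW1_BAD = """
interface GigabitEthernet1/0/0
 ip address 11.10.0.1 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 11.10.1.1 255.255.255.0
hrp interface GigabitEthernet1/0/1 remote 11.10.1.2
hrp interface GigabitEthernet1/0/0 remote 11.10.1.2
"""
FW2 = """
interface GigabitEthernet1/0/0
 ip address 11.10.0.2 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 11.10.1.2 255.255.255.0
hrp interface GigabitEthernet1/0/1 remote 11.10.1.1
hrp interface GigabitEthernet1/0/0 remote 11.10.0.1
"""

if __name__ == "__main__":
    print(check_pair(FW1_BAD, FW2))
```

Run mid-migration, the same check reports a "remote != peer" mismatch for any link where only one side has been re-addressed, which is expected until the peer is changed too.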




When reposting, please keep the source: www.zh-cjh.com 珠海陈坚浩博客 » Huawei USG firewall hot standby: changing the IP addresses of the HA interfaces

Author: cjh

