华为Eudemon配置文档.doc

华为Eudemon配置文档Eudemon防火墙的双机热备份需要三个协议的支持：VRRP（Virtual Router Redundancy Protocol）是由RFC2338定义的一种容错协议，通过实现物理设备和逻辑设备的分离，实现在多个出口网关之间进行选路。VGMP（VRRP Group Management Protocol）是华为公司为防止VRRP状态不一致现象的发生，在VRRP的基础上自主开发出的扩展协议。该协议负责统一管理加入其中的各备份组VRRP的状态。HRP（Huawei Redundancy Protocol）协议用来进行防火墙的动态状态数据的实时备份。此配置文档适用于不支持VGMP的Eudemon系统版本，该系统默认有master和slave两个管理组，master用于管理主防火墙VRRP备份组，slave用于管理备防火墙VRRP备份组，主要区别体现在它们的优先级上。一、Eudemon双机配置的二个步骤如下：1、接口划分和VRRP备份组配置Eudemonfirewall zone trustEudemon-zone-untrust add interface GigabitEthernet0/0/0Eudemonfirewall zone untrustEudemon-zone-untrust add interface GigabitEthernet5/0/0Eudemonfirewall zone dmzEudemon-zone-dmz add interface GigabitEthernet0/0/1 Eudemon-zone-dmz add interface GigabitEthernet6/0/0 注：Eudemon防火墙默认有四个区域，local（本机）、untrust（连接外网）、trust（连接内网）、dmz（中立区），安全级别系数分别是100、5、85、50，这四个默认区域不能删除，也不能修改安全级别系数；并且四个区域默认是不允许所有IP进行互访的。Eudemoninterface GigabitEthernet0/0/0Eudemon-GigabitEthernet0/0/0ip addres 10.154.164.251 24Eudemon-GigabitEthernet0/0/0vrrp vrid 1 virtual-ip 10.154.164.253 master #备机配置时修改接口IP，关键词由master变为slave，下同Eudemon-GigabitEthernet0/0/0undo shutdownEudemoninterface GigabitEthernet0/0/1 Eudemon-GigabitEthernet0/0/1ip addres 10.155.80.1 28 Eudemon-GigabitEthernet0/0/1vrrp vrid 2 virtual-ip 10.155.80.3 master Eudemon-GigabitEthernet0/0/1undo shutdownEudemoninterface Gigabi tEthernet5/0/0Eudemon-GigabitEthernet5/0/0ip addres 10.0.0.251 24 Eudemon-GigabitEthernet5/0/0vrrp vrid 3 virtufal-ip 10.0.0.202 master Eudemon-GigabitEthernet5/0/0undo shutdownEudemoninterface GigabitEthernet6/0/0 #用于双机的心跳线Eudemon-GigabitEthernet6/0/0ip addres 172.16.0.1 24 Eudemon-GigabitEthernet6/0/0vrrp vrid 4 virtual-ip 172.16.0.3 master Eudemon-GigabitEthernet6/0/0undo shutdown2、HRP配置Eudemonhrp enable #启用HRP功能HRP_MEudemonhrp interface GigabitEthernet6/0/0 #配置备份会话表的接口 HRP_MEudemonhrp auto-sync #同时启动配置命令和连接状态的自动备份 HRP_MEudemonhrp configuration check hrp|acl #主备防火墙一致性检查HRP_MEudemondisplay hrp configuration check all|acl|hrp #查看检查结果注：主备防火墙的配置基本一样，主要区别在于接口实际IP和管理组，在使用命令hrp enable后，主机的Eudemon前面会HRP_M标识，备机Eudemon前面会有HRP_S标识。下图是检查结果一致的截图。当然也可通过在主机上添加ACL，在备机上查看是否有同样的ACL来验证双机配置是否正确；同样还要进行双机切换测试。二、地址集和端口集配置将要进行同一动作的地址和端口加入到同一个集合中，这样方便策略了叙写，也减少了ACL的条数。HRP_M Eudemon ip address-set mwaaddress 0 10.0.0.233 0 # 0为0.0.0.0的缩写，标识这个IP为一个主机，下同address 1 10.0.0.50 0 HRP_M Eudemonip address-set mwbaddress 0 10.0.0.50 0 address 1 10.0.0.51 0 HRP_M Eudemonip address-set zcaaddress 0 10.154.164.103 0 address 1 10.154.164.104 0HRP_M Eudemonip address-set zcbaddress 0 10.154.164.98 0 address 1 10.154.164.108 0 HRP_M Eudemonip addres-set nataddress 0 10.0.0.242 0address 1 10.0.0.243 0HRP_M Eudemonip port-set fwdk protocol tcpport 0 eq 211port 1 eq 1521 port 2 range 6789 6790 三、策略配置HRP_MEudemonacl number 3001HRP_MEudemon-acl-adv-3001 rule 0 permit tcp source 10.0.0.54 0 destination 10.154.164.98 0 destination-port eq 1521 #规则0允许主机10.0.0.54访问主机10.154.164.98的1521端口HRP_MEudemon-acl-adv-3001 rule 1 permit tcp source 10.0.0.54 0 destination 10.154.164.98 0 destination-port eq sshHRP_MEudemon-acl-adv-3001 rule 2 permit ip source address-set mwa destination address-set zcaHRP_MEudemon-acl-adv-3001 rule 3 permit tcp source address-set mwa destination 10.154.164.98 0 destination-port range 6558 65535HRP_MEudemon-acl-adv-3001 rule 4 permit tcp source address-set mwa destination address-set zcb destination-port eq 1521HRP_MEudemon-acl-adv-3001 rule 5 permit tcp source address-set mwb destination 10.154.164.109 0 destination-port port-set fwdkHRP_MEudemon-acl-adv-3001 rule 6 permit tcp source address-set mwb destination 10.154.164.110 0 destination-port port-set fwdkHRP_MEudemon-acl-adv-3001 rule 7 permit tcp source 10.0.0.54 0 destination 10.154.164.110 0 destination-port eq sshHRP_MEudemon-acl-adv-3001 rule 8 permit tcp source address-set mwb destination 10.154.164.111 0 destination-port range 6789 6790HRP_MEudemon-acl-adv-3001 rule 9 permit ip source any destination address-set nat HRP_MEudemonacl number 3003 HRP_MEudemon-acl-adv-3003rule 1 permit ip source any destination any 四、ACL应用HRP_MEudemonfirewall packet-filter default permit interzone trust untrust direction outbound #默认允许数据包从trust区域到untrust区域HRP_MEudemonfirewall interzone untrust trustHRP_MEudemon-interzone-untrust-trustpacket-filter 3001 inbound #将ACL 3001应用在untrust区域到trust区域入方向HRP_MEudemonfirewall interzone trust untrust HRP_MEudemon-interzone-trust-untrustpacket-filter 3002 outbound HRP_MEudemonfirewall interzone local dmzHRP_MEudemon-interzone-local-dmzpacket-filter 3003 inboundHRP_MEudemon-interzone-local-dmzpacket-filter 3003 outbound HRP_MEudemonfirewall interzone local trust HRP_MEudemon-interzone-local-trustpacket-filter 3003 inboundHRP_MEudemon-interzone-local-trustpacket-filter 3003 outboundHRP_MEudemonfirewall interzone local untrust HRP_MEudemon-interzone-local-untrustpacket-filter 3003 inboundHRP_MEudemon-interzone-local-untrustpacket-filter 3003 outbound 备注：(1)入方向（inbound） 数据由低安全级别的安全区域向高安全级别的安全区域传输的方向。 (2)出方向（outbound） 数据由高安全级别的安全区域向低安全级别的安全区域传输的方向。 五、路由配置和NATHRP_MEudemonip route-static 0.0.0.0 0.0.0.0 10.154.164.254 #添加默认路由HRP_MEudemonnat server global 10.0.0.58 inside 10.154.164.108 #将内部地址10.154.164.108转换成10.0.0.58HRP_MEudemonnat server global 10.0.0.109 inside 10.154.164.109HRP_MEudemonnat server global 10.0.0.110 inside 10.154.164.110 HRP_MEudemonnat server global 10.0.0.111 inside 10.154.164.111HRP_MEudemonnat server global 10.0.0.241 inside 10.154.164.103HRP_MEudemonnat server global 10.0.0.242 inside 10.154.164.98HRP_MEudemonnat server global 10.0.0.243 inside 10.154.164.104六、Telnet配置进行Telnet配置，用于远程管理和维护HRP_M system-view HRP_MEudemon aaa #进入AAA视图HRP_MEudemon-aaa local-user sxit password cipher sxit #配置本地用户的用户名和密码，密码有明文和加密两种形式HRP_MEudemon-aaa local-user sxit service-type telnet #配置本地用户的类型HRP_MEudemon-