华为防火墙上部署热备份基础配置

topo如图（因为我的enspce突然启动不起来就在eve上演示）

简短的配置思路

usg之间做聚合配置心跳检测

hrp开启选图中usgv2为active，usgv3为standby

1/0/0 to 1/0/2 vrrp

ce12800和usgv2之间用bfd检测

usgv2和h3c做心跳检测

多余描述与重复配置不再赘述

ce12800：

vlan batch 10
#
bfd
#               
interface Vlanif10
 ip address 172.16.1.4 255.255.255.248
#               
bfd 1 bind peer-ip default-ip interface GE1/0/1
 discriminator local 10
 discriminator remote 20

华为usgv2：

#
 hrp enable
 hrp interface Eth-Trunk0 remote 172.16.2.2
#                                         
healthcheck enable                        
healthcheck name tele                     
 source-ip 10.1.1.2                       
 destination 10.1.1.5 interface GigabitEthernet1/0/2  next-hop 10.1.1.5 protocol tcp-simple destination-port 1000
#                                         
bfd                                       
#                                         
interface Eth-Trunk0                      
 ip address 172.16.2.1 255.255.255.248    
 mode lacp-static                         
 load-balance packet-all                  
#                                                                                 
interface GigabitEthernet1/0/0            
 undo shutdown                            
 ip address 11.1.1.2 255.255.255.248      
 vrrp vrid 3 virtual-ip 11.1.1.1 active   
#                                         
interface GigabitEthernet1/0/1            
 undo shutdown                            
 ip address 172.16.1.1 255.255.255.0      
 vrrp vrid 1 virtual-ip 172.16.1.3 active 
#                                         
interface GigabitEthernet1/0/2            
 undo shutdown                            
 ip address 10.1.1.2 255.255.255.248      
 vrrp vrid 2 virtual-ip 10.1.1.1 active   
#                                         
interface GigabitEthernet1/0/3            
 undo shutdown                            
 eth-trunk 0                              
#                                         
interface GigabitEthernet1/0/4            
 undo shutdown                            
 eth-trunk 0                                                    
#                                         
firewall zone local                       
 set priority 100                         
#                                         
firewall zone trust                       
 set priority 85                          
 add interface GigabitEthernet0/0/0       
 add interface GigabitEthernet1/0/1                      
#                                         
firewall zone name hrp id 4               
 set priority 55                          
 add interface Eth-Trunk0                 
#                                         
firewall zone name tele id 6              
 set priority 60                          
 add interface GigabitEthernet1/0/2       
#                                         
firewall zone name uni id 9               
 set priority 65                          
 add interface GigabitEthernet1/0/0                                            
#                                         
bfd 1 bind peer-ip default-ip interface GigabitEthernet1/0/1
 discriminator local 20                   
 discriminator remote 10                  
 commit                                                                          
#                                         
link-interface 0 name tele                
 interface GigabitEthernet1/0/2 next-hop 10.1.1.5              
#                                         
security-policy                           
 rule name tele                           
  source-zone local                       
  action permit                                                 
#                                         
return 

华为usgv3作为standby设备配置上将master的active改为standby其他重复配置不再赘述；华为usgv2设备的配置除了路由相关配置其他配置会同步给usgv3.【主设备上配置后面跟（+B）代表同步给备设备】

h3cvsr6交换机将左右两边切为二层【因为此topo为基本简单配置是个半成品没有加入业务与其他仅是主要为了基本双机热备份】

#
interface GigabitEthernet1/0
 port link-mode route

gi2/0也是

h3cvsr路由：

#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.1.1.5 255.255.255.248

在华为防火墙v2上检查健康检查状态

首先中间交换机为二层两边防火墙和路由ip在同网段，防火墙安全策略运行local访问外网，则健康检查up

华为防火墙v2检查vrrp为master，v3设备为backup是正确的与配置一致

华为防火墙v2的hrp会话信息查询

华为防火墙v3的hrp会话信息查询

华为防火墙bfd会话信息

that all，嗯