拓展任務(wù)4部署雙防火墻負載分擔(dān)工作方式，提高網(wǎng)絡(luò)可靠性如1所示，某企業(yè)的兩臺防火墻的業(yè)務(wù)接口都工作在三層，上下行分別連接二層交換機。上行交換機連接運營商的接入點，運營商為企業(yè)分配的IP地址為1.1.1.3～1.1.1.10。其中，1.1.1.1、1.1.1.2作為VRRP備份組的虛擬IP地址，1.1.1.3～1.1.1.10作為內(nèi)網(wǎng)訪問Internet時NAT的地址池地址。現(xiàn)在希望兩臺防火墻以負載分擔(dān)方式工作。正常情況下，防火墻A和防火墻B共同轉(zhuǎn)發(fā)流量。當(dāng)其中一臺防火墻出現(xiàn)故障時，另外一臺防火墻轉(zhuǎn)發(fā)全部業(yè)務(wù)，保證業(yè)務(wù)不中斷。圖1負載分擔(dān)組網(wǎng)示意圖【配置思路】1.配置接口IP地址、安全區(qū)域和默認路由，完成網(wǎng)絡(luò)基本參數(shù)配置。2.配置VRRP備份組并指定主備狀態(tài)。3.配置會話快速備份，指定心跳口并啟用雙機熱備功能。4.配置安全策略，允許內(nèi)網(wǎng)用戶訪問Internet。5.配置NAT策略，當(dāng)內(nèi)網(wǎng)用戶訪問Internet時進行源NAT轉(zhuǎn)換。6.配置路由器、交換機和主機的網(wǎng)絡(luò)參數(shù)，實現(xiàn)網(wǎng)絡(luò)的互聯(lián)互通。7.驗證和調(diào)試，檢查能否實現(xiàn)任務(wù)需求。【任務(wù)實施】配置接口IP地址、安全區(qū)域和默認路由，完成網(wǎng)絡(luò)基本參數(shù)配置。（1）配置防火墻接口IP地址配置防火墻A的接口IP地址。<FW_A>system-view[FW_A]interfaceGigabitEthernet1/0/1[FW_A-GigabitEthernet1/0/1]ipaddress10.1.1.324[FW_A-GigabitEthernet1/0/1]quit[FW_A]interfaceGigabitEthernet1/0/2[FW_A-GigabitEthernet1/0/2]ipaddress10.2.2.324[FW_A-GigabitEthernet1/0/2]quit[FW_A]interfaceGigabitEthernet1/0/3[FW_A-GigabitEthernet1/0/3]ipaddress10.10.0.130[FW_A-GigabitEthernet1/0/3]quit配置防火墻B的接口IP地址。<FW_B>system-view[FW_B]interfaceGigabitEthernet1/0/1[FW_B-GigabitEthernet1/0/1]ipaddress10.1.1.424[FW_B-GigabitEthernet1/0/1]quit[FW_B]interfaceGigabitEthernet1/0/2[FW_B-GigabitEthernet1/0/2]ipaddress10.2.2.424[FW_B-GigabitEthernet1/0/2]quit[FW_B]interfaceGigabitEthernet1/0/3[FW_B-GigabitEthernet1/0/3]ipaddress10.10.0.230[FW_B-GigabitEthernet1/0/3]quit（2）將接口加入安全區(qū)域?qū)⒎阑饓各接口加入相應(yīng)區(qū)域。[FW_A]firewallzoneuntrust[FW_A-zone-untrust]addinterfaceGigabitEthernet1/0/1[FW_A-zone-untrust]quit[FW_A]firewallzonetrust[FW_A-zone-trust]addinterfaceGigabitEthernet1/0/2[FW_A-zone-trust]quit[FW_A]firewallzonedmz[FW_A-zone-dmz]addinterfaceGigabitEthernet1/0/3[FW_A-zone-dmz]quit將防火墻B各接口加入相應(yīng)區(qū)域。[FW_B]firewallzoneuntrust[FW_B-zone-untrust]addinterfaceGigabitEthernet1/0/1[FW_B-zone-untrust]quit[FW_B]firewallzonetrust[FW_B-zone-trust]addinterfaceGigabitEthernet1/0/2[FW_B-zone-trust]quit[FW_B]firewallzonedmz[FW_B-zone-dmz]addinterfaceGigabitEthernet1/0/3[FW_B-zone-dmz]quit（3）配置默認路由為防火墻A配置默認路由。[FW_A]iproute-static0.0.0.001.1.1.100為防火墻B配置默認路由。[FW_B]iproute-static0.0.0.001.1.1.100配置VRRP備份組并指定主備狀態(tài)為了實現(xiàn)負載分擔(dān)組網(wǎng)需要在每個業(yè)務(wù)接口上配置兩個VRRP備份組，一個設(shè)置狀態(tài)為Active，另一個設(shè)置狀態(tài)為Standby。（1）在防火墻A上行業(yè)務(wù)接口GE0/0/1上配置VRRP備份組1，并將其狀態(tài)設(shè)置為Active；配置VRRP備份組2，并將其狀態(tài)設(shè)置為Standby。在防火墻A下行業(yè)務(wù)接口GE0/0/2上配置VRRP備份組3，并將其狀態(tài)設(shè)置為Active；配置VRRP備份組4，并將其狀態(tài)設(shè)置為Standby。[FW_A]interfaceGigabitEthernet1/0/1[FW_A-GigabitEthernet1/0/1]vrrpvrid1virtual-ip1.1.1.124active[FW_A-GigabitEthernet1/0/1]vrrpvrid2virtual-ip1.1.1.224standby[FW_A-GigabitEthernet1/0/1]quit[FW_A]interfaceGigabitEthernet1/0/2[FW_A-GigabitEthernet1/0/2]vrrpvrid3virtual-ip10.2.2.1active[FW_A-GigabitEthernet1/0/2]vrrpvrid4virtual-ip10.2.2.2standby[FW_A-GigabitEthernet1/0/2]quit（2）在防火墻B上行業(yè)務(wù)接口GE0/0/1上配置VRRP備份組1，并將其狀態(tài)設(shè)置為Active；配置VRRP備份組2，并將其狀態(tài)設(shè)置為Standby。在防火墻B下行業(yè)務(wù)接口GE0/0/2上配置VRRP備份組3，并將其狀態(tài)設(shè)置為Standby；配置VRRP備份組4，并將其狀態(tài)設(shè)置為Active。[FW_B]interfaceGigabitEthernet1/0/1[FW_B-GigabitEthernet1/0/1]vrrpvrid1virtual-ip1.1.1.124standby[FW_B-GigabitEthernet1/0/1]vrrpvrid2virtual-ip1.1.1.224active[FW_B-GigabitEthernet1/0/1]quit[FW_B]interfaceGigabitEthernet1/0/2[FW_B-GigabitEthernet1/0/2]vrrpvrid3virtual-ip10.2.2.1standby[FW_B-GigabitEthernet1/0/2]vrrpvrid4virtual-ip10.2.2.2active[FW_B-GigabitEthernet1/0/2]quit配置會話快速備份，指定心跳口并啟用雙機熱備功能。負載分擔(dān)組網(wǎng)下，兩臺防火墻都轉(zhuǎn)發(fā)流量，為了防止來回路徑不一致，需要在兩臺防火墻上都配置會話快速備份功能。（1）配置防火墻A[FW_A]hrpmirrorsessionenable//啟用會話快速備份[FW_A]hrpinterfaceGigabitEthernet1/0/3remote10.10.0.2[FW_A]hrpenable（2）配置防火墻B[FW_B]hrpmirrorsessionenable[FW_B]hrpinterfaceGigabitEthernet1/0/3remote10.10.0.1[FW_B]hrpenable配置安全策略，允許內(nèi)網(wǎng)用戶訪問Internet。安全策略只能在主用設(shè)備防火墻A上配置，配置后會自動備份到防火墻B。HRP_M[FW_A]security-policyHRP_M[FW_A-policy-security]rulenametrust_to_untrustHRP_M[FW_A-policy-security-rule-trust_to_untrust]source-zonetrustHRP_M[FW_A-policy-security-rule-trust_to_untrust]source-address10.2.2.024HRP_M[FW_A-policy-security-rule-trust_to_untrust]destination-zoneuntrustHRP_M[FW_A-policy-security-rule-trust_to_untrust]actionpermitHRP_M[FW_A-policy-security-rule-trust_to_untrust]quitHRP_M[FW_A-policy-security]quit配置NAT策略，當(dāng)內(nèi)網(wǎng)用戶訪問Internet時進行源NAT轉(zhuǎn)換。NAT也只能在主用設(shè)備防火墻A上配置，配置后會自動備份到備用設(shè)備防火墻B。（1）配置NAT地址池HRP_M[FW_A]nataddress-groupaddressgroup1HRP_M[FW_A-address-group-addressgroup1]section01.1.1.31.1.1.10HRP_M[FW_A-address-group-addressgroup1]routeenableHRP_M[FW_A-address-group-addressgroup1]quit（2）配置NAT策略HRP_M[FW_A]nat-policyHRP_M[FW_A-policy-nat]rulenametrust_to_untrustHRP_M[FW_A-policy-nat-rule-trust_to_untrust]source-zonetrustHRP_M[FW_A-policy-nat-rule-trust_to_untrust]source-address10.2.2.024HRP_M[FW_A-policy-nat-rule-trust_to_untrust]destination-zoneuntrustHRP_M[FW_A-policy-nat-rule-trust_to_untrust]actionsource-nataddress-groupaddressgroup1HRP_M[FW_A-policy-nat-rule-trust_to_untrust]quitHRP_M[FW_A-policy-nat]quit（3）配置主備防火墻上NAT地址池分別可以使用的資源范圍在負載分擔(dān)雙機熱備份模式下，兩臺設(shè)備都會承載業(yè)務(wù)流量。當(dāng)設(shè)備上配置了NAT功能時，在NAPT模式下有可能兩臺設(shè)備分配的公網(wǎng)端口出現(xiàn)沖突，導(dǎo)致端口分配失敗，無法正常訪問公網(wǎng)。為了避免這種可能存在的沖突，需要在兩臺設(shè)備上分別配置各自可使用的NAT資源。HRP_M[FW_A]hrpnatresourceprimary-group防火墻A配置此命令后，防火墻B上會自動備份此命令，并轉(zhuǎn)換成hrpnatresourcesecondary-group命令。配置此功能后，主備設(shè)備上的資源平分成兩段，primary-group表示前段資源組，secondary-group表示后段資源組。當(dāng)采用NAPT方式時，將公網(wǎng)IP地址的端口平分。配置路由器、交換機和主機的網(wǎng)絡(luò)參數(shù)，實現(xiàn)網(wǎng)絡(luò)的互聯(lián)互通。（1）配置交換機VLAN配置交換機1的VLAN，將GE0/0/1～GE0/0/3這3個接口加入同一個VLAN。<SW1>system-view[SW1]vlanbatch2[SW1]interfaceGigabitEthernet0/0/1 [SW1-GigabitEthernet0/0/1]portlink-typeaccess[SW1-GigabitEthernet0/0/1]portdefaultvlan2[SW1-GigabitEthernet0/0/1]quit[SW1]interfaceGigabitEthernet0/0/2 [SW1-GigabitEthernet0/0/2]portlink-typeaccess [SW1-GigabitEthernet0/0/2]portdefaultvlan2[SW1-GigabitEthernet0/0/2]quit[SW1]interfaceGigabitEthernet0/0/3[SW1-GigabitEthernet0/0/3]portlink-typeaccess [SW1-GigabitEthernet0/0/3]portdefaultvlan2[SW1-GigabitEthernet0/0/3]quit配置交換機2的VLAN，將GE0/0/1～GE0/0/4這3個接口加入同一個VLAN。<SW2>system-view[SW2]vlanbatch3[SW2]interfaceGigabitEthernet0/0/1 [SW2-GigabitEthernet0/0/1]portlink-typeaccess[SW2-GigabitEthernet0/0/1]portdefaultvlan3[SW2-GigabitEthernet0/0/1]quit[SW2]interfaceGigabitEthernet0/0/2 [SW2-GigabitEthernet0/0/2]portlink-typeaccess [SW2-GigabitEthernet0/0/2]portdefaultvlan3[SW2-GigabitEthernet0/0/2]quit[SW2]interfaceGigabitEthernet0/0/3[SW2-GigabitEthernet0/0/3]portlink-typeaccess [SW2-GigabitEthernet0/0/3]portdefaultvlan3[SW2-GigabitEthernet0/0/3]quit[SW2]interfaceGigabitEthernet0/0/4[SW2-GigabitEthernet0/0/3]portlink-typeaccess [SW2-GigabitEthernet0/0/3]portdefaultvlan3[SW2-GigabitEthernet0/0/3]quit（2）配置路由器R1<R1>system-view[R1]interfaceGigabitEthernet0/0/0[R1-GigabitEthernet0/0/0]ipaddress1.1.1.10024[R1]interfaceLoopBack0[R1-LoopBack0]ipaddress2.2.2.232[R1-LoopBack0]quit（3）配置內(nèi)網(wǎng)主機的網(wǎng)絡(luò)參數(shù)配置內(nèi)網(wǎng)主機的IP地址和掩碼，并將內(nèi)網(wǎng)主機PC1的網(wǎng)關(guān)設(shè)置為備份組3的虛擬IP地址10.2.2.1，內(nèi)網(wǎng)主機PC2的網(wǎng)關(guān)設(shè)置為備份組4的虛擬IP地址10.2.2.2，具體操作步驟省略。驗證和調(diào)試，檢查能否實現(xiàn)任務(wù)需求。在防火墻A和防火墻B上檢查VRRP備份組、VGMP組的狀態(tài)信息和配置參數(shù)，并測試網(wǎng)絡(luò)連通性和故障切換功能。（1）查看VRRP備份組的狀態(tài)信息和配置參數(shù)在防火墻A上查看VRRP備份組的狀態(tài)信息和配置參數(shù)HRP_M<FW_A>displayvrrp2025-01-0402:56:25.600GigabitEthernet1/0/1|VirtualRouter1State:MasterVirtualIP:1.1.1.1MasterIP:10.1.1.3PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0101CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:43:23Lastchangetime:2025-01-0402:44:47GigabitEthernet1/0/1|VirtualRouter2State:BackupVirtualIP:1.1.1.2MasterIP:10.1.1.4PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0102CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:43:30Lastchangetime:2025-01-0402:43:30GigabitEthernet1/0/2|VirtualRouter3State:MasterVirtualIP:10.2.2.1MasterIP:10.2.2.3PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0103CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:43:42Lastchangetime:2025-01-0402:44:47GigabitEthernet1/0/2|VirtualRouter4State:BackupVirtualIP:10.2.2.2MasterIP:10.2.2.4PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0104CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:43:50Lastchangetime:2025-01-0402:43:50在防火墻B上查看VRRP備份組的狀態(tài)信息和配置參數(shù)HRP_S<FW_B>displayvrrp2025-01-0402:58:49.830GigabitEthernet1/0/1|VirtualRouter1State:BackupVirtualIP:1.1.1.1MasterIP:10.1.1.3PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0101CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:42:20Lastchangetime:2025-01-0402:42:20GigabitEthernet1/0/1|VirtualRouter2State:MasterVirtualIP:1.1.1.2MasterIP:10.1.1.4PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0102CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:42:28Lastchangetime:2025-01-0402:44:48GigabitEthernet1/0/2|VirtualRouter3State:BackupVirtualIP:10.2.2.1MasterIP:10.2.2.3PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0103CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:42:58Lastchangetime:2025-01-0402:42:58GigabitEthernet1/0/2|VirtualRouter4State:MasterVirtualIP:10.2.2.2MasterIP:10.2.2.4PriorityRun:120PriorityConfig:100MasterPriority:120Preempt:YESDelayTime:0sTimerRun:60sTimerConfig:60sAuthtype:NONEVirtualMAC:0000-5e00-0104CheckTTL:YESConfigtype:vgmp-vrrpBackup-forward:disabledCreatetime:2025-01-0402:43:06Lastchangetime:2025-01-0402:44:48以上輸出信息顯示，VRRP組建立成功，防火墻A作為VRRP備份組1和VRRP備份組3的主用設(shè)備、VRRP備份組2和VRRP備份組4的備用設(shè)備；防火墻B作為VRRP備份組1的備用設(shè)備和VRRP備份組3的備用設(shè)備、VRRP備份組2和VRRP備份組4的主用設(shè)備。（2）查看VGMP組的狀態(tài)在防火墻A上查看VGMP組狀態(tài)的詳細信息。HRP_M<FW_A>displayhrpstateverbose2025-01-0403:08:16.020Role:active,peer:activeRunningpriority:45000,peer:45000Backupchannelusage:0.00%Stabletime:0days,0hours,23minutesLaststatechangeinformation:2025-01-042:44:48HRPlinkchangestoup.Configuration:hellointerval:1000mspreempt:60smirrorconfiguration:offmirrorsession:on//開啟會話快速備份tracktrunkmember:onauto-syncconfiguration:onauto-syncconnection-status:onadjustospf-cost:onadjustospfv3-cost:onadjustbgp-cost:onnatresource:primary//設(shè)備可以使用NAT地址池的資源范圍Detailinformation:GigabitEthernet1/0/1vrrpvrid1:activeGigabitEthernet1/0/1vrrpvrid2:standbyGigabitEthernet1/0/2vrrpvrid3:activeGigabitEthernet1/0/2vrrpvrid4:standbyospf-cost:+0ospfv3-cost:+0bgp-cost:+0在防火墻B上查看VGMP組狀態(tài)的詳細信息。HRP_S<FW_B>displayhrpstateverbose2025-01-0403:11:32.450Role:active,peer:activeRunningpriority:45000,peer:45000Backupchannelusage:0.00%Stabletime:0days,0hours,26minutesLaststatechangeinformation:2025-01-042:44:48HRPcorestatechanged,old_state=abnormal(standby),new_state=normal,local_priority=45000,peer_priority=45000.Configuration:hellointerval:1000mspreempt:60smirrorconfiguration:offmirrorsession:ontracktrunkmember:onauto-syncconfiguration:onauto-syncconnection-status:onadjustospf-cost:onadjustospfv3-cost:onadjustbgp-cost:onnatresource:secondary//設(shè)備可以使用NAT地址池的資源范圍Detailinformation:GigabitEthernet1/0/1vrrpvrid1:standbyGigabitEthernet1/0/1vrrpvrid2:activeGigabitEthernet1/0/2vrrpvrid3:standbyGigabitEthernet1/0/2vrrpvrid4:activeospf-cost:+0ospfv3-cost:+0bgp-cost:+0以上輸出信息顯示，雙機熱備建立成功，防火墻A和防火墻B的角色均為Active，即均為主用設(shè)備，雙機工作在負載分擔(dān)模式下。（3）連通性測試在內(nèi)網(wǎng)區(qū)域的PC主機上ping測試Untrust區(qū)域的路由器R1的LoopBack0接口，可正常ping通，分別在防火墻A和防火墻B上查看會話表。在防火墻A上查看會話表。HRP_M<FW_A>displayfirewallsessiontable2025-01-0403:16:49.340CurrentTotalSessions:10udpVPN:public-->public10.10.0.2:16384-->10.10.0.1:18514icmpVPN:public-->publicRemote10.2.2.200:63910[1.1.1.5:2083]-->2.2.2.2:2048icmpVPN:public-->publicRemote10.2.2.200:62886[1.1.1.5:2080]-->2.2.2.2:2048icmpVPN:public-->publicRemote10.2.2.200:63654[1.1.1.5:2082]-->2.2.2.2:2048icmpVPN:public-->public10.2.2.100:60070[1.1.1.8:2051]-->2.2.2.2:2048udpVPN:public-->public10.10.0.1:49152-->10.10.0.2:18514icmpVPN:public-->public10.2.2.100:60326[1.1.1.8:2052]-->2.2.2.2:2048udpVPN:public-->public10.10.0.2:49152-->10.10.0.1:18514icmpVPN:public-->publicRemote10.2.2.200:63398[1.1.1.5:2081]-->2.2.2.2:2048icmpVPN:public-->publicRemote10.2.2.200:62374[1.1.1.5:2079]-->2.2.2.2:2048在防火墻B上查看會話表。HRP_S<FW_B>displayfirewallsessiontable2025-01-0403:16:08.340CurrentTotalSessions:3udpVPN:public-->public10.10.0.1:49152-->10.10.0.2:18514udpVPN:public-->public10.10.0.2:49152-->10.10.0.1:18514udpVPN:public-->public10.10.0.1:16384-->10.10.0.2:18514HRP_S<FW_B>displayfirewallsessiontable2025-01-0403:16:53.090CurrentTotalSessions:8icmpVPN:public-->public10.2.2.200:63910[1.1.1.5:2083]-->2.2.2.2:2048icmpVPN:public-->public10.2.2.200:62886[1.1.1.5:2080]-->2.2.2.2:2048icmpVPN:public-->public10.2.2.200:63654[1.1.1.5:2082]-->2.2.2.2:2048udpVPN:public-->public10.10.0.1:49152-->10.10.0.2:18514udpVPN:public-->public10.10.0.2:49152-->10.10.0.1:18514icmpVPN:public-->public10.2.2.200:63398[1.1.1.5:2081]-->2.2.2.2:2048udpVPN:public-->public10.10.0.1:16384-->10.10.0.2:18514icmpVPN:public-->public10.2.2.200:62374[1.1.1.5:2079]-->2.2.2.2:2048以上輸出信息顯示，PC1訪問路由器R1的流量通過防火墻A進行轉(zhuǎn)發(fā)，生成會話表并備份到防火墻B上；主機2訪問路由器R1的流量通過防火墻B進行轉(zhuǎn)發(fā)，生成會話表并備份到防火墻B上。（4）故障切換將防火墻A的上行業(yè)務(wù)接口GE0/0/1置為Down狀態(tài)，觀察防火墻狀態(tài)的切換。查看防火墻A的VGMP組及VRRP組的狀態(tài)信息。HRP_S<FW_A>displayvrrpbrief2025-01-0403:40:46.550Total:4Master:0Backup:2Non-active:2VRIDStateInterfaceTypeVirtualIP----------------------------------------------------------------1InitializeGE1/0/1Vgmp1.1.1.12InitializeGE1/0/1Vgmp1.1.1.23BackupGE1/0/2Vgmp10.2.2.14BackupGE1/0/2Vgmp10.2.2.2 HRP_S<FW_A>displayhrpstate2025-01-0403:40:53.360Role:standby,peer:activeRunningpriority:44996,peer:45000Backupchannelusage:0.00%Stabletime:0days,0hours,0minutesLaststatechangeinformation:2025-01-043:40:32HRPcorestatechanged,old_state=normal,new_state=abnormal(standby),local_priority=44996,peer_priority=45000.查看防火墻B的VGMP組及VRRP組的狀態(tài)信息。HRP_M<FW_B>displayvrrpbrief2025-01-0403:42:27.950Total:4Master:4Backup:0Non-active:0VRIDStateInterfaceTypeVirtualIP----------------------------------------------------------------1MasterGE1/0/1Vgmp1.1.1.12MasterGE1/0/1Vgmp1.1.1.23MasterGE1/0/2Vgmp10.2.2.14MasterGE1/0/2Vgmp10.2.2.2 HRP_M<FW_B>displayhrpstate2025-01-0403:42:33.440Role:active,peer:standbyRunningpriority:45000,peer:44996Backupchannelusage:0.00%Stabletime:0days,0hours,2minutesLaststatechangeinformation:2025-01-043:40:32HRPcorestatechanged,old_state=normal,new_state=abnormal(active),local_priority=45000,peer_priority=44996.以上輸出信息顯示，防火墻A上行接口故障后，VRRP備份組1和2的狀態(tài)變?yōu)镮nitialize，VGMP組優(yōu)先級減為44996，低于對端設(shè)備，狀態(tài)變?yōu)镾tandby。同時，VGMP組將VRRP備份組3組優(yōu)先級不變，大于對端設(shè)備，狀態(tài)變?yōu)锳ctive，因此VGMP組將備份組1和備份組3的狀態(tài)切換為Master。防火墻B在雙機熱備中的角色