SecPath Core Firewall Dual-Device Hot Backup Typical Configuration Examples

interface GigabitEthernet1/0/12
 port access vlan 12
#
interface GigabitEthernet1/0/13
 port access vlan 13
#
interface GigabitEthernet1/0/14
 port access vlan 14
#
ip route-static 0.0.0.0 0.0.0.0 16.1.1.1 preference 60
ip route-static 0.0.0.0 0.0.0.0 15.1.1.1 preference 100
3. Verification

Traffic from PC-B to PC-A and from PC-C to PC-A is load-shared over the default routes, going through F5000A-1 and F5000A-2 respectively.

[PC-B]tracert 155.1.1.10
traceroute to 155.1.1.10(155.1.1.10) 30 hops max,40 bytes packet
 1 150.1.1.1 11 ms 6 ms 8 ms
 2 15.1.1.1 16 ms 3 ms 9 ms
 3 155.1.1.10 8 ms 4 ms 3 ms
[PC-C]tracert 155.1.1.10
traceroute to 155.1.1.10(155.1.1.10) 30 hops max,40 bytes packet Press CTRL_C to break
 1 160.1.1.1 1 ms 2 ms 1 ms
 2 16.1.1.1 0 ms 1 ms 0 ms
 3 155.1.1.10 1 ms 0 ms 1 ms
When an interface on either F5000A-1 or F5000A-2 goes down, traffic is switched to the other device. For example, if an interface on F5000A-1 goes down, traffic is switched to F5000-B.

[PC-B]tracert 155.1.1.10
traceroute to 155.1.1.10(155.1.1.10) 30 hops max,40 bytes packet
 1 150.1.1.1 11 ms 4 ms 7 ms
 2 16.1.1.1 9 ms 3 ms 3 ms
 3 155.1.1.10 14 ms 3 ms 9 ms
[PC-C]tracert 155.1.1.10
traceroute to 155.1.1.10(155.1.1.10) 30 hops max,40 bytes packet
 1 150.1.1.1 11 ms 4 ms 7 ms
 2 16.1.1.1 9 ms 3 ms 3 ms
 3 155.1.1.10 14 ms 3 ms 9 ms
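To check the two verification states above mechanically, the following added Python script (not part of the H3C guide) parses pasted tracert sessions and reports whether the PCs are spread across both firewalls or have all moved to the surviving one. The mapping of the hop addresses 15.1.1.1 and 16.1.1.1 to F5000A-1 and F5000A-2 is an assumption taken from the paths shown above.

```python
import re

# Assumed mapping of the firewall addresses seen at hop 2 in the sessions above
# to the device they belong to.
FIREWALL_BY_HOP = {"15.1.1.1": "F5000A-1", "16.1.1.1": "F5000A-2"}
SESSION_RE = re.compile(r"^\[(\S+)\]tracert\s")
HOP_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s+")

def parse_tracert(text):
    """Return {pc_name: [hop_ip, ...]} from pasted '[PC-X]tracert ...' sessions."""
    paths, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = m.group(1)
            paths[current] = []
            continue
        m = HOP_RE.match(line)
        if m and current is not None:
            paths[current].append(m.group(1))
    return paths

def firewall_used(hops):
    """Name of the firewall whose address appears on the path, or None."""
    return next((FIREWALL_BY_HOP[ip] for ip in hops if ip in FIREWALL_BY_HOP), None)

def check_load_sharing(paths):
    """Normal state: every path crosses a firewall and both firewalls carry traffic."""
    used = {firewall_used(h) for h in paths.values()}
    return None not in used and used == set(FIREWALL_BY_HOP.values())

def check_failover(paths, failed_firewall):
    """Failed state: no path crosses the failed unit, every path still crosses the other."""
    return bool(paths) and all(
        firewall_used(h) not in (None, failed_firewall) for h in paths.values())

# Constructed sample: the two sessions shown above for the normal state.
NORMAL = """[PC-B]tracert 155.1.1.10
traceroute to 155.1.1.10(155.1.1.10) 30 hops max,40 bytes packet
 1 150.1.1.1 11 ms 6 ms 8 ms
 2 15.1.1.1 16 ms 3 ms 9 ms
 3 155.1.1.10 8 ms 4 ms 3 ms
[PC-C]tracert 155.1.1.10
traceroute to 155.1.1.10(155.1.1.10) 30 hops max,40 bytes packet Press CTRL_C to break
 1 160.1.1.1 1 ms 2 ms 1 ms
 2 16.1.1.1 0 ms 1 ms 0 ms
 3 155.1.1.10 1 ms 0 ms 1 ms
"""
```

Paste the post-failure sessions instead of NORMAL and call check_failover(paths, "F5000A-1") to confirm that every path now crosses the other unit.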
Hangzhou H3C Technologies Co., Ltd.
www.h3c.com.cn
Page 16 of 33
4. Notes

When this configuration is finished, clear the configuration made on the firewalls so that it does not affect other configurations.
4.3.3 Route Mode + Active/Standby Mode
1. Function Overview
In static route mode, VRRP must also be configured to support switchover between the active and standby devices. In active/standby mode only one firewall is in the working state while the other is on standby; when the active device goes down, the standby device takes over.
2. Typical Configuration Steps (Network Diagram 2)
(1) Enter the following configuration at the command line:
F5000a-1 configuration (as the active device):
nat address-group 1 102.0.1.1 102.0.1.254 level 1
#
acl number 3001
 rule 0 permit ip source 101.0.5.0 0.0.0.255
 rule 5 permit ip source 101.0.6.0 0.0.0.255
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 101.0.0.254 255.255.0.0
 vrrp vrid 1 virtual-ip 101.0.0.1
 vrrp vrid 1 priority 105
 vrrp vrid 1 track interface GigabitEthernet1/1
#
interface GigabitEthernet1/1
 port link-mode route
 ip address 102.0.0.254 255.255.0.0
 vrrp vrid 1 virtual-ip 102.0.0.1
 vrrp vrid 1 priority 105
 vrrp vrid 1 track interface GigabitEthernet1/0
 nat outbound static track vrrp 1
 nat outbound 3001 address-group 1 track vrrp 1
 nat server protocol icmp global 102.0.0.13 inside 101.0.0.13 track vrrp 1
 nat server protocol udp global 102.0.0.13 any inside 101.0.0.13 any track vrrp 1
#
(The track vrrp keyword means that when the interface receives an ARP request for the NAT address, it answers with the virtual address of VRRP group 1.)
F5000a-2 configuration (as the standby device):
nat address-group 1 102.0.1.1 102.0.1.254 level 1
#
acl number 3001
 rule 0 permit ip source 101.0.5.0 0.0.0.255
 rule 5 permit ip source 101.0.6.0 0.0.0.255   // must be consistent with the active device's configuration
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 101.0.0.253 255.255.0.0
 vrrp vrid 1 virtual-ip 101.0.0.1
 vrrp vrid 1 track interface GigabitEthernet1/1
#
interface GigabitEthernet1/1
 port link-mode route
 ip address 102.0.0.253 255.255.0.0
 vrrp vrid 1 virtual-ip 102.0.0.1
 vrrp vrid 1 track interface GigabitEthernet1/0
 nat outbound static track vrrp 1
 nat outbound 3001 address-group 1 track vrrp 1
 nat server protocol icmp global 102.0.0.13 inside 101.0.0.13 track vrrp 1
 nat server protocol udp global 102.0.0.13 any inside 101.0.0.13 any track vrrp 1
#
(The track vrrp keyword means that when the interface receives an ARP request for the NAT address, it answers with the virtual address of VRRP group 1.)
PC IP configuration:
Server: 155.1.1.10
PC1: 101.0.0.13
PC2: 101.0.6.2
3. Verification
(1) The Server can ping PC1 (at its translated address 102.0.0.13).
(2) PC1 can access the Server's FTP, HTTP, Telnet and other services.
4. Notes
4.3.4 Route Mode + Load-Sharing Mode
1. Function Overview
In a dual-active network both firewalls are in the working state and each device forwards part of the traffic, achieving load sharing; when either device goes down, the other device takes over all of the work. A dual-active network requires at least two VRRP groups so that there are two gateways, with each device the active device for one of the gateways; if NAT is used, at least two address pools must be configured for address translation.
2. Typical Configuration Steps (Network Diagram 2)
(1) The command-line configuration is as follows:
F5000a-1 configuration:
#
nat address-group 1 102.0.1.1 102.0.1.254 level 1
nat address-group 2 102.0.2.1 102.0.2.254 level 1
#
acl number 3001
 rule 0 permit ip source 101.0.5.0 0.0.0.255
 rule 5 permit ip source 101.0.6.0 0.0.0.255
acl number 3002
 rule 0 permit ip source 101.0.7.0 0.0.0.255
 rule 5 permit ip source 101.0.8.0 0.0.0.255
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 101.0.0.254 255.255.0.0
 vrrp vrid 1 virtual-ip 101.0.0.1
 vrrp vrid 1 priority 105
 vrrp vrid 1 track interface GigabitEthernet1/1
 vrrp vrid 2 virtual-ip 101.0.0.2
 vrrp vrid 2 track interface GigabitEthernet1/1
#
interface GigabitEthernet1/1
 port link-mode route
 ip address 102.0.0.254 255.255.0.0
 vrrp vrid 1 virtual-ip 102.0.0.1
 vrrp vrid 1 priority 105
 vrrp vrid 1 track interface GigabitEthernet1/0
 vrrp vrid 2 virtual-ip 102.0.0.2
 vrrp vrid 2 track interface GigabitEthernet1/0
 nat outbound static track vrrp 1
 nat outbound 3002 address-group 2 track vrrp 2
 nat outbound 3001 address-group 1 track vrrp 1
 nat server protocol icmp global 102.0.0.13 inside 101.0.0.13 track vrrp 1
 nat server protocol udp global 102.0.0.13 any inside 101.0.0.13 any track vrrp 1
#
(The track vrrp keyword means that when the interface receives an ARP request for the NAT address, it answers with the virtual address of VRRP group 1.)
F5000a-2 configuration:
nat address-group 1 102.0.1.1 102.0.1.254 level 1
nat address-group 2 102.0.2.1 102.0.2.254 level 1
#
acl number 3001
 rule 0 permit ip source 101.0.5.0 0.0.0.255
 rule 5 permit ip source 101.0.6.0 0.0.0.255
acl number 3002
 rule 0 permit ip source 101.0.7.0 0.0.0.255
 rule 5 permit ip source 101.0.8.0 0.0.0.255
# (This must be consistent with the active device's configuration!)
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 101.0.0.253 255.255.0.0
 vrrp vrid 1 virtual-ip 101.0.0.1
 vrrp vrid 1 track interface GigabitEthernet1/1
 vrrp vrid 2 virtual-ip 101.0.0.2
 vrrp vrid 2 priority 105
 vrrp vrid 2 track interface GigabitEthernet1/1
#
interface GigabitEthernet1/1
 port link-mode route
 ip address 102.0.0.253 255.255.0.0
 vrrp vrid 1 virtual-ip 102.0.0.1
 vrrp vrid 1 track interface GigabitEthernet1/0
 vrrp vrid 2 virtual-ip 102.0.0.2
 vrrp vrid 2 priority 105
 vrrp vrid 2 track interface GigabitEthernet1/0
 nat outbound static track vrrp 1
 nat outbound 3002 address-group 2 track vrrp 2
 nat outbound 3001 address-group 1 track vrrp 1
 nat server protocol icmp global 102.0.0.13 inside 101.0.0.13 track vrrp 1
 nat server protocol udp global 102.0.0.13 any inside 101.0.0.13 any track
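The following added Python model (not from the H3C guide and not Comware code) works through the election behind the 4.3.3 and 4.3.4 configurations: which device is master for each VRID on each interface, and therefore which device answers for each NAT object tied to that VRID with track vrrp, before and after an interface failure. Its assumptions are not stated on this page: an unconfigured VRRP priority of 100, a reduction of 10 for each tracked interface that is down, that a group on an interface that is itself down cannot be master, and that ties go to the higher interface address; the 4.3.3 active/standby pair is the same model with only VRID 1.

```python
from ipaddress import ip_address

# Assumed (not stated on this page): unconfigured priority 100; a tracked
# interface going down reduces the group's priority by 10 (Comware default).
DEFAULT_PRIORITY, TRACK_REDUCE = 100, 10

class Device:
    def __init__(self, name):
        self.name = name
        self.ifaces = {}   # iface -> {"ip": str, "up": bool}
        self.groups = {}   # (iface, vrid) -> {"priority": int, "track": [iface, ...]}

    def vrrp(self, iface, vrid, priority=DEFAULT_PRIORITY, track=()):
        self.groups[(iface, vrid)] = {"priority": priority, "track": list(track)}

    def effective_priority(self, iface, vrid):
        # A group on an interface that is itself down cannot take part (assumption).
        if not self.ifaces[iface]["up"]:
            return None
        g = self.groups[(iface, vrid)]
        down = sum(1 for t in g["track"] if not self.ifaces[t]["up"])
        return g["priority"] - TRACK_REDUCE * down

def elect_master(devices, iface, vrid):
    # Highest effective priority wins; a tie goes to the higher interface IP.
    best = None
    for d in devices:
        p = d.effective_priority(iface, vrid)
        if p is not None:
            key = (p, ip_address(d.ifaces[iface]["ip"]))
            if best is None or key > best[0]:
                best = (key, d.name)
    return best[1] if best else None

def nat_owners(devices, iface, nat_tracks):
    # "nat ... track vrrp N": the NAT object is answered for by the master of group N.
    return {n: elect_master(devices, iface, v) for n, v in nat_tracks.items()}

def build_load_sharing():
    # The 4.3.4 pair: priority 105 for VRID 1 on a-1 and VRID 2 on a-2; every
    # group tracks the device's other interface, as in the configuration above.
    a1, a2 = Device("F5000a-1"), Device("F5000a-2")
    for d, last in ((a1, "254"), (a2, "253")):
        d.ifaces = {i: {"ip": net + last, "up": True}
                    for i, net in (("GE1/0", "101.0.0."), ("GE1/1", "102.0.0."))}
    for iface, other in (("GE1/0", "GE1/1"), ("GE1/1", "GE1/0")):
        for d, high in ((a1, 1), (a2, 2)):
            d.vrrp(iface, high, 105, [other])
            d.vrrp(iface, 3 - high, track=[other])
    return a1, a2
```

Setting a1.ifaces["GE1/0"]["up"] = False shows why the cross-interface track lines matter: VRID 1 on a-1's still-healthy GE1/1 drops to 95, so a-2 takes over both the gateway and the NAT pools that track it.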