H3C防火墙VPN实例旁挂+双机热备部署实验

网络拓扑

S1

接口 VLAN IP
VLAN100 100 192.168.100.254
VLAN200 200 192.168.200.254
AGG1 100 200 ---
AGG2 100 200 ---
G1/0/5 20 192.168.20.254
G1/0/6 10 192.168.10.254

F1

接口 VLAN IP
VLAN100 100 192.168.100.251
VLAN200 200 192.168.200.251
VRRP 100 200 192.168.100.253 192.168.200.253
AGG1 100 200 ---
G1/0/2 --- 192.168.99.1

F2

接口 VLAN IP
VLAN100 100 192.168.100.252
VLAN200 200 192.168.200.252
VRRP 100 200 192.168.100.253 192.168.200.253
AGG2 100 200 ---
G1/0/2 --- 192.168.99.2

配置过程

S1

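# Create the dynamic (LACP) link aggregations: BAGG1 is the bundle toward F1, BAGG2 toward F2
# (each firewall lists only its own aggregation in the topology tables)
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
# Add the member ports: G1/0/1-G1/0/2 join group 1, G1/0/3-G1/0/4 join group 2
int range GigabitEthernet 1/0/1 to g1/0/2
 port link-aggregation group 1

int range GigabitEthernet 1/0/3 to g1/0/4
 port link-aggregation group 2

# Create VLANs before they are referenced: 100/200 are the transit VLANs toward the firewalls,
# 10 is the PC side and 20 is the R1 side (see the S1 interface table)
vlan 10 20 100 200
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200
 
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# G1/0/5 connects R1 and belongs to VLAN 20 per the interface table. The original listing had
# "port access vlan 2", which is not one of the VLANs created above and would leave R1 isolated
# from Vlan-interface20 / instance b.
interface GigabitEthernet1/0/5
 port access vlan 20
 
# G1/0/6 is a trunk permitting only VLAN 10, so the attached device must send VLAN-10-tagged
# frames; untagged frames would land in the port's default PVID -- TODO confirm what is attached
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 10
 
# Create the VPN instances (VRFs). Instance "a" holds the inside/PC side (VLAN 10, VLAN 100) and
# instance "b" the outside/R1 side (VLAN 20, VLAN 200); the route tables are separate, so the
# only path between them is through the firewall pair hanging off VLAN 100/200.
ip vpn-instance a
 address-family ipv4
 
ip vpn-instance b
 address-family ipv4
 
# Bind each VLAN interface to its instance before assigning the address: re-binding an
# interface resets its IP configuration, so the order here matters
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.254 255.255.255.0

interface Vlan-interface20
 ip binding vpn-instance b
 ip address 192.168.20.254 255.255.255.0
 
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.254 255.255.255.0

interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.254 255.255.255.0
 
# Default routes, PC -> F1/F2: instance a hands everything to the firewall VRRP VIP on VLAN 100;
# instance b sends everything leaving the outside side to R1
ip route-static vpn-instance a 0.0.0.0 0 192.168.100.253
ip route-static vpn-instance b 0.0.0.0 0 192.168.20.1

# Return route, R1 -> F1/F2: traffic for the PC subnet re-enters the firewall pair via the
# VRRP VIP on VLAN 200 instead of being routed directly between the two instances
ip route-static vpn-instance b 192.168.10.0 24 192.168.200.253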

F1配置

# F1 (primary). Create the LACP aggregation toward S1 BAGG1 and add G1/0/0-G1/0/1 to it
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 1

# Create VLANs 100 and 200 before they are permitted on the trunk
vlan 100 200

interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200

# Configure IP addresses: .251 is F1's real address on each transit VLAN; the gateway that
# S1's static routes point at is the VRRP VIP (.253) configured further down
interface Vlan-interface100
 ip address 192.168.100.251 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.251 255.255.255.0
 
# G1/0/2 is the direct F1<->F2 link (192.168.99.0/30) used as the hot-standby data channel
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.1 255.255.255.252

# Assign security zones: Trust = inside (VLAN 100), Untrust = outside (VLAN 200),
# DMZ = the backup-channel link. Zone membership decides which policy rules apply.
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# Configure hot standby (remote backup group): F1 is the primary and talks to F2 (192.168.99.2)
# over G1/0/2. The F2 listing mirrors these values with local/remote swapped and
# device-role secondary; the sync-check interval and delay-time units are not stated here.
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.1
 remote-ip 192.168.99.2
 device-role primary
 
# VRRP VIPs that S1 uses as next hop; "active" on the primary pairs with "standby" in the
# F2 listing, so the same vrid/VIP values must appear on both devices
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 active
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 active
 
# Permit policy: only Trust -> Untrust passes, with no source/destination address or service
# restriction (lab-wide permit; narrow it for anything beyond this experiment). There is no
# Untrust -> Trust rule, so outside-initiated traffic toward the PC side is not permitted;
# replies to inside-initiated flows are expected to match the existing session -- confirm.
# The F2 listing carries no security-policy; it relies on the policy being synced from F1.
security-policy ip
 rule 5 name Trust>Untrust
  action pass
  source-zone Trust
  destination-zone Untrust

# Routes: default to S1's VLAN 200 address (instance b, toward R1); the PC subnet goes back
# to S1's VLAN 100 address (instance a)
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

F2配置

# F2 (secondary). Create the LACP aggregation toward S1 BAGG2 and add G1/0/0-G1/0/1 to it
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 2

# Create VLANs 100 and 200 before they are permitted on the trunk
vlan 100 200

interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# Configure IP addresses: .252 is F2's real address on each transit VLAN; the shared
# gateway is the VRRP VIP (.253) configured further down
interface Vlan-interface100
 ip address 192.168.100.252 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.252 255.255.255.0
 
# G1/0/2 is the direct F1<->F2 link (192.168.99.0/30) used as the hot-standby data channel
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.2 255.255.255.252

# Assign security zones, identical to F1 so that the synced policy applies the same way:
# Trust = inside (VLAN 100), Untrust = outside (VLAN 200), DMZ = the backup-channel link
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# Configure hot standby: same group parameters as F1 with local/remote swapped and the
# role set to secondary
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.2
 remote-ip 192.168.99.1
 device-role secondary
 
# VRRP VIPs: same vrid and VIP as F1, but "standby" on the secondary
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 standby
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 standby

# Routes, identical to F1. No security-policy is configured here; this listing relies on the
# Trust -> Untrust rule being synced from F1 over the backup group -- confirm on F2 once the
# group is established.
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

R1配置

# R1: G0/0 connects to S1 G1/0/5 (VLAN 20, instance b); 192.168.20.254 is S1's address there
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.20.1 255.255.255.0
 
# Return route to the PC subnet points at S1, which forwards it to the firewall VIP on VLAN 200
ip route-static 192.168.10.0 24 192.168.20.254

配置验证

查看双机热备建立情况

查看数据转发路径
