H3C防火墙VPN实例旁挂+双机热备部署实验

不做菜鸟的网工2025-04-01 14:33

网络拓扑

S1

接口 VLAN IP
VLAN100 100 192.168.100.254
VLAN200 200 192.168.200.254
AGG1 100 200 ---
AGG2 100 200 ---
G1/0/5 20 192.168.20.254
G1/0/6 10 192.168.10.254

F1

接口 VLAN IP
VLAN100 100 192.168.100.251
VLAN200 200 192.168.200.251
VRRP 100 200 192.168.100.253 192.168.200.253
AGG1 100 200 ---
G1/0/2 --- 192.168.99.1

F2

接口 VLAN IP
VLAN100 100 192.168.100.252
VLAN200 200 192.168.200.252
VRRP 100 200 192.168.100.253 192.168.200.253
AGG2 100 200 ---
G1/0/2 --- 192.168.99.2

配置过程

S1

kotlin 复制代码 
# 创建链路聚合
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
# 将接口添加至链路聚合组
int range GigabitEthernet 1/0/1 to g1/0/2
 port link-aggregation group 1

int range GigabitEthernet 1/0/3 to g1/0/4
 port link-aggregation group 2

# 划分VLAN
vlan 10 20 100 200
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200
 
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

interface GigabitEthernet1/0/5
 port access vlan 2
 
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 10
 
# 创建VPN实例
ip vpn-instance a
 address-family ipv4
 
ip vpn-instance b
 address-family ipv4
 
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.254 255.255.255.0

interface Vlan-interface20
 ip binding vpn-instance b
 ip address 192.168.20.254 255.255.255.0
 
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.254 255.255.255.0

interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.254 255.255.255.0
 
# 写缺省路由 PC>F1/F2
ip route-static vpn-instance a 0.0.0.0 0 192.168.100.253
ip route-static vpn-instance b 0.0.0.0 0 192.168.20.1

# 写回程明细路由 R1>F1/F2
ip route-static vpn-instance b 192.168.10.0 24 192.168.200.253

F1配置

kotlin 复制代码 
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 1

# 划分VLAN
vlan 100 200

interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200

# 配置IP地址
interface Vlan-interface100
 ip address 192.168.100.251 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.251 255.255.255.0
 
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.1 255.255.255.252

# 划分安全区域
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# 配置双机热备
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.1
 remote-ip 192.168.99.2
 device-role primary
 
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 active
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 active
 
# 配置放行策略
security-policy ip
 rule 5 name Trust>Untrust
  action pass
  source-zone Trust
  destination-zone Untrust

# 配置路由条目
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

F2配置

kotlin 复制代码 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 2

# 划分VLAN
vlan 100 200

interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# 配置IP地址
interface Vlan-interface100
 ip address 192.168.100.252 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.252 255.255.255.0
 
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.2 255.255.255.252

# 划分安全区域
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# 配置双机热备
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.2
 remote-ip 192.168.99.1
 device-role secondary
 
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 standby
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 standby

# 配置路由条目
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

R1配置

java 复制代码 
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.20.1 255.255.255.0
 
ip route-static 192.168.10.0 24 192.168.20.254

配置验证

查看双机热备建立情况

查看数据转发路径

相关推荐
27669582922 小时前
泡泡玛特app 腾讯企业加固/支付宝加固脱修frida rpc调用
网络·网络协议·rpc·frida·泡泡玛特·ppmt·泡泡玛特app-rpc调用
未来侦察班3 小时前
网络协议 网络层,万物归于IP
网络·网络协议·协议·ip·网络层·tcpip
colofullove4 小时前
实时游玩页与 WebSocket 状态管理实现
websocket·网络协议·状态模式
小短腿的代码世界4 小时前
WebSocket协议在Qt中的工业级实现:5层架构设计与万级并发压测验证
qt·websocket·网络协议
葡萄皮sandy6 小时前
SSE和WebSocket
网络·websocket·网络协议
hyunbar7776 小时前
配置 Cloudflare Tunnel:把 Mac 上的 Web 服务变成安全域名
网络协议
酉鬼女又兒7 小时前
零基础入门IPv4地址:从基本概念、分类编址、子网划分到无分类编址与应用规划全解
网络·网络协议·计算机网络·考研·职场和发展·分类·智能路由器
未来侦察班7 小时前
网络协议 数据链路层,“帧”建立统一新秩序
网络·网络协议
极创信息8 小时前
信创产品适配测试认证,域名和SSL是必须的吗?
java·开发语言·网络·python·网络协议·ruby·ssl
未来侦察班8 小时前
网络协议物理层,“地基“是怎么练成的
网络·物联网·网络协议·物理层·tcpip
热门推荐
01HTTP 与 HTTPS 的区别:从原理到实战详解022026 AI 编程工具终极实战指南:Cursor vs Claude Code vs Copilot,开发者该怎么选?032026年6月AI行业全景:从百模大战到Agent元年,这30天发生了什么?04【AI】2026 年具身智能模型和世界模型总结052026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf06AI科技热点日报 | 2026年6月1日07GitHub 镜像站点08Claude Code、Codex、Cursor三分天下:2026年AI编程Agent生态全景剖析09《置身钉内》原文-可播放阅读10上线仅72小时被强制下架:Claude Fable 5 的短命