H3C防火墙VPN实例旁挂+双机热备部署实验

不做菜鸟的网工2025-04-01 14:33

网络拓扑

S1

接口 VLAN IP
VLAN100 100 192.168.100.254
VLAN200 200 192.168.200.254
AGG1 100 200 ---
AGG2 100 200 ---
G1/0/5 20 192.168.20.254
G1/0/6 10 192.168.10.254

F1

接口 VLAN IP
VLAN100 100 192.168.100.251
VLAN200 200 192.168.200.251
VRRP 100 200 192.168.100.253 192.168.200.253
AGG1 100 200 ---
G1/0/2 --- 192.168.99.1

F2

接口 VLAN IP
VLAN100 100 192.168.100.252
VLAN200 200 192.168.200.252
VRRP 100 200 192.168.100.253 192.168.200.253
AGG2 100 200 ---
G1/0/2 --- 192.168.99.2

配置过程

S1

kotlin 复制代码 
# 创建链路聚合
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
# 将接口添加至链路聚合组
int range GigabitEthernet 1/0/1 to g1/0/2
 port link-aggregation group 1

int range GigabitEthernet 1/0/3 to g1/0/4
 port link-aggregation group 2

# 划分VLAN
vlan 10 20 100 200
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200
 
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

interface GigabitEthernet1/0/5
 port access vlan 2
 
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 10
 
# 创建VPN实例
ip vpn-instance a
 address-family ipv4
 
ip vpn-instance b
 address-family ipv4
 
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.254 255.255.255.0

interface Vlan-interface20
 ip binding vpn-instance b
 ip address 192.168.20.254 255.255.255.0
 
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.254 255.255.255.0

interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.254 255.255.255.0
 
# 写缺省路由 PC>F1/F2
ip route-static vpn-instance a 0.0.0.0 0 192.168.100.253
ip route-static vpn-instance b 0.0.0.0 0 192.168.20.1

# 写回程明细路由 R1>F1/F2
ip route-static vpn-instance b 192.168.10.0 24 192.168.200.253

F1配置

kotlin 复制代码 
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 1

# 划分VLAN
vlan 100 200

interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200

# 配置IP地址
interface Vlan-interface100
 ip address 192.168.100.251 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.251 255.255.255.0
 
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.1 255.255.255.252

# 划分安全区域
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# 配置双机热备
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.1
 remote-ip 192.168.99.2
 device-role primary
 
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 active
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 active
 
# 配置放行策略
security-policy ip
 rule 5 name Trust>Untrust
  action pass
  source-zone Trust
  destination-zone Untrust

# 配置路由条目
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

F2配置

kotlin 复制代码 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 2

# 划分VLAN
vlan 100 200

interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# 配置IP地址
interface Vlan-interface100
 ip address 192.168.100.252 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.252 255.255.255.0
 
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.2 255.255.255.252

# 划分安全区域
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# 配置双机热备
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.2
 remote-ip 192.168.99.1
 device-role secondary
 
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 standby
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 standby

# 配置路由条目
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

R1配置

java 复制代码 
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.20.1 255.255.255.0
 
ip route-static 192.168.10.0 24 192.168.20.254

配置验证

查看双机热备建立情况

查看数据转发路径

相关推荐
汤愈韬4 小时前
三种常用 NAT 的经典案例
网络协议·网络安全·security
汤愈韬5 小时前
NAT Server 与目的Nat
网络·网络协议·网络安全·security
7ACE7 小时前
Wireshark TS | TLP 超时时间
网络·网络协议·tcp/ip·wireshark·tcpdump
凯瑟琳.奥古斯特12 小时前
NAT原理及作用详解
网络·网络协议
_Evan_Yao14 小时前
从 IP 路由到 Agent 路由:最长前缀匹配如何帮你分发任务?
java·网络·后端·网络协议·tcp/ip
数据法师1 天前
开源情报收集工具GhostTrack深度测评:IP、手机号、用户名的合规信息查询方案
网络·网络协议·tcp/ip
想成为优秀工程师的爸爸1 天前
第三十篇技术笔记:郭大侠学UDS - 人有生老三千疾,望闻问切良方医
网络·笔记·网络协议·tcp/ip·信息与通信
灰子学技术1 天前
Envoy HTTP Connection Manager (HCM) 技术文档
网络·网络协议·http
日取其半万世不竭1 天前
WordPress建站 + 免费SSL证书配置完整教程
网络·网络协议·ssl
七七powerful2 天前
AI+运维提效--HTTPS 证书有效期监控方案
网络协议·http·https
热门推荐
01要裂开了!ChatGPT要手机号验证了?注册Codex要求验证电话号码怎么办?2026年登陆Codex要手机号验证的解决办法02GitHub 镜像站点03Codex 接入 DeepSeek API 完整配置文档04【AI】2026 年具身智能模型和世界模型总结05裂开!ChatGPT 居然开始要手机号验证,附详细解决方法06零基础教你claude code 接入 deepseek V4072026年AI前瞻:量子AI、具身智能与科学发现的新纪元08实测可用|小米 MiMo 百万亿 Token 免费领,开发者速冲09在Windows 11上安装Docker的踩坑记录10CC-Switch & Claude 基于 Linux 服务器安装使用指南