H3C防火墙VPN实例旁挂+双机热备部署实验

网络拓扑

S1

接口 VLAN IP
VLAN100 100 192.168.100.254
VLAN200 200 192.168.200.254
AGG1 100 200 ---
AGG2 100 200 ---
G1/0/5 20 192.168.20.254
G1/0/6 10 192.168.10.254

F1

接口 VLAN IP
VLAN100 100 192.168.100.251
VLAN200 200 192.168.200.251
VRRP 100 200 192.168.100.253 192.168.200.253
AGG1 100 200 ---
G1/0/2 --- 192.168.99.1

F2

接口 VLAN IP
VLAN100 100 192.168.100.252
VLAN200 200 192.168.200.252
VRRP 100 200 192.168.100.253 192.168.200.253
AGG2 100 200 ---
G1/0/2 --- 192.168.99.2

配置过程

S1

# Create the two dynamic (LACP) aggregation groups on the core switch:
# group 1 faces F1 (its AGG1), group 2 faces F2 (its AGG2), as in the topology tables
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
# Member ports: 1/0/1-1/0/2 join group 1, 1/0/3-1/0/4 join group 2
int range GigabitEthernet 1/0/1 to g1/0/2
 port link-aggregation group 1

int range GigabitEthernet 1/0/3 to g1/0/4
 port link-aggregation group 2

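# VLANs: 10 = PC side (VPN a), 20 = R1 side (VPN b), 100/200 = the two uplinks to the firewall pair
vlan 10 20 100 200
# Both aggregates toward F1/F2 are trunks carrying only the firewall-facing VLANs
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200
 
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# G1/0/5 connects R1 (192.168.20.1) and must be an access port in VLAN 20, the VLAN of
# Vlan-interface20 (192.168.20.254) per the S1 table. The original "port access vlan 2"
# placed it in a VLAN that is never created, so R1 had no path to its gateway.
interface GigabitEthernet1/0/5
 port access vlan 20
 
# G1/0/6 toward the PC side is a trunk that carries VLAN 10 only
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 10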
 
# Two VRFs on S1: "a" holds the inside side (VLAN 10 + VLAN 100), "b" the outside side
# (VLAN 20 + VLAN 200). Because neither VRF has a route into the other, traffic between the
# PC side and the R1 side must leave S1 and transit the firewall pair - this is what makes
# the side-mounted (bypass) firewall design enforce inspection.
ip vpn-instance a
 address-family ipv4
 
ip vpn-instance b
 address-family ipv4
 
# PC-facing gateway, VPN a (keep the binding before the address: binding clears any
# address already present on the interface)
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.254 255.255.255.0

# R1-facing gateway, VPN b
interface Vlan-interface20
 ip binding vpn-instance b
 ip address 192.168.20.254 255.255.255.0
 
# Uplink to the firewalls' Trust side (their VRRP VIP is 192.168.100.253), VPN a
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.254 255.255.255.0

# Uplink to the firewalls' Untrust side (VRRP VIP 192.168.200.253), VPN b
interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.254 255.255.255.0
 
# Default routes.
# VPN a (PC side): everything goes to the firewalls' Trust-side VRRP VIP, so a failover
# between F1 and F2 is transparent to S1.
ip route-static vpn-instance a 0.0.0.0 0 192.168.100.253
# VPN b (R1 side): the default next hop is R1 itself, not the firewall VIP
ip route-static vpn-instance b 0.0.0.0 0 192.168.20.1

# Return route for the PC subnet seen from the R1 side: hand it to the firewalls'
# Untrust-side VIP so replies pass back through the same firewall pair (the two VRFs
# have no direct route between them).
ip route-static vpn-instance b 192.168.10.0 24 192.168.200.253

F1配置

# LACP aggregation group 1 toward S1's AGG1, member ports 1/0/0-1/0/1
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 1

# Only the two firewall VLANs exist on F1; the aggregate is a trunk carrying both
vlan 100 200

interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200

# Per-device (real) addresses on the two VLAN interfaces; the shared VRRP VIPs (.253)
# are added in the hot-standby section of this same configuration
interface Vlan-interface100
 ip address 192.168.100.251 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.251 255.255.255.0
 
# Routed port used as the hot-standby data channel: a /30 point-to-point link to F2 (192.168.99.2)
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.1 255.255.255.252

# Zone assignment: PC-facing uplink = Trust, R1-facing uplink = Untrust, hot-standby link = DMZ.
# Every forwarding interface must be in some zone; the firewall drops traffic on interfaces
# that belong to none.
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# Hot-standby (remote backup) pairing with F2, F1 acting as primary.
# G1/0/2 (192.168.99.1/30, zone DMZ) is the channel over which the two firewalls exchange
# backup traffic; keep it a dedicated direct link that carries no user traffic.
# NOTE(review): the units and effect of "sync-check interval 1" and "delay-time 1" are not
# shown on this page - confirm them against the platform documentation before reuse.
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.1
 remote-ip 192.168.99.2
 device-role primary
 
# Shared gateway addresses: F1 owns both VIPs while active. The same vrid is reused on the
# two VLAN interfaces; VRRP groups are scoped per interface, so they do not collide.
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 active
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 active
 
# Security policy. The single rule matches on zones only - no source/destination address,
# service or application condition - so any host reached via VLAN100 may initiate any
# traffic toward VLAN200 and beyond. No Untrust>Trust rule exists, so nothing from the R1
# side can initiate toward the PC subnet; replies presumably ride the session created by
# this rule (stateful matching is not shown here - verify with the forwarding-path check).
# For anything beyond a lab, narrow this rule with address and service objects.
security-policy ip
 rule 5 name Trust>Untrust
  action pass
  source-zone Trust
  destination-zone Untrust

# Routes: default toward S1's VLAN200 gateway (VPN b, the R1 side); the PC subnet back
# toward S1's VLAN100 gateway (VPN a).
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

F2配置

# LACP aggregation group 2 toward S1's AGG2, member ports 1/0/0-1/0/1
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 2

# Only the two firewall VLANs exist on F2; the aggregate is a trunk carrying both
vlan 100 200

interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# Per-device (real) addresses on F2 (.252); the shared VRRP VIPs (.253) are added in the
# hot-standby section of this same configuration
interface Vlan-interface100
 ip address 192.168.100.252 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.252 255.255.255.0
 
# Routed port used as the hot-standby data channel: the other end of the /30 to F1 (192.168.99.1)
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.2 255.255.255.252

# Zone assignment mirrors F1: PC-facing uplink = Trust, R1-facing uplink = Untrust,
# hot-standby link = DMZ. Interfaces in no zone do not forward traffic.
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# Hot-standby peer side: same data channel, mirrored local/remote addresses, secondary role.
# NOTE(review): no security-policy section is given for F2; presumably the rule set is
# taken from the primary through the backup group's configuration synchronisation.
# Verify on F2 after the pair comes up rather than assuming it - with no policy, F2 would
# drop the traffic it takes over on failover.
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.2
 remote-ip 192.168.99.1
 device-role secondary
 
# F2 holds the same VIPs in standby and takes them over when F1 fails
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 standby
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 standby

# Routes, identical to F1: default toward S1's VLAN200 gateway (VPN b, the R1 side); the PC
# subnet back toward S1's VLAN100 gateway (VPN a). Both next hops are S1 real addresses, so
# they stay valid regardless of which firewall currently owns the VIPs.
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

R1配置

# R1 sits on S1's VPN b side (VLAN 20). Its only route to the PC subnet points at S1's
# VLAN20 gateway, so the end-to-end path is
# PC -> S1 (VPN a) -> F1/F2 -> S1 (VPN b) -> R1, and replies follow the same path in reverse.
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.20.1 255.255.255.0
 
ip route-static 192.168.10.0 24 192.168.20.254

配置验证

查看双机热备建立情况

查看数据转发路径
