SecPath 防火墻雙機(jī)熱備典型配置

1、SecPath防火墻雙機(jī)熱備典型配置舉例關(guān)鍵詞：雙機(jī)熱備、主備模式、負(fù)載分擔(dān)模式、數(shù)據(jù)同步、流量切換摘要：防火墻設(shè)備是所有信息流都必須通過的單一點(diǎn)，一旦故障所有信息流都會中斷。保障 信息流不中斷至關(guān)重要，這就需要解決防火墻設(shè)備單點(diǎn)故障問題。雙機(jī)熱備技術(shù)可以 保障即使在防火墻設(shè)備故障的情況下，信息流仍然不中斷。本文將介紹雙機(jī)熱備的概 念、工作模式及典型應(yīng)用等?？s略語:縮略語英文全名中文解釋ALGApplication Level Gateway應(yīng)用層網(wǎng)關(guān)ASPFApplication Specific Packet Filter基于應(yīng)用層的包過濾NATNetwork Address Transl

2、ator網(wǎng)絡(luò)地址轉(zhuǎn)換VRRPVirtual Router Redundancy Protocol虛擬路由冗余協(xié)議OSPFOpen Shortest Path First開放最短路徑優(yōu)先 TOC o 1-5 h z HYPERLINK l bookmark4 o Current Document 1特性簡介3 HYPERLINK l bookmark7 o Current Document 1.1雙機(jī)熱備的工作機(jī)制3 HYPERLINK l bookmark15 o Current Document 2特性使用指南4 HYPERLINK l bookmark18 o Current Docume

3、nt 2.1使用場合4 HYPERLINK l bookmark21 o Current Document 2.2配置指南4 HYPERLINK l bookmark24 o Current Document 2.2.1雙機(jī)熱備組網(wǎng)應(yīng)用配置指南4 HYPERLINK l bookmark33 o Current Document 2.2.2雙機(jī)熱備應(yīng)用涉及的配置4 HYPERLINK l bookmark36 o Current Document 2.3注意事項4 HYPERLINK l bookmark39 o Current Document 3支持的設(shè)備和版本5 HYPERLINK l

4、bookmark42 o Current Document 3.1設(shè)備版本5 HYPERLINK l bookmark45 o Current Document 3.2支持的設(shè)備5 HYPERLINK l bookmark51 o Current Document 3.3配置保存5 HYPERLINK l bookmark58 o Current Document 4配置舉例6 HYPERLINK l bookmark61 o Current Document 4.1典型組網(wǎng)6 HYPERLINK l bookmark69 o Current Document 4.2設(shè)備基本配置9 HYPER

5、LINK l bookmark72 o Current Document 4.2.1其他共同配置：9 HYPERLINK l bookmark78 o Current Document 4.3雙機(jī)熱備業(yè)務(wù)典型配置舉例9 HYPERLINK l bookmark81 o Current Document 4.3.1透明模式+主備模式9 HYPERLINK l bookmark157 o Current Document 4.3.2透明模式+負(fù)載分擔(dān)模式14 HYPERLINK l bookmark224 o Current Document 4.3.3路由模式+主備模式17 HYPERLINK

6、l bookmark265 o Current Document 4.3.4路由模式+負(fù)載分擔(dān)模式19 HYPERLINK l bookmark300 o Current Document 4.3.5路由模式+主備模式+支持非對稱路徑21 HYPERLINK l bookmark337 o Current Document 4.3.6路由模式+負(fù)載分擔(dān)模式+支持非對稱路徑28 HYPERLINK l bookmark363 o Current Document 4.3.7動態(tài)路由模式組網(wǎng)33 HYPERLINK l bookmark366 o Current Document 5相關(guān)資料331

7、特性簡介雙機(jī)熱備在鏈路切換前，對會話信息進(jìn)行主備同步；在設(shè)備故障后能將流量切換到其他 備份設(shè)備，由備份設(shè)備繼續(xù)處理業(yè)務(wù)，從而保證了當(dāng)前的會話不被中斷。secpath防火墻具有 多樣化的組網(wǎng)方式，雙機(jī)的組網(wǎng)應(yīng)用也會很多種，本文試舉幾種雙機(jī)熱備的典型應(yīng)用。1.1雙機(jī)熱備的工作機(jī)制互為備份的兩臺防火墻只負(fù)責(zé)會話信息備份，保證流量切換后會話連接不中斷。而 流量的切換則依靠傳統(tǒng)備份技術(shù)（如VRRP、動態(tài)路由）來實現(xiàn)，應(yīng)用靈活，能適應(yīng)各種組網(wǎng) 環(huán)境。另外需要使用專有的備份鏈路口進(jìn)行會話信息的備份，該備份鏈路口不作數(shù)據(jù)轉(zhuǎn)發(fā)， 從而保障了備份的高可靠性及高性能。在命令行下無法配置雙機(jī)熱備，只能在WEB頁面上配

8、置；WEB配置頁面：戲機(jī)熱備狀態(tài)配置:巧建能雙機(jī)熱備功能備份類型：|不支持非對稱路徑二|備份接口 ：當(dāng)前熱備狀態(tài)：靜默當(dāng)前生效的備份接口 ：lnner-EthernetO/1星號為必須埴寫項確定|取消|必須配置心跳口，心跳口也須在WEB頁面上配置，指定一個物理口后保存，重啟， 心跳口開始工作，心跳口在命令行和WEB頁面下的接口管理中都不可見，但是雙機(jī) 熱備配置頁面下可見。沒有主備設(shè)備之分，工作中的設(shè)備稱為主用設(shè)備比較合適些，兩臺防火墻的會話信 息相互備份，主用設(shè)備上產(chǎn)生的會話會自動通過心跳口備份到備用設(shè)備上，目前只 有穩(wěn)態(tài)的會話才會進(jìn)行備份；主要有兩種模式的組網(wǎng)：靜態(tài)路由模式和動態(tài)路由模式，靜

9、態(tài)路由模式組網(wǎng)依賴于 VRRP，當(dāng)一臺設(shè)備Down機(jī)后，Vrrp的主備狀態(tài)發(fā)生切換，工作的防火墻隨之切換； 動態(tài)路由模式依賴于動態(tài)路由協(xié)議，由于動態(tài)路由協(xié)議進(jìn)行路由學(xué)習(xí)比VRRP切換 慢，所以路由模式的雙機(jī)熱備主用設(shè)備切換時間較長；在這兩種組網(wǎng)的基礎(chǔ)上又可 以配置為雙主用模式、主備用模式；目前版本僅支持對稱路徑的雙機(jī)熱備份，即報文來回都要通過同一臺防火墻；若出 報文從A出，回來的報文從B返回的話，稱為非對稱路徑，在以后的版本將支持非對 稱的報文轉(zhuǎn)發(fā)。2特性使用指南2.1使用場合Secpath防火墻作為內(nèi)外網(wǎng)的接入點(diǎn)，當(dāng)設(shè)備出現(xiàn)故障便會導(dǎo)致內(nèi)外網(wǎng)之間的網(wǎng)絡(luò)業(yè)務(wù) 的全部中斷。在這種關(guān)鍵業(yè)務(wù)點(diǎn)上如果

10、只使用一臺設(shè)備的話，無論其可靠性多高，系統(tǒng)都必 然要承受因單點(diǎn)故障而導(dǎo)致網(wǎng)絡(luò)中斷的風(fēng)險。雙機(jī)熱備解決方案能夠很好的解決這個問題。2.2配置指南2.2.1雙機(jī)熱備組網(wǎng)應(yīng)用配置指南雙機(jī)熱備典型組網(wǎng)應(yīng)用包括以下內(nèi)容：透明模式+主備模式透明模式+負(fù)載分擔(dān)模式路由模式+主備模式路由模式+負(fù)載分擔(dān)模式路由模式+主備模式+支持非對稱路徑路由模式+負(fù)載分擔(dān)模式+支持非對稱路徑2.2.2雙機(jī)熱備應(yīng)用涉及的配置用戶必須在Web設(shè)置雙機(jī)熱備功能，命令行無法配置。2.3注意事項雙機(jī)熱備關(guān)于Web配置根據(jù)具體實例再作說明。3支持的設(shè)備和版本3.1設(shè)備版本f5000a-1_dis verH3C Comware Platf

11、orm SoftwareComware Software, Version 5.20, Beta 3203Comware Platform Software Version COMWAREV500R002B62D001H3C SecPath F5000-A5 Software Version V300R002B01D012Copyright (c) 2004-2008 Hangzhou H3C Tech. Co., Ltd. All rights reserved.Compiled Oct 31 2008 14:56:27, RELEASE SOFTWAREH3C SecPath F5000-

12、A5 uptime is 0 week, 0 day, 0 hour, 51 minutesCPU type: RMI XLR732 1000MHz CPU2048M bytes DDR2 SDRAM Memory4M bytes Flash MemoryMPUA PCBVersion:Ver.ASWBA PCBVersion:Ver.AMPUA Basic Logic Version:133.0MPUA ExtendLogic Version:133.0SWBA LogicVersion:132.0MPUA LX30T FPGA Version:3.08Basic BootWare Vers

13、ion:1.02Extend BootWare Version:1.02FIXED PORTCON(Hardware)Ver.A,(Driver)1.0,(Cpld)133.0FIXED PORTAUX(Hardware)Ver.A,(Driver)1.0,(Cpld)133.0FIXED PORTM-GE0/0(Hardware)Ver.A,(Driver)1.0,(Cpld)133.0SUBCARD 1NSQ1GT8C40(Hardware)Ver.A,(Driver)1.0,(Cpld)134.0SUBSLOT 2The SubCardis not presentSUBSLOT 3The

14、 SubCardis not presentSUBSLOT 4The SubCardis not present3.2支持的設(shè)備Secpath F5000-A53.3配置保存每次配置完成后，注意進(jìn)行配置的保存。系統(tǒng)管理 配置維護(hù) 配置保存，點(diǎn)擊 確定。H3CRoot淄設(shè)備概覽淄配置向?qū)ё拖到y(tǒng)管理卜日期和時間-軟件升熊淄配置維護(hù)I-配置保存配置保存本次操作要將當(dāng)前配置保存到設(shè)備中。確認(rèn)要保存當(dāng)前配置嗎？確定4配置舉例4.1典型組網(wǎng)G1/0G1/0F5000a-1F5000a-2G1/1G1/1S56-aS56-b圖1雙機(jī)熱備（路由）典型組網(wǎng)（主）F1000EG0/0/3vG1/6BG1/8G1/

15、0/14S56AS56BvlanlPC-A:0PC-C /C12B圖2雙機(jī)熱備（透明）典型組網(wǎng)G1/8vl/llG1/911vlUntrust 域:Trus t域:G1/0/1PC-B:Http/ftp/dns serverF1000e-01G0/2G0/1G1/0G0/3G0/1G1/0F1000e-02G0/2圖3雙機(jī)熱備（非對稱主備）典型組網(wǎng)圖4雙機(jī)熱備（非對稱雙主）典型組網(wǎng)4.2設(shè)備基本配置4.2.1其他共同配置：(1)接口模式：M-G0/0為管理接口InterfacePhysical Protocol IP AddressM-GigabitEthernet0/0upup4.3雙機(jī)熱備

16、業(yè)務(wù)典型配置舉例4.3.1透明模式+主備模式功能簡述主備模式就是只有一臺防火墻處于工作狀態(tài)，另一臺處于備用狀態(tài)，當(dāng)主用設(shè) 備Down機(jī)后，備用設(shè)備會接管工作。典型配置步驟(組網(wǎng)圖2 )1、防火墻運(yùn)行在二層模式，配置如圖所示的Vlan；F5000A-B 配置:f5000a-2dis cu sysname f5000a-2#vlan 12#interface GigabitEthernet1/6 port link-mode bridge port access vlan 12#interface GigabitEthernet1/8port link-mode bridge port acces

17、s vlan 12#interface GigabitEthernet1/9port link-mode bridge port access vlan 12F5000A-A 配置:f5000a-1dis cusysname f5000a-1#vlan 11#interface GigabitEthernet1/6port link-mode bridgeport access vlan 11#interface GigabitEthernet1/8port link-mode bridgeport access vlan 11#interface GigabitEthernet1/9port

18、 link-mode bridgeport access vlan 112、路由器F1000E上配置兩個網(wǎng)段(和)對應(yīng)交換機(jī)的vlanll、vlan12兩個網(wǎng)段；提供兩個網(wǎng)關(guān)(和)，并分別指回程路由。F1000E 配置:f1000edis cu#interface GigabitEthernet0/2port link-mode routeip address #interface GigabitEthernet0/3port link-mode routeip address #ip route-static ip route-static preference 100ip route-st

19、atic ip route-static preference 1003、S56A和S56B上配置靜態(tài)路由分別指向這兩個網(wǎng)關(guān)，配置兩條路由，使優(yōu)先級 不同。實現(xiàn)當(dāng)鏈路斷時，使優(yōu)先級高的靜態(tài)路由失效。S56A配置:lsw-updis cu#vlan 11 to 14#interface Vlan-interface11ip address #interface Vlan-interface12ip address #interface Vlan-interface13ip address #interface GigabitEthernet1/0/11port access vlan 11#in

20、terface GigabitEthernet1/0/12port access vlan 12#interface GigabitEthernet1/0/13port access vlan 13#interface GigabitEthernet1/0/14port access vlan 14#ip route-static preference 60ip route-static preference 100S56B配置：lsw-downdis cu#sysname lsw-down#vlan 11 to 14#interface Vlan-interface11ip address

21、#interface Vlan-interface12ip address #interface Vlan-interface13ip address #interface GigabitEthernet1/0/11port access vlan 11#interface GigabitEthernet1/0/12port access vlan 12#interface GigabitEthernet1/0/13port access vlan 13#interface GigabitEthernet1/0/14port access vlan 14#ip route-static pre

22、ference 60ip route-static preference 100B.WEB配置：1 .首先把F5000A相關(guān)接口加入域;把需要聯(lián)動的接口加入到同一聯(lián)動組。一旦其中一個接口 down丟，組內(nèi) 其他接口同樣down丟。配置切換時F5000A結(jié)合透明方式接口組聯(lián)動來實現(xiàn)聯(lián)動組70多支持3個接口）r接口名稱接口狀態(tài)rGigabitEthemetVSDownpGigabitEthemetVGUprGigabitEthernetl/7DownpGigabitEthemetVSUppGigabitEthemetVSUp3.驗證結(jié)果從PC-B到PC-A,從PC-C到PC-A通過默認(rèn)路由，默認(rèn)都

23、走F5000A-Atracert 0traceroute to 0(0) 30 hops max,40 bytes packetPress CTRL_C to break 2 ms 1 ms 1 ms 1 ms 0 ms 1 ms0 0 ms 1 ms 0 mstracert 0traceroute to 0(0) 30 hops max,40 bytes packet 11 ms 5 ms 6 ms 19 ms 3 ms 8 ms0 9 ms 3 ms 3 ms當(dāng)F5000A-A出現(xiàn)故障后，則切換到F5000A-B上PC-Btracert 0traceroute to 0(0) 30 hop

24、s max,40 bytes packetPress CTRL_C to break 1 ms 2 ms 1 ms 0 ms 1 ms 0 ms0 1 ms 1 ms 0 msPC-Ctracert 0traceroute to 0(0) 30 hops max,40 bytes packet 11 ms 4 ms 7 ms 19 ms 3 ms 9 ms0 8 ms 3 ms 4 ms注意事項本配置完成，清除防火墻中所做的配置，以防對其他配置產(chǎn)生影響。4.3.2透明模式+負(fù)載分擔(dān)模式功能簡述雙主組網(wǎng)就是兩臺防火墻都處于工作狀態(tài)，每臺設(shè)備負(fù)責(zé)轉(zhuǎn)發(fā)一部分流量，實 現(xiàn)負(fù)載分擔(dān)，而當(dāng)任一臺設(shè)備Dow

25、n機(jī)后，另一臺設(shè)備會接管全部工作。典型配置步驟(組網(wǎng)圖2 )1、負(fù)載分擔(dān)模式和主備模式區(qū)別在于路由配置。2、路由器F1000E上配置兩個網(wǎng)段(和)對應(yīng)交換機(jī)的vlanll、 vlan12兩個網(wǎng)段；提供兩個網(wǎng)關(guān)(和)，F(xiàn)1000E 配置:f1000edis cu#interface GigabitEthernet0/2port link-mode routeip address #interface GigabitEthernet0/3port link-mode routeip address #ip route-static ip route-static preference 100ip

26、route-static ip route-static preference 1003、S56A和S56B上配置靜態(tài)路由分別指向這兩個網(wǎng)關(guān)，配置兩條路由，使優(yōu)先級 不同。為了實現(xiàn)當(dāng)鏈路斷時，使優(yōu)先級高的靜態(tài)路由失效，配置切換時結(jié)合透 明方式接口組聯(lián)動來實現(xiàn)。F1000E上分別指回程路由，使防火墻負(fù)載分擔(dān)。S56A配置:lsw-updis cu# vlan 11 to 14 #interface Vlan-interface11ip address #interface Vlan-interface12ip address #interface Vlan-interface13ip addre

27、ss #interface GigabitEthernet1/0/11port access vlan 11#interface GigabitEthernet1/0/12port access vlan 12#interface GigabitEthernet1/0/13port access vlan 13#interface GigabitEthernet1/0/14port access vlan 14#ip route-static preference 60ip route-static preference 100S56B配置：lsw-downdis cu#sysname lsw

28、-down#vlan 11 to 14#interface Vlan-interface11ip address #interface Vlan-interface12ip address #interface Vlan-interface13ip address #interface GigabitEthernet1/0/11port access vlan 11#interface GigabitEthernet1/0/12port access vlan 12#interface GigabitEthernet1/0/13port access vlan 13#interface Gig

29、abitEthernet1/0/14port access vlan 14#ip route-static preference 60ip route-static preference 1003.驗證結(jié)果從PC-B到PC-A,從PC-C到PC-A通過默認(rèn)路由進(jìn)行負(fù)載分擔(dān)，分別走F5000A-1 和 F5000A-2PC-Btracert 0traceroute to 0(0) 30 hops max,40 bytes packet 11 ms 6 ms 8 ms 16 ms 3 ms 9 ms0 8 ms 4 ms 3 msPC-Ctracert 0traceroute to 0(0) 30

30、 hops max,40 bytes packetPress CTRL_C to break 1 ms 2 ms 1 ms 0 ms 1 ms 0 ms0 1 ms 0 ms 1 ms當(dāng)F5000A-1和F5000A-2中有一個接口 down 了，則切換到另一臺上。如F5000A-1 一個接口 down，則切換到F5000-B上。PC-Btracert 0traceroute to 0(0) 30 hops max,40 bytes packet 11 ms 4 ms 7 ms 9 ms 3 ms 3 ms0 14 ms 3 ms 9 msPC-Ctracert 0traceroute to

31、0(0) 30 hops max,40 bytes packet 11 ms 4 ms 7 ms 9 ms 3 ms 3 ms0 14 ms 3 ms 9 ms注意事項本配置完成，清除防火墻中所做的配置，以防對其他配置產(chǎn)生影響。4.3.3路由模式+主備模式功能簡述靜態(tài)路由模式需要同時配置Vrrp以支持主備用設(shè)備的切換。所謂主備模式就是 只有一臺防火墻處于工作狀態(tài)，另一臺處于備用狀態(tài)，當(dāng)主用設(shè)備Down機(jī)后，備 用設(shè)備會接管工作。典型配置步驟（組網(wǎng)圖2 ）（1）命令行下進(jìn)行如下配置：F5000a-1配置：（作為主用設(shè)備）nat address-group 1 54 level 1#acl num

32、ber 3001rule 0 permit ip source 55rule 5 permit ip source 55#interface GigabitEthernet1/0port link-mode routeip address 54 vrrp vrid 1 virtual-ip vrrp vrid 1 priority 105vrrp vrid 1 track interface GigabitEthernet1/1#interface GigabitEthernet1/1port link-mode routeip address 54 vrrp vrid 1 virtual-i

33、p vrrp vrid 1 priority 105vrrp vrid 1 track interface GigabitEthernet1/0nat outbound static track vrrp 1nat outbound 3001 address-group 1 track vrrp 1nat server protocol icmp global 3 inside 3 track vrrp 1 nat server protocol udp global 3 any inside 3 any track vrrp 1（track vrrp關(guān)鍵字，意思是當(dāng)接口收到對nat地址的ar

34、p查詢時以vrrp 1的虛接地址作為應(yīng)答?。〧5O00a-2配置：（作為備用設(shè)備）nat address-group 1 54 level 1#acl number 3001rule 0 permit ip source 55rule 5 permit ip source 55/與主用設(shè)備配置要一致#interface GigabitEthernet1/0port link-mode routeip address 53 vrrp vrid 1 virtual-ip vrrp vrid 1 track interface GigabitEthernet1/1#interface Gigabit

35、Ethernet1/1port link-mode routeip address 53 vrrp vrid 1 virtual-ip vrrp vrid 1 track interface GigabitEthernet1/0nat outbound static track vrrp 1nat outbound 3001 address-group 1 track vrrp 1nat server protocol icmp global 3 inside 3 track vrrp 1nat server protocol udp global 3 any inside 3 any tra

36、ck vrrp 1# （track vrrp關(guān)鍵字，意思是當(dāng)接口收到對nat地址的arp查詢時以vrrp 1的虛接地址作為 應(yīng)答?。㏄C機(jī)IP配置：Server： 0PC1： 3PC2： 驗證結(jié)果（1）從Server可以ping通pci （轉(zhuǎn)換后的 3）。（2）從pci 可以訪問Server 的ftp/http/telnet等業(yè)務(wù)。注意事項.4.3.4路由模式+負(fù)載分擔(dān)模式功能簡述雙主組網(wǎng)就是兩臺防火墻都處于工作狀態(tài)，每臺設(shè)備負(fù)責(zé)轉(zhuǎn)發(fā)一部分流量，實 現(xiàn)負(fù)載分擔(dān)，而當(dāng)任一臺設(shè)備Down機(jī)后，另一臺設(shè)備會接管全部工作，要實現(xiàn)雙 主組網(wǎng)要配置至少兩個VRRP組以產(chǎn)生兩個網(wǎng)關(guān)，每臺設(shè)備分別是一個網(wǎng)關(guān)的

37、主用 設(shè)備，若使用NAT則至少要配置兩個地址池以進(jìn)行地址轉(zhuǎn)換。典型配置步驟(組網(wǎng)圖2 )(1)命令行配置如下：F5000a-1 配置：#nat address-group 1 54 level 1nat address-group 2 54 level 1#acl number 3001rule0permitip source 55rule5permitip source 55acl number 3002rule 0 permitip source 55rule5permitip source 55#interface GigabitEthernet1/0port link-mode rou

38、teip address 54 vrrp vrid 1 virtual-ip vrrp vrid 1 priority 105vrrp vrid 1 track interface GigabitEthernet1/1vrrp vrid 2 virtual-ip vrrp vrid 2 track interface GigabitEthernet1/1#interface GigabitEthernet1/1port link-mode routeip address 54 vrrp vrid 1 virtual-ip vrrp vrid 1 priority 105vrrp vrid 1

39、track interface GigabitEthernet1/0vrrp vrid 2 virtual-ip vrrp vrid 2 track interface GigabitEthernet1/0 nat outbound static track vrrp 1nat outbound 3002 address-group 2 track vrrp 2nat outbound 3001 address-group 1 track vrrp 1nat server protocol icmp global 3 inside 3 track vrrp 1nat server protoc

40、ol udp global 3 any inside 3 any track vrrp 1# （track vrrp關(guān)鍵字，意思是當(dāng)接口收到對nat地址的arp查詢時以vrrp 1的虛接地址作為 應(yīng)答?。〧5000a-2 配置：nat address-group 1 54 level 1nat address-group 2 54 level 1#acl number 3001rule 0permitipsource55rule 5permitipsource55acl number 3002rule 0permitipsource55rule 5permitipsource55#（這兒與主用

41、設(shè)備配置要一致！）#interface GigabitEthernet1/0port link-mode routeip address 53 vrrp vrid 1 virtual-ip vrrp vrid 1 track interface GigabitEthernet1/1vrrp vrid 2 virtual-ip vrrp vrid 2 priority 105vrrp vrid 2 track interface GigabitEthernet1/1#interface GigabitEthernet1/1port link-mode routeip address 53 vrr

42、p vrid 1 virtual-ip vrrp vrid 1 track interface GigabitEthernet1/0vrrp vrid 2 virtual-ip vrrp vrid 2 priority 105vrrp vrid 2 track interface GigabitEthernet1/0nat outbound static track vrrp 1nat outbound 3002 address-group 2 track vrrp 2nat outbound 3001 address-group 1 track vrrp 1nat server protoc

43、ol icmp global 3 inside 3 track vrrp 1 nat server protocol udp global 3 any inside 3 any track vrrp 1# （track vrrp關(guān)鍵字，意思是當(dāng)接口收到對nat地址的arp查詢時以vrrp 1的虛接地址作為 應(yīng)答！ /PC機(jī)IP配置：PC1： PC2： 驗證結(jié)果pci業(yè)務(wù)默認(rèn)從F5000A-1走。Pc2業(yè)務(wù)默認(rèn)從F5000A-2走。當(dāng)主機(jī)F5000A-1down全部切換到F5000A-2注意事項該組網(wǎng)要注意報文來回路徑要保持一致。4.3.5路由模式+主備模式+支持非對稱路徑功能簡述（F1000E

44、為例）功能。典型配置步驟（組網(wǎng)錯誤！未找到引用源。）（1）命令行配置：f1000E01:#version 5.20, Feature 3101#sysname fw01#undo voice vlan mac-address 00e0-bb00-0000#domain default enable system#vlan 1#domain systemaccess-limit disablestate activeidle-cut disableself-service-url disable#user-group system#local-user h3cpassword cipher GM

45、aBSDBBQ=aQMAF41!authorization-attribute level 3service-type telnet#interface Aux0async mode flowlink-protocol ppp#interface NULL0#interface GigabitEthernet0/0port link-mode routeip address 1 #interface GigabitEthernet0/2port link-mode routeip address 1 vrrp vrid 11 virtual-ip vrrp vrid 11 priority 1

46、05vrrp vrid 11 track interface GigabitEthernet0/3#interface GigabitEthernet0/3port link-mode routeip address 1 vrrp vrid 122 virtual-ip #interface GigabitEthernetl/1port link-mode route#interface GigabitEthernetl/2port link-mode route#interface GigabitEthernetl/3port link-mode route#interface Gigabi

47、tEthernetl/4port link-mode route#interface GigabitEthernet1/5port link-mode route#interface GigabitEthernet1/6port link-mode route#interface GigabitEthernet1/7port link-mode route#ip route-static 54#arp timer aging 1440#load xml-configuration#user-interface con 0idle-timeout 0 0user-interface aux 0u

48、ser-interface vty 0 4F1000e02:#version 5.20, Feature 3101#sysname fw02#undo voice vlan mac-address 00e0-bb00-0000#domain default enable system#vlan 1#domain systemaccess-limit disablestate activeidle-cut disableself-service-url disable#user-group system#local-user h3cpassword cipher GMaBSDBBQ=aQMAF4

49、1!authorization-attribute level 3service-type telnet#interface Aux0async mode flowlink-protocol ppp#interface NULL0#interface GigabitEthernet0/0port link-mode routeip address 2 #interface GigabitEthernet0/2port link-mode routeip address 2 vrrp vrid 11 virtual-ip #interface GigabitEthernet0/3port lin

50、k-mode routeip address 2 vrrp vrid 122 virtual-ip vrrp vrid 122 priority 105vrrp vrid 122 track interface GigabitEthernet0/2#interface GigabitEthernet1/1port link-mode route#interface GigabitEthernet1/2port link-mode route#interface GigabitEthernet1/3port link-mode route#interface GigabitEthernet1/4

51、port link-mode route#interface GigabitEthernet1/5port link-mode route#interface GigabitEthernet1/6port link-mode route#interface GigabitEthernet1/7port link-mode route#ip route-static 54#load xml-configuration#user-interface con 0idle-timeout 0 0user-interface aux 0user-interface vty 0 4數(shù)據(jù)流向：WEB配置:雙

52、機(jī)熱備狀態(tài)配置際使能雙機(jī)熱備功能備份類型：|支持非對稱路徑二備份接口：G i g ab itEth e rn et1 /O, G i g ab itEth e rn etO/1修改備價接口當(dāng)前熱備狀態(tài)：同步運(yùn)行當(dāng)前生效的備份接口：GigabitEthernetO/1,Gigab itEthernet1/O星號%*）為必須填寫項確定|取消修改HRRP備價組VRID11泰加-虛擬IP成員-虛擬IP冊臃優(yōu)先吸100（ 1 -254,缺省值=100）搶占方式|Preemptive刁搶占延舊0 ，秒（0-255,缺省值=0）認(rèn)證方式I_3認(rèn)證字通告時間間隔 1 秒（1 255,缺省值=1）顯示監(jiān)視配置

53、|星號（*）為必須填寫項修KVRRP備價組VRID11添加-虛擬F成員-虛擬舊冊臃*優(yōu)先吸100（1 -254,缺省值=100）搶占方式|Preemptive三搶占延詛0 ，秒（0255,缺省值=。）認(rèn)證方式I_3認(rèn)證字通告時間間隔1 秒（1255,缺省值=1）:二二膛藏監(jiān)巍配置二二二正疝守募對冢（1-1024） 添加|卜對象，降低優(yōu)先級徹?fù)Q模式-侈降低優(yōu)先級（1-25S缺省值=1r切換模式刪除|監(jiān)視接口接口N添加-揍口，降低優(yōu)先級- GigabitEthernetO/3, 10降低憂先級（1-255,缺省值=10）冊臃星號（*）為必須填寫項確定|取消3.驗證結(jié)果pci從server http

54、/ftp、方式get文件，連接不中斷;VRRP狀態(tài)：dis vrrpIPv4 Standby Information:Run Method: VIRTUAL-MACTotal number of virtual routers: 2AuthTypeVirtualIP Interface VRIDStateRunPriAdver.TimeGE0/211Master1051NONEGE0/3122Backup1001NONEfw02-GigabitEthernet0/3dis vrrpIPv4 Standby Information:Run Method: VIRTUAL-MACTotal num

55、ber of virtual routers: 2InterfaceVRIDStateRunAdver.AuthVirtualPriTimeTypeIPGE0/211Backup1001NONEGE0/3122Master1051NONE4.注意事項本配置完成，清除防火墻中所做的配置，以防對其他配置產(chǎn)生影響。4.3.6路由模式+負(fù)載分擔(dān)模式+支持非對稱路徑功能簡述（F1000E為例）通過Vla n虛接口實現(xiàn)三層轉(zhuǎn)發(fā)。典型配置步驟（組網(wǎng)4）（1）命令行配置：F1000E-1:# version 5.20, Feature 3101#sysname fw01# undo voice vlan ma

56、c-address 00e0-bb00-0000#nat address-group 1 54 level 1nat address-group 2 54 level 1# domain default enable system#acl number 3000rule 0 permit ip source 0 acl number 3001rule 0 permit ip source 0# vlan 1#domain system access-limit disable state active idle-cut disable self-service-url disable#user

57、-group system#local-user h3cpassword cipher GMaBSDBBQ=aQMAF41!authorization-attribute level 3service-type telnet#interface Aux0async mode flowlink-protocol ppp#interface NULL0#interface GigabitEthernet0/0port link-mode routeip address 1 #interface GigabitEthernet0/2port link-mode routeip address 1 v

58、rrp vrid 11 virtual-ip vrrp vrid 11 priority 105vrrp vrid 11 track interface GigabitEthernet0/3vrrp vrid Ill virtual-ip #interface GigabitEthernet0/3port link-mode routenat outbound 3001 address-group 2 track vrrp 12nat outbound 3000 address-group l track vrrp 122 ip address 1 vrrp vrid 12 virtual-i

59、p vrrp vrid 12 priority 105vrrp vrid 12 track interface GigabitEthernet0/2 vrrp vrid 122 virtual-ip #interface GigabitEthernetl/lport link-mode route#interface GigabitEthernetl/2port link-mode route#interface GigabitEthernetl/3port link-mode route#interface GigabitEthernet1/4port link-mode route#interface GigabitEthernet1/5port link-mode route#interface GigabitEthernet1/6port link-mode route#interface GigabitEthernet1/7port link-mode route#ip route-static 54#arp timer aging 1440#load