H3C防火墙VRF旁挂+双机热备部署实验

网络拓扑

S1

接口	VLAN	IP
VLAN100	100	192.168.100.254
VLAN200	200	192.168.200.254
AGG1	100 200	---
AGG2	100 200	---
G1/0/5	20	192.168.20.254
G1/0/6	10	192.168.10.254

F1

接口	VLAN	IP
VLAN100	100	192.168.100.251
VLAN200	200	192.168.200.251
VRRP	100 200	192.168.100.253 192.168.200.253
AGG1	100 200	---
G1/0/2	---	192.168.99.1

F2

接口	VLAN	IP
VLAN100	100	192.168.100.252
VLAN200	200	192.168.200.252
VRRP	100 200	192.168.100.253 192.168.200.253
AGG2	100 200	---
G1/0/2	---	192.168.99.2

配置过程

S1

# 创建链路聚合
interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
# 将接口添加至链路聚合组
int range GigabitEthernet 1/0/1 to g1/0/2
 port link-aggregation group 1

int range GigabitEthernet 1/0/3 to g1/0/4
 port link-aggregation group 2

# 划分VLAN
vlan 10 20 100 200
interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200
 
interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

interface GigabitEthernet1/0/5
 port access vlan 2
 
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan 10
 
# 创建VPN实例
ip vpn-instance a
 address-family ipv4
 
ip vpn-instance b
 address-family ipv4
 
interface Vlan-interface10
 ip binding vpn-instance a
 ip address 192.168.10.254 255.255.255.0

interface Vlan-interface20
 ip binding vpn-instance b
 ip address 192.168.20.254 255.255.255.0
 
interface Vlan-interface100
 ip binding vpn-instance a
 ip address 192.168.100.254 255.255.255.0

interface Vlan-interface200
 ip binding vpn-instance b
 ip address 192.168.200.254 255.255.255.0
 
# 写缺省路由 PC>F1/F2
ip route-static vpn-instance a 0.0.0.0 0 192.168.100.253
ip route-static vpn-instance b 0.0.0.0 0 192.168.20.1

# 写回程明细路由 R1>F1/F2
ip route-static vpn-instance b 192.168.10.0 24 192.168.200.253

F1配置

interface Bridge-Aggregation1
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 1

# 划分VLAN
vlan 100 200

interface Bridge-Aggregation1
 port link-type trunk
 port trunk permit vlan 100 200

# 配置IP地址
interface Vlan-interface100
 ip address 192.168.100.251 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.251 255.255.255.0
 
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.1 255.255.255.252

# 划分安全区域
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# 配置双机热备
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.1
 remote-ip 192.168.99.2
 device-role primary
 
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 active
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 active
 
# 配置放行策略
security-policy ip
 rule 5 name Trust>Untrust
  action pass
  source-zone Trust
  destination-zone Untrust

# 配置路由条目
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

F2配置

interface Bridge-Aggregation2
 link-aggregation mode dynamic
 
int range GigabitEthernet 1/0/0 to g1/0/1
 port link-aggregation group 2

# 划分VLAN
vlan 100 200

interface Bridge-Aggregation2
 port link-type trunk
 port trunk permit vlan 100 200

# 配置IP地址
interface Vlan-interface100
 ip address 192.168.100.252 255.255.255.0
 
interface Vlan-interface200
 ip address 192.168.200.252 255.255.255.0
 
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.2 255.255.255.252

# 划分安全区域
security-zone name Trust
 import interface Vlan-interface100

security-zone name DMZ
 import interface GigabitEthernet1/0/2

security-zone name Untrust
 import interface Vlan-interface200

# 配置双机热备
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 configuration sync-check interval 1
 delay-time 1
 local-ip 192.168.99.2
 remote-ip 192.168.99.1
 device-role secondary
 
interface Vlan-interface100
 vrrp vrid 1 virtual-ip 192.168.100.253 standby
 
interface Vlan-interface200
 vrrp vrid 1 virtual-ip 192.168.200.253 standby

# 配置路由条目
ip route-static 0.0.0.0 0 192.168.200.254
ip route-static 192.168.10.0 24 192.168.100.254

R1配置

interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.20.1 255.255.255.0
 
ip route-static 192.168.10.0 24 192.168.20.254

配置验证

查看双机热备建立情况

查看数据转发路径