Example for Deploying a VRRP-Based Three-Layer Data Center Network
Applicable Products and Versions
· CloudEngine series switches, V300R020C00 or later.
· USG5500 series products, V300R001.
· For the mapping between software versions and specific switch models, see the Hardware Center.
Networking Requirements
In a data center scenario, the network is deployed in three layers: access, aggregation, and core. The user requires the following:
· For service reliability, VRRP is deployed between the access and aggregation layers, so that when one uplink fails, traffic is switched to the other uplink.
· Loops between the access and aggregation layers are eliminated, avoiding the ring problems that redundant backup links would otherwise cause.
· Firewalls are attached to the core layer devices to provide security filtering for service traffic.
· OSPF is deployed between the aggregation and core layers to provide Layer 3 connectivity.
Figure 1 Networking of a VRRP-based three-layer data center network
Table 1 Data plan (DeviceA, DeviceB, DeviceC, and DeviceD are used as examples)
| Device | VLAN and IP address | Interface | Description |
| --- | --- | --- | --- |
| DeviceA | VLAN: 2; IP address: 10.1.2.102/24; virtual IP address: 10.1.2.100 | 100GE1/0/1 | TO-CE6800-DEVICEC |
| | | 100GE1/0/3 | TO-CE16800-DEVICEB |
| | VLAN: 3; IP address: 10.1.3.102/24; virtual IP address: 10.1.3.100 | 100GE1/0/2 | TO-CE6800-DEVICED |
| | | 100GE1/0/3 | TO-CE16800-DEVICEB |
| | VLAN: 6; IP address: 10.1.6.102/24 | 100GE1/0/4 | TO-CE16800-DEVICEI |
| | VLAN: 7; IP address: 10.1.7.102/24 | 100GE1/0/5 | TO-CE16800-DEVICEJ |
| DeviceB | VLAN: 2; IP address: 10.1.2.103/24; virtual IP address: 10.1.2.100 | 100GE1/0/2 | TO-CE6800-DEVICEC |
| | | 100GE1/0/3 | TO-CE16800-DEVICEA |
| | VLAN: 3; IP address: 10.1.3.103/24; virtual IP address: 10.1.3.100 | 100GE1/0/1 | TO-CE6800-DEVICED |
| | | 100GE1/0/3 | TO-CE16800-DEVICEA |
| | VLAN: 6; IP address: 10.1.6.103/24 | 100GE1/0/4 | TO-CE16800-DEVICEI |
| | VLAN: 7; IP address: 10.1.7.103/24 | 100GE1/0/5 | TO-CE16800-DEVICEJ |
| DeviceC | VLAN: 2 | 100GE1/0/1 | TO-CE16800-DEVICEA |
| | | 100GE1/0/2 | TO-CE16800-DEVICEB |
| | | 100GE1/0/3 | TO-HOSTA |
| DeviceD | VLAN: 3 | 100GE1/0/1 | TO-CE16800-DEVICEB |
| | | 100GE1/0/2 | TO-CE16800-DEVICEA |
| | | 100GE1/0/3 | TO-HOSTB |
| DeviceI | VLAN: 6; IP address: 10.1.6.104/24 | 100GE1/0/1 | TO-CE16800-DEVICEA |
| | | 100GE1/0/2 | TO-CE16800-DEVICEB |
| | | 100GE1/0/3 | TO-CE16800-DEVICEE |
| | | 100GE1/0/4 | TO-CE16800-DEVICEF |
| | VLAN: 8; IP address: 10.1.8.104/24 | 100GE1/0/5 | TO-ROUTERA |
| | VLAN: 9; IP address: 172.16.1.2/24 | 100GE1/0/6 | TO-FW-1 |
| | VLAN: 10; IP address: 172.16.2.2/24 | 100GE1/0/7 | TO-FW-1 |
| | VLAN: 11; IP address: 172.16.3.2/24 | 100GE1/0/8 | TO-FW-2 |
| | VLAN: 12; IP address: 172.16.4.2/24 | 100GE1/0/9 | TO-FW-2 |
| | VLAN: 13; IP address: 10.1.13.102/24 | 100GE1/0/14 | TO-CE16800-DEVICEJ |
| DeviceJ | VLAN: 7; IP address: 10.1.7.104/24 | 100GE1/0/1 | TO-CE16800-DEVICEA |
| | | 100GE1/0/2 | TO-CE16800-DEVICEB |
| | | 100GE1/0/3 | TO-CE16800-DEVICEE |
| | | 100GE1/0/4 | TO-CE16800-DEVICEF |
| | VLAN: 8; IP address: 10.1.8.105/24 | 100GE1/0/5 | TO-ROUTERB |
| | VLAN: 9; IP address: 172.16.6.2/24 | 100GE1/0/6 | TO-FW-1 |
| | VLAN: 10; IP address: 172.16.7.2/24 | 100GE1/0/7 | TO-FW-1 |
| | VLAN: 11; IP address: 172.16.8.2/24 | 100GE1/0/8 | TO-FW-2 |
| | VLAN: 12; IP address: 172.16.9.2/24 | 100GE1/0/9 | TO-FW-2 |
| | VLAN: 13; IP address: 10.1.13.103/24 | 100GE1/0/14 | TO-CE16800-DEVICEI |
| FW-1 | 172.16.1.1/24 | GE1/0/1 | TO-DEVICEI-Upstream |
| | 172.16.2.1/24 | GE1/0/2 | TO-DEVICEI-Downstream |
| | 172.16.3.1/24 | GE1/0/3 | TO-DEVICEJ-Upstream |
| | 172.16.4.1/24 | GE1/0/4 | TO-DEVICEJ-Downstream |
| | 172.16.5.1/24 | Eth-Trunk1: GE2/0/0, GE2/0/1, GE2/0/2, GE2/0/3 | TO-FW-2-HRP |
| | 172.16.100.1/24 | Loopback1 | NA |
| | 172.16.100.2/24 | Loopback2 | NA |
| | 172.16.100.3/24 | Loopback3 | NA |
| | 172.16.100.4/24 | Loopback4 | NA |
| FW-2 | 172.16.6.1/24 | GE1/0/1 | TO-DEVICEJ-Upstream |
| | 172.16.7.1/24 | GE1/0/2 | TO-DEVICEJ-Downstream |
| | 172.16.8.1/24 | GE1/0/3 | TO-DEVICEI-Upstream |
| | 172.16.9.1/24 | GE1/0/4 | TO-DEVICEI-Downstream |
| | 172.16.10.1/24 | Eth-Trunk1: GE2/0/0, GE2/0/1, GE2/0/2, GE2/0/3 | TO-FW-1-HRP |
| | 172.16.100.1/24 | Loopback1 | NA |
| | 172.16.100.2/24 | Loopback2 | NA |
| | 172.16.100.3/24 | Loopback3 | NA |
| | 172.16.100.4/24 | Loopback4 | NA |
Configuration Roadmap
1. Deploy VRRP between aggregation devices DeviceA and DeviceB to provide link redundancy.
2. Deploy MSTP between aggregation devices DeviceA and DeviceB and access device DeviceC to eliminate loops in the network.
3. Configure egress firewalls FW-1 and FW-2 in hot standby, so that traffic forwarded from core device DeviceI or DeviceJ is processed by the firewall security policy and then forwarded to the data center or to the Internet.
4. Deploy OSPF between aggregation devices DeviceA and DeviceB and core devices DeviceI and DeviceJ to provide Layer 3 connectivity.
Procedure
1. Configure basic MSTP functions.
Two devices belong to the same MST region if the following configurations are identical on both:
· MST region name.
· Mapping between multiple spanning tree instances and VLANs.
· MST region revision level.
a. Add DeviceA, DeviceB, and DeviceC to the region named RG1 and create instances MSTI1 and MSTI2.
# Configure the MST region on aggregation device DeviceA.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] stp region-configuration
[~DeviceA-mst-region] region-name RG1
[*DeviceA-mst-region] instance 1 vlan 2
[*DeviceA-mst-region] instance 2 vlan 3
[*DeviceA-mst-region] commit
[~DeviceA-mst-region] quit
# Configure the MST region on aggregation device DeviceB.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceB
[*HUAWEI] commit
[~DeviceB] stp region-configuration
[~DeviceB-mst-region] region-name RG1
[*DeviceB-mst-region] instance 1 vlan 2
[*DeviceB-mst-region] instance 2 vlan 3
[*DeviceB-mst-region] commit
[~DeviceB-mst-region] quit
# Configure the MST region on access device DeviceC.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceC
[*HUAWEI] commit
[~DeviceC] stp region-configuration
[~DeviceC-mst-region] region-name RG1
[*DeviceC-mst-region] instance 1 vlan 2
[*DeviceC-mst-region] instance 2 vlan 3
[*DeviceC-mst-region] commit
[~DeviceC-mst-region] quit
# Configure the MST region on access device DeviceD.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceD
[*HUAWEI] commit
[~DeviceD] stp region-configuration
[~DeviceD-mst-region] region-name RG1
[*DeviceD-mst-region] instance 1 vlan 2
[*DeviceD-mst-region] instance 2 vlan 3
[*DeviceD-mst-region] commit
[~DeviceD-mst-region] quit
b. In region RG1, configure the root bridge and the secondary root bridge of MSTI1 and MSTI2.
· Configure the root bridge and the secondary root bridge of MSTI1.
# Configure aggregation device DeviceA as the root bridge of MSTI1.
[~DeviceA] stp instance 1 root primary
[*DeviceA] commit
# Configure aggregation device DeviceB as the secondary root bridge of MSTI1.
[~DeviceB] stp instance 1 root secondary
[*DeviceB] commit
· Configure the root bridge and the secondary root bridge of MSTI2.
# Configure aggregation device DeviceB as the root bridge of MSTI2.
[~DeviceB] stp instance 2 root primary
[*DeviceB] commit
# Configure aggregation device DeviceA as the secondary root bridge of MSTI2.
[~DeviceA] stp instance 2 root secondary
[*DeviceA] commit
c. Set the path cost of the ports to be blocked in MSTI1 and MSTI2 to a value larger than the default.
· The value range of a port path cost depends on the path cost calculation method. This example uses the Huawei proprietary calculation method and sets the path cost of the ports to be blocked in MSTI1 and MSTI2 to 20000.
· All switching devices in the same network must use the same path cost calculation method.
# Set the path cost calculation method on aggregation device DeviceA to the Huawei proprietary method.
[~DeviceA] stp pathcost-standard legacy
[*DeviceA] commit
# Set the path cost calculation method on aggregation device DeviceB to the Huawei proprietary method.
[~DeviceB] stp pathcost-standard legacy
[*DeviceB] commit
# Set the path cost calculation method on access device DeviceC to the Huawei proprietary method, and set the path cost of port 100GE1/0/2 in MSTI1 to 20000.
[~DeviceC] stp pathcost-standard legacy
[*DeviceC] interface 100ge 1/0/2
[*DeviceC-100GE1/0/2] description TO-CE16800-DEVICEB
[*DeviceC-100GE1/0/2] stp instance 1 cost 20000
[*DeviceC-100GE1/0/2] commit
[~DeviceC-100GE1/0/2] quit
# Set the path cost calculation method on access device DeviceD to the Huawei proprietary method, and set the path cost of port 100GE1/0/2 in MSTI2 to 20000.
[~DeviceD] stp pathcost-standard legacy
[*DeviceD] interface 100ge 1/0/2
[*DeviceD-100GE1/0/2] description TO-CE16800-DEVICEA
[*DeviceD-100GE1/0/2] stp instance 2 cost 20000
[*DeviceD-100GE1/0/2] commit
[~DeviceD-100GE1/0/2] quit
d. Enable MSTP to eliminate loops.
MSTP is enabled on the device by default.
· Enable MSTP globally on each device.
# Enable MSTP on aggregation device DeviceA.
[~DeviceA] stp enable
[*DeviceA] commit
# Enable MSTP on aggregation device DeviceB.
[~DeviceB] stp enable
[*DeviceB] commit
# Enable MSTP on access device DeviceC.
[~DeviceC] stp enable
[*DeviceC] commit
# Enable MSTP on access device DeviceD.
[~DeviceD] stp enable
[*DeviceD] commit
· Configure the ports connected to the hosts as edge ports.
# Configure port 100GE1/0/3 of access device DeviceC as an edge port.
[~DeviceC] interface 100ge 1/0/3
[*DeviceC-100GE1/0/3] description TO-HOSTA
[*DeviceC-100GE1/0/3] stp edged-port enable
[*DeviceC-100GE1/0/3] commit
[~DeviceC-100GE1/0/3] quit
# Configure port 100GE1/0/3 of access device DeviceD as an edge port.
[~DeviceD] interface 100ge 1/0/3
[*DeviceD-100GE1/0/3] description TO-HOSTB
[*DeviceD-100GE1/0/3] stp edged-port enable
[*DeviceD-100GE1/0/3] commit
[~DeviceD-100GE1/0/3] quit
2. Configure protection functions, for example, root protection on the designated ports of the root bridge of each instance.
# Enable root protection on port 100GE1/0/1 of aggregation device DeviceA.
[~DeviceA] interface 100ge 1/0/1
[~DeviceA-100GE1/0/1] description TO-CE6800-DEVICEC
[*DeviceA-100GE1/0/1] stp root-protection
[*DeviceA-100GE1/0/1] commit
[~DeviceA-100GE1/0/1] quit
# Enable root protection on port 100GE1/0/1 of aggregation device DeviceB.
[~DeviceB] interface 100ge 1/0/1
[~DeviceB-100GE1/0/1] description TO-CE6800-DEVICED
[*DeviceB-100GE1/0/1] stp root-protection
[*DeviceB-100GE1/0/1] commit
[~DeviceB-100GE1/0/1] quit
3. Configure Layer 2 forwarding on the devices in the ring network.
· Create VLAN 2 and VLAN 3 on switching devices DeviceA, DeviceB, DeviceC, and DeviceD.
# Create VLAN 2 and VLAN 3 on aggregation device DeviceA.
[~DeviceA] vlan batch 2 to 3
# Create VLAN 2 and VLAN 3 on aggregation device DeviceB.
[~DeviceB] vlan batch 2 to 3
# Create VLAN 2 on access device DeviceC.
[~DeviceC] vlan batch 2
# Create VLAN 3 on access device DeviceD.
[~DeviceD] vlan batch 3
· Add the ports through which the switching devices join the ring to the VLANs.
# Add port 100GE1/0/1 of aggregation device DeviceA to the VLAN.
[~DeviceA] interface 100ge 1/0/1
[~DeviceA-100GE1/0/1] port link-type trunk
[*DeviceA-100GE1/0/1] undo port trunk allow-pass vlan 1
[*DeviceA-100GE1/0/1] port trunk allow-pass vlan 2
[*DeviceA-100GE1/0/1] commit
[~DeviceA-100GE1/0/1] quit
# Add port 100GE1/0/2 of aggregation device DeviceA to the VLAN.
[~DeviceA] interface 100ge 1/0/2
[~DeviceA-100GE1/0/2] description TO-CE6800-DEVICED
[*DeviceA-100GE1/0/2] port link-type trunk
[*DeviceA-100GE1/0/2] undo port trunk allow-pass vlan 1
[*DeviceA-100GE1/0/2] port trunk allow-pass vlan 3
[*DeviceA-100GE1/0/2] commit
[~DeviceA-100GE1/0/2] quit
# Add port 100GE1/0/3 of aggregation device DeviceA to the VLANs.
[~DeviceA] interface 100ge 1/0/3
[~DeviceA-100GE1/0/3] description TO-CE16800-DEVICEB
[*DeviceA-100GE1/0/3] port link-type trunk
[*DeviceA-100GE1/0/3] undo port trunk allow-pass vlan 1
[*DeviceA-100GE1/0/3] port trunk allow-pass vlan 2 to 3
[*DeviceA-100GE1/0/3] commit
[~DeviceA-100GE1/0/3] quit
# Add port 100GE1/0/1 of aggregation device DeviceB to the VLAN.
[~DeviceB] interface 100ge 1/0/1
[~DeviceB-100GE1/0/1] port link-type trunk
[*DeviceB-100GE1/0/1] undo port trunk allow-pass vlan 1
[*DeviceB-100GE1/0/1] port trunk allow-pass vlan 3
[*DeviceB-100GE1/0/1] commit
[~DeviceB-100GE1/0/1] quit
# Add port 100GE1/0/2 of aggregation device DeviceB to the VLAN.
[~DeviceB] interface 100ge 1/0/2
[~DeviceB-100GE1/0/2] description TO-CE6800-DEVICEC
[*DeviceB-100GE1/0/2] port link-type trunk
[*DeviceB-100GE1/0/2] undo port trunk allow-pass vlan 1
[*DeviceB-100GE1/0/2] port trunk allow-pass vlan 2
[*DeviceB-100GE1/0/2] commit
[~DeviceB-100GE1/0/2] quit
# Add port 100GE1/0/3 of aggregation device DeviceB to the VLANs.
[~DeviceB] interface 100ge 1/0/3
[~DeviceB-100GE1/0/3] description TO-CE16800-DEVICEA
[*DeviceB-100GE1/0/3] port link-type trunk
[*DeviceB-100GE1/0/3] undo port trunk allow-pass vlan 1
[*DeviceB-100GE1/0/3] port trunk allow-pass vlan 2 to 3
[*DeviceB-100GE1/0/3] commit
[~DeviceB-100GE1/0/3] quit
# Add port 100GE1/0/1 of access device DeviceC to the VLAN.
[~DeviceC] interface 100ge 1/0/1
[~DeviceC-100GE1/0/1] description TO-CE16800-DEVICEA
[*DeviceC-100GE1/0/1] port link-type trunk
[*DeviceC-100GE1/0/1] undo port trunk allow-pass vlan 1
[*DeviceC-100GE1/0/1] port trunk allow-pass vlan 2
[*DeviceC-100GE1/0/1] commit
[~DeviceC-100GE1/0/1] quit
# Add port 100GE1/0/2 of access device DeviceC to the VLAN.
[~DeviceC] interface 100ge 1/0/2
[~DeviceC-100GE1/0/2] port link-type trunk
[*DeviceC-100GE1/0/2] undo port trunk allow-pass vlan 1
[*DeviceC-100GE1/0/2] port trunk allow-pass vlan 2
[*DeviceC-100GE1/0/2] commit
[~DeviceC-100GE1/0/2] quit
# Add port 100GE1/0/3 of access device DeviceC to the VLAN.
[~DeviceC] interface 100ge 1/0/3
[~DeviceC-100GE1/0/3] port link-type access
[*DeviceC-100GE1/0/3] port default vlan 2
[*DeviceC-100GE1/0/3] commit
[~DeviceC-100GE1/0/3] quit
# Add port 100GE1/0/1 of access device DeviceD to the VLAN.
[~DeviceD] interface 100ge 1/0/1
[~DeviceD-100GE1/0/1] description TO-CE16800-DEVICEB
[*DeviceD-100GE1/0/1] port link-type trunk
[*DeviceD-100GE1/0/1] undo port trunk allow-pass vlan 1
[*DeviceD-100GE1/0/1] port trunk allow-pass vlan 3
[*DeviceD-100GE1/0/1] commit
[~DeviceD-100GE1/0/1] quit
# Add port 100GE1/0/2 of access device DeviceD to the VLAN.
[~DeviceD] interface 100ge 1/0/2
[~DeviceD-100GE1/0/2] port link-type trunk
[*DeviceD-100GE1/0/2] undo port trunk allow-pass vlan 1
[*DeviceD-100GE1/0/2] port trunk allow-pass vlan 3
[*DeviceD-100GE1/0/2] commit
[~DeviceD-100GE1/0/2] quit
# Add port 100GE1/0/3 of access device DeviceD to the VLAN.
[~DeviceD] interface 100ge 1/0/3
[~DeviceD-100GE1/0/3] port link-type access
[*DeviceD-100GE1/0/3] port default vlan 3
[*DeviceD-100GE1/0/3] commit
[~DeviceD-100GE1/0/3] quit
4. Configure the VRRP groups.
# Create VRRP group 1 on aggregation devices DeviceA and DeviceB. Set the priority of DeviceA to 120 and its preemption delay to 20 seconds so that it becomes the master; DeviceB keeps the default priority and is the backup.
· DeviceA
[~DeviceA] interface vlanif 2
[*DeviceA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*DeviceA-Vlanif2] vrrp vrid 1 priority 120
[*DeviceA-Vlanif2] vrrp vrid 1 preempt timer delay 20
[*DeviceA-Vlanif2] commit
[~DeviceA-Vlanif2] quit
· DeviceB
[~DeviceB] interface vlanif 2
[*DeviceB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*DeviceB-Vlanif2] commit
[~DeviceB-Vlanif2] quit
# Create VRRP group 2 on aggregation devices DeviceA and DeviceB. Set the priority of DeviceB to 120 and its preemption delay to 20 seconds so that it becomes the master; DeviceA keeps the default priority and is the backup.
· DeviceB
[~DeviceB] interface vlanif 3
[*DeviceB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*DeviceB-Vlanif3] vrrp vrid 2 priority 120
[*DeviceB-Vlanif3] vrrp vrid 2 preempt timer delay 20
[*DeviceB-Vlanif3] commit
[~DeviceB-Vlanif3] quit
· DeviceA
[~DeviceA] interface vlanif 3
[*DeviceA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*DeviceA-Vlanif3] commit
[~DeviceA-Vlanif3] quit
# Set the default gateway of HostA to 10.1.2.100, the virtual IP address of VRRP group 1, and the default gateway of HostB to 10.1.3.100, the virtual IP address of VRRP group 2.
5. Configure network interconnection between the devices.
# Configure IP addresses for the interfaces of each device. Aggregation device DeviceA is used as an example; the configurations of DeviceB, DeviceI, and DeviceJ are similar, see the configuration scripts.
[~DeviceA] vlan batch 6 7
[*DeviceA] interface 100ge 1/0/4
[*DeviceA-100GE1/0/4] description TO-CE16800-DEVICEI
[*DeviceA-100GE1/0/4] port link-type trunk
[*DeviceA-100GE1/0/4] undo port trunk allow-pass vlan 1
[*DeviceA-100GE1/0/4] port trunk allow-pass vlan 6
[*DeviceA-100GE1/0/4] quit
[*DeviceA] interface 100ge 1/0/5
[*DeviceA-100GE1/0/5] description TO-CE16800-DEVICEJ
[*DeviceA-100GE1/0/5] port link-type trunk
[*DeviceA-100GE1/0/5] undo port trunk allow-pass vlan 1
[*DeviceA-100GE1/0/5] port trunk allow-pass vlan 7
[*DeviceA-100GE1/0/5] quit
[*DeviceA] interface vlanif 2
[*DeviceA-Vlanif2] ip address 10.1.2.102 24
[*DeviceA-Vlanif2] quit
[*DeviceA] interface vlanif 3
[*DeviceA-Vlanif3] ip address 10.1.3.102 24
[*DeviceA-Vlanif3] quit
[*DeviceA] interface vlanif 6
[*DeviceA-Vlanif6] ip address 10.1.6.102 24
[*DeviceA-Vlanif6] quit
[*DeviceA] interface vlanif 7
[*DeviceA-Vlanif7] ip address 10.1.7.102 24
[*DeviceA-Vlanif7] quit
[*DeviceA] commit
# Configure OSPF for interconnection between aggregation devices DeviceA and DeviceB, core devices DeviceI and DeviceJ, and the egress routers. Aggregation device DeviceA is used as an example; the configurations of DeviceB, DeviceI, and DeviceJ are similar, see the configuration scripts.
[~DeviceA] ospf 1
[*DeviceA-ospf-1] area 0
[*DeviceA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*DeviceA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[*DeviceA-ospf-1-area-0.0.0.0] network 10.1.6.0 0.0.0.255
[*DeviceA-ospf-1-area-0.0.0.0] network 10.1.7.0 0.0.0.255
[*DeviceA-ospf-1-area-0.0.0.0] quit
[*DeviceA-ospf-1] quit
[*DeviceA] commit
6. Configure the firewalls.
Configure FW-1 and FW-2 in hot standby, so that packets forwarded from DeviceI and DeviceJ are processed by the security policy on FW-1 or FW-2 and then forwarded to the data center or to the Internet.
FW-1 and FW-2 work in load-balancing mode and both forward traffic; when one FW fails, services are switched smoothly to the other FW.
The following uses Huawei USG unified security gateways as FW-1 and FW-2 to describe how to configure FW hot standby in load-balancing mode.
a. Complete the basic configuration on egress firewall FW-1, including the device name, interfaces, and security zones.
<USG> system-view
[USG] sysname FW-1
[FW-1] interface GigabitEthernet 1/0/1
[FW-1-GigabitEthernet1/0/1] ip address 172.16.1.1 24
[FW-1-GigabitEthernet1/0/1] quit
[FW-1] interface GigabitEthernet 1/0/2
[FW-1-GigabitEthernet1/0/2] ip address 172.16.2.1 24
[FW-1-GigabitEthernet1/0/2] quit
[FW-1] interface GigabitEthernet 1/0/3
[FW-1-GigabitEthernet1/0/3] ip address 172.16.3.1 24
[FW-1-GigabitEthernet1/0/3] quit
[FW-1] interface GigabitEthernet 1/0/4
[FW-1-GigabitEthernet1/0/4] ip address 172.16.4.1 24
[FW-1-GigabitEthernet1/0/4] quit

[FW-1] interface Eth-Trunk 1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
[FW-1-Eth-Trunk1] ip address 172.16.5.1 24
[FW-1-Eth-Trunk1] quit

[FW-1] firewall zone trust
[FW-1-zone-trust] add interface GigabitEthernet 1/0/1
[FW-1-zone-trust] add interface GigabitEthernet 1/0/3
[FW-1-zone-trust] quit
[FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-1-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk 1
[FW-1-zone-dmz] quit

[FW-1] interface LoopBack 1
[FW-1-LoopBack1] ip address 172.16.100.1 32
[FW-1-LoopBack1] quit
[FW-1] interface LoopBack 2
[FW-1-LoopBack2] ip address 172.16.100.2 32
[FW-1-LoopBack2] quit
[FW-1] interface LoopBack 3
[FW-1-LoopBack3] ip address 172.16.100.3 32
[FW-1-LoopBack3] quit
[FW-1] interface LoopBack 4
[FW-1-LoopBack4] ip address 172.16.100.4 32
[FW-1-LoopBack4] quit
b. Complete the basic configuration on egress firewall FW-2, including the device name, interfaces, and security zones.
<USG> system-view
[USG] sysname FW-2
[FW-2] interface GigabitEthernet 1/0/1
[FW-2-GigabitEthernet1/0/1] ip address 172.16.6.1 24
[FW-2-GigabitEthernet1/0/1] quit
[FW-2] interface GigabitEthernet 1/0/2
[FW-2-GigabitEthernet1/0/2] ip address 172.16.7.1 24
[FW-2-GigabitEthernet1/0/2] quit
[FW-2] interface GigabitEthernet 1/0/3
[FW-2-GigabitEthernet1/0/3] ip address 172.16.8.1 24
[FW-2-GigabitEthernet1/0/3] quit
[FW-2] interface GigabitEthernet 1/0/4
[FW-2-GigabitEthernet1/0/4] ip address 172.16.9.1 24
[FW-2-GigabitEthernet1/0/4] quit

[FW-2] interface Eth-Trunk 1
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
[FW-2-Eth-Trunk1] ip address 172.16.10.1 24
[FW-2-Eth-Trunk1] quit

[FW-2] firewall zone trust
[FW-2-zone-trust] add interface GigabitEthernet 1/0/1
[FW-2-zone-trust] add interface GigabitEthernet 1/0/3
[FW-2-zone-trust] quit
[FW-2] firewall zone untrust
[FW-2-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-2-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-2-zone-untrust] quit
[FW-2] firewall zone dmz
[FW-2-zone-dmz] add interface Eth-Trunk 1
[FW-2-zone-dmz] quit

[FW-2] interface LoopBack 1
[FW-2-LoopBack1] ip address 172.16.100.1 32
[FW-2-LoopBack1] quit
[FW-2] interface LoopBack 2
[FW-2-LoopBack2] ip address 172.16.100.2 32
[FW-2-LoopBack2] quit
[FW-2] interface LoopBack 3
[FW-2-LoopBack3] ip address 172.16.100.3 32
[FW-2-LoopBack3] quit
[FW-2] interface LoopBack 4
[FW-2-LoopBack4] ip address 172.16.100.4 32
[FW-2-LoopBack4] quit
c. Configure OSPF on egress firewalls FW-1 and FW-2. When configuring router IDs, specify a different router ID for each OSPF process. The active and standby firewalls must also use different router IDs for their OSPF processes, to prevent OSPF route flapping.
[FW-1] ospf 1 router-id 172.16.100.1
[FW-1-ospf-1] area 0
[FW-1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[FW-1-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
[FW-1-ospf-1-area-0.0.0.0] quit
[FW-1-ospf-1] quit
[FW-1] ospf 2 router-id 172.16.100.2
[FW-1-ospf-2] area 0
[FW-1-ospf-2-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[FW-1-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
[FW-1-ospf-2-area-0.0.0.0] quit
[FW-1-ospf-2] quit
[FW-1] ospf 3 router-id 172.16.100.3
[FW-1-ospf-3] area 0
[FW-1-ospf-3-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[FW-1-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
[FW-1-ospf-3-area-0.0.0.0] quit
[FW-1-ospf-3] quit
[FW-1] ospf 4 router-id 172.16.100.4
[FW-1-ospf-4] area 0
[FW-1-ospf-4-area-0.0.0.0] network 172.16.4.0 0.0.0.255
[FW-1-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
[FW-1-ospf-4-area-0.0.0.0] quit
[FW-1-ospf-4] quit

[FW-2] ospf 1 router-id 172.16.100.6
[FW-2-ospf-1] area 0
[FW-2-ospf-1-area-0.0.0.0] network 172.16.6.0 0.0.0.255
[FW-2-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
[FW-2-ospf-1-area-0.0.0.0] quit
[FW-2-ospf-1] quit
[FW-2] ospf 2 router-id 172.16.100.7
[FW-2-ospf-2] area 0
[FW-2-ospf-2-area-0.0.0.0] network 172.16.7.0 0.0.0.255
[FW-2-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
[FW-2-ospf-2-area-0.0.0.0] quit
[FW-2-ospf-2] quit
[FW-2] ospf 3 router-id 172.16.100.8
[FW-2-ospf-3] area 0
[FW-2-ospf-3-area-0.0.0.0] network 172.16.8.0 0.0.0.255
[FW-2-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
[FW-2-ospf-3-area-0.0.0.0] quit
[FW-2-ospf-3] quit
[FW-2] ospf 4 router-id 172.16.100.9
[FW-2-ospf-4] area 0
[FW-2-ospf-4-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW-2-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
[FW-2-ospf-4-area-0.0.0.0] quit
[FW-2-ospf-4] quit
d. Configure hot standby on egress firewalls FW-1 and FW-2.
· Configure hot standby on FW-1.
[FW-1] hrp track interface GigabitEthernet 1/0/1
[FW-1] hrp track interface GigabitEthernet 1/0/2
[FW-1] hrp track interface GigabitEthernet 1/0/3
[FW-1] hrp track interface GigabitEthernet 1/0/4
[FW-1] hrp adjust ospf-cost enable
[FW-1] hrp interface Eth-Trunk 1 remote 172.16.10.1
[FW-1] hrp enable
[FW-1] hrp mirror session enable
· Configure hot standby on FW-2.
[FW-2] hrp track interface GigabitEthernet 1/0/1
[FW-2] hrp track interface GigabitEthernet 1/0/2
[FW-2] hrp track interface GigabitEthernet 1/0/3
[FW-2] hrp track interface GigabitEthernet 1/0/4
[FW-2] hrp adjust ospf-cost enable
[FW-2] hrp interface Eth-Trunk 1 remote 172.16.5.1
[FW-2] hrp enable
[FW-2] hrp mirror session enable
e. Configure the security policy and intrusion prevention.
HRP_M[FW-1] policy interzone trust untrust outbound
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.2.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.4.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.5.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
HRP_M[FW-1] policy interzone trust untrust inbound
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.2.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.4.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.5.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
HRP_M[FW-1] ips enable
f. Configure attack defense.
The attack defense thresholds in this example are for reference only. In an actual deployment, the administrator should set them according to the real traffic on the network.
HRP_M[FW-1] firewall defend syn-flood enable
HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall defend udp-flood enable
HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW-1] firewall defend icmp-flood enable
HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall blacklist enable
HRP_M[FW-1] firewall defend ip-sweep enable
HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
HRP_M[FW-1] firewall defend port-scan enable
HRP_M[FW-1] firewall defend port-scan max-rate 4000
HRP_M[FW-1] firewall defend ip-fragment enable
HRP_M[FW-1] firewall defend ip-spoofing enable
7. Configure policy-based routing to redirect all traffic passing through core devices DeviceI and DeviceJ to the firewalls, which filter the traffic.
# The configuration of core device DeviceI is used as an example; the configuration of core device DeviceJ is similar, see the configuration file.
[~DeviceI] acl 3001
[*DeviceI-acl4-advance-3001] rule 5 permit ip source 10.1.2.0 24
[*DeviceI-acl4-advance-3001] rule 10 permit ip source 10.1.3.0 24
[*DeviceI-acl4-advance-3001] rule 15 permit ip source 10.1.4.0 24
[*DeviceI-acl4-advance-3001] rule 20 permit ip source 10.1.5.0 24
[*DeviceI-acl4-advance-3001] commit
[~DeviceI-acl4-advance-3001] quit
[~DeviceI] traffic classifier c1
[*DeviceI-classifier-c1] if-match acl 3001
[*DeviceI-classifier-c1] quit
[*DeviceI] commit
[~DeviceI] traffic behavior b1
[*DeviceI-behavior-b1] redirect load-balance nexthop 172.16.100.1 172.16.100.3
[*DeviceI-behavior-b1] quit
[*DeviceI] commit
[~DeviceI] traffic policy p1
[*DeviceI-trafficpolicy-p1] classifier c1 behavior b1
[*DeviceI-trafficpolicy-p1] quit
[*DeviceI] commit
[~DeviceI] interface 100ge 1/0/1
[~DeviceI-100GE1/0/1] traffic-policy p1 inbound
[*DeviceI-100GE1/0/1] quit
[*DeviceI] commit
[~DeviceI] interface 100ge 1/0/2
[~DeviceI-100GE1/0/2] traffic-policy p1 inbound
[*DeviceI-100GE1/0/2] quit
[*DeviceI] commit
[~DeviceI] interface 100ge 1/0/3
[~DeviceI-100GE1/0/3] traffic-policy p1 inbound
[*DeviceI-100GE1/0/3] quit
[*DeviceI] commit
[~DeviceI] interface 100ge 1/0/4
[~DeviceI-100GE1/0/4] traffic-policy p1 inbound
[*DeviceI-100GE1/0/4] quit
[*DeviceI] commit
[~DeviceI] interface 100ge 1/0/14
[~DeviceI-100GE1/0/14] traffic-policy p1 inbound
[*DeviceI-100GE1/0/14] quit
[*DeviceI] commit
[~DeviceI] acl 3003
[*DeviceI-acl4-advance-3003] rule 5 permit ip destination 10.1.2.0 24
[*DeviceI-acl4-advance-3003] rule 10 permit ip destination 10.1.3.0 24
[*DeviceI-acl4-advance-3003] rule 15 permit ip destination 10.1.4.0 24
[*DeviceI-acl4-advance-3003] rule 20 permit ip destination 10.1.5.0 24
[*DeviceI-acl4-advance-3003] commit
[~DeviceI-acl4-advance-3003] quit
[~DeviceI] traffic classifier c3
[*DeviceI-classifier-c3] if-match acl 3003
[*DeviceI-classifier-c3] quit
[*DeviceI] commit
[~DeviceI] traffic behavior b3
[*DeviceI-behavior-b3] redirect load-balance nexthop 172.16.100.2 172.16.100.4
[*DeviceI-behavior-b3] quit
[*DeviceI] commit
[~DeviceI] traffic policy p2
[*DeviceI-trafficpolicy-p2] classifier c3 behavior b3
[*DeviceI-trafficpolicy-p2] quit
[*DeviceI] commit
[~DeviceI] interface 100ge 1/0/5
[~DeviceI-100GE1/0/5] traffic-policy p2 inbound
[*DeviceI-100GE1/0/5] quit
[*DeviceI] commit
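The redirect ACLs of step 7 and the firewall policy of step 6 list the same four data center subnets by hand, so a subnet added to one place and not the other is either steered to the firewall and not permitted there, or routed around the firewall entirely. The Python script below is an added example, not code from the page or from Huawei: it parses constructed copies of the page's ACL and policy lines and reports both kinds of mismatch per direction; the extra subnet 10.1.6.0/24 in ACL 3001 is a constructed drift case.

```python
import re
import ipaddress

# Constructed copy of the DeviceI ACL rules typed in step 7 (network and prefix
# length, as on the page), with one extra subnet, 10.1.6.0/24, added to ACL 3001
# only, to show what configuration drift looks like in the report.
DEVICEI_ACLS = """
acl 3001
rule 5 permit ip source 10.1.2.0 24
rule 10 permit ip source 10.1.3.0 24
rule 15 permit ip source 10.1.4.0 24
rule 20 permit ip source 10.1.5.0 24
rule 25 permit ip source 10.1.6.0 24
acl 3003
rule 5 permit ip destination 10.1.2.0 24
rule 10 permit ip destination 10.1.3.0 24
rule 15 permit ip destination 10.1.4.0 24
rule 20 permit ip destination 10.1.5.0 24
"""

# Constructed copy of the FW-1 interzone policy bodies from step 6 (prompts removed).
FW1_POLICY = """
policy interzone trust untrust outbound
policy 1
policy source 10.1.2.0 mask 24
policy source 10.1.3.0 mask 24
policy source 10.1.4.0 mask 24
policy source 10.1.5.0 mask 24
action permit
policy interzone trust untrust inbound
policy 1
policy destination 10.1.2.0 mask 24
policy destination 10.1.3.0 mask 24
policy destination 10.1.4.0 mask 24
policy destination 10.1.5.0 mask 24
policy service service-set ftp http
action permit
"""

ACL_RULE = re.compile(r"^rule \d+ permit ip (source|destination) (\S+) (\d+)$")
POLICY_ADDR = re.compile(r"^policy (source|destination) (\S+) mask (\d+)$")

# Which DeviceI ACL feeds which FW-1 policy direction: p1/ACL 3001 sits on the
# aggregation-facing ports (traffic leaving the data center), p2/ACL 3003 on
# the router-facing port (traffic entering it).
PAIRS = {"outbound": 3001, "inbound": 3003}


def parse_acls(text):
    """Map ACL number -> set of networks its permit rules match."""
    acls, current = {}, None
    for line in text.strip().splitlines():
        if line.startswith("acl "):
            current = int(line.split()[1])
            acls[current] = set()
        elif (m := ACL_RULE.match(line)) and current is not None:
            acls[current].add(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return acls


def parse_policy(text):
    """Map policy direction ('outbound'/'inbound') -> set of networks it permits."""
    cover, direction = {"outbound": set(), "inbound": set()}, None
    for line in text.strip().splitlines():
        if line.startswith("policy interzone"):
            direction = line.split()[-1]
        elif (m := POLICY_ADDR.match(line)) and direction:
            cover[direction].add(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return cover


def find_drift(acl_text, policy_text):
    """Per direction: 'not_permitted' = redirected to the firewall by DeviceI but
    outside the permit rule there; 'not_steered' = permitted by the firewall but
    never redirected to it, so it follows normal routing instead."""
    acls, cover = parse_acls(acl_text), parse_policy(policy_text)
    report = {}
    for direction, acl_no in PAIRS.items():
        steered, permitted = acls.get(acl_no, set()), cover[direction]
        report[direction] = {
            "not_permitted": sorted(str(n) for n in steered - permitted),
            "not_steered": sorted(str(n) for n in permitted - steered),
        }
    return report


if __name__ == "__main__":
    print(find_drift(DEVICEI_ACLS, FW1_POLICY))
```

The same check applies unchanged to DeviceJ's copy of the ACLs, since the page states its configuration mirrors DeviceI's.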
Verifying the Configuration
1. After the preceding configuration is complete, run the display vrrp command on aggregation device DeviceA. The output shows that DeviceA is the master in VRRP group 1 and the backup in VRRP group 2.
<DeviceA> display vrrp verbose
  Vlanif2 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 20s   Remain : --
    Hold Multiplier: 3
    TimerRun : 1s
    TimerConfig : 1s
    Auth Type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config Type : Normal
    Create Time : 2023-04-14 09:57:22
    Last Change Time : 2023-04-14 09:58:37

  Vlanif3 | Virtual Router 2
    State : Backup
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0s   Remain : --
    Hold Multiplier: 3
    TimerRun : 1s
    TimerConfig : 1s
    Auth Type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config Type : Normal
    Create Time : 2023-04-14 09:57:22
    Last Change Time : 2023-04-14 10:38:00
2. Run the display vrrp command on aggregation device DeviceB. The output shows that DeviceB is the backup in VRRP group 1 and the master in VRRP group 2.
<DeviceB> display vrrp verbose
  Vlanif2 | Virtual Router 1
    State : Backup
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0s   Remain : --
    Hold Multiplier: 3
    TimerRun : 1s
    TimerConfig : 1s
    Auth Type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config Type : Normal
    Create Time : 2023-04-14 10:00:37
    Last Change Time : 2023-04-14 10:30:13

  Vlanif3 | Virtual Router 2
    State : Master
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 20s   Remain : --
    Hold Multiplier: 3
    TimerRun : 1s
    TimerConfig : 1s
    Auth Type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config Type : Normal
    Create Time : 2023-04-14 10:00:37
    Last Change Time : 2023-04-14 10:30:34
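The two outputs above can be checked mechanically instead of by eye. The Python script below is an added example, not code from the page or from Huawei: it parses constructed copies of the display vrrp verbose output into per-VRID fields and compares them with the roles, virtual IP addresses, priorities and preempt delays configured in step 4, and it lists groups whose advertisements carry no authentication, which the page's output shows as Auth Type : NONE.

```python
import re

# Constructed copies of the two outputs shown above, trimmed to the lines the
# check reads (the parser also accepts the full output).
DEVICEA_OUTPUT = """\
  Vlanif2 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 20s   Remain : --
    Auth Type : NONE

  Vlanif3 | Virtual Router 2
    State : Backup
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0s   Remain : --
    Auth Type : NONE
"""

DEVICEB_OUTPUT = """\
  Vlanif2 | Virtual Router 1
    State : Backup
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0s   Remain : --
    Auth Type : NONE

  Vlanif3 | Virtual Router 2
    State : Master
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 20s   Remain : --
    Auth Type : NONE
"""

# Intended design from step 4: VRID -> (virtual IP, master priority, preempt delay).
# The backup keeps the default priority, which the page's output shows as 100.
PLAN = {1: ("10.1.2.100", 120, 20), 2: ("10.1.3.100", 120, 20)}
DEFAULT_PRIORITY = 100
EXPECTED_ROLE = {"DeviceA": {1: "Master", 2: "Backup"},
                 "DeviceB": {1: "Backup", 2: "Master"}}

HEADER = re.compile(r"^\s*(\S+)\s*\|\s*Virtual Router (\d+)\s*$")
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+)")


def parse_vrrp_verbose(text):
    """Return {vrid: {'interface': name, field: value, ...}} from the CLI output."""
    groups, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = int(m.group(2))
            groups[current] = {"interface": m.group(1)}
        elif current is not None and line.strip():
            # The Preempt line packs three fields on one row; split on 2+ spaces.
            for part in re.split(r"\s{2,}", line.strip()):
                if m := FIELD.match(part):
                    groups[current][m.group(1).strip()] = m.group(2)
    return groups


def check_device(name, text):
    """List deviations from PLAN and EXPECTED_ROLE; an empty list means compliant."""
    findings, groups = [], parse_vrrp_verbose(text)
    for vrid, (vip, master_prio, delay) in PLAN.items():
        g = groups.get(vrid)
        if g is None:
            findings.append(f"{name}: VRID {vrid} missing")
            continue
        role = EXPECTED_ROLE[name][vrid]
        if g["State"] != role:
            findings.append(f"{name}: VRID {vrid} is {g['State']}, expected {role}")
        if g["Virtual IP"] != vip:
            findings.append(f"{name}: VRID {vrid} virtual IP is {g['Virtual IP']}")
        if g["MasterPriority"] != str(master_prio):
            findings.append(f"{name}: VRID {vrid} master priority is {g['MasterPriority']}")
        # Only the intended master runs with priority 120 and the 20 s preempt delay.
        want_run = str(master_prio if role == "Master" else DEFAULT_PRIORITY)
        if g["PriorityRun"] != want_run:
            findings.append(f"{name}: VRID {vrid} running priority is {g['PriorityRun']}")
        want_delay = f"{delay}s" if role == "Master" else "0s"
        if g["Delay Time"] != want_delay:
            findings.append(f"{name}: VRID {vrid} preempt delay is {g['Delay Time']}")
    return findings


def unauthenticated_groups(groups):
    """VRIDs whose advertisements carry no authentication (Auth Type NONE)."""
    return sorted(v for v, g in groups.items() if g.get("Auth Type") == "NONE")
```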
配置脚本
· 汇聚层设备DeviceA的配置脚本
· #
· sysname
DeviceA
· #
· vlan
batch 2 to 3 6 to 7
· #
· stp
instance 1 root primary
· stp
instance 2 root secondary
· stp
pathcost-standard legacy
· #
· stp
region-configuration
· region-name RG1
· instance 1 vlan 2
· instance 2 vlan 3
· #
· interface
Vlanif2
· ip address 10.1.2.102 255.255.255.0
· vrrp vrid 1 virtual-ip 10.1.2.100
· vrrp vrid 1 priority 120
· vrrp vrid 1 preempt timer delay 20
· #
· interface
Vlanif3
· ip address 10.1.3.102 255.255.255.0
· vrrp vrid 2 virtual-ip 10.1.3.100
· #
· interface
Vlanif6
· ip address 10.1.6.102 255.255.255.0
· #
· interface
Vlanif7
· ip address 10.1.7.102 255.255.255.0
· #
· interface100GE1/0/1
· description TO-CE6800-DEVICEC
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 2
· stp root-protection
· #
· interface100GE1/0/2
· description TO-CE6800-DEVICED
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 3
· #
· interface100GE1/0/3
· description TO-CE16800-DEVICEB
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 2 to 3
· #
· interface100GE1/0/4
· description TO-CE16800-DEVICEI
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 6
· #
· interface100GE1/0/5
· description TO-CE16800-DEVICEJ
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 7
· #
· ospf
1
· area 0.0.0.0
· network 10.1.2.0 0.0.0.255
· network 10.1.3.0 0.0.0.255
· network 10.1.6.0 0.0.0.255
· network 10.1.7.0 0.0.0.255
· #
return
· 汇聚层设备DeviceB的配置脚本
· #
· sysname
DeviceB
· #
· vlan
batch 2 to 3 6 to 7
· #
· stp
instance 1 root secondary
· stp
instance 2 root primary
· stp
pathcost-standard legacy
· #
· stp
region-configuration
· region-name RG1
· instance 1 vlan 2
· instance 2 vlan 3
· #
· interface
Vlanif2
· ip address 10.1.2.103 255.255.255.0
· vrrp vrid 1 virtual-ip 10.1.2.100
· #
· interface
Vlanif3
· ip address 10.1.3.103 255.255.255.0
· vrrp vrid 2 virtual-ip 10.1.3.100
· vrrp vrid 2 priority 120
· vrrp vrid 2 preempt timer delay 20
· #
· interface
Vlanif6
· ip address 10.1.6.103 255.255.255.0
· #
· interface
Vlanif7
· ip address 10.1.7.103 255.255.255.0
· #
· interface100GE1/0/1
· description TO-CE6800-DEVICED
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 3
· stp root-protection
· #
· interface100GE1/0/2
· description TO-CE6800-DEVICEC
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 2
· #
· interface100GE1/0/3
· description TO-CE16800-DEVICEA
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 2 to 3
· #
· interface100GE1/0/4
· description TO-CE16800-DEVICEI
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 6
· #
· interface100GE1/0/5
· description TO-CE16800-DEVICEJ
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 7
· #
· ospf
1
· area 0.0.0.0
· network 10.1.2.0 0.0.0.255
· network 10.1.3.0 0.0.0.255
· network 10.1.6.0 0.0.0.255
· network 10.1.7.0 0.0.0.255
· #
return
· 接入层设备DeviceC的配置脚本
· #
· sysname
DeviceC
· #
· vlan
batch 2
· #
· stp
pathcost-standard legacy
· #
· stp
region-configuration
· region-name RG1
· instance 1 vlan 2
· instance 2 vlan 3
· #
· interface100GE1/0/1
· description TO-CE16800-DEVICEA
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 2
· #
· interface100GE1/0/2
· description TO-CE16800-DEVICEB
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 2
· stp instance 1 cost 20000
· #
· interface100GE1/0/3
· description TO-HOSTA
· port default vlan 2
· stp edged-port enable
· #
return
· 接入层设备DeviceD的配置脚本
· #
· sysname
DeviceD
· #
· vlan
batch 3
· #
· stp
pathcost-standard legacy
· #
· stp
region-configuration
· region-name RG1
· instance 1 vlan 2
· instance 2 vlan 3
· #
· interface100GE1/0/1
· description TO-CE16800-DEVICEB
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 3
· #
· interface100GE1/0/2
· description TO-CE16800-DEVICEA
· port link-type trunk
· undo port trunk allow-pass vlan 1
· port trunk allow-pass vlan 3
· stp instance 2 cost 20000
· #
· interface100GE1/0/3
· description TO-HOSTB
· port default vlan 3
· stp edged-port enable
· #
return
Configuration script of core-layer device DeviceI
#
sysname DeviceI
#
vlan batch 6 8 to 13
#
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255
 rule 15 permit ip source 10.1.4.0 0.0.0.255
 rule 20 permit ip source 10.1.5.0 0.0.0.255
#
acl number 3003
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
 rule 15 permit ip destination 10.1.4.0 0.0.0.255
 rule 20 permit ip destination 10.1.5.0 0.0.0.255
#
traffic classifier c1 type or
 if-match acl 3001
#
traffic classifier c3 type or
 if-match acl 3003
#
traffic behavior b1
 redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
traffic behavior b3
 redirect load-balance nexthop 172.16.100.2 172.16.100.4
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
#
traffic policy p2
 classifier c3 behavior b3 precedence 5
#
interface Vlanif6
 ip address 10.1.6.104 255.255.255.0
#
interface Vlanif8
 ip address 10.1.8.104 255.255.255.0
#
interface Vlanif9
 ip address 172.16.1.2 255.255.255.0
#
interface Vlanif10
 ip address 172.16.2.2 255.255.255.0
#
interface Vlanif11
 ip address 172.16.3.2 255.255.255.0
#
interface Vlanif12
 ip address 172.16.4.2 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.102 255.255.255.0
#
interface 100GE1/0/1
 description TO-CE16800-DEVICEA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound
#
interface 100GE1/0/2
 description TO-CE16800-DEVICEB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound
#
interface 100GE1/0/3
 description TO-CE16800-DEVICEE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound
#
interface 100GE1/0/4
 description TO-CE16800-DEVICEF
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound
#
interface 100GE1/0/5
 description TO-ROUTERA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 8
 traffic-policy p2 inbound
#
interface 100GE1/0/6
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 9
#
interface 100GE1/0/7
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface 100GE1/0/8
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
#
interface 100GE1/0/9
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 12
#
interface 100GE1/0/14
 description TO-CE16800-DEVICEJ
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 13
 traffic-policy p1 inbound
#
ospf 1
 area 0.0.0.0
  network 10.1.6.0 0.0.0.255
  network 10.1.8.0 0.0.0.255
  network 10.1.13.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
  network 172.16.4.0 0.0.0.255
#
return
Configuration script of core-layer device DeviceJ
#
sysname DeviceJ
#
vlan batch 7 to 13
#
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255
 rule 15 permit ip source 10.1.4.0 0.0.0.255
 rule 20 permit ip source 10.1.5.0 0.0.0.255
#
acl number 3003
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
 rule 15 permit ip destination 10.1.4.0 0.0.0.255
 rule 20 permit ip destination 10.1.5.0 0.0.0.255
#
traffic classifier c1 type or
 if-match acl 3001
#
traffic classifier c3 type or
 if-match acl 3003
#
traffic behavior b1
 redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
traffic behavior b3
 redirect load-balance nexthop 172.16.100.2 172.16.100.4
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
#
traffic policy p2
 classifier c3 behavior b3 precedence 5
#
interface Vlanif7
 ip address 10.1.7.105 255.255.255.0
#
interface Vlanif8
 ip address 10.1.8.105 255.255.255.0
#
interface Vlanif9
 ip address 172.16.6.2 255.255.255.0
#
interface Vlanif10
 ip address 172.16.7.2 255.255.255.0
#
interface Vlanif11
 ip address 172.16.8.2 255.255.255.0
#
interface Vlanif12
 ip address 172.16.9.2 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.103 255.255.255.0
#
interface 100GE1/0/1
 description TO-CE16800-DEVICEA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound
#
interface 100GE1/0/2
 description TO-CE16800-DEVICEB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound
#
interface 100GE1/0/3
 description TO-CE16800-DEVICEE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound
#
interface 100GE1/0/4
 description TO-CE16800-DEVICEF
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound
#
interface 100GE1/0/5
 description TO-ROUTERB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 8
 traffic-policy p2 inbound
#
interface 100GE1/0/6
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 9
#
interface 100GE1/0/7
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface 100GE1/0/8
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
#
interface 100GE1/0/9
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 12
#
interface 100GE1/0/14
 description TO-CE16800-DEVICEI
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 13
 traffic-policy p1 inbound
#
ospf 1
 area 0.0.0.0
  network 10.1.7.0 0.0.0.255
  network 10.1.8.0 0.0.0.255
  network 10.1.13.0 0.0.0.255
  network 172.16.6.0 0.0.0.255
  network 172.16.7.0 0.0.0.255
  network 172.16.8.0 0.0.0.255
  network 172.16.9.0 0.0.0.255
#
return
Configuration script of egress firewall FW-1
#
sysname FW-1
#
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend icmp-flood zone untrust max-rate 20000
firewall defend udp-flood zone untrust max-rate 1500
firewall defend syn-flood zone untrust max-rate 20000
#
hrp enable
hrp adjust ospf-cost enable
hrp interface Eth-Trunk1 remote 172.16.10.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/2
hrp track interface GigabitEthernet 1/0/3
hrp track interface GigabitEthernet 1/0/4
#
ips enable
#
interface Eth-Trunk1
 ip address 172.16.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 description TO-CE16800-DeviceI-Upstream
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 description TO-CE16800-DeviceI-Downstream
 ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 description TO-CE16800-DeviceJ-Upstream
 ip address 172.16.3.1 255.255.255.0
#
interface GigabitEthernet1/0/4
 description TO-CE16800-DeviceJ-Downstream
 ip address 172.16.4.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 description TO-FW-2-HRP
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 description TO-FW-2-HRP
 eth-trunk 1
#
interface GigabitEthernet2/0/2
 description TO-FW-2-HRP
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 description TO-FW-2-HRP
 eth-trunk 1
#
interface LoopBack 1
 ip address 172.16.100.1 32
#
interface LoopBack 2
 ip address 172.16.100.2 32
#
interface LoopBack 3
 ip address 172.16.100.3 32
#
interface LoopBack 4
 ip address 172.16.100.4 32
#
profile type ips name default
 signature-set name default
  os both
  target both
  severity low medium high
  protocol all
  category all
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/1
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/2
 add interface GigabitEthernet 1/0/4
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
firewall interzone trust untrust
 detect ftp
#
policy interzone trust untrust inbound
 policy 1
  action permit
  profile ips default
  policy service service-set ftp
  policy service service-set http
  policy destination 10.1.2.0 mask 24
  policy destination 10.1.3.0 mask 24
  policy destination 10.1.4.0 mask 24
  policy destination 10.1.5.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips default
  policy source 10.1.2.0 mask 24
  policy source 10.1.3.0 mask 24
  policy source 10.1.4.0 mask 24
  policy source 10.1.5.0 mask 24
#
ospf 1 router-id 172.16.100.1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.100.1 0.0.0.0
#
ospf 2 router-id 172.16.100.2
 area 0.0.0.0
  network 172.16.2.0 0.0.0.255
  network 172.16.100.2 0.0.0.0
#
ospf 3 router-id 172.16.100.3
 area 0.0.0.0
  network 172.16.3.0 0.0.0.255
  network 172.16.100.3 0.0.0.0
#
ospf 4 router-id 172.16.100.4
 area 0.0.0.0
  network 172.16.4.0 0.0.0.255
  network 172.16.100.4 0.0.0.0
#
return
Configuration script of egress firewall FW-2
#
sysname FW-2
#
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend icmp-flood zone untrust max-rate 20000
firewall defend udp-flood zone untrust max-rate 1500
firewall defend syn-flood zone untrust max-rate 20000
#
hrp enable
hrp adjust ospf-cost enable
hrp interface Eth-Trunk1 remote 172.16.5.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/2
hrp track interface GigabitEthernet 1/0/3
hrp track interface GigabitEthernet 1/0/4
#
ips enable
#
interface Eth-Trunk1
 ip address 172.16.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 description TO-CE16800-DeviceI-Upstream
 ip address 172.16.6.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 description TO-CE16800-DeviceI-Downstream
 ip address 172.16.7.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 description TO-CE16800-DeviceJ-Upstream
 ip address 172.16.8.1 255.255.255.0
#
interface GigabitEthernet1/0/4
 description TO-CE16800-DeviceJ-Downstream
 ip address 172.16.9.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 description TO-FW-1-HRP
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 description TO-FW-1-HRP
 eth-trunk 1
#
interface GigabitEthernet2/0/2
 description TO-FW-1-HRP
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 description TO-FW-1-HRP
 eth-trunk 1
#
interface LoopBack 1
 ip address 172.16.100.1 32
#
interface LoopBack 2
 ip address 172.16.100.2 32
#
interface LoopBack 3
 ip address 172.16.100.3 32
#
interface LoopBack 4
 ip address 172.16.100.4 32
#
profile type ips name default
 signature-set name default
  os both
  target both
  severity low medium high
  protocol all
  category all
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/1
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/2
 add interface GigabitEthernet 1/0/4
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
firewall interzone trust untrust
 detect ftp
#
policy interzone trust untrust inbound
 policy 1
  action permit
  profile ips default
  policy service service-set ftp
  policy service service-set http
  policy destination 10.1.2.0 mask 24
  policy destination 10.1.3.0 mask 24
  policy destination 10.1.4.0 mask 24
  policy destination 10.1.5.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips default
  policy source 10.1.2.0 mask 24
  policy source 10.1.3.0 mask 24
  policy source 10.1.4.0 mask 24
  policy source 10.1.5.0 mask 24
#
ospf 1 router-id 172.16.100.6
 area 0.0.0.0
  network 172.16.6.0 0.0.0.255
  network 172.16.100.1 0.0.0.0
#
ospf 2 router-id 172.16.100.7
 area 0.0.0.0
  network 172.16.7.0 0.0.0.255
  network 172.16.100.2 0.0.0.0
#
ospf 3 router-id 172.16.100.8
 area 0.0.0.0
  network 172.16.8.0 0.0.0.255
  network 172.16.100.3 0.0.0.0
#
ospf 4 router-id 172.16.100.9
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
  network 172.16.100.4 0.0.0.0
#
return
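The security of this design rests on three things staying consistent across devices: every trunk prunes VLAN 1, the next-hops in the core switches' redirect behaviors (b1/b3) are loopbacks the firewalls actually own, and the subnets ACL 3001/3003 steer into the firewalls are exactly the subnets the trust-untrust policies permit. If a tenant subnet is added to the ACL but not the firewall policy, its traffic is redirected and then dropped; if it is added to the policy but not the ACL, it bypasses the firewall entirely. The following audit script is an added example written for this page, not Huawei code; it parses the script text above in its `#`-delimited form and reports any drift. The sample configurations inside it are constructed, abridged copies of the DeviceI and FW-1 scripts, and `DRIFTED_CORE` is a deliberately broken variant.

```python
"""Drift audit for the core-switch and firewall scripts above (added example, not page code)."""
import re

# Constructed sample input: abridged copies of the DeviceI and FW-1 scripts on this page.
CORE_CONFIG = """\
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255
#
acl number 3003
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
#
traffic behavior b1
 redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
interface 100GE1/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 8
#
return
"""
FW_CONFIG = """\
interface LoopBack 1
 ip address 172.16.100.1 32
#
interface LoopBack 3
 ip address 172.16.100.3 32
#
policy interzone trust untrust inbound
 policy 1
  policy destination 10.1.2.0 mask 24
  policy destination 10.1.3.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  policy source 10.1.2.0 mask 24
  policy source 10.1.3.0 mask 24
#
return
"""

def parse_blocks(text):
    """Split VRP-style config into (header, body_lines) tuples delimited by '#'."""
    blocks, current = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "return"):
            continue
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        else:
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks

def grep(config, header_prefix, pattern):
    """Regex matches over body lines of every block whose header starts with header_prefix."""
    return [m for header, body in parse_blocks(config) if header.startswith(header_prefix)
            for m in (re.match(pattern, line) for line in body) if m]

def cidr(addr, wildcard):
    """ACL address + wildcard -> prefix notation (assumes a contiguous wildcard)."""
    return f"{addr}/{32 - sum(bin(int(o)).count('1') for o in wildcard.split('.'))}"

def audit(core, firewall):
    """Return findings as strings; an empty list means the two scripts agree."""
    findings = []
    for header, body in parse_blocks(core):  # trunks must prune VLAN 1
        if (header.startswith("interface ") and "port link-type trunk" in body
                and "undo port trunk allow-pass vlan 1" not in body):
            findings.append(f"{header}: trunk still carries VLAN 1")
    hops = {h for m in grep(core, "traffic behavior", r"redirect load-balance nexthop (.+)")
            for h in m.group(1).split()}
    loops = {m.group(1) for m in grep(firewall, "interface LoopBack", r"ip address (\S+) 32")}
    for hop in sorted(hops - loops):  # redirect targets must be firewall loopbacks
        findings.append(f"redirect next-hop {hop}: no such firewall loopback")
    for acl, fld, pol in ((3001, "source", "outbound"), (3003, "destination", "inbound")):
        redirected = {cidr(m.group(1), m.group(2)) for m in grep(
            core, f"acl number {acl}", rf"rule \d+ permit ip {fld} (\S+) (\S+)")}
        policed = {f"{m.group(1)}/{m.group(2)}" for m in grep(
            firewall, f"policy interzone trust untrust {pol}", rf"policy {fld} (\S+) mask (\d+)")}
        for net in sorted(redirected ^ policed):  # symmetric difference = drift either way
            findings.append(f"{net}: {pol} redirect ACL {acl} and firewall policy disagree")
    return findings

# Constructed drift: a subnet added to ACL 3001 only, and a trunk left carrying VLAN 1.
DRIFTED_CORE = CORE_CONFIG.replace(
    " rule 10 permit ip source 10.1.3.0 0.0.0.255",
    " rule 10 permit ip source 10.1.3.0 0.0.0.255\n rule 15 permit ip source 10.1.4.0 0.0.0.255",
).replace(" undo port trunk allow-pass vlan 1\n", "")

if __name__ == "__main__":
    print("\n".join(audit(DRIFTED_CORE, FW_CONFIG)) or "no findings")
```

Feed it the output of `display current-configuration` from one core switch and one firewall (the HRP pair shares loopbacks and policy, so auditing FW-1 covers FW-2 once `hrp mirror session enable` and the identical policy blocks are confirmed). The wildcard-to-prefix conversion assumes contiguous wildcards, which is all this page uses; discontiguous ACL wildcards would need a separate comparison.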