Lab topology diagram (image not reproduced).

Background and requirements
The network has grown rapidly and the current core device (firewall A) no longer has enough forwarding capacity. The forwarding capacity of the network must be doubled while preserving the existing investment, and the network must remain easy to manage and maintain.

Lab procedure
Step 1: Configure firewall A
# Configure IRF port 1/2 and bind it to physical port GigabitEthernet 1/0/0, do the same for IRF port 1/1 and GigabitEthernet 1/0/4, then save the configuration.

<H3C>system-view
[H3C]int g 1/0/0
[H3C-GigabitEthernet1/0/0]shutdown
[H3C-GigabitEthernet1/0/0]quit

[H3C]irf-port 1/2

[H3C-irf-port1/2]port group interface GigabitEthernet 1/0/0
You must perform the following tasks for a successful IRF setup:
Save the configuration after completing IRF configuration.
Execute the "irf-port-configuration active" command to activate the IRF ports.
[H3C-irf-port1/2]dis thi
#
irf-port 1/2
 port group interface GigabitEthernet1/0/0
#
return
[H3C-irf-port1/2]quit

[H3C]interface GigabitEthernet 1/0/0
[H3C-GigabitEthernet1/0/0]undo shutdown
[H3C-GigabitEthernet1/0/0]quit

[H3C]int g 1/0/4
[H3C-GigabitEthernet1/0/4]shutdown
[H3C-GigabitEthernet1/0/4]quit
[H3C]irf-port 1/1
[H3C-irf-port1/1]port group interface GigabitEthernet 1/0/4
You must perform the following tasks for a successful IRF setup:
Save the configuration after completing IRF configuration.
Execute the "irf-port-configuration active" command to activate the IRF ports.
[H3C-irf-port1/1]dis thi
#
irf-port 1/1
 port group interface GigabitEthernet1/0/4
#
return
[H3C-irf-port1/1]quit

[H3C]interface GigabitEthernet 1/0/4
[H3C-GigabitEthernet1/0/4]undo shutdown
[H3C-GigabitEthernet1/0/4]quit

[H3C]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.

[H3C]irf-port-configuration active

Step 2: Configure firewall B
# Renumber firewall B's member ID to 2 and reboot the device so that the new ID takes effect.

<H3C>system-view

[H3C]irf member 1 renumber 2
Renumbering the member ID may result in configuration change or loss. Continue?[Y/N]:y
[H3C]quit
<H3C>reboot
<H3C>system-view
System View: return to User View with Ctrl+Z.

[H3C]interface GigabitEthernet 2/0/0
[H3C-GigabitEthernet2/0/0]shutdown
[H3C-GigabitEthernet2/0/0]quit
[H3C]sa fo
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
[H3C]irf-port 2/1

[H3C-irf-port2/1]port group interface GigabitEthernet 2/0/0
You must perform the following tasks for a successful IRF setup:
Save the configuration after completing IRF configuration.
Execute the "irf-port-configuration active" command to activate the IRF ports.
[H3C-irf-port2/1]dis thi
#
irf-port 2/1
 port group interface GigabitEthernet2/0/0
 sa fo
#
return
[H3C-irf-port2/1]quit

[H3C]interface GigabitEthernet 2/0/0
[H3C-GigabitEthernet2/0/0]undo shutdown
[H3C-GigabitEthernet2/0/0]quit

[H3C]interface GigabitEthernet 2/0/4
[H3C-GigabitEthernet2/0/4]shutdown
[H3C-GigabitEthernet2/0/4]quit
[H3C]irf-port 2/2
[H3C-irf-port2/2]port group interface GigabitEthernet 2/0/4
You must perform the following tasks for a successful IRF setup:
Save the configuration after completing IRF configuration.
Execute the "irf-port-configuration active" command to activate the IRF ports.
[H3C-irf-port2/2]quit
[H3C]sa fo
[H3C]interface GigabitEthernet 2/0/4
[H3C-GigabitEthernet2/0/4]undo shutdown
[H3C-GigabitEthernet2/0/4]quit
[H3C]sa fo
[H3C]irf-port-configuration active

Step 3: Master election
Firewall A and firewall B hold a master election. The losing device reboots, and once it is back up the IRF fabric is formed (status screenshots not reproduced).

Step 4: Configure BFD MAD detection
# Create Layer 3 aggregate interface 3 and add one physical port from each member to it.

<H3C>system-view
System View: return to User View with Ctrl+Z.

[H3C]interface Route-Aggregation 3
[H3C-Route-Aggregation3]quit

[H3C]interface GigabitEthernet 1/0/3

[H3C-GigabitEthernet1/0/3]port link-aggregation group 3
[H3C-GigabitEthernet1/0/3]quit

[H3C]interface GigabitEthernet 2/0/3

[H3C-GigabitEthernet2/0/3]port link-aggregation group 3
[H3C-GigabitEthernet2/0/3]quit

# Enable BFD MAD on Layer 3 aggregate interface 3 and configure one MAD IP address per member.

[H3C]interface Route-Aggregation 3
[H3C-Route-Aggregation3]mad bfd enable
[H3C-Route-Aggregation3]mad ip address 192.168.2.1 24 member 1
[H3C-Route-Aggregation3]mad ip address 192.168.2.2 24 member 2
[H3C-Route-Aggregation3]quit

# Add Layer 3 aggregate interface 3 to security zone Trust.

<H3C>system-view
System View: return to User View with Ctrl+Z.

[H3C]security-zone name trust

[H3C-security-zone-Trust]import interface Route-Aggregation 3
[H3C-security-zone-Trust]quit

# Configure ACL 2000 with a rule that permits only packets sourced from the 192.168.2.0 network.

<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]acl number 2000

[H3C-acl-ipv4-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[H3C-acl-ipv4-basic-2000]quit

# Create the zone pair from source zone Trust to destination zone Local and apply the packet-filter policy to it.

[H3C]zone-pair security source trust destination local
[H3C-zone-pair-security-Trust-Local]packet-filter 2000
[H3C-zone-pair-security-Trust-Local]quit

# Create the zone pair from source zone Local to destination zone Trust and apply the packet-filter policy to it.

[H3C]zone-pair security source local destination trust
[H3C-zone-pair-security-Local-Trust]packet-filter 2000
[H3C-zone-pair-security-Local-Trust]quit
[H3C]sa fo
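Steps 1 through 4 describe a handful of consistency rules that are easy to get wrong by hand: every IRF link must join IRF-port 1 of one member to IRF-port 2 of the other, each member needs its own MAD IP address in a shared subnet, and the ACL applied to both Trust/Local zone pairs must actually permit that subnet, or MAD has no path. The script below is an added example, not part of the original post or of any H3C tool: it parses configuration text in the "display this" form shown above (the samples are constructed from the lab values) and reports any rule violation before "irf-port-configuration active" is run. The cabling in IRF_LINKS (GE1/0/0 to GE2/0/0, GE1/0/4 to GE2/0/4) is an assumption, since the topology image is not reproduced here.

```python
"""Offline consistency check of an H3C IRF + BFD MAD configuration.

Added example, not part of the original post. The configuration samples
are constructed from the lab values shown in the walkthrough.
"""
import ipaddress
import re

# Constructed sample: the irf-port sections of both members before the merge.
MEMBER_CONFIGS = {
    1: "irf-port 1/1\n port group interface GigabitEthernet1/0/4\n"
       "irf-port 1/2\n port group interface GigabitEthernet1/0/0\n",
    2: "irf-port 2/1\n port group interface GigabitEthernet2/0/0\n"
       "irf-port 2/2\n port group interface GigabitEthernet2/0/4\n",
}

# Assumed cabling (the post's topology image is not reproduced here).
IRF_LINKS = [
    ("GigabitEthernet1/0/0", "GigabitEthernet2/0/0"),
    ("GigabitEthernet1/0/4", "GigabitEthernet2/0/4"),
]

# Constructed sample: the MAD-related part of the merged fabric configuration.
MAD_CONFIG = """\
interface Route-Aggregation3
 mad bfd enable
 mad ip address 192.168.2.1 24 member 1
 mad ip address 192.168.2.2 24 member 2
acl number 2000
 rule permit source 192.168.2.0 0.0.0.255
zone-pair security source trust destination local
 packet-filter 2000
zone-pair security source local destination trust
 packet-filter 2000
"""

IRF_PORT_RE = re.compile(r"^irf-port (\d+)/([12])$")
PORT_GROUP_RE = re.compile(r"^\s+port group interface (\S+)$")
MAD_IP_RE = re.compile(r"^\s+mad ip address (\S+) (\S+) member (\d+)$", re.M)
ACL_RULE_RE = re.compile(r"^\s+rule permit source (\S+) (\S+)$", re.M)
ZONE_PAIR_RE = re.compile(
    r"^zone-pair security source (\S+) destination (\S+)\n\s+packet-filter (\d+)$", re.M)


def parse_irf_ports(config):
    """Map each physical interface to the (member, irf-port number) it is bound to."""
    bound, current = {}, None
    for line in config.splitlines():
        m = IRF_PORT_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            continue
        m = PORT_GROUP_RE.match(line)
        if m and current is not None:
            bound[m.group(1)] = current
    return bound


def check_irf_links(member_configs, links):
    """Every physical IRF link must join IRF-port 1 of one member to IRF-port 2 of the other."""
    bound = {}
    for cfg in member_configs.values():
        bound.update(parse_irf_ports(cfg))
    problems = []
    for a, b in links:
        if a not in bound or b not in bound:
            problems.append(f"{a} or {b} is not bound to an irf-port")
            continue
        (ma, pa), (mb, pb) = bound[a], bound[b]
        if ma == mb:
            problems.append(f"{a} and {b} are both on member {ma}")
        elif pa == pb:
            problems.append(f"irf-port {ma}/{pa} faces irf-port {mb}/{pb}; expected {mb}/{3 - pa}")
    return problems


def check_mad(config, members):
    """BFD MAD needs BFD enabled, one unique IP per member in a single subnet, and an ACL
    that permits the MAD subnet on both Trust<->Local zone pairs."""
    problems = []
    if "\n mad bfd enable\n" not in config:
        problems.append("mad bfd enable missing on the MAD interface")
    addrs = {int(m): ipaddress.ip_interface(f"{ip}/{mask}")
             for ip, mask, m in MAD_IP_RE.findall(config)}
    missing = sorted(set(members) - set(addrs))
    if missing:
        problems.append(f"no MAD IP address for member(s) {missing}")
    if len({a.network for a in addrs.values()}) > 1:
        problems.append("MAD IP addresses are not in a single subnet")
    if len({a.ip for a in addrs.values()}) != len(addrs):
        problems.append("duplicate MAD IP address")
    # ipaddress treats a mask that starts with a zero octet (0.0.0.255) as a host mask,
    # which is exactly the Comware ACL wildcard.
    permitted = [ipaddress.ip_network(f"{src}/{wc}", strict=False)
                 for src, wc in ACL_RULE_RE.findall(config)]
    if not all(any(a.ip in net for net in permitted) for a in addrs.values()):
        problems.append("ACL does not permit every MAD IP address")
    filtered = {(s, d) for s, d, _ in ZONE_PAIR_RE.findall(config)}
    for pair in (("trust", "local"), ("local", "trust")):
        if pair not in filtered:
            problems.append(f"no packet-filter on zone-pair {pair[0]} -> {pair[1]}")
    return problems


def audit():
    """Run both checks over the constructed samples; an empty list means consistent."""
    return check_irf_links(MEMBER_CONFIGS, IRF_LINKS) + check_mad(MAD_CONFIG, (1, 2))


if __name__ == "__main__":
    print(audit() or "configuration consistent")
```

Paste the real "display this" output of each member into MEMBER_CONFIGS and the aggregate-interface, ACL and zone-pair sections into MAD_CONFIG, and fix the IRF_LINKS list to match the actual cabling; the script is deliberately strict about the zone-pair check because a missing packet-filter in either direction silently breaks the BFD session that MAD relies on.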

Command list (image not reproduced).
