H3C
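H3C F1005 IDC dual-line policy-based routing
BGP line + China Telecom management network; designated management hosts are routed over the Telecom line.
Telecom gateway: 123.123.123.123
Designated IP addresses: 10.4.230.1, 10.4.233.1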
acl advanced 3000
description TEL policy routing
rule 10 permit ip source 10.4.230.1 0
rule 11 permit ip source 10.4.233.1 0
# Configure the ACL to define the range of host addresses to match
policy-based-route aaa permit node 0
if-match acl 3000
apply next-hop 123.123.123.123
# Match the ACL and specify the next-hop address
policy-based-route aaa permit node 1
#
interface GigabitEthernet1/0/6
description to SW-1-1
ip address 192.168.100.1 255.255.255.0
ip policy-based-route aaa
# Apply the policy on the interface facing the internal network
ip route-static 0.0.0.0 0 123.123.123.123 preference 70
# Floating route; if the default route fails, traffic uses this lower-priority route
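To check which source addresses the policy above actually steers to the Telecom gateway, the following added example (not part of the original notes) evaluates the ACL and policy nodes offline. It assumes first-match ACL evaluation, that a node without if-match matches every packet, and that a permit node without an apply clause leaves forwarding to the routing table; next-hop reachability is not modelled, and the function names are hypothetical.

```python
import ipaddress

# Constructed input: the ACL and policy lines copied from the section above.
CONFIG = """\
acl advanced 3000
 rule 10 permit ip source 10.4.230.1 0
 rule 11 permit ip source 10.4.233.1 0
policy-based-route aaa permit node 0
 if-match acl 3000
 apply next-hop 123.123.123.123
policy-based-route aaa permit node 1
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse(config):
    """Return (acls, nodes): ACL rules keyed by ACL number, PBR nodes by node ID."""
    acls, nodes, rules, node = {}, [], None, None
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["acl", "advanced"]:
            rules = acls.setdefault(w[2], [])
        elif w[:1] == ["policy-based-route"]:
            node = {"id": int(w[4]), "mode": w[2], "acl": None, "next_hop": None}
            nodes.append(node)
        elif w[:1] == ["rule"] and "source" in w and rules is not None:
            i = w.index("source")
            # A wildcard of "0" means 0.0.0.0, i.e. a single host.
            wild = 0 if w[i + 2] == "0" else _ip(w[i + 2])
            rules.append((w[2], _ip(w[i + 1]), wild))
        elif w[:2] == ["if-match", "acl"] and node is not None:
            node["acl"] = w[2]
        elif w[:2] == ["apply", "next-hop"] and node is not None:
            node["next_hop"] = w[2]
    return acls, sorted(nodes, key=lambda n: n["id"])

def acl_permits(rules, src):
    """First matching rule decides; no match counts as not permitted."""
    for action, addr, wild in rules:
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def pbr_next_hop(config, src):
    """Next hop forced by the policy for src, or None if the routing table decides."""
    acls, nodes = parse(config)
    for n in nodes:
        if n["acl"] is None or acl_permits(acls.get(n["acl"], []), _ip(src)):
            return n["next_hop"] if n["mode"] == "permit" else None
    return None
```

Running pbr_next_hop over every address in the management subnets after an ACL change shows whether a widened wildcard has started steering hosts that were not meant to use the Telecom line.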
H3C F1005 firewall active/standby mode
Add to the redundancy group
redundancy group 1
member interface Reth2
member interface Reth20
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet1/0/8
track 3 interface GigabitEthernet1/0/10
node 2
bind slot 2
priority 80
track 2 interface GigabitEthernet2/0/8
track 4 interface GigabitEthernet2/0/10
Redundant virtual interface (Reth) configuration
interface Reth2
description to WAN
ip address 103.100.100.100 255.255.255.240
member interface GigabitEthernet1/0/10 priority 255 # primary
member interface GigabitEthernet2/0/10 priority 50
nat outbound # enable NAT
# The peer is an ordinary port; no link aggregation is needed
interface Reth20
description to LAN
ip address 192.168.120.1 255.255.255.0
member interface GigabitEthernet1/0/8 priority 255
member interface GigabitEthernet2/0/8 priority 50
# The peer is an ordinary port; no link aggregation is needed
Interface trust zones
security-zone name Trust
# Add the internal-network interfaces to the Trust zone (virtual interface and physical ports)
import interface GigabitEthernet1/0/8
import interface GigabitEthernet2/0/8
import interface Reth20
security-zone name Untrust
# Add the external-network outbound interfaces to this zone
import interface GigabitEthernet1/0/10
import interface GigabitEthernet2/0/10
import interface Reth2
Check status
dis reth interface Reth 2
dis reth interface Reth 20