H3C
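H3C F1005: IDC dual-line policy-based routing
BGP line plus a China Telecom management network; selected management hosts are routed over the Telecom line. Telecom gateway: 123.123.123.123. Selected IP addresses: 10.4.230.1, 10.4.233.1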
acl advanced 3000
description TEL policy routing
rule 10 permit ip source 10.4.230.1 0
rule 11 permit ip source 10.4.233.1 0
# Configure the ACL that defines which host addresses are matched
policy-based-route aaa permit node 0
if-match acl 3000
apply next-hop 123.123.123.123
# Match the ACL and set the next-hop address
policy-based-route aaa permit node 1
#
interface GigabitEthernet1/0/6
description to SW-1-1
ip address 192.168.100.1 255.255.255.0
ip policy-based-route aaa
# Apply the policy on the internal (LAN-side) interface
ip route-static 0.0.0.0 0 123.123.123.123 preference 70
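# Floating route: if the default route goes down, traffic takes this lower-priority route
H3C F1005 firewall active/standby mode
Join the redundancy group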
redundancy group 1
member interface Reth2
member interface Reth20
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet1/0/8
track 3 interface GigabitEthernet1/0/10
node 2
bind slot 2
priority 80
track 2 interface GigabitEthernet2/0/8
track 4 interface GigabitEthernet2/0/10
Redundant virtual interface (Reth) configuration
interface Reth2
description to WAN
ip address 103.100.100.100 255.255.255.240
member interface GigabitEthernet1/0/10 priority 255 # primary
member interface GigabitEthernet2/0/10 priority 50
nat outbound # enable NAT
# The peer side uses ordinary ports; no link aggregation is needed
interface Reth20
description to LAN
ip address 192.168.120.1 255.255.255.0
member interface GigabitEthernet1/0/8 priority 255
member interface GigabitEthernet2/0/8 priority 50
# The peer side uses ordinary ports; no link aggregation is needed
Interface trust zones
security-zone name Trust
# Add the internal interfaces to the Trust zone (both the virtual interface and the physical ports)
import interface GigabitEthernet1/0/8
import interface GigabitEthernet2/0/8
import interface Reth20
security-zone name Untrust
# Add the external (WAN) egress interfaces to this zone
import interface GigabitEthernet1/0/10
import interface GigabitEthernet2/0/10
import interface Reth2
Check status
dis reth interface Reth 2
dis reth interface Reth 20
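Added example, not part of the original notes: a Python audit that parses configuration text laid out like the sections above and reports Reth member ports that are missing from the Reth's security zone or from the redundancy group's track list, plus Reth interfaces missing from the group or from any zone. The names `audit`, `HEADER` and `SAMPLE` are illustrative, and the sample is constructed from the page's layout with two lines left out on purpose.

```python
import re

# Constructed sample: omits G2/0/8 from Trust and the track for G2/0/10.
SAMPLE = """\
redundancy group 1
 member interface Reth2
 member interface Reth20
 track 1 interface GigabitEthernet1/0/8
 track 3 interface GigabitEthernet1/0/10
 track 2 interface GigabitEthernet2/0/8
interface Reth2
 member interface GigabitEthernet1/0/10 priority 255 # primary
 member interface GigabitEthernet2/0/10 priority 50
interface Reth20
 member interface GigabitEthernet1/0/8 priority 255
 member interface GigabitEthernet2/0/8 priority 50
security-zone name Trust
 import interface GigabitEthernet1/0/8
 import interface Reth20
security-zone name Untrust
 import interface GigabitEthernet1/0/10
 import interface GigabitEthernet2/0/10
 import interface Reth2
"""
HEADER = re.compile(r"(interface|security-zone name|redundancy group) (\S+)")

def audit(config):
    """Findings for Reth interfaces/members that are ungrouped, mis-zoned or untracked."""
    reth, zone_of, tracked, grouped, kind, name = {}, {}, set(), set(), None, None
    for raw in config.splitlines():
        line = raw.split("#")[0].strip()          # drop '#' comments and separators
        if m := HEADER.fullmatch(line):           # start of a new config section
            kind, name = m[1], m[2]
        elif m := re.match(r"member interface (\S+)", line):
            if kind == "redundancy group": grouped.add(m[1])
            elif kind == "interface" and name.startswith("Reth"): reth.setdefault(name, []).append(m[1])
        elif kind == "security-zone name" and (m := re.fullmatch(r"import interface (\S+)", line)):
            zone_of[m[1]] = name
        elif m := re.fullmatch(r"track \d+ interface (\S+)", line):
            tracked.add(m[1])
    out = []
    for r, members in reth.items():
        if r not in grouped: out.append(f"{r}: not in the redundancy group")
        if r not in zone_of: out.append(f"{r}: not in any security zone")
        for phy in members:
            if zone_of.get(phy) != zone_of.get(r):
                out.append(f"{phy}: zone {zone_of.get(phy)}, but {r} is in {zone_of.get(r)}")
            if phy not in tracked: out.append(f"{phy}: not tracked in the redundancy group")
    return out
```

Calling `audit(SAMPLE)` returns one finding for each omitted line; a configuration that matches the page's sections returns an empty list.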