Dual-Firewall Hot Standby
Add each FW_A interface to the appropriate security zone:
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/5
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
Add each FW_B interface to the appropriate security zone:
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/5
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
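On FW_A's upstream service interface GE1/0/0, configure VRRP group 1 and set its state to Active.
On FW_A's downstream service interface GE1/0/5, configure VRRP group 2 and set its state to Active.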
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.2.0.3 active
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 active
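On FW_B's upstream service interface GE1/0/0, configure VRRP group 1 and set its state to Standby.
On FW_B's downstream service interface GE1/0/5, configure VRRP group 2 and set its state to Standby.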
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.2.0.3 standby
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 standby
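A consistency check for the two VRRP configurations above, as an added example that is not part of the original post: it confirms that each group has the same virtual IP on both firewalls, that the interface addresses are distinct hosts of one subnet, and that the roles are one active and one standby. The names `vrrp_groups` and `check_pair` are hypothetical.

```python
import ipaddress
import re

# Constructed input: the VRRP-bearing interface lines of FW_A and FW_B from this page.
FW_A = """\
interface GigabitEthernet1/0/0
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.2.0.3 active
interface GigabitEthernet1/0/5
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 active
"""
FW_B = """\
interface GigabitEthernet1/0/0
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.2.0.3 standby
interface GigabitEthernet1/0/5
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
"""

# Relies on the vrrp line directly following the ip address line, as on this page.
VRRP_RE = re.compile(
    r"ip address (\S+) (\S+)\s+vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")

def vrrp_groups(config):
    """Map vrid -> (interface network, real IP, virtual IP, role)."""
    groups = {}
    for ip, mask, vrid, vip, role in VRRP_RE.findall(config):
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        groups[int(vrid)] = (iface.network, iface.ip, ipaddress.ip_address(vip), role)
    return groups

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between the two firewalls' VRRP groups."""
    a, b, problems = vrrp_groups(cfg_a), vrrp_groups(cfg_b), []
    for vrid in sorted(a.keys() | b.keys()):
        if vrid not in a or vrid not in b:
            problems.append(f"vrid {vrid}: configured on one firewall only")
            continue
        (net_a, ip_a, vip_a, role_a), (net_b, ip_b, vip_b, role_b) = a[vrid], b[vrid]
        if vip_a != vip_b:
            problems.append(f"vrid {vrid}: virtual IPs differ ({vip_a} vs {vip_b})")
        if net_a != net_b or ip_a == ip_b:
            problems.append(f"vrid {vrid}: {ip_a}/{ip_b} are not distinct hosts of one subnet")
        if {role_a, role_b} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles are {role_a}/{role_b}")
    return problems
```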
On FW_A, specify the heartbeat interface and enable hot standby.
hrp interface g1/0/6 remote 10.10.0.2 (peer IP)
hrp enable
On FW_B, specify the heartbeat interface and enable hot standby.
hrp interface g1/0/6 remote 10.10.0.1
hrp enable
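Configure the security policy on FW_A. Once the hot-standby state has been established, FW_A's security policy configuration is automatically backed up to FW_B.
Configure a security policy that allows intranet users to access the Internet: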
HRP_M[USG6000V1]security-policy (+B)
HRP_M[USG6000V1-policy-security]dis this
2019-08-30 03:26:34.740
#
security-policy
rule name permit_trust_untrust
source-zone trust
destination-zone untrust
service icmp
action permit
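Configure the NAT policy on FW_A. Once the hot-standby state has been established, FW_A's NAT policy configuration is automatically backed up to FW_B.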
nat address-group group1
section 0 1.1.1.2 1.1.1.5
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.0.0
action source-nat address-group group1
The requirement now is full connectivity across the whole network:
AR1:
ip route-static 10.2.0.0 255.255.255.0 1.1.1.1
LSW1:
interface Vlanif100
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif200
ip address 10.2.0.5 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
FW_A:
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.2.0.3 active
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 active
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 10.10.0.1 255.255.255.0
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/5
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
ip route-static 0.0.0.0 0.0.0.0 10.2.0.5
#
security-policy
rule name permit_trust_untrust
source-zone trust
destination-zone untrust
service icmp
action permit
rule name untrust_local
source-zone untrust
destination-zone local
service icmp
action permit
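An audit of the FW_A configuration above, as an added example that is not part of the original post: it maps each interface to its security zone and lists the unencrypted management services (`service-manage ... permit`) enabled on interfaces in the untrust zone. The names `parse`, `audit` and `CLEARTEXT` are hypothetical, and treating SNMP as unencrypted is an assumption.

```python
import re

# Constructed input: FW_A's service-manage and zone lines from this page (other lines omitted).
FW_A = """\
interface GigabitEthernet1/0/0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/5
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
firewall zone trust
 add interface GigabitEthernet1/0/5
#
firewall zone untrust
 add interface GigabitEthernet1/0/0
"""

# Assumption: SNMP counts as unencrypted because the page shows no SNMPv3 setup.
CLEARTEXT = {"http", "telnet", "snmp"}

def parse(config):
    """Return ({interface: {services}}, {interface: zone}) from a config dump."""
    services, zone_of, kind, name = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"(interface|firewall zone) (\S+)", line):
            kind, name = m[1], m[2]
        elif kind == "interface" and (m := re.fullmatch(r"service-manage (\S+) permit", line)):
            services.setdefault(name, set()).add(m[1])
        elif kind == "firewall zone" and (m := re.fullmatch(r"add interface (\S+)", line)):
            zone_of[m[1]] = name
    return services, zone_of

def audit(config, exposed_zones=("untrust",)):
    """List (interface, zone, service) for cleartext management in exposed zones."""
    services, zone_of = parse(config)
    return sorted((ifname, zone_of[ifname], svc) for ifname, svcs in services.items()
                  if zone_of.get(ifname) in exposed_zones for svc in svcs & CLEARTEXT)
```

Calling `audit(FW_A)` reports http, snmp and telnet on GigabitEthernet1/0/0; passing `exposed_zones=("trust",)` runs the same check against the inside interface.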
Final NAT policy, easy-ip:
LSW2:
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
AR1:
Original article: https://www.cnblogs.com/mqqq/p/11434138.html