Firewall IRF Stacking Configuration Commands + Link Load Balancing Configuration Commands




1. Primary firewall configuration
# Set the priority of the primary firewall to 10
[H3C-A] irf member 1 priority 10
# Add the ports to be used for stacking to the IRF port
[H3C-A] interface range g1/0/22 to g1/0/23
[H3C-A-if-range] shutdown
[H3C-A-if-range] quit
[H3C-A] irf-port 1/2
[H3C-A-irf-port 1/2] port group interface g1/0/22
[H3C-A-irf-port 1/2] port group interface g1/0/23
[H3C-A-irf-port 1/2] quit

2. Backup firewall configuration
# Set the member ID of the backup firewall to 2
[H3C-B] irf member 1 renumber 2
[H3C-B] quit
# Reboot the backup firewall for the configuration to take effect
<H3C-B> reboot
# Add the ports to be used for stacking to the IRF port
[H3C-B] interface range g1/0/22 to g1/0/23
[H3C-B-if-range] shutdown
[H3C-B-if-range] quit
[H3C-B] irf-port 2/1
[H3C-B-irf-port 2/1] port group interface g1/0/22
[H3C-B-irf-port 2/1] port group interface g1/0/23
[H3C-B-irf-port 2/1] quit

3. Bring the stacking ports up and activate the configuration
[H3C-A] interface range g1/0/22 to g1/0/23
[H3C-A-if-range] undo shutdown
[H3C-A-if-range] quit
[H3C-A] irf-port-configuration active
[H3C-B] interface range g1/0/22 to g1/0/23
[H3C-B-if-range] undo shutdown
[H3C-B-if-range] quit
[H3C-B] irf-port-configuration active

4. Configure BFD MAD detection
# Create aggregation group 1 and add the physical ports to it
[H3C] interface route-aggregation 1
[H3C-Route-Aggregation1] quit
[H3C] interface gigabitethernet 1/0/13
[H3C-GigabitEthernet1/0/13] port link-aggregation group 1
[H3C-GigabitEthernet1/0/13] quit
[H3C] interface gigabitethernet 2/0/13
[H3C-GigabitEthernet2/0/13] port link-aggregation group 1
[H3C-GigabitEthernet2/0/13] quit
# Enable BFD MAD and configure the MAD detection IP addresses
[H3C] interface route-aggregation 1
[H3C-Route-Aggregation1] mad bfd enable
[H3C-Route-Aggregation1] mad ip address 192.168.10.1 24 member 1
[H3C-Route-Aggregation1] mad ip address 192.168.10.2 24 member 2
[H3C-Route-Aggregation1] quit
# Security zone configuration: add interface route-aggregation 1 to the "trust" zone
[H3C] security-zone name trust
[H3C-security-zone-Trust] import interface route-aggregation 1
[H3C-security-zone-Trust] quit
# Permit the traffic in the security policy
[H3C] display cu | in security-policy
security-policy ip
# Create a security policy rule that permits local-to-trust and trust-to-local traffic.
[H3C] security-policy ip
[H3C-security-policy-ip] rule 10 name test
[H3C-security-policy-ip-10-test] action pass
[H3C-security-policy-ip-10-test] source-zone local
[H3C-security-policy-ip-10-test] source-zone Trust
[H3C-security-policy-ip-10-test] destination-zone local
[H3C-security-policy-ip-10-test] destination-zone Trust
[H3C-security-policy-ip-10-test] quit

5. Verify the configuration
[H3C] display mad
[H3C] display mad verbose

================================================================================

1. Configure the link group
# Create the ICMP-type NQA template t1 and configure how the result of each probe is reported
[H3C] nqa template icmp t1
[H3C-nqatplt-icmp-t1] reaction trigger per-probe
[H3C-nqatplt-icmp-t1] quit
# Specify t1 as the default proximity probe method and set the network delay (RTT) weight used in the proximity calculation to 200
[H3C] loadbalance proximity
[H3C-lb-proximity] match default probe t1
[H3C-lb-proximity] rtt weight 200
[H3C-lb-proximity] quit
# Create link group ISP and enable the proximity feature
[H3C] loadbalance link-group ISP
[H3C-lb-lgroup-isp] proximity enable
# Disable the NAT feature
[H3C-lb-lgroup-isp] transparent enable
[H3C-lb-lgroup-isp] quit

2. Configure the links
# Create link1, set its next-hop IPv4 address to 61.175.192.50, and add it to link group ISP
[H3C] loadbalance link link1
[H3C-lb-link-link1] router ip 61.175.192.50
[H3C-lb-link-link1] link-group ISP
[H3C-lb-link-link1] quit
# Create link2, set its next-hop IPv4 address to 61.175.192.51, and add it to link group ISP
[H3C] loadbalance link link2
[H3C-lb-link-link2] router ip 61.175.192.51
[H3C-lb-link-link2] link-group ISP
[H3C-lb-link-link2] quit

3. Configure the virtual server
# Create virtual server vs of type link-ip, set its VSIP to the wildcard 0.0.0.0/0, specify ISP as its default primary link group, and enable the virtual server.
[H3C] virtual-server vs type link-ip
[H3C-vs-link-ip-vs] virtual ip address 0.0.0.0 0
[H3C-vs-link-ip-vs] default link-group ISP
[H3C-vs-link-ip-vs] service enable
[H3C-vs-link-ip-vs] quit

4. Verify the configuration
# Display brief information about all links
[H3C] display loadbalance link brief
# Display detailed information about all link groups
[H3C] display loadbalance link-group
# Display detailed information about all virtual servers
[H3C] display virtual-server
# Display brief information about all IPv4 proximity entries
[H3C] display loadbalance proximity ip
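
Security policy rule 10 in step 4 of the IRF section matches on zones only, with two source zones and two destination zones. The Python below is an added example, not part of the original document: it parses a CLI transcript in the page's format and lists pass rules that have no address or service match, along with the zone pairs they cover. The function names, the keyword prefixes treated as narrowing a rule, and the reading that several zones of one type are alternatives are assumptions of this example.

```python
import re

# Constructed sample: the rule from step 4 of the IRF section, as a CLI transcript.
SAMPLE = """\
[H3C] security-policy ip
[H3C-security-policy-ip] rule 10 name test
[H3C-security-policy-ip-10-test] action pass
[H3C-security-policy-ip-10-test] source-zone local
[H3C-security-policy-ip-10-test] source-zone Trust
[H3C-security-policy-ip-10-test] destination-zone local
[H3C-security-policy-ip-10-test] destination-zone Trust
[H3C-security-policy-ip-10-test] quit
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips "[H3C-...]" view prompts
# Assumption: a rule command starting with one of these narrows the match.
NARROWING = ("source-ip", "destination-ip", "service")

def parse_rules(transcript):
    """Collect action, zones and a 'narrowed' flag for each rule in the transcript."""
    rules, cur = {}, None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = re.match(r"rule (\d+)(?: name (\S+))?", line)
        if m:
            cur = rules.setdefault(int(m.group(1)), {
                "name": m.group(2), "action": None,
                "src": set(), "dst": set(), "narrowed": False})
        elif cur is None or line == "quit":
            cur = None  # outside a rule view, or leaving one
        elif line.startswith("action "):
            cur["action"] = line.split()[1]
        elif line.startswith("source-zone "):
            cur["src"].add(line.split()[1].lower())
        elif line.startswith("destination-zone "):
            cur["dst"].add(line.split()[1].lower())
        elif line.startswith(NARROWING):
            cur["narrowed"] = True
    return rules

def audit(transcript):
    """Return (rule id, name, zone pairs) for pass rules matched on zones only."""
    findings = []
    for rid, r in sorted(parse_rules(transcript).items()):
        if r["action"] == "pass" and not r["narrowed"]:
            # Assumption: zones of one type are alternatives (full cross product).
            pairs = sorted((s, d) for s in r["src"] for d in r["dst"])
            findings.append((rid, r["name"], pairs))
    return findings
```

Under that reading, audit(SAMPLE) reports rule 10 for the pairs local/local, local/trust, trust/local and trust/trust, which is wider than the two directions named in the comment above the rule.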
