- 1AUTODOCK分子对接_autodock蛋白质和脂质分子对接
- 2自回归语言模型(AR)和自编码语言模型(AE)_ar ae模型
- 3el-table 表格封装并改造实现单元格可编辑_el-table 编辑单元格
- 4STM笔记_AD9833的详解及其f407驱动_ad9833驱动程序详解
- 523-480、基于Arduino Uno驱动的面部识别跟踪相机设计-CSDN_arduino uno 图像识别
- 6推荐3款自动爬虫神器,再也不用手撸代码了_爬虫软件 最新
- 7An unhandled exception occurred: spawn UNKNOWN windows10本地powershell启动不了解决方案_windows打不开powershell
- 8下一代 AI 搜索引擎 MindSearch:多智能体 + 系统2,模拟人类认知过程的 AI 搜索引擎
- 9脚本不得关闭非脚本打开的窗口。_【自动化测试】Selenium IDE脚本编辑与操作(了解)...
- 10【Redis】使用 Java 客户端连接 Redis_java连接redis
华为防火墙智能选路_华为防火墙ip选路和负载均衡
赞
踩
-
配置内网IP地址及区域
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW2-GigabitEthernet1/0/1]ip add 10.1.1.2 24
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]service-manage ping permit
-
配置DMZ区域IP地址及区域
[FW1-GigabitEthernet1/0/6]ip add 10.1.2.1 24
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/6
[FW2-GigabitEthernet1/0/6]ip add 10.1.2.2 24
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/6 -
配置外网IP地址及其互通
[FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/3]ip add 20.1.5.11 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/2
[FW1-zone-untrust]add interface g1/0/3
[FW2-GigabitEthernet1/0/2]ip add 20.1.2.2 24
[FW2-GigabitEthernet1/0/2]service-manage ping permit
[FW2-GigabitEthernet1/0/3]ip add 20.1.4.22 24
[FW2-GigabitEthernet1/0/3]service-manage ping permit
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet1/0/2
[FW2-zone-untrust]add interface GigabitEthernet1/0/3
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[AR1-GigabitEthernet0/0/2]ip add 20.1.4.23 24
[AR1-GigabitEthernet0/0/1]ip add 20.1.3.6 24
[AR2-GigabitEthernet0/0/0]ip add 20.1.2.3 24
[AR2-GigabitEthernet0/0/2]ip add 20.1.5.12 24
[AR2-GigabitEthernet0/0/1]ip add 20.1.3.7 24
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.5.12 preference 100
[FW2]ip route-static 0.0.0.0 0.0.0.0 20.1.4.23
[FW2]ip route-static 0.0.0.0 0.0.0.0 20.1.2.3 preference 100 -
配置域间安全策略
[FW1]security-policy
[FW1-policy-security]rule name sec_policy
[FW1-policy-security-rule-sec_policy]source-zone trust
[FW1-policy-security-rule-sec_policy]source-zone local
[FW1-policy-security-rule-sec_policy]destination-zone untrust
[FW1-policy-security-rule-sec_policy]action permit
[FW2]security-policy
[FW2-policy-security]rule name sec_policy
[FW2-policy-security-rule-sec_policy]source-zone trust
[FW2-policy-security-rule-sec_policy]source-zone local
[FW2-policy-security-rule-sec_policy]destination-zone untrust
[FW2-policy-security-rule-sec_policy]action permit -
配置NAT功能
(1)在FW1上配置nat地址池和可分配的地址,nat策略
[FW1]nat address-group nat_isp1
[FW1-address-group-nat_isp1]section 20.1.1.100 20.1.1.110
[FW1]nat-policy
[FW1-policy-nat]rule name source_isp1
[FW1-policy-nat-rule-source_isp1]source-zone trust
[FW1-policy-nat-rule-source_isp1]destination-zone untrust
[FW1-policy-nat-rule-source_isp1]action source-nat address-group nat_isp1
此时如果将PC1网关设为FW1的g1/0/1的地址,就可PING通20.1.1.0网段
查看NAT转换
(2)在FW2上配置nat地址池和可分配的地址,nat策略
[FW2]nat address-group nat_isp1
[FW2-address-group-nat_isp1]section 20.1.4.100 20.1.4.110
[FW2]nat-policy
[FW2-policy-nat]rule name source_isp1
[FW2-policy-nat-rule-source_isp1]source-zone trust
[FW2-policy-nat-rule-source_isp1]destination-zone untrust
[FW2-policy-nat-rule-source_isp1]action source-nat address-group nat_isp1
- 配置健康检查功能
[FW1]healthcheck enable
[FW1]healthcheck name isp1_health
[FW1-healthcheck-isp1_health]destination 20.1.1.2 interface g1/0/2 protocol icmp
[FW1]healthcheck name isp2_health
[FW1-healthcheck-isp2_health]destination 20.1.5.12 int g1/0/3 protocol icmp
[FW2]healthcheck enable
[FW2]healthcheck name isp1_health
[FW2-healthcheck-isp1_health]destination 20.1.4.23 interface g1/0/3 protocol icmp
[FW2]healthcheck name isp2_health
[FW2-healthcheck-isp2_health]destination 20.1.2.3 interface g1/0/2 protocol icmp
-
配置接口带宽
[FW1-GigabitEthernet1/0/2]healthcheck isp1_health
[FW1-GigabitEthernet1/0/2]bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2]bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/3]healthcheck isp2_health
[FW1-GigabitEthernet1/0/3]bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/3]bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/2]healthcheck isp2_health
[FW2-GigabitEthernet1/0/2]bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/2]bandwidth egress 50000 threshold 90
[FW2-GigabitEthernet1/0/3]healthcheck isp1_health
[FW2-GigabitEthernet1/0/3]bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/3]bandwidth egress 50000 threshold 90 -
配置双机热备
[FW1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 active
[FW1-GigabitEthernet1/0/1]vrrp virtual-mac enable
[FW1]hrp enable
[FW1]hrp interface GigabitEthernet 1/0/6 remote 10.1.2.2
[FW2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[FW2-GigabitEthernet1/0/1]vrrp virtual-mac enable
[FW2]hrp enable
[FW2]hrp interface g1/0/6 remote 10.1.2.1
[AR1-GigabitEthernet0/0/1]vrrp vrid 1 virtual-ip 20.1.3.254
[AR2-GigabitEthernet0/0/1]vrrp vrid 1 virtual-ip 20.1.3.254
PC可以ping通服务器
-
配置全局选路策略
HRP_M[FW1]link-interface 0 name ISP1 (+B)
HRP_M[FW1-linkif-0]interface GigabitEthernet 1/0/2 next-hop 20.1.1.2 (+B)
HRP_M[FW1-linkif-0]healthcheck isp1_health (+B)
HRP_M[FW1]link-interface 1 name ISP2 (+B)
HRP_M[FW1-linkif-1]interface GigabitEthernet 1/0/3 next-hop 20.1.5.12 (+B)
HRP_M[FW1-linkif-1]healthcheck isp2_health (+B)
HRP_M[FW1]multi-linkif (+B)
HRP_M[FW1-multi-linkif]mode priority-of-link-quality (+B)
HRP_M[FW1-multi-linkif]priority-of-link-quality parameter loss (+B)
HRP_M[FW1-multi-linkif]priority-of-link-quality protocol tcp-simple (+B)
HRP_M[FW1-multi-linkif]add linkif ISP1 (+B)
HRP_M[FW1-multi-linkif]add linkif ISP2 (+B)
FW2上不用配置,会自动生成以上配置
