问
h3c-F1000-AK115-HA切换问题咨询
2024-05-30提问
- 0关注
- 0收藏,178浏览
问题描述:
请问下HA配置中,这个位置没有配置接口的话,
问题1:默认是监控所有的接口状态变化吗?
问题2:那如果加了接口,是只监控个别接口吗?
现在没有加配置接口,当在用的接口状态发生变化时会切换到备用防火墙上。有大佬知道上面两个问题不?
- 2024-05-30提问
- 举报
-
(0)
最佳答案
zhiliao_mQO3Ib
知了小白
但是现在我这边没有配置监控端口,和图片的一样,当主防火墙上的某个端口状态发生变化的时候,就切换到备防火墙上了,是哪里有问题吗?
这个是HA的配置
#
remote-backup group
data-channel interface GigabitEthernet1/0/11
undo configuration auto-sync enable
undo configuration sync-check
local-ip 10.10.0.1
remote-ip 10.10.0.2
device-role primary
备防火墙的HA配置
#
remote-backup group
data-channel interface GigabitEthernet1/0/11
undo configuration auto-sync enable
undo configuration sync-check
local-ip 10.10.0.2
remote-ip 10.10.0.1
device-role secondary
#
主防火墙完整配置
#
version 7.1.064, Release 9560P26
#
sysname H3C
#
clock protocol none
#
context Admin id 1
#
ip vpn-instance intranet_MGT
description intranet_MGT
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
object 6
#
password-recovery enable
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip binding vpn-instance intranet_MGT
ip address 10.20.42.8 255.255.255.224
ip last-hop hold
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
gateway 10.20.42.1
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
description TO_SW1361_10GE0/0/49
ip address 10.10.4.2 255.255.255.248
vrrp vrid 4 virtual-ip 10.10.4.1 255.255.255.248 active
undo vrrp vrid 4 preempt-mode
ip last-hop hold
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
#
interface GigabitEthernet1/0/8
port link-mode route
description To_SEAWAN_ETH0
speed 1000
ip address 10.10.3.2 255.255.255.240
ip address 10.10.8.1 255.255.255.252 sub
vrrp vrid 3 virtual-ip 10.10.3.1 255.255.255.248 active
undo vrrp vrid 3 preempt-mode
ip last-hop hold
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
#
interface GigabitEthernet1/0/9
port link-mode route
description PG_CTC02
ip address 10.10.2.1 255.255.255.0
vrrp vrid 202 virtual-ip 10.10.2.3 255.255.255.0 active
undo vrrp vrid 202 preempt-mode
ip last-hop hold
nat outbound 3005 address-group 4 counting
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
#
interface GigabitEthernet1/0/10
port link-mode route
description PG_CTC01
ip address 10.10.1.1 255.255.255.0
vrrp vrid 201 virtual-ip 10.10.1.3 255.255.255.0 active
undo vrrp vrid 201 preempt-mode
ip last-hop hold
nat outbound 3005 address-group 3 counting
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
ipsec apply policy DG_IPSEC
#
interface GigabitEthernet1/0/11
port link-mode route
description HA_HEART_LINE
ip address 10.10.0.1 255.255.255.252
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
#
interface SSLVPN-AC1
ip address 10.10.10.1 255.255.255.0
manage http inbound
manage https inbound
manage ping inbound
manage ssh inbound
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/7
import interface GigabitEthernet1/0/8
import interface GigabitEthernet1/0/11
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
security-zone name DG_Untrust
import interface GigabitEthernet1/0/10
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
security-zone name SZbgp_Untrust
import interface GigabitEthernet1/0/9
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 10.10.1.3 preference 70
ip route-static 0.0.0.0 0 10.10.2.3 track 7 preference 50
ip route-static 10.10.7.0 24 10.10.3.4
ip route-static 10.10.7.0 24 10.10.4.4 preference 70
ip route-static 10.144.64.0 24 103.191.242.1
ip route-static 10.144.65.0 24 103.191.242.1
ip route-static 10.144.66.0 24 10.10.3.4
ip route-static 10.144.66.0 24 10.10.4.4 preference 70
ip route-static 10.144.68.0 24 10.10.4.4 preference 70
ip route-static 10.144.68.0 24 10.10.3.4
#
info-center timestamp loghost no-year-date
info-center loghost 172.21.100.222 facility local6
info-center loghost vpn-instance intranet_MGT 172.21.100.222 facility local6
info-center source FFILTER logfile deny
info-center filter logh.222 default level notification
#
snmp-agent
snmp-agent local-engineid 800063A28074D6CB008EB300000001
snmp-agent community read cipher $c$3$kIeub09u2nVNcoaGvMFXsmEOLTU0dNBSIgIsmrrt
snmp-agent sys-info version v2c v3
#
performance-management
#
ssh server enable
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$cYJ0oGLSjcuiiBBE$J3K+yW06zldnGRSniekXKdwwpo3wGUifWzHjPMkHaXik5nVb3esmT4x0WTq2KgfM2ZxPmbH8IftxaA1mKVMHJA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user fanjm class network
password cipher $c$3$3Hl1BNegWTFLb1IAheirG/A6OzHS8twHog+hGbFE
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user heyn class network
password cipher $c$3$pzoc1I2rhPMqb+BOqeTbCd2ColGIulNxYw==
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user suzx class network
password cipher $c$3$S8bJ43vO0Xxo2AK/w6VFG9UrmiRtxlrQnvI=
access-limit 2
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user user01 class network
password cipher $c$3$i0ro5a2p135j8DZvFw+LxzoScqaXjEptNQ==
access-limit 2
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user user02 class network
password cipher $c$3$MUTsjpcdT2+L1JaFDn26huGxUkLFS2WibQ==
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user user03 class network
password cipher $c$3$v9ODVUqYlOOnHRB7xuQgVrzjuj7jQsvShg==
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user user04 class network
password cipher $c$3$/9jt0GSgLycmy7KVmjYtDKzNlo64p/i/b7orp5ab
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user wangcj class network
password cipher $c$3$T4ypvM+Gty6ritGBvxUr3z3YXmdXFOWFW6BFMPqX
access-limit 3
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user wangdd class network
password cipher $c$3$AtXVbGb0jnalKR3N8z0wa6iic5hT3xKFo7iLWJM=
access-limit 1
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user wangf class network
password cipher $c$3$caxf8gNz1Z+1WLsrB1zVCVsnEOwJu3MhE1Oc25zq
access-limit 2
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user wangz class network
password cipher $c$3$uX51UuItBAAbHIXPmZNE/XMrZHJjk7G1RsCX5rEO
access-limit 2
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user xianxs class network
password cipher $c$3$rf/O/YE5AOrDWzBScT6YUSCYj7i8JDtFYhwFCNwN
access-limit 2
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user xiongk class network
password cipher $c$3$+av0lqpLLEeRux6EQGwW/1mvDg/ttJKWwook
access-limit 3
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user zhaoyy class network
password cipher $c$3$vd87m54jVxNfM69maGU6M6PaLHZflBjwSUH+oWo9
access-limit 3
service-type sslvpn
authorization-attribute user-role network-operator
#
local-user zhuangmz class network
password cipher $c$3$3fVCMfc3AgW+jL+EiKxdICEruWeKnbY2ve5sHSG/
access-limit 2
service-type sslvpn
authorization-attribute user-role network-operator
#
public-key peer 10.10.3.1
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100B9F3254765DEED3E
282393F9F5274A37FE2FE0BB005CE3AE96F06DB17684A0FD261D3AA068FDCE215AE15E1FE4
A53C72551BB48DBF210809E30460C3B03B1DC66A219421D4A5D0CF7976C1D62B3E265C34E2
10F44FC60E6ED3E2833D2B7D027F3EEB58DA6064215C412275EBD3AE3A283C4CC854CDD016
C00B06DE2D2686EE210203010001
public-key-code end
peer-public-key end
#
ip https enable
#
blacklist global enable
#
app-profile 7_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
link-group bandwith
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
bandwidth interface statistics enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
user-identity online-user-name-match without-domain
#
packet-capture max-bytes 4096
packet-capture max-file-packets 1000
packet-capture storage local limit 10240
#
terminal-identification
#
security-policy ip
rule 0 name Local_untrust
action pass
source-zone Local
destination-zone DG_Untrust
destination-zone SZbgp_Untrust
rule 3 name Local_trust
action pass
source-zone Local
destination-zone Trust
destination-zone Local
destination-zone SSLVPN
rule 1 name Trust_untrust
action pass
source-zone Trust
destination-zone DG_Untrust
destination-zone SZbgp_Untrust
rule 2 name Trust_trust
action pass
source-zone Trust
destination-zone Local
destination-zone Trust
destination-zone SSLVPN
rule 4 name SSLVPN_untrust
action pass
source-zone SSLVPN
destination-zone DG_Untrust
destination-zone SZbgp_Untrust
rule 5 name SSLVPN_trust
action pass
logging enable
source-zone SSLVPN
destination-zone Local
destination-zone Trust
destination-zone SSLVPN
rule 7 name unstrust_local
action pass
logging enable
counting enable
profile 7_IPv4
source-zone DG_Untrust
source-zone SZbgp_Untrust
destination-zone Local
destination-zone Trust
destination-zone SSLVPN
destination-zone DG_Untrust
destination-zone SZbgp_Untrust
rule 6 name any
action pass
counting enable
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
remote-backup group
data-channel interface GigabitEthernet1/0/11
undo configuration auto-sync enable
undo configuration sync-check
local-ip 10.10.0.1
remote-ip 10.10.0.2
device-role primary
#
return
- 2024-05-31回答
- 评论(0)
- 举报
-
(0)
编辑答案
➤
✖
亲~登录后才可以操作哦!
确定
✖
✖
你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
✖
举报
×
侵犯我的权益
>
对根叔社区有害的内容
>
辱骂、歧视、挑衅等(不友善)
侵犯我的权益
×
侵犯了我企业的权益
>
抄袭了我的内容
>
诽谤我
>
辱骂、歧视、挑衅等(不友善)
骚扰我
侵犯了我企业的权益
×
您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
抄袭了我的内容
×
原文链接或出处
诽谤我
×
您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
对根叔社区有害的内容
×
垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载
>
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票
不规范转载
×
举报说明
我现在的设备上面没有配置这个监控接口,但是防火墙上面的某端口的状态变化了,就会到HA切换
RBM?
RBM vrrp方式的话不需要联动
RBM+vrrp的方式的
那不需要单独配置联动,自动联动的
是因为配置了RBM+VRRP后这个接口就会自动进行HA切换?不配置的话,就和1楼的说的一样,默认是不监控所有端口?
嗯
那配置了RBM+VRRP,防火墙1个没有配置VRRP的接口,发生了接口状态变化,会进行HA的切换吗?