I. Topology
II. Requirements
1、
2、
3、
4、
5、
6、
7、
III. Configuration approach
1、
2、
3、
4、
5、
IV. Interface and address plan

| Local interface | VLAN/IP | Notes | Peer |
|---|---|---|---|
| ISP access switch | | | |
| G1/0/1 | VLAN10 | ISP1 | ISP1 |
| G1/0/2 | VLAN10 | | FW1:G1/0/1 |
| G1/0/3 | VLAN10 | | FW2:G1/0/1 |
| G1/0/4 | VLAN20 | ISP2 | |
| G1/0/5 | VLAN20 | | FW1:G1/0/2 |
| G1/0/6 | VLAN20 | | FW2:G1/0/2 |
| Egress firewall FW1 | | | |
| G1/0/1 | 10.0.0.1/30 | VRRP1: 200.0.1.1/24 active | |
| G1/0/2 | 10.0.0.5/30 | VRRP2: 200.0.2.1/24 active | |
| G1/0/5 | 10.0.1.2/24 | VRRP10: 10.0.1.1/24 active | Core switch 6: G1/0/5 |
| G1/0/22 | Route-agg64, 1.1.1.1/30 | HA interface | FW2:G1/0/22 |
| G1/0/23 | Route-agg64, 1.1.1.1/30 | HA interface | FW2:G1/0/23 |
| Egress firewall FW2 | | | |
| G1/0/1 | 10.0.0.2/30 | VRRP1: 200.0.1.1/24 standby | |
| G1/0/2 | 10.0.0.6/30 | VRRP2: 200.0.2.1/24 standby | |
| G1/0/5 | 10.0.1.3/24 | VRRP10: 10.0.1.1/24 standby | Core switch 7: G2/0/5 |
| G1/0/22 | Route-agg64, 1.1.1.2/30 | HA interface | FW1:G1/0/22 |
| G1/0/23 | Route-agg64, 1.1.1.2/30 | HA interface | FW1:G1/0/23 |
| Core switch 6 (slot 1) / core switch 7 (slot 2), IRF | | | |
| G1/0/5 | VLAN10 | Vlan-int10: 10.0.1.4/24 | FW1:G1/0/5 |
| G2/0/5 | VLAN10 | Vlan-int10: 10.0.1.4/24 | FW2:G2/0/5 |
| G1/0/48 | VLAN4000 | BFD MAD detection, 1.1.1.5/30 | Core switch 7: G2/0/48 |
| G2/0/48 | VLAN4000 | BFD MAD detection, 1.1.1.6/30 | Core switch 6: G1/0/48 |
| XG1/0/49 | IRF-PORT1/1 | IRF interface | Core switch 7: XG2/0/49 |
| XG1/0/50 | IRF-PORT1/1 | IRF interface | Core switch 7: XG2/0/50 |
| XG2/0/49 | IRF-PORT2/2 | IRF interface | Core switch 6: XG1/0/49 |
| XG2/0/50 | IRF-PORT2/2 | IRF interface | Core switch 6: XG1/0/50 |
| G1/0/6 | Bridge-agg100 VLAN100 | Trunk; Vlan-int100: 172.16.100.1/24 | Access switch: G1/0/6 |
| G2/0/6 | Bridge-agg100 VLAN100 | Trunk; Vlan-int100: 172.16.100.1/24 | Access switch: G1/0/7 |
| Access switch | | | |
| G1/0/6 | Bridge-agg100 VLAN100 | Trunk | Core switch 6: G1/0/6 |
| G1/0/7 | Bridge-agg100 VLAN100 | Trunk | Core switch 7: G2/0/6 |
| G1/0/1 | Access VLAN100 | | PC1 |
| G1/0/2 | Access VLAN100 | | PC2 |
| G1/0/3 | Access VLAN100 | | Server |
| Terminals | | | |
| PC1 | Obtained via DHCP | Receives the fixed IP 172.16.100.15 | Access switch: G1/0/1 |
| PC2 | Obtained via DHCP | Automatically assigned | Access switch: G1/0/2 |
| Server | 172.16.100.22 | Provides an SSH service to the outside | Access switch: G1/0/3 |
The HCL simulator project file has been uploaded to HCLhub: http://hclhub.h3c.com/project/9466/summary/master?path=README.md&type=text
If the link no longer works, log in to http://hclhub.h3c.com/ and search for: v7_防火墙_rbm_vrrp_出口主备
(1)
1、
# Create VLAN 10 and assign interfaces G1/0/1 to G1/0/3 to it
#
system-view
#
vlan 10
 port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3
 quit
#
# Create VLAN 20 and assign interfaces G1/0/4 to G1/0/6 to it
#
vlan 20
 port GigabitEthernet 1/0/4 GigabitEthernet 1/0/5 GigabitEthernet 1/0/6
 quit
#
# Save the configuration
save force
(2)
1、
# Create Layer 3 aggregate interface 64 and add G1/0/22 and G1/0/23 to it. This aggregate interface is the RBM data/control channel between the firewalls; the control-channel IP is configured on it as well.
#
system-view
#
sysname FW1
#
interface Route-Aggregation64
 ip address 1.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/22
 port link-aggregation group 64
#
interface GigabitEthernet1/0/23
 port link-aggregation group 64
#
# Complete the RBM configuration: data channel Route-Aggregation64, HA switchback delay 10 minutes, local control-channel IP 1.1.1.1, remote IP 1.1.1.2, this device is the primary management device.
remote-backup group
 data-channel interface Route-Aggregation64
 delay-time 10
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary
#

# This part of the FW2 configuration mirrors FW1.
#
system-view
#
sysname FW2
#
interface Route-Aggregation64
 ip address 1.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/22
 port link-aggregation group 64
#
interface GigabitEthernet1/0/23
 port link-aggregation group 64
#
remote-backup group
 data-channel interface Route-Aggregation64
 delay-time 10
 local-ip 1.1.1.2
 remote-ip 1.1.1.1
 device-role secondary
#
2、
# Each ISP provides only one public IP, so the firewall uplink interfaces that connect to the same ISP can carry private addresses from one shared subnet, with the VRRP virtual address set to the ISP-provided IP. The virtual IP must be configured together with a mask; use the mask the ISP gave you.
# VRRP must be associated with RBM: append "active" to the command on the primary device and "standby" on the other.
# Because the firewall has two egress links, configure "ip last-hop hold" on the public interfaces so that return traffic leaves through the interface it arrived on.
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 10.0.0.1 255.255.255.252
 vrrp vrid 1 virtual-ip 200.0.1.1 255.255.255.0 active
 ip last-hop hold
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 10.0.0.5 255.255.255.252
 vrrp vrid 2 virtual-ip 200.0.2.1 255.255.255.0 active
 ip last-hop hold
#
interface GigabitEthernet1/0/5
 port link-mode route
 ip address 10.0.1.2 255.255.255.0
 vrrp vrid 10 virtual-ip 10.0.1.1 255.255.255.0 active
#

# This part of the FW2 configuration mirrors FW1.
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 10.0.0.2 255.255.255.252
 vrrp vrid 1 virtual-ip 200.0.1.1 255.255.255.0 standby
 ip last-hop hold
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 10.0.0.6 255.255.255.252
 vrrp vrid 2 virtual-ip 200.0.2.1 255.255.255.0 standby
 ip last-hop hold
#
interface GigabitEthernet1/0/5
 port link-mode route
 ip address 10.0.1.3 255.255.255.0
 vrrp vrid 10 virtual-ip 10.0.1.1 255.255.255.0 standby
#
3、
# Configure NQA to probe reachability from the firewall to each ISP gateway address: ICMP probes, probe interval 100 ms, timeout 500 ms, and 5 consecutive misses count as a probe failure.
#
nqa entry isp1 main
 type icmp-echo
  destination ip 200.0.1.254
  frequency 1000
  next-hop ip 200.0.1.254
  probe timeout 500
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry isp2 main
 type icmp-echo
  destination ip 200.0.2.254
  frequency 1000
  next-hop ip 200.0.2.254
  probe timeout 500
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
# Start the NQA probes and bind track entries to them
#
nqa schedule isp1 main start-time now lifetime forever
nqa schedule isp2 main start-time now lifetime forever
#
track 1 nqa entry isp1 main reaction 1
#
track 2 nqa entry isp2 main reaction 1
#
# Bind the default routes to the track entries, and add the return route to internal VLAN 100
#
ip route-static 0.0.0.0 0 200.0.1.254 track 1
ip route-static 0.0.0.0 0 200.0.2.254 track 2
ip route-static 172.16.100.0 24 10.0.1.4
#

# This part of the FW2 configuration mirrors FW1.
#
nqa entry isp1 main
 type icmp-echo
  destination ip 200.0.1.254
  frequency 1000
  next-hop ip 200.0.1.254
  probe timeout 500
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry isp2 main
 type icmp-echo
  destination ip 200.0.2.254
  frequency 1000
  next-hop ip 200.0.2.254
  probe timeout 500
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule isp1 main start-time now lifetime forever
nqa schedule isp2 main start-time now lifetime forever
#
track 1 nqa entry isp1 main reaction 1
#
track 2 nqa entry isp2 main reaction 1
#
ip route-static 0.0.0.0 0 200.0.1.254 track 1
ip route-static 0.0.0.0 0 200.0.2.254 track 2
ip route-static 172.16.100.0 24 10.0.1.4
#
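To make the failure-detection behaviour of this NQA/track configuration concrete, here is an added Python model (not part of this case and not H3C code) of the "consecutive 5" probe-fail reaction and the track-bound default routes; the probe history it replays is constructed, and the 500 ms timeout and threshold of 5 are taken from the configuration above.

```python
from dataclasses import dataclass

PROBE_TIMEOUT_MS = 500    # probe timeout 500
CONSECUTIVE_FAILS = 5     # threshold-type consecutive 5

@dataclass
class NqaTrack:
    """One NQA entry plus the track entry bound to it (reaction 1)."""
    gateway: str
    run: int = 0            # current run of consecutive failed probes
    positive: bool = True   # track state; a negative track withdraws its route

    def probe(self, rtt_ms):
        """Feed one probe result; rtt_ms is None when no echo reply arrived."""
        ok = rtt_ms is not None and rtt_ms <= PROBE_TIMEOUT_MS
        self.run = 0 if ok else self.run + 1
        # consecutive threshold: the reaction fires once the run reaches 5 and
        # clears on the first successful probe (the run resets to 0)
        self.positive = self.run < CONSECUTIVE_FAILS
        return self.positive

def default_routes(tracks):
    """ip route-static 0.0.0.0 0 <gw> track N: installed only while track N is positive."""
    return [t.gateway for t in tracks if t.positive]

def replay(results):
    """Replay a probe history [(isp1_rtt, isp2_rtt), ...] and return the default
    routes installed after each probe round."""
    isp1, isp2 = NqaTrack("200.0.1.254"), NqaTrack("200.0.2.254")
    history = []
    for r1, r2 in results:
        isp1.probe(r1)
        isp2.probe(r2)
        history.append(default_routes([isp1, isp2]))
    return history

# Constructed history: ISP1 stays up; ISP2 misses six probes in a row (one of them a
# late reply past the 500 ms timeout, which also counts as failed), then recovers.
SAMPLE = [(20, 15), (22, None), (21, None), (20, 900), (19, None), (23, None), (20, None), (21, 14)]
```

With frequency 1000 the fifth consecutive miss, and therefore the route withdrawal, comes about five seconds after the gateway stops answering; a single successful reply reinstates the route.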
4、
# Add the internal interface G1/0/5 to the Trust zone, the ISP1 interface G1/0/1 to the Untrust zone, and the ISP2 interface G1/0/2 to the Untrust2 zone.
#
security-zone name Trust
 import interface GigabitEthernet1/0/5
 quit
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
 quit
#
security-zone name Untrust2
 import interface GigabitEthernet1/0/2
 quit
#
5、
# Configure a service object group that matches traffic to TCP destination port 2222
#
object-group service tcp2222
 0 service tcp destination eq 2222
 quit
#
# Configure the NAT address groups used for source translation; each group is bound to the VRRP group of its interface
#
nat address-group 1 name isp1
 address 200.0.1.1 200.0.1.1
 vrrp vrid 1
 quit
#
nat address-group 2 name isp2
 address 200.0.2.1 200.0.2.1
 vrrp vrid 2
 quit
#
nat address-group 5 name trust
 address 10.0.1.1 10.0.1.1
 vrrp vrid 5
 quit
#
nat global-policy
# Rule isp1vlan100server: match traffic from the untrust zone to destination 200.0.1.1, destination port TCP 2222, and translate the destination address and port to 172.16.100.22, TCP 22. Rule isp2vlan100server does the same for untrust2 and 200.0.2.1.
 rule name isp1vlan100server
  service tcp2222
  source-zone untrust
  destination-ip host 200.0.1.1
  action dnat ip-address 172.16.100.22 local-port 22
 rule name isp2vlan100server
  service tcp2222
  source-zone untrust2
  destination-ip host 200.0.2.1
  action dnat ip-address 172.16.100.22 local-port 22
# Rule vlan100toserver: match traffic from the trust zone to destination 200.0.1.1 or 200.0.2.1, destination port TCP 2222; translate the destination to 172.16.100.22, TCP 22, and at the same time translate the source to the address in NAT address group 5.
 rule name vlan100toserver
  service tcp2222
  source-zone trust
  destination-ip host 200.0.1.1
  destination-ip host 200.0.2.1
  action snat address-group 5 vrrp 5
  action dnat ip-address 172.16.100.22 local-port 22
# Rule vlan100snat1: match traffic from trust to untrust with source 172.16.100.0/24 and translate the source to the address in NAT address group 1. Rule vlan100snat2 does the same for untrust2 and address group 2.
 rule name vlan100snat1
  source-zone trust
  destination-zone untrust
  source-ip subnet 172.16.100.0 24
  action snat address-group 1 vrrp 1
 rule name vlan100snat2
  source-zone trust
  destination-zone untrust2
  source-ip subnet 172.16.100.0 24
  action snat address-group 2 vrrp 2
#
6、
#
security-policy ip
# Rule 1, trust2untrust: source zone trust, destination zone untrust or untrust2, source 172.16.100.0/24, action pass. (Internal VLAN 100 access to the Internet.)
 rule 1 name trust2untrust
  action pass
  source-zone trust
  destination-zone untrust
  destination-zone untrust2
  source-ip-subnet 172.16.100.0 255.255.255.0
# Rule 5, 2vlan100server: source zone untrust or untrust2, destination zone trust, destination 172.16.100.22/32, action pass. (Public-side access to the internal server.)
 rule 5 name 2vlan100server
  action pass
  source-zone untrust
  source-zone untrust2
  destination-zone trust
  destination-ip-host 172.16.100.22
# Rule 10, nqa: source zone local (the firewall itself), destination zone untrust or untrust2, action pass. (The firewall's NQA probes to the ISP gateway addresses.)
 rule 10 name nqa
  action pass
  source-zone local
  destination-zone untrust
  destination-zone untrust2
# Rule 15, vlan100toserver: source zone trust, destination 172.16.100.22, action pass. (Internal hosts reaching the server through its public address.)
 rule 15 name vlan100toserver
  action pass
  source-zone trust
  destination-ip-host 172.16.100.22
#
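The NAT global policy in step 5 and the security policy in step 6 work together: the security policy sees the post-DNAT destination but the pre-SNAT source. The following Python model, added here and not part of the case or of H3C's software, encodes both rule sets as configured above and walks sample flows through them; the zone-by-destination-network lookup and the sample source addresses are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
SERVER, LAN = "172.16.100.22", ipaddress.ip_network("172.16.100.0/24")
# Assumed zone lookup by destination network (the real box derives it from the egress interface).
ZONES = {"172.16.100.0/24": "trust", "10.0.1.0/24": "trust",
         "200.0.1.0/24": "untrust", "200.0.2.0/24": "untrust2"}
Pkt = namedtuple("Pkt", "src_zone src dst dport proto", defaults=("tcp",))

def zone_of(ip):
    a = ipaddress.ip_address(ip)
    return next((z for n, z in ZONES.items() if a in ipaddress.ip_network(n)), "unknown")

# nat global-policy, in configured order:
# (name, source-zone, destination-zone, destination-ip hosts, tcp port, source-ip subnet, snat ip, dnat)
NAT_RULES = [
    ("isp1vlan100server", "untrust", None, {"200.0.1.1"}, 2222, None, None, (SERVER, 22)),
    ("isp2vlan100server", "untrust2", None, {"200.0.2.1"}, 2222, None, None, (SERVER, 22)),
    ("vlan100toserver", "trust", None, {"200.0.1.1", "200.0.2.1"}, 2222, None, "10.0.1.1", (SERVER, 22)),
    ("vlan100snat1", "trust", "untrust", None, None, LAN, "200.0.1.1", None),
    ("vlan100snat2", "trust", "untrust2", None, None, LAN, "200.0.2.1", None),
]
# security-policy ip, in rule order: (name, source-zones, destination-zones, destination-ip-host, source-ip-subnet)
SEC_RULES = [
    ("trust2untrust", {"trust"}, {"untrust", "untrust2"}, None, LAN),
    ("2vlan100server", {"untrust", "untrust2"}, {"trust"}, SERVER, None),
    ("nqa", {"local"}, {"untrust", "untrust2"}, None, None),
    ("vlan100toserver", {"trust"}, None, SERVER, None),
]

def match_nat(p):
    for r in NAT_RULES:
        _, sz, dz, hosts, port, subnet, _, _ = r
        if (sz == p.src_zone and (not dz or dz == zone_of(p.dst))
                and (not hosts or p.dst in hosts)
                and (not port or (p.proto, p.dport) == ("tcp", port))
                and (not subnet or ipaddress.ip_address(p.src) in subnet)):
            return r
    return None

def match_sec(p):
    for name, szs, dzs, host, subnet in SEC_RULES:
        if (p.src_zone in szs and (not dzs or zone_of(p.dst) in dzs)
                and (not host or p.dst == host)
                and (not subnet or ipaddress.ip_address(p.src) in subnet)):
            return name
    return None  # nothing matched: the policy's default action drops the packet

def process(p):
    """Firewall order: DNAT, then security policy (post-DNAT destination, pre-SNAT source),
    then SNAT. Returns (nat rule, security rule, forwarded packet); the last two are None if dropped."""
    nat = match_nat(p)
    if nat and nat[7]:
        p = p._replace(dst=nat[7][0], dport=nat[7][1])
    sec = match_sec(p)
    if sec is None:
        return (nat[0] if nat else None, None, None)
    if nat and nat[6]:
        p = p._replace(src=nat[6])
    return (nat[0] if nat else None, sec, p)
```

Walking flows through it shows that the only inbound exposure is TCP 2222 on each VRRP address, rewritten to the server's port 22 and admitted by rule 5, while a connection to port 22 on the same public address matches no DNAT rule and is dropped; the hairpin flow from VLAN 100 is admitted by rule 15 only because rule 1 no longer matches once the destination has become the trust-zone server.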
(3)
1、
# Core switch IRF configuration
# Core switch 6
system-view
#
sysname COREsw
#
interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50
 shutdown
 quit
#
irf-port 1/1
 port group interface Ten-GigabitEthernet1/0/49
 port group interface Ten-GigabitEthernet1/0/50
 quit
#
interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50
 undo shutdown
 quit
#
# Activate the IRF configuration and save
#
irf-port-configuration active
save force
#

# Core switch 7
system-view
#
sysname COREsw2
#
interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50
 shutdown
 quit
#
irf-port 1/2
 port group interface Ten-GigabitEthernet1/0/49
 port group interface Ten-GigabitEthernet1/0/50
 quit
#
interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50
 undo shutdown
 quit
#
irf-port-configuration active
#
# Change the member ID of core switch 7 to 2, save the configuration, and reboot
#
irf member 1 renumber 2
save force
#

# Core switch BFD MAD detection configuration
#
vlan 4000
 port GigabitEthernet 1/0/48 GigabitEthernet 2/0/48
 quit
#
interface Vlan-interface4000
 mad bfd enable
 mad ip address 1.1.1.5 255.255.255.252 member 1
 mad ip address 1.1.1.6 255.255.255.252 member 2
 quit
#
2、
# Create VLAN 10 for the link to the firewalls and configure its interconnect IP
#
vlan 10
 port GigabitEthernet 1/0/5 GigabitEthernet 2/0/5
#
interface Vlan-interface10
 ip address 10.0.1.4 255.255.255.0
#
# Point the default route at the VRRP virtual address of the firewalls' internal interface
#
ip route-static 0.0.0.0 0 10.0.1.1
#
3、
# Create the user VLAN 100 and Layer 2 aggregate interface 100, and add the internal interfaces G1/0/6 and G2/0/6 to aggregate 100. Follow this order: create the aggregate interface, add the member interfaces (with no other configuration on them) to it, then enter the aggregate interface and complete the VLAN configuration.
#
vlan 100
#
interface Bridge-Aggregation100
 quit
#
interface range GigabitEthernet 1/0/6 GigabitEthernet2/0/6
 port link-aggregation group 100
 quit
#
interface Bridge-Aggregation100
 port link-type trunk
 port trunk permit vlan 100
#
# Configure the VLAN 100 gateway interface Vlan-interface100 with address 172.16.100.1/24
#
interface Vlan-interface100
 ip address 172.16.100.1 255.255.255.0
#
# Configure the DHCP address pool named vlan100: gateway 172.16.100.1, DNS 114.114.114.114, network 172.16.100.0/24, assignable range 172.16.100.10 to 172.16.100.254. 172.16.100.22 is excluded from automatic assignment, and 172.16.100.15 is statically bound to the host with MAC address 90b0-b0f5-0a06.
#
dhcp server ip-pool vlan100
 gateway-list 172.16.100.1
 network 172.16.100.0 mask 255.255.255.0
 address range 172.16.100.10 172.16.100.254
 dns-list 114.114.114.114
 forbidden-ip 172.16.100.22
 static-bind ip-address 172.16.100.15 mask 255.255.255.0 hardware-address 90b0-b0f5-0a06
#
# Enable the DHCP server
#
dhcp enable
#
# Save the configuration
#
save force
(4)
1、
# Create the user VLAN 100
#
system-view
#
sysname ACCESSsw1
#
vlan 100
#
# Configure Layer 2 aggregate interface 100, add the uplink interfaces G1/0/6 and G1/0/7 to it, and permit VLAN 100 on it. Follow this order: create the aggregate interface, add the member interfaces (with no other configuration on them) to it, then enter the aggregate interface and complete the VLAN configuration.
#
interface Bridge-Aggregation100
 quit
#
interface range GigabitEthernet 1/0/6 GigabitEthernet1/0/7
 port link-aggregation group 100
 quit
#
interface Bridge-Aggregation100
 port link-type trunk
 port trunk permit vlan 100
#
# Put the downlink interfaces that connect endpoints into VLAN 100 and enable STP edge port on them
#
interface GigabitEthernet1/0/1
 port access vlan 100
 stp edged-port
#
interface GigabitEthernet1/0/2
 port access vlan 100
 stp edged-port
#
interface GigabitEthernet1/0/3
 port access vlan 100
 stp edged-port
#
# Save the configuration
save force
1、
# FW1:
RBM_P<FW1>dis remote-backup-group status
Remote backup group information:
  Backup mode: Active/standby                        <-- backup group mode is active/standby
  Device management role: Primary                    <-- device management role is primary
  Device running status: Active                      <-- device running status is active
  Data channel interface: Route-Aggregation64
  Local IP: 1.1.1.1
  Remote IP: 1.1.1.2
  Destination port: 60064
  Control channel status: Connected
  Keepalive interval: 1s
  Keepalive count: 10
  Configuration consistency check interval: 24 hour
  Configuration consistency check result: Not Performed
  Configuration backup status: Auto sync enabled
  Session backup status: Hot backup enabled
  Delay-time: 10 min
  Uptime since last switchover: 0 days, 15 hours, 29 minutes
  Switchover records:
    Time                     Status change        Cause
    2023-02-25 22:31:08      Standby to Active    Interface status changed
RBM_P<FW1>
RBM_P<FW1>dis vrrp
IPv4 Virtual Router Information:
 Running mode : Standard
 RBM control channel is established
   VRRP active group status : Master
   VRRP standby group status: Master
 Total number of virtual routers : 3
 Interface          VRID  State        Running Adver   Auth            Virtual
                                       Pri     Timer   Type            IP
 ----------------------------------------------------------------------------
 GE1/0/1            1     Master       100     100     Not supported   200.0.1.1
 GE1/0/2            2     Master       100     100     Not supported   200.0.2.1
 GE1/0/5            10    Master       100     100     Not supported   10.0.1.1
RBM_P<FW1>

# FW2:
RBM_S<FW2>dis remote-backup-group status
Remote backup group information:
  Backup mode: Active/standby
  Device management role: Secondary
  Device running status: Standby
  Data channel interface: Route-Aggregation64
  Local IP: 1.1.1.2
  Remote IP: 1.1.1.1
  Destination port: 60064
  Control channel status: Connected
  Keepalive interval: 1s
  Keepalive count: 10
  Configuration consistency check interval: 24 hour
  Configuration consistency check result: Not Performed
  Configuration backup status: Auto sync enabled
  Session backup status: Hot backup enabled
  Delay-time: 10 min
  Uptime since last switchover: 0 days, 15 hours, 32 minutes
  Switchover records:
    Time                     Status change        Cause
    2023-02-25 22:31:08      Active to Standby    Interface status changed
RBM_S<FW2>
RBM_S<FW2>dis vrrp
IPv4 Virtual Router Information:
 Running mode : Standard
 RBM control channel is established
   VRRP active group status : Backup
   VRRP standby group status: Backup
 Total number of virtual routers : 3
 Interface          VRID  State        Running Adver   Auth            Virtual
                                       Pri     Timer   Type            IP
 ----------------------------------------------------------------------------
 GE1/0/1            1     Backup       100     100     Not supported   200.0.1.1
 GE1/0/2            2     Backup       100     100     Not supported   200.0.2.1
 GE1/0/5            10    Backup       100     100     Not supported   10.0.1.1
RBM_S<FW2>
2、
<COREsw>dis irf
MemberID    Role    Priority  CPU-Mac         Description
 *+1        Master  1         902f-b99b-0604  ---
   2        Standby 1         9035-7748-0704  ---
--------------------------------------------------
 * indicates the device is the master.
 + indicates the device through which the user logs in.

 The bridge MAC of the IRF is: 902f-b99b-0600
 Auto upgrade                : yes
 Mac persistent              : 6 min
 Domain ID                   : 0
<COREsw>
3、
#
<PC1>dis ip int brief
*down: administratively down
(s): spoofing  (l): loopback
Interface           Physical Protocol IP address/Mask    VPN instance
GE0/1               up       up       172.16.100.15/24   --

<PC1>ping 200.0.1.254
Ping 200.0.1.254 (200.0.1.254): 56 data bytes, press CTRL+C to break
56 bytes from 200.0.1.254: icmp_seq=0 ttl=253 time=80.068 ms
56 bytes from 200.0.1.254: icmp_seq=1 ttl=253 time=105.987 ms
56 bytes from 200.0.1.254: icmp_seq=2 ttl=253 time=109.447 ms
56 bytes from 200.0.1.254: icmp_seq=3 ttl=253 time=104.588 ms
56 bytes from 200.0.1.254: icmp_seq=4 ttl=253 time=69.499 ms

--- Ping statistics for 200.0.1.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 69.499/93.918/109.447/16.055 ms
<PC1>%Feb 26 14:05:10:104 2023 PC1 PING/6/PING_STATISTICS: Ping statistics for 200.0.1.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 69.499/93.918/109.447/16.055 ms.

<PC1>ping 200.0.2.254
Ping 200.0.2.254 (200.0.2.254): 56 data bytes, press CTRL+C to break
56 bytes from 200.0.2.254: icmp_seq=0 ttl=253 time=2.502 ms
56 bytes from 200.0.2.254: icmp_seq=1 ttl=253 time=4.952 ms
56 bytes from 200.0.2.254: icmp_seq=2 ttl=253 time=1.950 ms
56 bytes from 200.0.2.254: icmp_seq=3 ttl=253 time=11.966 ms
56 bytes from 200.0.2.254: icmp_seq=4 ttl=253 time=10.717 ms

--- Ping statistics for 200.0.2.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.950/6.417/11.966/4.164 ms
<PC1>%Feb 26 14:05:13:660 2023 PC1 PING/6/PING_STATISTICS: Ping statistics for 200.0.2.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.950/6.417/11.966/4.164 ms.
<PC1>
<PC1>ssh 200.0.1.1 2222
Username: ssh
Press CTRL+C to abort.
Connecting to 200.0.1.1 port 2222.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
ssh@200.0.1.1's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Server1>
<Server1>quit

Connection to 200.0.1.1 closed.
<PC1>
<PC1>ssh 200.0.2.1 2222
Username: ssh
Press CTRL+C to abort.
Connecting to 200.0.2.1 port 2222.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
ssh@200.0.2.1's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Server1>
<Server1>quit
Connection to 200.0.2.1 closed.
<PC1>
4、
#
<ISP1>ssh 200.0.1.1 2222
Username: ssh
Press CTRL+C to abort.
Connecting to 200.0.1.1 port 2222.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
ssh@200.0.1.1's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Server1>

<ISP2>ssh 200.0.2.1 2222
Username: ssh
Press CTRL+C to abort.
Connecting to 200.0.2.1 port 2222.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
ssh@200.0.2.1's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<Server1>
I'd like to ask: could I use interface NAT instead, that is, nat server plus NAT hairpin on the internal interface? Does that work?
And can link load balancing also be done on top of it?
Yes. What you describe is interface NAT; this case uses policy NAT. Use either one, just don't mix them. The main catch is that some products' web UI only offers policy NAT and has no interface NAT; if your device is like that, the nat server and similar commands you configure on the CLI won't be visible in the web UI. Choose according to your needs.
This is a bug in the current simulator; everything related to session synchronization is broken.
Without session sync there's no way to verify it - -!
I couldn't get it to sync either when running the lab with vFW on PNET.