V7防火墙RBM+VRRP主备部署作为园区出口(下行交换机使用IRF或单机)

本端接口

vlan/ip

补充

对端

运营商接入交换机

G1/0/1

VLAN10

ISP1

ISP1

G1/0/2

VLAN10

FW1:G1/0/1

G1/0/3

VLAN10

FW2:G1/0/1

G1/0/4

VLAN20

ISP2

G1/0/5

VLAN20

FW1:G1/0/2

G1/0/6

VLAN20

FW2:G1/0/2

出口防火墙FW1

G1/0/1

10.0.0.1/30

VRRP1:200.0.1.1/24 active

G1/0/2

10.0.0.5/30

VRRP2:200.0.2.1/24 active

G1/0/5

10.0.1.2/24

VRRP10:10.0.1.1/24 active

核心交换机6:G1/0/5

G1/0/22

Route-agg64，1.1.1.1/30

HA接口

FW2:G1/0/22

G1/0/23

FW2:G1/0/23

出口防火墙FW2

G1/0/1

10.0.0.2/30

VRRP1:200.0.1.1/24 standby

G1/0/2

10.0.0.6/30

VRRP2:200.0.2.1/24 standby

G1/0/5

10.0.1.3/24

VRRP10:10.0.1.1/24 standby

核心交换机7:G2/0/5

G1/0/22

Route-agg64，1.1.1.2/30

HA接口

FW1:G1/0/22

G1/0/23

FW1:G1/0/23

核心交换机6-slot1/核心交换机7-slot2(IRF)

G1/0/5

VLAN10

Vlan-int:10:10.0.1.4/24

FW1:G1/0/5

G2/0/5

VLAN10

FW2:G2/0/5

G1/0/48

VLAN4000

BFD MAD检测，1.1.1.5/30

核心交换机7:G2/0/48

G2/0/48

VLAN4000

BFD MAD检测，1.1.1.6/30

核心交换机6:G1/0/48

XG1/0/49

IRF-PORT1/1

IRF接口

核心交换机7:XG2/0/49

XG1/0/50

核心交换机7:XG2/0/50

XG2/0/49

IRF-PORT2/2

IRF接口

核心交换机6:XG1/0/49

XG2/0/50

核心交换机6:XG1/0/50

G1/0/6

Bridge-agg100

VLAN100

Trunk

Vlan-int100:172.16.100.1/24

接入交换机:G1/0/6

G2/0/6

接入交换机:G1/0/7

接入交换机

G1/0/6

Bridge-agg100

VLAN100

Trunk

核心交换机6:G1/0/6

G1/0/7

核心交换机7:G2/0/6

G1/0/1

Access

Vlan100

PC1

G1/0/2

PC2

G1/0/3

Server

终端

PC1

Dhcp自动获取

获取固定ip 172.16.100.15

接入交换机:G1/0/1

PC2

Dhcp自动获取

自动分配

接入交换机:G1/0/2

Server

172.16.100.22

对外提供ssh服务

接入交换机:G1/0/3

#创建vlan10，并将接口g1/0/1~g1/0/3划分到vlan10

#

system-view

#

vlan 10

port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3

quit

#

#创建vlan20，并将接口g1/0/4~g1/0/6划分到vlan20

#

vlan 20

port GigabitEthernet 1/0/4 GigabitEthernet 1/0/5 GigabitEthernet 1/0/6

quit

#

#保存配置

save force

#创建三层聚合口64，并将接口g1/0/22和接口g1/0/23加入该聚合口。该聚合口将作为FW之间RBM的数据/控制通道，同时为接口配置控制通道IP。

#

system-view

#

sysname FW1

#

interface Route-Aggregation64

ip address 1.1.1.1 255.255.255.252

#

interface GigabitEthernet1/0/22

port link-aggregation group 64

#

interface GigabitEthernet1/0/23

port link-aggregation group 64

#完成RBM配置，指定数据通道为Route-Aggregation64，HA回切时间为10分钟，控制通道本段ip地址为1.1.1.1，对端ip地址为1.1.1.2，本设备作为主管理设备。

remote-backup group

 data-channel interface Route-Aggregation64

 delay-time 10

 local-ip 1.1.1.1

 remote-ip 1.1.1.2

 device-role primary

#

#FW2此部分配置与FW1类似。

#

system-view

#

sysname FW2

#

interface Route-Aggregation64

ip address 1.1.1.2 255.255.255.252

#

interface GigabitEthernet1/0/22

port link-aggregation group 64

#

interface GigabitEthernet1/0/23

port link-aggregation group 64

#

remote-backup group

 data-channel interface Route-Aggregation64

 delay-time 10

 local-ip 1.1.1.2

 remote-ip 1.1.1.1

 device-role secondary

#

#ISP只提供了1个公网ip，所以防火墙上行连接到同一组ISP的接口可配置同网段的私网ip地址，将vrrp虚拟地址配置为ISP的ip地址即可，注意配置虚拟IP时需要配置掩码，掩码以ISP给的为准。

#配置VRRP时需要与RBM关联(主设备命令后增加active，反之standby)

#因防火墙为双出口，为了保证源进源出，在公网口配置ip last-hop hold。

#

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.0.0.1 255.255.255.252

vrrp vrid 1 virtual-ip 200.0.1.1 255.255.255.0 active

ip last-hop hold

#

interface GigabitEthernet1/0/2

port link-mode route

ip address 10.0.0.5 255.255.255.252

vrrp vrid 2 virtual-ip 200.0.2.1 255.255.255.0 active

ip last-hop hold

#

interface GigabitEthernet1/0/5

port link-mode route

ip address 10.0.1.2 255.255.255.0

vrrp vrid 10 virtual-ip 10.0.1.1 255.255.255.0 active

#

#FW2此部分配置与FW1类似。

#

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.0.0.2 255.255.255.252

vrrp vrid 1 virtual-ip 200.0.1.1 255.255.255.0 standby

ip last-hop hold

#

interface GigabitEthernet1/0/2

port link-mode route

ip address 10.0.0.6 255.255.255.252

vrrp vrid 2 virtual-ip 200.0.2.1 255.255.255.0 standby

ip last-hop hold

#

interface GigabitEthernet1/0/5

port link-mode route

ip address 10.0.1.3 255.255.255.0

vrrp vrid 10 virtual-ip 10.0.1.1 255.255.255.0 standby

#

#完成nqa配置，用于探测防火墙到各ISP网关地址的连通性，探测方式为icmp，探测间隔为100ms，超时时间为500ms，连续5次不通即探测失败。

#

nqa entry isp1 main

type icmp-echo

destination ip 200.0.1.254

frequency 1000

next-hop ip 200.0.1.254

probe timeout 500

reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only

#             

nqa entry isp2 main

type icmp-echo

destination ip 200.0.2.254

frequency 1000

next-hop ip 200.0.2.254

probe timeout 500

reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only

#

#启动nqa探测，并配置track项与nqa联动

#

nqa schedule isp1 main start-time now lifetime forever

nqa schedule isp2 main start-time now lifetime forever

#

track 1 nqa entry isp1 main reaction 1

#

track 2 nqa entry isp2 main reaction 1

#

#配置缺省路由与track项关联，同时配置去往内网vlan100的回程路由

#

ip route-static 0.0.0.0 0 200.0.1.254 track 1

ip route-static 0.0.0.0 0 200.0.2.254 track 2

ip route-static 172.16.100.0 24 10.0.1.4

#

#FW2此部分配置与FW1类似。

#

nqa entry isp1 main

type icmp-echo

destination ip 200.0.1.254

frequency 1000

next-hop ip 200.0.1.254

probe timeout 500

reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only

#             

nqa entry isp2 main

type icmp-echo

destination ip 200.0.2.254

frequency 1000

next-hop ip 200.0.2.254

probe timeout 500

reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only

#

nqa schedule isp1 main start-time now lifetime forever

nqa schedule isp2 main start-time now lifetime forever

#

track 1 nqa entry isp1 main reaction 1

#

track 2 nqa entry isp2 main reaction 1

#

ip route-static 0.0.0.0 0 200.0.1.254 track 1

ip route-static 0.0.0.0 0 200.0.2.254 track 2

ip route-static 172.16.100.0 24 10.0.1.4

#

#配置将内网接口g1/0/5加入trust区域，将ISP1接口g1/0/1加入untrust区域，将ISP2接口g1/0/2加入untrust2区域。

#

security-zone name Trust

import interface GigabitEthernet1/0/5

quit

#

security-zone name Untrust

import interface GigabitEthernet1/0/1

quit

#

security-zone name Untrust2

import interface GigabitEthernet1/0/2

quit

#

#配置服务对象组，用于匹配访问tcp目的端口为2222的流量

#

object-group service tcp2222

0 service tcp destination eq 2222

quit

#

#配置nat地址组，用于源地址转换，同时各地址组与接口的VRRP备份组关联

#

nat address-group 1 name isp1

address 200.0.1.1 200.0.1.1

vrrp vrid 1

quit

#

nat address-group 2 name isp2

address 200.0.2.1 200.0.2.1

vrrp vrid 2

quit

#

nat address-group 5 name trust

address 10.0.1.1 10.0.1.1

vrrp vrid 5

quit

#

nat global-policy

 #配置名为isp1vlan100server的规则，用于匹配由untrust域访问目的地址为200.0.1.1，目的端口为tcp 2222的流量，匹配上后执行目的地址+端口转换，转换后的目的ip为172.16.100.22，目的端口为tcp 22.

 rule name isp1vlan100server

  service tcp2222

  source-zone untrust

  destination-ip host 200.0.1.1

  action dnat ip-address 172.16.100.22 local-port 22

 rule name isp2vlan100server

  service tcp2222

  source-zone untrust2

  destination-ip host 200.0.2.1

  action dnat ip-address 172.16.100.22 local-port 22

#配置名为vlan100toserver的规则，用于匹配由trust域访问目的地址为200.0.1.1或200.0.2.1，目的端口为tcp 2222的流量，匹配上后执行目的地址+端口转换，转换后的目的ip为172.16.100.22，目的端口为tcp 22。同时执行源地址转换，转换后的源ip为nat地址组5中的地址。

rule name vlan100toserver

 service tcp2222

 source-zone trust

 destination-ip host 200.0.1.1

 destination-ip host 200.0.2.1

 action snat address-group 5 vrrp 5

 action dnat ip-address 172.16.100.22 local-port 22

#配置名为vlan100snat1的规则，用于匹配由trust域到untrust域，源地址为172.16.100.0/24的流量，匹配上后执行源地址转换，转换后的源ip为nat地址组1中的地址。

 rule name vlan100snat1

  source-zone trust

  destination-zone untrust

  source-ip subnet 172.16.100.0 24

  action snat address-group 1 vrrp 1

 rule name vlan100snat2

  source-zone trust

  destination-zone untrust2

  source-ip subnet 172.16.100.0 24

  action snat address-group 2 vrrp 2

#

#

security-policy ip

#创建名为trust2untrust的安全策略规则rule 1，匹配源域为trust，目的域为untrust或untrust2，源地址为172.16.100.0/24的流量，动作为允许。（对应内网vlan100访问互联网的需求）

 rule 1 name trust2untrust

  action pass

  source-zone trust

  destination-zone untrust

  destination-zone untrust2

  source-ip-subnet 172.16.100.0 255.255.255.0

#创建名为2vlan100server的安全策略规则rule 5，匹配源域为untrust或untrust2，目的域为trust，目的地址为172.16.100.22/32的流量，动作为允许。（对应公网侧访问内网server的需求）

 rule 5 name 2vlan100server

  action pass

  source-zone untrust

  source-zone untrust2

  destination-zone trust

  destination-ip-host 172.16.100.22

#创建名为nqa的安全策略规则rule 10，匹配源域为local即防火墙自身，目的域为untrust或untrust2的流量，动作为允许。（对应防火墙nqa探测ISP网关地址的需求）

 rule 10 name nqa

  action pass

  source-zone local

  destination-zone untrust

  destination-zone untrust2

#创建名为vlan100toserver的安全策略规则rule 15，匹配源域为trust，目的地址为172.16.100.22的流量，动作为允许。（对应内网使用公网地址访问server的需求）

 rule 15 name vlan100toserver

  action pass

  source-zone trust

  destination-ip-host 172.16.100.22

#

#核心交换机IRF配置，

#核心交换机6

system-view

#

sysname COREsw

#

interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50

shutdown

quit

#

irf-port 1/1

port group interface Ten-GigabitEthernet1/0/49

port group interface Ten-GigabitEthernet1/0/50

quit

#

interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50

undo shutdown

quit

#

#激活IRF配置，保存配置

#

irf-port-configuration active

save force

#

#核心交换机7

system-view

#

sysname COREsw2

#

interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50

shutdown

quit

#

irf-port 1/2

port group interface Ten-GigabitEthernet1/0/49

port group interface Ten-GigabitEthernet1/0/50

quit

#

interface range Ten-GigabitEthernet 1/0/49 Ten-GigabitEthernet1/0/50

undo shutdown

quit

#

irf-port-configuration active

#

#修改核心交换机7的成员编号为2，最后保存配置，重启即可

#

irf member 1 renumber 2

save force

#

#核心交换机BFD MAD检测配置

#

vlan 4000

port GigabitEthernet 1/0/48 GigabitEthernet 2/0/48

quit

#

interface Vlan-interface4000

mad bfd enable

mad ip address 1.1.1.5 255.255.255.252 member 1

mad ip address 1.1.1.6 255.255.255.252 member 2

quit

#

#创建与防火墙互联的vlan10，并配置互联ip

#

vlan 10

port GigabitEthernet 1/0/5 GigabitEthernet 2/0/5

#

interface Vlan-interface10

ip address 10.0.1.4 255.255.255.0

#

#配置缺省路由指向防火墙内网口vrrp虚拟地址

#

 ip route-static 0.0.0.0 0 10.0.1.1

#

#创建业务vlan100，并配置二层聚合口100，将内网接口g1/0/6和g2/0/6加入聚合100。这里需要按照：创建聚合口、接口空配加入聚合口、进入聚合口完成vlan配置的顺序操作。

#

vlan 100

#

interface Bridge-Aggregation100

quit

#

interface range GigabitEthernet 1/0/6 GigabitEthernet2/0/6

port link-aggregation group 100

quit

#

interface Bridge-Aggregation100

 port link-type trunk

 port trunk permit vlan 100

#

#配置vlan100网关接口vlan-int100，地址为172.16.100.1/24

#

interface Vlan-interface100

 ip address 172.16.100.1 255.255.255.0

#

#配置名为vlan100的dhcp地址池，分配网关地址172.16.100.1，dns地址114.114.114.114。分配的网段为172.16.100.0/24，分配的地址范围为172.16.100.10~172.16.100.254。其中172.16.100.22不参与自动分配，172.16.100.15固定分配给mac地址为90b0-b0f5-0a06的终端。

#

dhcp server ip-pool vlan100

 gateway-list 172.16.100.1

 network 172.16.100.0 mask 255.255.255.0

 address range 172.16.100.10 172.16.100.254

 dns-list 114.114.114.114

 forbidden-ip 172.16.100.22

 static-bind ip-address 172.16.100.15 mask 255.255.255.0 hardware-address 90b0-b0f5-0a06

#

#开启dhcp服务器功能

#

dhcp enable

#

#保存配置

#

save force

#创建业务vlan100

#

system-view

#

sysname ACCESSsw1

#

vlan 100

#

#配置二层聚合口100，将上行接口g1/0/6和g1/0/7加入二层聚合口100，同时放行vlan100。这里需要按照：创建聚合口、接口空配加入聚合口、进入聚合口完成vlan配置的顺序操作。

#

interface Bridge-Aggregation100

quit

#

interface range GigabitEthernet 1/0/6 GigabitEthernet1/0/7

port link-aggregation group 100

quit

#

interface Bridge-Aggregation100

port link-type trunk

port trunk permit vlan 100

#

#配置下行接终端的接口加入vlan100，并开启stp边缘端口

#

interface GigabitEthernet1/0/1

port access vlan 100

stp edged-port

#

interface GigabitEthernet1/0/2

port access vlan 100

stp edged-port

#             

interface GigabitEthernet1/0/3

port access vlan 100

stp edged-port

#

#保存配置

save force

#FW1：

RBM_P<FW1>dis remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby    -----------备份组模式为主/备

  Device management role: Primary -----------设备管理状态为主

  Device running status: Active     -----------设备运行状态为主

  Data channel interface: Route-Aggregation64

  Local IP: 1.1.1.1

  Remote IP: 1.1.1.2    Destination port: 60064

  Control channel status: Connected

  Keepalive interval: 1s

  Keepalive count: 10

  Configuration consistency check interval: 24 hour

  Configuration consistency check result: Not Performed

  Configuration backup status: Auto sync enabled

  Session backup status: Hot backup enabled

  Delay-time: 10 min

  Uptime since last switchover: 0 days, 15 hours, 29 minutes

  Switchover records:

    Time                  Status change        Cause

    2023-02-25 22:31:08   Standby to Active    Interface status changed

RBM_P<FW1> 

RBM_P<FW1>dis vrrp

IPv4 Virtual Router Information: 

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Master

   VRRP standby group status: Master

 Total number of virtual routers : 3

 Interface          VRID  State        Running Adver   Auth             Virtual

                                       Pri     Timer   Type             IP

 ----------------------------------------------------------------------------

 GE1/0/1            1     Master       100     100     Not supported    200.0.1.1      

 GE1/0/2            2     Master       100     100     Not supported    200.0.2.1      

 GE1/0/5            10    Master       100     100     Not supported    10.0.1.1       

RBM_P<FW1>

#FW2:

RBM_S<FW2>dis remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device management role: Secondary

  Device running status: Standby

  Data channel interface: Route-Aggregation64

  Local IP: 1.1.1.2

  Remote IP: 1.1.1.1    Destination port: 60064

  Control channel status: Connected

  Keepalive interval: 1s

  Keepalive count: 10

  Configuration consistency check interval: 24 hour

  Configuration consistency check result: Not Performed

  Configuration backup status: Auto sync enabled

  Session backup status: Hot backup enabled

  Delay-time: 10 min

  Uptime since last switchover: 0 days, 15 hours, 32 minutes

  Switchover records:

    Time                  Status change        Cause

    2023-02-25 22:31:08   Active to Standby    Interface status changed

RBM_S<FW2>

RBM_S<FW2>dis vrrp

IPv4 Virtual Router Information: 

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Backup

   VRRP standby group status: Backup

 Total number of virtual routers : 3

 Interface          VRID  State        Running Adver   Auth             Virtual

                                       Pri     Timer   Type             IP

 ----------------------------------------------------------------------------

 GE1/0/1            1     Backup       100     100     Not supported    200.0.1.1      

 GE1/0/2            2     Backup       100     100     Not supported    200.0.2.1      

 GE1/0/5            10    Backup       100     100     Not supported    10.0.1.1       

RBM_S<FW2>

<COREsw>dis irf

MemberID    Role    Priority  CPU-Mac         Description

 *+1        Master  1         902f-b99b-0604  ---

   2        Standby 1         9035-7748-0704  ---

--------------------------------------------------

 * indicates the device is the master.

 + indicates the device through which the user logs in.

 The bridge MAC of the IRF is: 902f-b99b-0600

 Auto upgrade                : yes

 Mac persistent              : 6 min

 Domain ID                   : 0

<COREsw>

#

<PC1>dis ip int brief

*down: administratively down

(s): spoofing  (l): loopback

Interface      Physical Protocol   IP address/Mask    VPN instance

GE0/1        up       up       172.16.100.15/24   --          

<PC1>ping 200.0.1.254

Ping 200.0.1.254 (200.0.1.254): 56 data bytes, press CTRL+C to break

56 bytes from 200.0.1.254: icmp_seq=0 ttl=253 time=80.068 ms

56 bytes from 200.0.1.254: icmp_seq=1 ttl=253 time=105.987 ms

56 bytes from 200.0.1.254: icmp_seq=2 ttl=253 time=109.447 ms

56 bytes from 200.0.1.254: icmp_seq=3 ttl=253 time=104.588 ms

56 bytes from 200.0.1.254: icmp_seq=4 ttl=253 time=69.499 ms

--- Ping statistics for 200.0.1.254 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 69.499/93.918/109.447/16.055 ms

<PC1>%Feb 26 14:05:10:104 2023 PC1 PING/6/PING_STATISTICS: Ping statistics for 200.0.1.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 69.499/93.918/109.447/16.055 ms.

<PC1>ping 200.0.2.254

Ping 200.0.2.254 (200.0.2.254): 56 data bytes, press CTRL+C to break

56 bytes from 200.0.2.254: icmp_seq=0 ttl=253 time=2.502 ms

56 bytes from 200.0.2.254: icmp_seq=1 ttl=253 time=4.952 ms

56 bytes from 200.0.2.254: icmp_seq=2 ttl=253 time=1.950 ms

56 bytes from 200.0.2.254: icmp_seq=3 ttl=253 time=11.966 ms

56 bytes from 200.0.2.254: icmp_seq=4 ttl=253 time=10.717 ms

--- Ping statistics for 200.0.2.254 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.950/6.417/11.966/4.164 ms

<PC1>%Feb 26 14:05:13:660 2023 PC1 PING/6/PING_STATISTICS: Ping statistics for 200.0.2.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.950/6.417/11.966/4.164 ms.

<PC1>

<PC1>ssh 200.0.1.1 2222

Username: ssh

Press CTRL+C to abort.

Connecting to 200.0.1.1 port 2222.

The server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

ssh@200.0.1.1's password:

Enter a character ~ and a dot to abort.

******************************************************************************

* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<Server1>

<Server1>quit

Connection to 200.0.1.1 closed.

<PC1>

<PC1>ssh 200.0.2.1 2222

Username: ssh

Press CTRL+C to abort.

Connecting to 200.0.2.1 port 2222.

The server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

ssh@200.0.2.1's password:

Enter a character ~ and a dot to abort.

******************************************************************************

* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<Server1>

<Server1>quit

Connection to 200.0.2.1 closed.

<PC1>

#

<ISP1>ssh 200.0.1.1 2222

Username: ssh

Press CTRL+C to abort.

Connecting to 200.0.1.1 port 2222.

The server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

ssh@200.0.1.1's password:

Enter a character ~ and a dot to abort.

******************************************************************************

* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<Server1>

<ISP2>ssh 200.0.2.1 2222

Username: ssh

Press CTRL+C to abort.

Connecting to 200.0.2.1 port 2222.

The server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

ssh@200.0.2.1's password:

Enter a character ~ and a dot to abort.

******************************************************************************

* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<Server1>