知

华三&华为防火墙三层主备组网典型配置

2025-12-04 发表

0关注
0收藏 20浏览

zhiliao_eYrXHs

zhiliao_eYrXHs 四段

粉丝：0人关注：0人

组网及说明

配置步骤

华三：

配置接口IPv4地址

<Router> system-view

[Router] interface gigabitethernet 1/0/7

[Router-GigabitEthernet1/0/7] ip address 2.1.1.15 255.255.255.0

[Router-GigabitEthernet1/0/7] quit

请参考以上步骤配置其他接口的IP地址，具体配置步骤略。

配置静态路由，保证网络路由可达

[Router] ip route-static 10.1.1.0 255.255.255.0 2.1.1.3

[Router] ip route-static 0.0.0.0 0.0.0.0 3.1.1.15

配置Switch A

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

[SwitchA] interface gigabitethernet 1/0/1

[SwitchA-GigabitEthernet1/0/1] port access vlan 10

[SwitchA-GigabitEthernet1/0/1] quit

[SwitchA] interface gigabitethernet 1/0/2

[SwitchA-GigabitEthernet1/0/2] port access vlan 10

[SwitchA-GigabitEthernet1/0/2] quit

[SwitchA] interface gigabitethernet 1/0/3

[SwitchA-GigabitEthernet1/0/3] port access vlan 10

[SwitchA-GigabitEthernet1/0/3] quit

配置Switch B

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

[SwitchB] interface gigabitethernet 1/0/1

[SwitchB-GigabitEthernet1/0/1] port access vlan 10

[SwitchB-GigabitEthernet1/0/1] quit

[SwitchB] interface gigabitethernet 1/0/2

[SwitchB-GigabitEthernet1/0/2] port access vlan 10

[SwitchB-GigabitEthernet1/0/2] quit

[SwitchB] interface gigabitethernet 1/0/3

[SwitchB-GigabitEthernet1/0/3] port access vlan 10

[SwitchB-GigabitEthernet1/0/3] quit

配置Device A

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

[DeviceA] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-0-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-0-trust-untrust] action pass

[DeviceA-security-policy-ip-0-trust-untrust] quit

[DeviceA-security-policy-ip] rule name vrrp1

[DeviceA-security-policy-ip-1-vrrp1] source-zone trust

[DeviceA-security-policy-ip-1-vrrp1] destination-zone local

[DeviceA-security-policy-ip-1-vrrp1] service vrrp

[DeviceA-security-policy-ip-1-vrrp1] action pass

[DeviceA-security-policy-ip-1-vrrp1] quit

[DeviceA-security-policy-ip] rule name vrrp2

[DeviceA-security-policy-ip-2-vrrp2] source-zone local

[DeviceA-security-policy-ip-2-vrrp2] destination-zone trust

[DeviceA-security-policy-ip-2-vrrp2] service vrrp

[DeviceA-security-policy-ip-2-vrrp2] action pass

[DeviceA-security-policy-ip-2-vrrp2] quit

[DeviceA-security-policy-ip] rule name vrrp3

[DeviceA-security-policy-ip-3-vrrp3] source-zone untrust

[DeviceA-security-policy-ip-3-vrrp3] destination-zone local

[DeviceA-security-policy-ip-3-vrrp3] service vrrp

[DeviceA-security-policy-ip-3-vrrp3] action pass

[DeviceA-security-policy-ip-3-vrrp3] quit

[DeviceA-security-policy-ip] rule name vrrp4

[DeviceA-security-policy-ip-4-vrrp4] source-zone local

[DeviceA-security-policy-ip-4-vrrp4] destination-zone untrust

[DeviceA-security-policy-ip-4-vrrp4] service vrrp

[DeviceA-security-policy-ip-4-vrrp4] action pass

[DeviceA-security-policy-ip-4-vrrp4] quit

[DeviceA-security-policy-ip] quit

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] quit

# 配置VRRP备份组，并与HA关联。实现HA对VRRP备份组的统一管理和流量引导。

RBM_P[DeviceA] interface gigabitethernet 1/0/1

RBM_P[DeviceA-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 active

RBM_P[DeviceA-GigabitEthernet1/0/1] quit

RBM_P[DeviceA] interface gigabitethernet 1/0/2

RBM_P[DeviceA-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.1.1.3 active

RBM_P[DeviceA-GigabitEthernet1/0/2] quit

配置Device B

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.1.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

[DeviceB] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] quit

RBM_S[DeviceB] interface gigabitethernet 1/0/1

RBM_S[DeviceB-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 standby

RBM_S[DeviceB-GigabitEthernet1/0/1] quit

RBM_S[DeviceB] interface gigabitethernet 1/0/2

RBM_S[DeviceB-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.1.1.3 standby

RBM_S[DeviceB-GigabitEthernet1/0/2] quit

华为

DeviceA

<HUAWEI> system-view

[HUAWEI] sysname DeviceA

[DeviceA] interface ge 0/0/1

[DeviceA-GE0/0/1] ip address 10.2.0.1 24

[DeviceA-GE0/0/1] quit

[DeviceA] interface ge 0/0/3

[DeviceA-GE0/0/3] ip address 10.3.0.1 24

[DeviceA-GE0/0/3] quit

[DeviceA] interface ge 0/0/7

[DeviceA-GE0/0/7] ip address 10.10.0.1 24

[DeviceA-GE0/0/7] quit
# [DeviceA] firewall zone untrust

[DeviceA-zone-untrust] add interface ge 0/0/1

[DeviceA-zone-untrust] quit

[DeviceA] firewall zone trust

[DeviceA-zone-trust] add interface ge 0/0/3

[DeviceA-zone-trust] quit

[DeviceA] firewall zone dmz

[DeviceA-zone-dmz] add interface ge 0/0/7

[DeviceA-zone-dmz] quit
# [DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#
[DeviceA] interface ge 0/0/1

[DeviceA-GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active

[DeviceA-GE0/0/1] quit
#
[DeviceA] interface ge 0/0/3

[DeviceA-GE0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active

[DeviceA-GE0/0/3] quit
# [DeviceA] security-policy

[DeviceA-policy-security] rule name ha_local_to_dmz

[DeviceA-policy-security-rule-ha_local_to_dmz] source-zone local dmz

[DeviceA-policy-security-rule-ha_local_to_dmz] destination-zone local dmz

[DeviceA-policy-security-rule-ha_local_to_dmz] service protocol udp destination-port 18514

[DeviceA-policy-security-rule-ha_local_to_dmz] action permit

[DeviceA-policy-security-rule-ha_local_to_dmz] quit

[DeviceA-policy-security] quit
#
[DeviceA] hrp interface ge 0/0/7 remote 10.10.0.2

[DeviceA] hrp authentication-key YsHsjx_202206

[DeviceA] hrp enable

# DeviceB

<HUAWEI> system-view

[HUAWEI] sysname DeviceB

[DeviceB] interface ge 0/0/1

[DeviceB-GE0/0/1] ip address 10.2.0.2 24

[DeviceB-GE0/0/1] quit

[DeviceB] interface ge 0/0/3

DeviceB-GE0/0/3] ip address 10.3.0.2 24

[DeviceB-GE0/0/3] quit

[DeviceB] interface ge 0/0/7

[DeviceB-GE0/0/7] ip address 10.10.0.2 24

[DeviceB-GE0/0/7] quit

#

[DeviceB] firewall zone untrust

[DeviceB-zone-untrust] add interface ge 0/0/1

[DeviceB-zone-untrust] quit

[DeviceB] firewall zone trust

[DeviceB-zone-trust] add interface ge 0/0/3

[DeviceB-zone-trust] quit

[DeviceB] firewall zone dmz

[DeviceB-zone-dmz] add interface ge 0/0/7

[DeviceB-zone-dmz] quit
# [DeviceB] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#
[DeviceB] interface ge 0/0/1

[DeviceB-GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby

[DeviceB-GE0/0/1] quit
[DeviceB] interface ge 0/0/3

[DeviceB-GE0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby

[DeviceB-GE0/0/3] quit

[DeviceB] security-policy

[DeviceB-policy-security] rule name ha_local_to_dmz

[DeviceB-policy-security-rule-ha_local_to_dmz] source-zone local dmz

[DeviceB-policy-security-rule-ha_local_to_dmz] destination-zone local dmz

[DeviceB-policy-security-rule-ha_local_to_dmz] service protocol udp destination-port 18514

[DeviceB-policy-security-rule-ha_local_to_dmz] action permit

[DeviceB-policy-security-rule-ha_local_to_dmz] quit

[DeviceB-policy-security] qui
[DeviceB] hrp interface ge 0/0/7 remote 10.10.0.1

[DeviceB] hrp authentication-key YsHsjx_202206

[DeviceB] hrp enable

HRP_M[DeviceA] security-policy

HRP_M[DeviceA-policy-security] rule name trust_to_untrust

HRP_M[DeviceA-policy-security-rule-trust_to_untrust] source-zone trust

HRP_M[DeviceA-policy-security-rule-trust_to_untrust] destination-zone untrust

HRP_M[DeviceA-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24

HRP_M[DeviceA-policy-security-rule-trust_to_untrust] action permit

HRP_M[DeviceA-policy-security-rule-trust_to_untrust] quit

HRP_M[DeviceA-policy-security] quit

HRP_M[DeviceA] nat address-group group1

HRP_M[DeviceA-address-group-group1] section 0 1.1.1.2 1.1.1.5

HRP_M[DeviceA-address-group-group1] quit

HRP_M[DeviceA] nat-policy

HRP_M[DeviceA-policy-nat] rule name policy_nat1

HRP_M[DeviceA-policy-nat-rule-policy_nat1] source-zone trust

HRP_M[DeviceA-policy-nat-rule-policy_nat1] destination-zone untrust

HRP_M[DeviceA-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16

HRP_M[DeviceA-policy-nat-rule-policy_nat1] action source-nat address-group group1

该案例对您是否有帮助：

您的评价：1

若您有关于案例的建议，请反馈：

作者在2025-12-04对此案例进行了修订

0 个评论

该案例暂时没有网友评论

编辑评论

侵犯我的权益 >

对根叔知了社区有害的内容 >

辱骂、歧视、挑衅等（不友善）

侵犯我的权益

泄露了我的隐私 >

侵犯了我企业的权益 >

抄袭了我的内容 >

诽谤我 >

辱骂、歧视、挑衅等（不友善）

骚扰我

泄露了我的隐私

您好，当您发现根叔知了上有泄漏您隐私的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您认为哪些内容泄露了您的隐私？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

侵犯了我企业的权益

您好，当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱，我们会在审核后尽快给您答复。

1. 您举报的内容是什么？（请在邮件中列出您举报的内容和链接地址）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）
3. 是哪家企业？（营业执照，单位登记证明等证件）
4. 您与该企业的关系是？（您是企业法人或被授权人，需提供企业委托授权书）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

原文链接或出处

诽谤我

您好，当您发现根叔知了上有诽谤您的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您举报的内容以及侵犯了您什么权益？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

垃圾广告信息

色情、暴力、血腥等违反法律法规的内容

政治敏感

不规范转载 >

辱骂、歧视、挑衅等（不友善）

骚扰我

诱导投票

不规范转载

举报说明

✖

案例意见反馈

➤

网站相关: 关于我们; 服务条款; 隐私政策; 帮助中心; 经验与权限; 积分规则

联系我们: 联系我们; 建议反馈

常用链接: 标杆的神器下载

关注我们: H3C官网; 新华三服务公众号; 安仔远程运维服务; 新华三商城

内容许可: 除特别说明外，用户内容均可采用知识共享署名-相同方式共享3.0中国大陆许可协议进行许可

本图标版权归新华三集团所有，仅限本社区使用，切勿用做商业目的，违者必究

浙ICP备09064986号-1 浙公网安备 33010802004416号

✖

亲~登录后才可以操作哦!

确定

✖

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

✖

你的邮箱还未认证，请认证邮箱或绑定手机后进行当前操作

✖

产品线		搜索取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式	默认策略匹配全词匹配整句

华三&华为防火墙三层主备组网典型配置

组网及说明

配置步骤

配置Switch A

配置Switch B

配置Device A

配置Device B

编辑评论

提出建议