H3C Firewall and UTM Series Products Typical Configuration Examples-6W101-H3C Firewall Card + S5800 IRF Transparent-Mode Stateful Failover Typical Configuration Example

H3C Firewall Card + S5800 IRF Transparent-Mode Stateful Failover Typical Configuration Example

Copyright © 2013 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced, or transmitted in any form by any organization or individual without the prior written consent of the company. The information in this document is subject to change without notice.

Contents

1 Feature Overview
  1.1 IRF
  1.2 Stateful Failover
  1.3 Link Aggregation
  1.4 Smart Link
2 Application Scenarios
3 Precautions
4 Prerequisites
5 Configuration Example
  5.1 Network Requirements and Configuration Approach
  5.2 Software Versions
  5.3 Configuration Steps
    5.3.1 S5800-1
    5.3.2 S5800-2
    5.3.3 S5800-1 Configuration After Stacking Succeeds
    5.3.4 FW1 Configuration
    5.3.5 FW2 Configuration
  5.4 Configuration Files
    5.4.1 S5800-1 Configuration After Stacking Succeeds
    5.4.2 S5800-2
    5.4.3 FW1
    5.4.4 FW2
6 Related Documentation

1 Feature Overview

1.1 IRF

IRF (Intelligent Resilient Framework) is a software virtualization technology developed by H3C. Its core idea is to connect multiple devices through IRF physical ports and, after the necessary configuration, virtualize them into a single "distributed device". This virtualization technology pools the hardware resources and software processing capability of multiple devices, so that the devices work together, are managed as one, and can be maintained without interruption. IRF has the following main advantages:

• Simplified management. Once the IRF is formed, a user can log in to the IRF system through any port of any member device and manage all member devices in the IRF in a unified way.
• High reliability. The high reliability of IRF shows in several ways. For example, an IRF consists of multiple member devices: the Master device is responsible for running, managing and maintaining the IRF, while Slave devices act as backups and can also process services. If the Master device fails, the system quickly and automatically elects a new Master so that services are not interrupted, which gives 1:N device backup. In addition, the IRF links between member devices support aggregation, and so do the physical links between the IRF and the upper-layer and lower-layer devices. Multiple links can back each other up or share load, which further improves the reliability of the IRF.
• Powerful network scalability. Adding member devices easily expands the port count and bandwidth of the IRF. Because each member device has its own CPU and can process protocol packets and forward packets independently, the processing capacity of the IRF can be expanded just as easily.

1.2 Stateful Failover

As users demand ever higher network reliability, ensuring uninterrupted network transmission has become a problem that must be solved. The network must run without interruption particularly at the entry or access points of important services, such as an enterprise's Internet access point or a bank's database servers. If only one device is used at such a point, then no matter how reliable it is, the system inevitably bears the risk of a service interruption caused by a single point of failure. Stateful failover was introduced to solve this problem. A backup link is established between two devices that have stateful failover enabled, which provides service backup between the two devices (the supported services include NAT, ALG, Portal, IPSec, blacklist, DHCP server, load balancing and ASPF) and configuration synchronization between the two devices.

1.3 Link Aggregation

Ethernet link aggregation, or link aggregation for short, bundles multiple Ethernet physical links into one logical link in order to increase link bandwidth. The bundled links also back each other up dynamically, which effectively improves link reliability.

1.4 Smart Link

When a downstream device connects to an upstream device, a single uplink is prone to a single point of failure that interrupts services. Dual uplinks are therefore commonly used: one downstream device is connected to two upstream devices at the same time, to avoid single points of failure as far as possible and improve network reliability. Dual-uplink networking improves reliability but introduces a loop problem. To meet users' requirements for fast link convergence while keeping configuration simple, we proposed the Smart Link solution for dual-uplink networking. It provides redundant backup between a primary link and a backup link, and switches traffic quickly to the backup link after the primary link fails, so it converges quickly. The main features of Smart Link are:

• Dedicated to dual-uplink networking;
• Fast convergence (sub-second);
• Simple configuration that is easy for users to operate.

2 Application Scenarios

This networking scheme has the following characteristics:

• High reliability: the scheme uses IRF, link aggregation, stateful failover and Smart Link, which gives the whole solution high reliability;
• Short failure recovery time: the switchover time for a link failure is < 1 second; the switchover time for a device failure is < 3 seconds.

Given these characteristics, the scheme is suitable for deploying a pair of SecBlade FW cards in transparent mode.

3 Precautions

• Case 1: The logic version of the FW card must be upgraded to 4.0 or later. Otherwise, restarting the FW card may cause an excessively long traffic interruption.
• Case 2: When the physical state of the internal 10GE interface between the S5800 and the FW card is UP, an abnormal condition in which the FW card stops forwarding packets internally cannot be detected, and traffic is interrupted. There is currently no good solution to this problem, and it is listed as a defect for now.
• Case 3: This scheme applies only when each switch is fitted with one FW card.

4 Prerequisites

The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the devices, make sure that the existing configuration does not conflict with the configuration in the following example.

5 Configuration Example

5.1 Network Requirements and Configuration Approach

This scheme is an S5800 IRF + SecBlade FW transparent-mode stateful failover network:

• Two S5800 switches form an IRF;
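• Each S5800 is fitted with one SecBlade FW card;
• VLAN 119 and VLAN 121 communicate at Layer 2 across VLANs through virtual firewall 1 (VFW1) on the SecBlade FW card;
• VLAN 118 and VLAN 120 communicate at Layer 2 across VLANs through virtual firewall 2 (VFW2) on the SecBlade FW card;
• The two SecBlade FW cards form a stateful failover pair and are required to support asymmetric paths between the two devices;
• Smart Link is configured on the internal 10GE interfaces that connect the S5800 and the SecBlade FW card (to eliminate loops and speed up convergence);
• The upstream and downstream switches connect to the S5800 switches through link aggregation.

Figure 1 Network diagram

5.2 Software Versions

This document was verified on S5800 switch Release 1211P06 and firewall card Feature 3171P14. This configuration example applies to S5800 switch Release 1211P06 and firewall card Feature 3171P14, and to later versions.

All configurations in this document were performed in a lab environment and are for reference only. For a production deployment, configure the devices according to the actual network environment.

5.3 Configuration Steps

5.3.1 S5800-1

# Configure the device name of S5800-1.
<Sysname> system-view
[Sysname] sysname 5820-1
[5820-1]

# Set the IRF domain ID to 2.
[5820-1] irf domain 2

# Set the IRF bridge MAC address retention time to 6 minutes. When the Master device leaves the IRF, the IRF bridge MAC address does not change for 6 minutes. If the Master device rejoins the IRF within 6 minutes, the IRF bridge MAC address does not change. If the Master device has not returned to the IRF after 6 minutes, the bridge MAC address of the newly elected Master device is used as the IRF bridge MAC address.
[5820-1] irf mac-address persistent timer

# Enable automatic loading of the IRF system boot file.
[5820-1] irf auto-update enable

# Restore the default for delayed reporting of IRF link down events (by default, delayed reporting of IRF link down events is disabled on the S5800).
[5820-1] undo irf link-delay

# Set the priority of the IRF member device whose ID is 1.
[5820-1] irf member 1 priority 31

# Set the version rollback timer to 120 minutes. If an ISSU upgrade fails (for example, a defect in the new version prevents the device from starting), automatic version rollback lets the system return to its state before the upgrade.
[5820-1] issu rollback-timer 120

# Set the global IRF link load-sharing mode to use the destination IP address and source IP address of packets.
[5820-1] irf-port load-sharing mode destination-ip source-ip

# Bind physical interfaces Ten-GigabitEthernet1/0/12 and Ten-GigabitEthernet1/0/13 of the member device (ID 1) to IRF port 1.
[5820-1] irf-port 1/1
[5820-1-irf-port 1/1] port group interface Ten-GigabitEthernet1/0/12 mode enhanced
[5820-1-irf-port 1/1] port group interface Ten-GigabitEthernet1/0/13 mode enhanced

5.3.2 S5800-2

# Configure the device name of S5800-2.
<Sysname> system-view
[Sysname] sysname 5820-2
[5820-2]

# Set the IRF domain ID to 2.
[5820-2] irf domain 2

# Set the IRF member ID to 2.
[5820-2] irf member 1 renumber 2

# Set the priority of the IRF member device whose ID is 2.
[5820-2] irf member 2 priority 30

# Bind physical interfaces Ten-GigabitEthernet2/0/12 and Ten-GigabitEthernet2/0/13 of the member device (ID 2) to IRF port 2.
[5820-2] irf-port 2/2
[5820-2-irf-port 2/2] port group interface Ten-GigabitEthernet2/0/12 mode enhanced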
[5820-2-irf-port 2/2] port group interface Ten-GigabitEthernet2/0/13 mode enhanced

5.3.3 S5800-1 Configuration After Stacking Succeeds

# Enable link-aggregation traffic redirection. With this function enabled, when a member device is rebooted, the system redirects the traffic on the aggregation member ports of that device to the other member devices, so that traffic on the aggregate link is not interrupted.
[5820-1] link-aggregation lacp traffic-redirect-notification enable

# Configure global link-aggregation load sharing by the destination IP address and source IP address of packets.
[5820-1] link-aggregation load-sharing mode destination-ip source-ip

# Configure VLAN 118 and VLAN 120. These two VLANs belong to the same interworking zone.
[5820-1] vlan 118
[5820-1-vlan118] description 118<->FW<->120
[5820-1-vlan118] quit
[5820-1] vlan 120
[5820-1-vlan120] description servers zone B
[5820-1-vlan120] quit

# Configure VLAN 119 and VLAN 121. These two VLANs belong to the same interworking zone.
[5820-1] vlan 119
[5820-1-vlan119] description 119<->FW<->121
[5820-1-vlan119] quit
[5820-1] vlan 121
[5820-1-vlan121] description servers zone A
[5820-1-vlan121] quit

# Configure the protected VLANs of the Smart Link groups. Protected VLANs are configured by referencing an MSTI, so the mapping between the MSTI and the VLANs to be protected must be configured before the protected VLANs.
[5820-1] stp region-configuration    // Enter MST region view
[5820-1-mst-region] instance 1 vlan 118 120    // Map VLAN 118 and VLAN 120 to MSTI 1
[5820-1-mst-region] instance 2 vlan 119 121    // Map VLAN 119 and VLAN 121 to MSTI 2
[5820-1-mst-region] active region-configuration    // Activate the MST region configuration
[5820-1-mst-region] quit

# Configure the Smart Link groups. Different Smart Link groups must use different control VLANs. Make sure that the control VLAN exists and that the ports of the Smart Link group permit packets of the control VLAN. The control VLAN of a Smart Link group must also be a protected VLAN of that group. Do not delete a VLAN that has been configured as a control VLAN, because that affects the sending of Flush messages.
[5820-1] smart-link group 1    // Create Smart Link group 1 and enter Smart Link group view
[5820-1-smlk-group1] preemption mode role    // Set the preemption mode to role preemption
[5820-1-smlk-group1] protected-vlan reference-instance 1    // Configure the protected VLANs of the Smart Link group by referencing MSTI 1
[5820-1-smlk-group1] flush enable control-vlan 120    // Enable sending of Flush messages
[5820-1-smlk-group1] quit
[5820-1] smart-link group 2    // Create Smart Link group 2 and enter Smart Link group view
[5820-1-smlk-group2] preemption mode role    // Set the preemption mode to role preemption
[5820-1-smlk-group2] protected-vlan reference-instance 2    // Configure the protected VLANs of the Smart Link group by referencing MSTI 2
[5820-1-smlk-group2] flush enable control-vlan 121    // Enable sending of Flush messages
[5820-1-smlk-group2] quit

# Configure the internal 10GE interface between S5800-1 and the FW-1 card: Ten-GigabitEthernet1/3/1 is the master port of Smart Link group 1 and the slave port of Smart Link group 2.

• Before configuring Smart Link on an interface, shut the port down manually, and bring it up again only after the Smart Link group configuration is complete, to avoid forming a loop that causes a broadcast storm.
• First disable the spanning tree protocol and RRPP on the port, and make sure that the port is not an aggregation member port or a service loopback group member port.

[5820-1] interface Ten-GigabitEthernet1/3/1
[5820-1-Ten-GigabitEthernet1/3/1] port link-mode bridge
[5820-1-Ten-GigabitEthernet1/3/1] port link-type trunk
[5820-1-Ten-GigabitEthernet1/3/1] undo port trunk permit vlan 1
[5820-1-Ten-GigabitEthernet1/3/1] port trunk permit vlan 118 to 121
[5820-1-Ten-GigabitEthernet1/3/1] shutdown
[5820-1-Ten-GigabitEthernet1/3/1] stp disable
[5820-1-Ten-GigabitEthernet1/3/1] port smart-link group 1 master
[5820-1-Ten-GigabitEthernet1/3/1] port smart-link group 2 slave
[5820-1-Ten-GigabitEthernet1/3/1] undo shutdown
[5820-1-Ten-GigabitEthernet1/3/1] quit

# Configure the internal 10GE interface between S5800-2 and the FW-2 card: Ten-GigabitEthernet2/3/1 is the slave port of Smart Link group 1 and the master port of Smart Link group 2.
[5820-1] interface Ten-GigabitEthernet2/3/1
[5820-1-Ten-GigabitEthernet2/3/1] port link-mode bridge
[5820-1-Ten-GigabitEthernet2/3/1] port link-type trunk
[5820-1-Ten-GigabitEthernet2/3/1] undo port trunk permit vlan 1
[5820-1-Ten-GigabitEthernet2/3/1] port trunk permit vlan 118 to 121
[5820-1-Ten-GigabitEthernet2/3/1] shutdown
[5820-1-Ten-GigabitEthernet2/3/1] stp disable
[5820-1-Ten-GigabitEthernet2/3/1] port smart-link group 1 slave
[5820-1-Ten-GigabitEthernet2/3/1] port smart-link group 2 master
[5820-1-Ten-GigabitEthernet2/3/1] undo shutdown
[5820-1-Ten-GigabitEthernet2/3/1] quit

# Configure link aggregation interfaces 1 and 2, which connect to the upstream and downstream switches.
[5820-1] interface Bridge-Aggregation1
[5820-1-Bridge-Aggregation1] description LACP-A to SW-1
[5820-1-Bridge-Aggregation1] port link-type trunk
[5820-1-Bridge-Aggregation1] port trunk permit vlan 119 118
[5820-1-Bridge-Aggregation1] link-aggregation mode dynamic
[5820-1-Bridge-Aggregation1] quit
[5820-1] interface Bridge-Aggregation2
[5820-1-Bridge-Aggregation2] description LACP-B to SW-2
[5820-1-Bridge-Aggregation2] port link-type trunk
[5820-1-Bridge-Aggregation2] port trunk permit vlan 120 121
[5820-1-Bridge-Aggregation2] link-aggregation mode dynamic
[5820-1-Bridge-Aggregation2] quit

# Configure link aggregation member port Ten-GigabitEthernet1/0/1. The member ports connect to the upstream and downstream switches respectively.
[5820-1] interface Ten-GigabitEthernet1/0/1
[5820-1-Ten-GigabitEthernet1/0/1] port link-mode bridge
[5820-1-Ten-GigabitEthernet1/0/1] description LACP-A to SW-1
[5820-1-Ten-GigabitEthernet1/0/1] port link-type trunk
[5820-1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 119 118
[5820-1-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[5820-1-Ten-GigabitEthernet1/0/1] quit

# Configure link aggregation member port Ten-GigabitEthernet1/0/2. The member ports connect to the upstream and downstream switches respectively.
[5820-1] interface Ten-GigabitEthernet1/0/2
[5820-1-Ten-GigabitEthernet1/0/2] port link-mode bridge
[5820-1-Ten-GigabitEthernet1/0/2] description LACP-A to SW-2
[5820-1-Ten-GigabitEthernet1/0/2] port link-type trunk
[5820-1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 120 121
[5820-1-Ten-GigabitEthernet1/0/2] port link-aggregation group 2
[5820-1-Ten-GigabitEthernet1/0/2] quit

# Configure link aggregation member port Ten-GigabitEthernet2/0/1. The member ports connect to the upstream and downstream switches respectively.
[5820-1] interface Ten-GigabitEthernet2/0/1
[5820-1-Ten-GigabitEthernet2/0/1] port link-mode bridge
[5820-1-Ten-GigabitEthernet2/0/1] description LACP-A to SW-1
[5820-1-Ten-GigabitEthernet2/0/1] port link-type trunk
[5820-1-Ten-GigabitEthernet2/0/1] port trunk permit vlan 119 118
[5820-1-Ten-GigabitEthernet2/0/1] port link-aggregation group 1
[5820-1-Ten-GigabitEthernet2/0/1] quit

# Configure link aggregation member port Ten-GigabitEthernet2/0/2. The member ports connect to the upstream and downstream switches respectively.
[5820-1] interface Ten-GigabitEthernet2/0/2
[5820-1-Ten-GigabitEthernet2/0/2] port link-mode bridge
[5820-1-Ten-GigabitEthernet2/0/2] description LACP-A to SW-2
[5820-1-Ten-GigabitEthernet2/0/2] port link-type trunk
[5820-1-Ten-GigabitEthernet2/0/2] port trunk permit vlan 120 121
[5820-1-Ten-GigabitEthernet2/0/2] port link-aggregation group 2
[5820-1-Ten-GigabitEthernet2/0/2] quit

5.3.4 FW1 Configuration

1. Configuring FW1 from the command line

# Configure the device name of FW1.
<Sysname> system-view
[Sysname] sysname 5820-1-FW
[5820-1-FW]

# Configure VLAN 118, VLAN 119, VLAN 120 and VLAN 121.
[5820-1-FW] vlan 118 to 121

# Configure VLAN 4091 and VLAN 4092, the internal forwarding VLANs of the FW card. VLAN 4091 is used for cross-VLAN forwarding between VLAN 118 and VLAN 120; VLAN 4092 is used for cross-VLAN forwarding between VLAN 119 and VLAN 121.
[5820-1-FW] vlan 4091
[5820-1-FW-vlan4091] vlan 4092
[5820-1-FW-vlan4092] quit
[5820-1-FW] interface Ten-GigabitEthernet0/0
[5820-1-FW-Ten-GigabitEthernet0/0] port link-mode bridge
[5820-1-FW-Ten-GigabitEthernet0/0] port link-type trunk
[5820-1-FW-Ten-GigabitEthernet0/0] undo port trunk permit vlan 1
[5820-1-FW-Ten-GigabitEthernet0/0] port trunk permit vlan 118 to 121
[5820-1-FW-Ten-GigabitEthernet0/0] quit
[5820-1-FW] interface Ten-GigabitEthernet0/0.118
[5820-1-FW-Ten-GigabitEthernet0/0.118] port link-mode bridge
[5820-1-FW-Ten-GigabitEthernet0/0.118] port access vlan 4091
[5820-1-FW-Ten-GigabitEthernet0/0.118] quit
[5820-1-FW] interface Ten-GigabitEthernet0/0.120
[5820-1-FW-Ten-GigabitEthernet0/0.120] port link-mode bridge
[5820-1-FW-Ten-GigabitEthernet0/0.120] port access vlan 4091
[5820-1-FW-Ten-GigabitEthernet0/0.120] quit
[5820-1-FW] interface Ten-GigabitEthernet0/0.119
[5820-1-FW-Ten-GigabitEthernet0/0.119] port link-mode bridge
[5820-1-FW-Ten-GigabitEthernet0/0.119] port access vlan 4092
[5820-1-FW-Ten-GigabitEthernet0/0.119] quit
[5820-1-FW] interface Ten-GigabitEthernet0/0.121
[5820-1-FW-Ten-GigabitEthernet0/0.121] port link-mode bridge
[5820-1-FW-Ten-GigabitEthernet0/0.121] port access vlan 4092
[5820-1-FW-Ten-GigabitEthernet0/0.121] quit
[5820-1-FW]

2. Configuring FW1 through the Web interface

(1) Create virtual firewalls vFW1 and vFW2.

• In the navigation bar, select "Device Management > Virtual Device > Configuration" to open the page shown in the figure below.

Figure 1 Virtual device configuration

• Click the <Add> button on the page to open the page for creating a virtual firewall, and create vFW1 and vFW2, as shown in the figure below.

Figure 2 Creating a virtual device

• Click the <OK> button to complete the operation.

Figure 3 Page displayed after vFW1 and vFW2 are created

(2) Assign the VLAN range 118, 120, 4091 to vFW1, and the VLAN range 119, 121, 4092 to vFW2.

• In the navigation bar, select "Device Management > Virtual Device > VLAN". The page shows the VLAN members of all current virtual devices.
• Click the icon that corresponds to the virtual device to be configured. A text box appears in the corresponding "VLAN Range" column. Enter the VLAN range to assign to that virtual device in the text box.
• Click the <OK> button to complete the operation.

Figure 4 Assigning VLAN ranges to virtual firewalls vFW1 and vFW2

(3) Configure the security zones to which the interfaces of virtual firewall vFW-1 belong.

• In the navigation bar, select "Device Management > Security Zone" to open the security zone display page.

Figure 5 Security zone display page

• Click the icon that corresponds to the security zone to be modified to open the page for modifying the security zone, as shown in the figures below.

Figure 6 Modifying a security zone (1)

Figure 7 Modifying a security zone (2)

(4) Configure the security zones to which the interfaces of virtual firewall vFW-2 belong.

• In the navigation bar, select "Device Management > Security Zone" to open the security zone display page.

Figure 8 Security zone display page

• Click the icon that corresponds to the security zone to be modified to open the page for modifying the security zone, as shown in the figures below.

Figure 9 Modifying a security zone (1)

Figure 10 Modifying a security zone (2)

(5) Configure stateful failover.

• In the navigation bar, select "High Reliability > Stateful Failover" to open the page shown in Figure 11.
• Select the configuration items as shown in the figure.
• Click the "Apply" button to complete the configuration.

Figure 11 Configuring stateful failover

"Configuration Synchronization" is configured on FW1; FW2 does not need "Configuration Synchronization" to be configured.

5.3.5 FW2 Configuration

1. Configuring FW2 from the command line

# Configure the device name of FW2.
<Sysname> system-view
[Sysname] sysname 5820-2-FW
[5820-2-FW]

# Configure VLAN 118, VLAN 119, VLAN 120 and VLAN 121.
[5820-2-FW] vlan 118 to 121

# Configure VLAN 4091 and VLAN 4092, the internal forwarding VLANs of the FW card. VLAN 4091 is used for cross-VLAN forwarding between VLAN 118 and VLAN 120; VLAN 4092 is used for cross-VLAN forwarding between VLAN 119 and VLAN 121.
[5820-2-FW] vlan 4091
[5820-2-FW-vlan4091] vlan 4092
[5820-2-FW-vlan4092] quit
[5820-2-FW] interface Ten-GigabitEthernet0/0
[5820-2-FW-Ten-GigabitEthernet0/0] port link-mode bridge
[5820-2-FW-Ten-GigabitEthernet0/0] port link-type trunk
[5820-2-FW-Ten-GigabitEthernet0/0] undo port trunk permit
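The two Smart Link rules stated in section 5.3.3 (the control VLAN of a group must also be one of its protected VLANs, and the ports of the group must permit the control VLAN) can be checked mechanically before a port is brought up. The Python lint below is an added example, not part of the H3C document; the function names `expand` and `lint` are hypothetical, and the input is a constructed excerpt that assumes a one-space-indented saved-configuration layout and uses only commands shown on this page.

```python
import re

# Constructed excerpt (saved-configuration layout assumed), built from the commands in section 5.3.3.
SAMPLE = """\
stp region-configuration
 instance 1 vlan 118 120
 instance 2 vlan 119 121
smart-link group 1
 protected-vlan reference-instance 1
 flush enable control-vlan 120
smart-link group 2
 protected-vlan reference-instance 2
 flush enable control-vlan 121
interface Ten-GigabitEthernet1/3/1
 undo port trunk permit vlan 1
 port trunk permit vlan 118 to 121
 port smart-link group 1 master
 port smart-link group 2 slave
"""

def expand(spec):
    """Expand a VLAN list such as '118 to 121' or '118 120' into a set of VLAN IDs."""
    pairs = re.findall(r"(\d+)(?: to (\d+))?", spec)
    return {v for lo, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def lint(cfg):
    """Check the Smart Link rules from section 5.3.3 and return a list of findings."""
    msti, grp, port, cur = {}, {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"smart-link group (\d+)", line):
            cur = grp.setdefault(m[1], {"inst": [], "ctl": None})
        elif m := re.match(r"interface (\S+)", line):
            cur = port.setdefault(m[1], {"permit": set(), "grp": []})
        elif m := re.match(r" instance (\d+) vlan (.+)", line):
            msti[m[1]] = expand(m[2])           # MSTI-to-VLAN mapping
        elif m := re.match(r" protected-vlan reference-instance (\d+)", line):
            cur["inst"].append(m[1])
        elif m := re.match(r" flush enable control-vlan (\d+)", line):
            cur["ctl"] = int(m[1])
        elif m := re.match(r" port trunk permit vlan (.+)", line):
            cur["permit"] |= expand(m[1])       # 'undo port trunk ...' does not match
        elif m := re.match(r" port smart-link group (\d+)", line):
            cur["grp"].append(m[1])
    out = []
    for g, d in grp.items():                    # rule 1: control VLAN is a protected VLAN
        prot = set().union(*(msti.get(i, set()) for i in d["inst"]))
        if d["ctl"] is not None and d["ctl"] not in prot:
            out.append(f"group {g}: control VLAN {d['ctl']} is not a protected VLAN")
    for name, p in port.items():                # rule 2: group ports permit the control VLAN
        for g in p["grp"]:
            ctl = grp.get(g, {}).get("ctl")
            if ctl is not None and ctl not in p["permit"]:
                out.append(f"{name}: control VLAN {ctl} of group {g} not permitted")
    return out
```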
