Play with Huawei eNSP simulator series | IPSec gateway in load-sharing dual-device hot standby, with routers upstream and downstream

Source: Huawei Firewall Configuration Guide

These are test notes organized while studying and shared with everyone; if anything infringes it will be removed. Thank you for your support!

Collection post for the series: Playing with Huawei ENSP Simulator Series | Collection_COCOgsta's Blog-CSDN Blog_Huawei Simulator Experiment


Objective

This example shows how to configure IPSec VPN when a load-sharing dual-device hot standby pair has routers on both its uplink and downlink sides.

Networking requirements

As shown in Figure 1, the headquarters and the branches of the enterprise are connected to the Internet through FWs. FW_C and FW_D at the headquarters work in load-sharing mode; their service interfaces work at Layer 3 and run OSPF with the upstream and downstream routers. The enterprise wants traffic from branch users to the headquarters to be protected by IPSec tunnels, with FW_C handling the traffic that FW_A sends to the headquarters and FW_D handling the traffic that FW_B sends. When either FW_C or FW_D fails, all traffic from the branches to the headquarters switches to the device that is still running.

Configuration idea

  1. Configure FW_C and FW_D to work in load-balancing mode.
  2. Create Tunnel1 and Tunnel2 interfaces on both FW_C and FW_D. The Tunnel1 interfaces on the two devices share one IP address, and so do the Tunnel2 interfaces. Tunnel1 on FW_C is the primary interface and carries the primary IPSec tunnel with FW_A; Tunnel1 on FW_D is the backup interface and carries the backup IPSec tunnel with FW_A. Likewise, Tunnel2 on FW_D carries the primary IPSec tunnel with FW_B and Tunnel2 on FW_C carries the backup one. FW_A and FW_B thus each have two IPSec tunnels, one to each of FW_C and FW_D. While both devices run normally, FW_A and FW_B send their traffic to the headquarters over their primary tunnels; when one device fails, the affected branch switches to its backup tunnel.
  3. Configure routing policies on FW_C and FW_D that change route costs according to the device status. While both devices run normally the status is load-balance: return traffic from the headquarters to FW_A is steered to FW_C and return traffic to FW_B is steered to FW_D. If FW_C fails, its status becomes standby and FW_D's becomes active, and return traffic to both FW_A and FW_B is steered to FW_D.
  4. Apply IPSec policies to the public-network interfaces of FW_A and FW_B and establish the IPSec tunnels with FW_C and FW_D.

Steps

  1. Configure the interface IP addresses of FW_C (headquarters).

    1. Configure an IP address for GE1/0/1 and add the interface to the Untrust zone.

       <sysname> system-view
       [sysname] sysname FW_C
       [FW_C] interface gigabitethernet 1/0/1
       [FW_C-GigabitEthernet1/0/1] ip address 2.2.2.1 24
       [FW_C-GigabitEthernet1/0/1] quit
       [FW_C] firewall zone untrust
       [FW_C-zone-untrust] add interface gigabitethernet 1/0/1
       [FW_C-zone-untrust] quit

    2. Configure an IP address for GE1/0/2 (the HRP heartbeat link to FW_D) and add the interface to the DMZ zone.

       [FW_C] interface gigabitethernet 1/0/2
       [FW_C-GigabitEthernet1/0/2] ip address 10.10.0.1 24
       [FW_C-GigabitEthernet1/0/2] quit
       [FW_C] firewall zone dmz
       [FW_C-zone-dmz] add interface gigabitethernet 1/0/2
       [FW_C-zone-dmz] quit

    3. Configure an IP address for GE1/0/3 and add the interface to the Trust zone.

       [FW_C] interface gigabitethernet 1/0/3
       [FW_C-GigabitEthernet1/0/3] ip address 10.3.3.1 24
       [FW_C-GigabitEthernet1/0/3] quit
       [FW_C] firewall zone trust
       [FW_C-zone-trust] add interface gigabitethernet 1/0/3
       [FW_C-zone-trust] quit

    4. Configure VGMP to track the uplink and downlink service interfaces, so that a failure of either interface lowers the device priority and triggers the switchover.

       [FW_C] hrp track interface GigabitEthernet 1/0/1
       [FW_C] hrp track interface GigabitEthernet 1/0/3

    5. Create Tunnel1 and Tunnel2 on FW_C and add them to the Untrust zone. Tunnel1 (2.2.4.1) terminates the IPSec tunnel with FW_A and Tunnel2 (2.2.5.1) the one with FW_B; the same two addresses are configured on FW_D, so each branch always peers with the same address regardless of which device is serving it.

       [FW_C] interface tunnel 1
       [FW_C-Tunnel1] tunnel-protocol ipsec
       [FW_C-Tunnel1] ip address 2.2.4.1 24
       [FW_C-Tunnel1] quit
       [FW_C] interface tunnel 2
       [FW_C-Tunnel2] tunnel-protocol ipsec
       [FW_C-Tunnel2] ip address 2.2.5.1 24
       [FW_C-Tunnel2] quit
       [FW_C] firewall zone untrust
       [FW_C-zone-untrust] add interface Tunnel 1
       [FW_C-zone-untrust] add interface Tunnel 2
       [FW_C-zone-untrust] quit
  2. Configure interzone security policies on FW_C (headquarters).

    1. Configure security policies between the Trust and Untrust zones for the branch-to-headquarters traffic in both directions, and between the Local and DMZ zones so that the HRP heartbeat on GE1/0/2 is permitted.

       [FW_C] security-policy
       [FW_C-policy-security] rule name 1
       [FW_C-policy-security-rule-1] source-zone untrust
       [FW_C-policy-security-rule-1] destination-zone trust
       [FW_C-policy-security-rule-1] source-address 10.1.3.0 24
       [FW_C-policy-security-rule-1] source-address 10.1.4.0 24
       [FW_C-policy-security-rule-1] destination-address 10.1.2.0 24
       [FW_C-policy-security-rule-1] action permit
       [FW_C-policy-security-rule-1] quit
       [FW_C-policy-security] rule name 2
       [FW_C-policy-security-rule-2] source-zone trust
       [FW_C-policy-security-rule-2] destination-zone untrust
       [FW_C-policy-security-rule-2] source-address 10.1.2.0 24
       [FW_C-policy-security-rule-2] destination-address 10.1.3.0 24
       [FW_C-policy-security-rule-2] destination-address 10.1.4.0 24
       [FW_C-policy-security-rule-2] action permit
       [FW_C-policy-security-rule-2] quit
       [FW_C-policy-security] rule name 3
       [FW_C-policy-security-rule-3] source-zone local dmz
       [FW_C-policy-security-rule-3] destination-zone local dmz
       [FW_C-policy-security-rule-3] action permit
       [FW_C-policy-security-rule-3] quit

    2. Configure policies between the Local and Untrust zones so that IKE negotiation packets to and from the branch firewalls are allowed. As written, these two rules permit any protocol between 1.1.0.0/16 and 2.2.0.0/16; in a real deployment, narrow them to the branch public addresses and to the traffic the tunnels actually need (IKE on UDP 500, UDP 4500 for NAT traversal, and ESP, IP protocol 50).

       [FW_C-policy-security] rule name 4
       [FW_C-policy-security-rule-4] source-zone local
       [FW_C-policy-security-rule-4] destination-zone untrust
       [FW_C-policy-security-rule-4] source-address 2.2.0.0 16
       [FW_C-policy-security-rule-4] destination-address 1.1.0.0 16
       [FW_C-policy-security-rule-4] action permit
       [FW_C-policy-security-rule-4] quit
       [FW_C-policy-security] rule name 5
       [FW_C-policy-security-rule-5] source-zone untrust
       [FW_C-policy-security-rule-5] destination-zone local
       [FW_C-policy-security-rule-5] source-address 1.1.0.0 16
       [FW_C-policy-security-rule-5] destination-address 2.2.0.0 16
       [FW_C-policy-security-rule-5] action permit
       [FW_C-policy-security-rule-5] quit
  3. Configure static routes to the FW_A and FW_B private networks on FW_C (headquarters). The routes point at the tunnel interfaces, so traffic for a branch is handed to the IPSec policy applied on that tunnel.

[FW_C] ip route-static 10.1.3.0 24 tunnel 1
[FW_C] ip route-static 10.1.4.0 24 tunnel 2
  4. Configure and run OSPF on FW_C (headquarters).

To make the traffic between FW_A and the headquarters take the path FW_A <-> Router1 <-> FW_C <-> Router2, and the traffic between FW_B and the headquarters take the path FW_B <-> Router1 <-> FW_D <-> Router2, routing policies are configured on FW_C and FW_D to control the routing information that Router1 and Router2 learn.

When FW_C and FW_D are both in the load-balancing state, each of them advertises the directly connected route of its Tunnel1 interface (2.2.4.0/24) to Router1, and each advertises the static route to FW_A's private network (10.1.3.0/24) to Router2. The same holds for Tunnel2 (2.2.5.0/24) and FW_B's private network (10.1.4.0/24). Because both devices advertise identical prefixes, the costs of the direct and static routes they advertise must be adjusted so that the routers prefer the intended device for each prefix.

Router1 must send FW_A's traffic to the Tunnel1 interface of FW_C rather than that of FW_D while the pair is load balancing. FW_C therefore subtracts 10 from the cost of the Tunnel1 direct route it advertises, and FW_D adds 10 to the same route, so Router1 selects FW_C by cost.

Likewise Router2 must send the return traffic for FW_A to FW_C rather than FW_D, so FW_C subtracts 10 from the cost of the static route to 10.1.3.0/24 and FW_D adds 10 to it. For FW_B the adjustments are mirrored (node 2 of the route-policy below): FW_C adds 10 and FW_D subtracts 10 for the Tunnel2 direct route and the 10.1.4.0/24 static route.

When FW_D fails and FW_C is in the active state, FW_C subtracts 10 from every direct and static route it advertises, and FW_D (now standby) adds 10 to every route it still advertises, so all traffic for FW_A and FW_B is sent to FW_C.

When FW_C fails and is in the standby state, FW_C adds 10 to every direct and static route it advertises and FW_D (now active) subtracts 10, so all traffic for FW_A and FW_B is sent to FW_D.

Route-policy nodes are tried in order and the first node whose if-match clauses all hold is applied; a route that matches no node is not imported. ACLs 2000 and 2001 select the FW_A-side and FW_B-side prefixes for the load-balancing nodes, and ACL 2002 covers all four prefixes for the active and standby nodes.

[FW_C] ospf 1
[FW_C-ospf-1] import-route direct route-policy rp
[FW_C-ospf-1] import-route static route-policy rp
[FW_C-ospf-1] area 0.0.0.0
[FW_C-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[FW_C-ospf-1-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[FW_C-ospf-1-area-0.0.0.0] quit
[FW_C-ospf-1] quit
[FW_C] route-policy rp permit node 1
[FW_C-route-policy] if-match acl 2000
[FW_C-route-policy] if-match backup-status load-balance
[FW_C-route-policy] apply cost - 10
[FW_C-route-policy] quit
[FW_C] route-policy rp permit node 2
[FW_C-route-policy] if-match acl 2001
[FW_C-route-policy] if-match backup-status load-balance
[FW_C-route-policy] apply cost + 10
[FW_C-route-policy] quit
[FW_C] route-policy rp permit node 3
[FW_C-route-policy] if-match acl 2002
[FW_C-route-policy] if-match backup-status active
[FW_C-route-policy] apply cost - 10
[FW_C-route-policy] quit
[FW_C] route-policy rp permit node 4
[FW_C-route-policy] if-match acl 2002
[FW_C-route-policy] if-match backup-status standby
[FW_C-route-policy] apply cost + 10
[FW_C-route-policy] quit
[FW_C] acl 2000
[FW_C-acl-basic-2000] rule permit source 2.2.4.0 0.0.0.255
[FW_C-acl-basic-2000] rule permit source 10.1.3.0 0.0.0.255
[FW_C-acl-basic-2000] quit
[FW_C] acl 2001
[FW_C-acl-basic-2001] rule permit source 2.2.5.0 0.0.0.255
[FW_C-acl-basic-2001] rule permit source 10.1.4.0 0.0.0.255
[FW_C-acl-basic-2001] quit
[FW_C] acl 2002
[FW_C-acl-basic-2002] rule permit source 2.2.4.0 0.0.0.255
[FW_C-acl-basic-2002] rule permit source 10.1.3.0 0.0.0.255
[FW_C-acl-basic-2002] rule permit source 2.2.5.0 0.0.0.255
[FW_C-acl-basic-2002] rule permit source 10.1.4.0 0.0.0.255
[FW_C-acl-basic-2002] quit
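The cost manipulation above can be checked on paper before touching the devices. The following Python model is an added example, not code from the original post or from Huawei: it reproduces route-policy rp from both firewalls (nodes tried in order, first match wins, a route matching no node is not imported) and computes which device Router1 and Router2 will prefer for each prefix under each HRP state. The base cost of 100 and the extra state name "down" (a powered-off device that advertises nothing) are assumptions of the example; on a real device only the relative order of the two advertised costs matters.

```python
"""Model of route-policy rp on FW_C and FW_D under each HRP backup-status.

Added example, not code from the original post or from Huawei. It mimics
how a VRP route-policy is evaluated: nodes are tried in sequence, a node
applies only when all of its if-match clauses hold, the first matching
node sets the cost, and a route that matches no node is not imported.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Basic ACLs from the page. A basic ACL used in a route-policy matches the
# route's destination prefix against the rule's source address/wildcard.
ACLS = {
    2000: ["2.2.4.0/24", "10.1.3.0/24"],   # FW_A side: Tunnel1 subnet, FW_A LAN
    2001: ["2.2.5.0/24", "10.1.4.0/24"],   # FW_B side: Tunnel2 subnet, FW_B LAN
    2002: ["2.2.4.0/24", "10.1.3.0/24", "2.2.5.0/24", "10.1.4.0/24"],
}


@dataclass(frozen=True)
class Node:
    acl: int        # if-match acl <acl>
    status: str     # if-match backup-status <status>
    delta: int      # apply cost +/- <delta>


# route-policy rp, nodes 1..4 in order, exactly as configured on each device.
POLICY = {
    "FW_C": [Node(2000, "load-balance", -10), Node(2001, "load-balance", +10),
             Node(2002, "active", -10), Node(2002, "standby", +10)],
    "FW_D": [Node(2000, "load-balance", +10), Node(2001, "load-balance", -10),
             Node(2002, "active", -10), Node(2002, "standby", +10)],
}


def acl_matches(acl, prefix):
    """True if the route prefix falls inside one of the ACL's permit rules."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(rule)) for rule in ACLS[acl])


def advertised_cost(fw, status, prefix, base_cost=100):
    """Cost `fw` advertises for `prefix` given its HRP backup-status.

    Returns None when the route is not advertised at all: either no
    route-policy node matched (implicit deny at the end of the policy),
    or the device is "down" (assumed state for a powered-off box).
    base_cost is an assumption; only the relative order between the two
    devices matters for the routers' choice.
    """
    if status == "down":
        return None
    for node in POLICY[fw]:
        if node.status == status and acl_matches(node.acl, prefix):
            return base_cost + node.delta
    return None


def preferred_gateway(prefix, status_c, status_d, base_cost=100):
    """Which firewall Router1/Router2 picks for `prefix` (lowest cost wins)."""
    costs = {
        "FW_C": advertised_cost("FW_C", status_c, prefix, base_cost),
        "FW_D": advertised_cost("FW_D", status_d, prefix, base_cost),
    }
    live = {fw: c for fw, c in costs.items() if c is not None}
    if not live:
        raise ValueError(f"{prefix} is not advertised by either device")
    return min(live, key=live.get)


if __name__ == "__main__":
    scenarios = [("load-balance", "load-balance"), ("active", "standby"),
                 ("standby", "active"), ("down", "active")]
    for prefix in ACLS[2002]:
        for sc, sd in scenarios:
            print(f"{prefix:<12} FW_C={sc:<12} FW_D={sd:<12} -> "
                  f"{preferred_gateway(prefix, sc, sd)}")
```

Running the module prints the chosen gateway for all four prefixes in each state; the routes that the page does not list in any ACL (for example 10.3.3.0/24, which OSPF carries through its network statement) are correctly reported as not imported by the policy.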
  5. Configure IPSec on FW_C (headquarters).

    1. Define the data flows to be protected towards FW_A and FW_B (the mirror images of the branch ACLs).

       [FW_C] acl 3005
       [FW_C-acl-adv-3005] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
       [FW_C-acl-adv-3005] quit
       [FW_C] acl 3006
       [FW_C-acl-adv-3006] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.4.0 0.0.0.255
       [FW_C-acl-adv-3006] quit

    2. Configure an IPSec proposal: ESP in tunnel mode with AES-256 encryption and SHA2-256 integrity.

       [FW_C] ipsec proposal tran1
       [FW_C-ipsec-proposal-tran1] encapsulation-mode tunnel
       [FW_C-ipsec-proposal-tran1] transform esp
       [FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
       [FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-256
       [FW_C-ipsec-proposal-tran1] quit

    3. Configure an IKE proposal. Only the authentication method and integrity algorithm are set here; the encryption algorithm and DH group stay at the device defaults, so check them with display ike proposal and make sure both ends agree.

       [FW_C] ike proposal 10
       [FW_C-ike-proposal-10] authentication-method pre-share
       [FW_C-ike-proposal-10] authentication-algorithm sha2-256
       [FW_C-ike-proposal-10] quit

    4. Configure the IKE peers. Admin@123 is the example pre-shared key used throughout the page; in a real deployment use a long, randomly generated key that is different for each peer. undo version 2 disables IKEv2 and leaves only IKEv1 enabled; if every branch device supports IKEv2, prefer it and leave IKEv2 enabled instead.

       [FW_C] ike peer ngfw_a
       [FW_C-ike-peer-ngfw_a] ike-proposal 10
       [FW_C-ike-peer-ngfw_a] remote-address 1.1.1.1
       [FW_C-ike-peer-ngfw_a] pre-shared-key Admin@123
       [FW_C-ike-peer-ngfw_a] undo version 2
       [FW_C-ike-peer-ngfw_a] quit
       [FW_C] ike peer ngfw_b
       [FW_C-ike-peer-ngfw_b] ike-proposal 10
       [FW_C-ike-peer-ngfw_b] remote-address 1.1.2.1
       [FW_C-ike-peer-ngfw_b] pre-shared-key Admin@123
       [FW_C-ike-peer-ngfw_b] undo version 2
       [FW_C-ike-peer-ngfw_b] quit

    5. Configure two ISAKMP (non-template) IPSec policies, one per branch.

       [FW_C] ipsec policy map1 10 isakmp
       [FW_C-ipsec-policy-isakmp-map1-10] security acl 3005
       [FW_C-ipsec-policy-isakmp-map1-10] proposal tran1
       [FW_C-ipsec-policy-isakmp-map1-10] ike-peer ngfw_a
       [FW_C-ipsec-policy-isakmp-map1-10] quit
       [FW_C] ipsec policy map2 10 isakmp
       [FW_C-ipsec-policy-isakmp-map2-10] security acl 3006
       [FW_C-ipsec-policy-isakmp-map2-10] proposal tran1
       [FW_C-ipsec-policy-isakmp-map2-10] ike-peer ngfw_b
       [FW_C-ipsec-policy-isakmp-map2-10] quit

    6. Apply the IPSec policies to the tunnel interfaces. The master and slave keywords set the role of each tunnel within the dual-device pair: on FW_C, Tunnel1 carries the primary tunnel to FW_A and Tunnel2 carries the backup tunnel to FW_B.

       [FW_C] interface Tunnel 1
       [FW_C-Tunnel1] ipsec policy map1 master
       [FW_C-Tunnel1] quit
       [FW_C] interface Tunnel 2
       [FW_C-Tunnel2] ipsec policy map2 slave
       [FW_C-Tunnel2] quit
  6. Enable the dual-device configuration on FW_C (headquarters). GE1/0/2 is the heartbeat interface; hrp auto-sync config synchronizes the configuration to FW_D, and hrp mirror session enable backs up sessions so that established connections survive a switchover.

[FW_C] hrp interface gigabitethernet 1/0/2
[FW_C] hrp enable
HRP_M[FW_C] hrp load balance device
HRP_M[FW_C] hrp auto-sync config
HRP_M[FW_C] hrp mirror session enable
  7. Configure FW_D (headquarters). Once the dual-device configuration is enabled on FW_D, the ACLs, security policies and IKE/IPSec configuration of FW_C are backed up to FW_D automatically. Interface configuration and routing information are not backed up and must be configured manually on FW_D.

    1. Configure the interface IP addresses of FW_D and add the interfaces to their security zones, following the FW_C procedure. FW_D uses 2.2.3.0/24 on the uplink (GE1/0/1) and 10.3.4.0/24 on the downlink (GE1/0/3), as the OSPF network statements below show; its Tunnel1 and Tunnel2 interfaces get the same addresses as on FW_C (2.2.4.1 and 2.2.5.1). Also configure hrp track interface for the uplink and downlink service interfaces, as on FW_C.

    2. Configure routing on FW_D. The route-policy is the mirror image of the one on FW_C: in the load-balancing state FW_D adds 10 to the FW_A-side routes (ACL 2000) and subtracts 10 from the FW_B-side routes (ACL 2001); the active and standby nodes are the same on both devices.

       [FW_D] ip route-static 10.1.3.0 24 tunnel 1
       [FW_D] ip route-static 10.1.4.0 24 tunnel 2
       [FW_D] ospf 1
       [FW_D-ospf-1] import-route direct route-policy rp
       [FW_D-ospf-1] import-route static route-policy rp
       [FW_D-ospf-1] area 0.0.0.0
       [FW_D-ospf-1-area-0.0.0.0] network 10.3.4.0 0.0.0.255
       [FW_D-ospf-1-area-0.0.0.0] network 2.2.3.0 0.0.0.255
       [FW_D-ospf-1-area-0.0.0.0] quit
       [FW_D-ospf-1] quit
       [FW_D] route-policy rp permit node 1
       [FW_D-route-policy] if-match acl 2000
       [FW_D-route-policy] if-match backup-status load-balance
       [FW_D-route-policy] apply cost + 10
       [FW_D-route-policy] quit
       [FW_D] route-policy rp permit node 2
       [FW_D-route-policy] if-match acl 2001
       [FW_D-route-policy] if-match backup-status load-balance
       [FW_D-route-policy] apply cost - 10
       [FW_D-route-policy] quit
       [FW_D] route-policy rp permit node 3
       [FW_D-route-policy] if-match acl 2002
       [FW_D-route-policy] if-match backup-status active
       [FW_D-route-policy] apply cost - 10
       [FW_D-route-policy] quit
       [FW_D] route-policy rp permit node 4
       [FW_D-route-policy] if-match acl 2002
       [FW_D-route-policy] if-match backup-status standby
       [FW_D-route-policy] apply cost + 10
       [FW_D-route-policy] quit

    3. Apply the IPSec policies to the tunnel interfaces. On FW_D the roles are the reverse of FW_C, as the configuration idea requires: Tunnel1 is the backup tunnel to FW_A (slave) and Tunnel2 is the primary tunnel to FW_B (master).

       [FW_D] interface Tunnel 1
       [FW_D-Tunnel1] ipsec policy map1 slave
       [FW_D-Tunnel1] quit
       [FW_D] interface Tunnel 2
       [FW_D-Tunnel2] ipsec policy map2 master
       [FW_D-Tunnel2] quit
  8. Enable the dual-device configuration on FW_D (headquarters). The heartbeat interface is GE1/0/2, as on FW_C; it must be specified on FW_D as well before HRP is enabled.

[FW_D] hrp interface gigabitethernet 1/0/2
[FW_D] hrp enable
HRP_S[FW_D] hrp load balance device
HRP_S[FW_D] hrp auto-sync config
HRP_S[FW_D] hrp mirror session enable
  9. Configure FW_A (branch).

    1. Configure IP addresses for the interfaces and add them to their security zones.

       <sysname> system-view
       [sysname] sysname FW_A
       [FW_A] interface gigabitethernet 1/0/1
       [FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1 24
       [FW_A-GigabitEthernet1/0/1] quit
       [FW_A] interface gigabitethernet 1/0/2
       [FW_A-GigabitEthernet1/0/2] ip address 10.1.3.1 24
       [FW_A-GigabitEthernet1/0/2] quit
       [FW_A] firewall zone untrust
       [FW_A-zone-untrust] add interface gigabitethernet 1/0/1
       [FW_A-zone-untrust] quit
       [FW_A] firewall zone trust
       [FW_A-zone-trust] add interface gigabitethernet 1/0/2
       [FW_A-zone-trust] quit

    2. Configure security policies.

       1. Configure forwarding policies between the Trust and Untrust zones so that packets before encapsulation and after decapsulation can pass through FW_A.

          [FW_A] security-policy
          [FW_A-policy-security] rule name 1
          [FW_A-policy-security-rule-1] source-zone trust
          [FW_A-policy-security-rule-1] destination-zone untrust
          [FW_A-policy-security-rule-1] source-address 10.1.3.0 24
          [FW_A-policy-security-rule-1] destination-address 10.1.2.0 24
          [FW_A-policy-security-rule-1] action permit
          [FW_A-policy-security-rule-1] quit
          [FW_A-policy-security] rule name 2
          [FW_A-policy-security-rule-2] source-zone untrust
          [FW_A-policy-security-rule-2] destination-zone trust
          [FW_A-policy-security-rule-2] source-address 10.1.2.0 24
          [FW_A-policy-security-rule-2] destination-address 10.1.3.0 24
          [FW_A-policy-security-rule-2] action permit
          [FW_A-policy-security-rule-2] quit

       2. Configure policies between the Local and Untrust zones so that IKE negotiation packets can pass through FW_A. As on FW_C, these rules are broad (any protocol between the two /16 ranges) and should be narrowed to the headquarters tunnel addresses and to IKE (UDP 500 and 4500) plus ESP in a real deployment.

          [FW_A-policy-security] rule name 3
          [FW_A-policy-security-rule-3] source-zone local
          [FW_A-policy-security-rule-3] destination-zone untrust
          [FW_A-policy-security-rule-3] source-address 1.1.0.0 16
          [FW_A-policy-security-rule-3] destination-address 2.2.0.0 16
          [FW_A-policy-security-rule-3] action permit
          [FW_A-policy-security-rule-3] quit
          [FW_A-policy-security] rule name 4
          [FW_A-policy-security-rule-4] source-zone untrust
          [FW_A-policy-security-rule-4] destination-zone local
          [FW_A-policy-security-rule-4] source-address 2.2.0.0 16
          [FW_A-policy-security-rule-4] destination-address 1.1.0.0 16
          [FW_A-policy-security-rule-4] action permit
          [FW_A-policy-security-rule-4] quit
          [FW_A-policy-security] quit

    3. Configure a default route. The next hop towards the public network is assumed to be 1.1.1.2.

       [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    4. Configure an ACL that defines the data flow to be protected.

       [FW_A] acl 3000
       [FW_A-acl-adv-3000] rule permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
       [FW_A-acl-adv-3000] quit

    5. Configure an IPSec proposal named tran1, matching the one on the headquarters side.

       [FW_A] ipsec proposal tran1
       [FW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
       [FW_A-ipsec-proposal-tran1] transform esp
       [FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
       [FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-256
       [FW_A-ipsec-proposal-tran1] quit

    6. Configure an IKE proposal with sequence number 10.

       [FW_A] ike proposal 10
       [FW_A-ike-proposal-10] authentication-method pre-share
       [FW_A-ike-proposal-10] authentication-algorithm sha2-256
       [FW_A-ike-proposal-10] quit

    7. Configure the IKE peer. The remote address is the shared Tunnel1 address 2.2.4.1, not the physical uplink address of FW_C or FW_D, so the same peer configuration works whichever headquarters device currently holds the master role for this tunnel. The pre-shared key must match the one configured on FW_C for ngfw_a.

       [FW_A] ike peer ngfw_c
       [FW_A-ike-peer-ngfw_c] ike-proposal 10
       [FW_A-ike-peer-ngfw_c] remote-address 2.2.4.1
       [FW_A-ike-peer-ngfw_c] pre-shared-key Admin@123
       [FW_A-ike-peer-ngfw_c] undo version 2
       [FW_A-ike-peer-ngfw_c] quit

    8. Configure IPSec policy group map1.

       [FW_A] ipsec policy map1 10 isakmp
       [FW_A-ipsec-policy-isakmp-map1-10] security acl 3000
       [FW_A-ipsec-policy-isakmp-map1-10] proposal tran1
       [FW_A-ipsec-policy-isakmp-map1-10] ike-peer ngfw_c
       [FW_A-ipsec-policy-isakmp-map1-10] quit

    9. Apply policy group map1 to the outbound interface GE1/0/1.

       [FW_A] interface gigabitethernet 1/0/1
       [FW_A-GigabitEthernet1/0/1] ipsec policy map1
       [FW_A-GigabitEthernet1/0/1] quit
  10. Configure FW_B (branch). FW_B is configured in the same way as FW_A, with its own values: public address 1.1.2.1 on GE1/0/1, LAN 10.1.4.0/24 on GE1/0/2, an ACL protecting 10.1.4.0/24 to 10.1.2.0/24, and an IKE peer whose remote-address is the shared Tunnel2 address 2.2.5.1.

Result verification

  1. After the configuration is complete, run display hrp state on FW_C to check the HRP status. In load-balancing mode both members report the active role; output like the following means HRP has been established.

HRP_M[FW_C] display hrp state
 Role: active, peer: active
 Running priority: 47002, peer: 47002
 Core state: normal, peer: normal
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 18 minutes
  2. Run display ipsec sa on FW_A and FW_B to check that the IPSec SAs have been established. Taking FW_A as an example, the following output shows one inbound and one outbound SA between FW_A's public address 1.1.1.1 and the shared Tunnel1 address 2.2.4.1, using ESP with AES-256 and SHA2-256, which means the IPSec SA pair was set up successfully.

<FW_A> display ipsec sa brief
Current ipsec sa num:2

Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:2
    Src address   Dst address   SPI          VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
    2.2.4.1       1.1.1.1       4001819557        ESP       E:AES-256 A:SHA2-256-128
    1.1.1.1       2.2.4.1       3923280450        ESP       E:AES-256 A:SHA2-256-128
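As an added check for the two verification steps above (not code from the original post or from Huawei), the following Python script parses the text of display hrp state and display ipsec sa brief as shown on this page and reports anything that departs from the design: an HRP pair that is not active/active in load-balancing mode, a missing inbound or outbound SA between FW_A (1.1.1.1) and the shared Tunnel1 address (2.2.4.1), use of AH instead of ESP, or a weak ESP algorithm. The two embedded outputs are constructed from the page's own verification output; the weak-algorithm lists are the example's own choice.

```python
"""Checks for `display hrp state` and `display ipsec sa brief` output.

Added example, not code from the original post or from Huawei. Feed the
functions the text captured from the device; the two sample strings are
constructed from the verification output shown on this page.
"""
import re

# Constructed from the page: display hrp state on FW_C in load-balancing mode.
HRP_STATE_SAMPLE = """\
 Role: active, peer: active
 Running priority: 47002, peer: 47002
 Core state: normal, peer: normal
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 18 minutes
"""

# Constructed from the page: display ipsec sa brief on FW_A (1.1.1.1), whose
# primary peer is the shared Tunnel1 address 2.2.4.1.
IPSEC_SA_SAMPLE = """\
Current ipsec sa num:2

Spu board slot 1, cpu 1 ipsec sa information:
Number of SAs:2
    Src address   Dst address   SPI          VPN  Protocol  Algorithm
-------------------------------------------------------------------------------
    2.2.4.1       1.1.1.1       4001819557        ESP       E:AES-256 A:SHA2-256-128
    1.1.1.1       2.2.4.1       3923280450        ESP       E:AES-256 A:SHA2-256-128
"""

# Algorithms that should not appear on a new IPSec deployment (example's choice).
WEAK_ENC = ("DES", "3DES", "NULL")
WEAK_AUTH = ("MD5", "SHA1")

# One SA row: src, dst, SPI, optional VPN instance, protocol, E:<enc> (absent
# for AH) and A:<auth>.
_SA_LINE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+(?P<spi>\d+)\s+"
    r"(?:(?P<vpn>\S+)\s+)?(?P<proto>ESP|AH)\s+(?:E:(?P<enc>\S+)\s+)?A:(?P<auth>\S+)",
    re.MULTILINE,
)


def parse_hrp_state(text):
    """Return the role and core state of the local device and its peer."""
    state = {}
    m = re.search(r"Role:\s*([\w-]+),\s*peer:\s*([\w-]+)", text)
    if m:
        state["role"], state["peer_role"] = m.group(1), m.group(2)
    m = re.search(r"Core state:\s*([\w-]+),\s*peer:\s*([\w-]+)", text)
    if m:
        state["core"], state["peer_core"] = m.group(1), m.group(2)
    return state


def check_hrp(text, load_balance=True):
    """Findings for the HRP pair; an empty list means it matches the design.

    In load-balancing mode both devices report active; in active/standby
    mode exactly one of them does."""
    state = parse_hrp_state(text)
    if "role" not in state or "core" not in state:
        return ["could not parse display hrp state output"]
    findings = []
    if state["core"] != "normal" or state["peer_core"] != "normal":
        findings.append(f"core state {state['core']}/{state['peer_core']}, expected normal/normal")
    roles = {state["role"], state["peer_role"]}
    expected = {"active"} if load_balance else {"active", "standby"}
    if roles != expected:
        want = "/".join(sorted(expected))
        findings.append(f"roles {state['role']}/{state['peer_role']}, expected {want}")
    return findings


def parse_ipsec_sa_brief(text):
    """Return one dict per SA row (src, dst, spi, vpn, proto, enc, auth)."""
    return [m.groupdict() for m in _SA_LINE.finditer(text)]


def check_ipsec(text, local, peer):
    """Findings for the SA table seen from `local` towards `peer`.

    Expects one outbound and one inbound SA with the primary tunnel address,
    ESP rather than AH, and no weak algorithm."""
    sas = parse_ipsec_sa_brief(text)
    findings = []
    pairs = {(sa["src"], sa["dst"]) for sa in sas}
    if (local, peer) not in pairs:
        findings.append(f"no outbound SA {local} -> {peer}")
    if (peer, local) not in pairs:
        findings.append(f"no inbound SA {peer} -> {local}")
    for sa in sas:
        tag = f"SPI {sa['spi']}"
        if sa["proto"] == "AH":
            findings.append(f"{tag}: AH gives integrity only, no confidentiality")
        if (sa["enc"] or "").upper().startswith(WEAK_ENC):
            findings.append(f"{tag}: weak encryption {sa['enc']}")
        if sa["auth"].upper().startswith(WEAK_AUTH):
            findings.append(f"{tag}: weak integrity {sa['auth']}")
    return findings


if __name__ == "__main__":
    print("HRP:", check_hrp(HRP_STATE_SAMPLE) or "ok")
    print("IPSec:", check_ipsec(IPSEC_SA_SAMPLE, "1.1.1.1", "2.2.4.1") or "ok")
```

For FW_B call check_ipsec with local 1.1.2.1 and peer 2.2.5.1. During the switchover test below, the same call run against FW_A's output after FW_C is taken down should still pass, because the backup tunnel on FW_D is negotiated to the same 2.2.4.1 address.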
  3. Verify that the dual-device switchover works.

    1. With FW_C and FW_D both running normally, access headquarters resources from the user PCs behind FW_A and behind FW_B. Both should succeed.
    2. Take FW_C down (power it off in the simulator, or shut down one of the tracked service interfaces so that VGMP demotes it) and check whether both branches can still reach the headquarters. If they can, traffic has switched from FW_C to FW_D.
    3. Restore FW_C, then take FW_D down and check again. If both branches can still reach the headquarters, traffic has switched from FW_D to FW_C.
    4. If both branches reach the headquarters in all three scenarios, the configuration for this scenario is correct. Running display hrp state and display ipsec sa brief again during each step shows the role change and the backup tunnel's SAs.

 


Origin blog.csdn.net/guolianggsta/article/details/127394658