华为USG6000v的双机主备实验-上下接交换机场景-VRRP-VGMP

点击查看代码

HRP_M<FW1>sys
Enter system view, return user view with Ctrl+Z.
HRP_M[FW1]dis cur
2025-10-10 09:31:37.560 +08:00
!Software Version V500R005C00SPC100
#
sysname FW1
#
 l2tp domain suffix-separator @
#
info-center source default channel 0 trap state off
#
 ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone utc add 08:00:00
#
 hrp enable
 hrp interface GigabitEthernet1/0/4 remote 1.1.1.2
#
 update schedule location-sdb weekly Sun 00:08
#
 firewall defend action discard
#
 log type traffic enable
 log type syslog enable
 log type policy enable                   
#
 undo dataflow enable
#
 sa force-detection enable
#
 banner enable
#
password-policy
 level high
user-manage single-sign-on radius
#
icmp ttl-exceeded send
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
 undo web-manager config-guide enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 update schedule ips-sdb daily 00:22
 update schedule av-sdb daily 00:22
 update schedule sa-sdb daily 00:22
 update schedule cnc daily 00:22          
 update schedule file-reputation daily 00:22
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
acl number 3000
 description "Acl for Quintuple Packet Capture"
 rule 0 permit ip
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local 
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authentication-scheme admin_ldap
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode auto-online
  reference user current-domain
 manager-user password valid-days 0
 manager-user hhbi
  password cipher @%@%ag]6's"i*N`\.NHZDZ,"`=:a&sZf*7!EtH_G[%X[<+qP=:d`@%@%
  service-type web terminal ssh
  level 15

 manager-user admin
  password cipher @%@%q!I[F'3{YAGQgv0lf2i."qB4:=NEO(=V@K4sMl)IS)GNqB7"@%@%
  service-type web terminal ssh
  level 15
                                          
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.91.141 255.255.255.0
 gateway 192.168.91.1
 service-manage http permit
 service-manage https permit
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.10 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254 active
 vrrp virtual-mac enable
 service-manage http permit
 service-manage https permit              
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/2
 undo shutdown
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 200.1.1.10 255.255.255.0
 vrrp vrid 2 virtual-ip 200.1.1.254 active
 vrrp virtual-mac enable                  
 service-manage ping permit
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 undo service-manage enable
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/3
#                                         
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/4
#
api
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/3 200.1.1.253
#
undo ssh server compatible-ssh1x enable
stelnet server enable
ssh authentication-type default password
#
user-interface password complexity-check disable
#
firewall detect ftp
#
user-interface con 0
 authentication-mode password
 set authentication password cipher $1c$cL2jXWd8]"$cGG=Z9)DMBkIO).0II#0fQzZ5-m,wL;[q3GbiI;/$
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#                                         
pki realm default
#
sa
#
location
#
 multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
security-policy
 default action permit
 rule name permit
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#                                         
proxy-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return

几点总结： 1.在模拟器中可以做双机实验，但是困难重重 2.在防火墙中shutdown网卡，双机倒换很快，终端丢一个包就能继续通信 3.eve-ng中的6000V与实际的USG设备命令不一样