设备直路部署，上下行连接交换机

如
图所示，DeviceA和DeviceB的业务接口都工作在三层，上下行分别连接二层交换机。上行交换机连接运营商的接入点，运营商为企业分配的IP地址为1.1.1.3和1.1.1.4。现在希望DeviceA和DeviceB以负载分担方式工作。正常情况下，DeviceA和DeviceB共同转发流量；当其中一台设备出现故障时，另外一台设备转发全部业务，保证业务不中断。

操作步骤

1. 完成网络基本配置。

   DeviceA	DeviceB
   # 配置DeviceA和DeviceB各接口的IP地址。
   <HUAWEI> system-view [HUAWEI] sysname DeviceA [DeviceA] interface 10ge 0/0/1 [DeviceA-10GE0/0/1] ip address 10.2.0.1 24 [DeviceA-10GE0/0/1] quit [DeviceA] interface 10ge 0/0/3 [DeviceA-10GE0/0/3] ip address 10.3.0.1 24 [DeviceA-10GE0/0/3] quit [DeviceA] interface 10ge 0/0/7 [DeviceA-10GE0/0/7] ip address 10.10.0.1 24 [DeviceA-10GE0/0/7] quit	<HUAWEI> system-view [HUAWEI] sysname DeviceB [DeviceB] interface 10ge 0/0/1 [DeviceB-10GE0/0/1] ip address 10.2.0.2 24 [DeviceB-10GE0/0/1] quit [DeviceB] interface 10ge 0/0/3 [DeviceB-10GE0/0/3] ip address 10.3.0.2 24 [DeviceB-10GE0/0/3] quit [DeviceB] interface 10ge 0/0/7 [DeviceB-10GE0/0/7] ip address 10.10.0.2 24 [DeviceB-10GE0/0/7] quit
   # 将DeviceA和DeviceB各接口加入相应的安全区域。
   [DeviceA] firewall zone untrust [DeviceA-zone-untrust] add interface 10ge 0/0/1 [DeviceA-zone-untrust] quit [DeviceA] firewall zone trust [DeviceA-zone-trust] add interface 10ge 0/0/3 [DeviceA-zone-trust] quit [DeviceA] firewall zone dmz [DeviceA-zone-dmz] add interface 10ge 0/0/7 [DeviceA-zone-dmz] quit	[DeviceB] firewall zone untrust [DeviceB-zone-untrust] add interface 10ge 0/0/1 [DeviceB-zone-untrust] quit [DeviceB] firewall zone trust [DeviceB-zone-trust] add interface 10ge 0/0/3 [DeviceB-zone-trust] quit [DeviceB] firewall zone dmz [DeviceB-zone-dmz] add interface 10ge 0/0/7 [DeviceB-zone-dmz] quit
   # 在DeviceA和DeviceB上配置一条缺省路由，下一跳为1.1.1.10，使内网用户的流量可以正常转发至Router。
   [DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10	[DeviceB] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

2. 配置VRRP备份组。

   为了实现负载分担组网需要在每个业务接口上配置两个VRRP备份组，一个设置状态为Active，另一个设置状态为Standby。

   DeviceA	DeviceB
   # 在DeviceA上行业务接口10GE0/0/1上配置VRRP备份组1，并将其状态设置为Active；配置VRRP备份组2，并将其状态设置为Standby。在DeviceB上行业务接口10GE0/0/1上配置VRRP备份组1，并将其状态设置为Standby；配置VRRP备份组2，并将其状态设置为Active。需要注意的是：如果接口的IP地址与VRRP备份组地址不在同一网段，则配置VRRP备份组地址时需要指定掩码。
   [DeviceA] interface 10ge 0/0/1 [DeviceA-10GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 active [DeviceA-10GE0/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 standby [DeviceA-10GE0/0/1] quit	[DeviceB] interface 10ge 0/0/1 [DeviceB-10GE0/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 standby [DeviceB-10GE0/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 active [DeviceB-10GE0/0/1] quit
   # 在DeviceA下行业务接口10GE0/0/3上配置VRRP备份组3，并将其状态设置为Active；配置VRRP备份组4，并将其状态设置为Standby。在DeviceB下行业务接口10GE0/0/3上配置VRRP备份组3，并将其状态设置为Standby；配置VRRP备份组4，并将其状态设置为Active。
   [DeviceA] interface 10ge 0/0/3 [DeviceA-10GE0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active [DeviceA-10GE0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby [DeviceA-10GE0/0/3] quit	[DeviceB] interface 10ge 0/0/3 [DeviceB-10GE0/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby [DeviceB-10GE0/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active [DeviceB-10GE0/0/3] quit

3. 配置安全策略，允许心跳接口之间交互HRP报文。

[DeviceA] security-policy
[DeviceA-policy-security] rule name ha_local_to_dmz
[DeviceA-policy-security-rule-ha_local_to_dmz] source-zone local dmz
[DeviceA-policy-security-rule-ha_local_to_dmz] destination-zone local dmz
[DeviceA-policy-security-rule-ha_local_to_dmz] service protocol udp destination-port 18514
[DeviceA-policy-security-rule-ha_local_to_dmz] action permit
[DeviceA-policy-security-rule-ha_local_to_dmz] quit
[DeviceA-policy-security] quit

[DeviceB] security-policy
[DeviceB-policy-security] rule name ha_local_to_dmz
[DeviceB-policy-security-rule-ha_local_to_dmz] source-zone local dmz
[DeviceB-policy-security-rule-ha_local_to_dmz] destination-zone local dmz
[DeviceB-policy-security-rule-ha_local_to_dmz] service protocol udp destination-port 18514
[DeviceB-policy-security-rule-ha_local_to_dmz] action permit
[DeviceB-policy-security-rule-ha_local_to_dmz] quit
[DeviceB-policy-security] quit

4. 配置会话快速备份功能，指定心跳口并启用双机热备功能。

[DeviceA] hrp mirror session enable

[DeviceB] hrp mirror session enable

[DeviceA] hrp interface 10ge 0/0/7 remote 10.10.0.2 
[DeviceA] hrp authentication-key Admin@123
[DeviceA] hrp enable 

[DeviceB] hrp interface 10ge 0/0/7 remote 10.10.0.1 
[DeviceB] hrp authentication-key Admin@123
[DeviceB] hrp enable 

5. 在DeviceA上配置安全策略。双机热备状态成功建立后，DeviceA的安全策略配置会自动备份到DeviceB上。

# 配置安全策略，允许内网用户访问Internet。

HRP_M[DeviceA] security-policy
HRP_M[DeviceA-policy-security] rule name trust_to_untrust  
HRP_M[DeviceA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[DeviceA-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[DeviceA-policy-security-rule-trust_to_untrust] action permit
HRP_M[DeviceA-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[DeviceA-policy-security-rule-trust_to_untrust] quit
HRP_M[DeviceA-policy-security] quit  

6. 在DeviceA上配置NAT策略。双机热备状态成功建立后，DeviceA的NAT策略配置会自动备份到DeviceB上。

# 配置NAT策略，当内网用户访问Internet时，将源地址由10.3.0.0/24网段转换为地址池中的地址（1.1.2.5-1.1.2.8）。

HRP_M[DeviceA] nat address-group group1
HRP_M[DeviceA-address-group-group1] section 0 1.1.2.5 1.1.2.8
HRP_M[DeviceA-address-group-group1] quit
HRP_M[DeviceA] nat-policy
HRP_M[DeviceA-policy-nat] rule name policy_nat1  
HRP_M[DeviceA-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[DeviceA-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[DeviceA-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24 
HRP_M[DeviceA-policy-nat-rule-policy_nat1] action source-nat address-group group1
HRP_M[DeviceA-policy-nat-rule-policy_nat1] quit
HRP_M[DeviceA-policy-nat] quit 

# 对于双机热备的负载分担组网，为了防止两台设备进行NAT转换时端口冲突，需要在DeviceA和DeviceB上分别配置可用的端口范围。在DeviceA上进行如下配置：

HRP_M[DeviceA] hrp nat resource primary-group

DeviceA配置此命令后，DeviceB上会自动备份此命令，并转换成hrp nat resource secondary-group命令。

7. 配置Switch和PC。

        a.分别将两台Switch的三个接口加入同一个VLAN，具体配置命令请参考交换机的相关文档。

        b. 在内网的部分PC上将VRRP备份组3的地址10.3.0.3设置为默认网关，在内网的另一部分PC上将VRRP备份组4的地址10.3.0.4设置为默认网关，从而实现内网流量的负载分担。

8. 配置Router。

        在Router上配置到NAT地址池的等价路由，路由下一跳分别指向VRRP备份组1和VRRP备份组2的虚拟IP地址。