H3C Technologies H3C SecPath F1000-E User Manual
# Configure SecPath A to work in preemption mode in VRRP group 1 and set the preemption delay
to 255 seconds.
[SecPathA-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 255
# Configure SecPath A to monitor the status of the uplink interface GigabitEthernet 0/2 and, when
the interface becomes unavailable, reduce its own priority in VRRP group 1 to a value lower than
the priority value of SecPath B so that SecPath B can become the master. In this example, the
priority value decrement is 60.
[SecPathA-GigabitEthernet0/1] vrrp vrid 1 track interface GigabitEthernet 0/2 reduced 60
[SecPathA-GigabitEthernet0/1] quit
# Create VRRP group 2 and assign a virtual IP address to the group.
[SecPathA] interface GigabitEthernet 0/2
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
# Set the priority of SecPath A in VRRP group 2 to 150.
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 priority 150
# Configure SecPath A to work in preemption mode in VRRP group 2 and set the preemption delay
to 255 seconds.
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 preempt-mode timer delay 255
# Configure SecPath A to monitor the status of the downlink interface GigabitEthernet 0/1 and,
when the interface becomes unavailable, reduce its own priority in VRRP group 2 to a value lower
than the priority value of SecPath B so that SecPath B can become the master. In this example, the
priority value decrement is 60.
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 track interface GigabitEthernet 0/1 reduced 60
[SecPathA-GigabitEthernet0/2] quit
3. Configure IPsec and enable IPsec stateful failover:
# Create ACL 3101, and add a rule to permit traffic from subnet 10.1.1.0/24 to subnet
10.2.2.0/24.
[SecPathA] acl number 3101
[SecPathA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
[SecPathA-acl-adv-3101] quit
# Configure a static route to Host B.
[SecPathA] ip route-static 10.2.2.0 255.255.255.0 192.168.0.2
# Create IPsec proposal tran1.
[SecPathA] ipsec proposal tran1
# Configure the proposal to use the tunnel encapsulation mode.
[SecPathA-ipsec-proposal-tran1] encapsulation-mode tunnel
# Configure the proposal to use the ESP security protocol.
[SecPathA-ipsec-proposal-tran1] transform esp
# Configure ESP to use the DES encryption algorithm and the SHA1 authentication algorithm.
[SecPathA-ipsec-proposal-tran1] esp encryption-algorithm des
[SecPathA-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SecPathA-ipsec-proposal-tran1] quit
# Create and configure IKE peer branch.
[SecPathA] ike peer branch
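The following is an added example, not part of the H3C manual: it parses the VRRP group 2 and IPsec proposal commands shown above and reports a tracking decrement that would leave SecPath A at or above the backup's priority, and an ESP proposal that uses DES. The backup priority of 100 passed to `audit` is an assumption, because SecPath B's configuration is not on this page; the function and constant names are illustrative.

```python
import re

# Constructed sample: the VRRP group 2 and IPsec proposal commands from this page.
SAMPLE = """\
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 virtual-ip 192.168.0.1
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 priority 150
[SecPathA-GigabitEthernet0/2] vrrp vrid 2 track interface GigabitEthernet 0/1 reduced 60
[SecPathA] ipsec proposal tran1
[SecPathA-ipsec-proposal-tran1] esp encryption-algorithm des
[SecPathA-ipsec-proposal-tran1] esp authentication-algorithm sha1
"""

WEAK_ESP = {"des"}      # 56-bit key; assumed local policy: flag it for review
DEFAULT_PRIORITY = 100  # VRRP priority when none is configured


def audit(config, peer_priority):
    """Return findings. peer_priority maps vrid -> the backup's priority (assumed input)."""
    prio, tracks, findings, proposal = {}, [], [], None
    for raw in config.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop the CLI prompt
        if m := re.fullmatch(r"vrrp vrid (\d+) priority (\d+)", line):
            prio[int(m[1])] = int(m[2])
        elif m := re.fullmatch(r"vrrp vrid (\d+) track interface (.+) reduced (\d+)", line):
            tracks.append((int(m[1]), m[2], int(m[3])))
        elif m := re.fullmatch(r"ipsec proposal (\S+)", line):
            proposal = m[1]
        elif (m := re.fullmatch(r"esp encryption-algorithm (\S+)", line)) and m[1] in WEAK_ESP:
            findings.append(f"proposal {proposal}: weak ESP cipher {m[1]}")
    # Evaluate tracking after the whole config is read, so command order does not matter.
    for vrid, ifname, dec in tracks:
        left = prio.get(vrid, DEFAULT_PRIORITY) - dec
        peer = peer_priority.get(vrid, DEFAULT_PRIORITY)
        if left >= peer:  # a backup preempts only when its priority is strictly higher
            findings.append(f"vrid {vrid}: losing {ifname} leaves priority {left}, "
                            f"peer at {peer} will not take over")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, {2: 100}):
        print(finding)
```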