Verifying the configuration – H3C Technologies H3C SecPath F1000-E User Manual
# Configure a static route to the headquarters network with the outgoing interface being Tunnel0
and priority value being 1.
[SecPathC] ip route-static 192.168.11.0 255.255.255.0 tunnel 0 preference 1
# Create tunnel interface Tunnel 1 and configure an IP address for it.
[SecPathC] interface tunnel 1
[SecPathC-Tunnel1] ip address 172.168.2.3 255.255.255.0
# Configure the tunnel encapsulation mode of interface Tunnel1 as GRE over IPv4.
[SecPathC-Tunnel1] tunnel-protocol gre
# Configure the source and destination IP addresses of interface Tunnel1.
[SecPathC-Tunnel1] source 11.1.1.3
[SecPathC-Tunnel1] destination 11.1.1.2
[SecPathC-Tunnel1] quit
# Configure a static route to the headquarters network with the outgoing interface being Tunnel1
and priority value being 10. This makes the priority of this route lower than that of the static route
of interface Tunnel0, making sure that SecPath C prefers the tunnel between SecPath A and
SecPath C for packet forwarding.
[SecPathC] ip route-static 192.168.11.0 255.255.255.0 tunnel 1 preference 10
NOTE:
If the link between SecPath A and SecPath C goes down, SecPath C will sense the failure and try to send
packets to SecPath B, initiating the establishment of the tunnel between SecPath B and SecPath C. Only
then can SecPath B learn the tunnel entry.
If SecPath A and SecPath C are directly connected, configuring a static route on SecPath C can make sure
that SecPath C senses the failure of the link between SecPath A and SecPath C. If the two are not directly
connected, you need to use either of the following methods to achieve the effect:
• Configure dynamic routing on SecPath A, SecPath B, and SecPath C.
• On SecPath C, associate the static route with a track entry, so as to use the track entry to track the status of the static route. For details about track entry, see High Availability Configuration Guide.
Verifying the configuration
# Ping Host A from Host C. The ping operation succeeds. View the tunnel entries on SecPath A and
SecPath B.
[SecPathA] display gre p2mp tunnel-table interface tunnel 0
Dest Addr       Mask            Tunnel Dest Addr  Gre Key
192.168.12.0    255.255.255.0   11.1.1.3
[SecPathB] display gre p2mp tunnel-table interface tunnel 0
Dest Addr       Mask            Tunnel Dest Addr  Gre Key
The output shows that SecPath A has a tunnel entry to the branch network. Packets to the branch network
are forwarded through SecPath A.
# On SecPath C, shut down interface Tunnel0 to cut off the tunnel link between SecPath A and SecPath
C.
[SecPathC] interface tunnel 0
[SecPathC-Tunnel0] shutdown
# After the tunnel entry aging time (20 seconds in this example) elapses, view the tunnel entry
information on SecPath A.
[SecPathA] display gre p2mp tunnel-table interface tunnel 0
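The verification steps above compare the tunnel tables on SecPath A and SecPath B by eye. The following added example (not part of the H3C manual) does the same check in Python over saved command output. The column layout is assumed from the output shown on this page, and the function names and status labels are hypothetical.

```python
import ipaddress

# Constructed sample input: the two tables shown on this page, saved as text.
SECPATH_A = """\
[SecPathA] display gre p2mp tunnel-table interface tunnel 0
Dest Addr       Mask            Tunnel Dest Addr  Gre Key
192.168.12.0    255.255.255.0   11.1.1.3
"""
SECPATH_B = """\
[SecPathB] display gre p2mp tunnel-table interface tunnel 0
Dest Addr       Mask            Tunnel Dest Addr  Gre Key
"""

def parse_tunnel_table(text):
    """Return [(branch_network, tunnel_peer, gre_key_or_None), ...]."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            peer = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # header row or echoed command, not a table entry
        key = fields[3] if len(fields) > 3 else None  # Gre Key column may be empty
        entries.append((net, peer, key))
    return entries

def headends_for(branch, tables):
    """Names of the headends whose table has an entry covering `branch`."""
    branch = ipaddress.ip_network(branch)
    return sorted(name for name, text in tables.items()
                  if any(branch.subnet_of(net)
                         for net, _, _ in parse_tunnel_table(text)))

def check_headend(branch, tables, expected):
    """Classify the current state against the headend that should be active."""
    holders = headends_for(branch, tables)
    if not holders:
        return "no-entry"      # branch has sent no traffic, or entries aged out
    if len(holders) > 1:
        return "multiple"      # e.g. an old entry that has not aged out yet
    return "ok" if holders == [expected] else "failed-over"

if __name__ == "__main__":
    tables = {"SecPathA": SECPATH_A, "SecPathB": SECPATH_B}
    print(check_headend("192.168.12.0/24", tables, expected="SecPathA"))
```
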