
USG5320A Config:
# Configure interface IP addresses
interface GigabitEthernet0/0/0
description TO_CoreSW_A
ip address 192.168.63.2 255.255.255.0
interface GigabitEthernet0/0/1
description TO_FWB
ip address 192.168.59.1 255.255.255.0
interface GigabitEthernet0/0/3
description TO_LIANTONG
ip address x.x.x.x 255.255.255.240
# Add the interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
# Configure the interzone policy (trust -> untrust, outbound; it matches on source address only, so any destination and any service is permitted for the two office ranges)
policy interzone trust untrust outbound
policy 1
action permit
policy source 10.0.0.0 0.0.255.255
policy source 172.16.0.0 0.0.255.255
# Configure the NAT policy (source NAT of both office ranges to the China Unicom public block)
nat address-group 0 LIANTONG x.x.x.x 255.255.255.240
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.0.0 0.0.255.255
policy source 10.0.0.0 0.0.255.255
address-group LIANTONG
# Configure the link reachability check (IP-Link) and bind it to the ISP default route; the second default route is the fallback via FWB
ip-link check enable
ip-link 1 destination x.x.x.z timer 5 mode icmp
ip route-static 0.0.0.0 0.0.0.0 x.x.x.z preference 50 ip-link 1
ip route-static 0.0.0.0 0.0.0.0 192.168.59.2
ip route-static 10.0.0.0 255.255.0.0 192.168.63.1
ip route-static 172.16.0.0 255.255.0.0 192.168.59.2


USG5320B Config:
# Configure interface IP addresses
interface GigabitEthernet0/0/0
description TO_CoreSW_B
ip address 192.168.62.2 255.255.255.0
interface GigabitEthernet0/0/1
description TO_FWA
ip address 192.168.59.2 255.255.255.0
interface GigabitEthernet0/0/3
description TO_DIANXIN
ip address y.y.y.y 255.255.255.240
# Add the interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
# Configure the interzone policy (trust -> untrust, outbound; it matches on source address only, so any destination and any service is permitted for the two office ranges)
policy interzone trust untrust outbound
policy 1
action permit
policy source 10.0.0.0 0.0.255.255
policy source 172.16.0.0 0.0.255.255
# Configure the NAT policy (source NAT of both office ranges to the China Telecom public block)
nat address-group 0 DIANXIN y.y.y.y 255.255.255.240
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.0.0 0.0.255.255
policy source 10.0.0.0 0.0.255.255
address-group DIANXIN
# Configure the link reachability check (IP-Link) and bind it to the ISP default route; the second default route is the fallback via FWA
ip-link check enable
ip-link 1 destination y.y.y.z timer 5 mode icmp
ip route-static 0.0.0.0 0.0.0.0 y.y.y.z preference 50 ip-link 1
ip route-static 0.0.0.0 0.0.0.0 192.168.59.1
ip route-static 172.16.0.0 255.255.0.0 192.168.62.1
ip route-static 10.0.0.0 255.255.0.0 192.168.59.1

Notes:
1. When IP-Link auto-detection finds that the link has failed, the USG5300 sets to inactive every static route whose next hop is the IP-Link probe's destination address; display fib then shows that the route bound to the IP-Link has disappeared. At the same time the firewall re-evaluates its own static routes and selects the next-best static route, so traffic keeps flowing.
2. Binding an IP-Link to a static route is supported only from USG5300 version V100R003SPC300.
3. The IP-Link probe's destination address must be the same as the static route's next-hop address.
4. Although the configuration above provides ISP link redundancy, if the core switches' VRRP fails over between master and backup, office area 1 or office area 2 loses Internet access; at that point VRRP only guarantees connectivity at layer 3 and below (speechless; I thought about it for a long time and still could not come up with a good fix). Keeping VRRP stable therefore depends on the hardware (dual main control boards and dual power supplies).
I still hope an experienced reader can offer a complete solution; I feel this configuration still has problems, and many issues remain unsolved.

Category: school network