Network topology: (diagram not reproduced in this text)
Traffic from the vlan2 subnet to the Internet normally goes out over link ISP1;
Traffic from the vlan3 subnet to the Internet normally goes out over link ISP2;
The vlan2 and vlan3 links back each other up: when one VLAN's link (the primary link) fails, its traffic is switched to the other VLAN's link (the backup link).
Configuration approach: policy-based routing (PBR) linked with IP-Link is configured as follows:
To share the load so that different links carry different traffic, configure source-address-based policy routing so that Internet-bound packets from vlan2 go out over link ISP1 and Internet-bound packets from vlan3 go out over link ISP2.
To make the vlan2 and vlan3 links back each other up and keep connectivity from being interrupted, configure the following:
Link the policy routes with IP-Link, so that IP-Link monitors the reachability of the primary link of vlan2 and of vlan3. When a primary link fails, the policy route becomes invalid and the device falls back to looking up a backup route, so the traffic keeps flowing.
Configure a static route from vlan2 toward link ISP2 and a static route from vlan3 toward link ISP1 as the backup routes for vlan2 and vlan3. Also link these static routes with IP-Link, so that IP-Link monitors the reachability of each VLAN's backup link.
Procedure:
I. Configure ISP1
1. Configure the VLAN IP addresses
[ISP1]vlan batch 101 103
[ISP1]interface Vlanif101
[ISP1-Vlanif101]ip address 100.1.1.5 255.255.255.248
[ISP1-Vlanif101]quit
[ISP1]interface Vlanif103
[ISP1-Vlanif103]ip address 100.1.3.5 255.255.255.248
[ISP1-Vlanif103]quit
2. Configure the ports
[ISP1]interface GigabitEthernet0/0/1
[ISP1-GigabitEthernet0/0/1]port link-type access
[ISP1-GigabitEthernet0/0/1]port default vlan 101
[ISP1-GigabitEthernet0/0/1]quit
[ISP1]interface GigabitEthernet0/0/2
[ISP1-GigabitEthernet0/0/2]port link-type access
[ISP1-GigabitEthernet0/0/2]port default vlan 103
[ISP1-GigabitEthernet0/0/2]quit
3. Configure the static route
[ISP1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
4. Configure OSPF
[ISP1]ospf router-id 1.1.1.1
[ISP1-ospf-1]area 1
[ISP1-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]return
II. Configure ISP2
1. Configure the VLAN IP addresses
[ISP2]vlan batch 102 104
[ISP2]interface Vlanif102
[ISP2-Vlanif102]ip address 100.1.2.5 255.255.255.248
[ISP2-Vlanif102]quit
[ISP2]interface Vlanif104
[ISP2-Vlanif104]ip address 100.1.4.5 255.255.255.248
[ISP2-Vlanif104]quit
2. Configure the ports
[ISP2]interface GigabitEthernet0/0/1
[ISP2-GigabitEthernet0/0/1]port link-type access
[ISP2-GigabitEthernet0/0/1]port default vlan 102
[ISP2-GigabitEthernet0/0/1]quit
[ISP2]interface GigabitEthernet0/0/2
[ISP2-GigabitEthernet0/0/2]port link-type access
[ISP2-GigabitEthernet0/0/2]port default vlan 104
[ISP2-GigabitEthernet0/0/2]quit
3. Configure the static route
[ISP2]ip route-static 0.0.0.0 0.0.0.0 100.1.2.1
4. Configure OSPF
[ISP2]ospf router-id 2.2.2.2
[ISP2-ospf-1]area 1
[ISP2-ospf-1-area-0.0.0.1]network 100.1.2.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]return
III. Configure Internet
1. Configure the VLAN IP addresses
[Internet]vlan batch 103 104
[Internet]interface Vlanif103
[Internet-Vlanif103]ip address 100.1.3.1 255.255.255.248
[Internet-Vlanif103]quit
[Internet]interface Vlanif104
[Internet-Vlanif104]ip address 100.1.4.1 255.255.255.248
[Internet-Vlanif104]quit
[Internet]interface LoopBack 0
[Internet-LoopBack0]ip address 3.3.3.3 32
[Internet-LoopBack0]quit
2. Configure the ports
[Internet]interface GigabitEthernet0/0/1
[Internet-GigabitEthernet0/0/1]port link-type access
[Internet-GigabitEthernet0/0/1]port default vlan 103
[Internet-GigabitEthernet0/0/1]quit
[Internet]interface GigabitEthernet0/0/2
[Internet-GigabitEthernet0/0/2]port link-type access
[Internet-GigabitEthernet0/0/2]port default vlan 104
[Internet-GigabitEthernet0/0/2]quit
3. Configure OSPF
[Internet]ospf router-id 3.3.3.3
[Internet-ospf-1]area 1
[Internet-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[Internet-ospf-1-area-0.0.0.1]return
IV. Configure the firewall
1. Configure the uplink interface
[FW1]interface GigabitEthernet0/0/3
[FW1-GigabitEthernet0/0/3]ip address 100.1.2.1 255.255.255.248
[FW1-GigabitEthernet0/0/3]description connect to ISP2
[FW1-GigabitEthernet0/0/3]quit
2. Configure the interface zones
[FW1]firewall zone name isp1
[FW1-zone-isp1]set priority 10
[FW1-zone-isp1]add interface GigabitEthernet 0/0/0
[FW1-zone-isp1]quit
[FW1]firewall zone name isp2
[FW1-zone-isp2]set priority 15
[FW1-zone-isp2]add interface GigabitEthernet 0/0/3
[FW1-zone-isp2]quit
[FW1]firewall packet-filter default permit all
3. Configure the ACLs that identify the packets to be policy-routed
[FW1]acl number 3001
[FW1-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255
[FW1-acl-adv-3001]quit
[FW1]acl number 3002
[FW1-acl-adv-3002]rule permit ip source 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]quit
4. Configure policy-based routing
# Policy to-isp: packets with source address 192.168.2.0/24 are sent to next hop 100.1.1.5
[FW1]policy-based-route to-isp permit node 5
[FW1-policy-based-route-to-isp-5]if-match acl 3001
[FW1-policy-based-route-to-isp-5]apply ip-address next-hop 100.1.1.5
[FW1-policy-based-route-to-isp-5]quit
# Policy to-isp: packets with source address 192.168.3.0/24 are sent to next hop 100.1.2.5
[FW1]policy-based-route to-isp permit node 10
[FW1-policy-based-route-to-isp-10]if-match acl 3002
[FW1-policy-based-route-to-isp-10]apply ip-address next-hop 100.1.2.5
[FW1-policy-based-route-to-isp-10]quit
# Apply the policy route on each interface
[FW1]interface GigabitEthernet0/0/0
[FW1-GigabitEthernet0/0/0]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/0]quit
[FW1]interface GigabitEthernet0/0/3
[FW1-GigabitEthernet0/0/3]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/3]quit
5. Configure IP-Link
Note: some readers may think NQA could be used here, but on the firewall NQA cannot be associated with routes, so only IP-Link can be used; IP-Link also has a major advantage in that it can be linked with policy-based routing.
[FW1]ip-link check enable
# Probe the reachability of the link from FW1 to destination address 100.1.1.5
[FW1]ip-link 1 destination 100.1.1.5 interface GigabitEthernet 0/0/0 mode icmp
# Probe the reachability of the link from FW1 to destination address 100.1.2.5
[FW1]ip-link 2 destination 100.1.2.5 interface GigabitEthernet 0/0/3 mode icmp
6. Configure the default routes and associate them with IP-Link
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
7. Define NAT
[FW1]nat-policy interzone trust isp1 outbound
[FW1-nat-policy-interzone-trust-isp1-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp1-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp1-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp1-outbound-1]easy-ip GigabitEthernet0/0/0
[FW1-nat-policy-interzone-trust-isp1-outbound-1]return
[FW1]nat-policy interzone trust isp2 outbound
[FW1-nat-policy-interzone-trust-isp2-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp2-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp2-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp2-outbound-1]easy-ip GigabitEthernet0/0/3
[FW1-nat-policy-interzone-trust-isp2-outbound-1]return
8. Apply the policy on the downlink interfaces
[FW1]interface GigabitEthernet0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.7.254 255.255.255.0
[FW1-GigabitEthernet0/0/1]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/1]description connect to SW1
[FW1-GigabitEthernet0/0/1]quit
[FW1]interface GigabitEthernet0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.6.254 255.255.255.0
[FW1-GigabitEthernet0/0/2]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/2]description connect to SW2
[FW1-GigabitEthernet0/0/2]quit
V. Failover demonstration
1. Normal state
Traffic from the vlan2 subnet to the Internet normally goes out over link ISP1;
Traffic from the vlan3 subnet to the Internet normally goes out over link ISP2;
2. Manually simulate a failure of G0/0/1 on the FW1 uplink to ISP1
Check the links: all traffic now goes via ISP2.
(Article: 11. Small and medium enterprise network architecture: extended configuration for a dual-egress firewall)
3. Manually simulate a failure of G0/0/1 on the FW1 uplink to ISP2
Check the links: all traffic now goes via ISP1.
At this point the configuration is complete.
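To make the failover behaviour demonstrated above easy to reason about, the following added example (not from the original post or from Huawei) models FW1's forwarding decision with the page's addresses, ACLs and IP-Link numbers: a PBR next hop is honoured only while its IP-Link probe is up, otherwise the packet falls back to whichever tracked default route is still installed. The "PBR entry is invalid when its IP-Link is down" behaviour is taken from the page's description and is an assumption of the model, not device code.

```python
import ipaddress

# PBR nodes of policy to-isp: (ACL source prefix, next hop, IP-Link monitoring that next hop)
PBR_TO_ISP = [
    (ipaddress.ip_network("192.168.2.0/24"), "100.1.1.5", 1),  # node 5, acl 3001
    (ipaddress.ip_network("192.168.3.0/24"), "100.1.2.5", 2),  # node 10, acl 3002
]
# Tracked default routes: (next hop, IP-Link that keeps the route installed)
DEFAULT_ROUTES = [("100.1.1.5", 1), ("100.1.2.5", 2)]


def select_next_hop(src_ip, ip_link_up):
    """Next hop FW1 uses for an Internet-bound packet from src_ip.

    ip_link_up maps IP-Link number -> True (probe succeeds) / False (probe fails).
    Returns None when no uplink is usable.
    """
    src = ipaddress.ip_address(src_ip)
    # 1. PBR on the ingress interface runs first; the first matching node wins,
    #    but only while the IP-Link for its next hop is up (assumption, see lead-in).
    for prefix, next_hop, link in PBR_TO_ISP:
        if src in prefix:
            if ip_link_up.get(link, False):
                return next_hop
            break  # matched, but the primary link is down: fall through to the routing table
    # 2. Routing table: a tracked static default route is installed only while its
    #    IP-Link is up. Hosts covered by the ACLs only reach this point when one
    #    link is down, so exactly one default route is left (with both up the real
    #    device would load-balance between the two equal-cost defaults).
    for next_hop, link in DEFAULT_ROUTES:
        if ip_link_up.get(link, False):
            return next_hop
    return None  # both uplinks down: no route, the packet is dropped


def failover_table(ip_link_up):
    """Next hop for a host in vlan2 and one in vlan3 under a given IP-Link state (constructed hosts)."""
    return {
        "vlan2": select_next_hop("192.168.2.10", ip_link_up),
        "vlan3": select_next_hop("192.168.3.10", ip_link_up),
    }


if __name__ == "__main__":
    # The four states: normal, ISP1 link failed, ISP2 link failed, both failed
    for state in ({1: True, 2: True}, {1: False, 2: True},
                  {1: True, 2: False}, {1: False, 2: False}):
        print(state, failover_table(state))
```

The second and third states reproduce the two failure demonstrations above, and the fourth shows what the page's design does not cover: with both probes failing, neither a policy route nor a default route remains and traffic is dropped.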
[FW1]display current-configuration
#
stp region-configuration
region-name 703bd915f09b
active region-configuration
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
rule 5 permit ip source 192.168.3.0 0.0.0.255
#
interface Vlanif1
alias Vlanif1
#
interface Virtual-Template1
alias Virtual-Template1
#
interface GigabitEthernet0/0/0
description connect to ISP1
alias GE0/MGMT
ip address 100.1.1.1 255.255.255.248
#
interface GigabitEthernet0/0/1
description connect to SW1
ip address 192.168.7.254 255.255.255.0
ip policy-based-route to-isp
#
interface GigabitEthernet0/0/2
description connect to SW2
ip address 192.168.6.254 255.255.255.0
ip policy-based-route to-isp
#
interface GigabitEthernet0/0/3
description connect to ISP2
ip address 100.1.2.1 255.255.255.248
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
interface LoopBack0
alias LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
#
firewall zone untrust
description ithis
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet0/0/0
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet0/0/3
#
aaa
local-user admin password cipher %$%$y@N.>~B^$O\xLy0F^K%=rZQH%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
ip route-static 192.168.0.0 255.255.0.0 192.168.7.253
ip route-static 192.168.0.0 255.255.0.0 192.168.6.253
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
policy-based-route to-isp permit node 5
if-match acl 3001
apply ip-address next-hop 100.1.1.5
policy-based-route to-isp permit node 10
if-match acl 3002
apply ip-address next-hop 100.1.2.5
#
slb
#
right-manager server-group
#
sysname FW1
#
domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local isp1 direction inbound
firewall packet-filter default permit interzone local isp1 direction outbound
firewall packet-filter default permit interzone local isp2 direction inbound
firewall packet-filter default permit interzone local isp2 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust isp1 direction inbound
firewall packet-filter default permit interzone trust isp1 direction outbound
firewall packet-filter default permit interzone trust isp2 direction inbound
firewall packet-filter default permit interzone trust isp2 direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone isp1 untrust direction inbound
firewall packet-filter default permit interzone isp1 untrust direction outbound
firewall packet-filter default permit interzone isp2 untrust direction inbound
firewall packet-filter default permit interzone isp2 untrust direction outbound
firewall packet-filter default permit interzone dmz isp1 direction inbound
firewall packet-filter default permit interzone dmz isp1 direction outbound
firewall packet-filter default permit interzone dmz isp2 direction inbound
firewall packet-filter default permit interzone dmz isp2 direction outbound
firewall packet-filter default permit interzone isp2 isp1 direction inbound
firewall packet-filter default permit interzone isp2 isp1 direction outbound
#
ip ttl-expires enable
ip df-unreachables enable
#
undo dhcp enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1 101 103
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
policy interzone trust untrust inbound
policy 1
action permit
#
policy interzone trust isp1 inbound
policy 1
action permit
#
policy interzone trust isp2 inbound
policy 1
action permit
#
nat-policy interzone trust isp1 outbound
policy 1
description tihsi
action source-nat
policy source 192.168.0.0 mask 16
easy-ip GigabitEthernet0/0/0
#
nat-policy interzone trust isp2 outbound
policy 1
action source-nat
policy source 192.168.0.0 mask 16
easy-ip GigabitEthernet0/0/3
#
return