#|11. SMB network architecture, extension: configuring dual ISP uplinks on the firewall

Network topology: (diagram)

Under normal conditions, Internet-bound traffic from the vlan2 segment leaves over the ISP1 link;
under normal conditions, Internet-bound traffic from the vlan3 segment leaves over the ISP2 link;
the two links back each other up: when the primary link of one VLAN fails, that VLAN's traffic is switched to the other VLAN's link (the backup link).
Configuration approach: policy-based routing combined with IP-Link, as follows:
To spread the traffic across the two links, configure source-address-based policy routing so that Internet-bound packets from vlan2 are sent to the ISP1 link and those from vlan3 to the ISP2 link.
To make the vlan2 and vlan3 links back each other up so that connectivity is not interrupted, configure the following:
Tie the policy routing to IP-Link so that IP-Link monitors the reachability of each VLAN's primary link. When the primary link fails, the policy route no longer applies and the device falls back to the backup route in the routing table, so traffic keeps flowing.
Configure a static route from vlan2 toward the ISP2 link and one from vlan3 toward the ISP1 link as the backup routes (in the configuration below these are two default routes, one per ISP), and tie these static routes to IP-Link as well, so that IP-Link monitors the reachability of each backup link.
Procedure:
I. Configure ISP1
1. Configure VLAN IP addresses

[ISP1]vlan batch 101 103
[ISP1]interface Vlanif101
[ISP1-Vlanif101]ip address 100.1.1.5 255.255.255.248
[ISP1-Vlanif101]quit
[ISP1]interface Vlanif103
[ISP1-Vlanif103]ip address 100.1.3.5 255.255.255.248
[ISP1-Vlanif103]quit

2. Configure the ports
[ISP1]interface GigabitEthernet0/0/1
[ISP1-GigabitEthernet0/0/1]port link-type access
[ISP1-GigabitEthernet0/0/1]port default vlan 101
[ISP1-GigabitEthernet0/0/1]quit
[ISP1]interface GigabitEthernet0/0/2
[ISP1-GigabitEthernet0/0/2]port link-type access
[ISP1-GigabitEthernet0/0/2]port default vlan 103
[ISP1-GigabitEthernet0/0/2]quit

3. Configure a static route
[ISP1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

4. Configure OSPF
[ISP1]ospf router-id 1.1.1.1
[ISP1-ospf-1]area 1
[ISP1-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]return

II. Configure ISP2
1. Configure VLAN IP addresses
[ISP2]vlan batch 102 104
[ISP2]interface Vlanif102
[ISP2-Vlanif102]ip address 100.1.2.5 255.255.255.248
[ISP2-Vlanif102]quit
[ISP2]interface Vlanif104
[ISP2-Vlanif104]ip address 100.1.4.5 255.255.255.248
[ISP2-Vlanif104]quit

2. Configure the ports
[ISP2]interface GigabitEthernet0/0/1
[ISP2-GigabitEthernet0/0/1]port link-type access
[ISP2-GigabitEthernet0/0/1]port default vlan 102
[ISP2-GigabitEthernet0/0/1]quit
[ISP2]interface GigabitEthernet0/0/2
[ISP2-GigabitEthernet0/0/2]port link-type access
[ISP2-GigabitEthernet0/0/2]port default vlan 104
[ISP2-GigabitEthernet0/0/2]quit

3. Configure a static route
[ISP2]ip route-static 0.0.0.0 0.0.0.0 100.1.2.1

4. Configure OSPF
[ISP2]ospf router-id 2.2.2.2
[ISP2-ospf-1]area 1
[ISP2-ospf-1-area-0.0.0.1]network 100.1.2.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]return

III. Configure the Internet router
1. Configure VLAN IP addresses
[Internet]vlan batch 103 104
[Internet]interface Vlanif103
[Internet-Vlanif103]ip address 100.1.3.1 255.255.255.248
[Internet-Vlanif103]quit
[Internet]interface Vlanif104
[Internet-Vlanif104]ip address 100.1.4.1 255.255.255.248
[Internet-Vlanif104]quit
[Internet]interface LoopBack 0
[Internet-LoopBack0]ip address 3.3.3.3 32
[Internet-LoopBack0]quit

2. Configure the ports
[Internet]interface GigabitEthernet0/0/1
[Internet-GigabitEthernet0/0/1]port link-type access
[Internet-GigabitEthernet0/0/1]port default vlan 103
[Internet-GigabitEthernet0/0/1]quit
[Internet]interface GigabitEthernet0/0/2
[Internet-GigabitEthernet0/0/2]port link-type access
[Internet-GigabitEthernet0/0/2]port default vlan 104
[Internet-GigabitEthernet0/0/2]quit

3. Configure OSPF
[Internet]ospf router-id 3.3.3.3
[Internet-ospf-1]area 1
[Internet-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[Internet-ospf-1-area-0.0.0.1]return

IV. Configure the firewall
1. Configure the uplink interfaces
GigabitEthernet0/0/0 faces ISP1 and is addressed 100.1.1.1/29 in the same way (see the running configuration at the end of the article); the commands below configure the ISP2 side:
[FW1]interface GigabitEthernet0/0/3
[FW1-GigabitEthernet0/0/3]ip address 100.1.2.1 255.255.255.248
[FW1-GigabitEthernet0/0/3]description connect to ISP2
[FW1-GigabitEthernet0/0/3]quit

2. Configure the security zones
[FW1]firewall zone name isp1
[FW1-zone-isp1]set priority 10
[FW1-zone-isp1]add interface GigabitEthernet 0/0/0
[FW1-zone-isp1]quit
[FW1]firewall zone name isp2
[FW1-zone-isp2]set priority 15
[FW1-zone-isp2]add interface GigabitEthernet 0/0/3
[FW1-zone-isp2]quit
[FW1]firewall packet-filter default permit all
Note that `firewall packet-filter default permit all` makes permit the default action for every zone pair in both directions (the running configuration at the end of the article shows it expanded into one line per pair and direction), and the `policy interzone trust isp1 inbound` / `trust isp2 inbound` rules there permit traffic from the ISP zones toward trust with no match conditions at all. That leaves the firewall doing routing and NAT but no filtering, which is acceptable only in this lab; before production, leave the default action at deny and write explicit trust-to-isp outbound policies for the internal source ranges.

3. Configure ACLs to identify the traffic to be policy-routed
[FW1]acl number 3001
[FW1-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255
[FW1-acl-adv-3001]quit
[FW1]acl number 3002
[FW1-acl-adv-3002]rule permit ip source 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]quit

4. Configure policy-based routing
# Policy to-isp, node 5: packets sourced from 192.168.2.0/24 are sent to next hop 100.1.1.5
[FW1]policy-based-route to-isp permit node 5
[FW1-policy-based-route-to-isp-5]if-match acl 3001
[FW1-policy-based-route-to-isp-5]apply ip-address next-hop 100.1.1.5
[FW1-policy-based-route-to-isp-5]quit
# Policy to-isp, node 10: packets sourced from 192.168.3.0/24 are sent to next hop 100.1.2.5
[FW1]policy-based-route to-isp permit node 10
[FW1-policy-based-route-to-isp-10]if-match acl 3002
[FW1-policy-based-route-to-isp-10]apply ip-address next-hop 100.1.2.5
[FW1-policy-based-route-to-isp-10]quit
# Apply the policy route on the interfaces
[FW1]interface GigabitEthernet0/0/0
[FW1-GigabitEthernet0/0/0]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/0]quit
[FW1]interface GigabitEthernet0/0/3
[FW1-GigabitEthernet0/0/3]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/3]quit
Policy routing acts on packets as they enter an interface, so the place it must be applied is the downlink interfaces where traffic from 192.168.2.0/24 and 192.168.3.0/24 arrives (step 8). The running configuration at the end of the article shows it applied only there, not on the two uplinks.

5. Configure IP-Link
Note: some of you may think NQA could be used here, but on the firewall NQA cannot be associated with routes, so only IP-Link can be used; IP-Link also has a major advantage in that it can be linked with policy-based routing.
[FW1]ip-link check enable
# Probe the reachability of the path from FW1 to 100.1.1.5
[FW1]ip-link 1 destination 100.1.1.5 interface GigabitEthernet 0/0/0 mode icmp
# Probe the reachability of the path from FW1 to 100.1.2.5
[FW1]ip-link 2 destination 100.1.2.5 interface GigabitEthernet 0/0/3 mode icmp
Both probes target the directly connected ISP gateway, so they detect a failure of the FW1-to-ISP link but not one further upstream (for instance between ISP1 and the Internet router); if that matters, probe an address beyond the ISP edge. Also note that the policy-route nodes in step 4 carry no IP-Link association in this configuration: in the failure demonstration below the primary next hop becomes unreachable because the interface goes down, the policy route can no longer be applied, and the packet falls through to the routing table, where the tracked default routes of step 6 select the surviving ISP.



6. Configure default routes and associate them with IP-Link
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
When an IP-Link probe fails, the default route that tracks it is withdrawn from the routing table, leaving only the default route via the other ISP.

7. Configure NAT
[FW1]nat-policy interzone trust isp1 outbound
[FW1-nat-policy-interzone-trust-isp1-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp1-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp1-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp1-outbound-1]easy-ip GigabitEthernet0/0/0
[FW1-nat-policy-interzone-trust-isp1-outbound-1]return
[FW1]nat-policy interzone trust isp2 outbound
[FW1-nat-policy-interzone-trust-isp2-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp2-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp2-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp2-outbound-1]easy-ip GigabitEthernet0/0/3
[FW1-nat-policy-interzone-trust-isp2-outbound-1]return
A separate easy-ip policy per ISP zone is needed so that each flow is translated to the address of the uplink it actually leaves on; after a failover the surviving ISP's policy takes over automatically.

8. Apply the policy route on the downlink interfaces
[FW1]interface GigabitEthernet0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.7.254 255.255.255.0
[FW1-GigabitEthernet0/0/1]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/1]description connect to SW1
[FW1-GigabitEthernet0/0/1]quit
[FW1]interface GigabitEthernet0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.6.254 255.255.255.0
[FW1-GigabitEthernet0/0/2]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/2]description connect to SW2
[FW1-GigabitEthernet0/0/2]quit

V. Failure demonstration
1. Normal state
Internet-bound traffic from the vlan2 segment takes the ISP1 link (screenshot).
Internet-bound traffic from the vlan3 segment takes the ISP2 link (screenshot).

2. Manually simulate a failure of G0/0/1 on ISP1, the port in VLAN 101 facing FW1 (screenshot).
Checking the links, all traffic now goes via ISP2 (screenshots).

3. Manually simulate a failure of G0/0/1 on ISP2, the port in VLAN 102 facing FW1 (screenshot).
Checking the links, all traffic now goes via ISP1 (screenshots).

That completes the configuration. The firewall's running configuration, for reference:
[FW1]display current-configuration
#
 stp region-configuration
  region-name 703bd915f09b
  active region-configuration
#
acl number 3001
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
 rule 5 permit ip source 192.168.3.0 0.0.0.255
#
interface Vlanif1
 alias Vlanif1
#
interface Virtual-Template1
 alias Virtual-Template1
#
interface GigabitEthernet0/0/0
 description connect to ISP1
 alias GE0/MGMT
 ip address 100.1.1.1 255.255.255.248
#
interface GigabitEthernet0/0/1
 description connect to SW1
 ip address 192.168.7.254 255.255.255.0
 ip policy-based-route to-isp
#
interface GigabitEthernet0/0/2
 description connect to SW2
 ip address 192.168.6.254 255.255.255.0
 ip policy-based-route to-isp
#
interface GigabitEthernet0/0/3
 description connect to ISP2
 ip address 100.1.2.1 255.255.255.248
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
interface LoopBack0
 alias LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 description ithis
 set priority 5
#
firewall zone dmz
 set priority 50
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet0/0/0
#
firewall zone name isp2
 set priority 15
 add interface GigabitEthernet0/0/3
#
aaa
 local-user admin password cipher %$%$y@N.>~B^$O\xLy0F^K%=rZQH%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
 nqa-jitter tag-version 1
#
 ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
 ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
 ip route-static 192.168.0.0 255.255.0.0 192.168.7.253
 ip route-static 192.168.0.0 255.255.0.0 192.168.6.253
#
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
policy-based-route to-isp permit node 5
 if-match acl 3001
 apply ip-address next-hop 100.1.1.5
policy-based-route to-isp permit node 10
 if-match acl 3002
 apply ip-address next-hop 100.1.2.5
#
slb
#
right-manager server-group
#
 sysname FW1
#
 domain suffix-separator @
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local isp1 direction inbound
 firewall packet-filter default permit interzone local isp1 direction outbound
 firewall packet-filter default permit interzone local isp2 direction inbound
 firewall packet-filter default permit interzone local isp2 direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone trust isp1 direction inbound
 firewall packet-filter default permit interzone trust isp1 direction outbound
 firewall packet-filter default permit interzone trust isp2 direction inbound
 firewall packet-filter default permit interzone trust isp2 direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone isp1 untrust direction inbound
 firewall packet-filter default permit interzone isp1 untrust direction outbound
 firewall packet-filter default permit interzone isp2 untrust direction inbound
 firewall packet-filter default permit interzone isp2 untrust direction outbound
 firewall packet-filter default permit interzone dmz isp1 direction inbound
 firewall packet-filter default permit interzone dmz isp1 direction outbound
 firewall packet-filter default permit interzone dmz isp2 direction inbound
 firewall packet-filter default permit interzone dmz isp2 direction outbound
 firewall packet-filter default permit interzone isp2 isp1 direction inbound
 firewall packet-filter default permit interzone isp2 isp1 direction outbound
#
 ip ttl-expires enable
 ip df-unreachables enable
#
 undo dhcp enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
vlan batch 1 101 103
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy
#
 license-server domain lic.huawei.com
#
 web-manager enable
#
policy interzone trust untrust inbound
 policy 1
  action permit
#
policy interzone trust isp1 inbound
 policy 1
  action permit
#
policy interzone trust isp2 inbound
 policy 1
  action permit
#
nat-policy interzone trust isp1 outbound
 policy 1
  description tihsi
  action source-nat
  policy source 192.168.0.0 mask 16
  easy-ip GigabitEthernet0/0/0
#
nat-policy interzone trust isp2 outbound
 policy 1
  action source-nat
  policy source 192.168.0.0 mask 16
  easy-ip GigabitEthernet0/0/3
#
return
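The running configuration above is worth auditing as well as reading: besides the dual-ISP logic it carries a default-permit between every zone pair, inbound permit-any policies from both ISP zones to trust, console and VTY lines with `authentication-mode none`, and telnet enabled for the admin user. As an added example (not code from the original article or from Huawei), the Python script below reads a `display current-configuration` dump, splits it into the `#`-delimited blocks VRP prints, and flags exactly those classes of setting. `SAMPLE_CONFIG` is an excerpt of the FW1 dump above with the password cipher replaced by a placeholder, plus one constructed `trust isp1 outbound` policy with a source match so that a rule that passes the check is also present; the check names and finding strings are the script's own.

```python
"""Audit a Huawei USG `display current-configuration` dump for permissive settings.
Added example, not code from the article or from Huawei. SAMPLE_CONFIG is an excerpt of
the FW1 dump in the article plus one constructed outbound policy that has a source match."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
#
aaa
 local-user admin password cipher %$%$REDACTED%$%$
 local-user admin service-type web terminal telnet
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone trust isp1 direction inbound
 firewall packet-filter default permit interzone trust isp1 direction outbound
#
policy interzone trust isp1 inbound
 policy 1
  action permit
#
policy interzone trust isp1 outbound
 policy 1
  policy source 192.168.2.0 0.0.0.255
  action permit
#
return
"""


def split_blocks(config: str) -> List[List[str]]:
    """Group non-empty lines into the blocks that VRP separates with a bare '#'."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def check_default_permit(block: List[str], findings: List[str]) -> None:
    """Default-permit between two forwarding zones bypasses policy; 'local' pairs are skipped."""
    for line in block:
        m = re.fullmatch(
            r"firewall packet-filter default permit interzone (\S+) (\S+) direction (\S+)", line)
        if m and "local" not in (m.group(1), m.group(2)):
            findings.append(f"default permit {m.group(1)}->{m.group(2)} {m.group(3)}: "
                            "forwarded without matching any security policy")


def check_management(block: List[str], findings: List[str]) -> None:
    """Console/VTY lines that need no login, and telnet as a management protocol."""
    ui = None
    for line in block:
        if line.startswith("user-interface"):
            ui = line
        elif line == "authentication-mode none" and ui:
            findings.append(f"{ui}: authentication-mode none, login needs no credentials")
        elif line == "protocol inbound all" and ui and "vty" in ui:
            findings.append(f"{ui}: protocol inbound all, cleartext telnet is accepted")
        m = re.fullmatch(r"local-user (\S+) service-type (.+)", line)
        if m and "telnet" in m.group(2).split():
            findings.append(f"local-user {m.group(1)}: telnet service-type, cleartext management")


def check_policies(block: List[str], findings: List[str]) -> None:
    """A permit rule with no source/destination/service condition is a permit-any."""
    head = block[0]
    if not head.startswith("policy interzone"):
        return
    rules: Dict[str, List[str]] = {}
    rule = None
    for line in block[1:]:
        if re.fullmatch(r"policy \d+", line):
            rule = line
            rules[rule] = []
        elif rule is not None:
            rules[rule].append(line)
    for rule, body in rules.items():
        if "action permit" in body and not any(
                l.startswith(("policy source", "policy destination", "policy service")) for l in body):
            findings.append(f"{head} {rule}: action permit with no match conditions")


def audit(config: str) -> List[str]:
    """Run every check over every block and return the findings in configuration order."""
    findings: List[str] = []
    for block in split_blocks(config):
        for check in (check_default_permit, check_management, check_policies):
            check(block, findings)
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns seven findings on the excerpt: the telnet service-type, two lines with no authentication, the VTY accepting all inbound protocols, the two trust-isp1 default-permits, and the inbound permit-any policy; the constructed outbound policy with a source match is left alone. The checks are pattern-based on this platform's `firewall packet-filter default permit interzone ...` and `policy interzone ...` syntax and would need adjusting for the unified `security-policy` syntax of newer USG releases.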

