Huawei USG firewall: linking ip-link with static routes and PBR (policy-based routing)







interface GigabitEthernet0/0/0.2
vlan-type dot1q 2        // gateway for VLAN 2
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet0/0/0.3
vlan-type dot1q 3        // gateway for VLAN 3
ip address 192.168.3.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.100.1.1 255.255.255.0
#
trust
priority is 85
interface of the zone is (3):
GigabitEthernet0/0/0.2
GigabitEthernet0/0/0.3
#
ctc
priority is 10
interface of the zone is (1):
GigabitEthernet0/0/1
#
cnc
priority is 20
interface of the zone is (1):
GigabitEthernet0/0/2
#
------------------------------------------------------------------------------------
policy interzone trust ctc outbound
policy 0
action permit
policy source 192.168.2.0 mask 24
policy source 192.168.3.0 mask 24
#
policy interzone trust cnc outbound
policy 0
action permit
policy source 192.168.2.0 mask 24
policy source 192.168.3.0 mask 24
#
----------------------------------------------------------------------

nat-policy interzone trust ctc outbound
policy 0
action source-nat
policy source 192.168.2.0 mask 24
policy source 192.168.3.0 mask 24
easy-ip GigabitEthernet0/0/1
#
nat-policy interzone trust cnc outbound
policy 0
action source-nat
policy source 192.168.2.0 mask 24
policy source 192.168.3.0 mask 24
easy-ip GigabitEthernet0/0/2
----------------------------------------------------------------------------
policy-based-route PBR1 permit node 1
if-match acl 3001
apply ip-address next-hop 202.100.1.2    // traffic matching ACL 3001 is given next hop 202.100.1.2
#
policy-based-route PBR2 permit node 2
if-match acl 3002
apply ip-address next-hop 202.100.2.2    // traffic matching ACL 3002 is given next hop 202.100.2.2
#
acl number 3001
rule 5 deny ip destination 192.168.3.0 0.0.0.255    // traffic to 192.168.3.0/24 is excluded from the policy, so inter-VLAN traffic follows the routing table instead of being pushed to the ISP
rule 10 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
rule 1 deny ip destination 192.168.2.0 0.0.0.255    // traffic to 192.168.2.0/24 is excluded from the policy for the same reason
rule 5 permit ip source 192.168.3.0 0.0.0.255

ip-link 1 destination 202.100.1.2 interface GigabitEthernet 0/0/1 mode icmp
ip-link 2 destination 202.100.2.2 interface GigabitEthernet 0/0/2 mode icmp
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.2 track ip-link 2

interface GigabitEthernet0/0/0.2
ip policy-based-route PBR1
#
interface GigabitEthernet0/0/0.3
ip policy-based-route PBR2

Suppose the ip-link probe to 202.100.1.2 fails. The static route that tracks ip-link 1 is then withdrawn, and PBR1, whose next hop is no longer reachable through a valid route, stops taking effect. Traffic sourced from 192.168.2.0/24 therefore falls back to the remaining default route and leaves via next hop 202.100.2.2. Once the probe to 202.100.1.2 succeeds again, the tracked static route is reinstalled, PBR1 takes effect with it, and 192.168.2.0/24 again uses next hop 202.100.1.2.
Summary: the ip-link probe state drives the static route, and the static route drives the policy route.
Note that both ip-links probe the directly attached ISP gateway with ICMP (mode icmp, destination = next hop): a failure further upstream is not detected, and a gateway that stops answering ICMP while still forwarding will look down and trigger a failover.
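The failover behaviour just described, as an added Python model that is not part of the original post and not code from the USG itself. It copies the addresses, ACL rules, PBR nodes and tracked default routes from the configuration above; the ip-link probe results are constructed inputs, and the evaluation order (PBR before the routing table, PBR honoured only while its next hop still has a valid route, connected routes before default routes) is an assumption that mirrors the explanation on this page. It also shows why the deny rules in ACL 3001/3002 are needed.

```python
"""Model of ip-link -> tracked static route -> PBR failover (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei-style ACL match: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class AclRule:
    action: str                                   # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None         # (base, wildcard), None = any
    dst: Optional[Tuple[str, str]] = None


def acl_matches(rules: List[AclRule], src: str, dst: str) -> bool:
    """First matching rule wins; no matching rule means the ACL does not match."""
    for r in rules:
        if r.src and not wildcard_match(src, *r.src):
            continue
        if r.dst and not wildcard_match(dst, *r.dst):
            continue
        return r.action == "permit"
    return False


# ACLs as configured on the page
ACLS: Dict[int, List[AclRule]] = {
    3001: [AclRule("deny", dst=("192.168.3.0", "0.0.0.255")),
           AclRule("permit", src=("192.168.2.0", "0.0.0.255"))],
    3002: [AclRule("deny", dst=("192.168.2.0", "0.0.0.255")),
           AclRule("permit", src=("192.168.3.0", "0.0.0.255"))],
}

# PBR bound to each ingress sub-interface: (acl number, next hop)
PBR = {"GigabitEthernet0/0/0.2": (3001, "202.100.1.2"),
       "GigabitEthernet0/0/0.3": (3002, "202.100.2.2")}

# Default routes and the ip-link each one tracks
STATIC_DEFAULTS = [("202.100.1.2", 1), ("202.100.2.2", 2)]

# Directly connected networks (from the sub-interface addresses)
CONNECTED = {"192.168.2.0/24": "GigabitEthernet0/0/0.2",
             "192.168.3.0/24": "GigabitEthernet0/0/0.3"}


def active_next_hops(ip_link_up: Dict[int, bool]) -> List[str]:
    """A tracked static route stays in the table only while its ip-link is up."""
    return [nh for nh, link in STATIC_DEFAULTS if ip_link_up.get(link, False)]


def forward(src: str, dst: str, ingress: str, ip_link_up: Dict[int, bool],
            acls: Dict[int, List[AclRule]] = ACLS) -> str:
    """Return the next hop (or egress interface) chosen for one packet."""
    defaults = active_next_hops(ip_link_up)
    acl_num, nh = PBR[ingress]
    # 1. PBR is evaluated before the routing table, but the apply only takes
    #    effect while its next hop is still reachable via a valid route.
    if acl_matches(acls[acl_num], src, dst) and nh in defaults:
        return nh
    # 2. Ordinary routing: connected networks first ...
    for net, ifname in CONNECTED.items():
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
            return ifname
    # 3. ... then whichever tracked default route survived the probes.
    return defaults[0] if defaults else "drop"


if __name__ == "__main__":
    both_up = {1: True, 2: True}
    link1_down = {1: False, 2: True}
    print(forward("192.168.2.10", "8.8.8.8", "GigabitEthernet0/0/0.2", both_up))
    print(forward("192.168.2.10", "8.8.8.8", "GigabitEthernet0/0/0.2", link1_down))
    print(forward("192.168.2.10", "192.168.3.10", "GigabitEthernet0/0/0.2", both_up))
```

Running it with both probes up sends VLAN 2 traffic to 202.100.1.2; with ip-link 1 down the same traffic falls back to 202.100.2.2, and inter-VLAN traffic stays on the connected interface because the deny rule keeps it out of the policy. Passing ACL 3001 without its deny rule to forward() shows the failure mode the rule prevents: VLAN 2 to VLAN 3 traffic would be handed to the ISP next hop.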


Reposted from: https://blog.51cto.com/9238665/1534087
