Huawei USG firewall: ip-link working together with static routes and PBR (policy-based routing)
Author: lsc
9 November 2015, 23:53

Topology diagram (figure not preserved)

----------------------------------------------------
Router configuration

R1
 int g0/0/0
  ip add 192.168.2.1 24
  undo shut
 ip route-static 0.0.0.0 0.0.0.0 192.168.2.254

R2
 int g0/0/0
  ip add 192.168.3.1 24
  undo shut
 ip route-static 0.0.0.0 0.0.0.0 192.168.3.254

----------------------------------------------------
Switch configuration

 vlan batch 2 to 3                      create VLAN 2 and VLAN 3
 int e0/0/0
  port link-type trunk                  trunk link to the firewall
  port trunk allow-pass vlan 2 to 3
----
 int e0/0/2
  port link-type access
  port default vlan 2
  stp edged-port enable
----
 int e0/0/3
  port link-type access
  port default vlan 3
  stp edged-port enable

----------------------------------------------------
ISP router

 int g0/0/0
  ip add 202.100.1.2 24
  undo shut
 int g0/0/1
  ip add 202.100.2.2 24

----------------------------------------------------
Firewall configuration
-------
Configure IP addresses (one sub-interface per VLAN)

 interface GigabitEthernet0/0/0.2       VLAN 2 gateway
  vlan-type dot1q 2
  ip address 192.168.2.254 255.255.255.0
  ip policy-based-route PBR1
---------------
 interface GigabitEthernet0/0/0.3       VLAN 3 gateway
  vlan-type dot1q 3
  ip address 192.168.3.254 255.255.255.0
  ip policy-based-route PBR2

-------------------------------------
Zones

 firewall zone trust                    add the sub-interfaces to trust
  add interface GigabitEthernet0/0/0
  add interface GigabitEthernet0/0/0.2
  add interface GigabitEthernet0/0/0.3
-----------
 firewall zone name ctc                 name the new zone ctc
  set priority 10                       set the zone priority (manually)
  add interface GigabitEthernet0/0/1    add the interface
-
 firewall zone name cnc                 name the new zone cnc
  set priority 20                       set the zone priority (manually)
  add interface GigabitEthernet0/0/2    add the interface

------------
Access control lists (referenced by the policy routes below)

 acl number 3001
  rule 5 deny ip destination 192.168.3.0 0.0.0.255     traffic destined for 192.168.3.0 must not match the policy
  rule 10 permit ip source 192.168.2.0 0.0.0.255
------
 acl number 3002
  rule 1 deny ip destination 192.168.2.0 0.0.0.255     traffic destined for 192.168.2.0 must not match the policy
  rule 5 permit ip source 192.168.3.0 0.0.0.255

------
Policy routing

 policy-based-route PBR1 permit node 1
  if-match acl 3001                                    reference the ACL
  apply ip-address next-hop 202.100.1.2                next hop is the ISP address: traffic matching acl 3001 is sent to 202.100.1.2
-------
 policy-based-route PBR2 permit node 2
  if-match acl 3002
  apply ip-address next-hop 202.100.2.2                traffic matching acl 3002 is sent to 202.100.2.2

-------
Apply the policy routes to the sub-interfaces

 interface GigabitEthernet0/0/0.2
  ip policy-based-route PBR1
 #
 interface GigabitEthernet0/0/0.3
  ip policy-based-route PBR2

--------------------------------------------------------------
Enable ip-link detection

 ip-link check enable                                  (must be entered)
 ip-link 1 destination 202.100.1.2 interface GigabitEthernet 0/0/1 mode icmp
 ip-link 2 destination 202.100.2.2 interface GigabitEthernet 0/0/2 mode icmp
 ip route-static 0.0.0.0 0.0.0.0 202.100.1.2 track ip-link 1
 ip route-static 0.0.0.0 0.0.0.0 202.100.2.2 track ip-link 2

---------------
Security policies

 policy interzone trust ctc outbound
  policy 0
   action permit                                       allow through
   policy source 192.168.2.0 mask 24
   policy source 192.168.3.0 mask 24
 policy interzone trust cnc outbound
  policy 0
   action permit
   policy source 192.168.2.0 mask 24
   policy source 192.168.3.0 mask 24
 #
 nat-policy interzone trust ctc outbound
  policy 0
   action source-nat
   policy source 192.168.2.0 mask 24
   policy source 192.168.3.0 mask 24
   easy-ip GigabitEthernet0/0/1
 #
 nat-policy interzone trust cnc outbound
  policy 0
   action source-nat
   policy source 192.168.2.0 mask 24
   policy source 192.168.3.0 mask 24
   easy-ip GigabitEthernet0/0/2

----------------------------------------------------------------
Now ping the ISP networks from the routers to test connectivity

 R1 ping ISP CTC
 R2 ping ISP cnc
 You can also try R1 ping ISP cnc

-------
Check the session table on the firewall (random)
-------
Long-running ping command: ping -c 20 202.100.1.2   (the value after -c is the number of packets)
-------
Try pausing one ISP line and compare the traffic before and after:
 R2 ping 100.100.100.100
 Check the session table: the traffic prefers cnc.
 When the cnc line goes down, traffic switches to ctc automatically.

Lab complete
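The decision the firewall makes in this lab (PBR consulted before the routing table, ACL deny lines keeping VLAN-to-VLAN traffic local, default routes tracked by ip-link) can be modelled in a few lines. This is an added example, not code from the note or from Huawei; the addressing is the lab's, and the rule that a PBR next hop whose ip-link probe fails is skipped is an assumption used to model the failover the note describes.

```python
import ipaddress

# Addressing taken from the note; the connected nets are the two VLAN gateways.
CONNECTED = ["192.168.2.0/24", "192.168.3.0/24"]
# ACL rules as (action, source net, destination net); None means "any".
# Huawei wildcard masks are written as hostmasks, which ipaddress parses directly.
ACL = {
    3001: [("deny", None, "192.168.3.0/0.0.0.255"),
           ("permit", "192.168.2.0/0.0.0.255", None)],
    3002: [("deny", None, "192.168.2.0/0.0.0.255"),
           ("permit", "192.168.3.0/0.0.0.255", None)],
}
# PBR per ingress sub-interface: (ACL, next hop, ip-link that probes that next hop).
PBR = {"GigabitEthernet0/0/0.2": (3001, "202.100.1.2", 1),   # ctc line
       "GigabitEthernet0/0/0.3": (3002, "202.100.2.2", 2)}   # cnc line
# The two default routes, each tracked by its ip-link.
STATIC_DEFAULTS = [("202.100.1.2", 1), ("202.100.2.2", 2)]


def in_net(addr, net):
    """True when net is None (any) or addr falls inside net."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl_number, src, dst):
    """First matching rule wins; traffic that matches no rule is not redirected."""
    for action, src_net, dst_net in ACL[acl_number]:
        if in_net(src, src_net) and in_net(dst, dst_net):
            return action == "permit"
    return False


def next_hops(ingress, src, dst, link_up):
    """Candidate next hops for a packet; link_up maps ip-link id -> probe state."""
    acl_number, hop, link = PBR[ingress]
    # PBR is consulted before the routing table, which is why each ACL starts with a
    # deny for the other VLAN: without it, VLAN-to-VLAN traffic would be pushed to the ISP.
    # Assumption (models the failover the note describes): a next hop whose ip-link
    # probe fails is skipped and the packet falls through to the routing table.
    if acl_permits(acl_number, src, dst) and link_up[link]:
        return [hop]
    if any(in_net(dst, net) for net in CONNECTED):
        return ["connected"]          # directly connected VLAN, no next hop needed
    # Only default routes whose tracked ip-link is up remain in the routing table.
    return [h for h, tracked in STATIC_DEFAULTS if link_up[tracked]]
```

Removing the deny line from either ACL and re-running the VLAN-to-VLAN case shows the misrouting the note's annotations warn about.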