Firewall backup with static routes + NQA link detection

After the static routes are configured, why does the primary/backup switchover still not happen? And how do you make NQA work together with the static routes?

   Today I'll show you hands-on how to do it: a step-by-step tutorial that even a beginner can follow!

Step 1:

        First, build the topology and address it. The primary path is PC1 - SW1 - SW3 - FW1 - SW2 - PC2, the backup path is PC1 - SW1 - SW4 - FW2 - SW2 - PC2. Every link is a /24.

        [SW1]vlan batch 10 20 30
        [SW1]int vlan 10
        [SW1-Vlanif10]ip add 192.168.1.2 24                //towards PC1
        [SW1-Vlanif10]int vlan 20
        [SW1-Vlanif20]ip add 10.1.1.1 24                   //towards SW3 (primary path)
        [SW1-Vlanif20]int vlan 30
        [SW1-Vlanif30]ip add 10.1.4.1 24                   //towards SW4 (backup path)
        [SW1-Vlanif30]int g0/0/1
        [SW1-GigabitEthernet0/0/1]port link-type access
        [SW1-GigabitEthernet0/0/1]port default vlan 10
        [SW1-GigabitEthernet0/0/1]int g0/0/2
        [SW1-GigabitEthernet0/0/2]port link-type access
        [SW1-GigabitEthernet0/0/2]port default vlan 20
        [SW1-GigabitEthernet0/0/2]int g0/0/3
        [SW1-GigabitEthernet0/0/3]port link-type access
        [SW1-GigabitEthernet0/0/3]port default vlan 30

         [SW3]vlan batch 10 20
         [SW3]int vlan 10
         [SW3-Vlanif10]ip add 10.1.1.2 24
         [SW3-Vlanif10]int vlan 20
         [SW3-Vlanif20]ip add 10.1.2.1 24
         [SW3-Vlanif20]int g0/0/1
         [SW3-GigabitEthernet0/0/1]port link-type access
         [SW3-GigabitEthernet0/0/1]port default vlan 10
         [SW3-GigabitEthernet0/0/1]int g0/0/2
         [SW3-GigabitEthernet0/0/2]port link-type access
         [SW3-GigabitEthernet0/0/2]port default vlan 20

        Username:admin
        Password:Admin@123
        Please enter new password:Huawei@123
        [FW1]int g0/0/0
        [FW1-GigabitEthernet0/0/0]ip add 10.1.2.2 24
        [FW1-GigabitEthernet0/0/0]int g1/0/0
        [FW1-GigabitEthernet1/0/0]ip add 10.1.3.1 24   

        [SW2]vlan b 10 20 30
        [SW2]int vlan 10
        [SW2-Vlanif10]ip add 10.1.3.2 24                   //towards FW1 (primary path)
        [SW2-Vlanif10]int vlan 20
        [SW2-Vlanif20]ip add 10.1.6.2 24                   //towards FW2 (backup path)
        [SW2-Vlanif20]int vlan 30
        [SW2-Vlanif30]ip add 192.168.2.2 24                //towards PC2
        [SW2-Vlanif30]int g0/0/1
        [SW2-GigabitEthernet0/0/1]port link-type access
        [SW2-GigabitEthernet0/0/1]port default vlan 10
        [SW2-GigabitEthernet0/0/1]int g0/0/2
        [SW2-GigabitEthernet0/0/2]port link-type access
        [SW2-GigabitEthernet0/0/2]port default vlan 20
        [SW2-GigabitEthernet0/0/2]int g0/0/3
        [SW2-GigabitEthernet0/0/3]port link-type access
        [SW2-GigabitEthernet0/0/3]port default vlan 30

        [SW4]vlan b 10 20
        [SW4]int vlan 10
        [SW4-Vlanif10]ip add 10.1.4.2 24
        [SW4-Vlanif10]int vlan 20
        [SW4-Vlanif20]ip add 10.1.5.1 24
        [SW4-Vlanif20]int g0/0/1
        [SW4-GigabitEthernet0/0/1]port link-type access
        [SW4-GigabitEthernet0/0/1]port default vlan 10
        [SW4-GigabitEthernet0/0/1]int g0/0/2
        [SW4-GigabitEthernet0/0/2]port link-type access
        [SW4-GigabitEthernet0/0/2]port default vlan 20

        Username:admin
        Password:Admin@123
        Please enter new password:Huawei@123 
        [FW2]int g0/0/0
        [FW2-GigabitEthernet0/0/0]ip add 10.1.5.2 24
        [FW2-GigabitEthernet0/0/0]int g1/0/0
        [FW2-GigabitEthernet1/0/0]ip add 10.1.6.1 24

  Step 2:

        On the firewalls, allow ping on the interfaces, put the interfaces into security zones, and configure the security policy.

        [FW1]int g0/0/0                             //allow the interface to be pinged (the NQA probes later rely on this)
        [FW1-GigabitEthernet0/0/0]service-manage ping permit
        [FW1-GigabitEthernet0/0/0]int g1/0/0
        [FW1-GigabitEthernet1/0/0]service-manage ping permit
        [FW1]firewall zone trust                //add each interface to its security zone
        [FW1-zone-trust]add interface g0/0/0
        [FW1-zone-trust]q
        [FW1]firewall zone untrust 
        [FW1-zone-untrust]add interface g1/0/0     

        [FW2]int g0/0/0                                //FW2 is configured the same way as FW1
        [FW2-GigabitEthernet0/0/0]service-manage ping permit
        [FW2-GigabitEthernet0/0/0]int g1/0/0
        [FW2-GigabitEthernet1/0/0]service-manage ping permit
        [FW2]firewall zone trust                
        [FW2-zone-trust]add interface g0/0/0
        [FW2-zone-trust]q
        [FW2]firewall zone untrust 
        [FW2-zone-untrust]add interface g1/0/0

        [FW1]security-policy      //FW1 security policy: let the trust zone reach the untrust zone
        [FW1-policy-security]rule name tr-un
        [FW1-policy-security-rule-tr-un]source-zone trust 
        [FW1-policy-security-rule-tr-un]destination-zone untrust
        [FW1-policy-security-rule-tr-un]source-address 192.168.1.0 24
        [FW1-policy-security-rule-tr-un]destination-address 10.1.3.2 32
        [FW1-policy-security-rule-tr-un]destination-address 192.168.2.0 24
        [FW1-policy-security-rule-tr-un]action permit 

        [FW2]security-policy                 //FW2 policy is the same as FW1, only the far-side address differs
        [FW2-policy-security]rule name tr-un
        [FW2-policy-security-rule-tr-un]source-zone trust
        [FW2-policy-security-rule-tr-un]destination-zone untrust
        [FW2-policy-security-rule-tr-un]source-address 192.168.1.0 24
        [FW2-policy-security-rule-tr-un]destination-address 10.1.6.2 32
        [FW2-policy-security-rule-tr-un]destination-address 192.168.2.0 24
        [FW2-policy-security-rule-tr-un]action permit 

 Step 3:

        Add the static route entries on the switches and firewalls. A static route gets preference 60 by default; the backup routes are given preference 70 so they are only used once the preference-60 route has gone.

        [SW1]ip route-static 10.1.2.0 24 10.1.1.2                //SW1 primary-path routes
        [SW1]ip route-static 10.1.3.0 24 10.1.1.2
        [SW1]ip route-static 192.168.2.0 24 10.1.1.2
        [SW1]ip route-static 192.168.2.0 24 10.1.4.2 preference 70        //SW1 backup route to PC2's subnet
        [SW1]ip route-static 10.1.6.0 24 10.1.4.2
        [SW1]ip route-static 10.1.5.0 24 10.1.4.2

        [SW3]ip route-static 192.168.1.0 24 10.1.1.1                 //SW3 routes
        [SW3]ip route-static 10.1.3.0 24 10.1.2.2
        [SW3]ip route-static 192.168.2.0 24 10.1.2.2

        [FW1]ip route-static 10.1.1.0 24 10.1.2.1                        //FW1 routes
        [FW1]ip route-static 192.168.1.0 24 10.1.2.1
        [FW1]ip route-static 192.168.2.0 24 10.1.3.2 

        [SW2]ip route-static 192.168.1.0 24 10.1.3.1                //SW2 primary-path (uplink) routes
        [SW2]ip route-static 10.1.1.0 24 10.1.3.1
        [SW2]ip route-static 10.1.2.0 24 10.1.3.1
        [SW2]ip route-static 192.168.1.0 24 10.1.6.1 preference 70        //SW2 backup route to PC1's subnet
        [SW2]ip route-static 10.1.4.0 24 10.1.6.1
        [SW2]ip route-static 10.1.5.0 24 10.1.6.1

        [SW4]ip route-static 192.168.1.0 24 10.1.4.1                //SW4 routes
        [SW4]ip route-static 10.1.6.0 24 10.1.5.2
        [SW4]ip route-static 192.168.2.0 24 10.1.5.2

        [FW2]ip route-static 192.168.1.0 24 10.1.5.1                 //FW2 routes
        [FW2]ip route-static 10.1.4.0 24 10.1.5.1
        [FW2]ip route-static 192.168.2.0 24 10.1.6.2

Step 4:

        Ping PC2 from PC1.

        Check SW1's routing table: 192.168.2.0/24 is installed with next hop 10.1.1.2 (preference 60); the preference-70 route via 10.1.4.2 is not active.

                The test shows that traffic from PC1 to PC2 takes the upper (primary) link through SW3 and FW1.

Step 5:

        Analyze whether PC1 can still reach PC2 over the backup link after SW1's uplink goes down.

1) First we shut down SW1's G0/0/2, its uplink to SW3.

        After that PC1 can no longer ping PC2. Traffic should have moved to the lower (backup) link, so why not?

        First we check SW1's routing table to see whether it has switched to the backup link.

        SW1 has switched: with VLANIF 20 down its next hop 10.1.1.2 is unreachable, the preference-60 route is withdrawn and 192.168.2.0/24 via 10.1.4.2 is now installed. So next we check SW2's routing table.

        SW2 has not switched to the backup link: from SW2's point of view its own link to FW1 is still up, so 192.168.1.0/24 via 10.1.3.1 stays in its routing table.

2) Analysis

When we also shut down SW2's uplink (G0/0/1, towards FW1), the ping works again.

So the problem is SW2's uplink.

                First we capture on SW2's G0/0/2 (the backup link from FW2).

                G0/0/2 only carries the ICMP echo requests sent by PC1; no replies come through it.

                Then we look at the capture on SW2's G0/0/1 (the uplink to FW1).

                The echo replies leave through SW2's uplink. SW2 still prefers its preference-60 route via FW1, so the replies travel FW1 -> SW3 -> SW1, but SW1's uplink is exactly the link we shut down, so SW3 has nowhere to send them and they are dropped. The forward path failed over, the return path did not; that is why PC1 cannot ping PC2 once SW1's uplink is gone.

3) How static routes behave:

        Unlike dynamic routing, a static route has no failure detection of its own. It is only withdrawn when its own next hop becomes unreachable (the interface goes down, as on SW1); a failure further along the path, as seen from SW2, is invisible, and the administrator has to step in.

        Fix: the NQA-for-static-route feature binds a static route to an NQA test instance and keeps the route in the routing table only while the NQA probes succeed, so the route is withdrawn as soon as the path it depends on breaks. (BFD for static route is the equivalent mechanism using a BFD session; here we use NQA.)

Step 6: configure NQA link detection

        [SW1]nqa test-instance user 1                           //admin-name "user", test-name "1"
        [SW1-nqa-user-1]test-type icmp
        [SW1-nqa-user-1]destination-address ipv4 10.1.3.1       //probe FW1's far-side interface across the primary path
        [SW1-nqa-user-1]frequency 11                            //run a test every 11 s
        [SW1-nqa-user-1]probe-count 2                           //2 probes per test
        [SW1-nqa-user-1]interval seconds 5                      //5 s between probes
        [SW1-nqa-user-1]timeout 4                               //each probe times out after 4 s
        [SW1-nqa-user-1]start now 
        [SW1-nqa-user-1]q
        [SW1]nqa test-instance user 2
        [SW1-nqa-user-2]test-type icmp
        [SW1-nqa-user-2]destination-address ipv4 10.1.6.1       //probe FW2's far-side interface across the backup path
        [SW1-nqa-user-2]frequency 11
        [SW1-nqa-user-2]probe-count 2
        [SW1-nqa-user-2]interval seconds 5
        [SW1-nqa-user-2]timeout 4
        [SW1-nqa-user-2]start now 
        [SW1-nqa-user-2]q
        [SW1]ip route-static 192.168.2.0 255.255.255.0 10.1.1.2 track nqa user 1                   //primary route stays up only while user 1 succeeds
        [SW1]ip route-static 192.168.2.0 255.255.255.0 10.1.4.2 preference 70 track nqa user 2     //backup route tracks user 2
        [SW1]display current-configuration | include nqa                     //check the NQA configuration
        [SW1]display nqa results test-instance user 1                        //check probe results and packet loss on the link

    

        [SW2]nqa test-instance user 1
        [SW2-nqa-user-1]test-type icmp
        [SW2-nqa-user-1]destination-address ipv4 10.1.1.2       //probe SW3's interface towards SW1 across the primary path
        [SW2-nqa-user-1]frequency 11
        [SW2-nqa-user-1]probe-count 2
        [SW2-nqa-user-1]interval seconds 5
        [SW2-nqa-user-1]timeout 4
        [SW2-nqa-user-1]start now 
        [SW2-nqa-user-1]q
        [SW2]nqa test-instance user 2
        [SW2-nqa-user-2]test-type icmp
        [SW2-nqa-user-2]destination-address ipv4 10.1.4.2       //probe SW4's interface towards SW1 across the backup path
        [SW2-nqa-user-2]frequency 11
        [SW2-nqa-user-2]probe-count 2
        [SW2-nqa-user-2]interval seconds 5
        [SW2-nqa-user-2]timeout 4
        [SW2-nqa-user-2]start now 
        [SW2-nqa-user-2]q
        [SW2]ip route-static 192.168.1.0 255.255.255.0 10.1.3.1 track nqa user 1
        [SW2]ip route-static 192.168.1.0 255.255.255.0 10.1.6.1 preference 70 track nqa user 2
        [SW2]display current-configuration | include nqa                     //check the NQA configuration
        [SW2]display nqa results test-instance user 1                        //check probe results and packet loss on the link

        Note: SW2's probes to 10.1.1.2 and 10.1.4.2 cross FW1 and FW2 from the untrust zone towards the trust zone, while the policy in step 2 only permits trust to untrust. Confirm with display nqa results that both instances actually succeed, and if they do not, add a rule that permits ICMP from 10.1.3.2 / 10.1.6.2 in the untrust-to-trust direction; a route tracking a probe that never succeeds is never installed, and then SW2 has no route to 192.168.1.0/24 at all. Probe targets were chosen on the far side of each firewall so that a failure anywhere along the path, not only on the directly attached link, is detected.

        Then we shut down SW1's uplink interface again.

        Now PC1 can ping PC2.

    We check the routing tables on SW1 and SW2.

                The test shows PC1's packets take the lower (backup) link, and SW2 now sends the replies back over the lower link as well: SW2's probe to 10.1.1.2 fails, so its preference-60 route via 10.1.3.1 is withdrawn and the preference-70 route via 10.1.6.1 takes over, and both directions of the ping use the backup path.
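To make the one-sided failover in step 5 and the effect of the NQA tracking in step 6 concrete without a lab, here is a small forwarding simulator in Python. It is an added example, not code from the original post or from Huawei. It models the lab topology, the static routes from step 3 and the tracked routes from step 6 with a longest-prefix, then lowest-preference lookup, and counts an NQA probe as successful only when the echo reaches its target and the reply gets back. The PC addresses 192.168.1.1 and 192.168.2.1 and the PCs' default routes are assumptions (the post never states them), the firewall security policy is not modelled, and shutting a link takes the addresses at both of its ends down, as a VLANIF whose only port is down would.

```python
import ipaddress

# Constructed model of the lab on this page (added example, not the post's own config).
# PC addresses are assumed; every link is a /24 with one address per end.
LINKS = {
    "PC1-SW1": (("PC1", "192.168.1.1"), ("SW1", "192.168.1.2")),
    "SW1-SW3": (("SW1", "10.1.1.1"), ("SW3", "10.1.1.2")),      # SW1 G0/0/2, primary
    "SW3-FW1": (("SW3", "10.1.2.1"), ("FW1", "10.1.2.2")),
    "FW1-SW2": (("FW1", "10.1.3.1"), ("SW2", "10.1.3.2")),      # SW2 G0/0/1
    "SW1-SW4": (("SW1", "10.1.4.1"), ("SW4", "10.1.4.2")),      # SW1 G0/0/3, backup
    "SW4-FW2": (("SW4", "10.1.5.1"), ("FW2", "10.1.5.2")),
    "FW2-SW2": (("FW2", "10.1.6.1"), ("SW2", "10.1.6.2")),      # SW2 G0/0/2
    "SW2-PC2": (("SW2", "192.168.2.2"), ("PC2", "192.168.2.1")),
}
ALL_LINKS = frozenset(LINKS)

# Static routes from step 3: (node, prefix, next hop, preference); lower preference wins.
# The PCs' default routes are assumed.
ROUTES = [
    ("PC1", "0.0.0.0/0", "192.168.1.2", 60), ("PC2", "0.0.0.0/0", "192.168.2.2", 60),
    ("SW1", "10.1.2.0/24", "10.1.1.2", 60), ("SW1", "10.1.3.0/24", "10.1.1.2", 60),
    ("SW1", "192.168.2.0/24", "10.1.1.2", 60), ("SW1", "192.168.2.0/24", "10.1.4.2", 70),
    ("SW1", "10.1.6.0/24", "10.1.4.2", 60), ("SW1", "10.1.5.0/24", "10.1.4.2", 60),
    ("SW3", "192.168.1.0/24", "10.1.1.1", 60), ("SW3", "10.1.3.0/24", "10.1.2.2", 60),
    ("SW3", "192.168.2.0/24", "10.1.2.2", 60), ("FW1", "10.1.1.0/24", "10.1.2.1", 60),
    ("FW1", "192.168.1.0/24", "10.1.2.1", 60), ("FW1", "192.168.2.0/24", "10.1.3.2", 60),
    ("SW2", "192.168.1.0/24", "10.1.3.1", 60), ("SW2", "10.1.1.0/24", "10.1.3.1", 60),
    ("SW2", "10.1.2.0/24", "10.1.3.1", 60), ("SW2", "192.168.1.0/24", "10.1.6.1", 70),
    ("SW2", "10.1.4.0/24", "10.1.6.1", 60), ("SW2", "10.1.5.0/24", "10.1.6.1", 60),
    ("SW4", "192.168.1.0/24", "10.1.4.1", 60), ("SW4", "10.1.6.0/24", "10.1.5.2", 60),
    ("SW4", "192.168.2.0/24", "10.1.5.2", 60), ("FW2", "192.168.1.0/24", "10.1.5.1", 60),
    ("FW2", "10.1.4.0/24", "10.1.5.1", 60), ("FW2", "192.168.2.0/24", "10.1.6.2", 60),
]

# Step 6: (node, prefix, next hop) -> address that the route's NQA instance probes.
TRACKS = {
    ("SW1", "192.168.2.0/24", "10.1.1.2"): "10.1.3.1", ("SW1", "192.168.2.0/24", "10.1.4.2"): "10.1.6.1",
    ("SW2", "192.168.1.0/24", "10.1.3.1"): "10.1.1.2", ("SW2", "192.168.1.0/24", "10.1.6.1"): "10.1.4.2",
}


def interfaces(node, up):
    """(own address, subnet, peer node, peer address) for each of the node's links that is up."""
    for name, ends in LINKS.items():
        if name in up:
            for (me, my_ip), (peer, peer_ip) in (ends, ends[::-1]):
                if me == node:
                    yield my_ip, ipaddress.ip_network(my_ip + "/24", strict=False), peer, peer_ip


def owner(ip, up):
    """Node that answers for ip, or None when the link carrying that address is down."""
    return next((n for name, ends in LINKS.items() if name in up for n, a in ends if a == ip), None)


def next_hop(node, dst, up, tracking):
    """Longest prefix, then lowest preference, among routes whose next hop is on an up
    interface and (if tracking) whose NQA probe succeeds. Returns (source address, peer node)."""
    dst_ip = ipaddress.ip_address(dst)
    ifaces = list(interfaces(node, up))
    for my_ip, net, peer, _ in ifaces:
        if dst_ip in net:
            return my_ip, peer                      # directly connected
    best = None
    for n, prefix, nh, pref in ROUTES:
        net = ipaddress.ip_network(prefix)
        if n != node or dst_ip not in net:
            continue
        target = TRACKS.get((n, prefix, nh))
        if tracking and target and not probe_ok(node, target, up):
            continue                                # tracked route withdrawn: its probe failed
        for my_ip, _, peer, peer_ip in ifaces:      # next hop must sit on an up interface
            if peer_ip == nh and (best is None or (net.prefixlen, -pref) > best[0]):
                best = ((net.prefixlen, -pref), (my_ip, peer))
    return best[1] if best else None


def trace(src, dst, up, tracking, max_hops=10):
    """Forward hop by hop. The path ends at the node owning dst, or with None where dropped."""
    path, node = [src], src
    for _ in range(max_hops):
        if owner(dst, up) == node:
            return path
        hop = next_hop(node, dst, up, tracking)
        node = hop[1] if hop else None
        path.append(node)
        if node is None:
            return path
    return path + [None]


def probe_ok(node, target, up):
    """NQA ICMP test: the echo must reach target and the reply must return to the address it
    was sent from. Probes ride the untracked /24 routes, so tracking is off here (no recursion)."""
    hop = next_hop(node, target, up, tracking=False)
    if hop is None or trace(node, target, up, False)[-1] is None:
        return False
    return trace(owner(target, up), hop[0], up, False)[-1] is not None


def ping(up, tracking):
    """PC1 pings PC2: (request path, reply path); reply is None when the request never arrived."""
    req = trace("PC1", "192.168.2.1", up, tracking)
    rep = trace("PC2", "192.168.1.1", up, tracking) if req[-1] == "PC2" else None
    return req, rep


if __name__ == "__main__":
    cut = ALL_LINKS - {"SW1-SW3"}               # SW1 G0/0/2 shut down, as in step 5
    for label, up, tracking in (("all links up", ALL_LINKS, False),
                                ("uplink cut, preference only", cut, False),
                                ("uplink cut, NQA tracking", cut, True)):
        req, rep = ping(up, tracking)
        print(f"{label}: request {req}, reply {rep}")
```

Running it prints the three cases from the post: with every link up both directions go through SW3 and FW1; with SW1's uplink cut and plain preference-based routes the request arrives over SW4 and FW2 but the reply leaves SW2 towards FW1 and dies at SW3, which is exactly what the captures on SW2's G0/0/2 and G0/0/1 showed; with NQA tracking SW2's probe to 10.1.1.2 fails, its preference-60 route is withdrawn and the reply comes back over FW2 -> SW4 -> SW1. Add or remove entries in LINKS to try other failures, for example cutting FW1-SW2 to confirm that tracking is also what rescues the forward direction when the break is not on SW1's own interface.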
