How a firewall uses IP-Link with policy-based routing
Create the external zone and set its priority
[FW]firewall zone name ISP1
[FW-zone-ISP1]set priority 10
[FW-zone-ISP1]q
Create the second external zone and set its priority
[FW]firewall zone name ISP2
[FW-zone-ISP2]set priority 20
[FW-zone-ISP2]q
Configure the interface IP addresses
[FW]int g1/0/0
[FW-GigabitEthernet1/0/0]ip add 100.1.1.1 24
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]q
[FW]int g1/0/1
[FW-GigabitEthernet1/0/1]ip add 200.1.1.1 24
[FW-GigabitEthernet1/0/1]service-manage ping permit
[FW-GigabitEthernet1/0/1]q
[FW]
[FW]int g1/0/5
[FW-GigabitEthernet1/0/5]ip add 172.16.1.1 24
[FW-GigabitEthernet1/0/5]service-manage ping permit
[FW-GigabitEthernet1/0/5]q
[FW]int g1/0/6
[FW-GigabitEthernet1/0/6]ip add 192.168.1.1 24
[FW-GigabitEthernet1/0/6]service-manage ping permit
[FW-GigabitEthernet1/0/6]q
[FW]
Add each interface to its security zone
[FW]firewall zone ISP1
[FW-zone-ISP1]add int g1/0/0
[FW-zone-ISP1]q
[FW]firewall zone ISP2
[FW-zone-ISP2]add int g1/0/1
[FW-zone-ISP2]q
[FW]firewall zone trust
[FW-zone-trust]add int g1/0/5
[FW-zone-trust]add int g1/0/6
[FW-zone-trust]q
[FW]
Create security policies to permit the traffic
[FW]security-policy
[FW-policy-security]rule name turst_ISP1
[FW-policy-security-rule-turst_ISP1]source-zone trust
[FW-policy-security-rule-turst_ISP1]destination-zone ISP1
[FW-policy-security-rule-turst_ISP1]source-address 172.16.1.0 24
[FW-policy-security-rule-turst_ISP1]action permit
[FW-policy-security-rule-turst_ISP1]q
[FW-policy-security]rule name turst_ISP2
[FW-policy-security-rule-turst_ISP2]source-zone trust
[FW-policy-security-rule-turst_ISP2]destination-zone ISP2
[FW-policy-security-rule-turst_ISP2]source-address 192.168.1.0 24
[FW-policy-security-rule-turst_ISP2]action permit
[FW-policy-security-rule-turst_ISP2]q
Create the policy-based routes
[FW]policy-based-route
[FW-policy-pbr]rule name Trust_ISP1
[FW-policy-pbr-rule-Trust_ISP1]source-zone trust //source zone: trust
[FW-policy-pbr-rule-Trust_ISP1]source-address 172.16.1.0 24 //source IP range
[FW-policy-pbr-rule-Trust_ISP1]action pbr next-hop 100.1.1.254 //next-hop IP address
[FW-policy-pbr-rule-Trust_ISP1]q
[FW-policy-pbr]rule name Turst_ISP2
[FW-policy-pbr-rule-Turst_ISP2]source-zone trust
[FW-policy-pbr-rule-Turst_ISP2]source-address 192.168.1.0 24
[FW-policy-pbr-rule-Turst_ISP2]action pbr next-hop 200.1.1.254
[FW-policy-pbr-rule-Turst_ISP2]q
Create the NAT policy
[FW]nat-policy
[FW-policy-nat]rule name snat
[FW-policy-nat-rule-snat]source-zone trust
[FW-policy-nat-rule-snat]destination-zone ISP1
[FW-policy-nat-rule-snat]destination-zone ISP2
[FW-policy-nat-rule-snat]source-address 172.16.1.0 24
[FW-policy-nat-rule-snat]source-address 192.168.1.0 24
[FW-policy-nat-rule-snat]action source-nat easy-ip
[FW-policy-nat-rule-snat]
Enable IP-Link
[FW]ip-link check enable //turn on the IP-link function
[FW]ip-link name ISP1 //create an IP-link and give it a name
[FW-iplink-ISP1]destination 100.1.1.254 interface GigabitEthernet 1/0/0 //the destination is the next hop; the outbound interface is optional. The default mode is ICMP, one probe every 5 seconds by default, and after 3 failures the IP-link action is triggered automatically
[FW-iplink-ISP1]q
[FW]ip-link name ISP2
[FW-iplink-ISP2]destination 200.1.1.254 interface g1/0/1
[FW-iplink-ISP2]q
[FW]policy-based-route
[FW-policy-pbr]rule name Trust_ISP1
[FW-policy-pbr-rule-Trust_ISP1]track ip-link ISP1 //reference the IP-link under the PBR rule
[FW-policy-pbr-rule-Trust_ISP1]q
[FW-policy-pbr]rule name Turst_ISP2
[FW-policy-pbr-rule-Turst_ISP2]track ip-link ISP2 //reference the IP-link under the PBR rule
[FW-policy-pbr-rule-Turst_ISP2]q
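As an added illustration (not part of the original configuration), the following Python model shows how a PBR rule bound to an IP-link behaves, using the subnets, next hops and the 3-failure threshold from this page. It assumes that while the tracked IP-link is down the PBR rule is ignored and traffic falls back to the ordinary routing table (modelled by the placeholder DEFAULT_ROUTE), and it simplifies recovery to a single successful probe.

```python
import ipaddress
from dataclasses import dataclass

FAIL_THRESHOLD = 3               # page: 3 failed probes in a row bring the IP-link down
DEFAULT_ROUTE = "routing-table"  # constructed placeholder: forwarding without PBR

@dataclass
class IpLink:
    """Reachability tracker for one next hop (models 'ip-link name ...')."""
    name: str
    destination: str
    failures: int = 0
    up: bool = True

    def probe(self, reply_received: bool) -> bool:
        """Record one ICMP probe result and return the link state afterwards."""
        if reply_received:
            self.failures = 0
            self.up = True       # assumption: a single reply restores the link
        else:
            self.failures += 1
            if self.failures >= FAIL_THRESHOLD:
                self.up = False
        return self.up

@dataclass
class PbrRule:
    """One PBR rule with 'track ip-link': next hop only used while the link is up."""
    name: str
    source_net: ipaddress.IPv4Network
    next_hop: str
    track: IpLink

def build_topology():
    """The two IP-links and two PBR rules from the page's configuration."""
    isp1 = IpLink("ISP1", "100.1.1.254")
    isp2 = IpLink("ISP2", "200.1.1.254")
    rules = [
        PbrRule("Trust_ISP1", ipaddress.ip_network("172.16.1.0/24"), "100.1.1.254", isp1),
        PbrRule("Turst_ISP2", ipaddress.ip_network("192.168.1.0/24"), "200.1.1.254", isp2),
    ]
    return {"ISP1": isp1, "ISP2": isp2}, rules

def select_next_hop(rules, src_ip):
    """First matching rule wins, but only while its tracked IP-link is up."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.source_net:
            return rule.next_hop if rule.track.up else DEFAULT_ROUTE
    return DEFAULT_ROUTE
```

Feeding three missed probes to `links["ISP1"]` and then calling `select_next_hop` for a 172.16.1.0/24 source shows the failover: the ISP1 next hop stops being returned while the ISP2 rule is unaffected.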