本案例可以掌握:依据ip link探测出口路由是否正常,以此判断内网出口规则。依据策略路由学习防火墙的路由功能。
1、拓扑
注:学习说明,该案例可以在华为usg入门里学习,也可以在其它作者里找到,但未配置完所有设备,如路由的配置等。
2、业务需求
某企业主要分为市场部和研发部两个部门,组网如上图,FW位于企业网出口,
该企业部署了两条接入Internet的链路ISP-A、ISP-B,其中ISP-A网络速度最快。
要求:市场部对网速要求比较高,通过链路ISP-A访问Internet。研发部对网速要求不高,通过链路ISP-B来访问Internet。
3、配置步骤
2.1基本路由器配置
(1)R1基本配置
<Huawei>undo terminal monitor
<Huawei>sys
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.10.1.2 24
[R1-GigabitEthernet0/0/0]quit
[R1]
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]
(2)R2基本配置
<Huawei>undo terminal mo
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.20.1.2 24
[R2-GigabitEthernet0/0/0]quit
[R2]
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 200.1.1.1 24
[R2-GigabitEthernet0/0/1]quit
[R2]
(3)R3基本配置
<Huawei>undo terminal mo
Info: Current terminal monitor is off.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[R3-GigabitEthernet0/0/0]quit
[R3]
[R3]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 200.1.1.2 24
[R3-GigabitEthernet0/0/1]quit
[R3]int g0/0/2
[R3-GigabitEthernet0/0/1]ip add 172.16.1.1 24
[R3-GigabitEthernet0/0/1]quit
[R3]
2.2防火墙配置
(1)配置接口及IP
<USG6000V1>undo terminal monitor
<USG6000V1>sys
[USG6000V1]sysname FW
[FW] interface GigabitEthernet0/0/0
[FW] undo shutdown
[FW] ip binding vpn-instance default
[FW] ip address 192.168.100.1 255.255.255.0
[FW] alias GE0/METH
[FW] service-manage https permit
[FW] service-manage ping permit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.10.1.1 255.255.255.0
[FW-GigabitEthernet1/0/2] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/3] ip address 10.1.2.1 255.255.255.0 sub
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4] ip address 10.20.1.1 255.255.255.0
[FW-GigabitEthernet1/0/4] quit
(2)配置区域
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-zone-untrust] quit
(3)设置防火墙的路由
[FW]ip route-static 100.1.1.0 24 10.10.1.2
[FW]ip route-static 200.1.1.0 24 10.20.1.2
(4)配置Trust区域和Untrust区域之间的安全策略,允许企业内部用户访问外网资源。假设内部用户网段为10.1.1.0/24和10.1.2.0/24。
[FW] security-policy
[FW-policy-security] rule name sec_1
[FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
[FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.1.0 24
[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.2.0 24
[FW-policy-security-rule-policy_sec_trust_untrust] action permit
[FW-policy-security-rule-policy_sec_trust_untrust] quit
[FW-policy-security] quit
(5)配置IP-Link功能,检测链路状态。
[FW] ip-link check enable
[FW] ip-link name IPLIK_pbr_1
[FW-iplink-iplinkpbr_1] destination 10.10.1.2 interface GigabitEthernet1/0/2 mode icmp
[FW-iplink-iplinkpbr_1] quit
[FW]ip-link name IPLIK_pbr_2
[FW-iplink-iplinkpbr_2] destination 10.20.1.2 interface GigabitEthernet1/0/4 mode icmp
[FW-iplink-iplinkpbr_2] quit
(6)创建策略路由“pbr_1”和“pbr_2”,从Trust区域接收的属于市场部的报文发送到下一跳10.20.1.2,从Trust区域接收的属于研发部的报文发送到下一跳10.10.1.2。
**若出现iplinkpbr_1断线,则数据通过pbr_2路由出去,反之依然**
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_1
[FW-policy-pbr-rule-pbr_1] description pbr_1
[FW-policy-pbr-rule-pbr_1] source-zone trust
[FW-policy-pbr-rule-pbr_1] source-address 10.1.1.0 24
[FW-policy-pbr-rule-pbr_1] track ip-link IPLIK_pbr_1
[FW-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet1/0/2 next-hop 10.10.1.2
[FW-policy-pbr-rule-pbr_1] quit
[FW-policy-pbr] rule name pbr_2
[FW-policy-pbr-rule-pbr_2] description pbr_2
[FW-policy-pbr-rule-pbr_2] source-zone trust
[FW-policy-pbr-rule-pbr_2] source-address 10.1.2.0 24
[FW-policy-pbr-rule-pbr_2] track ip-link IPLIK_pbr_2
[FW-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet1/0/4 next-hop 10.20.1.2
[FW-policy-pbr-rule-pbr_2] quit
[FW-policy-pbr] quit
2.3配置路由器路由,保证数据通讯
以上配置基本完成,但无法从市场部、研发部PING通两个ISP链接的外网机器172.17.1.2。
因为路由不通,所以在这里需要配置路由,有很多种方式,这里只配置静态路由。
(1)R1静态路由,默认路由到防火墙接口,去172.16的数据从100.1.1.2出去
[R1]ip route-static 0.0.0.0 0.0.0.0 10.10.1.1
[R1]ip route-static 172.16.1.0 255.255.255.0 100.1.1.2
(2)R2静态路由,默认路由到防火墙接口,去172.16的数据从200.1.1.2出去
[R2]ip route-static 0.0.0.0 0.0.0.0 10.20.1.1
[R2]ip route-static 172.16.1.0 255.255.255.0 200.1.1.2
(3)R3静态路由
即默认数据从两个ISP出去
[R3]ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
[R3]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
4、数据验证
4.1 Ping 172.16.1.2
也可以在WEB页面上查看,此处略
4.2停止R1,查看路由变化/反之也可
5、全部配置文件
5.1 R1
<R1>disp cur
[V200R003C00]
#
sysname R1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.1
ip route-static 172.16.1.0 255.255.255.0 100.1.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R1>
5.2 R2
<R2>disp cur
[V200R003C00]
#
sysname R2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.20.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.20.1.1
ip route-static 172.16.1.0 255.255.255.0 200.1.1.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R2>
5.3 R3
<R3>disp cur
[V200R003C00]
#
sysname R3
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<R3>
5.4 FW
<FW>disp cur
2020-01-08 14:59:17.070
!Software Version V500R005C10SPC300
#
sysname FW
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
clock timezone UTC add 00:00:00
#
update schedule location-sdb weekly Sun 23:10
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
undo web-manager config-guide enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 22:40
update schedule av-sdb daily 22:40
update schedule sa-sdb daily 22:40
update schedule cnc daily 22:40
update schedule file-reputation daily 22:40
#
ip vpn-instance default
ipv4-family
#
ip-link check enable
ip-link name IPLIK_pbr_1
destination 10.10.1.2 interface GigabitEthernet1/0/2 mode icmp
ip-link name IPLIK_pbr_2
destination 10.20.1.2 interface GigabitEthernet1/0/4 mode icmp
#
ip address-set trust_IP type object
address 0 10.1.1.0 mask 24
address 1 10.1.2.0 mask 24
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%781R1U<xwN.#[y!vfhwD\T{>bM75J=kLN0/JyFJPTKT)T{A\@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%@`=1"kw0o4%G5~,1(y,02-DDd3"a0i=X6>+44r(R'9fK-DG2@%@%
level 15
manager-user admin
password cipher @%@%Cj{4IPC61=+Sen6xwmf~bX8/9&pk5u2af1WkHU7W5RqTX82b@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.100.1 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.10.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.1.1.1 255.255.255.0
ip address 10.1.2.1 255.255.255.0 sub
service-manage ping permit
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 10.20.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/4
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
ip route-static 0.0.0.0 0.0.0.0 10.20.1.2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name policy_sec_trust_untrust
source-zone trust
destination-zone untrust
source-address address-set trust_IP
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
rule name pbr_1 1
description for market department
source-zone trust
source-address 10.1.1.0 mask 255.255.255.0
track ip-link IPLIK_pbr_1
action pbr egress-interface GigabitEthernet1/0/2 next-hop 10.10.1.2
rule name pbr_2 2
description for research department
source-zone trust
source-address 10.1.2.0 mask 255.255.255.0
track ip-link IPLIK_pbr_2
action pbr egress-interface GigabitEthernet1/0/4 next-hop 10.20.1.2
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
<FW>
5.5 最后
1、所有配置中,没有配置交换机,即适用了默认配置,所有口为Hybrid口。
2、在该文中也是本人拙解,若有问题、建议意见,请回复,多谢!
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
