Network topology:
Traffic from the vlan2 subnet to the Internet normally goes out over link ISP1;
traffic from the vlan3 subnet to the Internet normally goes out over link ISP2;
the vlan2 and vlan3 links back each other up: when one vlan's link (the primary link) fails, its traffic switches to the other vlan's link (the backup link).
Configuration approach:
The policy-based routing (PBR) and IP-Link linkage is configured along these lines:
To have different links carry different traffic, configure source-address-based policy routing so that Internet-bound traffic from vlan2 goes to link ISP1 and Internet-bound traffic from vlan3 goes to link ISP2.
To make the vlan2 and vlan3 links back each other up so that connectivity is not interrupted, configure the following:
Link policy routing with IP-Link, with IP-Link monitoring the reachability of vlan2's and vlan3's respective primary links. When a primary link fails, the policy route no longer applies and the device looks up the backup route, so traffic keeps flowing.
Configure a static route from vlan2 toward link ISP2 and a static route from vlan3 toward link ISP1 as the backup routes for vlan2 and vlan3, and link those static routes with IP-Link too, so that IP-Link monitors the reachability of each vlan's backup link. (In the steps below this is realised as two default routes on FW1, one via each ISP next hop, each tracking the IP-Link probe of its own link: whichever default route survives a probe failure becomes the backup for the vlan whose primary link has failed.)
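The failover behaviour described above, as a small forwarding model. This is an added example written for this page, not Huawei code and not the page's own configuration. It uses the page's addresses and interfaces (`GE0/0/0` and `GE0/0/3` stand for the firewall's two uplinks); the `track` field on a PBR node and the rule that a matched node with an unusable next hop falls through to the routing table are assumptions, introduced so that a tracked next hop can be contrasted with the untracked nodes configured in the steps that follow.

```python
"""Forwarding model for the dual-ISP design: PBR by source, two default routes
withdrawn when their IP-Link probe fails, and probes that can fail either
because the uplink is down or because the far side stops answering while the
link stays up. Added example for this page; not Huawei code.
Assumed (not stated on the page): a PBR next hop is used whenever its egress
interface is up unless the node is tracked; when a matched node's next hop is
unusable the packet falls through to the routing table.
"""
import ipaddress

# Addresses and interfaces as on the page; "track" on a PBR node is an assumed
# knob used only to contrast tracked and untracked nodes.
PBR = [
    {"match": ipaddress.ip_network("192.168.2.0/24"), "next_hop": "100.1.1.5",
     "iface": "GE0/0/0", "track": None},
    {"match": ipaddress.ip_network("192.168.3.0/24"), "next_hop": "100.1.2.5",
     "iface": "GE0/0/3", "track": None},
]
IP_LINKS = {
    1: {"dest": "100.1.1.5", "iface": "GE0/0/0"},
    2: {"dest": "100.1.2.5", "iface": "GE0/0/3"},
}
ROUTES = [
    {"prefix": ipaddress.ip_network("0.0.0.0/0"), "next_hop": "100.1.1.5",
     "iface": "GE0/0/0", "track": 1},
    {"prefix": ipaddress.ip_network("0.0.0.0/0"), "next_hop": "100.1.2.5",
     "iface": "GE0/0/3", "track": 2},
]


class Firewall:
    def __init__(self, pbr, ip_links, routes):
        self.pbr, self.ip_links, self.routes = pbr, ip_links, routes
        self.down_ifaces = set()    # uplinks whose physical link is down
        self.failed_probes = set()  # ip-link ids whose ICMP probe fails with the link up

    def interface_down(self, iface):
        self.down_ifaces.add(iface)

    def probe_fail(self, link_id):
        self.failed_probes.add(link_id)

    def probe_ok(self, link_id):
        link = self.ip_links[link_id]
        return link["iface"] not in self.down_ifaces and link_id not in self.failed_probes

    def next_hop_usable(self, iface, track):
        if iface in self.down_ifaces:
            return False
        return track is None or self.probe_ok(track)

    def forward(self, src, dst):
        """Return ("pbr", next_hop), ("route", [next_hops]) or ("drop", None)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. PBR is consulted first; a matched node whose next hop is unusable
        #    falls through to normal routing rather than trying later nodes.
        for node in self.pbr:
            if src in node["match"]:
                if self.next_hop_usable(node["iface"], node["track"]):
                    return ("pbr", node["next_hop"])
                break
        # 2. Routing table: only routes whose tracked probe is up are active;
        #    longest prefix wins and equal-cost survivors are returned together.
        active = [r for r in self.routes
                  if dst in r["prefix"] and self.next_hop_usable(r["iface"], r["track"])]
        if not active:
            return ("drop", None)
        best = max(r["prefix"].prefixlen for r in active)
        return ("route", sorted(r["next_hop"] for r in active
                                if r["prefix"].prefixlen == best))


if __name__ == "__main__":
    fw = Firewall(PBR, IP_LINKS, ROUTES)
    print("normal, vlan2:", fw.forward("192.168.2.10", "3.3.3.3"))
    fw.interface_down("GE0/0/0")
    print("ISP1 link down, vlan2:", fw.forward("192.168.2.10", "3.3.3.3"))
    fw = Firewall(PBR, IP_LINKS, ROUTES)
    fw.probe_fail(1)
    print("ISP1 probe failed, link up, untracked PBR:", fw.forward("192.168.2.10", "3.3.3.3"))
```

Running it shows the two cases that matter: a link-down event moves vlan2 to ISP2 through the surviving default route, while a probe failure with the link still up leaves an untracked PBR node sending vlan2 traffic to the dead next hop; only a node with `track` set falls back in that second case.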
Procedure:
I. Configure ISP1
1. Configure VLAN interface IP addresses
[ISP1]vlan batch 101 103
[ISP1]interface Vlanif 101
[ISP1-Vlanif101]ip address 100.1.1.5 255.255.255.248
[ISP1-Vlanif101]quit
[ISP1]interface Vlanif 103
[ISP1-Vlanif103]ip address 100.1.3.5 255.255.255.248
[ISP1-Vlanif103]quit
2. Configure ports
[ISP1]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]port link-type access
[ISP1-GigabitEthernet0/0/1]port default vlan 101
[ISP1-GigabitEthernet0/0/1]quit
[ISP1]interface GigabitEthernet 0/0/2
[ISP1-GigabitEthernet0/0/2]port link-type access
[ISP1-GigabitEthernet0/0/2]port default vlan 103
[ISP1-GigabitEthernet0/0/2]quit
3. Configure the static route
[ISP1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
4. Configure OSPF
[ISP1]ospf router-id 1.1.1.1
[ISP1-ospf-1]area 1
[ISP1-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]return
II. Configure ISP2
1. Configure VLAN interface IP addresses
[ISP2]vlan batch 102 104
[ISP2]interface Vlanif 102
[ISP2-Vlanif102]ip address 100.1.2.5 255.255.255.248
[ISP2-Vlanif102]quit
[ISP2]interface Vlanif 104
[ISP2-Vlanif104]ip address 100.1.4.5 255.255.255.248
[ISP2-Vlanif104]quit
2. Configure ports
[ISP2]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]port link-type access
[ISP2-GigabitEthernet0/0/1]port default vlan 102
[ISP2-GigabitEthernet0/0/1]quit
[ISP2]interface GigabitEthernet 0/0/2
[ISP2-GigabitEthernet0/0/2]port link-type access
[ISP2-GigabitEthernet0/0/2]port default vlan 104
[ISP2-GigabitEthernet0/0/2]quit
3. Configure the static route
[ISP2]ip route-static 0.0.0.0 0.0.0.0 100.1.2.1
4. Configure OSPF
[ISP2]ospf router-id 2.2.2.2
[ISP2-ospf-1]area 1
[ISP2-ospf-1-area-0.0.0.1]network 100.1.2.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]return
III. Configure the Internet router
1. Configure VLAN interface and loopback IP addresses
[Internet]vlan batch 103 104
[Internet]interface Vlanif 103
[Internet-Vlanif103]ip address 100.1.3.1 255.255.255.248
[Internet-Vlanif103]quit
[Internet]interface Vlanif 104
[Internet-Vlanif104]ip address 100.1.4.1 255.255.255.248
[Internet-Vlanif104]quit
[Internet]interface LoopBack 0
[Internet-LoopBack0]ip address 3.3.3.3 32
[Internet-LoopBack0]quit
2. Configure ports
[Internet]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]port link-type access
[Internet-GigabitEthernet0/0/1]port default vlan 103
[Internet-GigabitEthernet0/0/1]quit
[Internet]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]port link-type access
[Internet-GigabitEthernet0/0/2]port default vlan 104
[Internet-GigabitEthernet0/0/2]quit
3. Configure OSPF
[Internet]ospf router-id 3.3.3.3
[Internet-ospf-1]area 1
[Internet-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[Internet-ospf-1-area-0.0.0.1]return
IV. Configure the firewall (FW1)
1. Configure the uplink interface
Note: the other uplink, GigabitEthernet 0/0/0 with address 100.1.1.1/29 toward ISP1, is not configured in this step; it appears in the final configuration dump, where it is also the box's management port (alias GE0/MGMT). Using the management port as an ISP uplink is a lab shortcut.
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip address 100.1.2.1 255.255.255.248
[FW1-GigabitEthernet0/0/3]description connect to ISP2
[FW1-GigabitEthernet0/0/3]quit
2. Configure zones and assign the interfaces
[FW1]firewall zone name isp1
[FW1-zone-isp1]set priority 10
[FW1-zone-isp1]add interface GigabitEthernet 0/0/0
[FW1-zone-isp1]quit
[FW1]firewall zone name isp2
[FW1-zone-isp2]set priority 15
[FW1-zone-isp2]add interface GigabitEthernet 0/0/3
[FW1-zone-isp2]quit
[FW1]firewall packet-filter default permit all
#Lab shortcut: this opens every interzone direction by default (the final dump shows it expanded into one line per zone pair and direction). In production leave the default at deny and permit only the trust-to-isp1 and trust-to-isp2 traffic that is actually needed.
3. Configure ACLs that identify the traffic to be policy-routed
[FW1]acl number 3001
[FW1-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255
[FW1-acl-adv-3001]quit
[FW1]acl number 3002
[FW1-acl-adv-3002]rule permit ip source 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]quit
4. Configure policy-based routing
#Policy to-isp: packets with source 192.168.2.0/24 are sent to next hop 100.1.1.5
[FW1]policy-based-route to-isp permit node 5
[FW1-policy-based-route-to-isp-5]if-match acl 3001
[FW1-policy-based-route-to-isp-5]apply ip-address next-hop 100.1.1.5
[FW1-policy-based-route-to-isp-5]quit
#Policy to-isp: packets with source 192.168.3.0/24 are sent to next hop 100.1.2.5
[FW1]policy-based-route to-isp permit node 10
[FW1-policy-based-route-to-isp-10]if-match acl 3002
[FW1-policy-based-route-to-isp-10]apply ip-address next-hop 100.1.2.5
[FW1-policy-based-route-to-isp-10]quit
#Apply the policy route on the interfaces. These two lines put it on the uplinks; the final dump shows it only on the downlinks G0/0/1 and G0/0/2 (step 8), which is where it takes effect, since PBR acts on traffic entering an interface and the ACLs match inside source addresses.
[FW1]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/0]quit
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/3]quit
5. Configure IP-Link
Note: you might expect NQA to do this job, but on the firewall NQA cannot be associated with routes, so IP-Link is the only option; IP-Link also has the big advantage that it can be linked with policy routing. In the configuration shown here, though, IP-Link is attached only to the two default routes in step 6; the PBR nodes in step 4 carry no tracking, so they fall back to the routing table only when their next hop becomes unreachable (for example the uplink going down), not when the probe alone fails.
[FW1]ip-link check enable
#Probe reachability of 100.1.1.5 from FW1 through GigabitEthernet 0/0/0
[FW1]ip-link 1 destination 100.1.1.5 interface GigabitEthernet 0/0/0 mode icmp
#Probe reachability of 100.1.2.5 from FW1 through GigabitEthernet 0/0/3
[FW1]ip-link 2 destination 100.1.2.5 interface GigabitEthernet 0/0/3 mode icmp
6. Configure the default routes and bind each to its IP-Link
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
7. Define NAT (source NAT to the address of whichever uplink the packet leaves on)
[FW1]nat-policy interzone trust isp1 outbound
[FW1-nat-policy-interzone-trust-isp1-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp1-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp1-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp1-outbound-1]easy-ip GigabitEthernet0/0/0
[FW1-nat-policy-interzone-trust-isp1-outbound-1]return
[FW1]nat-policy interzone trust isp2 outbound
[FW1-nat-policy-interzone-trust-isp2-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp2-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp2-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp2-outbound-1]easy-ip GigabitEthernet0/0/3
[FW1-nat-policy-interzone-trust-isp2-outbound-1]return
8. Apply the policy route on the downlink interfaces
[FW1]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.7.254 255.255.255.0
[FW1-GigabitEthernet0/0/1]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/1]description connect to SW1
[FW1-GigabitEthernet0/0/1]quit
[FW1]interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.6.254 255.255.255.0
[FW1-GigabitEthernet0/0/2]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/2]description connect to SW2
[FW1-GigabitEthernet0/0/2]quit
V. Failover demonstration
1. Normal state
Traffic from the vlan2 subnet to the Internet goes out over link ISP1;
traffic from the vlan3 subnet to the Internet goes out over link ISP2.
2. Manually simulate a failure of the G0/0/1 interface on the FW1-ISP1 link (in the ISP1 configuration above, G0/0/1 is the VLAN 101 access port facing FW1)
Checking the links: all traffic now goes over ISP2.
3. Manually simulate a failure of the G0/0/1 interface on the FW1-ISP2 link (on ISP2, G0/0/1 is the VLAN 102 access port facing FW1)
Checking the links: all traffic now goes over ISP1.
That completes the setup. Two things to check against the final configuration below. First, the routes back to the inside subnets (192.168.0.0/16 via 192.168.7.253 behind G0/0/1 and via 192.168.6.253 behind G0/0/2) appear in the dump but not in the steps above. Second, both tests fail the link itself, and the IP-Link probes target only the ISP routers' directly connected addresses (100.1.1.5 and 100.1.2.5), so a failure beyond the ISP router, with the FW1 uplink still up, would not be detected at all; probing a more distant address through each uplink, for example the Internet router's loopback 3.3.3.3, would catch that case.
VI. Final FW1 configuration
[FW1]display current-configuration
#
stp region-configuration
region-name 703bd915f09b
active region-configuration
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
rule 5 permit ip source 192.168.3.0 0.0.0.255
#
interface Vlanif1
alias Vlanif1
#
interface Virtual-Template1
alias Virtual-Template1
#
interface GigabitEthernet0/0/0
description connect to ISP1
alias GE0/MGMT
ip address 100.1.1.1 255.255.255.248
#
interface GigabitEthernet0/0/1
description connect to SW1
ip address 192.168.7.254 255.255.255.0
ip policy-based-route to-isp
#
interface GigabitEthernet0/0/2
description connect to SW2
ip address 192.168.6.254 255.255.255.0
ip policy-based-route to-isp
#
interface GigabitEthernet0/0/3
description connect to ISP2
ip address 100.1.2.1 255.255.255.248
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
interface LoopBack0
alias LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
#
firewall zone untrust
description ithis
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet0/0/0
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet0/0/3
#
aaa
local-user admin password cipher %$%$y@N.>~B^$O\xLy0F^K%=rZQH%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
ip route-static 192.168.0.0 255.255.0.0 192.168.7.253
ip route-static 192.168.0.0 255.255.0.0 192.168.6.253
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
policy-based-route to-isp permit node 5
if-match acl 3001
apply ip-address next-hop 100.1.1.5
policy-based-route to-isp permit node 10
if-match acl 3002
apply ip-address next-hop 100.1.2.5
#
slb
#
right-manager server-group
#
sysname FW1
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local isp1 direction inbound
firewall packet-filter default permit interzone local isp1 direction outbound
firewall packet-filter default permit interzone local isp2 direction inbound
firewall packet-filter default permit interzone local isp2 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust isp1 direction inbound
firewall packet-filter default permit interzone trust isp1 direction outbound
firewall packet-filter default permit interzone trust isp2 direction inbound
firewall packet-filter default permit interzone trust isp2 direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone isp1 untrust direction inbound
firewall packet-filter default permit interzone isp1 untrust direction outbound
firewall packet-filter default permit interzone isp2 untrust direction inbound
firewall packet-filter default permit interzone isp2 untrust direction outbound
firewall packet-filter default permit interzone dmz isp1 direction inbound
firewall packet-filter default permit interzone dmz isp1 direction outbound
firewall packet-filter default permit interzone dmz isp2 direction inbound
firewall packet-filter default permit interzone dmz isp2 direction outbound
firewall packet-filter default permit interzone isp2 isp1 direction inbound
firewall packet-filter default permit interzone isp2 isp1 direction outbound
#
ip ttl-expires enable
ip df-unreachables enable
#
undo dhcp enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1 101 103
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
policy interzone trust untrust inbound
policy 1
action permit
#
policy interzone trust isp1 inbound
policy 1
action permit
#
policy interzone trust isp2 inbound
policy 1
action permit
#
nat-policy interzone trust isp1 outbound
policy 1
description tihsi
action source-nat
policy source 192.168.0.0 mask 16
easy-ip GigabitEthernet0/0/0
#
nat-policy interzone trust isp2 outbound
policy 1
action source-nat
policy source 192.168.0.0 mask 16
easy-ip GigabitEthernet0/0/3
#
return
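A quick way to check a dump like the one above for the points raised on this page. This is an added example written for this page, not Huawei code; the embedded configuration is a constructed excerpt modelled on the FW1 dump, not the dump itself. It flags static routes that track an ip-link that is not defined, PBR nodes whose next hop carries no tracking (the `track` keyword it looks for on the apply line is an assumption, since the page shows no such syntax), console or VTY lines with `authentication-mode none`, `protocol inbound all` on the VTYs, and every `packet-filter default permit` line.

```python
"""Audit a VRP-style firewall dump for the points raised on this page.
Added example, not Huawei code. SAMPLE_CONFIG is a constructed excerpt
modelled on the FW1 dump above. The parser is line based, works with or
without VRP's one-space indentation inside a block, and treats '#' as the
end of a block.
"""
import re

SAMPLE_CONFIG = """\
ip-link 1 destination 100.1.1.5 interface GigabitEthernet 0/0/0 mode icmp
ip-link 2 destination 100.1.2.5 interface GigabitEthernet 0/0/3 mode icmp
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
ip route-static 192.168.0.0 255.255.0.0 192.168.7.253
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
policy-based-route to-isp permit node 5
 if-match acl 3001
 apply ip-address next-hop 100.1.1.5
policy-based-route to-isp permit node 10
 if-match acl 3002
 apply ip-address next-hop 100.1.2.5
#
firewall packet-filter default permit interzone trust isp1 direction inbound
firewall packet-filter default permit interzone trust isp1 direction outbound
#
"""

BLOCK_OPENERS = ("policy-based-route ", "user-interface ", "interface ", "nat-policy ")


def parse_config(text):
    """Extract ip-links, static routes, PBR nodes, user-interfaces and default permits."""
    cfg = {"ip_links": {}, "routes": [], "pbr": [], "lines": [], "default_permit": []}
    ctx = None  # the PBR node or user-interface block that following lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = None
            continue
        if line.startswith(BLOCK_OPENERS):
            ctx = None
            if m := re.match(r"policy-based-route (\S+) (?:permit|deny) node (\d+)$", line):
                ctx = {"policy": m.group(1), "node": int(m.group(2)),
                       "acl": None, "next_hop": None, "tracked": False}
                cfg["pbr"].append(ctx)
            elif m := re.match(r"user-interface (con|vty) \d+(?: \d+)?$", line):
                ctx = {"kind": m.group(1), "auth": None, "protocols": None}
                cfg["lines"].append(ctx)
            continue
        if m := re.match(r"ip-link (\d+) destination (\S+) interface (.+?)(?: mode \S+)?$", line):
            cfg["ip_links"][int(m.group(1))] = {"dest": m.group(2),
                                                "iface": m.group(3).replace(" ", "")}
        elif m := re.match(r"ip route-static (\S+) (\S+) (\S+)(.*)$", line):
            t = re.search(r"track ip-link (\d+)", m.group(4))
            cfg["routes"].append({"prefix": m.group(1), "mask": m.group(2),
                                  "next_hop": m.group(3), "track": int(t.group(1)) if t else None})
        elif m := re.match(r"firewall packet-filter default permit (.+)$", line):
            cfg["default_permit"].append(m.group(1))
        elif ctx and "node" in ctx:  # inside a PBR node
            if m := re.match(r"if-match acl (\d+)$", line):
                ctx["acl"] = int(m.group(1))
            elif m := re.match(r"apply ip-address next-hop (\S+)(.*)$", line):
                # "track" on the apply line is an assumed marker for a tracked next hop
                ctx["next_hop"], ctx["tracked"] = m.group(1), "track" in m.group(2)
        elif ctx and "kind" in ctx:  # inside a user-interface block
            if m := re.match(r"authentication-mode (\S+)$", line):
                ctx["auth"] = m.group(1)
            elif m := re.match(r"protocol inbound (\S+)$", line):
                ctx["protocols"] = m.group(1)
    return cfg


def audit(cfg):
    """Return (severity, code, message) tuples; an empty list means nothing was flagged."""
    out = []
    probe_for = {v["dest"]: k for k, v in cfg["ip_links"].items()}
    for r in cfg["routes"]:
        if r["track"] is not None and r["track"] not in cfg["ip_links"]:
            out.append(("HIGH", "ROUTE_TRACK_UNDEFINED",
                        f"{r['prefix']}/{r['mask']} via {r['next_hop']} tracks undefined ip-link {r['track']}"))
    for n in cfg["pbr"]:
        if n["next_hop"] and not n["tracked"]:
            p = probe_for.get(n["next_hop"])
            hint = f"ip-link {p} probes this address but is not attached to the node" if p else "no ip-link probes it"
            out.append(("MEDIUM", "PBR_NEXTHOP_UNTRACKED",
                        f"{n['policy']} node {n['node']}: next-hop {n['next_hop']} fails over only on link-down; {hint}"))
    for ui in cfg["lines"]:
        if ui["auth"] == "none":
            out.append(("HIGH", f"{ui['kind'].upper()}_NO_AUTH", f"{ui['kind']} line has authentication-mode none"))
        if ui["kind"] == "vty" and ui["protocols"] in ("all", "telnet"):
            out.append(("MEDIUM", "VTY_TELNET", f"vty accepts protocol inbound {ui['protocols']} (cleartext telnet)"))
    for spec in cfg["default_permit"]:
        out.append(("MEDIUM", "DEFAULT_PERMIT", f"packet-filter default permit {spec}"))
    return out


if __name__ == "__main__":
    for sev, code, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{sev:6} {code:24} {msg}")
```

Feed it the real `display current-configuration` text instead of `SAMPLE_CONFIG` to audit the box; on the page's dump it would report the untracked PBR next hops, the unauthenticated console and VTY lines, the `protocol inbound all`, and one finding per expanded `packet-filter default permit` line.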