Network topology:
Traffic from the vlan2 subnet to the Internet normally goes out over link ISP1;
Traffic from the vlan3 subnet to the Internet normally goes out over link ISP2;
The vlan2 and vlan3 links back each other up: when the link a vlan normally uses (its primary link) fails, that vlan's traffic is switched to the other vlan's link (its backup link).
Configuration approach:
The approach for linking policy-based routing (PBR) with IP-Link is as follows:
To have different links carry different traffic, configure source-address-based PBR so that Internet-bound packets from vlan2 go to link ISP1 and Internet-bound packets from vlan3 go to link ISP2.
To make the vlan2 and vlan3 links back each other up so that connectivity is not interrupted, configure the following:
Link PBR with IP-Link, and let IP-Link monitor the reachability of each vlan's primary link. When the primary link fails, the PBR entry stops taking effect and the device falls back to the routing table, where it finds the backup route, so that traffic keeps flowing.
Configure a static route from vlan2 toward link ISP2 and one from vlan3 toward link ISP1 as the backup routes, and associate these static routes with IP-Link so that IP-Link also monitors the reachability of each vlan's backup link. (In the configuration below the backup routes are implemented as two IP-Link-tracked default routes rather than per-vlan routes: each vlan falls back to whichever default route is still installed. Note also that the PBR nodes themselves carry no IP-Link reference; the failure demonstration shuts an ISP-facing port, which makes the PBR next hop unreachable as well. For a failure further upstream that leaves the directly connected next hop reachable, confirm that your platform can also tie the PBR next hop to an IP-Link.)
Procedure:
I. Configure ISP1
1. Configure VLAN interface IP addresses
[ISP1]vlan batch 101 103
[ISP1]interface Vlanif 101
[ISP1-Vlanif101]ip address 100.1.1.5 255.255.255.248
[ISP1-Vlanif101]quit
[ISP1]interface Vlanif 103
[ISP1-Vlanif103]ip address 100.1.3.5 255.255.255.248
[ISP1-Vlanif103]quit
2. Configure ports
[ISP1]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]port link-type access
[ISP1-GigabitEthernet0/0/1]port default vlan 101
[ISP1-GigabitEthernet0/0/1]quit
[ISP1]interface GigabitEthernet 0/0/2
[ISP1-GigabitEthernet0/0/2]port link-type access
[ISP1-GigabitEthernet0/0/2]port default vlan 103
[ISP1-GigabitEthernet0/0/2]quit
3. Configure the static route
[ISP1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
4. Configure OSPF
[ISP1]ospf router-id 1.1.1.1
[ISP1-ospf-1]area 1
[ISP1-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]return
II. Configure ISP2
1. Configure VLAN interface IP addresses
[ISP2]vlan batch 102 104
[ISP2]interface Vlanif 102
[ISP2-Vlanif102]ip address 100.1.2.5 255.255.255.248
[ISP2-Vlanif102]quit
[ISP2]interface Vlanif 104
[ISP2-Vlanif104]ip address 100.1.4.5 255.255.255.248
[ISP2-Vlanif104]quit
2. Configure ports
[ISP2]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]port link-type access
[ISP2-GigabitEthernet0/0/1]port default vlan 102
[ISP2-GigabitEthernet0/0/1]quit
[ISP2]interface GigabitEthernet 0/0/2
[ISP2-GigabitEthernet0/0/2]port link-type access
[ISP2-GigabitEthernet0/0/2]port default vlan 104
[ISP2-GigabitEthernet0/0/2]quit
3. Configure the static route
[ISP2]ip route-static 0.0.0.0 0.0.0.0 100.1.2.1
4. Configure OSPF
[ISP2]ospf router-id 2.2.2.2
[ISP2-ospf-1]area 1
[ISP2-ospf-1-area-0.0.0.1]network 100.1.2.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]return
III. Configure Internet
1. Configure VLAN interface and loopback IP addresses
[Internet]vlan batch 103 104
[Internet]interface Vlanif 103
[Internet-Vlanif103]ip address 100.1.3.1 255.255.255.248
[Internet-Vlanif103]quit
[Internet]interface Vlanif 104
[Internet-Vlanif104]ip address 100.1.4.1 255.255.255.248
[Internet-Vlanif104]quit
[Internet]interface LoopBack 0
[Internet-LoopBack0]ip address 3.3.3.3 32
[Internet-LoopBack0]quit
2. Configure ports
[Internet]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]port link-type access
[Internet-GigabitEthernet0/0/1]port default vlan 103
[Internet-GigabitEthernet0/0/1]quit
[Internet]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]port link-type access
[Internet-GigabitEthernet0/0/2]port default vlan 104
[Internet-GigabitEthernet0/0/2]quit
3. Configure OSPF
[Internet]ospf router-id 3.3.3.3
[Internet-ospf-1]area 1
[Internet-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[Internet-ospf-1-area-0.0.0.1]return
IV. Configure the firewall
1. Configure the uplink interface (only the ISP2 uplink is shown in this step; the ISP1 uplink, GigabitEthernet 0/0/0 with address 100.1.1.1/29, appears in the running configuration at the end)
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip address 100.1.2.1 255.255.255.248
[FW1-GigabitEthernet0/0/3]description connect to ISP2
[FW1-GigabitEthernet0/0/3]quit
2. Configure security zones and add the uplink interfaces
[FW1]firewall zone name isp1
[FW1-zone-isp1]set priority 10
[FW1-zone-isp1]add interface GigabitEthernet 0/0/0
[FW1-zone-isp1]quit
[FW1]firewall zone name isp2
[FW1-zone-isp2]set priority 15
[FW1-zone-isp2]add interface GigabitEthernet 0/0/3
[FW1-zone-isp2]quit
[FW1]firewall packet-filter default permit all
Note: this permits all interzone traffic by default (the running configuration at the end shows it expanded into a permit line for every zone pair and direction). It is a lab shortcut that removes the firewall's deny-by-default posture; in production keep the default deny and write explicit interzone policies.
3. Configure ACLs to identify the packets that PBR will forward
[FW1]acl number 3001
[FW1-acl-adv-3001]rule permit ip source 192.168.2.0 0.0.0.255
[FW1-acl-adv-3001]quit
[FW1]acl number 3002
[FW1-acl-adv-3002]rule permit ip source 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]quit
4. Configure policy-based routing
# Policy to-isp, node 5: packets with source address 192.168.2.0/24 are sent to next hop 100.1.1.5
[FW1]policy-based-route to-isp permit node 5
[FW1-policy-based-route-to-isp-5]if-match acl 3001
[FW1-policy-based-route-to-isp-5]apply ip-address next-hop 100.1.1.5
[FW1-policy-based-route-to-isp-5]quit
# Policy to-isp, node 10: packets with source address 192.168.3.0/24 are sent to next hop 100.1.2.5
[FW1]policy-based-route to-isp permit node 10
[FW1-policy-based-route-to-isp-10]if-match acl 3002
[FW1-policy-based-route-to-isp-10]apply ip-address next-hop 100.1.2.5
[FW1-policy-based-route-to-isp-10]quit
# Apply the policy route on the interfaces. Note: PBR acts on packets arriving on the interface it is bound to, so binding to-isp on the ISP-facing uplinks G0/0/0 and G0/0/3 does nothing for traffic from vlan2 and vlan3; it would only policy-route packets arriving from the ISP side that carry a 192.168.2.0/24 or 192.168.3.0/24 source. The running configuration at the end shows the policy bound only to the downlink interfaces G0/0/1 and G0/0/2 (step 8), which is the binding that matters.
[FW1]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/0]quit
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/3]quit
5. Configure IP-Link
Note: some readers will think NQA could be used here, but on the firewall NQA cannot be associated with routes, so IP-Link is the only option; IP-Link also has one great advantage, which is that it can be linked with policy-based routing.
[FW1]ip-link check enable
# Probe the reachability of the link from FW1 to destination 100.1.1.5
[FW1]ip-link 1 destination 100.1.1.5 interface GigabitEthernet 0/0/0 mode icmp
# Probe the reachability of the link from FW1 to destination 100.1.2.5
[FW1]ip-link 2 destination 100.1.2.5 interface GigabitEthernet 0/0/3 mode icmp
6. Configure the default routes and associate them with IP-Link. Both routes have the same preference, so while both IP-Links are up both are installed and traffic that PBR does not match is load-shared across them; when an IP-Link probe fails, the route tracking it is withdrawn.
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
7. Define NAT. A source-NAT policy is needed for both the trust-isp1 and the trust-isp2 interzone: after a failover, vlan2's traffic leaves through the isp2 interface and must be translated to that interface's address (easy-ip uses the egress interface address).
[FW1]nat-policy interzone trust isp1 outbound
[FW1-nat-policy-interzone-trust-isp1-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp1-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp1-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp1-outbound-1]easy-ip GigabitEthernet0/0/0
[FW1-nat-policy-interzone-trust-isp1-outbound-1]return
[FW1]nat-policy interzone trust isp2 outbound
[FW1-nat-policy-interzone-trust-isp2-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp2-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp2-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp2-outbound-1]easy-ip GigabitEthernet0/0/3
[FW1-nat-policy-interzone-trust-isp2-outbound-1]return
8. Configure the downlink interfaces and apply the policy
[FW1]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.7.254 255.255.255.0
[FW1-GigabitEthernet0/0/1]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/1]description connect to SW1
[FW1-GigabitEthernet0/0/1]quit
[FW1]interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.6.254 255.255.255.0
[FW1-GigabitEthernet0/0/2]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/2]description connect to SW2
[FW1-GigabitEthernet0/0/2]quit
V. Failure demonstration
1. Normal state
Traffic from the vlan2 subnet to the Internet goes out over link ISP1;
Traffic from the vlan3 subnet to the Internet goes out over link ISP2;
2. Manually simulate a failure of the G0/0/1 interface on ISP1, the port FW1 uplinks to (FW1's own ISP1 uplink is G0/0/0)
Check the links: all traffic now goes via ISP2
3. Manually simulate a failure of the G0/0/1 interface on ISP2, the port FW1 uplinks to (FW1's own ISP2 uplink is G0/0/3)
Check the links: all traffic now goes via ISP1
That completes the configuration.
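The failover logic that the design notes describe and that section V demonstrates, as an added Python model. This is example code written for this page; it is not part of the original walkthrough and not Huawei software. It assumes that a PBR next hop counts as unreachable exactly when the IP-Link probing that address fails, that a static route tracking a failed IP-Link is withdrawn from the routing table, and that easy-ip translates the source to the egress interface address. The hosts 192.168.2.10, 192.168.3.10 and 192.168.7.10 are constructed.

```python
"""Forwarding model for FW1: policy-based routing (PBR) first, then the
IP-Link-tracked static default routes, then easy-ip source NAT on the
chosen egress interface. Added example; not Huawei code."""
import ipaddress

# Egress links, constructed from the FW1 configuration on this page.
# 'snat' is the interface address that easy-ip uses as the translated source.
LINKS = {
    "100.1.1.5": {"interface": "GigabitEthernet0/0/0", "zone": "isp1",
                  "ip_link": 1, "snat": "100.1.1.1"},
    "100.1.2.5": {"interface": "GigabitEthernet0/0/3", "zone": "isp2",
                  "ip_link": 2, "snat": "100.1.2.1"},
}

# policy-based-route to-isp: node 5 matches acl 3001, node 10 matches acl 3002.
PBR_NODES = [
    {"node": 5,  "acl": ["192.168.2.0/24"], "next_hop": "100.1.1.5"},
    {"node": 10, "acl": ["192.168.3.0/24"], "next_hop": "100.1.2.5"},
]

# ip route-static 0.0.0.0 0.0.0.0 <next-hop> track ip-link <n>
STATIC_ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop": "100.1.1.5"},
    {"prefix": "0.0.0.0/0", "next_hop": "100.1.2.5"},
]


def _reachable(next_hop, ip_link_up):
    """Assumption: a next hop is reachable while the IP-Link probing it succeeds."""
    return ip_link_up.get(LINKS[next_hop]["ip_link"], False)


def lookup(src_ip, ip_link_up):
    """Return {"via": "pbr"|"static"|"drop", "next_hops": [...]} for a packet
    from src_ip. ip_link_up maps IP-Link id -> True if its ICMP probe succeeds."""
    src = ipaddress.ip_address(src_ip)

    # 1. PBR runs before the routing table. The first node whose ACL matches
    #    wins; if its next hop is down the packet falls through to step 2.
    for node in PBR_NODES:
        if any(src in ipaddress.ip_network(n) for n in node["acl"]):
            if _reachable(node["next_hop"], ip_link_up):
                return {"via": "pbr", "next_hops": [node["next_hop"]]}
            break

    # 2. Routing table: only routes whose tracked IP-Link is up are installed.
    #    Longest prefix wins; equal-length survivors form an ECMP set.
    installed = [r for r in STATIC_ROUTES if _reachable(r["next_hop"], ip_link_up)]
    matching = [r for r in installed if src in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return {"via": "drop", "next_hops": []}   # both links down: no default route
    best = max(ipaddress.ip_network(r["prefix"]).prefixlen for r in matching)
    return {"via": "static",
            "next_hops": [r["next_hop"] for r in matching
                          if ipaddress.ip_network(r["prefix"]).prefixlen == best]}


def egress(src_ip, ip_link_up):
    """Full decision for one flow: next hop, interface, zone and SNAT address,
    or None when the firewall has no route at all."""
    decision = lookup(src_ip, ip_link_up)
    if decision["via"] == "drop":
        return None
    nh = decision["next_hops"][0]   # first ECMP member; a real box hashes per flow
    return {"via": decision["via"], "next_hop": nh, **LINKS[nh]}


def failover_table():
    """The page's scenarios from section V plus the double failure."""
    scenarios = {"normal": {1: True, 2: True}, "isp1 down": {1: False, 2: True},
                 "isp2 down": {1: True, 2: False}, "both down": {1: False, 2: False}}
    table = {}
    for name, state in scenarios.items():
        table[name] = {}
        for src in ("192.168.2.10", "192.168.3.10"):   # constructed vlan2/vlan3 hosts
            e = egress(src, state)
            table[name][src] = (e["zone"], e["snat"]) if e else None
    return table


if __name__ == "__main__":
    for name, rows in failover_table().items():
        print(name, rows)
```

Two things the table shows that the walkthrough does not spell out: a source that no PBR node matches (192.168.7.0/24, for instance) is load-shared across both default routes while both IP-Links are up, and when both IP-Links fail there is no default route left, so the model returns None and a real box drops the traffic. The SNAT column is also why step 7 defines a NAT policy for both trust-isp1 and trust-isp2: after failover vlan2's traffic leaves with source 100.1.2.1, so sessions that were translated to 100.1.1.1 do not survive the switch and are re-established.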
[FW1]display current-configuration
#
stp region-configuration
region-name 703bd915f09b
active region-configuration
#
acl number 3001
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
rule 5 permit ip source 192.168.3.0 0.0.0.255
#
interface Vlanif1
alias Vlanif1
#
interface Virtual-Template1
alias Virtual-Template1
#
interface GigabitEthernet0/0/0
description connect to ISP1
alias GE0/MGMT
ip address 100.1.1.1 255.255.255.248
#
interface GigabitEthernet0/0/1
description connect to SW1
ip address 192.168.7.254 255.255.255.0
ip policy-based-route to-isp
#
interface GigabitEthernet0/0/2
description connect to SW2
ip address 192.168.6.254 255.255.255.0
ip policy-based-route to-isp
#
interface GigabitEthernet0/0/3
description connect to ISP2
ip address 100.1.2.1 255.255.255.248
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
interface LoopBack0
alias LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
#
firewall zone untrust
description ithis
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone name isp1
set priority 10
add interface GigabitEthernet0/0/0
#
firewall zone name isp2
set priority 15
add interface GigabitEthernet0/0/3
#
aaa
local-user admin password cipher %$%$y@N.>~B^$O\xLy0F^K%=rZQH%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
ip route-static 192.168.0.0 255.255.0.0 192.168.7.253
ip route-static 192.168.0.0 255.255.0.0 192.168.6.253
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
policy-based-route to-isp permit node 5
if-match acl 3001
apply ip-address next-hop 100.1.1.5
policy-based-route to-isp permit node 10
if-match acl 3002
apply ip-address next-hop 100.1.2.5
#
slb
#
right-manager server-group
#
sysname FW1
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local isp1 direction inbound
firewall packet-filter default permit interzone local isp1 direction outbound
firewall packet-filter default permit interzone local isp2 direction inbound
firewall packet-filter default permit interzone local isp2 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust isp1 direction inbound
firewall packet-filter default permit interzone trust isp1 direction outbound
firewall packet-filter default permit interzone trust isp2 direction inbound
firewall packet-filter default permit interzone trust isp2 direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone isp1 untrust direction inbound
firewall packet-filter default permit interzone isp1 untrust direction outbound
firewall packet-filter default permit interzone isp2 untrust direction inbound
firewall packet-filter default permit interzone isp2 untrust direction outbound
firewall packet-filter default permit interzone dmz isp1 direction inbound
firewall packet-filter default permit interzone dmz isp1 direction outbound
firewall packet-filter default permit interzone dmz isp2 direction inbound
firewall packet-filter default permit interzone dmz isp2 direction outbound
firewall packet-filter default permit interzone isp2 isp1 direction inbound
firewall packet-filter default permit interzone isp2 isp1 direction outbound
#
ip ttl-expires enable
ip df-unreachables enable
#
undo dhcp enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
vlan batch 1 101 103
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
policy interzone trust untrust inbound
policy 1
action permit
#
policy interzone trust isp1 inbound
policy 1
action permit
#
policy interzone trust isp2 inbound
policy 1
action permit
#
nat-policy interzone trust isp1 outbound
policy 1
description tihsi
action source-nat
policy source 192.168.0.0 mask 16
easy-ip GigabitEthernet0/0/0
#
nat-policy interzone trust isp2 outbound
policy 1
action source-nat
policy source 192.168.0.0 mask 16
easy-ip GigabitEthernet0/0/3
#
return
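A small static audit of a running configuration like the one above, as an added Python example (not Huawei tooling and not part of the original page). It parses VRP-style output, where a line without leading spaces opens a block and indented lines belong to it, and reports the settings on this page that a practitioner would not carry beyond a lab: VTY lines with authentication-mode none and protocol inbound all, a local user permitted Telnet, and the firewall packet-filter default permit lines. It also cross-checks that every tracked IP-Link is defined and that every PBR next hop is probed by some IP-Link. SAMPLE_CONFIG is a constructed excerpt modelled on the dump above; it adds the step-5 ip-link lines, which the page's dump does not include, and replaces the admin password cipher with asterisks.

```python
"""Static audit of a Huawei USG running configuration for the points raised
in this walkthrough. Added example; not Huawei tooling. SAMPLE_CONFIG is a
constructed excerpt modelled on the page's 'display current-configuration'."""
import re

SAMPLE_CONFIG = """\
#
acl number 3001
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
aaa
 local-user admin password cipher ******
 local-user admin service-type web terminal telnet
 local-user admin level 15
#
ip-link check enable
ip-link 1 destination 100.1.1.5 interface GigabitEthernet0/0/0 mode icmp
ip-link 2 destination 100.1.2.5 interface GigabitEthernet0/0/3 mode icmp
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
policy-based-route to-isp permit node 5
 if-match acl 3001
 apply ip-address next-hop 100.1.1.5
policy-based-route to-isp permit node 10
 if-match acl 3002
 apply ip-address next-hop 100.1.2.5
#
firewall packet-filter default permit interzone trust isp1 direction inbound
firewall packet-filter default permit interzone trust isp1 direction outbound
#
return
"""


def parse_blocks(text):
    """Group VRP output into (header, [child lines]). A line with no leading
    whitespace opens a block; indented lines belong to the block above it."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def audit(text):
    """Return a list of human-readable findings for the configuration."""
    findings = []
    ip_links = {}        # ip-link id -> probed destination
    tracked = []         # ip-link ids referenced by 'track ip-link'
    pbr_next_hops = []   # (PBR node header, next-hop address)

    for header, body in parse_blocks(text):
        m = re.match(r"ip-link (\d+) destination (\S+)", header)
        if m:
            ip_links[int(m.group(1))] = m.group(2)
        m = re.match(r"ip route-static .* track ip-link (\d+)$", header)
        if m:
            tracked.append(int(m.group(1)))
        if header.startswith("policy-based-route"):
            for line in body:
                m = re.match(r"apply ip-address next-hop (\S+)", line)
                if m:
                    pbr_next_hops.append((header, m.group(1)))
        if header.startswith("user-interface vty"):
            if "authentication-mode none" in body:
                findings.append(f"{header}: authentication-mode none, remote login needs no credentials")
            if "protocol inbound all" in body:
                findings.append(f"{header}: protocol inbound all accepts Telnet, restrict to SSH")
        if header == "aaa":
            for line in body:
                words = line.split()
                if words[:1] == ["local-user"] and "service-type" in words and "telnet" in words:
                    findings.append(f"aaa: local-user {words[1]} may log in over cleartext Telnet")
        if header.startswith("firewall packet-filter default permit"):
            findings.append(f"{header}: default permit removes the deny-by-default posture")

    # Cross-checks between the tracking and the forwarding pieces of the design.
    for link_id in tracked:
        if link_id not in ip_links:
            findings.append(f"a static route tracks ip-link {link_id}, which is not defined")
    probed = set(ip_links.values())
    for header, next_hop in pbr_next_hops:
        if next_hop not in probed:
            findings.append(f"{header}: next hop {next_hop} is not probed by any ip-link, "
                            "so a failure beyond the directly connected port goes undetected")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The dump as printed on this page has lost its indentation, so to run the audit against a real capture, paste the output as the device prints it, with the one-space indent inside each block intact.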