防火墙旁挂，策略路由引流

1、案例拓扑图

2、核心设备AR2的主要配置

2.1
AR2
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255 //匹配需要过滤的路由
#
traffic classifier liu operator or
if-match acl 2000
#
traffic behavior liu
redirect ip-nexthop 2.1.1.6
#
traffic policy liu
classifier liu behavior liu

interface GigabitEthernet0/0/0
ip address 1.1.1.5 255.255.255.252
traffic-policy liu inbound //策略应用在数据的入方向
2.2
关键点，困扰了我很久（如果不下发默认路由，会导致两个ospf进程，相互学习不到对方的业务地址）
ospf 1
default-route-advertise always //都要下发一条默认路由
ospf 2
default-route-advertise always //都要下发一条默认路由

3、防火墙关键配置

3.1
安全策略
#
security-policy
rule name trust-local
source-zone trust
destination-zone local
action permit
rule name local-trust
source-zone local
destination-zone trust
action permit
rule name untrust-local
source-zone untrust
destination-zone local
action permit
rule name local-untrust
source-zone local
destination-zone untrust
action permit
rule name pc-server
source-address 192.168.1.1 mask 255.255.255.255
destination-address 10.1.1.1 mask 255.255.255.255
action permit
3.2
防火墙接口安全区域

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0

4、验证pc1---> server 是否经过防火墙
查看防火墙的session table

防火墙上查看session列表，说明策略生效

display firewall session table
2019-04-04 14:48:43.930
Current Total Sessions : 6
icmp ×××: public --> public 192.168.1.1:18713 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:20249 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:19225 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:19993 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:18969 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:19481 --> 10.1.1.1:2048

转载于:https://blog.51cto.com/1823203/2374467