ENSP验证防火墙的策略路由、IP-Link绑定案例

 

本案例可以掌握：依据ip link探测出口路由是否正常，以此判断内网出口规则。依据策略路由学习防火墙的路由功能。

 

1、拓扑

 

注：学习说明，该案例可以在华为usg入门里学习，也可以在其它作者里找到，但未配置完所有设备，如路由的配置等。

2、业务需求

某企业主要分为市场部和研发部两个部门，组网如上图，FW位于企业网出口，

该企业部署了两条接入Internet的链路ISP-A、ISP-B，其中ISP-A网络速度最快。

要求：市场部对网速要求比较高，通过链路ISP-A访问Internet。研发部对网速要求不高，通过链路ISP-B来访问Internet。

3、配置步骤

 2.1基本路由器配置

（1）R1基本配置

undo terminal monitor

sys

[Huawei]sysname R1

[R1]int g0/0/0

[R1-GigabitEthernet0/0/0]ip add 10.10.1.2 24

[R1-GigabitEthernet0/0/0]quit

[R1]

[R1]int g0/0/1

[R1-GigabitEthernet0/0/1]ip add 100.1.1.1 24

[R1-GigabitEthernet0/0/1]quit

[R1]

（2）R2基本配置

undo terminal mo

Info: Current terminal monitor is off.

sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname R2

[R2]int g0/0/0

[R2-GigabitEthernet0/0/0]ip add 10.20.1.2 24

[R2-GigabitEthernet0/0/0]quit

[R2]

[R2]int g0/0/1

[R2-GigabitEthernet0/0/1]ip add 200.1.1.1 24

[R2-GigabitEthernet0/0/1]quit

[R2]

（3）R3基本配置

undo terminal mo

Info: Current terminal monitor is off.

sys

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname R3

[R3]int g0/0/0

[R3-GigabitEthernet0/0/0]ip address 100.1.1.2  24

[R3-GigabitEthernet0/0/0]quit

[R3]

[R3]int g0/0/1

[R3-GigabitEthernet0/0/1]ip add 200.1.1.2  24

[R3-GigabitEthernet0/0/1]quit

[R3]int g0/0/2

[R3-GigabitEthernet0/0/1]ip add 172.16.1.1  24

[R3-GigabitEthernet0/0/1]quit

[R3]

2.2防火墙配置

（1）配置接口及IP

undo terminal monitor

sys

[USG6000V1]sysname FW

[FW] interface GigabitEthernet0/0/0

 [FW] undo shutdown

 [FW] ip binding -instance default

 [FW] ip address 192.168.100.1 255.255.255.0

 [FW] alias GE0/METH

 [FW] service-manage https permit

[FW]  service-manage ping permit

[FW] interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2] ip address 10.10.1.1 255.255.255.0

[FW-GigabitEthernet1/0/2] quit

[FW] interface GigabitEthernet 1/0/3

[FW-GigabitEthernet1/0/3] ip address 10.1.1.1 255.255.255.0

[FW-GigabitEthernet1/0/3] ip address 10.1.2.1 255.255.255.0 sub

[FW-GigabitEthernet1/0/3] quit

[FW] interface GigabitEthernet 1/0/4

[FW-GigabitEthernet1/0/4] ip address 10.20.1.1 255.255.255.0

[FW-GigabitEthernet1/0/4] quit

（2）配置区域

[FW] firewall zone trust

[FW-zone-trust] add interface GigabitEthernet 1/0/3

[FW-zone-trust] quit

 

[FW] firewall zone untrust

[FW-zone-untrust] add interface GigabitEthernet 1/0/2

[FW-zone-untrust] add interface GigabitEthernet 1/0/4

[FW-zone-untrust] quit

 

（3）设置防火墙的路由

[FW]ip route-static 100.1.1.0 24 10.10.1.2

[FW]ip route-static 200.1.1.0 24 10.20.1.2

 

（4）配置Trust区域和Untrust区域之间的安全策略，允许企业内部用户访问外网资源。假设内部用户网段为10.1.1.0/24和10.1.2.0/24。

[FW] security-policy

[FW-policy-security] rule name sec_1

[FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust

[FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust

[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.1.0 24

[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.2.0 24

[FW-policy-security-rule-policy_sec_trust_untrust] action permit

[FW-policy-security-rule-policy_sec_trust_untrust] quit

[FW-policy-security] quit

 

（5）配置IP-Link功能，检测链路状态。

[FW] ip-link check enable

[FW] ip-link name IPLIK_pbr_1

[FW-iplink-iplinkpbr_1] destination 10.10.1.2 interface GigabitEthernet1/0/2 mode icmp

[FW-iplink-iplinkpbr_1] quit

 

[FW]ip-link name IPLIK_pbr_2

[FW-iplink-iplinkpbr_2] destination 10.20.1.2 interface GigabitEthernet1/0/4 mode icmp

[FW-iplink-iplinkpbr_2] quit

 

（6）创建策略路由“pbr_1”和“pbr_2”，从Trust区域接收的属于市场部的报文发送到下一跳10.20.1.2，从Trust区域接收的属于研发部的报文发送到下一跳10.10.1.2。

**若出现iplinkpbr_1断线，则数据通过pbr_2路由出去，反之依然**

[FW] policy-based-route

[FW-policy-pbr] rule name pbr_1

[FW-policy-pbr-rule-pbr_1] description pbr_1

[FW-policy-pbr-rule-pbr_1] source-zone trust

[FW-policy-pbr-rule-pbr_1] source-address 10.1.1.0 24

[FW-policy-pbr-rule-pbr_1] track ip-link IPLIK_pbr_1

[FW-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet1/0/2 next-hop 10.10.1.2

[FW-policy-pbr-rule-pbr_1] quit

 

[FW-policy-pbr] rule name pbr_2

[FW-policy-pbr-rule-pbr_2] description pbr_2

[FW-policy-pbr-rule-pbr_2] source-zone trust

[FW-policy-pbr-rule-pbr_2] source-address 10.1.2.0 24

[FW-policy-pbr-rule-pbr_2] track ip-link IPLIK_pbr_2

[FW-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet1/0/4 next-hop 10.20.1.2

[FW-policy-pbr-rule-pbr_2] quit

[FW-policy-pbr] quit

 

2.3配置路由器路由，保证数据通讯

以上配置基本完成，但无法从市场部、研发部PING通两个ISP链接的外网机器172.17.1.2。

因为路由不通，所以在这里需要配置路由，有很多种方式，这里只配置静态路由。

（1）R1静态路由，默认路由到防火墙接口，去172.16的数据从100.1.1.2出去

[R1]ip route-static 0.0.0.0 0.0.0.0 10.10.1.1

[R1]ip route-static 172.16.1.0 255.255.255.0 100.1.1.2

（2）R2静态路由，默认路由到防火墙接口，去172.16的数据从200.1.1.2出去

[R2]ip route-static 0.0.0.0 0.0.0.0 10.20.1.1

[R2]ip route-static 172.16.1.0 255.255.255.0 200.1.1.2

（3）R3静态路由

即默认数据从两个ISP出去

[R3]ip route-static 0.0.0.0 0.0.0.0 200.1.1.1

[R3]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

4、数据验证

4.1 Ping 172.16.1.2

 

 

 

也可以在WEB页面上查看，此处略

 

4.2停止R1，查看路由变化/反之也可

 

5、全部配置文件

5.1 R1

disp cur

[V200R003C00]

#

 sysname R1

#

 snmp-agent local-engineid 800007DB03000000000000

 snmp-agent

#

 clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load flash:/portalpage.zip

#

 drop illegal-mac alarm

#

 wlan ac-global carrier id other ac id 0

#

 set cpu-usage threshold 80 restore 75

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

 local-user admin service-type http

#

firewall zone Local

 priority 15

#

interface GigabitEthernet0/0/0

 ip address 10.10.1.2 255.255.255.0

#

interface GigabitEthernet0/0/1

 ip address 100.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 10.10.1.1

ip route-static 172.16.1.0 255.255.255.0 100.1.1.2

#

user-interface con 0

 authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

 

 5.2 R2

disp cur

[V200R003C00]

#

 sysname R2

#

 snmp-agent local-engineid 800007DB03000000000000

 snmp-agent

#

 clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load flash:/portalpage.zip

#

 drop illegal-mac alarm

#

 wlan ac-global carrier id other ac id 0

#

 set cpu-usage threshold 80 restore 75

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

 local-user admin service-type http

#

firewall zone Local

 priority 15

#

interface GigabitEthernet0/0/0

 ip address 10.20.1.2 255.255.255.0

#

interface GigabitEthernet0/0/1

 ip address 200.1.1.1 255.255.255.0

#

interface GigabitEthernet0/0/2

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 10.20.1.1

ip route-static 172.16.1.0 255.255.255.0 200.1.1.2

#

user-interface con 0

 authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

  

5.3 R3

disp cur

[V200R003C00]

#

 sysname R3

#

 snmp-agent local-engineid 800007DB03000000000000

 snmp-agent

#

 clock timezone China-Standard-Time minus 08:00:00

#

portal local-server load flash:/portalpage.zip

#

 drop illegal-mac alarm

#

 wlan ac-global carrier id other ac id 0

#

 set cpu-usage threshold 80 restore 75

#

aaa

 authentication-scheme default

 authorization-scheme default

 accounting-scheme default

 domain default

 domain default_admin

 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$

 local-user admin service-type http

#

firewall zone Local

 priority 15

#

interface GigabitEthernet0/0/0

 ip address 100.1.1.2 255.255.255.0

#

interface GigabitEthernet0/0/1

 ip address 200.1.1.2 255.255.255.0

#

interface GigabitEthernet0/0/2

 ip address 172.16.1.1 255.255.255.0

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 200.1.1.1

ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

#

user-interface con 0

 authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

#

wlan ac

#

return

  

 5.4 FW

disp cur

2020-01-08 14:59:17.070

!Software Version V500R005C10SPC300

#

sysname FW

#

  domain suffix-separator @

#

 ipsec sha2 compatible enable

#

undo telnet server enable

undo telnet ipv6 server enable

#

clock timezone UTC add 00:00:00

#

 update schedule location-sdb weekly Sun 23:10

#

 firewall defend action discard

#

 banner enable

#

 user-manage web-authentication security port 8887

 undo privacy-statement english

 undo privacy-statement chinese

page-setting

 user-manage security version tlsv1.1 tlsv1.2

password-policy

 level high

user-manage single-sign-on ad

user-manage single-sign-on tsm

user-manage single-sign-on radius

user-manage auto-sync online-user

#

 web-manager security version tlsv1.1 tlsv1.2

 web-manager enable

 web-manager security enable

 undo web-manager config-guide enable

#

firewall dataplane to manageplane application-apperceive default-action drop

#

 undo ips log merge enable

#

 decoding uri-cache disable

#

 update schedule ips-sdb daily 22:40

 update schedule av-sdb daily 22:40

 update schedule sa-sdb daily 22:40

 update schedule cnc daily 22:40

 update schedule file-reputation daily 22:40

#

ip -instance default

 ipv4-family

#

ip-link check enable

ip-link name IPLIK_pbr_1

 destination 10.10.1.2 interface GigabitEthernet1/0/2 mode icmp

ip-link name IPLIK_pbr_2

 destination 10.20.1.2 interface GigabitEthernet1/0/4 mode icmp

#

ip address-set trust_IP type object

 address 0 10.1.1.0 mask 24

 address 1 10.1.2.0 mask 24

#

 time-range worktime

  period-range 08:00:00 to 18:00:00 working-day

#

ike proposal default

 encryption-algorithm aes-256 aes-192 aes-128

 dh group14

 authentication-algorithm sha2-512 sha2-384 sha2-256

 authentication-method pre-share

 integrity-algorithm hmac-sha2-256

 prf hmac-sha2-256

#

aaa

 authentication-scheme default

 authentication-scheme admin_local

 authentication-scheme admin_radius_local

 authentication-scheme admin_hwtacacs_local

 authentication-scheme admin_ad_local

 authentication-scheme admin_ldap_local

 authentication-scheme admin_radius

 authentication-scheme admin_hwtacacs

 authentication-scheme admin_ad

 authorization-scheme default

 accounting-scheme default

 domain default

  service-type internetaccess ssl- ike

  internet-access mode password

  reference user current-domain

 manager-user audit-admin

  password cipher @%@%781R1UbM75J=kLN0/JyFJPTKT)T{A\@%@%

  service-type web terminal

  level 15

 

 manager-user api-admin

  password cipher @%@%@`=1"kw0o4%G5~,1(y,02-DDd3"a0i=X6>+44r(R'9fK-DG2@%@%

  level 15

 

 manager-user admin

  password cipher @%@%Cj{4IPC61=+Sen6xwmf~bX8/9&pk5u2af1WkHU7W5RqTX82b@%@%

  service-type web terminal

  level 15

 

 role system-admin

 role device-admin

 role device-admin(monitor)

 role audit-admin

 bind manager-user audit-admin role audit-admin

 bind manager-user admin role system-admin

#

-group default-lns

#

interface GigabitEthernet0/0/0

 undo shutdown

 ip binding -instance default

 ip address 192.168.100.1 255.255.255.0

 alias GE0/METH

 service-manage https permit

 service-manage ping permit

#

interface GigabitEthernet1/0/0

 undo shutdown

#

interface GigabitEthernet1/0/1

 undo shutdown

#

interface GigabitEthernet1/0/2

 undo shutdown

 ip address 10.10.1.1 255.255.255.0

 service-manage ping permit

#

interface GigabitEthernet1/0/3

 undo shutdown

 ip address 10.1.1.1 255.255.255.0

 ip address 10.1.2.1 255.255.255.0 sub

 service-manage ping permit

#

interface GigabitEthernet1/0/4

 undo shutdown

 ip address 10.20.1.1 255.255.255.0

 service-manage ping permit

#

interface GigabitEthernet1/0/5

 undo shutdown

#

interface GigabitEthernet1/0/6

 undo shutdown

#

interface Virtual-if0

#

interface NULL0

#

firewall zone local

 set priority 100

#

firewall zone trust

 set priority 85

 add interface GigabitEthernet0/0/0

 add interface GigabitEthernet1/0/3

#

firewall zone untrust

 set priority 5

 add interface GigabitEthernet1/0/2

 add interface GigabitEthernet1/0/4

#

firewall zone dmz

 set priority 50

#

ip route-static 0.0.0.0 0.0.0.0 10.10.1.2

ip route-static 0.0.0.0 0.0.0.0 10.20.1.2

#

undo ssh server compatible-ssh1x enable

ssh authentication-type default password

ssh server cipher aes256_ctr aes128_ctr

ssh server hmac sha2_256 sha1

ssh client cipher aes256_ctr aes128_ctr

ssh client hmac sha2_256 sha1

#

firewall detect ftp

#

user-interface con 0

 authentication-mode aaa

user-interface vty 0 4

 authentication-mode aaa

 protocol inbound ssh

user-interface vty 16 20

#

pki realm default

#

sa

#

location

#

multi-linkif

 mode proportion-of-weight

#

right-manager server-group

#

device-classification

 device-group pc

 device-group mobile-terminal

 device-group undefined-group

#

user-manage server-sync tsm

#

security-policy

 rule name policy_sec_trust_untrust

  source-zone trust

  destination-zone untrust

  source-address address-set trust_IP

  action permit

#

auth-policy

#

traffic-policy

#

policy-based-route

 rule name pbr_1 1

  description for market department

  source-zone trust

  source-address 10.1.1.0 mask 255.255.255.0

  track ip-link IPLIK_pbr_1

  action pbr egress-interface GigabitEthernet1/0/2 next-hop 10.10.1.2

 rule name pbr_2 2

  description for research department

  source-zone trust

  source-address 10.1.2.0 mask 255.255.255.0

  track ip-link IPLIK_pbr_2

  action pbr egress-interface GigabitEthernet1/0/4 next-hop 10.20.1.2

#

nat-policy

#

quota-policy

#

pcp-policy

#

dns-transparent-policy

#

rightm-policy

#

return

     

 5.5 最后

1、所有配置中，没有配置交换机，即适用了默认配置，所有口为Hybrid口。

2、在该文中也是本人拙解，若有问题、建议意见，请回复，多谢！