11. Small and Medium Enterprise Network Architecture: Extended Configuration of a Dual-Exit Firewall

Network topology:

[Figure 1: network topology]

Under normal conditions, Internet-bound traffic from the VLAN 2 subnet goes out over link ISP1;
Under normal conditions, Internet-bound traffic from the VLAN 3 subnet goes out over link ISP2;
The links used by VLAN 2 and VLAN 3 back each other up: when one VLAN's link (the primary link) fails, its traffic switches to the other VLAN's link (the backup link).

Configuration approach:

The approach for combining policy-based routing with IP-Link is as follows:

To have different links carry different traffic, configure source-address-based policy-based routing so that Internet-bound traffic from VLAN 2 is steered to link ISP1 and Internet-bound traffic from VLAN 3 to link ISP2.

To make the VLAN 2 and VLAN 3 links back each other up and keep connectivity uninterrupted, configure the following:
Associate the policy-based routes with IP-Link, so that IP-Link monitors the reachability of each VLAN's primary link. When a primary link fails, the policy route becomes invalid and the device looks up the backup route instead, keeping traffic flowing.
Configure a static route from VLAN 2 towards link ISP2 and one from VLAN 3 towards link ISP1 as the backup routes for VLAN 2 and VLAN 3. Also associate these static routes with IP-Link, so that IP-Link monitors the reachability of each VLAN's backup link.

Procedure:

I. Configure ISP1

1. Configure VLAN IP addresses

[ISP1]vlan batch  101 103

[ISP1]interface  Vlanif  101
[ISP1-Vlanif101]ip address 100.1.1.5 255.255.255.248
[ISP1-Vlanif101]quit

[ISP1]interface  Vlanif  103
[ISP1-Vlanif103]ip address 100.1.3.5 255.255.255.248
[ISP1-Vlanif103]quit

2. Configure ports

[ISP1]interface  GigabitEthernet  0/0/1	
[ISP1-GigabitEthernet0/0/1]port link-type access
[ISP1-GigabitEthernet0/0/1]port default vlan 101
[ISP1-GigabitEthernet0/0/1]quit

[ISP1]interface  GigabitEthernet  0/0/2	
[ISP1-GigabitEthernet0/0/2]port link-type access	
[ISP1-GigabitEthernet0/0/2]port default vlan 103
[ISP1-GigabitEthernet0/0/2]quit

3. Configure a static route

[ISP1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1

4. Configure OSPF

[ISP1]ospf router-id 1.1.1.1
[ISP1-ospf-1]area 1
[ISP1-ospf-1-area-0.0.0.1]network 100.1.1.0 0.0.0.7
[ISP1-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7	
[ISP1-ospf-1-area-0.0.0.1]return

II. Configure ISP2

1. Configure VLAN IP addresses

[ISP2]vlan batch 102 104

[ISP2]interface  Vlanif  102
[ISP2-Vlanif102]ip address 100.1.2.5 255.255.255.248
[ISP2-Vlanif102]quit

[ISP2]interface  Vlanif  104
[ISP2-Vlanif104]ip address 100.1.4.5 255.255.255.248
[ISP2-Vlanif104]quit

2. Configure ports

[ISP2]interface  GigabitEthernet  0/0/1	
[ISP2-GigabitEthernet0/0/1]port link-type access	
[ISP2-GigabitEthernet0/0/1]port default  vlan  102
[ISP2-GigabitEthernet0/0/1]quit

[ISP2]interface  GigabitEthernet  0/0/2	
[ISP2-GigabitEthernet0/0/2]port link-type  access
[ISP2-GigabitEthernet0/0/2]port default  vlan  104
[ISP2-GigabitEthernet0/0/2]quit

3. Configure a static route

[ISP2]ip route-static 0.0.0.0 0.0.0.0 100.1.2.1 

4. Configure OSPF

[ISP2]ospf router-id 2.2.2.2
[ISP2-ospf-1]area 1
[ISP2-ospf-1-area-0.0.0.1]network 100.1.2.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[ISP2-ospf-1-area-0.0.0.1]return

III. Configure Internet

1. Configure VLAN IP addresses

[Internet]vlan batch 103 104

[Internet]interface  Vlanif  103
[Internet-Vlanif103]ip address  100.1.3.1 255.255.255.248
[Internet-Vlanif103]quit

[Internet]interface  Vlanif  104
[Internet-Vlanif104]ip address  100.1.4.1 255.255.255.248
[Internet-Vlanif104]quit

[Internet]interface  LoopBack 0
[Internet-LoopBack0]ip address 3.3.3.3 32
[Internet-LoopBack0]quit 

2. Configure ports

[Internet]interface  GigabitEthernet  0/0/1
[Internet-GigabitEthernet0/0/1]port link-type access
[Internet-GigabitEthernet0/0/1]port default  vlan  103
[Internet-GigabitEthernet0/0/1]quit

[Internet]interface  GigabitEthernet  0/0/2
[Internet-GigabitEthernet0/0/2]port link-type access
[Internet-GigabitEthernet0/0/2]port default  vlan  104
[Internet-GigabitEthernet0/0/2]quit

3. Configure OSPF

[Internet]ospf router-id 3.3.3.3 
[Internet-ospf-1]area 1
[Internet-ospf-1-area-0.0.0.1]network 100.1.3.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 100.1.4.0 0.0.0.7
[Internet-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.0
[Internet-ospf-1-area-0.0.0.1]return

IV. Configure the firewall

1. Configure the uplink interface

[FW1]interface  GigabitEthernet  0/0/3
[FW1-GigabitEthernet0/0/3]ip address  100.1.2.1 255.255.255.248
[FW1-GigabitEthernet0/0/3]description connect to ISP2
[FW1-GigabitEthernet0/0/3]quit

2. Configure interface zones

[FW1]firewall zone name isp1
[FW1-zone-isp1]set priority 10
[FW1-zone-isp1]add interface GigabitEthernet 0/0/0
[FW1-zone-isp1]quit

[FW1]firewall zone  name isp2
[FW1-zone-isp2]set priority 15
[FW1-zone-isp2]add interface GigabitEthernet 0/0/3
[FW1-zone-isp2]quit

[FW1]firewall packet-filter default permit all 

3. Configure ACLs to identify the traffic subject to policy-based routing

[FW1]acl number 3001
[FW1-acl-adv-3001]rule  permit ip source 192.168.2.0 0.0.0.255
[FW1-acl-adv-3001]quit

[FW1]acl number 3002
[FW1-acl-adv-3002]rule  permit ip source 192.168.3.0 0.0.0.255
[FW1-acl-adv-3002]quit

4. Configure policy-based routing

# Policy to-isp: packets with source 192.168.2.0/24 are sent to next hop 100.1.1.5
[FW1]policy-based-route to-isp permit node 5
[FW1-policy-based-route-to-isp-5]if-match acl 3001
[FW1-policy-based-route-to-isp-5]apply ip-address next-hop 100.1.1.5
[FW1-policy-based-route-to-isp-5]quit

# Policy to-isp: packets with source 192.168.3.0/24 are sent to next hop 100.1.2.5
[FW1]policy-based-route to-isp permit node 10
[FW1-policy-based-route-to-isp-10]if-match acl 3002
[FW1-policy-based-route-to-isp-10]apply ip-address next-hop 100.1.2.5
[FW1-policy-based-route-to-isp-10]quit

# Apply the policy route on each interface
[FW1]interface  GigabitEthernet  0/0/0
[FW1-GigabitEthernet0/0/0]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/0]quit

[FW1]interface  GigabitEthernet  0/0/3
[FW1-GigabitEthernet0/0/3]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/3]quit

5. Configure IP-Link

Note: some may think NQA could be used here, but on the firewall NQA does not support association with routes, so only IP-Link can be used. IP-Link also has a major advantage: it can work together with policy-based routing.

[FW1]ip-link check  enable

# Probe reachability of the link from FW1 to destination 100.1.1.5
[FW1]ip-link 1 destination 100.1.1.5 interface GigabitEthernet 0/0/0 mode icmp 

# Probe reachability of the link from FW1 to destination 100.1.2.5
[FW1]ip-link 2 destination 100.1.2.5 interface GigabitEthernet 0/0/3 mode icmp

[Figure 2]

6. Configure default routes and associate them with IP-Link

[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2

7. Define NAT

[FW1]nat-policy interzone trust isp1 outbound
[FW1-nat-policy-interzone-trust-isp1-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp1-outbound-1]action source-nat 
[FW1-nat-policy-interzone-trust-isp1-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp1-outbound-1]easy-ip GigabitEthernet0/0/0
[FW1-nat-policy-interzone-trust-isp1-outbound-1]return

[FW1]nat-policy interzone trust isp2 outbound
[FW1-nat-policy-interzone-trust-isp2-outbound]policy 1
[FW1-nat-policy-interzone-trust-isp2-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-isp2-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-isp2-outbound-1]easy-ip GigabitEthernet0/0/3
[FW1-nat-policy-interzone-trust-isp2-outbound-1]return

8. Apply the policy on the downlink interfaces

[FW1]interface  GigabitEthernet  0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.7.254 255.255.255.0
[FW1-GigabitEthernet0/0/1]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/1]description connect to SW1
[FW1-GigabitEthernet0/0/1]quit

[FW1]interface  GigabitEthernet  0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.6.254 255.255.255.0
[FW1-GigabitEthernet0/0/2]ip policy-based-route to-isp
[FW1-GigabitEthernet0/0/2]description connect to SW2
[FW1-GigabitEthernet0/0/2]quit

V. Failure demonstration

1. Normal state

Under normal conditions, Internet-bound traffic from the VLAN 2 subnet goes out over link ISP1:

[Figure 3]

Under normal conditions, Internet-bound traffic from the VLAN 3 subnet goes out over link ISP2:

[Figure 4]

2. Manually simulate a failure of the G0/0/1 interface on FW1's uplink to ISP1

[Figure 5]

Check the links: all traffic now goes via ISP2

[Figures 6 to 8]

3. Manually simulate a failure of the G0/0/1 interface on FW1's uplink to ISP2

[Figure 9]

Check the links: all traffic now goes via ISP1

[Figures 10 to 12]

With that, the configuration is complete.
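The steering and failover logic described in the configuration approach and shown in the demonstration, modelled in Python as an added example (not device code and not from the original post): a PBR node is usable only while the IP-Link probing its next hop is up, a tracked default route is withdrawn while its IP-Link is down, and easy-ip rewrites the source to the egress interface address. The sample host addresses and the coupling of PBR nodes to IP-Link states are assumptions of the model.

```python
"""Added model (not device code) of FW1's egress selection as described in this post:
policy-based routing by source ACL, IP-Link probes, tracked default routes and easy-ip NAT.
Link states are simulated; the PBR/IP-Link coupling follows the design notes."""
import ipaddress

# Constructed from the page's configuration: policy-based-route to-isp nodes as
# (node, ACL source network, next hop, IP-Link number that probes that next hop).
PBR_NODES = [
    (5, ipaddress.ip_network("192.168.2.0/24"), "100.1.1.5", 1),
    (10, ipaddress.ip_network("192.168.3.0/24"), "100.1.2.5", 2),
]
# ip route-static 0.0.0.0 0.0.0.0 <next-hop> track ip-link <n>
STATIC_DEFAULTS = [("100.1.1.5", 1), ("100.1.2.5", 2)]
# Egress interface per next hop and its address, which easy-ip uses as the NAT source.
NEXTHOP_IFACE = {"100.1.1.5": "GigabitEthernet0/0/0", "100.1.2.5": "GigabitEthernet0/0/3"}
IFACE_ADDR = {"GigabitEthernet0/0/0": "100.1.1.1", "GigabitEthernet0/0/3": "100.1.2.1"}


def select_egress(src_ip, link_up):
    """Return (reason, next_hop, egress_iface, nat_source) for a packet from src_ip,
    or None when both uplinks are down. link_up maps IP-Link number -> probe result."""
    src = ipaddress.ip_address(src_ip)
    # 1. Policy route: the first node whose ACL matches and whose probed next hop is up.
    #    A node whose IP-Link is down is skipped, so the packet falls through to the FIB.
    for node, net, next_hop, link in PBR_NODES:
        if src in net and link_up.get(link, False):
            iface = NEXTHOP_IFACE[next_hop]
            return (f"pbr node {node}", next_hop, iface, IFACE_ADDR[iface])
    # 2. FIB lookup: a tracked default route is withdrawn while its IP-Link is down.
    #    With both routes present the first one is used; equal-cost sharing is not modelled.
    for next_hop, link in STATIC_DEFAULTS:
        if link_up.get(link, False):
            iface = NEXTHOP_IFACE[next_hop]
            return ("static default", next_hop, iface, IFACE_ADDR[iface])
    return None


def failover_demo():
    """Replay the three scenarios of the failure demonstration for one VLAN 2 and one VLAN 3 host."""
    scenarios = {
        "normal": {1: True, 2: True},
        "isp1 down": {1: False, 2: True},
        "isp2 down": {1: True, 2: False},
    }
    hosts = {"vlan2": "192.168.2.10", "vlan3": "192.168.3.10"}  # constructed sample hosts
    return {name: {vlan: select_egress(ip, state) for vlan, ip in hosts.items()}
            for name, state in scenarios.items()}
```

Hosts outside both ACLs (the rest of 192.168.0.0/16) skip the PBR stage entirely and use whichever tracked default routes remain, which is why the backup routes matter for them as well.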

[FW1]display  current-configuration
#
stp region-configuration
 region-name 703bd915f09b
 active region-configuration
#
acl number 3001
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
 rule 5 permit ip source 192.168.3.0 0.0.0.255
#
interface Vlanif1
 alias Vlanif1
#
interface Virtual-Template1
 alias Virtual-Template1
#
interface GigabitEthernet0/0/0
 description connect to ISP1
 alias GE0/MGMT
 ip address 100.1.1.1 255.255.255.248
#
interface GigabitEthernet0/0/1
 description connecct to SW1
 ip address 192.168.7.254 255.255.255.0
 ip policy-based-route to-isp
#
interface GigabitEthernet0/0/2
 description connect to SW2
 ip address 192.168.6.254 255.255.255.0
 ip policy-based-route to-isp
#
interface GigabitEthernet0/0/3
 description connect to ISP2
 ip address 100.1.2.1 255.255.255.248
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
interface LoopBack0
 alias LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 description ithis
 set priority 5
#
firewall zone dmz
 set priority 50
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet0/0/0
#
firewall zone name isp2
 set priority 15
 add interface GigabitEthernet0/0/3
#
aaa
 local-user admin password cipher %$%$y@N.>~B^$O\xLy0F^K%=rZQH%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1

#
 ip route-static 0.0.0.0 0.0.0.0 100.1.1.5 track ip-link 1
 ip route-static 0.0.0.0 0.0.0.0 100.1.2.5 track ip-link 2
 ip route-static 192.168.0.0 255.255.0.0 192.168.7.253
 ip route-static 192.168.0.0 255.255.0.0 192.168.6.253
#
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 policy-based-route to-isp permit node 5
  if-match acl 3001
  apply ip-address next-hop 100.1.1.5
 policy-based-route to-isp permit node 10
  if-match acl 3002
  apply ip-address next-hop 100.1.2.5
#
 slb
#
right-manager server-group
#
 sysname FW1
#
  domain suffix-separator @
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local isp1 direction inbound
 firewall packet-filter default permit interzone local isp1 direction outbound
 firewall packet-filter default permit interzone local isp2 direction inbound
 firewall packet-filter default permit interzone local isp2 direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone trust isp1 direction inbound
 firewall packet-filter default permit interzone trust isp1 direction outbound
 firewall packet-filter default permit interzone trust isp2 direction inbound
 firewall packet-filter default permit interzone trust isp2 direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound
 firewall packet-filter default permit interzone isp1 untrust direction inbound
 firewall packet-filter default permit interzone isp1 untrust direction outbound
 firewall packet-filter default permit interzone isp2 untrust direction inbound
 firewall packet-filter default permit interzone isp2 untrust direction outbound
 firewall packet-filter default permit interzone dmz isp1 direction inbound
 firewall packet-filter default permit interzone dmz isp1 direction outbound
 firewall packet-filter default permit interzone dmz isp2 direction inbound
 firewall packet-filter default permit interzone dmz isp2 direction outbound
 firewall packet-filter default permit interzone isp2 isp1 direction inbound
 firewall packet-filter default permit interzone isp2 isp1 direction outbound
#
 ip ttl-expires enable
 ip df-unreachables enable
#
 undo dhcp enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 vlan batch 1 101 103
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy
#
 license-server domain lic.huawei.com
#
 web-manager enable
#
policy interzone trust untrust inbound
 policy 1
  action permit
#
policy interzone trust isp1 inbound
 policy 1
  action permit
#
policy interzone trust isp2 inbound
 policy 1
  action permit
#
nat-policy interzone trust isp1 outbound
 policy 1
 description tihsi
  action source-nat
  policy source 192.168.0.0 mask 16
  easy-ip GigabitEthernet0/0/0
#
nat-policy interzone trust isp2 outbound
 policy 1
  action source-nat
  policy source 192.168.0.0 mask 16
  easy-ip GigabitEthernet0/0/3
#
return