Huawei USG Firewall: Intelligent Routing: Global Link Selection Policy: Configuring Active/Standby Backup of Traffic by Link Priority (the larger the number, the higher the priority) (policy-based routing takes precedence over global link selection)
By configuring active/standby backup based on link priority, the FW can forward traffic over the backup interface link when the primary interface link fails, improving transmission reliability.
(1) Networking requirements
As shown in the figure, the enterprise leases 2 links from ISP1, each with 50M of bandwidth, and 1 link from ISP2 with 10M of bandwidth.
The enterprise wants Internet traffic to prefer the 2 ISP1 links, and to use the ISP2 link only when both ISP1 links have failed.
The enterprise's web access service (IP 8.8.8.8) should prefer the ISP2 link, and use the ISP1 links only when the ISP2 link has failed.
Note: in this lab, when the PC goes out via ISP1 to reach 8.8.8.8 on TCP 80, the connection fails.
(2) Topology diagram
(3) Configuration
ISP1:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 100.100.100.200 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 200.200.200.200 255.255.255.0
ip route-static 192.168.1.0 255.255.255.0 100.100.100.100 preference 61
ip route-static 192.168.1.0 255.255.255.0 200.200.200.100 preference 70
ISP2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 2.2.2.254 255.255.255.0
interface GE1/0/1
undo portswitch
undo shutdown
ip address 8.8.8.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
FW:
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.4.4 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.100.100.100 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.200.200.100 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 2.2.2.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
security-policy
default action permit
SW1:
Layer 2 switch
(4.1) Configure the health check function: configure one health check for each ISP1 and ISP2 link.
healthcheck enable
healthcheck name isp_health_01
source-ip 100.100.100.100
destination 100.100.100.200 interface GigabitEthernet1/0/0 protocol icmp
[FW]display healthcheck
2023-02-10 13:54:35.070
Current Total Healthcheck Number : 1
Name Member State Up/Down/Init
isp_health_01 1 up 1 0 0
[FW]
FW:
healthcheck enable
healthcheck name isp_health_01
source-ip 100.100.100.100
destination 100.100.100.200 interface GigabitEthernet1/0/0 protocol icmp
healthcheck name isp1_health_02
source-ip 200.200.200.100
destination 200.200.200.200 interface GigabitEthernet1/0/1 protocol icmp
healthcheck name isp2_health_01
source-ip 2.2.2.2
destination 2.2.2.254 interface GigabitEthernet1/0/2 protocol icmp
[FW]display healthcheck
2023-02-10 14:06:53.640
Current Total Healthcheck Number : 3
Name Member State Up/Down/Init
isp_health_01 1 up 1 0 0
isp2_health_01 2 up 1 1 0
isp1_health_02 1 up 1 0 0
[FW]
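The display output above is the only place the lab shows the real state of the three probes, and note that isp2_health_01 is reported as "up" while its counters read 1 up / 1 down. The parser below is an added example (not code from the post or from Huawei) that reads this table and flags any check that is down or only partly up; SAMPLE_OUTPUT is the CLI session copied from the post, while the field names and the "degraded" rule are this example's own choices.

```python
"""Parser for the `display healthcheck` table of a Huawei USG.

Added example, not code from the post or from Huawei.  SAMPLE_OUTPUT is the
CLI session shown in the post; everything else (field names, the
`degraded` rule) is this example's own choice.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Verbatim from the post's CLI session (step 4.1).
SAMPLE_OUTPUT = """\
[FW]display healthcheck
2023-02-10 14:06:53.640
Current Total Healthcheck Number : 3
Name Member State Up/Down/Init
isp_health_01 1 up 1 0 0
isp2_health_01 2 up 1 1 0
isp1_health_02 1 up 1 0 0
[FW]
"""


@dataclass(frozen=True)
class HealthCheck:
    name: str
    members: int   # number of probe destinations in the check
    state: str     # overall state column: up / down / init
    up: int        # members currently up
    down: int      # members currently down
    init: int      # members still initialising


# One data row: name, member count, state, then the Up/Down/Init counters.
ROW = re.compile(
    r"^(\S+)\s+(\d+)\s+(up|down|init)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.IGNORECASE
)
TOTAL = re.compile(r"Current Total Healthcheck Number\s*:\s*(\d+)")


def parse_healthcheck(text: str) -> list:
    """Return one HealthCheck per data row; header, timestamp and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(HealthCheck(
                name=m.group(1), members=int(m.group(2)), state=m.group(3).lower(),
                up=int(m.group(4)), down=int(m.group(5)), init=int(m.group(6)),
            ))
    return rows


def declared_total(text: str) -> Optional[int]:
    """The count the device itself reports; a mismatch means a truncated capture."""
    m = TOTAL.search(text)
    return int(m.group(1)) if m else None


def degraded(checks: list) -> list:
    """Names of checks that are not fully healthy.

    A check whose State column still says 'up' can hide a failed member (the
    post's own output shows isp2_health_01 with 1 up / 1 down), so the
    counters are inspected as well as the state.
    """
    return [c.name for c in checks if c.state != "up" or c.down > 0 or c.init > 0]


def audit(text: str) -> dict:
    """Summary an operator can alert on: row count, completeness, degraded checks."""
    checks = parse_healthcheck(text)
    total = declared_total(text)
    return {
        "parsed": len(checks),
        "declared": total,
        "complete": total is not None and total == len(checks),
        "degraded": degraded(checks),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))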
(4.2) Configure the bandwidth of the link on each interface and apply the corresponding health check.
interface GigabitEthernet1/0/0
healthcheck isp_health_01
bandwidth ingress 50000
bandwidth egress 50000
#
interface GigabitEthernet1/0/1
healthcheck isp1_health_02
bandwidth ingress 50000
bandwidth egress 50000
#
interface GigabitEthernet1/0/2
healthcheck isp2_health_01
bandwidth ingress 10000
bandwidth egress 10000
(5) Create interface group ifgrp1 and add interfaces GE1/0/0 and GE1/0/1 to the group.
Create 3 link interfaces, then create a link interface group named ifgrp1:
link-interface 0 name ip100.100.100.100
interface GigabitEthernet1/0/0 next-hop 100.100.100.200 route disable
healthcheck isp_health_01
redirect-reverse enable
#
link-interface 1 name ip200.200.200.100
interface GigabitEthernet1/0/1 next-hop 200.200.200.200 route disable
healthcheck isp1_health_02
redirect-reverse enable
#
link-interface 2 name ip2.2.2.2
interface GigabitEthernet1/0/2 next-hop 2.2.2.254 route disable
healthcheck isp2_health_01
redirect-reverse enable
#
link-interface-group 0 name ifgrp1
add linkif ip100.100.100.100
add linkif ip200.200.200.100
(6) Configure the global link selection policy: traffic uses active/standby backup by link priority.
Configure the global link selection policy:
multi-linkif
mode priority-of-userdefine
add linkif ip2.2.2.2
add linkif-group ifgrp1 priority 2
(7.1) Define a custom web application, assuming the application server's IP address is 8.8.8.8.
Choose "Object > Application > Application" and click "New".
sa
user-defined-application name UD_ip8.8.8.8_tcp80
rule name tcp80
protocol tcp
ip-address 8.8.8.8 32
port 80
(7.2) Configure policy-based routing. Configure intelligent link selection via policy-based routing for the web application, with traffic in active/standby backup by link priority.
policy-based-route
rule name policy1 1
source-zone trust
application app UD_ip8.8.8.8_tcp80
action pbr multi-linkif
mode priority-of-userdefine
add linkif ip2.2.2.2 priority 2
add linkif-group ifgrp1
#
Test: ping traffic did not go through ISP2, and access to port 80 also went through ISP1.
Conclusion: this emulator may not support "application" matching.
Modify the policy-based route and test again:
policy-based-route
rule name policy1 1
source-zone trust
destination-address 8.8.8.8 mask 255.255.255.255
service http
action pbr multi-linkif
mode priority-of-userdefine
add linkif ip2.2.2.2 priority 2
add linkif-group ifgrp1
Test again: ping traffic to 8.8.8.8 goes through ISP1, and access to 8.8.8.8 on TCP port 80 goes through ISP2.
Lab complete.
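The result just observed follows from three rules this lab configures: a multi-linkif in mode priority-of-userdefine takes the highest-priority member that the health check reports as usable (larger number = higher priority), a member without an explicit priority keeps the default, and a policy-based route that matches the flow is consulted before the global policy. The script below is an added example (not Huawei code and not from the post) that models those rules with the link interfaces, group, global policy and final PBR rule of steps (5) to (7.2) and replays the four cases from the requirements. Assumptions, labelled in the code as well: the default priority is 1, the first healthy link of ifgrp1 in configuration order is taken (the real group may spread flows across both links), and the PBR matcher is an exact comparison on zone, destination and service.

```python
"""Model of the link selection the post configures: a multi-linkif in mode
priority-of-userdefine picks the highest-priority healthy member (larger
number = higher priority), a matching policy-based route is consulted before
the global policy, and a member without an explicit priority gets a default.

Added example, not Huawei code.  Assumptions: the default priority is 1;
within ifgrp1 the first healthy link in configuration order is taken (the
real group may spread flows across both); the PBR matcher is an exact
comparison on zone, destination and service.
"""
from typing import Optional

DEFAULT_PRIORITY = 1  # assumption: priority of a member configured without one

# Link interfaces from step (5) of the post, keyed by link-interface name.
LINKIFS = {
    "ip100.100.100.100": "GigabitEthernet1/0/0",  # ISP1 link 1
    "ip200.200.200.100": "GigabitEthernet1/0/1",  # ISP1 link 2
    "ip2.2.2.2": "GigabitEthernet1/0/2",          # ISP2 link
}
GROUPS = {"ifgrp1": ("ip100.100.100.100", "ip200.200.200.100")}

# Step (6): global policy, ifgrp1 at priority 2, ip2.2.2.2 left at the default.
GLOBAL_POLICY = [("ip2.2.2.2", DEFAULT_PRIORITY), ("ifgrp1", 2)]

# Step (7.2), final form: HTTP to 8.8.8.8 from trust prefers ISP2.
PBR_RULES = [
    {
        "name": "policy1",
        "source_zone": "trust",
        "dst": "8.8.8.8",
        "service": ("tcp", 80),
        "members": [("ip2.2.2.2", 2), ("ifgrp1", DEFAULT_PRIORITY)],
    }
]


def expand(member: str) -> tuple:
    """A group name expands to its link interfaces; a link interface to itself."""
    return GROUPS.get(member, (member,))


def select_link(members, health: dict) -> Optional[str]:
    """Highest-priority member with a healthy link; ties keep config order (stable sort)."""
    for name, _prio in sorted(members, key=lambda m: -m[1]):
        for linkif in expand(name):
            if health.get(linkif, False):  # health check says the link is usable
                return linkif
    return None  # every candidate link is down


def match_pbr(flow: dict) -> Optional[dict]:
    """First PBR rule whose zone, destination and service equal the flow's (simplified)."""
    for rule in PBR_RULES:
        if (rule["source_zone"], rule["dst"], rule["service"]) == (
            flow["source_zone"], flow["dst"], flow["service"]
        ):
            return rule
    return None


def route(flow: dict, health: dict) -> tuple:
    """(chosen link interface, which policy decided) for one flow."""
    rule = match_pbr(flow)
    if rule is not None:  # PBR selection wins over the global policy
        return select_link(rule["members"], health), "pbr:" + rule["name"]
    return select_link(GLOBAL_POLICY, health), "global"


# Health as the three health checks of step (4.1) would report it per link interface.
ALL_UP = {name: True for name in LINKIFS}
ISP1_DOWN = {**ALL_UP, "ip100.100.100.100": False, "ip200.200.200.100": False}
ISP2_DOWN = {**ALL_UP, "ip2.2.2.2": False}

PING = {"source_zone": "trust", "dst": "8.8.8.8", "service": ("icmp", None)}
WEB = {"source_zone": "trust", "dst": "8.8.8.8", "service": ("tcp", 80)}


def scenarios() -> dict:
    """The four cases described by the requirements in section (1)."""
    return {
        "ping, all links up": route(PING, ALL_UP),
        "web, all links up": route(WEB, ALL_UP),
        "ping, both ISP1 links down": route(PING, ISP1_DOWN),
        "web, ISP2 link down": route(WEB, ISP2_DOWN),
    }


if __name__ == "__main__":
    for case, (link, policy) in scenarios().items():
        print(f"{case:30} -> {link or 'no usable link'} via {policy}")
```

The first two cases reproduce the test result above (ping via ISP1 under the global policy, TCP 80 via ISP2 under policy1); the other two show the failover each requirement asks for. Note that select_link returns None when every candidate is down, which is the condition the health checks exist to surface.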
Please retain the source when reprinting: www.zh-cjh.com Zhuhai Chen Jianhao Blog » Huawei USG Firewall: Intelligent Routing: Global Link Selection Policy: Configuring Active/Standby Backup of Traffic by Link Priority (the larger the number, the higher the priority) (policy-based routing takes precedence over global link selection)
Author: cjh