热门标签
热门文章
- 1git/github学习笔记-阅读笔记二_error: unable to create '/home/stormyjack/recon/de
- 2一、环境准备(Python、Anaconda、Git)最新版安装教程_anaconda git
- 3裁员?内卷?拿不到offer?这份阿里高工整理的Java核心知识点一定能帮到你!_精通java核心
- 4【DL】循环神经网络RNN、长短期记忆网络LSTM、门控循环单元网络GRU_循环神经网络(rnn),长短期记忆网络(lstm),门控循环单元(gru)网络结构
- 5GitHubDesktop:学习:三:(第一次操作)GitHubDesktop进行创建分支+合并分支:成功_github桌面版怎么合并分支
- 6基于蚁群算法的二维路径规划算法_基于蚁群算法的路径规划
- 7iPhone真机运行App提示“不再可用“(No Longer Available)的原因及解决_app is no longer available
- 8命名实体识别(NER)_命名实体识别ner
- 9python中复数用法_Python中的复数?
- 10数据结构 单链表 C语言实现_数据结构单链表c语言
当前位置: article > 正文
华为防火墙 策略路由实现多ISP接入Internet_防火墙多点接入
作者:菜鸟追梦旅行 | 2024-04-12 00:23:55
赞
踩
防火墙多点接入
组网需求:
企业分别从ISP1和ISP2租用了一条链路
- PC3用户上网访问Server1时走ISP1
- PC4用户上网访问Server1时走ISP2
一、ISP1 运营商 R1路由器
- <Huawei>sys
- [Huawei]sys R1
- [R1]un in en
-
- [R1]int g0/0/0
- [R1-GigabitEthernet0/0/0]ip addr 2.2.2.2 24
- [R1-GigabitEthernet0/0/0]quit
-
- [R1]int g0/0/1
- [R1-GigabitEthernet0/0/1]ip addr 10.2.2.2 24
- [R1-GigabitEthernet0/0/1]quit
-
- # 配置OSPF
- [R1]ospf 1
- [R1-ospf-1]area 0
- [R1-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255
- [R1-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255
二、ISP2 运营商 R2路由器
- <Huawei>sys
- [Huawei]sys R2
- [R2]un in en
-
- [R2]int g0/0/0
- [R2-GigabitEthernet0/0/0]ip addr 3.3.3.3 24
- [R2-GigabitEthernet0/0/0]quit
-
- [R2]
- [R2]int g0/0/1
- [R2-GigabitEthernet0/0/1]ip addr 10.3.3.3 24
- [R2-GigabitEthernet0/0/1]quit
-
- # 配置OSPF
- [R2]ospf 1
- [R2-ospf-1]area 0
- [R2-ospf-1-area-0.0.0.0]network 10.3.3.0 0.0.0.255
- [R2-ospf-1-area-0.0.0.0]network 3.3.3.0 0.0.0.255
三、R6路由器
- <Huawei>sys
- [Huawei]sys R6
- [R6]un in en
-
- [R6]int g0/0/0
- [R6-GigabitEthernet0/0/0]ip addr 10.2.2.1 24
- [R6-GigabitEthernet0/0/0]quit
-
- [R6]int g0/0/1
- [R6-GigabitEthernet0/0/1]ip addr 10.3.3.1 24
- [R6-GigabitEthernet0/0/1]quit
-
- [R6]int g0/0/2
- [R6-GigabitEthernet0/0/2]ip addr 10.1.1.1 24
- [R6-GigabitEthernet0/0/2]quit
-
- # 配置OSPF
- [R6]ospf 1
- [R6-ospf-1]area 0
- [R6-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
- [R6-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255
- [R6-ospf-1-area-0.0.0.0]network 10.3.3.0 0.0.0.255
四、防火墙
1、配置接口IP并加入相应的安全区域
- <USG6000V1>sys
- [USG6000V1]sys FW1
- [FW1]un in en
- [FW1]dhcp enable
-
- # 桥接本地环回网卡,实现登陆WEB管理页面
- [FW1]int g0/0/0
- [FW1-GigabitEthernet0/0/0]undo ip addr 192.168.0.1 24
- [FW1-GigabitEthernet0/0/0]ip addr 192.168.137.10 24
- [FW1-GigabitEthernet0/0/0]service-manage all permit
- [FW1-GigabitEthernet0/0/0]quit
-
- [FW1]int g1/0/0
- [FW1-GigabitEthernet1/0/0]ip addr 2.2.2.1 24
- [FW1-GigabitEthernet1/0/0]service-manage all permit
- [FW1-GigabitEthernet1/0/0]quit
-
- [FW1]int g1/0/1
- [FW1-GigabitEthernet1/0/1]ip addr 3.3.3.1 24
- [FW1-GigabitEthernet1/0/1]service-manage all permit
- [FW1-GigabitEthernet1/0/1]quit
-
- [FW1]firewall zone untrust
- [FW1-zone-untrust]add int g1/0/0
- [FW1-zone-untrust]add int g1/0/1
- [FW1-zone-untrust]quit
-
- [FW1]int g1/0/2
- [FW1-GigabitEthernet1/0/2]ip addr 172.16.1.1 24
- [FW1-GigabitEthernet1/0/2]service-manage all permit
- [FW1-GigabitEthernet1/0/2]dhcp select int
- [FW1-GigabitEthernet1/0/2]quit
-
- [FW1]int g1/0/3
- [FW1-GigabitEthernet1/0/3]ip addr 172.16.2.1 24
- [FW1-GigabitEthernet1/0/3]service-manage all permit
- [FW1-GigabitEthernet1/0/3]dhcp select int
- [FW1-GigabitEthernet1/0/3]quit
-
- [FW1]firewall zone trust
- [FW1-zone-trust]add int g1/0/2
- [FW1-zone-trust]add int g1/0/3
- [FW1-zone-trust]quit
2、创建地址列表
- [FW1]ip address-set 172.16.1.* type object
- [FW1-object-address-set-172.16.1.*]address 0 172.16.1.0 mask 24
- [FW1-object-address-set-172.16.1.*]ip address-set 172.16.2.* type object
- [FW1-object-address-set-172.16.2.*]address 0 172.16.2.0 mask 24
- [FW1-object-address-set-172.16.2.*]quit
3、配置安全策略
- [FW1]security-policy
- [FW1-policy-security]rule name "untrust to local"
- [FW1-policy-security-rule-untrust to local]source-zone untrust
- [FW1-policy-security-rule-untrust to local]destination-zone local
- [FW1-policy-security-rule-untrust to local]action permit
-
- [FW1-policy-security-rule-untrust to local]rule name "local to untrust"
- [FW1-policy-security-rule-local to untrust]source-zone local
- [FW1-policy-security-rule-local to untrust]destination-zone untrust
- [FW1-policy-security-rule-local to untrust]action permit
-
- [FW1-policy-security-rule-local to untrust]rule name "trust to untrust"
- [FW1-policy-security-rule-trust to untrust]source-zone trust
- [FW1-policy-security-rule-trust to untrust]destination-zone untrust
- [FW1-policy-security-rule-trust to untrust]source-address address-set 172.16.1.*
- [FW1-policy-security-rule-trust to untrust]source-address address-set 172.16.2.*
- [FW1-policy-security-rule-trust to untrust]action permit
- [FW1-policy-security-rule-trust to untrust]quit
4、配置NAT策略
- [FW1-policy-security]nat-policy
-
- [FW1-policy-nat]rule name "snat 1"
- [FW1-policy-nat-rule-snat 1]source-zone trust
- [FW1-policy-nat-rule-snat 1]egress-interface GigabitEthernet1/0/0
- [FW1-policy-nat-rule-snat 1]source-address address-set 172.16.1.*
- [FW1-policy-nat-rule-snat 1]action source-nat easy-ip
-
- [FW1-policy-nat-rule-snat 1]rule name "snat 2"
- [FW1-policy-nat-rule-snat 2]source-zone trust
- [FW1-policy-nat-rule-snat 2]egress-interface GigabitEthernet1/0/1
- [FW1-policy-nat-rule-snat 2]source-address address-set 172.16.2.*
- [FW1-policy-nat-rule-snat 2]action source-nat easy-ip
- [FW1-policy-nat-rule-snat 2]quit
5、配置策略路由
- [FW1]policy-based-route
- [FW1-policy-pbr]rule name "no policy route 1" 3
- [FW1-policy-pbr-rule-no policy route 1]ingress-interface GigabitEthernet1/0/2
- [FW1-policy-pbr-rule-no policy route 1]source-address address-set 172.16.1.*
- [FW1-policy-pbr-rule-no policy route 1]destination-address address-set 172.16.2.*
- [FW1-policy-pbr-rule-no policy route 1]action no-pbr
-
- [FW1-policy-pbr]rule name "no policy route 2" 4
- [FW1-policy-pbr-rule-no policy route 2]ingress-interface GigabitEthernet1/0/3
- [FW1-policy-pbr-rule-no policy route 2]source-address address-set 172.16.2.*
- [FW1-policy-pbr-rule-no policy route 2]destination-address address-set 172.16.1.*
- [FW1-policy-pbr-rule-no policy route 2]action no-pbr
-
- [FW1-policy-pbr-rule-no policy route 2]rule name "policy route 1" 1
- [FW1-policy-pbr-rule-policy route 1]ingress-interface GigabitEthernet1/0/2
- [FW1-policy-pbr-rule-policy route 1]source-address address-set 172.16.1.*
- [FW1-policy-pbr-rule-policy route 1]action pbr egress-interface GigabitEthernet1/0/0 next-hop 2.2.2.2
-
- [FW1-policy-pbr-rule-policy route 1]rule name "policy route 2" 2
- [FW1-policy-pbr-rule-policy route 2]ingress-interface GigabitEthernet1/0/3
- [FW1-policy-pbr-rule-policy route 2]source-address address-set 172.16.2.*
- [FW1-policy-pbr-rule-policy route 2]action pbr egress-interface GigabitEthernet1/0/1 next-hop 3.3.3.3
- [FW1-policy-pbr-rule-policy route 2]quit
-
6、配置OSPF
- [FW1-policy-nat]ospf 1
- [FW1-ospf-1]area 0
- [FW1-ospf-1-area-0.0.0.0]network 2.2.2.0 0.0.0.255
- [FW1-ospf-1-area-0.0.0.0]network 3.3.3.0 0.0.0.255
- [FW1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
- [FW1-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
五、WEB 端查看
1、接口列表
2、安全策略
(1)untrust to local
(2)local to untrust
(3)trust to untrust
3、NAT策略
(1)snat 1
(2)snat 2
4、地址表
5、策略路由
(1)policy route 1
(2)policy route 2
(3)no policy route 1
(4)no policy route 4
六、测试
1、PC3 访问 Server1
PC4 访问 Server1
通过上图分析得知,PC3 所在的172.16.1.0网段 访问 10.1.1.2 时出接口为 GE1/0/0。PC4 所在的172.16.2.0网段 访问 10.1.1.2 时出接口为 GE1/0/1
2、我们拿 PC3 访问 PC4,看下内网是否正常
- PC3>ping 172.16.2.81
-
- Ping 172.16.2.81: 32 data bytes, Press Ctrl_C to break
- From 172.16.2.81: bytes=32 seq=1 ttl=127 time=63 ms
- From 172.16.2.81: bytes=32 seq=2 ttl=127 time=62 ms
- From 172.16.2.81: bytes=32 seq=3 ttl=127 time=63 ms
- From 172.16.2.81: bytes=32 seq=4 ttl=127 time=46 ms
- From 172.16.2.81: bytes=32 seq=5 ttl=127 time=47 ms
-
- --- 172.16.2.81 ping statistics ---
- 5 packet(s) transmitted
- 5 packet(s) received
- 0.00% packet loss
- round-trip min/avg/max = 46/56/63 ms
我们发现是互通的,这里要注意一下,因为我已经在上面配置了 no pbr 不做策略路由,否则是不通的。 如果你的环境有 IPSecVPN 也需要做 no pbr
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/菜鸟追梦旅行/article/detail/408362
推荐阅读
相关标签
