- Network topology
(Figure: network topology diagram. As the configuration below shows, FW GE1/0/0 1.1.1.2/29 faces ISP-A with next hop 1.1.1.1, GE1/0/1 2.2.2.2/29 faces ISP-B with next hop 2.2.2.1, and GE1/0/6 10.1.1.1/24 faces the internal network through an OSPF neighbour; vlan200 is 10.1.2.0/24 with PC1, vlan300 is 10.1.3.0/24 with PC2.)
- Networking requirements
1) vlan200 reaches the Internet over link ISP-A
2) vlan300 reaches the Internet over link ISP-B
- Configuration approach
Configure policy-based routing (PBR) on the FW so that packets are forwarded over different links according to their source address. PBR is consulted before the routing table, and each PBR rule tracks an IP-Link probe of its ISP next hop, so the rule is withdrawn when that link fails.
- Procedure
Configure the FW
a) Configure the interface IP addresses
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 1.1.1.2 29
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]quit
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 2.2.2.2 29
[FW-GigabitEthernet1/0/1]service-manage ping permit
[FW-GigabitEthernet1/0/1]quit
[FW]interface GigabitEthernet 1/0/6
[FW-GigabitEthernet1/0/6]ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/6]service-manage ping permit
[FW-GigabitEthernet1/0/6]quit
[FW]interface LoopBack 0
[FW-LoopBack0]ip address 10.10.10.1 32
[FW-LoopBack0]quit
Note: service-manage ping permit makes the FW answer ICMP echo on that interface. It is convenient while testing, but on the two ISP-facing interfaces it also lets anyone on the Internet ping the FW; remove or restrict it there once verification is done.
b) Add the interfaces to security zones
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/0
[FW-zone-untrust]add interface GigabitEthernet 1/0/1
[FW-zone-untrust]quit
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/6
[FW-zone-trust]quit
c) Configure a security policy between the Trust and Untrust zones that allows internal users to reach external resources
[FW]security-policy
[FW-policy-security]rule name policy1
[FW-policy-security-rule-policy1]source-zone trust
[FW-policy-security-rule-policy1]destination-zone untrust
[FW-policy-security-rule-policy1]source-address 10.1.1.0 24
[FW-policy-security-rule-policy1]source-address 10.1.2.0 24
[FW-policy-security-rule-policy1]source-address 10.1.3.0 24
[FW-policy-security-rule-policy1]action permit
[FW-policy-security-rule-policy1]quit
[FW-policy-security]quit
Both ISP interfaces sit in Untrust, so this one rule covers either exit. As written it permits every service from the three internal subnets; in production narrow it with a service list rather than leaving it open.
d) Configure IP-Link to detect link state
[FW]ip-link check enable
[FW]ip-link name ISP_A
[FW-iplink-ISP_A]destination 1.1.1.1 interface GigabitEthernet 1/0/0
[FW-iplink-ISP_A]quit
[FW]ip-link name ISP_B
[FW-iplink-ISP_B]destination 2.2.2.1 interface GigabitEthernet 1/0/1
[FW-iplink-ISP_B]quit
Each probe targets the ISP's first-hop router, so it detects a failed access link but not an outage further inside the ISP; probe an address beyond the first hop if that matters.
e) Create the policy-based routes ISP_A and ISP_B: packets received from the Trust zone that belong to vlan200 (10.1.2.0/24) are sent to next hop 1.1.1.1, and packets received from the Trust zone that belong to vlan300 (10.1.3.0/24) are sent to next hop 2.2.2.1. Each rule tracks its IP-Link, so when the probe fails the rule stops applying and those packets are forwarded by the routing table instead.
[FW]policy-based-route
[FW-policy-pbr]rule name ISP_A
[FW-policy-pbr-rule-ISP_A]source-zone trust
[FW-policy-pbr-rule-ISP_A]source-address 10.1.2.0 24
[FW-policy-pbr-rule-ISP_A]track ip-link ISP_A
[FW-policy-pbr-rule-ISP_A]action pbr next-hop 1.1.1.1
[FW-policy-pbr-rule-ISP_A]quit
[FW-policy-pbr]rule name ISP_B
[FW-policy-pbr-rule-ISP_B]source-zone trust
[FW-policy-pbr-rule-ISP_B]source-address 10.1.3.0 24
[FW-policy-pbr-rule-ISP_B]track ip-link ISP_B
[FW-policy-pbr-rule-ISP_B]action pbr next-hop 2.2.2.1
[FW-policy-pbr-rule-ISP_B]quit
[FW-policy-pbr]quit
These rules match on source address only. Inter-VLAN traffic is normally routed by the internal device and never reaches the FW, but any Trust-sourced packet the FW does see with an internal destination would also match here and be pushed towards the ISP; if that can happen in your topology, put a rule for internal destinations in front of these two.
f) Configure OSPF
[FW]ospf 1 router-id 10.10.10.1
[FW-ospf-1]area 0
[FW-ospf-1-area-0.0.0.0]network 10.10.10.1 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[FW-ospf-1-area-0.0.0.0]quit
[FW-ospf-1]quit
The FW learns the routes to 10.1.2.0/24 and 10.1.3.0/24 from its OSPF neighbour on 10.1.1.0/24. No default route is shown on this page; without one, traffic whose PBR rule has been withdrawn by IP-Link has no route to the Internet, so add default routes via both ISPs (preferably tracked by the same IP-Links) if failover is required.
g) Configure NAT
[FW]nat-policy
[FW-policy-nat]rule name policy_nat1
[FW-policy-nat-rule-policy_nat1]source-zone trust
[FW-policy-nat-rule-policy_nat1]destination-zone untrust
[FW-policy-nat-rule-policy_nat1]source-address 10.1.1.0 24
[FW-policy-nat-rule-policy_nat1]source-address 10.1.2.0 24
[FW-policy-nat-rule-policy_nat1]source-address 10.1.3.0 24
[FW-policy-nat-rule-policy_nat1]action source-nat easy-ip
[FW-policy-nat-rule-policy_nat1]quit
[FW-policy-nat]quit
easy-ip translates the source to the address of whichever interface the packet actually leaves on (1.1.1.2 via ISP-A, 2.2.2.2 via ISP-B), so one NAT rule serves both links and the translated address always belongs to the ISP that carries the packet.
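To see what the rule ordering above actually does to a packet, here is a small Python model of the FW's decision for traffic arriving from the Trust side. It is an added example written for this page, not Huawei code and not a real forwarding engine. It reproduces the interfaces, PBR rules and easy-ip NAT from steps a), e) and g) under these assumptions: PBR is evaluated before the routing table; a rule whose tracked IP-Link is down is skipped and matching continues with the next rule; `10.1.1.2` is the internal OSPF router; the default route via ISP-B and the `no-pbr` action used by the extra KEEP_INTERNAL rule are not on the page.

```python
"""Model of the forwarding decision the FW above makes for one packet from
the Trust side.  Added illustration, not Huawei code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class PbrRule:
    name: str
    source_zone: str
    source_addresses: List[ipaddress.IPv4Network]
    next_hop: Optional[str]                 # None models "action no-pbr" (assumed keyword)
    track: Optional[str] = None             # name of the IP-Link the rule tracks
    destination_addresses: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty = any

    def matches(self, zone, src, dst):
        return (zone == self.source_zone
                and any(src in n for n in self.source_addresses)
                and (not self.destination_addresses
                     or any(dst in n for n in self.destination_addresses)))


# Step a): (interface, subnet, own address, zone)
INTERFACES = [("g1/0/0", NET("1.1.1.0/29"), IP("1.1.1.2"), "untrust"),
              ("g1/0/1", NET("2.2.2.0/29"), IP("2.2.2.2"), "untrust"),
              ("g1/0/6", NET("10.1.1.0/24"), IP("10.1.1.1"), "trust")]

# Step e): the two rules as on the page (vlan200 = 10.1.2.0/24, vlan300 = 10.1.3.0/24)
PBR_RULES = [PbrRule("ISP_A", "trust", [NET("10.1.2.0/24")], "1.1.1.1", track="ISP_A"),
             PbrRule("ISP_B", "trust", [NET("10.1.3.0/24")], "2.2.2.1", track="ISP_B")]

# Routing table as (network, next hop); None = directly connected.  The internal routes are
# what OSPF in step f) would learn (10.1.1.2 is an assumed internal router); the default
# route via ISP-B is an assumption, the page configures no default route at all.
ROUTING_TABLE = [(NET("10.1.1.0/24"), None), (NET("10.1.2.0/24"), "10.1.1.2"),
                 (NET("10.1.3.0/24"), "10.1.1.2"), (NET("0.0.0.0/0"), "2.2.2.1")]

INTERNAL = [NET("10.1.1.0/24"), NET("10.1.2.0/24"), NET("10.1.3.0/24")]   # step g) sources


def route_lookup(table, dst):
    """Longest-prefix match; returns the next hop (None = connected) or raises if no route."""
    candidates = [e for e in table if dst in e[0]]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda e: e[0].prefixlen)[1]


def choose_next_hop(pbr_rules, link_up, table, zone, src, dst):
    """PBR is consulted before the routing table; the first valid matching rule wins."""
    for r in pbr_rules:
        if r.track and not link_up.get(r.track, False):
            continue        # tracked IP-Link down: rule is invalid, matching continues (assumed)
        if r.matches(zone, src, dst):
            if r.next_hop is None:
                break       # no-pbr: leave PBR and use the routing table
            return r.name, r.next_hop
    return "routing-table", route_lookup(table, dst)


def egress_interface(gateway):
    """The interface whose subnet holds the gateway; easy-ip NAT uses its address."""
    for name, net, addr, zone in INTERFACES:
        if gateway in net:
            return name, addr, zone
    raise LookupError(f"{gateway} is not on any interface")


def forward(src, dst, link_up=None, pbr_rules=PBR_RULES):
    """Return (matched rule, next hop, egress interface, source address after NAT)."""
    link_up = {"ISP_A": True, "ISP_B": True} if link_up is None else link_up
    src, dst = IP(src), IP(dst)
    rule, nh = choose_next_hop(pbr_rules, link_up, ROUTING_TABLE, "trust", src, dst)
    gateway = IP(nh) if nh else dst                 # connected route: deliver to dst directly
    name, addr, zone = egress_interface(gateway)
    # Step g): policy_nat1 rewrites the source only when the packet leaves towards Untrust.
    nat_src = addr if zone == "untrust" and any(src in n for n in INTERNAL) else src
    return rule, str(gateway), name, str(nat_src)


# A rule to place in front of ISP_A/ISP_B so that Trust traffic for internal destinations
# keeps following the routing table instead of being pushed out to ISP-A (assumed no-pbr).
KEEP_INTERNAL = PbrRule("KEEP_INTERNAL", "trust", INTERNAL, None,
                        destination_addresses=[NET("10.1.0.0/16")])

if __name__ == "__main__":
    print(forward("10.1.2.10", "5.5.5.5"))                                  # via ISP_A
    print(forward("10.1.3.10", "5.5.5.5"))                                  # via ISP_B
    print(forward("10.1.2.10", "5.5.5.5", {"ISP_A": False, "ISP_B": True}))  # rule withdrawn
    print(forward("10.1.2.10", "10.1.3.10"))                                # page's rules
    print(forward("10.1.2.10", "10.1.3.10", pbr_rules=[KEEP_INTERNAL] + PBR_RULES))
```

forward() returns the matched rule, the next hop, the egress interface and the source address after NAT. The third call shows the IP-Link track in action: with ISP_A down the vlan200 packet skips its rule and only reaches the Internet because the (assumed) default route exists. The last two calls show the source-only match: with the page's rules a Trust packet for 10.1.3.10 is sent to 1.1.1.1 and translated to 1.1.1.2, while with KEEP_INTERNAL in front it follows the OSPF route back to 10.1.1.2 untranslated.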
- Verification
a) PC1 and PC2 can ping the Internet host 5.5.5.5
PC1 pings 5.5.5.5 successfully
PC2 pings 5.5.5.5 successfully
b) PC1's traffic goes out via the ISP_A carrier
A traceroute from PC1 shows the ISP_A path (1.1.1.1 as the hop after the FW)
c) PC2's traffic goes out via the ISP_B carrier
A traceroute from PC2 shows the ISP_B path (2.2.2.1 as the hop after the FW)