配置基于源地址的策略路由

操作步骤

1. 配置接口IP地址和安全区域，完成网络基本参数配置。 

   [FW] interface GigabitEthernet 1/0/2
   [FW-GigabitEthernet1/0/2] ip address 10.10.1.1 255.255.255.0
   [FW-GigabitEthernet1/0/2] quit
   [FW] interface GigabitEthernet 1/0/3
   [FW-GigabitEthernet1/0/3] ip address 10.1.1.1 255.255.255.0
   [FW-GigabitEthernet1/0/3] ip address 10.1.2.1 255.255.255.0 sub
   [FW-GigabitEthernet1/0/3] quit
   [FW] interface GigabitEthernet 1/0/4
   [FW-GigabitEthernet1/0/4] ip address 10.20.1.1 255.255.255.0
   [FW-GigabitEthernet1/0/4] quit
   [FW] firewall zone trust
   [FW-zone-trust] add interface GigabitEthernet 1/0/3
   [FW-zone-trust] quit
   [FW] firewall zone untrust
   [FW-zone-untrust] add interface GigabitEthernet 1/0/2
   [FW-zone-untrust] add interface GigabitEthernet 1/0/4
   [FW-zone-untrust] quit

    

2. 配置IP-Link功能，检测链路状态。 

   [FW] ip-link check enable
   [FW] ip-link name pbr_1
   [FW-iplink-pbr_1] destination 10.10.1.2 interface GigabitEthernet 1/0/2
   [FW-iplink-pbr_1] quit
   [FW] ip-link name pbr_2
   [FW-iplink-pbr_2] destination 10.20.1.2 interface GigabitEthernet 1/0/4
   [FW-iplink-pbr_2] quit

    

3. 配置安全策略。 
   # 配置Trust区域和Untrust区域之间的安全策略，允许企业内网用户访问外网资源。假设内部用户网段为10.1.1.0/24和10.1.2.0/24。

   [FW] security-policy
   [FW-policy-security] rule name policy_sec_trust_untrust
   [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
   [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
   [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.1.0 24
   [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.2.0 24
   [FW-policy-security-rule-policy_sec_trust_untrust] action permit
   [FW-policy-security-rule-policy_sec_trust_untrust] quit

   # 配置安全策略，允许FW发送IP-Link探测报文。

   

   对于V500R001C80之前的版本，IP-Link探测报文受安全策略控制，需要在Local区域与报文出接口所在安全区域之间配置安全策略，允许FW发送IP-Link探测报文。对于V500R001C80及之后的版本，IP-Link探测报文不受安全策略控制，默认被放行，无需配置安全策略。

   [FW-policy-security] rule name ip_link
   [FW-policy-security-rule-ip_link] source-zone local
   
   [FW-policy-security-rule-ip_link] destination-zone untrust
   [FW-policy-security-rule-ip_link] action permit
   [FW-policy-security-rule-ip_link] quit
   [FW-policy-security] quit

    

4. 创建策略路由“pbr_1”和“pbr_2”，从Trust区域接收的属于市场部的报文发送到下一跳10.10.1.2，从Trust区域接收的属于研发部的报文发送到下一跳10.20.1.2。 

   [FW] policy-based-route
   [FW-policy-pbr] rule name pbr_1
   [FW-policy-pbr-rule-pbr_1] description pbr_1
   [FW-policy-pbr-rule-pbr_1] source-zone trust
   [FW-policy-pbr-rule-pbr_1] source-address 10.1.1.0 24
   [FW-policy-pbr-rule-pbr_1] track ip-link pbr_1
   [FW-policy-pbr-rule-pbr_1] action pbr next-hop 10.10.1.2
   [FW-policy-pbr-rule-pbr_1] quit
   [FW-policy-pbr] rule name pbr_2
   [FW-policy-pbr-rule-pbr_2] description pbr_2
   [FW-policy-pbr-rule-pbr_2] source-zone trust
   [FW-policy-pbr-rule-pbr_2] source-address 10.1.2.0 24
   [FW-policy-pbr-rule-pbr_2] track ip-link pbr_2
   [FW-policy-pbr-rule-pbr_2] action pbr next-hop 10.20.1.2
   [FW-policy-pbr-rule-pbr_2] quit
   [FW-policy-pbr] quit