配置流量根据链路优先级负载分担
通过配置根据链路优先级负载分担,FW可以在主接口链路故障或过载时,使用备份接口链路转发流量,提高传输的可靠性。
配置思路
由于企业希望优先使用ISP1链路,所以智能选路方式可以设置为根据链路优先级主备备份,并指定ISP1链路的优先级为2,ISP2链路的优先级为1。为了使ISP2链路平时的状态为DOWN,传输流量时状态才变为UP,需要配置备份接口自动关闭功能。为了保证链路故障或过载时,FW可以使用其他链路转发流量,还需要配置健康检查功能和链路过载保护功能。
- 可选:配置健康检查功能,分别为ISP1和ISP2链路配置健康检查。
-
配置全局选路策略。配置智能选路方式为根据链路优先级主备备份,指定FW和ISP1、ISP2网络直连的出接口作为智能选路成员接口,并为接口设置优先级。开启备份接口自动关闭功能。
本例着重介绍智能选路相关的配置,其余配置如NAT请根据实际组网进行配置。
操作步骤
- 可选:开启健康检查功能,并为ISP1和ISP2链路分别新建一个健康检查。假设ISP1网络的目的地址网段为3.3.10.0/24,ISP2网络的目的地址网段为9.9.20.0/24。
<FW> system-view [FW] healthcheck enable [FW] healthcheck name isp1_health [FW-healthcheck-isp1_health] destination 3.3.10.10 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 10001 [FW-healthcheck-isp1_health] destination 3.3.10.11 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 10002 [FW-healthcheck-isp1_health] quit [FW] healthcheck name isp2_health [FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet 1/0/7 protocol tcp-simple destination-port 10003 [FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet 1/0/7 protocol tcp-simple destination-port 10004 [FW-healthcheck-isp2_health] quit
此处假设3.3.10.10、3.3.10.11和9.9.20.20、9.9.20.21分别为ISP1和ISP2网络中已知的设备地址。
如果健康检查配置完后,状态一直为down,请检查健康检查的配置。
对于V500R001C80之前的版本,需要在FW上配置对应的安全策略,允许FW向目的设备发送健康检查探测报文。对于V500R001C80及之后的版本,健康检查的探测报文不受安全策略控制,默认放行,无需配置相应安全策略。
- 配置接口的IP地址和网关地址,配置接口所在链路的带宽和过载保护阈值,并应用对应的健康检查。
[FW] interface GigabitEthernet 1/0/1 [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0 [FW-GigabitEthernet1/0/1] gateway 1.1.1.254 [FW-GigabitEthernet1/0/1] bandwidth ingress 50000 threshold 90 [FW-GigabitEthernet1/0/1] bandwidth egress 50000 threshold 90 [FW-GigabitEthernet1/0/1] healthcheck isp1_health [FW-GigabitEthernet1/0/1] quit [FW] interface GigabitEthernet 1/0/3 [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0 [FW-GigabitEthernet1/0/3] quit [FW] interface GigabitEthernet 1/0/7 [FW-GigabitEthernet1/0/7] ip address 2.2.2.2 255.255.255.0 [FW-GigabitEthernet1/0/7] gateway 2.2.2.254 [FW-GigabitEthernet1/0/7] bandwidth ingress 10000 threshold 90 [FW-GigabitEthernet1/0/7] bandwidth egress 10000 threshold 90 [FW-GigabitEthernet1/0/7] healthcheck isp2_health [FW-GigabitEthernet1/0/7] quit
- 配置全局选路策略,流量根据链路优先级负载分担。
[FW] multi-interface [FW-multi-inter] mode priority-of-userdefine [FW-multi-inter] standby-interface status down [FW-multi-inter] add interface GigabitEthernet1/0/1 priority 2 [FW-multi-inter] add interface GigabitEthernet1/0/7 [FW-multi-inter] quit
- 将接口加入安全区域。
[FW] firewall zone trust [FW-zone-trust] add interface GigabitEthernet 1/0/3 [FW-zone-trust] quit [FW] firewall zone untrust [FW-zone-untrust] add interface GigabitEthernet 1/0/1 [FW-zone-untrust] add interface GigabitEthernet 1/0/7 [FW-zone-untrust] quit
- 配置Local到Untrust区域的安全策略,允许FW向目的设备发送相应的健康检查探测报文。
对于V500R001C80之前的版本,需要在FW上配置对应的安全策略,允许FW向目的设备发送健康检查探测报文。对于V500R001C80及之后的版本,健康检查的探测报文不受安全策略控制,默认放行,无需配置相应安全策略。
[FW] security-policy [FW-policy-security] rule name policy_sec_local_untrust [FW-policy-security-rule-policy_sec_local_untrust] source-zone local [FW-policy-security-rule-policy_sec_local_untrust] destination-zone untrust [FW-policy-security-rule-policy_sec_local_untrust] destination-address 3.3.10.10 32 [FW-policy-security-rule-policy_sec_local_untrust] destination-address 3.3.10.11 32 [FW-policy-security-rule-policy_sec_local_untrust] destination-address 9.9.20.20 32 [FW-policy-security-rule-policy_sec_local_untrust] destination-address 9.9.20.21 32 [FW-policy-security-rule-policy_sec_local_untrust] service tcp [FW-policy-security-rule-policy_sec_local_untrust] action permit [FW-policy-security-rule-policy_sec_local_untrust] quit
- 配置Trust到Untrust区域的安全策略,允许企业内网用户访问外网资源。假设内部用户网段为10.3.0.0/24。
[FW-policy-security] rule name policy_sec_trust_untrust [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24 [FW-policy-security-rule-policy_sec_trust_untrust] action permit [FW-policy-security-rule-policy_sec_trust_untrust] quit [FW-policy-security] quit
配置脚本
# healthcheck enable healthcheck name isp1_health destination 3.3.10.10 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 10001 destination 3.3.10.11 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 10002 healthcheck name isp2_health destination 9.9.20.20 interface GigabitEthernet1/0/7 protocol tcp-simple destination-port 10003 destination 9.9.20.21 interface GigabitEthernet1/0/7 protocol tcp-simple destination-port 10004 # interface GigabitEthernet1/0/1 ip address 1.1.1.1 255.255.255.0 gateway 1.1.1.254 bandwidth ingress 50000 threshold 90 bandwidth egress 50000 threshold 90 healthcheck isp1_health # interface GigabitEthernet1/0/3 ip address 10.3.0.1 255.255.255.0 # interface GigabitEthernet1/0/7 ip address 2.2.2.2 255.255.255.0 gateway 2.2.2.254 bandwidth ingress 10000 threshold 90 bandwidth egress 10000 threshold 90 healthcheck isp2_health # firewall zone trust set priority 85 add interface GigabitEthernet1/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/7 # multi-interface mode priority-of-userdefine standby-interface status down add interface GigabitEthernet1/0/1 priority 2 add interface GigabitEthernet1/0/7 # security-policy rule name policy_sec_local_untrust source-zone local destination-zone untrust destination-address 3.3.10.10 mask 255.255.255.255 destination-address 3.3.10.11 mask 255.255.255.255 destination-address 9.9.20.20 mask 255.255.255.255 destination-address 9.9.20.21 mask 255.255.255.255 service tcp action permit rule name policy_sec_trust_untrust source-zone trust destination-zone untrust source-address 10.3.0.0 mask 255.255.255.0 action permit # return
阅读剩余
版权声明:
作者:SE_YT
链接:https://www.cnesa.cn/9301.html
文章版权归作者所有,未经允许请勿转载。
THE END
