1. Firewall active/standby architecture configuration
1) FW1 multi-egress route selection: basic configuration
(1) Zone configuration
firewall zone trust
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
(2) Configure routes to the internal networks
ip route-static 192.168.1.0 24 GigabitEthernet 1/0/0 10.1.11.2
ip route-static 192.168.2.0 24 GigabitEthernet 1/0/0 10.1.11.2
(3) Configure the security policy
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
action permit
(4) Configure routes to the external networks
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1 88.8.1.1
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/2 99.9.1.1 preference 100
(5) Configure the NAT policy
nat-policy
rule name internal_nat
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
action source-nat easy-ip
2) Firewall link-state detection configuration. The firewall does not support BFD one-arm echo, so BFD would also have to be configured on the peer device.
(1) NQA configuration
nqa test-instance isp01 ping
test-type icmp
destination-address ipv4 88.8.1.1
frequency 10
interval seconds 1
timeout 1
probe-count 5
start now
(2) Configure the local-to-untrust security policy (the NQA probes are sourced from the firewall's own local zone)
security-policy
rule name l_2_un
source-zone local
destination-zone untrust
action permit
(3) Bind the route to the NQA test
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1 88.8.1.1 track nqa isp01 ping
2. Firewall load-balancing configuration (route-based load balancing)
(1) Configure NQA test instance isp02 ping
nqa test-instance isp02 ping
test-type icmp
destination-address ipv4 99.9.1.1
frequency 10
interval seconds 1
timeout 1
probe-count 5
start now
(2) Default route configuration (restore the default route via ISP 2 to preference 60 and bind it to NQA)
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 99.9.1.1 track nqa isp02 ping
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 88.8.1.1 track nqa isp01 ping
ip route-static 192.168.1.0 255.255.255.0 GigabitEthernet1/0/0 10.1.11.2
ip route-static 192.168.2.0 255.255.255.0 GigabitEthernet1/0/0 10.1.11.2
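The route selection behind both designs above (the active/standby setup of section 1 and the route-based load balancing of section 2), modelled as an added Python example that is not part of the original post or of Huawei's software: it parses ip route-static, nqa test-instance and policy rule lines written in the style used above, withdraws any route whose NQA test is failing, installs the surviving default route(s) with the lowest preference, and lints the config for the slips that silently break failover (a tracked NQA instance that is missing or never started, and no local-to-untrust rule for the firewall-sourced probes). The two embedded configs are constructed from the page's sections; the static-route default preference of 60 and load sharing between equal-preference routes are real VRP behaviour, while the probe results passed to active_default_routes are assumed inputs standing in for the live NQA test results.

```python
# Added example (not the page's own config or code): VRP default-route selection with NQA tracking.
import ipaddress
import re
from collections import namedtuple

STATIC_DEFAULT_PREFERENCE = 60  # VRP default preference of a static route
ROUTE_RE = re.compile(
    r"ip route-static\s+(\S+)\s+(\S+)\s+(GigabitEthernet\s*\S+)\s+(\d+(?:\.\d+){3})"
    r"(?:\s+preference\s+(\d+))?(?:\s+track\s+nqa\s+(\S+)\s+(\S+))?$")
NQA_RE = re.compile(r"nqa test-instance\s+(\S+)\s+(\S+)$")
StaticRoute = namedtuple("StaticRoute", "prefix interface next_hop preference track")  # track: "admin test" or None

def parse_static_routes(config_text):
    """Accepts 'GigabitEthernet 1/0/1' or 'GigabitEthernet1/0/1', and a prefix length or dotted mask."""
    routes = []
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dest, mask, iface, nh, pref, adm, test = m.groups()
            routes.append(StaticRoute(
                prefix=ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                interface=iface.replace(" ", ""), next_hop=nh,
                preference=int(pref) if pref else STATIC_DEFAULT_PREFERENCE,
                track=f"{adm} {test}" if adm else None))
    return routes

def parse_nqa_instances(config_text):
    """Map 'admin test' -> True if that NQA test instance is started ('start now')."""
    instances, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NQA_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            instances[current] = False
        elif current and line == "start now":
            instances[current] = True
    return instances

def permits_local_to_untrust(config_text):
    """True if a policy rule permits local -> untrust.  The ICMP probes are sourced
    by the firewall itself, so without this rule every tracked route is withdrawn."""
    rules, rule = [], {}
    for raw in config_text.splitlines():
        key, _, value = raw.strip().partition(" ")
        if key == "rule":  # 'rule name X' opens a new rule body
            rule = {}
            rules.append(rule)
        elif key in ("source-zone", "destination-zone", "action"):
            rule[key] = value  # only security-policy rules carry 'action permit'
    return any(r.get("source-zone") == "local" and r.get("destination-zone") == "untrust"
               and r.get("action") == "permit" for r in rules)

def active_default_routes(routes, nqa_state):
    """nqa_state: 'admin test' -> True (probe OK) / False.  A tracked route is withdrawn
    when its test fails; of the rest only the lowest-preference default routes are
    installed, and equal-preference survivors share load."""
    default = ipaddress.IPv4Network("0.0.0.0/0")
    alive = [r for r in routes if r.prefix == default
             and (r.track is None or nqa_state.get(r.track, False))]
    best = min((r.preference for r in alive), default=None)
    return [r for r in alive if r.preference == best]

def lint(config_text):
    """Findings a reviewer would raise before trusting the failover design."""
    nqa, findings = parse_nqa_instances(config_text), []
    for r in parse_static_routes(config_text):
        if r.track and r.track not in nqa:
            findings.append(f"route via {r.next_hop} tracks unknown NQA instance '{r.track}'")
        elif r.track and not nqa[r.track]:
            findings.append(f"NQA instance '{r.track}' is never started ('start now' missing)")
    if not permits_local_to_untrust(config_text):
        findings.append("no security-policy rule permits local -> untrust; NQA probes will be dropped")
    return findings

# Constructed from section 1: ISP1 route tracked; ISP2 route untracked at preference 100.
ACTIVE_STANDBY = """\
nqa test-instance isp01 ping
test-type icmp
destination-address ipv4 88.8.1.1
start now
security-policy
rule name l_2_un
source-zone local
destination-zone untrust
action permit
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1 88.8.1.1 track nqa isp01 ping
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/2 99.9.1.1 preference 100
"""
# Constructed from section 2: both routes at default preference 60, each tracked by its own NQA test.
LOAD_BALANCE = ACTIVE_STANDBY.replace(
    "GigabitEthernet 1/0/2 99.9.1.1 preference 100", "GigabitEthernet1/0/2 99.9.1.1 track nqa isp02 ping"
) + "nqa test-instance isp02 ping\ntest-type icmp\ndestination-address ipv4 99.9.1.1\nstart now\n"

if __name__ == "__main__":
    for name, cfg in (("active/standby", ACTIVE_STANDBY), ("load balancing", LOAD_BALANCE)):
        print(name, "| lint:", lint(cfg) or "clean")
        for state in ({"isp01 ping": True, "isp02 ping": True}, {"isp01 ping": False, "isp02 ping": True}):
            print("  ", state, "->", [r.interface for r in active_default_routes(parse_static_routes(cfg), state)])
```

Running the file prints, for each design, the lint findings and the installed default route(s) with both ISPs up and with ISP 1 down. The active/standby run also shows the caveat in section 1's design: the preference-100 route via GigabitEthernet1/0/2 is untracked, so the firewall keeps it even when ISP 2 is unreachable; section 2 tracks both routes, which is why it puts both back at preference 60.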