6.3 Firewall Multi-Exit Path Selection


1. Active/standby firewall architecture configuration

1) FW1 multi-exit path selection: basic configuration
(1) Zone configuration
firewall zone trust
 add interface GigabitEthernet1/0/0

firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2

(2) Configure routes to the internal network
ip route-static 192.168.1.0 24 GigabitEthernet 1/0/0 10.1.11.2
ip route-static 192.168.2.0 24 GigabitEthernet 1/0/0 10.1.11.2

(3) Configure the security policy
security-policy
 rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  action permit

(4) Configure default routes to the external network (the ISP 2 route is given preference 100 so that it only takes over as a backup)
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1 88.8.1.1
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/2 99.9.1.1 preference 100

(5) Configure the NAT policy
nat-policy
 rule name internal_nat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  action source-nat easy-ip

2) Firewall link health detection configuration. The firewall does not support one-arm BFD echo, so the peer device would also have to run BFD; NQA tracking is used instead.
(1) NQA configuration
nqa test-instance isp01 ping
 test-type icmp
 destination-address ipv4 88.8.1.1
 frequency 10
 interval seconds 1
 timeout 1
 probe-count 5
 start now

(2) Configure a local-to-untrust security policy (so the firewall's own NQA probes are allowed out)
security-policy
 rule name l_2_un
  source-zone local
  destination-zone untrust
  action permit

(3) Bind the default route to the NQA test instance
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1 88.8.1.1 track nqa isp01 ping
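
The policy blocks above are easy to get subtly wrong: a network permitted trust-to-untrust but left out of the NAT rule leaves the firewall with a private source address, and without the local-to-untrust rule the NQA probes never reach the ISP gateway and the tracked route is withdrawn. The following script is an added example, not configuration or code from the page: it parses VRP-style indented policy text and runs those two checks. The configuration string it reads is constructed here to mirror the page's security-policy and nat-policy, and the variant with a missing NAT entry is constructed to show a failing check.

```python
"""Added example (not from the page): parse the VRP-style security-policy and
nat-policy blocks and check two things a reviewer would look for in this design:
every network permitted trust->untrust is also covered by the source-NAT rule,
and a local->untrust permit rule exists so the firewall's own NQA probes can leave.
The configuration text below is constructed to mirror the page's policies."""
import ipaddress
from typing import Dict, List

Rule = Dict[str, List[str]]

# Constructed input: the page's two policy blocks, re-typed as a string.
SAMPLE_CONFIG = """\
security-policy
 rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name l_2_un
  source-zone local
  destination-zone untrust
  action permit
nat-policy
 rule name internal_nat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  action source-nat easy-ip
"""

# Constructed variant: the second internal network is missing from the NAT rule.
SAMPLE_CONFIG_MISSING_NAT = SAMPLE_CONFIG.replace(
    "  source-address 192.168.2.0 mask 255.255.255.0\n  action source-nat easy-ip",
    "  action source-nat easy-ip",
)


def parse_rules(config: str) -> Dict[str, List[Rule]]:
    """Return {policy_block: [rule, ...]}; each rule maps a keyword such as
    'source-zone' to the list of values seen under it. Indentation carries the
    structure: 0 spaces = policy block, 1 = 'rule name X', 2+ = rule attributes."""
    policies: Dict[str, List[Rule]] = {}
    block = None
    rule: Rule = {}
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            block = line
            policies[block] = []
            rule = {}
        elif indent == 1 and line.startswith("rule name ") and block is not None:
            rule = {"name": [line.split(" ", 2)[2]]}
            policies[block].append(rule)
        elif indent >= 2 and rule:
            key, _, value = line.partition(" ")
            rule.setdefault(key, []).append(value)
    return policies


def to_network(spec: str) -> ipaddress.IPv4Network:
    """'192.168.1.0 mask 255.255.255.0' -> IPv4Network('192.168.1.0/24')."""
    addr, _, mask = spec.partition(" mask ")
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _matches(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    return src_zone in rule.get("source-zone", []) and dst_zone in rule.get("destination-zone", [])


def lint_policies(config: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    policies = parse_rules(config)
    security = policies.get("security-policy", [])
    nat = policies.get("nat-policy", [])
    findings: List[str] = []

    permitted = [to_network(a) for r in security
                 if _matches(r, "trust", "untrust") and r.get("action") == ["permit"]
                 for a in r.get("source-address", [])]
    natted = [to_network(a) for r in nat
              if _matches(r, "trust", "untrust")
              for a in r.get("source-address", [])]
    for net in permitted:
        if not any(net.subnet_of(n) for n in natted):
            findings.append(f"{net} is permitted trust->untrust but not covered by "
                            "nat-policy: its traffic would leave with a private source address")

    if not any(_matches(r, "local", "untrust") and r.get("action") == ["permit"] for r in security):
        findings.append("no local->untrust permit rule: the firewall's own NQA probes "
                        "to the ISP gateways would be dropped")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_CONFIG), ("missing NAT entry", SAMPLE_CONFIG_MISSING_NAT)):
        print(label, "->", lint_policies(cfg) or "OK")
```

Running the script against the page's own policies produces no findings; the constructed variant reports 192.168.2.0/24 as permitted but not NATed. The parser relies only on the one-space and two-space indentation VRP uses when displaying these blocks, so it can be pointed at a saved `display current-configuration` excerpt of the same shape.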

2. Firewall load balancing configuration (route-based load balancing)

(1) Configure the NQA test instance isp02 ping
nqa test-instance isp02 ping
 test-type icmp
 destination-address ipv4 99.9.1.1
 frequency 10
 interval seconds 1
 timeout 1
 probe-count 5
 start now

(2) Default route configuration (restore the default route towards ISP 2 to preference 60 and bind it to NQA, so that both default routes are installed with equal preference)
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 99.9.1.1 track nqa isp02 ping
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 88.8.1.1 track nqa isp01 ping
ip route-static 192.168.1.0 255.255.255.0 GigabitEthernet1/0/0 10.1.11.2
ip route-static 192.168.2.0 255.255.255.0 GigabitEthernet1/0/0 10.1.11.2
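
The difference between section 1 (active/standby) and section 2 (load balancing) comes down to two things: the preference of the ISP 2 default route and whether each route is tied to an NQA instance. The model below is an added example, not firewall code or text from the page: it reproduces how a routing table withdraws a static route whose tracked NQA instance is down, keeps the lowest-preference survivor, and load-shares equal-preference survivors. The two route sets mirror the page's configurations; the NQA verdicts and probe results are constructed, and the probe-to-verdict reduction is a stated simplification rather than VRP's exact threshold handling.

```python
"""Added example (not from the page): a small model of how a VRP-style routing
table chooses among several static default routes when each is tied to an NQA
test instance with `track nqa`. A route whose tracked instance is down is
withdrawn; among the rest the lowest preference wins and equal preferences
load-share. The two route sets below mirror the page's active/standby and
load-balancing configurations; NQA states are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    out_if: str
    next_hop: str
    preference: int = 60              # VRP default preference for static routes
    track_nqa: Optional[str] = None   # "admin-name test-name", e.g. "isp01 ping"


# Section 1: ISP 1 preferred and tracked; ISP 2 floats at preference 100, untracked.
ACTIVE_STANDBY = [
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/1", "88.8.1.1", 60, "isp01 ping"),
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/2", "99.9.1.1", 100),
]

# Section 2: both defaults at the default preference 60, each tracked by its own NQA.
LOAD_BALANCE = [
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/1", "88.8.1.1", 60, "isp01 ping"),
    StaticRoute("0.0.0.0/0", "GigabitEthernet1/0/2", "99.9.1.1", 60, "isp02 ping"),
]


def nqa_round_up(probe_replies: Sequence[bool]) -> bool:
    """Reduce one NQA test round (probe-count replies, True = echo answered) to an
    up/down verdict. Assumption, not taken from the page: the instance is treated
    as down only when every probe in the round is lost, so a single lost probe
    does not flap the route."""
    return any(probe_replies)


def active_routes(routes: Sequence[StaticRoute], nqa_state: Dict[str, bool],
                  prefix: str = "0.0.0.0/0") -> List[StaticRoute]:
    """Routes for `prefix` that stay installed given the NQA verdicts.
    A tracked route with no recorded verdict is treated as down."""
    installed = [r for r in routes if r.prefix == prefix
                 and (r.track_nqa is None or nqa_state.get(r.track_nqa, False))]
    if not installed:
        return []
    best = min(r.preference for r in installed)
    return [r for r in installed if r.preference == best]


def next_hops(routes: Sequence[StaticRoute], nqa_state: Dict[str, bool]) -> List[str]:
    """Sorted next-hop addresses that traffic to 0.0.0.0/0 is forwarded to."""
    return sorted(r.next_hop for r in active_routes(routes, nqa_state))


if __name__ == "__main__":
    isp01_down = {"isp01 ping": nqa_round_up([False] * 5), "isp02 ping": True}
    print("active/standby, ISP1 down:", next_hops(ACTIVE_STANDBY, isp01_down))
    print("load balance, both up:   ", next_hops(LOAD_BALANCE, {"isp01 ping": True, "isp02 ping": True}))
```

Two points the model makes visible. In the section 1 route set the ISP 2 route is not tracked, so the firewall keeps forwarding to 99.9.1.1 once ISP 1 fails even if ISP 2 is also down; section 2 closes that gap by tracking both routes. In both sections the probe target is the directly connected ISP gateway, so an outage further upstream in the ISP is not detected by these NQA instances.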