Dual-Device Active/Standby with Three-Uplink Intelligent Routing

Published: 2016-11-11  Views: 188  Downloads: 9

Problem description

A school has three uplink links: China Telecom, China Mobile and the education network (CERNET). Our firewalls are two USG9560 running V500R002C30. How do we implement active/standby dual-device operation with intelligent routing across the three uplinks? The topology below was drawn with eNSP; because the customer's IP addressing is confidential, I re-planned the IP addresses for this example.


10GE switch configuration:

vlan batch 10 to 30
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 to 30
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 to 30
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 30
#

USG9560A configuration:

hrp enable
 hrp interface GigabitEthernet1/0/3 remote 1.1.1.2
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/1
 hrp track interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.31.100.2 255.255.255.0
 vrrp vrid 100 virtual-ip 172.31.100.1 active
 link-group 1
 service-manage ping permit
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 10.1.1.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.1.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 20.1.1.252 255.255.255.0
 vrrp vrid 20 virtual-ip 20.1.1.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/1.30
 vlan-type dot1q 30
 ip address 30.1.1.252 255.255.255.0
 vrrp vrid 30 virtual-ip 30.1.1.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.31.200.3 255.255.255.0
 vrrp vrid 200 virtual-ip 172.31.200.1 active
 link-group 1
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name jyw id 4
 set priority 10
 add interface GigabitEthernet1/0/1.10
#
firewall zone name cmcc id 5
 set priority 20
 add interface GigabitEthernet1/0/1.30
#
firewall zone name dx id 6
 set priority 30
 add interface GigabitEthernet1/0/1.20
#
ip route-static 192.168.60.0 255.255.255.0 172.31.100.254
ip route-static 192.168.70.0 255.255.255.0 172.31.200.254
#
nat address-group jyw 0
 mode pat
 section 0 10.1.1.2 10.1.1.10
#
nat address-group dx 1
 mode pat
 section 0 20.1.1.2 20.1.1.10
#
nat address-group cmcc 2
 mode pat
 section 0 30.1.1.2 30.1.1.10
#
security-policy
 rule name hrp
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  source-address 1.1.1.1 32
  source-address 1.1.1.2 32
  destination-address 1.1.1.1 32
  destination-address 1.1.1.2 32
  service protocol tcp destination-port 18514
  service protocol tcp source-port 49152
  action permit
 rule name jyw
  source-zone trust
  destination-zone jyw
  action permit
 rule name cmcc
  source-zone trust
  destination-zone cmcc
  action permit
 rule name dx
  source-zone trust
  destination-zone dx
  action permit
#
nat-policy
 rule name jyw
  source-zone trust
  destination-zone jyw
  action nat address-group jyw
 rule name dx
  source-zone trust
  destination-zone dx
  action nat address-group dx
 rule name cmcc
  source-zone trust
  destination-zone cmcc
  action nat address-group cmcc
#

USG9560B key configuration:

hrp enable
 hrp standby-device
 hrp interface GigabitEthernet1/0/3 remote 1.1.1.1
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/1
 hrp track interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.31.200.2 255.255.255.0
 vrrp vrid 200 virtual-ip 172.31.200.1 standby
 link-group 1
 service-manage ping permit
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 10.1.1.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.1.254 standby
 service-manage ping permit
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 20.1.1.253 255.255.255.0
 vrrp vrid 20 virtual-ip 20.1.1.254 standby
 service-manage ping permit
#
interface GigabitEthernet1/0/1.30
 vlan-type dot1q 30
 ip address 30.1.1.253 255.255.255.0
 vrrp vrid 30 virtual-ip 30.1.1.254 standby
 link-group 1
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name jyw id 4
 set priority 10
 add interface GigabitEthernet1/0/1.10
#
firewall zone name cmcc id 5
 set priority 20
 add interface GigabitEthernet1/0/1.30
#
firewall zone name dx id 6
 set priority 30
 add interface GigabitEthernet1/0/1.20
#
ip route-static 192.168.60.0 255.255.255.0 172.31.100.254
ip route-static 192.168.70.0 255.255.255.0 172.31.200.254
#
nat address-group jyw 0
 mode pat
 section 0 10.1.1.2 10.1.1.10
#
nat address-group dx 1
 mode pat
 section 0 20.1.1.2 20.1.1.10
#
nat address-group cmcc 2
 mode pat
 section 0 30.1.1.2 30.1.1.10
#
security-policy
 rule name hrp
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  source-address 1.1.1.1 32
  source-address 1.1.1.2 32
  destination-address 1.1.1.1 32
  destination-address 1.1.1.2 32
  service protocol tcp destination-port 18514
  service protocol tcp source-port 49152
  action permit
 rule name jyw
  source-zone trust
  destination-zone jyw
  action permit
 rule name cmcc
  source-zone trust
  destination-zone cmcc
  action permit
 rule name dx
  source-zone trust
  destination-zone dx
  action permit
#
nat-policy
 rule name jyw
  source-zone trust
  destination-zone jyw
  action nat address-group jyw
 rule name dx
  source-zone trust
  destination-zone dx
  action nat address-group dx
 rule name cmcc
  source-zone trust
  destination-zone cmcc
  action nat address-group cmcc
#

12708A key configuration:

vlan batch 60 100
#
interface Vlanif60
 ip address 192.168.60.1 255.255.255.0
#
interface Vlanif100
 ip address 172.31.100.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 60
#
ip route-static 0.0.0.0 0.0.0.0 172.31.100.1
#

12708B key configuration:

vlan batch 70 200
#
interface Vlanif70
 ip address 192.168.70.1 255.255.255.0
#
interface Vlanif200
 ip address 172.31.200.254 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 70
#
ip route-static 0.0.0.0 0.0.0.0 172.31.200.1
#
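Because HRP failover only works cleanly when the two firewalls mirror each other (same VRRP virtual IPs with opposite roles, distinct real addresses, identical NAT address pools), it is worth checking the pair mechanically before cutting over. The Python below is an added example, not code from the post or from Huawei: it parses the "interface ..." and "nat address-group ..." blocks of a Huawei-style listing (each block closed by a "#" line) for both devices and reports the mismatches that would break a failover. The sample listings CFG_A and CFG_B are constructed, trimmed copies of the A/B snippets above with the same addressing; CFG_B_BAD is a deliberately broken standby.

```python
"""Added example, not part of the post: consistency check for an HRP active/standby
pair, driven by the interface and NAT address-group blocks of a Huawei-style listing."""
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: str | None = None                                      # "addr mask"
    vrrp: dict[int, tuple[str, str]] = field(default_factory=dict)  # vrid -> (virtual-ip, role)


@dataclass
class NatGroup:
    name: str
    mode: str | None = None
    sections: list[str] = field(default_factory=list)


def parse_config(text: str) -> tuple[dict[str, Interface], dict[str, NatGroup]]:
    """Collect 'interface' and 'nat address-group' blocks; other commands are ignored."""
    interfaces: dict[str, Interface] = {}
    nat_groups: dict[str, NatGroup] = {}
    block: Interface | NatGroup | None = None
    for raw in text.splitlines():
        line = raw.strip()                      # indentation in dumps is unreliable
        if not line or line == "#":             # a '#' line closes the current block
            block = None
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            block = interfaces[m.group(1)] = Interface(m.group(1))
        elif m := re.fullmatch(r"nat address-group (\S+) \d+", line):
            block = nat_groups[m.group(1)] = NatGroup(m.group(1))
        elif isinstance(block, Interface):
            if line.startswith("ip address "):
                block.address = line.removeprefix("ip address ")
            elif m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", line):
                block.vrrp[int(m.group(1))] = (m.group(2), m.group(3))
        elif isinstance(block, NatGroup):
            if line.startswith("mode "):
                block.mode = line.removeprefix("mode ")
            elif line.startswith("section "):
                block.sections.append(line)
    return interfaces, nat_groups


def vrrp_groups(interfaces: dict[str, Interface]) -> dict[int, tuple[str, str, str | None]]:
    """vrid -> (virtual-ip, role, real address) across all interfaces of one device."""
    groups = {}
    for intf in interfaces.values():
        real = intf.address.split()[0] if intf.address else None
        for vrid, (vip, role) in intf.vrrp.items():
            groups[vrid] = (vip, role, real)
    return groups


def check_hrp_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """Findings that would break a clean HRP failover; an empty list means consistent."""
    findings: list[str] = []
    if_a, nat_a = parse_config(cfg_a)
    if_b, nat_b = parse_config(cfg_b)
    ga, gb = vrrp_groups(if_a), vrrp_groups(if_b)
    for vrid in sorted(set(ga) | set(gb)):
        if vrid not in ga or vrid not in gb:
            findings.append(f"vrid {vrid}: configured on only one firewall")
            continue
        (vip_a, role_a, real_a), (vip_b, role_b, real_b) = ga[vrid], gb[vrid]
        if vip_a != vip_b:
            findings.append(f"vrid {vrid}: virtual-ip differs ({vip_a} vs {vip_b})")
        if {role_a, role_b} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles {role_a}/{role_b}, expected one active and one standby")
        if real_a == real_b:
            findings.append(f"vrid {vrid}: both firewalls use the real address {real_a}")
    for name in sorted(set(nat_a) | set(nat_b)):
        if name not in nat_a or name not in nat_b:
            findings.append(f"nat address-group {name}: configured on only one firewall")
        elif (nat_a[name].mode, nat_a[name].sections) != (nat_b[name].mode, nat_b[name].sections):
            findings.append(f"nat address-group {name}: mode or sections differ")
    return findings


# Constructed sample listings using the post's addressing (trimmed to what the check reads).
CFG_A = """\
interface GigabitEthernet1/0/1.10
 ip address 10.1.1.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.1.254 active
#
interface GigabitEthernet1/0/1.20
 ip address 20.1.1.252 255.255.255.0
 vrrp vrid 20 virtual-ip 20.1.1.254 active
#
nat address-group jyw 0
 mode pat
 section 0 10.1.1.2 10.1.1.10
#
"""
CFG_B = CFG_A.replace(".252 ", ".253 ").replace(" active", " standby")
# Deliberately broken standby: vrid 20 left active and the NAT pool shrunk.
CFG_B_BAD = (CFG_B.replace("20.1.1.254 standby", "20.1.1.254 active")
                  .replace("10.1.1.2 10.1.1.10", "10.1.1.2 10.1.1.5"))

if __name__ == "__main__":
    print("good pair:", check_hrp_pair(CFG_A, CFG_B) or "consistent")
    for finding in check_hrp_pair(CFG_A, CFG_B_BAD):
        print("FINDING:", finding)
```

Run it against the full "display current-configuration" output of both devices (saved to two files) rather than the trimmed samples; anything the parser does not understand is ignored, so the check stays useful even when the dumps contain commands this version does not model.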

 


Alarm information

Without intelligent routing configured, only one link carries traffic and that link gets saturated; the internal network becomes slow or drops out.

Handling process

Looking at the traffic trend, all traffic was leaving through the link matched by the highest-ranked NAT policy; the other two links were idle, and even when that ISP link was saturated, traffic did not move to the others.

Root cause

The firewall cannot choose an egress link by itself; intelligent routing has to be configured alongside the NAT policies.

Solution

1. Enable source-in-source-out (redirect-reverse) on the public-network interfaces; the configuration is identical on the active and standby firewalls.

interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 10.1.1.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.1.254 active
 gateway 10.1.1.1                 (specify the gateway)
 service-manage ping permit
 redirect-reverse enable          (enable source-in-source-out)
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 20.1.1.252 255.255.255.0
 vrrp vrid 20 virtual-ip 20.1.1.254 active
 gateway 20.1.1.1
 service-manage ping permit
 redirect-reverse enable
#
interface GigabitEthernet1/0/1.30
 vlan-type dot1q 30
 ip address 30.1.1.252 255.255.255.0
 vrrp vrid 30 virtual-ip 30.1.1.254 active
 gateway 30.1.1.1
 service-manage ping permit
 redirect-reverse enable
#


2. Enable intelligent routing. There are several methods; here the priority-based mode (priority-of-link-quality) is chosen, again identical on the active and standby firewalls.

 multi-interface
  mode priority-of-link-quality
  priority-of-link-quality parameter loss
  priority-of-link-quality protocol tcp-simple
  add interface GigabitEthernet1/0/1.10
  add interface GigabitEthernet1/0/1.20 priority 2
  add interface GigabitEthernet1/0/1.30 priority 3
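To make the effect of the two steps concrete, here is a small Python model, added as an example and not taken from the post or from the USG's own implementation (the device's exact tie-breaking and the default priority of an interface added without one are not stated on this page and are assumptions here). `static_egress` reproduces the behaviour before the fix, where one link is always used regardless of load; `select_egress` models priority-of-link-quality with the loss parameter, where the link with the lowest probed loss carries new sessions, the configured priority only breaks ties and a link whose tcp-simple probe got no answer is excluded; `reply_gateway` models what redirect-reverse enforces, namely that the reply for a session that arrived on an ISP sub-interface leaves through that sub-interface's gateway rather than through whichever link selection would pick. The probe results are constructed sample data.

```python
"""Added example (not from the post, not the USG implementation): a model of
link-quality-first egress selection and source-in-source-out return paths."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    iface: str          # ISP-facing sub-interface listed under multi-interface
    gateway: str        # next hop set with 'gateway' on that sub-interface
    priority: int = 1   # 'add interface ... priority N'; ASSUMPTION: omitted means 1, lower is preferred


# The three links from the solution above (priorities as configured; jyw has none).
LINKS = (
    Link("GigabitEthernet1/0/1.10", "10.1.1.1"),              # jyw  (education network)
    Link("GigabitEthernet1/0/1.20", "20.1.1.1", priority=2),  # dx   (China Telecom)
    Link("GigabitEthernet1/0/1.30", "30.1.1.1", priority=3),  # cmcc (China Mobile)
)

# Constructed probe results: interface -> packet-loss ratio measured by the
# tcp-simple probe, or None when the probe got no reply at all (link treated as down).
HEALTHY = {"GigabitEthernet1/0/1.10": 0.0, "GigabitEthernet1/0/1.20": 0.0, "GigabitEthernet1/0/1.30": 0.0}
JYW_SATURATED = {"GigabitEthernet1/0/1.10": 0.35, "GigabitEthernet1/0/1.20": 0.01, "GigabitEthernet1/0/1.30": 0.01}
JYW_DOWN = {"GigabitEthernet1/0/1.10": None, "GigabitEthernet1/0/1.20": 0.02, "GigabitEthernet1/0/1.30": 0.0}
ALL_DOWN = {"GigabitEthernet1/0/1.10": None, "GigabitEthernet1/0/1.20": None, "GigabitEthernet1/0/1.30": None}


def static_egress(links: tuple[Link, ...]) -> Link:
    """Behaviour before the fix: the most preferred link is always used, whatever
    its load, which matches the 'all traffic leaves through one ISP' symptom."""
    return min(links, key=lambda l: l.priority)


def select_egress(links: tuple[Link, ...], loss: dict[str, float | None]) -> Link | None:
    """priority-of-link-quality with parameter 'loss': lowest measured loss wins,
    configured priority only breaks ties, links whose probe failed are excluded,
    None when no link is usable."""
    alive = [l for l in links if loss.get(l.iface) is not None]
    if not alive:
        return None
    return min(alive, key=lambda l: (loss[l.iface], l.priority))


def reply_gateway(ingress_iface: str, links: tuple[Link, ...]) -> str:
    """What 'redirect-reverse enable' enforces: the reply for a session that arrived on
    an ISP sub-interface leaves via that sub-interface's gateway, regardless of which
    link egress selection or the routing table would otherwise choose."""
    for l in links:
        if l.iface == ingress_iface:
            return l.gateway
    raise ValueError(f"{ingress_iface} is not an ISP link")


if __name__ == "__main__":
    print("static        :", static_egress(LINKS).iface)
    for name, probe in [("healthy", HEALTHY), ("jyw saturated", JYW_SATURATED), ("jyw down", JYW_DOWN)]:
        chosen = select_egress(LINKS, probe)
        print(f"{name:14}: {chosen.iface if chosen else 'no usable link'}")
    # Inbound session on the cmcc link: the reply must go to 30.1.1.1 even though
    # a fresh outbound session would currently be placed on the jyw link.
    print("reply via     :", reply_gateway("GigabitEthernet1/0/1.30", LINKS))
```

The saturated case is the one from the handling process above: with only static selection the jyw link keeps every new session even at 35 % loss, whereas the quality-based selector moves new sessions to the dx link, and the reply path stays pinned to the ingress link so that the public address of an inbound session is never sent out through a different ISP's NAT pool.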

Suggestions and summary

When a network has multiple ISP uplinks, the intelligent routing function needs to be enabled so that traffic is distributed across the uplinks intelligently rather than all leaving through one of them.

END