I. Introduction
1.1 Definition
The ISP routing function, also called ISP address library routing, applies when the FW acts as the egress gateway connected to several ISP networks: traffic destined for a given ISP network is forwarded out of the corresponding outbound interface, so that forwarding always uses the shortest path.
1.2 Purpose
When the FW's egress links belong to different ISPs and the address an intranet user visits has equal-cost routes, one of those routes is a sub-optimal path and the other is the path the user actually wants. With ISP routing configured, the FW selects the outbound interface according to the ISP network that the destination address belongs to, so the traffic is forwarded over the optimal path.
1.3 Application scenario
As shown in the figure, with ISP routing configured, an enterprise that obtains multiple egress links from different ISPs always forwards traffic to Server1 over the link to ISP1 and traffic to Server2 over the link to ISP2.
II. Configuring ISP routing
2.1 Interface-based configuration
1. Topology
2. Configuration procedure
① Configure IP addresses according to the topology and assign security zones (omitted).
② Export the ISP address library template, fill it in, and import it.
③ Configure health checks
[FW]healthcheck enable
[FW]healthcheck name isp1
[FW-healthcheck-isp1]destination 202.100.1.1 interface GigabitEthernet 1/0/0 next-hop 202.100.1.1 protocol icmp
[FW-healthcheck-isp1]tx-interval 3
[FW-healthcheck-isp1]times 2
[FW]healthcheck name isp2
[FW-healthcheck-isp2]destination 202.100.2.2 interface GigabitEthernet 1/0/1 next-hop 202.100.2.2 protocol icmp
[FW-healthcheck-isp2]tx-interval 3
[FW-healthcheck-isp2]times 2
④ Bind the ISP address library and the health checks on the interfaces
[FW]interface-group 0 isp isp1
[FW-interface-isp-group-0]add interface GigabitEthernet 1/0/0
[FW]interface-group 1 isp isp2
[FW-interface-isp-group-1]add interface GigabitEthernet 1/0/1
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]healthcheck isp1
[FW-GigabitEthernet1/0/0]gateway 202.100.1.1
[FW-GigabitEthernet1/0/0]redirect-reverse next-hop 202.100.1.1
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]healthcheck isp2
[FW-GigabitEthernet1/0/1]gateway 202.100.2.2
[FW-GigabitEthernet1/0/1]redirect-reverse next-hop 202.100.2.2
⑤ Configure Easy-IP (source NAT)
[FW]nat-policy
[FW-policy-nat]rule name PC_Internet
[FW-policy-nat-rule-PC_Internet]source-zone trust
[FW-policy-nat-rule-PC_Internet]destination-zone untrust
[FW-policy-nat-rule-PC_Internet]source-address 10.1.1.0 24
[FW-policy-nat-rule-PC_Internet]source-address 10.1.2.0 24
[FW-policy-nat-rule-PC_Internet]action source-nat easy-ip
3. Verification
① Check the routing table
[FW]display ip routing-table
2023-02-18 08:15:54.660
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 16
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Unr 70 0 D 202.100.1.1 GigabitEthernet1/0/0
Unr 70 0 D 202.100.2.2 GigabitEthernet1/0/1
1.1.1.1/32 Unr 70 0 D 202.100.1.1 GigabitEthernet1/0/0
2.2.2.2/32 Unr 70 0 D 202.100.1.1 GigabitEthernet1/0/0
3.3.3.3/32 Unr 70 0 D 202.100.2.2 GigabitEthernet1/0/1
4.4.4.4/32 Unr 70 0 D 202.100.2.2 GigabitEthernet1/0/1
② Check the health checks
[FW]display healthcheck
2023-02-18 08:17:06.080
Current Total Healthcheck Number : 2
Name Member State Up/Down/Init
isp1 1 up 1 0 0
isp2 1 up 1 0 0
③ From PC1, ping 2.2.2.2 and 3.3.3.3. Traffic to 2.2.2.2 takes the ISP1 link and traffic to 3.3.3.3 takes the ISP2 link.
icmp VPN: public --> public ID: c387f80aad046a8c7663f08a75
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:19
Recv Interface: GigabitEthernet1/0/2
Interface: GigabitEthernet1/0/0 NextHop: 202.100.1.1 MAC: 00e0-fcfa-7a3f
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
10.1.1.1:27018[202.100.1.10:2050] --> 2.2.2.2:2048 PolicyName: PC_Internet
icmp VPN: public --> public ID: c487f80aad04b3029c663f08a8c
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:19
Recv Interface: GigabitEthernet1/0/2
Interface: GigabitEthernet1/0/1 NextHop: 202.100.2.2 MAC: 00e0-fc20-1d28
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
10.1.1.1:33162[202.100.2.10:2049] --> 3.3.3.3:2048 PolicyName: PC_Internet
④ From PC1, run a continuous ping (ping -t) to 2.2.2.2, shut down interface G1/0/0 and observe the result.
Communication recovers after a brief interruption: the health check detects the failure, and Internet traffic is now sent over the ISP2 link.
[FW-GigabitEthernet1/0/0]display ip routing-table
2023-02-18 08:23:22.650
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Unr 70 0 D 202.100.2.2 GigabitEthernet1/0/1
3.3.3.3/32 Unr 70 0 D 202.100.2.2 GigabitEthernet1/0/1
4.4.4.4/32 Unr 70 0 D 202.100.2.2 GigabitEthernet1/0/1
[FW]display healthcheck
2023-02-18 08:23:48.020
Current Total Healthcheck Number : 2
Name Member State Up/Down/Init
isp1 1 down 0 1 0
isp2 1 up 1 0 0
icmp VPN: public --> public ID: c487f80aad021381d4f63f08b20
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
Recv Interface: GigabitEthernet1/0/2
Interface: GigabitEthernet1/0/1 NextHop: 202.100.2.2 MAC: 00e0-fc20-1d28
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
10.1.1.1:5515[202.100.2.10:2054] --> 1.1.1.1:2048 PolicyName: PC_Internet
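The egress selection and failover that the two verification steps above demonstrate, modelled as an added Python example (not FW code): the ISP library contents and link states are taken from the routing-table and health-check output on this page, and equal-cost default routes are tie-broken by list order as a simplification of the FW's load balancing.

```python
import ipaddress
from dataclasses import dataclass

# Model of the FW's ISP-routing decision (added example, not FW code).
# ISP library entries mirror the /32 routes in the display output above.

@dataclass
class IspLink:
    name: str
    interface: str
    next_hop: str
    prefixes: list            # ISP address library entries (CIDR strings)
    healthcheck_up: bool = True

def build_routing_table(links):
    """Mimic 'display ip routing-table': one default route plus the ISP
    library routes per link; a link whose health check is down contributes
    nothing, which is exactly what the second routing table above shows."""
    routes = []
    for link in links:
        if not link.healthcheck_up:
            continue          # routes via the failed link are withdrawn
        routes.append((ipaddress.ip_network("0.0.0.0/0"), link))
        for prefix in link.prefixes:
            routes.append((ipaddress.ip_network(prefix), link))
    return routes

def select_egress(routes, destination):
    """Longest-prefix match: an ISP library /32 beats the default route, so
    the destination's ISP decides the egress; unknown destinations fall
    back to the default route (first listed healthy link here)."""
    dst = ipaddress.ip_address(destination)
    candidates = [(net, link) for net, link in routes if dst in net]
    if not candidates:
        return None
    _, link = max(candidates, key=lambda c: c[0].prefixlen)
    return link.interface, link.next_hop

ISP1 = IspLink("isp1", "GigabitEthernet1/0/0", "202.100.1.1", ["1.1.1.1/32", "2.2.2.2/32"])
ISP2 = IspLink("isp2", "GigabitEthernet1/0/1", "202.100.2.2", ["3.3.3.3/32", "4.4.4.4/32"])

def steady_state(dst):
    """Both health checks up (step ③)."""
    return select_egress(build_routing_table([ISP1, ISP2]), dst)

def isp1_down(dst):
    """G1/0/0 shut, health check isp1 down (step ④)."""
    failed = IspLink(ISP1.name, ISP1.interface, ISP1.next_hop, ISP1.prefixes, False)
    return select_egress(build_routing_table([failed, ISP2]), dst)
```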
2.2 Configuring ISP routes globally
1. Remove the interface-based configuration from 2.1; the topology is unchanged.
2. Configuration procedure
① Configure IP-Link
[FW]ip-link check enable
[FW]ip-link name isp1
[FW-iplink-isp1]destination 202.100.1.1 interface GigabitEthernet 1/0/0 mode icmp next-hop 202.100.1.1
[FW-iplink-isp1]ip-link name isp2
[FW-iplink-isp2]destination 202.100.2.2 interface GigabitEthernet 1/0/1 mode icmp next-hop 202.100.2.2
② Configure ISP routes
[FW]ip route-isp isp1 interface GigabitEthernet1/0/0 nexthop 202.100.1.1 track ip-link isp1
[FW]ip route-isp isp2 interface GigabitEthernet1/0/1 nexthop 202.100.2.2 track ip-link isp2
③ Configure static default routes bound to the IP-Links
[FW]ip route-static 0.0.0.0 0 202.100.1.1 track ip-link isp1
[FW]ip route-static 0.0.0.0 0 202.100.2.2 track ip-link isp2