HCIP-Security 1.1 Multi-Exit Route Selection 3 (Intelligent Route Selection: Global and Policy-Based Routing)
1. Network topology
2. Planning
2.1 IP address plan
| Device | Interface | Security zone | IP address |
| --- | --- | --- | --- |
| FW1 | GE0/0/0 | Local | 192.168.0.10/24 |
| FW1 | GE1/0/0 | Local | 202.100.2.10/24 |
| FW1 | GE1/0/1 | Local | 202.100.1.10/24 |
| FW1 | GE1/0/2 | Local | 10.1.1.10/24 |
| FW1 | GE1/0/3 | Local | 10.1.2.10/24 |
| FW1 | GE1/0/4 | Local | 10.1.3.10/24 |
| FW1 | GE1/0/5 | Local | 192.168.34.10/24 |
| ISP1 | GE0/0/0 | untrust | 11.1.1.20/24 |
| ISP1 | GE0/0/1 | untrust | 202.100.1.20/24 |
| ISP1 | Loopback0 | untrust | 1.1.1.1/32 |
| ISP1 | Loopback1 | untrust | 2.2.2.2/32 |
| ISP2 | GE0/0/0 | untrust | 12.1.1.20/24 |
| ISP2 | GE0/0/1 | untrust | 202.100.2.20/24 |
| ISP2 | Loopback0 | untrust | 3.3.3.3/32 |
| ISP2 | Loopback1 | untrust | 4.4.4.4/32 |
| Internet | GE0/0/0 | untrust | 11.1.1.30/24 |
| Internet | GE0/0/1 | untrust | 12.1.1.30/24 |
| Internet | GE0/0/2 | untrust | 120.1.1.30/24 |
| http_server | Ethernet0/0/0 | untrust | 120.1.1.2/24 |
| DMZ_Server | Ethernet0/0/0 | dmz | 192.168.34.1/24 |
| kali_linux | Ethernet0/0/0 | trust | 10.1.1.128/24 |
| RHEL | Ethernet0/0/0 | trust | 10.1.2.2/24 |
| PC2 | Ethernet0/0/0 | trust | 10.1.3.1/24 |
| MGMT_PC | Ethernet0/0/0 | trust | 192.168.0.1/24 |
2.2 Lab requirements
Load sharing by link bandwidth is the default intelligent route-selection mode. When an enterprise obtains several links of unequal bandwidth from different ISPs, this mode can be chosen to make full use of every link's bandwidth and raise link utilization.
The "bandwidth" meant here is the value the administrator assigns to each interface on the FW; in general it should be set sensibly according to the real bandwidth of the link. The FW distributes traffic across the links in proportion to these bandwidth values, so the link with the larger bandwidth forwards more traffic and the link with the smaller bandwidth forwards less. All links are used and none sits idle.
3. Configuration
3.1 Configuration outside the firewall
3.1.1 ISP1 router
system-view
[Huawei]sysname ISP1
[ISP1]user-interface con 0
[ISP1-ui-console0]idle-timeout 0 0
[ISP1]interface GigabitEthernet 0/0/0
[ISP1-GigabitEthernet0/0/0]ip address 11.1.1.20 24
[ISP1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]ip address 202.100.1.20 24
[ISP1-GigabitEthernet0/0/1]interface Loopback 0
[ISP1-LoopBack0]ip address 1.1.1.1 32
[ISP1-LoopBack0]interface Loopback 1
[ISP1-LoopBack1]ip address 2.2.2.2 32
[ISP1-LoopBack1]ip route-static 0.0.0.0 0 11.1.1.30
3.1.2 ISP2 router
system-view
[Huawei]sysname ISP2
[ISP2]user-interface con 0
[ISP2-ui-console0]idle-timeout 0 0
[ISP2-ui-console0]interface GigabitEthernet 0/0/0
[ISP2-GigabitEthernet0/0/0]ip address 12.1.1.20 24
[ISP2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]ip address 202.100.2.20 24
[ISP2-GigabitEthernet0/0/1]interface Loopback 0
[ISP2-LoopBack0]ip address 3.3.3.3 32
[ISP2-LoopBack0]interface Loopback 1
[ISP2-LoopBack1]ip address 4.4.4.4 32
[ISP2-LoopBack1]ip route-static 0.0.0.0 0 12.1.1.30
3.1.3 Internet router
system-view
[Huawei]sysname Internet
[Internet]user-interface con 0
[Internet-ui-console0]idle-timeout 0 0
[Internet-ui-console0]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip address 11.1.1.30 24
[Internet-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 12.1.1.30 24
[Internet-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip route-static 202.100.1.0 24 11.1.1.20
[Internet]ip route-static 1.1.1.1 32 11.1.1.20
[Internet]ip route-static 2.2.2.2 32 11.1.1.20
[Internet]ip route-static 202.100.2.0 24 12.1.1.20
[Internet]ip route-static 3.3.3.3 32 12.1.1.20
[Internet]ip route-static 4.4.4.4 32 12.1.1.20
3.1.4 HTTP server
The HTTP server is a VMware Workstation virtual machine bridged into eNSP, with a simple HTTP service configured on it.
3.1.5 MGMT_PC
MGMT_PC is my local physical host bridged into eNSP; FW1 can be managed graphically from a browser on it.
3.1.6 Internal test hosts
① kali_linux
② RHEL
3.2 Firewall configuration
3.2.1 Interface addresses and security zones
system-view
[USG6000V1]sysname FW1
[FW1]user-interface con 0
[FW1-ui-console0]idle-timeout 0 0
[FW1-ui-console0]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.10 24
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 202.100.2.10 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 202.100.1.10 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.10 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.2.10 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]interface GigabitEthernet 1/0/4
[FW1-GigabitEthernet1/0/4]ip address 10.1.3.10 24
[FW1-GigabitEthernet1/0/4]service-manage ping permit
[FW1-GigabitEthernet1/0/4]interface GigabitEthernet 1/0/5
[FW1-GigabitEthernet1/0/5]ip address 192.168.34.10 24
[FW1-GigabitEthernet1/0/5]service-manage ping permit
[FW1-GigabitEthernet1/0/5]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]add interface GigabitEthernet 1/0/4
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/5
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
3.2.2 Intelligent route selection configuration
1. Configure the interface bandwidth values
① CLI
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]gateway 202.100.1.20
[FW1-GigabitEthernet1/0/1]bandwidth ingress 1000 threshold 80
[FW1-GigabitEthernet1/0/1]bandwidth egress 1000 threshold 80
② GUI
2. Configure health checks
[FW1]healthcheck enable
[FW1]healthcheck name isp1
[FW1-healthcheck-isp1]destination 202.100.1.20 interface GigabitEthernet 1/0/1 protocol icmp
[FW1]healthcheck name isp2
[FW1-healthcheck-isp2]destination 202.100.2.20 interface GigabitEthernet 1/0/0 protocol icmp
3. Create link interfaces and bind the health checks
① CLI
[FW1]link-interface 0 name isp1
[FW1-linkif-0]interface GigabitEthernet 1/0/1 next-hop 202.100.1.20
[FW1-linkif-0]healthcheck isp1
② GUI
4. Configure intelligent route selection through policy-based routing
① CLI
[FW1]policy-based-route
[FW1-policy-pbr]rule name bandwidth
[FW1-policy-pbr-rule-isp1]source-zone trust
[FW1-policy-pbr-rule-isp1]action pbr multi-linkif
[FW1-policy-pbr-rule-isp1-multi-linkif]mode proportion-of-bandwidth
[FW1-policy-pbr-rule-isp1-multi-linkif]add linkif isp1
[FW1-policy-pbr-rule-isp1-multi-linkif]add linkif isp2
② GUI
5. Configure global intelligent route selection
Note: delete the policy-based-routing intelligent route selection from step 4 first.
① CLI
[FW1]multi-linkif
[FW1-multi-linkif]mode proportion-of-bandwidth
[FW1-multi-linkif]add linkif isp1
[FW1-multi-linkif]add linkif isp2
② GUI
3.2.3 Security policy
[FW1]ip address-set pc type object
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
[FW1-object-address-set-pc]address 10.1.3.0 mask 24
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]source-address address-set pc
[FW1-policy-security-rule-trust_untrust]action permit
3.2.4 Source NAT
[FW1]nat-policy
[FW1-policy-nat]rule name easy-ip
[FW1-policy-nat-rule-easy-ip]source-zone trust
[FW1-policy-nat-rule-easy-ip]destination-zone untrust
[FW1-policy-nat-rule-easy-ip]source-address address-set pc
[FW1-policy-nat-rule-easy-ip]action source-nat easy-ip
4. Test results
1. Using the two test hosts, access HTTP; watching video and downloading files should produce heavy traffic, right?
2. Check the firewall's global route selection status. The effect is not very obvious, but it is roughly as expected: load sharing according to traffic. The Hedex documentation explains it as follows:
The FW splits traffic according to the ratio of the bandwidths configured on the interfaces, not according to the real-time traffic rate. So in practice the proportion of traffic actually carried on each interface link is hard to keep identical to the configured bandwidth ratio; there is always some fluctuation.
For example, with 3 interface links whose bandwidth ratio is set to 2:1:1 and 4 flows arriving, the FW distributes the 4 flows over the 3 links at 2:1:1, i.e. interface 1 gets 2 flows and interfaces 2 and 3 get 1 flow each. But each flow has a different rate, so the ratio of traffic forwarded on the interfaces is not 2:1:1.
3. Check the session table: the sessions go out through the two different egress interfaces.
4. The effect is not very obvious on the simulator, but that is roughly the idea, haha! XD
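The proportion-of-bandwidth behaviour described in section 2.2 and in the Hedex explanation quoted above can be made concrete with a small simulation. This is an added example, not code from the article or from Huawei: it hands each new flow to one egress link so that the flow count per link follows the configured bandwidth ratio, drops a link from the pool when its health check has failed, and then shows why the throughput per link still deviates from that ratio. The smooth weighted round-robin used to pick a link, the per-flow rates, and the bandwidth value 1000 for isp2 (only isp1's is on the page) are assumptions.

```python
"""Simulating proportion-of-bandwidth link selection (added example, not Huawei code).

Each new flow is placed on the healthy link that is furthest below its fair
share of flows, so flow COUNTS follow the configured bandwidth ratio. The FW
never looks at per-flow rates, so the BYTES per link can deviate from that ratio.
The selection algorithm itself is an assumption; the USG's real one is not on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Flow:
    name: str
    rate_kbps: int  # constructed per-flow throughput; ignored by the selector on purpose


@dataclass
class Link:
    name: str
    bandwidth: int  # the configured "bandwidth egress" value, used as the weight
    healthy: bool = True  # outcome of the healthcheck bound through link-interface
    flows: List[Flow] = field(default_factory=list)


class MultiLinkSelector:
    """mode proportion-of-bandwidth: pick the link furthest below its fair share of flows."""

    def __init__(self, links: List[Link]) -> None:
        self.links = links
        self.assigned: Dict[str, int] = {l.name: 0 for l in links}

    def candidates(self) -> List[Link]:
        # A link whose health check failed (or with zero bandwidth) gets no new flows.
        return [l for l in self.links if l.healthy and l.bandwidth > 0]

    def pick(self) -> Link:
        cands = self.candidates()
        if not cands:
            raise RuntimeError("no healthy link left in the multi-linkif pool")
        total_bw = sum(l.bandwidth for l in cands)
        total_flows = sum(self.assigned[l.name] for l in cands)

        def deficit(link: Link) -> float:
            # Flows this link should hold once one more is placed, minus what it holds now.
            expected = (total_flows + 1) * link.bandwidth / total_bw
            return expected - self.assigned[link.name]

        chosen = max(cands, key=deficit)  # ties go to the earliest link in the list
        self.assigned[chosen.name] += 1
        return chosen


def simulate(links: List[Link], flows: List[Flow]) -> Dict[str, List[str]]:
    """Assign flows in arrival order; return the flow names carried by each link."""
    selector = MultiLinkSelector(links)
    for flow in flows:
        selector.pick().flows.append(flow)
    return {l.name: [f.name for f in l.flows] for l in links}


def load_by_link(links: List[Link]) -> Dict[str, int]:
    """Throughput actually carried per link, which the bandwidth ratio does not control."""
    return {l.name: sum(f.rate_kbps for f in l.flows) for l in links}


def hedex_example() -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """The 2:1:1, four-flow case quoted from the Hedex documentation (flow rates constructed)."""
    links = [Link("link1", 200), Link("link2", 100), Link("link3", 100)]
    flows = [Flow("f1", 1000), Flow("f2", 5000), Flow("f3", 500), Flow("f4", 1000)]
    assignment = simulate(links, flows)
    return assignment, load_by_link(links)


def lab_example(isp2_healthy: bool = True) -> Dict[str, List[str]]:
    """Two ISP links as in the lab: isp1 bandwidth 1000 is from the page, isp2's is assumed equal."""
    links = [Link("isp1", 1000), Link("isp2", 1000, healthy=isp2_healthy)]
    flows = [Flow(f"session{i}", 800) for i in range(1, 7)]  # constructed sessions
    return simulate(links, flows)


if __name__ == "__main__":
    assignment, load = hedex_example()
    print("flows per link :", {k: len(v) for k, v in assignment.items()})  # 2:1:1 as configured
    print("kbit/s per link:", load)  # not 2:1:1, because the flow rates differ
    print("both ISPs up   :", lab_example())
    print("isp2 check down:", lab_example(isp2_healthy=False))
```

Running it reproduces the documentation's point: the flow counts come out exactly 2:1:1, while the carried kbit/s are 2000:5000:500. The second scenario shows what the health check buys you: with isp2's check failed, every new session lands on isp1 instead of being sent into a dead link.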