
Binding IP-link to static routes on a Huawei firewall

Author: Internet


1. Configure the internal network IP address and connectivity
[FW1-GigabitEthernet1/0/0]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/0
2. Configure the external network IP addresses and connectivity
[FW1-GigabitEthernet1/0/1]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/2]ip add 20.1.2.1 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/1
[FW1-zone-untrust]add interface g1/0/2
[ISP1-GigabitEthernet0/0/1]ip add 20.1.1.2 24
[ISP1-GigabitEthernet0/0/2]ip add 20.1.3.2 24
[ISP1-GigabitEthernet0/0/2]vrrp vrid 1 virtual-ip 20.1.3.254
[ISP2-GigabitEthernet0/0/1]ip add 20.1.2.3 24
[ISP2-GigabitEthernet0/0/2]ip add 20.1.3.3 24
[ISP2-GigabitEthernet0/0/2]vrrp vrid 1 virtual-ip 20.1.3.254
[ISP1]ospf
[ISP1-ospf-1]area 0
[ISP1-ospf-1-area-0.0.0.0]network 20.1.3.0 0.0.0.255
[ISP1-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[ISP2]ospf
[ISP2-ospf-1]area 0
[ISP2-ospf-1-area-0.0.0.0]network 20.1.2.0 0.0.0.255
[ISP2-ospf-1-area-0.0.0.0]network 20.1.3.0 0.0.0.255
3. Configure the NAT policy as easy-ip
[FW1]nat-policy
[FW1-policy-nat]rule name out
[FW1-policy-nat-rule-out]source-zone trust
[FW1-policy-nat-rule-out]destination-zone untrust
[FW1-policy-nat-rule-out]action source-nat easy-ip
4. Configure IP-link
[FW1]ip-link check enable
[FW1]ip-link name ip_link1
[FW1-iplink-ip_link1]destination 20.1.1.2 interface g1/0/1 mode icmp
[FW1-iplink-ip_link1]ip-link name ip_link2
[FW1-iplink-ip_link2]destination 20.1.2.3 interface g1/0/2 mode icmp
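5. Link IP-link to the static routes (the route via 20.1.2.3 has preference 100, a less preferred value, so it is the backup)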
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2 track ip-link ip_link1
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.2.3 preference 100 track ip-link ip_link2
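6. Configure the interzone security policies (the ip_link rule permits the firewall's own IP-link probes from the local zone to untrust)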
[FW1]security-policy
[FW1-policy-security]rule name out
[FW1-policy-security-rule-out]source-zone trust
[FW1-policy-security-rule-out]destination-zone untrust
[FW1-policy-security-rule-out]action permit
[FW1-policy-security]rule name ip_link
[FW1-policy-security-rule-ip_link]source-zone local
[FW1-policy-security-rule-ip_link]destination-zone untrust
[FW1-policy-security-rule-ip_link]action permit
7. Verification
Running tracert to PC2 from the firewall shows that the traffic goes through ISP1.
After interface g0/0/1 on ISP1 is shut down, the traffic automatically switches over to ISP2.
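
An added example (not from the original post): a small Python check that reads the FW1 commands from steps 4 and 5 and reports static routes that are untracked, or that track an IP-link which was never defined or has no destination. The function name audit and the SAMPLE text are constructed for this illustration.

```python
import re

# Constructed sample: the FW1 commands from steps 4 and 5, prompts included.
SAMPLE = """\
[FW1]ip-link check enable
[FW1]ip-link name ip_link1
[FW1-iplink-ip_link1]destination 20.1.1.2 interface g1/0/1 mode icmp
[FW1-iplink-ip_link1]ip-link name ip_link2
[FW1-iplink-ip_link2]destination 20.1.2.3 interface g1/0/2 mode icmp
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2 track ip-link ip_link1
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.2.3 preference 100 track ip-link ip_link2
"""

PROMPT = re.compile(r"^\[[^\]]*\]")  # leading "[FW1-...]" view prompt
ROUTE = re.compile(r"^ip route-static (\S+) (\S+) (\S+)"
                   r"(?: preference (\d+))?(?: track ip-link (\S+))?$")

def audit(config):
    """Return findings about the IP-link / static-route linkage (empty list = consistent)."""
    enabled, links, current, routes, findings = False, {}, None, [], []
    for raw in config.splitlines():
        cmd = PROMPT.sub("", raw.strip()).strip()
        if cmd == "ip-link check enable":
            enabled = True
        elif cmd.startswith("ip-link name "):
            current = cmd.split()[2]          # enter (or create) this IP-link
            links.setdefault(current, None)
        elif cmd.startswith("destination ") and current:
            links[current] = cmd.split()[1]   # probe target of the current IP-link
        elif (m := ROUTE.match(cmd)):
            routes.append((m.group(3), m.group(5)))  # (next hop, tracked link or None)
    if not enabled:
        findings.append("ip-link check is not enabled")
    for nexthop, link in routes:
        if link is None:
            findings.append(f"route via {nexthop} is not tracked")
        elif link not in links:
            findings.append(f"route via {nexthop} tracks undefined ip-link {link}")
        elif links[link] is None:
            findings.append(f"ip-link {link} has no destination")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "linkage is consistent")
```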

Source: https://blog.51cto.com/u_13699905/2842888