Best answer
Reference case
1. Switch 1 applies a route policy on g0/1 to the route going to switch 2, changing it to 10.2.2.2.
2. Switch 2 applies a route policy on g0/2 to the route coming back from switch 2, changing it to 10.1.1.2
What happens now is that traffic from switch 3 toward switch 2 bounces back and forth between switch 1 and the firewall, and a routing loop appears.
Switch 1 configuration
[H3C]display current-configuration
#
version 7.1.070, Alpha 7170
#
sysname H3C
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip ttl-expires enable
#
lldp global enable
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
stp global enable
#
policy-based-route aaa permit node 1
if-match acl 3000
apply next-hop 10.1.1.2
#
policy-based-route bbb permit node 1
if-match acl 3001
apply next-hop 10.2.2.2
#
interface NULL0
#
interface FortyGigE1/0/53
port link-mode bridge
#
interface FortyGigE1/0/54
port link-mode bridge
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
ip address 1.1.1.1 255.255.255.0
ip policy-based-route bbb
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable fiber
ip address 2.2.2.1 255.255.255.0
ip policy-based-route aaa
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable fiber
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable fiber
ip address 10.2.2.1 255.255.255.252
#
interface GigabitEthernet1/0/5
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/6
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/7
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/8
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/9
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/10
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/11
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/12
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/13
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/14
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/15
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/16
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/21
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/22
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/23
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/24
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/25
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/26
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/27
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/28
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/29
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/30
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/31
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/32
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/33
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/34
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/35
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/36
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/37
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/38
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/39
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/40
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/41
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/42
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/43
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/44
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/45
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/46
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/47
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/48
port link-mode bridge
combo enable fiber
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/50
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/51
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/52
port link-mode bridge
combo enable fiber
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
acl advanced 3000
rule 0 permit ip source 2.2.2.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip destination 2.2.2.0 0.0.0.255
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
Firewall configuration
<H3C>display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip ttl-expires enable
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 11.11.11.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 10.2.2.2 255.255.255.252
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/4
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 10.2.2.1
ip route-static 2.2.2.0 24 10.1.1.1
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl basic 2000
rule 0 permit source 1.1.1.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$MKVVV6yuS8P36pPn$LC0CUf4NLzlDup3kMQXzJ9JHTBcmIq0Ip3c9V2lwfqo5hoOZ/U9cwrgwIqnZgUeLPJayreTttl5CDDTs9nzCmg==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name 0
action pass
source-zone Trust
source-zone local
source-zone Untrust
destination-zone local
destination-zone Trust
destination-zone Untrust
#
return
<H3C>
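The two dumps above are long, and the question they raise is where each `apply next-hop` actually delivers a packet and what the firewall then does with it. The script below is an added example in Python, not code from the post or from H3C. It parses the stanzas of the two `display current-configuration` dumps that matter for the hand-off (excerpted below as constructed input, addresses exactly as posted) and, for each interface carrying `ip policy-based-route`, reports the firewall interface and security zone the next hop lands on, the firewall static route that carries the matched traffic onward, and the switch interface the firewall hands the packet back to, including whether that interface runs PBR itself. It assumes contiguous ACL wildcard masks and that interface PBR acts on packets received on that interface.

```python
import ipaddress
import re

# Constructed sample input: the stanzas of the two dumps posted above that matter here,
# addresses exactly as posted, with Comware's sub-command indentation restored.
SWITCH_CFG = """\
policy-based-route aaa permit node 1
 if-match acl 3000
 apply next-hop 10.1.1.2
#
policy-based-route bbb permit node 1
 if-match acl 3001
 apply next-hop 10.2.2.2
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 ip policy-based-route bbb
#
interface GigabitEthernet1/0/2
 ip address 2.2.2.1 255.255.255.0
 ip policy-based-route aaa
#
interface GigabitEthernet1/0/3
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/4
 ip address 10.2.2.1 255.255.255.252
#
acl advanced 3000
 rule 0 permit ip source 2.2.2.0 0.0.0.255
#
acl advanced 3001
 rule 0 permit ip destination 2.2.2.0 0.0.0.255
"""
FW_CFG = """\
interface GigabitEthernet1/0/3
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/4
 ip address 10.2.2.2 255.255.255.252
#
security-zone name Trust
 import interface GigabitEthernet1/0/3
#
security-zone name Untrust
 import interface GigabitEthernet1/0/4
#
ip route-static 0.0.0.0 0 10.2.2.1
ip route-static 2.2.2.0 24 10.1.1.1
"""
RULE = r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?"

def wildcard(addr, wc):
    """ACL 'address wildcard' -> network (contiguous wildcard assumed); empty addr means 'any'."""
    return ipaddress.IPv4Network((addr, 32 - int(ipaddress.IPv4Address(wc)).bit_length()), False) if addr else None

def parse(cfg):
    """Pick the interface, PBR, ACL, security-zone and static-route stanzas out of a Comware dump."""
    d = {"if": {}, "pbr": {}, "acl": {}, "zone": {}, "routes": []}
    for s in cfg.split("\n#"):                       # Comware separates stanzas with a '#' line
        head = s.strip().split("\n", 1)[0]
        if m := re.fullmatch(r"interface (\S+)", head):
            a = re.search(r"ip address (\S+) (\S+)", s)
            d["if"][m[1]] = {"addr": a and ipaddress.IPv4Interface(f"{a[1]}/{a[2]}"),
                             "pbr": (p := re.search(r"ip policy-based-route (\S+)", s)) and p[1]}
        elif m := re.fullmatch(r"policy-based-route (\S+) permit node \d+", head):
            d["pbr"].setdefault(m[1], []).append({"acl": int(re.search(r"if-match acl (\d+)", s)[1]),
                "next_hop": ipaddress.IPv4Address(re.search(r"apply next-hop (\S+)", s)[1])})
        elif m := re.fullmatch(r"acl (?:advanced|basic) (\d+)", head):
            d["acl"][int(m[1])] = [{"action": r[0], "src": wildcard(r[1], r[2]), "dst": wildcard(r[3], r[4])}
                                   for r in re.findall(RULE, s)]
        elif m := re.fullmatch(r"security-zone name (\S+)", head):
            d["zone"][m[1]] = re.findall(r"import interface (\S+)", s)
        for net, plen, nh in re.findall(r"ip route-static (\S+) (\d+) (\S+)", s):
            d["routes"].append((ipaddress.IPv4Network(f"{net}/{plen}"), ipaddress.IPv4Address(nh)))
    return d

def lookup(routes, dst):
    """Longest-prefix match of a destination network; an ACL 'any' destination only fits the default route."""
    dst = dst or ipaddress.IPv4Network("0.0.0.0/0")
    return max((r for r in routes if dst.subnet_of(r[0])), key=lambda r: r[0].prefixlen, default=(None, None))

def owner(dev, addr):
    """Interface of dev that holds addr, i.e. the link on which a next hop of addr is reached."""
    return next((n for n, i in dev["if"].items() if i["addr"] and i["addr"].ip == addr), None)

def audit_pbr(switch, fw):
    """Per PBR binding: firewall landing interface/zone, onward firewall route, and the hand-back interface."""
    out = []
    for ingress, intf in switch["if"].items():
        for node in switch["pbr"].get(intf["pbr"], []):
            for rule in switch["acl"].get(node["acl"], []):
                if rule["action"] != "permit":
                    continue                         # a deny rule leaves the packet to normal routing
                fw_in = owner(fw, node["next_hop"])
                net, fw_nh = lookup(fw["routes"], rule["dst"])
                back = owner(switch, fw_nh)
                out.append({"ingress": ingress, "policy": intf["pbr"],
                            "match": f"src {rule['src'] or 'any'} dst {rule['dst'] or 'any'}",
                            "fw_in": fw_in, "fw_zone": next((z for z, i in fw["zone"].items() if fw_in in i), None),
                            "fw_route": f"{net} via {fw_nh}", "back_on": back,
                            "back_pbr": back and switch["if"][back]["pbr"]})
    return out

if __name__ == "__main__":
    print(*audit_pbr(parse(SWITCH_CFG), parse(FW_CFG)), sep="\n")
```

Run on the posted configuration, the report says that policy bbb sends traffic for 2.2.2.0/24 arriving on GigabitEthernet1/0/1 into the firewall's Untrust interface 10.2.2.2, from where the firewall's 2.2.2.0/24 route returns it to the switch on GigabitEthernet1/0/3, and that policy aaa sends packets sourced from 2.2.2.0/24 into the Trust interface 10.1.1.2, from where the default route returns them on GigabitEthernet1/0/4. The firewall therefore sees a session opened from the 1.1.1.0/24 side as Untrust to Trust, which is the direction the security policy has to be checked against, and in the posted dump neither hand-back interface carries a policy of its own. Anything on the live devices that differs from this picture (an extra route, a policy bound to 1/0/3 or 1/0/4, a different ingress for the switch 3 traffic) is where to start looking for the loop.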
Best answer
See the following case:
As shown in the figure, the switch's int vlan 10 and the firewall's RAGG1.10 are on the same subnet, and the switch's int vlan20, the router's GE0/0 and the firewall's RAGG1.20 are on the same subnet.
The customer now needs the following: while the firewall is working normally, traffic from the endpoints to the border router must pass through the firewall, but when the firewall fails, the traffic is forwarded directly from the switch to the firewall.
On the switch and the router, static routes combined with track and NQA are configured so that the route points at the firewall while the firewall is healthy; once the firewall fails, the route no longer points at the firewall and the traffic is forwarded directly on the switch.
Firewall configuration:
interface Route-Aggregation1.10
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
#
interface Route-Aggregation1.20
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/0
port link-mode route
port link-aggregation group 1
#
interface GigabitEthernet1/0/1
port link-mode route
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.10
#
security-zone name Untrust
import interface Route-Aggregation1.20
#
ip route-static 0.0.0.0 0 192.168.20.3
ip route-static 192.168.100.0 24 192.168.10.2
#
security-policy ip
rule 0 name permit-all
action pass
source-zone untrust
source-zone trust
source-zone local
destination-zone untrust
destination-zone trust
destination-zone local
Switch configuration
track 1 nqa entry fw 1 reaction 1 //track the NQA state
#
nqa entry fw 1 //configure NQA: probe whether 10.1 is reachable, once per second (100 centiseconds), three probes
type icmp-echo
destination ip 192.168.10.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule fw 1 start-time now lifetime forever //start the NQA probes
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 10 20
#
interface Vlan-interface10
ip address 192.168.10.2 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.2 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
port link-aggregation group 1
#
ip route-static 0.0.0.0 0 192.168.10.1 track 1 //static route pointing at the firewall, bound to the track; it is withdrawn automatically when the NQA probe fails
ip route-static 0.0.0.0 0 192.168.20.3 preference 70 //floating route pointing at the router; takes effect when the static route above is withdrawn
Router configuration
track 1 nqa entry fw 1 reaction 1 //track the NQA state
#
nqa entry fw 1 //configure NQA: probe whether 20.1 is reachable, once per second (100 centiseconds), three probes
type icmp-echo
destination ip 192.168.20.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule fw 1 start-time now lifetime forever //start the NQA probes
#
interface LoopBack0 //simulated external address
ip address 100.100.100.100 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.20.3 255.255.255.0
#
ip route-static 192.168.100.0 24 192.168.20.1 track 1 //static route pointing at the firewall, bound to the track; it is withdrawn automatically when the NQA probe fails
ip route-static 192.168.100.0 24 192.168.20.2 preference 70 //floating route pointing at the switch; takes effect when the static route above is withdrawn
Test results
Switch routing table under normal conditions
[SW]dis ip ro
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 192.168.10.1 Vlan10
......
Router routing table under normal conditions
[RT]dis ip ro
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
......
192.168.100.0/24 Static 60 0 192.168.20.1 GE0/0
......
PC (192.168.100.2) tests access to 100.100.100.100
[PC]ping 100.100.100.100
Ping 100.100.100.100 (100.100.100.100): 56 data bytes, press CTRL_C to break
56 bytes from 100.100.100.100: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 100.100.100.100: icmp_seq=1 ttl=253 time=3.000 ms
56 bytes from 100.100.100.100: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 100.100.100.100: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 100.100.100.100: icmp_seq=4 ttl=253 time=4.000 ms
--- Ping statistics for 100.100.100.100 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/3.000/4.000/0.632 ms
The firewall shows a session at this point, which confirms that the traffic passes through the firewall
[FW]dis session table ipv4 source-ip 192.168.100.2 destination-ip 100.100.100.100 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.100.2/225
Destination IP/port: 100.100.100.100/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.10
Source security zone: Trust
Responder:
Source IP/port: 100.100.100.100/225
Destination IP/port: 192.168.100.2/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.20
Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: permit-all
Start time: 2020-04-30 03:10:17 TTL: 26s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
When the firewall fails, the track withdraws the static route
%Apr 30 03:25:36:153 2020 SW NQA/6/NQA_ENTRY_PROBE_RESULT: Reaction entry 1 of NQA entry admin-name fw operation-tag 1: probe-fail.
Track ID: 1
State: Negative
Duration: 0 days 0 hours 0 minutes 15 seconds
Tracked object type: NQA
Notification delay: Positive 0, Negative 0 (in seconds)
Tracked object:
NQA entry: fw 1
Reaction: 1
Remote IP/URL: 192.168.10.1
Local IP: --
Interface: --
%Apr 30 03:25:41:279 2020 RT NQA/6/NQA_ENTRY_PROBE_RESULT: Reaction entry 1 of NQA entry admin-name fw operation-tag 1: probe-fail.
Track ID: 1
State: Negative
Duration: 0 days 0 hours 2 minutes 43 seconds
Tracked object type: NQA
Notification delay: Positive 0, Negative 0 (in seconds)
Tracked object:
NQA entry: fw 1
Reaction: 1
Remote IP/URL: 192.168.20.1
Local IP: --
Interface: --
Looking at the static routes now, the routes on SW and RT have switched over and no longer go through the firewall
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 70 0 192.168.20.3 Vlan20
......
Destinations : 14 Routes : 14
......
192.168.100.0/24 Static 70 0 192.168.20.2 GE0/0
......
The PC can still ping 100.100.100.100
Ping 100.100.100.100 (100.100.100.100): 56 data bytes, press CTRL_C to break
56 bytes from 100.100.100.100: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 100.100.100.100: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 100.100.100.100: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 100.100.100.100: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 100.100.100.100: icmp_seq=4 ttl=254 time=2.000 ms
--- Ping statistics for 100.100.100.100 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
Since the traffic no longer passes through the firewall, there is no session on the firewall
[FW-Route-Aggregation1.10]dis session table ipv4 source-ip 192.168.100.2 destination-ip 100.100.100.100 verbose
Slot 1:
Total sessions found: 0
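The answer above demonstrates the failover from the routing tables and the firewall session table. The model below is an added Python example, not code from the post, that makes the two mechanisms it relies on explicit: the NQA reaction entry (`probe-fail`, `threshold-type consecutive 3`, `trigger-only`), which turns the track object Negative only after three probe failures in a row and back to Positive on the next success (modeled assumption: a successful probe clears the consecutive-failure count), and static-route selection, where a route bound to a Negative track is withdrawn and the remaining route with the lowest preference (60 is the Comware default, 70 the floating route) wins. Addresses and preferences are the posted ones; the probe outcomes are constructed, with the router's probe cycle seeing the failure two seconds after the switch's, because each device runs its own NQA entry and the posted logs show SW flipping at 03:25:36 and RT at 03:25:41.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Track:
    """Track object driven by an NQA reaction entry of type 'probe-fail ... consecutive N'.
    Modeled assumption: one successful probe clears the consecutive-failure count."""
    threshold: int = 3
    failures: int = 0
    positive: bool = True

    def probe(self, ok: bool) -> bool:
        """Feed one probe result; returns the track state after it (True = Positive)."""
        self.failures = 0 if ok else self.failures + 1
        self.positive = self.failures < self.threshold
        return self.positive

@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int = 60               # Comware default for static routes, as in the posted tables
    track: Optional[Track] = None

    def valid(self) -> bool:
        return self.track is None or self.track.positive   # a Negative track withdraws the route

@dataclass
class Device:
    name: str
    routes: List[StaticRoute] = field(default_factory=list)

    def best(self, prefix: str) -> Optional[str]:
        """Active next hop: lowest preference among the routes for prefix that are still valid."""
        cands = [r for r in self.routes if r.prefix == prefix and r.valid()]
        return min(cands, key=lambda r: r.preference).next_hop if cands else None

# Addresses as posted: the switch probes the firewall's RAGG1.10, the router probes its RAGG1.20.
FW_SW, FW_RT, ROUTER, SWITCH = "192.168.10.1", "192.168.20.1", "192.168.20.3", "192.168.20.2"

def build():
    """The two devices with the posted static routes; each has its own track 1 / nqa entry fw 1."""
    sw_t, rt_t = Track(), Track()
    sw = Device("SW", [StaticRoute("0.0.0.0/0", FW_SW, 60, sw_t),           # ... track 1
                       StaticRoute("0.0.0.0/0", ROUTER, 70)])               # ... preference 70
    rt = Device("RT", [StaticRoute("192.168.100.0/24", FW_RT, 60, rt_t),
                       StaticRoute("192.168.100.0/24", SWITCH, 70)])
    return sw, rt, sw_t, rt_t

def simulate(sw_probes, rt_probes):
    """One probe per second per device (frequency 100 centiseconds). Per tick returns
    (t, SW next hop toward the internet, RT next hop toward 192.168.100.0/24, symmetric),
    where symmetric means both directions pass the firewall or both bypass it."""
    sw, rt, sw_t, rt_t = build()
    timeline = []
    for t, (s_ok, r_ok) in enumerate(zip(sw_probes, rt_probes)):
        sw_t.probe(s_ok)
        rt_t.probe(r_ok)
        fwd, rev = sw.best("0.0.0.0/0"), rt.best("192.168.100.0/24")
        timeline.append((t, fwd, rev, (fwd == FW_SW) == (rev == FW_RT)))
    return timeline

def asymmetric_ticks(timeline):
    """Seconds in which one direction already bypasses the firewall while the other still uses it."""
    return [t for t, _, _, sym in timeline if not sym]

# Constructed probe outcomes: the firewall stops answering at t=3 and is back at t=12; the router's
# probe cycle is offset and sees the first failure two seconds later (the posted logs show SW
# flipping at 03:25:36 and RT at 03:25:41, a skew of the same kind).
OK, FAIL = True, False
SW_PROBES = [OK, OK, OK, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, OK, OK]
RT_PROBES = [OK, OK, OK, OK, OK, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, OK, OK]

if __name__ == "__main__":
    for t, fwd, rev, sym in simulate(SW_PROBES, RT_PROBES):
        print(f"t={t:2d}s  SW 0.0.0.0/0 -> {str(fwd):13}  RT 192.168.100.0/24 -> {str(rev):13}  "
              f"{'ok' if sym else 'ASYMMETRIC'}")
```

Two things the timeline makes visible. First, because the switch and the router track the firewall independently, there is a window (t=5 and t=6 in the constructed run) in which the switch already sends traffic to the router while the router still hands return traffic to 192.168.20.1; with a dead firewall that return traffic is lost until the router's own threshold is reached, and a single lost probe (t=3, t=4) changes nothing, which is what `consecutive 3` buys. Second, the fallback is fail-open by design: once both tracks are Negative the session table on the firewall is empty, exactly as the last output above shows, so the floating routes should only exist where bypassing the firewall is an accepted outcome; without them the same failure is an outage rather than an unfiltered path. An ICMP probe to the firewall's own interface also only proves that the interface answers, not that the firewall forwards, so probing an address on the far side of the firewall is the stronger check.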