网络拓扑
防火墙PBR策略路由旁挂方式 相比VPN实例旁挂的优势是 新增设备时 减少网络中断时间 是目前较为常见的一种旁挂方式
流量转发路径为 PCA -> S2 -> S1(VLANIF101) -> F1(VLAN101) -> F1(VLAN102) -> S1(VLAN102) -> R1
项目实施前 思考以下几点问题
- 引流来回路径需一致
- 华三快速转发负载机制
- S1上行与下行属于同一OSPF区域是否可行?
- 防火墙RBM双机热备部署
- 双向PBR部署的位置
S1配置
python
# 创建VLAN
vlan 10 100 101 102
# 创建OSPF进程
ospf 1 route-id 2.2.2.2
# 划分VLAN
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 1 101 to 102
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 101 to 102
# 配置互联地址
interface Vlan-interface10
ip address 10.10.10.254 255.255.255.0
ospf 1 area 0.0.0.1
#
interface Vlan-interface100
ip address 192.168.100.254 255.255.255.0
ospf 1 area 0.0.0.0
#
interface Vlan-interface101
ip address 192.168.101.254 255.255.255.0
ospf 1 area 0.0.0.0
#
interface Vlan-interface102
ip address 192.168.102.254 255.255.255.0
ospf 1 area 0.0.0.1
# 匹配流量
acl basic 2000
rule 0 permit source 192.168.10.0 0.0.0.255
#
acl basic 2001
rule 0 permit source 1.1.1.1 0
# 配置PBR
policy-based-route to-R1 permit node 10
if-match acl 2000
apply next-hop 192.168.101.253
#
policy-based-route to-PC permit node 10
if-match acl 2001
apply next-hop 192.168.102.253
#应用PBR
interface Vlan-interface10
ip policy-based-route to-PC
#
interface Vlan-interface100
ip policy-based-route to-R1
# 关闭快速转发负载机制
undo ip fast-forwarding load-sharingF1配置
kotlin
ospf 1 router-id 4.4.4.4
vlan 101 102
# 配置双机热备
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.99.1 255.255.255.252
#
remote-backup group
data-channel interface GigabitEthernet1/0/2
delay-time 1
adjust-cost ospf enable absolute 65535
local-ip 192.168.99.1
remote-ip 192.168.99.2
device-role primary
# 划分VLAN
interface GigabitEthernet1/0/0
port link-type trunk
port trunk permit vlan 1 101 to 102
# 配置互联地址
interface Vlan-interface101
ip address 192.168.101.251 255.255.255.0
ospf 1 area 0.0.0.0
vrrp vrid 1 virtual-ip 192.168.101.253 active
#
interface Vlan-interface102
ip address 192.168.102.251 255.255.255.0
ospf 1 area 0.0.0.1
vrrp vrid 1 virtual-ip 192.168.102.253 active
# 划分区域
security-zone name Trust
import interface Vlan-interface101
#
security-zone name DMZ
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface Vlan-interface102
#
security-policy ip
rule 0 name ospf
action pass
source-zone loca
source-zone local
source-zone untrust
source-zone trust
destination-zone trust
destination-zone untrust
destination-zone local
service ospf
rule 1 name Trust>Untrust
action pass
source-zone trust
destination-zone untrust
rule 2 name Untrust>Trust
action pass
source-zone untrust
source-zone trust快速转发负载分担导致三层环路
OSPF必须不同区域
如果VLANIF101与VLAN102属于同一区域 那么S1与F1之间存在负载分担 也就是S1数据可能是通过VLAN102转发给防火墙 然后防火墙通过VLAN101转发给S1 但是VLAN101属于Trust VLAN102属于Untrust 不符合目前网络规划目的
