H3C防火墙PBR策略路由旁挂部署实验

网络拓扑

防火墙PBR策略路由旁挂方式 相比VPN实例旁挂的优势是 新增设备时 减少网络中断时间 是目前较为常见的一种旁挂方式
流量转发路径为 PCA -> S2 -> S1(VLANIF101) -> F1(VLAN101) -> F1(VLAN102) -> S1(VLAN102) -> R1
项目实施前 思考以下几点问题

1. 引流来回路径需一致
2. 华三快速转发负载机制
3. S1上行与下行属于同一OSPF区域是否可行？
4. 防火墙RBM双机热备部署
5. 双向PBR部署的位置

S1配置

# 创建VLAN
vlan 10 100 101 102

# 创建OSPF进程
ospf 1 route-id 2.2.2.2

# 划分VLAN
interface GigabitEthernet1/0/1
 port access vlan 10
#
interface GigabitEthernet1/0/2
 port access vlan 100
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 101 to 102
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 101 to 102

# 配置互联地址
interface Vlan-interface10
 ip address 10.10.10.254 255.255.255.0
 ospf 1 area 0.0.0.1
#
interface Vlan-interface100
 ip address 192.168.100.254 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface Vlan-interface101
 ip address 192.168.101.254 255.255.255.0
 ospf 1 area 0.0.0.0
#
interface Vlan-interface102
 ip address 192.168.102.254 255.255.255.0
 ospf 1 area 0.0.0.1

# 匹配流量
acl basic 2000
 rule 0 permit source 192.168.10.0 0.0.0.255
#
acl basic 2001
 rule 0 permit source 1.1.1.1 0
 
# 配置PBR
policy-based-route to-R1 permit node 10
 if-match acl 2000
 apply next-hop 192.168.101.253
#
policy-based-route to-PC permit node 10
 if-match acl 2001
 apply next-hop 192.168.102.253
 
#应用PBR
interface Vlan-interface10
 ip policy-based-route to-PC
#
interface Vlan-interface100
 ip policy-based-route to-R1
 
# 关闭快速转发负载机制
undo ip fast-forwarding load-sharing

F1配置

ospf 1 router-id 4.4.4.4

vlan 101 102

# 配置双机热备
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 192.168.99.1 255.255.255.252
#
remote-backup group
 data-channel interface GigabitEthernet1/0/2
 delay-time 1
 adjust-cost ospf enable absolute 65535
 local-ip 192.168.99.1
 remote-ip 192.168.99.2
 device-role primary

# 划分VLAN
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk permit vlan 1 101 to 102
 
# 配置互联地址
interface Vlan-interface101
 ip address 192.168.101.251 255.255.255.0
 ospf 1 area 0.0.0.0
 vrrp vrid 1 virtual-ip 192.168.101.253 active
#
interface Vlan-interface102
 ip address 192.168.102.251 255.255.255.0
 ospf 1 area 0.0.0.1
 vrrp vrid 1 virtual-ip 192.168.102.253 active
 
# 划分区域
security-zone name Trust
 import interface Vlan-interface101
#
security-zone name DMZ
 import interface GigabitEthernet1/0/2
#
security-zone name Untrust
 import interface Vlan-interface102
 
#
security-policy ip
 rule 0 name ospf
  action pass  
  source-zone loca
  source-zone local
  source-zone untrust
  source-zone trust
  destination-zone trust
  destination-zone untrust
  destination-zone local
  service ospf
 rule 1 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
 rule 2 name Untrust>Trust
  action pass
  source-zone untrust
  source-zone trust

快速转发负载分担导致三层环路

OSPF必须不同区域

如果VLANIF101与VLAN102属于同一区域 那么S1与F1之间存在负载分担 也就是S1数据可能是通过VLAN102转发给防火墙 然后防火墙通过VLAN101转发给S1 但是VLAN101属于Trust VLAN102属于Untrust 不符合目前网络规划目的