扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
作者:51CTO.COM 2007年10月24日
关键字: 路由 防火墙 Secpath1000F H3C
一、 组网需求:
当防火墙有双公网出口时,根据用户的源地址或者需要访问目的地址来选择防火墙的转发出口,从而实现路由选择。
二、 配置步骤:
适用版本:Secpath1800F 所有VRP版本
acl number 2001rule 0 permit source 10.1.0.0 0.0.255.255
acl number 3001 // 定义与策略路由相关的
aclrule 0 deny ip source 10.1.1.0 0.0.0.255 // 10.1.1.0 网段不作策略路由
rule 5 permit ip source 10.1.2.0 0.0.0.255 // 源地址为10.1.2.0 的网段做策略路由
rule 10 permit ip destination 202.96.199.0 0.0.0.255// 目的地址为202.96.199.0 的网段做策略路由
sysname Eudemon
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outboun
dfirewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local test direction inbound
firewall packet-filter default permit interzone local test direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outboun
dfirewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust test direction inbound
firewall packet-filter default permit interzone trust test direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone test untrust direction inbound
firewall packet-filter default permit interzone test untrust direction outbound
firewall packet-filter default permit interzone test dmz direction inbound
firewall packet-filter default permit interzone test dmz direction outbound
nat address-group 2 2.2.2.10 2.2.2.10nat address-group 4 4.4.4.10 4.4.4.10
firewall mode route
firewall statistic system enable
traffic classifier test // 定义traffic 名字 及感兴趣数据流if-match acl 3001
traffic behavior test_do // 定义策略路由的转发出口及地址
remark ip-nexthop 4.4.4.2 output-interface Ethernet1/0/4 // 地址 4.4.4.2 为相应的网关地址
qos policy po_ro // 定义相应的策略路由组classifier test behavior test_do
interface Aux0async mode flowlink-protocol ppp
interface Ethernet0/0/0
interface Ethernet0/0/1
interface Ethernet1/0/0
interface Ethernet1/0/1ip address 192.168.1.254 255.255.255.0
interface Ethernet1/0/2ip address 2.2.2.1 255.255.255.0
interface Ethernet1/0/3
interface Ethernet1/0/4ip address 4.4.4.1 255.255.255.0
interface Ethernet1/0/5
interface Ethernet1/0/6
interface Ethernet1/0/7
interface NULL0
firewall zone localset priority 100
firewall zone trustset priority 85qos apply policy po_ro outbound // 在相应的域上绑定策略路由add interface Ethernet1/0/1
firewall zone untrustset priority 5add interface Ethernet1/0/2
firewall zone dmzset priority 50
firewall zone name testset priority 75add interface Ethernet1/0/4
firewall interzone local trust
firewall interzone local untrust
firewall interzone local dmz
firewall interzone local test
firewall interzone trust untrustnat outbound 2001 address-group 2
firewall interzone trust dmz
firewall interzone trust testnat outbound 2001 address-group 4
firewall interzone dmz untrust
firewall interzone test untrust
firewall interzone test dmz
aaaauthentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 // 定义默认路由
ip route-static 10.1.0.0 255.255.0.0 192.168.1.133
user-interface con 0
user-interface aux 0
user-interface vty 0 4
三、 配置关键点:
配置策略路由时,主要要打开做相应的策略路由的域之间的规则。特别要注意的是,对于Version 3.30 Release 0336 以前的版本,存在策略路由根据默认路由域之间的规则来决定是否允许转发的问题。
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者