NGFW ISP Routing (ISP-based path selection)
1. Topology

2. Requirements
By configuring ISP address libraries, ISP routing lets a large number of routes be installed so that each destination takes the optimal path. For 1.1.1.1 and 2.2.2.2 the optimal next hop is ISP1; for 3.3.3.3 and 4.4.4.4 the optimal next hop is ISP2. When a link fails, communication is restored over the backup link.
3. Interface-level configuration
3.1 Configure the ISP address library
1. Edit the address library file

2. Upload the address library file

Alternatively, the command #ips name isp_file2 set filename file2.csv designates the uploaded file as an ISP address library.
3.2 Configure health check
[FW1]healthcheck enable
[FW1]healthcheck name isp1
[FW1-healthcheck-isp1]destination 202.100.1.254 interface GigabitEthernet 0/0/2 protocol icmp
[FW1-healthcheck-isp1]tx-interval 3
[FW1-healthcheck-isp1]times 2
[FW1]healthcheck name isp2
[FW1-healthcheck-isp2]destination 202.100.2.254 interface GigabitEthernet 0/0/3 protocol icmp
[FW1-healthcheck-isp2]tx-interval 3
[FW1-healthcheck-isp2]times 2
3.3 Configure ISP routing under the interfaces
[FW1-GigabitEthernet0/0/2]healthcheck isp1
[FW1-GigabitEthernet0/0/2]gateway 202.100.1.254
[FW1]interface-group 0 isp isp_file1
[FW1-interface-isp-group-0]add interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/3]healthcheck isp2
[FW1-GigabitEthernet0/0/3]gateway 202.100.2.254
[FW1]interface-group 1 isp isp_file2
[FW1-interface-isp-group-1]add interface GigabitEthernet 0/0/3
3.4 Verification
1. View the routing table

2. Have PC1 communicate with 1.1.1.1 and PC2 with 3.3.3.3, then view the session table. Traffic to 1.1.1.1 leaves via ISP1; traffic to 3.3.3.3 leaves via ISP2.
icmp VPN: public --> public ID: a587fa5cb1d507f184634049f3
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
Recv Interface: Eth-Trunk1.1
Interface: GigabitEthernet0/0/2 NextHop: 202.100.1.254
<==packets: 50 bytes: 3,000 ==> packets: 50 bytes: 3,000
10.1.1.1:1[202.100.1.10:2049] --> 1.1.1.1:2048 PolicyName: trust_pc
icmp VPN: public --> public ID: a587fa5cb1a508e275634049ec
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
Recv Interface: Eth-Trunk1.2
Interface: GigabitEthernet0/0/3 NextHop: 202.100.2.254
<==packets: 57 bytes: 3,420 ==> packets: 57 bytes: 3,420
10.1.2.1:1[202.100.2.10:2048] --> 3.3.3.3:2048 PolicyName: trust_pc
3. Disconnect the link between FW1 and ISP1
Health check:
[FW1]display healthcheck
2022-10-07 15:53:57.920 +08:00
Current Total Healthcheck Number : 2
Name    Member  State   Up/Down/Init
isp1    1       down    0 1 0
isp2    1       up      1 0 0
Session table:
icmp VPN: public --> public ID: a587fa5ca72507f18463404b6a
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:19
Recv Interface: Eth-Trunk1.1
Interface: GigabitEthernet0/0/3 NextHop: 202.100.2.254
<==packets: 60 bytes: 3,600 ==> packets: 60 bytes: 3,600
10.1.1.1:1[202.100.2.10:2048] --> 1.1.1.1:2048 PolicyName: trust_pc
icmp VPN: public --> public ID: a587fa5cb1a508e275634049ec
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:18
Recv Interface: Eth-Trunk1.2
Interface: GigabitEthernet0/0/3 NextHop: 202.100.2.254
<==packets: 436 bytes: 26,160 ==> packets: 436 bytes: 26,160
10.1.2.1:1[202.100.2.10:2048] --> 3.3.3.3:2048 PolicyName: trust_pc
Routing table:
[FW1]display ip routing-table
2022-10-07 15:56:10.030 +08:00
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
0.0.0.0/0           Unr     70   0         D     202.100.2.254   GigabitEthernet0/0/3
3.3.3.3/32          Unr     70   0         D     202.100.2.254   GigabitEthernet0/0/3
4.4.4.4/32          Unr     70   0         D     202.100.2.254   GigabitEthernet0/0/3
Result on PC1:

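The session-table checks in 3.4 are done by eye above. The following script, added here as an example and not part of the original post, parses session output in the layout shown above (the two captures are copied from this page and embedded as sample input) and reports, per destination, whether the flow left through the ISP interface required in section 2 or fell back to the other ISP. The expected mapping and the field regexes are this example's own assumptions, derived from the requirement and the captured output.

```python
import re
from typing import Dict, List, NamedTuple

# Required egress per destination, from the requirement in section 2:
# 1.1.1.1 / 2.2.2.2 via ISP1 (GE0/0/2), 3.3.3.3 / 4.4.4.4 via ISP2 (GE0/0/3).
EXPECTED_EGRESS = {
    "1.1.1.1": "GigabitEthernet0/0/2",
    "2.2.2.2": "GigabitEthernet0/0/2",
    "3.3.3.3": "GigabitEthernet0/0/3",
    "4.4.4.4": "GigabitEthernet0/0/3",
}

# Session output captured on this page before the ISP1 link was cut.
NORMAL_OUTPUT = """\
icmp VPN: public --> public ID: a587fa5cb1d507f184634049f3
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
Recv Interface: Eth-Trunk1.1
Interface: GigabitEthernet0/0/2 NextHop: 202.100.1.254
<==packets: 50 bytes: 3,000 ==> packets: 50 bytes: 3,000
10.1.1.1:1[202.100.1.10:2049] --> 1.1.1.1:2048 PolicyName: trust_pc
icmp VPN: public --> public ID: a587fa5cb1a508e275634049ec
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:17
Recv Interface: Eth-Trunk1.2
Interface: GigabitEthernet0/0/3 NextHop: 202.100.2.254
<==packets: 57 bytes: 3,420 ==> packets: 57 bytes: 3,420
10.1.2.1:1[202.100.2.10:2048] --> 3.3.3.3:2048 PolicyName: trust_pc
"""

# Session output captured on this page after the ISP1 link was cut.
FAILOVER_OUTPUT = """\
icmp VPN: public --> public ID: a587fa5ca72507f18463404b6a
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:19
Recv Interface: Eth-Trunk1.1
Interface: GigabitEthernet0/0/3 NextHop: 202.100.2.254
<==packets: 60 bytes: 3,600 ==> packets: 60 bytes: 3,600
10.1.1.1:1[202.100.2.10:2048] --> 1.1.1.1:2048 PolicyName: trust_pc
icmp VPN: public --> public ID: a587fa5cb1a508e275634049ec
Zone: trust --> untrust TTL: 00:00:20 Left: 00:00:18
Recv Interface: Eth-Trunk1.2
Interface: GigabitEthernet0/0/3 NextHop: 202.100.2.254
<==packets: 436 bytes: 26,160 ==> packets: 436 bytes: 26,160
10.1.2.1:1[202.100.2.10:2048] --> 3.3.3.3:2048 PolicyName: trust_pc
"""


class Session(NamedTuple):
    proto: str
    src: str
    dst: str
    egress: str
    nexthop: str
    policy: str


# Each session entry starts with "<proto> VPN:"; split on that boundary.
_SESSION_START = re.compile(r"(?=\b(?:icmp|tcp|udp)\s+VPN:)")

# Pull the fields out of one entry. The lazy ".*?" before "Interface:" skips
# past "Recv Interface: ..." because that one is not followed by "NextHop:".
_FIELDS = re.compile(
    r"(?P<proto>icmp|tcp|udp)\s+VPN:.*?"
    r"Interface:\s+(?P<egress>\S+)\s+NextHop:\s+(?P<nexthop>[\d.]+).*?"
    r"(?P<src>[\d.]+):\d+\[[\d.]+:\d+\]\s+-->\s+(?P<dst>[\d.]+):\d+\s+"
    r"PolicyName:\s+(?P<policy>\S+)",
    re.S,
)


def parse_sessions(text: str) -> List[Session]:
    """Parse every session entry found in a session-table dump."""
    sessions = []
    for chunk in _SESSION_START.split(text):
        m = _FIELDS.search(chunk)
        if m:
            sessions.append(Session(**m.groupdict()))
    return sessions


def check_egress(sessions: List[Session],
                 expected: Dict[str, str] = EXPECTED_EGRESS) -> Dict[str, str]:
    """Map each destination to 'ok', 'backup:<iface>' or 'unknown'."""
    result = {}
    for s in sessions:
        want = expected.get(s.dst)
        if want is None:
            result[s.dst] = "unknown"
        elif s.egress == want:
            result[s.dst] = "ok"
        else:
            result[s.dst] = f"backup:{s.egress}"
    return result


if __name__ == "__main__":
    print("before failure:", check_egress(parse_sessions(NORMAL_OUTPUT)))
    print("after failure: ", check_egress(parse_sessions(FAILOVER_OUTPUT)))
```

Run against the first capture every destination reports `ok`; against the second, 1.1.1.1 reports `backup:GigabitEthernet0/0/3`, which is exactly the failover the test step is meant to confirm. A `backup:` result while the health check still shows both ISPs up would be the sign that the ISP library or interface-group binding is wrong.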
Note:
If the firewall and the ISP are not directly connected, the default route generated by the interface-level ISP routing configuration does not disappear when the link fails, so packets are dropped. The fix is the configuration in 4.1: static routes bound to ip-link.
4. Global configuration
4.1 Configuration
1. Delete the interface-level ISP routing configuration (omitted)
2. Configure IP-Link
[FW1]ip-link check enable
[FW1]ip-link name isp1
[FW1-iplink-isp1]destination 202.100.1.254 interface GigabitEthernet 0/0/2 mode icmp
[FW1-iplink-isp1]tx-interval 3
[FW1-iplink-isp1]times 2
[FW1]ip-link name isp2
[FW1-iplink-isp2]destination 202.100.2.254 interface GigabitEthernet 0/0/3 mode icmp
[FW1-iplink-isp2]tx-interval 3
[FW1-iplink-isp2]times 2
3. Configure the default routes and the ISP routes to point out the two ISP-facing interfaces, each tracking its IP-Link
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 0/0/2 202.100.1.254 track ip-link isp1
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 0/0/3 202.100.2.254 track ip-link isp2
[FW1]ip route-isp isp_file1 interface GigabitEthernet 0/0/2 nexthop 202.100.1.254 preference 59 track ip-link isp1
[FW1]ip route-isp isp_file2 interface GigabitEthernet 0/0/3 nexthop 202.100.2.254 preference 59 track ip-link isp2
4.2 Verification
1. View the routing table
[FW1]display ip routing-table
2022-10-07 16:08:37.230 +08:00
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 21       Routes : 22
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
0.0.0.0/0           Static  60   0         D     202.100.2.254   GigabitEthernet0/0/3
                    Static  60   0         D     202.100.1.254   GigabitEthernet0/0/2
1.1.1.1/32          Unr     59   0         D     202.100.1.254   GigabitEthernet0/0/2
2.2.2.2/32          Unr     59   0         D     202.100.1.254   GigabitEthernet0/0/2
3.3.3.3/32          Unr     59   0         D     202.100.2.254   GigabitEthernet0/0/3
4.4.4.4/32          Unr     59   0         D     202.100.2.254   GigabitEthernet0/0/3
2. Disconnect the link to ISP1. After a short delay the IP-link state changes to down, and both the static route and the ISP routes tracking it are withdrawn. Traffic to 1.1.1.1 and 2.2.2.2 then takes ISP2 and communication is restored.
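To make the selection logic behind 4.1 and 4.2 concrete, here is a small model of the firewall's routing table, added as an example and not code from the original post or from the vendor. It holds the two tracked default routes (preference 60) and the ISP routes (preference 59) from step 3 of 4.1, withdraws every route whose tracked ip-link is down, and resolves a destination by longest prefix first and lowest preference second. The contents of isp_file1 and isp_file2 are constructed from the requirement in section 2, and the lookup order is this example's simplification of the device's behaviour, which is consistent with the routing table shown in 4.2. A route whose `track` is `None` is never withdrawn, which is the failure mode the note at the end of section 3 describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    nexthop: str
    preference: int
    track: Optional[str]  # name of the ip-link this route tracks; None = untracked


# Constructed stand-ins for isp_file1 / isp_file2 (section 2 requirement).
ISP_LIBRARIES = {
    "isp_file1": ["1.1.1.1/32", "2.2.2.2/32"],
    "isp_file2": ["3.3.3.3/32", "4.4.4.4/32"],
}

# Interface, next hop and ip-link each library is bound to in 4.1 step 3.
ISP_BINDING = {
    "isp_file1": ("GigabitEthernet0/0/2", "202.100.1.254", "isp1"),
    "isp_file2": ("GigabitEthernet0/0/3", "202.100.2.254", "isp2"),
}


def build_routing_table() -> List[Route]:
    """Routes equivalent to the 'ip route-static ... track ip-link' and
    'ip route-isp ... preference 59 track ip-link' lines of 4.1."""
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0/2", "202.100.1.254", 60, "isp1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0/3", "202.100.2.254", 60, "isp2"),
    ]
    for lib, prefixes in ISP_LIBRARIES.items():
        iface, nexthop, link = ISP_BINDING[lib]
        for p in prefixes:
            table.append(Route(ipaddress.ip_network(p), iface, nexthop, 59, link))
    return table


def active_routes(table: List[Route], link_state: Dict[str, bool]) -> List[Route]:
    """Drop every route whose tracked ip-link is down; untracked routes stay."""
    return [r for r in table if r.track is None or link_state.get(r.track, False)]


def lookup(table: List[Route], dest: str, link_state: Dict[str, bool]) -> List[Route]:
    """Longest prefix wins; among equal prefixes the lowest preference wins;
    remaining ties are equal-cost candidates (as the two defaults in 4.2)."""
    addr = ipaddress.ip_address(dest)
    cands = [r for r in active_routes(table, link_state) if addr in r.prefix]
    if not cands:
        return []
    best_len = max(r.prefix.prefixlen for r in cands)
    cands = [r for r in cands if r.prefix.prefixlen == best_len]
    best_pref = min(r.preference for r in cands)
    return [r for r in cands if r.preference == best_pref]


def egress(table: List[Route], dest: str, link_state: Dict[str, bool]) -> List[str]:
    """Sorted list of egress interfaces a destination can currently use."""
    return sorted(r.interface for r in lookup(table, dest, link_state))


if __name__ == "__main__":
    table = build_routing_table()
    both_up = {"isp1": True, "isp2": True}
    isp1_down = {"isp1": False, "isp2": True}
    for dest in ("1.1.1.1", "2.2.2.2", "3.3.3.3", "8.8.8.8"):
        print(dest, "both up:", egress(table, dest, both_up),
              "| isp1 down:", egress(table, dest, isp1_down))
```

With both ip-links up, 1.1.1.1 and 2.2.2.2 resolve to GE0/0/2 and 3.3.3.3 to GE0/0/3 through the /32 ISP routes, while an address in neither library (8.8.8.8 is used as a constructed example) gets both defaults as equal-cost candidates. With isp1 down, the /32 routes for 1.1.1.1 and 2.2.2.2 and the GE0/0/2 default are all withdrawn, leaving only the GE0/0/3 default, which is the restored path described in step 2 above.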