Huawei policy-based routing with equal-cost routes: Huawei firewall policy-based routing configuration and approach

Published: 2024/7/23

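Huawei: policy-based routing (campus network configuration)

Purpose: policy-based routing examines the source and destination addresses of each packet and, according to the policy rules, selects a different gateway to forward it. This provides redundancy and load sharing, but each flow still runs at the speed of a single link: the traffic is only steered in different directions, the links are not aggregated.

The topology is as follows:

Configuration approach:

Configuration commands:

1. LSW1 configuration: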

[Huawei]vlan 10

[Huawei-vlan10]vlan 20

[Huawei-vlan20]quit

[Huawei]int e0/0/2

[Huawei-Ethernet0/0/2]port link-type access

[Huawei-Ethernet0/0/2]port default vlan 10 //assign the port to VLAN 10

[Huawei]int e0/0/3

[Huawei-Ethernet0/0/3]port link-type access //set the port type to access mode

[Huawei-Ethernet0/0/3]port default vlan 20 //assign the port to VLAN 20

[Huawei]int e0/0/1

[Huawei-Ethernet0/0/1]port link-type trunk //set the port to trunk mode

[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all //allow all VLANs through

2. AR1 configuration:

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip add 1.0.0.1 255.255.255.0

[Huawei-GigabitEthernet0/0/0]undo shutdown

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add 4.0.0.2 255.255.255.0

[Huawei-GigabitEthernet0/0/1]undo shutdown

[Huawei]int g0/0/2

[Huawei-GigabitEthernet0/0/2]ip add 3.0.0.1 255.255.255.0

[Huawei-GigabitEthernet0/0/2]undo shutdown

[Huawei-GigabitEthernet0/0/2]quit

Configure OSPF, with the networks in area 0

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network 1.0.0.0 0.0.0.255

[Huawei-ospf-1-area-0.0.0.0]network 3.0.0.0 0.0.0.255

[Huawei-ospf-1-area-0.0.0.0]network 4.0.0.0 0.0.0.255

3. AR3 configuration:

<Huawei>sys

Enter system view, return user view with Ctrl+Z.

[Huawei]undo info-center enable //stop the information center from sending debug/alarm/log messages to the console

Info: Information center is disabled.

[Huawei]int g0/0/0

[Huawei-GigabitEthernet0/0/0]ip add 3.0.0.2 255.255.255.0

[Huawei-GigabitEthernet0/0/0]undo shutdown

[Huawei-GigabitEthernet0/0/0]quit

[Huawei]int g0/0/1

[Huawei-GigabitEthernet0/0/1]ip add 2.0.0.1 255.255.255.0

[Huawei-GigabitEthernet0/0/1]undo shutdown

[Huawei-GigabitEthernet0/0/1]quit

[Huawei]int g0/0/2

[Huawei-GigabitEthernet0/0/2]ip add 5.0.0.2 255.255.255.0

[Huawei-GigabitEthernet0/0/2]undo shutdown

[Huawei-GigabitEthernet0/0/2]quit

Configure OSPF, with the networks in area 0

[Huawei]ospf 1

[Huawei-ospf-1]area 0

[Huawei-ospf-1-area-0.0.0.0]network 3.0.0.0 0.0.0.255

[Huawei-ospf-1-area-0.0.0.0]network 5.0.0.0 0.0.0.255

[Huawei-ospf-1-area-0.0.0.0]network 2.0.0.0 0.0.0.255

[Huawei-ospf-1-area-0.0.0.0]quit

4. (USG5500) FW1 configuration:

<SRG>sys

11:46:33  2020/03/03

Enter system view, return user view with Ctrl+Z.

[SRG]undo info-center enable //stop the information center from sending debug/alarm/log messages to the console

[SRG]int g0/0/2

[SRG-GigabitEthernet0/0/2]ip add 4.0.0.1 255.255.255.0

[SRG-GigabitEthernet0/0/2]undo shutdown

[SRG]int g0/0/3

[SRG-GigabitEthernet0/0/3]ip add 5.0.0.1 255.255.255.0

[SRG-GigabitEthernet0/0/3]undo shutdown

[SRG]int g0/0/1.10

[SRG-GigabitEthernet0/0/1.10]description vlan 10 //label the sub-interface as belonging to VLAN 10

[SRG-GigabitEthernet0/0/1.10]vlan-type dot1q 10 //802.1Q encapsulation, VLAN ID 10

[SRG-GigabitEthernet0/0/1.10]ip add 192.168.1.1 255.255.255.0

[SRG-GigabitEthernet0/0/1.10]undo shutdown

[SRG]int g0/0/1.20

[SRG-GigabitEthernet0/0/1.20]description vlan 20 //label the sub-interface as belonging to VLAN 20

[SRG-GigabitEthernet0/0/1.20]vlan-type dot1q 20 //802.1Q encapsulation, VLAN ID 20

[SRG-GigabitEthernet0/0/1.20]ip add 192.168.2.1 255.255.255.0

[SRG-GigabitEthernet0/0/1.20]undo shutdown

[SRG]firewall zone trust //enter the trust zone

[SRG-zone-trust]add interface GigabitEthernet 0/0/1.10 //add the interface to trust (internal network)

[SRG-zone-trust]add interface GigabitEthernet 0/0/1.20

[SRG]firewall zone untrust //enter the untrust zone

[SRG-zone-untrust]add interface GigabitEthernet 0/0/2 //add the interface to untrust (external network)

[SRG-zone-untrust]add interface GigabitEthernet 0/0/3

1) Policy rules

[SRG]policy interzone trust untrust outbound //define the outbound rules from the trust zone to the untrust zone

[SRG-policy-interzone-trust-untrust-outbound]policy 1 //define rule number 1

[SRG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.0 0.0.0.255 //define the source address

[SRG-policy-interzone-trust-untrust-outbound-1]action permit //the action is permit

[SRG-policy-interzone-trust-untrust-outbound-1]quit

[SRG-policy-interzone-trust-untrust-outbound]policy 2 //define rule number 2

[SRG-policy-interzone-trust-untrust-outbound-2]policy source 192.168.2.0 0.0.0.255 //define the source address

[SRG-policy-interzone-trust-untrust-outbound-2]action permit //the action is permit

[SRG-policy-interzone-trust-untrust-outbound-2]quit

2) NAT translation

[SRG]nat-policy interzone trust untrust outbound //NAT applies to traffic from the trust zone to the untrust zone

[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1 //policy rule number 1

[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.0 0.0.0.255 //source address the rule applies to

[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat //the action is source NAT

[SRG-nat-policy-interzone-trust-untrust-outbound-1]easy-ip g0/0/2 //configure PAT (Easy IP) using this interface's address

[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit

[SRG-nat-policy-interzone-trust-untrust-outbound]policy 2 //policy rule number 2

[SRG-nat-policy-interzone-trust-untrust-outbound-2]policy source 192.168.2.0 0.0.0.255 //define the source address

[SRG-nat-policy-interzone-trust-untrust-outbound-2]action source-nat //the action is source NAT

[SRG-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/3 //configure PAT

3) Create access control lists that match the internal address ranges

[SRG]acl number 2000 //define ACL number 2000

[SRG-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255 //rule 10 permits 192.168.1.0

[SRG-acl-basic-2000]quit

[SRG]acl number 2001 //define ACL number 2001

[SRG-acl-basic-2001]rule 10 permit source 192.168.2.0 0.0.0.255 //rule 10 permits 192.168.2.0

[SRG-acl-basic-2001]quit

4) Create the policy-based route

[SRG]policy-based-route clly permit node 5 //policy-based route named clly, node 5

[SRG-policy-based-route-clly-5]if-match acl 2000 //match the ACL for the internal range 192.168.1.0

[SRG-policy-based-route-clly-5]apply ip-address next-hop 4.0.0.2 //set the next-hop address to 4.0.0.2

[SRG-policy-based-route-clly-5]quit

[SRG]policy-based-route clly permit node 20 //policy-based route named clly, node 20

[SRG-policy-based-route-clly-20]if-match acl 2001 //match the ACL for the internal range 192.168.2.0

[SRG-policy-based-route-clly-20]apply ip-address next-hop 5.0.0.2 //set the next-hop address to 5.0.0.2

[SRG-policy-based-route-clly-20]quit

5) Configure link checks for the egress interfaces and gateways

[SRG]ip-link check enable //enable link checking

12:17:59  2020/03/03

[SRG]ip-link 1 destination 4.0.0.2 interface g0/0/2 //entry 1: probe destination 4.0.0.2 out of interface g0/0/2

[SRG]ip-link 2 destination 5.0.0.2 interface g0/0/3 //entry 2: probe destination 5.0.0.2 out of interface g0/0/3

[SRG]display ip-link //show the link-check table

num state timer vpn-instance     ip-address      interface-name  mode  vgmp  next-hop

1   up    3                      4.0.0.2         GE0/0/2         icmp  none

2   up    3                      5.0.0.2         GE0/0/3         icmp  none

6) Configure static routes

[SRG]ip route-static 0.0.0.0 0.0.0.0 4.0.0.2 track ip-link 1 //bind the link check to this default route entry

[SRG]ip route-static 0.0.0.0 0.0.0.0 5.0.0.2 track ip-link 2

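7) Verification

Use Client 2 to access the web service on Server 1 and on Server 2, and capture packets at points A and B.

1) When accessing Server 1

a) The capture at point A shows no packets from Client 2

b) The capture at point B shows Client 2's packets, with the IP address already replaced by 5.0.0.1

2) When accessing Server 2

a) The capture at point A shows no packets from Client 2

b) The capture at point B shows Client 2's packets, with the address already replaced by 5.0.0.1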
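
A consistency check for the FW1 steps above, added here as an example and not part of the original article: it confirms that each policy-based-route next hop leaves through the same interface whose address Easy IP uses for that source subnet, since a mismatch would translate packets to an address that belongs to the other uplink. The function name `audit` and the `CONFIG` sample (the page's commands with prompts stripped, reduced to the lines the check reads) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: FW1 commands from this page with the CLI prompts stripped.
CONFIG = """\
int g0/0/2
ip add 4.0.0.1 255.255.255.0
int g0/0/3
ip add 5.0.0.1 255.255.255.0
policy source 192.168.1.0 0.0.0.255
action source-nat
easy-ip g0/0/2
policy source 192.168.2.0 0.0.0.255
action source-nat
easy-ip g0/0/3
acl number 2000
rule 10 permit source 192.168.1.0 0.0.0.255
acl number 2001
rule 10 permit source 192.168.2.0 0.0.0.255
if-match acl 2000
apply ip-address next-hop 4.0.0.2
if-match acl 2001
apply ip-address next-hop 5.0.0.2
"""

def audit(cfg):
    """Return findings where a PBR node's egress link differs from its NAT link."""
    # ip_interface accepts both subnet masks and wildcard (host) masks.
    net = lambda a, m: ipaddress.ip_interface(f"{a}/{m}").network
    ifnet = {i: net(a, m) for i, a, m in
             re.findall(r"int (\S+)\nip add (\S+) (\S+)", cfg)}
    nat = {net(a, w): i for a, w, i in
           re.findall(r"policy source (\S+) (\S+)\naction source-nat\neasy-ip (\S+)", cfg)}
    acl = {n: net(a, w) for n, a, w in
           re.findall(r"acl number (\d+)\nrule \d+ permit source (\S+) (\S+)", cfg)}
    findings = []
    for num, hop in re.findall(r"if-match acl (\d+)\napply ip-address next-hop (\S+)", cfg):
        # Egress interface = the one whose connected subnet contains the next hop.
        out = next((i for i, n in ifnet.items() if ipaddress.ip_address(hop) in n), None)
        if out is None:
            findings.append(f"acl {num}: next hop {hop} is not on a connected subnet")
        elif nat.get(acl[num]) != out:
            findings.append(f"acl {num}: routed out {out} but NAT uses {nat.get(acl[num])}")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "PBR next hops and Easy IP interfaces agree")
```

An empty result for the page's configuration matches the capture in step 7, where Client 2's traffic appears at point B already translated to 5.0.0.1.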
