| Device | Interface | Security zone | IP address |
|---|---|---|---|
| FW1 | GE0/0/0 | Local | 192.168.0.10/24 |
| FW1 | GE1/0/0 | Local | 202.100.2.10/24 |
| FW1 | GE1/0/1 | Local | 202.100.1.10/24 |
| FW1 | GE1/0/2 | Local | 10.1.1.10/24 |
| FW1 | GE1/0/3 | Local | 10.1.2.10/24 |
| FW1 | GE1/0/4 | Local | 10.1.3.10/24 |
| FW1 | GE1/0/5 | Local | 192.168.34.10/24 |
| ISP1 | GE0/0/0 | untrust | 11.1.1.20/24 |
| ISP1 | GE0/0/1 | untrust | 202.100.1.20/24 |
| ISP1 | Loopback0 | untrust | 1.1.1.1/32 |
| ISP1 | Loopback1 | untrust | 2.2.2.2/32 |
| ISP2 | GE0/0/0 | untrust | 12.1.1.20/24 |
| ISP2 | GE0/0/1 | untrust | 202.100.2.20/24 |
| ISP2 | Loopback0 | untrust | 3.3.3.3/32 |
| ISP2 | Loopback1 | untrust | 4.4.4.4/32 |
| Internet | GE0/0/0 | untrust | 11.1.1.30/24 |
| Internet | GE0/0/1 | untrust | 12.1.1.30/24 |
| Internet | GE0/0/2 | untrust | 120.1.1.30/24 |
| http_server | Ethernet0/0/0 | untrust | 120.1.1.2/24 |
| DMZ_Server | Ethernet0/0/0 | dmz | 192.168.34.1/24 |
| kali_linux | Ethernet0/0/0 | trust | 10.1.1.1/24 |
| PC1 | Ethernet0/0/0 | trust | 10.1.2.1/24 |
| PC2 | Ethernet0/0/0 | trust | 10.1.3.1/24 |
| MGMT_PC | Ethernet0/0/0 | trust | 192.168.0.1/24 |
Policy-based routing (PBR) is a mechanism that, once a routing table already exists, forwards packets not according to that table but according to policies defined by the administrator. PBR does not replace the routing table; it takes effect before the routing table is consulted and specifies the forwarding direction for particular traffic.
PBR can match on:
· source security zone, inbound interface, IP address
· service type, application type, user
Actions after a match:
· apply policy routing
· send the packet to a specified next hop
· send the packet out a specified interface
· do not apply policy routing
The match conditions single out the traffic that should be policy-routed. One PBR rule can contain several match conditions, which are ANDed together: a packet must satisfy all of them before the forwarding action is executed.
Advantages of PBR:
· On the firewall it can be configured per user, service, application and time range.
In this lab, PBR is configured so that kali_linux reaches the Internet server through ISP1 while the other PCs go through ISP2. When ISP1 or ISP2 becomes unreachable, traffic can still reach the Internet through the other ISP.
```
<Huawei>system-view
[Huawei]sysname ISP1
[ISP1]user-interface con 0
[ISP1-ui-console0]idle-timeout 0 0
[ISP1]interface GigabitEthernet 0/0/0
[ISP1-GigabitEthernet0/0/0]ip address 11.1.1.20 24
[ISP1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]ip address 202.100.1.20 24
[ISP1-GigabitEthernet0/0/1]interface Loopback 0
[ISP1-LoopBack0]ip address 1.1.1.1 32
[ISP1-LoopBack0]interface Loopback 1
[ISP1-LoopBack1]ip address 2.2.2.2 32
[ISP1-LoopBack1]ip route-static 0.0.0.0 0 11.1.1.30
```
```
<Huawei>system-view
[Huawei]sysname ISP2
[ISP2]user-interface con 0
[ISP2-ui-console0]idle-timeout 0 0
[ISP2-ui-console0]interface GigabitEthernet 0/0/0
[ISP2-GigabitEthernet0/0/0]ip address 12.1.1.20 24
[ISP2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]ip address 202.100.2.20 24
[ISP2-GigabitEthernet0/0/1]interface Loopback 0
[ISP2-LoopBack0]ip address 3.3.3.3 32
[ISP2-LoopBack0]interface Loopback 1
[ISP2-LoopBack1]ip address 4.4.4.4 32
[ISP2-LoopBack1]ip route-static 0.0.0.0 0 12.1.1.30
```
```
<Huawei>system-view
[Huawei]sysname Internet
[Internet]user-interface con 0
[Internet-ui-console0]idle-timeout 0 0
[Internet-ui-console0]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip address 11.1.1.30 24
[Internet-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 12.1.1.30 24
[Internet-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip route-static 202.100.1.0 24 11.1.1.20
[Internet]ip route-static 1.1.1.1 32 11.1.1.20
[Internet]ip route-static 2.2.2.2 32 11.1.1.20
[Internet]ip route-static 202.100.2.0 24 12.1.1.20
[Internet]ip route-static 3.3.3.3 32 12.1.1.20
[Internet]ip route-static 4.4.4.4 32 12.1.1.20
```
The HTTP server is a VMware Workstation VM bridged into eNSP, with a simple HTTP service configured.
MGMT_PC is my local physical machine bridged into eNSP; it manages FW1 graphically through a browser.
```
<USG6000V1>system-view
[USG6000V1]sysname FW1
[FW1]user-interface con 0
[FW1-ui-console0]idle-timeout 0 0
[FW1-ui-console0]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.10 24
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 202.100.2.10 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 202.100.1.10 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.10 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.2.10 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]interface GigabitEthernet 1/0/4
[FW1-GigabitEthernet1/0/4]ip address 10.1.3.10 24
[FW1-GigabitEthernet1/0/4]service-manage ping permit
[FW1-GigabitEthernet1/0/4]interface GigabitEthernet 1/0/5
[FW1-GigabitEthernet1/0/5]ip address 192.168.34.10 24
[FW1-GigabitEthernet1/0/5]service-manage ping permit
[FW1-GigabitEthernet1/0/5]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]add interface GigabitEthernet 1/0/4
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/5
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
```
① The PBR rule that steers kali_linux is demonstrated with the CLI
1. Configure IP-Link, specifying the outbound interface and next hop; ICMP probes check whether each ISP is alive
```
[FW1]ip-link check enable
[FW1]ip-link name isp1
[FW1-iplink-isp1]destination 202.100.1.20 interface GigabitEthernet 1/0/1 mode icmp
[FW1]ip-link name isp2
[FW1-iplink-isp2]destination 202.100.2.20 interface GigabitEthernet 1/0/0 mode icmp
```
2. Configure PBR: kali_linux sits in the trust zone on 10.1.1.0/24; the rule tracks IP-Link isp1 to monitor whether ISP1 is alive, and sets the egress interface to GE1/0/1 with next hop 202.100.1.20.
```
[FW1]policy-based-route
[FW1-policy-pbr]rule name kali_linux
[FW1-policy-pbr-rule-kali_linux]source-zone trust
[FW1-policy-pbr-rule-kali_linux]source-address 10.1.1.0 24
[FW1-policy-pbr-rule-kali_linux]track ip-link isp1
[FW1-policy-pbr-rule-kali_linux]action pbr egress-interface GigabitEthernet 1/0/1 next-hop 202.100.1.20
```
② The PBR rule that steers PC2 is demonstrated with the GUI
1. Create a new PBR rule named PC2, security zone trust, source address 10.1.2.0/24.
2. Define the action: forward out interface GE1/0/0 to next hop 202.100.2.20, and track IP-Link to monitor whether the peer is alive.
The default route toward ISP1 gets preference 70 and the one toward ISP2 preference 60; both are tied to IP-Link. While its IP-Link is up, the preference-60 route is the active one, so all other hosts reach the Internet through ISP2 by default. When ISP2 becomes unreachable, the other hosts can reach the Internet through ISP1.
```
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 1/0/0 202.100.2.20 track ip-link isp2
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 1/0/1 202.100.1.20 preference 70 track ip-link isp1
```
```
[FW1]ip address-set pc type object
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
[FW1-object-address-set-pc]address 10.1.3.0 mask 24
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]source-address address-set pc
[FW1-policy-security-rule-trust_untrust]action permit
```
```
[FW1]nat-policy
[FW1-policy-nat]rule name easy-ip
[FW1-policy-nat-rule-easy-ip]source-zone trust
[FW1-policy-nat-rule-easy-ip]destination-zone untrust
[FW1-policy-nat-rule-easy-ip]source-address address-set pc
[FW1-policy-nat-rule-easy-ip]action source-nat easy-ip
```
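As an added example (not part of the original lab or Huawei's software), here is a small Python model of the forwarding decision the configuration above produces: PBR rules tied to IP-Link are tried first, and when a rule's tracked link is down the packet falls through to the routing table, where the two tracked default routes compete by preference. The rule, route and address values are copied from the lab; `select_egress`, the `iplink_up` dictionary and the dataclasses are my own constructions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class PbrRule:
    name: str
    zone: str        # source-zone
    source: str      # source-address prefix
    track: str       # ip-link the rule is tied to
    egress: str
    next_hop: str


@dataclass
class StaticRoute:
    egress: str
    next_hop: str
    preference: int = 60          # VRP default preference for a static route
    track: Optional[str] = None   # ip-link the route is tied to, if any


# Values copied from the lab configuration above.
PBR_RULES = [
    PbrRule("kali_linux", "trust", "10.1.1.0/24", "isp1", "GE1/0/1", "202.100.1.20"),
    PbrRule("PC2", "trust", "10.1.2.0/24", "isp2", "GE1/0/0", "202.100.2.20"),
]
DEFAULT_ROUTES = [
    StaticRoute("GE1/0/0", "202.100.2.20", 60, "isp2"),
    StaticRoute("GE1/0/1", "202.100.1.20", 70, "isp1"),
]


def select_egress(src_zone, src_ip, iplink_up, rules=PBR_RULES, routes=DEFAULT_ROUTES):
    """Return (egress, next_hop, reason) for a packet from src_zone/src_ip.

    iplink_up maps ip-link name -> bool. PBR is consulted first; a matching rule
    whose tracked ip-link is down is skipped, so the packet falls through to the
    routing table, where only routes whose track is up are active and the lowest
    preference wins.
    """
    addr = ip_address(src_ip)
    for r in rules:
        if r.zone == src_zone and addr in ip_network(r.source) and iplink_up.get(r.track, False):
            return r.egress, r.next_hop, "pbr:" + r.name
    active = [rt for rt in routes if rt.track is None or iplink_up.get(rt.track, False)]
    if not active:
        return None, None, "no route"
    best = min(active, key=lambda rt: rt.preference)
    return best.egress, best.next_hop, "static:pref%d" % best.preference
```

Calling `select_egress` with `isp1` marked down shows why kali_linux keeps working in verification step 4: its PBR rule is skipped and the preference-60 route through ISP2 carries the traffic.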
1. Check the IP-Link status
2. Check the routing table
3. Check the session table: kali_linux goes out through ISP1, PC1 through ISP2.
4. Disconnect the ISP1 link; kali_linux's Internet access is not noticeably affected. Check the session table, routing table and IP-Link status.
5. Restore the ISP1 link, disconnect the ISP2 link and observe the result.