Huawei Datacom, dual uplinks: configuring IP-Link linkage with policy-based routing

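To keep the commands short, the security policy here permits everything. In a real production environment, permit only the specified traffic so that production stays secure.
On AR3 and AR4, just configure the interface IPs and the return routes.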

FW1:
[USG6000V1]interface GigabitEthernet0/0/0
            undo shutdown
            ip address 10.0.0.254 255.255.255.0
            service-manage ping permit
[USG6000V1]interface GigabitEthernet1/0/0
            undo shutdown
            ip address 11.0.0.254 255.255.255.0
            service-manage ping permit
[USG6000V1]interface GigabitEthernet1/0/1
            undo shutdown
            ip address 1.1.1.2 255.255.255.0
            service-manage ping permit
[USG6000V1]interface GigabitEthernet1/0/2
            undo shutdown
            ip address 2.2.2.2 255.255.255.0
            service-manage ping permit

[USG6000V1]firewall zone trust
            set priority 85
            add interface GigabitEthernet0/0/0
            add interface GigabitEthernet1/0/0
[USG6000V1]firewall zone untrust
            set priority 5
            add interface GigabitEthernet1/0/1
            add interface GigabitEthernet1/0/2

[USG6000V1]ip-link check enable
[USG6000V1]ip-link name link1
            destination 1.1.1.1 mode icmp
[USG6000V1]ip-link name link2
            destination 2.2.2.1 mode icmp

[USG6000V1]security-policy
            default action permit

[USG6000V1]policy-based-route
            rule name a1 1
             ingress-interface GigabitEthernet0/0/0
             source-address 10.0.0.0 mask 255.255.0.0
             destination-address 11.0.0.0 mask 255.255.0.0
             action no-pbr
            rule name a2 2
             ingress-interface GigabitEthernet0/0/0
             source-address 10.0.0.0 mask 255.255.0.0
             track ip-link link1
             action pbr next-hop 1.1.1.1
            rule name b1 3
             ingress-interface GigabitEthernet1/0/0
             source-address 11.0.0.0 mask 255.255.0.0
             destination-address 10.0.0.0 mask 255.255.0.0
             action no-pbr
            rule name b2 4
             ingress-interface GigabitEthernet1/0/0
             source-address 11.0.0.0 mask 255.255.0.0
             track ip-link link2
             action pbr next-hop 2.2.2.1

[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 track ip-link link1
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 2.2.2.1 track ip-link link2

Test results

1. Normal case

PC1 and PC2 can reach each other; PC1 cannot reach 2.2.2.1; PC1 can reach 1.1.1.1.

Both ip-link states are up.


2. Failure case

Disconnect AR3 as a test: after about 3 seconds the 1.1.1.1 route goes offline and the ip-link state switches from up to down.

PC1 and PC2 can reach each other; PC1 cannot reach 1.1.1.1; PC2 can reach 2.2.2.1. The test succeeds.
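The note at the top says production should permit only specified traffic instead of using `default action permit`. The following is an added example, not part of the original post, of a restrictive security policy for this topology. The rule names are hypothetical, the /24 source ranges are assumed from the two trust interface subnets, and whether the local-zone probe rule is needed depends on the software version (assumption).

```text
# Added example, not the author's configuration; rule names are hypothetical.
# pc_interconnect : PC1 <-> PC2 between the two trust interfaces (assumed /24 subnets)
# pc_to_untrust   : inside hosts out over either uplink; add service lines to narrow further
# iplink_probe    : ICMP probes sent by the firewall itself to the two IP-Link destinations
[USG6000V1]security-policy
            default action deny
            rule name pc_interconnect
             source-zone trust
             destination-zone trust
             source-address 10.0.0.0 mask 255.255.255.0
             source-address 11.0.0.0 mask 255.255.255.0
             destination-address 10.0.0.0 mask 255.255.255.0
             destination-address 11.0.0.0 mask 255.255.255.0
             action permit
            rule name pc_to_untrust
             source-zone trust
             destination-zone untrust
             source-address 10.0.0.0 mask 255.255.255.0
             source-address 11.0.0.0 mask 255.255.255.0
             action permit
            rule name iplink_probe
             source-zone local
             destination-zone untrust
             destination-address 1.1.1.1 mask 255.255.255.255
             destination-address 2.2.2.1 mask 255.255.255.255
             service icmp
             action permit
```

After applying it, check `display ip-link`: if both links show down, the probes are being dropped, and both tracked default routes and both PBR next hops will be withdrawn.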

Author: Zleoco. If you repost this, please credit the source: https://www.zleoco.com/?p=2028
