15. Huawei/H3C small and medium-sized enterprise network architecture construction [Firewall routing deployment: default routing, floating routing, NQA or IP-Link, and policy routing, depending on requirements]

Topology

Hands-on walkthrough


Routing deployment [Depending on requirements: default routing, floating routing, NQA or IP-Link, policy routing]

Analysis: In practice there are several different requirements.
1. The customer wants traffic destined for China Telecom to exit via the Telecom link and traffic destined for China Unicom to exit via the Unicom link [this requires a higher firewall version].
2. The customer wants both ISPs fully utilized, with automatic switchover to the other ISP when one ISP fails.
3. The customer wants Telecom by default and Unicom only when Telecom fails [or Unicom carries the VPN traffic while Telecom carries the ISP (Internet) traffic].

Implementation

1. The customer wants Telecom-destined traffic to exit via Telecom and Unicom-destined traffic to exit via Unicom [this requires a higher firewall version]
Note: Meeting this requirement actually needs a very large number of route prefixes: the current address ranges of China Telecom and China Unicom must be known and entered into the routing table as specific routes, so that Telecom destinations are reached via Telecom and Unicom destinations via Unicom. Routers from some small vendors ship with such a routing table built in, so they can offer this function. The current USG version does not integrate it yet; the next-generation firewall (NGFW) reportedly integrates the table and can achieve load balancing. So to implement this requirement you must either know the detailed Telecom and Unicom routes or use the higher version [usable only after Huawei releases it], which at present cannot be achieved.

2. The customer wants both ISPs fully utilized, with automatic switchover to the other ISP when one ISP fails.

Note: This is the approach used most often in practice. It load-balances by intranet network segment: for example, part of the traffic goes to Telecom and the other part to Unicom, NQA or IP-Link is used to detect whether each ISP is up, and policy routing classifies the traffic.

2.1 Policy routing implementation

[USG-GW]acl number 2000
[USG-GW-acl-basic-2000]description Core-A Vrrp master to access internet
[USG-GW-acl-basic-2000]rule permit source 192.168.19.0 0.0.0.255
[USG-GW-acl-basic-2000]rule permit source 192.168.21.0 0.0.0.255

[USG-GW]acl number 2001
[USG-GW-acl-basic-2001]description Core-B vrrp master to access internet
[USG-GW-acl-basic-2001]rule permit source 192.168.20.0 0.0.0.255
Description: Two ACLs are defined, classified by VRRP master: the network segments for which Core-A is VRRP master are placed in ACL 2000, and those for which Core-B is master in ACL 2001. They match the traffic of the different intranet segments and are finally called in the policy route to achieve the effect.

[USG-GW]policy-based-route to-isp permit node 5
[USG-GW-policy-based-route-to-isp-5]if-match acl 2000
[USG-GW-policy-based-route-to-isp-5]apply ip-address next-hop 202.100.1.1

[USG-GW]policy-based-route to-isp permit node 10
[USG-GW-policy-based-route-to-isp-10]if-match acl 2001
[USG-GW-policy-based-route-to-isp-10]apply ip-address next-hop 61.128.1.1
Description: Two policy-route nodes are defined. The first is for Telecom: when ACL 2000 matches, the next hop 202.100.1.1 is applied. The second is for Unicom: when ACL 2001 matches, the next hop 61.128.1.1 is applied. Both must be nodes of the same policy, because an interface can call only one policy route; the policy is finally applied under the VLAN interface.
[USG-GW]interface vlan 1
[USG-GW-Vlanif1]ip policy-based-route to-isp
Description: No direction needs to be specified here; the policy route is applied on the interface where the traffic enters (the source interface).

2.2 IP-Link technology implementation

Note: Everyone assumes NQA can be used, but on the firewall NQA does not support route association, so only IP-Link can be used. IP-Link has a major advantage: it can be linked with policy routing.
[USG-GW]ip-link check enable
[USG-GW]ip-link 1 destination 202.100.1.1 interface g0/0/1 mode icmp
[USG-GW]ip-link 2 destination 61.128.1.1 interface g0/0/2 mode icmp
Description: IP-Link is enabled and two probes are defined. When destination 202.100.1.1 responds to ICMP, IP-Link 1 is UP, otherwise DOWN; IP-Link 2 behaves the same way. Finally the probes are associated with the routes.


Checking the IP-Link status shows that both are now UP.

Extended application [What if you want to probe a DNS name or a dial-up interface?]

[USG-GW]ip-link 3 destination ccieh3c.taobao.com interface g0/0/1
With this, when the domain name cannot be reached via G0/0/1 the link is considered failed. Probing by DNS name requires enabling DNS resolution and defining the DNS server address: dns resolve / dns server xxxx

[USG-GW]ip-link 3 destination ccieh3c.com mode icmp next-hop dialer
This means that in a PPPoE environment the next hop can be specified as the dial interface. Alternatively: ip-link 3 destination ccieh3c.taobao.com interface dialer 0. The destination can be an IP address or a domain name.

2.3 Default route definition

[USG-GW]ip route-static 0.0.0.0 0 202.100.1.1 track ip-link 1
[USG-GW]ip route-static 0.0.0.0 0 61.128.1.1 track ip-link 2
Description: Two default routes are defined, pointing to the Telecom and Unicom next hops respectively. Note that each one is associated with IP-Link.

2.4 Policy and NAT definition

The security policy and NAT were defined earlier, so they are not repeated here.

2.5 Results verification test [Using the visitor hall and the Boss segment as examples]

Internet access test [dual-line access, plus the result when one side fails]
2.5.1 User test in the visitor hall



The client has obtained an IP address.
NAT translation entry view


It can be seen that the DNS traffic is translated to 202.100.1.2, and once the public address is resolved, the access to Baidu is also translated to 202.100.1.2.


Baidu also opens normally.

Policy match check


You can see that there is a corresponding match.

NAT match


Policy 2 takes effect because it is the one currently in action.


You can see that the ACL also has a corresponding match.

Test whether the external network remains reachable when Telecom (DX) fails.

[USG-GW]int g0/0/1
[USG-GW-GigabitEthernet0/0/1]shutdown
Here the failure can only be simulated by shutting down the corresponding port.


Explanation: ping 114.114.114.144 works, but 8.8.8.8 does not, because it is blocked domestically.


There is a corresponding strategy match.

Effect when policy routing and IP-Link are matched together
When IP-Link and policy routing are present at the same time, the system by default uses the next-hop address probed by IP-Link to judge whether the policy route is effective. Since 202.100.1.1 has failed, the corresponding policy route also becomes ineffective, so the traffic here takes the default route rather than the policy route.


2.5.2 Test under the senior management department


The address in the corresponding VLAN has been obtained.


The session information shows that everything is forwarded via 61.128.1.2.


Now the first policy has a match, because it serves the Boss network segment.


The ACL called by the policy route also takes effect.

Test: disconnect the link and continue accessing


Afterwards, all sessions use 202.100.1.2 rather than 61.128.1.2, and access works normally.


The Telecom policy now has matching entries.

2.6 Summary

For a dual-ISP deployment, only a few points need attention: the cooperation of IP-Link with policy routing, plus the security policy that must permit the traffic and the NAT configuration. Check the match counters to verify that translation is working normally.

3. The customer wants to use Telecom by default and Unicom only when Telecom fails [or Unicom carries the VPN traffic while Telecom carries the ISP traffic.]

For this scenario the results are not demonstrated here; only the approach and configuration are given.
1. Define IP-Link.
2. Point a default route directly to Telecom (DX) [note: associate it with IP-Link].
3. Define a floating default route pointing to Unicom [no need to call IP-Link, but its preference value must be larger than that of the Telecom route].
4. To make the VPN traffic take Unicom, point the routes for the peer's private network segments directly at Unicom's outbound interface. During encryption processing the packets are then naturally steered to the Unicom interface and sent to the peer.

Note: The effect achieved this way is that Telecom is used by default. When IP-Link detects that the Telecom link is broken, the tracked default route disappears and Unicom's default route is used directly; the VPN traffic, because of the static routes, is steered to Unicom's interface for encryption.
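To make the interplay of the pieces from sections 2.1 to 2.3 and section 3 concrete, here is an added Python model of the forwarding decision the page describes (it is not Huawei code and not from the original post): a policy-route node is skipped when the IP-Link probing its next hop is DOWN, a static route with `track ip-link` is withdrawn while that IP-Link is DOWN, and among the remaining routes the longest prefix and then the lowest preference value win. The ACLs, policy-route nodes, IP-Link targets and next hops are the page's values; the preference 70 for the floating route, the 10.20.0.0/16 remote VPN subnet and the client addresses are constructed assumptions.

```python
import ipaddress

ISP_TELECOM = "202.100.1.1"  # Telecom next hop via g0/0/1 (page value)
ISP_UNICOM = "61.128.1.1"    # Unicom next hop via g0/0/2 (page value)

# Basic ACLs 2000/2001 from section 2.1, matched on source address
ACL = {2000: ["192.168.19.0/24", "192.168.21.0/24"],  # Core-A VRRP master segments
       2001: ["192.168.20.0/24"]}                      # Core-B VRRP master segment
# policy-based-route to-isp nodes: (node, acl, next hop)
PBR_TO_ISP = [(5, 2000, ISP_TELECOM), (10, 2001, ISP_UNICOM)]
# ip-link id -> destination it probes with ICMP (section 2.2)
IP_LINK = {1: ISP_TELECOM, 2: ISP_UNICOM}

def acl_match(acl_id, src):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in ACL[acl_id])

def select_next_hops(src, dst, routes, link_up, pbr):
    """routes: list of (prefix, next_hop, preference, tracked ip-link id or None);
    link_up: {ip-link id: bool}; pbr: policy-route nodes applied on the source VLAN.
    Returns the usable next hops (several entries means equal-cost load sharing)."""
    # 1. The policy route is consulted first. A node whose next hop is probed by
    #    a DOWN ip-link is ineffective, which is what section 2.5.1 observes.
    for _node, acl_id, nh in pbr:
        probes = [lid for lid, target in IP_LINK.items() if target == nh]
        if probes and not all(link_up[lid] for lid in probes):
            continue
        if acl_match(acl_id, src):
            return [nh]
    # 2. Routing table: a static route with `track ip-link N` is withdrawn while
    #    ip-link N is DOWN; longest prefix wins, then the lowest preference value.
    d = ipaddress.ip_address(dst)
    active = [(ipaddress.ip_network(p).prefixlen, pref, nh)
              for p, nh, pref, track in routes
              if d in ipaddress.ip_network(p) and (track is None or link_up[track])]
    if not active:
        return []
    best_len = max(a[0] for a in active)
    best_pref = min(a[1] for a in active if a[0] == best_len)
    return [nh for plen, pref, nh in active if (plen, pref) == (best_len, best_pref)]

# Section 2.3: two tracked default routes, both at the default preference 60
ROUTES_DUAL = [("0.0.0.0/0", ISP_TELECOM, 60, 1), ("0.0.0.0/0", ISP_UNICOM, 60, 2)]
# Section 3: tracked Telecom default; floating Unicom default (assumed preference 70,
# i.e. `ip route-static 0.0.0.0 0 61.128.1.1 preference 70`); and a static route for
# the peer's private VPN subnet (10.20.0.0/16 is a constructed value) via Unicom
ROUTES_FLOAT = [("0.0.0.0/0", ISP_TELECOM, 60, 1), ("0.0.0.0/0", ISP_UNICOM, 70, None),
                ("10.20.0.0/16", ISP_UNICOM, 60, None)]
```

Calling `select_next_hops("192.168.19.5", "8.8.8.8", ROUTES_DUAL, {1: False, 2: True}, PBR_TO_ISP)` reproduces the failover observed in section 2.5.1: the Telecom policy-route node is bypassed and the Unicom default route carries the traffic.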

This article was first published on the public account: Network Road Blog


Origin blog.51cto.com/ccieh3c/2643017