On the core switch, how can I steer all core traffic to the security resource pool server devices that sit under the access switch?
(0)
Best answer
Reference case
1. Switch 1 applies a routing policy on g0/1 to the route going towards switch 2, changing the next hop to 10.2.2.2.
2. Switch 2 applies a routing policy on g0/2 to the route returning from switch 2, changing the next hop to 10.1.1.2.
At the moment, traffic from switch 3 to switch 2 bounces back and forth between switch 1 and the firewall, producing a routing loop.
Switch 1 configuration
[H3C]display current-configuration
#
version 7.1.070, Alpha 7170
#
sysname H3C
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip ttl-expires enable
#
lldp global enable
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
stp global enable
#
policy-based-route aaa permit node 1
if-match acl 3000
apply next-hop 10.1.1.2
#
policy-based-route bbb permit node 1
if-match acl 3001
apply next-hop 10.2.2.2
#
interface NULL0
#
interface FortyGigE1/0/53
port link-mode bridge
#
interface FortyGigE1/0/54
port link-mode bridge
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
ip address 1.1.1.1 255.255.255.0
ip policy-based-route bbb
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable fiber
ip address 2.2.2.1 255.255.255.0
ip policy-based-route aaa
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable fiber
ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable fiber
ip address 10.2.2.1 255.255.255.252
#
interface GigabitEthernet1/0/5
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/6
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/7
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/8
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/9
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/10
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/11
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/12
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/13
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/14
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/15
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/16
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/21
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/22
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/23
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/24
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/25
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/26
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/27
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/28
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/29
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/30
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/31
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/32
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/33
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/34
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/35
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/36
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/37
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/38
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/39
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/40
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/41
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/42
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/43
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/44
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/45
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/46
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/47
port link-mode bridge
combo enable fiber
#
interface GigabitEthernet1/0/48
port link-mode bridge
combo enable fiber
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/50
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/51
port link-mode bridge
combo enable fiber
#
interface Ten-GigabitEthernet1/0/52
port link-mode bridge
combo enable fiber
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
acl advanced 3000
rule 0 permit ip source 2.2.2.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip destination 2.2.2.0 0.0.0.255
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
Firewall configuration
<H3C>display current-configuration
#
version 7.1.064, Alpha 7164
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip ttl-expires enable
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 11.11.11.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 10.2.2.2 255.255.255.252
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/4
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 10.2.2.1
ip route-static 2.2.2.0 24 10.1.1.1
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl basic 2000
rule 0 permit source 1.1.1.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$MKVVV6yuS8P36pPn$LC0CUf4NLzlDup3kMQXzJ9JHTBcmIq0Ip3c9V2lwfqo5hoOZ/U9cwrgwIqnZgUeLPJayreTttl5CDDTs9nzCmg==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name 0
action pass
source-zone Trust
source-zone local
source-zone Untrust
destination-zone local
destination-zone Trust
destination-zone Untrust
#
return
<H3C>
Best answer
Refer to the following case:
As shown in the figure, the switch's int vlan 10 and the firewall's RAGG1.10 are on the same subnet; the switch's int vlan 20, the router's GE0/0 and the firewall's RAGG1.20 are on the same subnet.
The customer now has the following requirement: while the firewall is working normally, traffic from the terminals to the border router must pass through the firewall, but when the firewall fails, the traffic is forwarded directly from the switch to the firewall.
On the switch and the router, static routes are combined with track and NQA, so that while the firewall is healthy the route points to the firewall, and once the firewall fails the route no longer points to the firewall and the traffic is forwarded directly on the switch.
Firewall configuration:
interface Route-Aggregation1.10
ip address 192.168.10.1 255.255.255.0
vlan-type dot1q vid 10
#
interface Route-Aggregation1.20
ip address 192.168.20.1 255.255.255.0
vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/0
port link-mode route
port link-aggregation group 1
#
interface GigabitEthernet1/0/1
port link-mode route
port link-aggregation group 1
#
security-zone name Trust
import interface Route-Aggregation1.10
#
security-zone name Untrust
import interface Route-Aggregation1.20
#
ip route-static 0.0.0.0 0 192.168.20.3
ip route-static 192.168.100.0 24 192.168.10.2
#
security-policy ip
rule 0 name permit-all
action pass
source-zone untrust
source-zone trust
source-zone local
destination-zone untrust
destination-zone trust
destination-zone local
Switch configuration
track 1 nqa entry fw 1 reaction 1 //track the NQA state
#
nqa entry fw 1 //configure NQA: probe whether 10.1 is reachable, every 1 second (100 centiseconds), three probes
type icmp-echo
destination ip 192.168.10.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule fw 1 start-time now lifetime forever //start the NQA probe
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 10 20
#
interface Vlan-interface10
ip address 192.168.10.2 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.20.2 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
port link-aggregation group 1
#
ip route-static 0.0.0.0 0 192.168.10.1 track 1 //static route pointing to the firewall, bound to the track object; withdrawn automatically when the NQA probe fails
ip route-static 0.0.0.0 0 192.168.20.3 preference 70 //floating route pointing to the router; takes effect when the static route above is withdrawn
Router configuration
track 1 nqa entry fw 1 reaction 1 //track the NQA state
#
nqa entry fw 1 //configure NQA: probe whether 20.1 is reachable, every 1 second (100 centiseconds), three probes
type icmp-echo
destination ip 192.168.20.1
frequency 100
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule fw 1 start-time now lifetime forever //start the NQA probe
#
interface LoopBack0 //simulated external address
ip address 100.100.100.100 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.20.3 255.255.255.0
#
ip route-static 192.168.100.0 24 192.168.20.1 track 1 //static route pointing to the firewall, bound to the track object; withdrawn automatically when the NQA probe fails
ip route-static 192.168.100.0 24 192.168.20.2 preference 70 //floating route pointing to the switch; takes effect when the static route above is withdrawn
Test results
Switch routing table under normal conditions
[SW]dis ip ro
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 192.168.10.1 Vlan10
......
Router routing table under normal conditions
[RT]dis ip ro
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
......
192.168.100.0/24 Static 60 0 192.168.20.1 GE0/0
......
The PC (192.168.100.2) tests access to 100.100.100.100
[PC]ping 100.100.100.100
Ping 100.100.100.100 (100.100.100.100): 56 data bytes, press CTRL_C to break
56 bytes from 100.100.100.100: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 100.100.100.100: icmp_seq=1 ttl=253 time=3.000 ms
56 bytes from 100.100.100.100: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 100.100.100.100: icmp_seq=3 ttl=253 time=2.000 ms
56 bytes from 100.100.100.100: icmp_seq=4 ttl=253 time=4.000 ms
--- Ping statistics for 100.100.100.100 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/3.000/4.000/0.632 ms
The firewall now shows a session, which confirms that the traffic passes through the firewall
[FW]dis session table ipv4 source-ip 192.168.100.2 destination-ip 100.100.100.100 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.100.2/225
Destination IP/port: 100.100.100.100/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.10
Source security zone: Trust
Responder:
Source IP/port: 100.100.100.100/225
Destination IP/port: 192.168.100.2/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Route-Aggregation1.20
Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: permit-all
Start time: 2020-04-30 03:10:17 TTL: 26s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
When the firewall fails, the track object invalidates the static route
%Apr 30 03:25:36:153 2020 SW NQA/6/NQA_ENTRY_PROBE_RESULT: Reaction entry 1 of NQA entry admin-name fw operation-tag 1: probe-fail.
Track ID: 1
State: Negative
Duration: 0 days 0 hours 0 minutes 15 seconds
Tracked object type: NQA
Notification delay: Positive 0, Negative 0 (in seconds)
Tracked object:
NQA entry: fw 1
Reaction: 1
Remote IP/URL: 192.168.10.1
Local IP: --
Interface: --
%Apr 30 03:25:41:279 2020 RT NQA/6/NQA_ENTRY_PROBE_RESULT: Reaction entry 1 of NQA entry admin-name fw operation-tag 1: probe-fail.
Track ID: 1
State: Negative
Duration: 0 days 0 hours 2 minutes 43 seconds
Tracked object type: NQA
Notification delay: Positive 0, Negative 0 (in seconds)
Tracked object:
NQA entry: fw 1
Reaction: 1
Remote IP/URL: 192.168.20.1
Local IP: --
Interface: --
Looking at the static routes now, the routes on SW and RT have switched and no longer go through the firewall
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 70 0 192.168.20.3 Vlan20
......
Destinations : 14 Routes : 14
......
192.168.100.0/24 Static 70 0 192.168.20.2 GE0/0
......
The PC can still ping 100.100.100.100
Ping 100.100.100.100 (100.100.100.100): 56 data bytes, press CTRL_C to break
56 bytes from 100.100.100.100: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 100.100.100.100: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 100.100.100.100: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 100.100.100.100: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 100.100.100.100: icmp_seq=4 ttl=254 time=2.000 ms
--- Ping statistics for 100.100.100.100 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
Since the traffic no longer passes through the firewall, the firewall has no session
[FW-Route-Aggregation1.10]dis session table ipv4 source-ip 192.168.100.2 destination-ip 100.100.100.100 verbose
Slot 1:
Total sessions found: 0
(0)
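The failover in this reference case (a static route bound to a track object plus a floating route of lower preference) and the loop described in the question can both be checked offline before touching a device. The following Python script is an added example, not part of the forum post and not an H3C tool: it models the three devices SW, FW and RT with the addresses given above, applies policy-based routing on the ingress interface first, then connected subnets, then static routes (withdrawing any route whose track is Negative and preferring the lowest preference), and traces a packet hop by hop. A packet that re-enters a device on the same interface is reported as a loop. The track name `track1`, the `broken_case` misconfiguration (firewall default route pointing back at the switch) and the `pbr_case` variant (switch forcing traffic into a firewall that is down, with no track on the policy) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from the forum post. Device names, interface names and
# addresses follow the post's reference case; "track1", broken_case and pbr_case
# are constructed.


@dataclass
class Route:
    prefix: str                   # destination prefix, e.g. "0.0.0.0/0"
    next_hop: str                 # next-hop IP address
    preference: int = 60          # H3C static routes default to preference 60
    track: Optional[str] = None   # track object the route depends on, if any


@dataclass
class Device:
    name: str
    interfaces: dict              # interface name -> "ip/prefixlen"
    routes: list = field(default_factory=list)
    pbr: dict = field(default_factory=dict)     # ingress interface -> [(match prefix, next hop)]
    tracks: dict = field(default_factory=dict)  # track name -> True (Positive) / False (Negative)

    def interface_holding(self, ip):
        """Interface configured with exactly this IP, or None."""
        for name, addr in self.interfaces.items():
            if ipaddress.ip_interface(addr).ip == ip:
                return name
        return None

    def is_connected(self, ip):
        return any(ip in ipaddress.ip_interface(a).network for a in self.interfaces.values())

    def next_hop_for(self, dst, ingress):
        """PBR on the ingress interface first, then connected subnet, then static routes."""
        for match, nh in self.pbr.get(ingress, []):
            if dst in ipaddress.ip_network(match):
                return ipaddress.ip_address(nh)
        if self.is_connected(dst):
            return dst                               # deliver on the local segment
        usable = [r for r in self.routes
                  if dst in ipaddress.ip_network(r.prefix)
                  and (r.track is None or self.tracks.get(r.track, False))]
        if not usable:
            return None
        # longest prefix wins; among equal prefixes the lowest preference wins
        best = max(usable, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.preference))
        return ipaddress.ip_address(best.next_hop)


def trace(devices, start, ingress, dst, max_hops=16):
    """Hop-by-hop path; ends in 'delivered', 'no route', 'next hop unreachable' or 'LOOP'."""
    dst = ipaddress.ip_address(dst)
    dev = next(d for d in devices if d.name == start)
    seen, path = set(), []
    while len(path) < max_hops:
        if (dev.name, ingress) in seen:              # same device, same ingress: a forwarding loop
            return path + ["LOOP"]
        seen.add((dev.name, ingress))
        path.append(dev.name)
        if dev.interface_holding(dst) is not None:
            return path + ["delivered"]
        nh = dev.next_hop_for(dst, ingress)
        if nh is None:
            return path + ["no route"]
        if nh == dst:                                # connected host such as the PC
            return path + ["delivered"]
        owner = next((d for d in devices if d.interface_holding(nh) is not None), None)
        if owner is None:                            # next hop is not a live device
            return path + ["next hop unreachable"]
        dev, ingress = owner, owner.interface_holding(nh)
    return path + ["LOOP"]


def reference_case(fw_reachable=True):
    """SW, FW and RT from the post. With fw_reachable=False the firewall is removed
    (it is down) and the NQA track objects on SW and RT are Negative."""
    sw = Device("SW", {"Vlan10": "192.168.10.2/24", "Vlan20": "192.168.20.2/24",
                       "Vlan100": "192.168.100.1/24"},
                routes=[Route("0.0.0.0/0", "192.168.10.1", 60, "track1"),
                        Route("0.0.0.0/0", "192.168.20.3", 70)],
                tracks={"track1": fw_reachable})
    fw = Device("FW", {"RAGG1.10": "192.168.10.1/24", "RAGG1.20": "192.168.20.1/24"},
                routes=[Route("0.0.0.0/0", "192.168.20.3"),
                        Route("192.168.100.0/24", "192.168.10.2")])
    rt = Device("RT", {"GE0/0": "192.168.20.3/24", "Loop0": "100.100.100.100/32"},
                routes=[Route("192.168.100.0/24", "192.168.20.1", 60, "track1"),
                        Route("192.168.100.0/24", "192.168.20.2", 70)],
                tracks={"track1": fw_reachable})
    return [sw, fw, rt] if fw_reachable else [sw, rt]


def broken_case():
    """Constructed misconfiguration: the firewall's default route points back at the switch."""
    devs = reference_case()
    devs[1].routes = [Route("0.0.0.0/0", "192.168.10.2"), Route("192.168.100.0/24", "192.168.10.2")]
    return devs


def pbr_case():
    """Constructed: SW forces all Vlan100 traffic into the firewall by PBR with no track,
    while the firewall is down."""
    devs = reference_case(fw_reachable=False)
    devs[0].pbr = {"Vlan100": [("0.0.0.0/0", "192.168.10.1")]}
    return devs


if __name__ == "__main__":
    print(trace(reference_case(True), "SW", "Vlan100", "100.100.100.100"))   # via FW
    print(trace(reference_case(False), "SW", "Vlan100", "100.100.100.100"))  # bypasses FW
    print(trace(reference_case(True), "RT", "Loop0", "192.168.100.2"))       # return path
    print(trace(broken_case(), "SW", "Vlan100", "100.100.100.100"))          # loop detected
    print(trace(pbr_case(), "SW", "Vlan100", "100.100.100.100"))             # blackholed
```

The two variants make the design point of the reference case explicit: a tracked static route with a floating backup withdraws itself when the NQA probe fails, whereas a fixed next hop with nothing watching it keeps sending traffic into a dead device, and a route on the inspection device that points back towards its source shows up immediately as a loop in the trace.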
For your scenario, simply configuring port mirroring is enough.
(0)
The requirement here is to capture the traffic and also be able to block it.