As shown in the figure, implement the following. Requirements: 1. When traffic is normal: PC1---LSW1----FW1----LSP_CNCC(lo0); PC2---LSW1----FW1----LSP_CMCC(lo0)

2. When LSP_CNCC(lo0) goes down, all PC1 and PC2 traffic switches to LSP_CMCC(lo0); conversely, when LSP_CMCC(lo0) goes down, all PC1 and PC2 traffic switches to LSP_CNCC(lo0)

3. Note the deny rules in the ACLs: they mean that traffic between the internal subnets does not match the policy. If it did match the policy, it would be NAT-translated and internal communication would break!

4. In a real deployment, bind a detection mechanism such as NQA or BFD as the situation requires, so that link failures are detected faster and traffic is switched over to keep it reachable!

FW1 configuration:
<SRG>dis current-configuration
23:04:18 2017/07/12

stp region-configuration
 region-name e81582044529
 active region-configuration

acl number 3000
 rule 2 deny ip destination 192.168.20.0 0.0.0.255   // lets internal traffic through: it must not match the policy!
 rule 5 permit ip source 192.168.10.0 0.0.0.255
 rule 10 deny ip

acl number 3001
 rule 2 deny ip destination 192.168.10.0 0.0.0.255
 rule 5 permit ip source 192.168.20.0 0.0.0.255
 rule 10 deny ip

interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1

interface GigabitEthernet0/0/1
 ip address 210.1.1.1 255.255.255.0

interface GigabitEthernet0/0/2
 ip address 220.1.1.1 255.255.255.0

interface GigabitEthernet0/0/3

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/8.10
 vlan-type dot1q 10
 alias GigabitEthernet0/0/8.10
 ip address 192.168.10.254 255.255.255.0
 ip policy-based-route 10

interface GigabitEthernet0/0/8.20
 vlan-type dot1q 20
 alias GigabitEthernet0/0/8.20
 ip address 192.168.20.254 255.255.255.0
 ip policy-based-route 10

interface NULL0
 alias NULL0

firewall zone local
 set priority 100

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/8
 add interface GigabitEthernet0/0/8.10
 add interface GigabitEthernet0/0/8.20

firewall zone untrust
 set priority 5

firewall zone dmz
 set priority 50

firewall zone name cncc
 set priority 10
 add interface GigabitEthernet0/0/1

firewall zone name cmcc
 set priority 15
 add interface GigabitEthernet0/0/2

aaa
 local-user admin password cipher %$%$q4o'Iu\Qr<9uB!;*(9\WYvmd%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default

nqa-jitter tag-version 1

ip route-static 0.0.0.0 0.0.0.0 210.1.1.2
ip route-static 0.0.0.0 0.0.0.0 220.1.1.2

banner enable

user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all

policy-based-route 10 permit node 10   // sets the outbound path for each of the two subnets!
 if-match acl 3000
 apply ip-address next-hop 210.1.1.2
policy-based-route 10 permit node 20
 if-match acl 3001
 apply ip-address next-hop 220.1.1.2

slb

right-manager server-group

sysname SRG

l2tp domain suffix-separator @

firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local cncc direction outbound
firewall packet-filter default permit interzone local cmcc direction outbound

ip df-unreachables enable

firewall ipv6 session link-state check
firewall ipv6 statistic system enable

dns resolve

firewall statistic system enable

pki ocsp response cache refresh interval 0
pki ocsp response cache number 0

undo dns proxy

license-server domain lic.huawei.com

web-manager enable

policy interzone trust cncc outbound   // permit traffic leaving via CNCC!
 policy 0
  action permit
  policy source 192.168.10.0 mask 24
  policy source 192.168.20.0 mask 24

policy interzone trust cmcc outbound   // permit traffic leaving via CMCC!
 policy 0
  action permit
  policy source 192.168.10.0 mask 24
  policy source 192.168.20.0 mask 24

nat-policy interzone trust cncc outbound   // source NAT on the CNCC side
 policy 0
  action source-nat
  policy source 192.168.10.0 mask 24
  policy source 192.168.20.0 mask 24
  easy-ip GigabitEthernet0/0/1

nat-policy interzone trust cmcc outbound   // source NAT on the CMCC side
 policy 0
  description isthis
  action source-nat
  policy source 192.168.10.0 mask 24
  policy source 192.168.20.0 mask 24
  easy-ip GigabitEthernet0/0/2

return
<SRG>
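To trace what FW1's ACLs, policy-based route and NAT policy do to a given packet, here is an added Python model (not the page's own code and not a Huawei tool) that evaluates ACL 3000/3001 with Huawei wildcard masks, walks the two nodes of policy-based-route 10, falls back to the surviving static default route when a next hop is down, and reports the easy-ip source address. The link-state map `up`, the assumption that a node whose next hop is unreachable hands the packet to ordinary routing, and the choice of the first live default route in place of real ECMP hashing are the model's assumptions.

```python
import ipaddress

# Constructed model of FW1's configuration as shown on the page: ACL 3000/3001,
# policy-based-route 10, the two default routes and the easy-ip NAT addresses.
ACLS = {
    3000: ["rule 2 deny ip destination 192.168.20.0 0.0.0.255",
           "rule 5 permit ip source 192.168.10.0 0.0.0.255",
           "rule 10 deny ip"],
    3001: ["rule 2 deny ip destination 192.168.10.0 0.0.0.255",
           "rule 5 permit ip source 192.168.20.0 0.0.0.255",
           "rule 10 deny ip"],
}
PBR_NODES = [(10, 3000, "210.1.1.2"), (20, 3001, "220.1.1.2")]  # node, acl, next-hop
DEFAULT_ROUTES = ["210.1.1.2", "220.1.1.2"]                       # ip route-static 0.0.0.0 0.0.0.0 ...
CONNECTED = ["192.168.10.0/24", "192.168.20.0/24", "210.1.1.0/24", "220.1.1.0/24"]
EASY_IP = {"210.1.1.2": "210.1.1.1", "220.1.1.2": "220.1.1.1"}    # next-hop -> egress interface address

def wildcard_match(ip, network, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(network)) & care)

def acl_action(acl_id, src, dst):
    """First matching rule wins; returns 'permit', 'deny', or None if nothing matches."""
    for rule in ACLS[acl_id]:
        tok = rule.split()
        matched = True
        for key, ip in (("source", src), ("destination", dst)):
            if key in tok:
                i = tok.index(key)
                matched = matched and wildcard_match(ip, tok[i + 1], tok[i + 2])
        if matched:
            return tok[2]
    return None

def forward(src, dst, up):
    """Return (next_hop, source address after NAT) for a packet arriving from trust.
    `up` maps an ISP next-hop to False when its link is down (assumed model of the test)."""
    for _node, acl_id, nh in PBR_NODES:
        if acl_action(acl_id, src, dst) == "permit":   # a deny rule means this node does not apply
            if up.get(nh, True):
                return nh, EASY_IP[nh]                 # PBR next-hop plus easy-ip on that interface
            break                                      # next-hop gone: ordinary routing takes over
    if any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in CONNECTED):
        return "connected", src                        # internal traffic: no PBR, no NAT
    for nh in DEFAULT_ROUTES:                          # surviving default route(s); real ECMP hashes
        if up.get(nh, True):
            return nh, EASY_IP[nh]
    return None, src
```

Passing `{"210.1.1.2": False}` as `up` reproduces the g0/0/1 shutdown test at the end of the page, where PC1's translated address moves from 210.1.1.1 to 220.1.1.1; a failure of the remote loopback alone leaves `up` unchanged, which is exactly why the page recommends NQA or BFD for detection.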

SW1 configuration:
<SW1>dis current-configuration

sysname SW1

vlan batch 10 20

interface Ethernet0/0/1
 port link-type access
 port default vlan 10

interface Ethernet0/0/2
 port link-type access
 port default vlan 20

interface Ethernet0/0/3
 description sithos
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

<SW1>

LSP_CNCC configuration:

<CNCC>dis current-configuration
[V200R003C00]

sysname CNCC

interface GigabitEthernet0/0/0

interface GigabitEthernet0/0/1
 ip address 210.1.1.2 255.255.255.0

interface NULL0

interface LoopBack0
 ip address 100.100.100.100 255.255.255.255

user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20

wlan ac

return
<CNCC>

LSP_CMCC configuration:
<cmcc>dis current-configuration
[V200R003C00]

sysname cmcc

interface GigabitEthernet0/0/1
 ip address 220.1.1.2 255.255.255.0

interface NULL0

interface LoopBack0
 ip address 100.100.100.100 255.255.255.255

user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20

wlan ac

return
<cmcc>

Verify that traffic takes the intended path:

PC1 traffic path (correct)

PC2 traffic path (correct)

When LSP_CNCC goes down (simulated by shutting down g0/0/1 on the USG): traffic fails over, and the translated source address has changed from 210 to 220.