2025-01-16 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
For a project, a branch office deployed a Huawei firewall. To keep its Internet exit available, it uses two ISP links: a 50 Mbit/s China Unicom enterprise dedicated line and a 200 Mbit/s China Telecom PPPoE dial-up link. The project requirements are:
1. VPN traffic to the headquarters uses the Unicom line by preference.
2. Users' Internet traffic uses the Telecom line by preference.
3. When a public-network link fails, traffic switches over automatically.
With the requirements set, they need to be implemented. How to achieve them:
1. Both links must be able to reach the Internet.
2. Configure a health check so that a link detected as down is no longer used to forward traffic.
3. Configure policy routing, forwarding in active/standby mode according to link priority.
Interface configuration: GE1/0/0 is the Unicom dedicated line with a static public IP, and a separate NAT address pool is configured for it; GE1/0/1 is the Telecom dial-up link, using Easy IP NAT mode; GE1/0/2 is the intranet interface.
Security zones: both GE1/0/0 and GE1/0/1 are placed in the untrust zone, and the LAN port in the trust zone.
1. Configure Internet access, including the security policy, the NAT policies and the default routes.
1. Interface configuration: set the IP addresses of the public-network and private-network interfaces and select the corresponding health check. The point to note in this first step is that the health-check option must be selected on the uplink public-network interfaces.
[Figure: G1/0/0 interface configuration]
[Figure: G1/0/1 interface configuration]
2. Security policy: for all traffic from untrust to trust, the action is permit.
3. Two NAT policies are required.
a. One applies to traffic whose outbound interface is the Unicom line and translates it to the address in addressgroup1. In the web UI I only found one place to create this address pool, under the address pool selection, and saw no other location. It can be configured from the command line:
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 58.241.X.X 58.241.X.X
3. Default routes and return-packet routing
Write two default routes, pointing to China Telecom and China Unicom respectively. Because the Telecom link is dialed via PPPoE, its route is written directly out of the interface Dialer0.
2. Health check for the uplink ISP links
This step should be done first, and the health check is then referenced under the interface.
To check the health of a link, the FW actually uses the public-network interface to test connectivity to a destination address at a fixed interval (5 seconds). If the test fails, the uplink is considered disconnected, and policy routing then switches traffic to the other link.
For the address to test: if your link has a fixed public IP, specify the gateway; if it is a dial-up link, specify a DNS address of the ISP.
3. Configure policy routing, using the active/standby multi-egress method so that routing follows link priority.
Since our requirement is to distinguish VPN traffic from ordinary Internet traffic, the multi-egress option I chose is to forward packets in active/standby mode according to link priority. Whichever of the two ISP links you want to use for a given traffic class, raise that interface's priority.
1. VPN traffic to the headquarters: give priority to Unicom. (Of course, this traffic can also be identified by the destination IP being the peer's public IP, or by the protocol's port number; for that you need to understand IPSec VPN packet encapsulation.)
2. Internet traffic: give priority to Telecom.
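As an added example, not code from the article or from Huawei, this Python model ties the health check of section 2 to the per-class link priorities of this section; the interface names, the HQ peer address and the failure threshold are assumptions.

```python
# Added example, not from the original article or Huawei's own code: a model
# of the health check plus active/standby policy routing described above.
# Interface names, the HQ peer address and the failure threshold are assumed.
from dataclasses import dataclass

PROBE_INTERVAL_S = 5  # the article: the FW probes the target every 5 seconds
FAIL_THRESHOLD = 3    # assumption: 3 consecutive failed probes mark link down

@dataclass
class Link:
    name: str
    failures: int = 0
    up: bool = True

    def record_probe(self, ok: bool) -> bool:
        """Feed one health-check result and return the link state."""
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= FAIL_THRESHOLD:
            self.up = False
        elif ok:
            self.up = True  # assumption: one good probe restores the link
        return self.up

def detection_delay_s() -> int:
    """Worst-case seconds before a dead link is declared down."""
    return PROBE_INTERVAL_S * FAIL_THRESHOLD

HQ_PEER = "203.0.113.10"  # constructed: public IP of the HQ IPSec peer
IKE_PORTS = {500, 4500}   # IKE and NAT-T; ESP itself is IP protocol 50

PREFERENCE = {  # per-class egress preference: first healthy interface wins
    "vpn": ["GE1/0/0", "Dialer0"],       # Unicom line first
    "internet": ["Dialer0", "GE1/0/0"],  # Telecom PPPoE line first
}

def classify(dst_ip: str, proto: str, dport: int) -> str:
    """Match IPSec VPN traffic by peer address, ESP, or IKE/NAT-T ports."""
    if dst_ip == HQ_PEER or proto == "esp":
        return "vpn"
    if proto == "udp" and dport in IKE_PORTS:
        return "vpn"
    return "internet"

def select_egress(links, dst_ip, proto="tcp", dport=443):
    """Return the egress interface name, or None if both links are down."""
    for name in PREFERENCE[classify(dst_ip, proto, dport)]:
        if links[name].up:
            return name
    return None
```

Under these assumptions detection alone takes 15 seconds; the roughly 20-second VPN cutover the article observes also includes IKE re-establishing the tunnel from the other interface's source address.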
Next, test it. In my real environment, the results of the intelligent routing were as follows:
1. For Internet traffic, 2 packets were lost, and users are basically unaware of it.
2. For IPSec VPN traffic, the connection is lost when the Unicom link is interrupted and must be re-established; the network is cut off for about 20 seconds.
In this way our high-availability requirement is met: any single public-network link going down will not affect users' office work on the network. Intelligent routing, and load sharing in proportion to bandwidth, are other modes that can be used according to your needs.
Attached is the manual for the USG6000 series FW. For more information, please refer to the manual.
https://support.huawei.com/hedex/hdx.do?docid=EDOC1100068395&lang=zh&idPath=7919710%7C9856724%7C21430823%7C21100508%7C8661805