2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
1. Initially the virtualization platform had a single ISP uplink on the USG6330. Downstream is an S5700 layer-3 switch stack (three units). Several VLANs are configured on the switch for the service network, each with a VLAN interface address, and the service servers sit in those VLANs (not in a DMZ). The USG6330 and the S5700 communicate over an interworking segment: USG 10.10.12.253, S5700 10.10.12.254, and on the firewall the next hop for every VLAN subnet is 10.10.12.254. All VLANs are placed in the trust zone and the ISP link in the untrust zone (called untrustA below to distinguish it from the line added later). A source NAT policy from trust to untrustA gives every VLAN access to the public network. In this setup the VLANs communicate normally and the servers are reachable from outside through NAT server mappings. A machine in one VLAN can also reach a server in another VLAN through the server's public address, but two machines in the same VLAN cannot reach each other through the public address. Because the business did not initially need same-VLAN access through public addresses, nobody looked closely at how access through public IPs behaved within or across VLANs; in practice the same-VLAN case simply does not work without further configuration.
2. As the platform grew, a second ISP line was added to the USG6330 uplink and placed in its own untrust zone (untrustB). Downstream a second S5700 stack (three units) was added with its own VLANs for the new business, together with a second interworking segment for USG6330-to-S5700 communication: USG 10.100.2.253, S5700 10.100.2.254. Inter-VLAN communication and public network access in the expanded platform are configured the same way as before. The original and expanded environments are independent: they share only the firewall, run separately beneath it, and their traffic is steered with policy-based routing.
3. The original platform hosts a mail server (MAILA); a second mail server (MAILB) was later built in the expanded platform. Mail could not flow between the two. Failure over the private network is expected, since the two platforms are logically separate, but MAILA also cannot reach MAILB through MAILB's public IP, and MAILB cannot reach MAILA through MAILA's public IP. In addition, hosts in MAILA's own VLAN cannot reach MAILA through its public IP, and the same holds for MAILB.
The problems above reduce to two:
1. Machines in the same VLAN cannot reach each other through their public IPs.
2. Different VLANs below the USG6330 cannot reach each other through public IPs.
Same-VLAN access through the public IP is a port reflection (NAT hairpin) problem, and it is solved with source NAT. Without it, the client sends its SYN to the public address, the firewall translates the destination to the server's private address, and the server answers the client's private address directly across the switch; the SYN-ACK therefore arrives from the server's private address rather than the public address the client dialed, the second step of the handshake fails and the connection never completes. Huawei's configuration case covers this, but it requires a cooperating route on the ISP side, which is cumbersome. Instead, policy-based routing on the USG6330 can restrict forwarding while source NAT is configured at the same time, which solves both problems: the source NAT draws the server's reply back through the firewall, and the policy route keeps same-VLAN requests from leaving the firewall at all, removing the routing loop.
After the expansion there are two ISP lines. Under the policy-routing priority rules, a request to a public IP is sent to the public network by default, with the next hop set to the ISP gateway of the public segment configured on the USG6330. Because of the resulting routing loop, the ISP router simply discards the request and it fails. Cross-VLAN access is solved directly by restricting forwarding with policy routing: the request originates in the source private network, matches the corresponding NAT on the firewall, and, under the policy-routing restriction, a static route carries it into the destination private network so the request completes.
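To make the two failure modes concrete, the following simulation walks a TCP handshake through a firewall with NAT server mappings, once without and once with each fix. It is an added example written for this article, not the author's configuration and not Huawei code. Everything in it is assumed for illustration: the two platforms (10.10.0.0/16 behind interworking address 10.10.12.253, 10.100.0.0/16 behind 10.100.2.253), the public addresses in RFC 5737 documentation ranges, the `SERVER_MAP` mappings, and the firewall model itself, which treats same-VLAN and cross-VLAN replies alike (the S5700 delivers both without the firewall) and models the ISP-side discard exactly as the article reports it rather than deriving it.

```python
"""NAT hairpin ("port reflection") simulation for a firewall in front of
internal VLANs. Added example for this article; neither the author's
configuration nor vendor code. Topology, addresses (public side in RFC 5737
documentation ranges) and firewall behaviour are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: platform A (original line) and platform B (expansion).
TRUST = {"A": ip_network("10.10.0.0/16"), "B": ip_network("10.100.0.0/16")}
FW_ADDR = {"A": "10.10.12.253", "B": "10.100.2.253"}  # firewall side of each interworking segment
ISP_GW = {"A": "203.0.113.1", "B": "198.51.100.1"}    # assumed next hop of each ISP line
# NAT server mappings (destination NAT): public address -> private server address
SERVER_MAP = {"203.0.113.10": "10.10.20.25", "198.51.100.20": "10.100.20.25"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str           # "SYN" or "SYN-ACK"
    path: tuple = ()    # devices the packet has passed through, for inspection


def platform_of(addr):
    """Platform whose trust side contains addr, or None for a public address."""
    for name, net in TRUST.items():
        if ip_address(addr) in net:
            return name
    return None


class Firewall:
    def __init__(self, hairpin_snat, pbr, pbr_exception):
        self.hairpin_snat = hairpin_snat    # source-NAT trust->trust hairpin traffic to the firewall
        self.pbr = pbr                      # policy route: trust-A traffic -> ISP A, trust-B -> ISP B
        self.pbr_exception = pbr_exception  # ...except when the destination is one of our public IPs
        self.sessions = {}                  # (src, dst) after translation -> (src, dst) before it

    def handle(self, pkt):
        """Return the packet as it leaves the firewall, or None if it is dropped."""
        pkt = Packet(pkt.src, pkt.dst, pkt.flag, pkt.path + ("firewall",))
        if pkt.flag == "SYN-ACK":           # reply of a translated session: undo both translations
            orig = self.sessions.get((pkt.dst, pkt.src))
            return None if orig is None else Packet(orig[1], orig[0], pkt.flag, pkt.path)
        plat = platform_of(pkt.src)
        to_isp = self.pbr and plat and not (self.pbr_exception and pkt.dst in SERVER_MAP)
        if to_isp:                          # policy route wins: the request is pushed out the ISP line
            return Packet(pkt.src, pkt.dst, pkt.flag, pkt.path + (f"ISP {plat} gw {ISP_GW[plat]}",))
        if pkt.dst not in SERVER_MAP:
            return None
        inside = SERVER_MAP[pkt.dst]        # destination NAT, then a static route into that platform
        # Hairpin source NAT uses the firewall's own address on the destination platform's
        # interworking segment, so the server's reply is routed back to the firewall.
        new_src = FW_ADDR[platform_of(inside)] if self.hairpin_snat and plat else pkt.src
        self.sessions[(new_src, inside)] = (pkt.src, pkt.dst)
        return Packet(new_src, inside, pkt.flag, pkt.path)


def trust_deliver(pkt):
    """S5700 side: a destination inside a platform is switched or routed there directly
    (bypassing the firewall); the firewall's own address or a public address goes to the firewall."""
    if pkt.dst in FW_ADDR.values() or platform_of(pkt.dst) is None:
        return pkt, "firewall"
    return Packet(pkt.src, pkt.dst, pkt.flag, pkt.path + ("S5700",)), "host"


def handshake(fw, client, public_ip):
    """Client dials a server's public address. Returns (handshake ok, path of the reply)."""
    fwd = fw.handle(Packet(client, public_ip, "SYN", (client,)))
    if fwd is None or fwd.path[-1].startswith("ISP"):
        # Dropped on the firewall, or pushed to the ISP, where the article reports it is discarded.
        return False, (() if fwd is None else fwd.path)
    # The server answers whatever source address it saw in the SYN.
    synack = Packet(fwd.dst, fwd.src, "SYN-ACK", fwd.path + (fwd.dst,))
    pkt, nexthop = trust_deliver(synack)
    if nexthop == "firewall":
        pkt = fw.handle(pkt)
        if pkt is None:
            return False, ()
    # The client only accepts a SYN-ACK that comes from the address it dialed.
    return (pkt.src == public_ip and pkt.dst == client), pkt.path


def scenarios():
    """The article's two failure modes, each without and with its fix."""
    results = {}
    for snat in (False, True):              # 1. same VLAN, original single-line platform (no PBR)
        fw = Firewall(hairpin_snat=snat, pbr=False, pbr_exception=False)
        results[f"same_vlan_snat={snat}"] = handshake(fw, "10.10.20.5", "203.0.113.10")[0]
    for exc in (False, True):               # 2. MAILA (platform A) dials MAILB's public address
        fw = Firewall(hairpin_snat=True, pbr=True, pbr_exception=exc)
        results[f"cross_platform_pbr_exception={exc}"] = handshake(fw, "10.10.20.25", "198.51.100.20")[0]
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'handshake completes' if ok else 'handshake fails'}")
```

Running it shows the same-VLAN handshake failing until hairpin source NAT is enabled (the SYN-ACK then travels client, firewall, server, firewall, and arrives from the dialed public address), and the cross-platform handshake failing while the policy route pushes firewall-owned public addresses out to the ISP, succeeding once those destinations are excluded from the policy route and handled by NAT plus the static route into the other platform.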
These problems took a long time to resolve, and the approach was to try things step by step rather than to reason from first principles and then act. Learning how the network actually works is therefore essential so that the knowledge can be applied when needed, and every policy and configuration should be planned with later maintenance in mind.