2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The network topology is as follows:
Networking situation:
Enterprise users mainly include the Technology Department (VLAN10) and the Administration Department (VLAN20), which are connected to the USG through the aggregation switch.
The enterprise connects to the Internet through two different operators (ISP1 and ISP2). The IP addresses assigned by ISP1 are 1.1.1.1 to 1.1.1.10. The IP addresses assigned by ISP2 are 2.2.2.1 to 2.2.2.10, with a mask of 24 bits.
The following requirements need to be met:
When the links to both operators are working normally, Technology Department users access the Internet through ISP1, and Administration Department users access the Internet through ISP2.
When one link fails, the traffic can be switched to another link in time to avoid long-term network interruption.
Aggregate SW configuration:
vlan batch 10 20
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 stp edged-port enable
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 stp edged-port enable
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 20
USG configuration:
1. Interface and area configuration
interface GigabitEthernet0/0/0.1
 vlan-type dot1q 10
 alias GigabitEthernet0/0/0.1
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.1.1.1
interface GigabitEthernet0/0/0.2
 vlan-type dot1q 20
 alias GigabitEthernet0/0/0.2
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.1.2.1
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 2.2.2.1 255.255.255.0
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/0.1
 add interface GigabitEthernet0/0/0.2
firewall zone name isp1
 set priority 30
 add interface GigabitEthernet0/0/1
firewall zone name isp2
 set priority 35
 add interface GigabitEthernet0/0/2
2. Inter-domain policy configuration:
policy interzone trust isp1 outbound
 policy 1
  action permit
  policy source 10.1.0.0 0.0.255.255
policy interzone trust isp2 outbound
 policy 1
  action permit
  policy source 10.1.0.0 0.0.255.255
3. NAT configuration:
nat address-group 1 jishu 1.1.1.5 1.1.1.10
nat address-group 2 xingzheng 2.2.2.5 2.2.2.10
nat-policy interzone trust isp1 outbound
 policy 1
  action source-nat
  policy source 10.1.0.0 0.0.255.255
  address-group jishu
nat-policy interzone trust isp2 outbound
 policy 1
  action source-nat
  policy source 10.1.0.0 0.0.255.255
  address-group xingzheng
4. IP-Link link detection configuration
ip-link check enable
ip-link 1 destination 1.1.1.100 interface GigabitEthernet 0/0/1 mode icmp
ip-link 2 destination 2.2.2.100 interface GigabitEthernet 0/0/2 mode icmp
5. Policy routing configuration
acl number 3001
 rule 10 permit ip source 10.1.1.0 0.0.0.255
acl number 3002
 rule 10 permit ip source 10.1.2.0 0.0.0.255
policy-based-route huawei permit node 1
 if-match acl 3001
 apply ip-address next-hop 1.1.1.100
policy-based-route huawei permit node 2
 if-match acl 3002
 apply ip-address next-hop 2.2.2.100
This policy route is referenced on G0/0/0.1 and G0/0/0.2, respectively.
interface GigabitEthernet0/0/0.1
 ip policy-based-route huawei
interface GigabitEthernet0/0/0.2
 ip policy-based-route huawei
Configure two default routes, one to ISP-1 and one to ISP-2:
ip route-static 0.0.0.0 0.0.0.0 1.1.1.100 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.100 track ip-link 2
ISP-1 and ISP-2 interface configuration:
ISP-1:
interface GigabitEthernet0/0/0
 ip address 1.1.1.100 255.255.255.0
ISP-2:
interface GigabitEthernet0/0/0
 ip address 2.2.2.100 255.255.255.0
Test:
1. On a computer in the Technology Department and on one in the Administration Department, run ping 8.8.8.8 -t, then check the NAT translation on the USG by entering display firewall session table verbose, as shown in the following figure:
2. At this point, shut down G0/0/0 on ISP-1 and observe whether the Technology Department switches to ISP-2 to access the Internet.
As can be seen from the above, the Technology Department host 10.1.1.2 has been successfully translated to 2.2.2.10.
At this point, the experimental configuration is complete.
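The path selection that the test above exercises, written as a small Python model. This is an added example, not part of the original article and not Huawei code. The subnets, next hops, zones and NAT address groups are copied from the configuration above; the function names are hypothetical, and the fallback to the remaining default route when a policy-route next hop is down is an assumption of the model that matches the observed translation of 10.1.1.2 to 2.2.2.10.

```python
import ipaddress

# Values copied from the USG configuration on this page.
PBR_NODES = [  # policy-based-route huawei: (ACL source subnet, next hop)
    (ipaddress.ip_network("10.1.1.0/24"), "1.1.1.100"),  # node 1, acl 3001
    (ipaddress.ip_network("10.1.2.0/24"), "2.2.2.100"),  # node 2, acl 3002
]
DEFAULT_NEXT_HOPS = ["1.1.1.100", "2.2.2.100"]  # tracked by ip-link 1 and 2
ZONE_OF = {"1.1.1.100": "isp1", "2.2.2.100": "isp2"}
NAT_SOURCE = ipaddress.ip_network("10.1.0.0/16")  # 10.1.0.0 0.0.255.255
NAT_POOL = {"isp1": ("jishu", "1.1.1.5", "1.1.1.10"),
            "isp2": ("xingzheng", "2.2.2.5", "2.2.2.10")}


def select_egress(src, up):
    """Return (zone, NAT pool name) for source address src, or None.

    up maps each ISP next hop to True/False, i.e. the IP-Link probe result.
    Assumption of this model: a PBR node whose next hop is down is skipped
    and the packet falls back to the remaining tracked default route.
    """
    ip = ipaddress.ip_address(src)
    next_hop = None
    for subnet, hop in PBR_NODES:
        if ip in subnet:
            next_hop = hop if up[hop] else None
            break
    if next_hop is None:
        # Default routes whose ip-link is down are withdrawn. The choice
        # between two equal default routes is not modelled: first one wins.
        next_hop = next((h for h in DEFAULT_NEXT_HOPS if up[h]), None)
    if next_hop is None:
        return None
    zone = ZONE_OF[next_hop]
    pool = NAT_POOL[zone][0] if ip in NAT_SOURCE else None
    return zone, pool


def pool_contains(zone, addr):
    """True if addr lies inside the NAT address group used towards zone."""
    _, low, high = NAT_POOL[zone]
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(low) <= a <= ipaddress.ip_address(high)
```

The model also shows why both interzone policies and both NAT policies match 10.1.0.0 0.0.255.255 rather than a single department subnet: after a failover, either department can leave through either zone.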