2025-03-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
1. Create port aggregation groups for link redundancy, enable LACP, and place the member ports in the groups. As planned, aggregate1 is the LAN side (toward the customer) and aggregate2 is the WAN side (toward the multiple upstream links).
config
interface aggregate1
  lacp enable
interface aggregate2
  lacp enable
interface xethernet4/0
  aggregate aggregate1
interface xethernet4/1
  aggregate aggregate1
interface xethernet4/2
  aggregate aggregate2
interface xethernet4/3
  aggregate aggregate2
2. Create the management interfaces and add them to the trust zone, allowing ping, http, telnet, ssh and snmp. As a safeguard, create two management interfaces that back each other up.
interface aggregate1.100
  zone "trust"
  ip address 103.246.132.64 255.255.255.0
  manage ping
  manage http
  manage https
  manage telnet
  manage ssh
  manage snmp
interface aggregate2.120
  zone "trust"
  ip address 124.113.229.158 255.255.255.252
  manage ping
  manage http
  manage https
  manage telnet
  manage ssh
  manage snmp
no reverse-route disables reverse routing: when a packet arrives, the device does not consult its routing table for the reply but sends it straight back out of aggregate2.120.
Reverse routing means that when the device returns a packet, it treats the source IP of the original request as the destination address and looks up the routing table to decide which interface the reply should leave from.
With reverse routing turned off, the reply leaves through the interface the request arrived on; no reverse-route lookup takes place.
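To make the three behaviours concrete, here is an added Python model of the reply-path decision; it is not code from the article or from the firewall vendor. The routing table is a constructed cut-down version of the article's trust-vr (one default route only, so the lookup result is unambiguous), and the meaning of the three modes (no reverse-route, reverse-route enable, reverse-route prefer) is my reading of the StoneOS behaviour, stated as an assumption in the code.

```python
import ipaddress

# Constructed routing table in the shape of the article's trust-vr (assumption:
# only one default route is kept here so the lookup result is unambiguous).
ROUTES = [
    ("1.51.32.0/20", "aggregate1.110"),   # customer backhaul route
    ("0.0.0.0/0", "aggregate2.121"),      # one of the article's default routes
]


def lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match of dst_ip against the routing table; None if no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_interface(session, mode, routes=ROUTES):
    """Interface the reply to `session` leaves from.

    session: {"src": original source IP, "in_iface": interface it arrived on}
    mode (assumed StoneOS semantics, my reading of the three settings):
      "disable" -> no reverse-route: always reply out of the ingress interface
      "enable"  -> reverse-route enable: route by the original source, drop if none
      "prefer"  -> reverse-route prefer: route by the original source, else ingress
    """
    if mode == "disable":
        return session["in_iface"]
    via = lookup(session["src"], routes)
    if mode == "enable":
        return via
    if mode == "prefer":
        return via or session["in_iface"]
    raise ValueError(f"unknown reverse-route mode {mode!r}")


def is_asymmetric(session, mode, routes=ROUTES):
    """True when the reply would leave a different interface than the request used."""
    out = reply_interface(session, mode, routes)
    return out is not None and out != session["in_iface"]


# Constructed sessions: an operator reaching the management address through the
# second link, and a customer host reaching the firewall through aggregate1.110.
MGMT_SESSION = {"src": "203.0.113.7", "in_iface": "aggregate2.120"}
CUSTOMER_SESSION = {"src": "1.51.33.5", "in_iface": "aggregate1.110"}

if __name__ == "__main__":
    for name, s in (("management", MGMT_SESSION), ("customer", CUSTOMER_SESSION)):
        for mode in ("disable", "enable", "prefer"):
            flag = "  (asymmetric)" if is_asymmetric(s, mode) else ""
            print(f"{name:10s} {mode:8s} reply via {reply_interface(s, mode)}{flag}")
```

The management session shows why the article disables reverse routing on aggregate2.120: with a default route pointing at another exit, a reverse-route lookup sends the reply out of aggregate2.121 instead of the link the request came in on, and the session breaks. The customer session is unaffected because its backhaul route already points back at aggregate1.110.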
3. Create subinterfaces and interconnection IPs toward the customer and toward each upstream resource.
interface aggregate1.110
  zone "trust"
  ip address 10.10.110.2 255.255.255.252
  description "jsyd"
  manage ping
  manage telnet
aggregate1.110 is the interconnection to the customer and is placed in the trust zone.
interface aggregate2.121
  zone "untrust"
  ip address 10.10.121.1 255.255.255.252
  description "ahdx1"
  manage telnet
  manage ping
  reverse-route prefer
  exit
interface aggregate2.122
  zone "untrust"
  ip address 10.10.122.1 255.255.255.252
  description "ahdx2"
  manage ping
  exit
interface aggregate2.123
  zone "untrust"
  ip address 10.10.123.1 255.255.255.252
  description "wzdx1"
  manage ping
  manage telnet
  exit
interface aggregate2.124
  zone "untrust"
  ip address 10.10.124.1 255.255.255.252
  description "shjh-1"
  manage ping
aggregate2.121, 2.122, 2.123 and 2.124 are the interconnections to the different exits and are placed in the untrust zone.
4. Create the customer's address-range table and a NAT address table for each upstream link.
address jsyd
  ip 1.51.32.0/20
  ip 1.51.48.0/21
  ip 21.228.228.0/22
  ip 43.254.84.0/22
  ip 58.68.228.16/29
The customer's address range.
address ahdx1
  ip 124.113.229.104/30
address ahdx2
  ip 124.113.229.152/30
address wzdx1
  ip 122.228.229.120/30
address shjh2
  ip 117.21.164.128/30
Each upstream resource's range is used as the NAT address pool for that exit.
5. Create security rules so that the trust zone can reach the untrust zone.
rule 1
  action permit
  src-zone trust
  dst-zone untrust
  src-addr jsyd
  dst-addr Any
  service Any
  name 1
Allows the trust zone to access the untrust zone.
rule 2
  action permit
  src-zone untrust
  dst-zone trust
  src-addr Any
  dst-addr Any
  service Any
  name 2
Allows the untrust zone to access the trust zone.
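As an added illustration (not code from the article or from the vendor), the following Python evaluates sample flows against the two rules above exactly as a zone-based policy lookup does: first match wins, and a flow that matches nothing falls to the inter-zone default, which I assume to be deny. It also includes a small audit helper that lists permit rules into an inside zone that restrict neither source, destination nor service, which is what rule 2 looks like. The address book is the one from step 4; the flows and the 198.51.100.x / 192.0.2.x addresses are constructed.

```python
import ipaddress

# Address book from step 4 of the article; "Any" is the built-in catch-all.
ADDRESS_BOOK = {
    "jsyd": ["1.51.32.0/20", "1.51.48.0/21", "21.228.228.0/22",
             "43.254.84.0/22", "58.68.228.16/29"],
    "Any": ["0.0.0.0/0"],
}

# The two rules from step 5, in lookup order.
RULES = [
    {"id": 1, "action": "permit", "src_zone": "trust", "dst_zone": "untrust",
     "src_addr": "jsyd", "dst_addr": "Any", "service": "Any"},
    {"id": 2, "action": "permit", "src_zone": "untrust", "dst_zone": "trust",
     "src_addr": "Any", "dst_addr": "Any", "service": "Any"},
]


def addr_matches(book_entry, ip):
    """True if ip falls in any prefix of the named address-book entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[book_entry])


def evaluate(flow, rules=RULES):
    """First matching rule wins; with no match the inter-zone default (assumed deny) applies.

    flow: {"src_zone", "dst_zone", "src", "dst", "service"}
    Returns (action, rule id or None).
    """
    for r in rules:
        if (r["src_zone"] == flow["src_zone"]
                and r["dst_zone"] == flow["dst_zone"]
                and addr_matches(r["src_addr"], flow["src"])
                and addr_matches(r["dst_addr"], flow["dst"])
                and r["service"] in ("Any", flow["service"])):
            return r["action"], r["id"]
    return "deny", None


def broad_inbound_rules(rules=RULES, inside_zones=("trust",)):
    """Audit helper: ids of permit rules into an inside zone that match any
    source, any destination and any service, i.e. rules that restrict nothing."""
    return [r["id"] for r in rules
            if r["action"] == "permit" and r["dst_zone"] in inside_zones
            and r["src_addr"] == "Any" and r["dst_addr"] == "Any"
            and r["service"] == "Any"]


# Constructed flows: a customer host going out, a trust-side host outside the
# customer ranges going out, and an Internet host reaching the management address.
CUSTOMER_OUT = {"src_zone": "trust", "dst_zone": "untrust",
                "src": "1.51.33.5", "dst": "198.51.100.20", "service": "HTTP"}
NON_CUSTOMER_OUT = {"src_zone": "trust", "dst_zone": "untrust",
                    "src": "192.0.2.5", "dst": "198.51.100.20", "service": "HTTP"}
INTERNET_IN = {"src_zone": "untrust", "dst_zone": "trust",
               "src": "198.51.100.7", "dst": "103.246.132.64", "service": "TELNET"}

if __name__ == "__main__":
    for name, f in (("customer out", CUSTOMER_OUT), ("non-customer out", NON_CUSTOMER_OUT),
                    ("internet in", INTERNET_IN)):
        print(f"{name:17s} -> {evaluate(f)}")
    print("permit rules into trust with Any/Any/Any:", broad_inbound_rules())
```

Running it shows that only jsyd sources are permitted outbound (rule 1), that an inbound flow from anywhere to the management interface is permitted by rule 2, and that rule 2 is the one flagged by the audit helper; tightening it means replacing Any in src-addr, dst-addr or service with the specific peers and protocols the return traffic and management access actually need.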
6. Add the customer's backhaul (return) routes.
ip vrouter trust-vr
  ip route 1.51.32.0/20 aggregate1.110 10.10.110.1 description jsyd-1104
  ip route 1.51.48.0/21 aggregate1.110 10.10.110.1 description jsyd-1104
  ip route 21.228.228.0/22 aggregate1.110 10.10.110.1 description jsyd-1104
  ip route 43.254.84.0/22 aggregate1.110 10.10.110.1 description jsyd-1104
  ip route 58.68.228.16/29 aggregate1.110 10.10.110.1 description jsyd-1104
7. Create default routes to the different exits. Because the device matches NAT rules before routing, all exits can be added as default routes at the same time.
ip vrouter trust-vr
  ip route 0.0.0.0/0 aggregate2.120 124.113.229.157
  ip route 0.0.0.0/0 aggregate2.121 10.10.121.2 description ahyd1-1G
  ip route 0.0.0.0/0 aggregate2.122 10.10.122.2 description ahyd2-1G
  ip route 0.0.0.0/0 aggregate2.123 10.10.123.2 description wzdx-2G
  ip route 0.0.0.0/0 aggregate2.124 10.10.124.2 description shjh2-1G
  ip route 0.0.0.0/0 aggregate2.125 10.10.125.2 description shjh3-0.75G
8. Create NAT rules.
ip vrouter trust-vr
  snatrule id 1 from jsyd to any eif aggregate2.121 trans-to address-book ahdx1 mode dynamicport sticky log
  snatrule id 2 from jsyd to any eif aggregate2.122 trans-to address-book ahdx2 mode dynamicport sticky log
  snatrule id 3 from jsyd to any eif aggregate2.123 trans-to address-book wzdx1 mode dynamicport sticky log
  snatrule id 4 from jsyd to any eif aggregate2.124 trans-to address-book shjh2 mode dynamicport sticky log
When several exits are used for NAT, packets are spread across the exits by the routing by default. If dynamicport sticky is used, the load on the exits becomes uneven, because sticky keeps the sessions of the same source on one translated IP address, and therefore on one exit.
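The unevenness is easiest to see with numbers, so here is an added Python model (not the article's or the vendor's code) of the NAT step above: a flow first has to match a snatrule (from jsyd), then its new session is placed on one of the four exits that have a rule. Sticky is modelled as "the first session of a source chooses an exit, every later session of that source is pinned to it"; the choice itself is modelled as round-robin, which is an assumption made so the figures are reproducible (the real device hashes, but the pinning effect is the same). The traffic sample, with one heavy customer host and forty light ones, is constructed.

```python
import ipaddress
from collections import Counter

# Egress interfaces that carry a snatrule, in the article's rule order, and the
# NAT address book each one translates to.
EXITS = ["aggregate2.121", "aggregate2.122", "aggregate2.123", "aggregate2.124"]
NAT_POOL = {"aggregate2.121": "ahdx1", "aggregate2.122": "ahdx2",
            "aggregate2.123": "wzdx1", "aggregate2.124": "shjh2"}

# Address book "jsyd" from step 4: the only sources the snatrules translate.
JSYD = [ipaddress.ip_network(p) for p in (
    "1.51.32.0/20", "1.51.48.0/21", "21.228.228.0/22",
    "43.254.84.0/22", "58.68.228.16/29")]


def matches_jsyd(src_ip):
    return any(ipaddress.ip_address(src_ip) in net for net in JSYD)


class ExitSelector:
    """Places new sessions on the equal-cost exits.

    sticky=True models 'mode dynamicport sticky': the first session of a source
    picks an exit and every later session of that source is pinned to it.
    sticky=False models per-session placement.
    Placement is round-robin here (assumption for reproducibility; the device
    hashes, but pinning behaves the same way).
    """

    def __init__(self, sticky):
        self.sticky = sticky
        self.counter = 0
        self.pinned = {}

    def pick(self, src_ip):
        if self.sticky and src_ip in self.pinned:
            return self.pinned[src_ip]
        eif = EXITS[self.counter % len(EXITS)]
        self.counter += 1
        if self.sticky:
            self.pinned[src_ip] = eif
        return eif


def distribute(flows, sticky):
    """flows: iterable of (src_ip, megabytes), one entry per session.

    Returns (megabytes carried per exit, megabytes from sources no snatrule matches).
    """
    load = Counter({eif: 0 for eif in EXITS})
    unmatched = 0
    selector = ExitSelector(sticky)
    for src_ip, mb in flows:
        if not matches_jsyd(src_ip):      # no 'from jsyd' rule applies
            unmatched += mb
            continue
        load[selector.pick(src_ip)] += mb
    return dict(load), unmatched


def imbalance(load):
    """Ratio between the busiest and the quietest exit (1.0 is perfectly even)."""
    return max(load.values()) / min(load.values())


# Constructed sample: one heavy customer host opening 20 sessions of 100 MB each,
# 40 light customer hosts opening one 1 MB session each, and one non-customer source.
SAMPLE_FLOWS = ([("1.51.33.10", 100)] * 20
                + [(f"1.51.34.{i}", 1) for i in range(1, 41)]
                + [("203.0.113.9", 999)])

if __name__ == "__main__":
    for sticky in (True, False):
        load, dropped = distribute(SAMPLE_FLOWS, sticky)
        print(f"sticky={sticky}: imbalance {imbalance(load):.1f}x, unmatched {dropped} MB")
        for eif, mb in load.items():
            print(f"  {eif} ({NAT_POOL[eif]}): {mb} MB")
```

With sticky the heavy host's 2000 MB all land on the first exit while the other three carry 10 MB each; without sticky the same sessions are spread to 510 MB per exit. The trade-off is that sticky keeps a source on one public address, which some services require across sessions, so whether to use it depends on whether even link utilisation or a stable translated address matters more for the customer.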