Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

HillStone long NAT uses different network bandwidth egress

2025-03-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)06/01 Report--

1. Create port aggregation to ensure port redundancy. Use LACP. And put the relevant ports into the aggregation group. The planned agg1 is LAN (connecting customers) and agg2 is WAN (connecting multiple bandwidths).

Config

Interface aggregate1

Lacp enable

Interface aggregate2

Lacp enable

Interface xethernet4/0

Aggregate aggregate1

Interface xethernet4/1

Aggregate aggregate1

Interface xethernet4/2

Aggregate aggregate2

Interface xethernet4/3

Aggregate aggregate2

2. Create a management port, and add the management port to trusst zone to allow ping http telnet ssh snmp. For insurance, create two management ports for mutual backup.

Interface aggregate1.100

Zone "trust"

Ip address 103.246.132.64 255.255.255.0

Manage ping

Manage http

Manage https

Manage telnet

Manage ssh

Manage snmp

Interface aggregate2.120

Zone "trust"

Ip address 124.113.229.158 255.255.255.252

Manage ping

Manage http

Manage https

Manage telnet

Manage ssh

Manage snmp

No reverse-route disables reverse routing. When the data arrives, it does not check the local routing table and returns directly from 2.120.

Reverse routing can be understood as when the device returns the packet, it regards the accessed source ip as the destination address and then looks up the routing table on the device to determine which interface to return the packet from.

Turning off reverse routing means that it is generally understood that the interface from which the data comes from and the interface from which the packet is returned, there is no process of reverse routing query.

3. Create subinterfaces and interconnected IP to customers and mutual resources.

Interface aggregate1.110

Zone "trust"

Ip address 10.10.110.2 255.255.255.252

Description "jsyd"

Manage ping

Manage telnet

Agg 1.110 is the interconnection to the customer, adding to trust zone

Interface aggregate2.121

Zone "untrust"

Ip address 10.10.121.1 255.255.255.252

Description "ahdx1"

Manage telnet

Manage ping

Reverse-route prefer

Exit

Interface aggregate2.122

Zone "untrust"

Ip address 10.10.122.1 255.255.255.252

Description "ahdx2"

Manage ping

Exit

Interface aggregate2.123

Zone "untrust"

Ip address 10.10.123.1 255.255.255.252

Description "wzdx1"

Manage ping

Manage telnet

Exit

Interface aggregate2.124

Zone "untrust"

Ip address 10.10.124.1 255.255.255.252

Description "shjh-1"

Manage ping

Agg 2.121 2.122 2.123 2.124 is an interconnection to different exits. Join utrust zone.

4. Create the customer's address range table and each bandwidth NAT address table.

Address jsyd

Ip 1.51.32.0/20

Ip 1.51.48.0/21

Ip 21.228.228.0/22

Ip 43.254.84.0/22

Ip 58.68.228.16/29

Customer's address field

Address ahdx1

Ip 124.113.229.104/30

Address ahdx2

Ip 124.113.229.152/30

Address wzdx1

Ip 122.228.229.120/30

Address shjh2

Ip 117.21.164.128/30

Each resource is used as the address field of NAT.

5. Create security rules to ensure that trust can access utrust

Rule 1

Action permit

Src-zone trust

Dst-zone untrust

Src-addr jsyd

Dst-addr Any

Service Any

Name 1

Allow trust zone to access utrust zone

Rule 2

Action permit

Src-zone untrust

Dst-zone trust

Src-addr Any

Dst-addr Any

Service Any

Name 2

Allow utrust to access trust zone.

6. Add the customer's backhaul route.

Ip vrouter trust-vr

Ip route 1.51.32.0/20 aggregate1.110 10.10.110.1 description jsyd-1104

Ip route 1.51.48.0/21 aggregate1.110 10.10.110.1 description jsyd-1104

Ip route 21.228.228.0/22 aggregate1.110 10.10.110.1 description jsyd-1104

Ip route 43.254.84.0/22 aggregate1.110 10.10.110.1 description jsyd-1104

Ip route 58.68.228.16/29 aggregate1.110 10.10.110.1 description jsyd-1104

7. Create default routes to different exits. Since devices match NAT rules before routing, all exits can be added as default routes at the same time.

Ip vrouter trust-vr

Ip route 0.0.0.0/0 aggregate2.120 124.113.229.157

Ip route 0.0.0.0Comp0 aggregate2.121 10.10.121.2 description ahyd1-1G

Ip route 0.0.0.0Comp0 aggregate2.122 10.10.122.2 description ahyd2-1G

Ip route 0.0.0.0/0 aggregate2.123 10.10.123.2 description wzdx-2G

Ip route 0.0.0.0Comp0 aggregate2.124 10.10.124.2 description shjh2-1G

Ip route 0.0.0.0Comp0 aggregate2.125 10.10.125.2 description shjh3-0.75G

8. Create NAT rules.

Ip vrouter trust-vr

Snatrule id 1 from jsyd to any eif aggregate2.121 trans-to address-book ahdx1 mode dynamicport sticky log

Snatrule id 2 from jsyd to any eif aggregate2.122 trans-to address-book ahdx2 mode dynamicport sticky log

Snatrule id 3 from jsyd to any eif aggregate2.123 trans-to address-book wzdx1 mode dynamicport sticky log

Snatrule id 4 from jsyd to any eif aggregate2.124 trans-to address-book shjh2 mode dynamicport sticky log

When using multiple egress for NAT, packets will be routed egress by default. If dynamicport sticky is used, the traffic of each egress will be uneven, because sticky will keep the same session to one IP address.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report