Network topology
Hanging the firewall off the switch with PBR (policy-based routing), compared with the VPN-instance bypass method, has the advantage of a shorter network outage when a new device is added; it is currently one of the more common bypass deployment methods.
Forwarding path: PCA -> S2 -> S1 (VLANIF101) -> F1 (VLAN101) -> F1 (VLAN102) -> S1 (VLAN102) -> R1
With PBR bypass, the switch's upstream and downstream interfaces must belong to different OSPF areas so that upstream and downstream traffic stay separated; otherwise forwarding between the firewall and the switch runs into problems. If different OSPF areas are not used for isolation, a VPN instance can be created on the switch instead.
Before implementation, consider the following points:
- The outbound and return paths of redirected traffic must be the same
- The H3C fast-forwarding load-sharing mechanism
- Is it workable for S1's upstream and downstream to be in the same OSPF area?
- Firewall RBM hot-standby (dual-device) deployment
- Where to deploy bidirectional PBR
S1 configuration
# Create VLANs
vlan 10 100 101 102
# Create the OSPF process
ospf 1 router-id 2.2.2.2
# Assign ports to VLANs
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan 1 101 to 102
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 101 to 102
# Configure interconnect addresses
interface Vlan-interface10
ip address 10.10.10.254 255.255.255.0
ospf 1 area 0.0.0.1
#
interface Vlan-interface100
ip address 192.168.100.254 255.255.255.0
ospf 1 area 0.0.0.0
#
interface Vlan-interface101
ip address 192.168.101.254 255.255.255.0
ospf 1 area 0.0.0.0
#
interface Vlan-interface102
ip address 192.168.102.254 255.255.255.0
ospf 1 area 0.0.0.1
# Match the traffic to redirect
acl basic 2000
rule 0 permit source 192.168.10.0 0.0.0.255
#
acl basic 2001
rule 0 permit source 1.1.1.1 0
# Configure PBR
policy-based-route to-R1 permit node 10
if-match acl 2000
apply next-hop 192.168.101.253
#
policy-based-route to-PC permit node 10
if-match acl 2001
apply next-hop 192.168.102.253
# Apply PBR
interface Vlan-interface10
ip policy-based-route to-PC
#
interface Vlan-interface100
ip policy-based-route to-R1
# Disable fast-forwarding load sharing
undo ip fast-forwarding load-sharing
F1 configuration
ospf 1 router-id 4.4.4.4
vlan 101 102
# Configure hot standby (RBM)
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.99.1 255.255.255.252
#
remote-backup group
data-channel interface GigabitEthernet1/0/2
delay-time 1
adjust-cost ospf enable absolute 65535
local-ip 192.168.99.1
remote-ip 192.168.99.2
device-role primary
# Assign ports to VLANs
interface GigabitEthernet1/0/0
port link-type trunk
port trunk permit vlan 1 101 to 102
# Configure interconnect addresses
interface Vlan-interface101
ip address 192.168.101.251 255.255.255.0
ospf 1 area 0.0.0.0
vrrp vrid 1 virtual-ip 192.168.101.253 active
#
interface Vlan-interface102
ip address 192.168.102.251 255.255.255.0
ospf 1 area 0.0.0.1
vrrp vrid 1 virtual-ip 192.168.102.253 active
# Assign security zones
security-zone name Trust
import interface Vlan-interface101
#
security-zone name DMZ
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface Vlan-interface102
#
security-policy ip
rule 0 name ospf
action pass
source-zone local
source-zone untrust
source-zone trust
destination-zone trust
destination-zone untrust
destination-zone local
service ospf
rule 1 name Trust>Untrust
action pass
source-zone trust
destination-zone untrust
rule 2 name Untrust>Trust
action pass
source-zone untrust
destination-zone trust
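As an added check that is not part of the original post, the following Python linter parses a Comware `security-policy ip` block and flags the kind of slips this F1 policy invites: a mistyped zone name (such as `loca`), a pass rule with no `destination-zone` (which matches every destination zone), and a rule whose `X>Y` name disagrees with its zone pairs. The sample policy and the `KNOWN_ZONES` set are constructed for this example.

```python
import re
# Constructed sample modelled on F1's policy, with a 'loca' typo and a rule 2
# that lists two source-zones and no destination-zone, kept on purpose.
SAMPLE_POLICY = """security-policy ip
 rule 0 name ospf
  action pass
  source-zone loca
  source-zone local
  destination-zone local
  service ospf
 rule 1 name Trust>Untrust
  action pass
  source-zone trust
  destination-zone untrust
 rule 2 name Untrust>Trust
  action pass
  source-zone untrust
  source-zone trust
"""
KNOWN_ZONES = {"local", "trust", "untrust", "dmz"}  # zones defined on this page
FIELDS = {"source-zone": "src", "destination-zone": "dst", "service": "service"}

def parse_policy(text):
    """Parse a Comware 'security-policy ip' block into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if len(words) == 4 and words[0] == "rule" and words[2] == "name":
            rules.append({"num": int(words[1]), "name": words[3], "action": "",
                          "src": [], "dst": [], "service": []})
        elif rules and len(words) == 2 and words[0] == "action":
            rules[-1]["action"] = words[1]
        elif rules and len(words) == 2 and words[0] in FIELDS:
            rules[-1][FIELDS[words[0]]].append(words[1])
    return rules

def lint(rules):
    """Return (rule number, finding) pairs for zone typos, open destinations and misnamed rules."""
    findings = []
    for r in rules:
        for zone in r["src"] + r["dst"]:
            if zone not in KNOWN_ZONES:
                findings.append((r["num"], f"unknown zone '{zone}'"))
        if r["action"] == "pass" and not r["dst"]:
            # A rule with no destination-zone matches every destination zone.
            findings.append((r["num"], "pass rule has no destination-zone"))
        m = re.fullmatch(r"(\w+)>(\w+)", r["name"])
        if m and (m[1].lower() not in r["src"] or m[2].lower() not in r["dst"]):
            findings.append((r["num"], f"name '{r['name']}' disagrees with its zones"))
    return findings
```

Running `lint(parse_policy(SAMPLE_POLICY))` reports the typo in rule 0 and both problems with rule 2, while rule 1 passes clean.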
Fast-forwarding load sharing causes a Layer 3 loop
OSPF areas must be different
If VLANIF101 and VLANIF102 were in the same area, S1 and F1 would load-share between the two links: S1 might forward data to the firewall over VLAN102, and the firewall would then forward it back to S1 over VLAN101. But VLAN101 belongs to Trust and VLAN102 to Untrust, so this defeats the purpose of the network design.
Forwarding path under normal conditions
Hot-standby test
When the link between either firewall and the switch goes down, the other device takes over forwarding; endpoints see no packet loss.
Optimizing the network with NQA + Track
When VLANIF101 and VLANIF102 bring up OSPF, they must wait 40 s for DR/BDR election, so NQA + track is used here to speed up link switchover.
S1 configuration
# Create the NQA entry
nqa entry admin to_f_r1
type icmp-echo // type: ICMP echo (ping)
destination ip 192.168.101.253 // probe the firewall's VRRP address
frequency 1000 // probe interval 1000 ms
reaction 1 checked-element probe-fail threshold-type consecutive 2 action-type trigger-only
#
nqa schedule admin to_f_r1 start-time now lifetime forever // start probing now and run indefinitely
#
track 1 nqa entry admin to_f_r1 reaction 1 // bind the track to the NQA entry
delay positive 50 // delay 50 seconds before the track transitions to positive
#
policy-based-route to-R1 permit node 10
if-match acl 2000
apply next-hop 192.168.101.253 track 1 // apply the track
#
policy-based-route to-PC permit node 10
if-match acl 2001
apply next-hop 192.168.102.253 track 1 // apply the track
// If the track is not applied on the return direction, there is still a 40 s delay, because the path becomes PC -> S2 -> S1 -> R1 -> S1 -> F1 -> dropped