The company accesses the Internet over a 10 Mbps China Telecom line. VPNs to each subsidiary, carrying business data, have been established over this same line. A 10 Mbps China Unicom line has now been added to share the load, and the following must be achieved without changing anything on the Telecom line:
1. VPN traffic is still carried over the Telecom line
2. The company's internal network segments continue to communicate with each other normally
3. Internet traffic from the headquarters 10 segment is forwarded over China Unicom, and Internet traffic from the 90 segment is forwarded over China Telecom
Because the Internet egress device is an SSG140, after checking the relevant documentation we decided to use its PBR function to meet this requirement. The topology is as follows:
[Figure: network topology]
PBR (Policy-Based Routing) forwards packets that match a policy according to the specified route; matching can be based on source address, source port, protocol, destination address, destination port and other criteria. Traffic that does not match any policy is forwarded according to the default route table. OK, let's go!
1. Configure China Unicom line access
The China Unicom line is connected to port Ethernet0/7 of the SSG140, so the Unicom public IP address, working mode and other settings must be configured on this port. After logging on to the web interface, select Network > Interface > Ethernet0/7 and configure it as follows:
[Screenshot: Ethernet0/7 interface configuration]
Note: port Ethernet0/7 is bound to the Untrust zone.
2. Configure the PBR Function
The PBR function must be configured in sequence: EACL, Match Group, Action Group, Policy, and Binding. The configuration is as follows:
1. An EACL defines the matching criteria of a policy, such as the source address and destination address. Two EACLs are created here as needed:
EACL1: internal traffic, that is, traffic destined for the 10, 90 or 172 segments
EACL2: 10-segment Internet traffic, that is, traffic from source addresses in the 10 segment to destination 0.0.0.0 (any address)
Because 90-segment traffic is forwarded over the Telecom line by default, no EACL is needed for it.
Log on to the firewall's web interface and go to Network > Routing > PBR > Extended ACL List to create the EACLs, for example:
[Screenshot: Extended ACL List]
Note: when creating an EACL, you must create it in the trust-vr routing table.
2. Create Match Groups. Because an EACL contains many entries and is identified only by a number, it is not easy to recognize; a Match Group gives it a readable name. We only need two Match Groups: Intranet matches the EACL for internal traffic, and Internet-LT matches the 10-segment Internet traffic. Click Network > Routing > PBR > Match Group List and configure as follows:
[Screenshot: Match Group List]
3. An Action Group specifies how matching packets are handled, that is, how they are routed and forwarded. 10-segment Internet traffic is sent directly to the China Unicom line, that is, interface E0/7; for internal traffic no action needs to be specified, and the firewall forwards it according to the default route table. Click Network > Routing > PBR > Action Group List and configure as follows:
[Screenshot: Action Group List]
4. Create a Policy. The policy associates the Match Group and Action Group created in the previous steps, so that packets matching the EACL are processed according to the specified Action Group. Note that a policy set contains multiple policies and they are evaluated from top to bottom by ID, so the internal-traffic policy must be placed at the top. Click Network > Routing > PBR > Policy List and configure as follows:
[Screenshot: Policy List]
5. Bind the policy. This step makes the created policy take effect; packets are forwarded according to the policy only after it is bound. A policy can be bound to an interface, a security zone, a virtual router, and so on. Here we bind the policy to the interface where the 10 segment is located, E0/0. Click Network > Routing > PBR > Policy Binding and configure as follows:
[Screenshot: Policy Binding]
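To make the ordering rule from step 4 concrete, here is an added Python model of the policy set built above (example code written for this article, not the firewall's own logic). It evaluates the EACL entries of each policy top to bottom, first match wins, and shows what happens when the Internet-LT policy is placed above the Intranet policy. The /8 and /12 masks for the 10, 90 and 172 segments are assumed, since the post only names the segments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumed masks for the post's "10", "90" and "172" segments (constructed).
SEG10 = ipaddress.ip_network("10.0.0.0/8")
SEG90 = ipaddress.ip_network("90.0.0.0/8")
SEG172 = ipaddress.ip_network("172.16.0.0/12")

@dataclass
class EaclEntry:
    """One extended-ACL entry: a source prefix and a destination prefix."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

@dataclass
class Policy:
    """A match group (list of EACL entries) tied to an action group.
    action=None models an empty action group: use the default route table."""
    name: str
    match_group: List[EaclEntry]
    action: Optional[str]

DEFAULT = "default-route-table"

def route(policy_set, src, dst):
    """Evaluate policies top to bottom; the first matching policy decides."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy in policy_set:
        if any(e.matches(src_ip, dst_ip) for e in policy.match_group):
            return policy.action or DEFAULT
    return DEFAULT  # traffic matching no policy follows the route table

# EACL1: internal traffic, anything destined for the 10, 90 or 172 segments.
INTRANET = Policy("Intranet", [EaclEntry(ANY, n) for n in (SEG10, SEG90, SEG172)], None)
# EACL2: 10-segment Internet traffic, sent out the China Unicom interface.
INTERNET_LT = Policy("Internet-LT", [EaclEntry(SEG10, ANY)], "ethernet0/7")

CORRECT_ORDER = [INTRANET, INTERNET_LT]  # internal traffic first, as the post requires
WRONG_ORDER = [INTERNET_LT, INTRANET]    # same policies, Internet rule placed first

def decide(src, dst, policy_set=CORRECT_ORDER):
    return route(policy_set, src, dst)

if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for an Internet host.
    for order, label in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        print(label, "10 -> Internet:", decide("10.1.1.10", "203.0.113.5", order))
        print(label, "10 -> 90 segment:", decide("10.1.1.10", "90.1.1.10", order))
```

With the wrong order, traffic from the 10 segment to the 90 segment matches Internet-LT first and is pushed out the Unicom interface instead of being routed internally, which is exactly why the post puts the Intranet policy on top.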
So far we have completed the PBR configuration; now we check whether traffic is handled as required.
3. Verification results
1. Is VPN traffic still carried over the Telecom line?
Because the VPN is established over the Telecom line and no VPN tunnel has been set up on the Unicom line, as long as the internal segments can reach the subsidiaries over the VPN, VPN traffic is working normally.
We ping the subsidiary's network segment from a 90-segment host and a 10-segment host respectively, for example:
[Screenshots: ping results from the 90-segment and 10-segment hosts]
2. Can the company's internal segments communicate with each other? Pinging a 10-segment IP address from a 90-segment host succeeds:
[Screenshot: ping from the 90-segment host to a 10-segment IP address]
3. Does the Internet traffic of the 10 and 90 segments take the corresponding line? Visit IP138.COM from a host in each of the 10 and 90 segments to query its public IP address, for example:
10-segment host:
[Screenshot: public IP address reported for the 10-segment host]
90-segment host:
[Screenshot: public IP address reported for the 90-segment host]
This article is from the "OnMyWay" blog; please keep this source: http://active.blog.51cto.com/1100981/1119894