Recently I ran into a fairly common and representative case, and I am glad to write it up and share it. I hope you will support it.
Requirement: add a new ISP egress and steer traffic for specific URLs out through that egress.
Before the network change we held a three-way discussion and produced a fairly complete access plan with operating details. Remember, this step is very important for a network engineer during a build; certain links in the process must be there, otherwise it is extremely unprofessional practice.
OK, let's serve the main course.
The current network topology diagram is shown below:
[Image: current network topology diagram]
Current topology description:
Fully redundant network architecture, uplinks to a pure BGP network, management and production traffic on physically separate lines
Network edge deployed in active/passive (A/P) mode
Core switching uses Huawei S9300 series switches in a virtualized (CSS) deployment
Load balancing uses Citrix NetScaler in a high-availability deployment
Access layer uses S5700 stacks
STP is not enabled
Current topology benefits:
No single point of failure at any node from top to bottom; a standard enterprise DC deployment plan
Background for the current change:
Problem analysis: on the current egress BGP line, access to specific regions of the USA and to South Korea suffers frequent packet loss and heavy delay jitter, which affects the business platform's calls, has a measurable impact on the business, and has drawn complaints from the business units.
New requirement analysis: a separate optimized line for the international direction, connected by tunnel or leased line, with traffic to specific target URL hosts steered onto that international line.
Finalized plan: a Cisco 1841 plus one expansion card slot, deployed in VRRP mode and connected into the core switching zone so that the redundant structure of the overall network is not compromised. The requirement is implemented by mounting PBR globally on the switch. The reference diagram is as follows:
[Image: planned topology with the Cisco 1841 connected to the core switching zone in VRRP mode]
Current topology description:
Omitted (everyone understands it; I find I am too wordy)
OK, on to the implementation phase. Wait, there's a problem!!!!!! A big problem.
The URL is a domain name, but the switch's PBR can only specify IP addresses. If the domain name uses intelligent resolution (a common geo-redundancy technique today), it resolves to multiple IP addresses; or the domain itself may point at a server that obtains its address via PPPoE, or at a NAT pool.
The current switch software version does not support writing PBR (the PBR configuration commands cannot be tab-completed; after checking with after-sales support, an upgrade is required!!!)
The customer does not allow any adjustment that causes an interruption.
We held an emergency consultation with the user on a solution. In the end I proposed connecting the hk-router to the firewall (the firewall vendor is Hillstone Networks); reading the configuration manual in detail, the firewall's PBR can be written against URLs. Instant relief!! The web UI configuration reference is as follows:
[Image: Hillstone web UI PBR configuration with a domain name as the destination]
PS: Fill in the destination with the domain name you need to access. Praise!!
Well, after the emergency negotiation, our topology diagram becomes the following.
[Image: revised topology with the hk-router connected through the firewall]
Topology description:
The new hk-router is interconnected through the firewall
Hillstone PBR is used to implement the requirement
Well, that was a false alarm, and we began the implementation. The result also shows that the earlier meetings, discussions and planning were very important; the implementation phase went very smoothly.
Configuration ideas for the hk-router connecting the dedicated line:
The physical leased line connects to the router, with the default route pointing to the HK side
Create a subnet for the user to use
The reference diagram is as follows:
[Image: hk-router leased-line and subnet configuration]
CLI configuration of the firewall: (some key parameters have been sanitized; let me remind you again: sharing experience summaries is good, but you must protect your employer's privacy and trade secrets, otherwise a lawsuit could even land you in a cell)
pbr-policy "hk-router" vrouter "TRUST-VR"      (PBR definition and rule configuration)
  match id 1
    src-ip 172.19.0.0/16
    dst-host "ap2.x.com"
    dst-host "ap1.x.com"
    dst-host "login.x.com"
    service "any"
    nexthop 202.1.2.3
  exit
exit
ip vrouter "TRUST-VR"                           (bind the PBR policy on the global virtual router)
  bind pbr-policy "hk-router"
The web UI configuration reference is as follows:
[Image: Hillstone web UI showing the PBR policy bound to the virtual router]
PS: One thing to mention: many of us subconsciously assume that PBR hangs off an interface. With the firewall used here you need to pay attention to where you mount it. Of course it also supports binding to an interface, and even to a security zone; the Hillstone firewall is really quite impressive.
At this point our configuration is done, but we found that access still does not work. Why? Because on a firewall, compared with PBR on a switch, a few more things need to be configured:
1. Inter-zone policy permit
2. Reachable routing (round trip)
3. NAT
Let's take the following as an example:
[Image: traffic path from the 172.19.0.0/16 DMZ hosts through the firewall to the hk-router]
Expanding on the three questions above:
Inter-zone policy permit (source: DMZ, destination: HK) added to the configuration
Return routing
The hk-router has no return route for 172.19.0.0/16 via 103.10.1.2, which means we need to use NAT. (The communication with the HK side is not allowed to be adjusted, so we could only find a way around it. I nearly fainted; the Hong Kong operator is such a pain, I'm speechless)
NAT direction: from the DMZ to the HK zone. Here we must understand the direction of traffic. In my firewall operation and maintenance experience I have concluded that if you do not understand the direction of traffic, or have no feel for it at all, the firewall will make you miserable.
Based on the above analysis, we added the following configuration (described in text):
1. For 172.19.0.0/16 accessing the target domain names, NAT the source to the outbound interface 103.10.1.2
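To make the return-routing point concrete, here is an added Python model of the flow described above (example code, not part of the original post or any Hillstone product): a PBR match on source 172.19.0.0/16 and the three dst-host entries sends traffic to next hop 202.1.2.3, and the hk-router's table (assumed: the connected user subnet as 103.10.1.0/24 plus a default route to the HK side) decides whether the reply finds its way back. The resolved addresses are constructed documentation-range placeholders.

```python
import ipaddress

# Constructed resolution table standing in for the firewall's dst-host lookup;
# the addresses are documentation-range placeholders, not the real hosts.
RESOLVED = {
    "ap1.x.com": {"203.0.113.10"},
    "ap2.x.com": {"203.0.113.11", "203.0.113.12"},  # several A records, as the post warns
    "login.x.com": {"198.51.100.5"},
}
PBR_SRC = ipaddress.ip_network("172.19.0.0/16")
PBR_HOSTS = ("ap2.x.com", "ap1.x.com", "login.x.com")
PBR_NEXTHOP = "202.1.2.3"
FW_OUT_IF = "103.10.1.2"  # firewall interface facing the hk-router (from the post)

# hk-router forwarding table as the post describes it: the user subnet it is
# connected to (assumed /24) plus a default route toward the HK side, and
# no route back to 172.19.0.0/16.
HK_ROUTER_ROUTES = {
    ipaddress.ip_network("103.10.1.0/24"): "connected",
    ipaddress.ip_network("0.0.0.0/0"): "hk-leased-line",
}


def pbr_match(src_ip, dst_ip):
    """Return the PBR next hop if the flow hits match id 1, else None (normal routing)."""
    if ipaddress.ip_address(src_ip) not in PBR_SRC:
        return None
    for host in PBR_HOSTS:
        if dst_ip in RESOLVED[host]:
            return PBR_NEXTHOP
    return None


def hk_router_egress(dst_ip):
    """Longest-prefix match on the hk-router's table."""
    addr = ipaddress.ip_address(dst_ip)
    best = max((n for n in HK_ROUTER_ROUTES if addr in n), key=lambda n: n.prefixlen)
    return HK_ROUTER_ROUTES[best]


def round_trip(src_ip, dst_ip, snat):
    """Trace one flow out via PBR and its reply back; snat models the DMZ->HK source NAT."""
    if pbr_match(src_ip, dst_ip) != PBR_NEXTHOP:
        return "not-pbr"
    reply_dst = FW_OUT_IF if snat else src_ip  # what the remote side replies to
    back = hk_router_egress(reply_dst)
    return "ok" if back == "connected" else "blackhole via " + back
```

Without source NAT the reply to 172.19.x.x follows the hk-router's default route out the leased line and never returns; with the source translated to 103.10.1.2 it lands on the connected subnet.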
End-user test passed, happy. Secretly delighted!!! Now to get the project manager to pay overtime!!! Ha ha
Finally, a word for you: as a network engineer, always remember that carefulness is the key to success!!!
—————————— shared by a network engineer at a tier-two operator
This article is from the blog "Allen on the road: from zero to one"; please contact the author before reprinting!
Hillstone Networks PBR (policy-based routing) with URL destinations: experience sharing