Hillstone Networks: HILLSTONE-PBR (policy-based routing) with URL destinations, an application experience share

Source: Internet
Author: User

Recently I ran into a fairly common and representative case, so I am sharing it here. I hope you will support it.

Requirement: a new ISP exit is added, and traffic to specific URLs is steered out through that exit.

Before the network change, after three rounds of communication, we provided a relatively complete access plan and operating details. Remember, this step is very important in a network engineer's construction process; these links must be in place, otherwise it is extremely unprofessional practice.

OK, we'll serve the dishes.

The current network topology is shown below:

[Figure: current network topology (screenshot Qq20161012103938.png)]

Current topology Description:

    1. Fully redundant network architecture; uplinks are pure BGP; management and business lines are physically separated

    2. Network edge deployed in A/P (active/passive) mode

    3. Core switching uses the Huawei S9300 series in a virtualized (CSS) deployment

    4. Load balancing uses Citrix NetScaler in a high-availability deployment

    5. Access layer uses S5700 stacking

    6. STP is not enabled


Current topology Benefits:

No single point of failure at any node from top to bottom; a standard enterprise DC deployment plan


Current renovation background:

Problem analysis: over the current BGP export line, access to specific regions of the USA and to South Korea suffers frequent packet loss and large delay jitter. This affects the business platform's calls and has led to measurable complaints from the business unit.


New requirement analysis: add a separate optimized line for the international direction, interconnected via a tunnel or leased line, and steer traffic for specific target URL hosts onto that international line.


Finalized plan: a Cisco 1841 with one expansion card slot was chosen, deployed in VRRP mode and attached to the core switching zone, so that the redundant structure of the overall network is not compromised. The requirement is realized by mounting PBR globally on the switch. The reference diagram is as follows:

[Figure: planned topology with the Cisco 1841 and switch PBR (screenshot Qq20161012105037.png)]

Current topology description:

Omitted (everyone understands it; I find I am too wordy)


OK, on to the implementation phase. Wait, there is a problem!!! A big problem.


  1. The URL is a domain name, but the switch PBR can only specify IP addresses. If the domain name uses intelligent DNS resolution (the geo-disaster-recovery technique that is common today) it resolves to multiple IP addresses; or the domain may point at a server whose address is obtained via PPPoE, or at a NAT pool.

  2. The current switch software version does not support configuring PBR (the PBR configuration keywords cannot be tab-completed; after checking with after-sales support, an upgrade is required!!!)

  3. The customer does not allow any adjustment that causes an interruption


Urgent consultation with the user on a solution. Finally, I proposed connecting the hk-router to the firewall (firewall vendor: Hillstone Networks). According to the detailed reference configuration manual, the firewall's PBR can be written with a URL. Instant!! The web UI configuration reference is as follows:

[Figure: Hillstone web UI, PBR rule with a domain-name destination (screenshot Qq20161012111308.png)]

PS: Fill in the destination with the domain name you need to reach. Praise!!


Well, after the emergency negotiation, our topology became the following.

[Figure: revised topology with the hk-router behind the firewall (screenshot Qq20161012111502.png)]

Topology Description:

    1. The new hk-router is interconnected through the firewall

    2. HILLSTONE-PBR is used to implement the requirement


Well, that turned out to be a false alarm, and we began the implementation. The results also showed that the earlier meetings, discussions and planning were very important, and the implementation phase went very smoothly.


Configuration idea for the hk-router that connects the dedicated line:

    1. The physical leased line connects to the router; the default route points to the HK side

    2. Create a subnet for the user side to use

The reference diagram is as follows:

[Figure: hk-router leased-line configuration (screenshot Qq20161012113154.png)]


CLI configuration of the firewall (some key parameters have been sanitized). Let me remind you again: sharing experience summaries is good, but you must protect the employer's privacy and trade secrets, otherwise a lawsuit could even land you in a cell.

    pbr-policy "Hk-router" vrouter "TRUST-VR"      <- definition of the PBR policy and its rule
        match id 1
            src-ip 172.19.0.0/16
            dst-host "ap2.x.com"
            dst-host "ap1.x.com"
            dst-host "login.x.com"
            service "any"
            nexthop 202.1.2.3
        exit
    exit

    ip vrouter "TRUST-VR"                          <- bind the PBR policy on the global virtual router
        bind pbr-policy "Hk-router"


The web UI configuration reference is as follows:

[Figure: Hillstone web UI, PBR policy bound to the virtual router (screenshot Qq20161012115228.png)]

PS: One thing to mention: many of us subconsciously assume that PBR is mounted on an interface. With the firewall used here, you need to pay attention to where you mount it; in this case the policy is bound to the virtual router. Of course it also supports binding to an interface, and even to a security zone. The Hillstone firewall is really quite capable.


At this point our configuration was finished, but we found that access still had a problem. Why? Because on the firewall, compared with a PBR configuration on the switch, several more things must be configured:

1. Inter-zone policy permit

2. Reachable routing (round trip)

3. NAT


Take the following diagram as an example to understand this:

[Figure: traffic path from the DMZ through the firewall to the hk-router (screenshot 3.png)]

Expanding on the three points mentioned above:

    1. Inter-zone policy permit (source: DMZ, destination: HK): supplement the policy configuration

    2. Round-trip routing
      The hk-router has no return route for 172.19.0.0/16 via 103.10.1.2, which means we need NAT. (We communicated with the HK side and no adjustment was allowed, so we could only find another way. I am speechless; the Hong Kong operator is really something.)

    3. NAT direction: from DMZ to the HK zone. Here we must understand the direction of the problem. From my firewall operations and maintenance experience I have summarized one thing: if you do not understand the direction of traffic, or have basically no feeling for it, the firewall will make your life miserable.


Based on the above analysis, we added the following configuration (described in text):

1. For 172.19.0.0/16 accessing the target domain names, source NAT to the address of the outgoing interface, 103.10.1.2
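The three extra checks on the firewall (inter-zone policy, return route, NAT direction), together with the domain-name resolution caveat from the first "big problem", can be modelled end to end. The following script is an added example written for this page, not code from the author or from Hillstone: it walks a flow through a simplified version of the firewall's pipeline and shows why the flow fails without the SNAT rule and succeeds with it. All addresses other than the page's 172.19.0.0/16, 202.1.2.3 and 103.10.1.2 are constructed documentation addresses, the DNS snapshot is constructed, and the hk-router route table is an assumption that stands in for "hk-router has no route back to 172.19.0.0/16".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS snapshot standing in for the firewall's resolver cache.
# ap1.x.com returns two A records: the GSLB / intelligent-DNS case that
# makes an IP-only switch PBR unusable.
DNS_SNAPSHOT = {
    "ap1.x.com": ["203.0.113.10", "203.0.113.11"],
    "ap2.x.com": ["203.0.113.20"],
    "login.x.com": ["203.0.113.30"],
}


@dataclass
class PbrRule:
    src_net: str        # e.g. "172.19.0.0/16", as src-ip in the page's config
    dst_hosts: list     # domain names, as dst-host in the page's config
    nexthop: str        # e.g. "202.1.2.3"


@dataclass
class FwConfig:
    pbr: PbrRule
    zone_policies: set          # permitted (src_zone, dst_zone) pairs
    snat_ip: Optional[str]      # HK-facing interface address, or None if no SNAT
    hk_router_routes: list      # prefixes the hk-router can route back to (assumption)


def resolve(hosts, dns=DNS_SNAPSHOT):
    """Expand dst-host names to the set of addresses currently resolved."""
    addrs = set()
    for name in hosts:
        addrs.update(ipaddress.ip_address(a) for a in dns.get(name, []))
    return addrs


def pbr_match(rule, src, dst, dns=DNS_SNAPSHOT):
    """A domain-based rule only matches while the resolver still maps the name to dst."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule.src_net)
    return in_src and ipaddress.ip_address(dst) in resolve(rule.dst_hosts, dns)


def has_route(routes, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in routes)


def forward(cfg, src, dst, src_zone="DMZ", dns=DNS_SNAPSHOT):
    """Walk one flow through PBR, zone policy, SNAT and the return-route check."""
    if not pbr_match(cfg.pbr, src, dst, dns):
        # No PBR hit: the flow follows the normal routing table (old BGP exit).
        return {"status": "default-route", "nexthop": None, "seen_src": src}
    # 1. Inter-zone policy: DMZ -> HK must be explicitly permitted.
    if (src_zone, "HK") not in cfg.zone_policies:
        return {"status": "policy-denied", "nexthop": cfg.pbr.nexthop, "seen_src": src}
    # 3. SNAT on the HK-facing egress; the hk-router only ever sees this address.
    seen_src = cfg.snat_ip or src
    # 2. Return route: the hk-router must be able to route back to what it sees.
    if not has_route(cfg.hk_router_routes, seen_src):
        return {"status": "no-return-route", "nexthop": cfg.pbr.nexthop, "seen_src": seen_src}
    return {"status": "ok", "nexthop": cfg.pbr.nexthop, "seen_src": seen_src}


# The page's PBR rule, and an assumed hk-router table with no 172.19.0.0/16 entry.
RULE = PbrRule("172.19.0.0/16", ["ap2.x.com", "ap1.x.com", "login.x.com"], "202.1.2.3")
HK_ROUTES = ["103.10.1.0/24", "202.1.2.0/24"]

BEFORE_SNAT = FwConfig(RULE, {("DMZ", "HK")}, None, HK_ROUTES)
AFTER_SNAT = FwConfig(RULE, {("DMZ", "HK")}, "103.10.1.2", HK_ROUTES)

if __name__ == "__main__":
    for label, cfg in (("before SNAT", BEFORE_SNAT), ("after SNAT", AFTER_SNAT)):
        print(label, forward(cfg, "172.19.5.5", "203.0.113.11"))
```

Changing the DNS snapshot passed to `forward` is the quickest way to see the resolution caveat: once the resolver stops returning an address for a name, a flow to that address silently drops back to the default route, so the firewall's resolver cache is part of the policy and deserves monitoring alongside the rule itself.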


End-user test passed. Happy! Secretly delighted!!! Get the project manager to pay overtime!!! Ha ha


Finally, a word for you: as a network engineer, remember that carefulness is the key to success!!!

—————————— network experience shared from a tier-2 operator


This article is from the "Allen on the road-from zero to one" blog; please contact the author before reprinting!
