防火墙路由负载.docx

防火墙利用策略路由+NAT方式实现链路冗余和负载均衡 摘 在为用户设计组网方案过程中，经常会遇到用户具有双岀口（电信、网通），要求组网能够实现双链路 要冗余，并且在双链路情况下实现负载均衡的需求。 本文通过实验模拟组网介绍此种情况下利用防火墙策 :略路由+NAT方式的解决方案。 容一、组网需求： 正常情况下 10.0.0.2从出口 12.12.12.0NAT 转化成 100.0.0.0 的地址，20.0.0.2 从出口 13.13.13.0NAT转化成200.0.0.0的地址，实现负载均衡。 FW双出口的某一条链路down,所有用户NAT成同一地址段出去，实现链 路冗余。 二、实验组网 30 0.0.2^ 30 0.0.2^ 30 0.03* 4.444 四、关键配置 USG5360 (V100R003C01SPC007): ip address-set 100and200 type object address 0 10.0.0.0 mask 24 address 1 20.0.0.0 mask 24 # ip address-set 10.0.0.2 type object address 0 10.0.0.0 mask 24 # ip address-set 20.0.0.2 type object address 0 20.0.0.0 mask 24 # acl number 3001 rule 0 permit ip source 10.0.0.0 0.255.255.255 acl number 3002 rule 0 permit ip source 20.0.0.0 0.255.255.255 # nat address-group 100 NAT1 100.0.0.1 100.0.0.100 nat address-group 200 NAT2 200.0.0.1 200.0.0.100 # traffic classifier 12 if-match acl 3001 traffic classifier 13 if-match acl 3002 # traffic behavior 12 remark ip-nexthop 12.12.12.2 output-interface GigabitEthernet0/0/0 traffic behavior 13 remark ip-nexthop 13.13.13.2 output-interface GigabitEthernet0/0/1 qos policy re classifier 12 behavior 12 classifier 13 behavior 13 # interface GigabitEthernet0/0/0 ip address 12.12.12.1 255.255.255.252 # interface GigabitEthernet0/0/1 ip address 13.13.13.1 255.255.255.252 # interface GigabitEthernet0/0/2 ip address 20.0.0.1 255.255.255.0 # interface GigabitEthernet0/0/3 ip address 10.0.0.1 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust set priority 85 qos apply policy re outbound add interface GigabitEthernet0/0/2 add interface GigabitEthernet0/0/3 # firewall zone untrust set priority 5 # firewall zone name t100 set priority 10 add interface GigabitEthernet0/0/0 # firewall zone name t200 set priority 11 add interface GigabitEthernet0/0/1 # nat-policy interzone trust untrust outbound # nat-policy interzone trust t100 outbound policy 0 action source-nat policy source address-set 100and200 address-group NAT1 # nat-policy interzone trust t200 outbound