网络安全 频道
IT168首页 > 网络安全 > 网络安全应用 > 正文

电信网通双出口负载分担配置指导

作者:IT168 编辑: 李莲 2007-07-04 17:59
分享

ip route-static 221.207.0.0 255.255.192.0 221.12.79.49 preference 60 detect-group 2
ip route-static 221.208.0.0 255.240.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 221.208.0.0 255.252.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 221.213.0.0 255.255.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 221.214.0.0 255.254.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 222.128.0.0 255.252.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 222.132.0.0 255.252.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 222.136.0.0 255.248.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 222.160.0.0 255.252.0.0 221.12.79.49 preference 60 detect-group 2
ip route-static 222.163.0.0 255.255.224.0 221.12.79.49 preference 60 detect-group 2
ip route-static 0.0.0.0 0.0.0.0 20.1.1.2 preference 60


  注:以上路由已经包含大部分网通地址段,如有更新可以动态添加。

  经过如上三个配置步骤后,路由器便能自动区分网通流量和电信流量,使访问网通站点走网通线路,访问电信站点走电信线路。并且当网通线路出问题后所有流量都会自动切换到电信线路上,使用户能够不间断访问网络。
    添加防火墙配置,增加网络的可性:

   定义电信线路使用的acl 3001:

  可以用实际电信网关地址替换地址60.190.80.112,实际内网地址网段替换192.168.2.0 0.0.0.255后直接复制粘贴:

acl number 3001
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 200 deny tcp destination-port eq www
rule 202 deny tcp destination-port eq ftp
rule 204 deny tcp destination-port eq 3389
rule 2000 permit ip destination 60.190.80.112 0
rule 2001 permit ip destination 192.168.2.0 0.0.0.255
rule 2002 deny ip

 

定义网通线路使用的acl 3002:

  可以用实际网通网关地址替换地址221.12.79.49,实际内网地址网段替换192.168.2.0 0.0.0.255后直接复制粘贴:

acl number 3002
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 200 deny tcp destination-port eq www
rule 202 deny tcp destination-port eq ftp
rule 204 deny tcp destination-port eq 3389
rule 2000 permit ip destination 221.12.79.54 0
rule 2001 permit ip destination 192.168.2.0 0.0.0.255
rule 2002 deny ip


  定义内网使用的acl 3003:

  可以用实际内网地址网段替换192.168.2.0 0.0.0.255后直接复制粘贴:

acl number 3003
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 2030 permit ip source 192.168.2.0 0.0.0.255
rule 3000 deny ip

 在全局和接口下分别启用防火墙:

[Quidway]firewall enable
[Quidway]firewall default deny
[Quidway] interface Ethernet 1/0
[Quidway-Ethernet1/0]firewall packet-filter 3001 inbound
[Quidway-Ethernet1/0]quit
[Quidway]interface Ethernet 2/0
[Quidway-Ethernet2/0]firewall packet-filter 3002 inbound
[Quidway-Ethernet2/0]quit
[Quidway]interface Ethernet 3/0
[Quidway-Ethernet3/0]firewall packet-filter 3003 inbound
[Quidway-Ethernet3/0]


  以上配置为Ethernet 1/0连接电信线路,Ethernet 2/0连接网通线路,Ethernet 3/0连接内网,可以根据实际组网进行调整。http://netadmin.77169.com/HTML/20070628000944_5.html

0
12查看全文
第1页:电信网通双出口负载分担配置指导第2页:电信网通双出口负载分担配置指导
相关文章
    盛拓传媒简介 关于IT168 广告服务 使用条款 投稿指南 联系我们
    北京盛拓优讯信息技术有限公司. 版权所有 中华人民共和国增值电信业务经营许可证 编号:京B2-20170206 北京市公安局海淀分局网监中心备案编号:11010802020118
    广播电视节目制作经营许可证:(京) 字第25315号 信息系统安全等级保护备案:11010813655-00001 京公网安备11010802020118号
    违法和不良信息举报电话 :010-58859066,18101376593,shengtuo20@it168.com