华为配置ISP选路实现报文按运营商转发

组网需求

如图1所示，FW作为安全网关部署在网络出口，企业分别从ISP1和ISP2租用一条链路。

配置思路

操作步骤

1. 开启健康检查功能，并为ISP1和ISP2链路分别新建一个健康检查。

   <FW> system-view
   [FW] healthcheck enable
   [FW] healthcheck name isp1_health
   [FW-healthcheck-isp1_health] destination 3.3.10.10 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 10001
   [FW-healthcheck-isp1_health] destination 3.3.10.11 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 10002
   [FW-healthcheck-isp1_health] quit
   [FW] healthcheck name isp2_health
   [FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet 1/0/7 protocol tcp-simple destination-port 10003
   [FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet 1/0/7 protocol tcp-simple destination-port 10004
   [FW-healthcheck-isp2_health] quit

   此处假设3.3.10.10、3.3.10.11和9.9.20.20、9.9.20.21分别为ISP1和ISP2网络中已知的设备地址。

   如果健康检查配置完后，状态一直为down，请检查健康检查的配置。

   对于V500R001C80之前的版本，需要在FW上配置对应的安全策略，允许FW向目的设备发送健康检查探测报文。对于V500R001C80及之后的版本，健康检查的探测报文不受安全策略控制，默认放行，无需配置相应安全策略。

2. 配置接口的IP地址和网关地址，并应用对应的健康检查。

   [FW] interface GigabitEthernet 1/0/1
   [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
   [FW-GigabitEthernet1/0/1] gateway 1.1.1.254
   [FW-GigabitEthernet1/0/1] healthcheck isp1_health
   [FW-GigabitEthernet1/0/1] quit
   [FW] interface GigabitEthernet 1/0/3
   [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
   [FW-GigabitEthernet1/0/3] quit
   [FW] interface GigabitEthernet 1/0/7
   [FW-GigabitEthernet1/0/7] ip address 2.2.2.2 255.255.255.0
   [FW-GigabitEthernet1/0/7] gateway 2.2.2.254
   [FW-GigabitEthernet1/0/7] healthcheck isp2_health
   [FW-GigabitEthernet1/0/7] quit

3. 上传ISP地址文件到FW，可以使用SFTP方式进行传输，导入的ISP地址文件固定存放在根目录下名称为isp的文件夹内，具体步骤略。
4. 为ISP1和ISP2分别创建运营商名称isp1_ifgrp和isp2_ifgrp，并关联对应的ISP地址文件。

   [FW] isp name isp1_ifgrp set filename isp1.csv
   [FW] isp name isp2_ifgrp set filename isp2.csv

5. 为ISP1和ISP2分别新建一个ISP接口组，并将接口加入对应的ISP接口组，缺省下发对应的ISP路由。

   [FW] interface-group 1 isp isp1_ifgrp
   [FW-interface-isp-group-1] add interface GigabitEthernet 1/0/1
   [FW-interface-isp-group-1] quit
   [FW] interface-group 2 isp isp2_ifgrp
   [FW-interface-isp-group-2] add interface GigabitEthernet 1/0/7
   [FW-interface-isp-group-2] quit

6. 将接口加入安全区域。

   [FW] firewall zone trust
   [FW-zone-trust] add interface GigabitEthernet 1/0/3
   [FW-zone-trust] quit
   [FW] firewall zone untrust
   [FW-zone-untrust] add interface GigabitEthernet 1/0/1
   [FW-zone-untrust] add interface GigabitEthernet 1/0/7
   [FW-zone-untrust] quit

7. 配置Local到Untrust区域的安全策略，允许FW向目的设备发送相应的健康检查探测报文。

   对于V500R001C80之前的版本，需要在FW上配置对应的安全策略，允许FW向目的设备发送健康检查探测报文。对于V500R001C80及之后的版本，健康检查的探测报文不受安全策略控制，默认放行，无需配置相应安全策略。

   [FW] security-policy
   [FW-policy-security] rule name policy_sec_local_untrust
   [FW-policy-security-rule-policy_sec_local_untrust] source-zone local
   [FW-policy-security-rule-policy_sec_local_untrust] destination-zone untrust
   [FW-policy-security-rule-policy_sec_local_untrust] destination-address 3.3.10.10 32
   [FW-policy-security-rule-policy_sec_local_untrust] destination-address 3.3.10.11 32
   [FW-policy-security-rule-policy_sec_local_untrust] destination-address 9.9.20.20 32
   [FW-policy-security-rule-policy_sec_local_untrust] destination-address 9.9.20.21 32
   [FW-policy-security-rule-policy_sec_local_untrust] service tcp
   [FW-policy-security-rule-policy_sec_local_untrust] action permit
   [FW-policy-security-rule-policy_sec_local_untrust] quit

8. 配置Trust到Untrust区域的安全策略，允许企业内网用户访问外网资源。假设内部用户网段为10.3.0.0/24。

   [FW-policy-security] rule name policy_sec_trust_untrust
   [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
   [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
   [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
   [FW-policy-security-rule-policy_sec_trust_untrust] action permit
   [FW-policy-security-rule-policy_sec_trust_untrust] quit
   [FW-policy-security] quit

配置脚本

#isp name isp1_ifgrp set filename isp1.csvisp name isp2_ifgrp set filename isp2.csv
#
healthcheck enable
healthcheck name isp1_healthdestination 3.3.10.10 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 10001destination 3.3.10.11 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 10002
healthcheck name isp2_healthdestination 9.9.20.20 interface GigabitEthernet1/0/7 protocol tcp-simple destination-port 10003destination 9.9.20.21 interface GigabitEthernet1/0/7 protocol tcp-simple destination-port 10004
#
interface GigabitEthernet1/0/1ip address 1.1.1.1 255.255.255.0healthcheck isp1_healthgateway 1.1.1.254
#
interface GigabitEthernet1/0/3ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/7ip address 2.2.2.2 255.255.255.0healthcheck isp2_healthgateway 2.2.2.254
#firewall zone trustset priority 85add interface GigabitEthernet1/0/3
#
firewall zone untrustset priority 5add interface GigabitEthernet1/0/1add interface GigabitEthernet1/0/7
#
security-policyrule name policy_sec_local_untrustsource-zone localdestination-zone untrustdestination-address 3.3.10.10 mask 255.255.255.255destination-address 3.3.10.11 mask 255.255.255.255destination-address 9.9.20.20 mask 255.255.255.255destination-address 9.9.20.21 mask 255.255.255.255service tcp action permit      rule name policy_sec_trust_untrustsource-zone trustdestination-zone untrustsource-address 10.3.0.0 mask 255.255.255.0action permit
#
interface-group 1 isp isp1_ifgrpadd interface GigabitEthernet1/0/1
#
interface-group 2 isp isp2_ifgrpadd interface GigabitEthernet1/0/7
#
return