Administrative Distance and Priority of Static Routes
2012-12-24 16:36:36

Description:
This document describes how FortiGate handles default routes that have different administrative distances or priorities.

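Network scenario used for this example:

                      [        FortiGate        ]
[ PC ] --- LAN ------ [ switch           port16 ] --- ISP1 (192.168.182.0/23)
(10.160.0.0/16)       [                  port13 ] --- ISP2 (172.31.224.0/23)

Route preference:
Priority: the route with the lower value is preferred in the routing table
Administrative distance: the route with the lower value is preferred in the routing table
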
Example 1: Same administrative distance and same priority
config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
    next
end
The routing table contains both default routes; in this case equal-cost multipath (ECMP) routing is applied.
FGT# get router info routing-table static


S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13
                  [10/0] via 192.168.183.254, port16

Example 2: Different administrative distances, same priority

config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port13"
        set distance 5
        set gateway 172.31.225.254
    next
end

In this case the routing table contains only the route with the lowest administrative distance.

FGT# get router info routing-table static


S*      0.0.0.0/0 [5/0] via 172.31.225.254, port13

Example 3: Same administrative distance, different priorities
config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
        set priority 2
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
        set priority 5
    next
end

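In this case the routing table contains both static routes, but only the one with the lowest priority value (port16) is used to route outgoing traffic; the second one is used to accept incoming traffic.
FGT# get router info routing-table static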


S*      0.0.0.0/0 [10/0] via 192.168.183.254, port16, [2/0]
                  [10/0] via 172.31.225.254, port13, [5/0]

Verify the egress interface with a ping to 10.70.202.225:
FGT# diagnose sniffer packet any "icmp" 4


3.518463 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
3.518481 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request

Example 4: Same administrative distance, same priority, with a policy route
The goal of this configuration is to send all HTTP traffic out port13.
config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
    next
end

config router policy
    edit 1
        set input-device "switch"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "port13"
    next
end

The routing table contains both static routes and traffic is handled with ECMP; HTTP traffic is routed to port13.
FGT# get router info routing-table static


S*      0.0.0.0/0 [10/0] via 172.31.225.254, port13
                  [10/0] via 192.168.183.254, port16

Verify egress traffic with a ping and an HTTP request to 10.70.202.225:

FGT# diagnose sniffer packet any "icmp or port 80" 4


8.488361 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
8.488409 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request
19.346273 switch in 10.160.0.93.4090 -> 10.70.202.225.80: syn 3171174784
19.346326 port13 out 172.31.224.200.53106 -> 10.70.202.225.80: syn 3171174784

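Example 5: Same administrative distance, different priorities, with a policy route
The goal of this configuration is to route HTTP traffic to port13 while port13 has a higher priority value than port16, so port16 remains the preferred default route.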
config router static
    edit 1
        set device "port16"
        set gateway 192.168.183.254
        set priority 2
    next
    edit 2
        set device "port13"
        set gateway 172.31.225.254
        set priority 5
    next
end

config router policy
    edit 1
        set input-device "switch"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "port13"
    next
end

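The routing table contains both routes. The port16 route is used for outgoing traffic, and only the HTTP traffic that matches the policy route is routed to port13.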

FGT# get router info routing-table static


S*      0.0.0.0/0 [10/0] via 192.168.183.254, port16, [2/0]
                  [10/0] via 172.31.225.254, port13, [5/0]


Verify egress traffic with a ping and an HTTP request to 10.70.202.225:

FG200B3909600137 # diagnose sniffer packet any "icmp or port 80" 4


8.412794 switch in 10.160.0.93 -> 10.70.202.225: icmp: echo request
8.412839 port16 out 192.168.182.200 -> 10.70.202.225: icmp: echo request
14.282070 switch in 10.160.0.93.4102 -> 10.70.202.225.80: syn 4033500215
14.290198 port13 out 172.31.224.200.28814 -> 10.70.202.225.80: syn 4033500215
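
The selection rules from Examples 1 to 5 can be checked offline with a small model. This is an added Python illustration, not FortiOS code and not part of the original article. The class names, the function names and the default priority of 0 are assumptions made for the example.

```python
# Added illustration: a simplified model of the selection rules shown in
# Examples 1-5. It is not FortiOS code; names and defaults are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:            # one "config router static" entry for 0.0.0.0/0
    device: str
    gateway: str
    distance: int = 10        # default distance, seen as [10/0] in the outputs
    priority: int = 0         # assumed default; only equality matters here

@dataclass(frozen=True)
class PolicyRoute:            # one "config router policy" entry
    input_device: str
    protocol: int
    start_port: int
    end_port: int
    output_device: str

def routing_table(routes):
    """Routes installed in the table: only the lowest administrative distance."""
    best = min(r.distance for r in routes)
    return [r for r in routes if r.distance == best]

def egress_devices(routes, policies, in_dev, protocol, dst_port=None):
    """Devices a new outbound session may leave on (more than one means ECMP)."""
    for p in policies:        # a matching policy route overrides the table
        if (p.input_device == in_dev and p.protocol == protocol
                and dst_port is not None
                and p.start_port <= dst_port <= p.end_port):
            return [p.output_device]
    table = routing_table(routes)
    best = min(r.priority for r in table)   # lower priority value wins
    return sorted(r.device for r in table if r.priority == best)

# Constructed inputs mirroring Example 5 of the article.
EX5_ROUTES = [StaticRoute("port16", "192.168.183.254", priority=2),
              StaticRoute("port13", "172.31.225.254", priority=5)]
EX5_POLICY = [PolicyRoute("switch", 6, 80, 80, "port13")]

if __name__ == "__main__":
    print(egress_devices(EX5_ROUTES, EX5_POLICY, "switch", 1))      # ICMP
    print(egress_devices(EX5_ROUTES, EX5_POLICY, "switch", 6, 80))  # HTTP
```

Comparing the model's answer with the sniffer output before a change is applied shows whether traffic will actually leave through the interface where filtering and logging are expected.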
