JUNIPER SSG-140 PBR: problem with two ISP lines

http://i.imgur.com/r7QntDp.jpg

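The company firewall is an SSG-140 with two ISP lines.

Right now I want all services on the SERVER to go out through ISP1,
and ordinary users' PCs to go out to the Internet through ISP2.

How should PBR be configured for this?

I have found many articles and tried the configuration several times, but checking myip.com.tw still shows no change.

Asking the JUNIPER veterans here for help.

Thank you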

wjwenster iT邦 Novice Level 5 ‧ 2016-06-07 17:02:21
http://i.imgur.com/r7QntDp.jpg
Diagram of the architecture I want to build
http://ithelp.ithome.com.tw/questions/10177253
The same problem.
wjwenster iT邦 Novice Level 5 ‧ 2016-06-13 11:52:29
Thanks michaelwan. That thread also just says to use PBR or source routing... and then to read the documentation yourself.......
wjwenster iT邦 Novice Level 5 ‧ 2016-06-13 16:03:15
## set up the access-lists
SSG140-> set vrouter trust-vr
SSG140(trust-vr)-> set access-list extended 10 src-ip 192.168.1.0/24 entry 1

SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.5/24 entry 1
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.2/24 entry 2
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.3/24 entry 3
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.4/24 entry 4
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.5/24 entry 5

## create the match groups and assign the extended acl to the group
SSG140(trust-vr)-> set match-group name ISPAPTG
SSG140(trust-vr)-> set match-group ISPAPTG ext-acl 10 match-entry 10

SSG140(trust-vr)-> set match-group name ISPCHT
SSG140(trust-vr)-> set match-group ISPCHT ext-acl 20 match-entry 10

## create action groups and set next hop
SSG140(trust-vr)-> set action-group name toISPAPTG
SSG140(trust-vr)-> set action-group toISPAPTG next-hop XX.XX.XX.254 action-entry 1

SSG140(trust-vr)-> set action-group name toISPCHT
SSG140(trust-vr)-> set action-group toISPCHT next-hop XX.XX.XX.254 action-entry 1

## create pbr and bind action group with match group
SSG140(trust-vr)-> set pbr policy name separate-traffic
SSG140(trust-vr)-> set pbr policy separate-traffic match-group ISPAPTG action-group toISPAPTG 1
SSG140(trust-vr)-> set pbr policy separate-traffic match-group ISPCHT action-group toISPCHT 2
SSG140(trust-vr)-> exit

## enable PBR on the ingress interface (in the LAN zone !!!!)
SSG140-> set interface bgroup0/0 pbr PBR

## enable the PBR policy on the entire zone
SSG140-> set zone trust pbr PBR

## create policy to allow traffic
SSG140-> set policy from Lan to Internet any any any nat src permit
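wjwenster iT邦 Novice Level 5 ‧ 2016-06-13 16:05:43
My current configuration is the commands above, but it has not taken effect: 192.168.1.0/24 still does not go out over the ISPAPTG line. Or is it that 192.168.1.0/24 and 192.168.1.2~5/24 cannot be used to tell the traffic apart?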
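
Added example (not part of the original thread, and not Juniper tooling): a small Python check that reads ScreenOS PBR commands like the ones posted above and reports source prefixes with host bits set, ACLs whose source prefixes overlap, and interface or zone bindings that name a PBR policy that is never defined. The function name `lint_pbr` and the sample input are constructed for illustration, and the check assumes the device applies the mask to a `src-ip` prefix.

```python
import ipaddress
import re
from itertools import combinations

# Constructed input: a subset of the commands posted above, prompts included.
SAMPLE = """\
SSG140(trust-vr)-> set access-list extended 10 src-ip 192.168.1.0/24 entry 1
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.2/24 entry 2
SSG140(trust-vr)-> set access-list extended 20 src-ip 192.168.1.3/24 entry 3
SSG140(trust-vr)-> set pbr policy name separate-traffic
SSG140-> set interface bgroup0/0 pbr PBR
SSG140-> set zone trust pbr PBR
"""

ACL_RE = re.compile(r"set access-list extended (\d+) src-ip (\S+) entry (\d+)")
POLICY_RE = re.compile(r"set pbr policy name (\S+)")
BIND_RE = re.compile(r"set (interface|zone) (\S+) pbr (\S+)")

def lint_pbr(config):
    """Return (kind, message) findings for a ScreenOS-style PBR config."""
    findings, acl_nets, policies, bindings = [], {}, set(), []
    for raw in config.splitlines():
        line = raw.split("-> ")[-1].strip()          # drop the CLI prompt
        if m := ACL_RE.match(line):
            acl, prefix, entry = m.groups()
            iface = ipaddress.ip_interface(prefix)
            # Assumption: the mask is applied, so a.b.c.5/24 means a.b.c.0/24.
            if iface.ip != iface.network.network_address:
                findings.append(("host-bits", f"ACL {acl} entry {entry}: "
                                 f"{prefix} covers all of {iface.network}"))
            acl_nets.setdefault(acl, []).append(iface.network)
        elif m := POLICY_RE.match(line):
            policies.add(m.group(1))
        elif m := BIND_RE.match(line):
            bindings.append(m.groups())
    # Two ACLs with overlapping sources cannot separate traffic by source.
    for a, b in combinations(sorted(acl_nets), 2):
        if any(x.overlaps(y) for x in acl_nets[a] for y in acl_nets[b]):
            findings.append(("overlap", f"ACL {a} and ACL {b} have overlapping source prefixes"))
    # A binding is only useful if it names a policy that was created.
    for kind, name, policy in bindings:
        if policy not in policies:
            findings.append(("unknown-policy", f"{kind} {name} binds PBR policy "
                             f"'{policy}', which is never defined"))
    return findings

if __name__ == "__main__":
    for kind, msg in lint_pbr(SAMPLE):
        print(f"[{kind}] {msg}")
```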