华为USG防火墙ip-link与静态路由、PBR（策略路由）联动

interfaceGigabitEthernet0/0/0.2

vlan-type dot1q 2                                                          //vlan2的网关//

ip address 192.168.2.254 255.255.255.0

#

interfaceGigabitEthernet0/0/0.3

vlan-type dot1q 3                          //vlan3的网关//

ip address 192.168.3.254 255.255.255.0

#

interfaceGigabitEthernet0/0/1

ip address 202.100.1.1 255.255.255.0

#

trust

priority is 85

interface of the zone is (3):

    GigabitEthernet0/0/0.2

    GigabitEthernet0/0/0.3

#

ctc

priority is 10

interface of the zone is (1):

    GigabitEthernet0/0/1

#

cnc                                       

priority is 20

interface of the zone is (1):

    GigabitEthernet0/0/2

#

------------------------------------------------------------------------------------

policy interzonetrust ctc outbound

policy 0

  action permit

  policy source 192.168.2.0 mask 24

  policy source 192.168.3.0 mask 24

#

policy interzonetrust cnc outbound

policy 0

  action permit

  policy source 192.168.2.0 mask 24

  policy source 192.168.3.0 mask 24

#

----------------------------------------------------------------------

nat-policy interzonetrust ctc outbound

policy 0

  action source-nat

  policy source 192.168.2.0 mask 24

  policy source 192.168.3.0 mask 24

  easy-ip GigabitEthernet0/0/1

#

nat-policy interzonetrust cnc outbound

policy 0

  action source-nat

  policy source 192.168.2.0 mask 24

  policy source 192.168.3.0 mask 24

  easy-ip GigabitEthernet0/0/2

----------------------------------------------------------------------------

policy-based-routePBR1 permit node 1

  if-match acl 3001            

  apply ip-address next-hop 202.100.1.2      匹配acl3001的流量设置下一跳为202.100.1.2

#

policy-based-route PBR2 permit node 2

  if-match acl 3002

  apply ip-address next-hop 202.100.2.2      匹配acl3001的流量设置下一跳为202.100.2.2

#

acl number 3001

rule 5 deny ip destination192.168.3.0 0.0.0.255       目标到达192.168.3.0的路由不匹配策略

rule 10 permit ip source 192.168.2.0 0.0.0.255

#

acl number 3002

rule 1 deny ip destination192.168.2.0 0.0.0.255        目标到达192.168.2.0的路由不匹配策略

rule 5 permit ip source 192.168.3.0 0.0.0.255

ip-link 2destination 202.100.2.2 interface GigabitEthernet 0/0/2 mode icmp

ip-link 1destination 202.100.1.2 interface GigabitEthernet 0/0/1 mode icmp

ip route-static 0.0.0.0 0.0.0.0 202.100.1.2track ip-link 1

ip route-static 0.0.0.0 0.0.0.0 202.100.2.2track ip-link 2

interfaceGigabitEthernet0/0/0.2

ip policy-based-route PBR1

#

interfaceGigabitEthernet0/0/0.3

ip policy-based-route PBR2

假设ip-link检测目标202.100.1.2失效，则对应的静态路由失效，对应的PBR1策略路由也失效。所以源地址

192.168.2.0网段选择下一跳202.100.2.2作为出口路由，当ip-link检测目标202.100.1.2成功，则对应的静态路由生效，对应的PBR1策略路由也随之生效，所以源地址192.168.2.0网段依然选择下一条202.100.1.2作为出口路由。

综述：ip-link检测影响静态路由，静态路由影响策略路由。