Posted on 2017-7-1 17:50:16
Friend, let me answer. I am in Hong Kong, so I will answer you in English; I hope you understand.

In Asymmetric routing, a packet traverses from a source to a destination in one path and takes a different path when it returns to the source. This is commonly seen in Layer-3 routed networks.

Issues to Consider with Asymmetric Routing

Asymmetric routing is not a problem by itself, but will cause problems when Network Address Translation (NAT) or firewalls are used in the routed path. For example, in firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. The firewall will be an exit point from one security domain to the other. If the return path passes through another firewall, the packet will not be allowed to traverse the firewall from the lower to higher security domain because the firewall in the return path will not have any state information. The state information exists in the first firewall.

Reference: http://www.cisco.com/web/service ... rchives/200903.html

Specifically for TCP-based connections, disabling stateful TCP checks can help mitigate asymmetric routing. When TCP state checks are disabled, the ASA can allow packets in a TCP connection even if the ASA didn’t see the entire TCP 3-way handshake. This feature is called TCP State Bypass.
Reference: https://supportforums.cisco.com/ ... ting-and-mitigation
Note: The active/active firewall topology uses two firewalls that are both actively providing firewall services.
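
A minimal simulation of the behaviour described in the post above, added here as an example and not part of the original post or any Cisco code: two stateful firewalls each keep their own connection table, so a SYN-ACK returning through the second one is dropped unless that firewall skips the TCP state check. The class and function names, the addresses, and the simplification that access-list policy is ignored are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

class StatefulFirewall:
    """Simplified model: access-list policy is not modelled, only TCP state."""
    def __init__(self, name, inside_prefix, tcp_state_bypass=False):
        self.name = name
        self.inside_prefix = inside_prefix
        self.tcp_state_bypass = tcp_state_bypass
        self.conns = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def forward(self, pkt):
        if pkt.src.startswith(self.inside_prefix):
            # Higher -> lower security domain: a SYN builds state on this firewall.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.conns.add(key)
        else:
            # Lower -> higher security domain: needs state built by the outbound SYN.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # With bypass on, the packet passes even though no handshake was seen here.
        return key in self.conns or self.tcp_state_bypass

def handshake(out_fw, return_fw):
    """Client -> server packets cross out_fw, server -> client packets cross return_fw.
    Returns [(flags, firewall_name, forwarded)], stopping at the first drop."""
    client, server = ("10.1.1.10", 40000), ("203.0.113.5", 443)  # constructed addresses
    steps = [
        (Packet(*client, *server, "S"), out_fw),
        (Packet(*server, *client, "SA"), return_fw),
        (Packet(*client, *server, "A"), out_fw),
    ]
    result = []
    for pkt, fw in steps:
        ok = fw.forward(pkt)
        result.append((pkt.flags, fw.name, ok))
        if not ok:
            break
    return result

if __name__ == "__main__":
    print(handshake(StatefulFirewall("FW-A", "10.1.1."), StatefulFirewall("FW-B", "10.1.1.")))
```

In this model a firewall with bypass enabled forwards any packet for which it holds no state, so the state check no longer filters that traffic on that device.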