防火墙组网双击热备综合实验

最新推荐文章于 2025-04-23 17:17:07 发布

原创最新推荐文章于 2025-04-23 17:17:07 发布 · 898 阅读

14 ·

CC 4.0 BY-SA版权

文章标签：

#防火墙组网

网络专栏收录该内容

20 篇文章

订阅专栏

实验目标与拓扑图如下：

需求：

1、SW3的流量

正常情况下：SW1_VRF-->FW1--->SW1_Public--->R5

故障情况下：SW2_VRF-->FW2--->SW2_Public--->R6

2、SW4的流量

正常情况下：SW2_VRF-->FW2--->SW2_Public--->R6

故障情况下：SW1_VRF-->FW1--->SW1_Public--->R5

3、交换网络负载均衡

实验思路

将拓扑图划分为4个区域自下而上

第一个区域配置好基础配置后使其运行stp协议找到最佳路径

第一区域

[LSW3]stp enable

[LSW3]stp mode mstp

[LSW3]stp region-configuration

[LSW3-mst-region]region-name aa（名字必须统一）

[LSW3-mst-region]instance 1 vlan 2

[LSW3-mst-region]instance 2 vlan 3

[LSW3-mst-region]active region-configuration

[LSW3]dis stp region-configuration

[LSW3]stp instance 1 root primary

[LSW3]stp instance 2 root secondary

[LSW3]stp instance 0 root primary

配置主从关系

交换机LSW3

[LSW3-Vlanif2]ip ad 192.168.2.1 24

[LSW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254（配置实例1的ip）

[LSW3-Vlanif2]vrrp vrid 1 priority 120（配置实例1的优先级）

[LSW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20（配置修复时间）

[LSW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15

[LSW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15（实例1优先级为120 监控上行端口出现问题优先级减15）

[LSW3-Vlanif3]ip address 192.168.3.1 255.255.255.0

[LSW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254（两口出问题后使用vlan3的ip）

交换机LSW4

[LSW4]stp enable

[LSW4]stp mode mstp

[LSW4]stp region-configuration

[LSW4-mst-region]region-name aa（统一名字）

[LSW4-mst-region]instance 1 vlan 2

[LSW4-mst-region]instance 2 vlan 3

[LSW4-mst-region]active region-configuration

[LSW4-Vlanif2]ip ad 192.168.2.2 24

[LSW4-Vlanif2]vrrp vrid 2 virtual-ip 192.168.2.254

[LSW4-Vlanif3]dis th

interface Vlanif3

ip address 192.168.3.2 255.255.255.0

vrrp vrid 1 virtual-ip 192.168.3.254

vrrp vrid 1 priority 120

vrrp vrid 1 preempt-mode timer delay 20

vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15

vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15

LSW5

[LSW5]stp enable

[LSW5]stp mode mstp

[LSW5]stp region-configuration

[LSW5-mst-region]region-name aa（统一名字）

[LSW5-mst-region]instance 1 vlan 2

[LSW5-mst-region]instance 2 vlan 3

[LSW5-mst-region]active region-configuration

第二区域

要保持线路独立不触发stp机制需要创立多条vlan

图中四台交换机需要5条vlan

LSW3

[LSW3-GigabitEthernet0/0/1]undo stp enable

[LSW3-GigabitEthernet0/0/2]undo stp enable

LSW4

[LSW4-GigabitEthernet0/0/1]undo stp enable

[LSW4-GigabitEthernet0/0/2]undo stp enable

不需要建邻

[LSW3-ospf-1]silent-interface Vlanif 2

[LSW3-ospf-1]silent-interface Vlanif 3

[LSW4-ospf-1]silent-interface Vlanif 2

[LSW4-ospf-1]silent-interface Vlanif 3

记得写进入交换机1和2的access链路

[LSW3-Vlanif203]ospf cost 5（优化链路）

[LSW4-Vlanif104]ospf cost 5（优化链路）

进行设备分割

[LSW1]ip vpn-instance VRF

[LSW1-vpn-instance-VRF]route-distinguisher 100:1

[LSW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both

[LSW2]ip vpn-instance VRF

[LSW2-vpn-instance-VRF]route-distinguisher 100:1

[LSW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both

LSW1配置

[LSW1-GigabitEthernet0/0/5]port link-type access

[LSW1-GigabitEthernet0/0/5]port default vlan 103

[LSW1-GigabitEthernet0/0/5]undo stp enable

[LSW1-GigabitEthernet0/0/6]port link-type access

[LSW1-GigabitEthernet0/0/6]port default vlan 104

[LSW1-GigabitEthernet0/0/6]undo stp enable

[LSW1-GigabitEthernet0/0/4]port link-type access

[LSW1-GigabitEthernet0/0/4]port default vlan 102

[LSW1-GigabitEthernet0/0/4]undo stp enable

[LSW1-Vlanif102]ip binding vpn-instance VRF（将接口转入VRF中）

[LSW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF

[LSW1-ospf-1-area-0.0.0.0]network 10.10.2.1

LSW2配置

[LSW2-GigabitEthernet0/0/5]port link-type access

[LSW2-GigabitEthernet0/0/5]port default vlan 204

[LSW2-GigabitEthernet0/0/5]undo stp enable

[LSW2-GigabitEthernet0/0/6]port link-type access

[LSW2-GigabitEthernet0/0/6]port default vlan 203

[LSW2-GigabitEthernet0/0/6]undo stp enable

[LSW2-GigabitEthernet0/0/4]port link-type access

[LSW2-GigabitEthernet0/0/4]port default vlan 102

[LSW2-GigabitEthernet0/0/4]undo stp enable

[LSW2-Vlanif102]ip binding vpn-instance VRF（将接口转入VRF中）

[LSW2]dis ip routing-table vpn-instance VRF

[LSW2]ping -vpn-instance VRF 10.10.2.1

PING 10.10.2.1: 56 data bytes, press CTRL_C to break

Reply from 10.10.2.1: bytes=56 Sequence=1 ttl=255 time=60 ms

Reply from 10.10.2.1: bytes=56 Sequence=2 ttl=255 time=30 ms

Reply from 10.10.2.1: bytes=56 Sequence=3 ttl=255 time=50 ms

Reply from 10.10.2.1: bytes=56 Sequence=4 ttl=255 time=50 ms

Reply from 10.10.2.1: bytes=56 Sequence=5 ttl=255 time=40 ms

为了优化路由（）下面的路由（192.168网段）使用重发布技术

[LSW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0

[LSW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0

[LSW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0

[LSW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0

1、抓流量

[sw3]ip ip-prefix aa permit 192.168.3.0 24

[sw3]ip ip-prefix bb permit 192.168.2.0 24

[LSW4]ip ip-prefix aa permit 192.168.2.0 24

[LSW4]ip ip-prefix bb permit 192.168.3.0 24

2、做策略

[sw3]route-policy aa permit node 10

[sw3-route-policy]if-match ip-prefix aa

[sw3-route-policy]apply cost 5

[sw3]route-policy aa permit node 20

[sw3-route-policy]if-match ip-prefix bb

3、调用

[sw3-ospf-1]import-route direct route-policy aa

[LSW4-ospf-1]import-route direct route-policy aa

第三层

SW1--VLAN

创建以SW1为主的vrrp

[LSW1-Vlanif401]dis th

interface Vlanif401

ip binding vpn-instance VRF

ip address 10.40.1.1 255.255.255.0

vrrp vrid 1 virtual-ip 10.40.1.100

vrrp vrid 1 priority 120

vrrp vrid 1 preempt-mode timer delay 60

vrrp vrid 1 track interface GigabitEthernet0/0/3 reduced 30

配置当以SW2为主时SW1为备

[LSW1-Vlanif402]dis th

interface Vlanif402

ip binding vpn-instance VRF

ip address 10.40.2.1 255.255.255.0

vrrp vrid 2 virtual-ip 10.40.2.100

SW2配置

[LSW2-Vlanif402]dis th

interface Vlanif402

ip binding vpn-instance VRF

ip address 10.40.2.1 255.255.255.0

vrrp vrid 2 virtual-ip 10.40.2.100

vrrp vrid 2 priority 120

vrrp vrid 2 preempt-mode timer delay 60

vrrp vrid 2 track interface GigabitEthernet0/0/3 reduced 30

[LSW2-Vlanif401]dis th

interface Vlanif401

ip binding vpn-instance VRF

ip address 10.40.1.2 255.255.255.0

vrrp vrid 1 virtual-ip 10.40.1.100

FW1配置

1.划分ip

2.划分安全区域

[FW1]firewall zone trust

[FW1-zone-trust]ad interface g 1/0/2.401

[FW1-zone-trust]ad interface g 1/0/2.402

[FW1]firewall zone untrust

[FW1-zone-untrust]ad interface g1/0/3.403

[FW1-zone-untrust]ad interface g1/0/3.404

[FW1]firewall zone dmz

[FW1-zone-dmz]add int g 1/0/0

配置双击热备（vrrp）

[FW1-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 active

[FW1-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby

[FW1-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 active

[FW1-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby

[FW1]hrp mirror session enable（快速备份功能）

[FW1]hrp interface g 1/0/0 remote 10.10.10.2

[FW1]hrp enable

ip route-static 0.0.0.0 0.0.0.0 10.40.3.100

ip route-static 0.0.0.0 0.0.0.0 10.40.4.100 preference 70

写静态通上层网络

ip route-static 192.168.0.0 255.255.0.0 10.40.1.100

ip route-static 192.168.0.0 255.255.0.0 10.40.2.100 preference 70

写静态通下层网络

[LSW1-Vlanif404]dis th

interface Vlanif404

ip address 10.40.4.1 255.255.255.0

vrrp vrid 4 virtual-ip 10.40.4.100

Return

[LSW1-Vlanif403]dis th

interface Vlanif403

ip address 10.40.3.1 255.255.255.0

vrrp vrid 3 virtual-ip 10.40.3.100

vrrp vrid 3 priority 120

vrrp vrid 3 preempt-mode timer delay 60

vrrp vrid 3 track interface GigabitEthernet0/0/1 reduced 30

Return

[LSW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200

[LSW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70

[LSW1]ip route-static 192.168.0.0 16 10.40.3.200

[LSW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70

FW2配置

1.划分ip

2.划分安全区域

[FW2]firewall zone trust

[FW2-zone-trust]ad interface g 1/0/2.401

[FW2-zone-trust]ad interface g 1/0/2.402

[FW2]firewall zone untrust

[FW2-zone-untrust]ad interface g1/0/3.403

[FW2-zone-untrust]ad interface g1/0/3.404

[FW2]firewall zone dmz

[FW2-zone-dmz]add int g 1/0/0

3配置双击热备（vrrp）

[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby

[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active

[FW2-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby

[FW2-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.3.200 active

[FW2]hrp mirror session enable（快速备份功能）

[FW2]hrp interface g 1/0/0 remote 10.10.10.1

[FW2]hrp enable

ip route-static 0.0.0.0 0.0.0.0 10.40.3.100 preference 70

ip route-static 0.0.0.0 0.0.0.0 10.40.4.100

写静态通上层网络

ip route-static 192.168.0.0 255.255.0.0 10.40.1.100 preference 70

ip route-static 192.168.0.0 255.255.0.0 10.40.2.100

写静态通下层网络

配置安全策略

HRP_M[FW1]security-policy

HRP_M[FW1-policy-security]rule name t_to_u (+B)

rule name t_to_u

source-zone trust

destination-zone untrust

source-address 192.168.0.0 mask 255.255.0.0

action permit

[LSW2-Vlanif403]dis th

interface Vlanif403

ip address 10.40.3.2 255.255.255.0

vrrp vrid 3 virtual-ip 10.40.3.100

return

[LSW2-Vlanif404]dis th

interface Vlanif404

ip address 10.40.4.2 255.255.255.0

vrrp vrid 4 virtual-ip 10.40.4.100

vrrp vrid 4 priority 120

vrrp vrid 4 preempt-mode timer delay 60

vrrp vrid 4 track interface GigabitEthernet0/0/1 reduced 30

Return

[LSW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70

[LSW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200

[LSW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70

[LSW2]ip route-static 192.168.0.0 16 10.40.4.200

HRP_M[FW1]int g1/0/2 (+B)

HRP_M[FW1-GigabitEthernet1/0/2]ip ad 1.1.1.1 24

HRP_M[FW1-GigabitEthernet1/0/2]undo ip address

HRP_M[FW1-GigabitEthernet1/0/3]（两台防火墙四个口都要激活）

第四层

[LSW1-ospf-2]dis th

ospf 2 router-id 1.1.1.1

area 0.0.0.0

network 10.20.1.1 0.0.0.0

network 10.10.5.1 0.0.0.0

Return

[LSW2-ospf-2]dis th

ospf 2 router-id 2.2.2.2

area 0.0.0.0

network 10.20.6.2 0.0.0.0

network 10.20.1.2 0.0.0.0

Return

[r6-ospf-1]dis th

[V200R003C00]

ospf 1 router-id 6.6.6.6

area 0.0.0.0

network 10.20.6.6 0.0.0.0

network 10.56.0.6 0.0.0.0

Return

[r5-ospf-1]dis th

[V200R003C00]

ospf 1 router-id 5.5.5.5

area 0.0.0.0

network 10.10.5.5 0.0.0.0

network 10.56.0.5 0.0.0.0

Return

第五层

[r5-ospf-1]dis th

[V200R003C00]

ospf 1 router-id 5.5.5.5

default-route-advertise

area 0.0.0.0

network 10.10.5.5 0.0.0.0

network 10.56.0.5 0.0.0.0

Retur

[r6-ospf-1]dis th

[V200R003C00]

ospf 1 router-id 6.6.6.6

default-route-advertise

area 0.0.0.0

network 10.20.6.6 0.0.0.0

network 10.56.0.6 0.0.0.0

Return

R5配置

[r5-GigabitEthernet0/0/2]ip ad 12.0.0.5 24

[r5]ip route-static 0.0.0.0 0 12.0.0.100

[r5]acl 2000

[r5-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255

[r5-GigabitEthernet0/0/2]nat outbound 2000

R6配置

[r6]acl 2000

[r6-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255

[r6-GigabitEthernet0/0/2]ip ad 13.0.0.6 24

[r6]ip route-static 0.0.0.0 0 13.0.0.100

[r6-GigabitEthernet0/0/2]nat outbound 2000

LSP配置

实验完成