Lab exercise:
Firewall configuration:
LACP
[fhq1]lacp priority 1000
[fhq1]int Eth-Trunk 12
[fhq1-Eth-Trunk12]mode lacp-static
[fhq1-Eth-Trunk12]load-balance dst-mac
[fhq1-Eth-Trunk12]trunkport g0/0/1
Info: This operation may take a few seconds. Please wait for a moment...done.
[fhq1-Eth-Trunk12]trunkport g0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[fhq1-Eth-Trunk12]port link-type trunk
[fhq1-Eth-Trunk12]port trunk allow-pass vlan all
#
[hfq2]int Eth-Trunk 12
[hfq2-Eth-Trunk12]mode lacp-static
[hfq2-Eth-Trunk12]load-balance dst-mac
[hfq2-Eth-Trunk12]trunkport g0/0/1
Info: This operation may take a few seconds. Please wait for a moment...done.
[hfq2-Eth-Trunk12]trunkport g0/0/2
Info: This operation may take a few seconds. Please wait for a moment...done.
[hfq2-Eth-Trunk12]port link-type trunk
[hfq2-Eth-Trunk12]port trunk allow-pass vlan all
#VLAN and IP gateway configuration is not covered here
#trunk
[fhq1]int g0/0/4
[fhq1-GigabitEthernet0/0/4]port link-type trunk
[fhq1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[fhq1]int g0/0/3
[fhq1-GigabitEthernet0/0/3]port link-type trunk
[fhq1-GigabitEthernet0/0/3]port trunk allow-pass vlan all
#trunk
[hfq2]int GigabitEthernet 0/0/3
[hfq2-GigabitEthernet0/0/3]port link-type trunk
[hfq2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[hfq2]int GigabitEthernet 0/0/4
[hfq2-GigabitEthernet0/0/4]port link-type trunk
[hfq2-GigabitEthernet0/0/4]port trunk allow-pass vlan all
#Configure the Layer 2 switches (the VLANs are created beforehand)
[sw1]int e0/0/1
[sw1-Ethernet0/0/1]p l t
[sw1-Ethernet0/0/1]p t a v a
[sw1-Ethernet0/0/1]int e0/0/2
[sw1-Ethernet0/0/2]p l t
[sw1-Ethernet0/0/2]p t a v a
[sw1-Ethernet0/0/2]q
[Huawei]int Eth0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
[Huawei-Ethernet0/0/1]int Eth0/0/2
[Huawei-Ethernet0/0/2]p l t
[Huawei-Ethernet0/0/2]p t a v a
#Assign ports to VLANs
[sw1]int Eth0/0/3
[sw1-Ethernet0/0/3]port link-type access
[sw1-Ethernet0/0/3]port default vlan 2
[sw1-Ethernet0/0/3]int e0/0/4
[sw1-Ethernet0/0/4]p l a
[sw1-Ethernet0/0/4]p d v 3
[sw1-Ethernet0/0/4]q
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]p l a
[Huawei-Ethernet0/0/3]p d v 2
[Huawei-Ethernet0/0/3]port default vlan 2
[Huawei]int Eth0/0/4
[Huawei-Ethernet0/0/4]p l a
[Huawei-Ethernet0/0/4]port default vlan 3
#MSTP on Layer 3 firewall 1
[fhq1]stp mode mstp
[fhq1]stp region-configuration
[fhq1-mst-region]region-name linfan
[fhq1-mst-region]revision-level 1
[fhq1-mst-region]instance 1 vlan 2
[fhq1-mst-region]instance 2 vlan 3
[fhq1-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[fhq1]stp instance 1 root primary
[fhq1]stp instance 2 root secondary
#Layer 3 firewall 2
[hfq2]stp mode mstp
[hfq2]stp region-configuration
[hfq2-mst-region]region-name linfan
[hfq2-mst-region]revision-level 1
[hfq2-mst-region]instance 1 vlan 2
[hfq2-mst-region]instance 2 vlan 3
[hfq2-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[hfq2-mst-region]q
[hfq2]stp instance 2 root primary
[hfq2]stp instance 1 root secondary
#Switches 3 and 4
[sw1]stp mode mstp
[sw1]stp region-configuration
[sw1-mst-region]region-name linfan
[sw1-mst-region]revision-level 1
[sw1-mst-region]instance 1 vlan 2
[sw1-mst-region]instance 2 vlan 3
[sw1-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw1-mst-region]q
[sw 2]stp mode mstp
[sw 2]stp region-configuration
[sw 2-mst-region]region-name linfan
[sw 2-mst-region]revision-level linfan
[sw 2-mst-region]revision-level 1
[sw 2-mst-region]instance 1 vlan 2
[sw 2-mst-region]instance 2 vlan 3
[sw 2-mst-region]active region-configuration
Info: This operation may take a few seconds. Please wait for a moment...done.
#OSPF on the Layer 2 switches
[fhq1]ospf 1
[fhq1-ospf-1]area 0
[fhq1-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[fhq1-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[fhq1-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[fhq1-ospf-1-area-0.0.0.0]q
[hfq2]ospf 1
[hfq2-ospf-1]area 0
[hfq2-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[hfq2-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[hfq2-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[hfq2-ospf-1-area-0.0.0.0]q
#Once MSTP is configured, unplug one link to test: after waiting about 30 s the ping succeeds again.
#Configure interfaces on the Layer 3 switches to serve as the connecting network segments
[fhq1]int GigabitEthernet 0/0/5
[fhq1-GigabitEthernet0/0/5]port link-type access
[fhq1-GigabitEthernet0/0/5]port default vlan 10
[fhq1-GigabitEthernet0/0/5]q
interface GigabitEthernet0/0/5
port link-type access
port default vlan 20
#After the configuration, ping from a PC; if it fails, check the gateway. Once this step is complete, the networks behind the Layer 3 switches can reach each other.
#Firewall configuration
[USG6000V1]int GigabitEthernet 0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip add 192.168.4.1 24
[USG6000V1-GigabitEthernet0/0/0]int GigabitEthernet 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.5.1 24
[USG6000V1-GigabitEthernet1/0/0]int GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.6.1 24
[USG6000V1-GigabitEthernet1/0/1]int GigabitEthernet 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip add 192.168.7.2 24
[USG6000V1-GigabitEthernet1/0/2]q
#Configure the firewall zones
[USG6000V1]firewall zon
[USG6000V1]firewall zone tr
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]und
[USG6000V1-zone-trust]undo add int g0/0/0
[USG6000V1-zone-trust]add int g0/0/0
[USG6000V1-zone-trust]add int g1/0/0
[USG6000V1-zone-trust]q
[USG6000V1]fire zone dmz
[USG6000V1-zone-dmz]add int g1/0/1
[USG6000V1-zone-dmz]q
[USG6000V1]fire zone untrust
[USG6000V1-zone-untrust]add int g1/0/2
[USG6000V1-zone-untrust]q
#Configure the OSPF area so routes are learned
[USG6000V1]ospf 1
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]net 192.168.6.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]net 192.168.7.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]q
#Checked the routing table, but the routes from the Layer 2 switches were not learned???
Reason: rule restriction, the OSPF packets are dropped by the firewall!!!
Solution: a security policy
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 1
[USG6000V1-policy-security-rule-1]source-zone trust
[USG6000V1-policy-security-rule-1]destination-zone local
[USG6000V1-policy-security-rule-1]action permit
[USG6000V1-policy-security-rule-1]q
#If the routes are still not learned, check that the firewall zones were added correctly!!!
Write a security policy that lets the trust zone access the dmz zone!!!
[USG6000V1]security-policy
[USG6000V1-policy-security]ru name 2
[USG6000V1-policy-security-rule-2]source-zone trust
[USG6000V1-policy-security-rule-2]destination-zone dmz
[USG6000V1-policy-security-rule-2]act permit
[USG6000V1-policy-security-rule-2]q
#Although the server at 6.2 can be pinged, the firewall's own interface IP cannot. This is because the firewall denies all protocols by default; to make the ping work, just write a security policy.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 10
[USG6000V1-policy-security-rule-10]source-zone trust
[USG6000V1-policy-security-rule-10]destination-zone untrust
[USG6000V1-policy-security-rule-10]action permit
[USG6000V1-policy-security-rule-10]q
NAT policy: decides which matching packets are translated.
Security policy: filters the traffic flows.
#Firewall NAT (PAT) configuration
NAT address pool
[USG6000V1]nat address-group natgroup
[USG6000V1-address-group-natgroup]mode pat
[USG6000V1-address-group-natgroup]section 0 110.1.1.1 110.1.1.1
[USG6000V1-address-group-natgroup]q
NAT policy
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name 3
[USG6000V1-policy-nat-rule-3]source-zone trust
[USG6000V1-policy-nat-rule-3]destination-zone untrust
[USG6000V1-policy-nat-rule-3]action source-nat address-group natgroup    (natgroup is the NAT address-group name)
[USG6000V1-policy-nat-rule-3]q
[USG6000V1]nat server 4 global 110.1.1.2 inside 192.168.6.2
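The OSPF drop above and the NAT-policy/security-policy distinction both come down to how the USG matches zone pairs and falls back to deny. The following is an added example (not from these lab notes or from Huawei) that models that evaluation with the zone membership, interface addresses and the three rules from the notes; the packet samples are constructed, and the inbound case assumes the post-DNAT inside address is what the security policy sees.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network

# Interface -> zone, as configured in the "firewall zone" section of the notes.
ZONES = {"g0/0/0": "trust", "g1/0/0": "trust", "g1/0/1": "dmz", "g1/0/2": "untrust"}
# Interface addresses from the notes; the static default route leaves via g1/0/2.
IFACES = {"g0/0/0": ip_interface("192.168.4.1/24"), "g1/0/0": ip_interface("192.168.5.1/24"),
          "g1/0/1": ip_interface("192.168.6.1/24"), "g1/0/2": ip_interface("192.168.7.2/24")}
DEFAULT_ROUTE_IFACE = "g1/0/2"
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")   # OSPF hellos are sent to 224.0.0.5

@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    action: str          # "permit" or "deny"

# The three rules the notes end up with, in creation order.
PAGE_RULES = [Rule("1", "trust", "local", "permit"),
              Rule("2", "trust", "dmz", "permit"),
              Rule("10", "trust", "untrust", "permit")]

def destination_zone(dst_ip: str) -> str:
    """Traffic addressed to the firewall itself (or to link-local multicast such as
    OSPF hellos) terminates in the implicit 'local' zone; anything else gets the zone
    of the egress interface the routing table picks (connected subnet, else default)."""
    dst = ip_address(dst_ip)
    if dst in LINK_LOCAL_MCAST or any(dst == i.ip for i in IFACES.values()):
        return "local"
    for name, iface in IFACES.items():
        if dst in iface.network:
            return ZONES[name]
    return ZONES[DEFAULT_ROUTE_IFACE]

def evaluate(rules, ingress_iface: str, dst_ip: str):
    """Zone-pair match, first hit wins; no hit falls to the USG default action: deny."""
    src_zone, dst_zone = ZONES[ingress_iface], destination_zone(dst_ip)
    for r in rules:
        if r.source_zone == src_zone and r.destination_zone == dst_zone:
            return r.action, r.name
    return "deny", "default"

if __name__ == "__main__":
    # Constructed flows: OSPF hello from fhq1 before and after rule 1, trust->dmz,
    # trust->untrust, and an inbound request to the published server (post-DNAT dst).
    for rules, ing, dst in [([], "g0/0/0", "224.0.0.5"), (PAGE_RULES, "g0/0/0", "224.0.0.5"),
                            (PAGE_RULES, "g1/0/0", "192.168.6.2"), (PAGE_RULES, "g0/0/0", "200.1.1.2"),
                            (PAGE_RULES, "g1/0/2", "192.168.6.2")]:
        print(ing, "->", dst, evaluate(rules, ing, dst))
```

The last case shows that the `nat server` mapping alone does not admit traffic from untrust to the 192.168.6.2 server: an untrust-to-dmz permit rule, which the notes do not contain, would still be required.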
A default route pointing to ar1 must be written here.
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 192.168.7.1
Redistribute the default route into OSPF
[USG6000V1]ospf 1
[USG6000V1-ospf-1]default-route-advertise
Ar1 router configuration:
[ar1]int GigabitEthernet 0/0/0
[ar1-GigabitEthernet0/0/0]ip add 192.168.7.1 24
[ar1-GigabitEthernet0/0/0]int g0/0/1
[ar1-GigabitEthernet0/0/1]ip add 100.1.1.1 30
[ar1-GigabitEthernet0/0/1]q
[ar1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
[ar1]ip route-s 110.1.1.0 255.255.255.248 192.168.7.2
Ar2 configuration:
[ar2]ip route-static 110.1.1.0 255.255.255.248 10.1.1.1
[ar2]bgp 100
[ar2-bgp]peer 100.1.1.2 as 200
[ar2-bgp]net 110.1.1.0 29
Ar3 configuration:
[ar3]int g0/0/0
[ar3-GigabitEthernet0/0/0]ip ad 100.1.1.2 24
[ar3-GigabitEthernet0/0/0]int g0/0/1
[ar3-GigabitEthernet0/0/1]ip add 200.1.1.1 24
[ar3]bgp 200
[ar3-bgp]peer 100.1.1.1 as 100
[ar3-bgp]net 200.1.1.0 24
[ar3-bgp]q
#On ar3, check whether the 110 route has been learned via eBGP
Test: ping the external server from the internal network