最近收到一个新的项目,双路由器、双防火墙、双交换机实现全网互通
因实际项目采用全Cisco 设备,故这次展示及命令为Cisco,华为也尝试过也能完全实现,若有需求我会在发一份华为的配置
在EVE上模拟整个项目:
网络拓扑图如下:Cisco
华为拓扑图如下:(ENSP大家都可以自己搭建来玩玩)
这篇文章我们仅对Cisco设备进行描述,ok我们开始进入正题
================================================================================================
首先,因为EVE没办法模拟VSS故我们用一台交换机来替代,VPC1代表DB-ZONE、VPC2代表APP-ZONE
VPC1:172.16.10.1 24/172.16.10.254
VPC2:172.16.20.1 24/172.16.20.254
交换机作为2层交换机,防火墙做单臂路由,因为客户要实现APP和DB放在不同的DMZ区进行隔离
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
开始配置:
VPC1:
ip 172.16.10.1 255.255.255.0 172.16.10.254
save
VPC2:
ip 172.16.20.1 255.255.255.0 172.16.20.254
save
交换机配置
en
config t
hostname VSS
vlan 10
vlan20
int vlan 10
ip add 172.16.10.2 255.255.255.0
int vlan 20
ip add 172.16.20.2 255.255.255.0
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
negotiation auto
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
negotiation auto
ok重点开始了 防火墙配置 OSPF,failover,单臂路由
ASA-A(主防火墙)
先配置单臂接口和其他子接口:
interface Ethernet0
nameif DMZ
security-level 50
ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
interface Ethernet1
no nameif
no security-level
no ip address
interface Ethernet1.10
vlan 10
nameif DB
security-level 100
ip address 172.16.10.254 255.255.255.0
interface Ethernet1.20
vlan 20
nameif APP
security-level 100
ip address 172.16.20.254 255.255.255.0
interface Ethernet2
description STATE Failover Interface (同步会话)
interface Ethernet3
description LAN Failover Interface (同步配置)
端口配置完成后 我们开始放行流量为了 保证全部验证通过 先permit any any
same-security-traffic permit inter-interface---------------------(同安全级别的子接口互访)
access-list acl_DB extended permit ip any any
access-list acl_DB extended permit icmp any any
access-list acl_APP extended permit icmp any any
access-list acl_APP extended permit ip any any
access-list acl_DMZ extended permit ip any any
access-list acl_DMZ extended permit icmp any any
access-group acl_DMZ in interface DMZ
access-group acl_DB in interface DB
access-group acl_APP in interface APP
全部放通以后,一定要先测试是否能通到172.16.10.254 和20.254 以及DB和APP是否能能够互通
如图:
然后配置双机热备:
failover
failover lan unit primary ------------------------------------------------设置为主
failover lan interface HA Ethernet3----------------------------------设置failover的接口,此接口用来检测心跳和同步配置
failover link stateful Ethernet2----------------------------------------设置名称
failover interface ip HA 1.1.1.1 255.255.255.0 standby 1.1.1.2---设置failover主备地址
failover interface ip stateful 2.1.1.1 255.255.255.0 standby 2.1.1.2-设置failover link主备地址
主防火墙这里就全部配置完成这里为了偷懒 我起了OSPF配置如下:
router ospf 100
network 172.16.10.0 255.255.255.0 area 0
network 172.16.20.0 255.255.255.0 area 0
network 172.16.30.0 255.255.255.0 area 0
log-adj-changes
default-information originate ----------------------------下发缺省
主防火墙到这里就全部配置完成、我们开始配置备防火墙
interface eth3
no shutdown
failover lan unit secondary
failover lan interface ha eth3
failover interface ip ha 1.1.1.1 255.255.255.0 standby 1.1.1.2
failover
这样我们就配置完成,后续的所有配置都会自动同步到备上,
ok我们开始配置路由器,主要配置的技术有nat,ospf、HSRP
同理我们先配置端口,这里就不写上去了
配置ospf:
router ospf 100
network 172.16.30.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
default-information originate
然后我们配置HSRP
interface GigabitEthernet0/3
ip address 172.16.30.3 255.255.255.0
ip nat inside ----------------------这里先写了 用于nat
ip virtual-reassembly in
standby 10 ip 172.16.30.254 ----vip
standby 10 priority 101--------------优先级
standby 10 preempt-----------------开启抢占模式
standby 10 track 10 decrement 10----链路检测机制
track 10 interface GigabitEthernet0/0 line-protocol-----先定义track
nat:
access-list 10 permit 172.16.30.0 0.0.0.255
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 permit 172.16.20.0 0.0.0.255-----------------先设置规则
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.106.1.1
自从 我们整个网络就全部完成啦,备的配置请查考主路由器。
测试:
测试主防火墙shutdown
完成整个实验。
后续如果有需要华为的配置人多的话,我也会整理一份出来。
5838
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
