1. Network topology diagram
Link: https://pan.baidu.com/s/1LYeVtY7QSXDKjQBrZJWOzA
Extraction code: 8888
eNSP
Link: https://pan.baidu.com/s/1wP0vHim4yqVV0bc0wmzhFw
Extraction code: 8888
2. Network requirements
FW1 and FW2 run in hot-standby mode (HRP), with FW1 as the master and FW2 as the backup. GE0/0/2 on each firewall is the heartbeat interface dedicated to HRP, and that interface is placed in a custom security zone named ha. FW1, FW2 and R1 run OSPF. PC1 must be able to initiate connections to PC2, and PC2 must be able to reach the FTP service on S1.
3. Configuration
Configure MSTP on SW3:
[SW3] stp mode mstp
[SW3] stp enable
Configure MSTP on SW1 and make SW1 the primary STP root bridge of the network:
[SW1] stp mode mstp
[SW1] stp root primary
[SW1] stp enable
Configure MSTP on SW2 and make SW2 the secondary STP root bridge:
[SW2] stp mode mstp
[SW2] stp root secondary
[SW2] stp enable
Configure GE0/0/1.10 and GE0/0/1.20 as OSPF silent interfaces. OSPF neither sends nor receives Hello packets on these interfaces, so no OSPF neighbour relationship can be formed with anything on those VLANs.
[FW1-ospf-1] silent-interface GigabitEthernet 0/0/1.10
[FW1-ospf-1] silent-interface GigabitEthernet 0/0/1.20
Have HRP track the state of the upstream interface:
[FW1-GigabitEthernet 0/0/3] hrp track master   # HRP tracks this interface's state
Configure GE0/0/2 as the HRP heartbeat interface:
[FW1] hrp interface GigabitEthernet0/0/2
Use the hrp ospf-cost adjust-enable command to have the OSPF cost adjusted according to the HRP master/backup state:
[FW2] hrp ospf-cost adjust-enable
3.1 SW1 configuration
display current-configuration
sysname SW1
vlan batch 10 20
stp instance 0 root primary
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
interface Vlanif1
interface MEth0/0/1
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp-static
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface GigabitEthernet0/0/9
interface GigabitEthernet0/0/10
interface GigabitEthernet0/0/11
interface GigabitEthernet0/0/12
interface GigabitEthernet0/0/13
interface GigabitEthernet0/0/14
interface GigabitEthernet0/0/15
interface GigabitEthernet0/0/16
interface GigabitEthernet0/0/17
interface GigabitEthernet0/0/18
interface GigabitEthernet0/0/19
interface GigabitEthernet0/0/20
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/21
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/22
interface GigabitEthernet0/0/23
eth-trunk 1
interface GigabitEthernet0/0/24
eth-trunk 1
interface NULL0
user-interface con 0
user-interface vty 0 4
return
3.2 SW2 configuration
display current-configuration
sysname SW2
vlan batch 10 20
stp instance 0 root secondary
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
interface Vlanif1
interface MEth0/0/1
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp-static
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface GigabitEthernet0/0/9
interface GigabitEthernet0/0/10
interface GigabitEthernet0/0/11
interface GigabitEthernet0/0/12
interface GigabitEthernet0/0/13
interface GigabitEthernet0/0/14
interface GigabitEthernet0/0/15
interface GigabitEthernet0/0/16
interface GigabitEthernet0/0/17
interface GigabitEthernet0/0/18
interface GigabitEthernet0/0/19
interface GigabitEthernet0/0/20
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/21
interface GigabitEthernet0/0/22
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/23
eth-trunk 1
interface GigabitEthernet0/0/24
eth-trunk 1
interface NULL0
user-interface con 0
user-interface vty 0 4
return
3.3 SW3 configuration
display current-configuration
sysname SW3
vlan batch 10 20
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
diffserv domain default
drop-profile default
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
interface Vlanif1
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface GigabitEthernet0/0/9
interface GigabitEthernet0/0/10
interface GigabitEthernet0/0/11
interface GigabitEthernet0/0/12
interface GigabitEthernet0/0/13
interface GigabitEthernet0/0/14
interface GigabitEthernet0/0/15
interface GigabitEthernet0/0/16
interface GigabitEthernet0/0/17
interface GigabitEthernet0/0/18
interface GigabitEthernet0/0/19
interface GigabitEthernet0/0/20
interface GigabitEthernet0/0/21
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/22
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
interface GigabitEthernet0/0/23
interface GigabitEthernet0/0/24
interface NULL0
user-interface con 0
user-interface vty 0 4
return
3.4 FW1 configuration
HRP_M<FW1>display current-configuration
17:54:20 2020/11/08
stp region-configuration
region-name 803447150095
active region-configuration
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/1.10
vlan-type dot1q 10
alias GigabitEthernet0/0/1.10
ip address 192.168.10.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1 master
interface GigabitEthernet0/0/1.20
vlan-type dot1q 20
alias GigabitEthernet0/0/1.20
ip address 192.168.20.3 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.20.1 master
interface GigabitEthernet0/0/2
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/0/3
ip address 10.0.0.1 255.255.255.252
hrp track master
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface NULL0
alias NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1.10
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/1.20
firewall zone name ha
set priority 90
add interface GigabitEthernet0/0/2
firewall interzone dmz untrust
detect ftp
aaa
local-user admin password cipher %$%$3Pf10J|[9D/d('*93jA/l[RI%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
ospf 1 router-id 1.1.1.1
silent-interface GigabitEthernet0/0/1.10
silent-interface GigabitEthernet0/0/1.20
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
nqa-jitter tag-version 1
banner enable
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
slb
right-manager server-group
sysname FW1
l2tp domain suffix-separator @
hrp enable
hrp preempt delay 60
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/2
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local ha direction outbound
ip df-unreachables enable
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
dns resolve
firewall statistic system enable
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
undo dns proxy
license-server domain lic.huawei.com
web-manager enable
policy interzone trust untrust outbound
policy 10
action permit
policy source 192.168.10.0 0.0.0.255
policy interzone dmz untrust inbound
policy 10
action permit
policy service service-set icmp
policy service service-set icmpv6
policy service service-set smtp
policy service service-set ftp
policy destination 192.168.20.100 0
return
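A way to check the FW1 policy above against the requirements in section 2, as an added example (not code from the original post): it parses the policy interzone and firewall interzone lines, evaluates the two required flows first-match using the zone priorities from the FW1 config, and confirms that ASPF (detect ftp) is enabled for dmz/untrust, without which only the FTP control connection would pass and the data connections would be dropped. The host addresses for PC1 and PC2 are assumed (PC1 in 192.168.10.0/24, PC2 in 10.1.1.0/24 behind R1); S1's address 192.168.20.100 is taken from the policy.

```python
import ipaddress
import re

# Constructed excerpt of the FW1 policy configuration shown above (indentation restored).
FW1_POLICY_CFG = """\
firewall interzone dmz untrust
 detect ftp
policy interzone trust untrust outbound
 policy 10
  action permit
  policy source 192.168.10.0 0.0.0.255
policy interzone dmz untrust inbound
 policy 10
  action permit
  policy service service-set icmp
  policy service service-set ftp
  policy destination 192.168.20.100 0
"""

# Zone priorities from the FW1 config above; 'outbound' means high-priority zone -> low-priority zone.
ZONE_PRIORITY = {"trust": 85, "dmz": 50, "untrust": 5}


def wildcard_to_network(addr, wildcard):
    """Huawei '<address> <wildcard>' to an IPv4Network; a bare '0' wildcard means a single host."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_policies(cfg):
    """Return ({(zone pair, direction): [rules in order]}, {zone pairs with ASPF 'detect ftp'})."""
    policies, aspf_ftp = {}, set()
    key = rule = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # top-level command: starts a new block
            key = rule = None
            m = re.match(r"firewall interzone (\S+) (\S+)$", line)
            if m:
                key = ("aspf", frozenset(m.groups()))
            m = re.match(r"policy interzone (\S+) (\S+) (inbound|outbound)$", line)
            if m:
                key = (frozenset(m.group(1, 2)), m.group(3))
                policies.setdefault(key, [])
            continue
        if key is None:
            continue
        if key[0] == "aspf":
            if line == "detect ftp":
                aspf_ftp.add(key[1])
        elif re.match(r"policy \d+$", line):
            rule = {"action": None, "services": set(), "src": [], "dst": []}
            policies[key].append(rule)
        elif rule is not None:
            words = line.split()
            if line.startswith("action "):
                rule["action"] = words[1]
            elif line.startswith("policy service service-set "):
                rule["services"].add(words[-1])
            elif line.startswith("policy source "):
                rule["src"].append(wildcard_to_network(words[2], words[3]))
            elif line.startswith("policy destination "):
                rule["dst"].append(wildcard_to_network(words[2], words[3]))
    return policies, aspf_ftp


def permits(policies, src_zone, dst_zone, src_ip, dst_ip, service):
    """First-match evaluation of the interzone rule list; no match falls through to deny.
    A rule that omits source, destination or service matches any value for that field."""
    direction = "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policies.get((frozenset((src_zone, dst_zone)), direction), []):
        if rule["services"] and service not in rule["services"]:
            continue
        if rule["src"] and not any(src in n for n in rule["src"]):
            continue
        if rule["dst"] and not any(dst in n for n in rule["dst"]):
            continue
        return rule["action"] == "permit"
    return False


def check_requirements(cfg):
    """Check the section 2 requirements against the policy text. PC1 sits in 192.168.10.0/24 (trust)
    and PC2 in 10.1.1.0/24 behind R1 (untrust); the exact host addresses are assumed, not from the page."""
    policies, aspf_ftp = parse_policies(cfg)
    findings = []
    if not permits(policies, "trust", "untrust", "192.168.10.50", "10.1.1.10", "icmp"):
        findings.append("PC1 -> PC2: no permit rule in trust/untrust outbound")
    if not permits(policies, "untrust", "dmz", "10.1.1.10", "192.168.20.100", "ftp"):
        findings.append("PC2 -> S1 FTP: no permit rule in dmz/untrust inbound")
    if frozenset(("dmz", "untrust")) not in aspf_ftp:
        findings.append("dmz/untrust: 'detect ftp' (ASPF) missing, FTP data connections would be dropped")
    return findings


if __name__ == "__main__":
    print(check_requirements(FW1_POLICY_CFG) or "all requirements satisfied")
    print(check_requirements(FW1_POLICY_CFG.replace(" detect ftp\n", "")))
```

The FW2 dump in section 3.5 contains no policy interzone or detect ftp lines; running check_requirements against an export from the backup unit before a failover test tells you whether the policies were actually synchronised to it.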
3.5 FW2 configuration
HRP_S<FW2>dis current-configuration
17:54:54 2020/11/08
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/1.10
vlan-type dot1q 10
alias GigabitEthernet0/0/1.10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.10.1 slave
interface GigabitEthernet0/0/1.20
vlan-type dot1q 20
alias GigabitEthernet0/0/1.20
ip address 192.168.20.2 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.20.1 slave
interface GigabitEthernet0/0/2
ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet0/0/3
ip address 10.0.0.5 255.255.255.252
hrp track slave
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface NULL0
alias NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1.10
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/1.20
firewall zone name ha
set priority 90
add interface GigabitEthernet0/0/2
aaa
local-user admin password cipher %$%$3Pf10J|[9D/d('*93jA/l[RI%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
ospf 1 router-id 2.2.2.2
silent-interface GigabitEthernet0/0/1.10
silent-interface GigabitEthernet0/0/1.20
area 0.0.0.0
network 10.0.0.4 0.0.0.3
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
nqa-jitter tag-version 1
banner enable
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
slb
right-manager server-group
sysname FW2
l2tp domain suffix-separator @
hrp enable
hrp preempt delay 60
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/2
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local ha direction outbound
ip df-unreachables enable
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
dns resolve
firewall statistic system enable
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
undo dns proxy
license-server domain lic.huawei.com
web-manager enable
return
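The following added example (not part of the original post) turns the HRP/VRRP requirements from sections 2 and 3 into a consistency check over constructed excerpts of the FW1 and FW2 configurations above: hrp enable and ospf-cost adjustment on both units, the same heartbeat interface placed in zone ha, every VRRP group with the same virtual IP on the same subinterface and a master/slave role split, matching hrp track roles, and OSPF silent on the VRRP subinterfaces. A deliberately broken FW2 variant (constructed, not on the page) shows how a dual-master VRRP group and a missing silent-interface surface in the findings.

```python
import re
from collections import defaultdict

# Constructed excerpt of the FW1 "display current-configuration" output above
# (indentation restored; only the lines the checks look at are kept).
FW1_CFG = """\
interface GigabitEthernet0/0/1.10
 vrrp vrid 1 virtual-ip 192.168.10.1 master
interface GigabitEthernet0/0/1.20
 vrrp vrid 2 virtual-ip 192.168.20.1 master
interface GigabitEthernet0/0/3
 hrp track master
firewall zone name ha
 add interface GigabitEthernet0/0/2
ospf 1 router-id 1.1.1.1
 silent-interface GigabitEthernet0/0/1.10
 silent-interface GigabitEthernet0/0/1.20
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/2
"""
# FW2 differs from FW1 only in its VRRP/track roles and router-id, as in the FW2 dump above.
FW2_CFG = FW1_CFG.replace(" master", " slave").replace("router-id 1.1.1.1", "router-id 2.2.2.2")
# Constructed misconfiguration: FW2 also claims master for vrid 2 and lacks silent-interface on .20.
FW2_BROKEN = (FW2_CFG.replace("192.168.20.1 slave", "192.168.20.1 master")
              .replace(" silent-interface GigabitEthernet0/0/1.20\n", ""))

BLOCK = re.compile(r"^(interface|firewall zone|ospf) ")
VRRP = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (master|slave)$")


def parse(cfg):
    """Map each block header ('interface X', 'firewall zone ...', 'ospf ...') to its indented
    lines; global commands such as 'hrp enable' are collected under the '' key."""
    blocks, current = defaultdict(list), ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():
            blocks[current].append(line)
        elif BLOCK.match(line):
            current = line
            blocks.setdefault(current, [])
        else:
            current = ""
            blocks[""].append(line)
    return blocks


def hrp_facts(cfg):
    """Extract the settings an HRP pair has to agree on."""
    b = parse(cfg)
    top = b[""]
    f = {"hrp_enable": "hrp enable" in top,
         "cost_adjust": "hrp ospf-cost adjust-enable" in top,
         "hrp_if": next((l.split()[-1] for l in top if l.startswith("hrp interface ")), None),
         "vrrp": {}, "track": {}, "zone_of": {}, "silent": set()}
    for header, lines in b.items():
        name = header.split()[-1] if header else ""  # interface or zone name
        for l in lines:
            m = VRRP.match(l)
            if header.startswith("interface ") and m:
                f["vrrp"][int(m.group(1))] = (name, m.group(2), m.group(3))
            elif header.startswith("interface ") and l.startswith("hrp track "):
                f["track"][name] = l.split()[-1]
            elif header.startswith("firewall zone") and l.startswith("add interface "):
                f["zone_of"][l.split()[-1]] = name
            elif header.startswith("ospf ") and l.startswith("silent-interface "):
                f["silent"].add(l.split()[-1])
    return f


def check_pair(master_cfg, backup_cfg):
    """Return findings; an empty list means the pair matches the design (FW1 master, FW2 backup)."""
    m, s = hrp_facts(master_cfg), hrp_facts(backup_cfg)
    out = []
    for tag, f in (("FW1", m), ("FW2", s)):
        if not f["hrp_enable"]:
            out.append(f"{tag}: hrp enable missing")
        if not f["cost_adjust"]:
            out.append(f"{tag}: hrp ospf-cost adjust-enable missing")
        if f["zone_of"].get(f["hrp_if"]) != "ha":
            out.append(f"{tag}: heartbeat interface {f['hrp_if']} is not in zone ha")
    if m["hrp_if"] != s["hrp_if"]:
        out.append("heartbeat interface differs between FW1 and FW2")
    if set(m["vrrp"]) != set(s["vrrp"]) or set(m["track"]) != set(s["track"]):
        out.append("VRRP groups or hrp track interfaces differ between FW1 and FW2")
    for vrid in sorted(set(m["vrrp"]) & set(s["vrrp"])):
        (mi, mvip, mrole), (si, svip, srole) = m["vrrp"][vrid], s["vrrp"][vrid]
        if (mi, mvip) != (si, svip):
            out.append(f"vrid {vrid}: interface/virtual-ip mismatch")
        if (mrole, srole) != ("master", "slave"):
            out.append(f"vrid {vrid}: roles are {mrole}/{srole}, expected master/slave")
        for tag, f in (("FW1", m), ("FW2", s)):
            if mi not in f["silent"]:
                out.append(f"{tag}: OSPF silent-interface missing on {mi}")
    for ifname in set(m["track"]) & set(s["track"]):
        if (m["track"][ifname], s["track"][ifname]) != ("master", "slave"):
            out.append(f"hrp track on {ifname}: expected master on FW1 and slave on FW2")
    return out


if __name__ == "__main__":
    print("lab pair:", check_pair(FW1_CFG, FW2_CFG) or "consistent")
    for finding in check_pair(FW1_CFG, FW2_BROKEN):
        print("broken pair:", finding)
```

The check deliberately reads both units' own configuration rather than trusting the HRP_M / HRP_S prompt: the prompt tells you which unit currently believes it is active, while a role or virtual-IP mismatch between the two configurations is what produces a dual-master VRRP group after a failover.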
3.6 R1 configuration
display current-configuration
sysname R1
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
firewall zone Local
priority 16
interface Ethernet0/0/0
interface Ethernet0/0/1
interface Serial0/0/0
link-protocol ppp
interface Serial0/0/1
link-protocol ppp
interface Serial0/0/2
link-protocol ppp
interface Serial0/0/3
link-protocol ppp
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 10.0.0.6 255.255.255.252
interface GigabitEthernet0/0/2
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0/3
wlan
interface NULL0
ospf 1 router-id 3.3.3.3
silent-interface GigabitEthernet0/0/2
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 10.0.0.4 0.0.0.3
network 10.1.1.0 0.0.0.255
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
return
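The device dumps above come from a lab and their management plane is left open: SW1, SW2 and SW3 store the admin password with password simple, and FW1 and FW2 have authentication-mode none on the console and VTY lines, accept protocol inbound all, and grant the admin user telnet. The following added lint (not code from the original post; it takes constructed excerpts of the SW1 and FW1 output as input) flags those lines so the same check can be run over a real configuration export before it goes anywhere beyond eNSP.

```python
import re

# Constructed excerpts of the SW1 and FW1 "display current-configuration" output above
# (indentation restored; the other devices show the same patterns).
DEVICES = {
    "SW1": """\
aaa
 local-user admin password simple admin
 local-user admin service-type http
user-interface con 0
user-interface vty 0 4
""",
    "FW1": """\
aaa
 local-user admin service-type web terminal telnet
 local-user admin level 15
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
""",
}

# Context-free rules: (regex matched against the stripped line, finding text).
LINE_RULES = [
    (r"^local-user \S+ password simple ", "local-user password stored in cleartext (password simple)"),
    (r"^local-user \S+ service-type .*\btelnet\b", "telnet login enabled for a local user"),
    (r"^protocol inbound all$", "VTY lines accept every inbound protocol, telnet included"),
    (r"^firewall packet-filter default permit interzone ", "interzone default action is permit"),
]


def lint(cfg):
    """Return [(line number, finding)] for one device's configuration text."""
    findings = []
    context = None  # the enclosing 'user-interface ...' header, if we are inside one
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        line = raw.strip()
        if not raw[:1].isspace():  # top-level command: (re)set the block context
            context = line if line.startswith("user-interface ") else None
        for pattern, text in LINE_RULES:
            if re.match(pattern, line):
                findings.append((lineno, text))
        if context and line == "authentication-mode none":
            findings.append((lineno, f"{context}: login without any authentication"))
    return findings


def lint_all(devices):
    """Lint several devices; returns {device name: findings}."""
    return {name: lint(cfg) for name, cfg in devices.items()}


if __name__ == "__main__":
    for device, findings in lint_all(DEVICES).items():
        for lineno, text in findings:
            print(f"{device}:{lineno}: {text}")
```

The authentication-mode rule is the only one that needs block context: the same line under user-interface con 0 and under user-interface vty 0 4 has different exposure, so the finding names the enclosing line range.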