Author: 小马
Design Approach
1. The network uses a three-tier architecture: firewall, core switch, aggregation switch, access switch.
2. The Layer-3 devices exchange routes with OSPF dynamic routing.
3. The server area is OSPF area 1.
4. End users obtain IP addresses from the core switch, which also routes their traffic.
5. End users reach the public network through NAT on the firewall.
6. Reachability to the external network is provided by IS-IS and BGP.
7. Attack defense is configured on the firewall.
8. HRP is configured on the firewall for higher availability.
9. IP-Link is configured to health-check the China Telecom, China Mobile and China Unicom links.
10. P2P and HTTP traffic is forwarded via ISP B.
11. Traffic to education-network resources is forwarded via ISP C.
12. A DNS proxy is configured on the firewall for load sharing and redundancy.
IP Address Plan

| Device | Device name | Interface | IP address | Subnet mask |
|---|---|---|---|---|
| FW-A | Firewall (primary) | G0/0/0 | 1.1.1.2 | 255.255.255.0 |
| | | G0/0/1 | 10.0.1.1 | 255.255.255.0 |
| | | G0/0/2 | 10.0.2.1 | 255.255.255.0 |
| Core-A | Core switch (primary) | vlanif1 | 10.0.1.2 | 255.255.255.0 |
| | | vlanif3 | 10.0.3.1 | 255.255.255.0 |
| | | vlanif8 | 10.0.8.2 | 255.255.255.0 |
| | | vlanif9 | 10.0.9.2 | 255.255.255.0 |
| | | vlanif10 | 10.0.10.2 | 255.255.255.0 |
| | | vlanif11 | 10.0.11.2 | 255.255.255.0 |
| | | vlanif16 | 10.0.16.2 | 255.255.255.0 |
| | | vlanif17 | 10.0.17.2 | 255.255.255.0 |
| | | vlanif18 | 10.0.18.2 | 255.255.255.0 |
| | | vlanif19 | 10.0.19.2 | 255.255.255.0 |
| Core-B | Core switch (standby) | vlanif2 | 10.0.2.2 | 255.255.255.0 |
| | | vlanif4 | 10.0.4.1 | 255.255.255.0 |
| | | vlanif8 | 10.0.8.3 | 255.255.255.0 |
| | | vlanif9 | 10.0.9.3 | 255.255.255.0 |
| | | vlanif10 | 10.0.10.3 | 255.255.255.0 |
| | | vlanif11 | 10.0.11.3 | 255.255.255.0 |
| | | vlanif16 | 10.0.16.3 | 255.255.255.0 |
| | | vlanif17 | 10.0.17.3 | 255.255.255.0 |
| | | vlanif18 | 10.0.18.3 | 255.255.255.0 |
| | | vlanif19 | 10.0.19.3 | 255.255.255.0 |
| FW-Server | Server-zone firewall | G0/0/0 | 10.0.3.2 | 255.255.255.0 |
| | | G0/0/1 | 10.0.4.2 | 255.255.255.0 |
| | | G0/0/2 | 10.0.5.1 | 255.255.255.0 |
| WWW | Web server | Local | 10.0.5.100 | 255.255.255.0 |
| DNS | DNS server | Local | 10.0.5.101 | 255.255.255.0 |
| FTP | FTP server | Local | 10.0.5.102 | 255.255.255.0 |
| AC | AC | Local | 10.0.5.5 | 255.255.255.0 |
Device Configuration
1. Firewall Configuration
1.1 Set the device name
sysname FWA
1.2 Configure HRP
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.0.0.2
hrp track interface GigabitEthernet1/0/0
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
1.3 Configure interface IP addresses
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 9.9.9.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
1.4 Assign interfaces to security zones
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/3
 add interface GigabitEthernet1/0/4
#
1.5 Configure the OSPF process
ospf 1
 default-route-advertise always
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 10.0.1.0 0.0.0.255
1.6 Configure default routes
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 track ip-link a
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1 preference 80 track ip-link b
ip route-static 0.0.0.0 0.0.0.0 9.9.9.1 preference 100 track ip-link c
1.7 Configure the security policy
security-policy
 rule name any
  action permit
1.8 Configure the NAT policy
nat-policy
 rule name nat
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
1.9 Configure attack defense
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend teardrop enable
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend tracert enable
firewall defend icmp-unreachable enable
firewall defend icmp-redirect enable
firewall defend large-icmp enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
firewall defend ip-spoofing enable
firewall defend action discard
1.10 Configure IP-Link
ip-link check enable
ip-link name a
 destination 1.1.1.1 mode icmp
ip-link name b
 destination 2.2.2.1 mode icmp
ip-link name c
 destination 9.9.9.1 mode icmp
1.11 Configure policy-based routing
policy-based-route
 rule name edu 1
  source-zone trust
  destination-address 100.1.1.1 mask 255.255.255.255
  track ip-link c
  action pbr next-hop 9.9.9.1
 rule name p2p 2
  source-zone trust
  application app HTTP
  application app P2P_Radio
  track ip-link b
  action pbr next-hop 2.2.2.1
1.12 Configure DNS transparent proxy
dns-transparent-policy
 default action tpdns
 dns transparent-proxy enable
 dns server bind interface GigabitEthernet1/0/2 preferred 12.12.12.13 alternate 12.12.12.14
 dns server bind interface GigabitEthernet1/0/3 preferred 12.12.12.13 alternate 12.12.12.14
 dns server bind interface GigabitEthernet1/0/4 preferred 12.12.12.13 alternate
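Before a configuration like the one above goes live, two things are worth checking mechanically: which management services (telnet, http, snmp) are permitted on interfaces that sit in the untrust zone, and whether any security-policy rule permits traffic without a source or destination zone, as rule `any` above does. The following auditor is an added example, not part of the original post; its sample config is a constructed, trimmed copy of the interface, zone and policy sections above.

```python
import re
# Constructed sample: indented excerpts of the interface, zone and policy sections above.
CONFIG = """\
interface GigabitEthernet1/0/0
 service-manage ssh permit
 service-manage telnet permit
interface GigabitEthernet1/0/2
 service-manage telnet permit
 service-manage snmp permit
firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/2
security-policy
 rule name any
  action permit
"""
# Plaintext or weakly authenticated management protocols that should not face the untrust zone.
RISKY_MGMT = {"telnet", "http", "snmp"}

def parse(config):
    """Split the config into top-level blocks (header plus indented body) and collect what the audit needs."""
    mgmt, zones, rules = {}, {}, []
    for block in re.split(r"\n(?=\S)", config.strip()):
        head = block.splitlines()[0].split()
        if head[0] == "interface":
            mgmt[head[1]] = set(re.findall(r"service-manage (\S+) permit", block))
        elif head[:2] == ["firewall", "zone"]:
            zones[head[2]] = re.findall(r"add interface (\S+)", block)
        elif head[0] == "security-policy":
            for text in re.split(r"\n(?= rule name )", block)[1:]:
                act = re.search(r"action (\S+)", text)
                rules.append({"name": re.search(r"rule name (\S+)", text).group(1),
                              "action": act.group(1) if act else None,
                              "zone_bound": bool(re.search(r"(source|destination)-zone", text))})
    return mgmt, zones, rules

def audit(config):
    """Flag plaintext management on untrust interfaces and permit rules with no zone restriction."""
    mgmt, zones, rules = parse(config)
    findings = []
    for iface in zones.get("untrust", []):
        exposed = sorted(RISKY_MGMT & mgmt.get(iface, set()))
        if exposed:
            findings.append(f"{iface}: untrust interface permits {', '.join(exposed)} management")
    for r in rules:
        if r["action"] == "permit" and not r["zone_bound"]:
            findings.append(f"rule {r['name']}: permits traffic between all zones")
    return findings
```

Telnet permitted on the trust-side interface is not reported, since the check targets exposure on untrust interfaces; a rule carrying a `source-zone` or `destination-zone` line is likewise left alone.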