Topology diagram
Device selection
Internal (intranet) users and external (Internet) users both use PC-type terminal devices
The company server uses a Server-type terminal device
LSW1-3 use S3700 switches
FW1-FW2 use USG6000 firewalls
Lab requirements
1. Complete the network parameter configuration of each terminal device and the initial configuration of the FWs (password change, interface IPs)
2. Assign the ports to the appropriate security zones according to the terminal device type
3. According to the topology plan, create the VRRP backup groups that connect the internal users, the external users and the company server respectively (using VGMP)
4. Enable HRP on FW1-2 and configure the heartbeat interface
5. Configure security policies on the master FW to meet the following requirements:
  Internal users can access external users, but not the reverse
  Both internal and external users can access the company server
6. HA simulation (business continuity check when a failure occurs)
Procedure
1. Terminal device network parameter configuration & FW initial configuration
Internal users:
External users:
Company server:
FW1 - password change:
FW1 - initialization script:
sysname Fw1
#
undo info-center enable
#
interface GigabitEthernet1/0/0
 ip address 10.0.12.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 172.16.10.251 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 192.168.10.251 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 20.0.0.251 255.255.255.0
FW2 - password change: same as on FW1
FW2 - initialization script:
sysname Fw2
#
undo info-center enable
#
interface GigabitEthernet1/0/0
 ip address 10.0.12.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 172.16.10.252 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 192.168.10.252 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 20.0.0.252 255.255.255.0
2. Security zone planning for the FW interfaces
FW1:
firewall zone trust
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 add interface GigabitEthernet1/0/3
#
firewall zone dmz
 add interface GigabitEthernet1/0/2
FW2:
firewall zone trust
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 add interface GigabitEthernet1/0/3
#
firewall zone dmz
 add interface GigabitEthernet1/0/2
3. Creating the VRRP backup groups under the FW interfaces
FW1:
interface GigabitEthernet1/0/1
 vrrp vrid 1 virtual-ip 172.16.10.254 active
#
interface GigabitEthernet1/0/2
 vrrp vrid 2 virtual-ip 192.168.10.254 active
#
interface GigabitEthernet1/0/3
 vrrp vrid 3 virtual-ip 20.0.0.254 active
FW2:
interface GigabitEthernet1/0/1
 vrrp vrid 1 virtual-ip 172.16.10.254 standby
#
interface GigabitEthernet1/0/2
 vrrp vrid 2 virtual-ip 192.168.10.254 standby
#
interface GigabitEthernet1/0/3
 vrrp vrid 3 virtual-ip 20.0.0.254 standby
4. Enable HRP on FW1-2 and configure the heartbeat interface
FW1:
hrp enable
hrp interface GigabitEthernet1/0/0 remote 10.0.12.2
FW2:
hrp enable
hrp interface GigabitEthernet1/0/0 remote 10.0.12.1
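Steps 2 to 4 only work as a hot-standby pair if both firewalls agree: every interface in the same zone on both devices, each VRRP group with the same VRID and virtual IP on both sides with exactly one active and one standby member, the virtual IP a free address inside the interface subnet, and each side's heartbeat remote address pointing at the peer's heartbeat interface. The checker below is an added example written for this lab, not code from the page or from Huawei; it parses the FW1 fragments shown above (merged into one text, with FW2 derived from it by the substitutions the page's FW2 config actually differs by) and reports any of those mismatches. The zone, interface and HRP line formats it understands are exactly the ones the lab uses.

```python
import ipaddress
import re

# Constructed input: FW1's fragments from the lab (init script, zones, VRRP, HRP)
# merged into one text; the "#" separators are dropped since the parser ignores them.
FW1 = """\
interface GigabitEthernet1/0/0
 ip address 10.0.12.1 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 172.16.10.251 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.10.254 active
interface GigabitEthernet1/0/2
 ip address 192.168.10.251 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.10.254 active
interface GigabitEthernet1/0/3
 ip address 20.0.0.251 255.255.255.0
 vrrp vrid 3 virtual-ip 20.0.0.254 active
firewall zone trust
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface GigabitEthernet1/0/3
firewall zone dmz
 add interface GigabitEthernet1/0/2
hrp enable
hrp interface GigabitEthernet1/0/0 remote 10.0.12.2
"""

# FW2 on the page differs from FW1 only by the .251 -> .252 addresses, the swapped
# heartbeat pair (10.0.12.2 local / 10.0.12.1 remote) and the standby VRRP roles.
FW2 = (FW1.replace("10.0.12.1 255", "10.0.12.2 255")
          .replace("remote 10.0.12.2", "remote 10.0.12.1")
          .replace(".251 255", ".252 255")
          .replace(" active", " standby"))

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")


def parse(config):
    """Extract interface addresses, VRRP groups, zone membership and HRP heartbeat settings."""
    dev = {"interfaces": {}, "zones": {}, "hrp_iface": None, "hrp_remote": None}
    ctx = None  # ("if", name) or ("zone", name) while inside that block
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "#":
            continue
        if parts[0] == "interface":
            ctx = ("if", parts[1])
            dev["interfaces"].setdefault(parts[1], {})
        elif parts[:2] == ["firewall", "zone"]:
            ctx = ("zone", parts[2])
            dev["zones"].setdefault(parts[2], [])
        elif parts[:2] == ["hrp", "interface"]:
            dev["hrp_iface"], dev["hrp_remote"] = parts[2], parts[4]
            ctx = None
        elif ctx and ctx[0] == "if" and parts[:2] == ["ip", "address"]:
            dev["interfaces"][ctx[1]]["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif ctx and ctx[0] == "if" and parts[0] == "vrrp":
            vrid, vip, role = VRRP_RE.match(raw.strip()).groups()
            dev["interfaces"][ctx[1]]["vrrp"] = (int(vrid), ipaddress.ip_address(vip), role)
        elif ctx and ctx[0] == "zone" and parts[:2] == ["add", "interface"]:
            dev["zones"][ctx[1]].append(parts[2])
    return dev


def check_pair(cfg_a, cfg_b):
    """Return a list of consistency findings; an empty list means the pair agrees."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    # 1. Each interface must sit in the same security zone on both firewalls.
    zone_a = {i: z for z, ifs in a["zones"].items() for i in ifs}
    zone_b = {i: z for z, ifs in b["zones"].items() for i in ifs}
    for iface in sorted(set(zone_a) | set(zone_b)):
        if zone_a.get(iface) != zone_b.get(iface):
            findings.append(f"{iface}: zone {zone_a.get(iface)} on A vs {zone_b.get(iface)} on B")
    # 2. VRRP: same VRID and virtual IP, one active + one standby, virtual IP free in the subnet.
    for iface in sorted(set(a["interfaces"]) | set(b["interfaces"])):
        ia, ib = a["interfaces"].get(iface, {}), b["interfaces"].get(iface, {})
        va, vb = ia.get("vrrp"), ib.get("vrrp")
        if va is None and vb is None:
            continue
        if va is None or vb is None:
            findings.append(f"{iface}: VRRP group configured on only one device")
            continue
        if va[:2] != vb[:2]:
            findings.append(f"{iface}: VRID/virtual-ip mismatch {va[0]}/{va[1]} vs {vb[0]}/{vb[1]}")
        if {va[2], vb[2]} != {"active", "standby"}:
            findings.append(f"{iface}: roles must be active+standby, got {va[2]}/{vb[2]}")
        for tag, info, v in (("A", ia, va), ("B", ib, vb)):
            addr = info.get("addr")
            if addr is None or v[1] not in addr.network or v[1] == addr.ip:
                findings.append(f"{iface} on {tag}: virtual-ip {v[1]} is not a free address in the subnet")
    # 3. Heartbeat: each side's 'remote' must be the peer's heartbeat interface address.
    for tag, me, peer in (("A", a, b), ("B", b, a)):
        if me["hrp_iface"] is None:
            findings.append(f"{tag}: no hrp interface configured")
            continue
        peer_addr = peer["interfaces"].get(peer["hrp_iface"] or "", {}).get("addr")
        if peer_addr is None or str(peer_addr.ip) != me["hrp_remote"]:
            findings.append(f"{tag}: hrp remote {me['hrp_remote']} is not the peer's heartbeat address")
    return findings


if __name__ == "__main__":
    print(check_pair(FW1, FW2) or "FW1/FW2 HA configuration is consistent")
```

Run against the page's configuration the checker returns no findings; flipping one virtual IP, making both sides `active`, or pointing `hrp interface ... remote` at the wrong address each produces a specific finding, which is the kind of mistake that otherwise only shows up as a VGMP group stuck in the wrong state or a heartbeat that never comes up.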
5. Configure the security policies on the master FW according to the business requirements
FW1:
security-policy
 rule name t2u
  source-zone trust
  destination-zone untrust
  source-address 172.16.10.0 mask 255.255.255.0
  destination-address 20.0.0.0 mask 255.255.255.0
  action permit
 rule name tu2d
  source-zone trust
  source-zone untrust
  destination-zone dmz
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 20.0.0.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
```
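The two rules above satisfy the requirement "internal users can access external users, but not the reverse" without any explicit deny: the firewall evaluates rules in order, permits the first match, and drops everything that matches no rule (the implicit default deny), while replies to a permitted session are forwarded by the session table rather than by a reverse rule. The model below is an added example for this lab, not code from the page or from Huawei; it parses the security-policy block as written above, maps addresses to zones using the step 2 zone assignments and the interface subnets from the init scripts, and runs constructed sample hosts (the page does not give the PC or server addresses) through it. It is a simplification of the USG's behaviour: no Local zone, no NAT, and only address and zone matching.

```python
import ipaddress

# Constructed input: the security-policy block from step 5, as shown on the page.
POLICY = """\
security-policy
 rule name t2u
  source-zone trust
  destination-zone untrust
  source-address 172.16.10.0 mask 255.255.255.0
  destination-address 20.0.0.0 mask 255.255.255.0
  action permit
 rule name tu2d
  source-zone trust
  source-zone untrust
  destination-zone dmz
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 20.0.0.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
"""

# Zone membership from step 2, expressed as the interface subnets of the init scripts.
ZONES = {
    "trust": ["10.0.12.0/24", "172.16.10.0/24"],
    "untrust": ["20.0.0.0/24"],
    "dmz": ["192.168.10.0/24"],
}


def parse_policy(text):
    """Turn the security-policy block into an ordered rule list (empty lists mean 'any')."""
    rules, cur = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] == ["rule", "name"]:
            cur = {"name": parts[2], "src_zone": [], "dst_zone": [],
                   "src": [], "dst": [], "action": "deny"}
            rules.append(cur)
        elif cur is None or not parts:
            continue
        elif parts[0] == "source-zone":
            cur["src_zone"].append(parts[1])
        elif parts[0] == "destination-zone":
            cur["dst_zone"].append(parts[1])
        elif parts[0] in ("source-address", "destination-address"):
            key = "src" if parts[0] == "source-address" else "dst"
            cur[key].append(ipaddress.ip_network(f"{parts[1]}/{parts[3]}"))
        elif parts[0] == "action":
            cur["action"] = parts[1]
    return rules


class Firewall:
    """First-match zone policy plus a session table: replies to a permitted flow
    are forwarded by the session entry, so no reverse rule is ever needed."""

    def __init__(self, rules, zones):
        self.rules = rules
        self.zones = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in zones.items()}
        self.sessions = set()

    def zone_of(self, ip):
        for zone, nets in self.zones.items():
            if any(ip in n for n in nets):
                return zone
        return None

    @staticmethod
    def _match(ip, nets):
        return not nets or any(ip in n for n in nets)

    def forward(self, proto, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = (proto, src, sport, dst, dport)
        if (proto, dst, dport, src, sport) in self.sessions:
            return "permit (session)"  # reply traffic of an established session
        sz, dz = self.zone_of(src), self.zone_of(dst)
        for r in self.rules:
            if ((not r["src_zone"] or sz in r["src_zone"])
                    and (not r["dst_zone"] or dz in r["dst_zone"])
                    and self._match(src, r["src"]) and self._match(dst, r["dst"])):
                if r["action"] == "permit":
                    self.sessions.add(key)
                return f"{r['action']} ({r['name']})"
        return "deny (default)"  # no rule matched: the implicit default deny


def run_lab_checks():
    """Constructed sample hosts inside the lab subnets, one flow per requirement."""
    fw = Firewall(parse_policy(POLICY), ZONES)
    flows = [
        ("inside -> outside", ("tcp", "172.16.10.1", 40000, "20.0.0.1", 80)),
        ("outside reply", ("tcp", "20.0.0.1", 80, "172.16.10.1", 40000)),
        ("outside -> inside", ("tcp", "20.0.0.1", 40001, "172.16.10.1", 22)),
        ("inside -> server", ("tcp", "172.16.10.1", 40002, "192.168.10.1", 80)),
        ("outside -> server", ("tcp", "20.0.0.1", 40003, "192.168.10.1", 80)),
        ("server -> inside", ("tcp", "192.168.10.1", 40004, "172.16.10.1", 445)),
    ]
    return {label: fw.forward(*pkt) for label, pkt in flows}


if __name__ == "__main__":
    for label, verdict in run_lab_checks().items():
        print(f"{label:20s} {verdict}")
```

The last flow is worth noticing: the server in the DMZ cannot initiate connections back into the trust zone either, which is the usual intent for a DMZ host and falls out of the same default deny. Because HRP synchronises the security policy from the active device, the rules only have to be entered on the master, as the lab does.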
Result verification
1. Business connectivity check (before the failure)
2. Failure simulation (directly shut down the master FW)
3. Business connectivity check (after the failure)