Device IP addressing and interface VLAN assignments are shown in the table below:
Lab requirements
1. Device IP addresses and VLANs are planned as shown in the table above;
2. The gateways of PC1 (VLAN 10) and PC2 (VLAN 20) are on FW1 and FW2 (the virtual IP addresses of VRRP groups 1 and 2);
3. PC1 belongs to the Trust zone; PC2 belongs to the DMZ zone; R1 and R2 are in the Untrust zone;
4. FW1 and FW2 run dual-device hot standby, with FW1 as the master and FW2 as the backup; GE0/0/2 on both firewalls is the heartbeat interface, dedicated to HRP, and is placed in a custom security zone named heart;
5. FW1, FW2, R1 and R2 run OSPF as shown in the diagram;
6. PC1 must be able to initiate access to the 10.9.9.0/24 network;
Configuration
1. Configure the access switch SW3
# Create VLAN 10 and VLAN 20 on SW3
[SW3] vlan batch 10 20
# Configure the Layer 2 port types on SW3 and add the ports to the corresponding VLANs
[SW3] interface GigabitEthernet0/0/1
[SW3-GigabitEthernet0/0/1] port link-type access
[SW3-GigabitEthernet0/0/1] port default vlan 10
[SW3] interface GigabitEthernet0/0/2
[SW3-GigabitEthernet0/0/2] port link-type access
[SW3-GigabitEthernet0/0/2] port default vlan 20
[SW3] interface GigabitEthernet0/0/21
[SW3-GigabitEthernet0/0/21] port link-type trunk
[SW3-GigabitEthernet0/0/21] port trunk allow-pass vlan all
[SW3] interface GigabitEthernet0/0/22
[SW3-GigabitEthernet0/0/22] port link-type trunk
[SW3-GigabitEthernet0/0/22] port trunk allow-pass vlan all
# Configure MSTP on SW3
[SW3] stp mode mstp
[SW3] stp enable
2. Configure SW1 and SW2
# On SW1, create the VLANs, configure the Eth-Trunk, configure the Layer 2 ports and assign them to the corresponding VLANs
[SW1] vlan batch 10 20
[SW1] interface Eth-Trunk 1
[SW1-Eth-Trunk1] mode manual load-balance
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
[SW1-Eth-Trunk1] port link-type trunk
[SW1-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SW1-Eth-Trunk1] quit
#
[SW1] interface GigabitEthernet0/0/21
[SW1-GigabitEthernet0/0/21] port link-type trunk
[SW1-GigabitEthernet0/0/21] port trunk allow-pass vlan 10 20
#
[SW1] interface GigabitEthernet0/0/20
[SW1-GigabitEthernet0/0/20] port link-type trunk
[SW1-GigabitEthernet0/0/20] port trunk allow-pass vlan 10 20
# Configure MSTP on SW1; SW1 is the primary root bridge of the network
[SW1] stp mode mstp
[SW1] stp instance 0 root primary
[SW1] stp enable
# On SW2, create the VLANs, configure the Eth-Trunk, configure the Layer 2 ports and assign them to the corresponding VLANs
[SW2] vlan batch 10 20
[SW2] interface Eth-Trunk 1
[SW2-Eth-Trunk1] mode manual load-balance
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
[SW2-Eth-Trunk1] port link-type trunk
[SW2-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SW2-Eth-Trunk1] quit
#
[SW2] interface GigabitEthernet0/0/22
[SW2-GigabitEthernet0/0/22] port link-type trunk
[SW2-GigabitEthernet0/0/22] port trunk allow-pass vlan 10 20
#
[SW2] interface GigabitEthernet0/0/20
[SW2-GigabitEthernet0/0/20] port link-type trunk
[SW2-GigabitEthernet0/0/20] port trunk allow-pass vlan 10 20
# Configure MSTP on SW2; SW2 is the secondary root bridge of the network
[SW2] stp mode mstp
[SW2] stp instance 0 root secondary
[SW2] stp enable
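Transcripts like the ones above are easy to get wrong by copy-and-paste (a prompt showing the wrong interface, zone or switch name). The following Python script is an added example, not part of the original write-up and not a Huawei tool: it walks a transcript in the `[sysname-view] command` form used here and flags any line whose prompt does not match the view the previous command entered. The sample transcripts inside it are constructed for this example, and it models only the views this lab uses (interface, firewall zone, ospf/area, policy interzone), which is an assumption about the CLI rather than a complete VRP model.

```python
import re

# Prompt forms seen in this lab: "[SW3] ...", "[SW3-GigabitEthernet0/0/1] ..." and,
# once HRP is enabled, "HRP_M[FW1-...] ...".
PROMPT_RE = re.compile(r"^(?:HRP_[MS])?\[([^\]]+)\]\s*(.*)$")


def view_entered(command, current):
    """Prompt suffix the command leaves the CLI in, or None if the view is unchanged (lab views only)."""
    parts = command.split()
    if not parts:
        return None
    kw = parts[0].lower()
    if kw == "interface" and len(parts) >= 2:
        return "".join(parts[1:])            # "interface Eth-Trunk 1" -> "Eth-Trunk1"
    if kw == "firewall" and len(parts) >= 3 and parts[1].lower() == "zone":
        name = parts[3] if parts[2].lower() == "name" and len(parts) >= 4 else parts[2]
        return f"zone-{name}"
    if kw == "ospf" and len(parts) >= 2:
        return f"ospf-{parts[1]}"
    if kw == "area" and len(parts) >= 2 and current.startswith("ospf-"):
        area = parts[1]
        if "." not in area:                  # "area 0" is shown as 0.0.0.0 in the prompt
            n = int(area)
            area = ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
        return f"{current}-{area}"
    if kw == "policy" and len(parts) == 2 and parts[1].isdigit() and current.startswith("policy-interzone-"):
        return f"{current}-{parts[1]}"       # "policy 0" nests under the interzone view
    if kw == "policy" and len(parts) >= 2 and parts[1].lower() == "interzone":
        return "policy-" + "-".join(parts[1:]).lower()
    return None


def check_transcript(text):
    """Report lines whose prompt does not match the view the previous command left the CLI in.
    A bare system-view prompt is always accepted, since the write-up returns there without quit."""
    findings = []
    sysname = None
    stack = []                               # views entered, innermost last; [] = system view
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROMPT_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: no CLI prompt found")
            continue
        body, command = m.group(1), m.group(2).split("#")[0].strip()
        if sysname is None:
            sysname = body.split("-")[0]     # the first prompt fixes the device name
        if body == sysname:
            suffix = ""
        elif body.startswith(sysname + "-"):
            suffix = body[len(sysname) + 1:]
        else:
            findings.append(f"line {lineno}: prompt [{body}] is not a {sysname} prompt")
            continue
        expected = stack[-1] if stack else ""
        if suffix == "":
            stack = []                       # implicit return to the system view
        elif suffix != expected:
            exp_prompt = sysname + ("-" + expected if expected else "")
            findings.append(f"line {lineno}: prompt [{body}] but the previous command left the CLI in [{exp_prompt}]")
            stack = [suffix]                 # resynchronise on what the transcript shows
        if command.lower() == "quit":
            if stack:
                stack.pop()
        else:
            new = view_entered(command, suffix)
            if new is not None:
                if suffix and new.startswith(suffix + "-"):
                    stack.append(new)        # nested view (area, policy N)
                else:
                    stack = [new]
    return findings


# Constructed samples reproducing two copy-and-paste slips of the kind seen in this write-up.
SAMPLE_SW3 = """\
[SW3] vlan batch 10 20
[SW3] interface GigabitEthernet0/0/1
[SW3-GigabitEthernet0/0/1] port link-type access
[SW3-GigabitEthernet0/0/1] port default vlan 10
[SW3] interface GigabitEthernet0/0/2
[SW3-GigabitEthernet0/0/1] port link-type access
[SW3-GigabitEthernet0/0/1] port default vlan 20
"""
SAMPLE_FW2 = """\
[FW2] firewall zone trust
[FW2-zone-untrust] add interface GigabitEthernet 0/0/1.10
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-untrust] add interface GigabitEthernet 0/0/1.20
[FW2-zone-untrust] quit
"""
SAMPLE_CLEAN = """\
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet 0/0/3
[FW1-zone-untrust] quit
[FW1] ospf 1 router-id 1.1.1.1
[FW1-ospf-1] area 0
[FW1-ospf-1-0.0.0.0] network 10.1.1.0 0.0.0.255
[FW1-ospf-1-0.0.0.0] quit
[FW1-ospf-1] quit
HRP_M[FW1] policy interzone trust untrust outbound
HRP_M[FW1-policy-interzone-trust-untrust-outbound] policy 0
"""

if __name__ == "__main__":
    for name, sample in (("SW3", SAMPLE_SW3), ("FW2", SAMPLE_FW2), ("clean", SAMPLE_CLEAN)):
        print(name, check_transcript(sample) or "consistent")
```

The checker resynchronises on the prompt the transcript actually shows after each finding, so one slip produces one report rather than a cascade for every following line.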
3. Configure FW1 and FW2 so that PC1 and PC2 can reach their gateways
# On FW1, create sub-interface GE0/0/1.10 with dot1q encapsulation for VLAN 10 and configure its IP address and VRRP; create sub-interface GE0/0/1.20 with dot1q encapsulation for VLAN 20 and configure its IP address and VRRP; then add both sub-interfaces to the corresponding security zones:
[FW1] interface GigabitEthernet 0/0/1.10
[FW1-GigabitEthernet0/0/1.10] vlan-type dot1q 10
[FW1-GigabitEthernet0/0/1.10] ip address 192.168.10.3 24
[FW1-GigabitEthernet0/0/1.10] vrrp vrid 1 virtual-ip 192.168.10.1 master
[FW1-GigabitEthernet0/0/1.10] quit
#
[FW1] interface GigabitEthernet 0/0/1.20
[FW1-GigabitEthernet0/0/1.20] vlan-type dot1q 20
[FW1-GigabitEthernet0/0/1.20] ip address 192.168.20.3 24
[FW1-GigabitEthernet0/0/1.20] vrrp vrid 2 virtual-ip 192.168.20.1 master
[FW1-GigabitEthernet0/0/1.20] quit
#
[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet 0/0/1.10
[FW1-zone-trust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface GigabitEthernet 0/0/1.20
[FW1-zone-dmz] quit
# On FW2, create sub-interface GE0/0/1.10 with dot1q encapsulation for VLAN 10 and configure its IP address and VRRP; create sub-interface GE0/0/1.20 with dot1q encapsulation for VLAN 20 and configure its IP address and VRRP; then add both sub-interfaces to the corresponding security zones:
[FW2] interface GigabitEthernet 0/0/1.10
[FW2-GigabitEthernet0/0/1.10] vlan-type dot1q 10
[FW2-GigabitEthernet0/0/1.10] ip address 192.168.10.2 24
[FW2-GigabitEthernet0/0/1.10] vrrp vrid 1 virtual-ip 192.168.10.1 slave
[FW2-GigabitEthernet0/0/1.10] quit
[FW2] interface GigabitEthernet 0/0/1.20
[FW2-GigabitEthernet0/0/1.20] vlan-type dot1q 20
[FW2-GigabitEthernet0/0/1.20] ip address 192.168.20.2 24
[FW2-GigabitEthernet0/0/1.20] vrrp vrid 2 virtual-ip 192.168.20.1 slave
[FW2-GigabitEthernet0/0/1.20] quit
#
[FW2] firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet 0/0/1.10
[FW2-zone-trust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface GigabitEthernet 0/0/1.20
[FW2-zone-dmz] quit
After the above configuration, PC1 and PC2 can reach their gateways. PC1 is in the trust zone, and the firewall's default security policy may permit both the inbound and outbound directions between the local and trust zones, so PC1 can ping its gateway 192.168.10.1 directly. The default policy between local and dmz is deny in both directions, so PC2 may not be able to ping its gateway 192.168.20.1 directly; this does not affect the lab, but if you want to observe the result you can open the security policy between local and dmz.
4. Configure FW1 and FW2 to establish OSPF neighbour relationships with R1 and R2
# On FW1, configure GE0/0/3 and run OSPF with router-id 1.1.1.1
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet 0/0/3
[FW1] interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3] ip address 10.1.1.1 24
[FW1] ospf 1 router-id 1.1.1.1
[FW1-ospf-1] area 0
[FW1-ospf-1-0.0.0.0] network 10.1.1.0 0.0.0.255
[FW1-ospf-1-0.0.0.0] network 192.168.10.0 0.0.0.255
[FW1-ospf-1-0.0.0.0] network 192.168.20.0 0.0.0.255
[FW1-ospf-1-0.0.0.0] quit
[FW1-ospf-1] quit
# On FW2, configure GE0/0/3 and run OSPF with router-id 2.2.2.2
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface GigabitEthernet 0/0/3
[FW2] interface GigabitEthernet 0/0/3
[FW2-GigabitEthernet0/0/3] ip address 10.1.2.1 24
[FW2] ospf 1 router-id 2.2.2.2
[FW2-ospf-1] area 0
[FW2-ospf-1-0.0.0.0] network 10.1.2.0 0.0.0.255
[FW2-ospf-1-0.0.0.0] network 192.168.10.0 0.0.0.255
[FW2-ospf-1-0.0.0.0] network 192.168.20.0 0.0.0.255
[FW2-ospf-1-0.0.0.0] quit
[FW2-ospf-1] quit
# Configure R1
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0] ip address 10.1.1.2 24
[R1] interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1] ip address 10.9.9.1 24
#
[R1] ospf 1 router-id 3.3.3.3
[R1-ospf-1] area 0
[R1-ospf-1-0.0.0.0] network 10.1.1.0 0.0.0.255
[R1-ospf-1-0.0.0.0] network 10.9.9.0 0.0.0.255
[R1-ospf-1-0.0.0.0] quit
[R1-ospf-1] quit
# Configure R2
[R2] interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0] ip address 10.1.2.2 24
[R2] interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1] ip address 10.9.9.2 24
#
[R2] ospf 1 router-id 4.4.4.4
[R2-ospf-1] area 0
[R2-ospf-1-0.0.0.0] network 10.1.2.0 0.0.0.255
[R2-ospf-1-0.0.0.0] network 10.9.9.0 0.0.0.255
[R2-ospf-1-0.0.0.0] quit
[R2-ospf-1] quit
5. Configure dual-device hot standby on FW1 and FW2
Add the following configuration on FW1:
[FW1] interface GigabitEthernet0/0/3
[FW1-GigabitEthernet0/0/3] hrp track master # track GE0/0/3 in the master VGMP group; if it goes down, the group's priority drops and a switchover is triggered
#
[FW1] interface GigabitEthernet 0/0/2 # configure the interface used for HRP
[FW1-GigabitEthernet0/0/2] ip address 1.1.1.1 24
[FW1-GigabitEthernet0/0/2] quit
[FW1] firewall zone name heart # create a security zone and add the interface to it
[FW1-zone-heart] set priority 90
[FW1-zone-heart] add interface GigabitEthernet 0/0/2
[FW1-zone-heart] quit
[FW1] hrp interface GigabitEthernet0/0/2 # configure GE0/0/2 as the HRP heartbeat interface
[FW1] hrp ospf-cost adjust-enable # adjust the OSPF cost of advertised routes according to the HRP state
[FW1] hrp preempt delay 30
[FW1] hrp enable # enable HRP backup; once enabled, the two devices negotiate master/backup roles, the master prompt shows HRP_M and the backup prompt shows HRP_S. After the first negotiation, the master backs up its configuration and connection state to the backup device
Add the following configuration on FW2:
[FW2] interface GigabitEthernet0/0/3
[FW2-GigabitEthernet0/0/3] hrp track slave # FW2 is the backup, so its tracked interface joins the slave VGMP group
#
[FW2] interface GigabitEthernet 0/0/2 # configure the interface used for HRP
[FW2-GigabitEthernet0/0/2] ip address 1.1.1.2 24
[FW2-GigabitEthernet0/0/2] quit
[FW2] firewall zone name heart # create a security zone and add the interface to it
[FW2-zone-heart] set priority 90
[FW2-zone-heart] add interface GigabitEthernet 0/0/2
[FW2-zone-heart] quit
[FW2] hrp interface GigabitEthernet0/0/2 # configure GE0/0/2 as the HRP heartbeat interface
[FW2] hrp ospf-cost adjust-enable # adjust the OSPF cost of advertised routes according to the HRP state
[FW2] hrp preempt delay 30
[FW2] hrp enable
Once the firewalls are running as master and backup, FW2, as the backup, advertises the 192.168.10.0/24 and 192.168.20.0/24 routes to R2 with a cost of 65500, while FW1, as the master, advertises the routes to R1 with an unchanged metric; as a result, traffic from users in the untrust zone to the trust zone goes through FW1.
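To see why the cost adjustment pulls untrust-to-trust traffic through the HRP master, the following Python model is an added example (not from the write-up and not Huawei code): it runs SPF over a constructed graph of R1, R2, FW1, FW2 and the trust LAN with every link at cost 1, and raises the backup firewall's LAN route to 65500 (the value stated above) when cost adjustment is on. The node names and the cost of 1 per link are assumptions made for the example.

```python
import heapq

# Constructed for this example: every link costs 1, and the HRP backup advertises its
# LAN routes with cost 65500 when "hrp ospf-cost adjust-enable" is configured.
LINK_COST = 1
HRP_BACKUP_COST = 65500


def build_topology(hrp_master, cost_adjust=True):
    """Undirected weighted graph of R1, R2, FW1, FW2 and the trust LAN (192.168.10.0/24)."""
    backup = "FW2" if hrp_master == "FW1" else "FW1"
    edges = {
        ("R1", "R2"): LINK_COST,         # 10.9.9.0/24
        ("R1", "FW1"): LINK_COST,        # 10.1.1.0/24
        ("R2", "FW2"): LINK_COST,        # 10.1.2.0/24
        ("FW1", "LAN"): LINK_COST,       # route to 192.168.10.0/24 as advertised by FW1
        ("FW2", "LAN"): LINK_COST,       # route to 192.168.10.0/24 as advertised by FW2
    }
    if cost_adjust:
        edges[(backup, "LAN")] = HRP_BACKUP_COST   # the backup's LAN route is made unattractive
    graph = {}
    for (a, b), cost in edges.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def best_path(graph, src, dst):
    """Dijkstra shortest path, returning (total_cost, [nodes]) the way OSPF SPF would choose it."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == dst:
            break
        for nxt, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def firewall_on_path(graph, src, dst="LAN"):
    """Which firewall carries traffic from a router into the LAN."""
    _, path = best_path(graph, src, dst)
    return next(n for n in path if n.startswith("FW"))


if __name__ == "__main__":
    for master in ("FW1", "FW2"):
        g = build_topology(master)
        for router in ("R1", "R2"):
            print(f"HRP master {master}: {router} -> LAN via {best_path(g, router, 'LAN')}")
    print("without cost adjustment, R2 enters the LAN via", firewall_on_path(build_topology("FW1", cost_adjust=False), "R2"))
```

The model only covers the router-to-LAN direction; in the other direction the hosts send to the VRRP virtual IP, which the same VGMP master owns, so both halves of a flow cross the same firewall and the stateful session is seen by the device that created it. Without the adjustment, R2 would enter the LAN through FW2 (cost 2 instead of 3), giving an asymmetric path.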
6. Complete the configuration on the master FW1 so that PC1 can ping the 10.9.9.0/24 network
# Deploy an interzone policy on FW1 to allow PC1's subnet to access the untrust zone:
HRP_M[FW1] policy interzone trust untrust outbound
HRP_M[FW1-policy-interzone-trust-untrust-outbound] policy 0
HRP_M[FW1-policy-interzone-trust-untrust-outbound-0] policy source 192.168.10.0 0.0.0.255
HRP_M[FW1-policy-interzone-trust-untrust-outbound-0] action permit
HRP_M[FW1-policy-interzone-trust-untrust-outbound-0] quit
HRP_M[FW1-policy-interzone-trust-untrust-outbound] quit
Because dual-device hot standby is deployed, the policy configured on the master FW1 is synchronised to the backup FW2.
PC1 can now ping 10.9.9.1 and 10.9.9.2.
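The two policy decisions in this write-up (the default local-trust permit versus the local-dmz deny noted in step 3, and the explicit trust-untrust outbound rule in step 6) can be worked through with the following Python model, an added example that is not USG code: it derives the zone of each address from the lab's interface-to-zone mapping and routes, applies the configured interzone rule, and falls back to the defaults the write-up describes. The defaults (local and trust permitted in both directions, everything else denied) and the treatment of intrazone traffic as unfiltered are assumptions recorded in the code.

```python
import ipaddress

# Zone priorities: local, trust, dmz and untrust are the USG defaults; heart is the custom
# zone created above with "set priority 90".
ZONE_PRIORITY = {"local": 100, "heart": 90, "trust": 85, "dmz": 50, "untrust": 5}

# Interface-to-zone mapping and addressing taken from the lab configuration (FW1's view).
INTERFACE_ZONE = {
    "GigabitEthernet0/0/1.10": "trust",
    "GigabitEthernet0/0/1.20": "dmz",
    "GigabitEthernet0/0/3": "untrust",
    "GigabitEthernet0/0/2": "heart",
}
ROUTES = [  # (destination, egress interface); 10.9.9.0/24 is learned through OSPF
    (ipaddress.ip_network("192.168.10.0/24"), "GigabitEthernet0/0/1.10"),
    (ipaddress.ip_network("192.168.20.0/24"), "GigabitEthernet0/0/1.20"),
    (ipaddress.ip_network("10.1.1.0/24"), "GigabitEthernet0/0/3"),
    (ipaddress.ip_network("10.9.9.0/24"), "GigabitEthernet0/0/3"),
    (ipaddress.ip_network("1.1.1.0/24"), "GigabitEthernet0/0/2"),
]
# Addresses owned by FW1 itself (interface IPs and VRRP virtual IPs): traffic to them ends in the local zone.
LOCAL_ADDRESSES = {ipaddress.ip_address(a) for a in
                   ("192.168.10.3", "192.168.10.1", "192.168.20.3", "192.168.20.1", "10.1.1.1", "1.1.1.1")}

# Interzone defaults as described in the write-up (assumption: local<->trust permitted by default,
# everything else denied until a policy permits it).
DEFAULT_PERMIT = {("local", "trust"), ("trust", "local")}

# "policy interzone trust untrust outbound / policy 0 / policy source 192.168.10.0 0.0.0.255 / action permit"
POLICIES = {
    ("trust", "untrust"): [(ipaddress.ip_network("192.168.10.0/24"), "permit")],
}


def zone_for(ip):
    """Zone of the interface an address is reached through; local for the firewall's own addresses."""
    ip = ipaddress.ip_address(ip)
    if ip in LOCAL_ADDRESSES:
        return "local"
    matches = [(net, ifname) for net, ifname in ROUTES if ip in net]
    if not matches:
        return None
    _, ifname = max(matches, key=lambda m: m[0].prefixlen)   # longest prefix match
    return INTERFACE_ZONE[ifname]


def evaluate(src_ip, dst_ip):
    """Decide 'permit' or 'deny' for the first packet of a flow and give the reason."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "no route"
    if src_zone == dst_zone:
        return "permit", f"intrazone {src_zone}"    # assumption: intrazone traffic is not filtered
    # The USG names an interzone by its two zones plus a direction relative to the higher-priority zone.
    high, low = sorted((src_zone, dst_zone), key=lambda z: -ZONE_PRIORITY[z])
    direction = "outbound" if src_zone == high else "inbound"
    interzone = f"policy interzone {high} {low} {direction}"
    for source_net, action in POLICIES.get((src_zone, dst_zone), []):
        if source_net is None or ipaddress.ip_address(src_ip) in source_net:
            return action, interzone
    if (src_zone, dst_zone) in DEFAULT_PERMIT:
        return "permit", f"default {interzone}"
    return "deny", f"default {interzone}"


if __name__ == "__main__":
    # Constructed sample flows: PC1 is 192.168.10.10, PC2 is 192.168.20.10.
    for src, dst in (("192.168.10.10", "192.168.10.1"), ("192.168.20.10", "192.168.20.1"),
                     ("192.168.10.10", "10.9.9.1"), ("192.168.20.10", "10.9.9.1"),
                     ("10.9.9.1", "192.168.10.10")):
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

Return traffic for PC1's ping is matched by the session the first packet created, which is why only the outbound direction needs a rule; an unsolicited packet from 10.9.9.0/24 towards PC1 falls through to the default deny of the trust-untrust inbound interzone.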