如何使用华为ensp模拟器设计实现企业网络?
本次实验在华为ensp模拟器具体实现。
拓扑图
网段划分 区域 vlan 网段
技术部 vlan 10 192.168.10.0/24
人事部 vlan 20 192.168.20.0/24
财务部 vlan 30 192.168.30.0/24
领导部门 vlan 40 192.168.40.0/24
来访客户 vlan 100 192.168.100.0/24
服务器dmz vlan 90 192.138.90.0/24
办公区 vlan+端口配置(二层) lsw1
vlan batch 10int e0/0/1 port link-type trunk port trunk allow-pass vlan 10int e0/0/2 port link-type trunk port trunk allow-pass vlan 10int e0/0/10 port link-type access port default vlan 10 lsw2
vlan batch 20int e0/0/1 port link-type trunk port trunk allow-pass vlan 20int e0/0/2 port link-type trunk port trunk allow-pass vlan 20int e0/0/10 port link-type access port default vlan 20 lsw3
vlan batch 30int e0/0/1 port link-type trunk port trunk allow-pass vlan 30int e0/0/2 port link-type trunk port trunk allow-pass vlan 30int e0/0/10 port link-type access port default vlan 30 lsw4
vlan batch 40int e0/0/1 port link-type trunk port trunk allow-pass vlan 40int e0/0/2 port link-type trunk port trunk allow-pass vlan 40int e0/0/10 port link-type access port default vlan 40 h_sw1
vlan batch 10 20 30 40int g0/0/1 port link-type trunk port trunk allow-pass vlan 10int g0/0/2 port link-type trunk port trunk allow-pass vlan 20int g0/0/3 port link-type trunk port trunk allow-pass vlan 30int g0/0/4 port link-type trunk port trunk allow-pass vlan 40 h_sw2
vlan batch 10 20 30 40int g0/0/1 port link-type trunk port trunk allow-pass vlan 10int g0/0/2 port link-type trunk port trunk allow-pass vlan 20int g0/0/3 port link-type trunk port trunk allow-pass vlan 30int g0/0/4 port link-type trunk port trunk allow-pass vlan 40 无线网络配置 h_sw1
vlan batch 100 1000int g0/0/5 port link-type trunk port trunk allow-pass vlan allint g0/0/6 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enableint vlanif 100 ip add 192.168.100.1 24 dhcp select interface dhcp server dns-list 8.8.8.8 h_sw2
vlan batch 100 1000int g0/0/5 port link-type trunk port trunk allow-pass vlan allint g0/0/6 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enable lsw5
vlan batch 100 1000int e0/0/1 port link-type trunk port trunk allow-pass vlan allint e0/0/2 port link-type trunk port trunk allow-pass vlan allint e0/0/10 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enable lsw6
vlan batch 100 1000int e0/0/1 port link-type trunk port trunk allow-pass vlan 100 1000int e0/0/2 port link-type trunk port trunk allow-pass vlan 100 1000int e0/0/10 port link-type trunk port trunk allow-pass vlan 100 1000 port trunk pvid vlan 1000dhcp enable ac
u t msyssysname acvlan batch 100 1000int g0/0/1 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enableint vlanif 1000 ip add 192.168.101.1 24 dhcp select interfacecapwap source interface vlanif 1000wlan ap-group name ap-group1 regulatory-domain-profile default y quit ap auth-mode mac-auth ap-id 0 ap-mac 00e0-fc25-3910 ap-name area_1 ap-group ap-group1 y quit security-profile name wlan security wpa-wpa2 psk pass-phrase a1234567 aes quit ssid-profile name wlan ssid wlan quit vap-profile name wlan forward-mode direct-forward service-vlan vlan-id 100 security-profile wlan ssid-profile wlan quit ap-group name ap-group1 vap-profile wlan wlan 1 radio 0 vap-profile wlan wlan 1 radio 1 dhcp配置 h_sw1
dhcp enableip pool vlan10 gateway-list 192.168.10.254 network 192.168.10.0 mask 24 excluded-ip-address 192.168.10.1 192.168.10.10 excluded-ip-address 192.168.10.150 192.168.10.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 excluded-ip-address 192.168.20.1 192.168.20.10 excluded-ip-address 192.168.20.150 192.168.20.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 excluded-ip-address 192.168.30.1 192.168.30.10 excluded-ip-address 192.168.30.150 192.168.30.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan40 gateway-list 192.168.40.254 network 192.168.40.0 mask 255.255.255.0 excluded-ip-address 192.168.40.1 192.168.40.10 excluded-ip-address 192.168.40.150 192.168.40.253 dns-list 8.8.8.8 domain-name blue.comint vlanif10 ip add 192.168.10.1 255.255.255.0 dhcp select globalint vlanif20 ip add 192.168.20.1 255.255.255.0 dhcp select globalint vlanif30 ip add 192.168.30.1 255.255.255.0 dhcp select globalint vlanif40 ip add 192.168.40.1 255.255.255.0 dhcp select global h_sw2
dhcp enableip pool vlan10 gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 excluded-ip-address 192.168.10.1 192.168.10.149 excluded-ip-address 192.168.10.250 192.168.10.253 dns-list 8.8.8.8 domain-name blue.com ip pool vlan20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 excluded-ip-address 192.168.20.1 192.168.20.149 excluded-ip-address 192.168.20.250 192.168.20.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 excluded-ip-address 192.168.30.1 192.168.30.149 excluded-ip-address 192.168.30.250 192.168.30.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan40 gateway-list 192.168.40.254 network 192.168.40.0 mask 255.255.255.0 excluded-ip-address 192.168.40.1 192.168.40.149 excluded-ip-address 192.168.40.250 192.168.40.253 dns-list 8.8.8.8 domain-name blue.cominterface vlanif10 ip address 192.168.10.2 255.255.255.0 dhcp select globalinterface vlanif20 ip address 192.168.20.2 255.255.255.0 dhcp select globalinterface vlanif30 ip address 192.168.30.2 255.255.255.0 dhcp select globalinterface vlanif40 ip address 192.168.40.2 255.255.255.0 dhcp select global 在ip地址池创建的过程中,使用了excluded-ip-address命令,使得在主备交换机切换时分配的地址池相互排除,防止主备交换机切换后出现ip地址分配冲突导致网络故障。
vrrp配置 h_sw1
int vlanif10 vrrp vrid 10 virtual-ip 192.168.10.254 vrrp vrid 10 priority 105int vlanif20 vrrp vrid 20 virtual-ip 192.168.20.254 vrrp vrid 20 priority 105int vlanif30 vrrp vrid 30 virtual-ip 192.168.30.254int vlanif40 vrrp vrid 40 virtual-ip 192.168.40.254 h_sw2
int vlanif10vrrp vrid 10 virtual-ip 192.168.10.254int vlanif20vrrp vrid 20 virtual-ip 192.168.20.254int vlanif30vrrp vrid 30 virtual-ip 192.168.30.254vrrp vrid 30 priority 105int vlanif40vrrp vrid 40 virtual-ip 192.168.40.254vrrp vrid 40 priority 105 stp配置 lsw1
stp region-configuration region-name blue_mstp revision-level 1 instance 10 vlan 10 active region-configurationint e0/0/10 stp edged-port enable lsw2
stp region-configuration region-name blue_mstp revision-level 1 instance 10 vlan 10 active region-configurationint e0/0/10 stp edged-port enable lsw3
stp region-configuration region-name blue_mstp revision-level 1 instance 30 vlan 30 active region-configuration quitint e0/0/10 stp edged-port enable lsw4
stp region-configuration region-name blue_mstp revision-level 1 instance 40 vlan 40 active region-configurationint e0/0/10 stp edged-port enable h_sw1
stp instance 12 root primarystp instance 34 root secondarystp region-configuration region-name blue_mstp revision-level 1 instance 12 vlan 10 20 instance 34 vlan 30 40 active region-configurationint g0/0/11 stp disableint g0/0/12 stp disable h_sw2
stp instance 12 root secondarystp instance 34 root primarystp region-configuration region-name blue_mstp revision-level 1 instance 12 vlan 10 20 instance 34 vlan 30 40 active region-configurationint g0/0/11 stp disableint g0/0/12 stp disable acl配置 h_sw1
acl number 3002rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255int g0/0/5 traffic-filter inbound acl 3002 h_sw2
acl number 3002rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255int g0/0/5 traffic-filter inbound acl 3002 lacp配置 lacp链路聚合,链路聚合的原理是将一组相同属性的物理接口捆绑在一起为一个逻辑接口来增加带宽和可靠性的一种方法。有以下优势: 增加带宽、提高冗余(提高可靠性)、负载分担、节省成本、配置量小 1.增加带宽:链路聚合接口的最大带宽可以达到各个成员接口带宽之和。 2提高冗余:当某条路线出现故障的时候,流量可以切到其他可用的成员链路上。流量会切到其他可用链路上,从而提高链路聚合接口的冗余性。并不会影响数据的传输,相对来说也具有稳定性。 3负载分担:在一个链路聚合组内,可以实现在各成员活动链路上的负载分担。 4节省成本:管理员不需要升级链路速度,对已有的接口进行捆绑。 5配置量小:大部分的配置在组eth-trunk下完成。 主要的优势是能增加带宽、提高可靠性和负载分担。
h_sw1
lacp priority 100int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/13 eth-trunk 1 lacp priority 100int g0/0/14 eth-trunk 1 h_sw2
int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/13 eth-trunk 1int g0/0/14 eth-trunk 1 ospf配置 lsw1
int loopback0 ip add 192.168.1.1 32 lsw2
interface loopback0 ip address 192.168.2.2 255.255.255.255 lsw3
interface loopback0 ip address 192.168.3.3 255.255.255.255 lsw4
interface loopback0 ip address 192.168.4.4 255.255.255.255 h_sw1
int loopback 0 ip add 192.168.5.5 32ospf 10 router-id 192.168.5.5 silent-interface vlanif10 silent-interface vlanif20 silent-interface vlanif30 silent-interface vlanif40 area 0 network 192.168.5.5 0.0.0.0 network 192.168.10.1 0.0.0.0 network 192.168.20.1 0.0.0.0 network 192.168.30.1 0.0.0.0 network 192.168.40.1 0.0.0.0 network 192.168.25.5 0.0.0.0 network 192.168.35.5 0.0.0.0 network 192.168.100.1 0.0.0.0 h_sw2
interface loopback0 ip address 192.168.6.6 255.255.255.255 ospf 10 router-id 192.168.6.6 silent-interface vlanif10 silent-interface vlanif20 silent-interface vlanif30 silent-interface vlanif40 area 0.0.0.0 network 192.168.6.6 0.0.0.0 network 192.168.10.2 0.0.0.0 network 192.168.20.2 0.0.0.0 network 192.168.30.2 0.0.0.0 network 192.168.40.2 0.0.0.0 network 192.168.24.6 0.0.0.0 network 192.168.36.6 0.0.0.0 network 192.168.100.2 0.0.0.0 核心层 vlan划分+配置端口 核心交换机 c_sw1
vlan batch 22 to 25int g0/0/1 port link-type access port default vlan 25 stp disableint g0/0/2 port link-type access port default vlan 24 stp disableint g0/0/11 port link-type access port default vlan 22 stp disableint g0/0/12 port link-type access port default vlan 23 stp disableinterface vlanif22 ip address 192.168.22.7 255.255.255.0 interface vlanif23 ip address 192.168.23.7 255.255.255.0 interface vlanif24 ip address 192.168.24.7 255.255.255.0 interface vlanif25 ip address 192.168.25.7 255.255.255.0 c_sw2
vlan batch 33 to 36 44 55int g0/0/1 port link-type access port default vlan 35 stp disableint g0/0/2 port link-type access port default vlan 36 stp disableint g0/0/11 port link-type access port default vlan 34 stp disableint g0/0/12 port link-type access port default vlan 33 stp disableinterface vlanif33 ip address 192.168.33.8 255.255.255.0 interface vlanif34 ip address 192.168.34.8 255.255.255.0 interface vlanif35 ip address 192.168.35.8 255.255.255.0 interface vlanif36 ip address 192.168.36.8 255.255.255.0 interface vlanif44 ip address 192.168.44.8 255.255.255.0 interface vlanif55 ip address 192.168.55.8 255.255.255.0 汇聚层连接核心交换机 h_sw1
vlan batch 25 35int g0/0/11 port link-type access port default vlan 25 stp disableint g0/0/12 port link-type access port default vlan 35 stp disable int vlanif25 ip add 192.168.25.5 24int vlanif35 ip add 192.168.35.5 24 h_sw2
vlan batch 24 36int g0/0/11 port link-type access port default vlan 24 stp disableint g0/0/12 port link-type access port default vlan 36 stp disableint vlanif24 ip add 192.168.24.6 24int vlanif36 ip add 192.168.36.6 24 stp配置 c_sw1
int g0/0/1 stp disableint g0/0/2 stp disableint g0/0/11 stp disableint g0/0/12 stp disable c_sw2
int g0/0/1 stp disableint g0/0/2 stp disableint g0/0/11 stp disableint g0/0/12 stp disable lacp链路聚合 c_sw1
lacp priority 100int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/3 eth-trunk 1 lacp priority 100int g0/0/4 eth-trunk 1 c_sw2
int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/3 eth-trunk 1int g0/0/4 eth-trunk 1 ospf配置 c_sw1
interface loopback0 ip address 192.168.7.7 255.255.255.255 ospf 10 router-id 192.168.7.7 area 0.0.0.0 network 192.168.7.7 0.0.0.0 network 192.168.22.7 0.0.0.0 network 192.168.23.7 0.0.0.0 network 192.168.44.7 0.0.0.0 network 192.168.55.7 0.0.0.0 network 192.168.24.7 0.0.0.0 network 192.168.25.7 0.0.0.0 c_sw2
interface loopback0 ip address 192.168.8.8 255.255.255.255ospf 10 router-id 192.168.8.8 area 0.0.0.0 network 192.168.8.8 0.0.0.0 network 192.168.33.8 0.0.0.0 network 192.168.34.8 0.0.0.0 network 192.168.35.8 0.0.0.0 network 192.168.36.8 0.0.0.0 network 192.168.44.8 0.0.0.0 network 192.168.55.8 0.0.0.0 防火墙 基本配置 fw1
用户名:admin原始密码:admin@123密码:p@ssw0rd新密码:blue@123undo terminal monitorlanguage-mode chinesesyssysname fw1#配置连接防火墙web的接口,ip为虚拟网络对应网段的地址int g0/0/0 undo ip add 192.168.0.1 24 ip add 192.168.94.2 24 service-manage all permit fw2
用户名:admin原始密码:admin@123密码:p@ssw0rd新密码:blue@123undo terminal monitorlanguage-mode chinesesyssysname fw2int g0/0/0 undo ip add 192.168.0.1 24 ip add 192.168.94.3 24 service-manage all permit 规划网段 fw1
int g1/0/0 undo shutdown ip add 192.168.90.1 255.255.255.0 int g1/0/1 undo shutdown ip add 192.168.22.1 255.255.255.0 service-manage all permitint g1/0/2 undo shutdown ip add 192.168.34.1 255.255.255.0int g1/0/3 undo shutdownint g1/0/4 undo shutdownint g1/0/5 undo shutdown ip address 100.100.100.1 255.255.255.0 service-manage ping permitint g1/0/6 undo shutdown ip add 200.200.200.1 255.255.255.0 service-manage ping permit fw2
int g1/0/0 undo shutdown ip add 192.168.90.2 255.255.255.0int g1/0/1 undo shutdown ip add 192.168.23.1 255.255.255.0 service-manage all permitint g1/0/2 undo shutdown ip add 192.168.33.1 255.255.255.0int g1/0/3 undo shutdownint g1/0/4 undo shutdownint g1/0/5 undo shutdown ip address 100.100.100.2 255.255.255.0 service-manage ping permitint g1/0/6 undo shutdown ip add 200.200.200.2 255.255.255.0 lacp链路聚合 fw1
int eth-trunk2 ip add 192.168.2.1 255.255.255.0 mode lacp-static int g1/0/3 eth-trunk 2int g1/0/4 eth-trunk 2 fw2
int eth-trunk2 ip add 192.168.2.2 255.255.255.0 mode lacp-staticint g1/0/3 eth-trunk 2int g1/0/4 eth-trunk 2 规划安全区域 根据拓扑,将接口划入对应的安全区域
注意:两个防火墙之间的心跳接口要必须放进信任区域
fw1
firewall zone trust add int g1/0/1 add int g1/0/2firewall zone dmz add int g1/0/0firewall zone name heart id 4 set priority 75 add int eth-trunk2firewall zone name isp1 id 5 set priority 20 add int g1/0/5firewall zone name isp2 id 6 set priority 15 add int g1/0/6 fw2
firewall zone trust add int g1/0/1 add int g1/0/2firewall zone dmz add int g1/0/0firewall zone name heart id 4 set priority 75 add int eth-trunk2firewall zone name isp1 id 5 set priority 15 add int g1/0/5firewall zone name isp2 id 6 set priority 20 add int g1/0/6 指定链路接口组名称 fw1
isp name china mobile linkif-group 63 isp name china unicom linkif-group 62 isp name china telecom linkif-group 61 isp name china educationnet linkif-group 60 fw2
isp name china mobile linkif-group 63 isp name china unicom linkif-group 62 isp name china telecom linkif-group 61 isp name china educationnet linkif-group 60 安全策略精要 bgp、bfd、dhcp、dhcpv6、ldp和ospf是否受安全策略控制,由基础协议控制开关(firewall packet-filter basic-protocol enable)决定。
fw1
firewall packet-filter basic-protocol enablefirewall defend port-scan enablefirewall defend ip-sweep enablefirewall defend teardrop enablefirewall defend time-stamp enablefirewall defend route-record enablefirewall defend source-route enablefirewall defend ip-fragment enablefirewall defend tcp-flag enablefirewall defend winnuke enablefirewall defend fraggle enablefirewall defend tracert enablefirewall defend icmp-unreachable enablefirewall defend icmp-redirect enablefirewall defend large-icmp enablefirewall defend ping-of-death enablefirewall defend smurf enablefirewall defend land enablefirewall defend ip-spoofing enable fw2
firewall packet-filter basic-protocol enablefirewall defend port-scan enablefirewall defend ip-sweep enablefirewall defend teardrop enablefirewall defend time-stamp enablefirewall defend route-record enablefirewall defend source-route enablefirewall defend ip-fragment enablefirewall defend tcp-flag enablefirewall defend winnuke enablefirewall defend fraggle enablefirewall defend tracert enablefirewall defend icmp-unreachable enablefirewall defend icmp-redirect enablefirewall defend large-icmp enablefirewall defend ping-of-death enablefirewall defend smurf enablefirewall defend land enablefirewall defend ip-spoofing enable 安全策略配置 fw1
security-policy #管理区 rule name trust_local description management source-zone trust destination-zone local action permit fw2
security-policy #管理区 rule name trust_local description management source-zone trust destination-zone local action permit 配置ip-link fw1
ip-link check enableip-link name isp1 destination 100.100.100.100 interface gigabitethernet1/0/5 mode icmpip-link name isp2 destination 200.200.200.200 interface gigabitethernet1/0/6 mode icmp #安全策略配置security-policy rule name local_isp description ip-link source-zone local destination-zone isp1 destination-zone isp2 action permit fw2
ip-link check enableip-link name isp1 destination 100.100.100.100 interface gigabitethernet1/0/5 mode icmpip-link name isp2 destination 200.200.200.200 interface gigabitethernet1/0/6 mode icmp #安全策略配置security-policy rule name local_isp description ip-link source-zone local destination-zone isp1 destination-zone isp2 action permit 配置静态路由 fw1
ip route-static 0.0.0.0 0.0.0.0 100.100.100.100 preference 50 track ip-link isp1ip route-static 0.0.0.0 0.0.0.0 200.200.200.200 preference 50ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/5 100.100.100.100ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/6 200.200.200.200ip route-static 10.20.100.0 255.255.255.0 null0 fw2
ip route-static 0.0.0.0 0.0.0.0 100.100.100.100ip route-static 0.0.0.0 0.0.0.0 200.200.200.200 preference 50ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/5 100.100.100.100ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/6 200.200.200.200ip route-static 10.20.100.0 255.255.255.0 null0 配置ospf动态路由 步骤一:配置动态路由
fw1
interface loopback0 ip address 192.168.11.11 255.255.255.255ospf 10 router-id 192.168.11.11 default-route-advertise area 0.0.0.0 network 192.168.11.11 0.0.0.0 network 192.168.22.1 0.0.0.0 network 192.168.34.1 0.0.0.0 network 192.168.90.1 0.0.0.0 fw2
interface loopback0 ip address 192.168.22.22 255.255.255.255ospf 10 router-id 192.168.22.22 default-route-advertise area 0.0.0.0 network 192.168.22.22 0.0.0.0 network 192.168.23.1 0.0.0.0 network 192.168.33.1 0.0.0.0 network 192.168.90.2 0.0.0.0 步骤二:配置安全策略
fw1
security-policy rule name local_trust description ospf source-zone local destination-zone trust action permit fw2
security-policy rule name local_trust description ospf source-zone local destination-zone trust action permit 双机热备 步骤1:配置vrrp备份组 主设备:fw1
int g1/0/5 vrrp vrid 1 virtual-ip 100.100.100.5 active vrrp virtual-mac enableint g1/0/6 vrrp vrid 2 virtual-ip 200.200.200.5 standby vrrp virtual-mac enable 备份设备:fw2
int g1/0/5 vrrp vrid 1 virtual-ip 100.100.100.5 standby vrrp virtual-mac enableint g1/0/6 vrrp vrid 2 virtual-ip 200.200.200.5 active vrrp virtual-mac enable 步骤2:开启hrp协议,并配置心跳接口和会话备份功能 fw1
hrp enablehrp int eth-trunk2 remote 192.168.2.2hrp mirror session enablehrp standby config enable fw2
hrp enablehrp int eth-trunk2 remote 192.168.2.1hrp mirror session enablehrp standby config enable 步骤3:配置安全策列 是内网用户可以访问服务器和外网用户;外网用户只能访问服务器。注意:只需要配置master即可,backup设备不用配置,配置命令会自动从主设备备份到备份设备。
fw1
security-policy rule name heart source-zone heart source-zone local destination-zone heart destination-zone local action permit fw2
security-policy default action permit rule name heart source-zone heart source-zone local destination-zone heart destination-zone local action permit nat配置 定义转换的ip地址范围 fw1
ip address-set web_ip type object address 0 100.100.100.5 mask 32 address 1 200.200.200.5 mask 32ip address-set pc type object address 0 192.168.10.0 mask 24 address 1 192.168.20.0 mask 24 address 2 192.168.30.0 mask 24 address 3 192.168.40.0 mask 24 来源:网络技术干货圈 fw2
ip address-set web_ip type object address 0 100.100.100.5 mask 32 address 1 200.200.200.5 mask 32ip address-set pc type object address 0 192.168.10.0 mask 24 address 1 192.168.20.0 mask 24 address 2 192.168.30.0 mask 24 address 3 192.168.40.0 mask 24 配置安全策略 fw1
security-policy rule name trust_isp description nat source-zone trust destination-zone isp1 destination-zone isp2 source-address address-set pc action permit fw2
security-policy rule name trust_isp description nat source-zone trust destination-zone isp1 destination-zone isp2 source-address address-set pc action permit 配置nat策略 fw1
nat address-group isp1 0 mode pat section 0 100.100.100.1 100.100.100.2nat address-group isp2 1 mode pat section 0 200.200.200.1 200.200.200.2nat-policy rule name no_nat_isp1 source-zone trust destination-zone isp1 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name no_nat_isp2 source-zone trust destination-zone isp2 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name nat_isp1 source-zone trust destination-zone isp1 action source-nat address-group isp1 rule name nat_isp2 source-zone trust destination-zone isp2 action source-nat address-group isp2 fw2
nat address-group isp1 0 mode pat section 0 100.100.100.1 100.100.100.2nat address-group isp2 1 mode pat section 0 200.200.200.1 200.200.200.2nat-policy rule name no_nat_isp1 source-zone trust destination-zone isp1 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name no_nat_isp2 source-zone trust destination-zone isp2 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name nat_isp1 source-zone trust destination-zone isp1 action source-nat address-group isp1 rule name nat_isp2 source-zone trust destination-zone isp2 action source-nat address-group isp2 snmp配置 fw1
snmp-agent session-rate trap threshold 100 fw2
snmp-agent session-rate trap threshold 100 ipsec配置 步骤一:配置acl fw1
acl number 3000 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255 acl number 3001 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255 fw2
acl number 3000 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255acl number 3001 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255 步骤二:配置ipsec proposal 这是ike阶段二的策略,在阶段二的策略中安全协议采用esp,加密算法使用aes-256,验证算法使用sha2-256
fw1
ipsec proposal prop23101638529 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 ipsec proposal prop23101639469 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 fw2
ipsec proposal prop23101638529 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 ipsec proposal prop23101639469 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 步骤三:配置ike proposal 配置ike proposal,这是ike阶段一的策略,在fw1/fw2上部署的相关策略均需与fw3相匹配。ike阶段一的策略中,身份验证使用的是预共享的认证方式,验证算法使用的是sha2-256,加密算法使用aes-256
fw1
ike proposal 1 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 ike proposal 2 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 fw2
ike proposal 1 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 ike proposal 2 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 步骤四:配置ike peer 定义预共享秘钥、关联ike proposal并指定隧道对端节点ip
fw1
ike peer ike231016385293 exchange-mode auto pre-shared-key 123.abc ike-proposal 1 local-id-type fqdn remote-id-type none local-id c1 dpd type periodic ike negotiate compatibleike peer ike231016394699 exchange-mode auto pre-shared-key 123.abc ike-proposal 2 local-id-type fqdn remote-id-type none local-id c2 dpd type periodic ike negotiate compatible fw2
ike peer ike231016385293 exchange-mode auto pre-shared-key 123.abc ike-proposal 1 local-id-type fqdn remote-id-type none local-id c1 dpd type periodic ike negotiate compatibleike peer ike231016394699 exchange-mode auto pre-shared-key 123.abc ike-proposal 2 local-id-type fqdn remote-id-type none local-id c2 dpd type periodic ike negotiate compatible 步骤五:配置ipsec policy 创建ipsec policy,绑定ipsec proposal、ike peer、acl感兴趣流、配置本地站点地址。
fw1
ipsec policy-template tpl231016385293 1 security acl 3000 ike-peer ike231016385293 proposal prop23101638529 tunnel local 100.100.100.5 alias ipsec-1 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamic ipsec policy-template tpl231016394699 1 security acl 3001 ike-peer ike231016394699 proposal prop23101639469 tunnel local 200.200.200.5 alias ipsec-2 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamicipsec policy ipsec2310163852 10000 isakmp template tpl231016385293ipsec policy ipsec2310163946 10000 isakmp template tpl231016394699 fw2
ipsec policy-template tpl231016385293 1 security acl 3000 ike-peer ike231016385293 proposal prop23101638529 tunnel local 100.100.100.5 alias ipsec-1 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamicipsec policy-template tpl231016394699 1 security acl 3001 ike-peer ike231016394699 proposal prop23101639469 tunnel local 200.200.200.5 alias ipsec-2 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamicipsec policy ipsec2310163852 10000 isakmp template tpl231016385293ipsec policy ipsec2310163946 10000 isakmp template tpl231016394699 步骤六:应用ipsec policy到接口 fw1
int g1/0/5ipsec policy ipsec2310163852 masterint g1/0/6ipsec policy ipsec2310163946 slave fw2
int g1/0/5ipsec policy ipsec2310163852 slaveint g1/0/6ipsec policy ipsec2310163946 master 步骤七:配置策略 fw1
#基于策略路由policy-based-route rule name trust_dmz 1 source-zone trust destination-address address-set web_ip action pbr next-hop 192.168.90.3 rule name isp1 2 source-zone trust source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/5 next-hop 100.100.100.100 rule name isp2 3 source-zone trust source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/6 next-hop 200.200.200.200#安全策略配置security-policy rule name isp_local description ipsec source-zone isp1 source-zone isp2 destination-zone local destination-address 100.100.100.5 mask 255.255.255.255 destination-address 200.200.200.5 mask 255.255.255.255 action permit rule name isp_trust description vpn source-zone isp1 source-zone isp2 destination-zone trust destination-address 192.168.0.0 mask 255.255.0.0 action permit fw2
#基于策略路由policy-based-route rule name trust_dmz 1 source-zone trust destination-address address-set web_ip action pbr next-hop 192.168.90.3 rule name isp1 2 source-zone trust source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/5 next-hop 100.100.100.100 rule name isp2 3 source-zone trust source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/6 next-hop 200.200.200.200 #安全策略配置security-policy rule name isp_local description ipsec source-zone isp1 source-zone isp2 destination-zone local destination-address 100.100.100.5 mask 255.255.255.255 destination-address 200.200.200.5 mask 255.255.255.255 action permit rule name isp_trust description vpn source-zone isp1 source-zone isp2 destination-zone trust destination-address 192.168.0.0 mask 255.255.0.0 action permit l2tp配置 打开防火墙的web界面,依次选择 对象->用户->default,然后新建一个用于登录l2tp vpn的用户,再点击应用。
fw1
l2tp enableaaa service-scheme webserverscheme1649076535499 quit domain default service-scheme webserverscheme1649076535499 service-type l2tp ike internet-access mode password reference user current-domain manager-user password-modify enable manager-user audit-admin password cipher blue@123 service-type web terminal level 15 l2tp-group 1tunnel password cipher blue@123tunnel name lnsallow l2tp virtual-template 1 remote l2tp-client domain defaultinterface virtual-template0 ppp authentication-mode chap y remote address 172.16.1.10 ip address 172.16.1.1 255.255.255.0 service-manage ping permit 路由配置 接口配置地址 isp
int g0/0/1 ip add 10.10.100.3 24int g0/0/2 ip add 10.10.200.3 24int g0/0/3 ip add 150.150.150.1 24int e0/0/0 ip add 8.8.8.1 24int e0/0/1 ip add 192.168.94.50 24 isp_1
int g0/0/1 ip add 100.100.100.100 24int g0/0/2 ip add 10.10.100.1 24 isp_2
int g0/0/1 ip add 200.200.200.200 24int g0/0/2 ip add 10.10.200.2 24 配置is-is isp
int loopback 0 ip add 3.3.3.3 32isis 26 network-entity 49.0010.0030.0300.3003.00 is-level level-2 cost-style wide log-peer-change topologyint g0/0/1 isis enable 26int g0/0/2 isis enable 26int g0/0/3 isis enable 26int e0/0/0 isis enable 26int e0/0/1 isis enable 26int loopback 0 isis enable 26 isp_1
int loopback 0 ip add 1.1.1.1 32isis 26 is-level level-2 cost-style wide network-entity 49.0010.0010.0100.1001.00 log-peer-change topologyint g0/0/1 isis enable 26int g0/0/2 isis enable 26int loopback 0 isis enable 26 isp_2
int loopback 0 ip add 2.2.2.2 32isis 26 is-level level-2 cost-style wide network-entity 49.0010.0020.0200.2002.00 log-peer-change topologyint g0/0/1 isis enable 26int g0/0/2 isis enable 26int loopback 0 isis enable 26 子公司配置 防火墙 初始化配置 用户名:admin原始密码:admin@123密码:blue@123undo terminal monitorlanguage-mode chinesesyssysname fw3int g0/0/0undo ip add 192.168.0.1 24ip add 192.168.94.4 24service-manage all permit 规划网段 int g1/0/0 undo shutdown ip add 150.150.150.150 255.255.255.0 service-manage ping permitint g1/0/1 undo shutdown ip add 10.20.100.254 255.255.255.0 service-manage ping permit #创建tunnel接口并绑定接口int tunnel1 ip add unnumbered int g1/0/0 alias tunnel1 service-manage ping permit int tunnel2 ip add unnumbered int g1/0/0 alias tunnel2 service-manage ping permit 规划安全区域 firewall zone trust add interface gigabitethernet1/0/1firewall zone untrust add interface gigabitethernet1/0/0 add interface tunnel1 add interface tunnel2 指定链路接口组名称 isp name china mobile linkif-group 63isp name china unicom linkif-group 62isp name china telecom linkif-group 61isp name china educationnet linkif-group 60 安全策略配置 #基础协议控制开关firewall packet-filter basic-protocol enable#安全策略security-policy rule name trust_untrust source-zone trust destination-zone untrust action permit 配置ip-link ip-link check enableip-link name link_100 destination 100.100.100.5 interface gigabitethernet1/0/1 mode icmp ip-link name link_200 destination 200.200.200.5 interface gigabitethernet1/0/1 mode icmp 配置静态路由 ip route-static 0.0.0.0 0.0.0.0 150.150.150.1ip route-static 192.168.0.0 255.255.0.0 null0ip route-static 192.168.10.0 255.255.255.0 tunnel1 preference 10 track ip-link link_100ip route-static 192.168.10.0 255.255.255.0 tunnel2 preference 20ip route-static 192.168.20.0 255.255.255.0 tunnel1 preference 10 track ip-link link_100ip route-static 192.168.20.0 255.255.255.0 tunnel2 preference 20ip route-static 192.168.30.0 255.255.255.0 tunnel2 preference 10 track ip-link link_200ip route-static 192.168.30.0 255.255.255.0 tunnel1 preference 20ip route-static 192.168.40.0 255.255.255.0 tunnel2 preference 10 track ip-link link_200ip route-static 192.168.40.0 255.255.255.0 tunnel1 preference 20 nat配置 #配置nat策略nat-policy rule name no_nat source-zone trust destination-zone untrust source-address 10.20.100.0 mask 255.255.255.0 destination-address 192.168.0.0 mask 255.255.0.0 action no-nat rule name nat source-zone trust destination-zone untrust action source-nat easy-ip 配置ipsec vpn 步骤一:配置acl
acl number 3000 rule 5 permit ip source 10.20.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 acl number 3001 rule 5 permit ip source 10.20.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 步骤二:配置ipsec proposal
ipsec proposal prop23101712198 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 ipsec proposal prop23101713129 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 步骤三:配置ike proposal
ike proposal 1 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 ike proposal 2 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 步骤四:配置ike peer
ike peer ike231017121983 exchange-mode auto pre-shared-key 123.abc ike-proposal 1 local-id-type fqdn remote-id-type none local-id br1 dpd type periodic remote-address 100.100.100.5 ike peer ike231017131292 exchange-mode auto pre-shared-key 123.abc ike-proposal 2 local-id-type fqdn remote-id-type none local-id br2 dpd type periodic remote-address 200.200.200.5 步骤五:配置ipsec policy
ipsec policy ipsec2310171219 1 isakmp security acl 3000 ike-peer ike231017121983 proposal prop23101712198 tunnel local applied-interface alias ipsec-1 sa trigger-mode auto sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamic ipsec policy ipsec2310171312 1 isakmp security acl 3001 ike-peer ike231017131292 proposal prop23101713129 tunnel local applied-interface alias ipsec-2 sa trigger-mode auto sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamic 步骤六:应用ipsec policy到接口
int tunnel1 tunnel-protocol ipsec ipsec policy ipsec2310171219int tunnel2 tunnel-protocol ipsec ipsec policy ipsec2310171312 步骤七:配置策略
security-policy rule name local_untrust description ipsec upd500 source-zone local destination-zone untrust destination-address 100.100.100.5 mask 255.255.255.255 destination-address 200.200.200.5 mask 255.255.255.255 action permit rule name untrust_local description ipsec_esp source-zone untrust destination-zone local source-address 100.100.100.5 mask 255.255.255.255 source-address 200.200.200.5 mask 255.255.255.255 action permit rule name untrust_trust description vpn source-zone untrust destination-zone trust source-address 192.168.0.0 mask 255.255.0.0 destination-address 10.20.100.0 mask 255.255.255.0 action permit 服务区域dmz vlan+端口配置 lsw9
vlan batch 90int vlanif90ip address 192.168.90.3 255.255.255.0int g0/0/11port link-type accessport default vlan 90int g0/0/12port link-type accessport default vlan 90int g0/0/13port link-type accessport default vlan 90int g0/0/1port link-type accessport default vlan 90int g0/0/2port link-type accessport default vlan 90 ospf配置 lsw9
int loopback 0 ip add 192.168.9.9 32ospf 10 router-id 192.168.9.9 default-route-advertise area 0.0.0.0 network 192.168.9.9 0.0.0.0 network 192.168.90.3 0.0.0.0 安全策略配置 fw1
#外网访问服务、防火墙到服务器、内网访问服务
security-policy rule name isp_dmz description www source-zone isp1 source-zone isp2 destination-zone dmz destination-address address-set web_ip service dns service ftp service http service icmp long-link enable long-link aging-time 10 action permit rule name local_dmz description ospf source-zone local destination-zone dmz destination-address 192.168.90.0 mask 255.255.255.0 service icmp action permit rule name trust_dmz source-zone trust destination-zone dmz service http action permit fw2
security-policy rule name isp_dmz description www source-zone isp1 source-zone isp2 destination-zone dmz destination-address address-set web_ip service dns service ftp service http service icmp long-link enable long-link aging-time 10 action permit rule name local_dmz description ospf source-zone local destination-zone dmz destination-address 192.168.90.0 mask 255.255.255.0 service icmp action permit rule name trust_dmz source-zone trust destination-zone dmz service http action permit 服务器负载均衡slb fw1
slb enableslb group 0 server metric roundrobin health-check type icmp rserver 1 rip 192.168.90.10 port 80 max-connection 10 description server1 rserver 2 rip 192.168.90.20 port 80 max-connection 20 description server2 rserver 3 rip 192.168.90.30 port 80 max-connection 30 description server3 action optimize vserver 0 web vip 0 100.100.100.5 vip 1 200.200.200.5 protocol http vport 80 group server fw2
slb enableslb group 0 server metric roundrobin health-check type icmp rserver 1 rip 192.168.90.10 port 80 max-connection 10 description server1 rserver 2 rip 192.168.90.20 port 80 max-connection 20 description server2 rserver 3 rip 192.168.90.30 port 80 max-connection 30 description server3 action optimize vserver 0 web vip 0 100.100.100.5 vip 1 200.200.200.5 protocol http vport 80 group server
基于对EPCS在线编程的FPGA可重构方法
快充标准将统一化,苹果会如何破局?
水系金属离子电池的溶剂化结构及其调控策略
华为新品发布会正式举办,一口气推出了多款可穿戴设备
TDA4851各引脚功能资料
如何使用华为ensp模拟器设计实现企业网络?
电池管理芯片的BMS三分天下格局分析
电阻来可以降低电压吗
意法半导体推出新STM32WB双核无线MCU实现超低功耗的实时性能
TD-SCDMA室内外协同覆盖及优化策略
EMI和EMS噪声的定义
现在是最好入手华为mate9的时间吗?华为mate10还未到,华为mate9已经将到最低价了
SK海力士非存储器半导体销售额增长 内存却下降
25G SFP 28 LR高性价比的光模块?
诺基亚贝尔与中国电信合作研发高铁5G模拟系统
英特尔表示把Modem芯片业务出售给苹果公司是高通造成的
关于日产可变压缩比涡轮增压MR20 DDT发动机性能介绍
利用多次回波技术的激光雷达实现雨雾穿透进行车辆测量
常用Linux命令总结
三极管元器件在现代电器中的重要性
拓扑图
网段划分 区域 vlan 网段
技术部 vlan 10 192.168.10.0/24
人事部 vlan 20 192.168.20.0/24
财务部 vlan 30 192.168.30.0/24
领导部门 vlan 40 192.168.40.0/24
来访客户 vlan 100 192.168.100.0/24
服务器dmz vlan 90 192.138.90.0/24
办公区 vlan+端口配置(二层) lsw1
vlan batch 10int e0/0/1 port link-type trunk port trunk allow-pass vlan 10int e0/0/2 port link-type trunk port trunk allow-pass vlan 10int e0/0/10 port link-type access port default vlan 10 lsw2
vlan batch 20int e0/0/1 port link-type trunk port trunk allow-pass vlan 20int e0/0/2 port link-type trunk port trunk allow-pass vlan 20int e0/0/10 port link-type access port default vlan 20 lsw3
vlan batch 30int e0/0/1 port link-type trunk port trunk allow-pass vlan 30int e0/0/2 port link-type trunk port trunk allow-pass vlan 30int e0/0/10 port link-type access port default vlan 30 lsw4
vlan batch 40int e0/0/1 port link-type trunk port trunk allow-pass vlan 40int e0/0/2 port link-type trunk port trunk allow-pass vlan 40int e0/0/10 port link-type access port default vlan 40 h_sw1
vlan batch 10 20 30 40int g0/0/1 port link-type trunk port trunk allow-pass vlan 10int g0/0/2 port link-type trunk port trunk allow-pass vlan 20int g0/0/3 port link-type trunk port trunk allow-pass vlan 30int g0/0/4 port link-type trunk port trunk allow-pass vlan 40 h_sw2
vlan batch 10 20 30 40int g0/0/1 port link-type trunk port trunk allow-pass vlan 10int g0/0/2 port link-type trunk port trunk allow-pass vlan 20int g0/0/3 port link-type trunk port trunk allow-pass vlan 30int g0/0/4 port link-type trunk port trunk allow-pass vlan 40 无线网络配置 h_sw1
vlan batch 100 1000int g0/0/5 port link-type trunk port trunk allow-pass vlan allint g0/0/6 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enableint vlanif 100 ip add 192.168.100.1 24 dhcp select interface dhcp server dns-list 8.8.8.8 h_sw2
vlan batch 100 1000int g0/0/5 port link-type trunk port trunk allow-pass vlan allint g0/0/6 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enable lsw5
vlan batch 100 1000int e0/0/1 port link-type trunk port trunk allow-pass vlan allint e0/0/2 port link-type trunk port trunk allow-pass vlan allint e0/0/10 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enable lsw6
vlan batch 100 1000int e0/0/1 port link-type trunk port trunk allow-pass vlan 100 1000int e0/0/2 port link-type trunk port trunk allow-pass vlan 100 1000int e0/0/10 port link-type trunk port trunk allow-pass vlan 100 1000 port trunk pvid vlan 1000dhcp enable ac
u t msyssysname acvlan batch 100 1000int g0/0/1 port link-type trunk port trunk allow-pass vlan 100 1000dhcp enableint vlanif 1000 ip add 192.168.101.1 24 dhcp select interfacecapwap source interface vlanif 1000wlan ap-group name ap-group1 regulatory-domain-profile default y quit ap auth-mode mac-auth ap-id 0 ap-mac 00e0-fc25-3910 ap-name area_1 ap-group ap-group1 y quit security-profile name wlan security wpa-wpa2 psk pass-phrase a1234567 aes quit ssid-profile name wlan ssid wlan quit vap-profile name wlan forward-mode direct-forward service-vlan vlan-id 100 security-profile wlan ssid-profile wlan quit ap-group name ap-group1 vap-profile wlan wlan 1 radio 0 vap-profile wlan wlan 1 radio 1 dhcp配置 h_sw1
dhcp enableip pool vlan10 gateway-list 192.168.10.254 network 192.168.10.0 mask 24 excluded-ip-address 192.168.10.1 192.168.10.10 excluded-ip-address 192.168.10.150 192.168.10.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 excluded-ip-address 192.168.20.1 192.168.20.10 excluded-ip-address 192.168.20.150 192.168.20.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 excluded-ip-address 192.168.30.1 192.168.30.10 excluded-ip-address 192.168.30.150 192.168.30.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan40 gateway-list 192.168.40.254 network 192.168.40.0 mask 255.255.255.0 excluded-ip-address 192.168.40.1 192.168.40.10 excluded-ip-address 192.168.40.150 192.168.40.253 dns-list 8.8.8.8 domain-name blue.comint vlanif10 ip add 192.168.10.1 255.255.255.0 dhcp select globalint vlanif20 ip add 192.168.20.1 255.255.255.0 dhcp select globalint vlanif30 ip add 192.168.30.1 255.255.255.0 dhcp select globalint vlanif40 ip add 192.168.40.1 255.255.255.0 dhcp select global h_sw2
dhcp enableip pool vlan10 gateway-list 192.168.10.254 network 192.168.10.0 mask 255.255.255.0 excluded-ip-address 192.168.10.1 192.168.10.149 excluded-ip-address 192.168.10.250 192.168.10.253 dns-list 8.8.8.8 domain-name blue.com ip pool vlan20 gateway-list 192.168.20.254 network 192.168.20.0 mask 255.255.255.0 excluded-ip-address 192.168.20.1 192.168.20.149 excluded-ip-address 192.168.20.250 192.168.20.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan30 gateway-list 192.168.30.254 network 192.168.30.0 mask 255.255.255.0 excluded-ip-address 192.168.30.1 192.168.30.149 excluded-ip-address 192.168.30.250 192.168.30.253 dns-list 8.8.8.8 domain-name blue.comip pool vlan40 gateway-list 192.168.40.254 network 192.168.40.0 mask 255.255.255.0 excluded-ip-address 192.168.40.1 192.168.40.149 excluded-ip-address 192.168.40.250 192.168.40.253 dns-list 8.8.8.8 domain-name blue.cominterface vlanif10 ip address 192.168.10.2 255.255.255.0 dhcp select globalinterface vlanif20 ip address 192.168.20.2 255.255.255.0 dhcp select globalinterface vlanif30 ip address 192.168.30.2 255.255.255.0 dhcp select globalinterface vlanif40 ip address 192.168.40.2 255.255.255.0 dhcp select global 在ip地址池创建的过程中,使用了excluded-ip-address命令,使得在主备交换机切换时分配的地址池相互排除,防止主备交换机切换后出现ip地址分配冲突导致网络故障。
vrrp配置 h_sw1
int vlanif10 vrrp vrid 10 virtual-ip 192.168.10.254 vrrp vrid 10 priority 105int vlanif20 vrrp vrid 20 virtual-ip 192.168.20.254 vrrp vrid 20 priority 105int vlanif30 vrrp vrid 30 virtual-ip 192.168.30.254int vlanif40 vrrp vrid 40 virtual-ip 192.168.40.254 h_sw2
int vlanif10vrrp vrid 10 virtual-ip 192.168.10.254int vlanif20vrrp vrid 20 virtual-ip 192.168.20.254int vlanif30vrrp vrid 30 virtual-ip 192.168.30.254vrrp vrid 30 priority 105int vlanif40vrrp vrid 40 virtual-ip 192.168.40.254vrrp vrid 40 priority 105 stp配置 lsw1
stp region-configuration region-name blue_mstp revision-level 1 instance 10 vlan 10 active region-configurationint e0/0/10 stp edged-port enable lsw2
stp region-configuration region-name blue_mstp revision-level 1 instance 10 vlan 10 active region-configurationint e0/0/10 stp edged-port enable lsw3
stp region-configuration region-name blue_mstp revision-level 1 instance 30 vlan 30 active region-configuration quitint e0/0/10 stp edged-port enable lsw4
stp region-configuration region-name blue_mstp revision-level 1 instance 40 vlan 40 active region-configurationint e0/0/10 stp edged-port enable h_sw1
stp instance 12 root primarystp instance 34 root secondarystp region-configuration region-name blue_mstp revision-level 1 instance 12 vlan 10 20 instance 34 vlan 30 40 active region-configurationint g0/0/11 stp disableint g0/0/12 stp disable h_sw2
stp instance 12 root secondarystp instance 34 root primarystp region-configuration region-name blue_mstp revision-level 1 instance 12 vlan 10 20 instance 34 vlan 30 40 active region-configurationint g0/0/11 stp disableint g0/0/12 stp disable acl配置 h_sw1
acl number 3002rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255int g0/0/5 traffic-filter inbound acl 3002 h_sw2
acl number 3002rule 5 deny ip source 192.168.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255int g0/0/5 traffic-filter inbound acl 3002 lacp配置 lacp链路聚合,链路聚合的原理是将一组相同属性的物理接口捆绑在一起为一个逻辑接口来增加带宽和可靠性的一种方法。有以下优势: 增加带宽、提高冗余(提高可靠性)、负载分担、节省成本、配置量小 1.增加带宽:链路聚合接口的最大带宽可以达到各个成员接口带宽之和。 2提高冗余:当某条路线出现故障的时候,流量可以切到其他可用的成员链路上。流量会切到其他可用链路上,从而提高链路聚合接口的冗余性。并不会影响数据的传输,相对来说也具有稳定性。 3负载分担:在一个链路聚合组内,可以实现在各成员活动链路上的负载分担。 4节省成本:管理员不需要升级链路速度,对已有的接口进行捆绑。 5配置量小:大部分的配置在组eth-trunk下完成。 主要的优势是能增加带宽、提高可靠性和负载分担。
h_sw1
lacp priority 100int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/13 eth-trunk 1 lacp priority 100int g0/0/14 eth-trunk 1 h_sw2
int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/13 eth-trunk 1int g0/0/14 eth-trunk 1 ospf配置 lsw1
int loopback0 ip add 192.168.1.1 32 lsw2
interface loopback0 ip address 192.168.2.2 255.255.255.255 lsw3
interface loopback0 ip address 192.168.3.3 255.255.255.255 lsw4
interface loopback0 ip address 192.168.4.4 255.255.255.255 h_sw1
int loopback 0 ip add 192.168.5.5 32ospf 10 router-id 192.168.5.5 silent-interface vlanif10 silent-interface vlanif20 silent-interface vlanif30 silent-interface vlanif40 area 0 network 192.168.5.5 0.0.0.0 network 192.168.10.1 0.0.0.0 network 192.168.20.1 0.0.0.0 network 192.168.30.1 0.0.0.0 network 192.168.40.1 0.0.0.0 network 192.168.25.5 0.0.0.0 network 192.168.35.5 0.0.0.0 network 192.168.100.1 0.0.0.0 h_sw2
interface loopback0 ip address 192.168.6.6 255.255.255.255 ospf 10 router-id 192.168.6.6 silent-interface vlanif10 silent-interface vlanif20 silent-interface vlanif30 silent-interface vlanif40 area 0.0.0.0 network 192.168.6.6 0.0.0.0 network 192.168.10.2 0.0.0.0 network 192.168.20.2 0.0.0.0 network 192.168.30.2 0.0.0.0 network 192.168.40.2 0.0.0.0 network 192.168.24.6 0.0.0.0 network 192.168.36.6 0.0.0.0 network 192.168.100.2 0.0.0.0 核心层 vlan划分+配置端口 核心交换机 c_sw1
vlan batch 22 to 25int g0/0/1 port link-type access port default vlan 25 stp disableint g0/0/2 port link-type access port default vlan 24 stp disableint g0/0/11 port link-type access port default vlan 22 stp disableint g0/0/12 port link-type access port default vlan 23 stp disableinterface vlanif22 ip address 192.168.22.7 255.255.255.0 interface vlanif23 ip address 192.168.23.7 255.255.255.0 interface vlanif24 ip address 192.168.24.7 255.255.255.0 interface vlanif25 ip address 192.168.25.7 255.255.255.0 c_sw2
vlan batch 33 to 36 44 55int g0/0/1 port link-type access port default vlan 35 stp disableint g0/0/2 port link-type access port default vlan 36 stp disableint g0/0/11 port link-type access port default vlan 34 stp disableint g0/0/12 port link-type access port default vlan 33 stp disableinterface vlanif33 ip address 192.168.33.8 255.255.255.0 interface vlanif34 ip address 192.168.34.8 255.255.255.0 interface vlanif35 ip address 192.168.35.8 255.255.255.0 interface vlanif36 ip address 192.168.36.8 255.255.255.0 interface vlanif44 ip address 192.168.44.8 255.255.255.0 interface vlanif55 ip address 192.168.55.8 255.255.255.0 汇聚层连接核心交换机 h_sw1
vlan batch 25 35int g0/0/11 port link-type access port default vlan 25 stp disableint g0/0/12 port link-type access port default vlan 35 stp disable int vlanif25 ip add 192.168.25.5 24int vlanif35 ip add 192.168.35.5 24 h_sw2
vlan batch 24 36int g0/0/11 port link-type access port default vlan 24 stp disableint g0/0/12 port link-type access port default vlan 36 stp disableint vlanif24 ip add 192.168.24.6 24int vlanif36 ip add 192.168.36.6 24 stp配置 c_sw1
int g0/0/1 stp disableint g0/0/2 stp disableint g0/0/11 stp disableint g0/0/12 stp disable c_sw2
int g0/0/1 stp disableint g0/0/2 stp disableint g0/0/11 stp disableint g0/0/12 stp disable lacp链路聚合 c_sw1
lacp priority 100int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/3 eth-trunk 1 lacp priority 100int g0/0/4 eth-trunk 1 c_sw2
int eth-trunk1 port link-type trunk port trunk allow-pass vlan 10 20 30 40 mode lacp-static load-balance src-dst-macint g0/0/3 eth-trunk 1int g0/0/4 eth-trunk 1 ospf配置 c_sw1
interface loopback0 ip address 192.168.7.7 255.255.255.255 ospf 10 router-id 192.168.7.7 area 0.0.0.0 network 192.168.7.7 0.0.0.0 network 192.168.22.7 0.0.0.0 network 192.168.23.7 0.0.0.0 network 192.168.44.7 0.0.0.0 network 192.168.55.7 0.0.0.0 network 192.168.24.7 0.0.0.0 network 192.168.25.7 0.0.0.0 c_sw2
interface loopback0 ip address 192.168.8.8 255.255.255.255ospf 10 router-id 192.168.8.8 area 0.0.0.0 network 192.168.8.8 0.0.0.0 network 192.168.33.8 0.0.0.0 network 192.168.34.8 0.0.0.0 network 192.168.35.8 0.0.0.0 network 192.168.36.8 0.0.0.0 network 192.168.44.8 0.0.0.0 network 192.168.55.8 0.0.0.0 防火墙 基本配置 fw1
用户名:admin原始密码:admin@123密码:p@ssw0rd新密码:blue@123undo terminal monitorlanguage-mode chinesesyssysname fw1#配置连接防火墙web的接口,ip为虚拟网络对应网段的地址int g0/0/0 undo ip add 192.168.0.1 24 ip add 192.168.94.2 24 service-manage all permit fw2
用户名:admin原始密码:admin@123密码:p@ssw0rd新密码:blue@123undo terminal monitorlanguage-mode chinesesyssysname fw2int g0/0/0 undo ip add 192.168.0.1 24 ip add 192.168.94.3 24 service-manage all permit 规划网段 fw1
int g1/0/0 undo shutdown ip add 192.168.90.1 255.255.255.0 int g1/0/1 undo shutdown ip add 192.168.22.1 255.255.255.0 service-manage all permitint g1/0/2 undo shutdown ip add 192.168.34.1 255.255.255.0int g1/0/3 undo shutdownint g1/0/4 undo shutdownint g1/0/5 undo shutdown ip address 100.100.100.1 255.255.255.0 service-manage ping permitint g1/0/6 undo shutdown ip add 200.200.200.1 255.255.255.0 service-manage ping permit fw2
int g1/0/0 undo shutdown ip add 192.168.90.2 255.255.255.0int g1/0/1 undo shutdown ip add 192.168.23.1 255.255.255.0 service-manage all permitint g1/0/2 undo shutdown ip add 192.168.33.1 255.255.255.0int g1/0/3 undo shutdownint g1/0/4 undo shutdownint g1/0/5 undo shutdown ip address 100.100.100.2 255.255.255.0 service-manage ping permitint g1/0/6 undo shutdown ip add 200.200.200.2 255.255.255.0 lacp链路聚合 fw1
int eth-trunk2 ip add 192.168.2.1 255.255.255.0 mode lacp-static int g1/0/3 eth-trunk 2int g1/0/4 eth-trunk 2 fw2
int eth-trunk2 ip add 192.168.2.2 255.255.255.0 mode lacp-staticint g1/0/3 eth-trunk 2int g1/0/4 eth-trunk 2 规划安全区域 根据拓扑,将接口划入对应的安全区域
注意:两个防火墙之间的心跳接口要必须放进信任区域
fw1
firewall zone trust add int g1/0/1 add int g1/0/2firewall zone dmz add int g1/0/0firewall zone name heart id 4 set priority 75 add int eth-trunk2firewall zone name isp1 id 5 set priority 20 add int g1/0/5firewall zone name isp2 id 6 set priority 15 add int g1/0/6 fw2
firewall zone trust add int g1/0/1 add int g1/0/2firewall zone dmz add int g1/0/0firewall zone name heart id 4 set priority 75 add int eth-trunk2firewall zone name isp1 id 5 set priority 15 add int g1/0/5firewall zone name isp2 id 6 set priority 20 add int g1/0/6 指定链路接口组名称 fw1
isp name china mobile linkif-group 63 isp name china unicom linkif-group 62 isp name china telecom linkif-group 61 isp name china educationnet linkif-group 60 fw2
isp name china mobile linkif-group 63 isp name china unicom linkif-group 62 isp name china telecom linkif-group 61 isp name china educationnet linkif-group 60 安全策略精要 bgp、bfd、dhcp、dhcpv6、ldp和ospf是否受安全策略控制,由基础协议控制开关(firewall packet-filter basic-protocol enable)决定。
fw1
firewall packet-filter basic-protocol enablefirewall defend port-scan enablefirewall defend ip-sweep enablefirewall defend teardrop enablefirewall defend time-stamp enablefirewall defend route-record enablefirewall defend source-route enablefirewall defend ip-fragment enablefirewall defend tcp-flag enablefirewall defend winnuke enablefirewall defend fraggle enablefirewall defend tracert enablefirewall defend icmp-unreachable enablefirewall defend icmp-redirect enablefirewall defend large-icmp enablefirewall defend ping-of-death enablefirewall defend smurf enablefirewall defend land enablefirewall defend ip-spoofing enable fw2
firewall packet-filter basic-protocol enablefirewall defend port-scan enablefirewall defend ip-sweep enablefirewall defend teardrop enablefirewall defend time-stamp enablefirewall defend route-record enablefirewall defend source-route enablefirewall defend ip-fragment enablefirewall defend tcp-flag enablefirewall defend winnuke enablefirewall defend fraggle enablefirewall defend tracert enablefirewall defend icmp-unreachable enablefirewall defend icmp-redirect enablefirewall defend large-icmp enablefirewall defend ping-of-death enablefirewall defend smurf enablefirewall defend land enablefirewall defend ip-spoofing enable 安全策略配置 fw1
security-policy #管理区 rule name trust_local description management source-zone trust destination-zone local action permit fw2
security-policy #管理区 rule name trust_local description management source-zone trust destination-zone local action permit 配置ip-link fw1
ip-link check enableip-link name isp1 destination 100.100.100.100 interface gigabitethernet1/0/5 mode icmpip-link name isp2 destination 200.200.200.200 interface gigabitethernet1/0/6 mode icmp #安全策略配置security-policy rule name local_isp description ip-link source-zone local destination-zone isp1 destination-zone isp2 action permit fw2
ip-link check enableip-link name isp1 destination 100.100.100.100 interface gigabitethernet1/0/5 mode icmpip-link name isp2 destination 200.200.200.200 interface gigabitethernet1/0/6 mode icmp #安全策略配置security-policy rule name local_isp description ip-link source-zone local destination-zone isp1 destination-zone isp2 action permit 配置静态路由 fw1
ip route-static 0.0.0.0 0.0.0.0 100.100.100.100 preference 50 track ip-link isp1ip route-static 0.0.0.0 0.0.0.0 200.200.200.200 preference 50ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/5 100.100.100.100ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/6 200.200.200.200ip route-static 10.20.100.0 255.255.255.0 null0 fw2
ip route-static 0.0.0.0 0.0.0.0 100.100.100.100ip route-static 0.0.0.0 0.0.0.0 200.200.200.200 preference 50ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/5 100.100.100.100ip route-static 10.20.100.0 255.255.255.0 gigabitethernet1/0/6 200.200.200.200ip route-static 10.20.100.0 255.255.255.0 null0 配置ospf动态路由 步骤一:配置动态路由
fw1
interface loopback0 ip address 192.168.11.11 255.255.255.255ospf 10 router-id 192.168.11.11 default-route-advertise area 0.0.0.0 network 192.168.11.11 0.0.0.0 network 192.168.22.1 0.0.0.0 network 192.168.34.1 0.0.0.0 network 192.168.90.1 0.0.0.0 fw2
interface loopback0 ip address 192.168.22.22 255.255.255.255ospf 10 router-id 192.168.22.22 default-route-advertise area 0.0.0.0 network 192.168.22.22 0.0.0.0 network 192.168.23.1 0.0.0.0 network 192.168.33.1 0.0.0.0 network 192.168.90.2 0.0.0.0 步骤二:配置安全策略
fw1
security-policy rule name local_trust description ospf source-zone local destination-zone trust action permit fw2
security-policy rule name local_trust description ospf source-zone local destination-zone trust action permit 双机热备 步骤1:配置vrrp备份组 主设备:fw1
int g1/0/5 vrrp vrid 1 virtual-ip 100.100.100.5 active vrrp virtual-mac enableint g1/0/6 vrrp vrid 2 virtual-ip 200.200.200.5 standby vrrp virtual-mac enable 备份设备:fw2
int g1/0/5 vrrp vrid 1 virtual-ip 100.100.100.5 standby vrrp virtual-mac enableint g1/0/6 vrrp vrid 2 virtual-ip 200.200.200.5 active vrrp virtual-mac enable 步骤2:开启hrp协议,并配置心跳接口和会话备份功能 fw1
hrp enablehrp int eth-trunk2 remote 192.168.2.2hrp mirror session enablehrp standby config enable fw2
hrp enablehrp int eth-trunk2 remote 192.168.2.1hrp mirror session enablehrp standby config enable 步骤3:配置安全策列 是内网用户可以访问服务器和外网用户;外网用户只能访问服务器。注意:只需要配置master即可,backup设备不用配置,配置命令会自动从主设备备份到备份设备。
fw1
security-policy rule name heart source-zone heart source-zone local destination-zone heart destination-zone local action permit fw2
security-policy default action permit rule name heart source-zone heart source-zone local destination-zone heart destination-zone local action permit nat配置 定义转换的ip地址范围 fw1
ip address-set web_ip type object address 0 100.100.100.5 mask 32 address 1 200.200.200.5 mask 32ip address-set pc type object address 0 192.168.10.0 mask 24 address 1 192.168.20.0 mask 24 address 2 192.168.30.0 mask 24 address 3 192.168.40.0 mask 24 来源:网络技术干货圈 fw2
ip address-set web_ip type object address 0 100.100.100.5 mask 32 address 1 200.200.200.5 mask 32ip address-set pc type object address 0 192.168.10.0 mask 24 address 1 192.168.20.0 mask 24 address 2 192.168.30.0 mask 24 address 3 192.168.40.0 mask 24 配置安全策略 fw1
security-policy rule name trust_isp description nat source-zone trust destination-zone isp1 destination-zone isp2 source-address address-set pc action permit fw2
security-policy rule name trust_isp description nat source-zone trust destination-zone isp1 destination-zone isp2 source-address address-set pc action permit 配置nat策略 fw1
nat address-group isp1 0 mode pat section 0 100.100.100.1 100.100.100.2nat address-group isp2 1 mode pat section 0 200.200.200.1 200.200.200.2nat-policy rule name no_nat_isp1 source-zone trust destination-zone isp1 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name no_nat_isp2 source-zone trust destination-zone isp2 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name nat_isp1 source-zone trust destination-zone isp1 action source-nat address-group isp1 rule name nat_isp2 source-zone trust destination-zone isp2 action source-nat address-group isp2 fw2
nat address-group isp1 0 mode pat section 0 100.100.100.1 100.100.100.2nat address-group isp2 1 mode pat section 0 200.200.200.1 200.200.200.2nat-policy rule name no_nat_isp1 source-zone trust destination-zone isp1 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name no_nat_isp2 source-zone trust destination-zone isp2 source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 destination-address 10.20.0.0 mask 255.255.0.0 action no-nat rule name nat_isp1 source-zone trust destination-zone isp1 action source-nat address-group isp1 rule name nat_isp2 source-zone trust destination-zone isp2 action source-nat address-group isp2 snmp配置 fw1
snmp-agent session-rate trap threshold 100 fw2
snmp-agent session-rate trap threshold 100 ipsec配置 步骤一:配置acl fw1
acl number 3000 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255 acl number 3001 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255 fw2
acl number 3000 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255acl number 3001 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 10.20.100.0 0.0.0.255 步骤二:配置ipsec proposal 这是ike阶段二的策略,在阶段二的策略中安全协议采用esp,加密算法使用aes-256,验证算法使用sha2-256
fw1
ipsec proposal prop23101638529 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 ipsec proposal prop23101639469 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 fw2
ipsec proposal prop23101638529 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 ipsec proposal prop23101639469 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 步骤三:配置ike proposal 配置ike proposal,这是ike阶段一的策略,在fw1/fw2上部署的相关策略均需与fw3相匹配。ike阶段一的策略中,身份验证使用的是预共享的认证方式,验证算法使用的是sha2-256,加密算法使用aes-256
fw1
ike proposal 1 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 ike proposal 2 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 fw2
ike proposal 1 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 ike proposal 2 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 步骤四:配置ike peer 定义预共享秘钥、关联ike proposal并指定隧道对端节点ip
fw1
ike peer ike231016385293 exchange-mode auto pre-shared-key 123.abc ike-proposal 1 local-id-type fqdn remote-id-type none local-id c1 dpd type periodic ike negotiate compatibleike peer ike231016394699 exchange-mode auto pre-shared-key 123.abc ike-proposal 2 local-id-type fqdn remote-id-type none local-id c2 dpd type periodic ike negotiate compatible fw2
ike peer ike231016385293 exchange-mode auto pre-shared-key 123.abc ike-proposal 1 local-id-type fqdn remote-id-type none local-id c1 dpd type periodic ike negotiate compatibleike peer ike231016394699 exchange-mode auto pre-shared-key 123.abc ike-proposal 2 local-id-type fqdn remote-id-type none local-id c2 dpd type periodic ike negotiate compatible 步骤五:配置ipsec policy 创建ipsec policy,绑定ipsec proposal、ike peer、acl感兴趣流、配置本地站点地址。
fw1
ipsec policy-template tpl231016385293 1 security acl 3000 ike-peer ike231016385293 proposal prop23101638529 tunnel local 100.100.100.5 alias ipsec-1 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamic ipsec policy-template tpl231016394699 1 security acl 3001 ike-peer ike231016394699 proposal prop23101639469 tunnel local 200.200.200.5 alias ipsec-2 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamicipsec policy ipsec2310163852 10000 isakmp template tpl231016385293ipsec policy ipsec2310163946 10000 isakmp template tpl231016394699 fw2
ipsec policy-template tpl231016385293 1 security acl 3000 ike-peer ike231016385293 proposal prop23101638529 tunnel local 100.100.100.5 alias ipsec-1 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamicipsec policy-template tpl231016394699 1 security acl 3001 ike-peer ike231016394699 proposal prop23101639469 tunnel local 200.200.200.5 alias ipsec-2 sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamicipsec policy ipsec2310163852 10000 isakmp template tpl231016385293ipsec policy ipsec2310163946 10000 isakmp template tpl231016394699 步骤六:应用ipsec policy到接口 fw1
int g1/0/5ipsec policy ipsec2310163852 masterint g1/0/6ipsec policy ipsec2310163946 slave fw2
int g1/0/5ipsec policy ipsec2310163852 slaveint g1/0/6ipsec policy ipsec2310163946 master 步骤七:配置策略 fw1
#基于策略路由policy-based-route rule name trust_dmz 1 source-zone trust destination-address address-set web_ip action pbr next-hop 192.168.90.3 rule name isp1 2 source-zone trust source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/5 next-hop 100.100.100.100 rule name isp2 3 source-zone trust source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/6 next-hop 200.200.200.200#安全策略配置security-policy rule name isp_local description ipsec source-zone isp1 source-zone isp2 destination-zone local destination-address 100.100.100.5 mask 255.255.255.255 destination-address 200.200.200.5 mask 255.255.255.255 action permit rule name isp_trust description vpn source-zone isp1 source-zone isp2 destination-zone trust destination-address 192.168.0.0 mask 255.255.0.0 action permit fw2
#基于策略路由policy-based-route rule name trust_dmz 1 source-zone trust destination-address address-set web_ip action pbr next-hop 192.168.90.3 rule name isp1 2 source-zone trust source-address 192.168.10.0 mask 255.255.255.0 source-address 192.168.20.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/5 next-hop 100.100.100.100 rule name isp2 3 source-zone trust source-address 192.168.30.0 mask 255.255.255.0 source-address 192.168.40.0 mask 255.255.255.0 action pbr egress-interface gigabitethernet1/0/6 next-hop 200.200.200.200 #安全策略配置security-policy rule name isp_local description ipsec source-zone isp1 source-zone isp2 destination-zone local destination-address 100.100.100.5 mask 255.255.255.255 destination-address 200.200.200.5 mask 255.255.255.255 action permit rule name isp_trust description vpn source-zone isp1 source-zone isp2 destination-zone trust destination-address 192.168.0.0 mask 255.255.0.0 action permit l2tp配置 打开防火墙的web界面,依次选择 对象->用户->default,然后新建一个用于登录l2tp vpn的用户,再点击应用。
fw1
l2tp enableaaa service-scheme webserverscheme1649076535499 quit domain default service-scheme webserverscheme1649076535499 service-type l2tp ike internet-access mode password reference user current-domain manager-user password-modify enable manager-user audit-admin password cipher blue@123 service-type web terminal level 15 l2tp-group 1tunnel password cipher blue@123tunnel name lnsallow l2tp virtual-template 1 remote l2tp-client domain defaultinterface virtual-template0 ppp authentication-mode chap y remote address 172.16.1.10 ip address 172.16.1.1 255.255.255.0 service-manage ping permit 路由配置 接口配置地址 isp
int g0/0/1 ip add 10.10.100.3 24int g0/0/2 ip add 10.10.200.3 24int g0/0/3 ip add 150.150.150.1 24int e0/0/0 ip add 8.8.8.1 24int e0/0/1 ip add 192.168.94.50 24 isp_1
int g0/0/1 ip add 100.100.100.100 24int g0/0/2 ip add 10.10.100.1 24 isp_2
int g0/0/1 ip add 200.200.200.200 24int g0/0/2 ip add 10.10.200.2 24 配置is-is isp
int loopback 0 ip add 3.3.3.3 32isis 26 network-entity 49.0010.0030.0300.3003.00 is-level level-2 cost-style wide log-peer-change topologyint g0/0/1 isis enable 26int g0/0/2 isis enable 26int g0/0/3 isis enable 26int e0/0/0 isis enable 26int e0/0/1 isis enable 26int loopback 0 isis enable 26 isp_1
int loopback 0 ip add 1.1.1.1 32isis 26 is-level level-2 cost-style wide network-entity 49.0010.0010.0100.1001.00 log-peer-change topologyint g0/0/1 isis enable 26int g0/0/2 isis enable 26int loopback 0 isis enable 26 isp_2
int loopback 0 ip add 2.2.2.2 32isis 26 is-level level-2 cost-style wide network-entity 49.0010.0020.0200.2002.00 log-peer-change topologyint g0/0/1 isis enable 26int g0/0/2 isis enable 26int loopback 0 isis enable 26 子公司配置 防火墙 初始化配置 用户名:admin原始密码:admin@123密码:blue@123undo terminal monitorlanguage-mode chinesesyssysname fw3int g0/0/0undo ip add 192.168.0.1 24ip add 192.168.94.4 24service-manage all permit 规划网段 int g1/0/0 undo shutdown ip add 150.150.150.150 255.255.255.0 service-manage ping permitint g1/0/1 undo shutdown ip add 10.20.100.254 255.255.255.0 service-manage ping permit #创建tunnel接口并绑定接口int tunnel1 ip add unnumbered int g1/0/0 alias tunnel1 service-manage ping permit int tunnel2 ip add unnumbered int g1/0/0 alias tunnel2 service-manage ping permit 规划安全区域 firewall zone trust add interface gigabitethernet1/0/1firewall zone untrust add interface gigabitethernet1/0/0 add interface tunnel1 add interface tunnel2 指定链路接口组名称 isp name china mobile linkif-group 63isp name china unicom linkif-group 62isp name china telecom linkif-group 61isp name china educationnet linkif-group 60 安全策略配置 #基础协议控制开关firewall packet-filter basic-protocol enable#安全策略security-policy rule name trust_untrust source-zone trust destination-zone untrust action permit 配置ip-link ip-link check enableip-link name link_100 destination 100.100.100.5 interface gigabitethernet1/0/1 mode icmp ip-link name link_200 destination 200.200.200.5 interface gigabitethernet1/0/1 mode icmp 配置静态路由 ip route-static 0.0.0.0 0.0.0.0 150.150.150.1ip route-static 192.168.0.0 255.255.0.0 null0ip route-static 192.168.10.0 255.255.255.0 tunnel1 preference 10 track ip-link link_100ip route-static 192.168.10.0 255.255.255.0 tunnel2 preference 20ip route-static 192.168.20.0 255.255.255.0 tunnel1 preference 10 track ip-link link_100ip route-static 192.168.20.0 255.255.255.0 tunnel2 preference 20ip route-static 192.168.30.0 255.255.255.0 tunnel2 preference 10 track ip-link link_200ip route-static 192.168.30.0 255.255.255.0 tunnel1 preference 20ip route-static 192.168.40.0 255.255.255.0 tunnel2 preference 10 track ip-link link_200ip route-static 192.168.40.0 255.255.255.0 tunnel1 preference 20 nat配置 #配置nat策略nat-policy rule name no_nat source-zone trust destination-zone untrust source-address 10.20.100.0 mask 255.255.255.0 destination-address 192.168.0.0 mask 255.255.0.0 action no-nat rule name nat source-zone trust destination-zone untrust action source-nat easy-ip 配置ipsec vpn 步骤一:配置acl
acl number 3000 rule 5 permit ip source 10.20.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 acl number 3001 rule 5 permit ip source 10.20.100.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 步骤二:配置ipsec proposal
ipsec proposal prop23101712198 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 ipsec proposal prop23101713129 encapsulation-mode auto esp authentication-algorithm sha2-256 esp encryption-algorithm aes-256 步骤三:配置ike proposal
ike proposal 1 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 ike proposal 2 encryption-algorithm aes-256 dh group14 authentication-algorithm sha2-256 authentication-method pre-share integrity-algorithm hmac-sha2-256 prf hmac-sha2-256 步骤四:配置ike peer
ike peer ike231017121983 exchange-mode auto pre-shared-key 123.abc ike-proposal 1 local-id-type fqdn remote-id-type none local-id br1 dpd type periodic remote-address 100.100.100.5 ike peer ike231017131292 exchange-mode auto pre-shared-key 123.abc ike-proposal 2 local-id-type fqdn remote-id-type none local-id br2 dpd type periodic remote-address 200.200.200.5 步骤五:配置ipsec policy
ipsec policy ipsec2310171219 1 isakmp security acl 3000 ike-peer ike231017121983 proposal prop23101712198 tunnel local applied-interface alias ipsec-1 sa trigger-mode auto sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamic ipsec policy ipsec2310171312 1 isakmp security acl 3001 ike-peer ike231017131292 proposal prop23101713129 tunnel local applied-interface alias ipsec-2 sa trigger-mode auto sa duration traffic-based 10485760 sa duration time-based 3600 route inject dynamic 步骤六:应用ipsec policy到接口
int tunnel1 tunnel-protocol ipsec ipsec policy ipsec2310171219int tunnel2 tunnel-protocol ipsec ipsec policy ipsec2310171312 步骤七:配置策略
security-policy rule name local_untrust description ipsec upd500 source-zone local destination-zone untrust destination-address 100.100.100.5 mask 255.255.255.255 destination-address 200.200.200.5 mask 255.255.255.255 action permit rule name untrust_local description ipsec_esp source-zone untrust destination-zone local source-address 100.100.100.5 mask 255.255.255.255 source-address 200.200.200.5 mask 255.255.255.255 action permit rule name untrust_trust description vpn source-zone untrust destination-zone trust source-address 192.168.0.0 mask 255.255.0.0 destination-address 10.20.100.0 mask 255.255.255.0 action permit 服务区域dmz vlan+端口配置 lsw9
vlan batch 90int vlanif90ip address 192.168.90.3 255.255.255.0int g0/0/11port link-type accessport default vlan 90int g0/0/12port link-type accessport default vlan 90int g0/0/13port link-type accessport default vlan 90int g0/0/1port link-type accessport default vlan 90int g0/0/2port link-type accessport default vlan 90 ospf配置 lsw9
int loopback 0 ip add 192.168.9.9 32ospf 10 router-id 192.168.9.9 default-route-advertise area 0.0.0.0 network 192.168.9.9 0.0.0.0 network 192.168.90.3 0.0.0.0 安全策略配置 fw1
#外网访问服务、防火墙到服务器、内网访问服务
security-policy rule name isp_dmz description www source-zone isp1 source-zone isp2 destination-zone dmz destination-address address-set web_ip service dns service ftp service http service icmp long-link enable long-link aging-time 10 action permit rule name local_dmz description ospf source-zone local destination-zone dmz destination-address 192.168.90.0 mask 255.255.255.0 service icmp action permit rule name trust_dmz source-zone trust destination-zone dmz service http action permit fw2
security-policy rule name isp_dmz description www source-zone isp1 source-zone isp2 destination-zone dmz destination-address address-set web_ip service dns service ftp service http service icmp long-link enable long-link aging-time 10 action permit rule name local_dmz description ospf source-zone local destination-zone dmz destination-address 192.168.90.0 mask 255.255.255.0 service icmp action permit rule name trust_dmz source-zone trust destination-zone dmz service http action permit 服务器负载均衡slb fw1
slb enableslb group 0 server metric roundrobin health-check type icmp rserver 1 rip 192.168.90.10 port 80 max-connection 10 description server1 rserver 2 rip 192.168.90.20 port 80 max-connection 20 description server2 rserver 3 rip 192.168.90.30 port 80 max-connection 30 description server3 action optimize vserver 0 web vip 0 100.100.100.5 vip 1 200.200.200.5 protocol http vport 80 group server fw2
slb enableslb group 0 server metric roundrobin health-check type icmp rserver 1 rip 192.168.90.10 port 80 max-connection 10 description server1 rserver 2 rip 192.168.90.20 port 80 max-connection 20 description server2 rserver 3 rip 192.168.90.30 port 80 max-connection 30 description server3 action optimize vserver 0 web vip 0 100.100.100.5 vip 1 200.200.200.5 protocol http vport 80 group server
基于对EPCS在线编程的FPGA可重构方法
快充标准将统一化,苹果会如何破局?
水系金属离子电池的溶剂化结构及其调控策略
华为新品发布会正式举办,一口气推出了多款可穿戴设备
TDA4851各引脚功能资料
如何使用华为ensp模拟器设计实现企业网络?
电池管理芯片的BMS三分天下格局分析
电阻来可以降低电压吗
意法半导体推出新STM32WB双核无线MCU实现超低功耗的实时性能
TD-SCDMA室内外协同覆盖及优化策略
EMI和EMS噪声的定义
现在是最好入手华为mate9的时间吗?华为mate10还未到,华为mate9已经将到最低价了
SK海力士非存储器半导体销售额增长 内存却下降
25G SFP 28 LR高性价比的光模块?
诺基亚贝尔与中国电信合作研发高铁5G模拟系统
英特尔表示把Modem芯片业务出售给苹果公司是高通造成的
关于日产可变压缩比涡轮增压MR20 DDT发动机性能介绍
利用多次回波技术的激光雷达实现雨雾穿透进行车辆测量
常用Linux命令总结
三极管元器件在现代电器中的重要性