Bypass-mode load-sharing networking scenario

1. Topology

2. Configuration steps

Switching network (VRRP + MSTP)

sw3:

VLAN configuration

[sw3]vlan batch 2 3 

interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
 

interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 3

STP configuration

[sw3]stp enable     
[sw3]stp mode mstp 
[sw3]stp region-configuration 
[sw3-mst-region]region-name a
[sw3-mst-region]instance 1 vlan 2
[sw3-mst-region]instance 2 vlan 3
[sw3-mst-region]active region-configuration 
[sw3]stp instance 0 root primary
[sw3]stp instance 1 root primary
[sw3]stp instance 2 root secondary

VRRP configuration

[sw3]interface Vlanif 2
[sw3-Vlanif2]ip address 192.168.2.1 24
[sw3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[sw3-Vlanif2]vrrp vrid 1 priority 120
[sw3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20
[sw3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[sw3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet  0/0/2 reduced 15
[sw3]interface Vlanif 3
[sw3-Vlanif3]ip add 192.168.3.1 24
[sw3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
sw4:

VLAN configuration

[sw4]vlan  batch 2 3
[sw4]interface GigabitEthernet 0/0/3
[sw4-GigabitEthernet0/0/3]port link-type trunk 
[sw4-GigabitEthernet0/0/3]port trunk  allow-pass vlan 2 3

[sw4-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[sw4-GigabitEthernet0/0/4]port link-type trunk
[sw4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3

STP configuration

[sw4]stp enable     
[sw4]stp mode mstp 
[sw4]stp region-configuration 
[sw4-mst-region]region-name a    
[sw4-mst-region]instance 1 vlan 2    
[sw4-mst-region]instance 2 vlan 3
[sw4-mst-region]active region-configuration 
[sw4]stp instance 1 root secondary     
[sw4]stp instance 2 root primary 
[sw4]stp instance 0 root primary 
VRRP configuration

[sw4]interface Vlanif 2
[sw4-Vlanif2]ip add 192.168.2.2 24
[sw4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[sw4]interface Vlanif 3
[sw4-Vlanif3]ip address 192.168.3.2 24
[sw4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[sw4-Vlanif3]vrrp vrid 1 priority 120
[sw4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[sw4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[sw4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
sw5:

VLAN configuration

[sw5]vlan batch 2 3

[sw5]interface GigabitEthernet 0/0/3
[sw5-GigabitEthernet0/0/3]port link-type access 
[sw5-GigabitEthernet0/0/3]port default vlan 2

[sw5-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[sw5-GigabitEthernet0/0/4]port link-type access
[sw5-GigabitEthernet0/0/4]port default vlan 3

[sw5-GigabitEthernet0/0/4]interface GigabitEthernet 0/0/1
[sw5-GigabitEthernet0/0/1]port link-type trunk     
[sw5-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3

[sw5-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw5-GigabitEthernet0/0/2]port link-type trunk
[sw5-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 3

STP configuration

[sw5]stp mode mstp 
[sw5]stp enable
[sw5]stp region-configuration 
[sw5-mst-region]region-name a
[sw5-mst-region]instance 1 vlan 2
[sw5-mst-region]instance 2 vlan 3
[sw5-mst-region]active region-configuration 
Testing

Aggregation-to-core routing configuration

VLAN and interface configuration

sw3

[sw3]vlan batch 13 23
    
[sw3]interface GigabitEthernet 0/0/1
[sw3-GigabitEthernet0/0/1]port link-type access     
[sw3-GigabitEthernet0/0/1]port default vlan 13    
[sw3-GigabitEthernet0/0/1]undo stp enable  

[sw3-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw3-GigabitEthernet0/0/2]port link-type access
[sw3-GigabitEthernet0/0/2]port default vlan 23
[sw3-GigabitEthernet0/0/2]undo stp enable

[sw3]interface Vlanif 13    
[sw3-Vlanif13]ip address 10.1.3.3 24

[sw3-Vlanif13]interface Vlanif 23
[sw3-Vlanif23]ip address 10.2.3.3 24

sw4

[sw4]vlan batch 14 24
    
[sw4]interface GigabitEthernet 0/0/1    
[sw4-GigabitEthernet0/0/1]port link-type access 
[sw4-GigabitEthernet0/0/1]port default vlan 24
[sw4-GigabitEthernet0/0/1]undo stp enable

[sw4-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw4-GigabitEthernet0/0/2]port link-type access
[sw4-GigabitEthernet0/0/2]port default vlan 14
[sw4-GigabitEthernet0/0/2]undo stp enable 

[sw4]interface Vlanif 14
[sw4-Vlanif14]ip address 10.1.4.4 24

[sw4-Vlanif14]interface Vlanif 24
[sw4-Vlanif24]ip address 10.2.4.4 24

sw1

[sw1]vlan batch 12 to 14

[sw1]interface GigabitEthernet 0/0/5
[sw1-GigabitEthernet0/0/5]port link-type access     
[sw1-GigabitEthernet0/0/5]port default vlan 14    
[sw1-GigabitEthernet0/0/5]undo stp enable 

[sw1]interface GigabitEthernet 0/0/4
[sw1-GigabitEthernet0/0/4]port link-type trunk     
[sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[sw1-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[sw1-GigabitEthernet0/0/4]undo stp enable 

sw2

[sw2]vlan batch 12 23 24

[sw2]interface GigabitEthernet 0/0/5
[sw2-GigabitEthernet0/0/5]port link-type access 
[sw2-GigabitEthernet0/0/5]port default vlan 24
[sw2-GigabitEthernet0/0/5]undo stp enable

[sw2-GigabitEthernet0/0/5]interface GigabitEthernet 0/0/6
[sw2-GigabitEthernet0/0/6]undo stp enable
[sw2-GigabitEthernet0/0/6]port link-type access
[sw2-GigabitEthernet0/0/6]port default vlan 23

[sw2]interface GigabitEthernet 0/0/4
[sw2-GigabitEthernet0/0/4]port link-type trunk 
[sw2-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[sw2-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[sw2-GigabitEthernet0/0/4]undo stp enable 

OSPF configuration

sw3

[sw3]ospf 1 router-id 3.3.3.3
[sw3-ospf-1]area 0    
[sw3-ospf-1-area-0.0.0.0]network 10.1.3.3 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]network 10.2.3.3 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0

[sw3-ospf-1]silent-interface Vlanif 2 
[sw3-ospf-1]silent-interface Vlanif 3

Create the VRF

sw1

[sw1]ip vpn-instance vrf
[sw1-vpn-instance-vrf]route-distinguisher 100:1
[sw1-vpn-instance-vrf-af-ipv4]vpn-target 100:1 both

[sw1]interface Vlanif 12
[sw1-Vlanif12]ip binding vpn-instance vrf
[sw1-Vlanif12]ip address 10.1.2.1 24

[sw1]interface Vlanif 13
[sw1-Vlanif13]ip binding vpn-instance vrf
[sw1-Vlanif13]ip address 10.1.3.1 24

[sw1-Vlanif13]interface Vlanif 14
[sw1-Vlanif14]ip binding vpn-instance vrf
[sw1-Vlanif14]ip address 10.1.4.1 24

sw2

[sw2]ip vpn-instance vrf
[sw2-vpn-instance-vrf]route-distinguisher 100:1
[sw2-vpn-instance-vrf-af-ipv4]vpn-target 100:1 both

[sw2]interface Vlanif 12
[sw2-Vlanif12]ip binding vpn-instance vrf
[sw2-Vlanif12]ip address 10.1.2.2 24

[sw2-Vlanif12]interface Vlanif 23
[sw2-Vlanif23]ip binding vpn-instance vrf
[sw2-Vlanif23]ip address 10.2.3.2 24

[sw2-Vlanif23]interface Vlanif 24
[sw2-Vlanif24]ip binding vpn-instance vrf
[sw2-Vlanif24]ip address 10.2.4.2 24

OSPF configuration

sw1

[sw1]ospf 1 router-id 1.1.1.1 vpn-instance vrf
[sw1-ospf-1]area 0    
[sw1-ospf-1-area-0.0.0.0]network 10.1.2.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]network 10.1.3.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]network 10.1.4.1 0.0.0.0

sw2

[sw2]ospf 1 router-id 2.2.2.2 vpn-instance vrf  
[sw2-ospf-1]area 0
[sw2-ospf-1-area-0.0.0.0]network 10.1.2.2 0.0.0.0    
[sw2-ospf-1-area-0.0.0.0]network 10.2.3.2 0.0.0.0
[sw2-ospf-1-area-0.0.0.0]network 10.2.4.2 0.0.0.0

Routing policy

Adjust interface costs:

[sw3]interface Vlanif 23
[sw3-Vlanif23]ospf cost 5 

[sw4]interface Vlanif 14
[sw4-Vlanif14]ospf cost 5

Redistribution:
[sw3-ospf-1-area-0.0.0.0]undo  network 192.168.2.1 0.0.0.0
[sw3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0

[sw4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0
[sw4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0

Policy:
[sw3]ip ip-prefix aa permit 192.168.3.0 24
[sw3]ip ip-prefix bb permit 192.168.2.0 24
[sw3]route-policy aa permit node 10
[sw3-route-policy]if-match ip-prefix aa
[sw3-route-policy]apply cost 5
[sw3]route-policy aa permit node 20
Info: New Sequence of this List.
[sw3-route-policy]if-match ip-prefix bb
[sw3-ospf-1]import-route direct route-policy aa

[sw4]ip ip-prefix aa permit 192.168.2.0 24
[sw4]ip ip-prefix bb permit 192.168.3.0 24
[sw4]route-policy aa permit node 10
Info: New Sequence of this List.
[sw4-route-policy]if-match ip-prefix aa
[sw4-route-policy]apply cost 5
[sw4-route-policy]q
[sw4]route-policy aa permit node 20
Info: New Sequence of this List.
[sw4-route-policy]if-match ip-prefix bb
[sw4-ospf-1]import-route direct route-policy  aa
Dual-device hot standby configuration

sw1: VRF side, backup groups 1 and 2

[sw1]vlan batch 41 42   ----- create the VLANs

[sw1]interface GigabitEthernet 0/0/3    ----- configure ports 0/0/3 and 0/0/4 as trunks carrying VLAN 41 and 42
[sw1-GigabitEthernet0/0/3]port link-type trunk     
[sw1-GigabitEthernet0/0/3]port trunk allow-pass vlan 41 42 

[sw1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[sw1-GigabitEthernet0/0/4]port link-type trunk
[sw1-GigabitEthernet0/0/4]port trunk allow-pass vlan 41 42

Backup group 1: sw1 is master (pairs with firewall group 5)
[sw1]interface Vlanif 41
[sw1-Vlanif41]ip binding vpn-instance vrf    
[sw1-Vlanif41]ip address 10.4.1.1 24  
[sw1-Vlanif41]vrrp vrid 1 virtual-ip 10.4.1.100  
[sw1-Vlanif41]vrrp vrid 1 priority 120 
[sw1-Vlanif41]vrrp vrid 1 preempt-mode timer delay 60  
[sw1-Vlanif41]vrrp vrid 1 track interface GigabitEthernet 0/0/3 reduced 30
Backup group 2: sw1 is backup (pairs with firewall group 6)
[sw1-Vlanif41]interface Vlanif 42
[sw1-Vlanif42]ip binding vpn-instance vrf
[sw1-Vlanif42]ip address 10.4.2.1 24
[sw1-Vlanif42]vrrp vrid 2 virtual-ip 10.4.2.100

[sw1]ip route-static vpn-instance vrf 0.0.0.0 0 10.4.1.200  
[sw1]ip route-static vpn-instance vrf 0.0.0.0 0 10.4.2.200 preference 70  

[sw1]ip route-static 192.168.0.0 16 10.4.3.200 
[sw1]ip route-static 192.168.0.0 16 10.4.4.200 preference 70

[sw1-ospf-1]default-route-advertise

sw2: VRF side, backup groups 1 and 2

[sw2]vlan batch 41 42

[sw2]interface GigabitEthernet 0/0/4    
[sw2-GigabitEthernet0/0/4]port link-type trunk 
[sw2-GigabitEthernet0/0/4]port trunk allow-pass vlan 41 42

[sw2-GigabitEthernet0/0/4]interface GigabitEthernet 0/0/3
[sw2-GigabitEthernet0/0/3]port link-type trunk
[sw2-GigabitEthernet0/0/3]port trunk allow-pass vlan 41 42


Backup group 1: sw2 is backup (pairs with firewall group 5)
[sw2]interface Vlanif 41
[sw2-Vlanif41]ip binding vpn-instance vrf
[sw2-Vlanif41]ip address 10.4.1.2 24    
[sw2-Vlanif41]vrrp vrid 1 virtual-ip 10.4.1.100
Backup group 2: sw2 is master (pairs with firewall group 6)
[sw2-Vlanif41]interface Vlanif 42
[sw2-Vlanif42]ip binding vpn-instance vrf
[sw2-Vlanif42]ip address 10.4.2.2 24
[sw2-Vlanif42]vrrp vrid 2 virtual-ip 10.4.2.100    
[sw2-Vlanif42]vrrp vrid 2 priority 120    
[sw2-Vlanif42]vrrp vrid 2 preempt-mode timer delay 60
[sw2-Vlanif42]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30

[sw2]ip route-static vpn-instance vrf 0.0.0.0 0 10.4.2.200  
[sw2]ip route-static vpn-instance vrf 0.0.0.0 0 10.4.1.200 preference 70

[sw2]ip route-static 192.168.0.0 16 10.4.3.200 preference 70
[sw2]ip route-static 192.168.0.0 16 10.4.4.200 

[sw2-ospf-1]default-route-advertise

sw1: public side, backup groups 3 and 4

[sw1]vlan batch 43 44

[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk 
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan 43 44

[sw1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw1-GigabitEthernet0/0/2]port link-type trunk
[sw1-GigabitEthernet0/0/2]port trunk allow-pass vlan 43 44
Backup group 3: sw1 is master (pairs with firewall group 7)
[sw1]interface Vlanif 43
[sw1-Vlanif43]ip address 10.4.3.1 24    
[sw1-Vlanif43]vrrp vrid 3 virtual-ip 10.4.3.100    
[sw1-Vlanif43]vrrp vrid 3 priority 120
[sw1-Vlanif43]vrrp vrid 3 preempt-mode timer delay 60
[sw1-Vlanif43]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 30
Backup group 4: sw1 is backup (pairs with firewall group 8)
[sw1]interface Vlanif 44
[sw1-Vlanif44]ip address 10.4.4.1 24    
[sw1-Vlanif44]vrrp vrid 4 virtual-ip 10.4.4.100

sw2: public side, backup groups 3 and 4

[sw2]vlan batch 43 44
[sw2]interface GigabitEthernet 0/0/1    
[sw2-GigabitEthernet0/0/1]port link-type trunk 
[sw2-GigabitEthernet0/0/1]port trunk allow-pass vlan 43 44

[sw2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw2-GigabitEthernet0/0/2]port link-type trunk
[sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 43 44

Backup group 3: sw2 is backup (pairs with firewall group 7)
[sw2]interface Vlanif 43
[sw2-Vlanif43]ip address 10.4.3.2 24    
[sw2-Vlanif43]vrrp vrid 3 virtual-ip 10.4.3.100

Backup group 4: sw2 is master (pairs with firewall group 8)
[sw2]interface Vlanif 44
[sw2-Vlanif44]ip address 10.4.4.2 24
[sw2-Vlanif44]vrrp vrid 4 virtual-ip 10.4.4.100
[sw2-Vlanif44]vrrp vrid 4 priority 120
[sw2-Vlanif44]vrrp vrid 4 preempt-mode timer delay 60
[sw2-Vlanif44]vrrp vrid 4 track interface GigabitEthernet 0/0/1 reduced 30
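A consistency check for the switch-side VRRP groups above (sw3/sw4 on Vlanif 2 and 3, sw1/sw2 on Vlanif 41 to 44). This Python script is an added example, not part of the original post: it parses the `vrrp vrid` statements in the Vlanif prompt format used on this page and reports, per backup group, peers whose virtual IPs differ, groups with a missing peer, and how many tracked uplinks must fail before the master's reduced priority drops below the backup's default of 100. The sample input is copied from the sw3/sw4 Vlanif 2 and sw1/sw2 Vlanif 41 statements; the firewalls' active/standby HRP groups are outside its scope.

```python
import re
from collections import defaultdict
DEFAULT_PRIORITY = 100  # VRRP default when no "priority" statement is configured

# Constructed sample: VRRP statements of the sw3/sw4 (Vlanif 2) and sw1/sw2 (Vlanif 41) pairs above.
SAMPLE_CONFIG = """\
[sw3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[sw3-Vlanif2]vrrp vrid 1 priority 120
[sw3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[sw3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[sw4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[sw1-Vlanif41]vrrp vrid 1 virtual-ip 10.4.1.100
[sw1-Vlanif41]vrrp vrid 1 priority 120
[sw1-Vlanif41]vrrp vrid 1 track interface GigabitEthernet 0/0/3 reduced 30
[sw2-Vlanif41]vrrp vrid 1 virtual-ip 10.4.1.100
"""
# Matches "[device-VlanifN]vrrp vrid N <rest>" as it appears in the session logs.
LINE_RE = re.compile(r"^\[(?P<dev>\w+)-(?P<iface>Vlanif\d+)\]vrrp vrid (?P<vrid>\d+) (?P<rest>.+)$")

def parse_vrrp(text):
    """Group VRRP statements by (interface, vrid), then by device."""
    groups = defaultdict(dict)
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        dev = groups[(m["iface"], int(m["vrid"]))].setdefault(
            m["dev"], {"vip": None, "priority": DEFAULT_PRIORITY, "reduced": []})
        rest = m["rest"].split()
        if rest[0] == "virtual-ip":
            dev["vip"] = rest[1]
        elif rest[0] == "priority":
            dev["priority"] = int(rest[1])
        elif rest[0] == "track" and "reduced" in rest:
            dev["reduced"].append(int(rest[rest.index("reduced") + 1]))
    return groups

def links_to_failover(master, backup_priority):
    """Tracked uplinks that must fail before the master drops strictly below the backup (None: never)."""
    total = master["priority"]
    for k, step in enumerate(sorted(master["reduced"], reverse=True), start=1):
        total -= step
        if total < backup_priority:
            return k
    return None

def audit(text):
    """Return {(iface, vrid): {"issues": [...], "links_to_failover": int or None}}."""
    report = {}
    for key, devs in parse_vrrp(text).items():
        issues, failover = [], None
        if len(devs) != 2:
            issues.append(f"expected 2 peers, found {len(devs)}")
        if len({d["vip"] for d in devs.values()}) != 1:
            issues.append("virtual-ip differs between peers or is missing")
        ranked = sorted(devs.values(), key=lambda d: d["priority"], reverse=True)
        if len(ranked) >= 2:
            failover = links_to_failover(ranked[0], ranked[1]["priority"])
            if not ranked[0]["reduced"]:
                issues.append("master tracks no uplink: a dead uplink will not trigger failover")
            elif failover is None:
                issues.append("tracking never drops the master below the backup's priority")
        report[key] = {"issues": issues, "links_to_failover": failover}
    return report

if __name__ == "__main__":
    for (iface, vrid), r in sorted(audit(SAMPLE_CONFIG).items()):
        print(iface, "vrid", vrid, "fails over after", r["links_to_failover"], "uplink(s) down;", r["issues"] or "ok")
```

On the sample it shows that sw3 gives up VLAN 2 only after both uplinks fail (120 - 15 - 15 = 90 < 100), while sw1 yields group 1 after a single uplink failure (120 - 30 = 90).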

fw1 and fw2

HRP_M[fw1]interface GigabitEthernet 1/0/2    
HRP_M[fw1-GigabitEthernet1/0/2]ip address 1.1.1.1 24    
HRP_M[fw1-GigabitEthernet1/0/2]undo ip address 

HRP_M[fw1-GigabitEthernet1/0/2]interface GigabitEthernet 1/0/3 
HRP_M[fw1-GigabitEthernet1/0/3]ip address 2.2.2.2 24
HRP_M[fw1-GigabitEthernet1/0/3]undo  ip address 

HRP_S[fw2]interface GigabitEthernet 1/0/2
HRP_S[fw2-GigabitEthernet1/0/2]ip address 3.3.3.3 24    
HRP_S[fw2-GigabitEthernet1/0/2]undo ip address 

HRP_S[fw2-GigabitEthernet1/0/2]interface GigabitEthernet 1/0/3
HRP_S[fw2-GigabitEthernet1/0/3]ip address 3.3.3.3 24
HRP_S[fw2-GigabitEthernet1/0/3]undo ip address 

fw1: backup groups 5, 6, 7, 8

VLAN and interface configuration

[fw1]vlan batch 41 42 43 44

[fw1]interface GigabitEthernet 1/0/0
[fw1-GigabitEthernet1/0/0]ip address 10.10.10.1 24
Split 1/0/2 into sub-interfaces 2.41 and 2.42 for groups 5 and 6
[fw1]interface GigabitEthernet 1/0/2.41
[fw1-GigabitEthernet1/0/2.41]ip address 10.4.1.10 24    
[fw1-GigabitEthernet1/0/2.41]vlan-type dot1q 41

[fw1-GigabitEthernet1/0/2.41]interface GigabitEthernet 1/0/2.42
[fw1-GigabitEthernet1/0/2.42]ip address 10.4.2.10 24
[fw1-GigabitEthernet1/0/2.42]vlan-type dot1q 42
Split 1/0/3 into sub-interfaces 3.43 and 3.44 for groups 7 and 8
[fw1-GigabitEthernet1/0/2.42]interface GigabitEthernet 1/0/3.43
[fw1-GigabitEthernet1/0/3.43]ip address 10.4.3.10 24
[fw1-GigabitEthernet1/0/3.43]vlan-type dot1q 43

[fw1-GigabitEthernet1/0/3.43]interface GigabitEthernet 1/0/3.44
[fw1-GigabitEthernet1/0/3.44]ip address 10.4.4.10 24
[fw1-GigabitEthernet1/0/3.44]vlan-type dot1q 44
Security zone assignment:
the link between fw1 and fw2 is dmz
the links from fw1 to the VRF switches are trust
the links from fw1 to the public switches are untrust

[fw1]firewall zone dmz 
[fw1-zone-dmz]add interface GigabitEthernet 1/0/0
[fw1]firewall zone trust 
[fw1-zone-trust]add interface GigabitEthernet 1/0/2.41
[fw1-zone-trust]add interface GigabitEthernet 1/0/2.42
[fw1]firewall zone untrust 
[fw1-zone-untrust]add interface GigabitEthernet 1/0/3.43
[fw1-zone-untrust]add interface GigabitEthernet 1/0/3.44
Firewall hot standby configuration:
VRRP backup group 5: used by the firewalls, FW1 is Master, FW2 is Backup
[fw1]interface GigabitEthernet 1/0/2.41    
[fw1-GigabitEthernet1/0/2.41]vrrp vrid 5 virtual-ip 10.4.1.200 active

VRRP backup group 6: used by the firewalls, FW2 is Master, FW1 is Backup
[fw1-GigabitEthernet1/0/2.41]interface GigabitEthernet 1/0/2.42
[fw1-GigabitEthernet1/0/2.42]vrrp vrid 6 virtual-ip 10.4.2.200 standby 
VRRP backup group 7: used by the firewalls, FW1 is Master, FW2 is Backup
[fw1-GigabitEthernet1/0/2.42]interface GigabitEthernet 1/0/3.43
[fw1-GigabitEthernet1/0/3.43]vrrp vrid 7 virtual-ip 10.4.3.200 active 

VRRP backup group 8: used by the firewalls, FW2 is Master, FW1 is Backup
[fw1-GigabitEthernet1/0/3.43]interface GigabitEthernet 1/0/3.44
[fw1-GigabitEthernet1/0/3.44]vrrp vrid 8 virtual-ip 10.4.4.200 standby 

HRP heartbeat link configuration:
[fw1]hrp mirror session enable
[fw1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
[fw1]hrp enable
Upstream default routes (toward the public switches):
HRP_M[fw1]ip route-static 0.0.0.0 0 10.4.3.100 
HRP_M[fw1]ip route-static 0.0.0.0 0 10.4.4.100 preference 70   

Downstream static routes (toward the VRF switches):
HRP_M[fw1]ip route-static 192.168.0.0 16 10.4.1.100
HRP_M[fw1]ip route-static 192.168.0.0 16 10.4.2.100 preference 70

Security policy:
HRP_M[fw1]security-policy 
HRP_M[fw1-policy-security]rule name 1 
HRP_M[fw1-policy-security-rule-1]source-zone trust 
HRP_M[fw1-policy-security-rule-1]destination-zone untrust  
HRP_M[fw1-policy-security-rule-1]source-address 192.168.0.0 16 
HRP_M[fw1-policy-security-rule-1]action permit  

fw2: backup groups 5, 6, 7, 8

VLAN and interface configuration

[fw2]vlan batch 41 to 44
[fw2]interface GigabitEthernet 1/0/0
[fw2-GigabitEthernet1/0/0]ip address 10.10.10.2 24

Split 1/0/2 into sub-interfaces 2.41 and 2.42 for groups 5 and 6
[fw2]interface GigabitEthernet 1/0/2.41
[fw2-GigabitEthernet1/0/2.41]ip address 10.4.1.20 24    
[fw2-GigabitEthernet1/0/2.41]vlan-type dot1q 41

[fw2-GigabitEthernet1/0/2.41]interface GigabitEthernet 1/0/2.42
[fw2-GigabitEthernet1/0/2.42]ip address 10.4.2.20 24
[fw2-GigabitEthernet1/0/2.42]vlan-type dot1q 42
Split 1/0/3 into sub-interfaces 3.43 and 3.44 for groups 7 and 8
[fw2-GigabitEthernet1/0/2.42]interface GigabitEthernet 1/0/3.43
[fw2-GigabitEthernet1/0/3.43]ip address 10.4.3.20 24
[fw2-GigabitEthernet1/0/3.43]vlan-type dot1q 43

[fw2-GigabitEthernet1/0/3.43]interface GigabitEthernet 1/0/3.44
[fw2-GigabitEthernet1/0/3.44]ip address 10.4.4.20 24
[fw2-GigabitEthernet1/0/3.44]vlan-type dot1q 44
Security zone assignment:
[fw2]firewall zone dmz 
[fw2-zone-dmz]add interface GigabitEthernet 1/0/0
[fw2]firewall zone trust 
[fw2-zone-trust]add interface GigabitEthernet 1/0/2.41
[fw2-zone-trust]add interface GigabitEthernet 1/0/2.42

[fw2]firewall zone untrust 
[fw2-zone-untrust]add interface GigabitEthernet 1/0/3.43
[fw2-zone-untrust]add interface GigabitEthernet 1/0/3.44

Firewall hot standby configuration:
VRRP backup group 5: used by the firewalls, FW1 is Master, FW2 is Backup

[fw2]interface GigabitEthernet 1/0/2.41
[fw2-GigabitEthernet1/0/2.41]vrrp vrid 5 virtual-ip 10.4.1.200 standby 

VRRP backup group 6: used by the firewalls, FW2 is Master, FW1 is Backup
[fw2]interface GigabitEthernet 1/0/2.42
[fw2-GigabitEthernet1/0/2.42]vrrp vrid 6 virtual-ip 10.4.2.200 active 
VRRP backup group 7: used by the firewalls, FW1 is Master, FW2 is Backup
[fw2]interface GigabitEthernet 1/0/3.43    
[fw2-GigabitEthernet1/0/3.43]vrrp vrid 7 virtual-ip 10.4.3.200 standby 
VRRP backup group 8: used by the firewalls, FW2 is Master, FW1 is Backup
[fw2]interface GigabitEthernet 1/0/3.44
[fw2-GigabitEthernet1/0/3.44]vrrp vrid 8 virtual-ip 10.4.4.200 active 

HRP configuration:
[fw2]hrp mirror session enable 
[fw2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[fw2]hrp enable
Upstream default routes (toward the public switches):
HRP_S[fw2]ip route-static 0.0.0.0 0 10.4.3.100 preference 70
HRP_S[fw2]ip route-static 0.0.0.0 0 10.4.4.100 

Downstream static routes (toward the VRF switches):
HRP_S[fw2]ip route-static 192.168.0.0 16 10.4.1.100 preference 70
HRP_S[fw2]ip route-static 192.168.0.0 16 10.4.2.100 

Core to edge

sw1 (public)

VLAN and interface configuration:

[sw1]vlan  batch 102 105
[sw1]interface GigabitEthernet 0/0/7
[sw1-GigabitEthernet0/0/7]port link-type access 
[sw1-GigabitEthernet0/0/7]port default vlan 105
[sw1-GigabitEthernet0/0/7]undo stp enable

[sw1]interface GigabitEthernet 0/0/2

[sw1-GigabitEthernet0/0/2]port link-type trunk 
[sw1-GigabitEthernet0/0/2]port trunk allow-pass vlan 102 105
[sw1-GigabitEthernet0/0/2]undo stp enable

[sw1]interface Vlanif 102
[sw1-Vlanif102]ip address 10.12.0.1 24

[sw1-Vlanif102]interface Vlanif 105    
[sw1-Vlanif105]ip address 10.15.0.1 24
OSPF 2 configuration:
[sw1]ospf 2 router-id 1.1.1.1
[sw1-ospf-2]area 0
[sw1-ospf-2-area-0.0.0.0]network 10.12.0.1 0.0.0.0
[sw1-ospf-2-area-0.0.0.0]network 10.15.0.1 0.0.0.0

sw2 (public)

VLAN and interface configuration:

[sw2]vlan batch 102 206

[sw2]interface GigabitEthernet 0/0/7
[sw2-GigabitEthernet0/0/7]port link-type access 
[sw2-GigabitEthernet0/0/7]port default vlan 206
[sw2-GigabitEthernet0/0/7]undo stp enable 

[sw2]interface GigabitEthernet 0/0/2

[sw2-GigabitEthernet0/0/2]port link-type trunk 
[sw2-GigabitEthernet0/0/2]port trunk allow-pass vlan 102 206
[sw2-GigabitEthernet0/0/2]undo stp enable

[sw2]interface Vlanif 102
[sw2-Vlanif102]ip address 10.12.0.2 24

[sw2-Vlanif102]interface Vlanif 206
[sw2-Vlanif206]ip address 10.26.0.2 24

OSPF 2 configuration:
[sw2]ospf 2 router-id 2.2.2.2
[sw2-ospf-2]area 0
[sw2-ospf-2-area-0.0.0.0]network 10.12.0.2 0.0.0.0
[sw2-ospf-2-area-0.0.0.0]network 10.26.0.2 0.0.0.0

r5

Interface configuration:
[r5]interface GigabitEthernet 0/0/0
[r5-GigabitEthernet0/0/0]ip address 10.15.0.5 24

[r5-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[r5-GigabitEthernet0/0/1]ip address 10.56.0.5 24

OSPF 1 configuration:

[r5]ospf 1 router-id 5.5.5.5    
[r5-ospf-1]area 0
[r5-ospf-1-area-0.0.0.0]network 10.15.0.5 0.0.0.0
[r5-ospf-1-area-0.0.0.0]network 10.56.0.5 0.0.0.0

r6

Interface configuration:

[r6]interface GigabitEthernet 0/0/0
[r6-GigabitEthernet0/0/0]ip address 10.26.0.6 24

[r6-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[r6-GigabitEthernet0/0/1]ip address 10.56.0.6 24

OSPF 1 configuration:

[r6]ospf 1 router-id 6.6.6.6
[r6-ospf-1]area 0
[r6-ospf-1-area-0.0.0.0]network 10.26.0.6 0.0.0.0
[r6-ospf-1-area-0.0.0.0]network 10.56.0.6 0.0.0.0

Default route configuration

r5

[r5]interface GigabitEthernet 0/0/2
[r5-GigabitEthernet0/0/2]ip address 12.0.0.5 24
[r5]ip route-static 0.0.0.0 0 12.0.0.100 
[r5]ospf 1
[r5-ospf-1]default-route-advertise

[r5]acl 2000
[r5-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255 

[r5]interface GigabitEthernet 0/0/2
[r5-GigabitEthernet0/0/2]nat outbound 2000 

r6

[r6]interface GigabitEthernet 0/0/2    
[r6-GigabitEthernet0/0/2]ip address 13.0.0.6 24
[r6]ip route-static 0.0.0.0 0 13.0.0.100
[r6]ospf 1
[r6-ospf-1]default-route-advertise
[r6]acl 2000
[r6-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[r6]interface GigabitEthernet 0/0/2
[r6-GigabitEthernet0/0/2]nat outbound 2000

isp

[isp100]interface GigabitEthernet0/0/0
[isp100-GigabitEthernet0/0/0]ip address 12.0.0.100 24

[isp100-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[isp100-GigabitEthernet0/0/1]ip address 13.0.0.100 24

[isp100]interface LoopBack 0
[isp100-LoopBack0]ip address 100.1.1.1 24

Testing
