Lab: Dual-Firewall Hot Standby in an Off-Path (Side-Attached) Deployment

I. Lab Topology

[Image]

II. Lab Requirements

1. Traffic from SW3
	Normal: SW1_VRF--->FW1--->SW1_Public--->R5
	Failure: SW2_VRF--->FW2--->SW2_Public--->R6
2. Traffic from SW4
	Normal: SW2_VRF--->FW2--->SW2_Public--->R6
	Failure: SW1_VRF--->FW1--->SW1_Public--->R5
3. Load balancing across the switching network

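III. Lab Configuration

Layer 2 switch configuration

[Image]

This uses the MSTP + VRRP design from the traditional three-tier architecture:
VLAN 2 ----> SW3, with SW4 as backup
VLAN 3 ----> SW4, with SW3 as backup

MSTP design ----> runs on SW3, SW4 and SW5
	Instance 1: VLAN 2
	Instance 2: VLAN 3
		SW3 is the primary root for instance 1 and the secondary root for instance 2;
		SW4 is the primary root for instance 2 and the secondary root for instance 1;

VLAN      Device   IP                VLAN virtual IP
vlan 2    SW3      192.168.2.1/24    192.168.2.254/24
          SW4      192.168.2.2/24
vlan 3    SW3      192.168.3.1/24    192.168.3.254/24
          SW4      192.168.3.2/24

Configuration: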

SW3:

[SW3]vlan batch 2 3
[SW3]interface GigabitEthernet 0/0/3
[SW3-GigabitEthernet0/0/3] port link-type trunk
[SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW3]interface GigabitEthernet 0/0/4
[SW3-GigabitEthernet0/0/4] port link-type trunk
[SW3-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 3

[SW3]stp enable 
[SW3]stp mode mstp
[SW3]stp region-configuration 
[SW3-mst-region]region-name aa
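[SW3-mst-region]instance 1 vlan 2    ------ map instance 1 to VLAN 2
[SW3-mst-region]instance 2 vlan 3    ------ map instance 2 to VLAN 3
[SW3-mst-region]active region-configuration    ------ activate the region configuration
[SW3]stp instance 1 root primary      ----- make SW3 the primary root for instance 1
[SW3]stp instance 2 root secondary      ----- make SW3 the secondary root for instance 2
[SW3]stp instance 0 root primary    --- make SW3 the primary root for instance 0 (optional)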

[SW3]interface Vlanif 2
[SW3-Vlanif2]ip address 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254     ---- set the virtual IP
[SW3-Vlanif2]vrrp vrid 1 priority 120    ----- change the priority
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20    ---- set the preemption delay to 20s
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15      ------ track the uplink interface
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15

[SW3]interface Vlanif 3
[SW3-Vlanif3]ip add 192.168.3.1 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254

SW4:

[SW4]vlan batch 2 3
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3] port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW4]interface GigabitEthernet 0/0/4
[SW4-GigabitEthernet0/0/4] port link-type trunk
[SW4-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 3

[SW4]stp enable 
[SW4]stp mode mstp
[SW4]stp region-configuration 
[SW4-mst-region]region-name aa
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]active region-configuration 
[SW4]stp instance 1 root secondary 
[SW4]stp instance 2 root primary
[SW4]stp instance 0 root secondary

[SW4]interface Vlanif 2
[SW4-Vlanif2]ip add 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254

interface Vlanif3
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.3.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15
 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15

SW5:

[SW5]vlan batch 2 3
[SW5]interface GigabitEthernet 0/0/3
[SW5-GigabitEthernet0/0/3]port link-type access 
[SW5-GigabitEthernet0/0/3]port default vlan 2
[SW5]interface GigabitEthernet 0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access 	
[SW5-GigabitEthernet0/0/4]port default vlan 3
[SW5]interface GigabitEthernet 0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk 
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[SW5]interface GigabitEthernet 0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 3

[SW5]stp enable 
[SW5]stp mode mstp
[SW5]stp region-configuration 
[SW5-mst-region]region-name aa
[SW5-mst-region]instance 1 vlan 2
[SW5-mst-region]instance 2 vlan 3
[SW5-mst-region]active region-configuration 

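View the STP spanning tree:

[Image]

Test connectivity across the Layer 2 switching network:

[Image]

Aggregation-to-core layer configuration

[Image]

Connected devices   Area VLAN   Subnet
SW1-SW2             102         10.10.2.0/24
SW1-SW3             103         10.10.3.0/24
SW1-SW4             104         10.10.4.0/24
SW2-SW3             203         10.20.3.0/24
SW2-SW4             204         10.20.4.0/24

Configuration: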

SW3:

[SW3]vlan batch 103 203
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access 
[SW3-GigabitEthernet0/0/1]port default vlan 103
[SW3-GigabitEthernet0/0/1]undo stp enable   ----- disable STP on this interface
[SW3]interface GigabitEthernet 0/0/2	
[SW3-GigabitEthernet0/0/2]port link-type access 
[SW3-GigabitEthernet0/0/2]port default vlan 203
[SW3-GigabitEthernet0/0/2]undo stp enable

[SW3]interface Vlanif 103
[SW3-Vlanif103]ip add 10.10.3.3 24
[SW3]interface Vlanif 203
[SW3-Vlanif203]ip add 10.20.3.3 24

[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0	
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[SW3-ospf-1]silent-interface Vlanif 2     ---- silent interface, keeps SW3 and SW4 from forming an OSPF adjacency
[SW3-ospf-1]silent-interface Vlanif 3

SW4:

[SW4]vlan batch 104 204
[SW4]interface GigabitEthernet 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 204
[SW4-GigabitEthernet0/0/1]undo stp enable
[SW4]interface GigabitEthernet 0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access 
[SW4-GigabitEthernet0/0/2]port default vlan 104
[SW4-GigabitEthernet0/0/2]undo stp enable 

[SW4]interface Vlanif 104
[SW4-Vlanif104]ip address 10.10.4.4 24
[SW4]interface Vlanif 204
[SW4-Vlanif204]ip add 10.20.4.4 24

[SW4]ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 10.10.4.4 0.0.0.0
  network 10.20.4.4 0.0.0.0
  network 192.168.2.2 0.0.0.0
  network 192.168.3.2 0.0.0.0
 
[SW4-ospf-1]silent-interface Vlanif 2
[SW4-ospf-1]silent-interface Vlanif 3

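Create the VRF and configure its parameters:

SW1 and SW2 each need to be split into two logical devices that connect to the upstream and downstream devices separately, so a VRF must be created first. GE0/0/2, 5, 6 and 7 belong to this VRF.

VRF parameters:
	Name: VRF
	RD: 100:1
	RT: 100:1
[SW1]ip vpn-instance VRF      ----- create the VRF
[SW1-vpn-instance-VRF]route-distinguisher 100:1    ---- set the RD
[SW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both   ---- set the RT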
[SW2]ip vpn-instance VRF
[SW2-vpn-instance-VRF]route-distinguisher 100:1	
[SW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both 

Configure the VLANs:

SW1:

[SW1]vlan batch 102 103 104
[SW1]interface GigabitEthernet 0/0/6
[SW1-GigabitEthernet0/0/6]port link-type access 
[SW1-GigabitEthernet0/0/6]port default vlan 103	
[SW1-GigabitEthernet0/0/6]undo stp enable

[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk 
[SW1-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW1-GigabitEthernet0/0/5]undo stp enable

[SW1]interface GigabitEthernet 0/0/7
[SW1-GigabitEthernet0/0/7]port link-type access 
[SW1-GigabitEthernet0/0/7]port default vlan 104
[SW1-GigabitEthernet0/0/7]undo stp enable

SW2:

[SW2]vlan batch 102 203 204
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]port link-type access 	
[SW2-GigabitEthernet0/0/6]port default vlan 204
[SW2-GigabitEthernet0/0/6]undo stp enable

[SW2]interface GigabitEthernet 0/0/7
[SW2-GigabitEthernet0/0/7]port link-type access 
[SW2-GigabitEthernet0/0/7]port default vlan 203
[SW2-GigabitEthernet0/0/7]undo stp enable 

[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW2-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW2-GigabitEthernet0/0/5]undo stp enable

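Create the Vlanif interfaces and bind them to the VRF:

SW1:
[SW1]interface Vlanif 102
[SW1-Vlanif102]ip binding vpn-instance VRF   ---- bind the interface to the VRF virtual switch; run this before configuring anything else on the interface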
[SW1-Vlanif102]ip address 10.10.2.1 24

[SW1]interface Vlanif 103
[SW1-Vlanif103]ip binding vpn-instance VRF
[SW1-Vlanif103]ip add 10.10.3.1 24

[SW1]interface Vlanif 104
[SW1-Vlanif104]ip binding vpn-instance VRF
[SW1-Vlanif104]ip add 10.10.4.1 24

SW2:
[SW2]interface Vlanif 102
[SW2-Vlanif102]ip binding vpn-instance VRF
[SW2-Vlanif102]ip address 10.10.2.2 24

[SW2]interface Vlanif 203
[SW2-Vlanif203]ip binding vpn-instance VRF
[SW2-Vlanif203]ip address 10.20.3.2 24

[SW2]interface Vlanif 204
[SW2-Vlanif204]ip binding vpn-instance VRF
[SW2-Vlanif204]ip add 10.20.4.2 24

Test:

[SW2]ping -vpn-instance VRF 10.10.2.1
  PING 10.10.2.1: 56  data bytes, press CTRL_C to break
    Reply from 10.10.2.1: bytes=56 Sequence=1 ttl=255 time=80 ms
    Reply from 10.10.2.1: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 10.10.2.1: bytes=56 Sequence=3 ttl=255 time=50 ms
    Reply from 10.10.2.1: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 10.10.2.1: bytes=56 Sequence=5 ttl=255 time=60 ms

[SW2]ping -vpn-instance VRF 10.20.4.4
  PING 10.20.4.4: 56  data bytes, press CTRL_C to break
    Reply from 10.20.4.4: bytes=56 Sequence=1 ttl=255 time=70 ms
    Reply from 10.20.4.4: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 10.20.4.4: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 10.20.4.4: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 10.20.4.4: bytes=56 Sequence=5 ttl=255 time=50 ms

Configure OSPF in the VRF:

[SW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF    ---- configures OSPF inside the VPN instance named VRF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0
[SW1-ospf-1]default-route-advertise

[SW2]ospf 1 router-id 2.2.2.2 vpn-instance VRF	
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.10.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.3.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.4.2 0.0.0.0
[SW2-ospf-1]default-route-advertise

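View the VRF routing table:

[Image]

At this point the return traffic uses equal-cost routes and is load-balanced, which violates the requirement that the forward and return paths be the same. The routing therefore has to be steered with a route-policy.

Route-policy plan:
    SW3:
        Primary traffic is sent to SW1, backup to SW2
    SW4:
        Primary traffic is sent to SW2, backup to SW1
    SW1:
        192.168.2.0/24---->	Primary traffic is sent to SW3, backup to SW4
        192.168.3.0/24---->	Primary traffic is sent to SW4, backup to SW3
    SW2:
        192.168.2.0/24---->	Primary traffic is sent to SW3, backup to SW4
        192.168.3.0/24---->	Primary traffic is sent to SW4, backup to SW3

Solution: on SW3 and SW4 it is enough to change the interface cost, so that SW3 prefers the routes learned from SW1 and SW4 prefers the routes learned from SW2.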

[SW3]interface Vlanif 203
[SW3-Vlanif203]ospf cost 5

[SW4]interface Vlanif 104
[SW4-Vlanif104]ospf cost 5

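Route-policy configuration:

Prerequisite: remove the 192.168.2.0/24 and 192.168.3.0/24 networks advertised earlier on SW3 and SW4, so that they do not conflict with the routes redistributed below: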
    [SW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
    [SW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0
    [SW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
    [SW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0

SW3:

	Raise the cost of the 192.168.3.0/24 route that SW3 originates; leave the cost of the 192.168.2.0/24 route unchanged.
	Apply the route-policy through redistribution; do not import any other routes when redistributing.
1. Match the prefixes
[SW3]ip ip-prefix aa permit 192.168.2.0 24
[SW3]ip ip-prefix bb permit 192.168.3.0 24
2. Build the policy
[SW3]route-policy bb permit node 10
[SW3-route-policy]if-match ip-prefix bb
[SW3-route-policy]apply cost 5
[SW3]route-policy bb permit node 20
[SW3-route-policy]if-match ip-prefix aa
3. Apply the policy
[SW3]ospf 1	
[SW3-ospf-1]import-route direct route-policy bb

SW4:

	Raise the cost of the 192.168.2.0/24 route that SW4 originates; leave the cost of the 192.168.3.0/24 route unchanged.
	Apply the route-policy through redistribution; do not import any other routes when redistributing.
1. Match the prefixes
[SW4]ip ip-prefix aa permit 192.168.2.0 24
[SW4]ip ip-prefix bb permit 192.168.3.0 24
2. Build the policy
[SW4]route-policy aa permit node 10
[SW4-route-policy]if-match ip-prefix aa
[SW4-route-policy]apply cost 5
[SW4]route-policy aa permit node 20
[SW4-route-policy]if-match ip-prefix bb
3. Apply the policy
[SW4]ospf 1
[SW4-ospf-1]import-route direct route-policy aa

View the VRF routing table after the change:

[Image]
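
Why the route-policy removes the equal-cost return routes, as an added example (not from the original post): it evaluates each switch's route-policy nodes against its direct routes, then applies OSPF type-2 external selection on SW1/SW2. The import metric of 1 and the interface and stub costs of 1 are assumed VRP defaults, and all function and variable names are illustrative.

```python
import ipaddress

IMPORT_DEFAULT_COST = 1  # assumed VRP default metric for import-route (type-2 external)

# Constructed from this page: direct routes on each switch and its route-policy
# nodes in node order, written as (ip-prefix it matches, "apply cost" value or None).
DIRECT = {
    "SW3": ["192.168.2.0/24", "192.168.3.0/24", "10.10.3.0/24", "10.20.3.0/24"],
    "SW4": ["192.168.2.0/24", "192.168.3.0/24", "10.10.4.0/24", "10.20.4.0/24"],
}
POLICY = {
    "SW3": [("192.168.3.0/24", 5), ("192.168.2.0/24", None)],  # route-policy bb
    "SW4": [("192.168.2.0/24", 5), ("192.168.3.0/24", None)],  # route-policy aa
}
# OSPF cost of the receiver's own interface toward each advertiser (assumed default 1;
# the "ospf cost 5" lines on SW3/SW4 change their view of SW1/SW2, not the reverse).
LINK_COST = {("SW1", "SW3"): 1, ("SW1", "SW4"): 1, ("SW2", "SW3"): 1, ("SW2", "SW4"): 1}


def intra_area_next_hops(receiver, advertisers, stub_cost=1):
    """Before the change: both switches advertise the subnet with 'network' statements."""
    total = {adv: LINK_COST[(receiver, adv)] + stub_cost for adv in advertisers}
    return sorted(adv for adv, cost in total.items() if cost == min(total.values()))


def redistribute(switch):
    """import-route direct route-policy: first matching node wins, no match is denied."""
    exported = {}
    for prefix in DIRECT[switch]:
        for matched, cost in POLICY[switch]:
            if ipaddress.ip_network(prefix) == ipaddress.ip_network(matched):
                exported[prefix] = IMPORT_DEFAULT_COST if cost is None else cost
                break
    return exported


def external_next_hops(receiver, prefix):
    """Type-2 external selection: lowest advertised metric, then lowest cost to the ASBR."""
    ranked = [((redistribute(asbr)[prefix], LINK_COST[(receiver, asbr)]), asbr)
              for asbr in POLICY if prefix in redistribute(asbr)]
    best = min(key for key, _ in ranked)
    return sorted(asbr for key, asbr in ranked if key == best)


if __name__ == "__main__":
    print("before:", intra_area_next_hops("SW1", ["SW3", "SW4"]))
    for rx in ("SW1", "SW2"):
        for pfx in ("192.168.2.0/24", "192.168.3.0/24"):
            print(rx, pfx, "->", external_next_hops(rx, pfx))
```

The 10.x transit subnets match no node and are not exported, which is what "do not import any other routes" amounts to.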

Interaction between the VRF switches and the firewalls

[Image]

FW1 as master:
    VRRP group 1-----VRRP group 5
    VRRP group 3-----VRRP group 7
FW2 as master:
    VRRP group 2-----VRRP group 6
    VRRP group 4-----VRRP group 8

VRRP group   Master   Backup   VLAN   Subnet         SW1 IP         SW2 IP         Virtual IP       Note
Group 1      SW1      SW2      401    10.40.1.0/24   10.40.1.1/24   10.40.1.2/24   10.40.1.100/24   Used by VRF
Group 2      SW2      SW1      402    10.40.2.0/24   10.40.2.1/24   10.40.2.2/24   10.40.2.100/24   Used by VRF
Group 3      SW1      SW2      403    10.40.3.0/24   10.40.3.1/24   10.40.3.2/24   10.40.3.100/24   Used by Public
Group 4      SW2      SW1      404    10.40.4.0/24   10.40.4.1/24   10.40.4.2/24   10.40.4.100/24   Used by Public

VRRP group   Master   Backup   VLAN   Subnet         FW1 IP          FW2 IP          Virtual IP       Note
Group 5      FW1      FW2      401    10.40.1.0/24   10.40.1.10/24   10.40.1.20/24   10.40.1.200/24   Used by the firewalls
Group 6      FW2      FW1      402    10.40.2.0/24   10.40.2.10/24   10.40.2.20/24   10.40.2.200/24   Used by the firewalls
Group 7      FW1      FW2      403    10.40.3.0/24   10.40.3.10/24   10.40.3.20/24   10.40.3.200/24   Used by the firewalls
Group 8      FW2      FW1      404    10.40.4.0/24   10.40.4.10/24   10.40.4.20/24   10.40.4.200/24   Used by the firewalls

VRF-side configuration:

SW1

[SW1]vlan batch 401 402
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 	
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 401 402
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk 
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402

[SW1]interface Vlanif 401
[SW1-Vlanif401]ip binding vpn-instance VRF
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 30

[SW1]interface Vlanif 402
[SW1-Vlanif402]ip binding vpn-instance VRF
[SW1-Vlanif402]ip address 10.40.2.1 24
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100

SW2

[SW2]vlan batch 401 402
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk 
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402

[SW2]interface Vlanif 401
[SW2-Vlanif401]ip binding vpn-instance VRF
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100

[SW2]interface Vlanif 402
[SW2-Vlanif402]ip binding vpn-instance VRF
[SW2-Vlanif402]ip address 10.40.2.2 24
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120
[SW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[SW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30

FW1

[FW1]vlan batch 401 402 403 404
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.10.10.1 30

[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]ip add 10.40.1.10 24
[FW1-GigabitEthernet1/0/1.401]vlan-type dot1q 401

[FW1]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet1/0/1.402]vlan-type dot1q 402

[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/2.403]vlan-type dot1q 403

[FW1]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]ip add 10.40.4.10 24
[FW1-GigabitEthernet1/0/2.404]vlan-type dot1q 404

FW2

[FW2]vlan batch 401 402 403 404
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.10.10.2 30

[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401

[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip add 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402

[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]ip add 10.40.3.20 24
[FW2-GigabitEthernet1/0/1.403]vlan-type dot1q 403

[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]ip add 10.40.4.20 24
[FW2-GigabitEthernet1/0/1.404]vlan-type dot1q 404

Security zone assignment:

FW1

[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.402

[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.404

[FW1]firewall zone dmz 
[FW1-zone-dmz]add interface GigabitEthernet 1/0/0

FW2

[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402

[FW2]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.404

[FW2]firewall zone dmz 
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0

Public-side configuration on SW1 and SW2:

SW1:

[SW1]vlan batch 403 404
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404

[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404

[SW1]interface Vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track interface GigabitEthernet 0/0/3 reduced 30

[SW1]interface Vlanif 404
[SW1-Vlanif404]ip add 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100

SW2:

[SW2]vlan batch 403 404
[SW2]interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk 
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404

[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk 
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404

[SW2]interface  Vlanif 403
[SW2-Vlanif403]ip address 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100

[SW2]interface Vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60
[SW2-Vlanif404]vrrp vrid 4 track interface GigabitEthernet 0/0/2 reduced 30
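
To check which device ends up as VRRP master when tracked interfaces fail, this added example (not part of the original lab) parses the VRRP lines used on SW3/SW4 for VLAN 2 and on SW1/SW2 for VLAN 401 above and computes each member's effective priority. It assumes the VRRP default priority of 100 where no priority line is configured and models only the steady state, not the preemption delay; the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

DEFAULT_PRIORITY = 100  # assumed: VRRP default when no "priority" line is present

# Constructed input: VRRP-related lines copied from the SW1-SW4 sections of this lab.
CONFIG = """
[SW3-Vlanif2]ip address 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW3-Vlanif2]vrrp vrid 1 priority 120
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[SW4-Vlanif2]ip add 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 30
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
"""

PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)-(?P<ifc>[^\]]+)\]\s*(?P<cmd>.+)$")


def parse(config):
    """Return {virtual_ip: {device: member}} from prompt-prefixed config lines."""
    members = defaultdict(lambda: {"ip": None, "vip": None,
                                   "priority": DEFAULT_PRIORITY, "tracks": {}})
    for raw in config.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        member, cmd = members[(m["dev"], m["ifc"])], m["cmd"]
        if hit := re.match(r"ip add\w*\s+(\S+)\s+\d+", cmd):
            member["ip"] = ipaddress.ip_address(hit[1])
        elif hit := re.match(r"vrrp vrid \d+ virtual-ip (\S+)", cmd):
            member["vip"] = hit[1]
        elif hit := re.match(r"vrrp vrid \d+ priority (\d+)", cmd):
            member["priority"] = int(hit[1])
        elif hit := re.match(r"vrrp vrid \d+ track interface (.+?) reduced (\d+)", cmd):
            # Normalise "GigabitEthernet 0/0/1" and "GigabitEthernet0/0/1" to one key.
            member["tracks"][hit[1].replace(" ", "")] = int(hit[2])
    groups = defaultdict(dict)
    for (dev, _ifc), member in members.items():
        if member["vip"]:
            groups[member["vip"]][dev] = member
    return groups


def effective_priority(member, device, down):
    """Configured priority minus 'reduced' for every tracked port of this device in `down`."""
    return member["priority"] - sum(
        cut for port, cut in member["tracks"].items() if (device, port) in down)


def elect_master(group, down=frozenset()):
    """Steady-state master: highest effective priority, then highest interface IP."""
    return max(group, key=lambda dev: (effective_priority(group[dev], dev, down),
                                       group[dev]["ip"]))


GROUPS = parse(CONFIG)
SW3_UPLINKS = {("SW3", "GigabitEthernet0/0/1"), ("SW3", "GigabitEthernet0/0/2")}

if __name__ == "__main__":
    vlan2, vlan401 = GROUPS["192.168.2.254"], GROUPS["10.40.1.100"]
    print("VLAN 2, no failure:         ", elect_master(vlan2))
    print("VLAN 2, one SW3 uplink down:", elect_master(vlan2, {("SW3", "GigabitEthernet0/0/1")}))
    print("VLAN 2, both uplinks down:  ", elect_master(vlan2, SW3_UPLINKS))
    print("VLAN 401, SW1 GE0/0/2 down: ", elect_master(vlan401, {("SW1", "GigabitEthernet0/0/2")}))
```

With `reduced 15` on each of two uplinks, SW3 stays master at 105 after a single uplink failure and yields only at 90 when both are down; SW1's single `reduced 30` hands the VLAN 401 gateway to SW2 on the first failure.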

Additional routes

SW1 upstream routes (VRF):
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70

SW1 downstream routes (Public):
[SW1]ip route-static 192.168.0.0 16 10.40.3.200
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70

SW2 upstream routes (VRF):
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70

SW2 downstream routes (Public):
[SW2]ip route-static 192.168.0.0 16 10.40.4.200
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70

Note: an IP address has to be configured on and then removed from the FW's two physical interfaces GE1/0/1 and GE1/0/2 so that the two physical interfaces become active.

Firewall hot standby configuration

FW1:

FW1 downstream interfaces (VRF):
[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 active 
[FW1]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby 

FW1 upstream interfaces (Public):
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]vrrp vrid 7 virtual-ip 10.40.3.200 active 
[FW1]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby 

[FW1]hrp mirror session enable      ------ enable quick session backup
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2    ---- define the heartbeat link and the peer IP
[FW1]hrp enable    ----- enable HRP

FW1 upstream routes:
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70

FW1 downstream routes (the 192.168.2.0/24 and 192.168.3.0/24 subnets are summarized as 192.168.0.0/16):
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70

FW2:

FW2 downstream interfaces (VRF):
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby 
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active 

FW2 upstream interfaces (Public):
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby 
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active 

[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable

FW2 upstream routes:
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70

FW2 downstream routes:
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70

Security policy configuration

HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name trust_to_untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-zone trust  (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust  (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-address 192.168.0.0 16 (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]action permit  (+B)

Check that the security policy has synchronized to FW2:

[Image]

Core-to-edge configuration

[Image]

Plan:
    SW1-SW2: VLAN 12 --- 10.12.1.0/24
    SW1-R1: VLAN 11 ---- 10.11.1.0/24
    SW2-R2: VLAN 22 ---- 10.22.2.0/24
    R1-R2: 			---- 10.12.2.0/24

    OSPF: (OSPF here has to be told apart by process ID) set to 2
        SW1: 1.1.1.1
        SW2: 2.2.2.2
        R1: 3.3.3.3
        R2: 4.4.4.4

Configuration:

SW1:

[SW1]vlan batch 11 12
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]undo stp enable 

[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW1-GigabitEthernet0/0/4]undo stp enable 

[SW1]interface Vlanif 11
[SW1-Vlanif11]ip address 10.11.1.1 24
[SW1]interface Vlanif 12
[SW1-Vlanif12]ip add 10.12.1.1 24

[SW1]ospf 2 router-id 1.1.1.1
[SW1-ospf-2]area 0
[SW1-ospf-2-area-0.0.0.0]network 10.11.1.1 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.12.1.1 0.0.0.0

SW2:

[SW2]vlan batch 12 22
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access 
[SW2-GigabitEthernet0/0/1]port default vlan 22
[SW2-GigabitEthernet0/0/1]undo stp enable

[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW2-GigabitEthernet0/0/4]undo stp enable 

[SW2]interface Vlanif 12
[SW2-Vlanif12]ip address 10.12.1.2 24
[SW2]interface Vlanif 22
[SW2-Vlanif22]ip address 10.22.2.1 24

[SW2-ospf-2]dis th
ospf 2 router-id 2.2.2.2
 area 0.0.0.0
  network 10.12.1.2 0.0.0.0
  network 10.22.2.1 0.0.0.0

R1:

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.11.1.2 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.2.1 24

[R1-ospf-1]display this 
ospf 1 router-id 3.3.3.3 
 area 0.0.0.0 
  network 10.11.1.2 0.0.0.0 
  network 10.12.2.1 0.0.0.0 

R2:

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.22.2.2 24
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.12.2.2 24

[R2]ospf 1 router-id 4.4.4.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.22.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.12.2.2 0.0.0.0

Outermost network

[Image]

R1:

[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip add 12.0.0.1 24
[R1]ip route-static 0.0.0.0 0 12.0.0.100
[R1-ospf-1]default-route-advertise      ------- advertise the default route

[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000     --- apply the ACL

R2:

[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[R2]ip route-static 0.0.0.0 0 13.0.0.100
[R2-ospf-1]default-route-advertise

[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2]int g 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000

ISP:

[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.100 24
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.100 24
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip add 100.1.1.1 24

Import the static routes into OSPF process 2 on SW1 and SW2:

[SW1-ospf-2]import-route static 
[SW2-ospf-2]import-route static 

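IV. Testing

1. Under normal conditions, PC1 and PC2 each ping the ISP's loopback interface:

[Image]
[Image]

2. With some of SW1's interfaces failed, test the path from PC1 to the ISP's loopback interface: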

[SW1-GigabitEthernet0/0/2]shutdown 

[Image]

As the figure shows, packets are dropped only for an instant and the connection is never lost, so the test succeeds.

[Image]
