Firewall dual-device hot standby lab

The lab objectives and topology diagram are as follows:

Approach

Divide the topology into 4 regions, from bottom to top.

Once the basic configuration of region 1 is in place, run STP on it so that it finds the best path.

Region 1

[LSW3]stp enable
[LSW3]stp mode mstp
[LSW3]stp region-configuration
[LSW3-mst-region]region-name aa
[LSW3-mst-region]instance 1 vlan 2
[LSW3-mst-region]instance 2 vlan 3
[LSW3-mst-region]active region-configuration
[LSW3]dis stp region-configuration
[LSW3]stp instance 1 root primary
[LSW3]stp instance 2 root secondary
[LSW3]stp instance 0 root primary

Configure the master/backup relationship

Switch LSW3

[LSW3-Vlanif2]ip ad 192.168.2.1 24
[LSW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[LSW3-Vlanif2]vrrp vrid 1 priority 120
[LSW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20
[LSW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[LSW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[LSW3-Vlanif3]ip address 192.168.3.1 255.255.255.0
[LSW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
Switch LSW4

[LSW4]stp enable
[LSW4]stp mode mstp
[LSW4]stp region-configuration
[LSW4-mst-region]region-name aa (the region name must be identical on every switch)
[LSW4-mst-region]instance 1 vlan 2
[LSW4-mst-region]instance 2 vlan 3
[LSW4-mst-region]active region-configuration
[LSW4-Vlanif2]ip ad 192.168.2.2 24
[LSW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254 (the VRID must match the group LSW3 uses on Vlanif2, otherwise the two switches never form one VRRP group)
[LSW4-Vlanif3]dis th
#
interface Vlanif3
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.3.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15
 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15
#

LSW5

[LSW5]stp enable
[LSW5]stp mode mstp
[LSW5]stp region-configuration
[LSW5-mst-region]region-name aa (the region name must be identical on every switch)
[LSW5-mst-region]instance 1 vlan 2
[LSW5-mst-region]instance 2 vlan 3
[LSW5-mst-region]active region-configuration
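As an added illustration that is not part of the original lab, the following Python models the VRRP master election for the LSW3/LSW4 pair on VLAN 2 exactly as configured above: LSW3 at priority 120 with two tracked uplinks each reduced by 15 and a 20-second preempt delay, LSW4 left at the VRRP default priority of 100. It shows why "reduced 15" was chosen: one uplink failure leaves LSW3 at 105 and still master, both failing drops it to 90 and hands the group to LSW4 (a reduction of 25 or more would fail over on the first loss). Class and function names are my own.

```python
from dataclasses import dataclass, field

VRRP_DEFAULT_PRIORITY = 100  # priority of a router with no explicit "vrrp vrid N priority"


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class VrrpRouter:
    name: str
    ip: str                                     # interface address, the VRRP tie-breaker
    priority: int = VRRP_DEFAULT_PRIORITY
    tracks: dict = field(default_factory=dict)  # tracked interface -> "reduced" value
    preempt_delay: int = 0                      # seconds from "preempt-mode timer delay"
    down: set = field(default_factory=set)      # tracked interfaces currently down

    def effective_priority(self) -> int:
        # Every tracked interface that is down lowers the advertised priority;
        # the result stays inside the VRRP priority range 1..254.
        reduced = sum(r for intf, r in self.tracks.items() if intf in self.down)
        return max(1, min(254, self.priority - reduced))


def elect_master(routers):
    # Highest effective priority wins; equal priorities are broken by the higher IP.
    return max(routers, key=lambda r: (r.effective_priority(), ip_to_int(r.ip)))


def vlan2_pair(failed_on_lsw3=()):
    # Constructed from the lab config: LSW3 priority 120, two uplinks tracked with
    # "reduced 15", 20 s preempt delay; LSW4 at the default priority.
    lsw3 = VrrpRouter("LSW3", "192.168.2.1", 120,
                      {"GigabitEthernet0/0/1": 15, "GigabitEthernet0/0/2": 15}, 20,
                      set(failed_on_lsw3))
    lsw4 = VrrpRouter("LSW4", "192.168.2.2")
    return lsw3, lsw4


def master_for(failed_on_lsw3=()) -> str:
    return elect_master(vlan2_pair(failed_on_lsw3)).name


def reclaim_time(router: VrrpRouter, recovered_at: int) -> int:
    # With "preempt-mode timer delay", a recovered router waits before taking master back.
    return recovered_at + router.preempt_delay


if __name__ == "__main__":
    for failed in ((), ("GigabitEthernet0/0/1",), ("GigabitEthernet0/0/1", "GigabitEthernet0/0/2")):
        lsw3, _ = vlan2_pair(failed)
        print(f"LSW3 down={sorted(failed)} prio={lsw3.effective_priority()} -> master {master_for(failed)}")
```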

Region 2

To keep the links independent and avoid triggering STP between them, multiple VLANs have to be created.

The four switches in the diagram need 5 VLANs.

LSW3

[LSW3-GigabitEthernet0/0/1]undo stp enable
[LSW3-GigabitEthernet0/0/2]undo stp enable

LSW4

[LSW4-GigabitEthernet0/0/1]undo stp enable
[LSW4-GigabitEthernet0/0/2]undo stp enable

[LSW3-ospf-1]silent-interface Vlanif 2
[LSW3-ospf-1]silent-interface Vlanif 3
[LSW4-ospf-1]silent-interface Vlanif 2
[LSW4-ospf-1]silent-interface Vlanif 3

Remember to also configure the access links going into switches 1 and 2.

[LSW3-Vlanif203]ospf cost 5 (tune the link cost)
[LSW4-Vlanif104]ospf cost 5 (tune the link cost)

Separate the devices with a VPN instance

[LSW1]ip vpn-instance VRF
[LSW1-vpn-instance-VRF]route-distinguisher 100:1
[LSW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both
[LSW2]ip vpn-instance VRF
[LSW2-vpn-instance-VRF]route-distinguisher 100:1
[LSW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both

LSW1 configuration

[LSW1-GigabitEthernet0/0/5]port link-type access
[LSW1-GigabitEthernet0/0/5]port default vlan 103
[LSW1-GigabitEthernet0/0/5]undo stp enable
[LSW1-GigabitEthernet0/0/6]port link-type access
[LSW1-GigabitEthernet0/0/6]port default vlan 104
[LSW1-GigabitEthernet0/0/6]undo stp enable
[LSW1-GigabitEthernet0/0/4]port link-type access
[LSW1-GigabitEthernet0/0/4]port default vlan 102
[LSW1-GigabitEthernet0/0/4]undo stp enable
[LSW1-Vlanif102]ip binding vpn-instance VRF (move the interface into the VRF)

[LSW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[LSW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0

LSW2 configuration

[LSW2-GigabitEthernet0/0/5]port link-type access
[LSW2-GigabitEthernet0/0/5]port default vlan 204
[LSW2-GigabitEthernet0/0/5]undo stp enable
[LSW2-GigabitEthernet0/0/6]port link-type access
[LSW2-GigabitEthernet0/0/6]port default vlan 203
[LSW2-GigabitEthernet0/0/6]undo stp enable
[LSW2-GigabitEthernet0/0/4]port link-type access
[LSW2-GigabitEthernet0/0/4]port default vlan 102
[LSW2-GigabitEthernet0/0/4]undo stp enable
[LSW2-Vlanif102]ip binding vpn-instance VRF (move the interface into the VRF)

[LSW2]dis ip routing-table vpn-instance VRF
[LSW2]ping -vpn-instance VRF 10.10.2.1
  PING 10.10.2.1: 56  data bytes, press CTRL_C to break
    Reply from 10.10.2.1: bytes=56 Sequence=1 ttl=255 time=60 ms
    Reply from 10.10.2.1: bytes=56 Sequence=2 ttl=255 time=30 ms
    Reply from 10.10.2.1: bytes=56 Sequence=3 ttl=255 time=50 ms
    Reply from 10.10.2.1: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 10.10.2.1: bytes=56 Sequence=5 ttl=255 time=40 ms

1. Match the traffic

[sw3]ip ip-prefix aa permit 192.168.3.0 24
[sw3]ip ip-prefix bb permit 192.168.2.0 24
[LSW4]ip ip-prefix aa permit 192.168.2.0 24
[LSW4]ip ip-prefix bb permit 192.168.3.0 24

2. Build the route policy

[sw3]route-policy aa permit node 10
[sw3-route-policy]if-match ip-prefix aa
[sw3-route-policy]apply cost 5
[sw3]route-policy aa permit node 20
[sw3-route-policy]if-match ip-prefix bb

3. Apply it

[sw3-ospf-1]import-route direct route-policy aa
[LSW4-ospf-1]import-route direct route-policy aa

Region 3

Create the VRRP group with SW1 as master

[LSW1-Vlanif401]dis th
#
interface Vlanif401
 ip binding vpn-instance VRF
 ip address 10.40.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.40.1.100
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 60
 vrrp vrid 1 track interface GigabitEthernet0/0/3 reduced 30

Configure SW1 as backup in the group where SW2 is master

[LSW1-Vlanif402]dis th
#
interface Vlanif402
 ip binding vpn-instance VRF
 ip address 10.40.2.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.40.2.100

SW2 configuration

[LSW2-Vlanif402]dis th
#
interface Vlanif402
 ip binding vpn-instance VRF
 ip address 10.40.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.40.2.100
 vrrp vrid 2 priority 120
 vrrp vrid 2 preempt-mode timer delay 60
 vrrp vrid 2 track interface GigabitEthernet0/0/3 reduced 30

[LSW2-Vlanif401]dis th
#
interface Vlanif401
 ip binding vpn-instance VRF
 ip address 10.40.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.40.1.100

FW1 configuration

2. Define the security zones

[FW1]firewall zone trust
[FW1-zone-trust]ad interface g 1/0/2.401
[FW1-zone-trust]ad interface g 1/0/2.402
[FW1]firewall zone untrust
[FW1-zone-untrust]ad interface g1/0/3.403
[FW1-zone-untrust]ad interface g1/0/3.404
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g 1/0/0

3. Configure hot standby (VRRP)

[FW1-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby
[FW1-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby
[FW1]hrp mirror session enable (fast session backup)
[FW1]hrp interface g 1/0/0 remote 10.10.10.2
[FW1]hrp enable
ip route-static 0.0.0.0 0.0.0.0 10.40.3.100
ip route-static 0.0.0.0 0.0.0.0 10.40.4.100 preference 70

Static routes toward the upstream network

ip route-static 192.168.0.0 255.255.0.0 10.40.1.100
ip route-static 192.168.0.0 255.255.0.0 10.40.2.100 preference 70

 

[LSW1-Vlanif404]dis th
#
interface Vlanif404
 ip address 10.40.4.1 255.255.255.0
 vrrp vrid 4 virtual-ip 10.40.4.100
#
return

[LSW1-Vlanif403]dis th
#
interface Vlanif403
 ip address 10.40.3.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.40.3.100
 vrrp vrid 3 priority 120
 vrrp vrid 3 preempt-mode timer delay 60
 vrrp vrid 3 track interface GigabitEthernet0/0/1 reduced 30
#
return

[LSW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[LSW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70
[LSW1]ip route-static 192.168.0.0 16 10.40.3.200
[LSW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70

FW2 configuration

2. Define the security zones

[FW2]firewall zone trust
[FW2-zone-trust]ad interface g 1/0/2.401
[FW2-zone-trust]ad interface g 1/0/2.402
[FW2]firewall zone untrust
[FW2-zone-untrust]ad interface g1/0/3.403
[FW2-zone-untrust]ad interface g1/0/3.404
[FW2]firewall zone dmz
[FW2-zone-dmz]add int g 1/0/0

3. Configure hot standby (VRRP)

[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active
[FW2-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby
[FW2-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 active
[FW2]hrp mirror session enable (fast session backup)
[FW2]hrp interface g 1/0/0 remote 10.10.10.1
[FW2]hrp enable
ip route-static 0.0.0.0 0.0.0.0 10.40.3.100 preference 70
ip route-static 0.0.0.0 0.0.0.0 10.40.4.100

Static routes toward the upstream network

ip route-static 192.168.0.0 255.255.0.0 10.40.1.100 preference 70
ip route-static 192.168.0.0 255.255.0.0 10.40.2.100

Configure the security policy

HRP_M[FW1]security-policy
HRP_M[FW1-policy-security]rule name t_to_u (+B)
 rule name t_to_u
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit

[LSW2-Vlanif403]dis th
#
interface Vlanif403
 ip address 10.40.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.40.3.100
#
return

[LSW2-Vlanif404]dis th
#
interface Vlanif404
 ip address 10.40.4.2 255.255.255.0
 vrrp vrid 4 virtual-ip 10.40.4.100
 vrrp vrid 4 priority 120
 vrrp vrid 4 preempt-mode timer delay 60
 vrrp vrid 4 track interface GigabitEthernet0/0/1 reduced 30
#
return

[LSW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70
[LSW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[LSW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70
[LSW2]ip route-static 192.168.0.0 16 10.40.4.200

HRP_M[FW1]int g1/0/2 (+B)
HRP_M[FW1-GigabitEthernet1/0/2]ip ad 1.1.1.1 24
HRP_M[FW1-GigabitEthernet1/0/2]undo ip address
HRP_M[FW1-GigabitEthernet1/0/3] (repeat on both firewalls: all four physical ports must be brought up this way)

Region 4

[LSW1-ospf-2]dis th
#
ospf 2 router-id 1.1.1.1
 area 0.0.0.0
  network 10.20.1.1 0.0.0.0
  network 10.10.5.1 0.0.0.0
#
return

[LSW2-ospf-2]dis th
#
ospf 2 router-id 2.2.2.2
 area 0.0.0.0
  network 10.20.6.2 0.0.0.0
  network 10.20.1.2 0.0.0.0
#
return

[r6-ospf-1]dis th
[V200R003C00]
#
ospf 1 router-id 6.6.6.6
 area 0.0.0.0
  network 10.20.6.6 0.0.0.0
  network 10.56.0.6 0.0.0.0
#
return

[r5-ospf-1]dis th
[V200R003C00]
#
ospf 1 router-id 5.5.5.5
 area 0.0.0.0
  network 10.10.5.5 0.0.0.0
  network 10.56.0.5 0.0.0.0
#
return

R6 configuration

[r6]acl 2000
[r6-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[r6-GigabitEthernet0/0/2]ip ad 13.0.0.6 24
[r6]ip route-static 0.0.0.0 0 13.0.0.100
[r6-GigabitEthernet0/0/2]nat outbound 2000

LSP configuration
