I. Topology diagram

II. Lab requirements

1. Traffic from SW3
Normal operation: SW1_VRF -> FW1 -> SW1_Public -> R5
On failure: SW2_VRF -> FW2 -> SW2_Public -> R6
2. Traffic from SW4
Normal operation: SW2_VRF -> FW2 -> SW2_Public -> R6
On failure: SW1_VRF -> FW1 -> SW1_Public -> R5
3. Load balancing inside the switched (Layer-2) network

Requirements 1 and 2 pin each user VLAN to one firewall in both directions. The firewalls are stateful, so the forward and return packets of a flow must pass through the same unit (or through a unit that holds a synchronized copy of the session); a flow whose return path lands on a firewall without the session is dropped.

III. Configuration

1. Layer-2 switching configuration

The access layer uses the MSTP + VRRP design of the classic three-tier architecture:
VLAN 2 -> SW3 is the gateway, SW4 is the backup
VLAN 3 -> SW4 is the gateway, SW3 is the backup
MSTP design -> runs on SW3, SW4 and SW5
Instance 1: VLAN 2
Instance 2: VLAN 3
SW3 is the primary root of instance 1 and the secondary root of instance 2; SW4 is the primary root of instance 2 and the secondary root of instance 1. Aligning the root of each instance with the VRRP master of the same VLAN keeps each VLAN's forwarding path from the access switch pointed directly at that VLAN's gateway.
IP address plan:

VLAN     SW3               SW4               Virtual IP
VLAN 2   192.168.2.1/24    192.168.2.2/24    192.168.2.254/24
VLAN 3   192.168.3.1/24    192.168.3.2/24    192.168.3.254/24
LSW3

VLAN configuration

[LSW3]vlan 2
[LSW3]vlan 3
[LSW3]interface GigabitEthernet 0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type trunk 
[LSW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 to 3
[LSW3]interface GigabitEthernet 0/0/4
[LSW3-GigabitEthernet0/0/4]port link-type trunk 
[LSW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 to 3

MSTP configuration

[LSW3]stp enable
[LSW3]stp mode mstp 
[LSW3]stp region-configuration 
[LSW3-mst-region]region-name aa
[LSW3-mst-region]instance 1 vlan 2
[LSW3-mst-region]instance 2 vlan 3
[LSW3-mst-region]active region-configuration 
[LSW3]stp instance 1 root primary 
[LSW3]stp instance 2 root secondary 
[LSW3]stp instance 0 root primary 
[LSW3]display stp region-configuration 
 Oper configuration
   Format selector    :0             
   Region name        :aa             
   Revision level     :0

   Instance   VLANs Mapped
      0       1, 4 to 4094
      1       2
      2       3

VRRP configuration

[LSW3]int Vlanif 2
[LSW3-Vlanif2]ip address 192.168.2.1 24
[LSW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254 
[LSW3-Vlanif2]vrrp vrid 1 priority 120     ---- higher than the VRP default of 100 kept on LSW4, so LSW3 is master
[LSW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20     ---- after recovery wait 20 s so the uplink routing converges before LSW3 takes the gateway back
[LSW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[LSW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15     ---- 120-15 = 105 still beats 100, so one failed uplink keeps LSW3 master; only losing both (90) fails over
[LSW3-Vlanif2]display this
#
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.2.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15
 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15
#
return
[LSW3]interface Vlanif 3
[LSW3-Vlanif3]ip address 192.168.3.1 24
[LSW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[LSW3-Vlanif3]display this
#
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.3.254
#
return
LSW4

VLAN configuration

[LSW4]vlan 2
[LSW4]vlan 3
[LSW4]interface GigabitEthernet 0/0/3
[LSW4-GigabitEthernet0/0/3]port link-type trunk 
[LSW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 to 3
[LSW4]interface GigabitEthernet 0/0/4
[LSW4-GigabitEthernet0/0/4]port link-type trunk
[LSW4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 to 3

MSTP configuration

[LSW4]stp enable
[LSW4]stp mode mstp 
[LSW4]stp region-configuration 
[LSW4-mst-region]region-name aa     ---- must match LSW3 and LSW5 exactly (name, revision level and VLAN-to-instance mapping); otherwise LSW4 forms its own region and the per-instance roots have no effect across it
[LSW4-mst-region]instance 1 vlan 2
[LSW4-mst-region]instance 2 vlan 3
[LSW4-mst-region]active region-configuration 
[LSW4]stp instance 1 root secondary
[LSW4]stp instance 2 root primary 
[LSW4]stp instance 0 root secondary 

VRRP configuration

[LSW4]interface Vlanif 2
[LSW4-Vlanif2]ip address 192.168.2.2 24
[LSW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[LSW4-Vlanif2]display this
#
interface Vlanif2
 ip address 192.168.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.2.254
#
return
[LSW4]interface Vlanif 3
[LSW4-Vlanif3]ip address 192.168.3.2 24
[LSW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[LSW4-Vlanif3]vrrp vrid 1 priority 120
[LSW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[LSW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[LSW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[LSW4-Vlanif3]display this
#
interface Vlanif3
 ip address 192.168.3.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.3.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15
 vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15
#
return
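How the priority, tracking and preempt-delay values above interact is easier to see in a small model. The following Python is an added example, not code from the original page or from any Huawei device: it implements the VRRP election rule (highest effective priority wins, ties go to the higher interface address) with Huawei-style `track interface ... reduced N` lowering the priority per failed link, using the LSW3/LSW4 values configured above. The interface names are the lab's; the function and class names are the example's own.

```python
"""VRRP master election with interface tracking, modelled on the VLAN 2 and VLAN 3
groups of LSW3/LSW4 above. Added example, not device code: it implements the VRRP
rule 'highest effective priority wins, ties go to the higher interface address',
with Huawei-style 'track interface ... reduced N' lowering the priority per failed link."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    ip: str
    base_priority: int = 100                        # VRP default priority
    tracked: dict = field(default_factory=dict)     # interface -> 'reduced' value
    down_links: set = field(default_factory=set)    # interfaces currently down

    def priority(self) -> int:
        """Effective priority: base minus the reduction of every tracked link that is down (floor 1)."""
        reduction = sum(r for intf, r in self.tracked.items() if intf in self.down_links)
        return max(1, self.base_priority - reduction)


def elect_master(routers):
    """Name of the router VRRP elects for the group."""
    return max(routers, key=lambda r: (r.priority(), IPv4Address(r.ip))).name


def vlan2_master(lsw3_down=(), lsw4_down=()):
    """Group for VLAN 2: LSW3 priority 120 tracking both uplinks (reduced 15 each), LSW4 default."""
    lsw3 = VrrpRouter("LSW3", "192.168.2.1", 120, {"GE0/0/1": 15, "GE0/0/2": 15}, set(lsw3_down))
    lsw4 = VrrpRouter("LSW4", "192.168.2.2", 100, {}, set(lsw4_down))
    return elect_master([lsw3, lsw4])


def vlan3_master(lsw3_down=(), lsw4_down=()):
    """Group for VLAN 3: the mirror image, LSW4 is the tracked priority-120 master."""
    lsw3 = VrrpRouter("LSW3", "192.168.3.1", 100, {}, set(lsw3_down))
    lsw4 = VrrpRouter("LSW4", "192.168.3.2", 120, {"GE0/0/1": 15, "GE0/0/2": 15}, set(lsw4_down))
    return elect_master([lsw3, lsw4])


def links_to_fail_over(base=120, reduced=15, peer=100, links=2):
    """Smallest number of tracked links that must go down before the backup wins,
    or None if the reductions can never push the master below the peer's priority."""
    return next((k for k in range(1, links + 1) if base - k * reduced < peer), None)


if __name__ == "__main__":
    print(vlan2_master(), vlan2_master(lsw3_down={"GE0/0/1"}), vlan2_master(lsw3_down={"GE0/0/1", "GE0/0/2"}))
    print(links_to_fail_over(), links_to_fail_over(reduced=25), links_to_fail_over(reduced=5))
```

`vlan2_master(lsw3_down={"GE0/0/1"})` shows that one lost uplink leaves LSW3 master (105 against 100) while losing both (90) hands VLAN 2 to LSW4. `links_to_fail_over` is the check to run whenever these numbers are changed: with `reduced 5` the tracking never drops below the peer's priority and is purely decorative. The preempt delay is not modelled; its only job is to hold the returning master back for 20 s so its OSPF uplinks converge before it takes the gateway address again.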

LSW5

VLAN configuration

[LSW5]vlan 2
[LSW5]vlan 3
[LSW5]interface GigabitEthernet 0/0/1
[LSW5-GigabitEthernet0/0/1]port link-type trunk 
[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 3
[LSW5]interface GigabitEthernet 0/0/2
[LSW5-GigabitEthernet0/0/2]port link-type trunk 
[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 3
[LSW5]interface GigabitEthernet 0/0/3
[LSW5-GigabitEthernet0/0/3]port link-type access 
[LSW5-GigabitEthernet0/0/3]port default vlan 2
[LSW5]interface GigabitEthernet 0/0/4
[LSW5-GigabitEthernet0/0/4]port link-type access 
[LSW5-GigabitEthernet0/0/4]port default vlan 3

MSTP configuration

[LSW5]stp enable
[LSW5]stp mode mstp 
[LSW5]stp region-configuration 
[LSW5-mst-region]region-name aa
[LSW5-mst-region]instance 1 vlan 2
[LSW5-mst-region]instance 2 vlan 3
[LSW5-mst-region]active region-configuration 
Test

2. Routing between the aggregation layer and the core

SW1-SW2: VLAN 102, 10.10.2.0/24
SW1-SW3: VLAN 103, 10.10.3.0/24
SW1-SW4: VLAN 104, 10.10.4.0/24
SW2-SW3: VLAN 203, 10.20.3.0/24
SW2-SW4: VLAN 204, 10.20.4.0/24

LSW3

VLAN configuration

[LSW3]vlan batch 103 203
[LSW3]interface GigabitEthernet 0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type access 
[LSW3-GigabitEthernet0/0/1]port default vlan 103
[LSW3-GigabitEthernet0/0/1]undo stp enable
[LSW3]interface GigabitEthernet 0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type access 
[LSW3-GigabitEthernet0/0/2]port default vlan 203
[LSW3-GigabitEthernet0/0/2]undo stp enable 

[LSW3]interface Vlanif 103
[LSW3-Vlanif103]ip address 10.10.3.3 24
[LSW3]interface Vlanif 203
[LSW3-Vlanif203]ip address 10.20.3.3 24

[LSW3]ospf 1 router-id 3.3.3.3
[LSW3-ospf-1]area 0
[LSW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[LSW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[LSW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0
[LSW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[LSW3-ospf-1]silent-interface Vlanif 2     ---- user VLANs are still advertised but send no hellos, so no host can form an adjacency with the gateway
[LSW3-ospf-1]silent-interface Vlanif 3

LSW4
[LSW4]vlan batch 104 204
[LSW4]interface GigabitEthernet 0/0/1
[LSW4-GigabitEthernet0/0/1]port link-type access 
[LSW4-GigabitEthernet0/0/1]port default vlan 204
[LSW4-GigabitEthernet0/0/1]undo stp enable 
[LSW4]interface GigabitEthernet 0/0/2
[LSW4-GigabitEthernet0/0/2]port link-type access 
[LSW4-GigabitEthernet0/0/2]port default vlan 104
[LSW4-GigabitEthernet0/0/2]undo stp enable 

[LSW4]interface Vlanif 104
[LSW4-Vlanif104]ip address 10.10.4.4 24
[LSW4]interface Vlanif 204
[LSW4-Vlanif204]ip address 10.20.4.4 24

[LSW4]ospf 1 router-id 4.4.4.4 
[LSW4-ospf-1]area 0
[LSW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[LSW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[LSW4-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[LSW4-ospf-1-area-0.0.0.0]network 192.168.3.2 0.0.0.0

[LSW4-ospf-1]silent-interface Vlanif 2
[LSW4-ospf-1]silent-interface Vlanif 3

SW1 and SW2 each have to act as two devices, one facing the downstream (inside) network and one facing the upstream (outside) network, so a VRF instance is created first; GE0/0/3 to GE0/0/6 are the interfaces placed in it. The VRF gives the switch a second, isolated routing table: inside and outside routes never meet on the switch, and the only path between them is through the firewalls.

Create the VRF instance and configure its parameters:

VRF instance parameters:
  Name: VRF
  RD: 100:1
  RT: 100:1
(RD and RT only matter for MP-BGP VPN route exchange, which this lab does not use; the instance serves purely for local table isolation.)

LSW1
[LSW1]ip vpn-instance VRF      ----- create the VRF instance
[LSW1-vpn-instance-VRF]route-distinguisher 100:1    ---- set the RD
[LSW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both   ---- set the RT 

[LSW1]vlan batch 102 103 104
[LSW1]interface GigabitEthernet 0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk 
[LSW1-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 102
[LSW1-GigabitEthernet0/0/4]undo stp enable 

[LSW1]interface GigabitEthernet 0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type access 
[LSW1-GigabitEthernet0/0/5]port default vlan 103
[LSW1-GigabitEthernet0/0/5]undo stp enable 

[LSW1]interface GigabitEthernet 0/0/6
[LSW1-GigabitEthernet0/0/6]port link-type access 
[LSW1-GigabitEthernet0/0/6]port default vlan 104
[LSW1-GigabitEthernet0/0/6]undo stp enable 

Create the Vlanif interfaces and bind them to the VRF (bind before assigning the address; binding an interface to a vpn-instance clears any IP configuration already on it):

[LSW1]interface Vlanif 102
[LSW1-Vlanif102]ip binding vpn-instance VRF
[LSW1-Vlanif102]ip address 10.10.2.1 24

[LSW1]interface Vlanif 103
[LSW1-Vlanif103]ip binding vpn-instance VRF
[LSW1-Vlanif103]ip address 10.10.3.1 24

[LSW1]interface Vlanif 104
[LSW1-Vlanif104]ip binding vpn-instance VRF
[LSW1-Vlanif104]ip address 10.10.4.1 24

Configure OSPF inside the VRF:

[LSW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[LSW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[LSW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0
[LSW1-ospf-1]default-route-advertise     ---- originates a default into the VRF OSPF only while the VRF table itself holds a default route (the static routes towards the firewalls in section 3)

LSW2
[LSW2]ip vpn-instance VRF
[LSW2-vpn-instance-VRF]route-distinguisher 100:1
[LSW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both 

Configure the VLANs:
[LSW2]vlan batch 102 203 204
[LSW2]interface GigabitEthernet 0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type trunk 
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 102     ---- GE0/0/2 is the public-side SW1-SW2 link (VLAN 201, section 4) and LSW1 does not allow VLAN 102 on its end, so this entry has no peer; keep the VRF-side VLAN 102 on GE0/0/4 only
[LSW2-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
[LSW2-GigabitEthernet0/0/2]undo stp enable

[LSW2]interface GigabitEthernet 0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk 
[LSW2-GigabitEthernet0/0/4]undo port trunk allow-pass vlan 1
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 102
[LSW2-GigabitEthernet0/0/4]undo stp enable

[LSW2]interface GigabitEthernet 0/0/5
[LSW2-GigabitEthernet0/0/5]port link-type access 
[LSW2-GigabitEthernet0/0/5]port default vlan 204
[LSW2-GigabitEthernet0/0/5]undo stp enable

[LSW2]interface GigabitEthernet 0/0/6
[LSW2-GigabitEthernet0/0/6]port link-type access
[LSW2-GigabitEthernet0/0/6]port default vlan 203
[LSW2-GigabitEthernet0/0/6]undo stp enable

Create the Vlanif interfaces and bind them to the VRF:
[LSW2]interface Vlanif 102
[LSW2-Vlanif102]ip binding vpn-instance VRF
[LSW2-Vlanif102]ip address 10.10.2.2 24

[LSW2]interface Vlanif 203
[LSW2-Vlanif203]ip binding vpn-instance VRF
[LSW2-Vlanif203]ip address 10.20.3.2 24

[LSW2]interface Vlanif 204
[LSW2-Vlanif204]ip binding vpn-instance VRF
[LSW2-Vlanif204]ip address 10.20.4.2 24

Configure OSPF inside the VRF:

[LSW2]ospf 1 router-id 2.2.2.2 vpn-instance VRF
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.10.2.2 0.0.0.0
[LSW2-ospf-1-area-0.0.0.0]network 10.20.3.2 0.0.0.0
[LSW2-ospf-1-area-0.0.0.0]network 10.20.4.2 0.0.0.0
[LSW2-ospf-1]default-route-advertise

At this point the return traffic towards the user VLANs has equal-cost routes and is load-balanced, which breaks the requirement that forward and return paths be identical. Routing therefore has to be steered with a route-policy.

Route-policy plan:

    LSW3:
        primary traffic to SW1, backup to LSW2
    LSW4:
        primary traffic to SW2, backup to LSW1
    LSW1:
        192.168.2.0/24 ----> primary to LSW3, backup to LSW4
        192.168.3.0/24 ----> primary to LSW4, backup to LSW3
    LSW2:
        192.168.2.0/24 ----> primary to LSW3, backup to LSW4
        192.168.3.0/24 ----> primary to LSW4, backup to LSW3

For LSW3 and LSW4 this only needs an interface cost change: raise the OSPF cost of the Vlanif facing the backup core switch, so that LSW3 prefers the routes learned from LSW1 and LSW4 prefers the routes learned from LSW2. Both cores originate the default route as a Type-2 external with the same cost, so the tie is broken by each aggregation switch's internal cost to the originating ASBR.

[LSW3]interface Vlanif 203
[LSW3-Vlanif203]ospf cost 5     ---- the link to LSW2 becomes the backup uplink
[LSW4]interface Vlanif 104
[LSW4-Vlanif104]ospf cost 5     ---- the link to LSW1 becomes the backup uplink
LSW3:

Raise the cost of the 192.168.3.0/24 route that LSW3 originates and leave the cost of 192.168.2.0/24 unchanged.

The cost is applied through a route-policy at redistribution time; the redistribution must not bring any other routes into OSPF.

Prerequisite: remove the network statements for 192.168.2.0/24 and 192.168.3.0/24 configured earlier on LSW3. As long as a prefix is also reachable as an intra-area route, OSPF prefers that route over the redistributed Type-5 external route whatever its cost, and the cost manipulation would have no effect:

[LSW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
[LSW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0

1. Match the prefixes

[LSW3]ip ip-prefix aa permit 192.168.2.0 24
[LSW3]ip ip-prefix bb permit 192.168.3.0 24

2. Build the route-policy

[LSW3]route-policy bb permit node 10
[LSW3-route-policy]if-match ip-prefix bb
[LSW3-route-policy]apply cost 5     ---- 192.168.3.0/24 leaves LSW3 with cost 5
[LSW3]route-policy bb permit node 20
[LSW3-route-policy]if-match ip-prefix aa     ---- 192.168.2.0/24 keeps the default cost 1

Nodes are evaluated in order and the first matching node decides; a route that matches no permit node is denied, so the transit subnets 10.10.3.0/24 and 10.20.3.0/24 are not redistributed. The cost has to be raised in the node that matches bb, not aa: if LSW3 advertised 192.168.2.0/24 with cost 5 as well, it would tie with the cost 5 that LSW4 applies to that prefix below and the cores would load-balance again.

3. Apply the policy

[LSW3]ospf 1
[LSW3-ospf-1]import-route direct route-policy bb
LSW4:

Raise the cost of the 192.168.2.0/24 route that LSW4 originates and leave the cost of 192.168.3.0/24 unchanged.

The cost is applied through a route-policy at redistribution time; the redistribution must not bring any other routes into OSPF.

Prerequisite: remove the network statements for 192.168.2.0/24 and 192.168.3.0/24 configured earlier on LSW4, for the same reason as on LSW3:

[LSW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
[LSW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0

1. Match the prefixes

[LSW4]ip ip-prefix aa permit 192.168.2.0 24
[LSW4]ip ip-prefix bb permit 192.168.3.0 24

2. Build the route-policy

[LSW4]route-policy aa permit node 10
[LSW4-route-policy]if-match ip-prefix aa
[LSW4-route-policy]apply cost 5     ---- 192.168.2.0/24 leaves LSW4 with cost 5
[LSW4]route-policy aa permit node 20
[LSW4-route-policy]if-match ip-prefix bb     ---- 192.168.3.0/24 keeps the default cost 1

3. Apply the policy

[LSW4]ospf 1
[LSW4-ospf-1]import-route direct route-policy aa
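What the two route-policies and the `ospf cost 5` changes produce on the cores is spelled out by the following Python model. It is an added example, not device code: it applies the prefix-list and node semantics of a VRP route-policy (first matching node wins, unmatched routes denied) to the connected routes of LSW3 and LSW4, then runs OSPF path selection (intra-area before external; Type-2 externals compared on external cost, then on internal cost to the ASBR) from LSW1's and LSW3's point of view. The connected-route lists and the internal costs are taken from the configuration above; the function names are the example's own.

```python
"""Model of the route-policy redistribution and OSPF path selection used above to
pin 192.168.2.0/24 to LSW3 and 192.168.3.0/24 to LSW4 (added example, not device code)."""
from ipaddress import ip_network

# ip ip-prefix aa / bb exactly as configured on LSW3 and LSW4
PREFIX_LISTS = {"aa": ["192.168.2.0/24"], "bb": ["192.168.3.0/24"]}
# route-policy nodes as (node, if-match ip-prefix, apply cost); None keeps the default cost
POLICY_LSW3 = [(10, "bb", 5), (20, "aa", None)]
POLICY_LSW4 = [(10, "aa", 5), (20, "bb", None)]
DEFAULT_EXT_COST = 1          # VRP default cost of an imported (Type-2 external) route

# connected routes present on each switch: the user VLANs plus the two transit links
LSW3_DIRECT = ["192.168.2.0/24", "192.168.3.0/24", "10.10.3.0/24", "10.20.3.0/24"]
LSW4_DIRECT = ["192.168.2.0/24", "192.168.3.0/24", "10.10.4.0/24", "10.20.4.0/24"]


def prefix_matches(prefix, plist_name):
    # 'ip ip-prefix X permit N M' without greater-equal/less-equal matches exactly that prefix
    return any(ip_network(prefix) == ip_network(p) for p in PREFIX_LISTS[plist_name])


def apply_policy(direct_routes, policy):
    """Simulate 'import-route direct route-policy P': returns {prefix: external cost}.
    Nodes are tried in order and the first match decides; a route that matches no
    node is denied, so the transit subnets are never redistributed."""
    advertised = {}
    for prefix in direct_routes:
        for _node, plist_name, cost in policy:
            if prefix_matches(prefix, plist_name):
                advertised[prefix] = DEFAULT_EXT_COST if cost is None else cost
                break
    return advertised


RANK = {"intra": 0, "inter": 1, "ase1": 2, "ase2": 3}


def best_next_hops(candidates):
    """OSPF path selection over (route_type, ext_cost, internal_cost, next_hop) tuples:
    intra-area beats inter-area beats Type-1 beats Type-2 external; Type-2 routes
    compare external cost first and internal cost to the ASBR only on a tie.
    Every candidate sharing the best key is returned (equal-cost multipath)."""
    def key(c):
        rtype, ext, internal, _ = c
        if rtype == "ase2":
            return (RANK[rtype], ext, internal)
        if rtype == "ase1":
            return (RANK[rtype], ext + internal, 0)
        return (RANK[rtype], internal, 0)
    best = min(key(c) for c in candidates)
    return sorted(c[3] for c in candidates if key(c) == best)


def lsw1_next_hops(prefix, with_policy=True, keep_network=False):
    """What LSW1 installs for a user prefix. LSW1 reaches both LSW3 and LSW4 at
    internal cost 1 (its own Vlanif103/104 cost; the 'ospf cost 5' on LSW4's
    Vlanif104 only affects LSW4's outbound direction)."""
    if with_policy:
        adv3 = apply_policy(LSW3_DIRECT, POLICY_LSW3)
        adv4 = apply_policy(LSW4_DIRECT, POLICY_LSW4)
    else:   # plain 'import-route direct': every prefix at the default cost
        adv3 = {p: DEFAULT_EXT_COST for p in LSW3_DIRECT}
        adv4 = {p: DEFAULT_EXT_COST for p in LSW4_DIRECT}
    cands = [("ase2", adv3[prefix], 1, "LSW3"), ("ase2", adv4[prefix], 1, "LSW4")]
    if keep_network:   # 'network 192.168.x.y 0.0.0.0' left in place: intra-area routes exist too
        cands += [("intra", 0, 1, "LSW3"), ("intra", 0, 1, "LSW4")]
    return best_next_hops(cands)


def lsw3_default_next_hops():
    """LSW3's default route: LSW1 and LSW2 both originate it (default-route-advertise,
    Type-2, cost 1); the tie is broken by LSW3's cost to each ASBR, 1 via Vlanif103
    and 5 via Vlanif203 after 'ospf cost 5'."""
    return best_next_hops([("ase2", 1, 1, "LSW1"), ("ase2", 1, 5, "LSW2")])


if __name__ == "__main__":
    print(apply_policy(LSW3_DIRECT, POLICY_LSW3), apply_policy(LSW4_DIRECT, POLICY_LSW4))
    print(lsw1_next_hops("192.168.2.0/24"), lsw1_next_hops("192.168.3.0/24"), lsw3_default_next_hops())
```

`lsw1_next_hops("192.168.2.0/24", keep_network=True)` shows why the `undo network` step is mandatory: with the intra-area routes still present both aggregation switches stay equal-cost no matter what cost the policy applies. `with_policy=False` reproduces the load-balanced state this section started from.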
Result

3. Route exchange between the VRF switches and the firewalls

The firewalls and the VRF switches each run their own set of VRRP groups. The two sets are independent of each other but symmetric: each switch-side group shares a VLAN with one firewall-side group, and the master roles line up so that the SW1 groups pair with the FW1 groups and the SW2 groups with the FW2 groups.

FW1 is master:
    VRRP group 1 ----- VRRP group 5
    VRRP group 3 ----- VRRP group 7
FW2 is master:
    VRRP group 2 ----- VRRP group 6
    VRRP group 4 ----- VRRP group 8

Plan:
VRRP group   Master   Backup   VLAN   Subnet          SW1 IP          SW2 IP          Virtual IP        Use
group 1      SW1      SW2      401    10.40.1.0/24    10.40.1.1/24    10.40.1.2/24    10.40.1.100/24    VRF
group 2      SW2      SW1      402    10.40.2.0/24    10.40.2.1/24    10.40.2.2/24    10.40.2.100/24    VRF
group 3      SW1      SW2      403    10.40.3.0/24    10.40.3.1/24    10.40.3.2/24    10.40.3.100/24    Public
group 4      SW2      SW1      404    10.40.4.0/24    10.40.4.1/24    10.40.4.2/24    10.40.4.100/24    Public

VRRP group   Master   Backup   VLAN   Subnet          FW1 IP          FW2 IP          Virtual IP        Use
group 5      FW1      FW2      401    10.40.1.0/24    10.40.1.10/24   10.40.1.20/24   10.40.1.200/24    firewall
group 6      FW2      FW1      402    10.40.2.0/24    10.40.2.10/24   10.40.2.20/24   10.40.2.200/24    firewall
group 7      FW1      FW2      403    10.40.3.0/24    10.40.3.10/24   10.40.3.20/24   10.40.3.200/24    firewall
group 8      FW2      FW1      404    10.40.4.0/24    10.40.4.10/24   10.40.4.20/24   10.40.4.200/24    firewall

The switch configuration shown below covers the VRF side only (Vlanif 401/402, groups 1 and 2). The public side of LSW1 and LSW2 (Vlanif 403/404 in the global routing table, groups 3 and 4 with virtual IPs 10.40.3.100 and 10.40.4.100) has to be configured the same way from the plan above; the firewall default routes later in this section point at those two virtual IPs.
LSW1
[LSW1]vlan batch 401 402
[LSW1]interface GigabitEthernet 0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk 
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[LSW1]interface GigabitEthernet 0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk 
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 401 402

[LSW1]interface Vlanif 401
[LSW1-Vlanif401]ip binding vpn-instance VRF
[LSW1-Vlanif401]ip address 10.40.1.1 24
[LSW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[LSW1-Vlanif401]vrrp vrid 1 priority 120
[LSW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[LSW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/3 reduced 30     ---- GE0/0/3 carries VLANs 401/402 towards the firewalls; 120-30 = 90 hands the group to LSW2 if that link fails

[LSW1]interface Vlanif 402
[LSW1-Vlanif402]ip binding vpn-instance VRF
[LSW1-Vlanif402]ip address 10.40.2.1 24
[LSW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100

SW1 upstream routes (VRF):
[LSW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[LSW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70

A static route whose next hop is a VRRP virtual IP stays active as long as the VLAN interface is up; the switch never learns that the firewall owning the address has failed. Firewall failover is therefore handled by HRP moving the virtual IP (and its virtual MAC) to the peer, and the preference-70 route only takes over when Vlanif 401 itself goes down.

SW1 downstream routes (Public):
[LSW1]ip route-static 192.168.0.0 16 10.40.3.200
[LSW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70
LSW2
[LSW2]vlan batch 401 402
[LSW2]interface GigabitEthernet 0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[LSW2]interface GigabitEthernet 0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 401 402

[LSW2]interface Vlanif 401
[LSW2-Vlanif401]ip binding vpn-instance VRF
[LSW2-Vlanif401]ip address 10.40.1.2 24
[LSW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100

[LSW2]interface Vlanif 402
[LSW2-Vlanif402]ip binding vpn-instance VRF
[LSW2-Vlanif402]ip address 10.40.2.2 24
[LSW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[LSW2-Vlanif402]vrrp vrid 2 priority 120
[LSW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[LSW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30


SW2 upstream routes (VRF):
[LSW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[LSW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70

SW2 downstream routes (Public):
[LSW2]ip route-static 192.168.0.0 16 10.40.4.200
[LSW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70
FW1
[FW1]vlan batch 401 402 403 404

[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 10.10.10.1 30

[FW1]interface GigabitEthernet 1/0/2.401
[FW1-GigabitEthernet1/0/2.401]ip address 10.40.1.10 24
[FW1-GigabitEthernet1/0/2.401]vlan-type dot1q 401

[FW1]interface GigabitEthernet 1/0/2.402
[FW1-GigabitEthernet1/0/2.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet1/0/2.402]vlan-type dot1q 402

[FW1]interface GigabitEthernet 1/0/3.403
[FW1-GigabitEthernet1/0/3.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/3.403]vlan-type dot1q 403

[FW1]interface GigabitEthernet 1/0/3.404
[FW1-GigabitEthernet1/0/3.404]ip address 10.40.4.10 24
[FW1-GigabitEthernet1/0/3.404]vlan-type dot1q 404

Security zone assignment:
[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/2.402

[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/3.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/3.404

[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/0
FW2
[FW2]vlan batch 401 402 403 404

[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip address 10.10.10.2 30

[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401

[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip address 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402

[FW2]interface GigabitEthernet 1/0/3.403
[FW2-GigabitEthernet1/0/3.403]ip address 10.40.3.20 24
[FW2-GigabitEthernet1/0/3.403]vlan-type dot1q 403

[FW2]interface GigabitEthernet 1/0/3.404
[FW2-GigabitEthernet1/0/3.404]ip address 10.40.4.20 24
[FW2-GigabitEthernet1/0/3.404]vlan-type dot1q 404

Security zone assignment:
[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402

[FW2]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/3.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/3.404

[FW2]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0
Firewall hot-standby (HRP) configuration:
FW1
FW1 downstream interfaces (VRF side):
[FW1]interface GigabitEthernet 1/0/2.401
[FW1-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1]interface GigabitEthernet 1/0/2.402
[FW1-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby

FW1 upstream interfaces (Public side):
[FW1]interface GigabitEthernet 1/0/3.403
[FW1-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1]interface GigabitEthernet 1/0/3.404
[FW1-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby 

[FW1]hrp mirror session enable   ------ quick session backup: a session is copied to the peer as soon as it is created, so a flow whose return path lands on the other firewall is still matched
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2   ---- heartbeat interface and peer address
[FW1]hrp enable   ----- start HRP

FW1 upstream routes:
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70

FW1 downstream routes:
(192.168.2.0/24 and 192.168.3.0/24 are summarized as 192.168.0.0/16)
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70
FW2
FW2 downstream interfaces (VRF side):
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active 

FW2 upstream interfaces (Public side):
[FW2]interface GigabitEthernet 1/0/3.403
[FW2-GigabitEthernet1/0/3.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby
[FW2]interface GigabitEthernet 1/0/3.404 
[FW2-GigabitEthernet1/0/3.404]vrrp vrid 8 virtual-ip 10.40.4.200 active

[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable

FW2 upstream routes:
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70

FW2 downstream routes:
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70
Security policy configuration:
HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name trust_to_untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-address 192.168.0.0 16 (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]action permit (+B)

The (+B) marker means the command is backed up to the peer by HRP, so the rule is entered on the master only. The single rule permits sessions initiated from the user VLANs towards untrust; return packets of those sessions are matched by session state, and nothing permits untrust to trust, so inbound connection attempts fall to the default deny.

Check that the security policy has been synchronized to FW2.

4. Core-to-edge configuration

Plan:
SW1-SW2: VLAN 201, 10.20.1.0/24
SW1-R5: VLAN 105, 10.10.5.0/24
SW2-R6: VLAN 206, 10.20.6.0/24
R5-R6: 10.56.0.0/24

LSW1
[LSW1]vlan batch 201 105

[LSW1]interface GigabitEthernet 0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk 
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 201
[LSW1-GigabitEthernet0/0/2]undo stp enable 

[LSW1]interface GigabitEthernet 0/0/7
[LSW1-GigabitEthernet0/0/7]port link-type access
[LSW1-GigabitEthernet0/0/7]port default vlan 105
[LSW1-GigabitEthernet0/0/7]undo stp enable 

[LSW1]interface Vlanif 105
[LSW1-Vlanif105]ip address 10.10.5.1 24
[LSW1]interface Vlanif 201
[LSW1-Vlanif201]ip address 10.20.1.1 24

[LSW1]ospf 2 router-id 1.1.1.1
[LSW1-ospf-2]area 0
[LSW1-ospf-2-area-0.0.0.0]network 10.20.1.1 0.0.0.0
[LSW1-ospf-2-area-0.0.0.0]network 10.10.5.1 0.0.0.0
LSW2
[LSW2]vlan batch 201 206

[LSW2]interface GigabitEthernet 0/0/2
[LSW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 201
[LSW2-GigabitEthernet0/0/2]undo stp enable 

[LSW2]interface GigabitEthernet 0/0/7
[LSW2-GigabitEthernet0/0/7]port link-type access 
[LSW2-GigabitEthernet0/0/7]port default vlan 206
[LSW2-GigabitEthernet0/0/7]undo stp enable

[LSW2]interface Vlanif 201
[LSW2-Vlanif201]ip address 10.20.1.2 24
[LSW2]interface Vlanif 206
[LSW2-Vlanif206]ip address 10.20.6.2 24

[LSW2]ospf 2 router-id 2.2.2.2
[LSW2-ospf-2]area 0
[LSW2-ospf-2-area-0.0.0.0]network 10.20.1.2 0.0.0.0
[LSW2-ospf-2-area-0.0.0.0]network 10.20.6.2 0.0.0.0
R5
[R5]interface GigabitEthernet 0/0/0
[R5-GigabitEthernet0/0/0]ip address 10.10.5.5 24
[R5]interface GigabitEthernet 0/0/1
[R5-GigabitEthernet0/0/1]ip address 10.56.0.5 24

[R5]ospf 1 router-id 5.5.5.5
[R5-ospf-1]area 0
[R5-ospf-1-area-0.0.0.0]network 10.10.5.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0]network 10.56.0.5 0.0.0.0

R6
[R6]interface GigabitEthernet 0/0/0
[R6-GigabitEthernet0/0/0]ip address 10.20.6.6 24
[R6]interface GigabitEthernet 0/0/1
[R6-GigabitEthernet0/0/1]ip address 10.56.0.6 24

[R6]ospf 1 router-id 6.6.6.6
[R6-ospf-1]area 0
[R6-ospf-1-area-0.0.0.0]network 10.56.0.6 0.0.0.0
[R6-ospf-1-area-0.0.0.0]network 10.20.6.6 0.0.0.0

5. Outer network configuration

ISP
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 12.0.0.100 24
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 13.0.0.100 24
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip address 100.1.1.1 24
R5
[R5]interface GigabitEthernet 0/0/2
[R5-GigabitEthernet0/0/2]ip address 12.0.0.5 24
[R5]ip route-static 0.0.0.0 0 12.0.0.100 
[R5]ospf 1
[R5-ospf-1]default-route-advertise

[R5]acl 2000
[R5-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R5]interface GigabitEthernet 0/0/2
[R5-GigabitEthernet0/0/2]nat outbound 2000
R6
[R6]interface GigabitEthernet 0/0/2
[R6-GigabitEthernet0/0/2]ip address 13.0.0.6 24
[R6]ip route-static 0.0.0.0 0 13.0.0.100
[R6]ospf 1
[R6-ospf-1]default-route-advertise

[R6]acl 2000
[R6-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R6]interface GigabitEthernet 0/0/2
[R6-GigabitEthernet0/0/2]nat outbound 2000
LSW1, LSW2

Advertise the default route that points at the firewalls from LSW1 and LSW2 into the VRF OSPF (process 1), and import the static routes into OSPF process 2 on LSW1 and LSW2 so that R5 and R6 learn 192.168.0.0/16:

[LSW1]ospf 1
[LSW1-ospf-1]default-route-advertise
[LSW1]ospf 2
[LSW1-ospf-2]import-route static     ---- imports every static route of the global table; here that is only 192.168.0.0/16 towards the firewall virtual IPs, the VRF statics live in the vpn-instance and are not touched

[LSW2]ospf 1
[LSW2-ospf-1]default-route-advertise
[LSW2]ospf 2
[LSW2-ospf-2]import-route static 
Test
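The test for requirements 1 and 2 can be done on paper before it is done in the emulator. The following Python is an added example, not device code: it encodes the forwarding decision of every hop as configured in sections 2 to 5 (OSPF preferences, static routes towards VRRP virtual IPs with their preference-70 backups, and the master/backup order of the eight VRRP groups) and traces a flow out to the ISP and back from the router that performed the NAT. The host addresses 192.168.2.10 and 192.168.3.10 and the node names are constructed for the demo; the ISP loopback 100.1.1.1 stands in for the Internet.

```python
"""Path check for the design above: the forwarding decision of every hop as configured
in sections 2 to 5, with each VRRP virtual IP resolved to whichever owner is alive.
Added example, not device code; host addresses are constructed for the demo."""
from ipaddress import ip_address, ip_network

# VRRP groups from the plan table: virtual IP -> [master, backup]
VIPS = {
    "10.40.1.100": ["SW1_VRF", "SW2_VRF"], "10.40.2.100": ["SW2_VRF", "SW1_VRF"],
    "10.40.3.100": ["SW1_PUB", "SW2_PUB"], "10.40.4.100": ["SW2_PUB", "SW1_PUB"],
    "10.40.1.200": ["FW1", "FW2"],         "10.40.2.200": ["FW2", "FW1"],
    "10.40.3.200": ["FW1", "FW2"],         "10.40.4.200": ["FW2", "FW1"],
}
USER, VLAN2 = ip_network("192.168.0.0/16"), ip_network("192.168.2.0/24")
# static route pairs (primary VIP, preference-70 backup VIP) per hop
VRF_UP = {"SW1_VRF": ("10.40.1.200", "10.40.2.200"), "SW2_VRF": ("10.40.2.200", "10.40.1.200")}
FW_UP = {"FW1": ("10.40.3.100", "10.40.4.100"), "FW2": ("10.40.4.100", "10.40.3.100")}
FW_DOWN = {"FW1": ("10.40.1.100", "10.40.2.100"), "FW2": ("10.40.2.100", "10.40.1.100")}
PUB_DOWN = {"SW1_PUB": ("10.40.3.200", "10.40.4.200"), "SW2_PUB": ("10.40.4.200", "10.40.3.200")}
# OSPF-derived preferences (nearer ASBR first): process 2 default route and 192.168.0.0/16
PUB_UP = {"SW1_PUB": ("R5", "SW2_PUB"), "SW2_PUB": ("R6", "SW1_PUB")}
EDGE_DOWN = {"R5": ("SW1_PUB", "R6"), "R6": ("SW2_PUB", "R5")}
UPLINK = {"LSW3": ("SW1_VRF", "SW2_VRF"), "LSW4": ("SW2_VRF", "SW1_VRF")}   # Vlanif cost 1 vs 5


def first_alive(primary, backup, failed):
    return next((n for n in (primary, backup) if n not in failed), None)


def vip_owner(vip, failed):
    """The VRRP master currently answering for a virtual IP (None if every member is down)."""
    return next((o for o in VIPS[vip] if o not in failed), None)


def via_vips(pair, failed):
    """A static route to a VIP stays active while the VLAN is up, so the preference-70
    backup route is only used when the primary VIP has no live owner at all."""
    return vip_owner(pair[0], failed) or vip_owner(pair[1], failed)


def next_hop(node, dst, failed):
    """One forwarding decision at 'node' for destination 'dst'; 'failed' lists dead devices."""
    inside = dst in USER
    if node in UPLINK:
        return "PC" if inside else first_alive(*UPLINK[node], failed)
    if node in VRF_UP:
        if not inside:
            return via_vips(VRF_UP[node], failed)
        pri, bak = ("LSW3", "LSW4") if dst in VLAN2 else ("LSW4", "LSW3")   # route-policy costs
        return first_alive(pri, bak, failed)
    if node in FW_UP:
        return via_vips((FW_DOWN if inside else FW_UP)[node], failed)
    if node in PUB_UP:
        return via_vips(PUB_DOWN[node], failed) if inside else first_alive(*PUB_UP[node], failed)
    if node in EDGE_DOWN:
        return first_alive(*EDGE_DOWN[node], failed) if inside else "ISP"
    return None


def trace(start, dst, failed=frozenset(), limit=12):
    """Hop list from 'start' until the ISP or the host VLAN ('PC') is reached."""
    dst, node, path = ip_address(dst), start, [start]
    while node not in ("ISP", "PC") and len(path) < limit:
        node = next_hop(node, dst, failed)
        if node is None:
            break
        path.append(node)
    return path


def round_trip(host, failed=frozenset()):
    """Forward path to the Internet and the return path from the NAT router (the hop
    before the ISP, which also owns the translated address) back to the host."""
    pri, bak = ("LSW3", "LSW4") if ip_address(host) in VLAN2 else ("LSW4", "LSW3")
    out = trace(first_alive(pri, bak, failed), "100.1.1.1", failed)   # ISP loopback = Internet
    return out, trace(out[-2], host, failed)


def same_firewall(host, failed=frozenset()):
    """True when both directions of the flow cross exactly one and the same firewall."""
    out, back = round_trip(host, failed)
    fws = [{n for n in p if n.startswith("FW")} for p in (out, back)]
    return len(fws[0]) == 1 and fws[0] == fws[1]


if __name__ == "__main__":
    for failed in (set(), {"FW1"}, {"SW1_VRF", "SW1_PUB"}, {"R5"}):
        out, back = round_trip("192.168.2.10", failed)
        print(sorted(failed), out, back, same_firewall("192.168.2.10", failed))
```

`same_firewall("192.168.2.10", failed={"R5"})` is the interesting case: with R5 down the forward path leaves through FW1 and then SW2/R6, but R6 returns the traffic to the nearer ASBR SW2, whose 192.168.0.0/16 route points at FW2. Only the quick session backup enabled with `hrp mirror session enable` keeps that flow alive. Failing FW1, or the whole of SW1, keeps both directions on FW2, exactly as the requirements list expects.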
