Example: Deploying a VRRP-Based Three-Layer Data Center Network
1. Networking Requirements
In a data center, the network is deployed in three layers: access, aggregation and core. The user requires the following:
1) For service reliability, VRRP is deployed between the access and aggregation layers so that when one uplink fails, traffic is switched to the other uplink.
2) Loops between the access and aggregation layers are eliminated, avoiding the loop problems that redundant backup links would otherwise cause.
3) Firewalls are attached to the core-layer devices to provide security filtering of service traffic.
4) OSPF is deployed between the aggregation and core layers for Layer 3 connectivity.
Table 1 Data preparation (using SwitchA, SwitchB, SwitchC and SwitchD as examples)
2. Requirement Analysis
1) Deploy VRRP between aggregation switches SwitchA and SwitchB to provide link redundancy.
2) Deploy MSTP among aggregation switches SwitchA and SwitchB and access switch SwitchC to eliminate loops in the network.
3) Configure egress firewalls FW-1 and FW-2 in hot standby, so that traffic forwarded by core switch SwitchI or SwitchJ is processed by the firewall security policy before it flows to the data center or the Internet.
4) Deploy OSPF among aggregation switches SwitchA and SwitchB and core switches SwitchI and SwitchJ for Layer 3 connectivity.
3. Procedure
3.1 Configuring basic MSTP functions
Note:
Two devices belong to the same MST region only when all of the following settings are identical on both:
- MST region name
- Mapping between multiple spanning tree instances (MSTIs) and VLANs
- MST region revision level
a. Add SwitchA, SwitchB and SwitchC to the MST region named RG1 and create instances MSTI1 and MSTI2
# Configure the MST region on aggregation switch SwitchA:
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] region-name RG1
[*SwitchA-mst-region] instance 1 vlan 2
[*SwitchA-mst-region] instance 2 vlan 3
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit
# Configure the MST region on aggregation switch SwitchB:
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] region-name RG1
[*SwitchB-mst-region] instance 1 vlan 2
[*SwitchB-mst-region] instance 2 vlan 3
[*SwitchB-mst-region] commit
[~SwitchB-mst-region] quit
# Configure the MST region on access switch SwitchC:
<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] region-name RG1
[*SwitchC-mst-region] instance 1 vlan 2
[*SwitchC-mst-region] instance 2 vlan 3
[*SwitchC-mst-region] commit
[~SwitchC-mst-region] quit
# Configure the MST region on access switch SwitchD:
<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] region-name RG1
[*SwitchD-mst-region] instance 1 vlan 2
[*SwitchD-mst-region] instance 2 vlan 3
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit
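The note at the start of 3.1 gives the rule that decides whether switches share one MST region: region name, revision level and MSTI-to-VLAN mapping must all match. The following Python script checks that rule mechanically against configuration text rather than by eye. It is an added example, not Huawei's code or part of this document; the configuration excerpts are constructed inside the script (SwitchA/B/C reproduce the RG1 settings above, SwitchX is a made-up misconfiguration), and `revision-level` is assumed to default to 0 when absent.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MstRegion:
    name: str
    revision: int      # assumed 0 when no revision-level line is configured
    mapping: tuple     # sorted (instance, vlan) pairs


def _expand_vlans(tokens):
    """Expand a VLAN list such as ['2', 'to', '4', '7'] into [2, 3, 4, 7]."""
    out, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.append(int(tokens[i]))
            i += 1
    return out


def parse_mst_region(config):
    """Extract name, revision and MSTI-to-VLAN mapping from a CE-style configuration text."""
    name, revision, mapping, in_block = "", 0, [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "stp region-configuration":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "#":          # section separator ends the region block
            break
        m = re.fullmatch(r"region-name (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.fullmatch(r"revision-level (\d+)", line)
        if m:
            revision = int(m.group(1))
            continue
        m = re.fullmatch(r"instance (\d+) vlan (.+)", line)
        if m:
            inst = int(m.group(1))
            mapping.extend((inst, v) for v in _expand_vlans(m.group(2).split()))
    return MstRegion(name, revision, tuple(sorted(mapping)))


def region_mismatches(configs):
    """Compare every switch with the first one; return (switch, reason) for each difference."""
    parsed = {sw: parse_mst_region(cfg) for sw, cfg in configs.items()}
    ref = next(iter(parsed.values()))
    problems = []
    for sw, reg in parsed.items():
        if reg.name != ref.name:
            problems.append((sw, f"region name {reg.name} differs from {ref.name}"))
        if reg.revision != ref.revision:
            problems.append((sw, f"revision level {reg.revision} differs from {ref.revision}"))
        if reg.mapping != ref.mapping:
            problems.append((sw, "MSTI-to-VLAN mapping differs"))
    return problems


# Constructed configuration excerpts. The first three reproduce the RG1 settings
# of the example; SWITCH_BAD is a deliberately wrong one (VLAN 3 mapped to MSTI 1)
# to show what the check reports.
SWITCH_A = "sysname SwitchA\n#\nstp region-configuration\n region-name RG1\n instance 1 vlan 2\n instance 2 vlan 3\n#\n"
SWITCH_B = SWITCH_A.replace("SwitchA", "SwitchB")
SWITCH_C = SWITCH_A.replace("SwitchA", "SwitchC")
SWITCH_BAD = "sysname SwitchX\n#\nstp region-configuration\n region-name RG1\n instance 1 vlan 2 to 3\n#\n"

if __name__ == "__main__":
    print(region_mismatches({"SwitchA": SWITCH_A, "SwitchB": SWITCH_B, "SwitchC": SWITCH_C}))
    print(region_mismatches({"SwitchA": SWITCH_A, "SwitchX": SWITCH_BAD}))
```

Feed the script the output of `display current-configuration` from each switch; an empty list means all devices are in one region, and a switch that silently formed its own region (the usual cause of an unexpected blocked port) is reported with the field that differs.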
b. In region RG1, configure the root bridge and backup root bridge for MSTI1 and MSTI2
- Configure the root bridge and backup root bridge for MSTI1
# Configure aggregation switch SwitchA as the root bridge of MSTI1:
[~SwitchA] stp instance 1 root primary
[*SwitchA] commit
# Configure aggregation switch SwitchB as the backup root bridge of MSTI1:
[~SwitchB] stp instance 1 root secondary
[*SwitchB] commit
- Configure the root bridge and backup root bridge for MSTI2
# Configure aggregation switch SwitchB as the root bridge of MSTI2:
[~SwitchB] stp instance 2 root primary
[*SwitchB] commit
# Configure aggregation switch SwitchA as the backup root bridge of MSTI2:
[~SwitchA] stp instance 2 root secondary
[*SwitchA] commit
c. In instances MSTI1 and MSTI2, set the path cost of the ports to be blocked to a value larger than the default
Note:
- The value range of the port path cost depends on the path cost calculation method. This example uses the Huawei proprietary method and sets the path cost of the ports to be blocked in MSTI1 and MSTI2 to 20000.
- All switches in the same network must use the same path cost calculation method.
# Set the port path cost calculation method on aggregation switch SwitchA to the Huawei proprietary method.
[~SwitchA] stp pathcost-standard legacy
[*SwitchA] commit
# Set the port path cost calculation method on aggregation switch SwitchB to the Huawei proprietary method.
[~SwitchB] stp pathcost-standard legacy
[*SwitchB] commit
# Set the port path cost calculation method on access switch SwitchC to the Huawei proprietary method and set the path cost of port 10GE1/0/2 in MSTI1 to 20000.
[~SwitchC] stp pathcost-standard legacy
[*SwitchC] interface 10ge 1/0/2
[*SwitchC-10GE1/0/2] description TO-CE12800-SWITCHB
[*SwitchC-10GE1/0/2] stp instance 1 cost 20000
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
# Set the port path cost calculation method on access switch SwitchD to the Huawei proprietary method and set the path cost of port 10GE1/0/2 in MSTI2 to 20000.
[~SwitchD] stp pathcost-standard legacy
[*SwitchD] interface 10ge 1/0/2
[*SwitchD-10GE1/0/2] description TO-CE12800-SWITCHA
[*SwitchD-10GE1/0/2] stp instance 2 cost 20000
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
d. Enable MSTP to remove loops
Note:
MSTP is enabled on the devices by default.
- Enable MSTP globally on each device
# Enable MSTP on aggregation switch SwitchA:
[~SwitchA] stp enable
[*SwitchA] commit
# Enable MSTP on aggregation switch SwitchB:
[~SwitchB] stp enable
[*SwitchB] commit
# Enable MSTP on access switch SwitchC:
[~SwitchC] stp enable
[*SwitchC] commit
# Enable MSTP on access switch SwitchD:
[~SwitchD] stp enable
[*SwitchD] commit
- Configure the ports connected to hosts as edge ports
# Configure port 10GE1/0/3 on access switch SwitchC as an edge port
[~SwitchC] interface 10ge 1/0/3
[*SwitchC-10GE1/0/3] description TO-HOSTA
[*SwitchC-10GE1/0/3] stp edged-port enable
[*SwitchC-10GE1/0/3] commit
[~SwitchC-10GE1/0/3] quit
# Configure port 10GE1/0/3 on access switch SwitchD as an edge port
[~SwitchD] interface 10ge 1/0/3
[*SwitchD-10GE1/0/3] description TO-HOSTB
[*SwitchD-10GE1/0/3] stp edged-port enable
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit
3.2 Configuring protection functions, such as root protection on the designated ports of each instance's root bridge
# Enable root protection on port 10GE1/0/1 of aggregation switch SwitchA
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] description TO-CE6800-SWITCHC
[*SwitchA-10GE1/0/1] stp root-protection
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
# Enable root protection on port 10GE1/0/1 of aggregation switch SwitchB
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] description TO-CE6800-SWITCHD
[*SwitchB-10GE1/0/1] stp root-protection
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
3.3 Configuring Layer 2 forwarding on the devices in the ring
- Create VLANs 2 and 3 on SwitchA, SwitchB and SwitchC
# Create VLANs 2 and 3 on aggregation switch SwitchA:
[~SwitchA] vlan batch 2 to 3
# Create VLANs 2 and 3 on aggregation switch SwitchB:
[~SwitchB] vlan batch 2 to 3
# Create VLAN 2 on access switch SwitchC:
[~SwitchC] vlan batch 2
# Create VLAN 3 on access switch SwitchD:
[~SwitchD] vlan batch 3
- Add the switch ports that connect to the ring to the VLANs
# Add port 10GE1/0/1 of aggregation switch SwitchA to its VLAN
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 2
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit
# Add port 10GE1/0/2 of aggregation switch SwitchA to its VLAN
[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] description TO-CE6800-SWITCHD
[*SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 3
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit
# Add port 10GE1/0/3 of aggregation switch SwitchA to its VLANs
[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] description TO-CE12800-SWITCHB
[*SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 2 to 3
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit
# Add port 10GE1/0/1 of aggregation switch SwitchB to its VLAN
[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 3
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit
# Add port 10GE1/0/2 of aggregation switch SwitchB to its VLAN
[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] description TO-CE6800-SWITCHC
[*SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 2
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit
# Add port 10GE1/0/3 of aggregation switch SwitchB to its VLANs
[~SwitchB] interface 10ge 1/0/3
[~SwitchB-10GE1/0/3] description TO-CE12800-SWITCHA
[*SwitchB-10GE1/0/3] port link-type trunk
[*SwitchB-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/3] port trunk allow-pass vlan 2 to 3
[*SwitchB-10GE1/0/3] commit
[~SwitchB-10GE1/0/3] quit
# Add port 10GE1/0/1 of access switch SwitchC to its VLAN
[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] description TO-CE12800-SWITCHA
[*SwitchC-10GE1/0/1] port link-type trunk
[*SwitchC-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/1] port trunk allow-pass vlan 2
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit
# Add port 10GE1/0/2 of access switch SwitchC to its VLAN
[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[*SwitchC-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/2] port trunk allow-pass vlan 2
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
# Add port 10GE1/0/3 of access switch SwitchC to its VLAN
[~SwitchC] interface 10ge 1/0/3
[~SwitchC-10GE1/0/3] port link-type access
[*SwitchC-10GE1/0/3] port default vlan 2
[*SwitchC-10GE1/0/3] commit
[~SwitchC-10GE1/0/3] quit
# Add port 10GE1/0/1 of access switch SwitchD to its VLAN
[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] description TO-CE12800-SWITCHB
[*SwitchD-10GE1/0/1] port link-type trunk
[*SwitchD-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/1] port trunk allow-pass vlan 3
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit
# Add port 10GE1/0/2 of access switch SwitchD to its VLAN
[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/2] port trunk allow-pass vlan 3
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
# Add port 10GE1/0/3 of access switch SwitchD to its VLAN
[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port link-type access
[*SwitchD-10GE1/0/3] port default vlan 3
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit
3.4 Configuring VRRP groups
# Create VRRP group 1 on aggregation switches SwitchA and SwitchB. Set the priority of SwitchA to 120 and its preemption delay to 20 seconds so that it becomes the master; leave SwitchB at the default priority so that it is the backup.
[~SwitchA] interface vlanif 2
[*SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*SwitchA-Vlanif2] vrrp vrid 1 priority 120
[*SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20
[*SwitchA-Vlanif2] commit
[~SwitchA-Vlanif2] quit
[~SwitchB] interface vlanif 2
[*SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*SwitchB-Vlanif2] commit
[~SwitchB-Vlanif2] quit
# Create VRRP group 2 on aggregation switches SwitchA and SwitchB. Set the priority of SwitchB to 120 and its preemption delay to 20 seconds so that it becomes the master; leave SwitchA at the default priority so that it is the backup.
[~SwitchB] interface vlanif 3
[*SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*SwitchB-Vlanif3] vrrp vrid 2 priority 120
[*SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
[*SwitchB-Vlanif3] commit
[~SwitchB-Vlanif3] quit
[~SwitchA] interface vlanif 3
[*SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*SwitchA-Vlanif3] commit
[~SwitchA-Vlanif3] quit
# Set the default gateway of HostA to 10.1.2.100, the virtual IP address of VRRP group 1, and the default gateway of HostB to 10.1.3.100, the virtual IP address of VRRP group 2.
3.5 Configuring network connectivity between devices
# Configure IP addresses on the device interfaces, using aggregation switch SwitchA as an example. The configurations of SwitchB, SwitchI and SwitchJ are similar; see the configuration files.
[~SwitchA] vlan batch 6 7
[*SwitchA] interface 10ge 1/0/4
[*SwitchA-10GE1/0/4] description TO-CE12800-SWITCHI
[*SwitchA-10GE1/0/4] port link-type trunk
[*SwitchA-10GE1/0/4] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/4] port trunk allow-pass vlan 6
[*SwitchA-10GE1/0/4] quit
[*SwitchA] interface 10ge 1/0/5
[*SwitchA-10GE1/0/5] description TO-CE12800-SWITCHJ
[*SwitchA-10GE1/0/5] port link-type trunk
[*SwitchA-10GE1/0/5] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/5] port trunk allow-pass vlan 7
[*SwitchA-10GE1/0/5] quit
[*SwitchA] interface vlanif 2
[*SwitchA-Vlanif2] ip address 10.1.2.102 24
[*SwitchA-Vlanif2] quit
[*SwitchA] interface vlanif 3
[*SwitchA-Vlanif3] ip address 10.1.3.102 24
[*SwitchA-Vlanif3] quit
[*SwitchA] interface vlanif 6
[*SwitchA-Vlanif6] ip address 10.1.6.102 24
[*SwitchA-Vlanif6] quit
[*SwitchA] interface vlanif 7
[*SwitchA-Vlanif7] ip address 10.1.7.102 24
[*SwitchA-Vlanif7] quit
[*SwitchA] commit
# Configure OSPF for connectivity among aggregation switches SwitchA and SwitchB, core switches SwitchI and SwitchJ, and the egress routers.
[~SwitchA] ospf 1
[*SwitchA-ospf-1] area 0
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.6.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.7.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] quit
[*SwitchA-ospf-1] quit
[*SwitchA] commit
3.6 Configuring the firewalls
Configure FW-1 and FW-2 in hot standby. Packets forwarded by SwitchI and SwitchJ are processed by the security policy on FW-1 or FW-2 and then flow to the data center or the Internet.
FW-1 and FW-2 work in load-balancing mode and both forward traffic; when one firewall fails, services switch smoothly to the other.
The following uses Huawei USG unified security gateways as FW-1 and FW-2 to describe the hot standby load-balancing configuration.
a. Complete the basic configuration on egress firewall FW-1, including the device name, interfaces and security zones.
<USG> system-view
[USG] sysname FW-1
[FW-1] interface GigabitEthernet 1/0/1
[FW-1-GigabitEthernet1/0/1] ip address 172.16.1.1 24
[FW-1-GigabitEthernet1/0/1] quit
[FW-1] interface GigabitEthernet 1/0/2
[FW-1-GigabitEthernet1/0/2] ip address 172.16.2.1 24
[FW-1-GigabitEthernet1/0/2] quit
[FW-1] interface GigabitEthernet 1/0/3
[FW-1-GigabitEthernet1/0/3] ip address 172.16.3.1 24
[FW-1-GigabitEthernet1/0/3] quit
[FW-1] interface GigabitEthernet 1/0/4
[FW-1-GigabitEthernet1/0/4] ip address 172.16.4.1 24
[FW-1-GigabitEthernet1/0/4] quit
[FW-1] interface Eth-Trunk 1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
[FW-1-Eth-Trunk1] ip address 172.16.5.1 24
[FW-1-Eth-Trunk1] quit
[FW-1] firewall zone trust
[FW-1-zone-trust] add interface GigabitEthernet 1/0/1
[FW-1-zone-trust] add interface GigabitEthernet 1/0/3
[FW-1-zone-trust] quit
[FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-1-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk 1
[FW-1-zone-dmz] quit
[FW-1] interface LoopBack 1
[FW-1-LoopBack1] ip address 172.16.100.1 32
[FW-1-LoopBack1] quit
[FW-1] interface LoopBack 2
[FW-1-LoopBack2] ip address 172.16.100.2 32
[FW-1-LoopBack2] quit
[FW-1] interface LoopBack 3
[FW-1-LoopBack3] ip address 172.16.100.3 32
[FW-1-LoopBack3] quit
[FW-1] interface LoopBack 4
[FW-1-LoopBack4] ip address 172.16.100.4 32
[FW-1-LoopBack4] quit
b. Complete the basic configuration on egress firewall FW-2, including the device name, interfaces and security zones.
<USG> system-view
[USG] sysname FW-2
[FW-2] interface GigabitEthernet 1/0/1
[FW-2-GigabitEthernet1/0/1] ip address 172.16.6.1 24
[FW-2-GigabitEthernet1/0/1] quit
[FW-2] interface GigabitEthernet 1/0/2
[FW-2-GigabitEthernet1/0/2] ip address 172.16.7.1 24
[FW-2-GigabitEthernet1/0/2] quit
[FW-2] interface GigabitEthernet 1/0/3
[FW-2-GigabitEthernet1/0/3] ip address 172.16.8.1 24
[FW-2-GigabitEthernet1/0/3] quit
[FW-2] interface GigabitEthernet 1/0/4
[FW-2-GigabitEthernet1/0/4] ip address 172.16.9.1 24
[FW-2-GigabitEthernet1/0/4] quit
[FW-2] interface Eth-Trunk 1
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
[FW-2-Eth-Trunk1] ip address 172.16.10.1 24
[FW-2-Eth-Trunk1] quit
[FW-2] firewall zone trust
[FW-2-zone-trust] add interface GigabitEthernet 1/0/1
[FW-2-zone-trust] add interface GigabitEthernet 1/0/3
[FW-2-zone-trust] quit
[FW-2] firewall zone untrust
[FW-2-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-2-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-2-zone-untrust] quit
[FW-2] firewall zone dmz
[FW-2-zone-dmz] add interface Eth-Trunk 1
[FW-2-zone-dmz] quit
[FW-2] interface LoopBack 1
[FW-2-LoopBack1] ip address 172.16.100.1 32
[FW-2-LoopBack1] quit
[FW-2] interface LoopBack 2
[FW-2-LoopBack2] ip address 172.16.100.2 32
[FW-2-LoopBack2] quit
[FW-2] interface LoopBack 3
[FW-2-LoopBack3] ip address 172.16.100.3 32
[FW-2-LoopBack3] quit
[FW-2] interface LoopBack 4
[FW-2-LoopBack4] ip address 172.16.100.4 32
[FW-2-LoopBack4] quit
c. Configure OSPF on egress firewalls FW-1 and FW-2.
When configuring router IDs, assign a different router ID to each OSPF process. The active and standby firewalls must also use router IDs that differ from each other's, otherwise OSPF routes flap.
[FW-1] ospf 1 router-id 172.16.100.1
[FW-1-ospf-1] area 0
[FW-1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[FW-1-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
[FW-1-ospf-1-area-0.0.0.0] quit
[FW-1-ospf-1] quit
[FW-1] ospf 2 router-id 172.16.100.2
[FW-1-ospf-2] area 0
[FW-1-ospf-2-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[FW-1-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
[FW-1-ospf-2-area-0.0.0.0] quit
[FW-1-ospf-2] quit
[FW-1] ospf 3 router-id 172.16.100.3
[FW-1-ospf-3] area 0
[FW-1-ospf-3-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[FW-1-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
[FW-1-ospf-3-area-0.0.0.0] quit
[FW-1-ospf-3] quit
[FW-1] ospf 4 router-id 172.16.100.4
[FW-1-ospf-4] area 0
[FW-1-ospf-4-area-0.0.0.0] network 172.16.4.0 0.0.0.255
[FW-1-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
[FW-1-ospf-4-area-0.0.0.0] quit
[FW-1-ospf-4] quit
[FW-2] ospf 1 router-id 172.16.100.6
[FW-2-ospf-1] area 0
[FW-2-ospf-1-area-0.0.0.0] network 172.16.6.0 0.0.0.255
[FW-2-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
[FW-2-ospf-1-area-0.0.0.0] quit
[FW-2-ospf-1] quit
[FW-2] ospf 2 router-id 172.16.100.7
[FW-2-ospf-2] area 0
[FW-2-ospf-2-area-0.0.0.0] network 172.16.7.0 0.0.0.255
[FW-2-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
[FW-2-ospf-2-area-0.0.0.0] quit
[FW-2-ospf-2] quit
[FW-2] ospf 3 router-id 172.16.100.8
[FW-2-ospf-3] area 0
[FW-2-ospf-3-area-0.0.0.0] network 172.16.8.0 0.0.0.255
[FW-2-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
[FW-2-ospf-3-area-0.0.0.0] quit
[FW-2-ospf-3] quit
[FW-2] ospf 4 router-id 172.16.100.9
[FW-2-ospf-4] area 0
[FW-2-ospf-4-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW-2-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
[FW-2-ospf-4-area-0.0.0.0] quit
[FW-2-ospf-4] quit
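The router-ID rule in step c has two parts (unique per process on one firewall, and unique across the two HRP peers), and both are easy to break when a configuration is copied from one firewall to the other. The Python script below audits configuration text for exactly those two cases. It is an added example, not Huawei's code or part of this document; the configuration excerpts are constructed inside the script, with FW_1 and FW_2 carrying the router IDs used in step c and FW_2_BAD a made-up copy-paste mistake.

```python
import re
from collections import defaultdict

# Matches "ospf <process> router-id <id>" as it appears in the procedure and configuration files.
OSPF_RE = re.compile(r"^\s*ospf (\d+) router-id (\S+)")


def router_ids(config):
    """Map OSPF process number -> router-id for one device's configuration text."""
    ids = {}
    for line in config.splitlines():
        m = OSPF_RE.match(line)
        if m:
            ids[int(m.group(1))] = m.group(2)
    return ids


def duplicate_router_ids(configs):
    """Return {router_id: [(device, process), ...]} for every id used more than once,
    whether by two processes on one device or by processes on different devices."""
    users = defaultdict(list)
    for device, cfg in configs.items():
        for process, rid in router_ids(cfg).items():
            users[rid].append((device, process))
    return {rid: where for rid, where in users.items() if len(where) > 1}


# Constructed configuration excerpts. FW_1 and FW_2 carry the router-ids of the
# example; FW_2_BAD reuses FW-1's process-1 id and repeats one id on two of its
# own processes, the two mistakes the note warns about.
FW_1 = """\
ospf 1 router-id 172.16.100.1
 area 0.0.0.0
ospf 2 router-id 172.16.100.2
 area 0.0.0.0
ospf 3 router-id 172.16.100.3
 area 0.0.0.0
ospf 4 router-id 172.16.100.4
 area 0.0.0.0
"""
FW_2 = """\
ospf 1 router-id 172.16.100.6
ospf 2 router-id 172.16.100.7
ospf 3 router-id 172.16.100.8
ospf 4 router-id 172.16.100.9
"""
FW_2_BAD = """\
ospf 1 router-id 172.16.100.1
ospf 2 router-id 172.16.100.7
ospf 3 router-id 172.16.100.7
ospf 4 router-id 172.16.100.9
"""

if __name__ == "__main__":
    print(duplicate_router_ids({"FW-1": FW_1, "FW-2": FW_2}))      # {}
    print(duplicate_router_ids({"FW-1": FW_1, "FW-2": FW_2_BAD}))  # two collisions reported
```

Run it over the saved configuration of both firewalls before enabling HRP; a non-empty result names the device and process pairs that must be renumbered.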
d. Configure hot standby on egress firewalls FW-1 and FW-2
- Configure hot standby on FW-1
[FW-1] hrp track interface GigabitEthernet 1/0/1
[FW-1] hrp track interface GigabitEthernet 1/0/2
[FW-1] hrp track interface GigabitEthernet 1/0/3
[FW-1] hrp track interface GigabitEthernet 1/0/4
[FW-1] hrp adjust ospf-cost enable
[FW-1] hrp interface Eth-Trunk 1 remote 172.16.10.1
[FW-1] hrp enable
[FW-1] hrp mirror session enable
- Configure hot standby on FW-2
[FW-2] hrp track interface GigabitEthernet 1/0/1
[FW-2] hrp track interface GigabitEthernet 1/0/2
[FW-2] hrp track interface GigabitEthernet 1/0/3
[FW-2] hrp track interface GigabitEthernet 1/0/4
[FW-2] hrp adjust ospf-cost enable
[FW-2] hrp interface Eth-Trunk 1 remote 172.16.5.1
[FW-2] hrp enable
[FW-2] hrp mirror session enable
e. Configure security policies and intrusion prevention
HRP_M[FW-1] policy interzone trust untrust outbound
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.2.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.4.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.5.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
HRP_M[FW-1] policy interzone trust untrust inbound
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.2.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.4.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.5.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
HRP_M[FW-1] ips enable
f. Configure attack defense
Note:
The attack defense thresholds in this example are for reference only. Set them according to the actual traffic on the network.
HRP_M[FW-1] firewall defend syn-flood enable
HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall defend udp-flood enable
HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW-1] firewall defend icmp-flood enable
HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall blacklist enable
HRP_M[FW-1] firewall defend ip-sweep enable
HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
HRP_M[FW-1] firewall defend port-scan enable
HRP_M[FW-1] firewall defend port-scan max-rate 4000
HRP_M[FW-1] firewall defend ip-fragment enable
HRP_M[FW-1] firewall defend ip-spoofing enable
3.7 Configuring policy-based routing to redirect all traffic passing through core switches SwitchI and SwitchJ to the firewalls, which filter it
# The configuration of core switch SwitchI is used as an example. The configuration of core switch SwitchJ is similar; see the configuration files.
[~SwitchI] acl 3001
[*SwitchI-acl4-advance-3001] rule 5 permit ip source 10.1.2.0 24
[*SwitchI-acl4-advance-3001] rule 10 permit ip source 10.1.3.0 24
[*SwitchI-acl4-advance-3001] rule 15 permit ip source 10.1.4.0 24
[*SwitchI-acl4-advance-3001] rule 20 permit ip source 10.1.5.0 24
[*SwitchI-acl4-advance-3001] commit
[~SwitchI-acl4-advance-3001] quit
[~SwitchI] traffic classifier c1
[*SwitchI-classifier-c1] if-match acl 3001
[*SwitchI-classifier-c1] quit
[*SwitchI] commit
[~SwitchI] traffic behavior b1
[*SwitchI-behavior-b1] redirect load-balance nexthop 172.16.100.1 172.16.100.3
[*SwitchI-behavior-b1] quit
[*SwitchI] commit
[~SwitchI] traffic policy p1
[*SwitchI-trafficpolicy-p1] classifier c1 behavior b1
[*SwitchI-trafficpolicy-p1] quit
[*SwitchI] commit
[~SwitchI] interface 10ge 1/0/1
[~SwitchI-10GE1/0/1] traffic-policy p1 inbound
[*SwitchI-10GE1/0/1] quit
[*SwitchI] commit
[~SwitchI] interface 10ge 1/0/2
[~SwitchI-10GE1/0/2] traffic-policy p1 inbound
[*SwitchI-10GE1/0/2] quit
[*SwitchI] commit
[~SwitchI] interface 10ge 1/0/3
[~SwitchI-10GE1/0/3] traffic-policy p1 inbound
[*SwitchI-10GE1/0/3] quit
[*SwitchI] commit
[~SwitchI] interface 10ge 1/0/4
[~SwitchI-10GE1/0/4] traffic-policy p1 inbound
[*SwitchI-10GE1/0/4] quit
[*SwitchI] commit
[~SwitchI] interface 10ge 1/0/14
[~SwitchI-10GE1/0/14] traffic-policy p1 inbound
[*SwitchI-10GE1/0/14] quit
[*SwitchI] commit
[~SwitchI] acl 3003
[*SwitchI-acl4-advance-3003] rule 5 permit ip destination 10.1.2.0 24
[*SwitchI-acl4-advance-3003] rule 10 permit ip destination 10.1.3.0 24
[*SwitchI-acl4-advance-3003] rule 15 permit ip destination 10.1.4.0 24
[*SwitchI-acl4-advance-3003] rule 20 permit ip destination 10.1.5.0 24
[*SwitchI-acl4-advance-3003] commit
[~SwitchI-acl4-advance-3003] quit
[~SwitchI] traffic classifier c3
[*SwitchI-classifier-c3] if-match acl 3003
[*SwitchI-classifier-c3] quit
[*SwitchI] commit
[~SwitchI] traffic behavior b3
[*SwitchI-behavior-b3] redirect load-balance nexthop 172.16.100.2 172.16.100.4
[*SwitchI-behavior-b3] quit
[*SwitchI] commit
[~SwitchI] traffic policy p2
[*SwitchI-trafficpolicy-p2] classifier c3 behavior b3
[*SwitchI-trafficpolicy-p2] quit
[*SwitchI] commit
[~SwitchI] interface 10ge 1/0/5
[~SwitchI-10GE1/0/5] traffic-policy p2 inbound
[*SwitchI-10GE1/0/5] quit
[*SwitchI] commit
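The redirect above is only as complete as its ACLs: p1 classifies by source subnet on the aggregation-facing and peer-facing ports, p2 by destination subnet on the router-facing port, and a packet that matches no rule is simply forwarded by the routing table, never reaching a firewall. The Python model below replays that decision for a packet and lists the site subnets a policy would leave unfiltered. It is an added example, not Huawei's code or part of this document; the subnets and next hops are those of ACLs 3001/3003 and behaviors b1/b3 above, the per-flow hash is an assumption standing in for the platform's load-balance algorithm, and the test packets use documentation addresses.

```python
import ipaddress
import zlib

# Subnets the policy sends through the firewalls (from the example's ACLs 3001/3003).
PROTECTED = ["10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24"]

# ACL rules as (matched field, network) in rule-number order. The first match wins;
# a packet matching no rule is not classified, so the behavior is never applied.
ACL_3001 = [("source", ipaddress.ip_network(n)) for n in PROTECTED]
ACL_3003 = [("destination", ipaddress.ip_network(n)) for n in PROTECTED]

# Traffic policy -> (ACL, next hops of `redirect load-balance nexthop`).
POLICIES = {
    "p1": (ACL_3001, ["172.16.100.1", "172.16.100.3"]),   # inbound from aggregation / peer core
    "p2": (ACL_3003, ["172.16.100.2", "172.16.100.4"]),   # inbound from the egress router
}


def acl_matches(acl, src, dst):
    """True if some rule permits the packet; rules are evaluated in order."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for field, net in acl:
        if field == "source" and src_ip in net:
            return True
        if field == "destination" and dst_ip in net:
            return True
    return False


def pick_nexthop(nexthops, src, dst):
    """Deterministic per-flow choice standing in for the switch's load-balance hash
    (the real hash inputs are platform specific; this is an assumption)."""
    return nexthops[zlib.crc32(f"{src}->{dst}".encode()) % len(nexthops)]


def redirect_decision(policy_name, src, dst):
    """Next hop the policy would redirect the packet to, or None if it is routed normally."""
    acl, nexthops = POLICIES[policy_name]
    if not acl_matches(acl, src, dst):
        return None
    return pick_nexthop(nexthops, src, dst)


def uncovered_subnets(policy_name, site_subnets):
    """Subnets in use at the site that the policy's ACL never redirects.

    Hosts in such a subnet bypass the firewalls entirely, so this list should be
    checked (and kept empty) whenever a new server VLAN is added."""
    acl, _ = POLICIES[policy_name]
    covered = [net for _, net in acl]
    return [s for s in site_subnets
            if not any(ipaddress.ip_network(s).subnet_of(c) for c in covered)]


if __name__ == "__main__":
    # Constructed packets: a protected host going out, and a host in an unlisted VLAN.
    print(redirect_decision("p1", "10.1.2.10", "203.0.113.5"))   # one of the p1 next hops
    print(redirect_decision("p1", "10.1.9.10", "203.0.113.5"))   # None: bypasses the firewall
    print(uncovered_subnets("p1", ["10.1.2.0/24", "10.1.9.0/24"]))
```

`10.1.9.0/24` in the usage is a constructed example of a VLAN added after the ACLs were written; the point of `uncovered_subnets` is that the core switches give no warning when such traffic skips the firewall, so the ACL coverage has to be reviewed as part of every VLAN change.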
4. Verification
# After the configuration is complete, run the display vrrp command on aggregation switch SwitchA. The output shows that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.
<SwitchA> display vrrp verbose
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s Remain : --
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : normal-vrrp
Create Time : 2023-05-11 11:39:18
Last Change Time : 2023-05-26 11:38:58
Vlanif3 | Virtual Router 2
State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s Remain : --
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config Type : normal-vrrp
Create Time : 2023-05-11 11:40:18
Last Change Time : 2023-05-26 11:48:58
# Run the display vrrp command on aggregation switch SwitchB. The output shows that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
<SwitchB> display vrrp verbose
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s Remain : --
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : normal-vrrp
Create Time : 2023-05-11 11:39:18
Last Change Time : 2023-05-26 11:38:58
Vlanif3 | Virtual Router 2
State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s Remain : --
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config Type : normal-vrrp
Create Time : 2023-05-11 11:40:18
Last Change Time : 2023-05-26 11:48:58
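Reading the two `display vrrp verbose` listings above by eye does not scale past a handful of switches, and a role swap after an uplink flap is exactly what the design in 3.4 must survive. The Python script below parses that output into one record per virtual router, compares the roles with the intended design, and lists groups that run without VRRP authentication (the `Auth Type : NONE` field in the output). It is an added example, not Huawei's code or part of this document; the embedded sample is the SwitchA output shown above, and the expected-role table is the one stated in 3.4.

```python
import re

# The SwitchA listing from the verification step, embedded here as sample input.
SAMPLE_SWITCHA = """\
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s Remain : --
TimerRun : 1 s
TimerConfig : 1 s
Auth Type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config Type : normal-vrrp
Create Time : 2023-05-11 11:39:18
Last Change Time : 2023-05-26 11:38:58
Vlanif3 | Virtual Router 2
State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s Remain : --
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config Type : normal-vrrp
Create Time : 2023-05-11 11:40:18
Last Change Time : 2023-05-26 11:48:58
"""

HEADER_RE = re.compile(r"^(\S+) \| Virtual Router (\d+)$")


def parse_vrrp_verbose(text):
    """Return a list of dicts, one per virtual router, with normalised lower_snake keys."""
    routers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"interface": m.group(1), "vrid": int(m.group(2))}
            routers.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # "Preempt : YES Delay Time : 20 s Remain : --" carries three fields on one line.
        if line.startswith("Preempt"):
            pm = re.match(r"Preempt : (\S+) Delay Time : (\d+) s", line)
            current["preempt"] = pm.group(1) == "YES"
            current["delay_s"] = int(pm.group(2))
            continue
        key, value = [p.strip() for p in line.split(":", 1)]
        key = key.lower().replace(" ", "_")          # "Auth Type" and "Auth type" -> auth_type
        current[key] = int(value) if value.isdigit() else value
    return routers


def role_mismatches(text, expected):
    """Compare parsed roles with {vrid: "Master" | "Backup"}; return [(vrid, actual_state)]."""
    got = {r["vrid"]: r["state"] for r in parse_vrrp_verbose(text)}
    return [(vrid, got.get(vrid)) for vrid, want in expected.items() if got.get(vrid) != want]


def unauthenticated_routers(text):
    """VRIDs whose Auth Type is NONE, i.e. groups that accept advertisements from any sender on the VLAN."""
    return [r["vrid"] for r in parse_vrrp_verbose(text) if r.get("auth_type") == "NONE"]


if __name__ == "__main__":
    print(role_mismatches(SAMPLE_SWITCHA, {1: "Master", 2: "Backup"}))   # [] when the design holds
    print(unauthenticated_routers(SAMPLE_SWITCHA))                       # [1, 2]
```

The same expected-role table, inverted (`{1: "Backup", 2: "Master"}`), applies to SwitchB's output; a non-empty mismatch list after a failover test tells you which group did not return to its designed master once the 20-second preemption delay expired.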
5. Configuration Files
# Configuration file of aggregation switch SwitchA
sysname SwitchA
#
vlan batch 2 to 3 6 to 7
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif6
ip address 10.1.6.102 255.255.255.0
#
interface Vlanif7
ip address 10.1.7.102 255.255.255.0
#
interface 10GE1/0/1
description TO-CE6800-SWITCHC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2
stp root-protection
#
interface 10GE1/0/2
description TO-CE6800-SWITCHD
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3
#
interface 10GE1/0/3
description TO-CE12800-SWITCHB
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/4
description TO-CE12800-SWITCHI
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6
#
interface 10GE1/0/5
description TO-CE12800-SWITCHJ
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 7
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.1.7.0 0.0.0.255
#
return
# Configuration file of aggregation switch SwitchB
sysname SwitchB
#
vlan batch 2 to 3 6 to 7
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt timer delay 20
#
interface Vlanif6
ip address 10.1.6.103 255.255.255.0
#
interface Vlanif7
ip address 10.1.7.103 255.255.255.0
#
interface 10GE1/0/1
description TO-CE6800-SWITCHD
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3
stp root-protection
#
interface 10GE1/0/2
description TO-CE6800-SWITCHC
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2
#
interface 10GE1/0/3
description TO-CE12800-SWITCHA
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/4
description TO-CE12800-SWITCHI
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6
#
interface 10GE1/0/5
description TO-CE12800-SWITCHJ
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 7
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.1.7.0 0.0.0.255
#
return
# Configuration file of access switch SwitchC
sysname SwitchC
#
vlan batch 2
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface 10GE1/0/1
description TO-CE12800-SWITCHA
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
description TO-CE12800-SWITCHB
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2
stp instance 1 cost 20000
#
interface 10GE1/0/3
description TO-HOSTA
port default vlan 2
stp disable
#
return
# Configuration file of access switch SwitchD
sysname SwitchD
#
vlan batch 3
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface 10GE1/0/1
description TO-CE12800-SWITCHB
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3
#
interface 10GE1/0/2
description TO-CE12800-SWITCHA
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 3
stp instance 2 cost 20000
#
interface 10GE1/0/3
description TO-HOSTB
port default vlan 3
stp disable
#
return
# Configuration file of core switch SwitchI
sysname SwitchI
#
vlan batch 6 8 to 13
#
acl number 3001
rule 5 permit ip source 10.1.2.0 0.0.0.255
rule 10 permit ip source 10.1.3.0 0.0.0.255
rule 15 permit ip source 10.1.4.0 0.0.0.255
rule 20 permit ip source 10.1.5.0 0.0.0.255
#
acl number 3003
rule 5 permit ip destination 10.1.2.0 0.0.0.255
rule 10 permit ip destination 10.1.3.0 0.0.0.255
rule 15 permit ip destination 10.1.4.0 0.0.0.255
rule 20 permit ip destination 10.1.5.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 3001
#
traffic classifier c3 type or
if-match acl 3003
#
traffic behavior b1
redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
traffic behavior b3
redirect load-balance nexthop 172.16.100.2 172.16.100.4
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
traffic policy p2
classifier c3 behavior b3 precedence 5
#
interface Vlanif6
ip address 10.1.6.104 255.255.255.0
#
interface Vlanif8
ip address 10.1.8.104 255.255.255.0
#
interface Vlanif9
ip address 172.16.1.2 255.255.255.0
#
interface Vlanif10
ip address 172.16.2.2 255.255.255.0
#
interface Vlanif11
ip address 172.16.3.2 255.255.255.0
#
interface Vlanif12
ip address 172.16.4.2 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.102 255.255.255.0
#
interface 10GE1/0/1
description TO-CE12800-SWITCHA
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6
traffic-policy p1 inbound
#
interface 10GE1/0/2
description TO-CE12800-SWITCHB
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6
traffic-policy p1 inbound
#
interface 10GE1/0/3
description TO-CE12800-SWITCHE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6
traffic-policy p1 inbound
#
interface 10GE1/0/4
description TO-CE12800-SWITCHF
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 6
traffic-policy p1 inbound
#
interface 10GE1/0/5
description TO-ROUTERA
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 8
traffic-policy p2 inbound
#
interface 10GE1/0/6
description TO-FW-1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
#
interface 10GE1/0/7
description TO-FW-1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
interface 10GE1/0/8
description TO-FW-2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
#
interface 10GE1/0/9
description TO-FW-2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 12
#
interface 10GE1/0/14
description TO-CE12800-SWITCHJ
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 13
traffic-policy p1 inbound
#
ospf 1
area 0.0.0.0
network 10.1.6.0 0.0.0.255
network 10.1.8.0 0.0.0.255
network 10.1.13.0 0.0.0.255
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 172.16.4.0 0.0.0.255
#
return
# Configuration file of core switch SwitchJ
sysname SwitchJ
#
vlan batch 7 to 13
#
acl number 3001
rule 5 permit ip source 10.1.2.0 0.0.0.255
rule 10 permit ip source 10.1.3.0 0.0.0.255
rule 15 permit ip source 10.1.4.0 0.0.0.255
rule 20 permit ip source 10.1.5.0 0.0.0.255
#
acl number 3003
rule 5 permit ip destination 10.1.2.0 0.0.0.255
rule 10 permit ip destination 10.1.3.0 0.0.0.255
rule 15 permit ip destination 10.1.4.0 0.0.0.255
rule 20 permit ip destination 10.1.5.0 0.0.0.255
#
traffic classifier c1 type or
if-match acl 3001
#
traffic classifier c3 type or
if-match acl 3003
#
traffic behavior b1
redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
traffic behavior b3
redirect load-balance nexthop 172.16.100.2 172.16.100.4
#
traffic policy p1
classifier c1 behavior b1 precedence 5
#
traffic policy p2
classifier c3 behavior b3 precedence 5
#
interface Vlanif7
ip address 10.1.7.105 255.255.255.0
#
interface Vlanif8
ip address 10.1.8.105 255.255.255.0
#
interface Vlanif9
ip address 172.16.6.2 255.255.255.0
#
interface Vlanif10
ip address 172.16.7.2 255.255.255.0
#
interface Vlanif11
ip address 172.16.8.2 255.255.255.0
#
interface Vlanif12
ip address 172.16.9.2 255.255.255.0
#
interface Vlanif13
ip address 10.1.13.103 255.255.255.0
#
interface 10GE1/0/1
description TO-CE12800-SWITCHA
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 7
traffic-policy p1 inbound
#
interface 10GE1/0/2
description TO-CE12800-SWITCHB
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 7
traffic-policy p1 inbound
#
interface 10GE1/0/3
description TO-CE12800-SWITCHE
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 7
traffic-policy p1 inbound
#
interface 10GE1/0/4
description TO-CE12800-SWITCHF
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 7
traffic-policy p1 inbound
#
interface 10GE1/0/5
description TO-ROUTERB
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 8
traffic-policy p2 inbound
#
interface 10GE1/0/6
description TO-FW-1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
#
interface 10GE1/0/7
description TO-FW-1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
interface 10GE1/0/8
description TO-FW-2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11
#
interface 10GE1/0/9
description TO-FW-2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 12
#
interface 10GE1/0/14
description TO-CE12800-SWITCHI
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 13
traffic-policy p1 inbound
#
ospf 1
area 0.0.0.0
network 10.1.7.0 0.0.0.255
network 10.1.8.0 0.0.0.255
network 10.1.11.0 0.0.0.255
network 172.16.6.0 0.0.0.255
network 172.16.7.0 0.0.0.255
network 172.16.8.0 0.0.0.255
network 172.16.9.0 0.0.0.255
#
return
# Configuration file of egress firewall FW-1
#
sysname FW-1
#
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend icmp-flood zone untrust max-rate 20000
firewall defend udp-flood zone untrust max-rate 1500
firewall defend syn-flood zone untrust max-rate 20000
#
hrp enable
hrp adjust ospf-cost enable
hrp interface Eth-Trunk1 remote 172.16.10.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/2
hrp track interface GigabitEthernet 1/0/3
hrp track interface GigabitEthernet 1/0/4
#
ips enable
#
interface Eth-Trunk1
ip address 172.16.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
description TO-CE12800-SwitchI-Upstream
ip address 172.16.1.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet1/0/2
description TO-CE12800-SwitchI-Downstream
ip address 172.16.2.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet1/0/3
description TO-CE12800-SwitchJ-Upstream
ip address 172.16.3.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet1/0/4
description TO-CE12800-SwitchJ-Downstream
ip address 172.16.4.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet2/0/0
description TO-FW-2-HRP
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/1
description TO-FW-2-HRP
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/2
description TO-FW-2-HRP
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/3
description TO-FW-2-HRP
undo shutdown
eth-trunk 1
#
interface LoopBack 1
ip address 172.16.100.1 32
#
interface LoopBack 2
ip address 172.16.100.2 32
#
interface LoopBack 3
ip address 172.16.100.3 32
#
interface LoopBack 4
ip address 172.16.100.4 32
#
profile type ips name default
signature-set name default
os both
target both
severity low medium high
protocol all
category all
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
firewall interzone trust untrust
detect ftp
#
policy interzone trust untrust inbound
policy 1
action permit
profile ips default
policy service service-set ftp
policy service service-set http
policy destination 10.1.2.0 mask 24
policy destination 10.1.3.0 mask 24
policy destination 10.1.4.0 mask 24
policy destination 10.1.5.0 mask 24
#
policy interzone trust untrust outbound
policy 1
action permit
profile ips default
policy source 10.1.2.0 mask 24
policy source 10.1.3.0 mask 24
policy source 10.1.4.0 mask 24
policy source 10.1.5.0 mask 24
#
ospf 1 router-id 172.16.100.1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.16.100.1 0.0.0.0
#
ospf 2 router-id 172.16.100.2
area 0.0.0.0
network 172.16.2.0 0.0.0.255
network 172.16.100.2 0.0.0.0
#
ospf 3 router-id 172.16.100.3
area 0.0.0.0
network 172.16.3.0 0.0.0.255
network 172.16.100.3 0.0.0.0
#
ospf 4 router-id 172.16.100.4
area 0.0.0.0
network 172.16.4.0 0.0.0.255
network 172.16.100.4 0.0.0.0
#
return
# Configuration file of egress firewall FW-2
#
sysname FW-2
#
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend icmp-flood zone untrust max-rate 20000
firewall defend udp-flood zone untrust max-rate 1500
firewall defend syn-flood zone untrust max-rate 20000
#
hrp enable
hrp adjust ospf-cost enable
hrp interface Eth-Trunk1 remote 172.16.5.1
hrp mirror session enable
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/2
hrp track interface GigabitEthernet 1/0/3
hrp track interface GigabitEthernet 1/0/4
#
ips enable
#
interface Eth-Trunk1
ip address 172.16.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
description TO-CE12800-SwitchI-Upstream
ip address 172.16.6.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet1/0/2
description TO-CE12800-SwitchI-Downstream
ip address 172.16.7.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet1/0/3
description TO-CE12800-SwitchJ-Upstream
ip address 172.16.8.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet1/0/4
description TO-CE12800-SwitchJ-Downstream
ip address 172.16.9.1 255.255.255.0
undo shutdown
#
interface GigabitEthernet2/0/0
description TO-FW-1-HRP
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/1
description TO-FW-1-HRP
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/2
description TO-FW-1-HRP
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/3
description TO-FW-1-HRP
undo shutdown
eth-trunk 1
#
interface LoopBack 1
ip address 172.16.100.1 32
#
interface LoopBack 2
ip address 172.16.100.2 32
#
interface LoopBack 3
ip address 172.16.100.3 32
#
interface LoopBack 4
ip address 172.16.100.4 32
#
profile type ips name default
signature-set name default
os both
target both
severity low medium high
protocol all
category all
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
firewall interzone trust untrust
detect ftp
#
policy interzone trust untrust inbound
policy 1
action permit
profile ips default
policy service service-set ftp
policy service service-set http
policy destination 10.1.2.0 mask 24
policy destination 10.1.3.0 mask 24
policy destination 10.1.4.0 mask 24
policy destination 10.1.5.0 mask 24
#
policy interzone trust untrust outbound
policy 1
action permit
profile ips default
policy source 10.1.2.0 mask 24
policy source 10.1.3.0 mask 24
policy source 10.1.4.0 mask 24
policy source 10.1.5.0 mask 24
#
ospf 1 router-id 172.16.100.6
area 0.0.0.0
network 172.16.6.0 0.0.0.255
network 172.16.100.1 0.0.0.0
#
ospf 2 router-id 172.16.100.7
area 0.0.0.0
network 172.16.7.0 0.0.0.255
network 172.16.100.2 0.0.0.0
#
ospf 3 router-id 172.16.100.8
area 0.0.0.0
network 172.16.8.0 0.0.0.255
network 172.16.100.3 0.0.0.0
#
ospf 4 router-id 172.16.100.9
area 0.0.0.0
network 172.16.9.0 0.0.0.255
network 172.16.100.4 0.0.0.0
#
return
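Added example, not part of the page and not Huawei tooling: a small Python audit of a firewall dump in the shape shown above for FW-1 and FW-2. It checks the points a reviewer of such a file looks at first: every addressed interface sits in a security zone, every interface HRP tracks actually exists, every permit rule in an interzone policy carries at least one service/source/destination condition, and the only default packet-filter permits are the local<->dmz ones. It assumes only the syntax visible in the two dumps ('#'-separated blocks, 'add interface' zone members, numbered 'policy N' rules). SAMPLE_CONFIG is a constructed, trimmed copy of the FW-1 file; WEAK_CONFIG is a constructed counterpart with the defects the checks exist to catch; the check names and finding wording are this example's own.

```python
import re

# Constructed sample: trimmed from the FW-1 dump above, same structure.
SAMPLE_CONFIG = """\
firewall packet-filter default permit interzone local dmz direction inbound
#
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/2
#
interface GigabitEthernet1/0/1
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 172.16.2.1 255.255.255.0
#
interface LoopBack 1
 ip address 172.16.100.1 32
#
firewall zone trust
 add interface GigabitEthernet 1/0/1
#
firewall zone untrust
 add interface GigabitEthernet 1/0/2
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy destination 10.1.2.0 mask 24
#
return
"""

# Constructed weak counterpart: blanket trust/untrust default permit, HRP
# tracking a port that does not exist, an addressed port in no zone, and a
# permit rule with no match condition at all.
WEAK_CONFIG = """\
firewall packet-filter default permit interzone trust untrust direction inbound
#
hrp track interface GigabitEthernet 1/0/9
#
interface GigabitEthernet1/0/1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
#
policy interzone trust untrust inbound
 policy 1
  action permit
#
return
"""


def norm(name: str) -> str:
    """'GigabitEthernet 1/0/1' and 'GigabitEthernet1/0/1' name the same port."""
    return re.sub(r"\s+", "", name).lower()


def parse_blocks(config: str) -> list[list[str]]:
    """Split the dump into '#'-delimited blocks of stripped, non-empty lines."""
    blocks, cur = [], []
    for line in [l.strip() for l in config.splitlines()] + ["#"]:  # sentinel flushes last block
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return blocks


def audit(config: str) -> list[str]:
    """Return findings; an empty list means every check passed."""
    findings: list[str] = []
    interfaces, addressed, zoned, tracked = set(), set(), set(), set()
    for block in parse_blocks(config):
        head = block[0]
        if head.startswith("interface "):
            name = norm(head[10:])
            interfaces.add(name)
            if any(l.startswith("ip address ") for l in block):
                addressed.add(name)
        elif head.startswith("firewall zone "):
            zoned.update(norm(l[14:]) for l in block if l.startswith("add interface "))
        elif head.startswith("policy interzone "):
            rule, permit, matched = None, False, False
            for l in block[1:] + ["policy end"]:  # sentinel flushes the last rule
                if re.fullmatch(r"policy (\d+|end)", l):
                    if rule and permit and not matched:
                        findings.append(f"{head}: rule {rule} permits with no match condition")
                    rule, permit, matched = l.split()[1], False, False
                elif l == "action permit":
                    permit = True
                elif l.startswith(("policy service ", "policy source ", "policy destination ")):
                    matched = True
        for l in block:
            if l.startswith("hrp track interface "):
                tracked.add(norm(l[20:]))
            m = re.match(r"firewall packet-filter default permit interzone (\S+) (\S+)", l)
            if m and "local" not in m.groups():
                findings.append(f"default permit {m[1]}<->{m[2]} bypasses the interzone policy")
    for name in sorted(addressed - zoned):
        if not name.startswith("loopback"):  # loopbacks belong to the local zone
            findings.append(f"interface {name} has an address but is in no zone")
    findings += [f"hrp tracks {n}, which is not configured" for n in sorted(tracked - interfaces)]
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(cfg) or ["clean"])
```

Run it against a saved `display current-configuration` dump of either firewall by passing the file contents to `audit()`; the sample copy returns no findings, the weak copy returns one finding per defect. The loopback exemption matches the dumps above, where LoopBack 1 to 4 carry the OSPF router addresses but are never added to a zone.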