
Defense and Protection Lab 4: Reproducing the Dual-Device Hot Standby Side-Mounted (Off-Path) Networking Scenario

I. Lab requirements

Basic network configuration: IP addresses, security zones, OSPF, and security policies (including policies for the firewall's local zone).

II. Lab objectives

1. Topology
2. Requirements analysis
3. Configuration
4. Verification

III. Lab steps

1. Topology

2. Requirements analysis
  • Configure IP addresses
  • Configure security zones
  • Configure OSPF
  • Configure security policies
3. Configuration

Layer 2 switch configuration

[SW3]vlan batch 2 3
[SW3]interface GigabitEthernet 0/0/3
[SW3-GigabitEthernet0/0/3] port link-type trunk
[SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW3]interface GigabitEthernet 0/0/4
[SW3-GigabitEthernet0/0/4] port link-type trunk
[SW3-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 3
 
[SW3]stp enable 
[SW3]stp mode mstp
[SW3]stp region-configuration 
[SW3-mst-region]region-name aa
[SW3-mst-region]instance 1 vlan 2  
[SW3-mst-region]instance 2 vlan 3 
[SW3-mst-region]active region-configuration 
[SW3]stp instance 1 root primary 
[SW3]stp instance 2 root secondary  
[SW3]stp instance 0 root primary 
 
[SW3]interface Vlanif 2
[SW3-Vlanif2]ip address 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254   
[SW3-Vlanif2]vrrp vrid 1 priority 120  
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20   
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15 
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
 
[SW3]interface Vlanif 3
[SW3-Vlanif3]ip add 192.168.3.1 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254

[SW4]vlan batch 2 3
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3] port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW4]interface GigabitEthernet 0/0/4
[SW4-GigabitEthernet0/0/4] port link-type trunk
[SW4-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 3
 
[SW4]stp enable 
[SW4]stp mode mstp
[SW4]stp region-configuration 
[SW4-mst-region]region-name aa
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]active region-configuration 
[SW4]stp instance 1 root secondary 
[SW4]stp instance 2 root primary
[SW4]stp instance 0 root secondary
 
[SW4]interface Vlanif 2
[SW4-Vlanif2]ip add 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
 
[SW4]interface Vlanif3
[SW4-Vlanif3]ip address 192.168.3.2 255.255.255.0
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW4-Vlanif3]vrrp vrid 1 priority 120
[SW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 15
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 15

[SW5]vlan batch 2 3
[SW5]interface GigabitEthernet 0/0/3
[SW5-GigabitEthernet0/0/3]port link-type access 
[SW5-GigabitEthernet0/0/3]port default vlan 2
[SW5]interface GigabitEthernet 0/0/4
[SW5-GigabitEthernet0/0/4]port link-type access 	
[SW5-GigabitEthernet0/0/4]port default vlan 3
[SW5]interface GigabitEthernet 0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk 
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[SW5]interface GigabitEthernet 0/0/2
[SW5-GigabitEthernet0/0/2]port link-type trunk
[SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 2 to 3
 
[SW5]stp enable 
[SW5]stp mode mstp
[SW5]stp region-configuration 
[SW5-mst-region]region-name aa
[SW5-mst-region]instance 1 vlan 2
[SW5-mst-region]instance 2 vlan 3
[SW5-mst-region]active region-configuration 

Aggregation-to-core configuration

[SW3]vlan batch 103 203
[SW3]interface GigabitEthernet 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access 
[SW3-GigabitEthernet0/0/1]port default vlan 103
[SW3-GigabitEthernet0/0/1]undo stp enable
[SW3]interface GigabitEthernet 0/0/2	
[SW3-GigabitEthernet0/0/2]port link-type access 
[SW3-GigabitEthernet0/0/2]port default vlan 203
[SW3-GigabitEthernet0/0/2]undo stp enable
 
[SW3]interface Vlanif 103
[SW3-Vlanif103]ip add 10.10.3.3 24
[SW3]interface Vlanif 203
[SW3-Vlanif203]ip add 10.20.3.3 24
 
[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0	
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[SW3-ospf-1]silent-interface Vlanif 2
[SW3-ospf-1]silent-interface Vlanif 3

[SW4]vlan batch 104 204
[SW4]interface GigabitEthernet 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 204
[SW4-GigabitEthernet0/0/1]undo stp enable
[SW4]interface GigabitEthernet 0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access 
[SW4-GigabitEthernet0/0/2]port default vlan 104
[SW4-GigabitEthernet0/0/2]undo stp enable 
 
[SW4]interface Vlanif 104
[SW4-Vlanif104]ip address 10.10.4.4 24
[SW4]interface Vlanif 204
[SW4-Vlanif204]ip add 10.20.4.4 24
 
[SW4]ospf 1 router-id 4.4.4.4
[SW4-ospf-1]area 0
[SW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.3.2 0.0.0.0
 
[SW4-ospf-1]silent-interface Vlanif 2
[SW4-ospf-1]silent-interface Vlanif 3

Create the VRF instance and configure its parameters

[SW1]ip vpn-instance VRF    
[SW1-vpn-instance-VRF]route-distinguisher 100:1 
[SW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both  

[SW2]ip vpn-instance VRF
[SW2-vpn-instance-VRF]route-distinguisher 100:1	
[SW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both 

Configure VLANs

[SW1]vlan batch 102 103 104
[SW1]interface GigabitEthernet 0/0/6
[SW1-GigabitEthernet0/0/6]port link-type access 
[SW1-GigabitEthernet0/0/6]port default vlan 103	
[SW1-GigabitEthernet0/0/6]undo stp enable
 
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk 
[SW1-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW1-GigabitEthernet0/0/5]undo stp enable
 
[SW1]interface GigabitEthernet 0/0/7
[SW1-GigabitEthernet0/0/7]port link-type access 
[SW1-GigabitEthernet0/0/7]port default vlan 104
[SW1-GigabitEthernet0/0/7]undo stp enable

[SW2]vlan batch 102 203 204
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]port link-type access 	
[SW2-GigabitEthernet0/0/6]port default vlan 204
[SW2-GigabitEthernet0/0/6]undo stp enable
 
[SW2]interface GigabitEthernet 0/0/7
[SW2-GigabitEthernet0/0/7]port link-type access 
[SW2-GigabitEthernet0/0/7]port default vlan 203
[SW2-GigabitEthernet0/0/7]undo stp enable 
 
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW2-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW2-GigabitEthernet0/0/5]undo stp enable

Create the Vlanif interfaces and bind them to the VRF instance

[SW1]interface Vlanif 102
[SW1-Vlanif102]ip binding vpn-instance VRF 
[SW1-Vlanif102]ip address 10.10.2.1 24
 
[SW1]interface Vlanif 103
[SW1-Vlanif103]ip binding vpn-instance VRF
[SW1-Vlanif103]ip add 10.10.3.1 24
 
[SW1]interface Vlanif 104
[SW1-Vlanif104]ip binding vpn-instance VRF
[SW1-Vlanif104]ip add 10.10.4.1 24

[SW2]interface Vlanif 102
[SW2-Vlanif102]ip binding vpn-instance VRF
[SW2-Vlanif102]ip address 10.10.2.2 24
 
[SW2]interface Vlanif 203
[SW2-Vlanif203]ip binding vpn-instance VRF
[SW2-Vlanif203]ip address 10.20.3.2 24
 
[SW2]interface Vlanif 204
[SW2-Vlanif204]ip binding vpn-instance VRF
[SW2-Vlanif204]ip add 10.20.4.2 24

Configure OSPF inside the VRF instance

[SW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0
[SW1-ospf-1]default-route-advertise
 
[SW2]ospf 1 router-id 2.2.2.2 vpn-instance VRF	
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.10.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.3.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.4.2 0.0.0.0
[SW2-ospf-1]default-route-advertise

Route policy configuration

[SW3]interface Vlanif 203
[SW3-Vlanif203]ospf cost 5
 
[SW4]interface Vlanif 104
[SW4-Vlanif104]ospf cost 5

[SW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0

[SW3]ip ip-prefix aa permit 192.168.2.0 24
[SW3]ip ip-prefix bb permit 192.168.3.0 24
[SW3]route-policy bb permit node 10
[SW3-route-policy]if-match ip-prefix bb
[SW3-route-policy]apply cost 5
[SW3]route-policy bb permit node 20
[SW3-route-policy]if-match ip-prefix aa
[SW3]ospf 1	
[SW3-ospf-1]import-route direct route-policy bb
 
[SW4]ip ip-prefix aa permit 192.168.2.0 24
[SW4]ip ip-prefix bb permit 192.168.3.0 24
[SW4]route-policy aa permit node 10
[SW4-route-policy]if-match ip-prefix aa
[SW4-route-policy]apply cost 5
[SW4]route-policy aa permit node 20
[SW4-route-policy]if-match ip-prefix bb
[SW4]ospf 1
[SW4-ospf-1]import-route direct route-policy aa

VRF-side configuration

[SW1]vlan batch 401 402
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 	
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 401 402
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk 
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
 
[SW1]interface Vlanif 401
[SW1-Vlanif401]ip binding vpn-instance VRF
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 30
 
[SW1]interface Vlanif 402
[SW1-Vlanif402]ip binding vpn-instance VRF
[SW1-Vlanif402]ip address 10.40.2.1 24
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100

[SW2]vlan batch 401 402
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk 
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk 
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
 
[SW2]interface Vlanif 401
[SW2-Vlanif401]ip binding vpn-instance VRF
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
 
[SW2]interface Vlanif 402
[SW2-Vlanif402]ip binding vpn-instance VRF
[SW2-Vlanif402]ip address 10.40.2.2 24
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120
[SW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[SW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30

[FW1]vlan batch 401 402 403 404
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.10.10.1 30
 
[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]ip add 10.40.1.10 24
[FW1-GigabitEthernet1/0/1.401]vlan-type dot1q 401
 
[FW1]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet1/0/1.402]vlan-type dot1q 402
 
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/2.403]vlan-type dot1q 403
 
[FW1]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]ip add 10.40.4.10 24
[FW1-GigabitEthernet1/0/2.404]vlan-type dot1q 404

[FW2]vlan batch 401 402 403 404
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.10.10.2 30
 
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401
 
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip add 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402
 
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]ip add 10.40.3.20 24
[FW2-GigabitEthernet1/0/1.403]vlan-type dot1q 403
 
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]ip add 10.40.4.20 24
[FW2-GigabitEthernet1/0/1.404]vlan-type dot1q 404

Security zone assignment

[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.402
 
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.404
 
[FW1]firewall zone dmz 
[FW1-zone-dmz]add interface GigabitEthernet 1/0/0

[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402
 
[FW2]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.404
 
[FW2]firewall zone dmz 
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0

Public-side configuration on SW1 and SW2

[SW1]vlan batch 403 404
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW1]interface Vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track interface GigabitEthernet 0/0/3 reduced 30
[SW1]interface Vlanif 404
[SW1-Vlanif404]ip add 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
 
[SW2]vlan batch 403 404
[SW2]interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk 
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk 
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW2]interface  Vlanif 403
[SW2-Vlanif403]ip address 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW2]interface Vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60
[SW2-Vlanif404]vrrp vrid 4 track interface GigabitEthernet 0/0/2 reduced 30

Additional routes

[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70
 
[SW1]ip route-static 192.168.0.0 16 10.40.3.200
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70
 
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70
 
[SW2]ip route-static 192.168.0.0 16 10.40.4.200	
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70

Firewall hot standby (HRP) configuration

[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 active 
[FW1]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby 
 
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]vrrp vrid 7 virtual-ip 10.40.3.200 active 
[FW1]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby 
 
[FW1]hrp mirror session enable 
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2 
[FW1]hrp enable
 
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100	
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70
 
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_M[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70

[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby 
[FW2]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active 
 
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby 
[FW2]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active 
 
[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable
 
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70
 
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70
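The per-VRID active/standby roles above must mirror each other on the two firewalls, and each firewall's hrp remote address must be the peer's heartbeat interface. The following Python script is an added example (not part of the lab write-up and not a Huawei tool): it parses the VRRP and hrp lines quoted from this page, embedded below as constructed input, and reports any VRID whose virtual IP differs between the firewalls, whose roles are not exactly one active and one standby, or a heartbeat peer address that does not match.

```python
"""Consistency check for the FW1/FW2 VRRP + HRP hot-standby pair.

Added example, not part of the original lab. The two transcripts below are
copied from the lab's FW1/FW2 configuration (constructed input for this
script); the parsing and checks are an assumed verification approach.
"""
import re

FW1_CFG = """
[FW1-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby
[FW1-GigabitEthernet1/0/2.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1-GigabitEthernet1/0/2.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
"""
FW2_CFG = """
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
"""

VRRP_RE = re.compile(r"\]vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")
HRP_RE = re.compile(r"\]hrp interface \S+ \S+ remote (\S+)")


def parse(cfg):
    """Return ({vrid: (virtual_ip, role)}, hrp_remote) from a CLI transcript."""
    groups, remote = {}, None
    for line in cfg.splitlines():
        m = VRRP_RE.search(line)
        if m:
            groups[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = HRP_RE.search(line)
        if m:
            remote = m.group(1)
    return groups, remote


def check_pair(cfg_a, cfg_b, hb_a, hb_b):
    """Return a list of problems (empty means consistent).
    hb_a / hb_b are the heartbeat interface addresses of firewall A and B."""
    ga, ra = parse(cfg_a)
    gb, rb = parse(cfg_b)
    problems = []
    if set(ga) != set(gb):
        problems.append(f"VRID sets differ: {sorted(ga)} vs {sorted(gb)}")
    for vrid in sorted(set(ga) & set(gb)):
        (vip_a, role_a), (vip_b, role_b) = ga[vrid], gb[vrid]
        if vip_a != vip_b:
            problems.append(f"vrid {vrid}: virtual-ip mismatch {vip_a} / {vip_b}")
        if {role_a, role_b} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles {role_a}/{role_b}, "
                            "need exactly one active and one standby")
    # Each side's hrp remote must be the other side's heartbeat address.
    if ra != hb_b or rb != hb_a:
        problems.append(f"hrp remote {ra}/{rb} do not match peer heartbeat IPs")
    return problems


if __name__ == "__main__":
    result = check_pair(FW1_CFG, FW2_CFG, "10.10.10.1", "10.10.10.2")
    print("\n".join(result) if result else "hot-standby pair consistent")
```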

Security policy configuration

HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name trust_to_untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-zone trust  (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust  (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-address 192.168.0.0 16 (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]action permit  (+B)

Core-to-edge configuration

[SW1]vlan batch 11 12
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]undo stp enable 
 
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW1-GigabitEthernet0/0/4]undo stp enable 
 
[SW1]interface Vlanif 11
[SW1-Vlanif11]ip address 10.11.1.1 24
[SW1]interface Vlanif 12
[SW1-Vlanif12]ip add 10.12.1.1 24
 
[SW1]ospf 2 router-id 1.1.1.1
[SW1-ospf-2]area 0
[SW1-ospf-2-area-0.0.0.0]network 10.11.1.1 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.12.1.1 0.0.0.0
[SW2]vlan batch 12 22
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access 
[SW2-GigabitEthernet0/0/1]port default vlan 22
[SW2-GigabitEthernet0/0/1]undo stp enable
 
[SW2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW2-GigabitEthernet0/0/4]undo stp enable 
 
[SW2]interface Vlanif 12
[SW2-Vlanif12]ip address 10.12.1.2 24
[SW2]interface Vlanif 22
[SW2-Vlanif22]ip address 10.22.2.1 24
 
[SW2-ospf-2]dis th
ospf 2 router-id 2.2.2.2
 area 0.0.0.0
  network 10.12.1.2 0.0.0.0
  network 10.22.2.1 0.0.0.0

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.11.1.2 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.2.1 24
 
[R1-ospf-1]display this 
ospf 1 router-id 3.3.3.3 
 area 0.0.0.0 
  network 10.11.1.2 0.0.0.0 
  network 10.12.2.1 0.0.0.0 

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.22.2.2 24
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.12.2.2 24
 
[R2]ospf 1 router-id 4.4.4.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.22.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.12.2.2 0.0.0.0

Outermost network

[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip add 12.0.0.1 24
[R1]ip route-static 0.0.0.0 0 12.0.0.100
[R1-ospf-1]default-route-advertise 
 
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000

[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[R2]ip route-static 0.0.0.0 0 13.0.0.100
[R2-ospf-1]default-route-advertise
 
[R2]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2]int g 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000

[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.100 24
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.100 24
[ISP]interface LoopBack 0
[ISP-LoopBack0]ip add 100.1.1.1 24

[SW1-ospf-2]import-route static 
[SW2-ospf-2]import-route static 

4. Verification

Under normal conditions, ping the ISP loopback interface from PC1 and from PC2.

When some interfaces on SW1 fail, test connectivity from PC1 to the ISP loopback interface again:

[SW1-GigabitEthernet0/0/2]shutdown 
