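Table of contents

  • Lab topology
  • Requirements
  • Lab configuration
    • Layer 2 switches
      • Requirements
      • SW3
      • SW4
      • STP spanning tree
    • Core layer
      • SW3
      • SW4
      • Creating the VRF instance
        • SW1
        • SW2
      • Creating the VLANIF interfaces
      • Route policy
      • Comparison after traffic control
    • Interaction between the switches and firewalls
      • VRF zone configuration
        • SW1
        • SW2
      • FW1
      • FW2
      • Security zone planning
        • FW1
        • FW2
      • Public zone on SW1/SW2
        • SW1
        • SW2
      • Supplementary upstream and downstream routes on the switches
      • Firewall hot standby
        • FW1
        • FW2
      • Security policy configuration
    • Core to edge
      • SW1
      • SW2
      • R1
      • R2
    • Outermost network
      • R1
      • R2
      • ISP
  • Testing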

Lab topology

Requirements

1. Normal case: SW1_VRF-->FW1--->SW1_Public--->R5; on failure: SW2_VRF-->FW2--->SW2_Public--->R6
2. SW4 traffic, normal case: SW2_VRF-->FW2--->SW2_Public--->R6; on failure: SW1_VRF-->FW1--->SW1_Public--->R5
3. Load balancing across the switching network

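Lab configuration

Layer 2 switches

Requirements

VLAN 2 ---> SW3, with SW4 as backup
VLAN 3 ---> SW4, with SW3 as backup
MSTP design ---> SW3, SW4 and SW5 run:
  Instance 1: VLAN 2
  Instance 2: VLAN 3
  SW3 is the primary root for instance 1 and the backup root for instance 2; SW4 is the primary root for instance 2 and the backup root for instance 1
IP address plan:
  SW3: VLAN 2: 192.168.2.1/24, VLAN 3: 192.168.3.1/24
  SW4: VLAN 2: 192.168.2.2/24, VLAN 3: 192.168.3.2/24
  Virtual IP: VLAN 2: 192.168.2.254/24, VLAN 3: 192.168.3.254/24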

SW3

[SW3]vlan batch 2 3
[SW3]int g 0/0/3
[SW3-GigabitEthernet0/0/3]port link-type trunk
[SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW3]INT G 0/0/4
[SW3-GigabitEthernet0/0/4]port link-type trunk
[SW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW3]stp enable
[SW3]stp mode mstp
[SW3]stp region-configuration
[SW3-mst-region]region-name aa
[SW3-mst-region]instance 1 vlan 2        ---map VLAN 2 to instance 1
[SW3-mst-region]instance 2 vlan 3
[SW3-mst-region]active region-configuration  ---activate the region configuration
[SW3]stp instance 1 root primary      ---primary root for instance 1
[SW3]stp instance 2 root secondary     ---backup root for instance 2
[SW3]stp instance 0 root primary	  ---primary root for instance 0
[SW3]interface vlanif2
[SW3-Vlanif2]ip address 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254 	---set the virtual IP
[SW3-Vlanif2]vrrp vrid 1 priority 120
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20	---set the preemption delay to 20s
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15 ---track the uplink interfaces
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[SW3]int vlanif 3
[SW3-Vlanif3]ip add 192.168.3.1 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254

SW4

[SW4]vlan batch 2 3
[SW4]int g 0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW4]int g 0/0/4
[SW4-GigabitEthernet0/0/4]port link-type trunk
[SW4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW4]stp enable
[SW4]stp mode mstp
[SW4]stp region-configuration
[SW4-mst-region]region-name aa
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]active region-configuration
[SW4]stp instance 1 root secondary
[SW4]stp instance 2 root primary
[SW4]stp instance 0 root secondary
[SW4]int Vlanif 2
[SW4-Vlanif2]ip address 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254
[SW4-Vlanif2]int vlanif3
[SW4-Vlanif3]ip add 192.168.3.2 255.255.255.0
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW4-Vlanif3]vrrp vrid 1 priority 120
[SW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW4-Vlanif3]vrrp vrid 1 track int GigabitEthernet 0/0/2 reduced 15

STP spanning tree

Test connectivity between the devices

Core layer

SW3

[SW3]vlan b 103 203
[SW3]int g 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type  access
[SW3-GigabitEthernet0/0/1]port default vlan 103
[SW3-GigabitEthernet0/0/1]undo stp enable
[SW3-GigabitEthernet0/0/1]int g 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 203
[SW3-GigabitEthernet0/0/2]undo stp enable
[SW3]int Vlanif 103
[SW3-Vlanif103]ip address 10.10.3.3 24
[SW3]int Vlanif 203
[SW3-Vlanif203]ip address 10.20.3.3 24
[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[SW3-ospf-1]silent-interface vlanif 2	---silent (passive) interface
[SW3-ospf-1]silent-interface vlanif 3

SW4

[SW4]vlan b 104 204
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]int g 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 204
[SW4-GigabitEthernet0/0/1]undo stp enable
[SW4-GigabitEthernet0/0/1]int g 0/0/2
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 104
[SW4-GigabitEthernet0/0/2]undo stp enable
[SW4-GigabitEthernet0/0/2]int vlanif 104
[SW4-Vlanif104]ip address 10.10.4.4 24
[SW4-Vlanif104]int vlanif 204
[SW4-Vlanif204]ip address 10.20.4.4 24
[SW4]ospf 1 router-id 4.4.4.4
[SW4-ospf-1]area 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.3.2 0.0.0.0
[SW4-ospf-1]silent-interface vlanif 2
[SW4-ospf-1]silent-interface vlanif 3

Creating the VRF instance

A VRF instance is created to split SW1 and SW2 each into two logical devices, which connect to the upstream and downstream devices respectively. GE0/0/2, 5, 6 and 7 belong to this instance.

SW1
[SW1]ip vpn-instance VRF
[SW1-vpn-instance-VRF]route-distinguisher  100:1
[SW1-vpn-instance-VRF-af-ipv4]vpn-target  100:1 both
SW2
[SW2]ip vpn-instance VRF
[SW2-vpn-instance-VRF]route-distinguisher  100:1
[SW2-vpn-instance-VRF-af-ipv4]vpn-target  100:1 both

Created successfully.
Configure the VLAN information

SW1
[SW1]vlan batch 102 103 104
[SW1]int g 0/0/6
[SW1-GigabitEthernet0/0/6]port link-type access
[SW1-GigabitEthernet0/0/6]port default vlan 103
[SW1-GigabitEthernet0/0/6]undo stp enable
[SW1]int g 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk
[SW1-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW1-GigabitEthernet0/0/5]undo stp enable
[SW1-GigabitEthernet0/0/5]int g 0/0/7
[SW1-GigabitEthernet0/0/7]port link-type access
[SW1-GigabitEthernet0/0/7]port default vlan 104
[SW1-GigabitEthernet0/0/7]undo stp enable
SW2
[SW2]vlan batch 102 203 204
[SW2]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW2-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW2-GigabitEthernet0/0/5]undo stp enable
[SW2]interface GigabitEthernet 0/0/6
[SW2-GigabitEthernet0/0/6]port link-type access
[SW2-GigabitEthernet0/0/6]port default vlan 204
[SW2-GigabitEthernet0/0/6]undo stp enable
[SW2-GigabitEthernet0/0/6]int g 0/0/7
[SW2-GigabitEthernet0/0/7]port link-type access
[SW2-GigabitEthernet0/0/7]port default vlan 203
[SW2-GigabitEthernet0/0/7]undo stp enable

Creating the VLANIF interfaces

SW1
[SW1]interface Vlanif 102
[SW1-Vlanif102]ip binding vpn-instance VRF
[SW1-Vlanif102]ip address 10.10.2.1 24
[SW1]interface Vlanif 103
[SW1-Vlanif103]ip binding vpn-instance VRF
[SW1-Vlanif103]ip add 10.10.3.1 24
[SW1]interface Vlanif 104
[SW1-Vlanif104]ip binding vpn-instance VRF
[SW1-Vlanif104]ip add 10.10.4.1 24
SW2
[SW2]interface Vlanif 102
[SW2-Vlanif102]ip binding vpn-instance VRF
[SW2-Vlanif102]ip address 10.10.2.2 24
[SW2]interface Vlanif 203
[SW2-Vlanif203]ip binding vpn-instance VRF
[SW2-Vlanif203]ip address 10.20.3.2 24
[SW2]interface Vlanif 204
[SW2-Vlanif204]ip binding vpn-instance VRF
[SW2-Vlanif204]ip add 10.20.4.2 24

Testing

OSPF in the VRF instance

[SW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0
[SW1-ospf-1]default-route-advertise
[SW2]ospf 1 router-id 2.2.2.2 vpn-instance VRF
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.10.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.3.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.4.2 0.0.0.0

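Because the requirements state that "SW3 is the primary root for instance 1 and the backup root for instance 2; SW4 is the primary root for instance 2 and the backup root for instance 1", the interface cost has to be changed so that the two paths do not become equal-cost routes. (The lower the cost, the higher the priority.)

[SW3]int vlanif 203
[SW3-Vlanif203]ospf cost 5
[SW3]ospf 1
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0
[SW4]int vlanif 104
[SW4-Vlanif104]ospf cost 5
[SW4]ospf 1
[SW4-ospf-1]area 0
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0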

Route policy

SW3
[SW3]ip ip-prefix aa permit 192.168.2.0 24
[SW3]ip ip-prefix bb permit 192.168.3.0 24
[SW3]route-policy bb permit node 10
[SW3-route-policy]if-match ip-prefix bb
[SW3-route-policy]apply cost 5
[SW3]route-policy bb permit node 20
[SW3-route-policy]if-match ip-prefix aa
[SW3]ospf 1
[SW3-ospf-1]import-route direct route-policy bb

SW4
[SW4]ip ip-prefix aa permit 192.168.2.0 24
[SW4]ip ip-prefix bb permit 192.168.3.0 24
[SW4]route-policy aa permit node 10
Info: New Sequence of this List.
[SW4-route-policy]if-match ip-prefix aa
[SW4-route-policy]apply cost 5
[SW4-route-policy]route-policy aa permit node 20
Info: New Sequence of this List.
[SW4-route-policy]if-match ip-prefix bb
[SW4]ospf 1
[SW4-ospf-1]import-route direct route-policy aa

Comparison after traffic control

Interaction between the switches and firewalls

VRF zone configuration

SW1
[SW1]vlan batch 401 402
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 401 402
[SW1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type trunk
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW1]interface Vlanif 401
[SW1-Vlanif401]ip binding vpn-instance VRF
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 30
[SW1]interface Vlanif 402
[SW1-Vlanif402]ip binding vpn-instance VRF
[SW1-Vlanif402]ip address 10.40.2.1 24
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
SW2
[SW2]vlan batch 401 402
[SW2]interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[SW2-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW2]interface Vlanif 401
[SW2-Vlanif401]ip binding vpn-instance VRF
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW2]interface Vlanif 402
[SW2-Vlanif402]ip binding vpn-instance VRF
[SW2-Vlanif402]ip address 10.40.2.2 24
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120
[SW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[SW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30

FW1

[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.10.10.1 30
[FW1-GigabitEthernet1/0/0]
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]ip add 10.40.1.10 24
[FW1-GigabitEthernet1/0/1.401]vlan-type dot1q 401
[FW1-GigabitEthernet1/0/1.401]
[FW1-GigabitEthernet1/0/1.401]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet1/0/1.402]vlan-type dot1q 402
[FW1-GigabitEthernet1/0/1.402]
[FW1-GigabitEthernet1/0/1.402]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/2.403]vlan-type dot1q 403
[FW1-GigabitEthernet1/0/2.403]
[FW1-GigabitEthernet1/0/2.403]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]ip add 10.40.4.10 24
[FW1-GigabitEthernet1/0/2.404]vlan-type dot1q 404

FW2

[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.10.10.2 30
[FW2-GigabitEthernet1/0/0]
[FW2-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]ip add 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401
[FW2-GigabitEthernet1/0/2.401]
[FW2-GigabitEthernet1/0/2.401]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip address 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402
[FW2-GigabitEthernet1/0/2.402]
[FW2-GigabitEthernet1/0/2.402]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]ip address 10.40.3.20 24
[FW2-GigabitEthernet1/0/1.403]vlan-type dot1q 403
[FW2-GigabitEthernet1/0/1.403]
[FW2-GigabitEthernet1/0/1.403]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]ip add 10.40.4.20 24
[FW2-GigabitEthernet1/0/1.404]vlan-type dot1q 404

Security zone planning

FW1
[FW1]firewall zone trust 
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.402
[FW1-zone-trust]
[FW1-zone-trust]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.404
[FW1-zone-untrust]
[FW1-zone-untrust]firewall zone dmz 
[FW1-zone-dmz]add interface GigabitEthernet 1/0/0
FW2
[FW2]firewall zone trust 
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402
[FW2-zone-trust]
[FW2-zone-trust]firewall zone untrust 
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.404
[FW2-zone-untrust]
[FW2-zone-untrust]firewall zone dmz 
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0

Public zone on SW1/SW2

SW1
[SW1]vlan batch 403 404
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk 
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404
[SW1-GigabitEthernet0/0/3]
[SW1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type trunk 
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW1-GigabitEthernet0/0/4]
[SW1-GigabitEthernet0/0/4]interface Vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track interface GigabitEthernet 0/0/3 reduced 30
[SW1-Vlanif403]
[SW1-Vlanif403]interface Vlanif 404
[SW1-Vlanif404]ip add 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
SW2
[SW2]vlan batch 403 404
[SW2]interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2]port link-type trunk 
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404
[SW2-GigabitEthernet0/0/2]
[SW2-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk 
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW2-GigabitEthernet0/0/4]
[SW2-GigabitEthernet0/0/4]interface Vlanif 403
[SW2-Vlanif403]ip add 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW2-Vlanif403]
[SW2-Vlanif403]interface Vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60
[SW2-Vlanif404]vrrp vrid 4 track interface GigabitEthernet 0/0/2 reduced 30
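
The switch-side VRRP groups above only form a master/backup pair when both peers use the same VRID for a given virtual IP and only the intended master holds the highest priority. The following Python check is an added example, not part of the original article: it reads prompt-style switch transcripts and flags groups that break either rule. The sample lines are constructed (they reuse this lab's addressing), the function names and finding labels are assumptions of the example, and the firewalls' `active`/`standby` keywords are out of scope.

```python
import re
from collections import defaultdict

# Prompt-style transcript line, e.g. "[SW1-Vlanif401]vrrp vrid 1 priority 120".
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)-(?P<view>[^\]]+)\](?P<cmd>.*)$")
VIP = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+)")
PRIO = re.compile(r"^vrrp vrid (\d+) priority (\d+)")
DEFAULT_PRIORITY = 100  # VRRP default when no priority command is present

# Constructed sample input (not captured from a device), using the lab's addressing.
SAMPLE = """\
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120
[SW2-Vlanif401]vrrp vrid 2 virtual-ip 10.40.1.100
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120   ---intended master
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
"""


def parse_vrrp(transcript):
    """Return {(device, interface, vrid): {"vip": str or None, "priority": int}}."""
    groups = {}
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        cmd = m["cmd"].split("---")[0].strip()  # drop trailing '---' annotations
        hit_vip, hit_prio = VIP.match(cmd), PRIO.match(cmd)
        hit = hit_vip or hit_prio
        if not hit:
            continue
        key = (m["dev"], m["view"], int(hit[1]))
        group = groups.setdefault(key, {"vip": None, "priority": DEFAULT_PRIORITY})
        if hit_vip:
            group["vip"] = hit_vip[2]
        else:
            group["priority"] = int(hit_prio[2])
    return groups


def audit(groups):
    """Return findings as (kind, virtual_ip, detail) tuples, ordered by virtual IP."""
    by_vip = defaultdict(list)
    for (dev, _view, vrid), group in groups.items():
        if group["vip"]:
            by_vip[group["vip"]].append((dev, vrid, group["priority"]))
    findings = []
    for vip in sorted(by_vip):
        members = by_vip[vip]
        vrids = sorted({vrid for _, vrid, _ in members})
        prios = sorted(prio for _, _, prio in members)
        if len(members) < 2:
            findings.append(("no-backup", vip, [members[0][0]]))
        elif len(vrids) > 1:
            # Different VRIDs never elect each other: both sides go master.
            findings.append(("vrid-mismatch", vip, vrids))
        elif prios.count(prios[-1]) > 1:
            # Equal top priority: the master is decided by tie-break, not by design.
            findings.append(("priority-tie", vip, prios))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vrrp(SAMPLE)):
        print(finding)
```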

Supplementary upstream and downstream routes on the switches

Upstream
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70
Downstream
[SW1]ip route-static 192.168.0.0 16 10.40.3.200
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70
Upstream
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70
Downstream
[SW2]ip route-static 192.168.0.0 16 10.40.4.200
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70

Interfaces 1/0/1 and 1/0/2 on the FWs must be activated first for this to work.

Firewall hot standby

FW1
Downstream
[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1-GigabitEthernet1/0/1.401]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby
Upstream
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1-GigabitEthernet1/0/2.403]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby
[FW1]hrp mirror session enable
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
[FW1]hrp enable
Upstream
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70
Downstream
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70
FW2
Downstream
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby
[FW2-GigabitEthernet1/0/2.401]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active
Upstream
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby
[FW2-GigabitEthernet1/0/1.403]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active
[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable
FW2 upstream route configuration:
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70
FW2 downstream route configuration:
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70

Security policy configuration

HRP_M[FW1]security-policy  (+B)
HRP_M[FW1-policy-security]rule name trust_to_untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-zone trust  (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust  (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-address 192.168.0.0 16 (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]action permit  (+B)

View the security policy synchronized to FW2

Core to edge

Plan:
  SW1-SW2: VLAN 12 --- 10.12.1.0/24
  SW1-R1: VLAN 11 ---- 10.11.1.0/24
  SW2-R2: VLAN 22 ---- 10.22.2.0/24
  R1-R2: ---- 10.12.2.0/24
OSPF (the OSPF processes here must be distinguished by process ID), set to 2:
  SW1: 1.1.1.1
  SW2: 2.2.2.2
  R1: 3.3.3.3
  R2: 4.4.4.4

SW1

[SW1]vlan batch 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]undo stp enable 
[SW1-GigabitEthernet0/0/1]
[SW1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW1-GigabitEthernet0/0/4]undo stp enable 
[SW1-GigabitEthernet0/0/4]
[SW1-GigabitEthernet0/0/4]interface Vlanif 11
[SW1-Vlanif11]ip address 10.11.1.1 24
[SW1-Vlanif11]interface Vlanif 12
[SW1-Vlanif12]ip add 10.12.1.1 24
[SW1]ospf 2 router-id 1.1.1.1
[SW1-ospf-2]area 0
[SW1-ospf-2-area-0.0.0.0]network 10.11.1.1 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.12.1.1 0.0.0.0

SW2

[SW2]vlan batch 12 22
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type access 
[SW2-GigabitEthernet0/0/1]port default vlan 22
[SW2-GigabitEthernet0/0/1]undo stp enable
[SW2-GigabitEthernet0/0/1]
[SW2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW2-GigabitEthernet0/0/4]undo stp enable 
[SW2-GigabitEthernet0/0/4]
[SW2-GigabitEthernet0/0/4]interface Vlanif 12
[SW2-Vlanif12]ip address 10.12.1.2 24
[SW2-Vlanif12]interface Vlanif 22
[SW2-Vlanif22]ip address 10.22.2.1 24
[SW2]ospf 2 router-id 2.2.2.2
[SW2-ospf-2] area 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]  network 10.12.1.2 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]  network 10.22.2.1 0.0.0.0

R1

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.11.1.2 24
[R1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.12.2.1 24
[R1]ospf 1 router-id 3.3.3.3
[R1-ospf-1] area 0.0.0.0 
[R1-ospf-1-area-0.0.0.0]  network 10.11.1.2 0.0.0.0 
[R1-ospf-1-area-0.0.0.0]  network 10.12.2.1 0.0.0.0 

R2

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 10.22.2.2 24
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.12.2.2 24
[R2]ospf 1 router-id 4.4.4.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.22.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.12.2.2 0.0.0.0

Outermost network

R1

[R1]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]ip add 12.0.0.1 24
[R1-GigabitEthernet0/0/2]ip route-static 0.0.0.0 0 12.0.0.100
[R1]ospf 1
[R1-ospf-1]default-route-advertise
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000 

R2

[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[R2-GigabitEthernet0/0/2]ip route-static 0.0.0.0 0 13.0.0.100
[R2]ospf 1
[R2-ospf-1]default-route-advertise    
[R2-ospf-1]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2-acl-basic-2000]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000 

ISP

[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]
[ISP-GigabitEthernet0/0/0]ip add 12.0.0.100 24
[ISP-GigabitEthernet0/0/0]
[ISP-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]
[ISP-GigabitEthernet0/0/1]ip add 13.0.0.100 24
[ISP-GigabitEthernet0/0/1]interface LoopBack 0
[ISP-LoopBack0]ip add 100.1.1.1 24

Import the static routes into OSPF process 2 on SW1 and SW2

[SW1-ospf-2]import-route static
[SW2-ospf-2]import-route static

Testing

Under normal conditions, SW1/SW2 ping the ISP
After shutting down an interface, the ping still succeeds
