Firewalls Directly Connected to the Egress Routers
Case Description
At the egress of a large campus, the uplinks of the core switches connect directly to the firewalls, and the firewalls connect to the egress gateways. Two routers serve as the egress gateways and connect directly to the Internet. The two firewalls form a hot-standby pair and filter the traffic entering and leaving the campus. The two core-layer switches form a cluster that serves as the core of the whole campus network and as the user gateway, assigning IP addresses to users. The service requirements are as follows:
- Department A users can access the Internet; Department B users cannot.
- Both internal and external users can access the HTTP server.
In this case Department A uses 192.168.1.0/24 and Department B uses 192.168.2.0/24; the gateways of both segments (192.168.1.1 and 192.168.2.1) and their DHCP address pools are on the core switches.
In this case the two aggregation-layer switches form a stack and connect to the core switches. For the network below the core layer, see the campus basic network connectivity deployment case.
Figure 1 Campus network with the firewalls directly connected to the egress routers
Device Requirements and Versions
Location | Device used in this case | Version used in this case
--- | --- | ---
Egress (router) | AR6300 | V300R019C10
Egress (firewall) | USG6300E | V600R007C00
Core layer | S12700E | V200R019C10
Deployment Approach
Step | Configuration approach | Products involved
--- | --- | ---
1 | Set up the cluster/stack and multi-active detection (MAD) to improve device-level reliability. | Core switch
2 | Configure Eth-Trunk to improve link reliability. | Core switch, firewall
3 | Assign IP addresses to the interfaces. | Egress router, firewall, core switch
4 | Configure routing so that the network is reachable end to end. | Egress router, firewall, core switch
5 | Assign the interfaces to security zones and configure security policies so that the permitted services can pass through the firewall. | Firewall
6 | Configure hot standby (HRP) between the two firewalls, with session backup between them. | Firewall
7 | Configure NAT so that Department A users can access the Internet and external users can access the internal HTTP server. | Egress router
Data Plan
Device | Interface | Member interfaces | VLANIF | IP address
--- | --- | --- | --- | ---
RouterA | GE0/0/1 | - | - | 10.1.1.1/24
RouterA | GE0/0/2 | - | - | 8.8.8.1/24
RouterA | LoopBack0 | - | - | 1.1.1.1/32 (router ID)
RouterB | GE0/0/1 | - | - | 10.2.1.1/24
RouterB | GE0/0/2 | - | - | 9.9.9.1/24
RouterB | LoopBack0 | - | - | 2.2.2.2/32 (router ID)
FWA | GE1/0/1 | - | - | 10.1.1.2/24
FWA | GE1/0/7 (heartbeat) | - | - | 10.10.1.1/24
FWA | Eth-Trunk10 | GE2/0/3, GE2/0/4 | - | 10.3.1.1/24
FWA | LoopBack0 | - | - | 3.3.3.3/32 (router ID)
FWB | GE1/0/1 | - | - | 10.2.1.2/24
FWB | GE1/0/7 (heartbeat) | - | - | 10.10.1.2/24
FWB | Eth-Trunk20 | GE2/0/3, GE2/0/4 | - | 10.4.1.1/24
FWB | LoopBack0 | - | - | 4.4.4.4/32 (router ID)
CORE | XGE1/1/0/5 | - | VLANIF300 | 10.100.1.1/24
CORE | Eth-Trunk10 | GE1/3/0/3, GE2/3/0/3 | - | 10.3.1.2/24
CORE | Eth-Trunk20 | GE1/3/0/4, GE2/3/0/4 | - | 10.4.1.2/24
CORE | LoopBack0 | - | - | 5.5.5.5/32 (router ID)
HTTP server | Ethernet interface | - | - | 10.100.1.10/24
User segments (gateways on CORE): Department A 192.168.1.0/24 (gateway 192.168.1.1), Department B 192.168.2.0/24 (gateway 192.168.2.1).
Deployment Procedure
- On the core switches, set up the cluster and multi-active detection; for the configuration, see the cluster/stack common deployment.
- Configure Eth-Trunk.
- Configure the firewalls.
# On FWA, create Eth-Trunk10 for the connection to the core switch CORE and add the member interfaces.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] mode lacp-static
[FWA-Eth-Trunk10] quit
[FWA] interface gigabitethernet 2/0/3
[FWA-GigabitEthernet2/0/3] eth-trunk 10
[FWA-GigabitEthernet2/0/3] quit
[FWA] interface gigabitethernet 2/0/4
[FWA-GigabitEthernet2/0/4] eth-trunk 10
[FWA-GigabitEthernet2/0/4] quit
# On FWB, create Eth-Trunk20 for the connection to the core switch CORE and add the member interfaces.
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] mode lacp-static
[FWB-Eth-Trunk20] quit
[FWB] interface gigabitethernet 2/0/3
[FWB-GigabitEthernet2/0/3] eth-trunk 20
[FWB-GigabitEthernet2/0/3] quit
[FWB] interface gigabitethernet 2/0/4
[FWB-GigabitEthernet2/0/4] eth-trunk 20
[FWB-GigabitEthernet2/0/4] quit
- Configure the core switch CORE.
# On CORE, create Eth-Trunk10 for the connection to FWA and add the member interfaces.
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp-static
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/3/0/3
[CORE-GigabitEthernet1/3/0/3] eth-trunk 10
[CORE-GigabitEthernet1/3/0/3] quit
[CORE] interface gigabitethernet 2/3/0/3
[CORE-GigabitEthernet2/3/0/3] eth-trunk 10
[CORE-GigabitEthernet2/3/0/3] quit
# On CORE, create Eth-Trunk20 for the connection to FWB and add the member interfaces.
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp-static
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/3/0/4
[CORE-GigabitEthernet1/3/0/4] eth-trunk 20
[CORE-GigabitEthernet1/3/0/4] quit
[CORE] interface gigabitethernet 2/3/0/4
[CORE-GigabitEthernet2/3/0/4] eth-trunk 20
[CORE-GigabitEthernet2/3/0/4] quit
- Assign IP addresses to the interfaces.
# Configure RouterA.
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 1.1.1.1 32 //used as the router ID
[RouterA-LoopBack0] quit
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address 10.1.1.1 24 //interface connecting to FWA
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] ip address 8.8.8.1 24 //interface connecting to the Internet
[RouterA-GigabitEthernet0/0/2] quit
# Configure RouterB.
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface loopback 0
[RouterB-LoopBack0] ip address 2.2.2.2 32 //used as the router ID
[RouterB-LoopBack0] quit
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //interface connecting to FWB
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] ip address 9.9.9.1 24 //interface connecting to the Internet
[RouterB-GigabitEthernet0/0/2] quit
# Configure FWA.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 3.3.3.3 32 //used as the router ID
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //interface connecting to RouterA
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/7
[FWA-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //hot-standby heartbeat interface
[FWA-GigabitEthernet1/0/7] quit
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] ip address 10.3.1.1 24 //Eth-Trunk interface connecting to CORE
[FWA-Eth-Trunk10] quit
# Configure FWB.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 4.4.4.4 32 //used as the router ID
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //interface connecting to RouterB
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/7
[FWB-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //hot-standby heartbeat interface
[FWB-GigabitEthernet1/0/7] quit
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] ip address 10.4.1.1 24 //Eth-Trunk interface connecting to CORE
[FWB-Eth-Trunk20] quit
# Configure CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 5.5.5.5 32 //used as the router ID
[CORE-LoopBack0] quit
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] undo portswitch //by default a switch Eth-Trunk interface works in Layer 2 mode; run undo portswitch first to switch it to Layer 3 mode before assigning an IP address
[CORE-Eth-Trunk10] ip address 10.3.1.2 24 //Eth-Trunk10 interface connecting to FWA
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] undo portswitch
[CORE-Eth-Trunk20] ip address 10.4.1.2 24 //Eth-Trunk20 interface connecting to FWB
[CORE-Eth-Trunk20] quit
[CORE] vlan batch 300
[CORE] interface xgigabitethernet 1/1/0/5
[CORE-XGigabitEthernet1/1/0/5] port link-type access
[CORE-XGigabitEthernet1/1/0/5] port default vlan 300
[CORE-XGigabitEthernet1/1/0/5] quit
[CORE] interface vlanif 300
[CORE-Vlanif300] ip address 10.100.1.1 24
[CORE-Vlanif300] quit
- Configure routing.
- Put the interconnecting interfaces of the routers, the firewalls and the core switch into the OSPF backbone area (Area 0).
# Configure RouterA.
[RouterA] router id 1.1.1.1
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //advertise the segment connecting to FWA into the OSPF backbone area
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure RouterB.
[RouterB] router id 2.2.2.2
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //advertise the segment connecting to FWB into the OSPF backbone area
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure FWA.
[FWA] router id 3.3.3.3
[FWA] ospf 1
[FWA-ospf-1] area 0
[FWA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //advertise the segment connecting to RouterA into the OSPF backbone area
[FWA-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //advertise the segment connecting to CORE into the OSPF backbone area
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
# Configure FWB.
[FWB] router id 4.4.4.4
[FWB] ospf 1
[FWB-ospf-1] area 0
[FWB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //advertise the segment connecting to RouterB into the OSPF backbone area
[FWB-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //advertise the segment connecting to CORE into the OSPF backbone area
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
# Configure CORE. The user segments for which CORE is the gateway (192.168.1.0/24 and 192.168.2.0/24 in this case; their VLANIF interfaces are configured in the core-layer case) must be advertised into OSPF in the same way, otherwise the firewalls and the egress routers have no return route to the users.
[CORE] router id 5.5.5.5
[CORE] ospf 1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //advertise the segment connecting to FWA into the OSPF backbone area
[CORE-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //advertise the segment connecting to FWB into the OSPF backbone area
[CORE-ospf-1-area-0.0.0.0] network 10.100.1.0 0.0.0.255 //advertise the HTTP server segment into the OSPF backbone area
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
- Configure default routes.
# On CORE, configure default routes whose next hops are the two firewalls. Both routes have the same preference, so CORE shares outbound traffic across the two firewalls; this is why session fast backup (hrp mirror session enable) is enabled in the hot-standby step.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
# On FWA, configure a default route whose next hop is the egress router.
[FWA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# On FWB, configure a default route whose next hop is the egress router.
[FWB] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
# On RouterA, configure a default route whose next hop is the carrier-side address of the link (the public gateway).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
# On RouterB, configure a default route whose next hop is the carrier-side address of the link (the public gateway).
[RouterB] ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
- Firewall: assign the interfaces to security zones and configure security policies.
# Configure FWA.
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 10 //add Eth-Trunk10, which faces the internal network, to the trust zone
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface gigabitethernet 1/0/1 //add GE1/0/1, which faces the Internet, to the untrust zone
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface gigabitethernet 1/0/7 //add the heartbeat interface GE1/0/7 to the DMZ zone
[FWA-zone-dmz] quit
[FWA] security-policy
[FWA-policy-security] rule name policy_dmz //permit traffic between the local zone and the DMZ in both directions; this carries the HRP heartbeat
[FWA-policy-security-rule-policy_dmz] source-zone local
[FWA-policy-security-rule-policy_dmz] source-zone dmz
[FWA-policy-security-rule-policy_dmz] destination-zone local
[FWA-policy-security-rule-policy_dmz] destination-zone dmz
[FWA-policy-security-rule-policy_dmz] action permit
[FWA-policy-security-rule-policy_dmz] quit
[FWA-policy-security] rule name trust_to_untrust //permit Department A users to access the Internet
[FWA-policy-security-rule-trust_to_untrust] source-zone trust
[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWA-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 24
[FWA-policy-security-rule-trust_to_untrust] action permit
[FWA-policy-security-rule-trust_to_untrust] quit
[FWA-policy-security] rule name trust_to_untrust1 //deny Department B users access to the Internet
[FWA-policy-security-rule-trust_to_untrust1] source-zone trust
[FWA-policy-security-rule-trust_to_untrust1] destination-zone untrust
[FWA-policy-security-rule-trust_to_untrust1] source-address 192.168.2.0 24
[FWA-policy-security-rule-trust_to_untrust1] action deny
[FWA-policy-security-rule-trust_to_untrust1] quit
[FWA-policy-security] rule name untrust_to_trust //permit external users to access the HTTP server
[FWA-policy-security-rule-untrust_to_trust] source-zone untrust
[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
[FWA-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWA-policy-security-rule-untrust_to_trust] action permit
[FWA-policy-security-rule-untrust_to_trust] quit
[FWA-policy-security] quit
# Configure FWB.
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 20 //add Eth-Trunk20, which faces the internal network, to the trust zone
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface gigabitethernet 1/0/1 //add GE1/0/1, which faces the Internet, to the untrust zone
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface gigabitethernet 1/0/7 //add the heartbeat interface GE1/0/7 to the DMZ zone
[FWB-zone-dmz] quit
[FWB] security-policy
[FWB-policy-security] rule name policy_dmz //permit traffic between the local zone and the DMZ in both directions; this carries the HRP heartbeat
[FWB-policy-security-rule-policy_dmz] source-zone local
[FWB-policy-security-rule-policy_dmz] source-zone dmz
[FWB-policy-security-rule-policy_dmz] destination-zone local
[FWB-policy-security-rule-policy_dmz] destination-zone dmz
[FWB-policy-security-rule-policy_dmz] action permit
[FWB-policy-security-rule-policy_dmz] quit
[FWB-policy-security] rule name trust_to_untrust //permit Department A users to access the Internet
[FWB-policy-security-rule-trust_to_untrust] source-zone trust
[FWB-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 24
[FWB-policy-security-rule-trust_to_untrust] action permit
[FWB-policy-security-rule-trust_to_untrust] quit
[FWB-policy-security] rule name trust_to_untrust1 //deny Department B users access to the Internet
[FWB-policy-security-rule-trust_to_untrust1] source-zone trust
[FWB-policy-security-rule-trust_to_untrust1] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust1] source-address 192.168.2.0 24
[FWB-policy-security-rule-trust_to_untrust1] action deny
[FWB-policy-security-rule-trust_to_untrust1] quit
[FWB-policy-security] rule name untrust_to_trust //permit external users to access the HTTP server
[FWB-policy-security-rule-untrust_to_trust] source-zone untrust
[FWB-policy-security-rule-untrust_to_trust] destination-zone trust
[FWB-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWB-policy-security-rule-untrust_to_trust] action permit
[FWB-policy-security-rule-untrust_to_trust] quit
[FWB-policy-security] quit
The rules are matched top-down and the firewall's default security policy denies anything that matches no rule, so Department B would be blocked even without trust_to_untrust1; the explicit deny rule states the intent and makes the hits visible. Note that untrust_to_trust permits any service from the Internet to the whole 10.100.1.0/24 segment; if only the HTTP server is to be exposed, narrow the destination address to 10.100.1.10 and restrict the rule to the predefined http service.
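The following is an added example, not part of the case or of the vendor's documentation: a small Python evaluator that parses the security-policy section of FWA's configuration file (copied into the script as a constructed string) and replays the case's service requirements against it using the firewall's first-match, default-deny semantics. Zone names and address segments are the case's own; the flow endpoints such as 203.0.113.5 and the host addresses 192.168.1.20 / 192.168.2.20 are constructed test values.

```python
"""Offline evaluator for the USG security-policy rule base of this case (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the security-policy section of FWA's configuration file, as it
# appears in the configuration files of this case.
FWA_SECURITY_POLICY = """\
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name trust_to_untrust1
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action deny
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.100.1.0 mask 255.255.255.0
  action permit
"""


@dataclass
class Rule:
    name: str
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)   # an empty list means "any"
    dst_nets: list = field(default_factory=list)
    action: str = "deny"


def parse_policy(text):
    """Parse 'rule name ...' blocks in configuration-file form into Rule objects, in order."""
    rules, cur = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["rule", "name"]:
            cur = Rule(parts[2])
            rules.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "source-zone":
            cur.src_zones.add(parts[1])
        elif parts[0] == "destination-zone":
            cur.dst_zones.add(parts[1])
        elif parts[0] in ("source-address", "destination-address"):
            # configuration-file form: <address> mask <netmask>
            net = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
            (cur.src_nets if parts[0] == "source-address" else cur.dst_nets).append(net)
        elif parts[0] == "action":
            cur.action = parts[1]
    return rules


def _matches(nets, addr):
    return not nets or any(addr in n for n in nets)


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Return (action, rule name) for a flow: rules are tried top-down, the first
    match wins, and the USG default policy denies anything left unmatched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src_zone in r.src_zones and dst_zone in r.dst_zones
                and _matches(r.src_nets, src) and _matches(r.dst_nets, dst)):
            return r.action, r.name
    return "deny", "default"


def check_requirements(rules):
    """Replay the case's service requirements as concrete flows (endpoints constructed)."""
    internet_host = "203.0.113.5"
    return {
        "Department A -> Internet permitted":
            evaluate(rules, "trust", "untrust", "192.168.1.20", internet_host)[0] == "permit",
        "Department B -> Internet denied":
            evaluate(rules, "trust", "untrust", "192.168.2.20", internet_host)[0] == "deny",
        "Internet -> HTTP server permitted":
            evaluate(rules, "untrust", "trust", internet_host, "10.100.1.10")[0] == "permit",
        "Internet -> user segment denied":
            evaluate(rules, "untrust", "trust", internet_host, "192.168.1.20")[0] == "deny",
        "HRP heartbeat (local <-> dmz) permitted":
            evaluate(rules, "local", "dmz", "10.10.1.1", "10.10.1.2")[0] == "permit",
    }


if __name__ == "__main__":
    for requirement, ok in check_requirements(parse_policy(FWA_SECURITY_POLICY)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {requirement}")
```

Traffic between the user segments and the HTTP server stays on CORE and never reaches the firewall, which is why that requirement is absent from check_requirements. The evaluator ignores services because the case's rules define none, so every rule matches any service; the same evaluator shows why the HTTP server itself cannot open outbound connections (its address is not in trust_to_untrust, so the default rule denies it).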
- Firewall: configure hot standby.
# On FWA, configure the VGMP group to monitor the upstream and downstream service interfaces. If a monitored interface goes down, the VGMP group's priority drops and the active/standby roles switch.
[FWA] hrp track interface gigabitethernet 1/0/1 //VGMP group monitors the upstream interface
[FWA] hrp track interface eth-trunk 10 //VGMP group monitors the downstream interface
# On FWA, enable adjustment of the OSPF cost according to the HRP state. The firewall in the standby state raises the cost of the routes it advertises, so the routers and the core switch prefer the active firewall for OSPF-learned routes.
[FWA] hrp adjust ospf-cost enable
# On FWB, configure the VGMP group to monitor the upstream and downstream service interfaces.
[FWB] hrp track interface gigabitethernet 1/0/1
[FWB] hrp track interface eth-trunk 20
# On FWB, enable adjustment of the OSPF cost according to the HRP state.
[FWB] hrp adjust ospf-cost enable
# On FWA, specify the heartbeat interface and enable hot standby.
[FWA] hrp interface gigabitethernet 1/0/7 remote 10.10.1.2 //specify the heartbeat interface and the peer's heartbeat address
[FWA] hrp enable //enable HRP hot standby
HRP_M[FWA] hrp mirror session enable //enable session fast backup: a session created on one firewall is backed up to the other at once, so return traffic arriving at the other firewall still matches a session
After hot standby is configured, the configuration and sessions of the active device are automatically backed up to the standby device. The prompt changes to HRP_M on the active firewall and HRP_B on the standby firewall.
# On FWB, specify the heartbeat interface and enable hot standby.
[FWB] hrp interface gigabitethernet 1/0/7 remote 10.10.1.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable
- Egress router: configure NAT.
The public address plan is assumed as follows. On the link to the carrier, RouterA uses 8.8.8.1 and the carrier-side gateway is 8.8.8.2 (the next hop of RouterA's default route); RouterB uses 9.9.9.1 and its carrier-side gateway is 9.9.9.2. The carrier routes the public addresses 8.8.8.3~8.8.8.10 and 9.9.9.3~9.9.9.10 to the enterprise: 8.8.8.10 and 9.9.9.10 are the public addresses at which external users reach the HTTP server, and the remaining addresses (8.8.8.3~8.8.8.9 and 9.9.9.3~9.9.9.9) form the NAT address pools used by internal users to access the Internet.
# On RouterA, configure NAT Outbound to translate the private addresses of Department A users to public addresses so that Department A users can access the Internet. The ACL must cover every source segment that the firewall permits outbound; a segment the firewall lets through but the ACL does not match would leave the router with a private source address.
[RouterA] nat address-group 1 8.8.8.3 8.8.8.9 //NAT address pool built from the carrier-assigned public addresses
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //user segment allowed to access the Internet
[RouterA-acl-basic-2000] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //apply NAT on the Internet-facing interface
[RouterA-GigabitEthernet0/0/2] quit
# On RouterB, configure NAT Outbound to translate the private addresses of Department A users to public addresses.
[RouterB] nat address-group 1 9.9.9.3 9.9.9.9 //NAT address pool built from the carrier-assigned public addresses; 9.9.9.10 is kept out of the pool because it is the NAT Server address
[RouterB] acl number 2000
[RouterB-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //user segment allowed to access the Internet
[RouterB-acl-basic-2000] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //apply NAT on the Internet-facing interface
[RouterB-GigabitEthernet0/0/2] quit
# On RouterA and RouterB, configure NAT Server so that external users can access the internal HTTP server.
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
[RouterA-GigabitEthernet0/0/2] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
[RouterB-GigabitEthernet0/0/2] quit
These mappings use protocol tcp without a port, so every TCP port of 10.100.1.10 becomes reachable at the public address. If only HTTP is to be exposed, map port 80 alone (for example nat server protocol tcp global 8.8.8.10 www inside 10.100.1.10 www) and keep the firewall rule untrust_to_trust equally narrow.
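The following is an added example, not from the case or the vendor: a Python audit of an egress router's NAT lines against the source segments the firewall permits outbound. The router lines are constructed from RouterB's configuration; the first variant deliberately widens the address pool to 9.9.9.10 so that it collides with the NAT Server public address, the second uses the pool as the case does. The firewall-permitted list is the source segment of rule trust_to_untrust; the ACL-to-prefix conversion assumes contiguous wildcard masks, which is all the case uses.

```python
"""Consistency audit of an AR egress router's NAT configuration (added example)."""
import ipaddress
import re

# Constructed input: RouterB's NAT-related lines. The address-group line here is a
# deliberately wrong variant whose upper bound collides with the NAT Server address.
ROUTERB_NAT_BAD = """\
acl number 2000
 rule permit source 192.168.1.0 0.0.0.255
nat address-group 1 9.9.9.3 9.9.9.10
interface GigabitEthernet0/0/2
 ip address 9.9.9.1 255.255.255.0
 nat outbound 2000 address-group 1
 nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
"""
# The pool as the case uses it: 9.9.9.10 is left out because it is the NAT Server address.
ROUTERB_NAT_OK = ROUTERB_NAT_BAD.replace("9.9.9.3 9.9.9.10", "9.9.9.3 9.9.9.9")

# Source segments the firewall permits from trust to untrust (rule trust_to_untrust).
FW_PERMITTED_SOURCES = ["192.168.1.0/24"]


def parse_router_nat(text):
    """Collect address pools, NAT Server mappings, ACL sources, interface addresses
    and nat outbound bindings from the configuration lines."""
    cfg = {"pools": {}, "servers": [], "acl_sources": [], "iface_ips": [], "outbound": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nat address-group (\d+) (\S+) (\S+)", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"nat server protocol \S+ global (\S+) inside (\S+)", line):
            cfg["servers"].append((ipaddress.ip_address(m.group(1)),
                                   ipaddress.ip_address(m.group(2))))
        elif m := re.match(r"rule permit source (\S+) (\S+)", line):
            # ACL wildcard mask -> prefix length; valid for contiguous wildcards only
            wildcard = int(ipaddress.ip_address(m.group(2)))
            prefix = 32 - wildcard.bit_length()
            cfg["acl_sources"].append(ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False))
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cfg["iface_ips"].append(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"nat outbound (\d+) address-group (\d+)", line):
            cfg["outbound"].append((m.group(1), m.group(2)))
    return cfg


def _in_pool(addr, pool):
    start, end = pool
    return start <= addr <= end


def audit(cfg, fw_permitted):
    """Return a list of findings; an empty list means the NAT plan is consistent."""
    findings = []
    for gid, pool in cfg["pools"].items():
        for public, _inside in cfg["servers"]:
            if _in_pool(public, pool):
                findings.append(f"NAT Server address {public} lies inside address-group {gid} "
                                f"({pool[0]}-{pool[1]}): outbound PAT and the server mapping "
                                f"compete for the same public address")
        for ip in cfg["iface_ips"]:
            if _in_pool(ip, pool):
                findings.append(f"interface address {ip} lies inside address-group {gid}")
    for _acl, gid in cfg["outbound"]:
        if gid not in cfg["pools"]:
            findings.append(f"nat outbound references address-group {gid}, which is not defined")
    # Every segment the firewall lets out must be covered by the NAT ACL; otherwise its
    # packets leave the router with private source addresses and are dropped upstream.
    for cidr in fw_permitted:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(acl) for acl in cfg["acl_sources"]):
            findings.append(f"firewall permits {net} outbound but no NAT ACL rule covers it")
    return findings


if __name__ == "__main__":
    for label, text in (("widened pool", ROUTERB_NAT_BAD), ("case pool", ROUTERB_NAT_OK)):
        print(label, audit(parse_router_nat(text), FW_PERMITTED_SOURCES) or "OK")
```

The pool/NAT Server overlap matters because outbound PAT would hand the server's public address to user flows; the ACL check catches the opposite mistake, where the firewall lets a segment out that the router never translates. Running audit with both department segments in the permitted list shows the second finding, since the case's ACL 2000 only matches Department A.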
Verification
- Accessing any public website shows that Department A users can reach the Internet while Department B users cannot.
- Department A and Department B users can ping the HTTP server (10.100.1.10). External users can reach it at http://8.8.8.10 and http://9.9.9.10; because the NAT Server mappings on the routers translate TCP only, ICMP ping from the Internet to these public addresses is not forwarded to the server.
- On the firewalls, display hrp state shows FWA as the active device and FWB as the standby device with the heartbeat up, and display firewall session table on the standby firewall confirms that sessions created on the active firewall are backed up.
Configuration Files
- RouterA configuration file
#
sysname RouterA
#
router id 1.1.1.1
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 8.8.8.3 8.8.8.9
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 8.8.8.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
#
return
- RouterB configuration file
#
sysname RouterB
#
router id 2.2.2.2
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 9.9.9.3 9.9.9.9
#
interface GigabitEthernet0/0/1
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 9.9.9.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
#
return
- FWA configuration file
#
sysname FWA
#
router id 3.3.3.3
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.2
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 10
#
interface Eth-Trunk10
ip address 10.3.1.1 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/7
undo shutdown
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
undo shutdown
eth-trunk 10
#
interface GigabitEthernet2/0/4
undo shutdown
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet 1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
rule name trust_to_untrust1
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
action deny
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.100.1.0 mask 255.255.255.0
action permit
#
return
- FWB configuration file
#
sysname FWB
#
router id 4.4.4.4
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.1
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 20
#
interface Eth-Trunk20
ip address 10.4.1.1 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/7
undo shutdown
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/3
undo shutdown
eth-trunk 20
#
interface GigabitEthernet2/0/4
undo shutdown
eth-trunk 20
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet 1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
#
security-policy
rule name policy_dmz
source-zone local
source-zone dmz
destination-zone local
destination-zone dmz
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
rule name trust_to_untrust1
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
action deny
rule name untrust_to_trust
source-zone untrust
destination-zone trust
destination-address 10.100.1.0 mask 255.255.255.0
action permit
#
return
- CORE configuration file
#
sysname CORE
#
router id 5.5.5.5
#
vlan batch 300
#
ip pool poola
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
ip pool poolb
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
#
interface Vlanif300
ip address 10.100.1.1 255.255.255.0
#
interface Eth-Trunk10
undo portswitch
ip address 10.3.1.2 255.255.255.0
mode lacp-static
#
interface Eth-Trunk20
undo portswitch
ip address 10.4.1.2 255.255.255.0
mode lacp-static
#
interface GigabitEthernet1/3/0/3
eth-trunk 10
#
interface GigabitEthernet1/3/0/4
eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
port link-type access
port default vlan 300
#
interface XGigabitEthernet1/1/0/10
mad detect mode direct
#
interface GigabitEthernet2/3/0/3
eth-trunk 10
#
interface GigabitEthernet2/3/0/4
eth-trunk 20
#
interface XGigabitEthernet2/1/0/10
mad detect mode direct
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.100.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return