1.防火墙三层部署(防火墙使用USG6000V-enspv1.2版本)
1)R1配置
interface GigabitEthernet4/0/0
ip address 12.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.13.1.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
rip 1
undo summary
version 2
network 10.0.0.0
ospf 1 router-id 1.1.1.1
area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0
#OSPF与RIP相互引入路由
ospf 1 router-id 1.1.1.1
import-route rip 1
rip 1
import-route ospf 1
#R1给R3通告默认路由
rip 1
default-route originate
#R1给FW1通告默认路由
ospf 1 router-id 1.1.1.1
default-route-advertise
#配置NAT,使内网主机访问外网
acl number 2000
rule 10 permit source 192.168.1.0 0.0.0.255
rule 20 permit source 192.168.2.0 0.0.0.255
rule 30 permit source 192.168.3.0 0.0.0.255
interface GigabitEthernet4/0/0
nat outbound 2000
2)R2配置
interface GigabitEthernet0/0/0
ip address 10.2.2.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
bgp 65001
peer 10.2.2.91 as-number 65001
network 192.168.2.0
3)R3配置
interface GigabitEthernet0/0/2
ip address 10.13.1.3 255.255.255.0
interface GigabitEthernet0/0/0
ip address 192.168.3.254 255.255.255.0
rip 1
undo summary
version 2
network 10.0.0.0
network 192.168.3.0
4)R4配置
interface GigabitEthernet0/0/3
ip address 12.1.1.2 255.255.255.0
interface GigabitEthernet0/0/0
ip address 8.8.8.254 255.255.255.0
5)FW1配置
interface GigabitEthernet1/0/1
ip address 10.1.1.91 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/2
ip address 10.2.2.91 255.255.255.0
service-manage all permit
firewall zone trust
add interface GigabitEthernet1/0/2
firewall zone untrust
add interface GigabitEthernet1/0/1
ospf 1 router-id 91.1.1.1
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0
#防火墙USG6000V(eNSP v1.2版本)会拦截Local与Untrust之间的OSPF单播流量,需要配置安全策略放行后才能建立OSPF邻居关系;USG6000V(eNSP v1.3版本)不拦截OSPF单播流量。注意:下面的规则未限定服务,会放行Local到Untrust的全部流量,且GigabitEthernet1/0/1(Untrust侧)配置了service-manage all permit,实验环境可以接受,生产环境应只放行OSPF服务和必需的管理服务。
security-policy
rule name ospf_l_2_un
source-zone local
destination-zone untrust
action permit
bgp 65001
peer 10.2.2.2 as-number 65001
#防火墙USG6000V(eNSP v1.2版本)会拦截Local与Trust之间的BGP流量,需要配置安全策略放行后才能建立BGP邻居关系;USG6000V(eNSP v1.3版本)不拦截BGP流量。同样,下面的规则未限定服务,生产环境应只放行BGP服务。
security-policy
rule name bgp_l_2_t
source-zone local
destination-zone trust
action permit
#配置内网访问外网(仅放行192.168.2.0/24从Trust到Untrust)
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
action permit
#BGP引入OSPF路由
bgp 65001
import-route ospf 1
#允许把IBGP路由注入OSPF(permit-ibgp)
ospf 1 router-id 91.1.1.1
import-route bgp permit-ibgp
#FW1通告默认路由给R2
bgp 65001
peer 10.2.2.2 default-route-advertise
2.防火墙二层部署(防火墙使用USG6000V-enspv1.2版本)
1)SW1配置
vlan batch 10 20
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan all
2)SW2配置
vlan 30
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan all
3)SW3配置
vlan 30
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan all
4)FW1配置
vlan batch 10 20 30
#方式一:使用SVI方式(与下面的单臂路由方式二选一)
interface GigabitEthernet1/0/0
portswitch
port link-type trunk
port trunk allow-pass vlan all
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
service-manage all permit
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
service-manage all permit
firewall zone trust
add interface Vlanif10
add interface Vlanif20
#方式二:使用单臂路由方式(与上面的SVI方式二选一)
interface GigabitEthernet1/0/0.1
vlan-type dot1q 10
ip address 192.168.10.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/0.2
vlan-type dot1q 20
ip address 192.168.20.254 255.255.255.0
service-manage all permit
firewall zone trust
add interface GigabitEthernet1/0/0.1
add interface GigabitEthernet1/0/0.2
#将GigabitEthernet1/0/3和GigabitEthernet1/0/4配置为VLAN 30的access口
interface GigabitEthernet1/0/3
portswitch
port link-type access
port default vlan 30
interface GigabitEthernet1/0/4
portswitch
port link-type access
port default vlan 30
firewall zone trust
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
#将GigabitEthernet1/0/5和GigabitEthernet1/0/6配置为trunk口
interface GigabitEthernet1/0/5
portswitch
port link-type trunk
port trunk allow-pass vlan all
interface GigabitEthernet1/0/6
portswitch
port link-type trunk
port trunk allow-pass vlan all
firewall zone trust
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
service-manage all permit
firewall zone trust
add interface Vlanif30
bgp 65001
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
source-address 192.168.2.0 mask 255.255.255.0
source-address 192.168.20.0 mask 255.255.255.0
source-address 192.168.30.0 mask 255.255.255.0
action permit
#将VLAN 10、20、30的直连路由引入OSPF
ospf 1 router-id 91.1.1.1
import-route direct
5)R1配置(在原有acl 2000中追加规则,使新增VLAN网段也能通过nat outbound访问外网)
acl number 2000
rule 40 permit source 192.168.10.0 0.0.0.255
rule 50 permit source 192.168.20.0 0.0.0.255
rule 60 permit source 192.168.30.0 0.0.0.255