4.4 防火墙二三层部署综合


1.防火墙三层部署(防火墙使用USG6000V-enspv1.2版本)

1)R1配置
#R1 base config: GE4/0/0 faces R4 (the "outside"), GE0/0/0 faces FW1, GE0/0/1 is the 192.168.1.0/24 LAN, GE0/0/2 faces R3.
interface GigabitEthernet4/0/0
 ip address 12.1.1.1 255.255.255.0

interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0 

interface GigabitEthernet0/0/2
 ip address 10.13.1.1 255.255.255.0

interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0 

#Static default toward R4; this is the route that the default-route commands further down redistribute into RIP and OSPF.
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

#RIPv2 toward R3. "network 10.0.0.0" is classful and therefore also matches GE0/0/0 (10.1.1.1) toward FW1 — confirm RIP is meant to run on that link too; no RIP authentication is configured.
rip 1
 undo summary
 version 2
 network 10.0.0.0

#OSPF area 0 on the FW1 link and the 192.168.1.0/24 LAN. No area/interface authentication is configured, so any neighbor on these segments can form an adjacency — acceptable in the lab, add `authentication-mode md5` under area 0 for anything beyond it.
ospf 1 router-id 1.1.1.1 
 area 0
interface GigabitEthernet0/0/0
 ospf enable 1 area 0 
interface GigabitEthernet0/0/1
 ospf enable 1 area 0

#路由导入
#Two-way redistribution (RIP<->OSPF) on a single router. With only one redistribution point this is loop-free, but R1 is also redistributing at the FW1/BGP boundary indirectly (FW1 imports OSPF into BGP and BGP into OSPF), so review route feedback if more routers are added — no route-policy/filter is applied here.
ospf 1 router-id 1.1.1.1 
import-route rip 1

rip 1
import-route ospf 1

#R1给R3通告默认路由
#Originates 0.0.0.0/0 into RIP toward R3 (derived from the static default above).
rip 1
default-route originate

#R1给FW1通告默认路由
#Originates a Type-5 default into OSPF so FW1 learns its exit via R1.
ospf 1 router-id 1.1.1.1 
 default-route-advertise

#配置NAT,使内网主机访问外网
#Basic ACL 2000 (source-only match) selects which inside prefixes are translated; prefixes not listed are forwarded untranslated and will not get a return path from R4. Section 2 appends rules 40-60 for the 192.168.10/20/30 subnets.
acl number 2000  
rule 10 permit source 192.168.1.0 0.0.0.255 
rule 20 permit source 192.168.2.0 0.0.0.255 
rule 30 permit source 192.168.3.0 0.0.0.255 
#Easy-IP style outbound NAT on the outside interface (translates to the GE4/0/0 address).
interface GigabitEthernet4/0/0
  nat outbound 2000

2)R2配置
#R2: GE0/0/0 faces FW1's trust interface (10.2.2.91), GE0/0/1 is the 192.168.2.0/24 LAN.
interface GigabitEthernet0/0/0
 ip address 10.2.2.2 255.255.255.0

interface GigabitEthernet0/0/1
 ip address 192.168.2.254 255.255.255.0

#IBGP session to FW1 (same AS 65001). No session authentication is configured; for anything beyond the lab add `peer 10.2.2.91 password cipher <password>` on both ends. R2 has no default route of its own — it expects FW1 to advertise one over BGP.
bgp 65001
 peer 10.2.2.91 as-number 65001
#No mask given, so VRP applies the natural mask (/24 here) — confirm this is intended.
network 192.168.2.0

3)R3配置
#R3: GE0/0/2 faces R1 (10.13.1.0/24), GE0/0/0 is the 192.168.3.0/24 LAN.
interface GigabitEthernet0/0/2
 ip address 10.13.1.3 255.255.255.0

interface GigabitEthernet0/0/0
 ip address 192.168.3.254 255.255.255.0

#RIPv2 on both links; the LAN prefix is advertised to R1 and the default route is learned from R1. No RIP authentication configured.
rip 1
 undo summary
 version 2
 network 10.0.0.0
 network 192.168.3.0

4)R4配置
#R4 simulates the "Internet". It has no routes back to the 192.168.x.0 subnets — this only works because R1 translates them to 12.1.1.1 (NAT above).
interface GigabitEthernet0/0/3
 ip address 12.1.1.2 255.255.255.0

interface GigabitEthernet0/0/0
 ip address 8.8.8.254 255.255.255.0

5)FW1配置
#FW1 layer-3 deployment: GE1/0/1 faces R1 (becomes untrust), GE1/0/2 faces R2 (becomes trust).
interface GigabitEthernet1/0/1
  ip address 10.1.1.91 255.255.255.0
#`service-manage all permit` opens every management service (ping, ssh, telnet, http/https, snmp, ...) on this interface, and this interface is placed in the untrust zone below. Only ping is actually needed for the lab; prefer `service-manage ping permit` here and keep device management on the trust side.
 service-manage all permit

interface GigabitEthernet1/0/2
  ip address 10.2.2.91 255.255.255.0
 service-manage all permit

#Zone assignment: an interface not in a zone does not forward traffic on USG6000V. The default inter-zone action is deny, which is why the explicit rules below are needed.
firewall zone trust
 add interface GigabitEthernet1/0/2

firewall zone untrust
 add interface GigabitEthernet1/0/1

#OSPF toward R1 only (the trust side uses BGP). No OSPF authentication configured, matching R1.
ospf 1 router-id 91.1.1.1
 area 0
interface GigabitEthernet1/0/1
 ospf enable 1 area 0

#防火墙USG6000V-enspv1.2版本,拦截OSPF单播流量,需要建立安全策略才能建立OSPF邻居关系,防火墙USG6000V-enspv1.3版本不拦截OSPF单播流量
#This rule permits ALL traffic originated by the firewall itself toward untrust, not just OSPF. It is enough for the lab; in a production config add a `service` clause restricted to the routing protocol so the firewall's own outbound traffic is not blanket-permitted.
security-policy
 rule name ospf_l_2_un
  source-zone local
  destination-zone untrust
  action permit

#IBGP to R2. As on R2, no `peer ... password cipher` is configured — the session accepts unauthenticated TCP/179 from 10.2.2.2.
bgp 65001
 peer 10.2.2.2 as-number 65001

##防火墙USG6000V-enspv1.2版本,拦截BGP流量,需要建立安全策略才能建立BGP邻居关系,防火墙USG6000V-enspv1.3版本不拦截BGP流量
#Same caveat as ospf_l_2_un: permits every local->trust flow, not only BGP. Note this rule only covers the firewall-initiated direction; the inbound direction (trust->local) is what the R2-initiated session would need — confirm which side opens the TCP session in your test.
security-policy
rule name bgp_l_2_t
  source-zone local
  destination-zone trust
  action permit

#配置内网访问外网
#Allows only the 192.168.2.0/24 LAN behind R2 to initiate sessions toward untrust; return traffic is handled by the session table. No destination or service restriction — the whole untrust side is reachable, which is the intent for Internet access here.
security-policy
rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action permit

#路由导入
#OSPF routes (from R1) are fed to R2 via IBGP...
bgp 65001
import-route ospf 1
#允许把IBGP路由注入OSPF(permit-ibgp)
#...and the IBGP-learned 192.168.2.0/24 is fed back to R1 via OSPF. Both directions are redistributed without a route-policy; with R1 also doing RIP<->OSPF redistribution, review for route feedback before extending this topology.
ospf 1 router-id 91.1.1.1
import-route bgp permit-ibgp

#FW1通告默认路由给R2
#Sends 0.0.0.0/0 to R2 over BGP regardless of whether FW1 itself holds a default (it learns one from R1 via OSPF).
bgp 65001
peer 10.2.2.2 default-route-advertise

2.防火墙二层部署(防火墙使用USG6000V-enspv1.2版本)

1)SW1配置
#SW1: access ports for VLAN 10 and 20, trunk uplink toward FW1 (SW2 and SW3 below follow the same pattern).
vlan batch 10 20
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10

interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20

#`allow-pass vlan all` carries every VLAN, including ones not used here. Limiting the trunk to the VLANs it needs (`port trunk allow-pass vlan 10 20`) reduces unintended VLAN reachability; same applies to SW2/SW3 GE0/0/24 and the FW1 trunk ports.
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan all

2)SW2配置
#SW2: one access port in VLAN 30, trunk uplink toward FW1 GE1/0/5 or GE1/0/6 (see FW1 section).
vlan 30
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30

interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan all

3)SW3配置
#SW3: identical to SW2 (VLAN 30 access + trunk uplink).
vlan 30
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30

interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan all

4)FW1配置
#FW1 layer-2 deployment, option A (SVI): GE1/0/0 is switched to a trunk and VLANIF 10/20 act as the gateways.
vlan batch 10 20 30
#使用SVI方式
interface GigabitEthernet1/0/0
 portswitch
 port link-type trunk
 port trunk allow-pass vlan all

#As in section 1, `service-manage all permit` exposes every management service on the gateway address reachable by every host in the VLAN; restrict to what is needed (e.g. `service-manage ping permit`).
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
service-manage all permit

interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
service-manage all permit

#Both VLANIFs in trust means VLAN 10 <-> VLAN 20 traffic is intra-zone and is permitted by default on USG6000V without a security-policy rule — put them in separate zones if inter-VLAN filtering is wanted.
firewall zone trust
add interface Vlanif10
  add interface Vlanif20

#使用单臂路由方式
#Option B (router-on-a-stick): dot1q sub-interfaces on GE1/0/0 replace the VLANIFs. This is an alternative to option A, not an addition — the same gateway addresses cannot be configured on both the VLANIF and the sub-interface.
interface GigabitEthernet1/0/0.1
 vlan-type dot1q 10
 ip address 192.168.10.254 255.255.255.0
service-manage all permit

interface GigabitEthernet1/0/0.2
 vlan-type dot1q 20
 ip address 192.168.20.254 255.255.255.0
service-manage all permit

firewall zone trust
 add interface GigabitEthernet1/0/0.1
 add interface GigabitEthernet1/0/0.2

#配置GigabitEthernet1/0/3和GigabitEthernet1/0/4
#Switched access ports in VLAN 30 (hosts attach directly to the firewall).
interface GigabitEthernet1/0/3
 portswitch
 port link-type access
 port default vlan 30

interface GigabitEthernet1/0/4
 portswitch
 port link-type access
 port default vlan 30

#Layer-2 ports must still be assigned to a zone on USG6000V or they will not forward.
firewall zone trust
 add interface GigabitEthernet1/0/3
 add interface GigabitEthernet1/0/4

#配置GigabitEthernet1/0/5和GigabitEthernet1/0/6
#Switched trunk ports toward SW2/SW3; `allow-pass vlan all` could be narrowed to VLAN 30 since that is the only VLAN those switches carry.
interface GigabitEthernet1/0/5
 portswitch
 port link-type trunk
 port trunk allow-pass vlan all

interface GigabitEthernet1/0/6
 portswitch
 port link-type trunk
 port trunk allow-pass vlan all

firewall zone trust
 add interface GigabitEthernet1/0/5
 add interface GigabitEthernet1/0/6

#Gateway for VLAN 30; same `service-manage all permit` caveat as the other VLANIFs.
interface Vlanif30
 ip address 192.168.30.254 255.255.255.0
service-manage all permit 

firewall zone trust
 add interface Vlanif30

#Advertise the three new LAN prefixes to R2 over the existing IBGP session (natural /24 masks, as no mask is given).
bgp 65001
network 192.168.10.0
  network 192.168.20.0
  network 192.168.30.0

#Re-declares rule t_2_un with the extra source subnets. 192.168.2.0/24 is kept from section 1 — drop it if R2's LAN is not part of this topology, so the rule stays as narrow as the design needs.
security-policy
rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  source-address 192.168.2.0 mask 255.255.255.0
  source-address 192.168.20.0 mask 255.255.255.0
  source-address 192.168.30.0 mask 255.255.255.0
  action permit

#发布vlan10、20、30直连路由到OSPF
#`import-route direct` injects every directly connected prefix, including the 10.2.2.0/24 transit link, not only the three VLANs; use a route-policy if only the VLAN prefixes should reach R1.
ospf 1 router-id 91.1.1.1
 import-route direct

5)R1配置
#Extend the NAT source ACL from section 1 so the new VLAN subnets are translated on GE4/0/0; without these rules their traffic leaves untranslated and gets no return path from R4.
acl number 2000
rule 40 permit source 192.168.10.0 0.0.0.255
rule 50 permit source 192.168.20.0 0.0.0.255
rule 60 permit source 192.168.30.0 0.0.0.255