1. Firewall vs. router analysis
(1) Firewall advantages (cannot be replaced by a router): stateful inspection, application-layer traffic blocking, security policies. A firewall can also emulate router functions (Layer 3 interconnection, routing-protocol peering, NAT, inter-VLAN routing on sub-interfaces), emulate a Layer 3 switch (VLAN + VLANIF), or emulate a pure Layer 2 switch (transparent forwarding with access/trunk ports).
(2) Router advantages (cannot be replaced by a firewall): richer interface types for ISP interconnection (T1/E1/MSTP/POS); broader routing-protocol support (e.g. IS-IS).
2. Choosing among egress gateway devices
(1) Cost: a firewall alone already covers stateful inspection, security blocking, security policies, static-route/OSPF peering and NAT.
(2) Carrier interconnection/interfaces: when the carrier hands off a leased line on a special interface type, a router is needed.
(3) Purpose of deploying the firewall: to control the internal network, or to control the external network.
(4) Internal forwarding efficiency: the firewall inspects every packet (stateful inspection, attack-defense checks), which adds latency.
3. Layer 3 in-line deployment: switches upstream and downstream
1) SW1 configuration
```
vlan batch 10 99
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
interface Vlanif10
 ip address 192.168.1.254 255.255.255.0
# uplink to FW1 GigabitEthernet1/0/1 (10.1.1.1/30)
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 99
interface Vlanif99
 ip address 10.1.1.2 255.255.255.252
```
2) SW2 configuration
```
# VLAN 20 must be created here; the access port and Vlanif20 below use it
vlan batch 20 99
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
interface Vlanif20
 ip address 192.168.2.254 255.255.255.0
# uplink to FW1 GigabitEthernet1/0/2 (10.1.2.1/30)
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 99
interface Vlanif99
 ip address 10.1.2.2 255.255.255.252
```
3) FW1 configuration
```
firewall zone name yq01
 set priority 55
 add interface GigabitEthernet1/0/1
firewall zone name yq02
 set priority 65
 add interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.252
 service-manage all permit
interface GigabitEthernet1/0/2
 ip address 10.1.2.1 255.255.255.252
 service-manage all permit
```
4) FW1 OSPF configuration
```
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
interface GigabitEthernet1/0/1
 ospf enable 1 area 0
interface GigabitEthernet1/0/2
 ospf enable 1 area 0
```
5) SW1 OSPF configuration
```
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
interface Vlanif10
 ospf enable 1 area 0
interface Vlanif99
 ospf enable 1 area 0
```
6) SW2 OSPF configuration
```
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
interface Vlanif20
 ospf enable 1 area 0
interface Vlanif99
 ospf enable 1 area 0
```
7) FW1 security policy
```
security-policy
 rule name yq01_2_yq02
  source-zone yq01
  destination-zone yq02
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name yq02_2_yq01
  source-zone yq02
  destination-zone yq01
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
```
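The SW1/SW2 snippets are short but easy to mis-copy: a VLAN used by `port default vlan` or `interface Vlanif` that was never created, or a /30 link whose two ends do not share a subnet. The checker below is an added example written for this note, not configuration or tooling from the original page. It parses VRP-style lines (constructed copies of the snippets above are embedded inline, one of them with the `vlan batch 10 99` / VLAN 20 mismatch deliberately left in) and reports undeclared VLANs and point-to-point addresses that have no peer on any other device.

```python
import ipaddress
import re

# Constructed copies of the note's snippets. SW2_BROKEN keeps the VLAN typo
# (vlan batch 10 99 while VLAN 20 is used) so the checker has something to find.
SW1 = """
vlan batch 10 99
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
interface Vlanif10
 ip address 192.168.1.254 255.255.255.0
interface Vlanif99
 ip address 10.1.1.2 255.255.255.252
"""
SW2_BROKEN = """
vlan batch 10 99
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
interface Vlanif20
 ip address 192.168.2.254 255.255.255.0
interface Vlanif99
 ip address 10.1.2.2 255.255.255.252
"""
SW2_FIXED = SW2_BROKEN.replace("vlan batch 10 99", "vlan batch 20 99")
FW1 = """
interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.252
interface GigabitEthernet1/0/2
 ip address 10.1.2.1 255.255.255.252
"""


def expand_batch(spec):
    """'10 99' -> {10, 99}; '10 to 12 99' -> {10, 11, 12, 99} (VRP 'vlan batch' syntax)."""
    ids, toks, i = set(), spec.split(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            ids.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(toks[i]))
            i += 1
    return ids


def parse_vrp(text):
    """Return (declared VLAN ids, {referenced VLAN id: [where]}, [(interface, ip_interface)])."""
    declared, referenced, addresses, current = set(), {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"vlan batch (.+)$", line):
            declared |= expand_batch(m.group(1))
        elif m := re.match(r"vlan (\d+)$", line):
            declared.add(int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            if v := re.match(r"Vlanif(\d+)$", current):
                referenced.setdefault(int(v.group(1)), []).append(current)
        elif m := re.match(r"port default vlan (\d+)$", line):
            referenced.setdefault(int(m.group(1)), []).append(current)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addresses.append((current, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")))
    return declared, referenced, addresses


def undeclared_vlans(text):
    """VLANs used by 'port default vlan' or 'interface Vlanif' but never created."""
    declared, referenced, _ = parse_vrp(text)
    return {vid: where for vid, where in referenced.items() if vid not in declared}


def unpaired_links(devices):
    """Point-to-point (/30 or /31) addresses with no peer on any other device."""
    seen = [(dev, iface, addr) for dev, cfg in devices.items()
            for iface, addr in parse_vrp(cfg)[2] if addr.network.prefixlen >= 30]
    return [f"{dev} {iface} {addr}" for dev, iface, addr in seen
            if not any(o_dev != dev and o_addr.network == addr.network and o_addr.ip != addr.ip
                       for o_dev, _, o_addr in seen)]


if __name__ == "__main__":
    print("SW2 undeclared VLANs:", undeclared_vlans(SW2_BROKEN))
    print("unpaired /30 ends:", unpaired_links({"SW1": SW1, "SW2": SW2_FIXED, "FW1": FW1}))
```

Run against the real `display current-configuration` output of each device before bringing OSPF up; an undeclared VLAN or a lonely /30 end is exactly the kind of mistake that otherwise shows up only as a missing neighbor in `display ospf peer brief`.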
4. Layer 3 in-line deployment: router upstream, switch downstream
![图片[1]-4.3 防火墙部署扩展-大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片59-1.png)
1) R1 configuration
```
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
# link to FW1 GigabitEthernet1/0/1 (10.1.1.1/30)
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.255.252
 ospf enable 1 area 0
# user-facing segment
interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0
 ospf enable 1 area 0
```
2) FW1 configuration is the same as above (SW2 configuration is also the same as above); check the neighbor relationships
```
display ospf peer brief
Area Id      Interface              Neighbor id   State
0.0.0.0      GigabitEthernet1/0/1   2.2.2.2       Full
0.0.0.0      GigabitEthernet1/0/2   3.3.3.3       Full
```
5. One-armed (side-mounted) firewall deployment: steering traffic with policy-based routing
1) SW2 configuration
```
vlan 20
# PC2 access port
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
# trunk to SW3 GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20
```
2) SW3 configuration (core switch)
```
vlan batch 10 20
# trunk to SW4 (VLAN 10, PC1 side)
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
# trunk to SW2 (VLAN 20, PC2 side)
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
interface Vlanif10
 ip address 192.168.1.254 255.255.255.0
interface Vlanif20
 ip address 192.168.2.254 255.255.255.0
# two point-to-point links toward the side-mounted FW1
vlan batch 21 22
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 21
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 22
interface Vlanif21
 ip address 10.21.1.2 255.255.255.252
interface Vlanif22
 ip address 10.22.1.2 255.255.255.252
```
3) SW4 configuration
```
vlan 10
# PC1 access port
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
# trunk to SW3 GigabitEthernet0/0/1
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
```
4) FW1 configuration
```
firewall zone name yq01
 set priority 55
 add interface GigabitEthernet1/0/1
firewall zone name yq02
 set priority 65
 add interface GigabitEthernet1/0/2
# Interface addresses: the other host of each /30 on SW3 (Vlanif21 10.21.1.2, Vlanif22 10.22.1.2);
# these are the next-hops used by the SW3 redirect rules in steps 7 and 9
interface GigabitEthernet1/0/1
 ip address 10.21.1.1 255.255.255.252
interface GigabitEthernet1/0/2
 ip address 10.22.1.1 255.255.255.252
```
5) SW3 routing configuration
```
# runs on the core switch SW3, which is the only device holding all four VLANIFs
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
interface Vlanif10
 ospf enable 1 area 0
interface Vlanif20
 ospf enable 1 area 0
interface Vlanif21
 ospf enable 1 area 0
interface Vlanif22
 ospf enable 1 area 0
```
6) FW1 routing configuration
```
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
interface GigabitEthernet1/0/1
 ospf enable 1 area 0
interface GigabitEthernet1/0/2
 ospf enable 1 area 0
```
7) SW3 policy-based routing to steer PC1-to-PC2 traffic
```
# define the access control list
acl number 3000
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
# match the specified traffic
traffic classifier panggua
 if-match acl 3000
# redirect to 10.21.1.1 (FW1 GigabitEthernet1/0/1)
traffic behavior panggua
 redirect ip-nexthop 10.21.1.1
# bind the classifier and the behavior in a policy
traffic policy panggua
 classifier panggua behavior panggua
# apply the policy on the interface (inbound from SW4, where PC1 sits in VLAN 10)
interface GigabitEthernet0/0/1
 traffic-policy panggua inbound
```
8) FW1 security policy (PC1 to PC2)
```
security-policy
 rule name yq01_2_yq02
  source-zone yq01
  destination-zone yq02
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
```
9) SW3 policy-based routing to steer PC2-to-PC1 traffic
```
# define the access control list
acl number 3001
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
# match the specified traffic
traffic classifier panggua2
 if-match acl 3001
# redirect to 10.22.1.1 (FW1 GigabitEthernet1/0/2)
traffic behavior panggua2
 redirect ip-nexthop 10.22.1.1
# bind the classifier and the behavior in a policy
traffic policy panggua2
 classifier panggua2 behavior panggua2
# apply the policy on the interface (inbound from SW2, where PC2 sits in VLAN 20)
interface GigabitEthernet0/0/2
 traffic-policy panggua2 inbound
```
10) FW1 security policy (PC2 to PC1)
```
security-policy
 rule name yq02_2_yq01
  source-zone yq02
  destination-zone yq01
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
```
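In the one-armed design, a packet only reaches FW1 when one of SW3's inbound ACLs matches it, and once on FW1 the zone pair that the security policy sees depends on which interface the packet leaves by. The model below is an added example written for this note, not tooling from the original page: it encodes the SW3 redirect rules (steps 7 and 9), FW1's zones and rules (steps 4, 8 and 10), and the two equal-cost OSPF next-hops FW1 learns for each user subnet, then traces a constructed packet through every possible path. FW1's interface addresses 10.21.1.1/30 and 10.22.1.1/30 are assumed from the SW3 /30 peers; the ECMP members are treated as equally possible rather than hashed.

```python
import ipaddress as ipa

# SW3 traffic-policy redirects from the note (section 5, steps 7 and 9):
# (ingress port, ACL source, ACL destination, redirect next-hop)
SW3_PBR = [
    ("GigabitEthernet0/0/1", "192.168.1.0/24", "192.168.2.0/24", "10.21.1.1"),
    ("GigabitEthernet0/0/2", "192.168.2.0/24", "192.168.1.0/24", "10.22.1.1"),
]

# FW1 interfaces: address (assumed: the other host of each /30 on SW3) and zone
FW_IFACES = {
    "GigabitEthernet1/0/1": ("10.21.1.1/30", "yq01"),
    "GigabitEthernet1/0/2": ("10.22.1.1/30", "yq02"),
}

# OSPF on both links makes SW3 advertise both user subnets over both /30s,
# so FW1 ends up with two equal-cost next-hops for each of them.
FW_ROUTES = {
    "192.168.1.0/24": ["10.21.1.2", "10.22.1.2"],
    "192.168.2.0/24": ["10.21.1.2", "10.22.1.2"],
}

# security-policy rules from steps 8 and 10: (name, src zone, dst zone, src net, dst net, action)
FW_POLICY = [
    ("yq01_2_yq02", "yq01", "yq02", "192.168.1.0/24", "192.168.2.0/24", "permit"),
    ("yq02_2_yq01", "yq02", "yq01", "192.168.2.0/24", "192.168.1.0/24", "permit"),
]


def sw3_redirect(ingress_port, src, dst):
    """Next-hop imposed by SW3's inbound traffic-policy, or None if SW3 routes normally."""
    for port, acl_src, acl_dst, nexthop in SW3_PBR:
        if port == ingress_port and src in ipa.ip_network(acl_src) and dst in ipa.ip_network(acl_dst):
            return nexthop
    return None


def fw_iface_owning(ip):
    """FW1 interface whose /30 contains ip (its own address or the SW3 peer)."""
    for name, (cidr, _zone) in FW_IFACES.items():
        if ip in ipa.ip_interface(cidr).network:
            return name
    raise ValueError(f"{ip} is not on a FW1 link")


def fw_rule_for(in_iface, out_iface, src, dst):
    """First security-policy rule matching the zone pair and addresses, or (None, 'no-match')."""
    src_zone, dst_zone = FW_IFACES[in_iface][1], FW_IFACES[out_iface][1]
    for name, sz, dz, sn, dn, action in FW_POLICY:
        if (sz, dz) == (src_zone, dst_zone) and src in ipa.ip_network(sn) and dst in ipa.ip_network(dn):
            return name, action
    return None, "no-match"  # no configured rule; the device's default policy decides


def trace(ingress_port, src_ip, dst_ip):
    """Follow one packet: SW3 ingress -> (maybe) FW1 -> every possible ECMP egress."""
    src, dst = ipa.ip_address(src_ip), ipa.ip_address(dst_ip)
    nexthop = sw3_redirect(ingress_port, src, dst)
    if nexthop is None:
        return {"inspected": False, "paths": []}
    in_iface = fw_iface_owning(ipa.ip_address(nexthop))
    nexthops = next(nh for net, nh in FW_ROUTES.items() if dst in ipa.ip_network(net))
    paths = []
    for nh in nexthops:
        out_iface = fw_iface_owning(ipa.ip_address(nh))
        rule, action = fw_rule_for(in_iface, out_iface, src, dst)
        paths.append((in_iface, out_iface, rule, action))
    return {"inspected": True, "paths": paths}


def zone_hazard(result):
    """True when some ECMP member turns the flow into intra-zone traffic that no rule covers."""
    return any(action == "no-match" for _, _, _, action in result["paths"])


if __name__ == "__main__":
    for port, s, d in [("GigabitEthernet0/0/1", "192.168.1.10", "192.168.2.10"),
                       ("GigabitEthernet0/0/2", "192.168.2.10", "192.168.1.10"),
                       ("GigabitEthernet0/0/1", "192.168.1.10", "192.168.1.254")]:
        r = trace(port, s, d)
        print(f"{s} -> {d} via {port}: inspected={r['inspected']} hazard={zone_hazard(r)}")
        for p in r["paths"]:
            print("   ", p)
```

Two things the trace makes visible. First, a flow the ACLs do not match (PC1 talking to SW3's own VLANIF, or any subnet added later without a matching rule) never reaches FW1 at all, so in this design the ACL list is the firewall's coverage and must be maintained with it. Second, because OSPF gives FW1 two equal-cost routes to each user subnet, part of the sessions can leave through the interface they entered on, turning the expected yq01-to-yq02 flow into intra-zone yq01-to-yq01 traffic that none of the configured rules match. Pinning FW1's route toward 192.168.2.0/24 to 10.22.1.2 and toward 192.168.1.0/24 to 10.21.1.2 (a static route, or a higher OSPF cost on the other link) keeps the ingress and egress zones consistent with the policy.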