4.3 Firewall Deployment Extensions

1. Firewall/Router Analysis

(1) Firewall advantages (cannot be replaced by a router): stateful inspection, advanced application-layer traffic interception, and security policies. A firewall can additionally emulate router functions (Layer 3 interconnection, routing protocol peering, NAT, inter-VLAN routing via sub-interfaces), emulate a Layer 3 switch (VLANIF interfaces), and emulate a pure Layer 2 switch (transparent forwarding with access/trunk ports).
(2) Router advantages (cannot be replaced by a firewall): a rich set of interface types for ISP interconnection (T1/E1/MSTP/POS) and broader routing protocol support (for example IS-IS).

2. Choosing the Egress Gateway Device

(1) Cost: a single firewall provides stateful inspection, security interception, security policies, and static-route/OSPF/NAT interconnection.
(2) Carrier interconnection and interfaces: the carrier may require a special interface type (a leased line with a special interface calls for a router).
(3) Purpose of deploying the firewall: to control traffic from the internal network and from the external network.
(4) Internal forwarding efficiency: the firewall inspects every packet (stateful inspection, attack-defense checks), which introduces additional latency.

3. Layer 3 Inline Deployment: Switches Upstream and Downstream

1) SW1 configuration
vlan batch 10 99
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10

interface Vlanif10
 ip address 192.168.1.254 255.255.255.0

interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 99

interface Vlanif99
 ip address 10.1.1.2 255.255.255.252

2) SW2 configuration
vlan batch 20 99
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20

interface Vlanif20
 ip address 192.168.2.254 255.255.255.0

interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 99

interface Vlanif99
 ip address 10.1.2.2 255.255.255.252

3) FW1 configuration
firewall zone name yq01
 set priority 55
 add interface GigabitEthernet1/0/1

firewall zone name yq02
 set priority 65
 add interface GigabitEthernet1/0/2

interface GigabitEthernet1/0/1
 ip address 10.1.1.1 255.255.255.252
 service-manage all permit

interface GigabitEthernet1/0/2
 ip address 10.1.2.1 255.255.255.252
 service-manage all permit

4) FW1 OSPF configuration
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
interface GigabitEthernet1/0/1
 ospf enable 1 area 0
interface GigabitEthernet1/0/2
 ospf enable 1 area 0

5) SW1 OSPF configuration
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
interface Vlanif10
 ospf enable 1 area 0
interface Vlanif99
 ospf enable 1 area 0

6) SW2 OSPF configuration
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
interface Vlanif20
 ospf enable 1 area 0
interface Vlanif99
 ospf enable 1 area 0

7) FW1 inter-zone security policy configuration
security-policy
 rule name yq01_2_yq02
  source-zone yq01
  destination-zone yq02
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name yq02_2_yq01
  source-zone yq02
  destination-zone yq01
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit

4. Layer 3 Inline Deployment: Router Upstream, Switch Downstream

[Figure 1]
1) R1 configuration
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.255.252
 ospf enable 1 area 0

interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0
 ospf enable 1 area 0

2) FW1 configuration is the same as above (SW2 likewise); check the OSPF neighbor relationship:
display ospf peer brief
Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet1/0/1             2.2.2.2          Full
 0.0.0.0          GigabitEthernet1/0/2             3.3.3.3          Full

5. Firewall Bypass (Side-Mounted) Deployment: Traffic Steering with Policy-Based Routing

1) SW2 configuration
vlan 20
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20

2) SW3 configuration
vlan batch 10 20
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10

interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20

interface Vlanif10
 ip address 192.168.1.254 255.255.255.0

interface Vlanif20
 ip address 192.168.2.254 255.255.255.0

vlan batch 21 22
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 21

interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 22

interface Vlanif21
 ip address 10.21.1.2 255.255.255.252
interface Vlanif22
 ip address 10.22.1.2 255.255.255.252

3) SW4 configuration
vlan 10
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10

4) FW1 configuration
firewall zone name yq01
 set priority 55
 add interface GigabitEthernet1/0/1

firewall zone name yq02
 set priority 65
 add interface GigabitEthernet1/0/2

# Interface addresses are the .1 ends of the two /30 links to SW3 (Vlanif21/Vlanif22);
# they are the next-hops used by the SW3 redirect rules in steps 7) and 9).
interface GigabitEthernet1/0/1
 ip address 10.21.1.1 255.255.255.252

interface GigabitEthernet1/0/2
 ip address 10.22.1.1 255.255.255.252

5) SW3 routing configuration (OSPF on the SW3 VLANIF interfaces)
ospf 1 router-id 1.1.1.1
 area 0.0.0.0

interface Vlanif10
 ospf enable 1 area 0

interface Vlanif20
 ospf enable 1 area 0

interface Vlanif21
 ospf enable 1 area 0

interface Vlanif22
 ospf enable 1 area 0

6) FW1 routing configuration (OSPF)
ospf 1 router-id 2.2.2.2
 area 0.0.0.0

interface GigabitEthernet1/0/1
 ospf enable 1 area 0

interface GigabitEthernet1/0/2
 ospf enable 1 area 0

7) SW3 policy-based routing traffic steering (PC1 to PC2)
# Define the ACL (wildcard notation: 0.0.0.255 matches the whole /24)
acl number 3000
 rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
# Match the specified traffic
traffic classifier panggua
 if-match acl 3000
# Redirect the next-hop to 10.21.1.1 (FW1 GigabitEthernet1/0/1, zone yq01)
traffic behavior panggua
 redirect ip-nexthop 10.21.1.1
# Bind the classifier and the behavior in a traffic policy
traffic policy panggua
 classifier panggua behavior panggua
# Apply the policy inbound on the interface facing PC1
interface GigabitEthernet0/0/1
 traffic-policy panggua inbound

8) FW1 security policy (PC1 to PC2)
security-policy
 rule name yq01_2_yq02
  source-zone yq01
  destination-zone yq02
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit

9) SW3 policy-based routing traffic steering (PC2 to PC1)
# Define the ACL
acl number 3001
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
# Match the specified traffic
traffic classifier panggua2
 if-match acl 3001
# Redirect the next-hop to 10.22.1.1 (FW1 GigabitEthernet1/0/2, zone yq02)
traffic behavior panggua2
 redirect ip-nexthop 10.22.1.1
# Bind the classifier and the behavior in a traffic policy
traffic policy panggua2
 classifier panggua2 behavior panggua2
# Apply the policy inbound on the interface facing PC2
interface GigabitEthernet0/0/2
 traffic-policy panggua2 inbound

10) FW1 security policy (PC2 to PC1)
security-policy
 rule name yq02_2_yq01
  source-zone yq02
  destination-zone yq01
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
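As an added example that is not part of these course notes, the Python below models how steps 7) to 10) (and the identical policy in section 3) treat a packet: SW3's inbound traffic-policy matches the ACL using wildcard masks and redirects to FW1, and FW1 then derives the zone pair from the ingress and egress interface before walking its security-policy rules in order, ending at the implicit default deny. It assumes the redirect next-hops 10.21.1.1 and 10.22.1.1 are FW1's GigabitEthernet1/0/1 and 1/0/2 (the .1 ends of SW3's /30 links); FW1's route lookup is not modelled, so the caller supplies the egress interface.

```python
import ipaddress

# Interface-to-zone mapping and rule order copied from the FW1 configuration.
ZONES = {"GigabitEthernet1/0/1": "yq01", "GigabitEthernet1/0/2": "yq02"}
# Assumption: the redirect next-hops are the .1 ends of SW3's /30 links, i.e.
# FW1's GE1/0/1 (10.21.1.1) and GE1/0/2 (10.22.1.1).
NEXTHOP_IF = {"10.21.1.1": "GigabitEthernet1/0/1",
              "10.22.1.1": "GigabitEthernet1/0/2"}
# SW3 traffic policies: inbound interface -> (ACL source, ACL destination, next-hop).
PBR = {
    "GigabitEthernet0/0/1": ("192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255", "10.21.1.1"),
    "GigabitEthernet0/0/2": ("192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.255", "10.22.1.1"),
}
# FW1 security-policy rules: (name, source zone, destination zone, source, destination).
RULES = [
    ("yq01_2_yq02", "yq01", "yq02",
     "192.168.1.0 mask 255.255.255.0", "192.168.2.0 mask 255.255.255.0"),
    ("yq02_2_yq01", "yq02", "yq01",
     "192.168.2.0 mask 255.255.255.0", "192.168.1.0 mask 255.255.255.0"),
]

def wildcard_match(ip, acl_term):
    """ACL semantics: a 1 bit in the wildcard is 'don't care', so compare only the 0 bits."""
    base, wildcard = acl_term.split()
    keep = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(ip)) & keep == int(ipaddress.ip_address(base)) & keep

def mask_match(ip, addr_term):
    """Firewall address terms use a subnet mask ('a.b.c.d mask w.x.y.z')."""
    addr, _, mask = addr_term.split()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def sw3_redirect(in_if, src, dst):
    """Next-hop chosen by the inbound traffic-policy, or None if the ACL does not match."""
    term = PBR.get(in_if)
    if term and wildcard_match(src, term[0]) and wildcard_match(dst, term[1]):
        return term[2]
    return None  # unmatched traffic follows the routing table and never reaches FW1

def fw1_policy(in_if, out_if, src, dst):
    """First matching rule wins; zones come from the ingress and egress interfaces."""
    zone_pair = (ZONES[in_if], ZONES[out_if])
    for name, src_zone, dst_zone, src_net, dst_net in RULES:
        if (src_zone, dst_zone) == zone_pair and mask_match(src, src_net) and mask_match(dst, dst_net):
            return "permit", name
    return "deny", "default"  # implicit default deny at the end of the policy

def end_to_end(sw3_in_if, src, dst, fw_out_if):
    """Steer via SW3's PBR, then apply FW1's policy; fw_out_if is FW1's chosen egress interface."""
    next_hop = sw3_redirect(sw3_in_if, src, dst)
    if next_hop is None:
        return "not steered to FW1"
    return fw1_policy(NEXTHOP_IF[next_hop], fw_out_if, src, dst)
```

In this model a packet that FW1 routes back out the interface it arrived on has the zone pair yq01 to yq01, matches neither rule and falls to the default deny; since FW1 peers with SW3 over both links, confirm with `display firewall session table` which egress interface it actually selects.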