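1. RIP integration
![Figure [1] - Chapter 4 Firewall single-node Layer 2 and Layer 3 deployment - 4.1 Routing integration](https://www.dsrw.com/wp-content/uploads/2023/09/图片65-1.png)
1) FW1 basic configuration
#service-manage all permit allows every management service (ping, SSH, HTTPS, ...) to reach the firewall on that interface, here including the untrust-side GigabitEthernet1/0/1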
interface GigabitEthernet1/0/1
ip address 10.1.1.91 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/2
ip address 10.2.2.91 255.255.255.0
service-manage all permit
firewall zone trust
add interface GigabitEthernet1/0/2
firewall zone untrust
add interface GigabitEthernet1/0/1
2) Configure RIP on FW1
rip 1
version 2
network 10.0.0.0
3) Configure RIP on R1
rip 1
version 2
network 192.168.1.0
network 10.0.0.0
4) Configure RIP on R2
rip 1
version 2
network 192.168.2.0
network 10.0.0.0
5) Configure security zone policy on FW1
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name un_2_t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
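2. OSPF integration
![Figure [2] - Chapter 4 Firewall single-node Layer 2 and Layer 3 deployment - 4.1 Routing integration](https://www.dsrw.com/wp-content/uploads/2023/09/图片66-1.png)
1) OSPF single-area integration
(1) R1 configuration
#router IDs must be unique per router; R1 uses 1.1.1.1, matching the neighbor output on FW1
ospf 1 router-id 1.1.1.1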
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0
(2) R2 configuration
ospf 1 router-id 2.2.2.2
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0
(3) FW1 configuration
ospf 1 router-id 91.1.1.1
area 0
interface GigabitEthernet1/0/1
ospf enable 1 area 0
interface GigabitEthernet1/0/2
ospf enable 1 area 0
#View neighbor information on FW1
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/1 1.1.1.1 Full
0.0.0.0 GigabitEthernet1/0/2 2.2.2.2 Full
![Figure [3] - Chapter 4 Firewall single-node Layer 2 and Layer 3 deployment - 4.1 Routing integration](https://www.dsrw.com/wp-content/uploads/2023/09/图片67-1.png)
2) OSPF multi-area integration
(1) R1 configuration
ospf 1 router-id 1.1.1.1
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0
(2) R2 configuration
ospf 1 router-id 2.2.2.2
area 1
interface GigabitEthernet0/0/1
ospf enable 1 area 1
interface GigabitEthernet0/0/0
ospf enable 1 area 1
(3) FW1 configuration
ospf 1 router-id 91.1.1.1
area 0
area 1
interface GigabitEthernet1/0/1
ospf enable 1 area 0
interface GigabitEthernet1/0/2
ospf enable 1 area 1
#View neighbors
display ospf peer brief
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/1 1.1.1.1 Full
0.0.0.1 GigabitEthernet1/0/2 2.2.2.2 Full
![Figure [4] - Chapter 4 Firewall single-node Layer 2 and Layer 3 deployment - 4.1 Routing integration](https://www.dsrw.com/wp-content/uploads/2023/09/图片68-1.png)
3) OSPF special-area integration
(1) R1 configuration
ospf 1 router-id 1.1.1.1
import-route rip 1 #import RIP routes into OSPF
area 0
interface GigabitEthernet0/0/1
ospf enable 1 area 0
interface GigabitEthernet0/0/0
ospf enable 1 area 0
rip 1
version 2
network 10.0.0.0
import-route ospf 1 #import OSPF routes into RIP
(2) R2 configuration
ospf 1 router-id 2.2.2.2
area 1
interface GigabitEthernet0/0/1
ospf enable 1 area 1
interface GigabitEthernet0/0/0
ospf enable 1 area 1
(3) R3 configuration
rip 1
version 2
network 10.0.0.0
network 192.168.3.0
(4) FW1 configuration
ospf 1 router-id 91.1.1.1
area 0
area 1
interface GigabitEthernet1/0/1
ospf enable 1 area 0
interface GigabitEthernet1/0/2
ospf enable 1 area 1
#Configure the security policy
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action permit
rule name un_2_t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
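An added example (not from the original page): a small Python model of how the two rules above are matched. It assumes first-match evaluation, OR between repeated address lines of one condition, AND between conditions, and an implicit deny for unmatched traffic; `CONFIG` is a constructed copy of the block above, and `parse_rules` and `evaluate` are hypothetical helper names.

```python
import ipaddress

# Constructed copy of the FW1 security-policy block shown above.
CONFIG = """\
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.3.0 mask 255.255.255.0
action permit
rule name un_2_t
source-zone untrust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
source-address 192.168.3.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
"""

def parse_rules(text):
    """Parse 'rule name' blocks; repeated condition lines accumulate in lists."""
    rules = []
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["rule", "name"]:
            rules.append({"name": tok[2], "action": "deny", "source-zone": [],
                          "destination-zone": [], "source-address": [], "destination-address": []})
        elif rules and tok and tok[0].endswith("-zone"):
            rules[-1][tok[0]].append(tok[1])
        elif rules and tok and tok[0].endswith("-address"):
            rules[-1][tok[0]].append(ipaddress.ip_network(f"{tok[1]}/{tok[3]}"))
        elif rules and tok and tok[0] == "action":
            rules[-1]["action"] = tok[1]
    return rules

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; an empty condition matches any; no match -> deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        ok = ((not r["source-zone"] or src_zone in r["source-zone"]) and
              (not r["destination-zone"] or dst_zone in r["destination-zone"]) and
              (not r["source-address"] or any(src in n for n in r["source-address"])) and
              (not r["destination-address"] or any(dst in n for n in r["destination-address"])))
        if ok:
            return r["name"], r["action"]
    return None, "deny"
```

With these rules a flow from 192.168.2.0/24 to an address outside 192.168.1.0/24 and 192.168.3.0/24 (for example 80.1.1.1) matches nothing and is denied, which is why the later Internet-access rule drops the destination-address condition.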
4) OSPF special-area integration - stub
(1) FW1 configuration
ospf 1 router-id 91.1.1.1
area 0.0.0.1
stub
(2) R2 configuration
#View routes before configuration (external route)
display ip routing-table
192.168.3.0/24 O_ASE 150 1 D 10.2.2.91 GigabitEthernet0/0/0
ospf 1 router-id 2.2.2.2
area 0.0.0.1
stub
#View routes after configuration (the external route is no longer visible and a default route has been generated)
display ip routing-table
0.0.0.0/0 OSPF 10 2 D 10.2.2.91 GigabitEthernet0/0/0
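#What stub does: the ABR does not send OSPF O_ASE external routes into the stub area. External routes are routes learned by a non-OSPF process and imported into OSPF, or routes learned by a process other than the current OSPF process and imported into the current OSPF process. External routes are kept out of the stub area, and in their place the ABR sends a default route to the routers in the stub area
5) OSPF special-area integration - total stub
#View routes before configuration (route from another area)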
display ip routing-table
192.168.1.0/24 OSPF 10 3 D 10.2.2.91 GigabitEthernet0/0/0
(1) FW1 configuration
ospf 1 router-id 91.1.1.1
area 0.0.0.1
stub no-summary
(2) R2 configuration
ospf 1 router-id 2.2.2.2
area 0.0.0.1
stub no-summary
#View the routing table after configuration (no routes from other areas: the 192.168.1.0 route is gone)
0.0.0.0/0 OSPF 10 2 D 10.2.2.91 GigabitEthernet0/0/0
#Special areas: protect the routers in the special area from having to absorb too much routing information
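An added example (not from the original page): a Python model of what the ABR (FW1) lets into area 1 in the normal, stub and total stub (`stub no-summary`) cases described above, using the two prefixes from the page's routing-table output. The LSA list is constructed and the function names are hypothetical; the last function covers the failure mode where the two neighbors disagree on whether the area is a stub.

```python
# Constructed LSDB view at the ABR (FW1), using the prefixes shown on the page.
# type 3 = inter-area summary LSA, type 5 = AS-external LSA (shown as O_ASE).
BACKBONE_LSAS = [
    {"type": 3, "prefix": "192.168.1.0/24"},   # R1 LAN in area 0
    {"type": 5, "prefix": "192.168.3.0/24"},   # R3 LAN, imported from RIP on R1
]

def abr_flood_into_area(lsas, area_mode):
    """Return the LSAs that reach area 1 through the ABR.
    area_mode: 'normal', 'stub' (stub) or 'totally-stub' (stub no-summary)."""
    if area_mode not in ("normal", "stub", "totally-stub"):
        raise ValueError(area_mode)
    out = []
    for lsa in lsas:
        if lsa["type"] == 5 and area_mode != "normal":
            continue          # stub areas never receive AS-external LSAs
        if lsa["type"] == 3 and area_mode == "totally-stub":
            continue          # no-summary also suppresses inter-area summaries
        out.append(dict(lsa))
    if area_mode != "normal":
        out.append({"type": 3, "prefix": "0.0.0.0/0"})  # ABR injects a default route
    return out

def r2_route_table(lsas, area_mode):
    """Routes R2 learns via the ABR, labelled as in 'display ip routing-table'."""
    proto = {3: "OSPF", 5: "O_ASE"}
    return sorted((l["prefix"], proto[l["type"]]) for l in abr_flood_into_area(lsas, area_mode))

def hello_stub_flags_match(abr_mode, peer_mode):
    """Neighbors form an adjacency only if both agree the area is (or is not) a stub;
    no-summary matters on the ABR only, so 'stub' and 'totally-stub' are compatible."""
    return (abr_mode == "normal") == (peer_mode == "normal")
```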
6) OSPF non-special-area integration
(1) FW1 configuration
#Configure the security zone policy
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.2.0 mask 255.255.255.0
action permit
(2) R1 configuration
#Configure the ACL and bind it to the interface
acl number 2000
rule 10 permit source 192.168.1.0 0.0.0.255
rule 20 permit source 192.168.2.0 0.0.0.255
rule 30 permit source 192.168.3.0 0.0.0.255
interface GigabitEthernet1/0/0
nat outbound 2000
#Configure the default route
ip route-static 0.0.0.0 0.0.0.0 14.1.1.4
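#Configure default-route advertisement on R1: if the device currently has a default route of its own, it sends a default route to its other OSPF neighbors, so that those neighbor routers generate a default route whose next hop points to this device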
ospf 1 router-id 1.1.1.1
default-route-advertise
import-route rip 1
area 0.0.0.0
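#Whether or not the device currently has a default route of its own, it sends a default route to its other OSPF neighbors, so that those neighbor routers generate a default route whose next hop points to this device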
ospf 1 router-id 1.1.1.1
default-route-advertise always
#Connectivity test from PC1 and PC2 to server1
PC>ping 80.1.1.1
From 80.1.1.1: bytes=32 seq=1 ttl=251 time=15 ms
#R1 advertises the default route through RIP
rip 1
default-route originate
version 2
network 10.0.0.0
import-route ospf 1
#Connectivity test from PC3 to server1
PC>ping 80.1.1.1
From 80.1.1.1: bytes=32 seq=1 ttl=251 time=15 ms
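3. BGP integration
![Figure [5] - Chapter 4 Firewall single-node Layer 2 and Layer 3 deployment - 4.1 Routing integration](https://www.dsrw.com/wp-content/uploads/2023/09/图片69-1.png)
BGP - Border Gateway Protocol
Every router has an AS (autonomous system) number
AS numbers: public 1-64511 | private 64512-65535
Same AS number on both sides - internal BGP peering (IBGP)
Different AS numbers on both sides - external BGP peering (EBGP)
BGP cannot be enabled on an interface; neighbors must be configured manually
1) Configure BGP on FW1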
bgp 65001
peer 10.2.2.2 as-number 65002
2) Configure BGP on R2
bgp 65002
peer 10.2.2.91 as-number 65001
network 192.168.2.0 #advertise its own route
3) Import BGP into OSPF on FW1
ospf 1 router-id 91.1.1.1
import-route bgp
4) Import OSPF into BGP on FW1
bgp 65001
import-route ospf 1
5) Advertise the default route from FW1
bgp 65001
default-route imported #advertise the default route (imported from what was learned via OSPF) to the BGP neighbor