Off-path (bypass-mounted) firewall lab
- Open source code
- 2025-09-20 20:36:02

## Lab topology

(The topology diagram is not reproduced on this page.)

## Requirements

1. SW3 traffic
   - Normal: SW3 -> SW1_VRF -> FW1 -> SW1_Public -> R5
   - Failure: SW3 -> SW2_VRF -> FW2 -> SW2_Public -> R6
2. SW4 traffic
   - Normal: SW4 -> SW2_VRF -> FW2 -> SW2_Public -> R6
   - Failure: SW4 -> SW1_VRF -> FW1 -> SW1_Public -> R5
3. Load balancing across the switched network

(R5 and R6 in the requirements are the edge routers that the configuration below names R1 and R2.)

## Lab configuration

### Layer-2 access switching

Requirements:

- VLAN 2 -> SW3 is the gateway, SW4 is the backup
- VLAN 3 -> SW4 is the gateway, SW3 is the backup
- MSTP runs on SW3, SW4 and SW5 (the access switch SW5 is not shown)
  - Instance 1: VLAN 2
  - Instance 2: VLAN 3
  - SW3 is the primary root of instance 1 and the secondary root of instance 2; SW4 is the primary root of instance 2 and the secondary root of instance 1

IP address plan:

- SW3: VLAN 2 192.168.2.1/24, VLAN 3 192.168.3.1/24
- SW4: VLAN 2 192.168.2.2/24, VLAN 3 192.168.3.2/24
- Virtual IPs: VLAN 2 192.168.2.254/24, VLAN 3 192.168.3.254/24

The MSTP root and the VRRP master of each VLAN are placed on the same switch so that layer-2 forwarding and the layer-3 gateway agree. Note the arithmetic of the tracking: with priority 120 and `reduced 15` on each of the two uplinks, one uplink failure leaves the master at 105, still above the peer's default 100; only when both uplinks fail (120 - 15 - 15 = 90) does the gateway move to the peer, which is the intended behaviour because OSPF still has a path while one uplink is up.

SW3

```
[SW3]vlan batch 2 3
[SW3]interface GigabitEthernet 0/0/3
[SW3-GigabitEthernet0/0/3]port link-type trunk
[SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW3]interface GigabitEthernet 0/0/4
[SW3-GigabitEthernet0/0/4]port link-type trunk
[SW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW3]stp enable
[SW3]stp mode mstp
[SW3]stp region-configuration
[SW3-mst-region]region-name aa
[SW3-mst-region]instance 1 vlan 2                     ---map VLAN 2 to instance 1
[SW3-mst-region]instance 2 vlan 3                     ---map VLAN 3 to instance 2
[SW3-mst-region]active region-configuration           ---activate the region configuration
[SW3]stp instance 1 root primary                      ---SW3 is the primary root of instance 1
[SW3]stp instance 2 root secondary                    ---and the secondary root of instance 2
[SW3]stp instance 0 root primary                      ---primary root of instance 0 (unmapped VLANs)
[SW3]interface vlanif 2
[SW3-Vlanif2]ip address 192.168.2.1 24
[SW3-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254     ---virtual gateway address
[SW3-Vlanif2]vrrp vrid 1 priority 120                 ---SW3 is the VRRP master for VLAN 2
[SW3-Vlanif2]vrrp vrid 1 preempt-mode timer delay 20  ---preempt delay 20 s
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15   ---track the uplinks
[SW3-Vlanif2]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
[SW3]interface vlanif 3
[SW3-Vlanif3]ip address 192.168.3.1 24
[SW3-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254     ---backup for VLAN 3 (default priority 100)
```

SW4

```
[SW4]vlan batch 2 3
[SW4]interface GigabitEthernet 0/0/3
[SW4-GigabitEthernet0/0/3]port link-type trunk
[SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 2 3
[SW4]interface GigabitEthernet 0/0/4
```
```
[SW4-GigabitEthernet0/0/4]port link-type trunk
[SW4-GigabitEthernet0/0/4]port trunk allow-pass vlan 2 3
[SW4]stp enable
[SW4]stp mode mstp
[SW4]stp region-configuration                         ---enter the MST region view (missing from the transcript)
[SW4-mst-region]region-name aa                        ---same region name as SW3, otherwise the instances are not shared
[SW4-mst-region]instance 1 vlan 2
[SW4-mst-region]instance 2 vlan 3
[SW4-mst-region]active region-configuration
[SW4]stp instance 1 root secondary                    ---SW4 is the secondary root of instance 1
[SW4]stp instance 2 root primary                      ---and the primary root of instance 2
[SW4]stp instance 0 root secondary
[SW4]interface vlanif 2
[SW4-Vlanif2]ip address 192.168.2.2 24
[SW4-Vlanif2]vrrp vrid 1 virtual-ip 192.168.2.254     ---backup for VLAN 2 (default priority 100)
[SW4]interface vlanif 3
[SW4-Vlanif3]ip address 192.168.3.2 255.255.255.0
[SW4-Vlanif3]vrrp vrid 1 virtual-ip 192.168.3.254
[SW4-Vlanif3]vrrp vrid 1 priority 120                 ---SW4 is the VRRP master for VLAN 3
[SW4-Vlanif3]vrrp vrid 1 preempt-mode timer delay 20
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 15
[SW4-Vlanif3]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 15
```

### STP spanning tree

Check the spanning-tree state on each switch (`display stp brief`) and test connectivity between the devices (screenshots not reproduced).
### Core layer

SW3 and SW4 connect upstream to SW1 and SW2 over routed point-to-point VLANs (103/203 on SW3, 104/204 on SW4) and run OSPF process 1 with them. STP is disabled on those ports because they are routed links, and `silent-interface` stops OSPF hellos on the user VLANs so that a host on VLAN 2 or 3 cannot form an adjacency and inject routes.

SW3

```
[SW3]vlan batch 103 203
[SW3]interface GigabitEthernet 0/0/1                  ---to SW1 (missing from the transcript)
[SW3-GigabitEthernet0/0/1]port link-type access
[SW3-GigabitEthernet0/0/1]port default vlan 103
[SW3-GigabitEthernet0/0/1]undo stp enable
[SW3-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2   ---to SW2
[SW3-GigabitEthernet0/0/2]port link-type access
[SW3-GigabitEthernet0/0/2]port default vlan 203
[SW3-GigabitEthernet0/0/2]undo stp enable
[SW3]interface vlanif 103
[SW3-Vlanif103]ip address 10.10.3.3 24
[SW3]interface vlanif 203
[SW3-Vlanif203]ip address 10.20.3.3 24
[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0
[SW3-ospf-1-area-0.0.0.0]network 10.10.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.20.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.3.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]silent-interface vlanif 2    ---no OSPF hellos towards the user VLANs
[SW3-ospf-1-area-0.0.0.0]silent-interface vlanif 3
```

SW4

```
[SW4]vlan batch 104 204
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW4]interface GigabitEthernet 0/0/1                  ---to SW2
[SW4-GigabitEthernet0/0/1]port link-type access
[SW4-GigabitEthernet0/0/1]port default vlan 204
[SW4-GigabitEthernet0/0/1]undo stp enable
[SW4-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2   ---to SW1
[SW4-GigabitEthernet0/0/2]port link-type access
[SW4-GigabitEthernet0/0/2]port default vlan 104
[SW4-GigabitEthernet0/0/2]undo stp enable
[SW4-GigabitEthernet0/0/2]interface vlanif 104
[SW4-Vlanif104]ip address 10.10.4.4 24
[SW4-Vlanif104]interface vlanif 204
[SW4-Vlanif204]ip address 10.20.4.4 24
[SW4]ospf 1 router-id 4.4.4.4
[SW4-ospf-1]area 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.10.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 10.20.4.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.3.2 0.0.0.0
[SW4-ospf-1]silent-interface vlanif 2
[SW4-ospf-1]silent-interface vlanif 3
```

### Creating the VRF

The VRF splits SW1 and SW2 each into two logical routers: the VRF side connects to the downstream core switches and to the firewall's inside interfaces, the public (global) side connects to the firewall's outside interfaces and to the edge routers. On SW1, GE0/0/2, 5, 6 and 7 belong to the VRF. Because the two sides share no routing table, the only path between them is the static default route that points at the firewall's VRRP address, so traffic cannot skip the firewall even though both sides live on the same physical switch.
SW1

```
[SW1]ip vpn-instance VRF
[SW1-vpn-instance-VRF]route-distinguisher 100:1
[SW1-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both
```

SW2

```
[SW2]ip vpn-instance VRF
[SW2-vpn-instance-VRF]route-distinguisher 100:1
[SW2-vpn-instance-VRF-af-ipv4]vpn-target 100:1 both
```

### VLAN configuration
SW1

```
[SW1]vlan batch 102 103 104
[SW1]interface GigabitEthernet 0/0/6                  ---to SW3
[SW1-GigabitEthernet0/0/6]port link-type access
[SW1-GigabitEthernet0/0/6]port default vlan 103
[SW1-GigabitEthernet0/0/6]undo stp enable
[SW1]interface GigabitEthernet 0/0/5                  ---to SW2 (VRF side)
[SW1-GigabitEthernet0/0/5]port link-type trunk
[SW1-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW1-GigabitEthernet0/0/5]undo stp enable
[SW1-GigabitEthernet0/0/5]interface GigabitEthernet 0/0/7   ---to SW4
[SW1-GigabitEthernet0/0/7]port link-type access
[SW1-GigabitEthernet0/0/7]port default vlan 104
[SW1-GigabitEthernet0/0/7]undo stp enable
```

SW2

```
[SW2]vlan batch 102 203 204
[SW2]interface GigabitEthernet 0/0/5                  ---to SW1 (VRF side)
[SW2-GigabitEthernet0/0/5]port link-type trunk
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 102
[SW2-GigabitEthernet0/0/5]undo port trunk allow-pass vlan 1
[SW2-GigabitEthernet0/0/5]undo stp enable
[SW2]interface GigabitEthernet 0/0/6                  ---to SW4
[SW2-GigabitEthernet0/0/6]port link-type access
[SW2-GigabitEthernet0/0/6]port default vlan 204       ---missing from the transcript; SW4 GE0/0/1 is in VLAN 204
[SW2-GigabitEthernet0/0/6]undo stp enable
[SW2-GigabitEthernet0/0/6]interface GigabitEthernet 0/0/7   ---to SW3
[SW2-GigabitEthernet0/0/7]port link-type access
[SW2-GigabitEthernet0/0/7]port default vlan 203
[SW2-GigabitEthernet0/0/7]undo stp enable
```

### Creating the VLANIF interfaces

SW1

```
[SW1]interface Vlanif 102
[SW1-Vlanif102]ip binding vpn-instance VRF            ---bind to the VRF before assigning the address
[SW1-Vlanif102]ip address 10.10.2.1 24
[SW1]interface Vlanif 103
[SW1-Vlanif103]ip binding vpn-instance VRF
[SW1-Vlanif103]ip address 10.10.3.1 24
[SW1]interface Vlanif 104
[SW1-Vlanif104]ip binding vpn-instance VRF
[SW1-Vlanif104]ip address 10.10.4.1 24
```

SW2

```
[SW2]interface Vlanif 102
[SW2-Vlanif102]ip binding vpn-instance VRF
[SW2-Vlanif102]ip address 10.10.2.2 24                ---the transcript shows 10.20.2.2, which is not in SW1's 10.10.2.0/24; the OSPF network statement below uses 10.10.2.2
[SW2]interface Vlanif 203
[SW2-Vlanif203]ip binding vpn-instance VRF
[SW2-Vlanif203]ip address 10.20.3.2 24
[SW2]interface Vlanif 204
[SW2-Vlanif204]ip binding vpn-instance VRF
[SW2-Vlanif204]ip address 10.20.4.2 24
```

Test connectivity inside the VRF (for example `ping -vpn-instance VRF 10.10.3.3` from SW1).
### OSPF inside the VRF

```
[SW1]ospf 1 router-id 1.1.1.1 vpn-instance VRF
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 10.10.2.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.3.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.10.4.1 0.0.0.0
[SW1-ospf-1]default-route-advertise                   ---advertise the VRF default route (the static route towards the firewall, configured later)
[SW2]ospf 1 router-id 2.2.2.2 vpn-instance VRF
[SW2-ospf-1]area 0
[SW2-ospf-1-area-0.0.0.0]network 10.10.2.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.3.2 0.0.0.0
[SW2-ospf-1-area-0.0.0.0]network 10.20.4.2 0.0.0.0
[SW2-ospf-1]default-route-advertise                   ---not in the transcript; without it SW4 learns a default route only from SW1 and the "SW4 -> SW2_VRF -> FW2" requirement is not met
```

Because the requirements state that "SW3 is the primary root of instance 1 and the secondary root of instance 2; SW4 is the primary root of instance 2 and the secondary root of instance 1", the interface costs are adjusted so that the two uplinks of each core switch do not become equal-cost routes (the lower the cost, the more preferred the path). SW3's link to SW2 (Vlanif 203) gets cost 5 so SW3 prefers SW1; SW4's link to SW1 (Vlanif 104) gets cost 5 so SW4 prefers SW2. The `network` statements for VLAN 2 and 3 are removed and the two prefixes are instead imported as direct routes through a route-policy that adds cost 5 to the VLAN for which the switch is only the backup gateway, so return traffic enters through the VRRP master of that VLAN.

```
[SW3]interface vlanif 203
[SW3-Vlanif203]ospf cost 5                            ---SW3 -> SW2 is the backup uplink
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.2.1 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]undo network 192.168.3.1 0.0.0.0
[SW4]interface vlanif 104
[SW4-Vlanif104]ospf cost 5                            ---SW4 -> SW1 is the backup uplink
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.2.2 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]undo network 192.168.3.2 0.0.0.0
```

### Route policy

SW3

```
[SW3]ip ip-prefix aa permit 192.168.2.0 24
[SW3]ip ip-prefix bb permit 192.168.3.0 24
[SW3]route-policy bb permit node 10
[SW3-route-policy]if-match ip-prefix bb
[SW3-route-policy]apply cost 5                        ---SW3 is only the backup gateway of VLAN 3
[SW3]route-policy bb permit node 20
[SW3-route-policy]if-match ip-prefix aa
[SW3]ospf 1
[SW3-ospf-1]import-route direct route-policy bb       ---only the two prefixes matched by the policy are imported
```

SW4

```
[SW4]ip ip-prefix aa permit 192.168.2.0 24
[SW4]ip ip-prefix bb permit 192.168.3.0 24
[SW4]route-policy aa permit node 10
Info: New Sequence of this List.
[SW4-route-policy]if-match ip-prefix aa
[SW4-route-policy]apply cost 5                        ---SW4 is only the backup gateway of VLAN 2
[SW4-route-policy]route-policy aa permit node 20
Info: New Sequence of this List.
[SW4-route-policy]if-match ip-prefix bb
[SW4]ospf 1
[SW4-ospf-1]import-route direct route-policy aa
```

### Comparison after traffic steering

(Routing-table screenshots not reproduced.)

## Interaction between the switches and the firewalls
### VRF-side configuration

VLANs 401 and 402 connect the VRF side of SW1/SW2 to the inside (trust) interfaces of FW1/FW2. The switches run VRRP towards the firewalls (10.40.1.100 and 10.40.2.100) and the firewalls run VRRP towards the switches (10.40.1.200 and 10.40.2.200, configured in the HRP section below). The VRID of a group must be identical on both switches: the transcript as posted used vrid 2 on SW2 Vlanif 401 and vrid 4 on SW2 Vlanif 403 where SW1 used vrid 1 and 3, which makes both switches master of their own group for the same virtual IP; the values below are corrected.

SW1

```
[SW1]vlan batch 401 402
[SW1]interface GigabitEthernet 0/0/2                  ---to FW1 inside
[SW1-GigabitEthernet0/0/2]port link-type trunk
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 401 402
[SW1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/5   ---to SW2, carries the VRRP VLANs as well
[SW1-GigabitEthernet0/0/5]port link-type trunk
[SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW1]interface Vlanif 401
[SW1-Vlanif401]ip binding vpn-instance VRF
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif401]vrrp vrid 1 priority 120               ---SW1 is master for VLAN 401
[SW1-Vlanif401]vrrp vrid 1 preempt-mode timer delay 60
[SW1-Vlanif401]vrrp vrid 1 track interface GigabitEthernet 0/0/2 reduced 30
[SW1]interface Vlanif 402
[SW1-Vlanif402]ip binding vpn-instance VRF
[SW1-Vlanif402]ip address 10.40.2.1 24
[SW1-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100     ---backup for VLAN 402
```

SW2

```
[SW2]vlan batch 401 402
[SW2]interface GigabitEthernet 0/0/3                  ---to FW2 inside
[SW2-GigabitEthernet0/0/3]port link-type trunk
[SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 401 402
[SW2-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/5
[SW2-GigabitEthernet0/0/5]port link-type trunk
[SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 401 402
[SW2]interface Vlanif 401
[SW2-Vlanif401]ip binding vpn-instance VRF
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100     ---same VRID as SW1 (transcript had vrid 2)
[SW2]interface Vlanif 402
[SW2-Vlanif402]ip binding vpn-instance VRF
[SW2-Vlanif402]ip address 10.40.2.2 24
[SW2-Vlanif402]vrrp vrid 2 virtual-ip 10.40.2.100
[SW2-Vlanif402]vrrp vrid 2 priority 120               ---SW2 is master for VLAN 402
[SW2-Vlanif402]vrrp vrid 2 preempt-mode timer delay 60
[SW2-Vlanif402]vrrp vrid 2 track interface GigabitEthernet 0/0/3 reduced 30
```

FW1

```
[FW1]interface GigabitEthernet 1/0/0                  ---HRP heartbeat link to FW2
[FW1-GigabitEthernet1/0/0]ip address 10.10.10.1 30
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1.401   ---inside, towards the VRF side
[FW1-GigabitEthernet1/0/1.401]ip address 10.40.1.10 24
[FW1-GigabitEthernet1/0/1.401]vlan-type dot1q 401
[FW1-GigabitEthernet1/0/1.401]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]ip address 10.40.2.10 24
[FW1-GigabitEthernet1/0/1.402]vlan-type dot1q 402
[FW1-GigabitEthernet1/0/1.402]interface GigabitEthernet 1/0/2.403   ---outside, towards the Public side
[FW1-GigabitEthernet1/0/2.403]ip address 10.40.3.10 24
[FW1-GigabitEthernet1/0/2.403]vlan-type dot1q 403
[FW1-GigabitEthernet1/0/2.403]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]ip address 10.40.4.10 24
[FW1-GigabitEthernet1/0/2.404]vlan-type dot1q 404
```

FW2

```
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]ip address 10.10.10.2 30
[FW2-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/2.401   ---inside (note: GE1/0/2 on FW2, GE1/0/1 on FW1)
[FW2-GigabitEthernet1/0/2.401]ip address 10.40.1.20 24
[FW2-GigabitEthernet1/0/2.401]vlan-type dot1q 401
[FW2-GigabitEthernet1/0/2.401]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]ip address 10.40.2.20 24
[FW2-GigabitEthernet1/0/2.402]vlan-type dot1q 402
[FW2-GigabitEthernet1/0/2.402]interface GigabitEthernet 1/0/1.403   ---outside
[FW2-GigabitEthernet1/0/1.403]ip address 10.40.3.20 24
[FW2-GigabitEthernet1/0/1.403]vlan-type dot1q 403
[FW2-GigabitEthernet1/0/1.403]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]ip address 10.40.4.20 24
[FW2-GigabitEthernet1/0/1.404]vlan-type dot1q 404
```

### Security zone planning

The inside subinterfaces go to trust, the outside subinterfaces to untrust, and the heartbeat interface to dmz. Interfaces that are not in a zone do not forward traffic on the USG, so every subinterface must be assigned.

FW1

```
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.401
[FW1-zone-trust]add interface GigabitEthernet 1/0/1.402
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.403
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2.404
[FW1-zone-untrust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/0
```

FW2

```
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.401
[FW2-zone-trust]add interface GigabitEthernet 1/0/2.402
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.403
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1.404
[FW2-zone-untrust]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/0
```

### Public side of SW1/SW2

VLANs 403 and 404 connect the outside (untrust) interfaces of the firewalls to the global routing table of SW1/SW2. These VLANIFs are deliberately not bound to the VRF.

SW1

```
[SW1]vlan batch 403 404                               ---missing from the transcript; the VLANs must exist before the VLANIFs
[SW1]interface GigabitEthernet 0/0/3                  ---to FW1 outside
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 403 404
[SW1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4   ---to SW2, Public side
[SW1-GigabitEthernet0/0/4]port link-type trunk
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW1-GigabitEthernet0/0/4]interface Vlanif 403
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW1-Vlanif403]vrrp vrid 3 priority 120               ---SW1 is master for VLAN 403
[SW1-Vlanif403]vrrp vrid 3 preempt-mode timer delay 60
[SW1-Vlanif403]vrrp vrid 3 track interface GigabitEthernet 0/0/3 reduced 30
[SW1-Vlanif403]interface Vlanif 404
[SW1-Vlanif404]ip address 10.40.4.1 24
[SW1-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100     ---backup for VLAN 404
```

SW2

```
[SW2]vlan batch 403 404
[SW2]interface GigabitEthernet 0/0/2                  ---to FW2 outside
[SW2-GigabitEthernet0/0/2]port link-type trunk
[SW2-GigabitEthernet0/0/2]port trunk allow-pass vlan 403 404
[SW2-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port link-type trunk
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 403 404
[SW2-GigabitEthernet0/0/4]interface Vlanif 403
[SW2-Vlanif403]ip address 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100     ---same VRID as SW1 (transcript had vrid 4)
[SW2-Vlanif403]interface Vlanif 404
[SW2-Vlanif404]ip address 10.40.4.2 24
[SW2-Vlanif404]vrrp vrid 4 virtual-ip 10.40.4.100
[SW2-Vlanif404]vrrp vrid 4 priority 120               ---SW2 is master for VLAN 404
[SW2-Vlanif404]vrrp vrid 4 preempt-mode timer delay 60
[SW2-Vlanif404]vrrp vrid 4 track interface GigabitEthernet 0/0/2 reduced 30
```

### Static routes between the two sides of the switches

The VRF side sends everything it does not know (default route) to the firewall's inside VRRP address, and the Public side sends the internal 192.168.0.0/16 range to the firewall's outside VRRP address. Each side has a primary route at the default preference (60) pointing at the firewall that is normally active on that switch, and a floating backup at preference 70 pointing at the other firewall's VRRP group. These are the only routes that cross from one side to the other, which is what forces all traffic through a firewall.

```
SW1, uplink (VRF -> firewall):
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200
[SW1]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200 preference 70
SW1, downlink (Public -> firewall):
[SW1]ip route-static 192.168.0.0 16 10.40.3.200
[SW1]ip route-static 192.168.0.0 16 10.40.4.200 preference 70
SW2, uplink:
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.2.200
[SW2]ip route-static vpn-instance VRF 0.0.0.0 0 10.40.1.200 preference 70
SW2, downlink:
[SW2]ip route-static 192.168.0.0 16 10.40.4.200
[SW2]ip route-static 192.168.0.0 16 10.40.3.200 preference 70
```
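The VRRP configuration above is spread across four switches and eight VLANIFs, and the easiest mistakes to make are a virtual IP outside the interface subnet and a VRID that differs between the two peers of a group (the transcript as originally posted had SW2 using a different VRID than SW1 on VLANs 401 and 403; both switches then become master of their own group and answer for the same address). The following checker is an added example, not part of the original lab write-up: it parses Huawei VRP-style CLI lines of the form `[device-view]command`, collects the address and VRRP groups of each VLANIF, and reports both problems. The sample lines are constructed from the SW1/SW2 configuration on this page and reproduce the VLAN 403 mismatch.

```python
"""Consistency checker for the VRRP configuration of a switch pair (added example).

Parses Huawei VRP CLI transcripts (prompt + command), records each Vlanif's
address and VRRP groups, and reports
  - a virtual IP that is not inside the interface's subnet, and
  - a virtual IP whose VRID differs between the devices that configure it.
"""
import ipaddress
import re
from collections import defaultdict

# "[SW2-Vlanif403]ip address 10.40.3.2 24", optionally prefixed by an HRP_M/HRP_S marker.
PROMPT_RE = re.compile(r"^(?:HRP_[MS])?\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\](?P<cmd>.*)$")


def mask_to_prefixlen(mask):
    """VRP accepts both a prefix length ('24') and a dotted mask ('255.255.255.0')."""
    if mask.isdigit():
        return int(mask)
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def parse_vrp(lines):
    """Return {device: {vlanif: {"ip": "a.b.c.d/len" | None, "vrrp": {vrid: vip}}}}."""
    cfg = defaultdict(lambda: defaultdict(lambda: {"ip": None, "vrrp": {}}))
    for raw in lines:
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        dev, view, cmd = m.group("dev"), m.group("view"), m.group("cmd").split()
        if not view or not view.startswith("Vlanif") or not cmd:
            continue  # only interface views of VLANIFs matter here
        iface = cfg[dev][view]
        # "ip address"/"ip add" <addr> <mask>
        if cmd[0] == "ip" and len(cmd) >= 4 and "address".startswith(cmd[1]):
            iface["ip"] = f"{cmd[2]}/{mask_to_prefixlen(cmd[3])}"
        # "vrrp vrid <n> virtual-ip <vip>"
        elif cmd[0] == "vrrp" and len(cmd) >= 5 and cmd[1] == "vrid" and "virtual-ip" in cmd:
            iface["vrrp"][int(cmd[2])] = cmd[cmd.index("virtual-ip") + 1]
    return cfg


def check_vrrp(cfg):
    """Return a sorted list of findings; an empty list means the pair is consistent."""
    findings = []
    by_vip = defaultdict(set)  # vip -> {(device, vrid)}
    for dev, ifaces in cfg.items():
        for name, data in ifaces.items():
            if data["ip"] is None:
                continue
            net = ipaddress.ip_interface(data["ip"]).network
            for vrid, vip in data["vrrp"].items():
                by_vip[vip].add((dev, vrid))
                if ipaddress.ip_address(vip) not in net:
                    findings.append(f"{dev} {name}: virtual IP {vip} not in {net}")
    for vip, members in by_vip.items():
        if len({vrid for _, vrid in members}) > 1:
            who = ", ".join(f"{d} vrid {v}" for d, v in sorted(members))
            findings.append(f"VIP {vip}: VRID mismatch between peers ({who})")
    return sorted(findings)


# Constructed sample taken from the SW1/SW2 lines on this page; SW2 Vlanif403
# uses vrid 4 where SW1 uses vrid 3.
SAMPLE = """
[SW1-Vlanif401]ip address 10.40.1.1 24
[SW1-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW2-Vlanif401]ip address 10.40.1.2 24
[SW2-Vlanif401]vrrp vrid 1 virtual-ip 10.40.1.100
[SW1-Vlanif403]ip address 10.40.3.1 24
[SW1-Vlanif403]vrrp vrid 3 virtual-ip 10.40.3.100
[SW2-Vlanif403]ip add 10.40.3.2 24
[SW2-Vlanif403]vrrp vrid 4 virtual-ip 10.40.3.100
""".splitlines()

if __name__ == "__main__":
    for finding in check_vrrp(parse_vrp(SAMPLE)):
        print(finding)
```

Feed it the saved `display current-configuration` of both switches (or the transcript of a lab session) and an empty result means every virtual IP belongs to its subnet and both peers agree on the VRID; the HRP prompt prefix is accepted so firewall transcripts can be checked with the same parser if their VRRP interfaces are VLANIFs.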
The firewall's GE1/0/1 and GE1/0/2 must be brought up (`undo shutdown`) before the subinterfaces and VRRP groups on them can come up.
### Firewall hot standby (HRP)

Each firewall is VRRP active on the groups that face "its" switch (FW1: 401 and 403, FW2: 402 and 404) and standby on the other two, which gives an active/active pair in which SW1's traffic goes through FW1 and SW2's through FW2. The heartbeat link GE1/0/0 (10.10.10.0/30, dmz zone) carries session and configuration synchronisation and should stay a dedicated back-to-back link. Routing is not backed up by HRP, so the static routes are entered on both firewalls; the security policy is backed up, which the `(+B)` suffix in the prompt indicates.

FW1

```
Downlink (towards the VRF side):
[FW1]interface GigabitEthernet 1/0/1.401
[FW1-GigabitEthernet1/0/1.401]vrrp vrid 5 virtual-ip 10.40.1.200 active
[FW1-GigabitEthernet1/0/1.401]interface GigabitEthernet 1/0/1.402
[FW1-GigabitEthernet1/0/1.402]vrrp vrid 6 virtual-ip 10.40.2.200 standby
Uplink (towards the Public side):
[FW1]interface GigabitEthernet 1/0/2.403
[FW1-GigabitEthernet1/0/2.403]vrrp vrid 7 virtual-ip 10.40.3.200 active
[FW1-GigabitEthernet1/0/2.403]interface GigabitEthernet 1/0/2.404
[FW1-GigabitEthernet1/0/2.404]vrrp vrid 8 virtual-ip 10.40.4.200 standby
[FW1]hrp mirror session enable                        ---mirror sessions so the peer can take over established flows
[FW1]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.2
[FW1]hrp enable
Uplink routes:
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.3.100
HRP_S[FW1]ip route-static 0.0.0.0 0 10.40.4.100 preference 70
Downlink routes:
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.1.100
HRP_S[FW1]ip route-static 192.168.0.0 16 10.40.2.100 preference 70
```

FW2

```
Downlink:
[FW2]interface GigabitEthernet 1/0/2.401
[FW2-GigabitEthernet1/0/2.401]vrrp vrid 5 virtual-ip 10.40.1.200 standby
[FW2-GigabitEthernet1/0/2.401]interface GigabitEthernet 1/0/2.402
[FW2-GigabitEthernet1/0/2.402]vrrp vrid 6 virtual-ip 10.40.2.200 active
Uplink:
[FW2]interface GigabitEthernet 1/0/1.403
[FW2-GigabitEthernet1/0/1.403]vrrp vrid 7 virtual-ip 10.40.3.200 standby
[FW2-GigabitEthernet1/0/1.403]interface GigabitEthernet 1/0/1.404
[FW2-GigabitEthernet1/0/1.404]vrrp vrid 8 virtual-ip 10.40.4.200 active
[FW2]hrp mirror session enable
[FW2]hrp interface GigabitEthernet 1/0/0 remote 10.10.10.1
[FW2]hrp enable
FW2 uplink routes:
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.4.100
HRP_S[FW2]ip route-static 0.0.0.0 0 10.40.3.100 preference 70
FW2 downlink routes:
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.2.100
HRP_S[FW2]ip route-static 192.168.0.0 16 10.40.1.100 preference 70
```

### Security policy

A single rule permits the internal range from trust to untrust. Return traffic is matched by the session table, and because no rule exists in the other direction, anything initiated from untrust is still denied by the default policy.

```
HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name trust_to_untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]source-address 192.168.0.0 16 (+B)
HRP_M[FW1-policy-security-rule-trust_to_untrust]action permit (+B)
```

Check on FW2 that the security policy has been synchronised (`display security-policy rule all`).
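The static routes on the switches (both sides) and on the firewalls above form a chain whose next hops are all VRRP virtual IPs, so which physical box a packet visits depends on which peer currently owns each VIP. The model below is an added example, not part of the original write-up: it encodes those routes with their preferences (VRP default 60, floating backup 70), the master/backup pair behind every VIP, and a `trace_path()` that does longest-prefix match, prefers the lowest preference among routes whose next-hop VIP still has a live owner, and follows the chain hop by hop. It lets you check the normal and failure paths from the requirements, and that the forward and return paths hit the same firewall (otherwise stateful inspection drops the return traffic). Device names such as `SW1_VRF`, the "exit" hops `R1`, `R2` and `SW3` (reached by OSPF rather than by statics) and the failure scenarios are modelling assumptions.

```python
"""Floating-static-route / VRRP path model for the off-path firewall lab (added example)."""
import ipaddress

# (prefix, next hop, preference) per device, copied from the static routes on this page.
# Routes the lab learns via OSPF are modelled as a route towards an exit device.
ROUTES = {
    "SW1_VRF":    [("0.0.0.0/0", "10.40.1.200", 60), ("0.0.0.0/0", "10.40.2.200", 70),
                   ("192.168.0.0/16", "SW3", 60)],
    "SW2_VRF":    [("0.0.0.0/0", "10.40.2.200", 60), ("0.0.0.0/0", "10.40.1.200", 70),
                   ("192.168.0.0/16", "SW3", 60)],
    "FW1":        [("0.0.0.0/0", "10.40.3.100", 60), ("0.0.0.0/0", "10.40.4.100", 70),
                   ("192.168.0.0/16", "10.40.1.100", 60), ("192.168.0.0/16", "10.40.2.100", 70)],
    "FW2":        [("0.0.0.0/0", "10.40.4.100", 60), ("0.0.0.0/0", "10.40.3.100", 70),
                   ("192.168.0.0/16", "10.40.2.100", 60), ("192.168.0.0/16", "10.40.1.100", 70)],
    "SW1_Public": [("192.168.0.0/16", "10.40.3.200", 60), ("192.168.0.0/16", "10.40.4.200", 70),
                   ("0.0.0.0/0", "R1", 60)],
    "SW2_Public": [("192.168.0.0/16", "10.40.4.200", 60), ("192.168.0.0/16", "10.40.3.200", 70),
                   ("0.0.0.0/0", "R2", 60)],
}
EXITS = {"R1", "R2", "SW3"}  # hops outside the modelled static-route chain (assumption)

# VRRP groups as (master, backup): the VIP moves to the backup when the master is down.
VIP_PAIRS = {
    "10.40.1.200": ("FW1", "FW2"), "10.40.2.200": ("FW2", "FW1"),
    "10.40.3.200": ("FW1", "FW2"), "10.40.4.200": ("FW2", "FW1"),
    "10.40.1.100": ("SW1_VRF", "SW2_VRF"), "10.40.2.100": ("SW2_VRF", "SW1_VRF"),
    "10.40.3.100": ("SW1_Public", "SW2_Public"), "10.40.4.100": ("SW2_Public", "SW1_Public"),
}


def vip_owner(vip, failed):
    """Live device currently answering for this VIP, or None if both peers are down."""
    for dev in VIP_PAIRS[vip]:
        if dev not in failed:
            return dev
    return None


def select_next_hop(device, dst, failed):
    """Longest-prefix match, then lowest preference, over routes with a usable next hop."""
    addr = ipaddress.ip_address(dst)
    usable = []
    for prefix, nh, pref in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        # A VIP next hop is usable while some live device owns it (modelling simplification).
        if nh in EXITS or vip_owner(nh, failed) is not None:
            usable.append((-net.prefixlen, pref, nh))
    return min(usable)[2] if usable else None


def trace_path(start, dst, failed=frozenset(), max_hops=8):
    """Follow next hops from `start` until an exit device is reached."""
    path, device = [start], start
    for _ in range(max_hops):
        nh = select_next_hop(device, dst, failed)
        if nh is None:
            return path + ["UNREACHABLE"]
        if nh in EXITS:
            return path + [nh]
        device = vip_owner(nh, failed)
        path.append(device)
    return path + ["LOOP"]


def same_firewall(forward, reverse):
    """Stateful inspection only works if both directions traverse the same single firewall."""
    fw_fwd = {d for d in forward if d.startswith("FW")}
    fw_rev = {d for d in reverse if d.startswith("FW")}
    return fw_fwd == fw_rev and len(fw_fwd) == 1


if __name__ == "__main__":
    print("SW3 normal        :", trace_path("SW1_VRF", "100.1.1.1"))
    print("SW3 return        :", trace_path("SW1_Public", "192.168.2.10"))
    print("SW3 with SW1 down :", trace_path("SW2_VRF", "100.1.1.1", {"SW1_VRF", "SW1_Public"}))
    print("SW3 with FW1 down :", trace_path("SW1_VRF", "100.1.1.1", {"FW1"}))
```

The interesting result is the FW1-down case: SW1's preference-60 default route stays in place because the VIP 10.40.1.200 simply moves to FW2, and FW2 then uses its own primary uplink towards SW2_Public and R2. The preference-70 routes are only consulted when a VIP has no owner at all, which is also why the model reports `UNREACHABLE` when both firewalls are down: there is no path that avoids the firewalls, by design.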
## Core to edge

Plan:

- SW1-SW2: VLAN 12, 10.12.1.0/24
- SW1-R1: VLAN 11, 10.11.1.0/24
- SW2-R2: VLAN 22, 10.22.2.0/24
- R1-R2: 10.12.2.0/24
- OSPF: on SW1/SW2 this runs as process 2, to keep it separate from process 1, which is bound to the VRF. Router IDs: SW1 1.1.1.1, SW2 2.2.2.2, R1 3.3.3.3, R2 4.4.4.4

SW1

```
[SW1]vlan batch 11 12
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]interface GigabitEthernet 0/0/1                  ---to R1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 11
[SW1-GigabitEthernet0/0/1]undo stp enable
[SW1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/4   ---to SW2, already a trunk for VLANs 403/404
[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW1-GigabitEthernet0/0/4]undo stp enable
[SW1-GigabitEthernet0/0/4]interface Vlanif 11
[SW1-Vlanif11]ip address 10.11.1.1 24
[SW1-Vlanif11]interface Vlanif 12
[SW1-Vlanif12]ip address 10.12.1.1 24
[SW1]ospf 2 router-id 1.1.1.1
[SW1-ospf-2]area 0
[SW1-ospf-2-area-0.0.0.0]network 10.11.1.1 0.0.0.0
[SW1-ospf-2-area-0.0.0.0]network 10.12.1.1 0.0.0.0
```

SW2

```
[SW2]vlan batch 12 22
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW2]interface GigabitEthernet 0/0/1                  ---to R2
[SW2-GigabitEthernet0/0/1]port link-type access
[SW2-GigabitEthernet0/0/1]port default vlan 22
[SW2-GigabitEthernet0/0/1]undo stp enable
[SW2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/4
[SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 12
[SW2-GigabitEthernet0/0/4]undo stp enable
[SW2-GigabitEthernet0/0/4]interface Vlanif 12
[SW2-Vlanif12]ip address 10.12.1.2 24
[SW2-Vlanif12]interface Vlanif 22
[SW2-Vlanif22]ip address 10.22.2.1 24
[SW2]ospf 2 router-id 2.2.2.2
[SW2-ospf-2]area 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]network 10.12.1.2 0.0.0.0
[SW2-ospf-2-area-0.0.0.0]network 10.22.2.1 0.0.0.0
```

R1

```
[R1]interface GigabitEthernet 0/0/0                   ---to SW1 (missing from the transcript)
[R1-GigabitEthernet0/0/0]ip address 10.11.1.2 24
[R1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1   ---to R2
[R1-GigabitEthernet0/0/1]ip address 10.12.2.1 24
[R1]ospf 1 router-id 3.3.3.3
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.11.1.2 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.12.2.1 0.0.0.0
```

R2

```
[R2]interface GigabitEthernet 0/0/0                   ---to SW2
[R2-GigabitEthernet0/0/0]ip address 10.22.2.2 24
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1   ---to R1
[R2-GigabitEthernet0/0/1]ip address 10.12.2.2 24     ---the transcript shows mask 14; R1's side is /24
[R2]ospf 1 router-id 4.4.4.4
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.22.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.12.2.2 0.0.0.0
```

### Outermost network

R1 and R2 each have a default route to the ISP, advertise it into OSPF, and translate the internal 192.168.0.0/16 range with Easy IP on the ISP-facing interface. The NAT ACL only matches the internal range, so nothing else is translated, and the routers need a route to 192.168.0.0/16 for the return traffic, which they learn from SW1/SW2 in the next step.

R1

```
[R1]interface GigabitEthernet 0/0/2                   ---to ISP
[R1-GigabitEthernet0/0/2]ip address 12.0.0.1 24
[R1-GigabitEthernet0/0/2]ip route-static 0.0.0.0 0 12.0.0.100
[R1]ospf 1
[R1-ospf-1]default-route-advertise                    ---announce the default route to SW1/SW2
[R1]acl 2000
[R1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R1-acl-basic-2000]interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2]nat outbound 2000           ---Easy IP for the internal range
```

R2

```
[R2]interface GigabitEthernet 0/0/2                   ---to ISP
[R2-GigabitEthernet0/0/2]ip address 13.0.0.1 24
[R2-GigabitEthernet0/0/2]ip route-static 0.0.0.0 0 13.0.0.100
[R2]ospf 1
[R2-ospf-1]default-route-advertise
[R2-ospf-1]acl 2000
[R2-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[R2-acl-basic-2000]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]nat outbound 2000
```

ISP

```
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 12.0.0.100 24
[ISP-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 13.0.0.100 24
[ISP-GigabitEthernet0/0/1]interface LoopBack 0
[ISP-LoopBack0]ip address 100.1.1.1 24                ---test target
```

Import the static routes into OSPF process 2 on SW1 and SW2 so that R1 and R2 learn the 192.168.0.0/16 route (its next hop is the firewall's outside VRRP address):
```
[SW1-ospf-2]import-route static                       ---the transcript shows ospf-1, the VRF process; the text says process 2, which is the one R1 learns from
[SW2-ospf-2]import-route static
```

## Tests

Under normal conditions SW1 and SW2 can ping the ISP (100.1.1.1). After shutting down an interface on the primary path, the ping still succeeds over the backup path (screenshots not reproduced).