Goal of this article: a Huawei firewall hot-standby pair (HRP), dual-ISP uplinks (China Telecom and China Unicom) with fixed IP addresses, and VRRP on Huawei core switches.
To protect the customer's privacy, the Telecom and Unicom IP addresses used here are fictitious; any resemblance to real addresses is coincidental.
The real topology is shown below. Both Telecom and Unicom handed over /29 subnets; with /30 subnets this way of connecting would probably not work, because a /30 has only two usable addresses (the ISP gateway and a single firewall), whereas a /29 lets both firewalls sit on the same ISP segment.
The configuration was reproduced afterwards in the simulator. Note that AR3 and the two switches below it only simulate the ISP access; in the real environment they are just two optical modems (ONTs).
I. Configuring the devices that simulate ISP access
1. Router (AR3) configuration:
Configure an IP address on each interface and advertise them into OSPF. LoopBack0 (3.3.3.3) stands in for "the Internet" and is the address the LAN hosts will reach during the failover tests.
interface GigabitEthernet0/0/0
ip address 33.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 34.1.1.3 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 33.1.1.3 0.0.0.0
network 34.1.1.3 0.0.0.0
#
2. Switch SW3 configuration (simulated Telecom access):
Create the VLANs, assign IP addresses, and advertise them into OSPF. Vlanif222 (222.92.76.0/24, gateway .1) plays the part of the Telecom-assigned public subnet; the two access ports in VLAN 222 take the two firewalls' Telecom uplinks, and GE0/0/3 in VLAN 33 goes to AR3.
vlan batch 33 130 222
#
interface Vlanif33
ip address 33.1.1.1 255.255.255.0
#
interface Vlanif222
ip address 222.92.76.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 222
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 222
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 33
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 222.92.76.1 0.0.0.0
network 33.1.1.1 0.0.0.0
#
3. Switch SW4 configuration (simulated Unicom access):
Same pattern as SW3: Vlanif130 (130.1.1.0/24, gateway .1) plays the part of the Unicom public subnet, the two access ports in VLAN 130 take the firewalls' Unicom uplinks, and GE0/0/3 in VLAN 34 goes to AR3.
vlan batch 34 130
#
interface Vlanif34
ip address 34.1.1.4 255.255.255.0
#
interface Vlanif130
ip address 130.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 130
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 130
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 34
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 130.1.1.1 0.0.0.0
network 34.1.1.4 0.0.0.0
#
II. Firewall configuration
FW1's configuration is used as the example.
1. Configure the IP address of each interface
2. Configure the NAT policies
Telecom NAT policy:
Unicom NAT policy:
3. Configure the Internet-access security policy:
4. Configure IP-Link (it can also be created in passing while adding the default routes)
5. Configure the default routes
One default route each for Telecom and Unicom.
6. Configure the return routes towards the LAN
7. Configure FW2; the process is omitted, the method is the same as above.
8. Configure hot standby on FW1 (active)
9. Configure hot standby on FW2 (standby)
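The firewall commands for steps 1 to 9 are not reproduced on the page, so the following is an added, illustrative FW1 configuration in Huawei USG6000 (V500) CLI; it is not the author's configuration. The interface numbers (GE1/0/1 Telecom, GE1/0/2 Unicom, GE1/0/3 towards CE1, GE1/0/7 heartbeat), the heartbeat subnet 10.10.10.0/30, the rule and IP-Link names, and the firewalls' public addresses (.2 on FW1, .3 on FW2) are assumptions. The LAN-side addresses 11.1.1.2 and 13.1.1.2 come from the core switches' static routes, and the ISP gateways 222.92.76.1 and 130.1.1.1 from SW3 and SW4 above. Lines starting with # are annotations, not commands.

```text
# FW1 (active). Interface numbers, heartbeat subnet and public host addresses are assumed.
sysname FW1
#
interface GigabitEthernet1/0/1
 description to-Telecom
 ip address 222.92.76.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 description to-Unicom
 ip address 130.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/3
 description to-CE1
 ip address 11.1.1.2 255.255.255.248
#
interface GigabitEthernet1/0/7
 description HRP-heartbeat
 ip address 10.10.10.1 255.255.255.252
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 add interface GigabitEthernet1/0/7
#
# Step 2: one NAT rule per ISP, source NAT to the address of the egress interface
nat-policy
 rule name nat_telecom
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  action source-nat easy-ip
 rule name nat_unicom
  source-zone trust
  egress-interface GigabitEthernet1/0/2
  action source-nat easy-ip
#
# Step 3: security policy limited to the two LAN subnets (no "any" source)
security-policy
 rule name lan_to_internet
  source-zone trust
  destination-zone untrust
  source-address 192.168.9.0 mask 255.255.255.0
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
#
# Step 4: IP-Link pings each ISP gateway; a dead uplink withdraws its default route
ip-link check enable
ip-link name telecom
 destination 222.92.76.1 interface GigabitEthernet1/0/1 mode icmp
ip-link name unicom
 destination 130.1.1.1 interface GigabitEthernet1/0/2 mode icmp
#
# Step 5: two default routes, each tied to its IP-Link (equal preference = load sharing)
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 222.92.76.1 track ip-link telecom
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 130.1.1.1 track ip-link unicom
#
# Step 6: return routes to the LAN VLANs via CE1
ip route-static 192.168.9.0 255.255.255.0 11.1.1.1
ip route-static 192.168.10.0 255.255.255.0 11.1.1.1
#
# Step 8: HRP active; fail over when an ISP uplink or the LAN-side link goes down
hrp enable
hrp interface GigabitEthernet1/0/7 remote 10.10.10.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
#
# Step 9: FW2 (standby) mirrors this with its own addresses:
#   GE1/0/1 222.92.76.3/24, GE1/0/2 130.1.1.3/24, GE1/0/3 13.1.1.2/29 (to CE2), GE1/0/7 10.10.10.2/30
#   return routes via 13.1.1.1, and
# hrp enable
# hrp standby-device
# hrp interface GigabitEthernet1/0/7 remote 10.10.10.1
```

After both units are configured, display hrp state on each firewall should show one unit as active and its peer as standby, and display ip-link should show both IP-Links up before any failover test is attempted.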
III. Core and access switch configuration
1. Core switch CE1 configuration
CE1 is the VRRP master for both VLANs: priority 120, with the uplink GE1/0/0 (towards FW1) tracked so that a link failure lowers the priority by 40, below CE2's default of 100. The 15 s preempt delay on VRID 1 keeps a rebooted CE1 from taking the master role back before its uplink and routes are up (VRID 2 keeps the default delay of 0). On CloudEngine switches the MST region settings only take effect after active region-configuration.
vlan batch 9 to 10
#
stp enable
stp mode mstp
#
stp region-configuration
region-name test
revision-level 1
instance 1 vlan 9 to 10
active region-configuration
#
stp instance 1 root primary
#
interface Vlanif9
description ith
ip address 192.168.9.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.9.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 15
vrrp vrid 1 track interface GE1/0/0 reduced 40
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.10.254
vrrp vrid 2 priority 120
vrrp vrid 2 track interface GE1/0/0 reduced 40
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 11.1.1.1 255.255.255.248
#
interface GE1/0/1
undo shutdown
port link-type trunk
port trunk allow-pass vlan all
#
interface GE1/0/2
undo shutdown
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
interface GE1/0/3
undo shutdown
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.2 preference 50
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 70
#
2. Core switch CE2 configuration
CE2 keeps the VRRP default priority of 100 and becomes master only when CE1 fails or CE1's tracked uplink drops its priority to 80.
vlan batch 9 to 10
#
stp enable
stp mode mstp
#
stp region-configuration
region-name test
revision-level 1
instance 1 vlan 9 to 10
active region-configuration
#
stp instance 1 root secondary
#
#
interface Vlanif9
ip address 192.168.9.2 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.9.254
#
interface Vlanif10
ip address 192.168.10.2 255.255.255.0
vrrp vrid 2 virtual-ip 192.168.10.254
#
interface MEth0/0/0
undo shutdown
#
interface GE1/0/0
undo shutdown
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
interface GE1/0/1
undo shutdown
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
interface GE1/0/2
undo shutdown
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 13.1.1.1 255.255.255.248
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.2 preference 70
ip route-static 0.0.0.0 0.0.0.0 13.1.1.2 preference 50
#
Each core switch's preference-70 backup default route points at the other firewall's LAN-side address, but as listed neither switch has an interface in, or a route to, the other firewall's /29 (CE1 has nothing in 13.1.1.0/29, CE2 nothing in 11.1.1.0/29), and a static route whose next hop is unreachable is not installed. Check with display ip routing-table on each core whether the backup route is actually active before relying on it.
3. Access switch SW1 configuration:
The two uplinks are trunks carrying VLANs 9 and 10 towards CE1 and CE2; the host ports are access ports with stp edged-port enable so that a PC plugging in does not trigger an MSTP recalculation. The switch joins the same MST region (name, revision and instance mapping) as the cores.
vlan batch 9 to 10
#
stp region-configuration
region-name test
revision-level 1
instance 1 vlan 9 to 10
active region-configuration
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 9 to 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 9
stp edged-port enable
#
interface Ethernet0/0/4
port link-type access
port default vlan 10
stp edged-port enable
#
4. Access switch SW2 configuration
It is very close to SW1's, so it is not repeated here.
IV. Failure tests
1. Simulate failure of the VRRP master switch
As shown in the figure above, after shutting down CE1 the Internet traffic switched to the right-hand side;
2. Simulate failure of firewall FW1
After shutting down FW1, the HRP state switched: the standby unit on the right became active and the Internet traffic moved to FW2, which shows the configuration is correct.
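The page reports the two failover tests only as outcomes. The following is an added checklist of display commands (not from the original page) to run before and after each test so the switch-over can be verified rather than inferred from whether a browser still loads; the command names are standard Huawei CE/USG show commands, and the expected values are derived from the configuration above. Text after # on a line is an annotation, not part of the command.

```text
# On the core switches (CE1 and CE2), before and after stopping CE1
display vrrp brief              # VRID 1 and 2: CE1 Master / CE2 Backup; after CE1 stops, CE2 shows Master
display stp brief               # MSTP instance 1 port roles after the topology change
display ip routing-table        # which 0.0.0.0/0 is active (preference 50 on the local firewall link)
#
# On the firewalls (FW1 and FW2), before and after stopping FW1
display hrp state               # role active/standby and heartbeat status; after FW1 stops, FW2 reports active
display ip-link                 # both IP-Links (to 222.92.76.1 and 130.1.1.1) up
display firewall session table  # synchronised sessions present on the unit that became active
#
# From a LAN host in VLAN 9 (192.168.9.0/24, default gateway 192.168.9.254)
tracert 3.3.3.3                 # hop 1 = 192.168.9.254 (VRRP VIP), hop 2 = 11.1.1.2 (FW1) or 13.1.1.2 (FW2),
                                # hop 3 = the ISP gateway; hop 2 tells you which firewall is forwarding
```

Running tracert before and after each test gives a record of the path, which is more useful than "the Internet still works": a failover that leaves hop 2 unchanged means the traffic never moved.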