当前位置: 代码迷 >> 综合 >> 进入华为软件 eNSP 学习的第八天
  详细解决方案

进入华为软件 eNSP 学习的第八天

热度:40   发布时间:2023-12-02 20:39:43.0

                                        防火墙双机热备实验

 

 

实验拓扑图:

 

  • 实验需求:

1.PC1 ping通PC2

2.防火墙双机备份

 

二、实验步骤:

  第一步:配置思路

     1.配置ip

     2.配置区域

     3.配置安全策略

     4.配置VRRP和hrp

 

第二步:实验操作

  1. 配置ip

FW1:

interface GigabitEthernet1/0/0

ip address 192.168.3.1 255.255.255.0

service-manage ping permit

 

interface GigabitEthernet1/0/1

ip address 192.168.4.1 255.255.255.0

service-manage ping permit

 

interface GigabitEthernet1/0/2

ip address 10.10.10.10 255.255.255.0

service-manage ping permit

FW2:

interface GigabitEthernet1/0/0

ip address 192.168.3.2 255.255.255.0

service-manage ping permit

 

interface GigabitEthernet1/0/1

ip address 192.168.4.2 255.255.255.0

service-manage ping permit

 

interface GigabitEthernet1/0/2

ip address 10.10.10.11 255.255.255.0

service-manage ping permit

 

2.配置区域:

FW1:

firewall zone trust

add interface GigabitEthernet1/0/0

 

firewall zone untrust

 add interface GigabitEthernet1/0/1

 

firewall zone dmz

add interface GigabitEthernet1/0/2

FW2:

firewall zone trust

add interface GigabitEthernet1/0/0

 

firewall zone untrust

add interface GigabitEthernet1/0/1

 

firewall zone dmz

add interface GigabitEthernet1/0/2

 

  1. 配置安全策略

FW1:

security-policy

rule name 1

source-zone trust

destination-zone untrust

action permit

FW2:

security-policy

rule name 1

source-zone trust

destination-zone untrust

action permit

 

 

  1. 配置VRRP和hrp:

FW1:

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 192.168.3.254 active

vrrp virtual-mac enable

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 192.168.4.254 active

vrrp virtual-mac enable

 

[FW1]hrp interface GigabitEthernet 1/0/2 remote 10.10.10.11

[FW1]hrp enable

 

FW2:

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 192.168.3.254 standby

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 192.168.4.254 standby

 

[FW2]hrp interface GigabitEthernet 1/0/2 remote 10.10.10.10

[FW2]hrp enable

 

 5.测试:

PC1àPC2:

FW1:G1/0/1 和FW2:G1/0/1

 

 

 

                       VGMP、VRRP实验报告

 

一、实验需求:

1.全网用静态路由打通
2.R3上有两个loop地址1.1.1.1 2.2.2.2

3.PC1访问1.1.1.1走FW1、R1、R3

4.PC2 访问2.2.2.2走FW2、R2、R3

5.注意线路切换

二、实验拓扑图:

三、实验目标:

1.熟悉vrrp相关配置

2.了解vrrp原理及作用

 

四、实验步骤:

第一步:配置思路

1.配置两台PC IP地址

2.检测连通性

3.配置VGMP+HRP

4.配置路由器侧的vrrp+track

5.配置路由+份路由+安全策略

6.检查连通性

7.断掉R1与R3之间的链路后查看包路径

8.断掉FW1与R1之间的链路后查看包路径

9.开启hrp-track后重复7、8两步查看包路径

10.总结

 

第二步:实际操作

 

  1. 配置IP地址,并开启Ping,配置VLAN

PC1:

 

PC2:

FW1:

 

int g1/0/1

ip address 10.10.10.10 24

service-manage ping permit

 

int g1/0/0

ip address 192.168.1.252 24

 

FW2:

int g1/0/0

ip address 192.168.1.252 255.255.255.0

service-manage ping permit

 

int g1/0/1

ip address 10.10.10.11 24

service-manage ping permit

 

FW1:

vlan 10

int g1/0/2

port link-type access

port default vlan 10

 

int g1/0/3

portswitch

port link-type access

port de vlan 10

 

int vlan 10

ip add 172.16.1.1 24

 

 

FW2:

int g1/0/2

portswitch

port link-type access

port de vlan 10

 

int g1/0/3

portswitch

port link-type access

port de vlan 10

 

int vlan 10

ip add 172.16.2.12 24

 

R1:

int g0/0/0

ip add 172.16.1.1 24

 

int g0/0/1

ip add 172.16.2.1 24

 

int g0/0/2

ip add 172.16.13.1 24

 

R3:

int g0/0/0

ip add 172.16.13.3 24

 

int g0/0/1

ip add 172.16.23.3 24

 

int loopback 0

ip add 1.1.1.1 32

 

int loopback 1

ip add 2.2.2.2 32

 

R2:

int g0/0/2

ip add 172.16.23.2 24

 

int g0/0/1

ip add 172.16.1.2 24

 

int g0/0/0

ip add 172.16.2.2 24

 

  1. 配置区域和VGMP+HRP

FW1:

firewall zone trust

add int g1/0/0

 

firewall zone dmz

add int g1/0/1

 

firewall zone untrust

add int g1/0/2

add int g1/0/3

add int vlan 10

 

FW2:

firewall zone trust

add int g1/0/0

 

firewall zone dmz

add int g1/0/1

 

firewall zone untrust

add int g1/0/2

add int g1/0/3

add int vlan 10

 

int g1/0/0

vrrp vrid 1 virtual-ip 192.168.1.253 24 active

vrrp vrid 2 virtual-ip 192.168.1.254  24 standby

FW1:

interface GigabitEthernet1/0/0

 vrrp vrid 1 virtual-ip 192.168.1.253 standby

 vrrp vrid 2 virtual-ip 192.168.1.254 active

 

hrp enable

hrp mirror session enable

hrp int g1/0/1 remote 10.10.10.11

FW2:

interface GigabitEthernet1/0/0

 vrrp vrid 1 virtual-ip 192.168.1.253 active

 vrrp vrid 2 virtual-ip 192.168.1.254 standby

 

hrp enable

hrp mirror session enable

hrp int g1/0/1 remote 10.10.10.10

  1. 配置路由器侧的vrrp+track

AR1:

int g0/0/0

vrrp vrid 1 virtual-ip 172.16.1.254

vrrp vrid 1 priority 200

 

int g0/0/1

vrrp vrid 2 virtual-ip 172.16.2.254

 

AR2:

int g0/0/1

vrrp vrid 1 virtual-ip 172.16.1.254

 

int g0/0/0

vrrp vrid 2 virtual-ip 172.16.2.254

vrrp vrid 2 priority 200

 

AR1:

int g0/0/0

vrrp vrid 1 track int g0/0/2 reduced 120

 

AR2:

int g0/0/0

vrrp vrid 2 track int g0/0/2 reduced 120

  1. 配置路由+备份路由+安全策略

FW1:

ip route-static 0.0.0.0 0 172.16.1.254

FW2:

ip route-static 0.0.0.0 0 172.16.2.254

 

AR1:

ip route-static 1.1.1.1 32 172.16.13.3

ip route-static 2.2.2.2 32 172.16.13.3

ip route-static 192.168.1.0 24 172.16.1.11

ip route-static 192.168.1.0 24 172.16.2.12 preference 100

AR2:

ip route-static 1.1.1.1 32 172.16.23.3

ip route-static 2.2.2.2 32 172.16.23.3

ip route-static 192.168.1.0 24 172.16.1.11 preference 100

ip route-static 192.168.1.0 24 172.16.2.12

 

AR3:

ip route-static 172.16.1.0 24 172.16.13.1

ip route-static 172.16.1.0 24 172.16.23.2 preference 100

ip route-static 172.16.2.0 24 172.16.23.2

ip route-static 172.16.2.0 24 172.16.13.1 preference 100

ip route-static 192.168.1.0 24 172.16.13.1

ip route-static 192.168.1.0 24 172.16.23.2

FW1:

security-policy

rule name trust

source-zone trust

destination-zone untrust

action permit

 

FW1:

int vlan 10

service-manage ping permit

 

  1. 断掉R1与R3之间的链路后查看包路径

PC1

  1. 断掉FW1与R1之间的链路后查看包路径

 

第三步:测试并查看

检测连通性

PC1

 

PC2

 

  相关解决方案

代码迷 - 您身边的软件异常,代码异常,编程异常助手(发现,解决,分享)
Copyright © 2009-2013 DAIMAMI.COM. All rights reserved.