I recently picked up a new project: dual routers, dual firewalls and dual switches, with full reachability across the whole network.
Because the real project uses Cisco equipment throughout, this walkthrough and its commands are Cisco. I also tried it on Huawei and it can be done there in full; if there is demand I will post a Huawei configuration as well.
The whole project simulated in EVE:
Network topology (Cisco):
Huawei topology (you can build it yourself in ENSP and play with it):
This article only covers the Cisco devices. OK, let's get into it.
================================================================================================
First, since EVE cannot simulate VSS, we use a single switch in its place. VPC1 represents DB-ZONE and VPC2 represents APP-ZONE.
VPC1: 172.16.10.1/24, gateway 172.16.10.254
VPC2: 172.16.20.1/24, gateway 172.16.20.254
The switch acts as a pure Layer 2 switch and the firewall does router-on-a-stick, because the customer wants APP and DB isolated in separate DMZ zones.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Configuration:
VPC1:
ip 172.16.10.1 255.255.255.0 172.16.10.254
save
VPC2:
ip 172.16.20.1 255.255.255.0 172.16.20.254
save
Switch configuration
en
config t
hostname VSS
vlan 10
vlan 20
exit
! SVI address in each VLAN
interface Vlan10
 ip address 172.16.10.2 255.255.255.0
interface Vlan20
 ip address 172.16.20.2 255.255.255.0
! trunk ports: carry VLAN 10 and VLAN 20 tagged (dot1q)
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
! access ports: VPC1 in VLAN 10 (DB), VPC2 in VLAN 20 (APP)
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 negotiation auto
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
 negotiation auto
OK, now the important part: firewall configuration with OSPF, failover and router-on-a-stick.
ASA-A (primary firewall)
First configure the router-on-a-stick interface and the sub-interfaces:
interface Ethernet0
 nameif DMZ
 security-level 50
 ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
 no shutdown
! physical trunk interface towards the switch: no address of its own
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
! sub-interfaces, one per VLAN (no standby address is given for these in the lab)
interface Ethernet1.10
 vlan 10
 nameif DB
 security-level 100
 ip address 172.16.10.254 255.255.255.0
interface Ethernet1.20
 vlan 20
 nameif APP
 security-level 100
 ip address 172.16.20.254 255.255.255.0
interface Ethernet2
 description STATE Failover Interface (session state sync)
 no shutdown
interface Ethernet3
 description LAN Failover Interface (config sync)
 no shutdown
With the interfaces done, we open up the traffic. To make sure every check passes, first permit any any:
! allow traffic between sub-interfaces that share the same security level
same-security-traffic permit inter-interface
access-list acl_DB extended permit ip any any
access-list acl_DB extended permit icmp any any
access-list acl_APP extended permit icmp any any
access-list acl_APP extended permit ip any any
access-list acl_DMZ extended permit ip any any
access-list acl_DMZ extended permit icmp any any
access-group acl_DMZ in interface DMZ
access-group acl_DB in interface DB
access-group acl_APP in interface APP
Once everything is open, make sure to test first that you can reach 172.16.10.254 and 172.16.20.254, and that DB and APP can reach each other.
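The permit any any entries above are only there to get the lab validated; before this goes anywhere near production you want to find every one of them and make sure each ACL is actually bound to an interface. As an added example (not part of the original post), the script below parses the ASA access-list and access-group lines from this lab and reports the any-to-any permits, ACLs defined but never applied, and access-groups that reference an undefined ACL. The sample config is constructed from the lines above plus one hypothetical tightened entry (APP to DB on TCP 3306) so the audit has a non-open rule to leave alone.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the ASA ACL and access-group lines from this lab,
# plus one hypothetical tightened entry (APP -> DB, tcp/3306, assumed)
# so that the audit has a rule it should not flag.
LAB_ACL_CONFIG = """\
same-security-traffic permit inter-interface
access-list acl_DB extended permit ip any any
access-list acl_DB extended permit icmp any any
access-list acl_APP extended permit icmp any any
access-list acl_APP extended permit ip any any
access-list acl_DMZ extended permit ip any any
access-list acl_DMZ extended permit icmp any any
access-list acl_DB extended permit tcp 172.16.20.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3306
access-group acl_DMZ in interface DMZ
access-group acl_DB in interface DB
access-group acl_APP in interface APP
"""

Ace = namedtuple("Ace", "acl action proto src dst line")


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (spec, next index).
    spec is the string 'any' or an ipaddress network (host -> /32)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return "any", i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # "network netmask" form used by ASA extended ACLs
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_aces(config):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [ports]' lines."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[1], tokens[3], tokens[4], src, dst, line))
    return aces


def parse_access_groups(config):
    """Return {acl_name: interface} from 'access-group NAME in interface IF' lines."""
    groups = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) == 5 and tokens[0] == "access-group" and tokens[2] == "in":
            groups[tokens[1]] = tokens[4]
    return groups


def audit_acls(config):
    """Report ACEs that permit any -> any (the lab's temporary open rules),
    ACLs defined but never applied, and access-groups naming an undefined ACL."""
    aces = parse_aces(config)
    groups = parse_access_groups(config)
    defined = {a.acl for a in aces}
    open_rules = [
        (a.acl, a.proto, groups.get(a.acl, "<unapplied>"))
        for a in aces
        if a.action == "permit" and a.src == "any" and a.dst == "any"
    ]
    return {
        "any_any": open_rules,
        "unapplied": sorted(defined - set(groups)),
        "undefined": sorted(set(groups) - defined),
    }


if __name__ == "__main__":
    report = audit_acls(LAB_ACL_CONFIG)
    for acl, proto, iface in report["any_any"]:
        print(f"{acl} (applied on {iface}) permits {proto} any -> any")
    print("unapplied:", report["unapplied"], "undefined:", report["undefined"])
```

Run it against your own `show running-config access-list` / `show running-config access-group` output once the lab works; the six any-any entries from this post are exactly what it should print.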
As shown:
Then configure active/standby failover:
! designate this unit as the primary
failover lan unit primary
! failover LAN interface: carries heartbeats and config sync
failover lan interface HA Ethernet3
! stateful failover link, named "stateful": carries session state
failover link stateful Ethernet2
! active/standby addresses on the failover LAN link
failover interface ip HA 1.1.1.1 255.255.255.0 standby 1.1.1.2
! active/standby addresses on the stateful link
failover interface ip stateful 2.1.1.1 255.255.255.0 standby 2.1.1.2
! enable failover last, once the links are defined
failover
The primary firewall is basically done at this point. To save myself some work I brought up OSPF, configured as follows:
router ospf 100
 network 172.16.10.0 255.255.255.0 area 0
 network 172.16.20.0 255.255.255.0 area 0
 network 172.16.30.0 255.255.255.0 area 0
 log-adj-changes
! advertise a default route
 default-information originate
! note: the ASA takes a subnet mask here, while IOS takes a wildcard mask
That completes the primary firewall; now we configure the standby firewall:
interface Ethernet3
 no shutdown
failover lan unit secondary
! the failover interface name and addresses must match the primary's
failover lan interface HA Ethernet3
failover interface ip HA 1.1.1.1 255.255.255.0 standby 1.1.1.2
failover
That completes the configuration; everything configured from here on is synced automatically to the standby.
OK, now we configure the routers. The main technologies here are NAT, OSPF and HSRP.
As before, we configure the interfaces first; I won't list them here.
OSPF configuration:
router ospf 100
 network 172.16.30.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 default-information originate
Then we configure HSRP:
! define the tracked object first: the line-protocol of the uplink G0/0
track 10 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/3
 ip address 172.16.30.3 255.255.255.0
 ! written here already; used by the NAT config below
 ip nat inside
 ip virtual-reassembly in
 ! VIP
 standby 10 ip 172.16.30.254
 ! priority
 standby 10 priority 101
 ! enable preemption
 standby 10 preempt
 ! link tracking: drop the priority by 10 when track 10 goes down
 standby 10 track 10 decrement 10
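Whether the track/decrement actually hands the VIP over depends on two things the config above does not spell out: the decrement must push the primary below the standby's priority (101 - 10 = 91 < 100 here), and the standby must itself have preempt, otherwise it just sits there while the primary's uplink is dead. As an added example (my own code, not from the post), the model below applies the HSRP rules for active election (priority, preempt, tracking, and the higher-IP tie-break) and walks the lab's R1 through uplink loss, uplink recovery and a full outage, once with a standby that has preempt and once without. The standby's address 172.16.30.4 and its preempt setting are assumptions, since the post only says to mirror the primary.

```python
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    """One router's state in a single HSRP standby group."""
    name: str
    ip: str                      # interface address, the HSRP tie-breaker
    priority: int = 100          # IOS default when 'standby N priority' is not set
    preempt: bool = False        # IOS default: no preempt
    track_decrement: int = 0     # 'standby N track T decrement D'
    tracked_up: bool = True      # state of the tracked object (G0/0 line-protocol)
    alive: bool = True           # False once hellos stop (box or LAN interface down)

    def effective_priority(self):
        """Priority after the tracked object's decrement is applied."""
        if self.tracked_up:
            return self.priority
        return max(self.priority - self.track_decrement, 0)


def _rank(r):
    # HSRP compares priority first; on a tie the higher interface IP wins
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))


def elect_active(routers, current_active):
    """Return the name of the active router after one HSRP election:
    a dead active is always replaced; a live active is only displaced by a
    router that has preempt AND a strictly better (priority, ip) rank."""
    alive = [r for r in routers if r.alive]
    by_name = {r.name: r for r in alive}
    best = max(alive, key=_rank)
    current = by_name.get(current_active)
    if current is None:                       # cold start, or the active went dead
        return best.name
    if best is not current and best.preempt and _rank(best) > _rank(current):
        return best.name
    return current.name


def decrement_is_sufficient(primary, standby):
    """Reviewer check: does the decrement push the primary below the standby,
    so that losing the tracked uplink actually causes a switchover?"""
    return primary.priority - primary.track_decrement < standby.priority


def lab_scenario(standby_preempt):
    """R1 as configured in the post (priority 101, preempt, decrement 10) against
    a standby on defaults except for preempt (assumed). Returns the active router
    after: start, R1 uplink down, R1 uplink restored, R1 dead."""
    r1 = HsrpRouter("R1", "172.16.30.3", priority=101, preempt=True, track_decrement=10)
    r2 = HsrpRouter("R2", "172.16.30.4", preempt=standby_preempt)  # .4 is assumed
    routers = [r1, r2]
    active = elect_active(routers, None)
    steps = [active]
    r1.tracked_up = False                      # G0/0 line-protocol goes down
    active = elect_active(routers, active)
    steps.append(active)
    r1.tracked_up = True                       # uplink comes back
    active = elect_active(routers, active)
    steps.append(active)
    r1.alive = False                           # R1 stops sending hellos entirely
    active = elect_active(routers, active)
    steps.append(active)
    return steps


if __name__ == "__main__":
    print("standby with preempt:   ", lab_scenario(True))
    print("standby without preempt:", lab_scenario(False))
```

The second run is the case to remember: with `standby 10 preempt` missing on R2, an uplink failure on R1 lowers R1's priority to 91 but the VIP stays on R1, so the tracked link protects nothing until R1 goes down completely.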
NAT:
! first define the source networks to be translated
access-list 10 permit 172.16.30.0 0.0.0.255
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 permit 172.16.20.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.106.1.1
! the uplink G0/0 must be marked as the NAT outside interface
! (the interface configs were left out above)
interface GigabitEthernet0/0
 ip nat outside
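One thing that trips people up on a mixed ASA/IOS build like this one: the ASA's `router ospf` network statements take a subnet mask (255.255.255.0), while the IOS OSPF and the standard ACL feeding NAT take a wildcard mask (0.0.0.255), and a wildcard is a bitwise don't-care pattern rather than a mask in the CIDR sense. As an added example (not from the post), the script below parses the NAT ACL above with IOS first-match and implicit-deny semantics, shows which sources will be translated, converts between the two mask styles, and refuses to turn a non-contiguous wildcard into a prefix. The host addresses used for the check are constructed from this lab (192.168.10.1 stands in for a host outside the NAT ACL).

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the standard ACL that selects NAT-inside sources in this lab.
NAT_ACL = """\
access-list 10 permit 172.16.30.0 0.0.0.255
access-list 10 permit 172.16.10.0 0.0.0.255
access-list 10 permit 172.16.20.0 0.0.0.255
"""

Entry = namedtuple("Entry", "action network wildcard")


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text):
    """Parse 'access-list N permit|deny NETWORK WILDCARD' lines; also accepts
    'any', 'host X' and the bare single-address form IOS treats as a host."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action = t[2]
        if t[3] == "any":
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        elif t[3] == "host":
            entries.append(Entry(action, t[4], "0.0.0.0"))
        elif len(t) == 4:
            entries.append(Entry(action, t[3], "0.0.0.0"))
        else:
            entries.append(Entry(action, t[3], t[4]))
    return entries


def matches(ip, network, wildcard):
    """IOS wildcard test: bits set in the wildcard are 'don't care'."""
    w = _to_int(wildcard)
    return (_to_int(ip) & ~w) == (_to_int(network) & ~w)


def acl_permits(entries, ip):
    """First-match semantics with the implicit deny at the end."""
    for e in entries:
        if matches(ip, e.network, e.wildcard):
            return e.action == "permit"
    return False


def nat_sources(entries, hosts):
    """Which of the given hosts 'ip nat inside source list' will translate."""
    return [h for h in hosts if acl_permits(entries, h)]


def wildcard_to_network(network, wildcard):
    """Convert 'NET WILDCARD' to a prefix. Raises ValueError for a
    non-contiguous wildcard such as 0.0.255.0, which has no CIDR equivalent."""
    w = _to_int(wildcard)
    if w & (w + 1):                           # not of the form 2^k - 1
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    prefixlen = 32 - w.bit_length()
    return ipaddress.ip_network(f"{network}/{prefixlen}", strict=False)


def netmask_to_wildcard(netmask):
    """ASA-style subnet mask -> IOS-style wildcard (bitwise complement)."""
    return str(ipaddress.IPv4Address((~_to_int(netmask)) & 0xFFFFFFFF))


if __name__ == "__main__":
    acl = parse_standard_acl(NAT_ACL)
    hosts = ["172.16.10.1", "172.16.20.1", "172.16.30.3", "192.168.10.1"]
    print("translated sources:", nat_sources(acl, hosts))
    for e in acl:
        print(e.network, e.wildcard, "->", wildcard_to_network(e.network, e.wildcard))
    print("ASA mask 255.255.255.0 as IOS wildcard:", netmask_to_wildcard("255.255.255.0"))
```

The ASA line `network 172.16.30.0 255.255.255.0 area 0` and the IOS line `network 172.16.30.0 0.0.0.255 area 0` describe the same 172.16.30.0/24, which is what `netmask_to_wildcard` confirms; the bitwise `matches` is what IOS actually does, so it is also the right tool when someone hands you a wildcard that is not a clean /N.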
At this point the whole network is complete; for the standby router's configuration, refer to the primary router.
Testing:
Test by shutting down the primary firewall.
That completes the whole lab.
If enough people need the Huawei configuration, I will put one together as well.