- Network topology diagram
- Networking requirements
BJ_FW and SD_FW are connected over the Internet, and their public addresses are mutually routable. Headquarters and the branch each have a private IP network running OSPF dynamic routing internally. A GRE tunnel is set up between the two firewalls so that the two private IP networks can exchange OSPF routing information across the Internet.
- Configuration approach
- Create one Tunnel interface on BJ_FW and one on SD_FW.
- On each Tunnel interface, specify the encapsulation parameters: the tunnel source IP address, destination IP address and so on.
- Configure OSPF dynamic routing.
- Enable an OSPF process and specify the interfaces that run OSPF. The Tunnel interfaces at both ends form an adjacency over the GRE tunnel.
- Configure security policies that allow the GRE tunnel to be established and the traffic to be forwarded.
- Procedure
- Configure the internet device
a) Configure the interface IP addresses
[internet]inter g4/0/0
[internet-GigabitEthernet4/0/0]ip add 1.1.1.1 29
[internet-GigabitEthernet4/0/0]quit
[internet]inter g4/0/1
[internet-GigabitEthernet4/0/1]ip add 2.2.2.1 29
[internet-GigabitEthernet4/0/1]quit
[internet]inter loopb0
[internet-LoopBack0]ip add 5.5.5.5 32
[internet-LoopBack0]quit
- Configure the BJ_FW device
a) Configure the interface IP addresses
[BJ_FW]inter g1/0/0
[BJ_FW-GigabitEthernet1/0/0]ip add 1.1.1.2 29
[BJ_FW-GigabitEthernet1/0/0]service-manage ping per
[BJ_FW-GigabitEthernet1/0/0]quit
[BJ_FW]inter g1/0/6
[BJ_FW-GigabitEthernet1/0/6]ip add 10.1.1.1 24
[BJ_FW-GigabitEthernet1/0/6]service-manage ping per
[BJ_FW-GigabitEthernet1/0/6]quit
[BJ_FW]inter loopb0
[BJ_FW-LoopBack0]ip add 50.50.50.1 32
[BJ_FW-LoopBack0]quit
[BJ_FW]inter Tunnel 1
[BJ_FW-Tunnel1]ip add 172.16.1.1 29
[BJ_FW-Tunnel1]quit
b) Add the interfaces to security zones
[BJ_FW]firewall zone untrust
[BJ_FW-zone-untrust]add inter g1/0/0
[BJ_FW-zone-untrust]quit
[BJ_FW]firewall zone trust
[BJ_FW-zone-trust]add inter g1/0/6
[BJ_FW-zone-trust]quit
[BJ_FW]firewall zone dmz
[BJ_FW-zone-dmz]add inter Tunnel 1
[BJ_FW-zone-dmz]quit
c) Configure OSPF routing
Advertise the Beijing private subnets and the subnet of the Tunnel interface, 172.16.1.0/24, through OSPF
[BJ_FW]ospf 1 router-id 50.50.50.1
[BJ_FW-ospf-1]area 0
[BJ_FW-ospf-1-area-0.0.0.0]net 172.16.1.0 0.0.0.255
[BJ_FW-ospf-1-area-0.0.0.0]net 10.1.1.0 0.0.0.255
[BJ_FW-ospf-1-area-0.0.0.0]net 50.50.50.1 0.0.0.0
[BJ_FW-ospf-1-area-0.0.0.0]quit
d) Configure the encapsulation parameters of the Tunnel interface
[BJ_FW]inter Tunnel 1
[BJ_FW-Tunnel1]tunnel-protocol gre
[BJ_FW-Tunnel1]source 1.1.1.2
[BJ_FW-Tunnel1]destination 2.2.2.2
[BJ_FW-Tunnel1]gre key cipher 123456789
[BJ_FW-Tunnel1]keepalive
[BJ_FW-Tunnel1]quit
e) Configure interzone security policies
Configure the Trust-DMZ interzone security policy so that packets are permitted before encapsulation
[BJ_FW]security-policy
[BJ_FW-policy-security]rule name policy1
[BJ_FW-policy-security-rule-policy1]source-zone trust dmz
[BJ_FW-policy-security-rule-policy1]destination-zone dmz trust
[BJ_FW-policy-security-rule-policy1]act per
[BJ_FW-policy-security-rule-policy1]quit
Configure the Local-Untrust interzone security policy so that the encapsulated GRE packets are permitted
[BJ_FW-policy-security]rule name policy2
[BJ_FW-policy-security-rule-policy2]source-zone local untrust
[BJ_FW-policy-security-rule-policy2]destination-zone untrust local
[BJ_FW-policy-security-rule-policy2]service gre
[BJ_FW-policy-security-rule-policy2]act per
[BJ_FW-policy-security-rule-policy2]quit
Configure the Trust-Untrust interzone security policy so that the internal network can access the Internet
[BJ_FW-policy-security]rule name policy3
[BJ_FW-policy-security-rule-policy3]source-zone trust
[BJ_FW-policy-security-rule-policy3]destination-zone untrust
[BJ_FW-policy-security-rule-policy3]source-address 10.1.1.0 24
[BJ_FW-policy-security-rule-policy3]source-address 10.1.2.0 24
[BJ_FW-policy-security-rule-policy3]source-address 10.1.3.0 24
[BJ_FW-policy-security-rule-policy3]act per
[BJ_FW-policy-security-rule-policy3]quit
Configure NAT so that private source IPs are translated to the egress interface IP for Internet access
[BJ_FW]nat-policy
[BJ_FW-policy-nat]rule name policy_nat1
[BJ_FW-policy-nat-rule-policy_nat1]source-zone trust
[BJ_FW-policy-nat-rule-policy_nat1]destination-zone untrust
[BJ_FW-policy-nat-rule-policy_nat1]source-address 10.1.1.0 24
[BJ_FW-policy-nat-rule-policy_nat1]source-address 10.1.2.0 24
[BJ_FW-policy-nat-rule-policy_nat1]source-address 10.1.3.0 24
[BJ_FW-policy-nat-rule-policy_nat1]act source-nat easy-ip
[BJ_FW-policy-nat-rule-policy_nat1]quit
f) Configure the default route
[BJ_FW]ip route-static 0.0.0.0 0.0.0.0 g1/0/0 1.1.1.1
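As an added example (not part of the original lab and not the firewall's own code), the following Python parser handles the GRE-over-IPv4 packets that steps d) and e) above deal with: it reads the outer IPv4 header and the GRE flags, extracts the 32-bit GRE key, and checks the outer endpoints and key against the BJ_FW tunnel parameters from this page (source 1.1.1.2, destination 2.2.2.2, key 123456789). The sample packet is constructed inline with the outer IP checksum left zero; the GRE key is a demultiplexing value, not authentication, so this is the kind of sanity check a capture-based monitor on the untrust link can apply, nothing more.

```python
import struct
import ipaddress

# Tunnel parameters as configured on BJ_FW in the lab above (seen from BJ_FW's side).
TUNNEL_LOCAL = "1.1.1.2"
TUNNEL_PEER = "2.2.2.2"
TUNNEL_KEY = 123456789
IPPROTO_GRE = 47
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000  # RFC 2784/2890 header bits

def parse_gre_over_ipv4(pkt: bytes) -> dict:
    """Parse the outer IPv4 header and the GRE header; return the fields and the payload."""
    if len(pkt) < 24 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError(f"outer protocol {pkt[9]} is not GRE")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    off = ihl
    flags, ptype = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    key = None
    if flags & GRE_FLAG_C:   # checksum + reserved1 present
        off += 4
    if flags & GRE_FLAG_K:   # 32-bit key present (what 'gre key' on the Tunnel interface sets)
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:   # sequence number present
        off += 4
    return {"src": src, "dst": dst, "ptype": ptype, "key": key, "payload": pkt[off:]}

def check_tunnel_packet(pkt: bytes) -> list:
    """Return findings; an empty list means the packet matches the configured tunnel."""
    f = parse_gre_over_ipv4(pkt)
    findings = []
    if {f["src"], f["dst"]} != {TUNNEL_LOCAL, TUNNEL_PEER}:
        findings.append(f"unexpected endpoints {f['src']}->{f['dst']}")
    if f["key"] != TUNNEL_KEY:
        findings.append(f"GRE key {f['key']} != configured {TUNNEL_KEY}")
    return findings

def build_gre_packet(src: str, dst: str, key: int, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed sample: outer IPv4 (checksum left zero) + GRE with the K bit set."""
    gre = struct.pack("!HHI", GRE_FLAG_K, 0x0800, key) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0x4000, 64, IPPROTO_GRE, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + gre
```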
- Configure the BJ_Core device
a) Create the VLANs, add the interfaces to their VLANs, and configure the interface IP addresses
[BJ_Core]vlan b 100 200 300
[BJ_Core]inter g0/0/24
[BJ_Core-GigabitEthernet0/0/24]port link-ty ac
[BJ_Core-GigabitEthernet0/0/24]port de vlan 100
[BJ_Core-GigabitEthernet0/0/24]quit
[BJ_Core]inter g0/0/10
[BJ_Core-GigabitEthernet0/0/10]port link-ty ac
[BJ_Core-GigabitEthernet0/0/10]port de vlan 100
[BJ_Core-GigabitEthernet0/0/10]quit
[BJ_Core]inter g0/0/1
[BJ_Core-GigabitEthernet0/0/1]port link-ty ac
[BJ_Core-GigabitEthernet0/0/1]port de vlan 200
[BJ_Core]inter g0/0/2
[BJ_Core-GigabitEthernet0/0/2]port link-ty ac
[BJ_Core-GigabitEthernet0/0/2]port de vlan 300
[BJ_Core-GigabitEthernet0/0/2]quit
[BJ_Core]inter vlan 100
[BJ_Core-Vlanif100]ip add 10.1.1.254 24
[BJ_Core-Vlanif100]quit
[BJ_Core]inter vlan 200
[BJ_Core-Vlanif200]ip add 10.1.2.254 24
[BJ_Core-Vlanif200]quit
[BJ_Core]inter vlan 300
[BJ_Core-Vlanif300]ip add 10.1.3.254 24
[BJ_Core-Vlanif300]quit
[BJ_Core]inter loopb0
[BJ_Core-LoopBack0]ip add 50.50.50.2 32
[BJ_Core-LoopBack0]quit
b) Configure the default route
[BJ_Core]ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 10.1.1.1
c) Configure OSPF routing
[BJ_Core]ospf 1 router-id 50.50.50.2
[BJ_Core-ospf-1]area 0
[BJ_Core-ospf-1-area-0.0.0.0]net 50.50.50.2 0.0.0.0
[BJ_Core-ospf-1-area-0.0.0.0]net 10.1.1.0 0.0.0.255
[BJ_Core-ospf-1-area-0.0.0.0]net 10.1.2.0 0.0.0.255
[BJ_Core-ospf-1-area-0.0.0.0]net 10.1.3.0 0.0.0.255
[BJ_Core-ospf-1-area-0.0.0.0]quit
- Configure the SD_FW device
a) Configure the interface IP addresses
[SD_FW]inter g1/0/0
[SD_FW-GigabitEthernet1/0/0]ip add 2.2.2.2 29
[SD_FW-GigabitEthernet1/0/0]service-manage ping per
[SD_FW-GigabitEthernet1/0/0]quit
[SD_FW]inter g1/0/6
[SD_FW-GigabitEthernet1/0/6]ip add 10.2.1.1 24
[SD_FW-GigabitEthernet1/0/6]service-manage ping per
[SD_FW-GigabitEthernet1/0/6]quit
[SD_FW]inter loopb0
[SD_FW-LoopBack0]ip add 50.50.60.1 32
[SD_FW-LoopBack0]quit
[SD_FW]inter Tunnel 1
[SD_FW-Tunnel1]ip add 172.16.1.2 29
[SD_FW-Tunnel1]quit
b) Add the interfaces to security zones
[SD_FW]firewall zone untrust
[SD_FW-zone-untrust]add inter g1/0/0
[SD_FW-zone-untrust]quit
[SD_FW]firewall zone trust
[SD_FW-zone-trust]add inter g1/0/6
[SD_FW-zone-trust]quit
[SD_FW]firewall zone dmz
[SD_FW-zone-dmz]add inter Tunnel 1
[SD_FW-zone-dmz]quit
c) Configure OSPF routing
Advertise the Shandong private subnets and the subnet of the Tunnel interface, 172.16.1.0/24, through OSPF
[SD_FW]ospf 1 router-id 50.50.60.1
[SD_FW-ospf-1]area 0
[SD_FW-ospf-1-area-0.0.0.0]net 172.16.1.0 0.0.0.255
[SD_FW-ospf-1-area-0.0.0.0]net 10.2.1.0 0.0.0.255
[SD_FW-ospf-1-area-0.0.0.0]net 50.50.60.1 0.0.0.0
[SD_FW-ospf-1-area-0.0.0.0]quit
d) Configure the encapsulation parameters of the Tunnel interface
[SD_FW]inter Tunnel 1
[SD_FW-Tunnel1]tunnel-protocol gre
[SD_FW-Tunnel1]source 2.2.2.2
[SD_FW-Tunnel1]destination 1.1.1.2
[SD_FW-Tunnel1]gre key cipher 123456789
[SD_FW-Tunnel1]keepalive
[SD_FW-Tunnel1]quit
e) Configure interzone security policies
Configure the Trust-DMZ interzone security policy so that packets are permitted before encapsulation
[SD_FW]security-policy
[SD_FW-policy-security]rule name policy1
[SD_FW-policy-security-rule-policy1]source-zone trust dmz
[SD_FW-policy-security-rule-policy1]destination-zone dmz trust
[SD_FW-policy-security-rule-policy1]act per
[SD_FW-policy-security-rule-policy1]quit
Configure the Local-Untrust interzone security policy so that the encapsulated GRE packets are permitted
[SD_FW-policy-security]rule name policy2
[SD_FW-policy-security-rule-policy2]source-zone local untrust
[SD_FW-policy-security-rule-policy2]destination-zone untrust local
[SD_FW-policy-security-rule-policy2]service gre
[SD_FW-policy-security-rule-policy2]act per
[SD_FW-policy-security-rule-policy2]quit
Configure the Trust-Untrust interzone security policy so that the internal network can access the Internet
[SD_FW-policy-security]rule name policy3
[SD_FW-policy-security-rule-policy3]source-zone trust
[SD_FW-policy-security-rule-policy3]destination-zone untrust
[SD_FW-policy-security-rule-policy3]source-address 10.2.1.0 24
[SD_FW-policy-security-rule-policy3]source-address 10.2.2.0 24
[SD_FW-policy-security-rule-policy3]source-address 10.2.3.0 24
[SD_FW-policy-security-rule-policy3]act per
[SD_FW-policy-security-rule-policy3]quit
Configure NAT so that private source IPs are translated to the egress interface IP for Internet access
[SD_FW]nat-policy
[SD_FW-policy-nat]rule name policy_nat1
[SD_FW-policy-nat-rule-policy_nat1]source-zone trust
[SD_FW-policy-nat-rule-policy_nat1]destination-zone untrust
[SD_FW-policy-nat-rule-policy_nat1]source-address 10.2.1.0 24
[SD_FW-policy-nat-rule-policy_nat1]source-address 10.2.2.0 24
[SD_FW-policy-nat-rule-policy_nat1]source-address 10.2.3.0 24
[SD_FW-policy-nat-rule-policy_nat1]act source-nat easy-ip
[SD_FW-policy-nat-rule-policy_nat1]quit
f) Configure the default route
[SD_FW]ip route-static 0.0.0.0 0.0.0.0 g1/0/0 2.2.2.1
- Configure the SD_Core device
a) Create the VLANs, add the interfaces to their VLANs, and configure the interface IP addresses
[SD_Core]vlan b 100 200 300
[SD_Core]inter g0/0/24
[SD_Core-GigabitEthernet0/0/24]port link-ty ac
[SD_Core-GigabitEthernet0/0/24]port de vlan 100
[SD_Core-GigabitEthernet0/0/24]quit
[SD_Core]inter g0/0/10
[SD_Core-GigabitEthernet0/0/10]port link-ty ac
[SD_Core-GigabitEthernet0/0/10]port de vlan 100
[SD_Core-GigabitEthernet0/0/10]quit
[SD_Core]inter g0/0/1
[SD_Core-GigabitEthernet0/0/1]port link-ty ac
[SD_Core-GigabitEthernet0/0/1]port de vlan 200
[SD_Core]inter g0/0/2
[SD_Core-GigabitEthernet0/0/2]port link-ty ac
[SD_Core-GigabitEthernet0/0/2]port de vlan 300
[SD_Core-GigabitEthernet0/0/2]quit
[SD_Core]inter vlan 100
[SD_Core-Vlanif100]ip add 10.2.1.254 24
[SD_Core-Vlanif100]quit
[SD_Core]inter vlan 200
[SD_Core-Vlanif200]ip add 10.2.2.254 24
[SD_Core-Vlanif200]quit
[SD_Core]inter vlan 300
[SD_Core-Vlanif300]ip add 10.2.3.254 24
[SD_Core-Vlanif300]quit
[SD_Core]inter loopb0
[SD_Core-LoopBack0]ip add 50.50.60.2 32
[SD_Core-LoopBack0]quit
b) Configure the default route
[SD_Core]ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 10.2.1.1
c) Configure OSPF routing
[SD_Core]ospf 1 router-id 50.50.60.2
[SD_Core-ospf-1]area 0
[SD_Core-ospf-1-area-0.0.0.0]net 50.50.60.2 0.0.0.0
[SD_Core-ospf-1-area-0.0.0.0]net 10.2.1.0 0.0.0.255
[SD_Core-ospf-1-area-0.0.0.0]net 10.2.2.0 0.0.0.255
[SD_Core-ospf-1-area-0.0.0.0]net 10.2.3.0 0.0.0.255
[SD_Core-ospf-1-area-0.0.0.0]quit
- Verification
a) BJ_PC1 and SD_PC2 can ping each other
The Beijing PC and the Shandong PC can ping each other
b) SD_PC1 and BJ_PC2 can ping each other
The Shandong PC and the Beijing PC can ping each other
c) Run display ip routing-table on BJ_FW to view the routing table; the Shandong internal private subnets have Tunnel 1 as their outbound interface
<BJ_FW>dis ip routing-table
2022-11-26 10:41:07.380
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 18
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 D 1.1.1.1 GigabitEthernet1/0/0
1.1.1.0/29 Direct 0 0 D 1.1.1.2 GigabitEthernet1/0/0
1.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet1/0/6
10.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/6
10.1.2.0/24 OSPF 10 2 D 10.1.1.254 GigabitEthernet1/0/6
10.1.3.0/24 OSPF 10 2 D 10.1.1.254 GigabitEthernet1/0/6
10.2.1.0/24 OSPF 10 1563 D 172.16.1.2 Tunnel1
10.2.2.0/24 OSPF 10 1564 D 172.16.1.2 Tunnel1
10.2.3.0/24 OSPF 10 1564 D 172.16.1.2 Tunnel1
50.50.50.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
50.50.50.2/32 OSPF 10 1 D 10.1.1.254 GigabitEthernet1/0/6
50.50.60.1/32 OSPF 10 1562 D 172.16.1.2 Tunnel1
50.50.60.2/32 OSPF 10 1563 D 172.16.1.2 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/29 Direct 0 0 D 172.16.1.1 Tunnel1
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel1
d) Run display ip routing-table on SD_FW to view the routing table; the Beijing internal private subnets have Tunnel 1 as their outbound interface
<SD_FW>dis ip routing-table
2022-11-26 10:46:12.610
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 18
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 D 2.2.2.1 GigabitEthernet1/0/0
2.2.2.0/29 Direct 0 0 D 2.2.2.2 GigabitEthernet1/0/0
2.2.2.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.0/24 OSPF 10 1563 D 172.16.1.1 Tunnel1
10.1.2.0/24 OSPF 10 1564 D 172.16.1.1 Tunnel1
10.1.3.0/24 OSPF 10 1564 D 172.16.1.1 Tunnel1
10.2.1.0/24 Direct 0 0 D 10.2.1.1 GigabitEthernet1/0/6
10.2.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/6
10.2.2.0/24 OSPF 10 2 D 10.2.1.254 GigabitEthernet1/0/6
10.2.3.0/24 OSPF 10 2 D 10.2.1.254 GigabitEthernet1/0/6
50.50.50.1/32 OSPF 10 1562 D 172.16.1.1 Tunnel1
50.50.50.2/32 OSPF 10 1563 D 172.16.1.1 Tunnel1
50.50.60.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
50.50.60.2/32 OSPF 10 1 D 10.2.1.254 GigabitEthernet1/0/6
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/29 Direct 0 0 D 172.16.1.2 Tunnel1
172.16.1.2/32 Direct 0 0 D 127.0.0.1 Tunnel1
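As an added example (not from the original lab), here is a Python check that automates what steps c) and d) verify by eye: it parses the VRP routing-table text, does a longest-prefix match for each remote private subnet, and confirms the route exits via Tunnel1 towards 172.16.1.2. A subnet whose best match is the default route is flagged, because when the tunnel is down that traffic follows the static default to the Internet next hop instead of being dropped. The sample below is the BJ_FW output from step c), trimmed to the relevant lines.

```python
import re
import ipaddress

# Sample: the BJ_FW "display ip routing-table" output from step c) above, trimmed to
# the lines needed here (taken from the page's own output, not re-captured).
BJ_FW_ROUTES = """\
0.0.0.0/0 Static 60 0 D 1.1.1.1 GigabitEthernet1/0/0
10.1.2.0/24 OSPF 10 2 D 10.1.1.254 GigabitEthernet1/0/6
10.2.1.0/24 OSPF 10 1563 D 172.16.1.2 Tunnel1
10.2.2.0/24 OSPF 10 1564 D 172.16.1.2 Tunnel1
10.2.3.0/24 OSPF 10 1564 D 172.16.1.2 Tunnel1
172.16.1.0/29 Direct 0 0 D 172.16.1.1 Tunnel1
"""
# Columns: Destination/Mask Proto Pre Cost Flags NextHop Interface
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
REMOTE_SITE = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"]   # Shandong subnets from the lab

def parse_routes(text: str) -> list:
    """Turn the VRP routing-table text into dicts; header and banner lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"prefix": ipaddress.ip_network(m[1]), "proto": m[2],
                           "nexthop": m[6], "iface": m[7]})
    return routes

def best_route(routes: list, dst: str):
    """Longest-prefix match, as the forwarding plane would choose."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen, default=None)

def check_remote_site_routes(routes: list, remote_prefixes: list,
                             tunnel_iface: str, tunnel_peer: str) -> list:
    """Each remote private prefix must be reached through the tunnel; a prefix whose best
    match is the default route (prefix length 0) is reported as a leak risk."""
    findings = []
    for p in remote_prefixes:
        net = ipaddress.ip_network(p)
        r = best_route(routes, str(net.network_address + 1))
        if r is None or r["prefix"].prefixlen == 0:
            findings.append(f"{p}: no specific route, falls through to the default route")
        elif r["iface"] != tunnel_iface or r["nexthop"] != tunnel_peer:
            findings.append(f"{p}: exits via {r['iface']} next hop {r['nexthop']}, "
                            f"expected {tunnel_iface}/{tunnel_peer}")
    return findings
```

Running the check against the same table with the Tunnel1 routes removed reproduces the tunnel-down case and returns one finding per Shandong subnet.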