Configuration Example: Campus Egress Router Interconnected with Headquarters over a Leased Line

Case description: Two firewalls at the egress of the customer's campus branch form a hot standby pair and act as the egress gateway of the whole campus network. They carry the Internet egress traffic and provide security filtering for traffic entering and leaving the campus, safeguarding network security. At the same time, a router also acts as an egress gateway of the campus network and connects to headquarters over a leased line. Two core-layer switches form a cluster that serves as the core of the company's campus network and as the user gateway, assigning IP addresses to users. The service requirements are: internal users can access Internet resources normally but must not play online games or watch online video, and external users are prohibited from accessing the internal network.
Network diagram: router interconnected with headquarters over a leased line
Devices used in this example: egress USG6300E, version V600R007C00; AR6300, version V300R019C10
Core layer: S12700E, version V200R019C10
Deployment approach and steps:
1. Configure the cluster/stack and multi-active detection (MAD) to improve device-level reliability. Devices involved: core switches.
2. Configure Eth-Trunk to improve link reliability. Devices involved: core switches, egress firewalls.
3. Configure interface IP addresses and routes so that the network is reachable end to end. Devices involved: core switches, egress firewalls.
4. Configure hot standby and VRRP groups to improve device-level reliability. Devices involved: egress firewalls.
5. Configure security policies so that service traffic can pass through the firewalls. Devices involved: egress firewalls.
6. Configure NAT policies so that internal users can access the external network. Devices involved: egress firewalls.
7. Configure attack defense and application behavior control to safeguard network security. Devices involved: egress firewalls.

Configuration steps
Configure the cluster and multi-active detection on the core switches; for the detailed configuration, see the general cluster/stack deployment guide.
Configure Eth-Trunk on the firewalls FW.
# Create Eth-Trunk1 on FWA to connect to the core switch CORE, and add member interfaces to it.
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] eth-trunk 1
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] eth-trunk 1
[FWA-GigabitEthernet1/0/2] quit
# Create Eth-Trunk2 on FWB to connect to the core switch CORE, and add member interfaces to it.

<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 2
[FWB-Eth-Trunk2] mode lacp-static
[FWB-Eth-Trunk2] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] eth-trunk 2
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] eth-trunk 2
[FWB-GigabitEthernet1/0/2] quit
Configure Eth-Trunk on the egress router Router.
# Create Eth-Trunk40 on Router to connect to CORE, and add member interfaces to it.

<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] mode lacp-static
[Router-Eth-Trunk40] quit
[Router] interface Gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] eth-trunk 40
[Router-GigabitEthernet1/0/0] quit
[Router] interface Gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] eth-trunk 40
[Router-GigabitEthernet2/0/0] quit
Configure Eth-Trunk on the core switch CORE.
# Create Eth-Trunk1 on CORE to connect to FWA, and add member interfaces to it.

[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
[CORE] interface gigabitethernet 1/3/0/0
[CORE-GigabitEthernet1/3/0/0] eth-trunk 1
[CORE-GigabitEthernet1/3/0/0] quit
[CORE] interface gigabitethernet 2/3/0/1
[CORE-GigabitEthernet2/3/0/1] eth-trunk 1
[CORE-GigabitEthernet2/3/0/1] quit
# Create Eth-Trunk2 on CORE to connect to FWB, and add member interfaces to it.

[CORE] interface eth-trunk 2
[CORE-Eth-Trunk2] mode lacp
[CORE-Eth-Trunk2] quit
[CORE] interface gigabitethernet 1/3/0/1
[CORE-GigabitEthernet1/3/0/1] eth-trunk 2
[CORE-GigabitEthernet1/3/0/1] quit
[CORE] interface gigabitethernet 2/3/0/0
[CORE-GigabitEthernet2/3/0/0] eth-trunk 2
[CORE-GigabitEthernet2/3/0/0] quit
# Create Eth-Trunk40 on CORE to connect to the egress router Router, and add member interfaces to it.

[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] mode lacp
[CORE-Eth-Trunk40] quit
[CORE] interface gigabitethernet 1/6/0/1
[CORE-GigabitEthernet1/6/0/1] eth-trunk 40
[CORE-GigabitEthernet1/6/0/1] quit
[CORE] interface gigabitethernet 2/6/0/1
[CORE-GigabitEthernet2/6/0/1] eth-trunk 40
[CORE-GigabitEthernet2/6/0/1] quit
Configure interface IP addresses and routes.
Configure interface IP addresses on FWA and add the interfaces to the corresponding security zones.
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32  //used as the router ID
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/0
[FWA-GigabitEthernet1/0/0] ip address 203.0.113.1 24  //IP address of the interface connected to the external network
[FWA-GigabitEthernet1/0/0] gateway 203.0.113.254
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] ip address 10.4.0.1 24  //IP address of the hot standby heartbeat interface
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] ip address 10.3.0.1 24  //IP address of the Eth-Trunk interface connected to CORE
[FWA-Eth-Trunk1] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1  //add Eth-Trunk1, which connects to the internal network, to the trust zone
[FWA-zone-trust] quit
[FWA] firewall zone name isp1
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/0  //add the interface connected to the external network to zone isp1
[FWA-zone-isp1] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3  //add the heartbeat interface to the DMZ zone
[FWA-zone-dmz] quit
Configure interface IP addresses on FWB and add the interfaces to the corresponding security zones.
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32  //used as the router ID
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/0
[FWB-GigabitEthernet1/0/0] ip address 203.0.113.2 24  //IP address of the interface connected to the external network
[FWB-GigabitEthernet1/0/0] gateway 203.0.113.254
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] ip address 10.4.0.2 24  //IP address of the hot standby heartbeat interface
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface eth-trunk 2
[FWB-Eth-Trunk2] ip address 10.3.0.2 24  //IP address of the Eth-Trunk interface connected to CORE
[FWB-Eth-Trunk2] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 2  //add Eth-Trunk2, which connects to the internal network, to the trust zone
[FWB-zone-trust] quit
[FWB] firewall zone name isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/0  //add the interface connected to the external network to zone isp1
[FWB-zone-isp1] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3  //add the heartbeat interface to the DMZ zone
[FWB-zone-dmz] quit
Configure interface IP addresses on Router.
[Router] interface loopback 0
[Router-LoopBack0] ip address 4.4.4.4 32  //used as the router ID
[Router-LoopBack0] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.7.0.1 24  //IP address of the interface connected to the external network
[Router-GigabitEthernet3/0/0] quit
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] ip address 10.8.0.254 24  //IP address of the interface connected to CORE
[Router-Eth-Trunk40] quit
Configure interface IP addresses on CORE.
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32  //used as the router ID
[CORE-LoopBack0] quit
[CORE] vlan batch 20 50
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] port link-type access
[CORE-Eth-Trunk1] port default vlan 20
[CORE-Eth-Trunk1] quit
[CORE] interface eth-trunk 2
[CORE-Eth-Trunk2] port link-type access
[CORE-Eth-Trunk2] port default vlan 20
[CORE-Eth-Trunk2] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] port link-type trunk
[CORE-Eth-Trunk40] port trunk pvid vlan 50
[CORE-Eth-Trunk40] port trunk allow-pass vlan 50
[CORE-Eth-Trunk40] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.3.0.254 24  //IP address of the VLANIF connected to the FWs
[CORE-Vlanif20] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 10.8.0.1 24  //IP address of the VLANIF connected to Router
[CORE-Vlanif50] quit
Configure OSPF on FWA to advertise the network segments of its downstream interfaces.
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
Configure a default route on FWA with the public network IP address as the next hop.
[FWA] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
Configure OSPF on FWB to advertise the network segments of its downstream interfaces.
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
Configure a default route on FWB with the public network IP address as the next hop.
[FWB] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
Configure OSPF on Router to advertise the network segments of its upstream and downstream interfaces.
[Router] ospf 1 router-id 4.4.4.4
[Router-ospf-1] area 0.0.0.0
[Router-ospf-1-area-0.0.0.0] network 10.7.0.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 10.8.0.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
Configure OSPF on CORE to advertise the network segments of its upstream interfaces.
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255 //advertise the segment connected to the FWs
[CORE-ospf-1-area-0.0.0.0] network 10.8.0.0 0.0.0.255 //advertise the segment connected to Router
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
Configure a default route on CORE with the VRRP virtual IP address of the FWs as the next hop.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
Configure VRRP groups on the firewalls.
# On FWA, configure VRRP group 1 on the upstream service interface GE1/0/0 and set its state to Active; configure VRRP group 2 on the downstream service interface Eth-Trunk1 and set its state to Active.

[FWA] interface GigabitEthernet 1/0/0
[FWA-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 203.0.113.3 24 active
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 active
[FWA-Eth-Trunk1] quit
# On FWB, configure VRRP group 1 on the upstream service interface GE1/0/0 and set its state to Standby; configure VRRP group 2 on the downstream service interface Eth-Trunk2 and set its state to Standby.

[FWB] interface GigabitEthernet 1/0/0
[FWB-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 203.0.113.3 24 standby
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface eth-trunk 2
[FWB-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.3.0.3 24 standby
[FWB-Eth-Trunk2] quit
Configure hot standby on the firewalls.
# Specify the heartbeat interface on FWA and enable hot standby.

[FWA] hrp interface gigabitethernet 1/0/3 remote 10.4.0.2
[FWA] hrp enable
HRP_M[FWA] hrp mirror session enable  //enable session fast backup
# Specify the heartbeat interface on FWB and enable hot standby.

[FWB] hrp interface gigabitethernet 1/0/3 remote 10.4.0.1
[FWB] hrp enable
HRP_S[FWB] hrp mirror session enable
Configure security policies on the firewalls.
# Once the hot standby relationship is established, the security-policy configuration on FWA is automatically backed up to FWB.

HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz       //allow traffic between the local and DMZ zones
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust  //allow internal users to access the external network
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust  //deny external users access to the internal network
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] action deny
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
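Security-policy rules on the USG are matched top-down and the first matching rule wins, so a rule entered later only sees traffic that no earlier rule already claimed. The Python script below is an added example, not part of the original page or of Huawei's product: it models the rules of this example exactly as entered (including the policy_sec_work rule added later in the application behavior control step) and evaluates sample flows against them. The zone names, rule names and the 10.6.0.0/24 source network come from the page; the sample source addresses 10.5.0.10 and 198.51.100.7 are constructed.

```python
import ipaddress

# Security-policy rules modelled on the FWA configuration of this example, in
# the order they were entered. The USG evaluates security-policy rules top-down
# and applies the first rule whose conditions all match; when no rule matches,
# the implicit default rule denies the traffic. src_nets None means the rule
# carries no source-address condition (any address).
RULES = [
    {"name": "policy_dmz", "src_zones": {"local", "dmz"},
     "dst_zones": {"local", "dmz"}, "src_nets": None,
     "profile": None, "action": "permit"},
    {"name": "trust_to_untrust", "src_zones": {"trust"}, "dst_zones": {"isp1"},
     "src_nets": ["10.6.0.0/24"], "profile": None, "action": "permit"},
    {"name": "untrust_to_trust", "src_zones": {"isp1"}, "dst_zones": {"trust"},
     "src_nets": None, "profile": None, "action": "deny"},
    # time-range working_hours is "period-range all", so it is always active
    {"name": "policy_sec_work", "src_zones": {"trust"}, "dst_zones": {"isp1"},
     "src_nets": None, "profile": "profile_app_work", "action": "permit"},
]


def rule_matches(rule, src_zone, dst_zone, src_ip):
    """True when the flow satisfies every condition of the rule."""
    if src_zone not in rule["src_zones"] or dst_zone not in rule["dst_zones"]:
        return False
    if rule["src_nets"] is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in rule["src_nets"])


def evaluate(src_zone, dst_zone, src_ip):
    """Return (rule name, action, app-control profile) of the first matching rule."""
    for rule in RULES:
        if rule_matches(rule, src_zone, dst_zone, src_ip):
            return rule["name"], rule["action"], rule["profile"]
    return "default", "deny", None


def earlier_rules_sharing_zones(name):
    """Names of rules listed before `name` that cover at least one of its
    zone pairs; those rules take traffic away from it before it is consulted."""
    target = next(r for r in RULES if r["name"] == name)
    out = []
    for rule in RULES:
        if rule["name"] == name:
            break
        if rule["src_zones"] & target["src_zones"] and rule["dst_zones"] & target["dst_zones"]:
            out.append(rule["name"])
    return out


if __name__ == "__main__":
    # Constructed sample flows: a campus user, a trust host outside 10.6.0.0/24,
    # an Internet host probing inward, the HRP heartbeat, and a trust->dmz flow.
    for flow in [("trust", "isp1", "10.6.0.10"), ("trust", "isp1", "10.5.0.10"),
                 ("isp1", "trust", "198.51.100.7"), ("local", "dmz", "10.4.0.1"),
                 ("trust", "dmz", "10.6.0.10")]:
        print(flow, "->", evaluate(*flow))
    print("rules ahead of policy_sec_work:", earlier_rules_sharing_zones("policy_sec_work"))
```

Running evaluate("trust", "isp1", "10.6.0.10") returns trust_to_untrust with no profile: hosts in 10.6.0.0/24 are already permitted by the second rule, so policy_sec_work and its profile_app_work profile only ever apply to trust hosts outside that network. If the application control is meant for the 10.6.0.0/24 users, policy_sec_work has to sit above trust_to_untrust in the rule list (the security-policy view's rule move command reorders rules on the USG).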
Configure NAT policies on the firewalls.
# Create address pool addressgroup1 (192.0.2.1 to 192.0.2.5) on FWA. An address pool configured on FWA is automatically backed up to FWB.

HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 192.0.2.1 192.0.2.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit
# Configure a source NAT policy so that internal users in 10.6.0.0/24 can access the Internet with translated public IP addresses.

HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 10.6.0.1 10.6.0.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1  //the Internet-facing interface GE1/0/0 is in zone isp1, not in the built-in untrust zone
HRP_M[FWA-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] quit
# Ask the ISP's network administrator to configure a route to the address pool addressgroup1 with the firewall's corresponding interface address as the next hop.
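Two things a practitioner would check before trusting a NAT policy like this one: every zone a rule names must exist and actually hold an interface (a NAT rule whose destination-zone is the built-in untrust zone matches nothing when the Internet-facing interface was placed in a custom zone such as isp1), and the addresses the NAT rule translates must lie inside what the security policy permits. The Python script below is an added example, not part of the original page or of the USG product. It parses a constructed configuration excerpt written in the same display current-configuration layout as the configuration files at the end of this page; the excerpt deliberately points the NAT rule at untrust so the check has something to report.

```python
import re
import ipaddress

# Constructed configuration excerpt modelled on the FWA configuration file of
# this example. Blocks are separated by lines containing only '#', as in the
# output of display current-configuration. The nat-policy rule deliberately
# names the built-in untrust zone, which holds no interface here.
SAMPLE_CONFIG = """\
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone untrust
  source-address range 10.6.0.1 10.6.0.127
  action source-nat address-group addressgroup1
#
"""


def parse_blocks(text):
    """Split the configuration into '#'-delimited blocks of non-empty lines."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        blocks.append(current)
    return blocks


def zone_interfaces(blocks):
    """Map zone name -> set of interfaces; 'firewall zone name X' defines custom zones."""
    zones = {}
    for block in blocks:
        m = re.match(r"firewall zone (?:name )?(\S+)", block[0])
        if m:
            zones[m.group(1)] = {ln.split()[-1] for ln in block[1:]
                                 if ln.strip().startswith("add interface")}
    return zones


def policy_rules(blocks, policy):
    """Rules of a 'security-policy' or 'nat-policy' block as dicts of conditions."""
    rules = []
    for block in blocks:
        if block[0].strip() != policy:
            continue
        current = None
        for ln in block[1:]:
            parts = ln.split()
            if parts[:2] == ["rule", "name"]:
                current = {"name": parts[2], "source-zone": [], "destination-zone": [], "lines": []}
                rules.append(current)
            elif current is not None and parts[0] in ("source-zone", "destination-zone"):
                current[parts[0]].append(parts[1])
            elif current is not None:
                current["lines"].append(" ".join(parts))
    return rules


def lint_zone_references(text):
    """Report rules that reference a zone with no interface assigned. The built-in
    'local' zone is the firewall itself and never carries an interface."""
    blocks = parse_blocks(text)
    zones = zone_interfaces(blocks)
    findings = []
    for policy in ("security-policy", "nat-policy"):
        for rule in policy_rules(blocks, policy):
            for key in ("source-zone", "destination-zone"):
                for zone in rule[key]:
                    if zone != "local" and not zones.get(zone):
                        findings.append(f"{policy} rule {rule['name']}: {key} {zone} has no interface")
    return findings


def nat_range_within_policy(text):
    """True when every nat-policy 'source-address range' lies inside a network that
    some permitting security-policy rule names in a 'source-address X mask M' line."""
    blocks = parse_blocks(text)
    permitted = []
    for rule in policy_rules(blocks, "security-policy"):
        if "action permit" not in rule["lines"]:
            continue
        for ln in rule["lines"]:
            m = re.match(r"source-address (\S+) mask (\S+)$", ln)
            if m:
                permitted.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    for rule in policy_rules(blocks, "nat-policy"):
        for ln in rule["lines"]:
            m = re.match(r"source-address range (\S+) (\S+)$", ln)
            if m:
                lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
                if not any(lo in net and hi in net for net in permitted):
                    return False
    return True


if __name__ == "__main__":
    for finding in lint_zone_references(SAMPLE_CONFIG):
        print("finding:", finding)
    print("NAT range inside permitted networks:", nat_range_within_policy(SAMPLE_CONFIG))
```

Beyond the zone finding, nat_range_within_policy() confirms that 10.6.0.1 to 10.6.0.127 lies inside the 10.6.0.0/24 that trust_to_untrust permits. It does not flag that the range covers only half of that /24: hosts 10.6.0.128 to 10.6.0.254 would be permitted by the security policy yet leave the firewall untranslated. Whether that split is intended is a design question, not something the tool can decide.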
	 
Configure attack defense and application behavior control on the firewalls.
# Configure attack defense.

HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
# Configure application behavior control.

This function requires a license, and the corresponding component package must be loaded through the dynamic loading function before it can be used.

Create an application behavior control profile that blocks HTTP and FTP operations.

HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
Create a time range named working_hours.

HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range all
HRP_M[FWA-time-range-working_hours] quit
Configure security policy policy_sec_work, which references the time range working_hours and the application behavior control profile profile_app_work, to block HTTP and FTP operations during working hours.

HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
HRP_M[FWA-policy-security] quit
Verification
# Pinging shows that the private networks of headquarters and the branch can reach each other. External users cannot access the internal network. Internal employees can access the Internet but cannot play online games or watch online video.

Configuration files
FWA configuration file
#
sysname FWA
#
 hrp enable
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
 hrp mirror session enable
#
interface Eth-Trunk1
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 203.0.113.1 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 active
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range all
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 192.0.2.1 192.0.2.5
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
  profile app-control profile_app_work
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address range 10.6.0.1 10.6.0.127
  action source-nat address-group addressgroup1
#
return
FWB configuration file
#
sysname FWB
#
 hrp enable
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
 hrp mirror session enable
#
interface Eth-Trunk2
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 standby
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 2
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 2
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.4.0.2 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
 add interface Eth-Trunk2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range all
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 192.0.2.1 192.0.2.5
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
  profile app-control profile_app_work
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address range 10.6.0.1 10.6.0.127
  action source-nat address-group addressgroup1
#
return
Router configuration file
#
 sysname Router
#
interface Eth-Trunk40
 undo portswitch
 ip address 10.8.0.254 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/0/0
 eth-trunk 40
#
interface GigabitEthernet2/0/0
 eth-trunk 40
#
interface GigabitEthernet3/0/0
 ip address 10.7.0.1 255.255.255.0
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 10.7.0.0 0.0.0.255
  network 10.8.0.0 0.0.0.255
#
return
CORE configuration file
sysname CORE
#
router id 3.3.3.3
#
vlan batch 20 50
#
interface Vlanif20
 ip address 10.3.0.254 255.255.255.0
#
interface Vlanif50
 ip address 10.8.0.1 255.255.255.0
#
interface Eth-Trunk1
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk2
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk40
 port link-type trunk
 port trunk pvid vlan 50
 port trunk allow-pass vlan 50
 mode lacp
#
interface GigabitEthernet1/3/0/0
 eth-trunk 1
#
interface GigabitEthernet1/3/0/1
 eth-trunk 2
#
interface GigabitEthernet1/6/0/1
 eth-trunk 40
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface GigabitEthernet2/3/0/0
 eth-trunk 2
#
interface GigabitEthernet2/3/0/1
 eth-trunk 1
#
interface GigabitEthernet2/6/0/1
 eth-trunk 40
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.8.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return