
Huawei router and firewall network setup (configuring an IPsec VPN between sites on Huawei USG6000v firewalls)

Editor: 小蝶  Updated: 2022-12-07 17:26

Network topology diagram

Beijing site device configuration

AR1 basic configuration

sys
[AR1]inter g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 1.1.1.1 29
[AR1-GigabitEthernet0/0/1]quit
[AR1]inter g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 1.1.2.1 29
[AR1-GigabitEthernet0/0/2]quit
[AR1]inter loopb0
[AR1-LoopBack0]ip add 5.5.5.5 32
[AR1-LoopBack0]quit

FW1 basic configuration

sys
[FW1]inter g0/0/0
[FW1-GigabitEthernet0/0/0]ip add 192.168.7.100 24
[FW1-GigabitEthernet0/0/0]service-manage all per
[FW1-GigabitEthernet0/0/0]quit
[FW1]inter g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 1.1.1.2 29
[FW1-GigabitEthernet1/0/0]service-manage ping per
[FW1-GigabitEthernet1/0/0]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add inter g1/0/0
[FW1-zone-untrust]quit
[FW1]inter g1/0/6
[FW1-GigabitEthernet1/0/6]ip add 10.10.1.1 24
[FW1-GigabitEthernet1/0/6]service-manage ping per
[FW1-GigabitEthernet1/0/6]quit
[FW1]firewall zone trust
[FW1-zone-trust]add inter g1/0/6
[FW1-zone-trust]quit
[FW1]inter loopb0
[FW1-LoopBack0]ip add 9.9.9.9 32
[FW1-LoopBack0]quit

Configure OSPF as the interior routing protocol

[FW1]ospf 1 router-id 9.9.9.9
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]net 9.9.9.9 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]net 10.10.1.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]quit
[FW1-ospf-1]quit
[FW1]ip route-static 0.0.0.0 0.0.0.0 g1/0/0 1.1.1.1

Configure security policies (do not use any-to-any in a development environment)

[FW1]security-policy
[FW1-policy-security]rule name policy1
[FW1-policy-security-rule-policy1]source-zone trust
[FW1-policy-security-rule-policy1]destination-zone untrust
[FW1-policy-security-rule-policy1]act per
[FW1-policy-security-rule-policy1]quit
[FW1-policy-security]rule name policy2
[FW1-policy-security-rule-policy2]source-zone untrust
[FW1-policy-security-rule-policy2]destination-zone trust
[FW1-policy-security-rule-policy2]act per
[FW1-policy-security-rule-policy2]quit
[FW1-policy-security]rule name policy3
[FW1-policy-security-rule-policy3]source-zone local
[FW1-policy-security-rule-policy3]destination-zone untrust
[FW1-policy-security-rule-policy3]act per
[FW1-policy-security-rule-policy3]quit
[FW1-policy-security]rule name policy4
[FW1-policy-security-rule-policy4]source-zone untrust
[FW1-policy-security-rule-policy4]destination-zone local
[FW1-policy-security-rule-policy4]act per
[FW1-policy-security-rule-policy4]quit
[FW1-policy-security]quit

Configure the NAT policy

[FW1]nat-policy
[FW1-policy-nat]rule name easy_nat
[FW1-policy-nat-rule-easy_nat]source-zone trust
[FW1-policy-nat-rule-easy_nat]destination-zone untrust
[FW1-policy-nat-rule-easy_nat]act source-nat easy-ip
[FW1-policy-nat-rule-easy_nat]quit
[FW1-policy-nat]quit

Create an advanced ACL to identify the interesting traffic

[FW1]acl 3000
[FW1-acl-adv-3000]rule per ip so 10.10.1.0 0.0.0.255 destination 10.10.5.0 0.0.0.255
[FW1-acl-adv-3000]quit

Create the IPsec security proposal

[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[FW1-ipsec-proposal-tran1]esp encryption-algorithm aes-256
[FW1-ipsec-proposal-tran1]quit

Create IPsec policy P10

[FW1]ipsec policy P10 10 manual
[FW1-ipsec-policy-manual-P10-10]security acl 3000
[FW1-ipsec-policy-manual-P10-10]proposal tran1
[FW1-ipsec-policy-manual-P10-10]tunnel local 1.1.1.2
[FW1-ipsec-policy-manual-P10-10]tunnel remote 1.1.2.2
[FW1-ipsec-policy-manual-P10-10]sa spi inbound esp 654321
[FW1-ipsec-policy-manual-P10-10]sa string-key inbound esp P@ssw0rd
[FW1-ipsec-policy-manual-P10-10]sa spi outbound esp 123456
[FW1-ipsec-policy-manual-P10-10]sa string-key outbound esp P@ssw0rd
[FW1-ipsec-policy-manual-P10-10]quit
[FW1]inter g1/0/0
[FW1-GigabitEthernet1/0/0]ipsec policy P10
[FW1-GigabitEthernet1/0/0]quit

Configure the NAT exemption

[FW1]nat-policy
[FW1-policy-nat]rule name nat1
[FW1-policy-nat-rule-nat1]source-zone trust
[FW1-policy-nat-rule-nat1]destination-zone untrust
[FW1-policy-nat-rule-nat1]source-add 10.10.1.0 0.0.0.255
[FW1-policy-nat-rule-nat1]destination-add 10.10.5.0 0.0.0.255
[FW1-policy-nat-rule-nat1]action no-nat
[FW1-policy-nat-rule-nat1]quit
[FW1-policy-nat]rule move nat1 top

LSW1 basic configuration

[LSW1]vlan batch 100 200 300
[LSW1]inter vlan 100
[LSW1-Vlanif100]ip add 10.10.1.254 24
[LSW1-Vlanif100]quit
[LSW1]inter vlan 200
[LSW1-Vlanif200]ip add 10.10.2.254 24
[LSW1-Vlanif200]quit
[LSW1]inter vlan 300
[LSW1-Vlanif300]ip add 10.10.3.254 24
[LSW1-Vlanif300]quit
[LSW1]inter loopb0
[LSW1-LoopBack0]ip add 8.8.8.8 32
[LSW1-LoopBack0]quit

Configure OSPF as the interior routing protocol

[LSW1]ospf 1 router-id 8.8.8.8
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]net 8.8.8.8 0.0.0.0
[LSW1-ospf-1-area-0.0.0.0]net 10.10.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]net 10.10.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]net 10.10.3.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]quit
[LSW1-ospf-1]quit
[LSW1]inter g0/0/24
[LSW1-GigabitEthernet0/0/24]port link-ty ac
[LSW1-GigabitEthernet0/0/24]port de vlan 100
[LSW1-GigabitEthernet0/0/24]quit
[LSW1]inter g0/0/10
[LSW1-GigabitEthernet0/0/10]port link-ty ac
[LSW1-GigabitEthernet0/0/10]port de vlan 100
[LSW1-GigabitEthernet0/0/10]quit
[LSW1]inter g0/0/11
[LSW1-GigabitEthernet0/0/11]port link-ty ac
[LSW1-GigabitEthernet0/0/11]port de vlan 100
[LSW1-GigabitEthernet0/0/11]quit
[LSW1]inter g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-ty ac
[LSW1-GigabitEthernet0/0/1]port de vlan 200
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]inter g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-ty ac
[LSW1-GigabitEthernet0/0/2]port de vlan 300
[LSW1-GigabitEthernet0/0/2]quit
[LSW1]ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 10.10.1.1
[LSW1]dhcp enable
[LSW1]ip pool 200
[LSW1-ip-pool-200]ga 10.10.2.254
[LSW1-ip-pool-200]netw 10.10.2.0 mask 255.255.255.0
[LSW1-ip-pool-200]dns 1.1.1.1 2.2.2.2
[LSW1-ip-pool-200]excluded-ip-address 10.10.2.50 10.10.2.253
[LSW1-ip-pool-200]quit
[LSW1]inter vlan 200
[LSW1-Vlanif200]dhcp sel gl
[LSW1-Vlanif200]quit
[LSW1]ip pool 300
[LSW1-ip-pool-300]ga 10.10.3.254
[LSW1-ip-pool-300]netw 10.10.3.0 mask 255.255.255.0
[LSW1-ip-pool-300]dns 1.1.1.1 2.2.2.2
[LSW1-ip-pool-300]excluded-ip-address 10.10.3.50 10.10.3.253
[LSW1-ip-pool-300]quit
[LSW1]inter vlan 300
[LSW1-Vlanif300]dhcp sel gl

Shanghai site device configuration

FW2 basic configuration

sys
[FW2]inter g0/0/0
[FW2-GigabitEthernet0/0/0]ip add 192.168.7.150 24
[FW2-GigabitEthernet0/0/0]service-manage all per
[FW2-GigabitEthernet0/0/0]quit
[FW2]inter g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 1.1.2.2 29
[FW2-GigabitEthernet1/0/0]service-manage ping per
[FW2-GigabitEthernet1/0/0]quit
[FW2]firewall zone untrust
[FW2-zone-untrust]add inter g1/0/0
[FW2-zone-untrust]quit
[FW2]inter g1/0/6
[FW2-GigabitEthernet1/0/6]ip add 10.10.5.1 24
[FW2-GigabitEthernet1/0/6]service-manage ping per
[FW2-GigabitEthernet1/0/6]quit
[FW2]firewall zone trust
[FW2-zone-trust]add inter g1/0/6
[FW2-zone-trust]quit
[FW2]inter loopb0
[FW2-LoopBack0]ip add 4.4.4.4 32
[FW2-LoopBack0]quit

Configure OSPF as the interior routing protocol

[FW2]ospf 1 router-id 4.4.4.4
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]net 4.4.4.4 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]net 10.10.5.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0]quit
[FW2-ospf-1]quit
[FW2]ip route-static 0.0.0.0 0.0.0.0 g1/0/0 1.1.2.1

Configure security policies (do not use any-to-any in a development environment)

[FW2]security-policy
[FW2-policy-security]rule name policy1
[FW2-policy-security-rule-policy1]source-zone trust
[FW2-policy-security-rule-policy1]destination-zone untrust
[FW2-policy-security-rule-policy1]act per
[FW2-policy-security-rule-policy1]quit
[FW2-policy-security]rule name policy2
[FW2-policy-security-rule-policy2]source-zone untrust
[FW2-policy-security-rule-policy2]destination-zone trust
[FW2-policy-security-rule-policy2]act per
[FW2-policy-security-rule-policy2]quit
[FW2-policy-security]rule name policy3
[FW2-policy-security-rule-policy3]source-zone local
[FW2-policy-security-rule-policy3]destination-zone untrust
[FW2-policy-security-rule-policy3]act per
[FW2-policy-security-rule-policy3]quit
[FW2-policy-security]rule name policy4
[FW2-policy-security-rule-policy4]source-zone untrust
[FW2-policy-security-rule-policy4]destination-zone local
[FW2-policy-security-rule-policy4]act per
[FW2-policy-security-rule-policy4]quit
[FW2-policy-security]quit

Configure the NAT policy

[FW2]nat-policy
[FW2-policy-nat]rule name easy_nat
[FW2-policy-nat-rule-easy_nat]source-zone trust
[FW2-policy-nat-rule-easy_nat]destination-zone untrust
[FW2-policy-nat-rule-easy_nat]act source-nat easy-ip
[FW2-policy-nat-rule-easy_nat]quit
[FW2-policy-nat]quit

Create an advanced ACL to identify the interesting traffic

[FW2]acl 3000
[FW2-acl-adv-3000]rule per ip so 10.10.5.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
[FW2-acl-adv-3000]quit

Create the IPsec security proposal

[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha2-256
[FW2-ipsec-proposal-tran1]esp encryption-algorithm aes-256
[FW2-ipsec-proposal-tran1]quit

Create IPsec policy P10

[FW2]ipsec policy P10 10 manual
[FW2-ipsec-policy-manual-P10-10]security acl 3000
[FW2-ipsec-policy-manual-P10-10]proposal tran1
[FW2-ipsec-policy-manual-P10-10]tunnel local 1.1.2.2
[FW2-ipsec-policy-manual-P10-10]tunnel remote 1.1.1.2
[FW2-ipsec-policy-manual-P10-10]sa spi inbound esp 123456
[FW2-ipsec-policy-manual-P10-10]sa string-key inbound esp P@ssw0rd
[FW2-ipsec-policy-manual-P10-10]sa spi outbound esp 654321
[FW2-ipsec-policy-manual-P10-10]sa string-key outbound esp P@ssw0rd
[FW2-ipsec-policy-manual-P10-10]quit
[FW2]inter g1/0/0
[FW2-GigabitEthernet1/0/0]ipsec policy P10
[FW2-GigabitEthernet1/0/0]quit

Configure the NAT exemption

[FW2]nat-policy
[FW2-policy-nat]rule name nat1
[FW2-policy-nat-rule-nat1]source-zone trust
[FW2-policy-nat-rule-nat1]destination-zone untrust
[FW2-policy-nat-rule-nat1]source-add 10.10.5.0 0.0.0.255
[FW2-policy-nat-rule-nat1]destination-add 10.10.1.0 0.0.0.255
[FW2-policy-nat-rule-nat1]action no-nat
[FW2-policy-nat-rule-nat1]quit
[FW2-policy-nat]rule move nat1 top
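
A manual-mode IPsec policy has no IKE negotiation, so neither firewall reports a mismatch between the two ends; the tunnel just carries no traffic. The Python check below is an added example, not part of the original walkthrough: it parses both firewalls' command listings and verifies that tunnel endpoints, SPIs, keys and interesting-traffic ACLs mirror each other. The function names, the listings and the placeholder key are constructed for illustration.

```python
import re
# Constructed listings built from this walkthrough's addresses, SPIs and
# subnets; the key is a placeholder. FW1_COPIED reuses FW2's tunnel lines.
FW2 = """
[FW2-acl-adv-3000]rule per ip so 10.10.5.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
[FW2-ipsec-policy-manual-P10-10]tunnel local 1.1.2.2
[FW2-ipsec-policy-manual-P10-10]tunnel remote 1.1.1.2
[FW2-ipsec-policy-manual-P10-10]sa spi inbound esp 123456
[FW2-ipsec-policy-manual-P10-10]sa string-key inbound esp EXAMPLE-KEY
[FW2-ipsec-policy-manual-P10-10]sa spi outbound esp 654321
[FW2-ipsec-policy-manual-P10-10]sa string-key outbound esp EXAMPLE-KEY
"""
FW1_OK = """
[FW1-acl-adv-3000]rule permit ip source 10.10.1.0 0.0.0.255 destination 10.10.5.0 0.0.0.255
[FW1-ipsec-policy-manual-P10-10]tunnel local 1.1.1.2
[FW1-ipsec-policy-manual-P10-10]tunnel remote 1.1.2.2
[FW1-ipsec-policy-manual-P10-10]sa spi inbound esp 654321
[FW1-ipsec-policy-manual-P10-10]sa string-key inbound esp EXAMPLE-KEY
[FW1-ipsec-policy-manual-P10-10]sa spi outbound esp 123456
[FW1-ipsec-policy-manual-P10-10]sa string-key outbound esp EXAMPLE-KEY
"""
FW1_COPIED = FW1_OK.replace("local 1.1.1.2", "local 1.1.2.2").replace("remote 1.1.2.2", "remote 1.1.1.2")

def parse_side(cfg):
    """Extract the manual-SA parameters from one firewall's command listing."""
    side = {"acl": None, "spi": {}, "string-key": {}}
    for line in cfg.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]", "", line.strip())  # drop the "[FWx-...]" prompt
        if m := re.match(r"tunnel (local|remote) (\S+)", cmd):
            side[m[1]] = m[2]
        elif m := re.match(r"sa (spi|string-key) (inbound|outbound) esp (\S+)", cmd):
            side[m[1]][m[2]] = m[3]
        elif m := re.match(r"rule per\w* ip so\w* (\S+) (\S+) de\w* (\S+) (\S+)", cmd):
            side["acl"] = ((m[1], m[2]), (m[3], m[4]))  # (source, destination)
    return side

def mirror_errors(a, b):
    """Return the ways side a fails to mirror side b (empty list means consistent)."""
    errs = []
    if (a.get("local"), a.get("remote")) != (b.get("remote"), b.get("local")):
        errs.append("tunnel endpoints are not mirrored")
    for d, o in (("inbound", "outbound"), ("outbound", "inbound")):
        for field in ("spi", "string-key"):
            if a[field].get(d) != b[field].get(o):
                errs.append(f"{field} {d} does not match the peer's {o} value")
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        errs.append("interesting-traffic ACLs are not mirrored")
    return errs
print(mirror_errors(parse_side(FW1_COPIED), parse_side(FW2)))
```

The parser accepts both the abbreviated (`rule per ip so`) and full (`rule permit ip source`) command forms used in the listings.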

LSW2 basic configuration

[LSW2]vlan batch 100 200 300
[LSW2]inter vlan 100
[LSW2-Vlanif100]ip add 10.10.5.254 24
[LSW2-Vlanif100]quit
[LSW2]inter vlan 200
[LSW2-Vlanif200]ip add 10.10.6.254 24
[LSW2-Vlanif200]quit
[LSW2]inter vlan 300
[LSW2-Vlanif300]ip add 10.10.7.254 24
[LSW2-Vlanif300]quit
[LSW2]inter loopb0
[LSW2-LoopBack0]ip add 3.3.3.3 32
[LSW2-LoopBack0]quit

Configure OSPF as the interior routing protocol

[LSW2]ospf 1 router-id 3.3.3.3
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]net 3.3.3.3 0.0.0.0
[LSW2-ospf-1-area-0.0.0.0]net 10.10.5.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]net 10.10.6.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]net 10.10.7.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]quit
[LSW2-ospf-1]quit
[LSW2]inter g0/0/24
[LSW2-GigabitEthernet0/0/24]port link-ty ac
[LSW2-GigabitEthernet0/0/24]port de vlan 100
[LSW2-GigabitEthernet0/0/24]quit
[LSW2]inter g0/0/10
[LSW2-GigabitEthernet0/0/10]port link-ty ac
[LSW2-GigabitEthernet0/0/10]port de vlan 100
[LSW2-GigabitEthernet0/0/10]quit
[LSW2]inter g0/0/11
[LSW2-GigabitEthernet0/0/11]port link-ty ac
[LSW2-GigabitEthernet0/0/11]port de vlan 100
[LSW2-GigabitEthernet0/0/11]quit
[LSW2]inter g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-ty ac
[LSW2-GigabitEthernet0/0/1]port de vlan 200
[LSW2-GigabitEthernet0/0/1]quit
[LSW2]inter g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-ty ac
[LSW2-GigabitEthernet0/0/2]port de vlan 300
[LSW2-GigabitEthernet0/0/2]quit
[LSW2]ip route-static 0.0.0.0 0.0.0.0 Vlanif 100 10.10.5.1
[LSW2]dhcp enable
[LSW2]ip pool 200
[LSW2-ip-pool-200]ga 10.10.6.254
[LSW2-ip-pool-200]netw 10.10.6.0 mask 255.255.255.0
[LSW2-ip-pool-200]dns 1.1.1.1 2.2.2.2
[LSW2-ip-pool-200]excluded-ip-address 10.10.6.50 10.10.6.253
[LSW2-ip-pool-200]quit
[LSW2]inter vlan 200
[LSW2-Vlanif200]dhcp sel gl
[LSW2-Vlanif200]quit
[LSW2]ip pool 300
[LSW2-ip-pool-300]ga 10.10.7.254
[LSW2-ip-pool-300]netw 10.10.7.0 mask 255.255.255.0
[LSW2-ip-pool-300]dns 1.1.1.1 2.2.2.2
[LSW2-ip-pool-300]excluded-ip-address 10.10.7.50 10.10.7.253
[LSW2-ip-pool-300]quit
[LSW2]inter vlan 300
[LSW2-Vlanif300]dhcp sel gl
