Topology as in the figure: two firewalls in Layer 2 transparent mode. Access should still work normally even if asymmetric routing occurs. Looking for the relevant configuration documentation.
Best answer
I take your "Layer 2 asymmetric" to mean Layer 2 across two chassis. I don't recommend doing it that way; the recommended design is to run the firewalls as a Layer 3 deployment.
The relevant Layer 2 configuration is as follows.
(1)
<SW5560_1>
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ospf 64
 area 0.0.0.0
  network 10.1.255.68 0.0.0.3
  network 192.168.0.1 0.0.0.0
#
interface Route-Aggregation1
 ip address 10.1.255.69 255.255.255.252
 link-aggregation selected-port maximum 1
#
interface NULL0
#
interface LoopBack1
 ip address 192.168.0.1 255.255.255.255
#
interface GigabitEthernet1/0/12
 port link-mode route
 link-aggregation port-priority 10
 port link-aggregation group 1
#
interface GigabitEthernet1/0/13
 port link-mode route
 link-aggregation port-priority 100
 port link-aggregation group 1
(2)
<133_1060_IRF_1050>
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 10
irf member 2 priority 1
#
ip load-sharing local-first enable
#
vlan 100
#
vlan 1000
#
irf-port 1/2
 port group interface GigabitEthernet1/0/1
#
irf-port 2/1
 port group interface GigabitEthernet2/0/1
#
stp global enable
#
interface Bridge-Aggregation1
 port access vlan 100
 link-aggregation selected-port maximum 1
#
interface Bridge-Aggregation2
 port access vlan 100
 link-aggregation selected-port maximum 1
#
interface Vlan-interface1000
 mad bfd enable
 mad ip address 192.168.100.1 255.255.255.0 member 1
 mad ip address 192.168.100.2 255.255.255.0 member 2
#
interface GigabitEthernet1/0/13
 port link-mode bridge
 port access vlan 100
 link-aggregation port-priority 10
 port link-aggregation group 1
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 description ***bfd mad***
 port access vlan 1000
 undo stp enable
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 port access vlan 100
 link-aggregation port-priority 10
 port link-aggregation group 2
#
interface GigabitEthernet2/0/13
 port link-mode bridge
 port access vlan 100
 link-aggregation port-priority 100
 port link-aggregation group 1
#
interface GigabitEthernet2/0/15
 port link-mode bridge
 description ***bfd mad***
 port access vlan 1000
 undo stp enable
#
interface GigabitEthernet2/0/16
 port link-mode bridge
 port access vlan 100
 link-aggregation port-priority 100
 port link-aggregation group 2
#
object-policy ip Local-Trust
 rule 0 pass
#
object-policy ip Local-Untrust
 rule 0 pass
#
object-policy ip Management-Local
 rule 0 pass
#
object-policy ip Trust-Local
 rule 0 pass
#
object-policy ip Trust-Untrust
 rule 0 pass
#
object-policy ip Untrust-Local
 rule 0 pass
#
object-policy ip Untrust-Trust
 rule 0 pass
#
security-zone name Local
#
security-zone name Trust
 import interface Vlan-interface1000
 import interface Bridge-Aggregation1 vlan 100
 import interface GigabitEthernet1/0/13 vlan 100
 import interface GigabitEthernet2/0/13 vlan 100
#
security-zone name DMZ
#
security-zone name Untrust
 import interface Bridge-Aggregation2 vlan 100
 import interface GigabitEthernet1/0/16 vlan 100
 import interface GigabitEthernet2/0/16 vlan 100
#
security-zone name Management
 import interface GigabitEthernet1/0/0
#
zone-pair security source Local destination Trust
 object-policy apply ip Local-Trust
#
zone-pair security source Local destination Untrust
 object-policy apply ip Local-Untrust
#
zone-pair security source Management destination Local
 object-policy apply ip Management-Local
#
zone-pair security source Trust destination Local
 object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Untrust
 object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Local
 object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
 object-policy apply ip Untrust-Trust
#
redundancy group 2
 node 1
  bind slot 1
  priority 100
  track 9 interface GigabitEthernet1/0/13
  track 10 interface GigabitEthernet1/0/16
  node-member interface GigabitEthernet1/0/13
  node-member interface GigabitEthernet1/0/16
 node 2
  bind slot 2
  priority 50
  track 7 interface GigabitEthernet2/0/13
  track 8 interface GigabitEthernet2/0/16
  node-member interface GigabitEthernet2/0/13
  node-member interface GigabitEthernet2/0/16
#
session statistics enable
session synchronization enable
#
track 7 interface GigabitEthernet2/0/13 physical
track 8 interface GigabitEthernet2/0/16 physical
track 9 interface GigabitEthernet1/0/13 physical
track 10 interface GigabitEthernet1/0/16 physical
(3)
<SW6800_IRF>
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 10
irf member 2 priority 1
irf mode normal
#
ospf 64
 area 0.0.0.0
  network 10.1.255.68 0.0.0.3
  network 192.168.0.2 0.0.0.0
#
vlan 581
#
vlan 3000
#
irf-port 1/2
 port group interface Ten-GigabitEthernet1/1/1
#
irf-port 2/1
 port group interface Ten-GigabitEthernet2/1/1
#
interface Bridge-Aggregation2
 description ithi
 port access vlan 581
 link-aggregation selected-port maximum 1
#
interface LoopBack1
 ip address 192.168.0.2 255.255.255.255
#
interface Vlan-interface581
 description to fw-1
 ip address 10.1.255.70 255.255.255.252
 ospf bfd enable
 bfd min-transmit-interval 500
 bfd min-receive-interval 500
#
interface Vlan-interface3000
 mad bfd enable
 mad ip address 192.168.2.1 255.255.255.0 member 1
 mad ip address 192.168.2.2 255.255.255.0 member 2
#
interface M-GigabitEthernet0/0/0
 ip address 192.168.218.135 255.255.255.0
#
interface Ten-GigabitEthernet1/1/2
 port link-mode bridge
 description bfd mad
 port access vlan 3000
 undo stp enable
#
interface Ten-GigabitEthernet1/1/3
 port link-mode bridge
 port access vlan 581
 link-aggregation port-priority 10
 port link-aggregation group 2
#
interface Ten-GigabitEthernet2/1/2
 port link-mode bridge
 description bfd mad
 port access vlan 3000
 undo stp enable
#
interface Ten-GigabitEthernet2/1/3
 port link-mode bridge
 port access vlan 581
 link-aggregation port-priority 100
 port link-aggregation group 2
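As an added example (not part of the original post and not an H3C tool), the following Python script lints the firewall configuration in (2) for the settings that decide how this two-node transparent design behaves: object policies that consist only of `rule 0 pass` (a rule with no match conditions permits every flow on its zone-pair, which is what a pure pass-through needs but should be a deliberate choice), zone-pairs with no policy applied or a policy that is not defined, redundancy-group node members without a matching `track` and node `track` references with no global definition, and the absence of `session synchronization enable`, without which the peer node has no session entry for return traffic that lands on it. The embedded sample is an excerpt of the posted config; the finding codes (`PERMIT_ANY`, `NO_SESSION_SYNC`, etc.) and function names are this script's own.

```python
"""Lint an H3C Comware firewall config for the settings that decide whether a two-node,
Layer 2 transparent firewall pair handles asymmetric flows safely (added example)."""
import re
from typing import Dict, List, Tuple

# Excerpt of firewall configuration "(2)" from the answer, embedded as the sample input.
SAMPLE_CONFIG = """\
object-policy ip Trust-Untrust
 rule 0 pass
#
zone-pair security source Trust destination Untrust
 object-policy apply ip Trust-Untrust
#
redundancy group 2
 node 1
  track 9 interface GigabitEthernet1/0/13
  track 10 interface GigabitEthernet1/0/16
  node-member interface GigabitEthernet1/0/13
  node-member interface GigabitEthernet1/0/16
 node 2
  track 7 interface GigabitEthernet2/0/13
  track 8 interface GigabitEthernet2/0/16
  node-member interface GigabitEthernet2/0/13
  node-member interface GigabitEthernet2/0/16
#
session synchronization enable
#
track 7 interface GigabitEthernet2/0/13 physical
track 8 interface GigabitEthernet2/0/16 physical
track 9 interface GigabitEthernet1/0/13 physical
track 10 interface GigabitEthernet1/0/16 physical
"""

Finding = Tuple[str, str]  # (finding code, detail); the codes are this script's own names
TRACK_RE = re.compile(r"track (\d+) interface (\S+)")


def split_sections(text: str) -> List[List[str]]:
    """Split a Comware configuration on its '#' separator lines; stripped lines per section."""
    chunks = re.split(r"^[ \t]*#[ \t]*$", text, flags=re.M)
    sections = [[ln.strip() for ln in c.splitlines() if ln.strip()] for c in chunks]
    return [s for s in sections if s]


def lint(text: str) -> List[Finding]:
    """Report permit-any policies, unpoliced zone-pairs, tracking gaps and missing session sync."""
    policies: Dict[str, List[str]] = {}
    zone_pairs: List[Tuple[str, str, List[str]]] = []
    nodes: Dict[str, dict] = {}       # node id -> {"tracks": [(id, iface)], "members": [iface]}
    track_defs: Dict[str, str] = {}   # globally defined track id -> interface
    session_sync = False

    for sec in split_sections(text):
        head = sec[0]
        if head.startswith("object-policy ip "):
            policies[head.split()[2]] = [ln for ln in sec[1:] if ln.startswith("rule ")]
        elif m := re.match(r"zone-pair security source (\S+) destination (\S+)", head):
            applied = [ln.split()[-1] for ln in sec[1:] if ln.startswith("object-policy apply ip ")]
            zone_pairs.append((m.group(1), m.group(2), applied))
        elif head.startswith("redundancy group "):
            node = None
            for ln in sec[1:]:
                if ln.startswith("node "):
                    node = ln.split()[1]
                    nodes[node] = {"tracks": [], "members": []}
                elif node and (m := TRACK_RE.match(ln)):
                    nodes[node]["tracks"].append((m.group(1), m.group(2)))
                elif node and ln.startswith("node-member interface "):
                    nodes[node]["members"].append(ln.split()[-1])
        else:
            for ln in sec:
                if ln == "session synchronization enable":
                    session_sync = True  # lets the peer node see sessions built on this one
                elif m := TRACK_RE.match(ln):
                    track_defs[m.group(1)] = m.group(2)

    findings: List[Finding] = []
    # "rule N pass" with no match conditions allows every flow on the zone-pair.
    for name, rules in policies.items():
        if rules and all(re.fullmatch(r"rule \d+ pass", r) for r in rules):
            findings.append(("PERMIT_ANY", name))
    for src, dst, applied in zone_pairs:
        if not applied:
            findings.append(("NO_POLICY", f"{src}->{dst}"))
        findings.extend(("UNDEFINED_POLICY", f"{src}->{dst}:{p}") for p in applied if p not in policies)
    for node, info in nodes.items():
        tracked = {iface for _, iface in info["tracks"]}
        findings.extend(("MISSING_TRACK", f"node {node}: track {tid}")
                        for tid, _ in info["tracks"] if tid not in track_defs)
        findings.extend(("UNTRACKED_MEMBER", f"node {node}: {iface}")
                        for iface in info["members"] if iface not in tracked)
    if not session_sync:
        findings.append(("NO_SESSION_SYNC", "session synchronization enable is absent"))
    return findings
```

Run against the posted excerpt it reports only the permit-any policy, which is expected for a transparent pass-through; the other checks fire when a `track` definition, a node's `track` reference or the session-synchronization line is removed, which is the kind of drift that silently turns a redundant pair into one that drops half of an asymmetric flow.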
Mm-hm, yes.