组网说明:
本案例采用H3C HCL模拟器的F1060防火墙来模拟防火墙路由模式的典型部署。为了实现PC之间能够相互通信,因此需要分别在FW、FW2采用三层互联,同时FW1、FW2采用路由模式,最终实现PC之间能够相互PING通。
1、按照网络拓扑图正确配置IP地址
2、FW1、FW2建立OSPF邻居关系,为建立IBGP邻居关系奠定基础。
3、FW1、FW2建立IBGP邻居关系
FW1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW1
[FW1]acl basic 2002
[FW1-acl-ipv4-basic-2002]rule 0 permit source any
[FW1-acl-ipv4-basic-2002]quit
[FW1]
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2002
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2002
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]
[FW1]zone-pair security source trust destination local
[FW1-zone-pair-security-Trust-Local]packet-filter 2002
[FW1-zone-pair-security-Trust-Local]quit
[FW1]
[FW1]zone-pair security source local destination trust
[FW1-zone-pair-security-Local-Trust]packet-filter 2002
[FW1-zone-pair-security-Local-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]packet-filter 2002
[FW1-zone-pair-security-Untrust-Local]quit
[FW1]
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]packet-filter 2002
[FW1-zone-pair-security-Local-Untrust]quit
[FW1]
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2002
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2002
[FW1-zone-pair-security-Untrust-Untrust]quit
[FW1]int loopback 0
[FW1-LoopBack0]ip address 1.1.1.1 32
[FW1-LoopBack0]quit
[FW1]int gi 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 192.168.1.1 24
[FW1-GigabitEthernet1/0/2]quit
[FW1]int gi 1/0/3
[FW1-GigabitEthernet1/0/3]des <connect to FW2>
[FW1-GigabitEthernet1/0/3]ip address 10.0.0.1 30
[FW1-GigabitEthernet1/0/3]quit
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/2
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/3
[FW1-security-zone-Untrust]import interface LoopBack 0
[FW1-security-zone-Untrust]quit
[FW1]ospf 1 router-id 1.1.1.1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]quit
[FW1-ospf-1]quit
[FW1]bgp 100
[FW1-bgp-default]router-id 1.1.1.1
[FW1-bgp-default]peer 2.2.2.2 as-number 100
[FW1-bgp-default]peer 2.2.2.2 connect-interface LoopBack 0
[FW1-bgp-default]address-family ipv4 unicast
[FW1-bgp-default-ipv4]peer 2.2.2.2 enable
[FW1-bgp-default-ipv4]network 192.168.1.0 255.255.255.0
[FW1-bgp-default-ipv4]quit
[FW1-bgp-default]quit
FW2:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW2
[FW2]acl basic 2002
[FW2-acl-ipv4-basic-2002]rule 0 permit source any
[FW2-acl-ipv4-basic-2002]quit
[FW2]
[FW2]zone-pair security source trust destination untrust
[FW2-zone-pair-security-Trust-Untrust]packet-filter 2002
[FW2-zone-pair-security-Trust-Untrust]quit
[FW2]
[FW2]zone-pair security source untrust destination trust
[FW2-zone-pair-security-Untrust-Trust]packet-filter 2002
[FW2-zone-pair-security-Untrust-Trust]quit
[FW2]
[FW2]zone-pair security source trust destination local
[FW2-zone-pair-security-Trust-Local]packet-filter 2002
[FW2-zone-pair-security-Trust-Local]quit
[FW2]
[FW2]zone-pair security source local destination trust
[FW2-zone-pair-security-Local-Trust]packet-filter 2002
[FW2-zone-pair-security-Local-Trust]quit
[FW2]
[FW2]zone-pair security source untrust destination local
[FW2-zone-pair-security-Untrust-Local]packet-filter 2002
[FW2-zone-pair-security-Untrust-Local]quit
[FW2]
[FW2]zone-pair security source local destination untrust
[FW2-zone-pair-security-Local-Untrust]packet-filter 2002
[FW2-zone-pair-security-Local-Untrust]quit
[FW2]
[FW2]zone-pair security source trust destination trust
[FW2-zone-pair-security-Trust-Trust]packet-filter 2002
[FW2-zone-pair-security-Trust-Trust]quit
[FW2]
[FW2]zone-pair security source untrust destination untrust
[FW2-zone-pair-security-Untrust-Untrust]packet-filter 2002
[FW2-zone-pair-security-Untrust-Untrust]quit
[FW2]int loopback 0
[FW2-LoopBack0]ip address 2.2.2.2 32
[FW2-LoopBack0]quit
[FW2]int gi 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 172.16.1.1 24
[FW2-GigabitEthernet1/0/2]quit
[FW2]int gi 1/0/3
[FW2-GigabitEthernet1/0/3]des <connect to FW1>
[FW2-GigabitEthernet1/0/3]ip address 10.0.0.2 30
[FW2-GigabitEthernet1/0/3]quit
[FW2]security-zone name Trust
[FW2-security-zone-Trust]import interface GigabitEthernet 1/0/2
[FW2-security-zone-Trust]quit
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface GigabitEthernet 1/0/3
[FW2-security-zone-Untrust]import interface LoopBack 0
[FW2-security-zone-Untrust]quit
[FW2]ospf 1 router-id 2.2.2.2
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]quit
[FW2-ospf-1]quit
[FW2]bgp 100
[FW2-bgp-default]router-id 2.2.2.2
[FW2-bgp-default]peer 1.1.1.1 as-number 100
[FW2-bgp-default]peer 1.1.1.1 connect-interface LoopBack 0
[FW2-bgp-default]address-family ipv4 unicast
[FW2-bgp-default-ipv4]peer 1.1.1.1 enable
[FW2-bgp-default-ipv4]network 172.16.1.0 255.255.255.0
[FW2-bgp-default-ipv4]quit
[FW2-bgp-default]quit
测试:
PC都填写IP地址:
PC之间可以相互PING通:
分别查看FW1、FW2的BGP邻居信息:
分别查看FW1、FW2的路由表:
至此,F1060路由模式典型组网配置案例10(IBGP)已完成!
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作