Network Security Lab 06: Deploying Firewall Active/Standby Hot Standby (Two-Node Redundancy) to Improve Network Reliability

2024-04-19 10:01:39

It is recommended to view this on a computer; some of the code may not display correctly on a phone.

Username: admin

Password: Admin@123

New password: Huawei@123

Step 1: Configure the basic network parameters of the firewalls

(1) Configure the firewall interface IP addresses

Firewall A

interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.3.0.2 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.10.0.1 255.255.255.252

Firewall B (here you can simply edit Firewall A's configuration and paste it into Firewall B to run)

interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.3 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.3.0.3 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.10.0.2 255.255.255.252

(2) Add the interfaces to security zones

Firewall A

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3

Firewall B

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3

(3) Configure the default route

Firewalls A and B

ip route-static 0.0.0.0 0 1.1.1.10

Step 2: Configure hot standby in active/standby backup mode

(1) Configure the VRRP backup groups (Firewall A is set to active, Firewall B to standby)

Firewall A

interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.1 active

Firewall B (note that its real interface addresses are 10.2.0.3 and 10.3.0.3 from step 1; only the virtual IP is shared with Firewall A)

interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.3.0.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.1 standby

(2) Specify the heartbeat interface and enable hot standby

Firewall A

hrp interface GigabitEthernet 1/0/3 remote 10.10.0.2
hrp enable

Firewall B

hrp interface GigabitEthernet 1/0/3 remote 10.10.0.1
hrp enable
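
Before `hrp enable` is issued on both nodes it is worth checking the two configurations against each other, because the paste-from-A workflow suggested in step 1 makes one mistake very easy: Firewall B keeps Firewall A's real interface addresses, so both nodes answer on the same IP while VRRP and HRP still look correctly configured. The script below is an added example, not part of the original lab and not a Huawei tool. It parses only the USG CLI lines used in steps 1 and 2 (`interface`, `ip address`, `vrrp vrid`, `hrp interface`; the mask after the virtual IP is optional, as the lab's own two VRRP lines show, and `GigabitEthernet 1/0/3` is normalised to `GigabitEthernet1/0/3`), then checks that each shared interface has different real addresses in one subnet, that each node's `hrp ... remote` address is the peer's heartbeat interface address, and that every VRRP group has the same virtual IP on the same interface with exactly one active and one standby node. `FW_A` and `FW_B` are built from this lab's values; `FW_B_PASTED` and `FW_B_BOTH_ACTIVE` are constructed faulty variants.

```python
# Added example: consistency checks for a Huawei USG active/standby pair (HRP + VRRP).
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IFACE_RE = re.compile(r"^interface (\S+)$")
IP_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\d+\.\d+\.\d+\.\d+)(?: \d+\.\d+\.\d+\.\d+)? (active|standby)$")
HRP_RE = re.compile(r"^hrp interface (.+?) remote (\d+\.\d+\.\d+\.\d+)$")


@dataclass
class FwConfig:
    name: str
    interfaces: Dict[str, ipaddress.IPv4Interface] = field(default_factory=dict)
    vrrp: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)  # vrid -> (vip, role, iface)
    hrp_interface: Optional[str] = None
    hrp_remote: Optional[str] = None


def parse_config(name: str, text: str) -> FwConfig:
    """Extract real addresses, VRRP groups and the HRP heartbeat from USG CLI text."""
    cfg, current = FwConfig(name), None  # current = interface view we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # '#' closes the current view
            current = None
        elif m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := IP_RE.match(line)) and current:
            cfg.interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := VRRP_RE.match(line)) and current:
            cfg.vrrp[int(m.group(1))] = (m.group(2), m.group(3), current)
        elif m := HRP_RE.match(line):
            # "GigabitEthernet 1/0/3" and "GigabitEthernet1/0/3" name the same port
            cfg.hrp_interface, cfg.hrp_remote = m.group(1).replace(" ", ""), m.group(2)
    return cfg


def check_pair(a: FwConfig, b: FwConfig) -> List[str]:
    """Return findings for the pair; an empty list means the two nodes are consistent."""
    findings: List[str] = []
    # 1. Real addresses: different on each node, but in one subnet per interface.
    for ifname in sorted(set(a.interfaces) & set(b.interfaces)):
        ia, ib = a.interfaces[ifname], b.interfaces[ifname]
        if ia.ip == ib.ip:
            findings.append(f"{ifname}: both nodes use {ia.ip} (duplicate real address)")
        elif ia.network != ib.network:
            findings.append(f"{ifname}: {ia} and {ib} are not in the same subnet")
    # 2. Heartbeat: each node's 'remote' must be the peer's heartbeat interface address.
    for local, peer in ((a, b), (b, a)):
        peer_hb = peer.interfaces.get(peer.hrp_interface or "")
        if peer_hb is None or str(peer_hb.ip) != local.hrp_remote:
            findings.append(f"{local.name}: hrp remote {local.hrp_remote} is not {peer.name}'s heartbeat address")
    # 3. VRRP: same groups on the same interface with the same VIP, one active and one standby.
    for vrid in sorted(set(a.vrrp) | set(b.vrrp)):
        if vrid not in a.vrrp or vrid not in b.vrrp:
            findings.append(f"vrid {vrid}: configured on only one node")
            continue
        (vip_a, role_a, if_a), (vip_b, role_b, if_b) = a.vrrp[vrid], b.vrrp[vrid]
        if (vip_a, if_a) != (vip_b, if_b):
            findings.append(f"vrid {vrid}: {if_a}/{vip_a} on {a.name} vs {if_b}/{vip_b} on {b.name}")
        if {role_a, role_b} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles {role_a}/{role_b}, expected one active and one standby")
    return findings


# Sample configurations constructed from this lab's values (steps 1 and 2 combined).
FW_A = """
interface GigabitEthernet1/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet1/0/2
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.1 active
#
interface GigabitEthernet1/0/3
 ip address 10.10.0.1 255.255.255.252
#
hrp interface GigabitEthernet 1/0/3 remote 10.10.0.2
"""
# Firewall B as the lab intends: A's text with its own real addresses, role and peer.
FW_B = (FW_A.replace("10.2.0.2", "10.2.0.3").replace("10.3.0.2", "10.3.0.3").replace(" active", " standby")
        .replace("10.10.0.1 255", "10.10.0.2 255").replace("remote 10.10.0.2", "remote 10.10.0.1"))
# Constructed faulty variants: A's block pasted into B unchanged, and both nodes declared active.
FW_B_PASTED = FW_B.replace("10.2.0.3", "10.2.0.2").replace("10.3.0.3", "10.3.0.2")
FW_B_BOTH_ACTIVE = FW_B.replace("standby", "active")


def audit(text_a: str, text_b: str) -> List[str]:
    return check_pair(parse_config("FW-A", text_a), parse_config("FW-B", text_b))


if __name__ == "__main__":
    for label, text_b in (("as intended", FW_B), ("pasted", FW_B_PASTED), ("both active", FW_B_BOTH_ACTIVE)):
        print(label, "->", audit(FW_A, text_b) or "no findings")
```

Run it with the two `display current-configuration` outputs saved to text files and passed to `audit()`; the intended pair yields no findings, the pasted variant reports a duplicate real address on GigabitEthernet1/0/1 and 1/0/2, and the both-active variant reports both VRRP groups with roles active/active.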

Step 3: Configure the security policy (configure only on Firewall A; the policy is automatically backed up to Firewall B)

security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit

Step 4: Configure NAT (configure only on Firewall A; the configuration is automatically backed up to Firewall B)

(1) Configure the NAT address pool

nat address-group group01 0
 mode pat
 route enable
 section 0 1.1.1.11 1.1.1.20

(2) Configure the NAT policy

nat-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action source-nat address-group group01

Step 5: Configure the router

(1) Configure the interface IP addresses of router R1

interface GigabitEthernet0/0/0
 ip address 1.1.1.10 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255

(2) Configure the static route back to the intranet

ip route-static 10.3.0.0 24 1.1.1.1

Step 6: Configure the switches and intranet terminals

(1) Configure the switch VLANs

Switch 1 (VLAN 3)

vlan batch 3

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 3
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 3

Switch 2 (VLAN 2)

vlan batch 2

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2

(2) Configure the network parameters of the intranet hosts
