溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
1、案例拓撲圖(其中AR2和FW啟用ospf協議)
2、核心設備AR2的主要配置
2.1
AR2
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255 //匹配需要過濾的路由
#
traffic classifier liu operator or
if-match acl 2000
#
traffic behavior liu
redirect ip-nexthop 2.1.1.6
#
traffic policy liu
classifier liu behavior liu
interface GigabitEthernet0/0/0
ip address 1.1.1.5 255.255.255.252
traffic-policy liu inbound //策略應用在數據的入方向
2.2
關鍵點,困擾了我很久(如果不下發默認路由,會導致兩個ospf進程,相互學習不到對方的業務地址)
ospf 1
default-route-advertise always //都要下發一條默認路由
ospf 2
default-route-advertise always //都要下發一條默認路由
3、防火墻關鍵配置
3.1
安全策略
#
security-policy
rule name trust-local
source-zone trust
destination-zone local
action permit
rule name local-trust
source-zone local
destination-zone trust
action permit
rule name untrust-local
source-zone untrust
destination-zone local
action permit
rule name local-untrust
source-zone local
destination-zone untrust
action permit
rule name pc-server
source-address 192.168.1.1 mask 255.255.255.255
destination-address 10.1.1.1 mask 255.255.255.255
action permit
3.2
防火墻接口安全區域
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
4、驗證pc1---> server 是否經過防火墻
查看防火墻的session table
防火墻上查看session列表,說明策略生效
<FW01>display firewall session table
2019-04-04 14:48:43.930
Current Total Sessions : 6
icmp ×××: public --> public 192.168.1.1:18713 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:20249 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:19225 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:19993 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:18969 --> 10.1.1.1:2048
icmp ×××: public --> public 192.168.1.1:19481 --> 10.1.1.1:2048
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
