好物优选点击查看详情 京东购买

暂无内容

V7防火墙三层旁路部署(VRF方式)

Ps:内网以vlan 10为例,其他内网网段配置过程一样

一、出口路由器配置

<H3C>system-view

[H3C]sysname Router

[Router]

#配置下行接口IP地址

[Router]inter GigabitEthernet 0/1

[Router-GigabitEthernet0/1]ip address 10.0.12.1 30

[Router-GigabitEthernet0/1]qu

[Router]

#配置内网网段的回程路由,下一跳为核心交换机与路由器互联接口的地址

[Router]ip route-static 10.10.24.0 24 10.0.12.2

       #保存配置

        Router]save force

        Validating file. Please wait…

  Configuration is saved to device successfully.

 

二、汇聚交换机配置

<H3C>system-view

[H3C]sysname L2 SW

[L2 SW]

#创建业务vlan10

[L2 SW]vlan 10

[L2 SW-vlan10]quit

[L2 SW]

#配置上行接口为trunk模式,允许vlan10通过,禁止vlan1通过(非必配)

[L2 SW]inter GigabitEthernet 1/0/2

[L2 SW-GigabitEthernet1/0/2]port trunk permit vlan 10

[L2 SW-GigabitEthernet1/0/2]undo port trunk permit vlan 1

[L2 SW-GigabitEthernet1/0/2]qu

[L2 SW]

#保存配置

       [L2 SW]save force

       Validating file. Please wait…

 Saved the current configuration to mainboard device successfully.

 

三、核心交换机配置

<H3C>system-view

#创建VRF,名称为tofw

[Core]ip vpn-instance tofw

[Core-vpn-instance-tofw]qu

[Core]

#创建业务vlan10

[Core]vlan 10

[Core-vlan10]qu

[Core]

#配置连接汇聚交换机的接口为trunk模式,允许vlan10通过,禁止vlan1通过(非必配)

[Core]inter GigabitEthernet 1/0/2

[Core-GigabitEthernet1/0/2]port link-type trunk

[Core-GigabitEthernet1/0/2]port trunk permit vlan 10

[Core-GigabitEthernet1/0/2]undo port trunk permit vlan 1

[Core-GigabitEthernet1/0/2]qu

[Core]

#创建vlan-interface 10作为业务网关,地址为10.10.24.1/24

[Core]inter vlan 10

[Core-Vlan-interface10]ip address 10.10.24.1 24

[Core-Vlan-interface10]qu

[Core]

#配置连接防火墙的第一个接口为三层模式,地址为10.0.23.1/30,这个接口作为内网流量出交换机进入防火墙的接口

[Core]inter GigabitEthernet 1/0/3

[Core-GigabitEthernet1/0/3]port link-mode route

[Core-GigabitEthernet1/0/3]ip address 10.0.23.1 30

[Core-GigabitEthernet1/0/3]qu

[Core]

#配置连接防火墙的第二个接口为三层模式,绑定此前创建的VRF,地址为10.0.23.5/30,这个接口作为内网流量从防火墙进入交换机的接口

[Core]inter GigabitEthernet 1/0/4

[Core-GigabitEthernet1/0/4]port link-mode route

[Core-GigabitEthernet1/0/4]ip binding vpn-instance tofw

Some configurations on the interface are removed.

#三层接口绑定VRF后,原有的IP等会被删除掉,因此要先绑定VRF,再配置IP地址

[Core-GigabitEthernet1/0/4]ip address 10.0.23.5 30

[Core-GigabitEthernet1/0/4]qu

[Core]

#配置连接上行路由器的接口为三层模式,绑定此前创建的VRF,配置地址为10.0.12.2/30

[Core]inter GigabitEthernet 1/0/1

[Core-GigabitEthernet1/0/1]port link-mode route

[Core-GigabitEthernet1/0/1]ip binding vpn-instance tofw

Some configurations on the interface are removed.

[Core-GigabitEthernet1/0/1]ip address 10.0.12.2 30

[Core-GigabitEthernet1/0/1]qu

[Core]

 

#为了保证防火墙任意链路故障交换机可以快速感知到,配置NQA来检测链路状态

#创建一个管理员名为fwprobe,测试操作标签为mainNQA测试组

[Core]nqa entry fwprobe main

#测试类型为ICMP-echo

[Core-nqa-fwprobe-main]type icmp-echo

#探测的目的地址是10.0.23.6

[Core-nqa-fwprobe-main-icmp-echo] destination ip 10.0.23.6

#探测时间间隔为1000ms

[Core-nqa-fwprobe-main-icmp-echo] frequency 1000

#配置探测报文的下一跳地址为10.0.23.2,这样做有一个好处,就是一个探测组即可同时完成两条链路的探测

[Core-nqa-fwprobe-main-icmp-echo] next-hop ip 10.0.23.2

#探测的超时时间为500ms                               

[Core-nqa-fwprobe-main-icmp-echo] probe timeout 500

#配置序号为1的联动项,连续探测失败5次,触发其他模块联动

[Core-nqa-fwprobe-main-icmp-echo] reaction 1 checked-element probe-fail thresho

ld-type consecutive 5 action-type trigger-only

[Core-nqa-fwprobe-main-icmp-echo]quit

[Core]

#配置立即启动管理员名称为fwprobe,标签为main的测试组一直进行测试

[Core] nqa schedule fwprobe main start-time now lifetime forever

[Core]

#配置track1NQA测试组fwprobe main关联

[Core]track 1 nqa entry fwprobe main reaction 1

[Core-track-1]quit

[Core]

#配置默认路由指向防火墙,同时与track1联动,即NQA探测链路正常时这条路由生效,探测失败(FW与核心交换机互联的任意链路故障)时路由失效

[Core]ip route-static 0.0.0.0 0 10.0.23.2 track 1 description tofw

[Core]

#为了保证在防火墙故障时,交换机还可以正常将流量转发到出口服务器,配置一条优先级为70(优先级小于上一条)的默认路由,直接指向出口路由器

ption backup

[Core]

#正向流量从防火墙的G1/0/4口回到交换机的G1/0/4时,流量属于tofw这个VRF,为了保证流量可以正常转发到出口路由器,为VRF:tofw增加一条默认路由指向出口路由器

[Core]ip route-static vpn-instance tofw 0.0.0.0 0 10.0.12.1

[Core]

#回程流量从出口路由器的G0/0口回到交换机的G1/0/1时,流量属于tofw这个VRF,为了保证回程流量可以继续原路返回到防火墙,为VRF:tofw增加一条明细路由指向防火墙,同时也和track1联动,当NQA探测失败(FW与核心交换机互联的任意链路故障),这条路由失效

[Core]ip route-static vpn-instance tofw 10.10.24.0 24 10.0.23.6 track 1

[Core]

#为了防止防火墙与核心交换机的任意互联链路故障,回程流量无法正常发送到内网,所以需要保证在故障场景,VRF:tofw中有到内网网段的路由,下面通过路由复制+EAA策略的方式来实现故障期间复制缺省public实例的内网路由,非故障期间使用手动的静态路由

#配置一个名为backup地址前缀列表,用于过滤只让VRF:tofw学习到的路由,比如10.10.24.0/2410.20.24.0/24

[Core]ip prefix-list backup index 10 permit 10.10.24.0 24

[Core]ip prefix-list backup index 15 permit 10.20.24.0 24

#配置名为backup的路由策略(路由策略名称可以跟前缀列表名称不一致),用来匹配上面定义的前缀列表

[Core]route-policy backup permit node 10

[Core-route-policy-backup-10]if-match ip address prefix-list backup

[Core-route-policy-backup-10]qu

[Core]

#配置名为backupEAA策略,当track1检测失败,即FW与核心交换机任意链路故障时,配置路由复制,学习内网网段路由

[Core]rtm cli-policy backup

[Core-rtm-backup]event track 1 state negative

[Core-rtm-backup]action 0 cli system-view

[Core-rtm-backup]action 1 cli ip vpn-instance tofw

[Core-rtm-backup]action 2 cli address-family ipv4

policy backup

[Core-rtm-backup]action 4 cli save f

[Core-rtm-backup]user-role network-admin

[Core-rtm-backup]commit

[Core-rtm-backup]quit

[Core]

#配置名为DelbackupEAA策略,当track1检测恢复,即FW与核心交换机所有链路故障恢复时,取消路由复制,发往内网的回程流量还是走静态路由回防火墙

[Core]rtm cli-policy Delbackup

[Core-rtm-Delbackup]event track 1 state positive

[Core-rtm-Delbackup]action 0 cli system-view

[Core-rtm-Delbackup]action 1 cli ip vpn-instance tofw

[Core-rtm-Delbackup]action 2 cli undo address-family ipv4

[Core-rtm-Delbackup]action 3 cli save f

[Core-rtm-Delbackup]user-role network-admin

[Core-rtm-Delbackup]commit

[Core-rtm-Delbackup]quit

[Core]

#保存当前配置

[Core]save force

Validating file. Please wait…

Saved the current configuration to mainboard device successfully.

 

四、防火墙配置

<H3C>system-view

[H3C]sysname FW

[FW]

#配置防火墙与核心交换机G1/0/4互联的接口IP10.0.23.6/30

[FW]inter GigabitEthernet 1/0/4

[FW-GigabitEthernet1/0/4]ip address 10.0.23.6 30

[FW-GigabitEthernet1/0/4]qu

[FW]

#配置防火墙与核心交换机G1/0/3互联的接口IP10.0.23.2/30

[FW]inter GigabitEthernet 1/0/3

[FW-GigabitEthernet1/0/3]ip address 10.0.23.2 30

[FW-GigabitEthernet1/0/3]qu

[FW]

#因为内网出去的流量是从G1/0/3进入防火墙的,按照配置习惯,将接口G1/0/3加入trust安全域

[FW]security-zone name Trust

[FW-security-zone-Trust]import interface GigabitEthernet 1/0/3

[FW-security-zone-Trust]qu

[FW]

#内网的流量从G1/0/4发往公网,因此将接口G1/0/4加入untrust安全域

[FW]security-zone name Untrust

[FW-security-zone-Untrust]import interface GigabitEthernet 1/0/4

[FW-security-zone-Untrust]qu

[FW]

#配置IPV4安全策略规则

[FW]security-policy ip

#因为交换机有NQA探测,这部分流量是需要访问防火墙本地的,所以放行所有到local安全域的流量

[FW-security-policy-ip]rule 1 name any2local

[FW-security-policy-ip-1-any2local]destination-zone local

[FW-security-policy-ip-1-any2local]action pass

[FW-security-policy-ip-1-any2local]qu

#配置安全策略规则,放行内网到公网的所有流量,本次测试不做限制,实际可根据需求增加源目ip等过滤条件

[FW-security-policy-ip]rule 5 name trust2untrust

[FW-security-policy-ip-5-trust2untrust]source-zone trust

[FW-security-policy-ip-5-trust2untrust]destination-zone untrust

[FW-security-policy-ip-5-trust2untrust]action pass

[FW-security-policy-ip-5-trust2untrust]qu

[FW-security-policy-ip]qu

[FW]

[FW]session statistics enable

This command is CPU intensive and might affect ongoing services. Are you sure you want to continue? [Y/N]:Y

[FW]

#配置默认路由指向核心交换机的G1/0/4口,保证正向流量防火墙检测完成后可发回核心交换机

[FW]ip route-static 0.0.0.0 0 10.0.23.5

#配置内网网段的明细路由指向核心交换机的G1/0/3口,保证回程流量防火墙检测完成后可发回核心交换机

[FW]ip route-static 10.10.24.0 24 10.0.23.1

#保存配置

[FW]save force

Validating file. Please wait…

Saved the current configuration to mainboard device successfully.

 

五、测试

1、  当防火墙与核心交换机互联链路都正常时

 

#核心public路由表:

[Core]dis ip routing-table

Destinations : 17       Routes : 17

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           10.0.23.2       GE1/0/3

#可以看到,当前缺省路由的下一跳地址是防火墙的10.0.23.2

[Core]

#核心VRF:tofw路由表:

[Core]dis ip routing-table vpn-instance tofw

Destinations : 18       Routes : 18

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           10.0.12.1       GE1/0/1

10.10.24.0/24      Static  60  0           10.0.23.6       GE1/0/4

#可以看到,当前VRF:tofw的缺省路由指向出口路由器,明细路由是指向防火墙的静态路由

#内网可以正常ping通出口路由器地址

<L2 SW>ping 10.0.12.1

Ping 10.0.12.1 (10.0.12.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.0.12.1: icmp_seq=0 ttl=252 time=9.000 ms

56 bytes from 10.0.12.1: icmp_seq=1 ttl=252 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=2 ttl=252 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=3 ttl=252 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=4 ttl=252 time=1.000 ms

 

— Ping statistics for 10.0.12.1 —

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/3.200/9.000/2.926 ms

 

#查看防火墙有来回的会话信息:

<FW>dis session table ipv4 source-ip 10.10.24.254 destination-ip 10.0.12.1 proto

col icmp verbose

Slot 1:

Initiator:

  Source      IP/port: 10.10.24.254/304

  Destination IP/port: 10.0.12.1/2048

  DS-Lite tunnel peer: –

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/3

  Source security zone: Trust

Responder:

  Source      IP/port: 10.0.12.1/304

  Destination IP/port: 10.10.24.254/0

  DS-Lite tunnel peer: –

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/4

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 5

Rule name: trust2untrust

Start time: 2021-12-18 22:12:08  TTL: 0s

Initiator->Responder:            5 packets        420 bytes

Responder->Initiator:            5 packets        420 bytes

 

Total sessions found: 1

 

2、  当防火墙与核心交换机任意链路断开时(仅以1/0/3断开举例)

[Core]inter GigabitEthernet 1/0/3

[Core-GigabitEthernet1/0/3]shutdown

[Core-GigabitEthernet1/0/3]

%Dec 18 22:13:50:278 2021 Core IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/3 changed to down.

%Dec 18 22:13:50:279 2021 Core IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/3 changed to down.

                   #可以看到,NQA探测失败

%Dec 18 22:13:51:080 2021 Core NQA/6/NQA_ENTRY_PROBE_RESULT: Reaction entry 1 of NQA entry admin-name fwprobe operation-tag main: probe-fail.

#backupEAA策略也正常执行

%Dec 18 22:13:51:310 2021 Core RTM/6/RTM_POLICY: CLI policy backup is running successfully.

[Core-GigabitEthernet1/0/3]qu

#核心public路由表:

[Core]dis ip routing-table

Destinations : 13       Routes : 13

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  70  0           10.0.12.1       GE1/0/1

#可以看到,故障发生后,默认路由的下一跳直接指向了出口路由器,而非防火墙

#核心VRF:tofw路由表:

[Core]dis ip routing-table vpn-instance tofw

Destinations : 18       Routes : 18

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           10.0.12.1       GE1/0/1

10.10.24.0/24      Direct  0   0           10.10.24.1      Vlan10

#可以看到,故障期间VRF:tofw到内网的回程路由已变成了通过路由复制学习到的直连路由,而非指向防火墙的静态路由

#内网依旧可以ping通出口路由器地址

<L2 SW>ping 10.0.12.1

Ping 10.0.12.1 (10.0.12.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.0.12.1: icmp_seq=0 ttl=254 time=1.000 ms

56 bytes from 10.0.12.1: icmp_seq=1 ttl=254 time=0.000 ms

56 bytes from 10.0.12.1: icmp_seq=2 ttl=254 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=3 ttl=254 time=1.000 ms

56 bytes from 10.0.12.1: icmp_seq=4 ttl=254 time=3.000 ms

 

— Ping statistics for 10.0.12.1 —

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.400/3.000/1.020 ms

 

3、  当防火墙与核心交换机互联的G1/0/3恢复时

[Core]inter GigabitEthernet 1/0/3

[Core-GigabitEthernet1/0/3]dis this

interface GigabitEthernet1/0/3

 port link-mode route

 combo enable fiber

 shutdown

 ip address 10.0.23.1 255.255.255.252

return

[Core-GigabitEthernet1/0/3]undo shutdown

[Core-GigabitEthernet1/0/3]%Dec 18 22:18:04:608 2021 Core IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/3 changed to up.

%Dec 18 22:18:04:608 2021 Core IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/3 changed to up.

#可以看到,NQA检测成功

%Dec 18 22:18:04:774 2021 Core NQA/6/NQA_ENTRY_PROBE_RESULT: Reaction entry 1 of NQA entry admin-name fwprobe operation-tag main: probe-pass.

#DelbackupEAA策略也正常执行

%Dec 18 22:18:05:027 2021 Core RTM/6/RTM_POLICY: CLI policy Delbackup is running successfully.

 

[Core-GigabitEthernet1/0/3]quit

#核心public路由表:

[Core]dis ip routing-table

Destinations : 17       Routes : 17

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           10.0.23.2       GE1/0/3

#可以看到,故障恢复后默认路由的下一跳地址又回到了防火墙的10.0.23.2

[Core]

#核心VRF:tofw路由表:

[Core]dis ip routing-table vpn-instance tofw

Destinations : 18       Routes : 18

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           10.0.12.1       GE1/0/1

10.10.24.0/24      Static  60  0           10.0.23.6       GE1/0/4

#可以看到,恢复后VRF:tofw的缺省路由指向出口路由器,明细路由是指向防火墙的静态路由

#内网可以正常ping通出口路由器地址

<L2 SW>ping 10.0.12.1

Ping 10.0.12.1 (10.0.12.1): 56 data bytes, press CTRL_C to break

56 bytes from 10.0.12.1: icmp_seq=0 ttl=252 time=9.000 ms

56 bytes from 10.0.12.1: icmp_seq=1 ttl=252 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=2 ttl=252 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=3 ttl=252 time=2.000 ms

56 bytes from 10.0.12.1: icmp_seq=4 ttl=252 time=1.000 ms

 

— Ping statistics for 10.0.12.1 —

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/3.200/9.000/2.926 ms

 

#查看防火墙有来回的会话信息:

<FW>dis session table ipv4 source-ip 10.10.24.254 destination-ip 10.0.12.1 proto

col icmp verbose

Slot 1:

Initiator:

  Source      IP/port: 10.10.24.254/312

  Destination IP/port: 10.0.12.1/2048

  DS-Lite tunnel peer: –

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/3

  Source security zone: Trust

Responder:

  Source      IP/port: 10.0.12.1/312

  Destination IP/port: 10.10.24.254/0

  DS-Lite tunnel peer: –

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/4

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 5

Rule name: trust2untrust

Start time: 2021-12-18 22:27:36  TTL: 22s

Initiator->Responder:            5 packets        420 bytes

Responder->Initiator:            5 packets        420 bytes

              

Total sessions found: 1

原文链接:https://zhiliao.h3c.com/Theme/details/184057

© 版权声明
THE END
喜欢就支持一下吧
点赞15 分享