HCIA_Sec Lab (Dual-Device Hot Standby + User Management)
Author: 互联网
1. Topology diagram
2. Planning
2.1 VLAN plan for SW1
VLAN | Ports
VLAN10 | G0/0/1, G0/0/5, G0/0/9
VLAN20 | G0/0/2, G0/0/6, G0/0/10
VLAN30 | G0/0/3, G0/0/7, G0/0/11
VLAN40 | G0/0/4, G0/0/8, G0/0/12
2.2 IP address plan
#FW1
Interface | IP address | Zone / role (from sections 3 and 4.1)
G0/0/0 | 192.168.0.10/24 |
G1/0/0 | 10.1.1.10/24 | trust
G1/0/1 | 202.100.1.10/24 | untrust
G1/0/2 | 192.168.1.10/24 | dmz
G1/0/3 | 172.16.0.10/24 | HRP heartbeat link
#FW2
Interface | IP address | Zone / role (from sections 3 and 4.1)
G0/0/0 | 192.168.0.20/24 |
G1/0/0 | 10.1.1.20/24 | trust
G1/0/1 | 202.100.1.20/24 | untrust
G1/0/2 | 192.168.1.20/24 | dmz
G1/0/3 | 172.16.0.20/24 | HRP heartbeat link
#PC1
10.1.1.1/24
#ISP
Interface | IP address
G0/0/0 | 202.100.1.253/24
G0/0/1 |
#SERVER1
192.168.1.1/24
3. Basic configuration
① Configure IP addresses (omitted)
② Configure the corresponding VLANs (omitted)
③ Configure the firewall security zones
#FW1
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/2
#FW2
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/0
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1
[FW2-zone-untrust]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/2
④ PC1 configuration
⑤ Server1 configuration
4. Configuring dual-device hot standby (HRP)
4.1 Commands
#FW1
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.1.254 active
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 202.100.1.254 active
# Configure the heartbeat link
[FW1]hrp interface GigabitEthernet 1/0/3 remote 172.16.0.20
#FW2
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[FW2-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 202.100.1.254 standby
# Define the standby device
[FW2]hrp standby-device
# Configure the heartbeat link
[FW2]hrp interface GigabitEthernet 1/0/3 remote 172.16.0.10
# Security policy synchronized to the peer (the "(+B)" echoed after each command shows it was backed up)
HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name internet (+B)
HRP_M[FW1-policy-security-rule-internet]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-internet]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-internet]action permit (+B)
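The HRP pair only fails over cleanly if the two configurations mirror each other: the same VRRP groups with the same virtual IPs, opposite active/standby roles, each side's hrp remote pointing at the peer's heartbeat interface address, and hrp standby-device on exactly one device. The following Python script is an added example, not code from the original post; it parses config excerpts constructed from the commands and IP plan above (FW1_CFG, FW2_CFG, parse_fw and check_pair are names chosen here) and reports any mismatch between the two firewalls.

```python
import re
# Config excerpts constructed from the commands and IP plan on this page (not a live export).
FW1_CFG = """interface GigabitEthernet 1/0/0
 vrrp vrid 1 virtual-ip 10.1.1.254 active
interface GigabitEthernet 1/0/1
 vrrp vrid 2 virtual-ip 202.100.1.254 active
interface GigabitEthernet 1/0/3
 ip address 172.16.0.10 24
hrp interface GigabitEthernet 1/0/3 remote 172.16.0.20"""
FW2_CFG = """interface GigabitEthernet 1/0/0
 vrrp vrid 1 virtual-ip 10.1.1.254 standby
interface GigabitEthernet 1/0/1
 vrrp vrid 2 virtual-ip 202.100.1.254 standby
interface GigabitEthernet 1/0/3
 ip address 172.16.0.20 24
hrp standby-device
hrp interface GigabitEthernet 1/0/3 remote 172.16.0.10"""
def parse_fw(text):
    """Extract VRRP groups, interface IPs, the heartbeat link and the standby flag."""
    fw, cur = {"ip": {}, "vrrp": {}, "hrp_if": None, "hrp_remote": None, "standby": False}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface\s+(\S+)\s*(\S*)$", line):
            cur = m[1] + m[2]          # "GigabitEthernet 1/0/0" -> "GigabitEthernet1/0/0"
        elif m := re.match(r"ip address (\S+) (\d+)$", line):
            fw["ip"][cur] = m[1]       # prefix length is not needed for these checks
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line):
            fw["vrrp"][int(m[1])] = (m[2], m[3])
        elif m := re.match(r"hrp interface\s+(\S+)\s*(\S*) remote (\S+)$", line):
            fw["hrp_if"], fw["hrp_remote"] = m[1] + m[2], m[3]
        elif line == "hrp standby-device":
            fw["standby"] = True
    return fw

def check_pair(a, b):
    """Return findings for an HRP pair; an empty list means the two configs are consistent."""
    findings = []
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        ga, gb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if ga is None or gb is None:
            findings.append(f"vrid {vrid} is configured on only one firewall")
        elif ga[0] != gb[0]:
            findings.append(f"vrid {vrid}: virtual IPs differ ({ga[0]} vs {gb[0]})")
        elif {ga[1], gb[1]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: need one active and one standby, got {ga[1]}/{gb[1]}")
    for me, peer in ((a, b), (b, a)):  # each 'remote' must be the peer's heartbeat interface address
        if me["hrp_remote"] != peer["ip"].get(peer["hrp_if"]):
            findings.append(f"heartbeat remote {me['hrp_remote']} is not the peer's {peer['hrp_if']} address")
    if a["standby"] == b["standby"]:
        findings.append("exactly one firewall must have 'hrp standby-device'")
    return findings
```

Running check_pair(parse_fw(FW1_CFG), parse_fw(FW2_CFG)) on the excerpts above returns an empty list; flipping FW2's vrid 1 to active, pointing its remote at the wrong address, or dropping hrp standby-device each produces a finding.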
4.2 Test result
① PC1 can access.
5. User management
5.1 Require authentication for users in the 10.1.1.0/24 segment accessing untrust
① Configure the password
② Configure the authentication policy
③ Configure the authentication options
④ Create a new service
⑤ Configure the security policy
Source: https://www.cnblogs.com/l-f-a-l/p/15929242.html