|Network topology|
|Networking requirements|
(1) Design and build a sensible, highly reliable network that is easy to manage and maintain and meets the company's business needs;
(2) The Portal and FTP servers must be reachable by users on the public Internet;
(3) Shenzhen HQ users access the Internet using the address 202.1.1.1;
(4) Shenzhen, Beijing and Guangzhou reach each other's internal networks over VPN;
(5) Internet traffic from Beijing branch employees exits through the Shenzhen HQ;
(6) Two business nodes in the Beijing and Guangzhou branches need to communicate with each other; make sure the traffic between these two nodes passes through the Shenzhen HQ;
(7) Two important business servers at the Guangzhou branch and the Shenzhen HQ need to communicate with each other; make sure the traffic between these two servers is protected;
(8) Within the Shenzhen HQ LAN, only specific users in the user area ("192.168.10.210 and 20.210") may access the business server 172.16.105.200.
(9) About 50 travelling users need to access the Shenzhen HQ business server (172.16.105.100) at irregular times;
(10) Apply reasonable controls to the Internet usage of Shenzhen HQ employees.
|Deployment approach|
Build the topology ---> physical cabling
Layer 2 link configuration / VLAN / MSTP
IP addressing / Layer 3 link configuration / Eth-Trunk
VRRP
Internal OSPF
DHCP (server, relay)
Set up the business servers (Web, FTP, DNS)
Local Internet access: NAT (Easy IP, NAT server)
VPN (IPsec VPN / GRE / SSL VPN)
Network management
Work out the security policies
Testing
|Selected reference scripts|
Key configuration reference script for the GRE VPN module
[HQ-VPN]display current-configuration | include "gre vpn"
interface Tunnel1
ip address 20.1.123.1 255.255.255.0
tunnel-protocol gre
source 202.1.1.1
destination 50.1.1.1
service-manage ping permit
#
interface Tunnel2
ip address 20.1.124.1 255.255.255.0
tunnel-protocol gre
source 202.1.1.1
destination 60.1.1.1
service-manage ping permit
#
firewall zone name gre_bj id 6
set priority 30
add interface Tunnel1
#
firewall zone name gre_gz id 7
set priority 31
add interface Tunnel2
#
ip route-static 192.168.50.0 255.255.255.0 Tunnel1
ip route-static 192.168.60.0 255.255.255.0 Tunnel2
[BJ-VPN]display current-configuration | include "gre vpn"
interface Tunnel1
ip address 20.1.123.2 255.255.255.0
tunnel-protocol gre
source 50.1.1.1
destination 202.1.1.1
service-manage ping permit
#
firewall zone name gre id 4
set priority 10
add interface Tunnel1
#
ip route-static 172.16.101.100 255.255.255.255 Tunnel1
ip route-static 172.16.102.100 255.255.255.255 Tunnel1
ip route-static 192.168.10.0 255.255.255.0 Tunnel1
ip route-static 192.168.20.0 255.255.255.0 Tunnel1
[GZ-VPN]display current-configuration | include "gre vpn"
interface Tunnel1
ip address 20.1.124.2 255.255.255.0
tunnel-protocol gre
source 10.10.60.2
destination 202.1.1.1
service-manage ping permit
#
firewall zone name gre id 4
set priority 10
add interface Tunnel1
#
ip route-static 172.16.101.100 255.255.255.255 Tunnel1
ip route-static 172.16.102.100 255.255.255.255 Tunnel1
ip route-static 192.168.10.0 255.255.255.0 Tunnel1
ip route-static 192.168.20.0 255.255.255.0 Tunnel1
ip route-static 192.168.50.101 255.255.255.255 Tunnel1
Key configuration reference script for the IPsec VPN module
[HQ-VPN]display current-configuration | include "ipsec vpn"
acl number 3001
rule 5 permit ip source 172.16.105.200 0 destination 192.168.60.200 0
#
ike peer gz
undo version 2
pre-shared-key %@%@ve
ike-proposal 1
remote-address 60.1.1.1
remote-address authentication-address 10.10.60.2
#
ipsec proposal 1
#
ipsec policy ipsec_ply 1 isakmp
security acl 3001
ike-peer gz
proposal 1
#
interface GigabitEthernet1/0/4
ip address 202.1.1.1 255.255.255.0
service-manage ping permit
ipsec policy ipsec_ply
#
ip route-static 192.168.60.200 255.255.255.255 202.1.1.254
[GZ-VPN]display current-configuration | include "ipsec vpn"
acl number 3001
rule 5 permit ip source 192.168.60.200 0 destination 172.16.105.200 0
#
ipsec proposal 1
#
ike peer sz
undo version 2
pre-shared-key %@%@i7dP'dw12O@`7%=ov#fU@^>/%@%@
ike-proposal 1
remote-address 202.1.1.1
#
ipsec policy ipsec_ply 1 isakmp
security acl 3001
ike-peer sz
proposal 1
#
interface GigabitEthernet1/0/0
ip address 10.10.60.2 255.255.255.0
ipsec policy ipsec_ply
Key configuration reference script for the GZ-NAT device
[GZ-NAT]display current-configuration | include "nat"
interface GigabitEthernet1/0/0
ip address 10.10.60.1 255.255.255.0
service-manage ping permit
interface GigabitEthernet1/0/1
ip address 60.1.1.1 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
#
nat server gre 0 protocol 47 global interface GigabitEthernet1/0/1 inside 10.10.60.2
nat server isakmp 1 protocol udp global interface GigabitEthernet1/0/1 500 inside 10.10.60.2 500
nat server nat-t 2 protocol udp global interface GigabitEthernet1/0/1 4500 inside 10.10.60.2 4500
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.254
ip route-static 192.168.60.0 255.255.255.0 10.10.60.2
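The Guangzhou end of the site-to-site VPN sits behind GZ-NAT, so three things have to line up across the HQ-VPN, GZ-VPN and GZ-NAT scripts: the IPsec security ACLs must mirror each other, the NAT server entries must forward GRE (protocol 47), IKE (UDP 500) and NAT-T (UDP 4500) to the inside VPN box, and HQ must aim its tunnel at the branch's public address while authenticating the branch's private identity. The following added example (not part of the original page) parses fragments copied from the scripts above and checks those three conditions; the regular expressions assume the Huawei-style line layout shown on this page.

```python
import re
# Fragments copied from the reference scripts above (HQ-VPN, GZ-VPN, GZ-NAT); one-space indent.
HQ_VPN = """acl number 3001
 rule 5 permit ip source 172.16.105.200 0 destination 192.168.60.200 0
ike peer gz
 remote-address authentication-address 10.10.60.2
interface Tunnel2
 source 202.1.1.1
 destination 60.1.1.1
"""
GZ_VPN = """acl number 3001
 rule 5 permit ip source 192.168.60.200 0 destination 172.16.105.200 0
interface Tunnel1
 source 10.10.60.2
 destination 202.1.1.1
"""
GZ_NAT = """nat server gre 0 protocol 47 global interface GigabitEthernet1/0/1 inside 10.10.60.2
nat server isakmp 1 protocol udp global interface GigabitEthernet1/0/1 500 inside 10.10.60.2 500
nat server nat-t 2 protocol udp global interface GigabitEthernet1/0/1 4500 inside 10.10.60.2 4500
"""
RULE = re.compile(r"rule \d+ permit ip source (\S+) \S+ destination (\S+) \S+")
NAT = re.compile(r"nat server \S+ \d+ protocol (\S+) global interface \S+(?: (\d+))? inside (\S+)")
TUNNEL = re.compile(r"interface (Tunnel\d+)\n(?:[^\n]*\n)*? source (\S+)\n destination (\S+)")
AUTH = re.compile(r"remote-address authentication-address (\S+)")

def acl_pairs(cfg):
    # (source, destination) host pairs the IPsec security ACL selects for encryption
    return set(RULE.findall(cfg))

def acls_mirror(local, remote):
    # both ends must select exactly the mirrored flows, or phase 2 negotiation fails
    return acl_pairs(local) == {(d, s) for s, d in acl_pairs(remote)}

def nat_server_ok(nat_cfg, inside_host):
    # GRE (proto 47), IKE (udp/500) and NAT-T (udp/4500) must all be mapped to the VPN box
    mapped = {(proto, port or None) for proto, port, ip in NAT.findall(nat_cfg) if ip == inside_host}
    return {("47", None), ("udp", "500"), ("udp", "4500")} <= mapped

def peering_ok(hq_cfg, branch_cfg, branch_global_ip):
    # HQ aims at the branch's NAT address and authenticates its private identity; branch aims back at HQ
    (_, hq_src, hq_dst), = TUNNEL.findall(hq_cfg)
    (_, br_src, br_dst), = TUNNEL.findall(branch_cfg)
    return hq_dst == branch_global_ip and br_dst == hq_src and AUTH.findall(hq_cfg) == [br_src]

def audit():
    # run all checks on the embedded fragments; every value is True for the page's configuration
    return {"ipsec_acl_mirrored": acls_mirror(HQ_VPN, GZ_VPN),
            "nat_server_complete": nat_server_ok(GZ_NAT, "10.10.60.2"),
            "gre_peering": peering_ok(HQ_VPN, GZ_VPN, "60.1.1.1")}
```

Feeding the output of `display current-configuration` from the real devices into the same regular expressions turns this into a quick pre-change sanity check before the tunnels are brought up.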
Firewall security policy
Deploy it appropriately according to your actual business requirements.
Device maintenance/management reference commands [commonly used]
display lldp neighbor brief
display interface description
display interface GigabitEthernet 0/0/1
display interface brief
display vlan
display port vlan active
display ip interface brief
display stp brief/display stp instance 10 brief
display stp region-configuration
display vrrp [brief]
display ip routing-table | include xxx
display interface Eth-Trunk 2 (display eth-trunk 2 verbose)
display ospf interface [verbose]
display ospf peer brief
display ospf error
display ip pool name VLAN-10 used
display dhcp relay all
display firewall session table [verbose]
display firewall statistic system discard
display firewall server-map
display nat-policy all
display nat server
display gre statistic (display interface Tunnel 1)
display ike sa / display ipsec sa
display ipsec policy
display ike peer
display ipsec statistics
-------------------
ONE NETWORKS