Huawei Entry-Level Network Security Comprehensive Lab 2

|Network Topology|

|Networking Requirements|

(1) Design and build a reasonable, highly reliable, easy-to-manage network that meets the company's business needs;

(2) The Portal and FTP servers must be reachable by public-network users;

(3) Shenzhen HQ users access the Internet using the address 202.1.1.1;

(4) Shenzhen, Beijing and Guangzhou reach each other's internal networks over VPN;

(5) Internet traffic from Beijing branch employees exits through the Shenzhen HQ egress;

(6) The Beijing and Guangzhou branches each have a business node that must reach the other; make sure the traffic between these 2 business nodes passes through Shenzhen HQ;

(7) The Guangzhou branch and Shenzhen HQ each have an important business server that must reach the other; make sure the traffic between these 2 servers is protected;

(8) Within the Shenzhen HQ LAN, only specific users in the user area ("192.168.10.210 and 20.210") are allowed to access the business server 172.16.105.200.

(9) About 50 traveling users need to access the Shenzhen HQ business server (172.16.105.100) at irregular times;

(10) Appropriately regulate the Internet usage behavior of Shenzhen HQ employees.

|Deployment Approach|

Topology setup ---> physical cabling

Layer 2 link configuration / VLAN / MSTP

IP addressing (ipaddr) / Layer 3 link configuration / Eth-Trunk

VRRP

Internal OSPF

DHCP server (Server, Relay)

Business server setup (Web, FTP, DNS)

Local Internet access: NAT (EASYIP, NAT-SERVER)

VPN (IPSEC VPN / GRE / SSL VPN)

Network management

Work out the security policies

Testing

| Partial Reference Scripts |

GRE VPN module: key configuration reference script

[HQ-VPN]display current-configuration | include "gre vpn"
interface Tunnel1
 ip address 20.1.123.1 255.255.255.0
 tunnel-protocol gre
 source 202.1.1.1
 destination 50.1.1.1
 service-manage ping permit
#
interface Tunnel2
 ip address 20.1.124.1 255.255.255.0
 tunnel-protocol gre
 source 202.1.1.1
 destination 60.1.1.1
 service-manage ping permit
#
firewall zone name gre_bj id 6
 set priority 30
 add interface Tunnel1
#
firewall zone name gre_gz id 7
 set priority 31
 add interface Tunnel2
#
ip route-static 192.168.50.0 255.255.255.0 Tunnel1
ip route-static 192.168.60.0 255.255.255.0 Tunnel2

[BJ-VPN]display current-configuration | include "gre vpn"
interface Tunnel1
 ip address 20.1.123.2 255.255.255.0
 tunnel-protocol gre
 source 50.1.1.1
 destination 202.1.1.1
 service-manage ping permit
#
firewall zone name gre id 4
 set priority 10
 add interface Tunnel1
#
ip route-static 172.16.101.100 255.255.255.255 Tunnel1
ip route-static 172.16.102.100 255.255.255.255 Tunnel1
ip route-static 192.168.10.0 255.255.255.0 Tunnel1
ip route-static 192.168.20.0 255.255.255.0 Tunnel1

[GZ-VPN]display current-configuration | include "gre vpn"
interface Tunnel1
 ip address 20.1.124.2 255.255.255.0
 tunnel-protocol gre
 source 10.10.60.2
 destination 202.1.1.1
 service-manage ping permit
#
firewall zone name gre id 4
 set priority 10
 add interface Tunnel1
#
ip route-static 172.16.101.100 255.255.255.255 Tunnel1
ip route-static 172.16.102.100 255.255.255.255 Tunnel1
ip route-static 192.168.10.0 255.255.255.0 Tunnel1
ip route-static 192.168.20.0 255.255.255.0 Tunnel1
ip route-static 192.168.50.101 255.255.255.255 Tunnel1

IPSec VPN module: key configuration reference script

[HQ-VPN]display current-configuration | include "ipsec vpn"
acl number 3001
 rule 5 permit ip source 172.16.105.200 0 destination 192.168.60.200 0
#
ike peer gz
 undo version 2
 pre-shared-key %@%@ve
 ike-proposal 1
 remote-address 60.1.1.1
 remote-address authentication-address 10.10.60.2
#
ipsec proposal 1
#
ipsec policy ipsec_ply 1 isakmp
 security acl 3001
 ike-peer gz
 proposal 1
#
interface GigabitEthernet1/0/4
 ip address 202.1.1.1 255.255.255.0
 service-manage ping permit
 ipsec policy ipsec_ply
#
ip route-static 192.168.60.200 255.255.255.255 202.1.1.254

[GZ-VPN]display current-configuration | include "ipsec vpn"
acl number 3001
 rule 5 permit ip source 192.168.60.200 0 destination 172.16.105.200 0
#
ipsec proposal 1
#
ike peer sz
 undo version 2
 pre-shared-key %@%@i7dP'dw12O@`7%=ov#fU@^>/%@%@
 ike-proposal 1
 remote-address 202.1.1.1
#
ipsec policy ipsec_ply 1 isakmp
 security acl 3001
 ike-peer sz
 proposal 1
#
interface GigabitEthernet1/0/0
 ip address 10.10.60.2 255.255.255.0
 ipsec policy ipsec_ply
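The two `acl number 3001` blocks above define the interesting traffic for the HQ/GZ IPsec tunnel, and Huawei requires the two ends' ACLs to mirror each other (source and destination swapped); a mismatch leaves the IPsec SA covering only part of the traffic or not negotiated at all. The following Python checker is an added example, not part of the original article: it parses the page's two ACL excerpts (constructed here verbatim) and reports any rule that the peer does not mirror.

```python
import re

# Constructed excerpts copied from the page's HQ-VPN and GZ-VPN 'acl number 3001' blocks.
HQ_ACL = """acl number 3001
 rule 5 permit ip source 172.16.105.200 0 destination 192.168.60.200 0
"""
GZ_ACL = """acl number 3001
 rule 5 permit ip source 192.168.60.200 0 destination 172.16.105.200 0
"""

# Only 'permit ip' rules select IPsec traffic; other rule forms are ignored here.
RULE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def _wildcard(w):
    """VRP accepts '0' as shorthand for the host wildcard 0.0.0.0; normalise it."""
    return "0.0.0.0" if w == "0" else w

def parse_rules(acl_text):
    """Set of (src, src_wildcard, dst, dst_wildcard) tuples from an interesting-traffic ACL."""
    return {(s, _wildcard(sw), d, _wildcard(dw)) for s, sw, d, dw in RULE.findall(acl_text)}

def mirror(rules):
    """The rule set as the peer must write it: source and destination swapped."""
    return {(d, dw, s, sw) for s, sw, d, dw in rules}

def unmirrored(local_acl, remote_acl):
    """Return (local rules the peer does not mirror, remote rules we do not mirror).
    Both lists must be empty for the two ends' selectors to match."""
    local, remote = parse_rules(local_acl), parse_rules(remote_acl)
    return sorted(local - mirror(remote)), sorted(remote - mirror(local))
```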

GZ-NAT module device: key configuration reference script

[GZ-NAT]display current-configuration | include "nat"
interface GigabitEthernet1/0/0
 ip address 10.10.60.1 255.255.255.0
 service-manage ping permit
interface GigabitEthernet1/0/1
 ip address 60.1.1.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/1
#
nat server gre 0 protocol 47 global interface GigabitEthernet1/0/1 inside 10.10.60.2
nat server isakmp 1 protocol udp global interface GigabitEthernet1/0/1 500 inside 10.10.60.2 500
nat server nat-t 2 protocol udp global interface GigabitEthernet1/0/1 4500 inside 10.10.60.2 4500
#
ip route-static 0.0.0.0 0.0.0.0 60.1.1.254
ip route-static 192.168.60.0 255.255.255.0 10.10.60.2
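The HQ/GZ GRE tunnel is asymmetric: GZ-VPN sources its tunnel from the private address 10.10.60.2, while HQ-VPN's Tunnel2 points at the public 60.1.1.1 that GZ-NAT maps to it with the `nat server gre 0 protocol 47` entry, so a plain source/destination comparison of the two tunnel interfaces would flag a mismatch. The following Python checker is an added example, not part of the original article: it parses the page's HQ-VPN, GZ-VPN and GZ-NAT excerpts (constructed here verbatim) and verifies that each end's destination equals the peer's source either directly or through the static GRE NAT mapping.

```python
import re

# Constructed excerpts copied from the page's HQ-VPN, GZ-VPN and GZ-NAT scripts.
HQ_VPN = """interface Tunnel2
 tunnel-protocol gre
 source 202.1.1.1
 destination 60.1.1.1
"""
GZ_VPN = """interface Tunnel1
 tunnel-protocol gre
 source 10.10.60.2
 destination 202.1.1.1
"""
GZ_NAT = """interface GigabitEthernet1/0/1
 ip address 60.1.1.1 255.255.255.0
#
nat server gre 0 protocol 47 global interface GigabitEthernet1/0/1 inside 10.10.60.2
"""

def parse_tunnels(cfg):
    """Map each Tunnel interface to its GRE 'source' and 'destination' addresses."""
    tunnels, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        words = line.split()
        if words[0] == "interface":
            cur = words[1] if words[1].startswith("Tunnel") else None
        elif cur and words[0] in ("source", "destination"):
            tunnels.setdefault(cur, {})[words[0]] = words[1]
    return tunnels

def interface_addrs(cfg):
    """Map each interface to its primary IPv4 address."""
    addrs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        words = line.split()
        if words[0] == "interface":
            cur = words[1]
        elif cur and words[:2] == ["ip", "address"]:
            addrs[cur] = words[2]
    return addrs

def gre_nat_map(cfg):
    """inside address -> global address for every 'nat server ... protocol 47' entry."""
    addrs, mapping = interface_addrs(cfg), {}
    pat = r"nat server \S+ \d+ protocol 47 global (?:interface (\S+)|(\S+)) inside (\S+)"
    for iface, glob, inside in re.findall(pat, cfg):
        mapping[inside] = addrs.get(iface, iface) if iface else glob
    return mapping

def endpoints_consistent(a, b, nat_map):
    """Each side's destination must equal the peer's source, or the global
    address that a static NAT server entry maps that source to (the GZ case)."""
    return (a["destination"] == nat_map.get(b["source"], b["source"])
            and b["destination"] == nat_map.get(a["source"], a["source"]))
```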

Firewall security policies

Deploy these yourself according to the actual business situation.

Device maintenance/management reference commands [commonly used]

display lldp neighbor brief
display interface description
display interface GigabitEthernet 0/0/1
display interface brief
display vlan
display port vlan active
display ip interface brief
display stp brief / display stp instance 10 brief
display stp region-configuration
display vrrp [brief]
display ip routing-table | include xxx
display interface Eth-Trunk 2 (display eth-trunk 2 verbose)
display ospf interface [verbose]
display ospf peer brief
display ospf error
display ip pool name VLAN-10 used
display dhcp relay all
display firewall session table [verbose]
display firewall statistic system discard
display firewall server-map
display nat-policy all
display nat server
display gre statistic (display interface Tunnel 1)
display ike sa / display ipsec sa
display ipsec policy
display ike peer
display ipsec statistics

-------------------

ONE NETWORKS

  • Original link: http://kuaibao.qq.com/s/20180321A1OA7X00?refer=cp_1026
  • Tencent Cloud+ Community is one of the distribution channels for Tencent Content Open Platform accounts (Penguin accounts); this content is republished under the Tencent Content Open Platform Service Agreement.
