防火牆+route+vrrp+mstp

防火牆+route+vrrp+mstp

拓撲圖

使用技術

使用到的技術：
	單區域ospf 
  dhcp
  nat

  mstp
  vrrp+track

	鏈路聚合
  
  telnet+aaa
  
  

接入層

huijuA

sys
sysname huijuA

# 創建vlan
vlan batch 10 20 30 40

# 端口分配
int e0/0/1
port link-type access 
port default vlan 10

int e0/0/2
port link-type access 
port default vlan 20

int e0/0/3
port link-type trunk 
port trunk allow-pass vlan all 

int e0/0/4
port link-type trunk 
port trunk allow-pass vlan all 

# mstp 
stp region-configuration 
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40 
active region-configuration

huijuB

sys
sysname huijuB

# 創建vlan
vlan batch 10 20 30 40

# 端口分配
int e0/0/1
port link-type access 
port default vlan 30

int e0/0/2
port link-type access 
port default vlan 40

int e0/0/3
port link-type trunk 
port trunk allow-pass vlan all 

int e0/0/4
port link-type trunk 
port trunk allow-pass vlan all 

# mstp 
stp region-configuration 
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40 
active region-configuration

核心層

coreA

sys
sysname coreA

# 創建vlan
vlan batch 10 20 30 40 50

# 端口分配
int g0/0/1
port link-type access 
port default vlan 50

int g0/0/3
port link-type trunk 
port trunk allow-pass vlan all 

int g0/0/4
port link-type trunk 
port trunk allow-pass vlan all 


# 創建vlan
vlan batch 10 20 30 40


# 鏈路聚合
int Eth-Trunk 1
port link-type trunk 
port trunk allow-pass vlan 10 20 30 40
# 加入
int g0/0/23 
eth-trunk 1

int g0/0/24
eth-trunk 1

# mstp 
stp region-configuration 
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40 
active region-configuration 

quit
# mstp 根橋指定
stp instance 1 root primary 
stp instance 2 root secondary 

# vrrp配置
int vlan 10
ip address 192.168.10.252 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 110
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 10 track interface g0/0/1 reduced 50

int vlan 20
ip address 192.168.20.252 24
vrrp vrid 20 virtual-ip 192.168.20.254
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 20 track interface g0/0/1 reduced 50

int vlan 30
ip address 192.168.30.252 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 110
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 30 track interface g0/0/1 reduced 50

int vlan 40
ip address 192.168.40.252 24
vrrp vrid 40 virtual-ip 192.168.40.254
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 40 track interface g0/0/1 reduced 50

## 這裏配置完，建議display ip int brief
## 順帶驗證vlan pc間是否能夠通信

# 上聯接口vlan
int vlan 50
ip address 192.168.252.1 24

# 配置ospf
ospf 100 router-id 1.1.1.1
area 0 
network 0.0.0.0 255.255.255.255

core B

sys
sysname coreB 

# 創建vlan
vlan batch 10 20 30 40 60

# 端口分配
int g0/0/1
port link-type access 
port default vlan 60

int g0/0/3
port link-type trunk 
port trunk allow-pass vlan all 

int g0/0/4
port link-type trunk 
port trunk allow-pass vlan all 

# 鏈路聚合
int Eth-Trunk 1
port link-type trunk 
port trunk allow-pass vlan 10 20 30 40

# 加入
int g0/0/23 
eth-trunk 1

int g0/0/24
eth-trunk 1

# mstp 
stp region-configuration 
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40 
active region-configuration 

quit
# mstp 根橋指定
stp instance 2 root primary 
stp instance 1 root secondary 

# vrrp 配置
int vlan 10
ip address 192.168.10.253 24
vrrp vrid 10 virtual-ip 192.168.10.254 
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 10 track interface g0/0/1 reduced 50

int vlan 20
ip address 192.168.20.253 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 20 track interface g0/0/1 reduced 50

int vlan 30
ip address 192.168.30.253 24
vrrp vrid 30 virtual-ip 192.168.30.254
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 30 track interface g0/0/1 reduced 50

int vlan 40
ip address 192.168.40.253 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
# 配置上聯接口檢測，直連接口(配置的是本機的端口)檢測不通時，降級
vrrp vrid 40 track interface g0/0/1 reduced 50

## 這裏配置完，建議display ip int brief，驗證vlan ip
## 順帶驗證vlan pc間是否能夠通信

# 上聯接口vlan
int vlan 60
ip address 192.168.253.1 24

# 配置ospf
ospf 100 router-id 2.2.2.2
area 0 
network 0.0.0.0 255.255.255.255

對外

防火牆

sys
sysname FW


int g1/0/0
undo shutdown
ip address 192.168.252.2 24
service-manage ping permit

int g1/0/1
undo shutdown
ip address 192.168.253.2 24
service-manage ping permit

int g1/0/2
undo shutdown
ip address 56.29.2.21 24
service-manage ping permit

int g1/0/3
undo shutdown
ip address 120.36.2.21 24
service-manage ping permit

# 信任接口區域配置
firewall zone trust 
add interface g1/0/0
add interface g1/0/1

# 非信任接口區域配置
firewall zone untrust 
add interface g1/0/2
add interface g1/0/3

# ospf
ospf 100 router-id 3.3.3.3
# 默認路由重分佈
default-route-advertise 
area 0 
network 192.168.0.0 0.0.255.255

# 默認路由
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 56.29.2.22
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/3 120.36.2.22 preference 70

# nat 配置
nat-policy
rule name nat-56
egress-interface GigabitEthernet1/0/2
source-address 192.168.0.0 mask 255.255.0.0
action source-nat easy-ip

nat-policy
rule name nat-120
egress-interface GigabitEthernet1/0/3
source-address 192.168.0.0 mask 255.255.0.0
action source-nat easy-ip

# pbr配置
policy-based-route
rule name pbr-56 1
ingress-interface GigabitEthernet1/0/0
ingress-interface GigabitEthernet1/0/1
source-address 192.168.10.0 mask 255.255.255.0
action pbr egress-interface GigabitEthernet1/0/2 next-hop 56.29.2.22
rule name pbr-120 2
ingress-interface GigabitEthernet1/0/0
ingress-interface GigabitEthernet1/0/1
source-address 192.168.20.0 mask 255.255.255.0
action pbr egress-interface GigabitEthernet1/0/3 next-hop 120.36.2.22


# 允許ping的安全策略
security-policy
rule name ping
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
destination-zone untrust
service icmp
action permit

接口配置、接口區域配置

ospf新建區域時，不要選擇認證模式

靜態路由

策略路由

安全策略

NAT 配置

ISP

ISP-1

sys
sysname ISP-2

int g0/0/0
ip address 56.29.2.22 24

int g0/0/1
ip address 12.1.1.1 24

ISP-2

sys
sysname ISP-2

int g0/0/0
ip address 120.36.2.22 24

int g0/0/1
ip address 23.1.1.1 24

internet

sys
sysname internet

int g0/0/1
ip address 12.1.1.2 24

int g0/0/0
ip address 23.1.1.2 24

int g2/0/0 
ip address 8.8.8.254 24

# 互聯網部分ospf
ospf 111
area 0
network 0.0.0.0 255.255.255.255

效果圖

核心層

coreA

display ip int brief

vrrp
display vrrp brief

stp
display stp brief

coreB

display ip int brief

vrrp
display vrrp brief

stp
display stp brief

dis ip routing-table

匯聚層

huijuA

display stp brief

huijuB

display stp brief

核心路由器

dis ip int brief

錯誤排查

交換機mac漂移

大致原因是環路
https://support.huawei.com/enterprise/zh/doc/EDOC1000141442/b2b79367

ospf router-id 衝突

先看看是否手工指定時，確實失誤了。
再排查和交換機的接口，是否已經配置了vlan，測試和交換機的對應vlan能否互通。

vrrp 主備未切換

1. 確認使用shutdown命令，模擬故障。
2. 確認配置了vrrp track，且配置的接口，是上聯接口

雲 端口配置

防火牆ping不通、web頁面訪問不了

1. 再次刷入開啓web的命令
2. 檢查機器cpu、防火牆display cpu
3. 剛連接上防火牆時，如果ping不通，是正常情況，需要在防火牆上配置允許ping
4. 接口ping不通，在接口上使用service-manage ping permit

防火牆ping untrust區域不通、內網通過nat不通

檢查nat配置()、安全策略配置（可以全部放行ping）