02.hcie sec and reference 1: security hc high availability (IPSec link and device redundancy)

1. Link redundancy: "active/standby" and "active/active" link redundancy; tunnelled link redundancy; full-mesh network
2. Device redundancy

Copyright © 2010 Technologies Co.

Link redundancy

1.1 "Active/active" and "active/standby" link redundancy: in the usual case the primary IPSec tunnel is set up over an Ethernet link with a fixed IP address, while the backup IPSec tunnel may use either an Ethernet link or a dial-up link (PPPoE/ADSL/3G). When the primary link fails, traffic is switched over to the backup link.

1.2 Tunnelled link backup ( ): the IPSec policy is applied to a Tunnel interface, so the policy is not bound to any particular physical interface, which provides backup of the outbound link. When one link fails, traffic can simply be routed over another link.

"Active/standby" link redundancy: topology and requirements (built on physical interfaces )

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: the two physical interfaces of gateway A apply different IPSec policies; the two physical interfaces of gateway B apply different IPSec policies.

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: steer traffic with static or dynamic routes together with IP-Link.

[Figure: LANs 192.168.1.0/24 (Site1) and 10.1.1.0/24 (Site2) on G0/0/0; links 202.100.1.0/24 (G0/0/1) and 202.100.2.0/24 (G0/0/2) on one side, 203.100.1.0/24 (G0/0/1) and 203.100.2.0/24 (G0/0/2) on the other; IPsec tunnel 1 and IPsec tunnel 2.]

"Active/standby" link redundancy: topology and requirements (built on physical interfaces )

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: the two physical interfaces of gateway A apply different IPSec policies; the two Tunnel interfaces of gateway B apply different IPSec policies (tunnelled).

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: gateway A and gateway B each steer traffic with static or dynamic routes together with IP-Link.

[Figure: Site1 LAN 192.168.1.0/24 on G0/0/0, egress G0/0/1 202.100.1.0/24 and G0/0/2 202.100.2.0/24; Site2 LAN 10.1.1.0/24 on G0/0/0, egress G0/0/1 202.101.1.0/24; IPsec tunnel 1 and IPsec tunnel 2.]

"Active/active" link redundancy: topology and requirements (built on physical interfaces )

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: the two physical interfaces of gateway A apply different IPSec policies; the two physical interfaces of gateway B apply different IPSec policies.

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: gateway A and gateway B each steer traffic with static or dynamic routes together with IP-Link.

[Figure: LANs 192.168.1.0/24 (Site1) and 10.1.1.0/24 (Site2) on G0/0/0; links 202.100.1.0/24 (G0/0/1) and 202.100.2.0/24 (G0/0/2) on one side, 203.100.1.0/24 (G0/0/1) and 203.100.2.0/24 (G0/0/2) on the other; IPsec tunnel 1 and IPsec tunnel 2.]

"Active/active" link redundancy: topology and requirements (built on physical interfaces )

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: the two physical interfaces of gateway A apply different IPSec policies; the two Tunnel interfaces of gateway B apply different IPSec policies (tunnelled).

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: steer traffic with static or dynamic routes together with IP-Link.

[Figure: Site1 LAN 192.168.1.0/24 on G0/0/0, egress G0/0/1 202.100.1.0/24 and G0/0/2 202.100.2.0/24; Site2 LAN 10.1.1.0/24 on G0/0/0, egress G0/0/1 202.101.1.0/24; IPsec tunnel 1 and IPsec tunnel 2.]

"Active/active / active/standby" link redundancy topology (built on Loopback interfaces )

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: gateway A and gateway B each apply the IPSec policy on a Loopback interface. The Loopback interface must be configured with a public address.

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: advertise the Loopback address into both egress ISPs, and steer traffic with static or dynamic routes together with IP-Link.

[Figure: Site2 LAN 10.1.1.0/24, G0/0/1 202.101.1.0/24, Loopback interface on G0/0/0 side; Site1 LAN 192.168.1.0/24, G0/0/1 202.100.1.0/24 and G0/0/2 202.100.2.0/24, Loopback interface; IPsec tunnel 1.]

Case Study 1: active/standby link redundancy, topology and requirements

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: the two physical interfaces of gateway A apply different IPSec policies; the two Tunnel interfaces of gateway B apply different IPSec policies (tunnelled).

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: steer traffic with static or dynamic routes together with IP-Link.

[Figure: Site1 LAN 192.168.1.0/24 (server .1, gateway G0/0/0 .254); Site1 G0/0/1 202.100.1.0/24 (.1, ISP .254) and G0/0/2 202.100.2.0/24 (.1, ISP .254); Site2 G0/0/1 202.101.1.0/24 (.1, ISP .254); Site2 LAN 10.1.1.0/24 (gateway G0/0/0 .254, server .1); IPsec tunnel 1 and IPsec tunnel 2.]

Basic network configuration (routers)

sysname Site1-Server
#
interface GigabitEthernet 0/0/0
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

sysname Internet
#
interface GigabitEthernet 0/0/0
 ip address 202.101.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.100.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 202.100.2.254 255.255.255.0

sysname Site2-Server
#
interface GigabitEthernet 0/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.254

Basic network configuration ( )

sysname Site1
#
interface GigabitEthernet 0/0/0
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.100.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 202.100.2.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2

sysname Site2
#
interface GigabitEthernet 0/0/0
 ip address 10.1.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.101.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.254
#
firewall zone untrust
 add interface GigabitEthernet0/0/1

Site1: configure IP-Link for the dual links and the related routes

ip-link check enable
ip-link 1 destination 202.101.1.1 interface g0/0/1 mode icmp next-hop 202.100.1.1
#
ip route-static 0.0.0.0 0.0.0.0 202.100.1.254 preference 10 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.254 preference 20

The primary default route (preference 10) is withdrawn whenever IP-Link 1 reports the probe to 202.101.1.1 as down, so the backup route via 202.100.2.254 (preference 20) takes over; when the probe succeeds again the primary route returns and traffic switches back.

Site1: configure the interzone policy permitting the traffic to be encrypted

security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 192.168.1.0 24
  action permit

Site1: configure the interzone policy permitting the IKE traffic

 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 202.100.1.1 32
  source-address 202.100.2.1 32
  destination-address 202.101.1.1 32
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 202.101.1.1 32
  destination-address 202.100.1.1 32
  destination-address 202.100.2.1 32
  action permit

Site1: configure the ACLs defining the traffic to be protected

#
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Site1: configure the security proposals

ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha1
#
ipsec proposal trans1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
 encapsulation-mode tunnel

Site1: configure the IKE peer

ike peer site2
 pre-shared-key Key123
 ike-proposal 10
 undo version 2
 remote-address 202.101.1.1

Site1: configure the IPsec policy groups

ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer site2
 proposal trans1
#
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer site2
 proposal trans1

Site1: apply the IPsec policy groups on the interfaces

interface GigabitEthernet0/0/1
 ipsec policy map1 auto-neg
#
interface GigabitEthernet0/0/2
 ipsec policy map2 auto-neg

Site2: configure the two Tunnel interfaces used to establish the IPsec tunnels

interface Tunnel1
 ip address unnumbered interface GigabitEthernet0/0/1
 tunnel-protocol ipsec
#
interface Tunnel2
 ip address unnumbered interface GigabitEthernet0/0/1
 tunnel-protocol ipsec
#
firewall zone untrust
 add interface Tunnel1
 add interface Tunnel2

Site2: configure the interzone policy permitting the traffic to be encrypted

security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 192.168.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 24
  destination-address 10.1.1.0 24
  action permit

Site2: configure the interzone policy permitting the IKE traffic

 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 202.101.1.1 32
  destination-address 202.100.1.1 32
  destination-address 202.100.2.1 32
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 202.100.1.1 32
  source-address 202.100.2.1 32
  destination-address 202.101.1.1 32
  action permit

Site2: configure IP-Link for the dual links and the related routes

ip-link check enable
ip-link 1 destination 202.100.1.1 interface g0/0/1 mode icmp next-hop 202.101.1.1
#
ip route-static 192.168.1.0 255.255.255.0 Tunnel 1 preference 10 track ip-link 1
ip route-static 192.168.1.0 255.255.255.0 Tunnel 2 preference 20

Both routes to the Site1 LAN point at Tunnel interfaces rather than physical links: Tunnel 1 (towards 202.100.1.1) is preferred while IP-Link 1 is up, and Tunnel 2 (towards 202.100.2.1) carries the traffic otherwise.

Site2: configure the ACLs defining the traffic to be protected

#
acl number 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Site2: configure the security proposals

ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha1
#
ipsec proposal trans1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
 encapsulation-mode tunnel

Site2: configure the IKE peers

ike peer site1a
 pre-shared-key Key123
 ike-proposal 10
 undo version 2
 remote-address 202.100.1.1
#
ike peer site1b
 pre-shared-key Key123
 ike-proposal 10
 undo version 2
 remote-address 202.100.2.1

Site2: configure the IPsec policy groups

ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer site1a
 proposal trans1
#
ipsec policy map2 10 isakmp
 security acl 3001
 ike-peer site1b
 proposal trans1

Site2: apply the IPsec policy groups on the interfaces

interface Tunnel 1
 ipsec policy map1
#
interface Tunnel 2
 ipsec policy map2

1. Link redundancy: "active/standby" and "active/active" link redundancy; tunnelled link redundancy; full-mesh network
2. Device redundancy

"Active/active / active/standby" link redundancy topology (tunnelled)

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: gateway A uses Tunnel (tunnelling) technology to build one ( ) tunnel; gateway B uses a physical interface to build one ( ) tunnel.

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link. The IPSec tunnel does not need to be renegotiated, so traffic switchover completes quickly.
Configuration: steer traffic to the Tunnel interface with static or dynamic routes together with IP-Link.

[Figure: Site2 LAN 10.1.1.0/24, G0/0/1 202.101.1.0/24 (physical interface); Site1 LAN 192.168.1.0/24, G0/0/1 202.100.1.0/24 and G0/0/2 202.100.2.0/24, Tunnel interface; IPsec tunnel 1.]

Case Study 2: tunnelled link backup, topology and requirements

Requirement 1: Site1 has two egress links connected to different ISPs; Site2 has only one egress.
Configuration: the Tunnel interface of gateway A applies the IPSec policy (tunnelled); the physical interface of gateway B applies the IPSec policy.

Requirement 2: when the primary link at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: gateway A steers traffic with static or dynamic routes together with IP-Link.

[Figure: Site1 LAN 192.168.1.0/24 (server .1, gateway G0/0/0 .254), G0/0/1 202.100.1.0/24 (.1, ISP .254) and G0/0/2 202.100.2.0/24 (.1, ISP .254), Tunnel interface; Site2 G0/0/1 202.101.1.0/24 (.1, ISP .254), LAN 10.1.1.0/24 (gateway G0/0/0 .254, server .1); one IPsec tunnel.]

Basic network configuration (routers)

sysname Site1-Server
#
interface GigabitEthernet 0/0/0
 ip address 192.168.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

sysname Internet
#
interface GigabitEthernet 0/0/0
 ip address 202.101.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.100.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 202.100.2.254 255.255.255.0

sysname Site2-Server
#
interface GigabitEthernet 0/0/0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.254

Basic network configuration ( )

sysname Site1
#
interface GigabitEthernet 0/0/0
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.100.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 202.100.2.1 255.255.255.0
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2

sysname Site2
#
interface GigabitEthernet 0/0/0
 ip address 10.1.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.101.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.254
#
firewall zone untrust
 add interface GigabitEthernet0/0/1

Site1: configure the Tunnel interface used to establish the IPsec tunnel

interface Tunnel1
 ip address 1.1.1.1 24
 tunnel-protocol ipsec
#
firewall zone untrust
 add interface Tunnel1

Site1: configure IP-Link for the dual links and the related routes

ip-link check enable
ip-link 1 destination 202.101.1.1 interface g0/0/1 mode icmp next-hop 202.100.1.1
#
ip route-static 202.101.1.1 255.255.255.255 202.100.1.254 preference 10 track ip-link 1
ip route-static 202.101.1.1 255.255.255.255 202.100.2.254 preference 20
ip route-static 10.1.1.0 255.255.255.0 tunnel 1

The traffic to the Site2 LAN is routed into Tunnel 1; the two host routes to the peer address 202.101.1.1 decide which physical link carries the tunnel, so a link failure changes only the underlying route and the IPSec tunnel itself stays up.

Site1: configure the interzone policy permitting the traffic to be encrypted

security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 192.168.1.0 24
  action permit

Site1: configure the interzone policy permitting the IKE traffic

 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 202.100.1.1 32
  source-address 202.100.2.1 32
  source-address 1.1.1.1 32
  destination-address 202.101.1.1 32
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 202.101.1.1 32
  destination-address 202.100.1.1 32
  destination-address 202.100.2.1 32
  destination-address 1.1.1.1 32
  action permit

Site1: configure the ACLs defining the traffic to be protected

#
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Site1: configure the security proposals

ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha1
#
ipsec proposal trans1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
 encapsulation-mode tunnel

Site1: configure the IKE peer

ike peer site2
 pre-shared-key Key123
 ike-proposal 10
 undo version 2
 remote-address 202.101.1.1

Site1: configure the IPsec policy group

ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer site2
 proposal trans1

Site1: apply the IPsec policy group on the interface

interface Tunnel1
 ipsec policy map1 auto-neg
#

Site2: configure the interzone policy permitting the traffic to be encrypted

security-policy
 rule name policy_ipsec_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 192.168.1.0 24
  action permit
 rule name policy_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 24
  destination-address 10.1.1.0 24
  action permit

Site2: configure the interzone policy permitting the IKE traffic

 rule name policy_ipsec_3
  source-zone local
  destination-zone untrust
  source-address 202.101.1.1 32
  destination-address 202.100.1.1 32
  destination-address 202.100.2.1 32
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 202.100.1.1 32
  source-address 202.100.2.1 32
  destination-address 202.101.1.1 32
  action permit

Site2: configure the ACLs defining the traffic to be protected

#
acl number 3000
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3001
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

Site2: configure the security proposals

ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha1
#
ipsec proposal trans1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
 encapsulation-mode tunnel

Site2: configure the IKE peer

ike peer site1a
 pre-shared-key Key123
 ike-proposal 10
 undo version 2
 remote-address 1.1.1.1

Site2: configure the IPsec policy group

ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer site1a
 proposal trans1

Site2: apply the IPsec policy group on the interface

interface GigabitEthernet 0/0/1
 ipsec policy map1
#

1. Link redundancy: "active/standby" and "active/active" link redundancy; tunnelled link redundancy; full-mesh network
2. Device redundancy

Full-mesh network

When all nodes in the network need to communicate with each other, or the traffic between them is heavy, a mesh structure can be used to build ( ). Every node accesses the Internet on its own, and a node going down does not affect the other nodes. This structure suits the interconnection of several nodes of equal importance.

[Figure: Site1 LAN 192.168.1.0/24 on G0/0/0, G0/0/1 202.100.1.0/24; Site2 LAN 10.1.1.0/24, G0/0/1 202.101.1.0/24; Site3 LAN 10.1.2.0/24, G0/0/1 202.102.1.0/24; IPsec tunnels between the G0/0/1 interfaces of the three sites.]

Case Study: full-mesh network configuration (Site1)

ike peer b
 exchange-mode auto
 pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
 ike-proposal 1
 remote-id-type ip 202.38.169.1
 remote-address 202.38.169.1
#
ike peer c
 exchange-mode auto
 pre-shared-key %$%$c([VET@941t/q_4tS-f7,ri/%$%$
 ike-proposal 2
 remote-id-type ip 202.38.170.1
 remote-address 202.38.170.1
#
ipsec proposal b
 encapsulation-mode auto
#
ipsec proposal c
 encapsulation-mode auto
#
ipsec policy map1 1 isakmp
 security acl 3000
 ike-peer b
 alias policy1
 proposal b
 local-address 202.38.163.1
ipsec policy map1 2 isakmp
 security acl 3001
 ike-peer c
 alias policy2
 proposal c
 local-address 202.38.163.1
#
interface GigabitEthernet0/0/1
 ipsec policy map1

Key configuration of the Site1 gateway; the security gateways of the other sites are configured in the same way, each with one IKE peer and one policy entry per remote site, all bound to a single policy group on the egress interface.

1. Link redundancy
2. Device redundancy: IPSec gateway active/standby backup

Device redundancy

Active/standby device redundancy: the IPSec gateways use an active/standby backup mechanism, so that when one device fails, traffic switches smoothly to the standby device.

IPSec gateway active/standby backup

Requirements: Site1 has two gateways, each with one public egress connected to the same ISP; Site2 has only one public egress. When a device at Site1 fails, traffic automatically switches to the backup link; when the primary link recovers, traffic automatically switches back to the primary link.
Configuration: the Site2 gateway establishes the IPsec tunnel with the Site1 virtual address.
Configuration: Gateway1 and Gateway2 enable the HA function and generate one virtual address on the intranet side and one on the ( ) side; the ( )-side virtual address occupies one public address.

[Figure: branch Site2 LAN 10.6.1.0/24 (Gi0/0/1 .1, server .100), public link 202.10.1.0/24 (.2, ISP .254); headquarters Gateway1 (Gi0/0/3 10.100.10.3, Gi0/0/2 202.38.10.6, Gi1/0/1 10.2.2.2) and Gateway2 (Gi0/0/3 10.100.10.4, Gi0/0/2 202.38.10.5, Gi1/0/1 10.2.2.3), LAN 10.100.10.0/24, public link 202.38.10.0/24 (ISP .254), heartbeat link 10.2.2.0/24; IPsec tunnel.]

Basic network configuration (routers)

sysname Site1-Server
#
interface GigabitEthernet 0/0/0
 ip address 10.100.10.100 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.100.10.1

sysname Internet
#
interface GigabitEthernet 0/0/0
 ip address 202.10.1.254 255.255.255.0
#
interface GigabitEthernet 0/0/1
 ip address 202.38.10.254 255.255.255.0
#

sysname Site2-Server
#
interface GigabitEthernet 0/0/0
 ip address 10.6.1.100 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.6.1.1

Basic network configuration ( -Site1)

sysname Gateway1
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 add interface GigabitEthernet1/0/1
#
interface GigabitEthernet 1/0/1
 ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet 1/0/2
 ip address 202.38.10.6 255.255.255.0
#
interface GigabitEthernet 1/0/3
 ip address 10.100.10.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.38.10.254

sysname Gateway2
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 add interface GigabitEthernet1/0/1
#
interface GigabitEthernet 1/0/1
 ip address 10.2.2.3 255.255.255.0
#
interface GigabitEthernet 1/0/2
 ip address 202.38.10.5 255.255.255.0
#
interface GigabitEthernet 1/0/3
 ip address 10.100.10.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.38.10.254

Basic network configuration ( -Site2)

sysname Site2
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
#
interface GigabitEthernet 1/0/3
 ip address 10.6.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
 ip address 202.10.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.254

Site1 (Gateway1): configure the interzone policy permitting the traffic to be encrypted

security-policy
 rule name policy_ipsec_2
  source-zone trust
  destination-zone untrust
  source-address 10.100.10.0 24
  destination-address 10.6.1.0 24
  action permit
 rule name policy_ipsec_3
  source-zone untrust
  destination-zone trust
  source-address 10.6.1.0 24
  destination-address 10.100.10.0 24
  action permit

Site1 (Gateway1): configure the interzone policy permitting the IKE traffic

security-policy
 rule name policy_ipsec_1
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name policy_ipsec_4
  source-zone untrust
  destination-zone local
  source-address 202.10.1.2 32
  destination-address 202.38.10.0 24
  action permit
 rule name policy_ipsec_5
  source-zone local
  destination-zone untrust
  source-address 202.38.10.0 24
  destination-address 202.10.1.2 32
  action permit

policy_ipsec_1 permits the traffic between the local zone and the dmz zone, which is where the heartbeat interface GigabitEthernet1/0/1 sits; policy_ipsec_4 and policy_ipsec_5 permit IKE between the Site2 address 202.10.1.2 and the whole 202.38.10.0/24 segment, which covers both gateways' real addresses and the shared virtual address.

Site1: configure the ACL defining the traffic to be protected

Gateway1:
acl 3003
 rule permit ip source 10.100.10.0 0.0.0.255 destination 10.6.1.0 0.0.0.255

Gateway2:
acl 3003
 rule permit ip source 10.100.10.0 0.0.0.255 destination 10.6.1.0 0.0.0.255

Site1 (Gateway1): configure the security proposals

ike proposal 10
 authentication-method pre-share
 authentication-algorithm sha1
#
ipsec proposal trans1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
 encapsulation-mode tunnel

Site1 (Gateway1): configure the IKE peer

ike peer site2
 pre-shared-key Key123
 ike-proposal 10
 undo version 2
 remote-address 202.101.1.1

Site1 (Gateway1): configure the IPsec policy group

ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer site2
 proposal trans1

HA configuration ( -Site1)

Gateway1:
#
hrp enable
hrp interface GigabitEthernet 1/0/1
#
interface GigabitEthernet 1/0/2
 ip address 202.38.10.6 255.255.255.0
 vrrp vrid 2 virtual-ip 202.38.10.1 24 active
 ipsec policy map1 auto-neg
#
interface GigabitEthernet 1/0/3
 ip address 10.100.10.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.100.10.2 24 active

Gateway2:
#
hrp enable
hrp interface GigabitEthernet 1/0/1
#
interface GigabitEthernet 1/0/2
 ip address 202.38.10.5 255.255.255.0
 vrrp vrid 2 virtual-ip 202.38.10.1 24 standby
 ipsec policy map1 auto-neg
#
interface GigabitEthernet 1/0/3
 ip address 10.100.10.4 255.255.255.0
 vrrp vrid 1 virtual-ip 10.100.10.2 24

HRP runs over GigabitEthernet 1/0/1 (the dmz-zone heartbeat link). VRRP group 2 provides the public virtual address 202.38.10.1 that Site2 peers with, and VRRP group 1 provides the intranet virtual address 10.100.10.2; the same IPsec policy group map1 is bound on both gateways' public interfaces so the standby can take over the tunnel.
