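Firewall based on the OSPF routing protocol (basic functions)
I. Lab objective
1. Configure firewalls that run the OSPF routing protocol
II. Notes
1. Because OSPF is used, the firewall itself has to process and respond to protocol packets, so security policies must be enabled from the Local zone to the zones that the other interfaces have joined, and also from those zones to Local
III. Firewall security zones
IV. Basic configuration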
FW1
sysname FW1
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  action permit
#
return
FW2
sysname FW2
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 192.168.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  action permit
#
return
FW3
sysname FW3
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 192.168.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  action permit
#
return
FW4
sysname FW4
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.1 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
ospf 1
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
#
security-policy
 rule name policy_sec_1
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  action permit
#
return
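
The requirement in the notes (policies in both directions between Local and every zone that holds an OSPF interface) can be checked mechanically. The following Python audit is an added example, not part of the original lab: it reads a configuration in the style shown above and reports the Local/zone directions that no permit rule covers. The function name `ospf_policy_gaps`, the constructed sample, and treating a rule with no zone listed as matching any zone are assumptions of this sketch.

```python
import ipaddress

# Constructed sample in the style of FW1..FW4; rule narrowed to trust -> local only.
SAMPLE = """\
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
firewall zone trust
 add interface GigabitEthernet1/0/0
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone local
  action permit
"""

def ospf_policy_gaps(cfg):
    """Return (source, destination) zone pairs OSPF needs that no permit rule covers."""
    addr, zone_of, nets, rules = {}, {}, [], []
    iface = zone = None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:1] == ["interface"]:
            iface = w[1]
        elif w[:2] == ["ip", "address"]:
            addr[iface] = ipaddress.ip_address(w[2])
        elif w[:2] == ["firewall", "zone"]:
            zone = w[2]
        elif w[:2] == ["add", "interface"]:
            zone_of[w[2]] = zone
        elif w[:1] == ["network"]:  # OSPF network statements use a wildcard mask
            nets.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
        elif w[:2] == ["rule", "name"]:
            rules.append({"source-zone": set(), "destination-zone": set(), "action": ""})
        elif w[:1] in (["source-zone"], ["destination-zone"]):
            rules[-1][w[0]].add(w[1])
        elif w[:1] == ["action"]:
            rules[-1]["action"] = w[1]
    # Zones that hold an interface whose address falls inside an OSPF network
    zones = {zone_of[i] for i, a in addr.items()
             if i in zone_of and any(a in n for n in nets)}
    def permitted(src, dst):
        # Assumption: a rule that lists no zone for a direction matches any zone
        return any(r["action"] == "permit"
                   and (not r["source-zone"] or src in r["source-zone"])
                   and (not r["destination-zone"] or dst in r["destination-zone"])
                   for r in rules)
    needed = [p for z in sorted(zones) for p in ((z, "local"), ("local", z))]
    return [p for p in needed if not permitted(*p)]
```

On the constructed sample the audit reports the missing `local` to `trust` direction; a rule written like `policy_sec_1` in the configurations above, which lists both zones as source and destination, yields an empty list.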