Dual Redundant Link Implementation (Part 2 of 2)
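Topology

Basic requirements

Address reachability:
- The egress routers' addresses can reach the border firewalls and interoperate with the internal network.
- The firewalls pass traffic through at layer 3, i.e. all security zones can reach one another.
- Internal addresses and external addresses can reach each other (no access control for now).

Device backup redundancy:
- Active/standby firewall redundancy based on the two core switches (each core switch corresponds to one backup group).
- Backup redundancy for the dual-path egress routers.

Egress router

Dual-path static routes

ISP A

ISP B

Firewall configuration

All zones interconnected (pass-through)

Static routes

Redundancy and backup

vrid 1

Border firewall A:

```
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.40.3 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.40.200 active
 vrrp virtual-mac enable
 gateway 192.168.40.1
 service-manage ping permit
#
hrp enable
hrp interface GigabitEthernet1/0/4 remote 10.0.0.2
hrp auto-sync config static-route
#
```

Border firewall B:

```
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.40.4 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.40.200 standby
 gateway 192.168.40.1
 service-manage ping permit
#
hrp enable
hrp interface GigabitEthernet1/0/2 remote 10.0.0.1
hrp auto-sync config static-route
#
```

vrid 2

Firewall A:

```
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 192.168.41.4 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.41.200 active
 vrrp virtual-mac enable
 gateway 192.168.41.1
 service-manage ping permit
```

Firewall B:

```
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.41.3 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.41.200 standby
 gateway 192.168.41.1
 service-manage ping permit
#
```

Both groups use "Border FW_A" as active.

Core switch

Static routes

Non-service VLANs

These VLANs are divided mainly according to the border firewalls' backup groups, for ease of management and address reachability: vlan40 corresponds to vrid 1, and vlan41 corresponds to vrid 2.

*This configuration is kept in sync with sw-3-2 so that each side can resolve the other's address.

```
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
#
interface Vlanif41
 ip address 192.168.41.1 255.255.255.0
#
```

Scenario simulation

- External hosts can access the web server, and only the web server (server name: dvwa.com, 192.168.45.10); no other resources are accessible. The policy is applied on the active border firewall. In other words, the only domain name registered for public resolution is that of the server that may be accessed.
- The "R&D department" is allowed to access any internal server and the external technical site (tec.com), but not the HR site (hr.com), to stop people from job-hunting while still employed.
- The HR department is allowed to access OA (oa.com) and any external web site.

That is all I can think of for now; more scenario simulations will be added in later updates.

Prerequisite reading: Dual-Core Redundancy, Layer-2 Link Implementation (Part 1 of 2) (eNSP): https://blog.csdn.net/qq_44846097/article/details/157700768?spm1001.2014.3001.5501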
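A consistency check for the VRRP backup-group settings of the two firewall peers, as an added example that is not part of the original post: it parses interface blocks in the format shown above and reports mismatched virtual IPs, wrong active/standby pairing, and virtual IPs or gateways that fall outside the interface subnet. The function names and the sample input are constructed for illustration; treating an off-subnet gateway as an error is an assumption of this check.

```python
import ipaddress
import re

def parse_vrrp(config):
    """Map vrid -> settings for each interface block that has a 'vrrp vrid' line."""
    out = {}
    for block in re.split(r"^#[ \t]*$", config, flags=re.M):
        ifc = re.search(r"^interface (\S+)", block, re.M)
        addr = re.search(r"ip address (\S+) (\S+)", block)
        vrrp = re.search(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", block)
        gw = re.search(r"^\s*gateway (\S+)", block, re.M)
        if ifc and addr and vrrp:
            out[int(vrrp.group(1))] = {
                "ifname": ifc.group(1),
                "net": ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network,
                "vip": ipaddress.ip_address(vrrp.group(2)),
                "role": vrrp.group(3),
                "gw": ipaddress.ip_address(gw.group(1)) if gw else None,
            }
    return out

def lint_pair(cfg_a, cfg_b):
    """Cross-check two firewall peers; return a list of findings (empty = consistent)."""
    a, b, findings = parse_vrrp(cfg_a), parse_vrrp(cfg_b), []
    for vrid in sorted(a.keys() | b.keys()):
        if vrid not in a or vrid not in b:
            findings.append(f"vrid {vrid}: present on one peer only")
            continue
        if a[vrid]["vip"] != b[vrid]["vip"]:
            findings.append(f"vrid {vrid}: virtual-ip differs between peers")
        if {a[vrid]["role"], b[vrid]["role"]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles must be one active, one standby")
        for e in (a[vrid], b[vrid]):
            if e["vip"] not in e["net"]:
                findings.append(f"vrid {vrid}: {e['ifname']} virtual-ip not in {e['net']}")
            if e["gw"] is not None and e["gw"] not in e["net"]:
                findings.append(f"vrid {vrid}: {e['ifname']} gateway {e['gw']} not in {e['net']}")
    return findings

# Constructed sample input modelled on the vrid 2 blocks; peer B's gateway is deliberately off-subnet.
TEMPLATE = """interface GigabitEthernet{port}
 ip address {ip} 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.41.200 {role}
 gateway {gw}
#
"""
FW_A = TEMPLATE.format(port="1/0/5", ip="192.168.41.4", role="active", gw="192.168.41.1")
FW_B = TEMPLATE.format(port="1/0/1", ip="192.168.41.3", role="standby", gw="192.168.40.1")
print("\n".join(lint_pair(FW_A, FW_B)) or "consistent")
```

Running it against the saved configuration of both peers before enabling HRP catches copy-paste slips between backup groups that VRRP itself will not report.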