Firewall / Layer 2 / OSPF / WLAN combined configuration (a quick filler post)

Topology diagram

[Topology image: 1732714992823-fgpf.png (not reproduced in this text)]

Wireless part

  • Management configuration requirements
  1. SSIDs: HCIE-2.4G and HCIE-5G
  2. Management VLAN plan: VLAN 99
  • Service requirements
  1. AP1 service VLAN: 10.10.10.0/24
  2. AP2 service VLAN: 10.10.20.0/24
  3. AP1 service password: HCIE-ap1
  4. AP2 service password: HCIE-ap2
  5. Forwarding mode: tunnel forwarding
  6. WLAN DHCP server: implemented on SW1 with a global address pool
  7. Layer 2 networking

AP management onboarding (done)

AC1

system-view
sysname AC1
dhcp enable
vlan batch 99
interface Vlanif 99
    ip address 10.10.99.254 24
# the APs get their management address from this interface address pool
    dhcp select interface
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid tagged vlan 99
wlan
# lab only: APs are accepted without MAC/SN authentication, so any AP that reaches VLAN 99 can register
    ap auth-mode no-auth
    quit
capwap source interface Vlanif 99

SW1

system-view
sysname SW1
vlan batch 99
interface Vlanif 99
    ip address 10.10.99.253 24
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid tagged vlan 99
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid tagged vlan 99
interface GigabitEthernet 0/0/3
    port link-type hybrid
    port hybrid tagged vlan 99

SW2

system-view
sysname SW2
vlan batch 99
interface Vlanif 99
    ip address 10.10.99.252 24
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid tagged vlan 99
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid tagged vlan 99

SW3

system-view
sysname SW3
vlan batch 99
interface Vlanif 99
    ip address 10.10.99.251 24
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid tagged vlan 99
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid tagged vlan 99

SW4

system-view
sysname SW4
vlan batch 99
interface Vlanif 99
    ip address 10.10.99.250 24
# AP-facing port: untagged VLAN 99 with PVID 99, so the AP's untagged CAPWAP traffic lands in the management VLAN
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid untagged vlan 99
    port hybrid pvid vlan 99
interface GigabitEthernet 0/0/3
    port link-type hybrid
    port hybrid tagged vlan 99

SW5

system-view
sysname SW5
vlan batch 99
interface Vlanif 99
    ip address 10.10.99.249 24
# AP-facing port, same pattern as on SW4
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid untagged vlan 99
    port hybrid pvid vlan 99
interface GigabitEthernet 0/0/3
    port link-type hybrid
    port hybrid tagged vlan 99

AP service onboarding (done)

Service configuration on the AC

system-view
wlan
ap-id 0
    ap-name AP1
ap-id 1
    ap-name AP2
ssid-profile name HCIE-2.4G
    ssid HCIE-2.4G
ssid-profile name HCIE-5G
    ssid HCIE-5G
security-profile name HCIE-AP1
    security wpa2 psk pass-phrase HCIE-ap1 aes
security-profile name HCIE-AP2
    security wpa2 psk pass-phrase HCIE-ap2 aes
# tunnel forwarding: user traffic is carried back to the AC inside CAPWAP, so the service VLANs only need to exist on the AC's uplink path
vap-profile name AP1
    forward-mode tunnel
    service-vlan vlan-id 111
    ssid-profile HCIE-2.4G
    security-profile HCIE-AP1
vap-profile name AP2
    forward-mode tunnel
    service-vlan vlan-id 222
    ssid-profile HCIE-5G
    security-profile HCIE-AP2
# radio 0 is the 2.4 GHz radio, radio 1 the 5 GHz radio
ap-group name AP1
    vap-profile AP1 wlan 1 radio 0
ap-group name AP2
    vap-profile AP2 wlan 1 radio 1
ap-id 0
    ap-group AP1
ap-id 1
    ap-group AP2

Allow the service VLANs on the AC uplink

system-view
vlan batch 111 222
interface GigabitEthernet 0/0/1
    port hybrid tagged vlan 111 222

SW1: DHCP global address pools / allow the service VLANs

system-view

dhcp enable
vlan batch 111 222

interface GigabitEthernet 0/0/3
    port hybrid tagged vlan 111 222

# global pools for the two wireless service VLANs; the gateway of each pool is the matching Vlanif address below
ip pool vlan111
    gateway-list 10.10.10.254
    network 10.10.10.0 mask 24
ip pool vlan222
    gateway-list 10.10.20.254
    network 10.10.20.0 mask 24
interface Vlanif 111
    ip address 10.10.10.254 24
    dhcp select global
interface Vlanif 222
    ip address 10.10.20.254 24
    dhcp select global

Wired part

Devices below SW1 (the PCs)

SW1

return
system-view

vlan batch 102 to 103

interface Vlanif 102
    ip address 10.10.102.254 24
interface Vlanif 103
    ip address 10.10.103.254 24

interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid tagged vlan 102
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid tagged vlan 103
# static routes to the user subnets behind SW2 (via VLAN 102) and SW3 (via VLAN 103)
ip route-static 10.10.50.0 24 10.10.102.253
ip route-static 10.10.12.0 24 10.10.102.253

ip route-static 10.10.60.0 24 10.10.103.253
ip route-static 10.10.21.0 24 10.10.103.253

SW2

system-view
dhcp enable

vlan batch 102 50 12
interface Vlanif 102
    ip address 10.10.102.253 24
# user VLANs 50 and 12 hand out addresses from their own interface pools
interface Vlanif 50
    ip address 10.10.50.254 24
    dhcp select interface
interface Vlanif 12
    ip address 10.10.12.254 24
    dhcp select interface
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid tagged vlan 102
interface GigabitEthernet 0/0/3
    port link-type hybrid
    port hybrid untagged vlan 50
    port hybrid pvid vlan 50
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid untagged vlan 12
    port hybrid pvid vlan 12

SW3

system-view
dhcp enable

vlan batch 103 60 21
interface Vlanif 103
    ip address 10.10.103.253 24
interface Vlanif 60
    ip address 10.10.60.254 24
    dhcp select interface
interface Vlanif 21
    ip address 10.10.21.254 24
    dhcp select interface
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid tagged vlan 103
interface GigabitEthernet 0/0/3
    port link-type hybrid
    port hybrid untagged vlan 60
    port hybrid pvid vlan 60
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid untagged vlan 21
    port hybrid pvid vlan 21

Devices above SW1 (every device can ping the firewall)

SW1

vlan batch 11
interface Vlanif 11
    ip address 192.168.11.253 24
interface GigabitEthernet 0/0/4
    port link-type hybrid
    port hybrid untagged vlan 11
    port hybrid pvid vlan 11

R1

system-view
sysname R1
interface GigabitEthernet 0/0/0
    ip address 192.168.11.254 24
interface GigabitEthernet 0/0/1
    ip address 100.100.110.253 30

FW

system-view
sysname FW1

vsys enable

# two virtual systems, one per side; each owns one physical interface
vsys name InSide
    assign interface GigabitEthernet 1/0/1
vsys name OutSide
    assign interface GigabitEthernet 1/0/0
return
system-view
switch vsys InSide
system-view
firewall zone trust
    add interface GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/1
    ip address 100.100.110.254 30
# lab only: opens every management service (ping, ssh, http and so on) on the interface
    service-manage all permit
# lab shortcut: this rule permits everything; see the policy example at the end for an explicit permit-plus-deny layout
security-policy
    rule name AllPermit
        action permit
return
system-view
switch vsys OutSide
system-view
firewall zone untrust
    add interface GigabitEthernet 1/0/0
interface GigabitEthernet 1/0/0
    ip address 100.100.120.253 30
    service-manage all permit
security-policy
    rule name AllPermit
        action permit

R2

system-view
sysname R2
interface GigabitEthernet 0/0/0
    ip address 100.100.120.254 30
interface GigabitEthernet 0/0/1
    ip address 192.168.22.253 24

SW2

system-view
sysname SW2

vlan batch 22 70
interface Vlanif 22
    ip address 192.168.22.254 24
interface Vlanif 70
    ip address 10.10.70.254 24
interface GigabitEthernet 0/0/2
    port link-type hybrid
    port hybrid untagged vlan 22
    port hybrid pvid vlan 22
interface GigabitEthernet 0/0/1
    port link-type hybrid
    port hybrid untagged vlan 70
    port hybrid pvid vlan 70

Server

ip       10.10.70.253 24
gateway  10.10.70.254

Get routing working so that the whole network can ping the firewall

Simply run OSPF on every device and advertise with an all-zeros network statement (network 0.0.0.0 0.0.0.0).

Communication between the two vsys on the firewall

return
system-view
switch vsys InSide
system-view
# each vsys talks to the root (public) system through its own Virtual-if interface
interface Virtual-if 1
    ip address 1.1.1.1 32
firewall zone trust
    add interface Virtual-if 1
return
system-view
switch vsys OutSide
system-view
interface Virtual-if 2
    ip address 2.2.2.2 32
firewall zone untrust
    add interface Virtual-if 2
# each vsys reaches the other side's transit /30 via the public system ...
return
system-view
switch vsys InSide
system-view
ip route-static 100.100.120.252 30 public
return
system-view
switch vsys OutSide
system-view
ip route-static 100.100.110.252 30 public
# ... and the public system hands the traffic into the vsys that owns the destination
return
system-view
ip route-static 100.100.120.252 30 vpn-instance OutSide
ip route-static 100.100.110.252 30 vpn-instance InSide

Devices on both sides communicating across the firewall

First run OSPF on all the devices on both sides, then configure the static routes shown on the right on the firewall, and that is all.
Note that a default route pointing to the firewall needs to be added.

Firewall policy

# An example: one narrow permit followed by an explicit deny-all
return
system-view
switch vsys InSide
system-view
security-policy
    rule name FTP
        service ftp
# replace x.x.x.x with the source network that is allowed to use FTP
        source-address x.x.x.x
        action permit
    rule name DENY
        action deny
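The two AllPermit rules in the vsys configuration and the FTP/DENY example above are the two ends of the same spectrum, so a small checker that tells them apart is useful when reviewing lab configs before they are copied anywhere real. The following Python script is an added example, not code from the original notes: it parses security-policy blocks written in the same abbreviated VRP style used on this page (expanding unique prefixes such as "sec" and "ser" the way the CLI does), and flags permit rules that carry no match condition as well as policies that do not end in an explicit deny. The two policy texts embedded in it are constructed copies of the page's own rules.

```python
"""Audit Huawei VRP security-policy rules for over-broad permits.

Added example, not from the original lab notes. It parses the abbreviated
VRP syntax used on this page ("sec" for security-policy, "ser" for service)
and reports permit rules that carry no match condition at all.
"""
from dataclasses import dataclass, field

# Constructed sample input: the AllPermit policy from the vsys configuration
# above and the FTP/DENY example, in the same abbreviated style.
ALLPERMIT_POLICY = """\
sec
    rule name AllPermit
    action permit
"""

FTP_POLICY = """\
security-policy
    rule name FTP
        ser ftp
        source-address x.x.x.x
        action permit
    rule name DENY
        action deny
"""

# Keywords a policy line may start with. VRP accepts any unambiguous prefix,
# so "ser ftp" is "service ftp" and "sec" is "security-policy".
KEYWORDS = (
    "security-policy", "rule", "action", "service",
    "source-zone", "destination-zone", "source-address", "destination-address",
)
MATCH_KEYWORDS = KEYWORDS[3:]


@dataclass
class Rule:
    name: str
    action: str = "unset"                 # permit, deny, or unset
    matches: dict = field(default_factory=dict)


def expand(token: str) -> str:
    """Expand an abbreviated keyword the way the CLI does: unique prefix match."""
    hits = [k for k in KEYWORDS if k.startswith(token.lower())]
    return hits[0] if len(hits) == 1 else token


def parse_policy(text: str) -> list:
    """Turn a security-policy block into Rule objects, in rule order."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue                      # "security-policy" / "sec" / blank lines
        key = expand(parts[0])
        if key == "rule" and len(parts) >= 3 and parts[1] == "name":
            rules.append(Rule(name=parts[2]))
        elif key == "action" and rules:
            rules[-1].action = parts[1].lower()
        elif key in MATCH_KEYWORDS and rules:
            rules[-1].matches[key] = " ".join(parts[1:])
    return rules


def audit(rules: list) -> list:
    """Return findings as strings; an empty list means the policy passed."""
    findings = []
    for r in rules:
        if r.action == "permit" and not r.matches:
            findings.append(f"rule {r.name} permits traffic with no match conditions")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.matches:
        findings.append("no explicit deny-all rule at the end of the policy")
    return findings


if __name__ == "__main__":
    for label, text in (("AllPermit", ALLPERMIT_POLICY), ("FTP example", FTP_POLICY)):
        print(label, "->", audit(parse_policy(text)) or ["ok"])
```

Run against the page's rules, the AllPermit policy produces two findings (an unconditional permit and no trailing deny) while the FTP example passes. The USG default policy action is already deny, so the trailing DENY rule is not what blocks the traffic; it makes the intent visible in the rule list and gives a place to hang logging, which is why the checker insists on it. Because matching is prefix-based, the checker copes with hand-typed abbreviations, but a prefix that matches more than one keyword (such as a bare "s") is left alone rather than guessed.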