I. Lab objective and topology
Objective: build a traffic inspection and scrubbing function between the source network and the destination network. Traffic is diverted and reinjected by means of BGP routing, with a firewall acting as the inspection and scrubbing device.
II. Basic configuration
(1) Configure the IP address of each interface as shown in the topology diagram.
(2) Run OSPF between R1, R2 and FW1, enabling OSPF on every interface so that IGP routes are mutually reachable.
(3) On FW1, place interface g1/0/0 in the untrust zone, interface g1/0/1 in the trust zone, and the tunnel interface in the dmz zone.
(4) Set the security policy on FW1 to permit all.
III. Detailed configuration
(1) Establish a BGP peering between R1 and FW1
[R1-bgp]dis th
#
bgp 65000
peer 10.1.121.12 as-number 65000
#
ipv4-family unicast
undo synchronization
peer 10.1.121.12 enable
#
[FW1-bgp]dis th
#
bgp 65000
peer 10.1.121.1 as-number 65000
#
ipv4-family unicast
undo synchronization
peer 10.1.121.1 enable
#
(2) On FW1, configure a /32 static route to the server and advertise it into BGP toward R1, so that R1's routing table diverts traffic destined for the server to FW1
[FW1]ip route-static 10.1.20.10 32 10.1.122.1
[FW1-bgp]dis th
#
bgp 65000
peer 10.1.121.1 as-number 65000
#
ipv4-family unicast
undo synchronization
network 10.1.20.10 255.255.255.255
peer 10.1.121.1 enable
#
<R1>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.20.0/24 OSPF 10 2 D 10.1.12.2 GigabitEthernet
0/0/3
10.1.20.10/32 IBGP 255 0 RD 10.1.121.12 GigabitEthernet
0/0/1
(3) Establish a GRE tunnel between FW1's loopback interface and R2's loopback interface, configure a static route so that the route to the server points at the tunnel interface, and remove the static route configured earlier
[FW1-Tunnel0]dis th
#
interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre
source LoopBack0
destination 10.1.2.2
#
[R2-Tunnel0/0/0]dis th
[V200R003C00]
#
interface Tunnel0/0/0
ip address 10.1.0.2 255.255.255.0
tunnel-protocol gre
source LoopBack0
destination 10.1.12.12
#
ip route-static 10.1.20.10 255.255.255.255 Tunnel0
undo ip route-static 10.1.20.10 255.255.255.255 10.1.122.1
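As an added illustration (not part of the original lab), a small Python model of why the /32 diversion works and why the cleaned traffic is reinjected through the GRE tunnel rather than handed back to R1 as plain IP: it parses R1's routing table as shown above, performs longest-prefix-match, and checks whether reinjected traffic arriving at R1 would be pulled back to FW1 by the same /32. The parse_vrp_table, lookup and reinjection_loops functions and the 10.1.2.2/32 row are assumptions of this example.

```python
import ipaddress
import re

# R1's "display ip routing-table" rows from the page. VRP wraps long interface
# names onto the next line, so the parser re-joins them. The 10.1.2.2/32 row is
# a constructed addition (R2's loopback learned via OSPF) and is not on the page.
R1_TABLE = """
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.20.0/24 OSPF 10 2 D 10.1.12.2 GigabitEthernet
0/0/3
10.1.20.10/32 IBGP 255 0 RD 10.1.121.12 GigabitEthernet
0/0/1
10.1.2.2/32 OSPF 10 2 D 10.1.12.2 GigabitEthernet
0/0/3
"""
FW1_PEER = "10.1.121.12"  # FW1's address on the R1-FW1 link (from the page)
ROW = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_vrp_table(text):
    """Parse VRP routing-table rows into dicts, joining wrapped interface names."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    routes = []
    for i, line in enumerate(lines):
        m = ROW.match(line)
        if not m:
            continue  # column header or a wrapped interface fragment
        iface = m.group(7)
        if i + 1 < len(lines) and re.fullmatch(r"\S+", lines[i + 1]):
            iface += lines[i + 1]  # "GigabitEthernet" + "0/0/1"
        routes.append({"prefix": ipaddress.ip_network(m.group(1)), "proto": m.group(2),
                       "nexthop": m.group(6), "iface": iface})
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the FIB does; None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen) if hits else None

def reinjection_loops(routes, inner_dst, gre_outer_dst=None):
    """True if R1 would send cleaned traffic straight back to FW1. Reinjected
    plainly, R1 looks up the server address again and hits the /32; through
    the GRE tunnel it looks up the outer destination (R2's loopback) instead."""
    r = lookup(routes, gre_outer_dst or inner_dst)
    return r is not None and r["nexthop"] == FW1_PEER

if __name__ == "__main__":
    r1 = parse_vrp_table(R1_TABLE)
    print(lookup(r1, "10.1.20.10")["nexthop"], lookup(r1, "10.1.20.11")["nexthop"])
    print(reinjection_loops(r1, "10.1.20.10"), reinjection_loops(r1, "10.1.20.10", "10.1.2.2"))
```

Only the server's own address is diverted; any other host in 10.1.20.0/24 still follows the OSPF path, which is the reason a /32 rather than the /24 is advertised from FW1.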
IV. Verification of results
PC>tracert 10.1.20.10
traceroute to 10.1.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.10.1 15 ms 16 ms 31 ms
2 10.1.121.12 31 ms 47 ms 47 ms
3 10.1.0.2 63 ms 46 ms 63 ms
4 10.1.20.10 47 ms 62 ms 32 ms