A place for some technical notes

@Infrastructure engineer

Infrastructure build - Network - Common L3SW-Common FW

<Work in progress...>

Work targets

Host name                 Model          OS
Common L3SW#1 (CMNSW01)   WS-C3550-24
Common L3SW#2 (CMNSW02)   WS-C3550-48
Common FW#1 (CMNFW01)     NetScreen-25
Common FW#2 (CMNFW02)     NetScreen-25

Work overview

・Configure the routes on the outside (Untrust side) of the FW

Items to configure

・(directly connected routes)
・Static routes (note: toward the networks on the inside of the FW)
・Allow ping to the FW interface (Untrust)

Entering the configuration

Common L3SW#1

CMNSW01#configure terminal

!--- Advertise the route to the outside of the FW (10.4.0.0/24) to the ISP
!--- (the running config also carries "redistribute static" with no route-map,
!--- so the static routes below are injected into BGP as well; they appear
!--- with origin "?" in the BGP table)
CMNSW01(config)#router bgp 100
CMNSW01(config-router)#network 10.4.0.0 mask 255.255.255.0
CMNSW01(config-router)#exit

!--- Routes to the inside of the FW are static, next hop = the FW Untrust address
CMNSW01(config)#ip route 10.2.0.0 255.255.255.0 10.4.0.251
CMNSW01(config)#ip route 10.3.0.0 255.255.255.0 10.4.0.251
CMNSW01(config)#exit

Common L3SW#2

CMNSW02#configure terminal

!--- Advertise the route to the outside of the FW (10.4.0.0/24) to the ISP
CMNSW02(config)#router bgp 100
CMNSW02(config-router)#network 10.4.0.0 mask 255.255.255.0
CMNSW02(config-router)#exit

!--- Routes to the inside of the FW are static, next hop = the FW Untrust address
CMNSW02(config)#ip route 10.2.0.0 255.255.255.0 10.4.0.251
CMNSW02(config)#ip route 10.3.0.0 255.255.255.0 10.4.0.251
CMNSW02(config)#exit

Common FW#1

!--- Assign the IP address to the interface and put it in route mode
!--- (note: 10.4.0.251 is meant to be the NSRP address shared by both units;
!--- the "get config" output further down has no "set nsrp" lines and
!--- "get interface" shows no VSD for eth3, so until NSRP is configured the
!--- two firewalls will both claim 10.4.0.251 on VLAN 104)
CMNFW01-> set interface ethernet3 ip 10.4.0.251/24
CMNFW01-> set interface ethernet3 route

!--- Allow ping to the interface
CMNFW01-> set interface ethernet3 manage ping

!--- Deny management access to the service IP (the interface address itself)
!--- (verify in the connectivity check that ping still answers: with
!--- "ip manageable" unset and no manage-ip configured, the interface address
!--- may stop answering management services, ping included)
CMNFW01-> unset interface ethernet3 ip manageable

!--- Set the interface gateway (the HSRP virtual IP of the L3 switches)
CMNFW01-> set interface ethernet3 gateway 10.4.0.254

Common FW#2 (same as #1)

!--- Assign the IP address to the interface and put it in route mode (note: NSRP address)
CMNFW02-> set interface ethernet3 ip 10.4.0.251/24
CMNFW02-> set interface ethernet3 route

!--- Allow ping to the interface
CMNFW02-> set interface ethernet3 manage ping

!--- Deny management access to the service IP (the interface address itself)
CMNFW02-> unset interface ethernet3 ip manageable

!--- Set the interface gateway (the HSRP virtual IP of the L3 switches)
CMNFW02-> set interface ethernet3 gateway 10.4.0.254
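As an added check (example code written for this page, not part of the original memo), the Python script below parses the lines entered above on both switches and on the firewall and verifies the invariants this step relies on: the firewall's gateway must be the HSRP virtual IP (not one of the switches' real addresses, or the failover is lost), the switches' static routes must point at the firewall's Untrust address, both switches must carry the same static routes, and gateway and firewall address must sit in the same subnet. The configuration text is embedded as a constructed sample copied from the memo; point it at real "show running-config" and "get config" output instead.

```python
"""Cross-check the switch-side and firewall-side settings entered above.

Added example for this page, not part of the original memo. It parses the
relevant lines of the Cisco IOS and ScreenOS configurations and verifies the
invariants the Untrust-side routing depends on. The configuration text is a
constructed sample copied from the memo; feed it real "show running-config"
and "get config" output instead.
"""
import ipaddress
import re

# Constructed sample input: the lines that matter, copied from the memo.
IOS_CMNSW01 = """
interface Vlan104
 ip address 10.4.0.253 255.255.255.0
 standby 1 ip 10.4.0.254
ip route 10.2.0.0 255.255.255.0 10.4.0.251
ip route 10.3.0.0 255.255.255.0 10.4.0.251
"""
IOS_CMNSW02 = """
interface Vlan104
 ip address 10.4.0.252 255.255.255.0
 standby 1 ip 10.4.0.254
ip route 10.2.0.0 255.255.255.0 10.4.0.251
ip route 10.3.0.0 255.255.255.0 10.4.0.251
"""
SCREENOS_CMNFW01 = """
set interface ethernet3 ip 10.4.0.251/24
set interface ethernet3 route
set interface ethernet3 gateway 10.4.0.254
"""

IOS_ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)$", re.M)
IOS_VIP = re.compile(r"^\s*standby \d+ ip (\S+)$", re.M)
SOS_IP = re.compile(r"^set interface (\S+) ip (\S+/\d+)$", re.M)
SOS_GW = re.compile(r"^set interface (\S+) gateway (\S+)$", re.M)


def ios_static_routes(cfg):
    """Return {prefix: next_hop} for every 'ip route' line in an IOS config."""
    routes = {}
    for net, mask, next_hop in IOS_ROUTE.findall(cfg):
        routes[str(ipaddress.ip_network(f"{net}/{mask}"))] = next_hop
    return routes


def ios_hsrp_vips(cfg):
    """Return the set of HSRP virtual IPs ('standby N ip ...') in an IOS config."""
    return set(IOS_VIP.findall(cfg))


def screenos_interface(cfg, name):
    """Return (ip_interface, gateway) of one ScreenOS interface."""
    ip = dict(SOS_IP.findall(cfg))[name]
    gateway = dict(SOS_GW.findall(cfg))[name]
    return ipaddress.ip_interface(ip), gateway


def check_consistency(switch_cfgs, fw_cfg, fw_ifname="ethernet3"):
    """Return a list of mismatches; an empty list means every check passed."""
    problems = []
    fw_ip, fw_gw = screenos_interface(fw_cfg, fw_ifname)
    route_sets = [ios_static_routes(c) for c in switch_cfgs]
    vips = set().union(*(ios_hsrp_vips(c) for c in switch_cfgs))

    # The FW must point at the HSRP VIP, not at one switch's real address,
    # otherwise a switch failure takes the FW's only path north with it.
    if fw_gw not in vips:
        problems.append(f"FW gateway {fw_gw} is not an HSRP VIP {sorted(vips)}")
    # Gateway and FW interface must share the VLAN 104 subnet.
    if ipaddress.ip_address(fw_gw) not in fw_ip.network:
        problems.append(f"FW gateway {fw_gw} is outside {fw_ip.network}")
    # Both switches must carry identical static routes toward the FW.
    if any(r != route_sets[0] for r in route_sets[1:]):
        problems.append(f"switches disagree on static routes: {route_sets}")
    # Every static route must use the FW's Untrust address as next hop.
    for prefix, next_hop in route_sets[0].items():
        if next_hop != str(fw_ip.ip):
            problems.append(f"route {prefix} points at {next_hop}, not FW {fw_ip.ip}")
    return problems


if __name__ == "__main__":
    print(check_consistency([IOS_CMNSW01, IOS_CMNSW02], SCREENOS_CMNFW01))
    # A typo that points the FW at CMNSW01's physical address is caught.
    typo = SCREENOS_CMNFW01.replace("gateway 10.4.0.254", "gateway 10.4.0.253")
    print(check_consistency([IOS_CMNSW01, IOS_CMNSW02], typo))
```

check_consistency() returns an empty list when everything matches; each string in a non-empty list describes one mismatch. The second call in the main block shows the failure mode the check exists for: a gateway mistyped as 10.4.0.253 (CMNSW01's physical address on VLAN 104) is flagged because it is not an HSRP VIP, even though it is a reachable address in the right subnet.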

Verifying the configuration

(The switch running configs below also have "ip http server" enabled, i.e. plaintext HTTP management alongside HTTPS; it is outside this step but worth disabling before the switches go into service.)

Config (Common L3SW#1)

Building configuration...

Current configuration : 5200 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CMNSW01
!
!
!
!
no aaa new-model
!
track 1 interface FastEthernet0/23 line-protocol
ip routing
no ip domain-lookup
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
interface Loopback1
 ip address 1.1.1.251 255.255.255.255
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/1
 switchport access vlan 104
 switchport mode access
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
interface FastEthernet0/20
 switchport access vlan 105
 switchport mode access
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 channel-group 1 mode active
!
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 channel-group 1 mode active
!
interface FastEthernet0/23
 switchport access vlan 106
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 100
 switchport mode access
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
interface Vlan100
 ip address 10.0.0.251 255.255.255.0
!
interface Vlan104
 ip address 10.4.0.253 255.255.255.0
 no ip redirects
 standby 1 ip 10.4.0.254
 standby 1 priority 105
 standby 1 preempt
 standby 1 track 1 decrement 10
!
interface Vlan105
 ip address 10.5.0.1 255.255.255.252
!
interface Vlan106
 ip address 10.5.0.5 255.255.255.252
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 10.4.0.0 mask 255.255.255.0
 network 10.5.0.0 mask 255.255.255.252
 network 10.5.0.4 mask 255.255.255.252
 timers bgp 10 30
 redistribute static
 neighbor 1.1.1.250 remote-as 100
 neighbor 1.1.1.250 update-source Loopback1
 neighbor 1.1.1.252 remote-as 200
 neighbor 1.1.1.252 ebgp-multihop 255
 neighbor 1.1.1.252 update-source Loopback1
 no auto-summary
!
ip classless
ip route 1.1.1.250 255.255.255.255 10.5.0.2
ip route 1.1.1.252 255.255.255.255 10.5.0.6
ip route 10.2.0.0 255.255.255.0 10.4.0.251
ip route 10.3.0.0 255.255.255.0 10.4.0.251
ip http server
ip http secure-server
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
end

Config (Common L3SW#2)

Building configuration...

Current configuration : 6811 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CMNSW02
!
!
!
!
no aaa new-model
!
track 1 interface FastEthernet0/24 line-protocol
!
track 2 interface FastEthernet0/1 line-protocol
!
track 3 interface FastEthernet0/23 line-protocol
ip routing
no ip domain-lookup
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
interface Loopback1
 ip address 1.1.1.250 255.255.255.255
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface FastEthernet0/1
 switchport access vlan 104
 switchport mode access
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
interface FastEthernet0/20
 switchport access vlan 105
 switchport mode access
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 channel-group 1 mode active
!
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 channel-group 1 mode active
!
interface FastEthernet0/23
 switchport access vlan 107
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 100
 switchport mode access
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
interface Vlan100
 ip address 10.0.0.250 255.255.255.0
!
interface Vlan104
 ip address 10.4.0.252 255.255.255.0
 standby 1 ip 10.4.0.254
 standby 1 preempt
 standby 1 track 3 decrement 10
!
interface Vlan105
 ip address 10.5.0.2 255.255.255.252
!
interface Vlan107
 ip address 10.5.0.9 255.255.255.252
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 10.4.0.0 mask 255.255.255.0
 network 10.5.0.0 mask 255.255.255.252
 network 10.5.0.8 mask 255.255.255.252
 timers bgp 10 30
 redistribute static
 neighbor 1.1.1.251 remote-as 100
 neighbor 1.1.1.251 update-source Loopback1
 neighbor 1.1.1.252 remote-as 200
 neighbor 1.1.1.252 ebgp-multihop 255
 neighbor 1.1.1.252 update-source Loopback1
 no auto-summary
!
ip classless
ip route 1.1.1.251 255.255.255.255 10.5.0.1
ip route 1.1.1.252 255.255.255.255 10.5.0.10
ip route 10.2.0.0 255.255.255.0 10.4.0.251
ip route 10.3.0.0 255.255.255.0 10.4.0.251
ip http server
ip http secure-server
!
〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜〜
!
end

Routing table (Common L3SW#1)

CMNSW01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 3 subnets
C       1.1.1.251 is directly connected, Loopback1
S       1.1.1.250 [1/0] via 10.5.0.2
S       1.1.1.252 [1/0] via 10.5.0.6
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
B       10.5.0.8/30 [200/0] via 1.1.1.250, 00:57:02
S       10.2.0.0/24 [1/0] via 10.4.0.251
S       10.3.0.0/24 [1/0] via 10.4.0.251
C       10.0.0.0/24 is directly connected, Vlan100
C       10.5.0.4/30 is directly connected, Vlan106
C       10.4.0.0/24 is directly connected, Vlan104
C       10.5.0.0/30 is directly connected, Vlan105
B    192.168.0.0/24 [20/0] via 1.1.1.252, 02:07:49

Routing table (Common L3SW#2)

CMNSW02#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 3 subnets
S       1.1.1.251 [1/0] via 10.5.0.1
C       1.1.1.250 is directly connected, Loopback1
S       1.1.1.252 [1/0] via 10.5.0.10
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C       10.5.0.8/30 is directly connected, Vlan107
S       10.2.0.0/24 [1/0] via 10.4.0.251
S       10.3.0.0/24 [1/0] via 10.4.0.251
C       10.0.0.0/24 is directly connected, Vlan100
B       10.5.0.4/30 [200/0] via 1.1.1.251, 00:56:53
C       10.4.0.0/24 is directly connected, Vlan104
C       10.5.0.0/30 is directly connected, Vlan105
B    192.168.0.0/24 [20/0] via 1.1.1.252, 02:07:51

BGP table (Common L3SW#1)

CMNSW01#show ip bgp
BGP table version is 31, local router ID is 1.1.1.251
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.250/32     10.5.0.2                 0         32768 ?
* i1.1.1.252/32     10.5.0.10                0    100      0 ?
*>                  10.5.0.6                 0         32768 ?
* i10.2.0.0/24      10.4.0.251               0    100      0 ?
*>                  10.4.0.251               0         32768 ?
* i10.3.0.0/24      10.4.0.251               0    100      0 ?
*>                  10.4.0.251               0         32768 ?
* i10.4.0.0/24      1.1.1.250                0    100      0 i
*>                  0.0.0.0                  0         32768 i
* i10.5.0.0/30      1.1.1.250                0    100      0 i
*>                  0.0.0.0                  0         32768 i
*  10.5.0.4/30      1.1.1.252                0             0 200 i
*>                  0.0.0.0                  0         32768 i
*>i10.5.0.8/30      1.1.1.250                0    100      0 i
*                   1.1.1.252                0             0 200 i
* i192.168.0.0      1.1.1.252                0    100      0 200 i
*>                  1.1.1.252                0             0 200 i

BGP table (Common L3SW#2)

CMNSW02#show ip bgp
BGP table version is 63, local router ID is 1.1.1.250
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.251/32     10.5.0.1                 0         32768 ?
* i1.1.1.252/32     10.5.0.6                 0    100      0 ?
*>                  10.5.0.10                0         32768 ?
*> 10.2.0.0/24      10.4.0.251               0         32768 ?
* i                 10.4.0.251               0    100      0 ?
*> 10.3.0.0/24      10.4.0.251               0         32768 ?
* i                 10.4.0.251               0    100      0 ?
*> 10.4.0.0/24      0.0.0.0                  0         32768 i
* i                 1.1.1.251                0    100      0 i
* i10.5.0.0/30      1.1.1.251                0    100      0 i
*>                  0.0.0.0                  0         32768 i
*>i10.5.0.4/30      1.1.1.251                0    100      0 i
*                   1.1.1.252                0             0 200 i
*  10.5.0.8/30      1.1.1.252                0             0 200 i
*>                  0.0.0.0                  0         32768 i
* i192.168.0.0      1.1.1.252                0    100      0 200 i
*>                  1.1.1.252                0             0 200 i
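The two BGP tables above (L3SW#1 and L3SW#2) show the effect of "redistribute static" with no route-map in the running configs: besides the "network" prefixes (origin i), the static routes, including the /32 host routes to the BGP peers' loopbacks, appear as locally originated best paths with origin ? and weight 32768. The script below (an added example, not part of the memo) parses the CMNSW01 table, embedded as a constructed sample copied from the page, and lists those prefixes; with no outbound prefix-list or route-map on the AS 200 neighbour they are candidates for advertisement to the ISP. Column offsets are taken from the "Network ... Path" header line, so the parser also works on unmodified IOS output.

```python
"""List what CMNSW01 originates into BGP, from 'show ip bgp' output.

Added example for this page, not part of the original memo. The table below
is a constructed sample copied from the CMNSW01 output above. Column offsets
are read from the "Network ... Path" header line, so the parser also works
on unmodified IOS output pasted in from a terminal.
"""

SHOW_IP_BGP_CMNSW01 = """\
BGP table version is 31, local router ID is 1.1.1.251
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.250/32     10.5.0.2                 0         32768 ?
* i1.1.1.252/32     10.5.0.10                0    100      0 ?
*>                  10.5.0.6                 0         32768 ?
* i10.2.0.0/24      10.4.0.251               0    100      0 ?
*>                  10.4.0.251               0         32768 ?
* i10.3.0.0/24      10.4.0.251               0    100      0 ?
*>                  10.4.0.251               0         32768 ?
* i10.4.0.0/24      1.1.1.250                0    100      0 i
*>                  0.0.0.0                  0         32768 i
* i10.5.0.0/30      1.1.1.250                0    100      0 i
*>                  0.0.0.0                  0         32768 i
*  10.5.0.4/30      1.1.1.252                0             0 200 i
*>                  0.0.0.0                  0         32768 i
*>i10.5.0.8/30      1.1.1.250                0    100      0 i
*                   1.1.1.252                0             0 200 i
* i192.168.0.0      1.1.1.252                0    100      0 200 i
*>                  1.1.1.252                0             0 200 i
"""


def parse_bgp_table(text):
    """Return one dict per path line of a 'show ip bgp' table."""
    lines = text.splitlines()
    header = next(l for l in lines if l.lstrip().startswith("Network"))
    c_met, c_path = header.index("Metric"), header.index("Path")
    entries, network = [], None
    for line in lines[lines.index(header) + 1:]:
        if not line.strip():
            continue
        flags = line[:3]                      # e.g. "*> ", "* i", "*>i"
        head = line[3:c_met].split()          # [network, next_hop] or [next_hop]
        if len(head) == 2:                    # blank network means "same as above"
            network = head[0]
        numbers = line[c_met:c_path].split()  # metric, locprf (optional), weight
        path = line[c_path:].split()          # AS path ... origin
        entries.append({
            "best": ">" in flags,
            "internal": flags[2] == "i",
            "network": network,
            "next_hop": head[-1],
            "weight": int(numbers[-1]),
            "as_path": [int(asn) for asn in path[:-1]],
            "origin": path[-1],
        })
    return entries


def locally_originated(entries):
    """Best paths this router injects itself (weight 32768), keyed by prefix."""
    return {e["network"]: e["origin"]
            for e in entries if e["best"] and e["weight"] == 32768}


def redistributed_statics(entries):
    """Locally originated prefixes with incomplete origin ('?'), i.e. the ones
    that come from 'redistribute static' rather than 'network' statements."""
    return sorted(p for p, o in locally_originated(entries).items() if o == "?")


if __name__ == "__main__":
    entries = parse_bgp_table(SHOW_IP_BGP_CMNSW01)
    for prefix, origin in sorted(locally_originated(entries).items()):
        print(f"{prefix:<16} origin {origin}")
    print("redistributed statics:", redistributed_statics(entries))
```

If only 10.4.0.0/24 and the two point-to-point links are meant to reach the ISP, attach a route-map to "redistribute static" (or replace it with "network" statements for the inside prefixes), then re-run the script on fresh "show ip bgp" output and confirm redistributed_statics() comes back empty.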

Config (Common FW#1)

CMNFW01-> get config
Total Config size 2702:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 10.4.0.251/24
set interface ethernet3 route
set interface ethernet3 gateway 10.4.0.254
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet3 ip manageable
set interface ethernet3 manage ping
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname CMNFW01
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Config (Common FW#2)

CMNFW02-> get config
Total Config size 2702:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 10.4.0.251/24
set interface ethernet3 route
set interface ethernet3 gateway 10.4.0.254
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet3 ip manageable
set interface ethernet3 manage ping
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname CMNFW02
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Routing table (Common FW#1)

CMNFW01-> get route


IPv4 Dest-Routes for <untrust-vr>(0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2


IPv4 Dest-Routes for <trust-vr>(5 entries)
--------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*         8          0.0.0.0/0           eth3      10.4.0.254   C    0      1     Root
*         2     192.168.1.1/32           eth1         0.0.0.0   H    0      0     Root
*         1     192.168.1.0/24           eth1         0.0.0.0   C    0      0     Root
*         6        10.4.0.0/24           eth3         0.0.0.0   C    0      0     Root
*         7      10.4.0.251/32           eth3         0.0.0.0   H    0      0     Root

Routing table (Common FW#2)

CMNFW02-> get route


IPv4 Dest-Routes for <untrust-vr>(0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2


IPv4 Dest-Routes for <trust-vr>(5 entries)
--------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*         6          0.0.0.0/0           eth3      10.4.0.254   C    0      1     Root
*         2     192.168.1.1/32           eth1         0.0.0.0   H    0      0     Root
*         1     192.168.1.0/24           eth1         0.0.0.0   C    0      0     Root
*         3        10.4.0.0/24           eth3         0.0.0.0   C    0      0     Root
*         4      10.4.0.251/32           eth3         0.0.0.0   H    0      0     Root

Interface information (Common FW#1)

CMNFW01-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth1           192.168.1.1/24                    Trust       0010.db79.e970    -   U   -
eth2           0.0.0.0/0                         DMZ         0010.db79.e975    -   U   -
eth3           10.4.0.251/24                     Untrust     0010.db79.e976    -   U   -
eth4           0.0.0.0/0                         Null        0010.db79.e977    -   U   -
vlan1          0.0.0.0/0                         VLAN        0010.db79.097f    1   D   -
null           0.0.0.0/0                         Null        N/A               -   U   0

Interface information (Common FW#2)

CMNFW02-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth1           192.168.1.1/24                    Trust       0010.db6f.a1f0    -   U   -
eth2           0.0.0.0/0                         DMZ         0010.db6f.a1f5    -   U   -
eth3           10.4.0.251/24                     Untrust     0010.db6f.a1f6    -   U   -
eth4           0.0.0.0/0                         Null        0010.db6f.a1f7    -   U   -
vlan1          0.0.0.0/0                         VLAN        0010.db6f.01ff    1   D   -
null           0.0.0.0/0                         Null        N/A               -   U   0

Connectivity check

<Work in progress...>