华为防火墙路由模式配置(三)

其他 2020-09-08 20:06:32 阅读次数: 0

实验背景:

由于公司在园区内扩展,将现网分享给另一个办公区域,同时加一台华为防火墙,为了尽量少改现网配置,并不将FW部署在出口,而是部署在出口路由与三层交换之间;

实验目的:

掌握简单配置防火墙路由模式的操作方法,部署模式:路由器——防火墙——2个三层交换,实现网络互通;

网络地址及拓扑结构:

配置要求:

全网互通

配置操作:

L2-SW-1配置

L2-SW-2、L2-SW-3、L2-SW-4类似,省略;

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L2-SW-1
[L2-SW-1]vlan batch 1081 1082
Info: This operation may take a few seconds. Please wait for a moment...done.
[L2-SW-1]int gi 0/0/2
[L2-SW-1-GigabitEthernet0/0/2]port link-type access
[L2-SW-1-GigabitEthernet0/0/2]port default vlan 1081
[L2-SW-1-GigabitEthernet0/0/2]q
[L2-SW-1]int gi 0/0/3
[L2-SW-1-GigabitEthernet0/0/3]port link-type access
[L2-SW-1-GigabitEthernet0/0/3]port default vlan 1082
[L2-SW-1-GigabitEthernet0/0/3]q
[L2-SW-1]int gi 0/0/1
[L2-SW-1-GigabitEthernet0/0/1]port link-type trunk
[L2-SW-1-GigabitEthernet0/0/1]port trunk allow-pass vlan 1081 1082
[L2-SW-1-GigabitEthernet0/0/1]

L3-SW-2配置:

L3-SW-1类似,省略

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L3-SW-2
[L3-SW-2]vlan batch 1091 1092 1093 1094 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[L3-SW-2]int gi 0/0/2
[L3-SW-2-GigabitEthernet0/0/2]port link-type trunk
[L3-SW-2-GigabitEthernet0/0/2]port trunk allow-pass vlan 1091 1092 300
[L3-SW-2-GigabitEthernet0/0/2]q
[L3-SW-2]int gi 0/0/3
[L3-SW-2-GigabitEthernet0/0/3]port link-type trunk
[L3-SW-2-GigabitEthernet0/0/3]port trunk allow-pass vlan 1093 1094 300
[L3-SW-2-GigabitEthernet0/0/3]q
[L3-SW-2]int gi 0/0/1
[L3-SW-2-GigabitEthernet0/0/1]port link-type access
[L3-SW-2-GigabitEthernet0/0/1]q
[L3-SW-2]int vlanif 300
[L3-SW-2-Vlanif300]ip addr 192.168.202.1 30
[L3-SW-2-Vlanif300]q
[L3-SW-2]int gi 0/0/1
[L3-SW-2-GigabitEthernet0/0/1]port default vlan 300
[L3-SW-2-GigabitEthernet0/0/1]q
[L3-SW-2]ip route-static 0.0.0.0 0.0.0.0 192.168.202.2
[L3-SW-2]int vlanif 1091                    //vlan1091子网gateway
[L3-SW-2-Vlanif1091]ip addr 10.180.109.1 26
[L3-SW-2-Vlanif1091]q
[L3-SW-2]int vlanif 1092        //vlan1092子网gateway
[L3-SW-2-Vlanif1092]ip addr 10.180.109.65 26
[L3-SW-2-Vlanif1092]q
[L3-SW-2]int vlanif 1093          //vlan1093子网gateway
[L3-SW-2-Vlanif1093]ip addr 10.180.109.129 26
[L3-SW-2-Vlanif1093]q
[L3-SW-2]int vlanif 1094        //vlan1094子网gateway
[L3-SW-2-Vlanif1094]ip addr 10.180.109.193 26
[L3-SW-2-Vlanif1094]q
[L3-SW-2]

AR路由器配置:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname AR
[AR]int gi 0/0/0
[AR-GigabitEthernet0/0/0]
<AR>sys
Enter system view, return user view with Ctrl+Z.
[AR]int gi 0/0/0
[AR-GigabitEthernet0/0/0]ip addr 192.168.200.1 29
[AR-GigabitEthernet0/0/0]q
[AR]ip route-static 0.0.0.0 0.0.0.0 192.168.200.2
[AR]q

FW防火墙配置:

The device is running!


Login authentication


Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: 
Please enter new password: 
Please confirm new password: 

 Info: Your password has been changed. Save the change to survive a reboot. 
*************************************************************************
*         Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************


<USG6000V1>
<USG6000V1>
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]un in en
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sysname FW
[FW]int gi 0/0/0
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:04:02.320 
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default     //默认配置,需删除
 ip address 192.168.0.1 255.255.255.0    //默认配置,需删除
 alias GE0/METH          //默认配置,需删除
#
return
[FW-GigabitEthernet0/0/0]undo ip binding vpn-instance default
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:04:34.050 
#
interface GigabitEthernet0/0/0
 undo shutdown
 alias GE0/METH
#
return
[FW-GigabitEthernet0/0/0]int gi 1/0/0  //与gi1/0/0口对比,需把gi0/0/0口设置与其一致
[FW-GigabitEthernet1/0/0]dis th
2020-08-25 10:04:42.410 
#
interface GigabitEthernet1/0/0
 undo shutdown
#
return
[FW-GigabitEthernet1/0/0]int gi 0/0/0
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:04:54.340 
#
interface GigabitEthernet0/0/0
 undo shutdown
 alias GE0/METH
#
return
[FW-GigabitEthernet0/0/0]undo alias 
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:05:11.510 
#
interface GigabitEthernet0/0/0
 undo shutdown
#
return

[FW]int gi 0/0/0    //配置与AR连接端口
[FW-GigabitEthernet0/0/0]ip addr 192.168.200.2 29
[FW-GigabitEthernet0/0/0]service-manage ping permit
[FW-GigabitEthernet0/0/0]q
[FW]int gi 1/0/0     //配置与三层交换1连接端口
[FW-GigabitEthernet1/0/0]ip addr 192.168.201.2 30
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]q
[FW]int gi 1/0/1  //配置与三层交换2连接端口    
[FW-GigabitEthernet1/0/1]ip addr 192.168.202.2 30
[FW-GigabitEthernet1/0/1]service-manage ping permit
[FW-GigabitEthernet1/0/1]q
[FW]firewall zone trust    //进入安全域配置
[FW-zone-trust]add int gi1/0/0
[FW-zone-trust]add int gi1/0/1
[FW-zone-trust]q
[FW]firewall zone untrust    //进入非安全域配置
[FW-zone-untrust]add int gi 0/0/0
 Error: The interface has been added to trust security zone. 
[FW-zone-untrust]q
[FW]firewall zone trust
[FW-zone-trust]dis th
2020-08-25 10:30:58.820 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
return
[FW-zone-trust]undo add interface GigabitEthernet0/0/0
[FW-zone-trust]
[FW-zone-trust]q
[FW]firewall zone untrust
[FW-zone-untrust]add int gi 0/0/0
[FW-zone-untrust]q
[FW]security-policy        //进入安全策略配置     
[FW-policy-security]rule name trust_untrust    //创建安全域到非安全域的策略名
[FW-policy-security-rule-trust_untrust]source-zone trust    //策略中源为安全域
[FW-policy-security-rule-trust_untrust]destination-zone untrust  //策略中目的为非安全域
[FW-policy-security-rule-trust_untrust]action permit   //启动策略规则
[FW-policy-security-rule-trust_untrust]q
[FW-policy-security]rule name untrust_trust    //创建非安全域到安全域的策略名 
[FW-policy-security-rule-untrust_trust]source-zone untrust   //策略中源为非安全域
[FW-policy-security-rule-untrust_trust]des	
[FW-policy-security-rule-untrust_trust]destination-zone trust   //策略中目的为安全域
[FW-policy-security-rule-untrust_trust]action permit
[FW-policy-security-rule-untrust_trust]q
[FW-policy-security]q
[FW]ip route-static 192.168.200.0 29 192.168.200.1      //配置到AR的静态路由
[FW]ip route-static 192.168.201.0 30 192.168.201.1      //配置到三层交换1的静态路由  这条是错误配置,需删除
[FW]ip route-static 192.168.202.0 30 192.168.202.1      //配置到三层交换2的静态路由   这条是错误配置,需删除
[FW]ip route-static 10.180.109.0 24 192.168.202.1       //配置到109网段的静态路由
[FW]ip route-static 10.180.108.0 24 192.168.201.1       //配置到108网段的静态路由

猜你喜欢

转载自blog.csdn.net/WannaHaha/article/details/108235506
今日推荐
基于大语言模型的开源知识库问答系统 MaxKB GitHub Star 数量突破 5,000 个!
美国拟限制 AI 大模型出口中国和俄罗斯
苹果将与 OpenAI 达成协议,将 ChatGPT 应用于 iPhone
openKylin 社区生态委员会第六次会议圆满召开
阿里云正式发布通义千问 2.5
Python 3.13 发布首个 Beta:实验性自由线程模式和 JIT、改进交互式解释器
Stack Overflow 拿我的代码去训练 AI 大模型,还封了我的账号
Pop!_OS 的 COSMIC 桌面完成 App Store 上架工作
《2024 年一季度互联网投融资运行情况》研究报告
报告:Django 仍然是 74% 开发者的首选
15 年前上了“FFmpeg 耻辱柱”,今天他还得谢谢咱——腾讯QQPlayer一雪前耻?
TIOBE 5 月榜单:Fortran “复活”进入 Top 10
周排行
记一下去大梅沙的准备(2018-05-26)
Spring 注解 事务
基于HTTP协议的客户端缓存
阿里云rds 备份和还原
[PHP] 几个拖慢 PHP 程序/API 运行速度的点
python 代码风格------------PEP8规则
js控制json生成菜单——自制菜单(一)
将字符串: 'k:1|k1:2|k2:3|k3:4 ' ,处理成 python 字典: {'k':1, 'k1':2, ...}
微信小程序转支付宝小程序
Qt551.窗口滚动条
每日归档
更多
2024-05-13(18)
2024-05-12(0)
2024-05-11(38)
2024-05-10(38)
2024-05-09(35)
2024-05-08(42)
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022