用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程

2023年 12月 13日 96.3k 0

在配置案例之前,先对二层交换机和三层交换机做个简单比较,如下图:

图片[1]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

这样,交换机在局域网中的应用常分为两种:

  • 作为二层交换机使用,为多个用户划分VLAN,实现同网段数据访问。
  • 作为三层交换机使用,部署用户的网关,实现跨网段数据访问。

第一部分:二层交换机与防火墙对接上网

1.应用场景

如下图,交换机Switch和防火墙对接,使用户PC1-PC2PC3-PC4可以实现上网功能。

交换机是二层交换机,仅能实现二层转发。

图片[2]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

2.配置思路

图片[3]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

3.配置过程

3.1交换机配置步骤

交换机的配置过程共分2步:

第一步:配置下行连接用户的接口

创建VLAN1020,将接口Ethernet0/0/1-2加入vlan10,将Ethernet0/0/3-4加入vlan20

[SWITCH]vlan batch 10 20
[SWITCH]interface Ethernet0/0/1
[SWITCH-Ethernet0/0/1]port link-type access
[SWITCH-Ethernet0/0/1]port default vlan 10
[SWITCH-Ethernet0/0/1]interface Ethernet0/0/2
[SWITCH-Ethernet0/0/2]port link-type access
[SWITCH-Ethernet0/0/2]port default vlan 10
[SWITCH-Ethernet0/0/2]int Ethernet0/0/3
[SWITCH-Ethernet0/0/3]port link-type access
[SWITCH-Ethernet0/0/3]port default vlan 20
[SWITCH-Ethernet0/0/3]int Ethernet0/0/4
[SWITCH-Ethernet0/0/4]port link-type access
[SWITCH-Ethernet0/0/4]port default vlan 20
[SWITCH-Ethernet0/0/4]quit
[SWITCH]
第二步:配置上行连接防火墙的接口
[SWITCH]int GigabitEthernet 0/0/1
[SWITCH-GigabitEthernet0/0/1]port link-type trunk
[SWITCH-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[SWITCH-GigabitEthernet0/0/1]quit
[SWITCH]
3.2防火墙是三层接口的配置

防火墙的接口作为三层口,通过配置子接口终结VLAN进行通信的配置。

第一步:配置终结子接口
[USG6000]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.

[USG6000]interface GigabitEthernet 1/0/3.1
[USG6000-GigabitEthernet1/0/3.1]vlan-type dot1q 10
[USG6000-GigabitEthernet1/0/3.1]ip address 192.168.10.1 255.255.255.0
[USG6000-GigabitEthernet1/0/3.1]quit
 
[USG6000]interface GigabitEthernet 1/0/3.2
[USG6000-GigabitEthernet1/0/3.2]vlan-type dot1q 20
[USG6000-GigabitEthernet1/0/3.2]ip address 192.168.20.1 24
[USG6000-GigabitEthernet1/0/3.2]quit
[USG6000]
第二步:配置DHCPDNS功能

这里防火墙为内网有户提供IP地址,所以配置DHCPDNS功能,为内网用户分配IP地址和指定DNS服务器地址。

[USG6000]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.

[USG6000]int GigabitEthernet 1/0/3.1
[USG6000-GigabitEthernet1/0/3.1]dhcp select interface
[USG6000-GigabitEthernet1/0/3.1]dhcp server dns-list 114.114.114.114 8.8.8.8
[USG6000-GigabitEthernet1/0/3.1]quit
 
[USG6000]interface GigabitEthernet 1/0/3.2
[USG6000-GigabitEthernet1/0/3.2]dhcp select interface
[USG6000-GigabitEthernet1/0/3.2]dhcp server dns-list 114.114.114.114 8.8.8.8
[USG6000-GigabitEthernet1/0/3.2]quit
[USG6000]
第三步:将接口加入安全区域
[USG6000]firewall zone trust
[USG6000-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000-zone-trust]add interface GigabitEthernet 1/0/3.1
[USG6000-zone-trust]add interface GigabitEthernet 1/0/3.2
[USG6000-zone-trust]quit

[USG6000]firewall zone untrust
[USG6000-zone-untrust]add interface GigabitEthernet 1/0/1
[USG6000-zone-untrust]quit
[USG6000]
第四步:配置公网接口的IP地址和静态路由
[USG6000]int GigabitEthernet 1/0/1
[USG6000-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[USG6000-GigabitEthernet1/0/1]quit
[USG6000]ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
[USG6000]
第五步:配置域安全策略

配置安全策略,允许域间互访

[USG6000]security-policy
[USG6000-policy-security]rule name trust-to-untrust
[USG6000-policy-security-rule-trust-to-untrust]source-address 192.168.10.0 mask 255.255.255.0
[USG6000-policy-security-rule-trust-to-untrust]source-address 192.168.20.0 mask 255.255.255.0
[USG6000-policy-security-rule-trust-to-untrust]source-zone trust
[USG6000-policy-security-rule-trust-to-untrust]destination-zone untrust
[USG6000-policy-security-rule-trust-to-untrust]action permit
[USG6000-policy-security-rule-trust-to-untrust]quit
[USG6000-policy-security]quit
[USG6000]
第六步:配置NAT功能
[USG6000]nat-policy
[USG6000-policy-nat]rule name mypolicy_nat_01
[USG6000-policy-nat-rule-mypolicy_nat_01]source-address 192.168.10.0 mask 255.255.255.0
[USG6000-policy-nat-rule-mypolicy_nat_01]source-address 192.168.20.0 mask 255.255.255.0
[USG6000-policy-nat-rule-mypolicy_nat_01]source-zone trust
[USG6000-policy-nat-rule-mypolicy_nat_01]egress-interface GigabitEthernet 1/0/1
[USG6000-policy-nat-rule-mypolicy_nat_01]action source-nat easy-ip
[USG6000-policy-nat-rule-mypolicy_nat_01]quit
[USG6000-policy-nat]quit
[USG6000]

以上已经配置完毕,下面3.3和3.2是两种不同的方法。

3.3防火墙是二层接口的配置
第一步:配置VLANIF接口
[USG6000]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.

[USG6000]interface GigabitEthernet 1/0/3
[USG6000-GigabitEthernet1/0/3]portswitch
[USG6000-GigabitEthernet1/0/3]port link-type trunk
[USG6000-GigabitEthernet1/0/3]port trunk allow-pass vlan 10 20
[USG6000-GigabitEthernet1/0/3]quit

[USG6000]interface vlanif10
[USG6000-Vlanif10]ip address 192.168.10.1 255.255.255.0
[USG6000-Vlanif10]quit
[USG6000]interface vlanif20
[USG6000-Vlanif20]ip address 192.168.20.1 255.255.255.0
[USG6000-Vlanif20]quit
[USG6000]
第二步:配置DHCPDNS功能

配置DHCP,为内网用户分配IP地址和指定DNS服务器地址。

[USG6000]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[USG6000]interface vlanif 10
[USG6000-Vlanif10]dhcp select interface
[USG6000-Vlanif10]dhcp server dns-list 114.114.114.114 8.8.8.8
[USG6000-Vlanif10]quit
[USG6000]interface vlanif 20
[USG6000-Vlanif20]dhcp select interface
[USG6000-Vlanif20]dhcp server dns-list 114.114.114.114 8.8.8.8
[USG6000-Vlanif20]quit
[USG6000]
第三步:将接口加入安全域
[USG6000]firewall zone trust
[USG6000-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000-zone-trust]add interface vlanif 10
[USG6000-zone-trust]add interface vlanif 20
[USG6000-zone-trust]quit
[USG6000]firewall zone untrust
[USG6000-zone-untrust]add interface GigabitEthernet 1/0/1
[USG6000-zone-untrust]quit
[USG6000]
第四步:配置公网接口的IP地址和静态路由
[USG6000]interface GigabitEthernet 1/0/1
[USG6000-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[USG6000-GigabitEthernet1/0/1]quit
[USG6000]ip route-st 
[USG6000]ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
[USG6000]
第五步:配置域安全策略

配置安全策略,允许域间互访

[USG6000]security-policy
[USG6000-policy-security]rule name trust-to-untrust
[USG6000-policy-security-rule-trust-to-untrust]source-address 192.168.10.0 mask 255.255.255.0
[USG6000-policy-security-rule-trust-to-untrust]source-address 192.168.20.0 mask 255.255.255.0
[USG6000-policy-security-rule-trust-to-untrust]source-zone trust
[USG6000-policy-security-rule-trust-to-untrust]destination-zone untrust
[USG6000-policy-security-rule-trust-to-untrust]action permit
[USG6000-policy-security-rule-trust-to-untrust]quit
[USG6000-policy-security]quit
[USG6000]
第六步:配置NAT功能
[USG6000]nat-policy
[USG6000-policy-nat]rule name mypolicy_nat_02
[USG6000-policy-nat-rule-mypolicy_nat_02]source-address 192.168.10.0 mask 255.255.255.0
[USG6000-policy-nat-rule-mypolicy_nat_02]source-address 192.168.20.0 mask 255.255.255.0
[USG6000-policy-nat-rule-mypolicy_nat_02]source-zone trust
[USG6000-policy-nat-rule-mypolicy_nat_02]egress-interface gigabitethernet 1/0/1
[USG6000-policy-nat-rule-mypolicy_nat_02]action source easy-ip
[USG6000-policy-nat-rule-mypolicy_nat_02]quit
[USG6000-policy-nat]

第二部分:三层交换机与防火墙对接上网

1.应用场景

交换机Switch和防火墙对接,使用户PC1-PC4可以实现上网功能。

交换机是三层交换机,可以完成跨网段数据转发。

图片[4]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

2.配置思路

图片[5]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

3.配置过程

3.1交换机的配置步骤
第一步:配置连接用户的接口和对应的VLANIF接口
[HXSW]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[HXSW]interface GigabitEthernet 0/0/1
[HXSW-GigabitEthernet0/0/1]port link-type access
[HXSW-GigabitEthernet0/0/1]port default vlan 10
[HXSW-GigabitEthernet0/0/1]quit

[HXSW]interface GigabitEthernet 0/0/2
[HXSW-GigabitEthernet0/0/2]port link-type access
[HXSW-GigabitEthernet0/0/2]port default vlan 10
[HXSW-GigabitEthernet0/0/2]quit
 
[HXSW]interface GigabitEthernet 0/0/3
[HXSW-GigabitEthernet0/0/3]port link-type access
[HXSW-GigabitEthernet0/0/3]port default vlan 20
[HXSW-GigabitEthernet0/0/3]quit

[HXSW]int GigabitEthernet 0/0/4
[HXSW-GigabitEthernet0/0/4]port link-type access
[HXSW-GigabitEthernet0/0/4]port default vlan 20
[HXSW-GigabitEthernet0/0/4]quit

[HXSW]int vlanif10
[HXSW-Vlanif10]ip address 192.168.10.1 24
[HXSW-Vlanif10]quit
[HXSW]int vlanif20
[HXSW-Vlanif20]ip address 192.168.20.1 24
[HXSW-Vlanif20]quit
[HXSW]
第二步:配置连接防火墙的接口和对应的VLANIF接口
[HXSW]vlan 100
[HXSW-vlan100]quit

[HXSW]interface GigabitEthernet 0/0/24
[HXSW-GigabitEthernet0/0/24]port link-type access
[HXSW-GigabitEthernet0/0/24]port default vlan 100
[HXSW-GigabitEthernet0/0/24]quit

[HXSW]interface vlanif100
[HXSW-Vlanif100]ip address 10.10.250.2 24
[HXSW-Vlanif100]quit
[HXSW]
第三步:配置dhcp服务
[HXSW]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[HXSW]interface vlanif10
[HXSW-Vlanif10]dhcp select interface 
[HXSW-Vlanif10]dhcp server dns-list 114.114.114.114 8.8.8.8
[HXSW-Vlanif10]quit

[HXSW]interface vlanif20
[HXSW-Vlanif20]dhcp select interface 
[HXSW-Vlanif20]dhcp server dns-list 114.114.114.114 8.8.8.8
[HXSW-Vlanif20]quit
[HXSW]
第四步:配置缺省路由
[HXSW]ip route-static 0.0.0.0 0.0.0.0 10.10.250.1
[HXSW]
3.2防火墙配置步骤
第一步:配置连接交换机的接口对应的IP地址
[USG6000]interface GigabitEthernet 1/0/3
[USG6000-GigabitEthernet1/0/3]ip address 10.10.250.1 24
[USG6000-GigabitEthernet1/0/3]quit
[USG6000]
第二步:配置连接公网接口的IP地址
[USG6000]int GigabitEthernet 1/0/1
[USG6000-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[USG6000-GigabitEthernet1/0/1]quit
[USG6000]
第三步:配置缺省路由和回程路由
[USG6000]ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
[USG6000]ip route-static 192.168.0.0 255.255.0.0 10.10.250.2
[USG6000
第四步:将接口加入安全区域
[USG6000]firewall zone trust
[USG6000-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000-zone-trust]quit
[USG6000]firewall zone untrust
[USG6000-zone-untrust]add interface GigabitEthernet 1/0/1
[USG6000-zone-untrust]quit
[USG6000]
第五步:配置安全策略
[USG6000]security-policy 
[USG6000-policy-security]rule name trust-to-untrust
[USG6000-policy-security-rule-trust-to-untrust]source-address 192.168.10.0 mask 255.255.255.0
[USG6000-policy-security-rule-trust-to-untrust]source-address 192.168.20.0 mask 255.255.255.0
[USG6000-policy-security-rule-trust-to-untrust]source-zone trust
[USG6000-policy-security-rule-trust-to-untrust]destination-zone untrust
[USG6000-policy-security-rule-trust-to-untrust]action permit
[USG6000-policy-security-rule-trust-to-untrust]quit
[USG6000-policy-security]quit
[USG6000]
第六步:配置NAT功能
[USG6000]nat-policy 
[USG6000-policy-nat]rule name mynat
[USG6000-policy-nat-rule-mynat]source-address 192.168.10.0 mask 255.255.255.0
[USG6000-policy-nat-rule-mynat]source-address 192.168.20.0 mask 255.255.255.0
[USG6000-policy-nat-rule-mynat]source-zone trust
[USG6000-policy-nat-rule-mynat]egress-interface GigabitEthernet 1/0/1
[USG6000-policy-nat-rule-mynat]action source easy-ip
[USG6000-policy-nat-rule-mynat]quit
[USG6000-policy-nat]quit
[USG6000]
4.测试结果

不同VLAN主机获得IP地址

图片[6]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

图片[7]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

不同VLAN主机PING外网

图片[8]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

图片[9]-用ENSP模拟二层交换机和三层交换机分别与防火墙对接上网配置过程-不念博客

相关文章

如何在 Linux 中使用 logname 命令?
为什么有 HTTPS?HTTPS 如何实现安全通信?
HTTPS的TSL握手流程是什么
华为无线网络射频调优及WLAN跨VLAN的三层漫游示例
502错误是什么、应该怎么排查?
HTTP3为什么抛弃了经典的TCP,而选择QUIC

发布评论