Configuring a firewall as a layer-3 core switch in the Huawei eNSP simulator
Command line

First configure the interfaces of PC1, PC2, PC3, PC4, R1, R2 and R3: IP address, mask and gateway.

PC1: (screenshot omitted)

Next configure the interfaces of the two switches: the ports that connect to PCs become access ports, the port towards the firewall becomes a trunk port, and the VLANs are created with each port assigned to its VLAN.

LSW1:

    system-view
    undo info-center enable
    sysname LSW1
    vlan batch 7 17
    interface Ethernet0/0/2
     port link-type access
     port default vlan 7
     display this
    interface Ethernet0/0/3
     port link-type access
     port default vlan 7
     display this
    interface Ethernet0/0/4
     port link-type access
     port default vlan 17
     quit
    display port vlan
    interface Ethernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 7 17
     display this
     quit
    display port vlan

LSW2:

    system-view
    undo info-center enable
    sysname LSW2
    vlan 10
    interface Ethernet0/0/2
     port link-type access
     port default vlan 10
     display this
    interface Ethernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
     display this
     quit
    display port vlan

Create the VLANs on the firewall, then configure its physical interfaces: GE1/0/0 and GE1/0/1 become trunk ports, GE1/0/2 and GE1/0/3 become access ports carrying their VLAN (portswitch puts each port into layer-2 mode). Then create a VLANIF logical interface for each VLAN; the VLANIF address is the gateway of the PCs in that VLAN.

FW:

    system-view
    undo info-center enable
    vlan batch 7 10 17 70 77
    display port vlan
    interface GigabitEthernet1/0/0
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 7 17
     display this
    interface GigabitEthernet1/0/1
     portswitch
     port link-type trunk
     port trunk allow-pass vlan 10
     display this
    interface GigabitEthernet1/0/2
     portswitch
     port link-type access
     port default vlan 70
     display this
    interface GigabitEthernet1/0/3
     portswitch
     port link-type access
     port default vlan 77
     display this
     quit
    display ip interface brief
    interface Vlanif7
     ip address 192.168.7.1 24
     service-manage ping permit
     display this
     quit
    interface Vlanif10
     ip address 192.168.10.1 24
     service-manage ping permit
     display this
     quit
    interface Vlanif17
     ip address 192.168.17.1 24
     service-manage ping permit
     display this
     quit
    interface Vlanif70
     ip address 192.168.70.1 24
     service-manage ping permit
     display this
     quit
    interface Vlanif77
     ip address 192.168.77.1 24
     service-manage ping permit
     display this
     quit
    display port vlan

Note on Vlanif77: the original post gives 192.168.70.1 here, which is the Vlanif70 address and cannot also be the primary address of a second interface. Every other VLAN follows the 192.168.<VLAN>.1 scheme, so 192.168.77.1 is used above.

Create a security zone for each VLAN and add the corresponding VLANIF to it, so that traffic between VLANs can be controlled per zone pair. Zone priorities on the USG must be unique, hence the distinct values.

FW:

    system-view
    firewall zone name vlan7
     set priority 75
     add interface Vlanif7
     display this
     quit
    firewall zone name vlan10
     set priority 77
     add interface Vlanif10
     display this
     quit
    firewall zone name vlan17
     set priority 76
     add interface Vlanif17
     display this
     quit
    firewall zone name vlan70
     set priority 78
     add interface Vlanif70
     display this
     quit
    firewall zone name vlan77
     set priority 79
     add interface Vlanif77
     display this
     quit

With this much configured, the PC in each VLAN can reach its own gateway. Verification: vlan7-PC1: (screenshot omitted)

Now only security policies between the zones are needed to control exactly which traffic may pass. This rule permits ICMP from VLAN 7 to VLAN 17:

FW:

    system-view
    security-policy
     rule name vlan7_to_vlan17
      source-zone vlan7
      destination-zone vlan17
      service icmp
      action permit
      display this

Verification: (screenshot omitted)

If a PC on the inside needs to reach outside addresses, add a source NAT rule, a security policy, and a default route out of the outside interface. The four layer-2 ports are added to the trust zone here and GigabitEthernet1/0/4 is the outside interface in untrust (Huawei's USG documentation requires a layer-2 port to belong to a zone as well as its VLANIF; the post only adds them at this step):

FW:

    system-view
    firewall zone trust
     add interface GigabitEthernet1/0/0
     add interface GigabitEthernet1/0/1
     add interface GigabitEthernet1/0/2
     add interface GigabitEthernet1/0/3
     display this
     quit
    firewall zone untrust
     add interface GigabitEthernet1/0/4
     display this
     quit
    interface GigabitEthernet1/0/4
     ip address 177.7.7.1 24
     display this
     quit
    ip route-static 0.0.0.0 0 177.7.7.7
    nat-policy
     rule name vlan7_nat_untrust
      source-zone vlan7
      egress-interface GigabitEthernet1/0/4
      action nat easy-ip
      display this
      quit
     quit

The original post wrote "rule bane" and "egress-int"; the command keywords are "rule name" and "egress-interface". One caveat: the NAT rule by itself does not let traffic through. The USG's default security policy denies anything not explicitly permitted, so a security-policy rule with source-zone vlan7, destination-zone untrust and action permit is needed as well; the command list above does not include one.

Verification: (screenshot omitted)

Firewall web UI configuration
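As an added check on the firewall build described above (this script is mine, not part of the original post and not a Huawei tool), the following Python parses a VRP-style firewall configuration and flags the mistakes that are easy to make in this kind of setup: two VLANIFs in the same subnet (the post's own 192.168.70.1 on Vlanif77 is exactly that), VLANs allowed on a trunk or access port but never created, duplicate zone priorities, VLANIFs that belong to no zone, and policy rules naming zones that do not exist. The config text is a constructed, trimmed transcription of the post's commands in the form display current-configuration prints them, with the Vlanif77 typo left in so the checker has something to find; the function names and the corrected copy are my own.

```python
import ipaddress

# Constructed sample input: a trimmed transcription of the post's firewall commands.
# The Vlanif77 line keeps the post's original typo (192.168.70.1 duplicates Vlanif70).
FW_CONFIG = """\
vlan batch 7 17 70 77
interface GigabitEthernet1/0/0
 port trunk allow-pass vlan 7 17
interface Vlanif7
 ip address 192.168.7.1 24
interface Vlanif17
 ip address 192.168.17.1 24
interface Vlanif70
 ip address 192.168.70.1 24
interface Vlanif77
 ip address 192.168.70.1 24
firewall zone name vlan7
 set priority 75
 add interface Vlanif7
firewall zone name vlan17
 set priority 76
 add interface Vlanif17
firewall zone name vlan70
 set priority 78
 add interface Vlanif70
firewall zone name vlan77
 set priority 79
 add interface Vlanif77
security-policy
 rule name vlan7_to_vlan17
  source-zone vlan7
  destination-zone vlan17
"""
# Corrected copy following the 192.168.<VLAN>.1 scheme (my correction, not a line from the post).
FW_CONFIG_FIXED = FW_CONFIG.replace("Vlanif77\n ip address 192.168.70.1", "Vlanif77\n ip address 192.168.77.1")


def _vlan_ids(tokens):
    # Expand VRP VLAN lists such as "7 17" or "10 to 20"; "all" cannot be enumerated and yields nothing.
    ids = set()
    for i, tok in enumerate(tokens):
        if tok.isdigit() and not (i >= 2 and tokens[i - 1] == "to"):
            ids.add(int(tok))
        elif tok == "to":
            ids.update(range(int(tokens[i - 1]), int(tokens[i + 1]) + 1))
    return ids


def parse_fw_config(text):
    """Minimal state-machine parser for the subset of VRP syntax used in the post."""
    cfg = {"vlans": set(), "port_vlans": set(), "vlanif": {}, "zones": {}, "rule_zones": []}
    ctx = None  # current block: ("interface", name) / ("zone", name) / ("rule", name)
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "quit":
            ctx = None
        elif t[:2] == ["vlan", "batch"]:
            cfg["vlans"] |= _vlan_ids(t[2:])
        elif t[0] == "interface":  # accepts both "interface Vlanif7" and "interface vlanif 7"
            ctx = ("interface", "".join(t[1:]).lower())
        elif t[:2] == ["firewall", "zone"]:  # "zone name X" or a built-in zone such as trust
            ctx = ("zone", t[3] if t[2] == "name" else t[2])
            cfg["zones"].setdefault(ctx[1], {"priority": None, "interfaces": set()})
        elif t[:2] == ["rule", "name"]:
            ctx = ("rule", t[2])
        elif ctx and ctx[0] == "interface":
            if t[:2] == ["ip", "address"] and ctx[1].startswith("vlanif"):
                cfg["vlanif"][ctx[1]] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")  # /24 or dotted mask
            elif t[:3] == ["port", "default", "vlan"] or t[:4] == ["port", "trunk", "allow-pass", "vlan"]:
                cfg["port_vlans"] |= _vlan_ids(t[3:] if t[1] == "default" else t[4:])
        elif ctx and ctx[0] == "zone" and t[:2] == ["set", "priority"]:
            cfg["zones"][ctx[1]]["priority"] = int(t[2])
        elif ctx and ctx[0] == "zone" and t[:2] == ["add", "interface"]:
            cfg["zones"][ctx[1]]["interfaces"].add(t[2].lower())
        elif ctx and ctx[0] == "rule" and t[0] in ("source-zone", "destination-zone"):
            cfg["rule_zones"].append((ctx[1], t[1]))
    return cfg


def audit_fw_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_fw_config(text), []
    ifs = sorted(cfg["vlanif"].items())
    for i, (a, ia) in enumerate(ifs):  # two VLANIFs in the same subnet
        for b, ib in ifs[i + 1:]:
            if ia.network.overlaps(ib.network):
                findings.append(f"overlap: {a} {ia} and {b} {ib}")
    for v in sorted(cfg["port_vlans"] - cfg["vlans"]):  # VLAN on a port but never created
        findings.append(f"vlan {v} used on a port but not created")
    zoned, by_prio = set(), {}
    for name, z in cfg["zones"].items():
        zoned |= z["interfaces"]
        if z["priority"] in by_prio:  # USG zone priorities must be unique
            findings.append(f"zones {by_prio[z['priority']]} and {name} share priority {z['priority']}")
        elif z["priority"] is not None:
            by_prio[z["priority"]] = name
    for name in sorted(cfg["vlanif"]):  # a VLANIF outside every zone carries no traffic
        if name not in zoned:
            findings.append(f"{name} is not in any security zone")
    known = set(cfg["zones"]) | {"local", "trust", "untrust", "dmz", "any"}
    for rule, zone in cfg["rule_zones"]:  # policy naming a zone that does not exist
        if zone not in known:
            findings.append(f"rule {rule} references unknown zone {zone}")
    return findings
```

Running audit_fw_config(FW_CONFIG) reports the single overlap between Vlanif70 and Vlanif77, and audit_fw_config(FW_CONFIG_FIXED) reports nothing; paste the output of display current-configuration from your own eNSP firewall into the string to check a different build. The parser deliberately tracks only the block it is in, which is enough for the interface, zone and policy stanzas VRP prints, and it ignores every other line.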
Copyright 2018-2019 实验室设备网. All rights reserved.