Enterprise campus network in the Huawei simulator: firewall as Internet egress (configuration lab)
Simulator configuration lab
The Business, Finance, Production and Administration departments sit in VLAN 10, VLAN 20, VLAN 30 and VLAN 40 respectively, and the VLANs can reach one another. The www server is placed in the firewall's DMZ zone; both internal hosts and hosts on the external network must be able to reach it.
The configuration of each device is as follows.
LSW1 switch (access switch for VLAN 10 and VLAN 20):
sys
sys LSW1
vlan batch 10 20
port-group 1
group-member e0/0/4 to e0/0/6
port link-type access
port default vlan 10
q
int e0/0/7
port link-type access
port default vlan 20
q
int Eth-Trunk 1
mode lacp-static
trunkport ethernet 0/0/1 to 0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
max active-linknumber 3
least active-linknumber 1
q
LSW3 switch (access switch for VLAN 30 and VLAN 40):
sys
sys LSW3
vlan batch 30 40
int Eth-Trunk 2
mode lacp-static
trunkport ethernet 0/0/1 to 0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40
least active-linknumber 1
q
int e0/0/3
port link-type access
port default vlan 30
int e0/0/4
port link-type access
port default vlan 40
q
LSW2 switch (core, inter-VLAN gateway and DHCP server) configuration:
sys
sys LSW2
dhcp enable
vlan batch 10 20 30 40 101
int Eth-Trunk 1
mode lacp-static
trunkport GigabitEthernet 0/0/1 to 0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
max active-linknumber 3
least active-linknumber 1
q
int Eth-Trunk 2
mode lacp-static
trunkport GigabitEthernet 0/0/4 to 0/0/5
port link-type trunk
port trunk allow-pass vlan 30 40
least active-linknumber 1
q
int vlanif 10
ip add 192.168.10.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 20
ip add 192.168.20.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 30
ip add 192.168.30.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 40
ip add 192.168.40.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 101
ip add 192.168.101.254 24
q
int g0/0/6
port link-type access
port default vlan 101
q
ip route-static 0.0.0.0 0.0.0.0 192.168.101.2
The default route towards the firewall's trust interface (192.168.101.2) is not in the original post but is required for the lab to work: without it LSW2 has no path to the DMZ segment or to the Internet, and the firewall's return route for 192.168.0.0/16 via 192.168.101.254 has nothing to pair with. The VLANIF addresses (x.254) are handed out as the default gateway by dhcp select interface, so no separate gateway statement is needed on the DHCP pools.
Firewall configuration (USG, interzone policy syntax):
sys
sys FW
int g0/0/0
ip add 192.168.101.2 24
int g0/0/1
ip add 192.168.50.254 24
int g0/0/2
ip add 10.0.0.1 24
q
firewall zone trust
add interface g0/0/0
q
firewall zone untrust
add interface g0/0/2
q
firewall zone dmz
add interface g0/0/1
q
ip route-static 0.0.0.0 0 10.0.0.2
ip route-static 192.168.0.0 255.255.0.0 192.168.101.254
policy interzone trust untrust outbound
policy 10
policy source 192.168.0.0 0.0.255.255
action permit
q
q
nat-policy interzone trust untrust outbound
policy 10
policy source 192.168.0.0 0.0.255.255
action source-nat
easy-ip g0/0/2
q
q
policy interzone trust dmz outbound
policy 10
policy source 192.168.0.0 0.0.255.255
policy destination 192.168.50.0 0.0.0.255
action permit
q
q
policy interzone dmz trust inbound
policy 10
policy source 192.168.50.0 0.0.0.255
policy destination 192.168.0.0 0.0.255.255
action permit
q
q
The two interzone policies above were written as "policy interface" in the original post; the USG keyword is "policy interzone" and has been corrected here. Note that the dmz-to-trust inbound permit is not needed for internal hosts to browse the www server: the USG is stateful, so replies to sessions opened from trust are forwarded on the session table. As written, the rule lets any host in the DMZ open connections to every internal segment, which is exactly what a DMZ is supposed to prevent once the web server is compromised. Remove it, or narrow it to the single host and service that genuinely needs to initiate traffic inwards.
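The requirement that hosts on the external network reach the www server is not met by the firewall configuration shown: there is no untrust-to-dmz policy and no destination NAT, so Client1's packets to the server have nowhere to go. The fragment below is added here and is not part of the original post; it uses the same USG interzone policy syntax as the commands above. It assumes the www server's address is 192.168.50.1 (the post never states it) and publishes it on the untrust interface address 10.0.0.1, TCP port 80; both addresses are assumptions.

```text
nat server protocol tcp global 10.0.0.1 80 inside 192.168.50.1 80
policy interzone untrust dmz inbound
 policy 10
  policy destination 192.168.50.1 0.0.0.0
  policy service service-set http
  action permit
  q
 q
```

The policy matches on the server's real (inside) address because the USG applies the nat server translation before the interzone policy is evaluated. Keep the permit scoped to that one host and to http; do not open all of 192.168.50.0/24 from untrust. With this in place, Client1 browses to http://10.0.0.1/ and the firewall forwards the request to the DMZ host.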
Router R1 configuration (simulated ISP edge):
sys
sys R1
int g0/0/0
ip add 10.0.0.2 24
int g0/0/1
ip add 2.2.2.2 24
q
Lab results (screenshots not reproduced; captions only):
LSW3 interface g0/0/1 shut down
Eth-Trunk 2 link state
Path taken by VLAN 40 to reach the www server
LSW1 interfaces e0/0/1 and e0/0/2 shut down
Eth-Trunk 1 link state
Path taken by VLAN 10 to reach the internal www server
External Client1 reaching the internal www server
Client reaching the www server