Connecting a Huawei Firewall to a Layer 3 Switch: VLAN Internet Access Configuration
Topology diagram
1. Switch configuration
Create the VLANs
# "p l a" and "p d v" are the VRP abbreviations of "port link-type access" and "port default vlan"
<Huawei>sys
[Huawei]sys SW1
[SW1]un in en
[SW1]vlan batch 10 20 100
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]p l a
[SW1-GigabitEthernet0/0/1]p d v 10
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]p l a
[SW1-GigabitEthernet0/0/2]p d v 20
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]p l a
[SW1-GigabitEthernet0/0/3]p d v 100
[SW1-GigabitEthernet0/0/3]quit
Configure DHCP on the VLANIF interfaces
# Enable DHCP
[SW1]dhcp enable
[SW1]int vlanif 10
[SW1-Vlanif10]ip addr 192.168.10.1 24
[SW1-Vlanif10]dhcp select int
[SW1-Vlanif10]dhcp server dns-list 114.114.114.114
[SW1-Vlanif10]int vlanif 20
[SW1-Vlanif20]ip addr 192.168.20.1 24
[SW1-Vlanif20]dhcp select int
[SW1-Vlanif20]dhcp server dns-list 114.114.114.114
[SW1-Vlanif20]quit
# Configure the IP of the interface facing the firewall
[SW1]int vlanif 100
[SW1-Vlanif100]ip addr 192.168.100.2 24
[SW1-Vlanif100]quit
Configure the default route
[SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
2. Firewall configuration
Configure the interface facing the switch and the public-facing interface
<USG6000V1>sys
[USG6000V1]sys FW1
[FW1]un in en
# Configure the public IP
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip addr 192.168.137.10 24
[FW1-GigabitEthernet1/0/0]service-manage all permit
# Configure the IP of the interface connected to the switch
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip addr 192.168.100.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit
Configure the security zones
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add int g1/0/0
[FW1-zone-untrust]quit
Create the address sets
[FW1]ip address-set 192.168.10.0/24 type object
[FW1-object-address-set-192.168.10.0/24]address 0 192.168.10.0 mask 24
[FW1-object-address-set-192.168.10.0/24]ip address-set 192.168.20.0/24 type object
[FW1-object-address-set-192.168.20.0/24]address 0 192.168.20.0 mask 24
[FW1-object-address-set-192.168.20.0/24]quit
Configure the security policy
[FW1]security-policy
[FW1-policy-security]rule name "untrust to local"
[FW1-policy-security-rule-untrust to local]source-zone untrust
[FW1-policy-security-rule-untrust to local]destination-zone local
[FW1-policy-security-rule-untrust to local]action permit
[FW1-policy-security-rule-untrust to local]rule name "local to untrust"
[FW1-policy-security-rule-local to untrust]source-zone local
[FW1-policy-security-rule-local to untrust]destination-zone untrust
[FW1-policy-security-rule-local to untrust]action permit
[FW1-policy-security-rule-local to untrust]rule name "trust to untrust"
[FW1-policy-security-rule-trust to untrust]source-zone trust
[FW1-policy-security-rule-trust to untrust]destination-zone untrust
[FW1-policy-security-rule-trust to untrust]source-address address-set 192.168.10.0/24
[FW1-policy-security-rule-trust to untrust]source-address address-set 192.168.20.0/24
[FW1-policy-security-rule-trust to untrust]action permit
[FW1-policy-security-rule-trust to untrust]quit
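Read together, the interface and policy configuration above leaves the firewall's own services (the "local" zone) reachable from the untrust side: g1/0/0 carries "service-manage all permit" and the "untrust to local" rule permits any source. The following checker is an added example, not code from the original post; it parses a constructed, condensed copy of those commands (only the handful of keywords used in this article) and flags that combination so the exposure can be reviewed before the config goes live.

```python
# Constructed sample: the firewall's interface, zone and policy config from the article, condensed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 service-manage all permit
interface GigabitEthernet1/0/1
 service-manage ping permit
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface GigabitEthernet1/0/0
security-policy
 rule name "untrust to local"
  source-zone untrust
  destination-zone local
  action permit
"""

def parse(cfg):
    """Minimal parser for the article's commands: returns (iface->zone, rule dicts, iface->service-manage mode)."""
    zone_of, rules, svc = {}, [], {}
    ctx = None  # (kind, name) of the block currently being populated
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            ctx = ("if", line.split()[1])
        elif line.startswith("firewall zone "):
            ctx = ("zone", line.split()[2])
        elif line.startswith("rule name "):
            rules.append({"name": line.split("name ", 1)[1].strip('"')})
            ctx = ("rule", rules[-1]["name"])
        elif ctx and ctx[0] == "if" and line.startswith("service-manage "):
            svc[ctx[1]] = line.split()[1]  # e.g. "all" or "ping"
        elif ctx and ctx[0] == "zone" and line.startswith("add interface "):
            zone_of[line.split()[2]] = ctx[1]
        elif line and ctx and ctx[0] == "rule":
            key, _, val = line.partition(" ")  # source-zone, destination-zone, action, ...
            rules[-1][key] = val
    return zone_of, rules, svc

def audit(cfg):
    """Return findings where the firewall's own services (zone 'local') are open to any untrust host."""
    zone_of, rules, svc = parse(cfg)
    findings = []
    for r in rules:
        if (r.get("source-zone") == "untrust" and r.get("destination-zone") == "local"
                and r.get("action") == "permit" and "source-address" not in r):
            findings.append(f"rule '{r['name']}' permits any untrust host to reach the firewall itself")
    for ifname, mode in svc.items():
        if zone_of.get(ifname) == "untrust" and mode == "all":
            findings.append(f"{ifname} is in untrust with 'service-manage all permit'")
    return findings
```

audit(SAMPLE_CONFIG) returns two findings for the article's configuration; restricting the rule with a source-address set, or narrowing service-manage on g1/0/0 to the protocols actually needed, clears them.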
Configure the NAT policy
# Source NAT so that internal users can reach the Internet
[FW1]nat-policy
[FW1-policy-nat]rule name snat
[FW1-policy-nat-rule-snat]source-zone trust
[FW1-policy-nat-rule-snat]destination-zone untrust
[FW1-policy-nat-rule-snat]source-address address-set 192.168.10.0/24
[FW1-policy-nat-rule-snat]source-address address-set 192.168.20.0/24
[FW1-policy-nat-rule-snat]action source-nat easy-ip
[FW1-policy-nat-rule-snat]quit
[FW1-policy-nat]quit
Configure the static routes
# Default route to the upstream gateway
[FW1]ip route-static 0.0.0.0 0.0.0.0 192.168.137.1
# Return route for the internal VLANs via the switch
[FW1]ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
Configure DNS
[FW1]dns resolve
[FW1]dns server 114.114.114.114
3. Testing and verification
Check the IP addresses obtained by PC1 and PC2
PC1>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:fe90:25d3
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.10.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.10.1
Physical address..................: 54-89-98-90-25-D3
DNS server........................: 114.114.114.114
PC2>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:fee7:3d77
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.1
Physical address..................: 54-89-98-E7-3D-77
DNS server........................: 114.114.114.114
Verify that PC1 and PC2 can reach each other
PC1>ping 192.168.20.254
Ping 192.168.20.254: 32 data bytes, Press Ctrl_C to break
From 192.168.20.254: bytes=32 seq=1 ttl=127 time=63 ms
From 192.168.20.254: bytes=32 seq=2 ttl=127 time=46 ms
From 192.168.20.254: bytes=32 seq=3 ttl=127 time=32 ms
From 192.168.20.254: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.20.254: bytes=32 seq=5 ttl=127 time=46 ms
--- 192.168.20.254 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 32/43/63 ms
Source: https://blog.csdn.net/mshxuyi/article/details/128574491