Connecting a Huawei Layer 3 Switch to a Firewall for Internet Access

Connecting a Huawei Layer 3 switch to a firewall for internet access differs from the Layer 2 design in the following ways:

  1. The DHCP server sits in a different place: in the Layer 2 design the firewall runs DHCP, in the Layer 3 design the Layer 3 switch does.
  2. The port attributes of the switch-to-firewall link differ: on a Layer 2 switch the port is configured as trunk, on a Layer 3 switch it is configured as access.

Let's look at the lab setup in detail.

[Figure 1.jpg: Layer 3 switch connected to the firewall]

In the figure above, the switch is an S5700, the firewall is a USG6000, and a router plays the role of the internet.

Configure the switch first:

<Huawei>sys

[Huawei]sys S1

Enable DHCP and create the VLANs


[S1]dhcp enable

[S1]vlan b 10 20 100

Configure the ports connected to the PCs


[S1]int g 0/0/1

[S1-GigabitEthernet0/0/1]port link-type access

[S1-GigabitEthernet0/0/1]port default vlan 10

[S1]int g0/0/2

[S1-GigabitEthernet0/0/2]port link-type access

[S1-GigabitEthernet0/0/2]port de vlan 20

Configure the port connected to the firewall


[S1]int g0/0/3

[S1-GigabitEthernet0/0/3]port link-type access

[S1-GigabitEthernet0/0/3]port default vlan 100

Set up DHCP on the switch (interface-based address pools on the VLAN interfaces)


[S1]int vlan10

[S1-Vlanif10]ip address 192.168.10.1 24

[S1-Vlanif10]dhcp select interface

[S1-Vlanif10]dhcp server dns-list 8.8.8.8

[S1-Vlanif10]dhcp server excluded-ip-address 192.168.10.2 192.168.10.10

[S1-Vlanif10]dhcp server lease day 1

[S1-Vlanif10]dhcp server domain-name dongzao.com

[S1]int vlan 20

[S1-Vlanif20]ip address 192.168.20.1 24

[S1-Vlanif20]dhcp sel interface

[S1-Vlanif20]dhcp server dns-list 8.8.8.8

[S1-Vlanif20]dhcp server excluded-ip-address 192.168.20.2 192.168.20.10

[S1-Vlanif20]dhcp server lease day 1

[S1-Vlanif20]dhcp server domain-name dongzao.com

Configure the VLAN interface facing the firewall


[S1]int vlan 100

[S1-Vlanif100]ip address 192.168.100.1 24

Configure the outbound default route


[S1]ip route-static 0.0.0.0 0.0.0.0 192.168.100.2

The switch is now configured; let's check DHCP:

[Figure 2.jpg: DHCP pool status]

[Figure 3.jpg: PC1 obtains an IP address normally]

Next, configure the firewall:


<USG6000V1>sys

[USG6000V1]sys F1

Configure the firewall interface IP addresses


[F1]int g1/0/1

[F1-GigabitEthernet1/0/1]ip add 100.0.0.1 24

[F1]int g1/0/0

[F1-GigabitEthernet1/0/0]ip add 192.168.100.2 24

Configure the outbound route and the route back to the internal network

[F1]ip route-static 0.0.0.0 0.0.0.0 100.0.0.2

[F1]ip route-static 192.168.0.0 255.255.0.0 192.168.100.1

Add the interfaces to security zones

[F1]firewall zone trust

[F1-zone-trust]add interface GigabitEthernet 1/0/0

[F1]firewall z untrust

[F1-zone-untrust]add interface GigabitEthernet 1/0/1

Configure the inter-zone security policy so that traffic is permitted.

[F1]security-policy

[F1-policy-security]rule name p1

[F1-policy-security-rule-p1]source-zone trust

[F1-policy-security-rule-p1]destination-zone untrust

[F1-policy-security-rule-p1]source-address 192.168.0.0 mask 255.255.0.0

[F1-policy-security-rule-p1]action permit

Configure the NAT address pool and the translation mode, enabling port address translation (PAT).


[F1]nat address-group dizhi1

[F1-address-group-dizhi1]mode pat

[F1-address-group-dizhi1]route enable

[F1-address-group-dizhi1]section 0 100.0.0.1 100.0.0.1

Configure the source NAT (PAT) policy so that the specified private subnet is automatically source-translated when it accesses the public network.


[F1]nat-policy

[F1-policy-nat]rule name nat

[F1-policy-nat-rule-nat]source-zone trust

[F1-policy-nat-rule-nat]destination-zone untrust

[F1-policy-nat-rule-nat]source-address 192.168.0.0 m 255.255.0.0

[F1-policy-nat-rule-nat]action nat address-group dizhi1
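As an added example (not part of the original article), the Python script below models the forwarding path configured above: the switch VLANIF subnets, the firewall's interface zones, static routes, security-policy rule p1 and the NAT policy with pool dizhi1, and traces a packet from a LAN host to show which zone pair it hits, whether p1 permits it, and what source address PAT gives it. The tables and the trace logic are constructed for this example and are not a VRP configuration parser; the values are transcribed from the configuration on this page.

```python
import ipaddress as ipa

# Addresses, zones, routes and policies are transcribed from the article's configuration;
# the tables and the trace logic are constructed for this example, not a VRP parser.
SWITCH_VLANIF = [("192.168.10.1/24", 10), ("192.168.20.1/24", 20), ("192.168.100.1/24", 100)]
SWITCH_DEFAULT_NEXT_HOP = "192.168.100.2"
FW_IFACES = [("192.168.100.2/24", "trust"), ("100.0.0.1/24", "untrust")]  # g1/0/0, g1/0/1
FW_ROUTES = [("0.0.0.0/0", "100.0.0.2"), ("192.168.0.0/16", "192.168.100.1")]
SECURITY_POLICY = [{"name": "p1", "src_zone": "trust", "dst_zone": "untrust",
                    "src": "192.168.0.0/16", "action": "permit"}]
NAT_POLICY = [{"name": "nat", "src_zone": "trust", "dst_zone": "untrust",
               "src": "192.168.0.0/16", "pool": "dizhi1"}]
NAT_POOLS = {"dizhi1": "100.0.0.1"}  # address-group dizhi1, mode pat, single address

def lookup(addr, table):
    """Value of the first (cidr, value) entry whose subnet contains addr, else None."""
    ip = ipa.ip_address(addr)
    return next((v for c, v in table if ip in ipa.ip_network(c, strict=False)), None)

def fw_next_hop(dst):
    """Longest-prefix match over FW_ROUTES; returns the next hop or None."""
    ip = ipa.ip_address(dst)
    hits = [(ipa.ip_network(p).prefixlen, nh) for p, nh in FW_ROUTES if ip in ipa.ip_network(p)]
    return max(hits)[1] if hits else None

def first_match(rules, src_zone, dst_zone, src):
    """First rule whose zone pair and source-address match (rules are evaluated top-down)."""
    return next((r for r in rules if (r["src_zone"], r["dst_zone"]) == (src_zone, dst_zone)
                 and ipa.ip_address(src) in ipa.ip_network(r["src"])), None)

def trace_outbound(src, dst):
    """Follow one packet from a LAN host: switch routing, then firewall zones, policy and NAT."""
    if lookup(src, SWITCH_VLANIF) is None:
        return {"result": "drop", "reason": "source is not on any switch VLAN"}
    if lookup(dst, SWITCH_VLANIF) is not None:
        # Inter-VLAN traffic is routed by the S5700 itself and never reaches the firewall policy.
        return {"result": "switch-routed", "vlan": lookup(dst, SWITCH_VLANIF)}
    src_zone = lookup(SWITCH_DEFAULT_NEXT_HOP, FW_IFACES)  # arrives on g1/0/0 -> trust
    nh = fw_next_hop(dst)
    dst_zone = lookup(nh, FW_IFACES) if nh else None
    if dst_zone is None:
        return {"result": "drop", "reason": "no route or egress interface not in a zone"}
    rule = first_match(SECURITY_POLICY, src_zone, dst_zone, src)
    if rule is None or rule["action"] != "permit":
        return {"result": "drop", "reason": "no permitting security-policy rule", "zones": (src_zone, dst_zone)}
    nat = first_match(NAT_POLICY, src_zone, dst_zone, src)
    return {"result": "permit", "rule": rule["name"], "zones": (src_zone, dst_zone),
            "nat_src": NAT_POOLS[nat["pool"]] if nat else src}
```

Calling trace_outbound("192.168.10.50", "8.8.8.8") reports the trust-to-untrust pair, rule p1 and the translated source 100.0.0.1, while a destination in VLAN 20 is reported as switch-routed.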

Now let's test the result:

[Figure 4.jpg: PC2 can ping the internet]

[Figure 5.jpg: output of dis nat statistics]

The configuration is complete. Leave a comment if you have any questions!