H3C Router and Firewall Networking (Firewall Trunk-Mode Lab)

Editor: 小丢    Updated: 2022-12-07

Lab topology

Note: unless stated otherwise, R1 or SW1 in the description refers to the device in the topology whose name ends in 1, R2 or SW2 to the device whose name ends in 2, and so on. Within a subnet, the host part of an IP address is the device number: if R3's g0/0 interface is in 192.168.1.0/24, its IP address is 192.168.1.3/24, and so on.

Lab requirements

1. Configure IP addresses as shown in the diagram. On R2 and SW3, configure a Loopback0 address to serve as the OSPF router ID, in the form X.X.X.X/32 where X is the device number.
2. Configure OSPF as shown in the diagram so that the whole network is reachable.
3. Configure the F1060 firewall in transparent mode and use a trunk to pass the traffic of R1 and SW1 through it transparently.

Lab solution

1. Configure IP addresses (loopback interfaces omitted)

Analysis: the S5820V2 is a Layer 3 switch, so its interfaces are changed to route mode before IP addresses are configured on them. The MSR36-20 router's interface, by contrast, is changed to Layer 2 (bridge) mode.

Step 1: On SW3, enter the interface view of g1/0/1, change the interface to route mode and configure the IP address 192.168.2.254/24; do the same on g1/0/2 with 10.0.0.3/24.

[SW3]interface GigabitEthernet 1/0/1
[SW3-GigabitEthernet1/0/1]port link-mode route
[SW3-GigabitEthernet1/0/1]ip address 192.168.2.254 24
[SW3]interface GigabitEthernet 1/0/2
[SW3-GigabitEthernet1/0/2]port link-mode route
[SW3-GigabitEthernet1/0/2]ip address 10.0.0.3 24

Step 2: On R2, enter the interface view of g0/0 and change it to Layer 2 mode, create the VLAN, bring up the VLAN interface with an IP address, and permit that VLAN on the trunk port.

[R2]interface GigabitEthernet 0/0
[R2-GigabitEthernet0/0]port link-mode bridge
[R2-GigabitEthernet0/0]port link-type trunk
[R2-GigabitEthernet0/0]port trunk permit vlan 10
[R2-GigabitEthernet0/0]undo port trunk permit vlan 1
[R2-GigabitEthernet0/0]quit
[R2]vlan 10
[R2-vlan10]quit
[R2]interface Vlan-interface 10
[R2-Vlan-interface10]ip address 10.0.0.2 24

2. Configure OSPF as shown in the diagram so that the whole network is reachable

Analysis: full reachability means every router must advertise all of its directly connected networks, including the network of its loopback interface. Each router also uses its manually configured loopback IP address as its router ID.

Step 1: Configure OSPF on R2 and advertise all directly connected networks and the loopback in the area

[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255

Step 2: Configure OSPF on SW3 and advertise all directly connected networks and the loopback in the area

[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[SW3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255

3. Configure the firewall policies that permit the traffic

Step 1: Log in to the firewall with admin/admin

login: admin
Password: admin

Step 2: Create the VLAN and configure the corresponding ports as trunks that permit it

[FW1]vlan 10
[FW1-vlan10]port GigabitEthernet 1/0/0
[FW1-vlan10]port GigabitEthernet 1/0/1
[FW1-vlan10]quit
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]port link-type trunk
[FW1-GigabitEthernet1/0/0]port trunk permit vlan 10
[FW1-GigabitEthernet1/0/0]undo port trunk permit vlan 1
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]port link-type trunk
[FW1-GigabitEthernet1/0/1]port trunk permit vlan 10
[FW1-GigabitEthernet1/0/1]undo port trunk permit vlan 1

Step 3: Configure the firewall security zones and add each interface to its zone

[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/0 vlan 10
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/1 vlan 10
[FW1-security-zone-Untrust]quit

Step 4: Configure a basic ACL

[FW1]acl basic 2000
[FW1-acl-ipv4-basic-2000]rule 0 permit source any

4. Configure the firewall security policy

[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2000
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Untrust]quit
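To see what the zone, zone-pair and ACL configuration above actually decides, here is a small model of the lookup chain in Python. It is an added example, not the page's or H3C's own code: it reproduces only what the lab configures (two zones, four zone pairs, basic ACL 2000 with `rule 0 permit source any`) and assumes Comware-style semantics, namely that an interface's zone comes from the `import interface ... vlan` commands, that the (source zone, destination zone) pair selects the packet-filter ACL, that rules are tried in order with the first match winning, and that a packet matching no rule or belonging to no zone pair is dropped. `ACL_TIGHT` is a hypothetical tightened ACL that is not on the page; it is there to show that the lab's `permit source any` filters nothing, which is fine for a lab but not for production. The wildcard-mask matcher is the same 0-means-must-match convention used by the OSPF `network 10.0.0.0 0.0.0.255` and `network 2.2.2.2 0.0.0.0` statements earlier on the page.

```python
"""Model of how the lab firewall decides a packet's fate.

Added example, not the page's or H3C's own code. It models only what the lab
configures and assumes Comware-style semantics: interface -> zone from the
'import interface ... vlan' commands, (source zone, destination zone) -> ACL
from the zone pairs, first matching rule wins, and no match / no zone pair
means drop. Zone names are compared case-insensitively ('trust' in the
zone-pair command refers to the zone named 'Trust').
"""
import ipaddress


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Match addr against base under an H3C wildcard mask: a 0 bit in the
    wildcard must match, a 1 bit is 'don't care'. Same convention as
    'rule permit source 10.0.0.0 0.0.0.255' and OSPF 'network' statements."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)


# Basic ACL rules as (rule id, action, source base, wildcard); base None = 'source any'.
ACL_LAB = {2000: [(0, "permit", None, None)]}   # the page's ACL 2000: permits every source

# Hypothetical tightened ACL (not on the page): only the lab's own subnets may
# source traffic; everything else hits an explicit catch-all deny.
ACL_TIGHT = {2000: [
    (0, "permit", "192.168.1.0", "0.0.0.255"),
    (5, "permit", "192.168.2.0", "0.0.0.255"),
    (10, "permit", "10.0.0.0", "0.0.0.255"),
    (15, "deny", "0.0.0.0", "255.255.255.255"),
]}

# From the page's 'import interface GigabitEthernet 1/0/x vlan 10' commands
INTERFACE_ZONE = {
    ("GigabitEthernet1/0/0", 10): "Trust",
    ("GigabitEthernet1/0/1", 10): "Untrust",
}

# From the page's four 'zone-pair security ... packet-filter 2000' commands
ZONE_PAIRS = {
    ("trust", "untrust"): 2000,
    ("untrust", "trust"): 2000,
    ("trust", "trust"): 2000,
    ("untrust", "untrust"): 2000,
}


def acl_decision(rules, src):
    """Return (action, rule id) of the first matching rule, else the default deny."""
    for rule_id, action, base, wild in rules:
        if base is None or wildcard_match(src, base, wild):
            return action, rule_id
    return "deny", None   # no rule matched: packet-filter default action (assumed deny)


def decide(acls, in_if, out_if, vlan, src):
    """Walk the lookup chain for a frame entering in_if and leaving out_if on vlan."""
    src_zone = INTERFACE_ZONE.get((in_if, vlan))
    dst_zone = INTERFACE_ZONE.get((out_if, vlan))
    if src_zone is None or dst_zone is None:
        return "deny", "interface not in any zone"
    acl = ZONE_PAIRS.get((src_zone.lower(), dst_zone.lower()))
    if acl is None:
        return "deny", f"no zone pair {src_zone}->{dst_zone}"
    action, rule_id = acl_decision(acls[acl], src)
    return action, f"{src_zone}->{dst_zone} acl {acl} rule {rule_id}"


def permits_everything(rules):
    """True when the first rule already permits any source, i.e. the ACL filters nothing."""
    for _, action, base, wild in rules:
        if base is None or wild == "255.255.255.255":
            return action == "permit"
        return False   # the first rule is specific, so something is filtered
    return False


if __name__ == "__main__":
    for name, acls in (("lab ACL", ACL_LAB), ("tightened ACL", ACL_TIGHT)):
        for src in ("192.168.1.1", "203.0.113.9"):
            print(name, src, decide(acls, "GigabitEthernet1/0/0", "GigabitEthernet1/0/1", 10, src))
        print(name, "permits everything:", permits_everything(acls[2000]))
```

Running it shows every zone pair permitting every source under the lab ACL, and the same out-of-lab source (203.0.113.9) being dropped by rule 15 under the tightened one. A basic ACL only matches on source address; if you need to constrain destinations or ports on the real device, an advanced ACL (3000 range) is the tool, which this model does not cover.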

5. Test results

1. The PCs can ping each other

ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=253 time=2.000 ms

ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=2.000 ms

2. Check the OSPF neighbor information on R2 and SW3

[R2]display ospf peer

OSPF Process 1 with Router ID 2.2.2.2
Neighbor Brief Information

Area: 0.0.0.0
Router ID       Address         Pri Dead-Time State     Interface
3.3.3.3         10.0.0.3        1   32        Full/DR   GE0/1

[SW3]display ospf peer

OSPF Process 1 with Router ID 3.3.3.3
Neighbor Brief Information

Area: 0.0.0.0
Router ID       Address         Pri Dead-Time State     Interface
2.2.2.2         10.0.0.2        1   34        Full/BDR  GE1/0/2

3. Check the routing tables on R2 and SW3 to confirm that the relevant routes have been learned

[R2]display ip routing-table

Destinations : 19        Routes : 19

Destination/Mask    Proto   Pre Cost NextHop         Interface
0.0.0.0/32          Direct  0   0    127.0.0.1       InLoop0
2.2.2.2/32          Direct  0   0    127.0.0.1       InLoop0
3.3.3.3/32          O_INTRA 10  1    10.0.0.3        GE0/1
10.0.0.0/24         Direct  0   0    10.0.0.2        GE0/1
10.0.0.0/32         Direct  0   0    10.0.0.2        GE0/1
10.0.0.2/32         Direct  0   0    127.0.0.1       InLoop0
10.0.0.255/32       Direct  0   0    10.0.0.2        GE0/1
127.0.0.0/8         Direct  0   0    127.0.0.1       InLoop0
127.0.0.0/32        Direct  0   0    127.0.0.1       InLoop0
127.0.0.1/32        Direct  0   0    127.0.0.1       InLoop0
127.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
192.168.1.0/24      Direct  0   0    192.168.1.254   GE0/0
192.168.1.0/32      Direct  0   0    192.168.1.254   GE0/0
192.168.1.254/32    Direct  0   0    127.0.0.1       InLoop0
192.168.1.255/32    Direct  0   0    192.168.1.254   GE0/0
192.168.2.0/24      O_INTRA 10  2    10.0.0.3        GE0/1
224.0.0.0/4         Direct  0   0    0.0.0.0         NULL0
224.0.0.0/24        Direct  0   0    0.0.0.0         NULL0
255.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0

[SW3]display ip routing-table

Destinations : 19        Routes : 19

Destination/Mask    Proto   Pre Cost NextHop         Interface
0.0.0.0/32          Direct  0   0    127.0.0.1       InLoop0
2.2.2.2/32          O_INTRA 10  1    10.0.0.2        GE1/0/2
3.3.3.3/32          Direct  0   0    127.0.0.1       InLoop0
10.0.0.0/24         Direct  0   0    10.0.0.3        GE1/0/2
10.0.0.0/32         Direct  0   0    10.0.0.3        GE1/0/2
10.0.0.3/32         Direct  0   0    127.0.0.1       InLoop0
10.0.0.255/32       Direct  0   0    10.0.0.3        GE1/0/2
127.0.0.0/8         Direct  0   0    127.0.0.1       InLoop0
127.0.0.0/32        Direct  0   0    127.0.0.1       InLoop0
127.0.0.1/32        Direct  0   0    127.0.0.1       InLoop0
127.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
192.168.1.0/24      O_INTRA 10  2    10.0.0.2        GE1/0/2
192.168.2.0/24      Direct  0   0    192.168.2.254   GE1/0/1
192.168.2.0/32      Direct  0   0    192.168.2.254   GE1/0/1
192.168.2.254/32    Direct  0   0    127.0.0.1       InLoop0
192.168.2.255/32    Direct  0   0    192.168.2.254   GE1/0/1
224.0.0.0/4         Direct  0   0    0.0.0.0         NULL0
224.0.0.0/24        Direct  0   0    0.0.0.0         NULL0
255.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
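The two verification steps above (neighbor state Full on both sides, and the remote LAN present as an O_INTRA route) are easy to check by eye once, but a script is what you want when the lab is rebuilt or the firewall in the middle is reconfigured. The Python below is an added example, not the page's or H3C's own code: it parses the `display ospf peer` and `display ip routing-table` output as shown on the page (re-typed here as constructed strings, the routing table abridged to a few rows, with the column layout assumed from that output) and reports anything that is not as expected. `OSPF_PEER_STUCK` is a constructed variant in which the neighbor never reaches Full, to show the failure path.

```python
"""Parse the lab's verification output and check it mechanically.

Added example, not the page's or H3C's own code. The sample text is the
page's 'display' output re-typed as constructed strings; the column layout
is assumed from that output.
"""
import re

# Constructed from the page's [R2]display ospf peer output
OSPF_PEER_R2 = """\
OSPF Process 1 with Router ID 2.2.2.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time State     Interface
3.3.3.3         10.0.0.3        1   32        Full/DR   GE0/1
"""

# Constructed: the same neighbour stuck in ExStart (a state commonly seen with an MTU mismatch)
OSPF_PEER_STUCK = """\
OSPF Process 1 with Router ID 2.2.2.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time State      Interface
3.3.3.3         10.0.0.3        1   38        ExStart/DR GE0/1
"""

# Constructed from the page's [R2]display ip routing-table output (abridged)
ROUTES_R2 = """\
Destinations : 19        Routes : 19
Destination/Mask   Proto   Pre Cost NextHop       Interface
2.2.2.2/32         Direct  0   0    127.0.0.1     InLoop0
3.3.3.3/32         O_INTRA 10  1    10.0.0.3      GE0/1
10.0.0.0/24        Direct  0   0    10.0.0.2      GE0/1
192.168.1.0/24     Direct  0   0    192.168.1.254 GE0/0
192.168.2.0/24     O_INTRA 10  2    10.0.0.3      GE0/1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"^({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")
ROUTE_RE = re.compile(rf"^({IPV4}/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+({IPV4})\s+(\S+)$")


def parse_ospf_peers(text):
    """Return one dict per neighbour row; banner and header lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line.strip())
        if not m:
            continue
        rid, addr, pri, dead, state, iface = m.groups()
        adjacency, _, role = state.partition("/")   # 'Full/DR' -> ('Full', 'DR')
        peers.append({"router_id": rid, "address": addr, "priority": int(pri),
                      "dead_time": int(dead), "state": adjacency, "role": role,
                      "interface": iface})
    return peers


def parse_routes(text):
    """Return one dict per routing-table row."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest, proto, pre, cost, nexthop, iface = m.groups()
        routes.append({"dest": dest, "proto": proto, "pre": int(pre), "cost": int(cost),
                       "nexthop": nexthop, "interface": iface})
    return routes


def check_lab(peer_text, route_text, expected_peers, expected_ospf_prefixes):
    """Return a list of problems; an empty list means the lab is in the expected state."""
    problems = []
    peers = {p["router_id"]: p for p in parse_ospf_peers(peer_text)}
    for rid in expected_peers:
        p = peers.get(rid)
        if p is None:
            problems.append(f"no OSPF neighbour with router ID {rid}")
        elif p["state"] != "Full":
            problems.append(f"neighbour {rid} is {p['state']}, not Full")
    routes = {r["dest"]: r for r in parse_routes(route_text)}
    for prefix in expected_ospf_prefixes:
        r = routes.get(prefix)
        if r is None:
            problems.append(f"no route to {prefix}")
        elif not r["proto"].startswith("O_"):
            problems.append(f"{prefix} is a {r['proto']} route, not learned via OSPF")
    return problems


if __name__ == "__main__":
    print(check_lab(OSPF_PEER_R2, ROUTES_R2, ["3.3.3.3"], ["192.168.2.0/24", "3.3.3.3/32"]))
    print(check_lab(OSPF_PEER_STUCK, ROUTES_R2, ["3.3.3.3"], ["192.168.2.0/24"]))
```

Feed it the text captured from each device and the expected router IDs and prefixes for that device (for SW3 that would be 2.2.2.2 and 192.168.1.0/24); an empty list is the pass condition. Because the firewall sits transparently on the 10.0.0.0/24 link, a neighbor that stays below Full after the firewall is reconfigured is the first sign that the trunk or the zone-pair filtering is blocking the OSPF exchange.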