交换机与防火墙对接上网案例(三层交换机和防火墙对接上网)
二层交换机简介:
二层交换机指的是仅能够进行二层转发,不能进行三层转发的交换机。也就是说仅支持二层特性,不支持路由等三层特性的交换机。
二层交换机一般部署在接入层,不能作为用户的网关。
组网需求:
如下图所示 PC1与PC2位于不同网段,各部门均有访问Internet的需求。现要求用户通过二层交换机和防火墙访问外部网络,且要求防火墙作为用户的网关。
配置思路:
1.配置交换机基于接口划分VLAN,实现二层转发。
2.配置防火墙作为用户的网关,通过子接口或VLANIF接口实现跨网段的三层转发。
3.配置防火墙作为DHCP服务器,为用户PC分配IP地址。
4.开启防火墙域间安全策略,使不同域的报文可以相互转发。
5.配置防火墙PAT功能,使内网用户可以访问外部网络。
操作步骤:
步骤1:配置交换机
VLAN划分,配置上下行接口
[Huawei]vlan batch 2 3
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]interface GigabitEthernet 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]quit
[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]quit
步骤2:配置防火墙
防火墙的配置有两种方式,配置子接口或者配置VLANIF接口,两种方式选择其一即可。
配置防火墙通过子接口终结VLAN,实现跨网段的三层转发。
[USG6000V1]interface gigabitethernet 1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]vlan-type dot1q 2
[USG6000V1-GigabitEthernet1/0/1.1]ip address 192.168.2.1 24
[USG6000V1-GigabitEthernet1/0/1.1]quit
[USG6000V1]interface gigabitethernet 1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[USG6000V1-GigabitEthernet1/0/1.2]ip address 192.168.3.1 24
[USG6000V1-GigabitEthernet1/0/1.2]quit
[USG6000V1]dhcp enable
[USG6000V1]interface GigabitEthernet 1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]dhcp select interface
[USG6000V1-GigabitEthernet1/0/1.1]dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6000V1-GigabitEthernet1/0/1.1]quit
[USG6000V1]interface GigabitEthernet 1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]dhcp select interface
[USG6000V1-GigabitEthernet1/0/1.2]dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6000V1-GigabitEthernet1/0/1.2]quit
[USG6000V1]interface gigabitethernet 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 200.0.0.2 24
[USG6000V1-GigabitEthernet1/0/2]quit
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1.1
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1.2
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-untrust]quit
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy1
[USG6000V1-policy-security-rule-policy1]destination-zone untrust
[USG6000V1-policy-security-rule-policy1]source-address 192.168.0.0 mask 255.255.0.0
[USG6000V1-policy-security-rule-policy1]action permit
[USG6000V1-policy-security-rule-policy1]quit
[USG6000V1-policy-security]quit
[USG6000V1]nat address-group addressgroup1
[USG6000V1-address-group-addressgroup1]mode pat
[USG6000V1-address-group-addressgroup1]route enable
[USG6000V1-address-group-addressgroup1]section 0 200.0.0.2 200.0.0.2
[USG6000V1-address-group-addressgroup1]quit
[USG6000V1] nat-policy
[USG6000V1-policy-nat] rule name policy_nat1
[USG6000V1-policy-nat-rule-policy_nat1] source-zone trust
[USG6000V1-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6000V1-policy-nat-rule-policy_nat1]source-address 192.168.0.0 mask 255.255.0.0
[USG6000V1-policy-nat-rule-policy_nat1]action source-nat address-group addressgroup1
[USG6000V1-policy-nat-rule-policy_nat1]quit
[USG6000V1-policy-nat]quit
[USG6000V1]quit
步骤3:配置路由器
[Internet]interface GigabitEthernet0/0/1
[Internet]ip address 200.0.0.1 255.255.255.0
[Internet]quit
