华为二层交换机与防火墙配置实例

二层交换机与防火墙对接上网配置示例

组网图形

图1 二层交换机与防火墙对接上网组网图

  • 二层交换机简介
  • 配置注意事项
  • 组网需求
  • 配置思路
  • 操作步骤
  • 配置文件
  • 相关信息

二层交换机简介

二层交换机指的是仅能够进行二层转发,不能进行三层转发的交换机。也就是说仅支持二层特性,不支持路由等三层特性的交换机。

二层交换机一般部署在接入层,不能作为用户的网关。

配置注意事项

本举例中的交换机配置适用于S系列交换机所有产品的所有版本。

本举例中的防火墙配置以USG6650 V500R001C60为例,其他防火墙的配置方法请参见对应的文档指南。

组网需求

图1所示,某公司拥有多个部门且位于不同网段,各部门均有访问Internet的需求。现要求用户通过二层交换机和防火墙访问外部网络,且要求防火墙作为用户的网关。

配置思路

采用如下思路进行配置:

  1. 配置交换机基于接口划分VLAN,实现二层转发。

  2. 配置防火墙作为用户的网关,通过子接口或VLANIF接口实现跨网段的三层转发。

  3. 配置防火墙作为DHCP服务器,为用户PC分配IP地址。

  4. 开启防火墙域间安全策略,使不同域的报文可以相互转发。

  5. 配置防火墙PAT功能,使内网用户可以访问外部网络。

操作步骤
  1. 配置交换机

    # 配置下行连接用户的接口。

    1. <HUAWEI> system-view
    2. [HUAWEI] sysname Switch
    3. [Switch] vlan batch 2 3
    4. [Switch] interface gigabitethernet 0/0/2
    5. [Switch-GigabitEthernet0/0/2] port link-type access   //配置接口接入类型为access
    6. [Switch-GigabitEthernet0/0/2] port default vlan 2   //配置接口加入VLAN 2
    7. [Switch-GigabitEthernet0/0/2] quit
    8. [Switch] interface gigabitethernet 0/0/3
    9. [Switch-GigabitEthernet0/0/3] port link-type access
    10. [Switch-GigabitEthernet0/0/3] port default vlan 3   
    11. [Switch-GigabitEthernet0/0/3] quit

    # 配置上行连接防火墙的接口。

    1. [Switch] interface gigabitethernet 0/0/1
    2. [Switch-GigabitEthernet0/0/1] port link-type trunk
    3. [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3   //配置接口以trunk方式透传VLAN 2和VLAN 3
    4. [Switch-GigabitEthernet0/0/1] quit

  2. 配置防火墙

    防火墙的配置有两种方式,配置子接口或者配置VLANIF接口,两种方式选择其一即可。

    • 配置防火墙通过子接口终结VLAN,实现跨网段的三层转发。

      # 配置终结子接口。

      1. <USG6600> system-view
      2. [USG6600] interface gigabitethernet 1/0/1.1
      3. [USG6600-GigabitEthernet1/0/1.1] vlan-type dot1q 2   
      4. [USG6600-GigabitEthernet1/0/1.1] ip address 192.168.1.1 24   
      5. [USG6600-GigabitEthernet1/0/1.1] quit
      6. [USG6600] interface gigabitethernet 1/0/1.2
      7. [USG6600-GigabitEthernet1/0/1.2] vlan-type dot1q 3   
      8. [USG6600-GigabitEthernet1/0/1.2] ip address 192.168.2.1 24   
      9. [USG6600-GigabitEthernet1/0/1.2] quit

      # 配置DHCP功能,为内网用户分配IP地址并指定DNS服务器地址。

      1. [USG6600] dhcp enable
      2. [USG6600] interface gigabitethernet 1/0/1.1
      3. [USG6600-GigabitEthernet1/0/1.1] dhcp select interface   //开启接口采用接口地址池的DHCP Server功能
      4. [USG6600-GigabitEthernet1/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5   //配置的DNS-List 114.114.114.114是公用的DNS服务器地址,是不区分运营商的。在实际应用中,请根据运营商分配的DNS进行配置
      5. [USG6600-GigabitEthernet1/0/1.1] quit
      6. [USG6600] interface gigabitethernet 1/0/1.2
      7. [USG6600-GigabitEthernet1/0/1.2] dhcp select interface   
      8. [USG6600-GigabitEthernet1/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5   
      9. [USG6600-GigabitEthernet1/0/1.2] quit

      # 配置公网接口的IP地址和静态路由。

      1. [USG6600] interface gigabitethernet 1/0/2
      2. [USG6600-GigabitEthernet1/0/2] ip address 203.0.113.2 255.255.255.0   //配置连接公网的接口GE0/0/2的IP地址203.0.113.2
      3. [USG6600-GigabitEthernet1/0/2] quit
      4. [USG6600] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1   //配置静态缺省路由的下一跳指向公网提供的IP地址203.0.113.1

      # 配置安全区域。

      1. [USG6600] firewall zone trust   //配置trust域
      2. [USG6600-zone-trust] add interface gigabitethernet 1/0/1
      3. [USG6600-zone-trust] add interface gigabitethernet 1/0/1.1
      4. [USG6600-zone-trust] add interface gigabitethernet 1/0/1.2
      5. [USG6600-zone-trust] quit
      6. [USG6600] firewall zone untrust   //配置untrust域
      7. [USG6600-zone-untrust] add interface gigabitethernet 1/0/2
      8. [USG6600-zone-untrust] quit
      # 配置安全策略,允许域间互访。 
      1. [USG6600] security-policy
      2. [USG6600-policy-security] rule name policy1
      3. [USG6600-policy-security-rule-policy1] source-zone trust
      4. [USG6600-policy-security-rule-policy1] destination-zone untrust
      5. [USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
      6. [USG6600-policy-security-rule-policy1] action permit
      7. [USG6600-policy-security-rule-policy1] quit
      8. [USG6600-policy-security] quit
      # 配置PAT地址池,开启允许端口地址转换。 
      1. [USG6600] nat address-group addressgroup1    
      2. [USG6600-address-group-addressgroup1] mode pat
      3. [USG6600-address-group-addressgroup1] route enable
      4. [USG6600-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2    //转换的公网IP地址
      5. [USG6600-address-group-addressgroup1] quit
      # 配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换。 
      1. [USG6600] nat-policy    
      2. [USG6600-policy-nat] rule name policy_nat1
      3. [USG6600-policy-nat-rule-policy_nat1] source-zone trust
      4. [USG6600-policy-nat-rule-policy_nat1] destination-zone untrust
      5. [USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0   //允许进行PAT转换的源IP地址
      6. [USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
      7. [USG6600-policy-nat-rule-policy_nat1] quit
      8. [USG6600-policy-nat] quit
      9. [USG6600] quit

    • 配置防火墙通过配置VLANIF接口,实现跨网段的三层转发。

      # 配置VLANIF接口。

      1. <USG6600> system-view
      2. [USG6600] vlan batch 2 3
      3. [USG6600] interface gigabitethernet 1/0/1
      4. [USG6600-GigabitEthernet1/0/1] portswitch   //将以太网接口从三层模式切换到二层模式。如果接口已经是二层模式,跳过该步骤
      5. [USG6600-GigabitEthernet1/0/1] port link-type hybrid
      6. [USG6600-GigabitEthernet1/0/1] port hybrid tagged vlan 2 to 3
      7. [USG6600-GigabitEthernet1/0/1] quit
      8. [USG6600] interface vlanif 2
      9. [USG6600-Vlanif2] ip address 192.168.1.1 24   //配置VLANIF2的IP地址作为PC1的网关
      10. [USG6600-Vlanif2] quit
      11. [USG6600] interface vlanif 3
      12. [USG6600-Vlanif3] ip address 192.168.2.1 24   //配置VLANIF3的IP地址作为PC2的网关
      13. [USG6600-Vlanif3] quit

      # 配置DHCP功能。

      1. [USG6600] dhcp enable
      2. [USG6600] interface vlanif 2
      3. [USG6600-Vlanif2] dhcp select interface
      4. [USG6600-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5   //配置的DNS-List 114.114.114.114是公用的DNS服务器地址,是不区分运营商的。在实际应用中,请根据运营商分配的DNS进行配置
      5. [USG6600-Vlanif2] quit
      6. [USG6600] interface vlanif 3
      7. [USG6600-Vlanif3] dhcp select interface
      8. [USG6600-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
      9. [USG6600-Vlanif3] quit

      # 配置公网接口的IP地址和静态路由。

      1. [USG6600] interface gigabitethernet 1/0/2
      2. [USG6600-GigabitEthernet1/0/2] ip address 203.0.113.2 255.255.255.0
      3. [USG6600-GigabitEthernet1/0/2] quit
      4. [USG6600] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1   //配置静态缺省路由的下一跳指向公网提供的IP地址203.0.113.1

      # 配置安全区域。

      1. [USG6600] firewall zone trust
      2. [USG6600-zone-trust] add interface gigabitethernet 1/0/1
      3. [USG6600-zone-trust] add interface vlanif 2
      4. [USG6600-zone-trust] add interface vlanif 3
      5. [USG6600-zone-trust] quit
      6. [USG6600] firewall zone untrust
      7. [USG6600-zone-untrust] add interface gigabitethernet 1/0/2
      8. [USG6600-zone-untrust] quit
      # 配置安全策略,允许域间互访。 
      1. [USG6600] security-policy
      2. [USG6600-policy-security] rule name policy1
      3. [USG6600-policy-security-rule-policy1] source-zone trust
      4. [USG6600-policy-security-rule-policy1] destination-zone untrust
      5. [USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
      6. [USG6600-policy-security-rule-policy1] action permit
      7. [USG6600-policy-security-rule-policy1] quit
      8. [USG6600-policy-security] quit
      # 配置PAT地址池,开启允许端口地址转换。 
      1. [USG6600] nat address-group addressgroup1    
      2. [USG6600-address-group-addressgroup1] mode pat
      3. [USG6600-address-group-addressgroup1] route enable
      4. [USG6600-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2    //转换的公网IP地址
      5. [USG6600-address-group-addressgroup1] quit
      # 配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换。 
      1. [USG6600] nat-policy    
      2. [USG6600-policy-nat] rule name policy_nat1
      3. [USG6600-policy-nat-rule-policy_nat1] source-zone trust
      4. [USG6600-policy-nat-rule-policy_nat1] destination-zone untrust
      5. [USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0   //允许进行PAT转换的源IP地址
      6. [USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
      7. [USG6600-policy-nat-rule-policy_nat1] quit
      8. [USG6600-policy-nat] quit
      9. [USG6600] quit

  3. 检查配置结果

    配置PC1的IP地址为192.168.1.2/24,网关为192.168.1.1;PC2的IP地址为192.168.2.2/24,网关为192.168.2.1。

    配置外网PC的IP地址为203.0.113.1/24,网关为203.0.113.2。

    配置完成后,PC1和PC2都可以Ping通外网的IP 203.0.113.1/24,PC1和PC2都可以访问Internet。

配置文件
  1. Switch的配置文件
  2. #
  3. sysname Switch
  4. #
  5. vlan batch 2 to 3
  6. #
  7. interface GigabitEthernet0/0/1
  8.  port link-type trunk
  9.  port trunk allow-pass vlan 2 to 3
  10. #
  11. interface GigabitEthernet0/0/2
  12.  port link-type access
  13.  port default vlan 2
  14. #
  15. interface GigabitEthernet0/0/3
  16.  port link-type access
  17.  port default vlan 3
  18. #
  19. return
  20. USG的配置文件(防火墙通过子接口进行三层转发的配置文件)
  21. #
  22. interface GigabitEthernet1/0/1
  23. #
  24. interface GigabitEthernet1/0/1.1
  25.  vlan-type dot1q 2 
  26.  ip address 192.168.1.1 255.255.255.0
  27.  dhcp select interface
  28.  dhcp server dns-list 114.114.114.114 223.5.5.5
  29.  #
  30. interface GigabitEthernet1/0/1.2
  31.  vlan-type dot1q 3
  32.  ip address 192.168.2.1 255.255.255.0
  33.  dhcp select interface
  34.  dhcp server dns-list 114.114.114.114 223.5.5.5
  35. #
  36. interface GigabitEthernet1/0/2
  37.  ip address 203.0.113.2 255.255.255.0
  38. #
  39. firewall zone trust
  40.  set priority 85
  41.  add interface GigabitEthernet1/0/1
  42.  add interface GigabitEthernet1/0/1.1
  43.  add interface GigabitEthernet1/0/1.2
  44. #
  45. firewall zone untrust
  46.  set priority 5
  47.  add interface GigabitEthernet1/0/2
  48. #
  49.  ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
  50. #
  51. nat address-group addressgroup1 0 
  52.  mode pat                                                                         route enable                                                                     section 0 203.0.113.2 203.0.113.2    
  53. #
  54. security-policy                                                                 
  55.  rule name policy1                                                              
  56.   source-zone trust                                                             
  57.   destination-zone untrust                                                      
  58.   source-address 192.168.0.0 mask 255.255.0.0                                   
  59.   action permit   
  60. #
  61. nat-policy                                                                      
  62.  rule name policy_nat1                                                          
  63.   source-zone trust                                                             
  64.   destination-zone untrust                                                      
  65.   source-address 192.168.0.0 mask 255.255.0.0                                   
  66.   action nat address-group addressgroup1                                 
  67. #  
  68. return
  69. USG的配置文件(防火墙通过VLANIF接口进行三层转发的配置文件)
  70. #
  71.  vlan batch 2 to 3
  72. #
  73. interface Vlanif2
  74.  ip address 192.168.1.1 255.255.255.0                                           
  75.  dhcp server dns-list 114.114.114.114 223.5.5.5 
  76. #
  77. interface Vlanif3
  78.  ip address 192.168.2.1 255.255.255.0                                           
  79.  dhcp select interface                                                          
  80.  dhcp server dns-list 114.114.114.114 223.5.5.5
  81. #
  82. interface GigabitEthernet1/0/1
  83.  portswitch
  84.  port hybrid tagged vlan 2 to 3
  85. #
  86. interface GigabitEthernet1/0/2
  87.  ip address 203.0.113.2 255.255.255.0
  88. #
  89. firewall zone trust
  90.  set priority 85
  91.  add interface GigabitEthernet1/0/1
  92.  add interface Vlanif2
  93.  add interface Vlanif3
  94. #
  95. firewall zone untrust
  96.  set priority 5
  97.  add interface GigabitEthernet1/0/2
  98. #jja
  99.  ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
  100. #
  101. nat address-group addressgroup1 0 
  102.  mode pat                                                                       
  103.  route enable                                                                   
  104.  section 0 203.0.113.2 203.0.113.2    
  105. #
  106. security-policy                                                                 
  107.  rule name policy1                                                              
  108.   source-zone trust                                                             
  109.   destination-zone untrust                                                      
  110.   source-address 192.168.0.0 mask 255.255.0.0                                   
  111.   action permit   
  112. #
  113. nat-policy                                                                      
  114.  rule name policy_nat1                                                          
  115.   source-zone trust                                                             
  116.   destination-zone untrust                                                      
  117.   source-address 192.168.0.0 mask 255.255.0.0                                   
  118.   action nat address-group addressgroup1                                 
  119. # 
  120. return

注:本文转载自blog.csdn.net的知孤云出岫的文章"https://blog.csdn.net/weixin_59383576/article/details/135154569"。版权归原作者所有,此博客不拥有其著作权,亦不承担相应法律责任。如有侵权,请联系我们删除。
复制链接
相关推荐
发表评论

评论记录:

未查询到任何数据!