Connecting a Layer 3 switch to a firewall for Internet access
As shown in the figure, a Layer 3 switch is connected to a firewall so that the user PCs PC1 and PC2 can reach the Internet. The switch is a Layer 3 switch and can forward traffic between subnets.
Requirements:
The switch acts as the gateway and performs Layer 3 forwarding. It also acts as the DHCP server that assigns IP addresses to users.
The firewall performs NAT so that the internal network can reach the external network.
Procedure
I. Switch configuration
1. Configure the user-facing interfaces and the VLANif interfaces.
<Huawei>system-view
[Huawei]vlan batch 2 3 100
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]interface g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]quit
[Huawei]interface vlanif 2
[Huawei-Vlanif2]ip address 192.168.2.1 24
[Huawei-Vlanif2]quit
[Huawei]interface vlanif 3
[Huawei-Vlanif3]ip address 192.168.3.1 24
[Huawei-Vlanif3]quit
2. Configure the interface facing the firewall and its VLANif interface.
3. Configure a static route.
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 100
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]interface vlanif 100
[Huawei-Vlanif100]ip address 192.168.100.2 24
[Huawei-Vlanif100]quit
[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
4. Configure the DHCP server.
[Huawei]dhcp enable
[Huawei]interface vlanif 2
[Huawei-Vlanif2]dhcp select interface
[Huawei-Vlanif2]dhcp server dns-list 114.114.114.114
[Huawei-Vlanif2]quit
[Huawei]interface vlanif 3
[Huawei-Vlanif3]dhcp select interface
[Huawei-Vlanif3]dhcp server dns-list 114.114.114.114
[Huawei-Vlanif3]quit
II. Firewall configuration
1. Configure the port connected to the switch and its IP address.
<Huawei>system-view
[SRG]interface g0/0/1
[SRG-GigabitEthernet0/0/1]ip address 192.168.100.1 24
[SRG-GigabitEthernet0/0/1]quit
2. Configure the interface connected to the public network and its IP address.
3. Configure the default route and the return routes.
<SRG>sys
[SRG]interface g0/0/2
18:13:57 2017/06/15
[SRG-GigabitEthernet0/0/2]ip address 200.0.0.2 24
[SRG-GigabitEthernet0/0/2]quit
[SRG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
[SRG]ip route-static 192.168.2.0 255.255.255.0 192.168.100.2
[SRG]ip route-static 192.168.3.0 255.255.255.0 192.168.100.2
3. Configure NAT.
[SRG]nat address-group 1 200.0.0.2 200.0.0.2
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
[SRG]
4. Configure the zones and the interzone policy.
[SRG]firewall zone trust
[SRG-zone-trust]add interface g0/0/1
[SRG-zone-trust]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface g0/0/2
[SRG-zone-untrust]quit
[SRG]firewall packet-filter default permit all