Large Campus Egress Configuration Example: Firewalls Deployed Inline (Direct Connection)

Uploaded by: 仙*** | Document ID: 87481973 | Upload date: 2022-05-09 | Format: DOC | Pages: 27 | Size: 232KB
1-1 Large campus egress configuration example: firewalls deployed inline (direct connection)

Networking requirements

As shown in Figure 1-1, at the egress of a large campus the uplinks of the core switches connect directly to the firewalls, and the firewalls connect to the egress gateways. The firewalls filter the traffic entering and leaving the campus and provide security for the network. The requirements are:

- Intranet users use private IP addresses, assigned automatically by DHCP.
- Users in Department A can access the Internet; users in Department B cannot.
- All external users can access the server.
- The network must be reliable: every node is designed with redundancy.

Figure 1-1 Campus egress networking diagram (firewalls directly connected)

Deployment key points

- Routing:
  - Router ID: configure a Loopback address on every device to serve as its Router ID.
  - The egress routers, firewalls and core switches form the OSPF backbone Area 0; the egress routers act as ASBRs and the core switch as an ABR.
  - Department A and Department B are placed in OSPF Area 1 and Area 2 respectively, both configured as NSSA areas to reduce LSA propagation between areas.
  - To steer upstream traffic, configure a default route on the core switch with the firewall as next hop, a default route on the firewall with the egress router as next hop, and a default route on the egress router with the carrier device's peering address (the public gateway) as next hop.
- Reliability: the recommended design is CSS + iStack + Eth-Trunk loop-free Ethernet, which keeps reliability simple.
  - Deploy a CSS cluster on the core switches and iStack stacks on the aggregation switches for device-level reliability.
  - For link reliability, connect the core switch to the firewalls, the core switch to the aggregation switches, and the aggregation switches to the access switches with Eth-Trunks.
  - Deploy hot standby on the firewalls, with the two firewalls sharing load.
- DHCP:
  - Configure a DHCP server on the core switch to assign user addresses automatically.
  - Configure DHCP Relay on the aggregation switches so that users can obtain addresses from that DHCP service.
- NAT:
  - So that intranet users can reach the Internet, configure NAT on the uplink interfaces of both egress routers to translate between private and public addresses. An ACL matches Department A's source addresses, so that Department A users can access the Internet while Department B users cannot.
  - So that external users can reach the server, configure NAT Server on both egress routers.
- Security: configure security policies on the firewalls to filter traffic and protect the network.

Device planning

Device type | Devices | Model
Router | Router1, Router2 | Huawei AR3600 series router
Firewall | FW1, FW2 | Huawei USG9000 series firewall
Core switch (CSS) | Switch1, Switch2 | Huawei S7700/S9700/S12700 switch
Aggregation switch (iStack) | Switch3 to Switch6 | Huawei S5720EI series switch, stacked through service ports

Data planning (interface IP addresses are assigned in Step 4 of the procedure)

Device | Interface | Member ports | VLANIF | Peer device | Peer interface
Router1 | GE0/0/1 | - | - | FW1 | GE1/0/1
Router1 | GE0/0/2 | - | - | Assumed to connect to the carrier's device; the IP address is the public address assigned by the carrier | -
Router2 | GE0/0/1 | - | - | FW2 | GE1/0/1
Router2 | GE0/0/2 | - | - | Assumed to connect to the carrier's device; the IP address is the public address assigned by the carrier | -
FW1 | GE1/0/1 | - | - | Router1 | GE0/0/1
FW1 | GE1/0/7 | - | - | FW2 | GE1/0/7
FW1 | Eth-Trunk10 | GE2/0/3, GE2/0/4 | - | CSS | Eth-Trunk10
FW2 | GE1/0/1 | - | - | Router2 | GE0/0/1
FW2 | GE1/0/7 | - | - | FW1 | GE1/0/7
FW2 | Eth-Trunk20 | GE2/0/3, GE2/0/4 | - | CSS | Eth-Trunk20
CSS | GE1/1/0/10 | - | VLANIF300 | Server | Ethernet interface
CSS | Eth-Trunk10 | GE1/1/0/3, GE2/1/0/3 | - | FW1 | Eth-Trunk10
CSS | Eth-Trunk20 | GE1/1/0/4, GE2/1/0/4 | - | FW2 | Eth-Trunk20
CSS | Eth-Trunk100 | GE1/2/0/3, GE2/2/0/3 | VLANIF100 | AGG1 | Eth-Trunk100
CSS | Eth-Trunk200 | GE1/2/0/4, GE2/2/0/4 | VLANIF200 | AGG2 | Eth-Trunk200
AGG1 | Eth-Trunk100 | GE1/0/1, GE2/0/1 | VLANIF100 | CSS | Eth-Trunk100
AGG1 | Eth-Trunk500 | GE1/0/5, GE2/0/5 | VLANIF500 | Assumed to connect to Department A and to serve as the gateway of Department A users | -
AGG2 | Eth-Trunk200 | GE1/0/1, GE2/0/1 | VLANIF200 | CSS | Eth-Trunk200
AGG2 | Eth-Trunk600 | GE1/0/5, GE2/0/5 | VLANIF600 | Assumed to connect to Department B and to serve as the gateway of Department B users | -
Server | Ethernet interface | - | - | CSS | GE1/1/0/10

Configuration roadmap

The campus egress is configured as follows:

Step | Configuration idea | Products involved
1 | (1) Configure a CSS cluster on the core switches. (2) Configure iStack on the aggregation switches. | Core switches Switch1 and Switch2; aggregation switches Switch3, Switch4, Switch5, Switch6
2 | Configure interfaces for link reliability: (1) Eth-Trunk between the core switch (CSS) and the firewalls. (2) Eth-Trunk between the core switch (CSS) and the aggregation switches (AGG). (3) Eth-Trunk between the aggregation switches and the access switches. | Core switch CSS, firewalls FW1 and FW2, aggregation switches AGG1 and AGG2
3 | Configure interface IP addresses: (1) Router uplink and downlink interfaces. (2) FW uplink and downlink interfaces. (3) Core switch uplink and downlink interfaces. (4) Aggregation switch uplink and downlink interfaces. | Router1, Router2, FW1, FW2, CSS, AGG1, AGG2
4 | Configure the routing protocol; the intranet uses OSPF: (1) The uplink interfaces of the routers, firewalls and core switch are placed in backbone Area 0. (2) The core switch downlink interfaces and the aggregation switches are placed in NSSA areas Area 1 and Area 2. (3) Configure a default route on the core switch with the firewall as next hop, a default route on the firewall with the egress router as next hop, and a default route on the egress router with the carrier device's peering address (the public gateway) as next hop. | Router1, Router2, FW1, FW2, CSS
5 | Configure the security zone of each firewall interface: (1) Add the interfaces facing the external network to the Untrust zone. (2) Add the interfaces facing the intranet to the Trust zone. (3) Add the hot-standby heartbeat interfaces to the DMZ zone. | FW1, FW2
6 | Configure hot standby: (1) Configure VGMP to monitor the uplink and downlink interfaces. (2) Specify the heartbeat interface and enable hot standby. (3) Enable quick session backup so that the two firewalls share load. | FW1, FW2
7 | Configure DHCP: (1) Configure the DHCP server function on the core switch and specify the address pool and gateway. (2) Configure the DHCP relay function on the aggregation switches. | CSS, AGG1, AGG2
8 | Configure NAT: (1) Configure NAT on both egress routers so that Department A users can access the Internet and Department B users cannot. (2) Configure NAT Server on both egress routers so that external users can access the server. | Egress routers Router1, Router2
9 | Configure attack defense: enable SYN Flood and … Flood attack defense on the firewalls to protect the internal servers. | Firewalls

Procedure

Step 1 Core switches: configure the CSS cluster

1. Connect the cluster-card cables. The figure (not reproduced here) shows cabling for the EH1D2VS08000 cluster card as an example.
   - A cluster card may only be connected to one cluster card on the peer chassis; it must not be connected to several cluster cards, nor to a cluster card in its own chassis.
   - Any port in group 1 of a cluster card may only be connected to a port in group 1 of the peer cluster card; the same rule applies to group 2.
   - Every cluster card must carry the same number of cluster cables (otherwise the total cluster bandwidth is affected), and the two ends are connected in port-number order.

2. Configure the cluster on Switch1. The cluster connection mode is cluster card, which is the default and needs no configuration. The cluster ID keeps the default value 1 and needs no configuration; the priority is set to 100.

   <HUAWEI> system-view
   [HUAWEI] set css mode css-card      // device default; shown for illustration only, no need to run it
   [HUAWEI] set css id 1               // device default; shown for illustration only, no need to run it
   [HUAWEI] set css priority 100       // the default cluster priority is 1; give the master switch a higher priority than the standby
   [HUAWEI] css enable
   Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y      // reboot the switch

3. Configure the cluster on Switch2. The connection mode is cluster card (default, no configuration needed). The cluster ID is 2; the priority keeps the default value 1.

   <HUAWEI> system-view
   [HUAWEI] set css id 2               // the default cluster ID is 1; set the standby switch's ID to 2
   [HUAWEI] css enable
   Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y      // reboot the switch

4. After the switches reboot, check the cluster status. The CSS MASTER LED of the cluster master is steady green (see the figure, not reproduced here). The CSS ID LED numbered 1 on both MPUs of Switch1 is steady green, and the CSS ID LED numbered 2 on both MPUs of Switch2 is steady green. On the cluster cards, the LINK/ALM LED of every port with a cluster cable is steady green. The MASTER LED of every cluster card in the master chassis is steady green; in the standby chassis it stays off. Once the cluster is established, all further configuration is done on the master switch and is synchronized to the standby automatically. In a cluster, interface numbers become four-dimensional, for example 10GE1/1/0/9, where the first digit is the cluster ID.

Step 2 Aggregation switches: configure iStack

The S5720EI series is used as an example, stacking through service ports. Switch3 and Switch4 are shown; Switch5 and Switch6 are stacked the same way and are not repeated. Do not connect the stack cables before the configuration is complete.

1. Configure the logical stack ports and add the physical member ports. A physical member port in the local device's logical stack port stack-port n/1 may only be connected to a member port in the peer device's stack-port n/2.

   # On Switch3, make service port GE0/0/28 a physical member port and add it to the corresponding logical stack port.
   [Switch3] interface stack-port 0/1
   [Switch3-stack-port0/1] port interface gigabitethernet 0/0/28 enable
   Warning: Enabling stack function may cause configuration loss on the interface, continue? [Y/N]:Y
   Info: This operation may take a few seconds. Please wait for a moment.
   [Switch3-stack-port0/1] quit

   # On Switch4, make service port GE0/0/28 a physical member port and add it to the corresponding logical stack port.
   [Switch4] interface stack-port 0/2
   [Switch4-stack-port0/2] port interface gigabitethernet 0/0/28 enable
   Warning: Enabling stack function may cause configuration loss on the interface, continue? [Y/N]:Y
   Info: This operation may take a few seconds. Please wait for a moment.
   [Switch4-stack-port0/2] quit

2. Configure the stack ID and stack priority.

   # Set the stack priority of Switch3 to 200.
   [Switch3] stack slot 0 priority 200
   Warning: Please do not frequently modify Priority, it will make the stack split, continue? [Y/N]:Y

   # Set the stack ID of Switch3 to 1.
   [Switch3] stack slot 0 renumber 1
   Warning: All the configurations related to the slot ID will be lost after the slot ID is modified. Please do not frequently modify slot ID, it will make the stack split. Continue? [Y/N]:Y
   Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.

   # Set the stack ID of Switch4 to 2.
   [Switch4] stack slot 0 renumber 2
   Warning: All the configurations related to the slot ID will be lost after the slot ID is modified. Please do not frequently modify slot ID, it will make the stack split. Continue? [Y/N]:Y
   Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.

3. Power off Switch3 and Switch4 and connect their GE0/0/28 interfaces with an SFP+ cable as the stack link. Save the configuration with the save command before powering off. The local device's stack-port 0/1 must be connected to the neighbor's stack-port 0/2; otherwise the stack cannot be established.

4. Power the devices on. If a particular switch should become the master, power it on first: to make Switch3 the master, power on Switch3 first and then Switch4.

5. Check whether the stack has been established.

   <Switch3> display stack
   Stack topology type: Link
   Stack system MAC: 0018-82b1-6eb4
   MAC switch delay time: 2 min
   Stack reserved vlan: 4093
   Slot of the active management port: -
   Slot   Role     Mac address      Priority   Device type
   --------------------------------------------------------------
   1      Master   0018-82b1-6eb4   200        S5720-36C-EI-AC
   2      Standby  0018-82b1-6eba   150        S5720-36C-EI-AC

   One master and one standby are shown, so the stack has been established.

Step 3 Deploy Eth-Trunk interfaces: configure the cross-chassis Eth-Trunks between the CSS and the firewalls and aggregation switches

1. Firewalls: configure the Eth-Trunk interfaces toward the core switch CSS.

   # On FW1 create Eth-Trunk 10 toward the CSS and add its member interfaces.
   [FW1] interface eth-trunk 10                  // create Eth-Trunk10, connected to the CSS
   [FW1-Eth-Trunk10] quit
   [FW1] interface gigabitethernet 2/0/3
   [FW1-GigabitEthernet2/0/3] eth-trunk 10
   [FW1-GigabitEthernet2/0/3] quit
   [FW1] interface gigabitethernet 2/0/4
   [FW1-GigabitEthernet2/0/4] eth-trunk 10
   [FW1-GigabitEthernet2/0/4] quit

   # On FW2 create Eth-Trunk 20 toward the CSS and add its member interfaces.
   [FW2] interface eth-trunk 20                  // create Eth-Trunk20, connected to the CSS
   [FW2-Eth-Trunk20] quit
   [FW2] interface gigabitethernet 2/0/3
   [FW2-GigabitEthernet2/0/3] eth-trunk 20
   [FW2-GigabitEthernet2/0/3] quit
   [FW2] interface gigabitethernet 2/0/4
   [FW2-GigabitEthernet2/0/4] eth-trunk 20
   [FW2-GigabitEthernet2/0/4] quit

2. Core switch CSS: configure the cross-chassis Eth-Trunks toward the firewalls and the aggregation switches.

   # On the CSS create Eth-Trunk 10 toward FW1 and add its member interfaces.
   [CSS] interface eth-trunk 10                  // create Eth-Trunk10, connected to FW1
   [CSS-Eth-Trunk10] quit
   [CSS] interface gigabitethernet 1/1/0/3
   [CSS-GigabitEthernet1/1/0/3] eth-trunk 10
   [CSS-GigabitEthernet1/1/0/3] quit
   [CSS] interface gigabitethernet 2/1/0/3
   [CSS-GigabitEthernet2/1/0/3] eth-trunk 10
   [CSS-GigabitEthernet2/1/0/3] quit

   # On the CSS create Eth-Trunk 20 toward FW2 and add its member interfaces.
   [CSS] interface eth-trunk 20                  // create Eth-Trunk20, connected to FW2
   [CSS-Eth-Trunk20] quit
   [CSS] interface gigabitethernet 1/1/0/4
   [CSS-GigabitEthernet1/1/0/4] eth-trunk 20
   [CSS-GigabitEthernet1/1/0/4] quit
   [CSS] interface gigabitethernet 2/1/0/4
   [CSS-GigabitEthernet2/1/0/4] eth-trunk 20
   [CSS-GigabitEthernet2/1/0/4] quit

   # On the CSS create Eth-Trunk 100 toward aggregation switch AGG1 and add its member interfaces.
   [CSS] interface eth-trunk 100                 // create Eth-Trunk100, connected to AGG1
   [CSS-Eth-Trunk100] quit
   [CSS] interface gigabitethernet 1/2/0/3
   [CSS-GigabitEthernet1/2/0/3] eth-trunk 100
   [CSS-GigabitEthernet1/2/0/3] quit
   [CSS] interface gigabitethernet 2/2/0/3
   [CSS-GigabitEthernet2/2/0/3] eth-trunk 100
   [CSS-GigabitEthernet2/2/0/3] quit

   # On the CSS create Eth-Trunk 200 toward aggregation switch AGG2 and add its member interfaces.
   [CSS] interface eth-trunk 200                 // create Eth-Trunk200, connected to AGG2
   [CSS-Eth-Trunk200] quit
   [CSS] interface gigabitethernet 1/2/0/4
   [CSS-GigabitEthernet1/2/0/4] eth-trunk 200
   [CSS-GigabitEthernet1/2/0/4] quit
   [CSS] interface gigabitethernet 2/2/0/4
   [CSS-GigabitEthernet2/2/0/4] eth-trunk 200
   [CSS-GigabitEthernet2/2/0/4] quit

3. Aggregation switches: configure the Eth-Trunks between the aggregation switches and the CSS, and between the aggregation switches and the access switches.

   # Configure AGG1.
   [AGG1] interface eth-trunk 100                // create Eth-Trunk100, connected to the CSS
   [AGG1-Eth-Trunk100] quit
   [AGG1] interface gigabitethernet 1/0/1
   [AGG1-GigabitEthernet1/0/1] eth-trunk 100
   [AGG1-GigabitEthernet1/0/1] quit
   [AGG1] interface gigabitethernet 2/0/1
   [AGG1-GigabitEthernet2/0/1] eth-trunk 100
   [AGG1-GigabitEthernet2/0/1] quit
   [AGG1] interface eth-trunk 500                // create Eth-Trunk500, connected to the access switch
   [AGG1-Eth-Trunk500] quit
   [AGG1] interface gigabitethernet 1/0/5
   [AGG1-GigabitEthernet1/0/5] eth-trunk 500
   [AGG1-GigabitEthernet1/0/5] quit
   [AGG1] interface gigabitethernet 2/0/5
   [AGG1-GigabitEthernet2/0/5] eth-trunk 500
   [AGG1-GigabitEthernet2/0/5] quit

   # Configure AGG2.
   [AGG2] interface eth-trunk 200                // create Eth-Trunk200, connected to the CSS
   [AGG2-Eth-Trunk200] quit
   [AGG2] interface gigabitethernet 1/0/1
   [AGG2-GigabitEthernet1/0/1] eth-trunk 200
   [AGG2-GigabitEthernet1/0/1] quit
   [AGG2] interface gigabitethernet 2/0/1
   [AGG2-GigabitEthernet2/0/1] eth-trunk 200
   [AGG2-GigabitEthernet2/0/1] quit
   [AGG2] interface eth-trunk 600                // create Eth-Trunk600, connected to the access switch
   [AGG2-Eth-Trunk600] quit
   [AGG2] interface gigabitethernet 1/0/5
   [AGG2-GigabitEthernet1/0/5] eth-trunk 600
   [AGG2-GigabitEthernet1/0/5] quit
   [AGG2] interface gigabitethernet 2/0/5
   [AGG2-GigabitEthernet2/0/5] eth-trunk 600
   [AGG2-GigabitEthernet2/0/5] quit

Step 4 Configure the interface IP addresses

   # Configure Router1.
   [Router1] interface loopback 0
   [Router1-LoopBack0] ip address 1.1.1.1 32              // used as the Router ID
   [Router1-LoopBack0] quit
   [Router1] interface gigabitethernet 0/0/2
   [Router1-GigabitEthernet0/0/2] ip address 202.10.1.1 24   // IP address of the interface facing the external network
   [Router1-GigabitEthernet0/0/2] quit
   [Router1] interface gigabitethernet 0/0/1
   [Router1-GigabitEthernet0/0/1] ip address 10.1.1.1 24     // IP address of the interface facing FW1
   [Router1-GigabitEthernet0/0/1] quit

   # Configure Router2.
   [Router2] interface loopback 0
   [Router2-LoopBack0] ip address 2.2.2.2 32              // used as the Router ID
   [Router2-LoopBack0] quit
   [Router2] interface gigabitethernet 0/0/2
   [Router2-GigabitEthernet0/0/2] ip address 202.10.2.1 24   // IP address of the interface facing the external network
   [Router2-GigabitEthernet0/0/2] quit
   [Router2] interface gigabitethernet 0/0/1
   [Router2-GigabitEthernet0/0/1] ip address 10.2.1.1 24     // IP address of the interface facing FW2
   [Router2-GigabitEthernet0/0/1] quit

   # Configure FW1.
   [FW1] interface loopback 0
   [FW1-LoopBack0] ip address 3.3.3.3 32                  // used as the Router ID
   [FW1-LoopBack0] quit
   [FW1] interface gigabitethernet 1/0/1
   [FW1-GigabitEthernet1/0/1] ip address 10.1.1.2 24         // IP address of the interface facing Router1
   [FW1-GigabitEthernet1/0/1] quit
   [FW1] interface gigabitethernet 1/0/7
   [FW1-GigabitEthernet1/0/7] ip address 10.10.1.1 24        // IP address of the hot-standby heartbeat interface
   [FW1-GigabitEthernet1/0/7] quit
   [FW1] interface eth-trunk 10
   [FW1-Eth-Trunk10] ip address 10.3.1.1 24                  // IP address of the Eth-Trunk facing the CSS
   [FW1-Eth-Trunk10] quit

   # Configure FW2.
   [FW2] interface loopback 0
   [FW2-LoopBack0] ip address 4.4.4.4 32                  // used as the Router ID
   [FW2-LoopBack0] quit
   [FW2] interface gigabitethernet 1/0/1
   [FW2-GigabitEthernet1/0/1] ip address 10.2.1.2 24         // IP address of the interface facing Router2
   [FW2-GigabitEthernet1/0/1] quit
   [FW2] interface gigabitethernet 1/0/7
   [FW2-GigabitEthernet1/0/7] ip address 10.10.1.2 24        // IP address of the hot-standby heartbeat interface
   [FW2-GigabitEthernet1/0/7] quit
   [FW2] interface eth-trunk 20
   [FW2-Eth-Trunk20] ip address 10.4.1.1 24                  // IP address of the Eth-Trunk facing the CSS
   [FW2-Eth-Trunk20] quit

   # Configure the CSS.
   [CSS] interface loopback 0
   [CSS-LoopBack0] ip address 5.5.5.5 32                  // used as the Router ID
   [CSS-LoopBack0] quit
   [CSS] interface eth-trunk 10
   [CSS-Eth-Trunk10] undo portswitch                      // by default a switch Eth-Trunk works in Layer 2 mode; to use it as a Layer 3 interface, switch it to Layer 3 mode first with undo portswitch
   [CSS-Eth-Trunk10] ip address 10.3.1.2 24                  // IP address of Eth-Trunk10 facing FW1
   [CSS-Eth-Trunk10] quit
   [CSS] interface eth-trunk 20
   [CSS-Eth-Trunk20] undo portswitch                      // switch the Eth-Trunk to Layer 3 mode, as above
   [CSS-Eth-Trunk20] ip address 10.4.1.2 24                  // IP address of Eth-Trunk20 facing FW2
   [CSS-Eth-Trunk20] quit
   [CSS] vlan batch 100 200 300                           // create the VLANs in a batch
   [CSS] interface eth-trunk 100
   [CSS-Eth-Trunk100] port hybrid pvid vlan 100
   [CSS-Eth-Trunk100] port hybrid untagged vlan 100
   [CSS-Eth-Trunk100] quit
   [CSS] interface vlanif 100
   [CSS-Vlanif100] ip address 10.5.1.1 24                    // IP address of the interface facing AGG1
   [CSS-Vlanif100] quit
   [CSS] interface eth-trunk 200
   [CSS-Eth-Trunk200] port hybrid pvid vlan 200
   [CSS-Eth-Trunk200] port hybrid untagged vlan 200
   [CSS-Eth-Trunk200] quit
   [CSS] interface vlanif 200
   [CSS-Vlanif200] ip address 10.6.1.1 24                    // IP address of the interface facing AGG2
   [CSS-Vlanif200] quit
   [CSS] interface gigabitethernet 1/1/0/10               // enter the interface connected to the server
   [CSS-GigabitEthernet1/1/0/10] port link-type access
   [CSS-GigabitEthernet1/1/0/10] port default vlan 300       // join VLAN 300 in access mode
   [CSS-GigabitEthernet1/1/0/10] quit
   [CSS] interface vlanif 300
   [CSS-Vlanif300] ip address 10.100.1.1 24                  // IP address of the interface connected to the server
   [CSS-Vlanif300] quit

   # Configure AGG1.
   [AGG1] interface loopback 0
   [AGG1-LoopBack0] ip address 6.6.6.6 32                 // used as the Router ID
   [AGG1-LoopBack0] quit
   [AGG1] vlan batch 100 500
   [AGG1] interface eth-trunk 100
   [AGG1-Eth-Trunk100] port hybrid pvid vlan 100
   [AGG1-Eth-Trunk100] port hybrid untagged vlan 100
   [AGG1-Eth-Trunk100] quit
   [AGG1] interface vlanif 100
   [AGG1-Vlanif100] ip address 10.5.1.2 24                   // IP address of the interface facing the CSS
   [AGG1-Vlanif100] quit
   [AGG1] interface eth-trunk 500
   [AGG1-Eth-Trunk500] port hybrid pvid vlan 500
   [AGG1-Eth-Trunk500] port hybrid untagged vlan 500
   [AGG1-Eth-Trunk500] quit
   [AGG1] interface vlanif 500
   [AGG1-Vlanif500] ip address 192.168.1.1 24                // IP address of the interface facing the access switch; gateway of Department A
   [AGG1-Vlanif500] quit

   # Configure AGG2.
   [AGG2] interface loopback 0
   [AGG2-LoopBack0] ip address 7.7.7.7 32                 // used as the Router ID
   [AGG2-LoopBack0] quit
   [AGG2] vlan batch 200 600
   [AGG2] interface eth-trunk 200
   [AGG2-Eth-Trunk200] port hybrid pvid vlan 200
   [AGG2-Eth-Trunk200] port hybrid untagged vlan 200
   [AGG2-Eth-Trunk200] quit
   [AGG2] interface vlanif 200
   [AGG2-Vlanif200] ip address 10.6.1.2 24                   // IP address of the interface facing the CSS
   [AGG2-Vlanif200] quit
   [AGG2] interface eth-trunk 600
   [AGG2-Eth-Trunk600] port hybrid pvid vlan 600
   [AGG2-Eth-Trunk600] port hybrid untagged vlan 600
   [AGG2-Eth-Trunk600] quit
   [AGG2] interface vlanif 600
   [AGG2-Vlanif600] ip address 192.168.2.1 24                // IP address of the interface facing the access switch; gateway of Department B
   [AGG2-Vlanif600] quit

Step 5 Firewalls: assign interfaces to security zones and configure security policies

   # Add the interfaces to security zones.
   [FW1] firewall zone trust
   [FW1-zone-trust] add interface Eth-Trunk 10               // the intranet-facing Eth-Trunk10 joins the Trust zone
   [FW1-zone-trust] quit
   [FW1] firewall zone untrust
   [FW1-zone-untrust] add interface gigabitethernet 1/0/1    // the external-facing GE1/0/1 joins the Untrust zone
   [FW1-zone-untrust] quit
   [FW1] firewall zone dmz
   [FW1-zone-dmz] add interface gigabitethernet 1/0/7        // the heartbeat interface GE1/0/7 joins the DMZ zone
   [FW1-zone-dmz] quit

   [FW2] firewall zone trust
   [FW2-zone-trust] add interface Eth-Trunk 20               // the intranet-facing Eth-Trunk20 joins the Trust zone
   [FW2-zone-trust] quit
   [FW2] firewall zone untrust
   [FW2-zone-untrust] add interface gigabitethernet 1/0/1    // the external-facing GE1/0/1 joins the Untrust zone
   [FW2-zone-untrust] quit
   [FW2] firewall zone dmz
   [FW2-zone-dmz] add interface gigabitethernet 1/0/7        // the heartbeat interface GE1/0/7 joins the DMZ zone
   [FW2-zone-dmz] quit

   # FW1: configure security policies. Interzone direction follows zone priority (Local > Trust > DMZ > Untrust): traffic from the higher-priority zone is outbound, traffic toward it is inbound, so traffic from Trust devices to the firewall itself is inbound on the local-trust interzone.
   [FW1] policy interzone local untrust inbound
   [FW1-policy-interzone-local-untrust-inbound] policy 2
   [FW1-policy-interzone-local-untrust-inbound-2] policy source 10.1.1.1 mask 24      // allow the egress router in the Untrust zone to access the firewall
   [FW1-policy-interzone-local-untrust-inbound-2] action permit
   [FW1-policy-interzone-local-untrust-inbound-2] quit
   [FW1-policy-interzone-local-untrust-inbound] quit
   [FW1] policy interzone local trust inbound
   [FW1-policy-interzone-local-trust-inbound] policy 1
   [FW1-policy-interzone-local-trust-inbound-1] policy source 10.3.1.2 mask 24        // allow devices in the Trust zone to access the firewall
   [FW1-policy-interzone-local-trust-inbound-1] policy source 10.5.1.1 mask 24        // allow devices in the Trust zone to access the firewall
   [FW1-policy-interzone-local-trust-inbound-1] policy source 192.168.1.1 mask 24     // allow devices in the Trust zone to access the firewall
   [FW1-policy-interzone-local-trust-inbound-1] action permit
   [FW1-policy-interzone-local-trust-inbound-1] quit
   [FW1-policy-interzone-local-trust-inbound] quit
   [FW1] policy interzone trust untrust outbound
   [FW1-policy-interzone-trust-untrust-outbound] policy 4
   [FW1-policy-interzone-trust-untrust-outbound-4] policy source 192.168.1.1 mask 24  // allow the 192.168.1.0/24 segment to access the external network
   [FW1-policy-interzone-trust-untrust-outbound-4] action permit
   [FW1-policy-interzone-trust-untrust-outbound-4] quit
   [FW1-policy-interzone-trust-untrust-outbound] quit
   [FW1] policy interzone trust untrust inbound
   [FW1-policy-interzone-trust-untrust-inbound] policy 3
   [FW1-policy-interzone-trust-untrust-inbound-3] policy source 10.1.1.1 mask 24      // allow 10.1.1.1 to access the intranet
   [FW1-policy-interzone-trust-untrust-inbound-3] action permit
   [FW1-policy-interzone-trust-untrust-inbound-3] quit
   [FW1-policy-interzone-trust-untrust-inbound] quit

   # FW2: configure security policies.
   [FW2] policy interzone local untrust inbound
   [FW2-policy-interzone-local-untrust-inbound] policy 2
   [FW2-policy-interzone-local-untrust-inbound-2] policy source 10.2.1.1 mask 24      // allow the egress router in the Untrust zone to access the firewall
   [FW2-policy-interzone-local-untrust-inbound-2] action permit
   [FW2-policy-interzone-local-untrust-inbound-2] quit
   [FW2-policy-interzone-local-untrust-inbound] quit
   [FW2] policy interzone local trust inbound
   [FW2-policy-interzone-local-trust-inbound] policy 1
   [FW2-policy-interzone-local-trust-inbound-1] policy source 10.4.1.2 mask 24        // allow devices in the Trust zone to access the firewall
   [FW2-policy-interzone-local-trust-inbound-1] policy source 10.6.1.1 mask 24        // allow devices in the Trust zone to access the firewall
   [FW2-policy-interzone-local-trust-inbound-1] policy source 192.168.2.1 mask 24     // allow devices in the Trust zone to access the firewall
   [FW2-policy-interzone-local-trust-inbound-1] action permit
   [FW2-policy-interzone-local-trust-inbound-1] quit
   [FW2-policy-interzone-local-trust-inbound] quit
   [FW2] policy interzone trust untrust inbound
   [FW2-policy-interzone-trust-untrust-inbound] policy 3
   [FW2-policy-interzone-trust-untrust-inbound-3] policy source 10.2.1.1 mask 24      // allow 10.2.1.1 to access the intranet
   [FW2-policy-interzone-trust-untrust-inbound-3] action permit
   [FW2-policy-interzone-trust-untrust-inbound-3] quit
   [FW2-
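The security-policy step above lists the FW1 zones and interzone policies but not what they permit end to end. The following Python script is an added example, not part of the original document or of Huawei's tooling: it models the FW1 zone membership from Step 5 and the addresses from Step 4, assumes the Local > Trust > DMZ > Untrust priority order for deciding inbound versus outbound, uses a constructed routing table (connected subnets, the intranet prefixes OSPF would deliver, and the default route toward Router1) to map addresses to zones, and then evaluates sample flows against the listed policies with the firewall's default interzone deny. The constructed external addresses (198.51.100.1, 203.0.113.5) and the assumption that intra-zone traffic is permitted are hypothetical. Running it shows that Department A is permitted and Department B is denied toward the Untrust zone, and that an arbitrary Internet source is denied toward the server by the policies listed on this page alone, which an operator would reconcile with the NAT Server step the page describes but does not show.

```python
import ipaddress
from dataclasses import dataclass

# Assumed zone priorities: traffic from a higher-priority zone toward a lower one is
# "outbound"; traffic toward the higher-priority zone is "inbound".
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# FW1 interface-to-zone mapping, as configured in Step 5.
FW1_ZONES = {
    "Eth-Trunk10": "trust",
    "GigabitEthernet1/0/1": "untrust",
    "GigabitEthernet1/0/7": "dmz",
}

# FW1's own addresses from Step 4; packets to these belong to the Local zone.
FW1_LOCAL_ADDRESSES = {"10.1.1.2", "10.10.1.1", "10.3.1.1", "3.3.3.3"}

# Constructed routing table (assumption): connected routes from Step 4, intranet
# prefixes that OSPF would advertise to FW1, and the default route toward Router1.
FW1_ROUTES = [
    ("10.1.1.0/24", "GigabitEthernet1/0/1"),
    ("10.10.1.0/24", "GigabitEthernet1/0/7"),
    ("10.3.1.0/24", "Eth-Trunk10"),
    ("10.5.1.0/24", "Eth-Trunk10"),
    ("10.100.1.0/24", "Eth-Trunk10"),
    ("192.168.1.0/24", "Eth-Trunk10"),
    ("192.168.2.0/24", "Eth-Trunk10"),
    ("0.0.0.0/0", "GigabitEthernet1/0/1"),
]


@dataclass(frozen=True)
class Policy:
    zones: frozenset      # the two zones of the interzone
    direction: str        # "inbound" or "outbound"
    sources: tuple        # source prefixes; "policy source 10.1.1.1 mask 24" is 10.1.1.0/24
    action: str


# FW1 interzone policies transcribed from Step 5.
FW1_POLICIES = [
    Policy(frozenset({"local", "untrust"}), "inbound", ("10.1.1.0/24",), "permit"),
    Policy(frozenset({"local", "trust"}), "inbound",
           ("10.3.1.0/24", "10.5.1.0/24", "192.168.1.0/24"), "permit"),
    Policy(frozenset({"trust", "untrust"}), "outbound", ("192.168.1.0/24",), "permit"),
    Policy(frozenset({"trust", "untrust"}), "inbound", ("10.1.1.0/24",), "permit"),
]


def egress_interface(address):
    """Longest-prefix match over FW1_ROUTES."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in FW1_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def zone_of(address):
    """Zone an address belongs to: Local for the firewall's own addresses, else the
    zone of the interface the route lookup selects (used for both source and
    destination, i.e. a reverse-path lookup for the source)."""
    if address in FW1_LOCAL_ADDRESSES:
        return "local"
    return FW1_ZONES[egress_interface(address)]


def evaluate(src, dst):
    """Return 'permit' or 'deny' for a flow from src to dst through FW1."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "permit"   # assumption: intra-zone traffic is not filtered here
    direction = "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"
    src_addr = ipaddress.ip_address(src)
    pair = frozenset({src_zone, dst_zone})
    for policy in FW1_POLICIES:
        if policy.zones == pair and policy.direction == direction:
            if any(src_addr in ipaddress.ip_network(n) for n in policy.sources):
                return policy.action
    return "deny"         # default interzone action when no policy matches


def audit_requirements():
    """Check the page's requirements against the listed FW1 policies."""
    return {
        "dept_a_to_internet_permitted": evaluate("192.168.1.10", "198.51.100.1") == "permit",
        "dept_b_to_internet_denied": evaluate("192.168.2.10", "198.51.100.1") == "deny",
        "router1_to_firewall_permitted": evaluate("10.1.1.1", "10.1.1.2") == "permit",
        "css_to_firewall_permitted": evaluate("10.3.1.2", "10.10.1.1") == "permit",
        "internet_to_server_permitted_by_listed_policies":
            evaluate("203.0.113.5", "10.100.1.1") == "permit",
    }


if __name__ == "__main__":
    for name, ok in audit_requirements().items():
        print(f"{name}: {ok}")
```

The evaluator is deliberately source-based only, mirroring the page's policies, which match on `policy source` and nothing else; extending `Policy` with destination and service fields is the natural next step when the rule set grows.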