本文主要是介绍二层交换机与防火墙通过子接口对接上网,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
1.配置基本IP地址
2.untrust区域连通性配置
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[AR1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 20.1.2.0 0.0.0.255
3.LSW1的配置
(1)配置下行连接PC的接口
[LSW1]vlan batch 10 20
[LSW1-Ethernet0/0/1]port link-type access
[LSW1-Ethernet0/0/1]port default vlan 10
[LSW1-Ethernet0/0/2]port link-type access
[LSW1-Ethernet0/0/2]port default vlan 20
(2)配置上行连接FW1的接口
[LSW1-Ethernet0/0/3]port link-type trunk
[LSW1-Ethernet0/0/3]port trunk allow-pass vlan 10 20
4.配置FW1
(1)配置FW1通过子接口终结VLAN,实现跨网段的三层转发
[FW1]int g1/0/1.1
[FW1-GigabitEthernet1/0/1.1]vlan-type dot1q 10
[FW1-GigabitEthernet1/0/1.1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1.1]int g1/0/1.2
[FW1-GigabitEthernet1/0/1.2]vlan-type dot1q 20
[FW1-GigabitEthernet1/0/1.2]ip add 10.1.2.1 24
(2)配置DHCP功能,为内网用户分配IP地址并指定DNS服务器地址
[FW1]dhcp enable
[FW1]int g1/0/1.1
[FW1-GigabitEthernet1/0/1.1]dhcp select interface
[FW1-GigabitEthernet1/0/1.1]dhcp server dns-list 114.114.114.114
(3)配置上行接口的IP地址和静态路由
[FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
(4)配置安全区域
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
[FW1-zone-trust]add interface g1/0/1.1
[FW1-zone-trust]add interface g1/0/1.2
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/2
(5)配置安全策略,允许域间互访
[FW1]security-policy
[FW1-policy-security]rule name policy1
[FW1-policy-security-rule-policy1]source-zone trust
[FW1-policy-security-rule-policy1]destination-zone untrust
[FW1-policy-security-rule-policy1]source-address 10.1.0.0 16
[FW1-policy-security-rule-policy1]action permit
(6)配置PAT地址池,开启允许端口地址转换
[FW1]nat address-group add_group1
[FW1-address-group-add_group1]mode pat
[FW1-address-group-add_group1]route enable
[FW1-address-group-add_group1]section 0 20.1.1.1 20.1.1.1
(7)配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换
[FW1]nat-policy
[FW1-policy-nat]rule name nat_policy1
[FW1-policy-nat-rule-nat_policy1]source-zone trust
[FW1-policy-nat-rule-nat_policy1]destination-zone untrust
[FW1-policy-nat-rule-nat_policy1]source-address 10.1.0.0 16
[FW1-policy-nat-rule-nat_policy1]action source-nat address-group add_group1
5.验证
这篇关于二层交换机与防火墙通过子接口对接上网的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
