華為模拟器模拟企業園區組網防火牆做出口配置實驗

華為模拟器模拟企業園區組網防火牆做出口配置實驗

模拟器配置實驗

業務部、财務部、生産部、行政部四個部門分别屬于vlan10 ,vlan 20,vlan30,vlan40，不同vlan間可以互訪，www伺服器劃分防火牆DMZ區域，内網主機和外網伺服器都能通路内網www伺服器。

各裝置配置如下

LSW1交換機

sys
sys LSW1
vlan batch 10 20
port-group 1
group-member e0/0/4 to e0/0/6
port link-type access
port default vlan 10
q
int e0/0/7
port link-type access
port default vlan 20
q
int Eth-Trunk 1
mode lacp-static
trunkport ethernet 0/0/1 to 0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
max active-linknumber 3
least active-linknumber 1
q           

LSW3交換機

sys
sys LSW3
vlan batch 30 40
int Eth-Trunk 2
mode lacp-static
trunkport ethernet 0/0/1 to 0/0/2
port link-type trunk
port trunk allow-pass vlan 30 40
least active-linknumber 1
q
int e0/0/3
port link-type access
port default vlan 30
int e0/0/4
port link-type access
port default vlan 40
q           

LSW2交換機配置：

sys
sys LSW2
dhcp enable
vlan batch 10 20 30 40 101
int Eth-Trunk 1
mode lacp-static
trunkport GigabitEthernet 0/0/1 to 0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
max active-linknumber 3
least active-linknumber 1
q
int Eth-Trunk 2
mode lacp-static
trunkport GigabitEthernet 0/0/4 to 0/0/5
port link-type trunk
port trunk allow-pass vlan 30 40
least active-linknumber 1
q
int vlanif 10 
ip add 192.168.10.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 20 
ip add 192.168.20.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 30 
ip add 192.168.30.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 40 
ip add 192.168.40.254 24
dhcp select interface
dhcp server dns-list 114.114.114.114
q
int vlanif 101
ip add 192.168.101.254 24
q
int g0/0/6
port link-type access
port default vlan 101
q           

防火牆配置：

sys
sys FW
int g0/0/0
ip add 192.168.101.2 24
int g0/0/1
ip add 192.168.50.254 24
int g0/0/2
ip add 10.0.0.1 24
q
firewall zone trust
add interface g0/0/0
q
firewall zone untrust
add interface g0/0/2
q
firewall zone dmz
add interface g0/0/1
q
ip route-static 0.0.0.0 0 10.0.0.2
ip route-static 192.168.0.0 255.255.0.0 192.168.101.254
policy interzone trust untrust outbound
policy 10
policy source 192.168.0.0 0.0.255.255
action permit
q
q
nat-policy interzone trust untrust outbound
policy 10
policy source 192.168.0.0 0.0.255.255
action source-nat
easy-ip g0/0/2
q
q
policy interface trust dmz outbound
policy 10
policy source 192.168.0.0 0.0.255.255
policy destination 192.168.50.0 0.0.0.255
action permit
q
q
policy interface dmz trust inbound
policy 10
policy source 192.168.50.0 0.0.0.255
policy destination 192.168.0.0 0.0.255.255
action permit
q
q
            

路由器配置：

sys
sys R1
int g0/0/0
ip add 10.0.0.2 24
int g0/0/1
ip add 2.2.2.2 24
q           

實驗結果：

LSW3 int g0/0/1 down

Eth-Trunk 2鍊路狀态

vlan40通路www伺服器走向

LSW1 int e0/0/1 e0/0/2 down

Eth-Trunk1鍊路狀态

vlan10 通路内網www伺服器走向

外網client1通路内網www伺服器

client通路www伺服器