Huawei Datacom IP must-read lab document: firewall vsys comprehensive lab
https://editor-user.365editor.com/98/85/4933185/1692762104818332.png
1-Configure VLANs and link aggregation
On the access switch:
vlan batch 10 20
// on the PC-facing access ports (interface names are not shown in the lab):
port link-type access
port default vlan 10
port link-type access
port default vlan 20
interface Eth-Trunk 1
 mode lacp-static
 trunkport g0/0/3
 trunkport g0/0/4
 port link-type trunk
 port trunk allow-pass vlan all
On the core switch (SW1, the one that will carry the VPN instances):
interface Eth-Trunk 1
 portswitch
 mode lacp-static
 trunkport g1/0/3
 trunkport g1/0/4
 port link-type trunk
 port trunk allow-pass vlan all
dis eth-trunk 1
2023-07-02 10:29:54.110
Eth-Trunk1's state information is:
Local:
LAG ID: 1                    WorkingMode: STATIC
Preempt Delay: Disabled      Hash arithmetic: According to flow
System Priority: 32768       System ID: 00e0-fc86-1223
Least Active-linknumber: 1   Max Active-linknumber: 8
Operate status: up           Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName         Status    PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet1/0/3  Selected  1GE       32768    1       305      10111100   1
GigabitEthernet1/0/4  Selected  1GE       32768    2       305      10111100   1

Partner:
--------------------------------------------------------------------------------
ActorPortName         SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet1/0/3  32768   4c1f-cc8d-520c  32768    4       305      10111100
GigabitEthernet1/0/4  32768   4c1f-cc8d-520c  32768    5       305      10111100
// Both member ports are Selected and the partner reports the same System ID on both, so the two links are bundled with a single LACP peer.
2-Configure VPN instances on the switch
On the core switch, create one VPN instance (VRF) per department and bind that department's gateway interface to it:
ip vpn-instance IT
 ipv4-family
ip vpn-instance Sales
 ipv4-family
interface Vlanif 10
 ip binding vpn-instance IT
 ip address 192.168.10.1 24
interface Vlanif 20
 ip binding vpn-instance Sales
 ip address 192.168.20.1 24
// Bind the interface to the VPN instance before addressing it: ip binding vpn-instance clears any IP address already configured on the interface.
3-Create the interconnect interfaces to the firewall under the VPN instances on the switch
vlan batch 122 124
interface Vlanif 122
 ip binding vpn-instance IT
 ip address 192.168.122.1 24
interface Vlanif 124
 ip binding vpn-instance Sales
 ip address 192.168.124.1 24
// Create two more Vlanif interfaces on the switch, one per department, and put each into the matching VPN instance.
display ip routing-table vpn-instance IT
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: IT
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
   192.168.10.0/24  Direct  0    0      D      192.168.10.1    Vlanif10
   192.168.10.1/32  Direct  0    0      D      127.0.0.1       Vlanif10
  192.168.122.0/24  Direct  0    0      D      192.168.122.1   Vlanif122
  192.168.122.1/32  Direct  0    0      D      127.0.0.1       Vlanif122

display ip routing-table vpn-instance Sales
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Sales
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
   192.168.20.0/24  Direct  0    0      D      192.168.20.1    Vlanif20
   192.168.20.1/32  Direct  0    0      D      127.0.0.1       Vlanif20
  192.168.124.0/24  Direct  0    0      D      192.168.124.1   Vlanif124
  192.168.124.1/32  Direct  0    0      D      127.0.0.1       Vlanif124
// Each VRF table holds only its own two connected networks: there is no route from IT to the Sales subnet or the other way round, so at this point the two departments are isolated at Layer 3 and can only meet through the firewall.
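The isolation claim above is worth checking mechanically rather than by eye, especially once OSPF and static routes start adding entries. The following is an added example, not part of the original lab: it parses the output of display ip routing-table vpn-instance and reports any prefix outside the department's address plan. The two tables are the lab's own outputs; the third table and the PLAN mapping are constructed for this example.

```python
"""Added example, not part of the original lab: parse the output of
'display ip routing-table vpn-instance <name>' and report any prefix that does
not belong to that department's address plan. IT_TABLE and SALES_TABLE are the
lab's outputs; LEAKY_IT_TABLE is constructed to show a failing check."""
from __future__ import annotations

import re
from ipaddress import ip_network

# One routing-table row: Destination/Mask Proto Pre Cost [Flags] NextHop Interface
ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>[A-Za-z_]+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<nh>\d+\.\d+\.\d+\.\d+)\s+(?P<itf>\S+)"
)

# Address plan taken from the lab: the networks each VPN instance may legitimately hold.
PLAN = {
    "IT": ["192.168.10.0/24", "192.168.122.0/24"],
    "Sales": ["192.168.20.0/24", "192.168.124.0/24"],
}

IT_TABLE = """\
Routing Tables: IT
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
   192.168.10.0/24  Direct  0    0      D      192.168.10.1    Vlanif10
   192.168.10.1/32  Direct  0    0      D      127.0.0.1       Vlanif10
  192.168.122.0/24  Direct  0    0      D      192.168.122.1   Vlanif122
  192.168.122.1/32  Direct  0    0      D      127.0.0.1       Vlanif122
"""

SALES_TABLE = """\
Routing Tables: Sales
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
   192.168.20.0/24  Direct  0    0      D      192.168.20.1    Vlanif20
   192.168.20.1/32  Direct  0    0      D      127.0.0.1       Vlanif20
  192.168.124.0/24  Direct  0    0      D      192.168.124.1   Vlanif124
  192.168.124.1/32  Direct  0    0      D      127.0.0.1       Vlanif124
"""

# Constructed, not from the lab: the IT table after someone adds a static route
# that leaks the Sales subnet into the IT instance.
LEAKY_IT_TABLE = IT_TABLE + (
    "   192.168.20.0/24  Static  60   0      RD     192.168.124.1   Vlanif124\n"
)


def parse_routes(text: str) -> list[dict[str, str]]:
    """One dict per routing-table row; banner and header lines are skipped."""
    return [m.groupdict() for m in map(ROUTE_RE.match, text.splitlines()) if m]


def foreign_prefixes(text: str, own_networks: list[str]) -> list[str]:
    """Prefixes in the table that lie outside every network in own_networks.
    The /32 host routes of the instance's own interfaces sit inside their
    parent network, so only genuinely foreign destinations are reported."""
    own = [ip_network(n) for n in own_networks]
    bad = []
    for r in parse_routes(text):
        net = ip_network(r["dest"])
        if not any(net.subnet_of(o) for o in own):
            bad.append(f"{r['dest']} via {r['nh']} ({r['proto']})")
    return bad


def check_isolation(tables: dict[str, str], plan: dict[str, list[str]]) -> dict[str, list[str]]:
    """Run foreign_prefixes for every VPN instance; an empty dict means clean."""
    findings = {}
    for name, text in tables.items():
        bad = foreign_prefixes(text, plan[name])
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    print(check_isolation({"IT": IT_TABLE, "Sales": SALES_TABLE}, PLAN))
    print(check_isolation({"IT": LEAKY_IT_TABLE, "Sales": SALES_TABLE}, PLAN))
```

Any prefix a VPN instance is meant to reach through another device (a default route, a shared-services network) has to be listed in its plan, otherwise the check flags it; that is intentional, since an unplanned route in a VRF is exactly what leaks traffic between tenants.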
4-Create vsys on the firewall to peer with the two VPN instances on the switch
vlan batch 122 124
vsys enable
vsys name IT
 assign vlan 122
vsys name Sales
 assign vlan 124
// Create the VLANs on the firewall and assign each one to its vsys (virtual firewall).
// On the firewall, VLANs and Vlanif interfaces can only be created in the root system; the resources are then assigned to the virtual systems.
interface Vlanif 122
 ip address 192.168.122.2 24
interface Vlanif 124
 ip address 192.168.124.2 24
// Create the two Vlanif interfaces in the root system. Because their VLANs were already assigned to the virtual systems, the Vlanif interfaces land in those virtual systems automatically.
switch vsys IT
// switch into the IT virtual system
<USG6000V1-IT>display ip interface brief
// check the interface addresses as seen from inside the virtual system
Interface      IP Address/Mask    Physical  Protocol
Virtual-if1    unassigned         up        up(s)
Vlanif122      192.168.122.2/24   up        up
// Virtual-if1 is the inter-vsys interface the firewall created together with the vsys; it is left unaddressed here and used in the extended part of the lab.
5-Add the Vlanif interfaces of the virtual firewalls to the Trust zone and permit ICMP
switch vsys IT
<USG6000V1-IT>sys
firewall zone trust
 add interface Vlanif 122
interface Vlanif 122
 service-manage ping permit
quit
// to leave the virtual firewall you have to be back in user view; quit must be typed in full
<USG6000V1-IT>q
switch vsys Sales
<USG6000V1-Sales>sys
firewall zone trust
 add interface Vlanif 124
interface Vlanif 124
 service-manage ping permit
// service-manage ping permit only controls management access to the interface's own address (ping aimed at the firewall). Transit traffic between zones is governed by security policy, which the next steps configure.
6-Permit local-to-trust on each virtual firewall
switch vsys IT
<USG6000V1-IT>sys
security-policy
 rule name L2T
  source-zone local
  destination-zone trust
  action permit
switch vsys Sales
<USG6000V1-Sales>sys
security-policy
 rule name L2T
  source-zone local
  destination-zone trust
  action permit
// The default security policy of a vsys denies everything, including traffic the virtual firewall itself originates, so packets the vsys sends toward the switch (the OSPF adjacency of the next step) need this rule. After step 7, confirm the adjacency with display ospf 10 peer and display ospf 20 peer.
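Steps 2 to 6 are the same block of configuration repeated once per department, and the repetition is where lines go missing (the Sales half of step 5, for instance, originally lacked its add interface line). The script below is an added example, not from the original lab: it renders the switch and firewall side of those steps from one table and refuses to render a plan whose VLANs collide, whose subnets overlap, or whose interconnect ends are not in one subnet. Department names, VLANs and addresses are the lab's; the Tenant class and the validate/render helpers are this example's own.

```python
"""Added example (not from the lab): render the per-department switch and
firewall configuration of steps 2 to 6 from one table, so the IT and Sales
blocks cannot drift apart. Names, VLANs and addresses are the lab's; the
Tenant class and the validate/render helpers are this example's own."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Tenant:
    name: str        # vsys name on the firewall = vpn-instance name on the switch
    user_vlan: int   # department VLAN behind the switch
    user_gw: str     # switch gateway in that VLAN, e.g. "192.168.10.1/24"
    link_vlan: int   # switch <-> firewall interconnect VLAN
    sw_link_ip: str  # switch end of the interconnect
    fw_link_ip: str  # firewall end of the interconnect


def vrp_addr(cidr: str) -> str:
    """'192.168.10.1/24' -> '192.168.10.1 24' (VRP 'ip address' syntax)."""
    itf = IPv4Interface(cidr)
    return f"{itf.ip} {itf.network.prefixlen}"


def validate(tenants: list[Tenant]) -> list[str]:
    """Cross-tenant consistency checks; returns the problems found (empty = ok)."""
    problems: list[str] = []
    vlan_owner: dict[int, str] = {}
    nets: list[tuple[str, IPv4Network]] = []
    for t in tenants:
        for v in (t.user_vlan, t.link_vlan):
            if v in vlan_owner:
                problems.append(f"VLAN {v} used by both {vlan_owner[v]} and {t.name}")
            vlan_owner[v] = t.name
        sw, fw = IPv4Interface(t.sw_link_ip), IPv4Interface(t.fw_link_ip)
        if sw.network != fw.network:
            problems.append(f"{t.name}: interconnect ends {sw} and {fw} not in one subnet")
        for net in (IPv4Interface(t.user_gw).network, sw.network):
            for owner, other in nets:
                if net.overlaps(other):
                    problems.append(f"{t.name}: {net} overlaps {other} of {owner}")
            nets.append((t.name, net))
    return problems


def switch_config(t: Tenant) -> list[str]:
    """Steps 2-3: VPN instance plus the two Vlanif interfaces bound to it."""
    return [f"ip vpn-instance {t.name}", " ipv4-family",
            f"interface Vlanif {t.user_vlan}",
            f" ip binding vpn-instance {t.name}",  # bind before addressing: binding clears the address
            f" ip address {vrp_addr(t.user_gw)}",
            f"interface Vlanif {t.link_vlan}",
            f" ip binding vpn-instance {t.name}",
            f" ip address {vrp_addr(t.sw_link_ip)}"]


def firewall_root_config(t: Tenant) -> list[str]:
    """Step 4, root system: VLAN assigned to the vsys, Vlanif addressed."""
    return [f"vsys name {t.name}", f" assign vlan {t.link_vlan}",
            f"interface Vlanif {t.link_vlan}", f" ip address {vrp_addr(t.fw_link_ip)}"]


def firewall_vsys_config(t: Tenant) -> list[str]:
    """Steps 5-6, inside the vsys: zone membership, ping, local->trust rule."""
    return [f"switch vsys {t.name}", "system-view",
            "firewall zone trust", f" add interface Vlanif {t.link_vlan}",
            f"interface Vlanif {t.link_vlan}", " service-manage ping permit",
            "security-policy", " rule name L2T", "  source-zone local",
            "  destination-zone trust", "  action permit",
            "return",  # back to the vsys user view ...
            "quit"]    # ... and out of the vsys to the root system


def render(tenants: list[Tenant]) -> str:
    """Complete switch + firewall configuration; refuses an inconsistent plan."""
    problems = validate(tenants)
    if problems:
        raise ValueError("; ".join(problems))
    sw_vlans = " ".join(str(v) for t in tenants for v in (t.user_vlan, t.link_vlan))
    fw_vlans = " ".join(str(t.link_vlan) for t in tenants)
    out = ["# switch", f"vlan batch {sw_vlans}"]
    for t in tenants:
        out += switch_config(t)
    out += ["# firewall root system", f"vlan batch {fw_vlans}", "vsys enable"]
    for t in tenants:
        out += firewall_root_config(t)
    out.append("# firewall, per vsys")
    for t in tenants:
        out += firewall_vsys_config(t)
    return "\n".join(out)


LAB = [
    Tenant("IT", 10, "192.168.10.1/24", 122, "192.168.122.1/24", "192.168.122.2/24"),
    Tenant("Sales", 20, "192.168.20.1/24", 124, "192.168.124.1/24", "192.168.124.2/24"),
]

if __name__ == "__main__":
    print(render(LAB))
```

Adding a third department is one more Tenant line; the validator is what keeps a typo in a VLAN or subnet from silently merging two tenants' traffic on the switch before the firewall ever sees it.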
7-Configure OSPF neighbors between the switch and the firewall under the VPN instances
On the switch, one OSPF process per VPN instance:
ospf 10 vpn-instance IT router-id 5.5.5.5
 area 0
  network 192.168.10.0 0.0.0.255
  network 192.168.122.0 0.0.0.255
ospf 20 vpn-instance Sales router-id 6.6.6.6
 area 0
  network 192.168.20.0 0.0.0.255
  network 192.168.124.0 0.0.0.255
On the firewall (each vsys has a VPN instance of the same name, which the OSPF process is bound to with the vpn-instance keyword):
ospf 10 vpn-instance IT router-id 3.3.3.3
 area 0
  network 192.168.122.0 0.0.0.255
ospf 20 vpn-instance Sales router-id 4.4.4.4
 area 0
  network 192.168.124.0 0.0.0.255
8-Create VLANs on the two virtual firewalls to connect to the switch's global (public) instance
https://editor-user.365editor.com/98/85/4933185/1692762281608007.png
On the switch (global instance, no VPN binding):
vlan batch 121 123
interface Vlanif 121
 ip address 192.168.121.1 24
interface Vlanif 123
 ip address 192.168.123.1 24
On the firewall root system:
vlan batch 121 123
// create the VLANs in the root system and assign each to its virtual firewall
vsys name IT
 assign vlan 121
vsys name Sales
 assign vlan 123
interface Vlanif 121
 ip address 192.168.121.2 24
interface Vlanif 123
 ip address 192.168.123.2 24
switch vsys IT
// enter each virtual firewall, put the new interface into its zone and permit ICMP
<USG6000V1-IT>sys
firewall zone untrust
 add interface Vlanif 121
interface Vlanif 121
 service-manage ping permit
switch vsys Sales
<USG6000V1-Sales>sys
firewall zone untrust
 add interface Vlanif 123
interface Vlanif 123
 service-manage ping permit
// The interfaces toward the switch's global instance go into untrust: from each department's point of view, the other department and (later) the Internet are both reached through that zone, and the policies in steps 11 and 13 are written against it.
<SW1>ping 192.168.121.2
// from the switch's global instance, ping the virtual firewall interfaces
PING 192.168.121.2: 56 data bytes, press CTRL_C to break
 Request time out
 Reply from 192.168.121.2: bytes=56 Sequence=2 ttl=255 time=50 ms
 Reply from 192.168.121.2: bytes=56 Sequence=3 ttl=255 time=20 ms
 Reply from 192.168.121.2: bytes=56 Sequence=4 ttl=255 time=20 ms
 Reply from 192.168.121.2: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 192.168.121.2 ping statistics ---
 5 packet(s) transmitted
 4 packet(s) received
 20.00% packet loss
 round-trip min/avg/max = 1/22/50 ms

<SW1>ping 192.168.123.2
PING 192.168.123.2: 56 data bytes, press CTRL_C to break
 Request time out
 Reply from 192.168.123.2: bytes=56 Sequence=2 ttl=255 time=40 ms
 Reply from 192.168.123.2: bytes=56 Sequence=3 ttl=255 time=40 ms
 Reply from 192.168.123.2: bytes=56 Sequence=4 ttl=255 time=10 ms
 Reply from 192.168.123.2: bytes=56 Sequence=5 ttl=255 time=30 ms

--- 192.168.123.2 ping statistics ---
 5 packet(s) transmitted
 4 packet(s) received
 20.00% packet loss
 round-trip min/avg/max = 10/30/40 ms
// The single timeout on the first probe is the usual ARP resolution delay in the simulator; the remaining four replies show both virtual firewalls reachable from the global instance.
9-Connect the switch's global instance and the two virtual firewalls with OSPF
On the firewall, advertise the new interconnect networks in the OSPF process of the matching VPN instance (Vlanif 121 belongs to vsys IT, Vlanif 123 to vsys Sales):
ospf 10 vpn-instance IT
 area 0
  network 192.168.121.0 0.0.0.255
ospf 20 vpn-instance Sales
 area 0
  network 192.168.123.0 0.0.0.255
On the switch, the global OSPF process:
ospf 1 router-id 2.2.2.2
 area 0
  network 192.168.121.0 0.0.0.255
  network 192.168.123.0 0.0.0.255
dis ip routing-table
// in the global instance all routes can now be seen
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
      127.0.0.0/8   Direct  0    0      D      127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0      D      127.0.0.1       InLoopBack0
   192.168.10.0/24  OSPF    10   3      D      192.168.121.2   Vlanif121
   192.168.20.0/24  OSPF    10   3      D      192.168.123.2   Vlanif123
   192.168.30.0/24  Direct  0    0      D      192.168.30.1    Vlanif30
   192.168.30.1/32  Direct  0    0      D      127.0.0.1       Vlanif30
  192.168.121.0/24  Direct  0    0      D      192.168.121.1   Vlanif121
  192.168.121.1/32  Direct  0    0      D      127.0.0.1       Vlanif121
  192.168.122.0/24  OSPF    10   2      D      192.168.121.2   Vlanif121
  192.168.123.0/24  Direct  0    0      D      192.168.123.1   Vlanif123
  192.168.123.1/32  Direct  0    0      D      127.0.0.1       Vlanif123
  192.168.124.0/24  OSPF    10   2      D      192.168.123.2   Vlanif123
// The global table reaches 192.168.10.0/24 only via 192.168.121.2 (vsys IT) and 192.168.20.0/24 only via 192.168.123.2 (vsys Sales), so every packet between departments, or between a department and the outside, has to traverse a virtual firewall. Vlanif30 is the R1 link of step 10; this capture was taken after it was configured.
10-Create the switch's global-instance link to router R1 and advertise it into OSPF
On the switch:
vlan 30
// on the port facing R1:
port link-type access
port default vlan 30
interface Vlanif 30
 ip address 192.168.30.1 24
ospf 1
 area 0
  network 192.168.30.0 0.0.0.255
On R1:
interface g0/0/0
 ip address 192.168.30.2 24
interface LoopBack 0
 ip address 1.1.1.1 32
ospf 1 router-id 1.1.1.1
 area 0
  network 192.168.30.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
11-Configure the firewall security policy for internal users to reach untrust
switch vsys IT
<USG6000V1-IT>sys
security-policy
 rule name T2U
  source-zone trust
  destination-zone untrust
  action permit
switch vsys Sales
<USG6000V1-Sales>sys
security-policy
 rule name T2U
  source-zone trust
  destination-zone untrust
  action permit
// T2U permits everything from trust to untrust with no source-address or service condition. That is fine for the lab; outside it, narrow the rule to the department subnet and the services actually required.
12-Configure the network exit and NAT
On R1:
interface g0/0/1
 ip address 202.100.1.1 24
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
ospf 1
 default-route-advertise
// default-route-advertise injects the default route into OSPF only while a default route exists in R1's routing table; the static route above provides it
acl 2000
 rule 10 permit source 192.168.10.0 0.0.0.255
 rule 15 permit source 192.168.20.0 0.0.0.255
interface g0/0/1
 nat outbound 2000
// nat outbound without an address group is Easy IP: the two department subnets are translated to the address of g0/0/1, and nothing else is translated
On the upstream router (the 202.100.1.2 next hop):
ip address 202.100.1.2 24
// on the interface facing R1
ip address 8.8.8.8 32
// on a loopback, standing in for an Internet host
13-Firewall policy between the IT and Sales departments
switch vsys IT
<USG6000V1-IT>sys
security-policy
 rule name U2T
  source-zone untrust
  source-address 192.168.20.0 24
  destination-zone trust
  action permit
switch vsys Sales
<USG6000V1-Sales>sys
security-policy
 rule name U2T
  source-zone untrust
  source-address 192.168.10.0 24
  destination-zone trust
  action permit
// Each vsys admits only the other department's subnet from untrust; anything else arriving from the switch's global instance (R1, the NAT exit) is still dropped by the default deny. A ping from IT to Sales is therefore matched twice: T2U in vsys IT on the way out and U2T in vsys Sales on the way in; the replies follow the sessions those two matches created.
display firewall session table all-systems
2023-07-03 08:09:30.810
 Current Total Sessions : 10
 icmp  VPN: Sales --> Sales  192.168.10.254:13186 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:12674 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:12162 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:12674 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:13186 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:12162 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:12930 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:12930 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:13442 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:13442 --> 192.168.20.254:2048
// Every ping from PC1 (192.168.10.254) to the Sales host (192.168.20.254) appears twice, once in vsys IT (trust to untrust) and once in vsys Sales (untrust to trust). The all-systems keyword lists the sessions of every vsys from the root system.
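Two properties of this design can be checked directly against the session table: every inter-department flow must appear in both vsys (otherwise it bypassed one virtual firewall), and no vsys should hold a session whose source lies outside the subnets its T2U/U2T rules were written for. The script below is an added example, not from the original lab: it parses display firewall session table all-systems output and performs both checks. The session lines are the lab's own output; the final SUSPECT line and the ALLOWED_SOURCES table are constructed for the example.

```python
"""Added example, not part of the original lab: parse the output of
'display firewall session table all-systems' and check that (1) each
inter-department flow is present in BOTH vsys and (2) no vsys carries a
session from a source its rules were not written for. LAB_OUTPUT is the lab's
output; SUSPECT_OUTPUT adds one constructed line."""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:\s*(?P<vin>\S+)\s*-->\s*(?P<vout>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Sources each vsys may legitimately see: its own trust subnet plus the peer
# subnet its U2T rule admits (step 13). Constructed from the lab's rules.
ALLOWED_SOURCES = {
    "IT":    ["192.168.10.0/24", "192.168.20.0/24"],
    "Sales": ["192.168.20.0/24", "192.168.10.0/24"],
}

LAB_OUTPUT = """\
 Current Total Sessions : 10
 icmp  VPN: Sales --> Sales  192.168.10.254:13186 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:12674 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:12162 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:12674 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:13186 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:12162 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:12930 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:12930 --> 192.168.20.254:2048
 icmp  VPN: Sales --> Sales  192.168.10.254:13442 --> 192.168.20.254:2048
 icmp  VPN: IT --> IT  192.168.10.254:13442 --> 192.168.20.254:2048
"""

# Constructed line: a session from R1's address inside vsys Sales, which the
# U2T rule (source 192.168.10.0/24 only) should never have admitted.
SUSPECT_OUTPUT = LAB_OUTPUT + (
    " icmp  VPN: Sales --> Sales  192.168.30.2:4096 --> 192.168.20.254:2048\n"
)


def parse_sessions(text: str) -> list[dict[str, str]]:
    """One dict per session line; the counter line and blanks are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]


def flow_key(s: dict[str, str]) -> tuple[str, str, str, str, str]:
    return (s["proto"], s["src"], s["sport"], s["dst"], s["dport"])


def one_sided_flows(text: str, vsys_a: str, vsys_b: str) -> list[tuple]:
    """Flows present in only one of the two vsys. Inter-department traffic must
    cross both virtual firewalls, so anything listed here bypassed one of them."""
    seen: dict[str, set] = {vsys_a: set(), vsys_b: set()}
    for s in parse_sessions(text):
        if s["vin"] in seen:
            seen[s["vin"]].add(flow_key(s))
    return sorted(seen[vsys_a] ^ seen[vsys_b])


def unexpected_sources(text: str, allowed: dict[str, list[str]]) -> list[str]:
    """Sessions whose source address is outside what that vsys's rules intend."""
    nets = {v: [ip_network(n) for n in subnets] for v, subnets in allowed.items()}
    hits = []
    for s in parse_sessions(text):
        src = ip_address(s["src"])
        if s["vin"] in nets and not any(src in n for n in nets[s["vin"]]):
            hits.append(f"{s['vin']}: {s['src']} -> {s['dst']} ({s['proto']})")
    return hits


if __name__ == "__main__":
    print(one_sided_flows(LAB_OUTPUT, "IT", "Sales"))
    print(unexpected_sources(SUSPECT_OUTPUT, ALLOWED_SOURCES))
```

For ICMP the "port" fields the firewall prints are the echo identifier and the type/code word (2048 is echo request), which is why the flow key keeps them as strings rather than interpreting them as TCP/UDP ports. A hit from unexpected_sources means a policy is wider than its comment says; a hit from one_sided_flows means a route let traffic skip a vsys.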
The lab requirements are met!
Extended lab
icmp ttl-exceeded send
// configured on the firewall: make it send ICMP TTL-exceeded so that traceroute shows it as a hop. This exposes the firewall's interface addresses to anyone who can run traceroute through it, which is acceptable inside the lab but worth switching off on Internet-facing paths.
PC1>tracert 192.168.20.254
traceroute to 192.168.20.254, 8 hops max (ICMP), press Ctrl+C to stop
 1  192.168.10.1    15 ms   16 ms   31 ms
 2  192.168.122.2   32 ms   31 ms   47 ms
 3  192.168.121.1   62 ms   63 ms   62 ms
 4  192.168.123.2   78 ms   63 ms   62 ms
 5  192.168.124.1   94 ms   109 ms  110 ms
 6  *               192.168.20.254  94 ms   109 ms
// Path: switch IT instance (Vlanif10) -> vsys IT (Vlanif122) -> switch global instance (Vlanif121) -> vsys Sales (Vlanif123) -> switch Sales instance (Vlanif124) -> Sales host. The traffic leaves the firewall and comes back in, so both virtual firewalls and the switch's global table are on the path.
Each vsys created on the firewall automatically gets a Virtual-if interface. It can be given an IP address like any Layer 3 interface, and this logical interface is used for interconnection between virtual systems.
On the firewall:
interface Virtual-if 1
 ip address 12.1.1.1 24
interface Virtual-if 2
 ip address 12.1.1.2 24
// Virtual-if 1 belongs to vsys IT (it was already visible in the display ip interface brief output of step 4) and Virtual-if 2 to vsys Sales; the two addresses share one subnet.
switch vsys IT
// put each Virtual-if interface into the untrust zone of its virtual firewall
<USG6000V1-IT>sys
firewall zone untrust
 add interface Virtual-if 1
switch vsys Sales
<USG6000V1-Sales>sys
firewall zone untrust
 add interface Virtual-if 2
ip route-static vpn-instance IT 192.168.20.0 24 vpn-instance Sales preference 8
ip route-static vpn-instance Sales 192.168.10.0 24 vpn-instance IT preference 8
// Static routes from one VPN instance into the other, with preference 8. That beats the OSPF routes (preference 10) learned through the switch's global instance, so inter-department traffic is now handed directly from one vsys to the other across the Virtual-if interfaces instead of hairpinning through the switch.
PC1>tracert 192.168.20.254
// the trace now goes through the Virtual-if interfaces
traceroute to 192.168.20.254, 8 hops max (ICMP), press Ctrl+C to stop
 1  192.168.10.1    15 ms   16 ms   31 ms
 2  192.168.122.2   47 ms   16 ms   47 ms
 3  12.1.1.2        47 ms   31 ms   31 ms
 4  192.168.124.1   78 ms   31 ms   63 ms
 5  *               192.168.20.254  78 ms   94 ms
// Because Virtual-if 1 and Virtual-if 2 sit in untrust, the existing T2U and U2T rules still govern the shortcut: traffic still leaves vsys IT trust->untrust and enters vsys Sales untrust->trust with the 192.168.10.0/24 source match. Confirm with display firewall session table all-systems that each flow still appears in both vsys.
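The two traces differ in exactly two respects: the switch's global instance drops out of the path, and both virtual firewalls remain on it. The script below is an added example, not from the original lab: it parses the two PC1 tracert outputs and verifies both facts, which is the check to repeat after any change to the inter-vsys routing. The hop ownership table is derived from the lab's addressing; the parser and the checks are this example's own.

```python
"""Added example (not from the lab): parse the two PC1 tracert outputs and
verify what the inter-vsys static routes changed. OWNERS is derived from the
lab's addressing; the parser and checks are this example's own."""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<rest>.*)$")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# (network, label, vsys that answers from it or None), from the lab's addressing
OWNERS = [
    ("192.168.10.0/24",  "switch vpn-instance IT (Vlanif10)",      None),
    ("192.168.122.0/24", "firewall vsys IT (Vlanif122)",           "IT"),
    ("12.1.1.1/32",      "firewall vsys IT (Virtual-if1)",         "IT"),
    ("192.168.121.0/24", "switch global (Vlanif121)",              None),
    ("192.168.123.0/24", "firewall vsys Sales (Vlanif123)",        "Sales"),
    ("12.1.1.2/32",      "firewall vsys Sales (Virtual-if2)",      "Sales"),
    ("192.168.124.0/24", "switch vpn-instance Sales (Vlanif124)",  None),
    ("192.168.20.0/24",  "Sales host",                             None),
]

# The lab's two traces: before and after the static routes were added.
BEFORE = """\
traceroute to 192.168.20.254, 8 hops max (ICMP), press Ctrl+C to stop
 1  192.168.10.1    15 ms   16 ms   31 ms
 2  192.168.122.2   32 ms   31 ms   47 ms
 3  192.168.121.1   62 ms   63 ms   62 ms
 4  192.168.123.2   78 ms   63 ms   62 ms
 5  192.168.124.1   94 ms   109 ms  110 ms
 6  *               192.168.20.254  94 ms   109 ms
"""

AFTER = """\
traceroute to 192.168.20.254, 8 hops max (ICMP), press Ctrl+C to stop
 1  192.168.10.1    15 ms   16 ms   31 ms
 2  192.168.122.2   47 ms   16 ms   47 ms
 3  12.1.1.2        47 ms   31 ms   31 ms
 4  192.168.124.1   78 ms   31 ms   63 ms
 5  *               192.168.20.254  78 ms   94 ms
"""


def hops(text: str) -> list[str | None]:
    """Responding address per hop; None when no probe of that hop answered."""
    out: list[str | None] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ips = IP_RE.findall(m["rest"])   # a '*' probe has no address
            out.append(ips[0] if ips else None)
    return out


def classify(addr: str) -> tuple[str, str | None]:
    """Map a hop address to (owner label, vsys or None) using OWNERS."""
    a = ip_address(addr)
    for net, label, vsys in OWNERS:
        if a in ip_network(net):
            return label, vsys
    return "unknown", None


def path_labels(text: str) -> list[str]:
    return [classify(h)[0] if h else "timeout" for h in hops(text)]


def vsys_traversed(text: str) -> set[str]:
    """Which virtual firewalls answered along the path."""
    seen: set[str] = set()
    for h in hops(text):
        if h:
            vsys = classify(h)[1]
            if vsys:
                seen.add(vsys)
    return seen


def via_switch_global(text: str) -> bool:
    """True if the path hairpinned through the switch's global instance."""
    return any(label.startswith("switch global") for label in path_labels(text))


if __name__ == "__main__":
    for name, trace in (("before", BEFORE), ("after", AFTER)):
        print(name, path_labels(trace), vsys_traversed(trace), via_switch_global(trace))
```

If vsys_traversed ever returns a single name, a route (the preference-8 statics are the obvious candidates) is letting one department reach the other without passing the second virtual firewall's policy, which is the failure mode this extension can introduce if the Virtual-if interfaces are placed in the wrong zone or the routes are pointed at the wrong instance.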