Using dynamic LACP
security-zone name Trust
import interface Vlan-interface100
import interface Bridge-Aggregation1 vlan 100
import interface GigabitEthernet1/0/11 vlan 100
import interface GigabitEthernet1/0/12 vlan 100
import interface GigabitEthernet1/0/13 vlan 100
import interface GigabitEthernet1/0/14 vlan 100
import interface GigabitEthernet1/0/15 vlan 100
interface GigabitEthernet1/0/11
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet1/0/12
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet1/0/13
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet1/0/14
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet1/0/15
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
link-aggregation mode dynamic
--------------------------------------------------------------------------------------------------------------
The following is the switch configuration; both ends must be configured the same way. The firewall differs from the switch only in that it also has security zones.
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
link-aggregation mode dynamic
interface GigabitEthernet2/0/14
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 21
#
interface GigabitEthernet2/0/15
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 8
#
interface GigabitEthernet2/0/16
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 8
#
interface GigabitEthernet2/0/17
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 8
#
interface GigabitEthernet2/0/20
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet2/0/21
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet2/0/22
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet2/0/23
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
#
interface GigabitEthernet2/0/24
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
port link-aggregation group 1
Once this is done, you must create an any (permit-all) rule in the firewall's security policy.
Supplement from lab testing on February 27, 2023
1. First configure the security zones properly; on the firewall this is the foundation, otherwise there is no connectivity and nothing can be tested. In particular, create inter-zone permit policies from Local to Trust and from Trust to Local, otherwise the firewall and the switch cannot communicate, because ping is sent from the device's own Local zone.
2. Understand the concept of a security zone: a zone is a camp, and members of the same camp can communicate with each other directly, much like a VLAN.
3. Every interface must be added to a zone. If it is not, the firewall does not know which zone the interface belongs to, and all traffic on an interface with no zone defined is simply dropped, so no communication is possible at all.
4. For example, the aggregation interface interface bridge-aggregation 1 is just an ordinary Layer 2 interface; managing it is no different from any other interface such as inter GigabitEthernet1/0/1, so treat it as an ordinary Layer 2 interface. Its communication requires a Layer 3 VLAN interface, e.g. inter vlan-interface 10.
5. When Layer 2 interfaces such as interface Bridge-Aggregation1 and interface GigabitEthernet1/0/0 are added to a security zone on the firewall, they must be imported with a VLAN. Which VLAN depends on which switch the virtual Layer 3 interface inter vlan-interface XXX needs to communicate with, i.e. the communication VLAN of the switch on the other side of this Layer 2 interface.
6. If a pvid is configured on one end of the link between the firewall and the switch, the other end must have a pvid too, otherwise they cannot communicate.
7. Some configuration for reference:
security-zone name Trust
import interface GigabitEthernet1/0/1 #Layer 3 interface, PC directly connected to the firewall
import interface Vlan-interface2 #Layer 3 virtual interface
import interface Bridge-Aggregation1 vlan 2 #ordinary Layer 2 interface, carries traffic for Vlan-interface2
import interface GigabitEthernet1/0/0 vlan 2 #converted to a Layer 2 interface, carries traffic for Vlan-interface2
object-policy ip manage
rule 0 pass
security-policy ip
rule 0 name any #the any (permit-all) policy
action pass
counting enable
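Added example, not from the original post: a small Python checker that applies the rules above to two constructed H3C-style configs. It checks that the member ports carry the same trunk and pvid lines as the Bridge-Aggregation interface and that the LAG is dynamic, that both ends of the LAG are configured the same way (point 6 and the note above the switch config), that every interface is in a security zone and that Layer 2 interfaces are imported with a VLAN (points 3 and 5), and it lists any security-policy pass rule that has no zone, address or service match, i.e. the "any" rule created for testing. The configs, interface names and VLAN numbers are assumptions modelled on the page, not the author's running config; GigabitEthernet1/0/12 is deliberately left without a pvid and without a zone import so that the checks report something.

```python
# Added example (not from the original post): consistency checks for an H3C-style
# dynamic LACP trunk between a firewall and a switch. Both configs are constructed
# samples; GigabitEthernet1/0/12 is deliberately missing its pvid and its zone import.
import re

FIREWALL_CONFIG = """\
security-zone name Trust
import interface Vlan-interface100
import interface Bridge-Aggregation1 vlan 100
#
interface GigabitEthernet1/0/12
port link-mode bridge
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
link-aggregation mode dynamic
#
security-policy ip
rule 0 name any
action pass
"""
SWITCH_CONFIG = """\
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan all
port trunk pvid vlan 100
link-aggregation mode dynamic
"""
HEADER_RE = re.compile(r"^(interface|security-zone name|security-policy|object-policy)\b")
IMPORT_RE = re.compile(r"import interface (\S+)(?: vlan (\S+))?$")
TRUNK_PREFIXES = ("port link-type", "port trunk", "link-aggregation mode")
MATCH_PREFIXES = ("source-zone", "destination-zone", "source-ip", "destination-ip", "service")

def parse(text):
    """Group lines under their block header; '#' closes a block. Headers are matched
    by keyword, so the unindented form pasted on the page parses as well."""
    blocks, current = {}, None
    for line in (s.strip() for s in text.splitlines() if s.strip()):
        if line == "#":
            current = None
        elif HEADER_RE.match(line):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks

def trunk_settings(body):
    return {s for s in body if s.startswith(TRUNK_PREFIXES)}

def check_lag(blocks, group=1):
    """Members of Bridge-Aggregation<group> must carry its trunk/pvid lines; mode must be dynamic."""
    agg_name = f"Bridge-Aggregation{group}"
    agg = blocks.get(f"interface {agg_name}")
    if agg is None:
        return [f"{agg_name} is not defined"]
    findings = [] if "link-aggregation mode dynamic" in agg else [f"{agg_name}: not dynamic (LACP)"]
    wanted = {s for s in trunk_settings(agg) if s.startswith("port")}  # members do not carry the mode line
    for header, body in blocks.items():
        if header.startswith("interface ") and f"port link-aggregation group {group}" in body:
            findings += [f"{header[10:]}: missing '{s}' (set on {agg_name})" for s in sorted(wanted - set(body))]
    return findings

def check_zones(blocks):
    """Points 3 and 5: every interface needs a zone; Layer 2 interfaces must be imported with a vlan."""
    imports = {m.group(1): m.group(2) for h, body in blocks.items() if h.startswith("security-zone name ")
               for m in map(IMPORT_RE.match, body) if m}
    findings = []
    for name, body in ((h[10:], b) for h, b in blocks.items() if h.startswith("interface ")):
        if name not in imports:
            findings.append(f"{name}: not in any security zone (its traffic is dropped)")
        elif imports[name] is None and (name.startswith("Bridge-Aggregation") or "port link-mode bridge" in body):
            findings.append(f"{name}: Layer 2 interface imported without a vlan")
    return findings

def check_both_ends(fw, sw, group=1):
    """Point 6 and 'both ends the same': LAG trunk and pvid settings must agree on firewall and switch."""
    a, b = (trunk_settings(x.get(f"interface Bridge-Aggregation{group}", [])) for x in (fw, sw))
    return sorted(f"only on firewall: {s}" for s in a - b) + sorted(f"only on switch: {s}" for s in b - a)

def check_policy(blocks):
    """List pass rules with no zone/address/service match, i.e. the temporary 'any' rule."""
    rules, cur = {}, None
    for line in blocks.get("security-policy ip", []):
        if line.startswith("rule "):
            cur = rules.setdefault(line.split()[1], [])
        elif cur is not None:
            cur.append(line)
    return [f"security-policy ip rule {r}: permit-all (action pass, no match conditions)"
            for r, body in rules.items() if "action pass" in body and not any(s.startswith(MATCH_PREFIXES) for s in body)]

if __name__ == "__main__":
    fw, sw = parse(FIREWALL_CONFIG), parse(SWITCH_CONFIG)
    print(check_lag(fw), check_lag(sw), check_zones(fw), check_both_ends(fw, sw), check_policy(fw), sep="\n")
```

Run it as a script to see the findings for the built-in samples, or feed parse() a saved copy of each device's running configuration and pass the results to the check functions. check_policy exists because the "any" rule above is a lab setting: once the LAG passes the other checks, every rule it lists can be replaced by rules scoped to the zones and addresses that actually need to talk.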