Vlan间通信-防火墙

 

Vlan间通信-防火墙

实验环境：一台防火墙来实现单臂路由，两台两层交换机，两台路由器做pc机

 

配置防火墙：

[r]inter eth0/0.10

[r-Ethernet0/0.10]vlan-type dot1q vid 10

[r-Ethernet0/0.10]ip address 192.168.10.254 24

[r]inter eth0/0.20

[r-Ethernet0/0.20]vlan-type dot1q vid 20

[r-Ethernet0/0.20]ip address 192.168.20.254 24

加区域：

[r]firewall zone trust

[r-zone-trust]add interface eth0/0.10

[r-zone-trust]add interface eth0/0.20

取消隔离：

[r]undo insulate

 

配置sw1：

[sw1]inter e1/0/2

[sw1-Ethernet1/0/2]

[sw1-Ethernet1/0/2]

[sw1-Ethernet1/0/2]

[sw1-Ethernet1/0/2]port link-type trunk

[sw1-Ethernet1/0/2]port trunk permit vlan all

 Please wait........................................... Done.

[sw1-Ethernet1/0/2]inter e1/0/1              

[sw1-Ethernet1/0/1]port link-type trunk      

[sw1-Ethernet1/0/1]port trunk permit vlan all

 Please wait........................................... Done.

[sw1-Ethernet1/0/1]

划分vlan：

[sw1]vlan 10

[sw1-vlan10]port e1/0/10

[sw1-vlan10]vlan 20     

[sw1-vlan20]port e1/0/20

配置sw2：

[sw2]inter e1/0/1

[sw2-Ethernet1/0/1]port link-type trunk

[sw2-Ethernet1/0/1]port trunk permit vlan all

 Please wait........................................... Done.

[sw2-Ethernet1/0/1]quit

[sw2]vlan 10

[sw2-vlan10]port e1/0/10

[sw2-vlan10]vlan 20

[sw2-vlan20]port e1/0/20

用路由器1做pc机10.100：

[r1]inter e0

[r1-Ethernet0]ip address 192.168.10.100 24

[r1]ip route 0.0.0.0 0 192.168.10.254

[r1]ping 192.168.10.254

  PING 192.168.10.254: 56 data bytes, press CTRL_C to break

    Reply from 192.168.10.254: bytes=56 Sequence=0 ttl=255 time = 5 ms

    Reply from 192.168.10.254: bytes=56 Sequence=1 ttl=255 time = 3 ms

    Reply from 192.168.10.254: bytes=56 Sequence=2 ttl=255 time = 3 ms

    Reply from 192.168.10.254: bytes=56 Sequence=3 ttl=255 time = 3 ms

Reply from 192.168.10.254: bytes=56 Sequence=4 ttl=255 time = 3 ms

 

用路由器2做pc机20.100

[r2]inter e0

[r2-Ethernet0]

[r2-Ethernet0]

[r2-Ethernet0]ip address 192.168.20.100 24

[r2-Ethernet0]

%01:12:39: Line protocol ip on the interface Ethernet0 is UP

[r2-Ethernet0]quit

[r2]ip route 0 0 192.168.20.254

 Bad IP address

[r2]ip route 0.0.0.0 0 192.168.20.254

测试：

[r2]ping 192.168.10.254

 

Pinging 192.168.10.254 with 32 bytes of data:

 

Reply from 192.168.10.254: bytes=32 time=2ms TTL=255

Reply from 192.168.10.254: bytes=32 time=5ms TTL=255

Reply from 192.168.10.254: bytes=32 time=5ms TTL=255

Reply from 192.168.10.254: bytes=32 time=3ms TTL=255

 

Ping statistics for 192.168.10.254:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 5ms, Average = 3ms

 

[r2]ping 192.168.10.100

 

Pinging 192.168.10.100 with 32 bytes of data:

 

Reply from 192.168.10.100: bytes=32 time=5ms TTL=63

Reply from 192.168.10.100: bytes=32 time=3ms TTL=63

Reply from 192.168.10.100: bytes=32 time=2ms TTL=63

Reply from 192.168.10.100: bytes=32 time=3ms TTL=63

 

Ping statistics for 192.168.10.100:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 5ms, Average = 3ms

 

[r2]tracert 192.168.10.100

 

Tracing route to 192.168.10.100 over a maximum of 30 hops

 

 1      2 ms     1 ms     1 ms 192.168.20.254

 2      2 ms     2 ms     3 ms 192.168.10.100

 

 

 

 

 

 

 

转载于:https://blog.51cto.com/liufan0321/1079415