Topology as follows:
Lab requirements:
1 The firewall acts as the internal network gateway; configure security policies and security zones to secure internal traffic
2 The firewall provides DHCP so the PCs obtain IP addresses automatically
3 The firewall performs Easy_nat (easy-ip) translation of internal addresses
4 The PCs can reach the ISP and appear with a public address
5 The aggregation-layer switches use link aggregation for redundant links
6 LAN hosts can reach each other
7 Configure OSPF so the ISP, Firewall and Switch_access are fully interconnected
1: Configure the basic environment: VLAN IPs and the firewall interface addresses
Configure the security policy and permit service traffic
[USG6000V1-policy-security]dis th
2022-12-06 08:28:20.230
#
security-policy
rule name pc_gateway
source-address 10.1.1.0 mask 255.255.255.0
action permit ## permit internal PCs to reach the gateway
rule name pc2_any
source-address 10.1.2.0 mask 255.255.255.0
action permit ## permit internal PCs to reach the gateway
rule name isp_inside
destination-zone local
destination-zone trust
source-address 1.1.1.0 mask 255.255.255.0
action permit ## permit ISP traffic from the outside into the internal network
Permitting traffic on the firewall interfaces
[USG6000V1-GigabitEthernet1/0/0]dis th
2022-12-06 08:30:57.780
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
service-manage ping permit
[USG6000V1-GigabitEthernet1/0/6]dis th
2022-12-06 08:31:45.100
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 10.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
[USG6000V1-GigabitEthernet1/0/2]dis th
2022-12-06 08:32:37.160
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
Traffic can also be permitted in one step with:
service-manage all permit
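As an added check that is not part of the original lab, the script below parses "display this" output in the form shown above and reports what a defender would want to know before applying the one-step shortcut: which permit rules carry no destination constraint at all (pc_gateway and pc2_any above have neither a destination zone nor a destination address), and which management services are reachable on an interface in the ISP-facing 1.1.1.0/24 network. The sample configuration is constructed from the page's own rules and interfaces; the only departure is that GigabitEthernet1/0/0 has been given "service-manage all permit" (the page permits only ping there) so the audit has something to flag.

```python
import ipaddress
import re

# Constructed sample of the firewall's "display this" output, following the
# page's configuration; the untrust interface here uses the
# 'service-manage all permit' shortcut so the audit has something to flag.
FW_CONFIG = """\
security-policy
 rule name pc_gateway
  source-address 10.1.1.0 mask 255.255.255.0
  action permit ## permit internal PCs to reach the gateway
 rule name pc2_any
  source-address 10.1.2.0 mask 255.255.255.0
  action permit
 rule name isp_inside
  destination-zone local
  destination-zone trust
  source-address 1.1.1.0 mask 255.255.255.0
  action permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage all permit
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
 service-manage ping permit
 service-manage ssh permit
 service-manage https permit
#
"""

# Management-plane services the page enables with service-manage (ping is
# left out: reachability checks are usually acceptable on the outside).
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}


def _clean(raw):
    """Strip indentation and the '##' annotations used in the page's output."""
    return raw.split("##")[0].strip()


def parse_security_policy(text):
    """Return the security-policy rules as dicts (zones, address sets, action)."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = _clean(raw)
        m = re.match(r"rule name (\S+)$", line)
        if m:
            cur = {"name": m.group(1), "src_zone": [], "dst_zone": [],
                   "src": [], "dst": [], "action": None}
            rules.append(cur)
        elif cur is None:
            continue
        elif line.startswith("source-zone "):
            cur["src_zone"].append(line.split()[1])
        elif line.startswith("destination-zone "):
            cur["dst_zone"].append(line.split()[1])
        elif line.startswith(("source-address ", "destination-address ")):
            kind, addr, _, mask = line.split()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            cur["src" if kind == "source-address" else "dst"].append(net)
        elif line.startswith("action "):
            cur["action"] = line.split()[1]
        elif line == "#":
            cur = None
    return rules


def parse_interfaces(text):
    """Return {interface: {"ip": ip_interface or None, "services": set}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = _clean(raw)
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = {"ip": None, "services": set()}
            ifaces[m.group(1)] = cur
        elif cur is None:
            continue
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cur["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("service-manage ") and line.endswith(" permit"):
            svc = line.split()[1]
            # 'all' expands to every management service plus ping
            cur["services"] |= (MGMT_SERVICES | {"ping"}) if svc == "all" else {svc}
        elif line == "#":
            cur = None
    return ifaces


def audit(rules, ifaces, untrust_net):
    """Findings for review: permit rules with no destination constraint, and
    management services reachable on an interface in the untrust network."""
    findings = []
    for r in rules:
        if r["action"] == "permit" and not r["dst_zone"] and not r["dst"]:
            findings.append(("medium", f"rule {r['name']} permits to any destination"))
    untrust = ipaddress.ip_network(untrust_net)
    for name, i in ifaces.items():
        if i["ip"] is not None and i["ip"].ip in untrust:
            exposed = sorted(i["services"] & MGMT_SERVICES)
            if exposed:
                findings.append(("high", f"{name} ({i['ip'].ip}) permits management "
                                         f"from the untrust side: {', '.join(exposed)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_security_policy(FW_CONFIG),
                          parse_interfaces(FW_CONFIG), "1.1.1.0/24"):
        print(f"[{sev}] {msg}")
```

Run against the page's real configuration (ping only on GigabitEthernet1/0/0) the high-severity finding disappears and only the two unconstrained permit rules remain; the shortcut is therefore fine on the trust-side interfaces where the page uses it, and worth avoiding on the ISP-facing one.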
Aggregation-layer switches
SW1:
Interface        IP Address/Mask   Physical   Protocol
MEth0/0/1        unassigned        down       down
NULL0            unassigned        up         up(s)
Vlanif1          unassigned        up         down
Vlanif10         10.1.1.11/24      up         up
Vlanif20         10.1.2.11/24      up         up
SW2:
Interface        IP Address/Mask   Physical   Protocol
MEth0/0/1        unassigned        down       down
NULL0            unassigned        up         up(s)
Vlanif1          unassigned        up         down
Vlanif10         10.1.1.12/24      up         up
Vlanif20         10.1.2.12/24      up         up
[SW1-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10 ## bind the port to VLAN 10
[SW2-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20 ## bind the port to VLAN 20
#
2: Firewall DHCP configuration
[USG6000V1]dhcp enable
interface GigabitEthernet1/0/6
dhcp select interface
dhcp server gateway-list 10.1.1.1
dhcp server dns-list 8.8.8.8
interface GigabitEthernet1/0/2
dhcp select interface
dhcp server gateway-list 10.1.2.1
dhcp server dns-list 8.8.8.8
Verify that the PCs have obtained IP addresses
Test gateway connectivity:
3: Firewall NAT from internal to external
[USG6000V1]nat-policy
#
nat-policy
rule name pc1_isp
source-address 10.1.1.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action source-nat easy-ip
rule name pc2_ISP
source-address 10.1.2.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action source-nat easy-ip
#
return
Capture packets to check whether the translation succeeded
Internal addresses are successfully translated to the public address
## The ISP router has no route to the internal network; configure OSPF on the switches, firewall and ISP router to form a full mesh so that the ISP learns routes to the internal network.
4: OSPF
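To make the easy-ip behaviour concrete, here is an added model (not the firewall's own code) of the two nat-policy rules above: an outbound packet is matched on its source and destination network in rule order, and on a match the source is rewritten to the egress interface address 1.1.1.1 with a translated port, while the return packet is mapped back through the same table. The sequential port allocation starting at 1024 and the packet tuples are constructed assumptions for the example; a real device chooses ports differently.

```python
import ipaddress
from itertools import count

# Constructed model of the page's nat-policy: each rule matches on source and
# destination networks and, with easy-ip, rewrites the source to the egress
# interface address (GigabitEthernet1/0/0 = 1.1.1.1 on the page).
NAT_RULES = [
    {"name": "pc1_isp", "src": "10.1.1.0/24", "dst": "1.1.1.0/24", "action": "easy-ip"},
    {"name": "pc2_ISP", "src": "10.1.2.0/24", "dst": "1.1.1.0/24", "action": "easy-ip"},
]
EGRESS_IP = "1.1.1.1"


class EasyIpNat:
    """Minimal source-NAT table keyed by translated port (single protocol)."""

    def __init__(self, rules, egress_ip, first_port=1024):
        self.rules = [{**r, "src": ipaddress.ip_network(r["src"]),
                       "dst": ipaddress.ip_network(r["dst"])} for r in rules]
        self.egress_ip = egress_ip
        self.ports = count(first_port)      # assumed: sequential port allocation
        self.table = {}                     # public port -> (private ip, private port)
        self.reverse = {}                   # (private ip, private port) -> public port

    def match(self, src_ip, dst_ip):
        """First nat-policy rule whose source and destination networks match."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if s in r["src"] and d in r["dst"]:
                return r
        return None

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal -> external packet; returns (tuple, rule name)."""
        rule = self.match(src_ip, dst_ip)
        if rule is None:                    # no rule: packet leaves untranslated
            return (src_ip, src_port, dst_ip, dst_port), None
        key = (src_ip, src_port)
        if key not in self.reverse:         # allocate a mapping on first use
            pub_port = next(self.ports)
            self.table[pub_port] = key
            self.reverse[key] = pub_port
        return (self.egress_ip, self.reverse[key], dst_ip, dst_port), rule["name"]

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse-translate a reply; None if no session exists for it."""
        if dst_ip != self.egress_ip or dst_port not in self.table:
            return None
        priv_ip, priv_port = self.table[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = EasyIpNat(NAT_RULES, EGRESS_IP)
    print(nat.outbound("10.1.1.20", 51000, "1.1.1.2", 80))   # constructed PC -> ISP flow
    print(nat.inbound("1.1.1.2", 80, "1.1.1.1", 1024))        # the ISP's reply
```

Two things the model makes visible: because both rules restrict destination-address to 1.1.1.0/24, a packet to any other prefix leaves with its private source untouched, and an unsolicited inbound packet to 1.1.1.1 on a port with no session entry has nowhere to go.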
[USG6000V1-ospf-1]dis th
2022-12-06 08:45:34.340
#
ospf 1 router-id 1.1.1.1
import-route direct
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.1.2.1 0.0.0.0
#
[SW1-ospf-1]dis th
#
ospf 1 router-id 10.1.1.11
area 0.0.0.0
network 10.1.1.11 0.0.0.0
#
[SW2-ospf-1]dis th
#
ospf 1 router-id 10.1.2.12
area 0.0.0.0
network 10.1.2.12 0.0.0.0
#
[ISP-ospf-1]dis th
[V200R003C00]
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 1.1.1.2 0.0.0.0
#
Viewing the OSPF routing table on the ISP shows routes to the internal network
Check that the neighbour state is normal
5: Aggregation-layer switch link aggregation
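Before checking neighbour state on the devices, it helps to know which adjacencies the configuration can form at all. The added script below (example code, not from the page) applies the wildcard semantics of the "network" statements to each device's interface addresses, lists the interfaces that OSPF is enabled on, and predicts adjacencies from shared subnets. Addresses, router IDs and network statements are taken from the page; the ISP's interface name and its /24 prefix length are assumed, since the page only shows 1.1.1.2.

```python
import ipaddress

# Constructed from the page's interface tables and OSPF "display this" output.
# The ISP interface name and /24 length are assumptions (the page shows 1.1.1.2 only).
DEVICES = {
    "USG6000V1": {
        "router_id": "1.1.1.1",
        "interfaces": {"GigabitEthernet1/0/0": "1.1.1.1/24",
                       "GigabitEthernet1/0/6": "10.1.1.1/24",
                       "GigabitEthernet1/0/2": "10.1.2.1/24"},
        "networks": [("1.1.1.1", "0.0.0.0"), ("10.1.1.1", "0.0.0.0"),
                     ("10.1.2.1", "0.0.0.0")],
    },
    "SW1": {"router_id": "10.1.1.11",
            "interfaces": {"Vlanif10": "10.1.1.11/24", "Vlanif20": "10.1.2.11/24"},
            "networks": [("10.1.1.11", "0.0.0.0")]},
    "SW2": {"router_id": "10.1.2.12",
            "interfaces": {"Vlanif10": "10.1.1.12/24", "Vlanif20": "10.1.2.12/24"},
            "networks": [("10.1.2.12", "0.0.0.0")]},
    "ISP": {"router_id": "2.2.2.2",
            "interfaces": {"GigabitEthernet0/0/0": "1.1.1.2/24"},   # assumed name
            "networks": [("1.1.1.2", "0.0.0.0")]},
}


def wildcard_match(ip, net, wildcard):
    """Huawei-style wildcard: bits set to 1 in the wildcard are don't-care."""
    ip_i = int(ipaddress.ip_address(ip))
    net_i = int(ipaddress.ip_address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (ip_i & care) == (net_i & care)


def ospf_interfaces(dev):
    """Interfaces whose address is covered by at least one network statement."""
    enabled = {}
    for name, cidr in dev["interfaces"].items():
        iface = ipaddress.ip_interface(cidr)
        if any(wildcard_match(str(iface.ip), n, w) for n, w in dev["networks"]):
            enabled[name] = iface
    return enabled


def silent_interfaces(devices):
    """Addressed interfaces that no network statement covers (no OSPF there)."""
    out = []
    for d, cfg in devices.items():
        enabled = ospf_interfaces(cfg)
        out += [(d, n) for n in cfg["interfaces"] if n not in enabled]
    return sorted(out)


def predict_adjacencies(devices):
    """Pairs of OSPF-enabled interfaces on different devices sharing a subnet."""
    enabled = {d: ospf_interfaces(cfg) for d, cfg in devices.items()}
    names = sorted(devices)
    adj = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ia, ipa in enabled[a].items():
                for ib, ipb in enabled[b].items():
                    if ipa.network == ipb.network:
                        adj.append((a, ia, b, ib))
    return sorted(adj)


if __name__ == "__main__":
    for adj in predict_adjacencies(DEVICES):
        print("adjacency:", adj)
    for dev, iface in silent_interfaces(DEVICES):
        print("no OSPF on:", dev, iface)
```

With the page's /32-style statements (wildcard 0.0.0.0) each switch runs OSPF on exactly one VLANIF, so the expected adjacencies are ISP to firewall on 1.1.1.0/24, SW1 to firewall on VLAN 10 and SW2 to firewall on VLAN 20; Vlanif20 on SW1 and Vlanif10 on SW2 stay outside OSPF. If "display ospf peer" on a device shows fewer neighbours than this list, the first thing to compare is the network statement against the interface address.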
[SW1-Eth-Trunk1]dis th
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
max bandwidth-affected-linknumber 1
#
[SW2-Eth-Trunk1]dis th
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
max bandwidth-affected-linknumber 1
#
6: Test network-wide connectivity
## If firewall connectivity keeps failing, try switching ports; some ports are reserved for management. If you want web login, remember not to use g 0/0/0