The test topology is as follows:

1. Switch configuration:
#
vlan 2 // access VLAN of the servers
#
vlan 10 // terminal (client) VLAN
#
vlan 20 // newly planned server VLAN, which also carries the gateway
#
interface Bridge-Aggregation1 // connects to firewall eth0/1 and eth0/3
port link-type trunk
port trunk permit vlan all
#
interface Vlan-interface10 // terminal gateway
ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20 // server gateway
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface GigabitEthernet1/0/2 // connects to the server
port access vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk permit vlan all
port link-aggregation group 1
#
interface GigabitEthernet1/0/4 // simulated terminal
port access vlan 10
#
2. Firewall configuration
exit
zone "L2-trust-vlan2" l2
exit
zone "L2-untrust-vlan20" l2
exit
interface aggregate1
exit
interface aggregate1.2
exit
interface aggregate1.20
exit
zone "L2-trust-vlan2" l2
bind "vswitch1"
exit
zone "L2-untrust-vlan20" l2
bind "vswitch1"
exit
interface vswitchif1
zone "trust"
ip address 192.168.20.254 255.255.255.0 // management IP in the server subnet, used to reach the firewall and inspect it
manage ssh
manage ping
manage https
no reverse-route
exit
interface ethernet0/1 // connects to switch GE1/0/1
aggregate aggregate1
exit
interface ethernet0/3 // connects to switch GE1/0/3
aggregate aggregate1
exit
interface aggregate1
zone "l2-trust"
exit
interface aggregate1.2 // inside interface
zone "L2-trust-vlan2"
exit
interface aggregate1.20 // outside interface
zone "L2-untrust-vlan20"
exit
rule id 1
action permit
log session-start
log session-end
src-zone "L2-untrust-vlan20" // outside access to the servers
dst-zone "L2-trust-vlan2"
src-addr "Any"
dst-addr "Any"
service "Any"
exit
rule id 2
action permit
log session-start
log session-end
src-zone "L2-trust-vlan2" // servers initiating access to the outside network
dst-zone "L2-untrust-vlan20"
src-addr "Any"
dst-addr "Any"
service "Any"
exit
3. Functional test
PC 192.168.10.34 reaches Server 192.168.20.100 normally!!!
4. Switch-side operations when the firewall fails
undo interface vlan 20 // delete the VLAN 20 gateway
interface Vlan-interface2 // add a new VLAN 2 gateway as the server gateway (restores the original state)
ip address 192.168.20.1 255.255.255.0
Traffic no longer passes through the firewall, but the firewall can still be managed through the .254 address to check the results.
5. Reflection
If the servers originally used 5 VLANs, the switch needs 5 new VLANs added; the original 5 vlan-interfaces are deleted, 5 new vlan-interfaces are created, and the corresponding IP addresses are configured on them as the gateways.
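The cutover in section 5 and the rollback in section 4 are the same mechanical steps repeated once per server VLAN: the gateway address is kept, only the VLAN holding the SVI changes, and the firewall bridges the old tag to the new tag with one zone pair and one permit rule per direction. The following Python script is an added example, not configuration from the page or from the switch/firewall vendor: it generates those commands for any number of server VLANs in the page's own CLI syntax (zone names, "vswitch1", "aggregate1" and the rule layout are copied from the page; the VLAN numbers and addresses for the second VLAN are constructed) and checks the plan for the two mistakes that a 5-VLAN rollout invites, a new VLAN ID colliding with an existing VLAN such as the terminal VLAN 10, and two server VLANs sharing a gateway subnet.

```python
# Added example (not the page's own configuration): generate the switch-side
# cutover/rollback commands and the firewall-side zones, subinterfaces and
# rules for N server VLANs, and sanity-check the plan. Command syntax mirrors
# the lines on the page; everything beyond VLAN 2/20 and 192.168.20.1 is
# constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ServerVlan:
    old_vlan: int      # existing server access VLAN (page: 2)
    new_vlan: int      # new gateway VLAN created on the switch (page: 20)
    gateway_ip: str    # gateway address; moves from the old SVI to the new one
    mask: str = "255.255.255.0"


def switch_cutover(v: ServerVlan) -> List[str]:
    """Switch commands that move the gateway behind the firewall (section 5)."""
    return [
        f"vlan {v.new_vlan}",
        f"undo interface vlan {v.old_vlan}",       # remove the old gateway SVI
        f"interface Vlan-interface{v.new_vlan}",    # same IP, new VLAN
        f"ip address {v.gateway_ip} {v.mask}",
    ]


def switch_rollback(v: ServerVlan) -> List[str]:
    """Switch commands that bypass a failed firewall (section 4)."""
    return [
        f"undo interface vlan {v.new_vlan}",
        f"interface Vlan-interface{v.old_vlan}",
        f"ip address {v.gateway_ip} {v.mask}",
    ]


def firewall_config(vlans: List[ServerVlan], agg: str = "aggregate1") -> List[str]:
    """L2 zones on vswitch1, one subinterface per tag, and a permit rule per direction."""
    lines: List[str] = []
    rule_id = 1
    for v in vlans:
        inside = f"L2-trust-vlan{v.old_vlan}"
        outside = f"L2-untrust-vlan{v.new_vlan}"
        for zone in (inside, outside):
            lines += [f'zone "{zone}" l2', 'bind "vswitch1"', "exit"]
        lines += [f"interface {agg}.{v.old_vlan}", f'zone "{inside}"', "exit",
                  f"interface {agg}.{v.new_vlan}", f'zone "{outside}"', "exit"]
        # outside -> inside first, then inside -> outside, as on the page
        for src, dst in ((outside, inside), (inside, outside)):
            lines += [f"rule id {rule_id}", "action permit",
                      "log session-start", "log session-end",
                      f'src-zone "{src}"', f'dst-zone "{dst}"',
                      'src-addr "Any"', 'dst-addr "Any"', 'service "Any"', "exit"]
            rule_id += 1
    return lines


def check_plan(vlans: List[ServerVlan],
               reserved: FrozenSet[int] = frozenset()) -> List[str]:
    """Report VLAN IDs that are reused or collide with reserved VLANs (e.g. the
    terminal VLAN 10) and gateway subnets shared by two server VLANs."""
    problems: List[str] = []
    seen_vlans: Dict[int, ServerVlan] = {}
    seen_nets: Dict[object, int] = {}
    for v in vlans:
        for vid in (v.old_vlan, v.new_vlan):
            if vid in reserved:
                problems.append(f"vlan {vid} is reserved")
            if vid in seen_vlans:
                problems.append(f"vlan {vid} used twice")
            seen_vlans[vid] = v
        net = ip_network(f"{v.gateway_ip}/{v.mask}", strict=False)
        if net in seen_nets:
            problems.append(
                f"subnet {net} shared by vlan {seen_nets[net]} and vlan {v.old_vlan}")
        seen_nets[net] = v.old_vlan
    return problems


if __name__ == "__main__":
    # The page's single VLAN plus one constructed VLAN; VLAN 10 is the terminal VLAN.
    plan = [ServerVlan(2, 20, "192.168.20.1"), ServerVlan(3, 30, "192.168.30.1")]
    print("problems:", check_plan(plan, frozenset({10})) or "none")
    for v in plan:
        print("\n".join(switch_cutover(v)))
    print("\n".join(firewall_config(plan)))
```

Run the check before pushing any generated commands; an empty problem list means every server VLAN keeps exactly one SVI with its original gateway address, so the servers themselves need no change in either the cutover or the rollback.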