
Connecting a Layer 2 switch to a firewall for Internet access

DevOps架构实战 2021-01-08
Switch configuration (2 steps)
Step 1: Configure the downlink interfaces that connect to users.
[Switch] vlan batch 2 3
[Switch] interface gigabitethernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] quit

Step 2: Configure the uplink interface that connects to the firewall.
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3
[Switch-GigabitEthernet0/0/1] quit

Configuration when the firewall interface acts as a Layer 3 interface and the VLANs are terminated on sub-interfaces (5 steps)

Step 1: Configure the VLAN-terminating sub-interfaces.
[USG] vlan batch 2 3
[USG] interface gigabitethernet0/0/1.1
[USG-GigabitEthernet0/0/1.1] vlan-type dot1q 2
[USG-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24
[USG-GigabitEthernet0/0/1.1] quit
[USG] interface gigabitethernet0/0/1.2
[USG-GigabitEthernet0/0/1.2] vlan-type dot1q 3
[USG-GigabitEthernet0/0/1.2] ip address 192.168.2.1 24
[USG-GigabitEthernet0/0/1.2] quit

Step 2: Configure DHCP and DNS so that internal users are assigned IP addresses and the DNS server addresses.
[USG] dhcp enable
[USG] interface gigabitethernet0/0/1.1
[USG-GigabitEthernet0/0/1.1] dhcp select interface
[USG-GigabitEthernet0/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG-GigabitEthernet0/0/1.1] quit
[USG] interface gigabitethernet0/0/1.2
[USG-GigabitEthernet0/0/1.2] dhcp select interface
[USG-GigabitEthernet0/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG-GigabitEthernet0/0/1.2] quit

Step 3: Configure the security zones and enable the interzone policy.
[USG] firewall zone trust
[USG-zone-trust] add interface gigabitethernet0/0/1
[USG-zone-trust] add interface gigabitethernet0/0/1.1
[USG-zone-trust] add interface gigabitethernet0/0/1.2
[USG-zone-trust] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface gigabitethernet0/0/2
[USG-zone-untrust] quit
[USG] firewall packet-filter default permit all

Step 4: Configure the IP address of the public-network interface and a static route.
[USG] interface gigabitethernet0/0/2
[USG-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0
[USG-GigabitEthernet0/0/2] quit
[USG] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1

Step 5: Configure NAT so that internal users can access the Internet.
[USG] nat address-group 1 200.0.0.2 200.0.0.2
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.255.255
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-nat-policy-interzone-trust-untrust-outbound] quit

Configuration when the firewall interface acts as a Layer 2 interface and communicates through VLANIF interfaces (5 steps)

Step 1: Configure the VLANIF interfaces.
[USG] vlan batch 2 3
[USG] interface gigabitethernet0/0/1
[USG-GigabitEthernet0/0/1] portswitch
[USG-GigabitEthernet0/0/1] port link-type trunk
[USG-GigabitEthernet0/0/1] port trunk permit vlan 2 3
[USG-GigabitEthernet0/0/1] quit
[USG] interface vlanif 2
[USG-Vlanif2] ip address 192.168.1.1 24
[USG-Vlanif2] quit
[USG] interface Vlanif 3
[USG-Vlanif3] ip address 192.168.2.1 24
[USG-Vlanif3] quit

Step 2: Configure DHCP and DNS so that internal users are assigned IP addresses and the DNS server addresses.
[USG] dhcp enable
[USG] interface vlanif 2
[USG-Vlanif2] dhcp select interface
[USG-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG-Vlanif2] quit
[USG] interface vlanif 3
[USG-Vlanif3] dhcp select interface
[USG-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG-Vlanif3] quit

Step 3: Configure the security zones and enable the interzone policy.
[USG] firewall zone trust
[USG-zone-trust] add interface gigabitethernet0/0/1
[USG-zone-trust] add interface Vlanif 2
[USG-zone-trust] add interface Vlanif 3
[USG-zone-trust] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface gigabitethernet0/0/2
[USG-zone-untrust] quit
[USG] firewall packet-filter default permit all

Step 4: Configure the IP address of the public-network interface and a static route.
[USG] interface gigabitethernet0/0/2
[USG-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0
[USG-GigabitEthernet0/0/2] quit
[USG] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1

Step 5: Configure NAT so that internal users can access the Internet.
[USG] nat address-group 1 200.0.0.2 200.0.0.2
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.255.255
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-nat-policy-interzone-trust-untrust-outbound] quit
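The two firewall variants above only work if the pieces agree with each other: the VLANs the switch carries on its uplink trunk must be the ones the firewall terminates (as dot1q sub-interfaces or as VLANIFs), every internal subnet must fall inside the NAT policy's source range, and the NAT address pool must contain the public interface address. The following Python script is an added example, not part of the original article: it parses the "[Switch] ..." and "[USG-...] ..." transcript lines as shown on this page and cross-checks them, and it also flags the "firewall packet-filter default permit all" line, which allows all interzone traffic until explicit policies are added. It assumes the device name before the first "-" in a prompt is "Switch" or "USG", that the zones are named trust and untrust as on the page, and that all masks are contiguous; the sample transcripts are constructed from the article's values, plus a deliberately inconsistent copy.

```python
"""Consistency checks for a switch + USG firewall CLI transcript (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# "[USG-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24" -> device, context, command
PROMPT_RE = re.compile(r"^\[([A-Za-z0-9]+)(?:-(.+))?\]\s+(.*\S)\s*$")


@dataclass
class ParsedConfig:
    switch_trunk_vlans: set = field(default_factory=set)  # 'port trunk allow-pass vlan' on the switch
    fw_terminated_vlans: set = field(default_factory=set)  # dot1q sub-interfaces or VLANIFs on the USG
    fw_addresses: dict = field(default_factory=dict)       # interface -> IPv4Interface
    zones: dict = field(default_factory=dict)              # interface -> zone name
    nat_pools: dict = field(default_factory=dict)          # group id -> (first, last)
    nat_sources: list = field(default_factory=list)        # IPv4Network per 'policy source'
    default_permit_all: bool = False


def _norm_if(name):
    """'Vlanif 2', 'Vlanif2' and 'vlanif2' all name the same interface."""
    return name.replace(" ", "").lower()


def wildcard_to_network(addr, wildcard):
    """Convert 'addr wildcard' (as in 'policy source 192.168.0.0 0.0.255.255') to a network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):  # not of the form 2**k - 1, so not a prefix
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}", strict=False)


def parse_config(text):
    cfg = ParsedConfig()
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        device, ctx, words = m.group(1), m.group(2) or "", m.group(3).split()
        is_fw = device.upper().startswith("USG")  # assumption: prompt starts with Switch or USG
        if not is_fw and len(words) > 4 and words[:2] == ["port", "trunk"] and words[3] == "vlan":
            cfg.switch_trunk_vlans.update(int(w) for w in words[4:])
        elif is_fw and words[:2] == ["vlan-type", "dot1q"]:
            cfg.fw_terminated_vlans.add(int(words[2]))
        elif is_fw and len(words) == 3 and words[0] == "interface" and words[1].lower() == "vlanif":
            cfg.fw_terminated_vlans.add(int(words[2]))
        elif is_fw and words[:2] == ["ip", "address"]:  # accepts '24' or '255.255.255.0'
            cfg.fw_addresses[_norm_if(ctx)] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif is_fw and ctx.startswith("zone-") and words[:2] == ["add", "interface"]:
            cfg.zones[_norm_if("".join(words[2:]))] = ctx[len("zone-"):]
        elif is_fw and words[:2] == ["nat", "address-group"]:
            cfg.nat_pools[words[2]] = (ipaddress.ip_address(words[3]), ipaddress.ip_address(words[4]))
        elif is_fw and words[:2] == ["policy", "source"]:
            cfg.nat_sources.append(wildcard_to_network(words[2], words[3]))
        elif is_fw and words == ["firewall", "packet-filter", "default", "permit", "all"]:
            cfg.default_permit_all = True
    return cfg


def check_config(text):
    """Return a list of human-readable findings; an empty list means everything agrees."""
    cfg = parse_config(text)
    findings = []
    only_switch = cfg.switch_trunk_vlans - cfg.fw_terminated_vlans
    if only_switch:
        findings.append(f"VLANs {sorted(only_switch)} are carried on the switch uplink but not terminated on the firewall")
    only_fw = cfg.fw_terminated_vlans - cfg.switch_trunk_vlans
    if only_fw:
        findings.append(f"VLANs {sorted(only_fw)} are terminated on the firewall but not allowed on the switch uplink")
    for iface, addr in cfg.fw_addresses.items():
        if cfg.zones.get(iface) == "trust" and not any(addr.network.subnet_of(s) for s in cfg.nat_sources):
            findings.append(f"internal subnet {addr.network} is not covered by any NAT policy source range")
    public_ips = [a.ip for i, a in cfg.fw_addresses.items() if cfg.zones.get(i) == "untrust"]
    for gid, (first, last) in cfg.nat_pools.items():
        if not any(first <= ip <= last for ip in public_ips):
            findings.append(f"NAT address-group {gid} ({first}-{last}) does not contain the public interface address")
    if cfg.default_permit_all:
        findings.append("'firewall packet-filter default permit all' is set: all interzone traffic is allowed until explicit policies are added")
    return findings


# Constructed sample: the relevant lines of the Layer 3 sub-interface variant from the article.
SAMPLE_OK = """
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3
[USG-GigabitEthernet0/0/1.1] vlan-type dot1q 2
[USG-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24
[USG-GigabitEthernet0/0/1.2] vlan-type dot1q 3
[USG-GigabitEthernet0/0/1.2] ip address 192.168.2.1 24
[USG-zone-trust] add interface gigabitethernet0/0/1.1
[USG-zone-trust] add interface gigabitethernet0/0/1.2
[USG-zone-untrust] add interface gigabitethernet0/0/2
[USG] firewall packet-filter default permit all
[USG-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0
[USG] nat address-group 1 200.0.0.2 200.0.0.2
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.255.255
"""
# Constructed broken copy: extra VLAN on the trunk, NAT source too narrow, pool off by one.
SAMPLE_BAD = (SAMPLE_OK.replace("vlan 2 3", "vlan 2 3 4")
              .replace("192.168.0.0 0.0.255.255", "192.168.1.0 0.0.0.255")
              .replace("200.0.0.2 200.0.0.2", "200.0.0.3 200.0.0.3")
              .replace("[USG] firewall packet-filter default permit all\n", ""))

if __name__ == "__main__":
    for name, sample in (("article config", SAMPLE_OK), ("broken copy", SAMPLE_BAD)):
        print(f"== {name}: {len(check_config(sample))} finding(s)")
        for f in check_config(sample):
            print("  -", f)
```

The same parser handles the VLANIF variant: "interface vlanif 2" lines register the terminated VLAN, and "[USG-Vlanif2] ip address ..." together with "add interface Vlanif 2" in the trust zone supply the internal subnet. On the article's own configuration the only finding is the "default permit all" line; on the broken copy the script reports the stray VLAN 4, the 192.168.2.0/24 subnet left outside the NAT source range, and the address pool that no longer matches the public interface.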
This article is reprinted from DevOps架构实战. To report suspected infringement, send an email to contact@modb.pro with supporting evidence; once verified, 墨天轮 will remove the content immediately.
