命令行
首先配置
PC1
、PC2
、PC3
、PC4
、R1
、R2
、R3
的接口,IP地址,掩碼,網關
PC1:
PC2:
PC3:
R1:
sys
un in en
sysname R1
int e0/0/0
ip address 192.168.70.7 24
dis this
quit
R2:
sys
un in en
sysname R2
int e0/0/0
ip address 192.168.77.7 24
dis this
quit
R3:
sys
un in en
sysname R3
int e0/0/0
ip address 177.7.7.7 24
dis this
quit
接下來配置兩個交換機的接口,連接PC的那些接口設置成
Access
口,通往防火牆的接口設置成Trunk
口,以及創建vlan
區並把接口劃分到對應的vlan
區
LSW1:
sys
un in en
sysname LSW1
vlan batch 7 17
int e0/0/2
port link-type access
port de vlan 7
dis this
int e0/0/3
port link-type access
port de vlan 7
dis this
int e0/0/4
port link-type access
port de vlan 17
quit
dis port vlan
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 7 17
dis this
quit
dis port vlan
LSW2:
sys
un in en
sysname LSW2
vlan 10
int e0/0/2
port link-type access
port de vlan 10
dis this
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 10
dis this
quit
dis port vlan
在防火牆上創建
vlan
,接着對防火牆上的接口進行設置配置,GE 1/0/0
、GE 1/0/1
口配置成Trunk
口,GE 1/0/2
、GE 1/0/3
配置成Access
口並允許對應vlan
通過,然後新建邏輯接口
並分入對應的vlan
FW:
sys
un in en
vlan batch 7 10 17 70 77
dis port vlan
int g1/0/0
portswitch
port link-type trunk
port trunk allow-pass vlan 7 17
dis this
int g1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10
dis this
int g1/0/2
portswitch
port link-type access
port de vlan 70
dis this
int g1/0/3
portswitch
port link-type access
port de vlan 77
dis this
quit
dis ip int brief
interface vlanif 7
ip address 192.168.7.1 24
service-manage ping permit
dis this
quit
interface vlanif 10
ip address 192.168.10.1 24
service-manage ping permit
dis this
quit
interface vlanif 17
ip address 192.168.17.1 24
service-manage ping permit
dis this
quit
interface vlanif 70
ip address 192.168.70.1 24
service-manage ping permit
dis this
quit
interface vlanif 77
ip address 192.168.70.1 24
service-manage ping permit
dis this
quit
dis port vlan
把每個
vlan
都建立對應的區域,並把對應的邏輯接口
劃分到對應的區域,以實現精細化管控
FW:
sys
firewall zone name vlan7
set priority 75
add int Vlanif7
dis this
quit
firewall zone name vlan10
set priority 77
add int Vlanif10
dis this
quit
firewall zone name vlan17
set priority 76
add int Vlanif17
dis this
quit
firewall zone name vlan70
set priority 78
add int Vlanif70
dis this
quit
firewall zone name vlan77
set priority 79
add int Vlanif77
dis this
quit
配置到這裏,每個vlan
的PC就可以訪問各自的網關了,驗證結果如下:
vlan7-PC1:
vlan17-PC3:
vlan10-PC4:
vlan70-R1:
vlan77-R2:
相同區域可以訪問,不同區域不能訪問,驗證結果如下:
接下來只需要對不同區域設置對應需求的安全策略即可實現精細化管控
FW;
sys
security-policy
rule name vlan7_to_vlan17
source-zone vlan7
destination-zone vlan17
service icmp
action permit
dis this
驗證結果如下:
其他的就不演示了,不同區域的設置對應的安全策略即可實現精細化管控
如果是內網的
PC
想要訪問外網的地址,做個NAT源地址轉換
,做個策略,再在外網口上設置一條缺省路由
即可
FW:
sys
firewall zone trust
add int g1/0/0
add int g1/0/1
add int g1/0/2
add int g1/0/3
dis this
quit
firewall zone untrust
add int g1/0/4
dis this
quit
int g1/0/4
ip address 177.7.7.1 24
dis this
quit
ip route-static 0.0.0.0 0 177.7.7.7
nat-policy
rule bane vlan7_nat_untrust
source-zone vlan7
egress-int g1/0/4
action nat easy-ip
dis this
quit
quit
驗證結果:
防火牆web端配置