华为防火墙与三层交换机对接配置VLAN上网设置-Toy模板网

这篇具有很好参考价值的文章主要介绍了华为防火墙与三层交换机对接配置VLAN上网设置。希望对大家有所帮助。如果存在错误或未考虑完全的地方，请大家不吝赐教，您也可以点击"举报违法"按钮提交疑问。

拓扑图

防火墙vlan接口设置,数通技术,华为,网络,服务器

一、交换机设置

1、创建VLAN

<Huawei>sys
[Huawei]sys SW1
[SW1]un in en

[SW1]vlan batch 10 20 100
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]p l a
[SW1-GigabitEthernet0/0/1]p d v 10
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]p l a
[SW1-GigabitEthernet0/0/2]p d v 20
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]p l a
[SW1-GigabitEthernet0/0/3]p d v 100
[SW1-GigabitEthernet0/0/3]quit

2、VLANIF配置DHCP

# 开启DHCP
[SW1]dhcp enable
[SW1]int vlanif 10
[SW1-Vlanif10]ip addr 192.168.10.1 24
[SW1-Vlanif10]dhcp select int
[SW1-Vlanif10]dhcp server dns-list 114.114.114.114
[SW1-Vlanif10]int vlanif 20
[SW1-Vlanif20]ip addr 192.168.20.1 24
[SW1-Vlanif20]dhcp select int
[SW1-Vlanif20]dhcp server dns-list 114.114.114.114
[SW1-Vlanif20]quit

# 配置连接防火墙接口的IP
[SW1]int vlanif 100
[SW1-Vlanif100]ip addr 192.168.100.2 24
[SW1-Vlanif100]quit

3、配置默认路由

[SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1

二、防火墙设置

1、配置连接交换机的接口与公网接口

<USG6000V1>sys
[USG6000V1]sys FW1
[FW1]un in en

# 配置公网IP
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip addr 192.168.137.10 24
[FW1-GigabitEthernet1/0/0]service-manage all permit

# 配置与交换机连接的接口IP
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip addr 192.168.100.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit

2、配置安全区域

[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add int g1/0/0
[FW1-zone-untrust]quit

3、创建地址列表

[FW1]ip address-set 192.168.10.0/24 type object
[FW1-object-address-set-192.168.10.0/24]address 0 192.168.10.0 mask 24
[FW1-object-address-set-192.168.10.0/24]ip address-set 192.168.20.0/24 type object
[FW1-object-address-set-192.168.20.0/24]address 0 192.168.20.0 mask 24
[FW1-object-address-set-192.168.20.0/24]quit

4、配置安全策略

[FW1]security-policy
[FW1-policy-security]rule name "untrust to local"
[FW1-policy-security-rule-untrust to local]source-zone untrust
[FW1-policy-security-rule-untrust to local]destination-zone local
[FW1-policy-security-rule-untrust to local]action permit

[FW1-policy-security-rule-untrust to local]rule name "local to untrust"
[FW1-policy-security-rule-local to untrust]source-zone local
[FW1-policy-security-rule-local to untrust]destination-zone untrust
[FW1-policy-security-rule-local to untrust]action permit

[FW1-policy-security-rule-local to untrust]rule name "trust to untrust"
[FW1-policy-security-rule-trust to untrust]source-zone trust
[FW1-policy-security-rule-trust to untrust]destination-zone untrust
[FW1-policy-security-rule-trust to untrust]source-address address-set 192.168.10.0/24
[FW1-policy-security-rule-trust to untrust]source-address address-set 192.168.20.0/24
[FW1-policy-security-rule-trust to untrust]action permit
[FW1-policy-security-rule-trust to untrust]quit

5、配置NAT策略

# 配置源地址转换，内网用户可以上网
[FW1]nat-policy
[FW1-policy-nat]rule name snat
[FW1-policy-nat-rule-snat]source-zone trust
[FW1-policy-nat-rule-snat]destination-zone untrust
[FW1-policy-nat-rule-snat]source-address address-set 192.168.10.0/24
[FW1-policy-nat-rule-snat]source-address address-set 192.168.20.0/24
[FW1-policy-nat-rule-snat]action source-nat easy-ip
[FW1-policy-nat-rule-snat]quit
[FW1-policy-nat]quit

6、配置默认路由

[FW1]ip route-static 0.0.0.0 0.0.0.0 192.168.137.1
[FW1]ip route-static 192.168.0.0 255.255.0.0 192.168.100.2

7、配置DNS

[FW1]dns resolve
[FW1]dns server 114.114.114.114

三、测试验证

1、查看PC1 PC2 获取IP

PC1>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe90:25d3
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.10.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.10.1
Physical address..................: 54-89-98-90-25-D3
DNS server........................: 114.114.114.114

PC2>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fee7:3d77
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.1
Physical address..................: 54-89-98-E7-3D-77
DNS server........................: 114.114.114.114

2、验证 PC1 PC2互通文章来源地址https://www.toymoban.com/news/detail-675538.html

PC1>ping 192.168.20.254

Ping 192.168.20.254: 32 data bytes, Press Ctrl_C to break
From 192.168.20.254: bytes=32 seq=1 ttl=127 time=63 ms
From 192.168.20.254: bytes=32 seq=2 ttl=127 time=46 ms
From 192.168.20.254: bytes=32 seq=3 ttl=127 time=32 ms
From 192.168.20.254: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.20.254: bytes=32 seq=5 ttl=127 time=46 ms

--- 192.168.20.254 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 32/43/63 ms

到了这里，关于华为防火墙与三层交换机对接配置VLAN上网设置的文章就介绍完了。如果您还想了解更多内容，请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章，希望大家以后多多支持TOY模板网！