2. Firewall Access-Mode Networking Lab
Lab topology

Note: Unless otherwise stated, R1 or SW1 in the description refers to the device in the topology whose name ends in 1, R2 or SW2 to the device whose name ends in 2, and so on. Within a subnet, the host portion of an IP address is the device number: for example, if R3's g0/0 interface is in 192.168.1.0/24, its address is 192.168.1.3/24, and so on.
Lab requirements
1. Configure IP addresses as shown in the diagram. On R2 and SW3, configure a Loopback0 address to serve as the OSPF Router_id, in the form X.X.X.X/32, where X is the device number.
2. Configure OSPF as shown in the diagram so that the whole network is reachable.
3. Configure the F1060 firewall in transparent mode, using Access ports to pass the traffic between R1 and SW1 transparently.
Lab solution
1. Configure IP addresses (router part omitted)
Analysis: The S5820V2 is a Layer 3 switch, so change the interface to route mode before configuring an IP address on it.
Step 1: On SW3, enter interface view for g1/0/1, change the link mode to route, and configure the IP address 192.168.2.254/24
[SW3]interface GigabitEthernet 1/0/1
[SW3-GigabitEthernet1/0/1]port link-mode route
[SW3-GigabitEthernet1/0/1]ip address 192.168.2.254 24
Step 2: On SW3, enter interface view for g1/0/2, change the link mode to route, and configure the IP address 10.0.0.3/24
[SW3]interface GigabitEthernet 1/0/2
[SW3-GigabitEthernet1/0/2]port link-mode route
[SW3-GigabitEthernet1/0/2]ip address 10.0.0.3 24
2. Configure OSPF as shown in the diagram so that the whole network is reachable
Analysis: Full reachability means every router must advertise all of its directly connected networks, including the network of its loopback interface. In addition, each router uses its manually configured loopback address as the Router-id.
Step 1: On R2, configure OSPF and advertise all directly connected networks and the loopback in the area
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
Step 2: On SW3, configure OSPF and advertise all directly connected networks and the loopback in the area
[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[SW3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
3. Configure the firewall policies that permit the traffic
Step 1: Log in to the firewall with admin/admin
login: admin
Password: admin
Step 2: Create VLAN 10 and assign the two firewall interfaces to it (if an interface is in route mode, which is the F1060 default, switch it to Layer 2 with port link-mode bridge in its interface view before adding it to the VLAN)
[FW1]vlan 10
[FW1-vlan10]port GigabitEthernet 1/0/0
[FW1-vlan10]port GigabitEthernet 1/0/1
Step 3: Configure the firewall security zones and import the interfaces into their zones
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/0 vlan 10
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/1 vlan 10
[FW1-security-zone-Untrust]quit
Step 4: Configure a basic ACL that permits any source (applied to every zone pair below, it makes the firewall forward all traffic, so this lab verifies transparent forwarding only, not filtering)
[FW1]acl basic 2000
[FW1-acl-ipv4-basic-2000]rule 0 permit source any
4. Configure the firewall security policy (apply ACL 2000 as the packet filter on all four zone pairs)
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2000
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Untrust]quit
5. Test results
1. The PCs can ping each other
<H3C>ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=253 time=2.000 ms
<H3C>ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=2.000 ms
2. Check the OSPF neighbor information on R2 and SW3
[R2]display ospf peer
OSPF Process 1 with Router ID 2.2.2.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time State       Interface
3.3.3.3         10.0.0.3        1   32        Full/DR     GE0/1
[SW3]display ospf peer
OSPF Process 1 with Router ID 3.3.3.3
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address         Pri Dead-Time State       Interface
2.2.2.2         10.0.0.2        1   34        Full/BDR    GE1/0/2
3. Check the routing tables on R2 and SW3 to confirm that the OSPF routes were learned
[R2]display ip routing-table
Destinations : 19        Routes : 19
Destination/Mask    Proto   Pre Cost NextHop         Interface
0.0.0.0/32          Direct  0   0    127.0.0.1       InLoop0
2.2.2.2/32          Direct  0   0    127.0.0.1       InLoop0
3.3.3.3/32          O_INTRA 10  1    10.0.0.3        GE0/1
10.0.0.0/24         Direct  0   0    10.0.0.2        GE0/1
10.0.0.0/32         Direct  0   0    10.0.0.2        GE0/1
10.0.0.2/32         Direct  0   0    127.0.0.1       InLoop0
10.0.0.255/32       Direct  0   0    10.0.0.2        GE0/1
127.0.0.0/8         Direct  0   0    127.0.0.1       InLoop0
127.0.0.0/32        Direct  0   0    127.0.0.1       InLoop0
127.0.0.1/32        Direct  0   0    127.0.0.1       InLoop0
127.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
192.168.1.0/24      Direct  0   0    192.168.1.254   GE0/0
192.168.1.0/32      Direct  0   0    192.168.1.254   GE0/0
192.168.1.254/32    Direct  0   0    127.0.0.1       InLoop0
192.168.1.255/32    Direct  0   0    192.168.1.254   GE0/0
192.168.2.0/24      O_INTRA 10  2    10.0.0.3        GE0/1
224.0.0.0/4         Direct  0   0    0.0.0.0         NULL0
224.0.0.0/24        Direct  0   0    0.0.0.0         NULL0
255.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
[SW3]display ip routing-table
Destinations : 19        Routes : 19
Destination/Mask    Proto   Pre Cost NextHop         Interface
0.0.0.0/32          Direct  0   0    127.0.0.1       InLoop0
2.2.2.2/32          O_INTRA 10  1    10.0.0.2        GE1/0/2
3.3.3.3/32          Direct  0   0    127.0.0.1       InLoop0
10.0.0.0/24         Direct  0   0    10.0.0.3        GE1/0/2
10.0.0.0/32         Direct  0   0    10.0.0.3        GE1/0/2
10.0.0.3/32         Direct  0   0    127.0.0.1       InLoop0
10.0.0.255/32       Direct  0   0    10.0.0.3        GE1/0/2
127.0.0.0/8         Direct  0   0    127.0.0.1       InLoop0
127.0.0.0/32        Direct  0   0    127.0.0.1       InLoop0
127.0.0.1/32        Direct  0   0    127.0.0.1       InLoop0
127.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
192.168.1.0/24      O_INTRA 10  2    10.0.0.2        GE1/0/2
192.168.2.0/24      Direct  0   0    192.168.2.254   GE1/0/1
192.168.2.0/32      Direct  0   0    192.168.2.254   GE1/0/1
192.168.2.254/32    Direct  0   0    127.0.0.1       InLoop0
192.168.2.255/32    Direct  0   0    192.168.2.254   GE1/0/1
224.0.0.0/4         Direct  0   0    0.0.0.0         NULL0
224.0.0.0/24        Direct  0   0    0.0.0.0         NULL0
255.255.255.255/32  Direct  0   0    127.0.0.1       InLoop0
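The verification steps above can be automated. The script below is an added example, not part of the lab material: it parses the H3C display ospf peer and display ip routing-table output (constructed, abridged samples of R2's output from this lab are embedded) and checks that the adjacency across the transparent firewall is Full and that SW3's loopback and LAN were learned as O_INTRA routes via 10.0.0.3.

```python
import re

# Constructed sample output, abridged from R2's verification step in the lab.
R2_OSPF_PEER = """\
OSPF Process 1 with Router ID 2.2.2.2
Router ID       Address         Pri Dead-Time State       Interface
3.3.3.3         10.0.0.3        1   32        Full/DR     GE0/1
"""
R2_ROUTES = """\
Destination/Mask   Proto   Pre Cost NextHop         Interface
2.2.2.2/32         Direct  0   0    127.0.0.1       InLoop0
3.3.3.3/32         O_INTRA 10  1    10.0.0.3        GE0/1
10.0.0.0/24        Direct  0   0    10.0.0.2        GE0/1
192.168.1.0/24     Direct  0   0    192.168.1.254   GE0/0
192.168.2.0/24     O_INTRA 10  2    10.0.0.3        GE0/1
"""

# One neighbor row: router-id, address, pri, dead-time, state, interface
PEER_RE = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+\d+\s+\d+\s+(\S+)\s+(\S+)$", re.M)
# One route row: prefix, proto, pre, cost, nexthop, interface (header has no /digits)
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$", re.M)

def parse_peers(text):
    """Map router ID -> (address, state, interface) from 'display ospf peer'."""
    return {rid: (addr, state, intf) for rid, addr, state, intf in PEER_RE.findall(text)}

def parse_routes(text):
    """Map prefix -> (proto, pre, cost, nexthop, interface) from 'display ip routing-table'."""
    return {p: (proto, int(pre), int(cost), nh, intf)
            for p, proto, pre, cost, nh, intf in ROUTE_RE.findall(text)}

def check_device(peer_text, route_text, neighbor_id, expected):
    """Return a list of problems (empty means pass): the neighbor must be Full and every
    expected prefix must be an O_INTRA route with the given next hop."""
    problems = []
    peers = parse_peers(peer_text)
    if neighbor_id not in peers:
        problems.append(f"no OSPF neighbor {neighbor_id}")
    elif not peers[neighbor_id][1].startswith("Full"):
        problems.append(f"neighbor {neighbor_id} is {peers[neighbor_id][1]}, not Full")
    routes = parse_routes(route_text)
    for prefix, nexthop in expected.items():
        r = routes.get(prefix)
        if r is None:
            problems.append(f"missing route {prefix}")
        elif r[0] != "O_INTRA" or r[3] != nexthop:
            problems.append(f"{prefix} is {r[0]} via {r[3]}, expected O_INTRA via {nexthop}")
    return problems

# What R2 must have learned through the firewall: SW3's loopback and the 192.168.2.0/24 LAN.
R2_EXPECTED = {"3.3.3.3/32": "10.0.0.3", "192.168.2.0/24": "10.0.0.3"}
```

Run check_device(R2_OSPF_PEER, R2_ROUTES, "3.3.3.3", R2_EXPECTED) against real output pasted from the device; an empty list means the transparent path is working, otherwise each entry names the missing adjacency or route.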