3. Firewall Trunk-mode networking lab

Lab topology

(Figure 6: lab topology diagram)

Note: unless stated otherwise, R1 or SW1 in the description refers to the device whose name in the topology ends in 1, R2 or SW2 to the device whose name ends in 2, and so on. Within one subnet, the host part of an IP address is the device number: for example, if R3's g0/0 interface is in 192.168.1.0/24, its IP address is 192.168.1.3/24, and so on.


Lab requirements

  1. Configure IP addresses as shown in the diagram. On R2 and SW3, configure a Loopback0 address to serve as the OSPF Router ID, in the form X.X.X.X/32 where X is the device number.
  2. Configure OSPF as shown in the diagram so that the whole network is reachable.
  3. Configure the F1060 firewall in transparent mode, passing the traffic between R1 and SW1 through transparently over a Trunk link.

Lab solution

  1. Configure IP addresses (loopback configuration omitted)

Analysis: the S5820V2 is a Layer 3 switch, so its interfaces are switched to route mode before IP addresses are configured. The MSR36-20 router interface, by contrast, has to be switched to Layer 2 (bridge) mode.

Step 1: On SW3, enter the interface view of g1/0/1, change the link mode to route mode and configure the IP address 192.168.2.254/24; do the same for g1/0/2 with 10.0.0.3/24 (the prompts below are SW3, which is the device with Loopback0 3.3.3.3 in the OSPF output later on).

[SW3]interface GigabitEthernet 1/0/1
[SW3-GigabitEthernet1/0/1]port link-mode route
[SW3-GigabitEthernet1/0/1]ip address 192.168.2.254 24
[SW3-GigabitEthernet1/0/1]quit
[SW3]interface GigabitEthernet 1/0/2
[SW3-GigabitEthernet1/0/2]port link-mode route
[SW3-GigabitEthernet1/0/2]ip address 10.0.0.3 24
[SW3-GigabitEthernet1/0/2]quit

Step 2: On R2, enter the interface view of g0/0, switch it to Layer 2 (bridge) mode and make it a trunk that permits VLAN 10 only, then create VLAN 10 and give its Layer 3 VLAN interface an IP address.

[R2]interface GigabitEthernet 0/0
[R2-GigabitEthernet0/0]port link-mode bridge
[R2-GigabitEthernet0/0]port link-type trunk
[R2-GigabitEthernet0/0]port trunk permit vlan 10
[R2-GigabitEthernet0/0]undo port trunk permit vlan 1
[R2-GigabitEthernet0/0]quit
[R2]vlan 10
[R2-vlan10]quit
[R2]interface Vlan-interface 10
[R2-Vlan-interface10]ip address 10.0.0.2 24

  2. Configure OSPF as shown in the diagram so that the whole network is reachable

Analysis: full reachability means that every router must advertise all of its directly connected subnets, including the subnet of its loopback interface. In addition, each router is manually given its own loopback address as the Router ID.

Step 1: On R2, configure OSPF and advertise all directly connected subnets and the loopback in the area

[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255

Step 2: On SW3, configure OSPF and advertise all directly connected subnets and the loopback in the area (the loopback advertised here is SW3's own 3.3.3.3/32, which is the prefix R2 learns via OSPF in the test results)

[SW3]ospf 1 router-id 3.3.3.3
[SW3-ospf-1]area 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 10.0.0.0 0.0.0.255
[SW3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[SW3-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255

  3. Configure the firewall policies so that traffic is permitted

Step 1: Log in to the firewall (admin/admin)

login: admin
Password: admin

Step 2: Create VLAN 10 and configure the two firewall ports as trunks that permit it. The firewall interfaces are first switched to Layer 2 (bridge) mode so that they can carry the VLAN, and VLAN 1 is removed from each trunk so that only VLAN 10 is passed through.

[FW1]vlan 10
[FW1-vlan10]quit
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]port link-mode bridge
[FW1-GigabitEthernet1/0/0]port link-type trunk
[FW1-GigabitEthernet1/0/0]port trunk permit vlan 10
[FW1-GigabitEthernet1/0/0]undo port trunk permit vlan 1
[FW1-GigabitEthernet1/0/0]quit
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]port link-mode bridge
[FW1-GigabitEthernet1/0/1]port link-type trunk
[FW1-GigabitEthernet1/0/1]port trunk permit vlan 10
[FW1-GigabitEthernet1/0/1]undo port trunk permit vlan 1
[FW1-GigabitEthernet1/0/1]quit
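A quick way to verify the trunk step on more than two ports is to audit the running configuration rather than read it by eye. The Python script below is an added example, not part of the original lab or of H3C's tooling; it parses a constructed Comware-style configuration sample (modelled on the commands above, with VLAN 1 deliberately left on one port) and reports every trunk port whose permitted VLAN set is not exactly the expected one.

```python
import re

# Constructed sample (not the lab's real devices): running-config of the
# firewall trunk ports, with VLAN 1 deliberately left permitted on
# GigabitEthernet1/0/1 so the audit has something to report.
FW1_CONFIG = """\
vlan 10
#
interface GigabitEthernet1/0/0
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 10
#
"""

def parse_trunks(config):
    """Return {interface: set of permitted VLAN ids} for each trunk port.
    A Comware trunk permits VLAN 1 by default, so VLAN 1 stays in the set
    until an 'undo port trunk permit vlan 1' line removes it. Plain id
    lists only ('10 20'); ranges ('10 to 20') and 'all' are not handled."""
    trunks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            continue
        line = raw.strip()
        if current is None:
            continue
        if line == "port link-type trunk":
            trunks[current] = {1}          # default permit list of a new trunk
        elif current in trunks:
            m = re.match(r"(undo )?port trunk permit vlan ([\d ]+)$", line)
            if m:
                ids = {int(v) for v in m.group(2).split()}
                trunks[current] = (trunks[current] - ids if m.group(1)
                                   else trunks[current] | ids)
    return trunks

def audit_trunks(config, expected):
    """Return the trunk ports whose permit list is not exactly `expected`."""
    return {port: vlans for port, vlans in parse_trunks(config).items()
            if vlans != expected}
```

Running audit_trunks(FW1_CONFIG, {10}) on the sample reports only GigabitEthernet1/0/1, which still permits VLANs 1 and 10; feeding it the output of display current-configuration from a real device works the same way as long as the permit lists are plain id lists.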

Step 3: Configure the firewall security zones and add the interfaces (for VLAN 10) to the corresponding zones

[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/0 vlan 10
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/1 vlan 10
[FW1-security-zone-Untrust]quit

Step 4: Configure a basic ACL that matches any source

[FW1]acl basic 2000
[FW1-acl-ipv4-basic-2000]rule 0 permit source any

  4. Configure the firewall security policy

Bind ACL 2000 as the packet filter on all four zone pairs: Trust to Untrust and Untrust to Trust for the traffic crossing the firewall, plus the two intra-zone pairs. Since rule 0 permits any source, this passes every packet in both directions, which is what the lab needs; in a real deployment the rules of ACL 2000 are where the actual filtering would be expressed.

[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2000
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Untrust]quit

  5. Test results

1. The PCs can ping each other

<H3C>ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=253 time=2.000 ms
<H3C>ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=253 time=2.000 ms

2. Check the OSPF neighbor information on R2 and SW3 (both adjacencies are in the Full state)

[R2]display ospf peer 

         OSPF Process 1 with Router ID 2.2.2.2
               Neighbor Brief Information

 Area: 0.0.0.0        
 Router ID       Address         Pri Dead-Time  State             Interface
 3.3.3.3         10.0.0.3        1   32         Full/DR           GE0/1
[SW3]display ospf peer 

         OSPF Process 1 with Router ID 3.3.3.3
               Neighbor Brief Information

 Area: 0.0.0.0        
 Router ID       Address         Pri Dead-Time  State             Interface
 2.2.2.2         10.0.0.2        1   34         Full/BDR          GE1/0/2

3. Check the routing tables on R2 and SW3 to confirm that the relevant routes have been learned (the O_INTRA entries are the prefixes learned via OSPF from the other device)

[R2]display ip routing-table 

Destinations : 19       Routes : 19

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
2.2.2.2/32         Direct  0   0           127.0.0.1       InLoop0
3.3.3.3/32         O_INTRA 10  1           10.0.0.3        GE0/1
10.0.0.0/24        Direct  0   0           10.0.0.2        GE0/1
10.0.0.0/32        Direct  0   0           10.0.0.2        GE0/1
10.0.0.2/32        Direct  0   0           127.0.0.1       InLoop0
10.0.0.255/32      Direct  0   0           10.0.0.2        GE0/1
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.1.0/24     Direct  0   0           192.168.1.254   GE0/0
192.168.1.0/32     Direct  0   0           192.168.1.254   GE0/0
192.168.1.254/32   Direct  0   0           127.0.0.1       InLoop0
192.168.1.255/32   Direct  0   0           192.168.1.254   GE0/0
192.168.2.0/24     O_INTRA 10  2           10.0.0.3        GE0/1
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
[SW3]display ip routing-table 

Destinations : 19       Routes : 19

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
2.2.2.2/32         O_INTRA 10  1           10.0.0.2        GE1/0/2
3.3.3.3/32         Direct  0   0           127.0.0.1       InLoop0
10.0.0.0/24        Direct  0   0           10.0.0.3        GE1/0/2
10.0.0.0/32        Direct  0   0           10.0.0.3        GE1/0/2
10.0.0.3/32        Direct  0   0           127.0.0.1       InLoop0
10.0.0.255/32      Direct  0   0           10.0.0.3        GE1/0/2
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.0/32       Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
192.168.1.0/24     O_INTRA 10  2           10.0.0.2        GE1/0/2
192.168.2.0/24     Direct  0   0           192.168.2.254   GE1/0/1
192.168.2.0/32     Direct  0   0           192.168.2.254   GE1/0/1
192.168.2.254/32   Direct  0   0           127.0.0.1       InLoop0
192.168.2.255/32   Direct  0   0           192.168.2.254   GE1/0/1
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0