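1. Lab topology:
2. Network connectivity:
The IP address configuration of the router, switch and hosts is omitted.
The VLAN configuration on switch LSW1 is shown below: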
[SW1]disp vlan
The total number of vlans is : 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:Eth0/0/4(D) Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D)
Eth0/0/8(D) Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D)
Eth0/0/12(D) Eth0/0/13(D) Eth0/0/14(D) Eth0/0/15(D)
Eth0/0/16(D) Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D)
Eth0/0/20(D) Eth0/0/21(D) Eth0/0/22(D) GE0/0/1(D)
GE0/0/2(D)
10 common UT:Eth0/0/1(U)
20 common UT:Eth0/0/2(U) Eth0/0/3(U)
Static route configured on switch LSW1: ip route-static 0.0.0.0 0.0.0.0 Vlanif10 11.0.0.10
Routing table of switch LSW1:
[SW1]disp ip rout
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 D 11.0.0.10 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
11.0.0.0/24 Direct 0 0 D 11.0.0.1 Vlanif10
11.0.0.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
Static route configured on router AR1: ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 202.0.0.10
Interface configuration of firewall FW1:
[FW1]disp ip int bri
2020-06-18 12:55:44.820
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 6
The number of interface that is DOWN in Physical is 4
The number of interface that is UP in Protocol is 6
The number of interface that is DOWN in Protocol is 4
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.0.10/24 up up
GigabitEthernet1/0/0 202.0.0.10/24 up up
GigabitEthernet1/0/1 11.0.0.10/24 up up
GigabitEthernet1/0/2 12.0.0.10/24 up up
Add the firewall's interfaces to their security zones:
[FW1]disp zone
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/2
View the default security policy on firewall FW1:
[FW1]disp security-policy rule all
2020-06-18 12:59:14.270
Total:1
RULE ID RULE NAME STATE ACTION HITS
--------------------------------------------------------------------------------------------
0 default enable deny 0
---------------------------------------------------------------------------------------------
Set the default security policy action on firewall FW1 to permit, then test connectivity between the firewall and the other devices.
[FW1]security-policy
[FW1-policy-security]default action permit
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Ar
e you sure you want to continue?[Y/N]y
[FW1-policy-security]
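
An added example (not part of the original post): a Python script that parses the `display zone` output shown above and lists the inbound zone pairs (lower to higher priority) that go unfiltered once the default rule is permit. The function names and the post-change rule line in `RULES` are assumptions constructed for this example.

```python
import re

# "display zone" output as shown on this page.
ZONES = """local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/0
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/2
"""
# Constructed sample: the rule table assumed after "default action permit".
RULES = "RULE ID RULE NAME STATE ACTION HITS\n0 default enable permit 0\n"

def parse_zones(text):
    """Return {zone: (priority, [interfaces])} from 'display zone' text."""
    zones = {}
    for block in re.split(r"^#\s*$", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) >= 3:  # name, priority line, interface-count line
            prio = int(re.search(r"priority is (\d+)", lines[1]).group(1))
            zones[lines[0]] = (prio, lines[3:])
    return zones

def default_action(text):
    """Return the action of the rule named 'default', or None if absent."""
    m = re.search(r"^\s*\d+\s+default\s+\S+\s+(permit|deny)\s+\d+\s*$", text, re.M)
    return m.group(1) if m else None

def open_inbound_pairs(zones, rules_text):
    """Zone pairs (lower -> higher priority) left open by a permit default."""
    if default_action(rules_text) != "permit":
        return []
    # Zones without interfaces (here: local, the device itself) are skipped.
    live = sorted((p, z) for z, (p, ifs) in zones.items() if ifs)
    return [(s, d) for i, (_, s) in enumerate(live) for _, d in live[i + 1:]]

if __name__ == "__main__":
    for src, dst in open_inbound_pairs(parse_zones(ZONES), RULES):
        print(f"default permit leaves {src} -> {dst} unfiltered")
```

Feeding it the original rule table from this page (default action deny) returns an empty list, which is the state to restore after the connectivity test.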
Static routes configured on firewall FW1:
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 202.0.0.1
ip route-static 10.1.1.0 255.255.255.0 GigabitEthernet1/0/1 11.0.0.1
Test connectivity between the firewall and the other devices. [Omitted]
Original: https://www.cnblogs.com/gd-hn-mzh/p/13156567.html