三层交换机与防火墙对接上网配置示例
组网图形
三层交换机简介
三层交换机是具有路由功能的交换机,由于路由属于OSI模型中第三层网络层的功能,所以称为三层交换机。
三层交换机既可以工作在二层也可以工作在三层,可以部署在接入层,也可以部署在汇聚层,作为用户的网关。
配置注意事项
- 本举例中的交换机作为DHCP服务器适用的产品和版本如下:
- V200R009C00及后续版本的S2720-EI
- V200R005C00SPC300及后续版本的S2750-EI、S5700-LI、S5700S-LI
- S3700-SI、S3700-EI、S3700-HI
- S5700-SI、S5700-EI、S5700-HI、S5710-X-LI、S5710-EI、S5710-HI、S5720-LI、S5720S-LI、S5720-SI、S5720S-SI、S5720I-SI、S5720-EI、S5720-HI、S5730-HI、S5730-SI、S5730S-EI、S5731-H、S5731-S、S5731S-S、S5731S-H、S5731-H-K、S5732-H、S5732-H-K、S2730S-S、S5735-L-I、S5735-L1、S300、S5735-L、S5735S-L1、S5735S-L、S5735S-L-M、S5735-S、S500、S5735S-S、S5735-S-I、S5735S-H、S5736-S
- S6700-EI、S6720-LI、S6720S-LI、S6720-SI、S6720S-SI、S6735-S、S6720-EI、S6720S-EI、S6720-HI、S6730-H、S6730-S、S6730S-S、S6730S-H、S6730-H-K
- S7703、S7706、S7712、S7710、S7703 PoE、S7706 PoE、S7905、S7908、S9703、S9706、S9712
-
本举例中产品的默认适用版本请参见“案例适用的产品和版本说明”中的表1。
组网需求
如图1所示,某公司拥有多个部门且位于不同网段,各部门均有访问Internet的需求。现要求用户通过三层交换机和防火墙访问外部网络,且要求三层交换机作为用户的网关。
配置思路
采用如下思路进行配置:
-
配置交换机作为用户的网关,通过VLANIF接口,实现跨网段用户互访。
-
开启防火墙域间安全策略,使不同域的报文可以相互转发。
操作步骤
- 配置交换机
# 配置连接用户的接口和对应的VLANIF接口。
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 2 3 [Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access //配置接口接入类型为access [Switch-GigabitEthernet0/0/2] port default vlan 2 //配置接口加入VLAN 2 [Switch-GigabitEthernet0/0/2] quit [Switch] interface gigabitethernet 0/0/3 [Switch-GigabitEthernet0/0/3] port link-type access [Switch-GigabitEthernet0/0/3] port default vlan 3 [Switch-GigabitEthernet0/0/3] quit [Switch] interface vlanif 2 [Switch-Vlanif2] ip address 192.168.1.1 24 [Switch-Vlanif2] quit [Switch] interface vlanif 3 [Switch-Vlanif3] ip address 192.168.2.1 24 [Switch-Vlanif3] quit
# 配置连接防火墙的接口和对应的VLANIF接口。
[Switch] vlan batch 100 [Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 100 [Switch-GigabitEthernet0/0/1] quit [Switch] interface vlanif 100 [Switch-Vlanif100] ip address 192.168.100.2 24 [Switch-Vlanif100] quit
# 配置缺省路由。
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //缺省路由的下一跳是防火墙接口的IP地址192.168.100.1
# 配置DHCP服务器。
[Switch] dhcp enable [Switch] interface vlanif 2 [Switch-Vlanif2] dhcp select interface //DHCP使用接口地址池的方式为用户分配IP地址 [Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //配置的DNS-List 114.114.114.114是公用的DNS服务器地址,是不区分运营商的。在实际应用中,请根据运营商分配的DNS进行配置 [Switch-Vlanif2] quit [Switch] interface vlanif 3 [Switch-Vlanif3] dhcp select interface [Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5 [Switch-Vlanif3] quit
- 配置防火墙
# 配置连接交换机的接口对应的IP地址。
<USG6600> system-view [USG6600] interface gigabitethernet 1/0/1 [USG6600-GigabitEthernet1/0/1] ip address 192.168.100.1 255.255.255.0 [USG6600-GigabitEthernet1/0/1] quit
# 配置连接公网的接口对应的IP地址。
[USG6600] interface gigabitethernet 1/0/2 [USG6600-GigabitEthernet1/0/2] ip address 203.0.113.2 255.255.255.0 //配置连接公网接口的IP地址和公网的IP地址在同一网段 [USG6600-GigabitEthernet1/0/2] quit
# 配置缺省路由和回程路由。
[USG6600] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //配置静态缺省路由的下一跳指向公网提供的IP地址203.0.113.1 [USG6600] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //配置回程路由的下一跳就指向交换机上行接口的IP地址192.168.100.2
# 配置安全策略。
[USG6600] firewall zone trust //配置trust域 [USG6600-zone-trust] add interface gigabitethernet 1/0/1 [USG6600-zone-trust] quit [USG6600] firewall zone untrust //配置untrust域 [USG6600-zone-untrust] add interface gigabitethernet 1/0/2 [USG6600-zone-untrust] quit
# 配置安全策略,允许域间互访。[USG6600] security-policy [USG6600-policy-security] rule name policy1 [USG6600-policy-security-rule-policy1] source-zone trust [USG6600-policy-security-rule-policy1] destination-zone untrust [USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0 [USG6600-policy-security-rule-policy1] action permit [USG6600-policy-security-rule-policy1] quit [USG6600-policy-security] quit
# 配置PAT地址池,开启允许端口地址转换。[USG6600] nat address-group addressgroup1 [USG6600-address-group-addressgroup1] mode pat [USG6600-address-group-addressgroup1] route enable [USG6600-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2 //转换的公网IP地址 [USG6600-address-group-addressgroup1] quit
# 配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换。[USG6600] nat-policy [USG6600-policy-nat] rule name policy_nat1 [USG6600-policy-nat-rule-policy_nat1] source-zone trust [USG6600-policy-nat-rule-policy_nat1] destination-zone untrust [USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //允许进行PAT转换的源IP地址 [USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1 [USG6600-policy-nat-rule-policy_nat1] quit [USG6600-policy-nat] quit [USG6600] quit
- 检查配置结果
配置PC1的IP地址为192.168.1.2/24,网关为192.168.1.1;PC2的IP地址为192.168.2.2/24,网关为192.168.2.1。
配置外网PC的IP地址为203.0.113.1/24,网关为203.0.113.2。
配置完成后,PC1和PC2都可以Ping通外网的IP 203.0.113.1/24,PC1和PC2都可以访问Internet。
配置文件
Switch的配置文件
#
sysname Switch
#
vlan batch 2 to 3 100
#
dhcp enable
#
interface Vlanif2ip address 192.168.1.1 255.255.255.0dhcp select interfacedhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3ip address 192.168.2.1 255.255.255.0dhcp select interfacedhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif100ip address 192.168.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 100
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 2
#
interface GigabitEthernet0/0/3port link-type accessport default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
return
USG的配置文件
#
interface GigabitEthernet1/0/1ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2ip address 203.0.113.2 255.255.255.0
#
firewall zone trustset priority 85add interface GigabitEthernet1/0/1
#
firewall zone untrustset priority 5add interface GigabitEthernet0/0/2
#ip route-static 0.0.0.0 0.0.0.0 203.0.113.1ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
#
nat address-group addressgroup1 0 mode pat route enable section 0 203.0.113.2 203.0.113.2
#
security-policy rule name policy1 source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action permit
#
nat-policy rule name policy_nat1 source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action nat address-group addressgroup1
#
return