Topology diagram
I. Switch configuration
1. Create VLANs
<Huawei>sys
[Huawei]sys SW1
[SW1]un in en
[SW1]vlan batch 10 20 100
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]p l a
[SW1-GigabitEthernet0/0/1]p d v 10
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]p l a
[SW1-GigabitEthernet0/0/2]p d v 20
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]p l a
[SW1-GigabitEthernet0/0/3]p d v 100
[SW1-GigabitEthernet0/0/3]quit
2. Configure DHCP on the VLANIF interfaces
# Enable DHCP
[SW1]dhcp enable
[SW1]int vlanif 10
[SW1-Vlanif10]ip addr 192.168.10.1 24
[SW1-Vlanif10]dhcp select int
[SW1-Vlanif10]dhcp server dns-list 114.114.114.114
[SW1-Vlanif10]int vlanif 20
[SW1-Vlanif20]ip addr 192.168.20.1 24
[SW1-Vlanif20]dhcp select int
[SW1-Vlanif20]dhcp server dns-list 114.114.114.114
[SW1-Vlanif20]quit
# Configure the IP of the interface connected to the firewall
[SW1]int vlanif 100
[SW1-Vlanif100]ip addr 192.168.100.2 24
[SW1-Vlanif100]quit
3. Configure the default route
[SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
II. Firewall configuration
1. Configure the interface facing the switch and the public (WAN) interface
<USG6000V1>sys
[USG6000V1]sys FW1
[FW1]un in en
# Configure the public IP
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip addr 192.168.137.10 24
[FW1-GigabitEthernet1/0/0]service-manage all permit
# Configure the IP of the interface connected to the switch
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip addr 192.168.100.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit
2. Configure security zones
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add int g1/0/0
[FW1-zone-untrust]quit
3. Create address sets
[FW1]ip address-set 192.168.10.0/24 type object
[FW1-object-address-set-192.168.10.0/24]address 0 192.168.10.0 mask 24
[FW1-object-address-set-192.168.10.0/24]ip address-set 192.168.20.0/24 type object
[FW1-object-address-set-192.168.20.0/24]address 0 192.168.20.0 mask 24
[FW1-object-address-set-192.168.20.0/24]quit
4. Configure security policies
[FW1]security-policy
[FW1-policy-security]rule name "untrust to local"
[FW1-policy-security-rule-untrust to local]source-zone untrust
[FW1-policy-security-rule-untrust to local]destination-zone local
[FW1-policy-security-rule-untrust to local]action permit
[FW1-policy-security-rule-untrust to local]rule name "local to untrust"
[FW1-policy-security-rule-local to untrust]source-zone local
[FW1-policy-security-rule-local to untrust]destination-zone untrust
[FW1-policy-security-rule-local to untrust]action permit
[FW1-policy-security-rule-local to untrust]rule name "trust to untrust"
[FW1-policy-security-rule-trust to untrust]source-zone trust
[FW1-policy-security-rule-trust to untrust]destination-zone untrust
[FW1-policy-security-rule-trust to untrust]source-address address-set 192.168.10.0/24
[FW1-policy-security-rule-trust to untrust]source-address address-set 192.168.20.0/24
[FW1-policy-security-rule-trust to untrust]action permit
[FW1-policy-security-rule-trust to untrust]quit
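As an added example (not part of the original lab), here is a Python check that parses the firewall configuration above and flags the two settings that expose the firewall's own management plane (zone local) to the untrust side: `service-manage all permit` on g1/0/0 and the "untrust to local" permit rule with no source restriction. The sample config text and the finding messages are constructed here; the parser assumes `display current-configuration` style output with the indentation shown.

```python
# Constructed sample: the USG6000V1 config from the lab above, as "display current-configuration" would show it (prompts, IPs and NAT omitted).
FW_CONFIG = """\
interface GigabitEthernet1/0/0
 service-manage all permit
interface GigabitEthernet1/0/1
 service-manage ping permit
firewall zone untrust
 add interface GigabitEthernet1/0/0
security-policy
 rule name "untrust to local"
  source-zone untrust
  destination-zone local
  action permit
 rule name "trust to untrust"
  source-zone trust
  destination-zone untrust
  source-address address-set 192.168.10.0/24
  action permit
"""

def parse(config):
    svc, zones, rules, iface, zone = {}, {}, [], None, None
    for raw in config.splitlines():
        words = raw.split() or [""]            # blank line -> no-op
        if words[0] == "interface":
            iface, zone = words[1], None
        elif words[0] == "service-manage" and iface:
            svc[iface] = words[1]              # "all", "ping", "https", ...
        elif words[:2] == ["firewall", "zone"]:
            zone, iface = words[2], None
        elif words[:2] == ["add", "interface"] and zone:
            zones.setdefault(zone, []).append(words[2])
        elif words[:2] == ["rule", "name"]:   # rule names may contain spaces
            rules.append({"name": raw.split(None, 2)[2].strip('"'), "source-address": []})
        elif rules and words[0] == "source-address":
            rules[-1]["source-address"].append(words[-1])
        elif rules and words[0] in ("source-zone", "destination-zone", "action"):
            rules[-1][words[0]] = words[1]
    return svc, zones, rules               # service-manage per interface, interfaces per zone, rules

def findings(config):
    # Flags settings that expose the firewall's own management plane (zone "local") to untrust.
    svc, zones, rules = parse(config)
    out = [f"{i}: 'service-manage all permit' on an untrust-zone interface"
           for i in zones.get("untrust", []) if svc.get(i) == "all"]
    for r in rules:
        if ((r.get("source-zone"), r.get("destination-zone"), r.get("action"))
                == ("untrust", "local", "permit") and not r["source-address"]):
            out.append(f"rule '{r['name']}': untrust -> local permit with no source-address restriction")
    return out
```

Run `findings(FW_CONFIG)` to get both findings; restricting `service-manage` to the needed services and adding a `source-address` to the untrust-to-local rule clears them.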
5. Configure the NAT policy
# Configure source NAT so that internal users can reach the Internet
[FW1]nat-policy
[FW1-policy-nat]rule name snat
[FW1-policy-nat-rule-snat]source-zone trust
[FW1-policy-nat-rule-snat]destination-zone untrust
[FW1-policy-nat-rule-snat]source-address address-set 192.168.10.0/24
[FW1-policy-nat-rule-snat]source-address address-set 192.168.20.0/24
[FW1-policy-nat-rule-snat]action source-nat easy-ip
[FW1-policy-nat-rule-snat]quit
[FW1-policy-nat]quit
6. Configure the default route
[FW1]ip route-static 0.0.0.0 0.0.0.0 192.168.137.1
[FW1]ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
7. Configure DNS
[FW1]dns resolve
[FW1]dns server 114.114.114.114
III. Testing and verification
1. Check the IP addresses obtained by PC1 and PC2
PC1>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:fe90:25d3
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.10.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.10.1
Physical address..................: 54-89-98-90-25-D3
DNS server........................: 114.114.114.114
PC2>ipconfig
Link local IPv6 address...........: fe80::5689:98ff:fee7:3d77
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.20.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.20.1
Physical address..................: 54-89-98-E7-3D-77
DNS server........................: 114.114.114.114
2. Verify connectivity between PC1 and PC2
PC1>ping 192.168.20.254
Ping 192.168.20.254: 32 data bytes, Press Ctrl_C to break
From 192.168.20.254: bytes=32 seq=1 ttl=127 time=63 ms
From 192.168.20.254: bytes=32 seq=2 ttl=127 time=46 ms
From 192.168.20.254: bytes=32 seq=3 ttl=127 time=32 ms
From 192.168.20.254: bytes=32 seq=4 ttl=127 time=32 ms
From 192.168.20.254: bytes=32 seq=5 ttl=127 time=46 ms
--- 192.168.20.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/43/63 ms