The firewall is deployed in one-arm (bypass) mode off the core switch. The internal network has three segments: VLAN 10: 172.16.10.1/24, VLAN 20: 172.16.20.1/24, VLAN 30: 172.16.30.1/24. Requirements: the internal gateways sit on the firewall; the firewall acts as the DHCP server and hands out addresses to endpoints; and the firewall enforces that VLAN 10 cannot reach VLAN 20 and VLAN 20 cannot reach VLAN 30, with no other restrictions.
Configuration approach:
1. On the access switch, assign ports to the designated VLANs according to business needs.
2. Configure the interconnect between the access switch and the core switch as a trunk carrying the three business VLANs.
3. Configure link 1 between the core switch and the firewall (G1/0/3) as a trunk carrying the three business VLANs; internal traffic enters the firewall over this link.
4. On link 2 between the core switch and the firewall (G1/0/2), the switch-side port works in access mode in VLAN 5 and the firewall-side interface works in Layer 3 mode, so link 2 is a routed (Layer 3) interconnect; traffic the firewall has processed returns to the core switch over this link.
5. Configure interconnect addresses between the core switch and the egress router: the core switch gets a default route pointing to the egress router, the egress router gets return routes for the internal segments pointing to the core switch, and the core switch gets return routes pointing to the firewall.
6. Configure DHCP and the security policy on the firewall.
Configuration steps
1. Configure the access switch (Access)
sys
#創(chuàng)建業(yè)務(wù)vlan
[Access]vlan 10
[Access-vlan10]quit
[Access]vlan 20
[Access-vlan20]quit
[Access]vlan 30
[Access-vlan30]quit
[Access]
# Assign the endpoint ports to their VLANs according to business needs
[Access]inter GigabitEthernet 1/0/5
[Access-GigabitEthernet1/0/5]port access vlan 10
[Access-GigabitEthernet1/0/5]quit
[Access]
[Access]inter GigabitEthernet 1/0/6
[Access-GigabitEthernet1/0/6]port access vlan 20
[Access-GigabitEthernet1/0/6]quit
[Access]
[Access]inter GigabitEthernet 1/0/7
[Access-GigabitEthernet1/0/7]port access vlan 30
[Access-GigabitEthernet1/0/7]quit
[Access]
# Configure the access switch uplink as a trunk that permits VLANs 10, 20 and 30 and denies VLAN 1
[Access]inter GigabitEthernet 1/0/4
[Access-GigabitEthernet1/0/4]port link-type trunk
[Access-GigabitEthernet1/0/4]port trunk permit vlan 10 20 30
[Access-GigabitEthernet1/0/4]undo port trunk permit vlan 1
[Access-GigabitEthernet1/0/4]qu
# Save the configuration
[Access] save force
2. Configure the core switch (Core)
system-view
#創(chuàng)建業(yè)務(wù)vlan
[Core]vlan 10
[Core-vlan10]quit
[Core]vlan 20
[Core-vlan20]quit
[Core]vlan 30
[Core-vlan30]quit
[Core]vlan 5
[Core-vlan5]quit
[Core]vlan 6
[Core-vlan6]quit
[Core]
# Configure the downlink to the access switch as a trunk that permits VLANs 10, 20 and 30 and denies VLAN 1
[Core]inter GigabitEthernet 1/0/4
[Core-GigabitEthernet1/0/4]port link-type trunk
[Core-GigabitEthernet1/0/4]port trunk permit vlan 10 20 30
[Core-GigabitEthernet1/0/4]undo port trunk permit vlan 1
[Core-GigabitEthernet1/0/4]qu
[Core]
# Configure the interface to the firewall (link 1) as a trunk that permits VLANs 10, 20 and 30 and denies VLAN 1
[Core]inter GigabitEthernet 1/0/3
[Core-GigabitEthernet1/0/3]port link-type trunk
[Core-GigabitEthernet1/0/3]port trunk permit vlan 10 20 30
[Core-GigabitEthernet1/0/3]undo port trunk permit vlan 1
[Core-GigabitEthernet1/0/3]quit
[Core]
# Put the interface to the firewall (link 2) in VLAN 5
[Core]inter GigabitEthernet 1/0/2
[Core-GigabitEthernet1/0/2]port access vlan 5
[Core-GigabitEthernet1/0/2]quit
[Core]
# Put the interface to the upstream router in VLAN 6
[Core]inter g1/0/1
[Core-GigabitEthernet1/0/1]port access vlan 6
[Core-GigabitEthernet1/0/1]quit
[Core]
# Configure the switch-to-firewall interconnect address 10.0.23.2/24
[Core]inter vlan 5
[Core-Vlan-interface5]ip address 10.0.23.2 24
[Core-Vlan-interface5]qu
[Core]
# Configure the switch-to-router interconnect address 10.0.12.2/24
[Core]inter vlan 6
[Core-Vlan-interface6]ip address 10.0.12.2 24
[Core-Vlan-interface6]quit
[Core]
# Default route pointing to the egress router
[Core]ip route-static 0.0.0.0 0 10.0.12.1
#配置內(nèi)網(wǎng)網(wǎng)段回程路由指向防火墻
[Core]ip route-static 172.16.10.0 24 10.0.23.3
[Core]ip route-static 172.16.20.0 24 10.0.23.3
[Core]ip route-static 172.16.30.0 24 10.0.23.3
# Save the configuration
[Core] save force
3. Configure the firewall; the default login username and password are both admin
Login: admin
Password: admin
sys
[H3C]sysname FW
#創(chuàng)建業(yè)務(wù)vlan
[FW]vlan 10
[FW-vlan10]quit
[FW]vlan 20
[FW-vlan20]quit
[FW]vlan 30
[FW-vlan30]quit
[FW]
# Configure the interface to the switch (link 1) as a trunk that permits VLANs 10, 20 and 30 and denies VLAN 1
[FW]inter GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3]port link-mode bridge
[FW-GigabitEthernet1/0/3]port link-type trunk
[FW-GigabitEthernet1/0/3]port trunk permit vlan 10 20 30
[FW-GigabitEthernet1/0/3]undo port trunk permit vlan 1
[FW-GigabitEthernet1/0/3]quit
[FW]
# Configure the interconnect address 10.0.23.3/24 on the interface to the switch (link 2)
[FW]inter GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.0.23.3 24
[FW-GigabitEthernet1/0/2]quit
[FW]
#創(chuàng)建業(yè)務(wù)vlan的網(wǎng)關(guān)接口
[FW]inter vlan 10
[FW-Vlan-interface10]ip address 172.16.10.1 24
[FW-Vlan-interface10]quit
[FW]
[FW]inter vlan 20
[FW-Vlan-interface20]ip address 172.16.20.1 24
[FW-Vlan-interface20]quit
[FW]
[FW]inter vlan 30
[FW-Vlan-interface30]ip address 172.16.30.1 24
[FW-Vlan-interface30]quit
[FW]
#創(chuàng)建業(yè)務(wù)vlan的dhcp地址池
[FW]dhcp server ip-pool vlan10
# Network segment the pool allocates addresses from
[FW-dhcp-pool-vlan10]network 172.16.10.0 mask 255.255.255.0
# Gateway address the pool hands out
[FW-dhcp-pool-vlan10]gateway-list 172.16.10.1
# DNS server addresses the pool hands out
[FW-dhcp-pool-vlan10]dns-list 114.114.114.114 8.8.8.8
[FW-dhcp-pool-vlan10]quit
[FW]
[FW]dhcp server ip-pool vlan20
[FW-dhcp-pool-vlan20]network 172.16.20.0 mask 255.255.255.0
[FW-dhcp-pool-vlan20]gateway-list 172.16.20.1
[FW-dhcp-pool-vlan20]dns-list 114.114.114.114 8.8.8.8
[FW-dhcp-pool-vlan20]quit
[FW]
[FW]dhcp server ip-pool vlan30
[FW-dhcp-pool-vlan30]network 172.16.30.0 mask 255.255.255.0
[FW-dhcp-pool-vlan30]gateway-list 172.16.30.1
[FW-dhcp-pool-vlan30]dns-list 114.114.114.114 8.8.8.8
[FW-dhcp-pool-vlan30]quit
[FW]
# Enable the DHCP server function globally
[FW]dhcp enable
[FW]
# Default route pointing to the core switch
[FW]ip route-static 0.0.0.0 0 10.0.23.2
[FW]
# Add g1/0/3 (the interface where internal traffic enters the firewall) and the gateway interfaces to the Trust security zone
[FW]security-zone name Trust
# When a Layer 2 port is added to a security zone, the VLANs permitted through that port must be specified as well
[FW-security-zone-Trust]import interface GigabitEthernet 1/0/3 vlan 10 20 30
[FW-security-zone-Trust]import interface Vlan-interface 10
[FW-security-zone-Trust]import interface Vlan-interface 20
[FW-security-zone-Trust]import interface Vlan-interface 30
[FW-security-zone-Trust]quit
[FW]
# Add g1/0/2 (the interface where traffic leaves the firewall) to the Untrust security zone
[FW]security-zone name Untrust
[FW-security-zone-Untrust]import interface GigabitEthernet 1/0/2
[FW-security-zone-Untrust]quit
[FW]
# Configure the security policy; rules are matched top-down in the order shown by dis cu conf security-policy-ip
[FW]security-policy ip
# Rule 1, named toInternet, allows all internal segments to reach the router and the upstream network through the firewall. Here traffic enters the device on g1/0/3 (trust) and leaves on g1/0/2 (untrust), so traffic from trust to untrust with source addresses 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24 must be permitted
[FW-security-policy-ip]rule 1 name toInternet
[FW-security-policy-ip-1-toInternet]source-zone trust
[FW-security-policy-ip-1-toInternet]destination-zone untrust
[FW-security-policy-ip-1-toInternet]source-ip-subnet 172.16.10.1 24
[FW-security-policy-ip-1-toInternet]source-ip-subnet 172.16.20.1 24
[FW-security-policy-ip-1-toInternet]source-ip-subnet 172.16.30.1 24
[FW-security-policy-ip-1-toInternet]action pass
[FW-security-policy-ip-1-toInternet]quit
[FW-security-policy-ip]
# Rule 2, named dhcpserver, permits all DHCP-related traffic so that addresses can be assigned normally
[FW-security-policy-ip]rule 2 name dhcpserver
[FW-security-policy-ip-2-dhcpserver]service dhcp-client
[FW-security-policy-ip-2-dhcpserver]service dhcp-server
[FW-security-policy-ip-2-dhcpserver]action pass
[FW-security-policy-ip-2-dhcpserver]quit
[FW-security-policy-ip]
# Rule 5, named denyvlan10tovlan20, blocks VLAN 10 from reaching VLAN 20. Here traffic enters the device on g1/0/3 (trust) and leaves on g1/0/3 (trust), so the match conditions are trust to trust, source address 172.16.10.0/24, destination address 172.16.20.0/24; with no 'action pass' configured, the rule's default action is deny
[FW-security-policy-ip]rule 5 name denyvlan10tovlan20
[FW-security-policy-ip-5-denyvlan10tovlan20]source-zone trust
[FW-security-policy-ip-5-denyvlan10tovlan20]destination-zone trust
[FW-security-policy-ip-5-denyvlan10tovlan20]source-ip-subnet 172.16.10.0 24
[FW-security-policy-ip-5-denyvlan10tovlan20]destination-ip-subnet 172.16.20.0 24
[FW-security-policy-ip-5-denyvlan10tovlan20]quit
[FW-security-policy-ip]
# Rule 10, named denyvlan20tovlan30, blocks VLAN 20 from reaching VLAN 30; same principle as rule 5.
[FW-security-policy-ip]rule 10 name denyvlan20tovlan30
[FW-security-policy-ip-10-denyvlan20tovlan30]source-zone trust
[FW-security-policy-ip-10-denyvlan20tovlan30]destination-zone trust
[FW-security-policy-ip-10-denyvlan20tovlan30]source-ip-subnet 172.16.20.0 24
[FW-security-policy-ip-10-denyvlan20tovlan30]destination-ip-subnet 172.16.30.0 24
[FW-security-policy-ip-10-denyvlan20tovlan30]qu
[FW-security-policy-ip]
# Rule 15, named permitother, allows all other traffic between the internal VLANs; same principle as rule 5.
[FW-security-policy-ip]rule 15 name permitother
[FW-security-policy-ip-15-permitother]source-zone trust
[FW-security-policy-ip-15-permitother]destination-zone trust
[FW-security-policy-ip-15-permitother]source-ip-subnet 172.16.10.0 24
[FW-security-policy-ip-15-permitother]source-ip-subnet 172.16.20.0 24
[FW-security-policy-ip-15-permitother]source-ip-subnet 172.16.30.0 24
[FW-security-policy-ip-15-permitother]action pass
[FW-security-policy-ip-15-permitother]qu
[FW-security-policy-ip]quit
[FW]
# Save the configuration
[FW] save force
4. Configure the egress router
sys
[H3C]sysname Router
# Configure the router downlink as 10.0.12.1/24
[Router]inter GigabitEthernet 0/1
[Router-GigabitEthernet0/1]ip address 10.0.12.1 24
[Router-GigabitEthernet0/1]quit
[Router]
#給內(nèi)網(wǎng)三個(gè)網(wǎng)段寫回程路由指向核心交換機(jī)
[Router]ip route-static 172.16.10.0 24 10.0.12.2
[Router]ip route-static 172.16.20.0 24 10.0.12.2
[Router]ip route-static 172.16.30.0 24 10.0.12.2
# Save the configuration
[Router] save force
一、結(jié)果驗(yàn)證
1、 三臺(tái)pc均可ping通出口路由器
配置關(guān)鍵點(diǎn)
1、安全策略按照dis cu conf security-policy-ip看到的順序從上往下匹配
2、配置安全策略前,先想一下流量走向,即流量從哪個(gè)接口進(jìn),又從哪個(gè)接口出,這樣就可以根據(jù)接口確定源/目安全域了
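The two key points above (top-down rule matching and zone determination from the ingress/egress interface) are easy to get wrong when rules are added later in a different order. The following is an added example, not code from the original article or from H3C: a small Python simulator that models the five security-policy rules exactly as configured above and evaluates constructed sample flows against them, including what happens when rule 15 is moved ahead of the deny rules. Zone membership, subnets and rule names come from the page's configuration; the flows, the helper names and the assumption that traffic matching no rule is dropped are this example's own.

```python
"""Simulate H3C-style top-down security-policy matching for the rules on this page.

Added example: rule content mirrors the firewall configuration in the article,
the sample flows below are constructed, and the fall-through default deny is an
assumption of this model (not a quote of H3C documentation).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Trust zone: Vlan-interface 10/20/30 and g1/0/3 carrying those VLANs.
# Untrust zone: g1/0/2, the routed link back to the core switch.
TRUST_NETS = [ip_network(n) for n in ("172.16.10.0/24",
                                      "172.16.20.0/24",
                                      "172.16.30.0/24")]


def zone_of(ip: str) -> str:
    """Map an address to the zone of the interface it enters or leaves on."""
    addr = ip_address(ip)
    return "trust" if any(addr in net for net in TRUST_NETS) else "untrust"


def nets(*cidrs: str) -> List[IPv4Network]:
    return [ip_network(c) for c in cidrs]


@dataclass
class Rule:
    rid: int
    name: str
    src_zone: Optional[str] = None      # None = any zone (rule 2 sets none)
    dst_zone: Optional[str] = None
    src_nets: List[IPv4Network] = field(default_factory=list)  # empty = any
    dst_nets: List[IPv4Network] = field(default_factory=list)
    services: List[str] = field(default_factory=list)          # empty = any
    action: str = "drop"   # a rule with no 'action pass' denies what it matches

    def matches(self, src: str, dst: str, service: str) -> bool:
        if self.src_zone and zone_of(src) != self.src_zone:
            return False
        if self.dst_zone and zone_of(dst) != self.dst_zone:
            return False
        if self.src_nets and not any(ip_address(src) in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(dst) in n for n in self.dst_nets):
            return False
        if self.services and service not in self.services:
            return False
        return True


INTERNAL = ("172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24")

# The five rules in the order 'dis cu conf security-policy-ip' would list them.
PAGE_RULES: List[Rule] = [
    Rule(1, "toInternet", "trust", "untrust", src_nets=nets(*INTERNAL), action="pass"),
    Rule(2, "dhcpserver", services=["dhcp-client", "dhcp-server"], action="pass"),
    Rule(5, "denyvlan10tovlan20", "trust", "trust",
         src_nets=nets("172.16.10.0/24"), dst_nets=nets("172.16.20.0/24")),
    Rule(10, "denyvlan20tovlan30", "trust", "trust",
         src_nets=nets("172.16.20.0/24"), dst_nets=nets("172.16.30.0/24")),
    Rule(15, "permitother", "trust", "trust", src_nets=nets(*INTERNAL), action="pass"),
]


def evaluate(rules: List[Rule], src: str, dst: str,
             service: str = "icmp") -> Tuple[str, Optional[int]]:
    """First matching rule wins, top-down; returns (action, rule id)."""
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.action, rule.rid
    return "drop", None   # assumption: unmatched traffic hits the default deny


def with_rule_first(rules: List[Rule], rid: int) -> List[Rule]:
    """Return a copy of the rule list with one rule moved to the top."""
    moved = [r for r in rules if r.rid == rid]
    return moved + [r for r in rules if r.rid != rid]


if __name__ == "__main__":
    flows = [("172.16.10.5", "172.16.20.5", "icmp"),   # constructed: VLAN10 -> VLAN20
             ("172.16.20.5", "172.16.30.5", "icmp"),   # VLAN20 -> VLAN30
             ("172.16.30.5", "172.16.10.5", "icmp"),   # VLAN30 -> VLAN10
             ("172.16.10.5", "8.8.8.8", "icmp"),       # VLAN10 -> Internet
             ("0.0.0.0", "255.255.255.255", "dhcp-server")]
    for src, dst, svc in flows:
        print(src, "->", dst, svc, evaluate(PAGE_RULES, src, dst, svc))
    # Moving permitother above the deny rules silently defeats both of them.
    print("rule 15 first:", evaluate(with_rule_first(PAGE_RULES, 15),
                                     "172.16.10.5", "172.16.20.5"))
```

The reordering case is the one worth keeping in mind on a real device: because rules 5 and 10 rely on the implicit deny of a rule without `action pass`, any later rule inserted above them with a broader match (such as permitother) turns the intended blocks into no-ops without any error from the CLI. Checking the ordering after every change, as key point 1 recommends, is the cheapest way to catch this.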