Command line
First, configure the interfaces, IP addresses, masks and gateways of PC1, PC2, PC3, PC4, R1, R2 and R3.
PC1:
PC2:
PC3:
R1:
  sys
  un in en
  sysname R1
  int e0/0/0
  ip address 192.168.70.7 24
  dis this
  quit
R2:
  sys
  un in en
  sysname R2
  int e0/0/0
  ip address 192.168.77.7 24
  dis this
  quit
R3:
  sys
  un in en
  sysname R3
  int e0/0/0
  ip address 177.7.7.7 24
  dis this
  quit
Next, configure the interfaces of the two switches: set the ports connected to the PCs as Access ports, set the port toward the firewall as a Trunk port, create the VLANs, and assign each port to its VLAN.
LSW1:
  sys
  un in en
  sysname LSW1
  vlan batch 7 17
  int e0/0/2
  port link-type access
  port de vlan 7
  dis this
  int e0/0/3
  port link-type access
  port de vlan 7
  dis this
  int e0/0/4
  port link-type access
  port de vlan 17
  quit
  dis port vlan
  int e0/0/1
  port link-type trunk
  port trunk allow-pass vlan 7 17
  dis this
  quit
  dis port vlan
LSW2:
  sys
  un in en
  sysname LSW2
  vlan 10
  int e0/0/2
  port link-type access
  port de vlan 10
  dis this
  int e0/0/1
  port link-type trunk
  port trunk allow-pass vlan 10
  dis this
  quit
  dis port vlan
Create the VLANs on the firewall, then configure the firewall interfaces: set GE 1/0/0 and GE 1/0/1 as Trunk ports, set GE 1/0/2 and GE 1/0/3 as Access ports, allow the corresponding VLANs through, and then create the logical (Vlanif) interfaces, one per VLAN.
FW:
  sys
  un in en
  vlan batch 7 10 17 70 77
  dis port vlan
  int g1/0/0
  portswitch
  port link-type trunk
  port trunk allow-pass vlan 7 17
  dis this
  int g1/0/1
  portswitch
  port link-type trunk
  port trunk allow-pass vlan 10
  dis this
  int g1/0/2
  portswitch
  port link-type access
  port de vlan 70
  dis this
  int g1/0/3
  portswitch
  port link-type access
  port de vlan 77
  dis this
  quit
  dis ip int brief
  interface vlanif 7
  ip address 192.168.7.1 24
  service-manage ping permit
  dis this
  quit
  interface vlanif 10
  ip address 192.168.10.1 24
  service-manage ping permit
  dis this
  quit
  interface vlanif 17
  ip address 192.168.17.1 24
  service-manage ping permit
  dis this
  quit
  interface vlanif 70
  ip address 192.168.70.1 24
  service-manage ping permit
  dis this
  quit
  interface vlanif 77
  ip address 192.168.77.1 24
  service-manage ping permit
  dis this
  quit
  dis port vlan
Create a security zone for each VLAN and assign the corresponding logical interface to it, so that traffic between VLANs can be controlled at a fine granularity.
FW:
  sys
  firewall zone name vlan7
  set priority 75
  add int Vlanif7
  dis this
  quit
  firewall zone name vlan10
  set priority 77
  add int Vlanif10
  dis this
  quit
  firewall zone name vlan17
  set priority 76
  add int Vlanif17
  dis this
  quit
  firewall zone name vlan70
  set priority 78
  add int Vlanif70
  dis this
  quit
  firewall zone name vlan77
  set priority 79
  add int Vlanif77
  dis this
  quit
With the configuration so far, the PCs in each VLAN can reach their own gateway. Verification results:
vlan7-PC1:
vlan17-PC3:
vlan10-PC4:
vlan70-R1:
vlan77-R2:
Hosts in the same zone can reach each other; hosts in different zones cannot. Verification results:
Next, configure a security policy for each pair of zones according to the requirements; this is what provides the fine-grained control.
FW:
  sys
  security-policy
  rule name vlan7_to_vlan17
  source-zone vlan7
  destination-zone vlan17
  service icmp
  action permit
  dis this
Verification results:
The remaining zone pairs are not demonstrated here; configuring the matching security policy for each pair of zones gives the same fine-grained control.
If a PC on the internal network needs to reach an external address, configure source NAT (a NAT policy), and set a default route out of the external interface. Because vlan7 and untrust are different zones, a security policy permitting vlan7 to untrust is also needed, otherwise the interzone default deny applies before NAT is ever reached.
FW:
  sys
  firewall zone trust
  add int g1/0/0
  add int g1/0/1
  add int g1/0/2
  add int g1/0/3
  dis this
  quit
  firewall zone untrust
  add int g1/0/4
  dis this
  quit
  int g1/0/4
  ip address 177.7.7.1 24
  dis this
  quit
  ip route-static 0.0.0.0 0 177.7.7.7
  nat-policy
  rule name vlan7_nat_untrust
  source-zone vlan7
  egress-int g1/0/4
  action nat easy-ip
  dis this
  quit
  quit
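To make the zone, security-policy and NAT decisions above concrete, here is an added example (not part of the original lab write-up and not Huawei code) that models how the firewall classifies a first packet: it resolves source and destination zones from the Vlanif/interface subnets and the zone assignments configured on this page, applies the security policy in order (same zone permitted, different zones denied unless a rule matches, as the page observed), and then applies the easy-ip NAT rule. The interfaces, zones and the vlan7_to_vlan17 rule are taken from this page; the vlan7_to_untrust permit rule is an assumption (the page says a policy is needed for internet access but does not show it), and the host addresses used in the test calls are constructed. Only the first packet of a flow is modelled; the real firewall creates a session and forwards replies statefully.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interfaces and zones, taken from the firewall configuration on this page.
INTERFACES = {
    "Vlanif7": "192.168.7.1/24",
    "Vlanif10": "192.168.10.1/24",
    "Vlanif17": "192.168.17.1/24",
    "Vlanif70": "192.168.70.1/24",
    "Vlanif77": "192.168.77.1/24",
    "GigabitEthernet1/0/4": "177.7.7.1/24",
}
ZONE_OF_INTERFACE = {
    "Vlanif7": "vlan7", "Vlanif10": "vlan10", "Vlanif17": "vlan17",
    "Vlanif70": "vlan70", "Vlanif77": "vlan77",
    "GigabitEthernet1/0/4": "untrust",
}
DEFAULT_NEXT_HOP = "177.7.7.7"  # ip route-static 0.0.0.0 0 177.7.7.7


@dataclass
class Rule:
    name: str
    source_zone: Optional[str]       # None matches any zone
    destination_zone: Optional[str]
    service: Optional[str]           # None matches any service
    action: str                      # "permit" or "deny"


SECURITY_POLICY: List[Rule] = [
    Rule("vlan7_to_vlan17", "vlan7", "vlan17", "icmp", "permit"),  # from the page
    # Assumed rule: vlan7 and untrust are different zones, so without it the
    # interzone default (deny) applies and the NAT policy is never reached.
    Rule("vlan7_to_untrust", "vlan7", "untrust", None, "permit"),
]


@dataclass
class NatRule:
    name: str
    source_zone: str
    egress_interface: str  # easy-ip: source becomes this interface's address


NAT_POLICY: List[NatRule] = [
    NatRule("vlan7_nat_untrust", "vlan7", "GigabitEthernet1/0/4"),
]


def connected_interface(ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the directly connected subnets."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in INTERFACES.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def egress_interface(ip: str) -> Optional[str]:
    """Connected route first, otherwise the static default route via 177.7.7.7."""
    return connected_interface(ip) or connected_interface(DEFAULT_NEXT_HOP)


def zone_of(ip: str) -> str:
    return ZONE_OF_INTERFACE[egress_interface(ip)]


def evaluate(src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
    """Return (action, source address after NAT) for the first packet of a flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    action = "permit" if src_zone == dst_zone else "deny"  # intrazone permitted
    if src_zone != dst_zone:
        for rule in SECURITY_POLICY:  # first matching interzone rule decides
            if (rule.source_zone in (None, src_zone)
                    and rule.destination_zone in (None, dst_zone)
                    and rule.service in (None, service)):
                action = rule.action
                break
    translated_src = src_ip
    if action == "permit":  # NAT is only consulted for permitted traffic
        out_if = egress_interface(dst_ip)
        for nat in NAT_POLICY:
            if nat.source_zone == src_zone and nat.egress_interface == out_if:
                translated_src = INTERFACES[out_if].split("/")[0]
                break
    return action, translated_src


def overlapping_interfaces(interfaces) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose subnets overlap, e.g. two Vlanifs given the
    same gateway address; such a slip makes zone_of() ambiguous."""
    nets = [(n, ipaddress.ip_network(c, strict=False)) for n, c in interfaces.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    for flow in [("192.168.7.10", "192.168.17.10", "icmp"),
                 ("192.168.17.10", "192.168.7.10", "icmp"),
                 ("192.168.7.10", "177.7.7.7", "icmp")]:
        print(*flow, "->", evaluate(*flow))
    print("overlapping subnets:", overlapping_interfaces(INTERFACES))
```

The reverse direction (vlan17 to vlan7) is denied as a new flow even though the page's rule permits vlan7 to vlan17; on the real device the echo reply still gets back because the firewall matches it to the session created by the permitted request. `overlapping_interfaces` is the sanity check to run over the Vlanif addresses before assigning zones: if two Vlanifs end up on the same subnet, the zone lookup (and the traffic) becomes unpredictable.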
Verification results:
Firewall web UI configuration