
Huawei eNSP simulator: configuring a firewall as a layer-3 core switch

Time: 2022-10-12 01:45:57


Command line

First configure the interfaces, IP addresses, masks and gateways of PC1, PC2, PC3, PC4, R1, R2 and R3.

PC1:

PC2:

PC3:

R1:
sys
un in en
sysname R1
int e0/0/0
ip address 192.168.70.7 24
dis this
quit

R2:
sys
un in en
sysname R2
int e0/0/0
ip address 192.168.77.7 24
dis this
quit

R3:
sys
un in en
sysname R3
int e0/0/0
ip address 177.7.7.7 24
dis this
quit

Next, configure the interfaces of the two switches: the ports facing the PCs become Access ports and the port towards the firewall becomes a Trunk port; then create the VLANs and assign each port to its VLAN.

LSW1:
sys
un in en
sysname LSW1
vlan batch 7 17
int e0/0/2
port link-type access
port de vlan 7
dis this
int e0/0/3
port link-type access
port de vlan 7
dis this
int e0/0/4
port link-type access
port de vlan 17
quit
dis port vlan
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 7 17
dis this
quit
dis port vlan

LSW2:
sys
un in en
sysname LSW2
vlan 10
int e0/0/2
port link-type access
port de vlan 10
dis this
int e0/0/1
port link-type trunk
port trunk allow-pass vlan 10
dis this
quit
dis port vlan

On the firewall, create the VLANs and then configure its interfaces: GE1/0/0 and GE1/0/1 become Trunk ports, GE1/0/2 and GE1/0/3 become Access ports that allow the corresponding VLAN through. Then create the logical (VLANIF) interfaces and place each one in its VLAN.

FW: (vlanif 77 takes 192.168.77.1 so that it sits in R2's 192.168.77.0/24 subnet; it must not reuse the vlanif 70 address)
sys
un in en
vlan batch 7 10 17 70 77
dis port vlan
int g1/0/0
portswitch
port link-type trunk
port trunk allow-pass vlan 7 17
dis this
int g1/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 10
dis this
int g1/0/2
portswitch
port link-type access
port de vlan 70
dis this
int g1/0/3
portswitch
port link-type access
port de vlan 77
dis this
quit
dis ip int brief
interface vlanif 7
ip address 192.168.7.1 24
service-manage ping permit
dis this
quit
interface vlanif 10
ip address 192.168.10.1 24
service-manage ping permit
dis this
quit
interface vlanif 17
ip address 192.168.17.1 24
service-manage ping permit
dis this
quit
interface vlanif 70
ip address 192.168.70.1 24
service-manage ping permit
dis this
quit
interface vlanif 77
ip address 192.168.77.1 24
service-manage ping permit
dis this
quit
dis port vlan

Create a security zone for each VLAN and assign the matching logical interface to it, so that traffic between VLANs can be controlled in a fine-grained way.

FW:
sys
firewall zone name vlan7
set priority 75
add int Vlanif7
dis this
quit
firewall zone name vlan10
set priority 77
add int Vlanif10
dis this
quit
firewall zone name vlan17
set priority 76
add int Vlanif17
dis this
quit
firewall zone name vlan70
set priority 78
add int Vlanif70
dis this
quit
firewall zone name vlan77
set priority 79
add int Vlanif77
dis this
quit

With this much configured, the PCs in each VLAN can reach their own gateway. Verification results:

vlan7-PC1:

vlan17-PC3:

vlan10-PC4:

vlan70-R1:

vlan77-R2:

Hosts in the same zone can reach each other; hosts in different zones cannot. Verification results:

Now only the security policies required between the different zones need to be configured to achieve fine-grained control.

FW:
sys
security-policy
rule name vlan7_to_vlan17
source-zone vlan7
destination-zone vlan17
service icmp
action permit
dis this

Verification results:

The rest is not demonstrated here; configure the corresponding security policy for each pair of zones to achieve fine-grained control.
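A small configuration check, added here as an example and not part of the original post: it parses a constructed VRP-style excerpt mirroring the vlanif and security-policy sections above and reports vlanif interfaces whose subnets overlap (what happens when two vlanifs are given the same address) and policy rules that reference zones never created with "firewall zone name". The sample text and the predefined zone list are assumptions of the example.

```python
import ipaddress
import re

# Constructed VRP-style excerpt (not the post's full listing); vlanif 77 deliberately
# repeats the vlanif 70 address, and one rule names a zone that was never created.
SAMPLE_CONFIG = """\
interface vlanif 7
ip address 192.168.7.1 24
interface vlanif 70
ip address 192.168.70.1 24
interface vlanif 77
ip address 192.168.70.1 24
firewall zone name vlan7
firewall zone name vlan17
security-policy
rule name vlan7_to_vlan17
source-zone vlan7
destination-zone vlan17
rule name vlan7_to_vlan10
source-zone vlan7
destination-zone vlan10
"""

PREDEFINED_ZONES = {"local", "trust", "untrust", "dmz"}  # exist on the USG out of the box

def parse_vlanifs(config):
    """Map each 'interface vlanif N' to the ip_interface set by its 'ip address A M' line."""
    vlanifs, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface\s+vlanif\s*(\d+)$", line, re.I)
        if m:
            current = f"vlanif{m.group(1)}"
            continue
        m = re.match(r"ip address\s+(\S+)\s+(\d+)$", line)
        if m and current:
            vlanifs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return vlanifs

def overlapping_vlanifs(vlanifs):
    """Pairs of vlanifs whose subnets overlap; they cannot coexist, so one VLAN loses its gateway."""
    names = sorted(vlanifs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if vlanifs[a].network.overlaps(vlanifs[b].network)]

def undefined_zones(config):
    """Zones used in source-zone/destination-zone that no 'firewall zone name' created."""
    defined = set(re.findall(r"firewall zone name\s+(\S+)", config)) | PREDEFINED_ZONES
    used = set(re.findall(r"(?:source|destination)-zone\s+(\S+)", config))
    return sorted(used - defined)
```

Run `overlapping_vlanifs(parse_vlanifs(SAMPLE_CONFIG))` and `undefined_zones(SAMPLE_CONFIG)` against a pasted "display current-configuration" excerpt to catch both mistakes before testing connectivity from the PCs.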

If a PC on the internal network needs to reach external addresses, configure source NAT, add the matching policy, and set a default route out of the external interface.

FW:
sys
firewall zone trust
add int g1/0/0
add int g1/0/1
add int g1/0/2
add int g1/0/3
dis this
quit
firewall zone untrust
add int g1/0/4
dis this
quit
int g1/0/4
ip address 177.7.7.1 24
dis this
quit
ip route-static 0.0.0.0 0 177.7.7.7
nat-policy
rule name vlan7_nat_untrust
source-zone vlan7
egress-int g1/0/4
action nat easy-ip
dis this
quit
quit

Verification results:

Firewall web-side configuration
