二层交换机与防火墙对接上网配置示例
组网图形
二层交换机简介
二层交换机指的是仅能够进行二层转发,不能进行三层转发的交换机。也就是说仅支持二层特性,不支持路由等三层特性的交换机。
二层交换机一般部署在接入层,不能作为用户的网关。
配置注意事项
本举例中的交换机配置适用于S系列交换机所有产品的所有版本。
本举例中的防火墙配置以USG6650 V500R001C60为例,其他防火墙的配置方法请参见对应的文档指南。
组网需求
如图1所示,某公司拥有多个部门且位于不同网段,各部门均有访问Internet的需求。现要求用户通过二层交换机和防火墙访问外部网络,且要求防火墙作为用户的网关。
配置思路
采用如下思路进行配置:
-
配置交换机基于接口划分VLAN,实现二层转发。
-
配置防火墙作为DHCP服务器,为用户PC分配IP地址。
操作步骤
- 配置交换机
# 配置下行连接用户的接口。
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan batch 2 3 [Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access //配置接口接入类型为access [Switch-GigabitEthernet0/0/2] port default vlan 2 //配置接口加入VLAN 2 [Switch-GigabitEthernet0/0/2] quit [Switch] interface gigabitethernet 0/0/3 [Switch-GigabitEthernet0/0/3] port link-type access [Switch-GigabitEthernet0/0/3] port default vlan 3 [Switch-GigabitEthernet0/0/3] quit
# 配置上行连接防火墙的接口。
[Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type trunk [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3 //配置接口以trunk方式透传VLAN 2和VLAN 3 [Switch-GigabitEthernet0/0/1] quit
- 配置防火墙
防火墙的配置有两种方式,配置子接口或者配置VLANIF接口,两种方式选择其一即可。
-
# 配置终结子接口。
<USG6600> system-view [USG6600] interface gigabitethernet 1/0/1.1 [USG6600-GigabitEthernet1/0/1.1] vlan-type dot1q 2 [USG6600-GigabitEthernet1/0/1.1] ip address 192.168.1.1 24 [USG6600-GigabitEthernet1/0/1.1] quit [USG6600] interface gigabitethernet 1/0/1.2 [USG6600-GigabitEthernet1/0/1.2] vlan-type dot1q 3 [USG6600-GigabitEthernet1/0/1.2] ip address 192.168.2.1 24 [USG6600-GigabitEthernet1/0/1.2] quit
# 配置DHCP功能,为内网用户分配IP地址并指定DNS服务器地址。
[USG6600] dhcp enable [USG6600] interface gigabitethernet 1/0/1.1 [USG6600-GigabitEthernet1/0/1.1] dhcp select interface //开启接口采用接口地址池的DHCP Server功能 [USG6600-GigabitEthernet1/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5 //配置的DNS-List 114.114.114.114是公用的DNS服务器地址,是不区分运营商的。在实际应用中,请根据运营商分配的DNS进行配置 [USG6600-GigabitEthernet1/0/1.1] quit [USG6600] interface gigabitethernet 1/0/1.2 [USG6600-GigabitEthernet1/0/1.2] dhcp select interface [USG6600-GigabitEthernet1/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5 [USG6600-GigabitEthernet1/0/1.2] quit
# 配置公网接口的IP地址和静态路由。
[USG6600] interface gigabitethernet 1/0/2 [USG6600-GigabitEthernet1/0/2] ip address 203.0.113.2 255.255.255.0 //配置连接公网的接口GE0/0/2的IP地址203.0.113.2 [USG6600-GigabitEthernet1/0/2] quit [USG6600] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //配置静态缺省路由的下一跳指向公网提供的IP地址203.0.113.1
# 配置安全区域。
[USG6600] firewall zone trust //配置trust域 [USG6600-zone-trust] add interface gigabitethernet 1/0/1 [USG6600-zone-trust] add interface gigabitethernet 1/0/1.1 [USG6600-zone-trust] add interface gigabitethernet 1/0/1.2 [USG6600-zone-trust] quit [USG6600] firewall zone untrust //配置untrust域 [USG6600-zone-untrust] add interface gigabitethernet 1/0/2 [USG6600-zone-untrust] quit
# 配置安全策略,允许域间互访。[USG6600] security-policy [USG6600-policy-security] rule name policy1 [USG6600-policy-security-rule-policy1] source-zone trust [USG6600-policy-security-rule-policy1] destination-zone untrust [USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0 [USG6600-policy-security-rule-policy1] action permit [USG6600-policy-security-rule-policy1] quit [USG6600-policy-security] quit
# 配置PAT地址池,开启允许端口地址转换。[USG6600] nat address-group addressgroup1 [USG6600-address-group-addressgroup1] mode pat [USG6600-address-group-addressgroup1] route enable [USG6600-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2 //转换的公网IP地址 [USG6600-address-group-addressgroup1] quit
# 配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换。[USG6600] nat-policy [USG6600-policy-nat] rule name policy_nat1 [USG6600-policy-nat-rule-policy_nat1] source-zone trust [USG6600-policy-nat-rule-policy_nat1] destination-zone untrust [USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //允许进行PAT转换的源IP地址 [USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1 [USG6600-policy-nat-rule-policy_nat1] quit [USG6600-policy-nat] quit [USG6600] quit
-
# 配置VLANIF接口。
<USG6600> system-view [USG6600] vlan batch 2 3 [USG6600] interface gigabitethernet 1/0/1 [USG6600-GigabitEthernet1/0/1] portswitch //将以太网接口从三层模式切换到二层模式。如果接口已经是二层模式,跳过该步骤 [USG6600-GigabitEthernet1/0/1] port link-type hybrid [USG6600-GigabitEthernet1/0/1] port hybrid tagged vlan 2 to 3 [USG6600-GigabitEthernet1/0/1] quit [USG6600] interface vlanif 2 [USG6600-Vlanif2] ip address 192.168.1.1 24 //配置VLANIF2的IP地址作为PC1的网关 [USG6600-Vlanif2] quit [USG6600] interface vlanif 3 [USG6600-Vlanif3] ip address 192.168.2.1 24 //配置VLANIF3的IP地址作为PC2的网关 [USG6600-Vlanif3] quit
# 配置DHCP功能。
[USG6600] dhcp enable [USG6600] interface vlanif 2 [USG6600-Vlanif2] dhcp select interface [USG6600-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //配置的DNS-List 114.114.114.114是公用的DNS服务器地址,是不区分运营商的。在实际应用中,请根据运营商分配的DNS进行配置 [USG6600-Vlanif2] quit [USG6600] interface vlanif 3 [USG6600-Vlanif3] dhcp select interface [USG6600-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5 [USG6600-Vlanif3] quit
# 配置公网接口的IP地址和静态路由。
[USG6600] interface gigabitethernet 1/0/2 [USG6600-GigabitEthernet1/0/2] ip address 203.0.113.2 255.255.255.0 [USG6600-GigabitEthernet1/0/2] quit [USG6600] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 //配置静态缺省路由的下一跳指向公网提供的IP地址203.0.113.1
# 配置安全区域。
[USG6600] firewall zone trust [USG6600-zone-trust] add interface gigabitethernet 1/0/1 [USG6600-zone-trust] add interface vlanif 2 [USG6600-zone-trust] add interface vlanif 3 [USG6600-zone-trust] quit [USG6600] firewall zone untrust [USG6600-zone-untrust] add interface gigabitethernet 1/0/2 [USG6600-zone-untrust] quit
# 配置安全策略,允许域间互访。[USG6600] security-policy [USG6600-policy-security] rule name policy1 [USG6600-policy-security-rule-policy1] source-zone trust [USG6600-policy-security-rule-policy1] destination-zone untrust [USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0 [USG6600-policy-security-rule-policy1] action permit [USG6600-policy-security-rule-policy1] quit [USG6600-policy-security] quit
# 配置PAT地址池,开启允许端口地址转换。[USG6600] nat address-group addressgroup1 [USG6600-address-group-addressgroup1] mode pat [USG6600-address-group-addressgroup1] route enable [USG6600-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2 //转换的公网IP地址 [USG6600-address-group-addressgroup1] quit
# 配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换。[USG6600] nat-policy [USG6600-policy-nat] rule name policy_nat1 [USG6600-policy-nat-rule-policy_nat1] source-zone trust [USG6600-policy-nat-rule-policy_nat1] destination-zone untrust [USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //允许进行PAT转换的源IP地址 [USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1 [USG6600-policy-nat-rule-policy_nat1] quit [USG6600-policy-nat] quit [USG6600] quit
-
- 检查配置结果
配置PC1的IP地址为192.168.1.2/24,网关为192.168.1.1;PC2的IP地址为192.168.2.2/24,网关为192.168.2.1。
配置外网PC的IP地址为203.0.113.1/24,网关为203.0.113.2。
配置完成后,PC1和PC2都可以Ping通外网的IP 203.0.113.1/24,PC1和PC2都可以访问Internet。
配置文件
- Switch的配置文件
# sysname Switch # vlan batch 2 to 3 # interface GigabitEthernet0/0/1port link-type trunkport trunk allow-pass vlan 2 to 3 # interface GigabitEthernet0/0/2port link-type accessport default vlan 2 # interface GigabitEthernet0/0/3port link-type accessport default vlan 3 # return
- USG的配置文件(防火墙通过子接口进行三层转发的配置文件)
# interface GigabitEthernet1/0/1 # interface GigabitEthernet1/0/1.1vlan-type dot1q 2 ip address 192.168.1.1 255.255.255.0dhcp select interfacedhcp server dns-list 114.114.114.114 223.5.5.5# interface GigabitEthernet1/0/1.2vlan-type dot1q 3ip address 192.168.2.1 255.255.255.0dhcp select interfacedhcp server dns-list 114.114.114.114 223.5.5.5 # interface GigabitEthernet1/0/2ip address 203.0.113.2 255.255.255.0 # firewall zone trustset priority 85add interface GigabitEthernet1/0/1add interface GigabitEthernet1/0/1.1add interface GigabitEthernet1/0/1.2 # firewall zone untrustset priority 5add interface GigabitEthernet1/0/2 #ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 # nat address-group addressgroup1 0 mode pat route enable section 0 203.0.113.2 203.0.113.2 # security-policy rule name policy1 source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action permit # nat-policy rule name policy_nat1 source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action nat address-group addressgroup1 # return
- USG的配置文件(防火墙通过VLANIF接口进行三层转发的配置文件)
#vlan batch 2 to 3 # interface Vlanif2ip address 192.168.1.1 255.255.255.0 dhcp server dns-list 114.114.114.114 223.5.5.5 # interface Vlanif3ip address 192.168.2.1 255.255.255.0 dhcp select interface dhcp server dns-list 114.114.114.114 223.5.5.5 # interface GigabitEthernet1/0/1portswitchport hybrid tagged vlan 2 to 3 # interface GigabitEthernet1/0/2ip address 203.0.113.2 255.255.255.0 # firewall zone trustset priority 85add interface GigabitEthernet1/0/1add interface Vlanif2add interface Vlanif3 # firewall zone untrustset priority 5add interface GigabitEthernet1/0/2 #ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 # nat address-group addressgroup1 0 mode pat route enable section 0 203.0.113.2 203.0.113.2 # security-policy rule name policy1 source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action permit # nat-policy rule name policy_nat1 source-zone trust destination-zone untrust source-address 192.168.0.0 mask 255.255.0.0 action nat address-group addressgroup1 # return