# HUAWEI: Firewall + ACL access control + AP onboarding + default route + NAT + DHCP (case topology)

Network topology diagram: (figure in the original, not reproduced here)

## Project requirements

1. SwitchA is the gateway for the wired terminals and also acts as DHCP server, assigning IP addresses to wireless and wired terminals. It also carries the ACL access control: the cameras (camera area) may only communicate with the DMZ servers, and wireless guests are forbidden from reaching the business server and the staff wired network.
2. The interfaces of each access switch join their VLANs; traffic is forwarded at layer 2.
3. The egress firewall performs NAT between the public and private networks. Security policies control Internet access: for example, camera traffic does not need to reach the Internet but may exchange traffic with the DMZ servers. A NAT server publishes the DMZ web server to the public network.

## Configuration approach

1. Configure the IP addresses of each device and of the VLANIF interfaces.
2. Configure the interface bindings on SwitchA, B, C and D and allow the corresponding VLANs.
3. Configure DHCP on SwitchA and bring the APs online; for the APs to come online the AC needs a default route toward SwitchA.
4. Configure the firewall zones and security policies, plus a static route for the return traffic.
5. Configure a default route on SwitchA toward the FW.
6. Configure the ACLs on SwitchA and apply them on the interfaces.

## IP address plan

| Device | Interface | VLAN | IP address |
|---|---|---|---|
| FW (firewall) | GE1/0/0 | - | 10.107.1.2/24 |
| FW (firewall) | GE1/0/1 | - | 109.1.1.1/24 |
| FW (firewall) | GE1/0/2 | - | 10.106.1.1/24 |
| internet | GE0/0/0 | - | 109.1.1.2/24 |
| internet | GE0/0/1 | - | 10.110.1.1/24 |
| Client1 | Eth0/0/0 | - | 10.110.1.2/24 |
| WEB server | Eth0/0/0 | - | 10.106.1.2/24 |
| Business server | Eth0/0/0 | - | 10.108.1.2/24 |
| AC (controller) | GE0/0/3 | 100 | VLANIF100: 10.100.1.2/24 |
| SwitchA | GE0/0/1 | 101, 102, 103, 105 | VLANIF105: 10.105.1.1/24 |
| SwitchA | GE0/0/3 | 104 | VLANIF104: 10.104.1.1/24 |
| SwitchA | GE0/0/5 | 101, 102, 103, 105 | VLANIF101: 10.101.1.1/24 |
| SwitchA | GE0/0/5 | 101, 102, 103, 105 | VLANIF102: 10.102.1.1/24 |
| SwitchA | GE0/0/5 | 101, 102, 103, 105 | VLANIF103: 10.103.1.1/24 |
| SwitchA | GE0/0/8 | 100 | VLANIF100: 10.100.1.1/24 |
| SwitchA | GE0/0/11 | 108 | VLANIF108: 10.108.1.1/24 |
| SwitchA | GE0/0/13 | 107 | VLANIF107: 10.107.1.1/24 |
| SwitchB | Eth0/0/3 | 104 | - |
| SwitchB | Eth0/0/5 | 104 | - |
| SwitchC | Eth0/0/3 | 101, 102, 105 | - |
| SwitchC | Eth0/0/5 | 101, 102, 103, 105 | - |
| SwitchC | Eth0/0/13 | 103 | - |
| SwitchD | Eth0/0/3 | 101, 102, 105 | - |
| SwitchD | Eth0/0/5 | 101, 102, 103, 105 | - |
| SwitchD | Eth0/0/13 | 103 | - |
| PC2 (camera) | Eth0/0/1 | - | obtained via DHCP |
| AP1 | GE0/0/0 | - | obtained via DHCP |
| PC3 | Eth0/0/1 | - | obtained via DHCP |
| AP2 | GE0/0/0 | - | obtained via DHCP |
| PC4 | Eth0/0/1 | - | obtained via DHCP |

## Device connection plan

| Local device | Local interface | Peer device | Peer interface |
|---|---|---|---|
| FW (firewall) | GE1/0/0 | SwitchA | GE0/0/13 |
| FW (firewall) | GE1/0/1 | internet | GE0/0/0 |
| FW (firewall) | GE1/0/2 | WEB server | Eth0/0/0 |
| AC (controller) | GE0/0/3 | SwitchA | GE0/0/8 |
| Business server | Eth0/0/0 | SwitchA | GE0/0/11 |
| SwitchA | GE0/0/13 | FW (firewall) | GE1/0/0 |
| SwitchA | GE0/0/1 | SwitchC | Eth0/0/5 |
| SwitchA | GE0/0/3 | SwitchB | Eth0/0/5 |
| SwitchA | GE0/0/11 | Business server | Eth0/0/0 |
| SwitchA | GE0/0/8 | AC (controller) | GE0/0/3 |
| SwitchA | GE0/0/5 | SwitchD | Eth0/0/5 |
| SwitchB | Eth0/0/3 | PC2 (camera) | Eth0/0/1 |
| SwitchB | Eth0/0/5 | SwitchA | GE0/0/3 |
| SwitchC | Eth0/0/5 | SwitchA | GE0/0/1 |
| SwitchC | Eth0/0/3 | AP1 | GE0/0/0 |
| SwitchC | Eth0/0/13 | PC3 | Eth0/0/1 |
| SwitchD | Eth0/0/5 | SwitchA | GE0/0/5 |
| SwitchD | Eth0/0/3 | AP2 | GE0/0/0 |
| SwitchD | Eth0/0/13 | PC4 | Eth0/0/1 |

## VLAN plan

| VLAN | Description |
|---|---|
| VLAN 100 | wireless management VLAN |
| VLAN 101 | guest wireless service VLAN |
| VLAN 102 | staff wireless service VLAN |
| VLAN 103 | staff wired service VLAN |
| VLAN 104 | camera VLAN |
| VLAN 105 | VLAN the APs belong to |
| VLAN 107 | VLANIF uplink toward the firewall |
| VLAN 108 | business area access VLAN |

## Implementation

### 1. Configure the IP addresses of each device

SwitchA: create the VLANs and configure the VLANIF addresses.

```
[SwitchA]vlan batch 100 to 105 107 108
[SwitchA]interface Vlanif 100
[SwitchA-Vlanif100]ip address 10.100.1.1 255.255.255.0
[SwitchA]interface Vlanif 101
[SwitchA-Vlanif101]ip address 10.101.1.1 255.255.255.0
[SwitchA]interface Vlanif 102
[SwitchA-Vlanif102]ip address 10.102.1.1 255.255.255.0
[SwitchA]interface Vlanif 103
[SwitchA-Vlanif103]ip address 10.103.1.1 255.255.255.0
[SwitchA]interface Vlanif 104
[SwitchA-Vlanif104]ip address 10.104.1.1 255.255.255.0
[SwitchA]interface Vlanif 105
[SwitchA-Vlanif105]ip address 10.105.1.1 255.255.255.0
[SwitchA]interface Vlanif 107
[SwitchA-Vlanif107]ip address 10.107.1.1 255.255.255.0
[SwitchA]interface Vlanif 108
[SwitchA-Vlanif108]ip address 10.108.1.1 255.255.255.0
```

FW IP address configuration:

```
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.107.1.2 255.255.255.0
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 109.1.1.1 255.255.255.0
[FW]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.106.1.1 255.255.255.0
```

AC: create the VLAN and configure its IP address.

```
[AC]vlan 100
[AC]interface Vlanif 100
[AC-Vlanif100]ip address 10.100.1.2 255.255.255.0
```

internet router IP address configuration:

```
[internet]interface GigabitEthernet 0/0/0
[internet-GigabitEthernet0/0/0]ip address 109.1.1.2 255.255.255.0
```

WEB server IP address and business server IP address: set on the hosts as in the address plan (screenshots in the original).

PC1, PC3, PC4, AP3 and AP4 all obtain their addresses automatically via DHCP.

### 2. Interface bindings and allowed VLANs

SwitchA:

```
[SwitchA]interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1]port link-type trunk
[SwitchA-GigabitEthernet0/0/1]port trunk allow-pass vlan 101 to 103 105
[SwitchA]interface GigabitEthernet 0/0/3
[SwitchA-GigabitEthernet0/0/3]port link-type access
[SwitchA-GigabitEthernet0/0/3]port default vlan 104
[SwitchA]interface GigabitEthernet 0/0/5
[SwitchA-GigabitEthernet0/0/5]port link-type trunk
[SwitchA-GigabitEthernet0/0/5]port trunk allow-pass vlan 101 to 103 105
[SwitchA]interface GigabitEthernet 0/0/8
[SwitchA-GigabitEthernet0/0/8]port link-type access
[SwitchA-GigabitEthernet0/0/8]port default vlan 100
[SwitchA]interface GigabitEthernet 0/0/11
[SwitchA-GigabitEthernet0/0/11]port link-type access
[SwitchA-GigabitEthernet0/0/11]port default vlan 108
[SwitchA]interface GigabitEthernet 0/0/13
[SwitchA-GigabitEthernet0/0/13]port link-type access
[SwitchA-GigabitEthernet0/0/13]port default vlan 107
```

SwitchB:

```
[SwitchB]vlan batch 104
[SwitchB]interface Ethernet 0/0/3
[SwitchB-Ethernet0/0/3]port link-type access
[SwitchB-Ethernet0/0/3]port default vlan 104
[SwitchB]interface Ethernet 0/0/5
[SwitchB-Ethernet0/0/5]port link-type access
[SwitchB-Ethernet0/0/5]port default vlan 104
```

SwitchC:

```
[SwitchC]vlan batch 101 to 103 105
[SwitchC]interface Ethernet 0/0/3
[SwitchC-Ethernet0/0/3]port link-type trunk
[SwitchC-Ethernet0/0/3]port trunk pvid vlan 105    // AP1 port: AP management untagged in VLAN 105
[SwitchC-Ethernet0/0/3]port trunk allow-pass vlan 101 to 102 105
[SwitchC]interface Ethernet 0/0/5
[SwitchC-Ethernet0/0/5]port link-type trunk
[SwitchC-Ethernet0/0/5]port trunk allow-pass vlan 101 to 103 105
[SwitchC]interface Ethernet 0/0/13                  // PC3 access port, VLAN 103
[SwitchC-Ethernet0/0/13]port link-type access
[SwitchC-Ethernet0/0/13]port default vlan 103
```

SwitchD:

```
[SwitchD]vlan batch 101 to 103 105
[SwitchD]interface Ethernet 0/0/3
[SwitchD-Ethernet0/0/3]port link-type trunk
[SwitchD-Ethernet0/0/3]port trunk pvid vlan 105    // AP2 port: AP management untagged in VLAN 105
[SwitchD-Ethernet0/0/3]port trunk allow-pass vlan 101 to 102 105
[SwitchD]interface Ethernet 0/0/5
[SwitchD-Ethernet0/0/5]port link-type trunk
[SwitchD-Ethernet0/0/5]port trunk allow-pass vlan 101 to 103 105
[SwitchD]interface Ethernet 0/0/13                  // PC4 access port, VLAN 103
[SwitchD-Ethernet0/0/13]port link-type access
[SwitchD-Ethernet0/0/13]port default vlan 103
```

AC:

```
[AC]interface GigabitEthernet 0/0/3
[AC-GigabitEthernet0/0/3]port link-type access
[AC-GigabitEthernet0/0/3]port default vlan 100
```

### 3. Enable DHCP on SwitchA and configure the address pools

```
[SwitchA]dhcp enable
// address pool for VLAN 101
[SwitchA]ip pool VLAN101
[SwitchA-ip-pool-vlan101]network 10.101.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan101]gateway-list 10.101.1.1
[SwitchA-ip-pool-vlan101]dns-list 114.114.114.114
[SwitchA-ip-pool-vlan101]quit
[SwitchA]interface Vlanif 101
[SwitchA-Vlanif101]dhcp select global
// address pool for VLAN 102
[SwitchA]ip pool VLAN102
[SwitchA-ip-pool-vlan102]network 10.102.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan102]gateway-list 10.102.1.1
[SwitchA-ip-pool-vlan102]dns-list 114.114.114.114
[SwitchA-ip-pool-vlan102]quit
[SwitchA]interface Vlanif 102
[SwitchA-Vlanif102]dhcp select global
// address pool for VLAN 103
[SwitchA]ip pool VLAN103
[SwitchA-ip-pool-vlan103]network 10.103.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan103]gateway-list 10.103.1.1
[SwitchA-ip-pool-vlan103]dns-list 114.114.114.114
[SwitchA-ip-pool-vlan103]quit
[SwitchA]interface Vlanif 103
[SwitchA-Vlanif103]dhcp select global
// address pool for VLAN 104 (cameras: no DNS needed, they never leave the site)
[SwitchA]ip pool VLAN104
[SwitchA-ip-pool-vlan104]network 10.104.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan104]gateway-list 10.104.1.1
[SwitchA-ip-pool-vlan104]quit
[SwitchA]interface Vlanif 104
[SwitchA-Vlanif104]dhcp select global
// address pool for VLAN 105 (APs)
[SwitchA]ip pool VLAN105
[SwitchA-ip-pool-vlan105]network 10.105.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan105]gateway-list 10.105.1.1
[SwitchA-ip-pool-vlan105]option 43 sub-option 1 ip-address 10.100.1.2    // option 43 lets the APs discover the AC by unicast
[SwitchA-ip-pool-vlan105]quit
[SwitchA]interface Vlanif 105
[SwitchA-Vlanif105]dhcp select global
```

PC1, PC3, PC4, AP3 and AP4 all obtain their IP addresses through DHCP (screenshots of PC1, PC3, PC4, AP3 and AP4 in the original).

### 4. Bring the APs online and hand out addresses from the VLAN 101 and VLAN 102 pools on SwitchA

Prerequisite: the APs must have obtained an address in VLAN 105.

AC configuration for AP onboarding:

4-1. Configure a default route on the AC pointing at SwitchA so that it can reach the networks SwitchA routes.

```
[AC]ip route-static 0.0.0.0 0.0.0.0 10.100.1.1
```

4-2. Configure CAPWAP and define the VLANIF used to discover APs.

```
[AC]capwap source interface vlanif100
```

4-3. Enter the WLAN view and create AP groups to manage the APs.

```
[AC]wlan
[AC-wlan-view]ap-group name AP1
[AC-wlan-ap-group-AP1]quit
[AC-wlan-view]ap-id 3 ap-mac HHHH-HHHH-HHHH    // replace with the real MAC address of AP1
[AC-wlan-ap-3]ap-group AP1
[AC-wlan-ap-3]quit
[AC-wlan-view]ap-group name AP2
[AC-wlan-ap-group-AP2]quit
[AC-wlan-view]ap-id 4 ap-mac HHHH-HHHH-HHHH    // replace with the real MAC address of AP2
[AC-wlan-ap-4]ap-group AP2
[AC-wlan-ap-4]quit
```

4-4. Wait for the APs to come online and check with `display ap all`. Note: some AP models do not match the AC and therefore never come online, which is what happened with the two APs I configured above.

AC wireless network configuration:

4-5. Configure the country code so that the radio emissions comply with local regulation (optional).

```
[AC-wlan-view]regulatory-domain-profile name AP1
[AC-wlan-regulate-domain-AP1]country-code CN
[AC-wlan-regulate-domain-AP1]quit
[AC-wlan-view]regulatory-domain-profile name AP2
[AC-wlan-regulate-domain-AP2]country-code CN
[AC-wlan-regulate-domain-AP2]quit
[AC-wlan-view]ap-group name AP1
[AC-wlan-ap-group-AP1]regulatory-domain-profile AP1
[AC-wlan-ap-group-AP1]quit
[AC-wlan-view]ap-group name AP2
[AC-wlan-ap-group-AP2]regulatory-domain-profile AP2
[AC-wlan-ap-group-AP2]quit
```

4-6. Configure the SSIDs of the two Wi-Fi networks.

```
[AC-wlan-view]ssid-profile name AP1
[AC-wlan-ssid-prof-AP1]ssid AP1
[AC-wlan-ssid-prof-AP1]quit
[AC-wlan-view]ssid-profile name AP2
[AC-wlan-ssid-prof-AP2]ssid AP2
[AC-wlan-ssid-prof-AP2]quit
```

4-7. Configure the passwords of the two Wi-Fi networks:

```
[AC-wlan-view]security-profile name AP1
[AC-wlan-sec-prof-AP1]security wpa-wpa2 psk pass-phrase 123456789 aes
[AC-wlan-sec-prof-AP1]quit
[AC-wlan-view]security-profile name AP2
[AC-wlan-sec-prof-AP2]security wpa-wpa2 psk pass-phrase 123456789 aes
[AC-wlan-sec-prof-AP2]quit
```

4-8. Configure the VAP profiles of the two Wi-Fi networks, binding SSID, security profile and service VLAN in each VAP profile.

```
[AC-wlan-view]vap-profile name AP1
[AC-wlan-vap-prof-AP1]forward-mode direct-forward
[AC-wlan-vap-prof-AP1]ssid-profile AP1
[AC-wlan-vap-prof-AP1]security-profile AP1
[AC-wlan-vap-prof-AP1]service-vlan vlan-id 101    // guest wireless VLAN
[AC-wlan-vap-prof-AP1]quit
[AC-wlan-view]vap-profile name AP2
[AC-wlan-vap-prof-AP2]forward-mode direct-forward
[AC-wlan-vap-prof-AP2]ssid-profile AP2
[AC-wlan-vap-prof-AP2]security-profile AP2
[AC-wlan-vap-prof-AP2]service-vlan vlan-id 102    // staff wireless VLAN
[AC-wlan-vap-prof-AP2]quit
```

4-9. Bind the VAP profiles to the radios.

```
[AC-wlan-view]ap-group name AP1
[AC-wlan-ap-group-AP1]vap-profile AP1 wlan 1 radio 0
[AC-wlan-ap-group-AP1]vap-profile AP1 wlan 1 radio 1
[AC-wlan-ap-group-AP1]quit
[AC-wlan-view]ap-group name AP2
[AC-wlan-ap-group-AP2]vap-profile AP2 wlan 1 radio 0
[AC-wlan-ap-group-AP2]vap-profile AP2 wlan 1 radio 1
[AC-wlan-ap-group-AP2]quit
```

4-10. STA1 and STA2 connect to the Wi-Fi and obtain IP addresses (screenshots of STA1 and STA2 in the original).

### 5. Configure the FW security zones and security policies

Configure the security zones:

```
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet1/0/0
[FW-zone-trust]quit
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet1/0/1
[FW-zone-untrust]quit
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet1/0/2
[FW-zone-dmz]quit
```

Configure the security policies:

```
[FW]security-policy
[FW-policy-security]rule name trust-any
[FW-policy-security-rule-trust-any]source-zone trust
[FW-policy-security-rule-trust-any]destination-zone any
[FW-policy-security-rule-trust-any]action permit
[FW-policy-security-rule-trust-any]quit
// The NAT server of step 7 is resolved before the policy lookup, so the published
// web server is matched here as untrust -> dmz, destination 10.106.1.2; a permit rule
// for that destination must sit above the deny below or the service is unreachable.
[FW-policy-security]rule name untrust-dmz
[FW-policy-security-rule-untrust-dmz]source-zone untrust
[FW-policy-security-rule-untrust-dmz]destination-zone dmz
[FW-policy-security-rule-untrust-dmz]action deny
[FW-policy-security-rule-untrust-dmz]quit
[FW-policy-security]rule name untrust-trust
[FW-policy-security-rule-untrust-trust]source-zone untrust
[FW-policy-security-rule-untrust-trust]destination-zone trust
[FW-policy-security-rule-untrust-trust]action deny
[FW-policy-security-rule-untrust-trust]quit
[FW-policy-security]rule name dmz-untrust
[FW-policy-security-rule-dmz-untrust]source-zone dmz
[FW-policy-security-rule-dmz-untrust]destination-zone untrust
[FW-policy-security-rule-dmz-untrust]action permit
[FW-policy-security-rule-dmz-untrust]quit
// DMZ servers may initiate traffic to the camera subnet; camera -> DMZ is already covered by trust-any
[FW-policy-security]rule name dmz-camera
[FW-policy-security-rule-dmz-camera]source-address 10.106.1.0 mask 255.255.255.0
[FW-policy-security-rule-dmz-camera]destination-address 10.104.1.0 mask 255.255.255.0
[FW-policy-security-rule-dmz-camera]action permit
[FW-policy-security-rule-dmz-camera]quit
```

Configure the static route for return traffic toward the internal networks:

```
[FW]ip route-static 10.0.0.0 255.0.0.0 10.107.1.1
```

### 6. Configure the default route and the ACLs on SwitchA

Configure the default route:

```
[SwitchA]ip route-static 0.0.0.0 0.0.0.0 10.107.1.2
```

Configure the ACLs and apply them:

```
// ACL 3001: guest wireless may not reach the business server or the staff wired network
[SwitchA]acl 3001
[SwitchA-acl-adv-3001]rule 5 deny ip source 10.101.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255
[SwitchA-acl-adv-3001]rule 10 deny ip source 10.101.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255
[SwitchA-acl-adv-3001]quit
// ACL 3002: cameras may only reach the DMZ web server subnet
[SwitchA]acl 3002
[SwitchA-acl-adv-3002]rule 5 permit ip source 10.104.1.0 0.0.0.255 destination 10.106.1.0 0.0.0.255
[SwitchA-acl-adv-3002]rule 10 deny ip source 10.104.1.0 0.0.0.255 destination any
[SwitchA-acl-adv-3002]quit
[SwitchA]interface GigabitEthernet 0/0/3
[SwitchA-GigabitEthernet0/0/3]traffic-filter inbound acl 3002
[SwitchA-GigabitEthernet0/0/3]quit
[SwitchA]interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1]traffic-filter inbound acl 3001
[SwitchA-GigabitEthernet0/0/1]quit
```

Guest wireless pings the staff wired network: the ping fails, which shows the ACL is taking effect. Pinging the business server behaves the same way.

### 7. Configure a NAT server to publish the DMZ web server to the outside

7-1. On the FW, map the web server address 10.106.1.2 to 109.1.1.15.

```
[FW]nat server 80 protocol tcp global 109.1.1.15 www inside 10.106.1.2 www
```

7-2. On the FW, configure a default route toward the internet.

```
[FW]ip route-static 0.0.0.0 0.0.0.0 109.1.1.2
```

7-3. On the internet router, configure a static route back.

```
[internet]ip route-static 10.0.0.0 255.0.0.0 109.1.1.1
```

From Client1, browsing to the mapped web server address 109.1.1.15 reaches the web page.

### 8. Configure source NAT on the FW for internal hosts reaching the outside

Configure the NAT address pool:

```
[FW]nat address-group trust-untrust 19
[FW-address-group-trust-untrust]section 109.1.1.5 109.1.1.10
[FW-address-group-trust-untrust]quit
```

Configure the NAT policy:

```
[FW]nat-policy
[FW-policy-nat]rule name trust-untrust
[FW-policy-nat-rule-trust-untrust]source-zone trust
[FW-policy-nat-rule-trust-untrust]destination-zone untrust
[FW-policy-nat-rule-trust-untrust]source-address 10.0.0.0 mask 255.0.0.0
[FW-policy-nat-rule-trust-untrust]action source-nat address-group trust-untrust
[FW-policy-nat-rule-trust-untrust]quit
[FW-policy-nat]quit
```

Configure black-hole routes for the pool addresses to avoid a routing loop between the FW and the ISP:

```
[FW]ip route-static 109.1.1.5 32 NULL 0
[FW]ip route-static 109.1.1.6 32 NULL 0
[FW]ip route-static 109.1.1.7 32 NULL 0
[FW]ip route-static 109.1.1.8 32 NULL 0
[FW]ip route-static 109.1.1.9 32 NULL 0
[FW]ip route-static 109.1.1.10 32 NULL 0
```

PC2 accessing the internet (screenshot in the original).
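As an added check that is not part of the original lab, the following Python models how `traffic-filter inbound` evaluates a Huawei advanced ACL (wildcard masks, lowest rule number first, unmatched packets forwarded) and runs ACL 3001 and 3002 from step 6 against the flows named in the project requirements. Host addresses such as 10.101.1.20 are constructed test values; the ACL contents are copied from the lab.

```python
import ipaddress


def _match(addr, rule_net, wildcard):
    # Huawei ACL wildcard masks: a 1 bit means "don't care" for that bit.
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(rule_net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


ANY = ("0.0.0.0", "255.255.255.255")  # what "destination any" expands to

# (rule id, action, src, src-wildcard, dst, dst-wildcard), copied from step 6.
ACL_3001 = [  # applied inbound on GE0/0/1 (uplink from SwitchC, guest VLAN 101)
    (5, "deny", "10.101.1.0", "0.0.0.255", "10.108.1.0", "0.0.0.255"),
    (10, "deny", "10.101.1.0", "0.0.0.255", "10.103.1.0", "0.0.0.255"),
]
ACL_3002 = [  # applied inbound on GE0/0/3 (camera VLAN 104)
    (5, "permit", "10.104.1.0", "0.0.0.255", "10.106.1.0", "0.0.0.255"),
    (10, "deny", "10.104.1.0", "0.0.0.255", *ANY),
]


def traffic_filter(acl, src, dst):
    """Decide like 'traffic-filter inbound acl N': rules are tried in ascending
    rule-id order, the first match wins, and a packet that matches no rule is
    forwarded (the implicit result of traffic-filter is permit)."""
    for _rid, action, sn, sw, dn, dw in sorted(acl):
        if _match(src, sn, sw) and _match(dst, dn, dw):
            return action
    return "permit"


# Flows taken from the requirements; host addresses are constructed.
FLOWS = {
    "guest -> wired staff (VLAN 103)": (ACL_3001, "10.101.1.20", "10.103.1.20"),
    "guest -> business server":        (ACL_3001, "10.101.1.20", "10.108.1.2"),
    "guest -> internet":               (ACL_3001, "10.101.1.20", "10.110.1.2"),
    "staff wifi -> business server":   (ACL_3001, "10.102.1.20", "10.108.1.2"),
    "camera -> DMZ web server":        (ACL_3002, "10.104.1.20", "10.106.1.2"),
    "camera -> internet":              (ACL_3002, "10.104.1.20", "10.110.1.2"),
    "camera -> its gateway":           (ACL_3002, "10.104.1.20", "10.104.1.1"),
    # DHCP DISCOVER is sent from 0.0.0.0, so rule 10 of ACL 3002 does not match
    # it and the camera can still obtain a lease from SwitchA.
    "camera DHCP discover":            (ACL_3002, "0.0.0.0", "255.255.255.255"),
}


def evaluate_flows():
    """Return {flow name: 'permit' | 'deny'} for every flow in FLOWS."""
    return {name: traffic_filter(acl, s, d) for name, (acl, s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_flows().items():
        print(f"{verdict:6} {name}")
```

Note that ACL 3001 only sits on GE0/0/1, so guest isolation relies on SSID AP1 (VLAN 101) being served only by APs behind SwitchC; the camera rule also blocks pings to the camera's own gateway, which is expected with `deny ... destination any`.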