1 - Configure VLANs and link aggregation
[SW1]vlan batch 10 20
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1]interface Eth-Trunk 1
[SW1-Eth-Trunk1]mode lacp-static
[SW1-Eth-Trunk1]trunkport g0/0/3
[SW1-Eth-Trunk1]trunkport g0/0/4
[SW1-Eth-Trunk1]port link-type trunk
[SW1-Eth-Trunk1]port trunk allow-pass vlan all
[USG6000V1]interface Eth-Trunk 1
[USG6000V1-Eth-Trunk1]portswitch
[USG6000V1-Eth-Trunk1]mode lacp-static
[USG6000V1-Eth-Trunk1]trunkport g1/0/3
[USG6000V1-Eth-Trunk1]trunkport g1/0/4
[USG6000V1-Eth-Trunk1]port link-type trunk
[USG6000V1-Eth-Trunk1]port trunk allow-pass vlan all
[USG6000V1-Eth-Trunk1]dis eth-trunk 1
2023-07-02 10:29:54.110
Eth-Trunk1's state information is:
Local:
LAG ID: 1                       WorkingMode: STATIC
Preempt Delay: Disabled         Hash arithmetic: According to flow
System Priority: 32768          System ID: 00e0-fc86-1223
Least Active-linknumber: 1      Max Active-linknumber: 8
Operate status: up              Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/3   Selected 1GE      32768   1      305     10111100  1
GigabitEthernet1/0/4   Selected 1GE      32768   2      305     10111100  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet1/0/3   32768    4c1f-cc8d-520c  32768   4      305     10111100
GigabitEthernet1/0/4   32768    4c1f-cc8d-520c  32768   5      305     10111100
2 - Configure VPN instances on the switch
[SW1]ip vpn-instance IT
[SW1-vpn-instance-IT]ipv4-family
[SW1]ip vpn-instance Sales
[SW1-vpn-instance-Sales]ipv4-family
[SW1]interface Vlanif 10
[SW1-Vlanif10]ip binding vpn-instance IT
[SW1-Vlanif10]ip address 192.168.10.1 24
[SW1-Vlanif20]ip binding vpn-instance Sales
[SW1-Vlanif20]ip address 192.168.20.1 24
3 - Create the switch-to-firewall interconnect interfaces inside the VPN instances
[SW1]vlan batch 122 124
[SW1]interface Vlanif 122
[SW1-Vlanif122]ip binding vpn-instance IT
[SW1-Vlanif122]ip address 192.168.122.1 24
[SW1]interface Vlanif 124
[SW1-Vlanif124]ip binding vpn-instance Sales
[SW1-Vlanif124]ip address 192.168.124.1 24
// Create two more Vlanif interfaces on the switch, one per business unit, and bind each to its VPN instance
[SW1]display ip routing-table vpn-instance IT
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: IT
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.10.0/24  Direct  0    0           D   192.168.10.1    Vlanif10
    192.168.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.122.0/24  Direct  0    0           D   192.168.122.1   Vlanif122
   192.168.122.1/32  Direct  0    0           D   127.0.0.1       Vlanif122

[SW1]display ip routing-table vpn-instance Sales
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Sales
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20
    192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
   192.168.124.0/24  Direct  0    0           D   192.168.124.1   Vlanif124
   192.168.124.1/32  Direct  0    0           D   127.0.0.1       Vlanif124
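The point of the two VPN instances is that IT and Sales never see each other's prefixes. The following script is an added example (not part of the lab write-up) that parses the `display ip routing-table vpn-instance` output as printed above and flags any prefix that appears in both instances; the sample tables are constructed from the values on this page, and the `LEAKED_SALES_TABLE` variant is a made-up case with one foreign prefix injected to show what a leak looks like.

```python
"""Check that per-VPN-instance routing tables on a Huawei VRP switch are isolated."""
import ipaddress
import re

# Sample output constructed from the lab's `display ip routing-table vpn-instance` listings.
IT_TABLE = """\
Routing Tables: IT
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    192.168.10.0/24  Direct  0    0           D   192.168.10.1    Vlanif10
    192.168.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
   192.168.122.0/24  Direct  0    0           D   192.168.122.1   Vlanif122
   192.168.122.1/32  Direct  0    0           D   127.0.0.1       Vlanif122
"""
SALES_TABLE = """\
Routing Tables: Sales
         Destinations : 4        Routes : 4
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    192.168.20.0/24  Direct  0    0           D   192.168.20.1    Vlanif20
    192.168.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
   192.168.124.0/24  Direct  0    0           D   192.168.124.1   Vlanif124
   192.168.124.1/32  Direct  0    0           D   127.0.0.1       Vlanif124
"""
# Constructed failure case: an IT prefix leaked into the Sales instance (hypothetical).
LEAKED_SALES_TABLE = SALES_TABLE.replace("Destinations : 4", "Destinations : 5") + \
    "    192.168.10.0/24  Static  60   0          RD   192.168.124.2   Vlanif124\n"

ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>\S+)\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)
COUNT_RE = re.compile(r"Destinations\s*:\s*(\d+)\s+Routes\s*:\s*(\d+)")


def parse_routing_table(text):
    """Return (declared destination count or None, list of parsed route dicts)."""
    declared, routes = None, []
    for line in text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if m:
            route = m.groupdict()
            route["dest"] = ipaddress.ip_network(route["dest"], strict=False)
            routes.append(route)
    return declared, routes


def check_isolation(tables):
    """tables maps instance name -> display output.

    Returns {'prefixes': {name: [cidr, ...]}, 'leaks': [(a, cidr_a, b, cidr_b), ...]}.
    A leak is any pair of prefixes from two different instances that overlap.
    """
    prefixes = {}
    for name, text in tables.items():
        declared, routes = parse_routing_table(text)
        # Sanity check: the header count must agree with what we parsed, or the
        # parser missed lines and the isolation verdict would be worthless.
        if declared is not None and declared != len(routes):
            raise ValueError(f"{name}: header says {declared} destinations, parsed {len(routes)}")
        prefixes[name] = {r["dest"] for r in routes}

    leaks = []
    names = list(prefixes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa in prefixes[a]:
                for pb in prefixes[b]:
                    if pa.overlaps(pb):
                        leaks.append((a, str(pa), b, str(pb)))
    return {"prefixes": {n: sorted(map(str, p)) for n, p in prefixes.items()}, "leaks": leaks}


if __name__ == "__main__":
    print(check_isolation({"IT": IT_TABLE, "Sales": SALES_TABLE})["leaks"])        # []
    print(check_isolation({"IT": IT_TABLE, "Sales": LEAKED_SALES_TABLE})["leaks"])  # leak reported
```

Run it against the output of the real devices by pasting each `display ip routing-table vpn-instance` listing in place of the sample strings; any non-empty `leaks` list means a route (static, OSPF, or import) has crossed the instance boundary.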
4 - Create VSYS on the firewall to peer with the switch's two VPN instances
[USG6000V1]vlan batch 122 124
[USG6000V1]vsys enable
[USG6000V1]vsys name IT
[USG6000V1-vsys-IT]assign vlan 122
[USG6000V1]vsys name Sales
[USG6000V1-vsys-Sales]assign vlan 124
// Create the VLANs on the firewall and assign each to its vsys (virtual firewall)
// On the firewall, VLANs and Vlanif interfaces can only be created on the root firewall and then assigned to a virtual firewall
[USG6000V1-Vlanif122]ip address 192.168.122.2 24
[USG6000V1-Vlanif124]ip address 192.168.124.2 24
// Create the two Vlanif interfaces on the root firewall; because the VLANs were already assigned to the virtual firewalls, the Vlanif interfaces are placed in them automatically
[USG6000V1]switch vsys IT
// Switch into the IT virtual firewall
<USG6000V1-IT>display ip interface brief
// Check the VLAN interface address from inside the virtual firewall
Interface                  IP Address/Mask      Physical   Protocol
Virtual-if1                unassigned           up         up(s)
Vlanif122                  192.168.122.2/24     up         up
5 - Add the Vlanif interfaces on the virtual firewalls to the Trust zone and allow ICMP
[USG6000V1]switch vsys IT
<USG6000V1-IT>sys
[USG6000V1-IT]firewall zone trust
[USG6000V1-IT-zone-trust]add interface Vlanif 122
[USG6000V1-IT]interface Vlanif 122
[USG6000V1-IT-Vlanif122]service-manage ping permit
[USG6000V1-IT]quit
// Leave the virtual firewall: the full word quit is required to drop back to user view
<USG6000V1-IT>q
[USG6000V1]switch vsys Sales
<USG6000V1-Sales>sys
[USG6000V1-Sales]firewall zone trust
[USG6000V1-Sales]interface Vlanif 124
[USG6000V1-Sales-Vlanif124]service-manage ping permit
6 - Security policy on the virtual firewalls permitting Local to Trust
[USG6000V1]switch vsys IT
<USG6000V1-IT>sys
[USG6000V1-IT]security-policy
[USG6000V1-IT-policy-security]rule name L2T
[USG6000V1-IT-policy-security-rule-L2T]source-zone local
[USG6000V1-IT-policy-security-rule-L2T]destination-zone trust
[USG6000V1-IT-policy-security-rule-L2T]action permit
[USG6000V1]switch vsys Sales
<USG6000V1-Sales>sys
[USG6000V1-Sales]security-policy
[USG6000V1-Sales-policy-security]rule name L2T
[USG6000V1-Sales-policy-security-rule-L2T]source-zone local
[USG6000V1-Sales-policy-security-rule-L2T]destination-zone trust
[USG6000V1-Sales-policy-security-rule-L2T]action permit
7 - Configure OSPF adjacencies between the switch and the firewall inside the VPN instances
[SW1]ospf 10 vpn-instance IT router-id 5.5.5.5
[SW1-ospf-10]area 0
[SW1-ospf-10-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[SW1-ospf-10-area-0.0.0.0]network 192.168.122.0 0.0.0.255
[SW1]ospf 20 vpn-instance Sales router-id 6.6.6.6
[SW1-ospf-20]area 0
[SW1-ospf-20-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[SW1-ospf-20-area-0.0.0.0]network 192.168.124.0 0.0.0.255
[USG6000V1]ospf 10 vpn-instance IT router-id 3.3.3.3
[USG6000V1-ospf-10]area 0
[USG6000V1-ospf-10-area-0.0.0.0]network 192.168.122.0 0.0.0.255
[USG6000V1]ospf 20 vpn-instance Sales router-id 4.4.4.4
[USG6000V1-ospf-20]area 0
[USG6000V1-ospf-20-area-0.0.0.0]network 192.168.124.0 0.0.0.255
8 - Create VLANs on the two virtual firewalls to connect to the switch's global (public) instance
[SW1]vlan batch 121 123
[SW1]interface Vlanif 121
[SW1-Vlanif121]ip address 192.168.121.1 24
[SW1]int Vlanif 123
[SW1-Vlanif123]ip address 192.168.123.1 24
[USG6000V1]vlan batch 121 123
// Create the VLANs globally and assign each to its virtual firewall
[USG6000V1]vsys name IT
[USG6000V1-vsys-IT]assign vlan 121
[USG6000V1]vsys name Sales
[USG6000V1-vsys-Sales]assign vlan 123
[USG6000V1]interface Vlanif 121
[USG6000V1-Vlanif121]ip address 192.168.121.2 24
[USG6000V1]interface Vlanif 123
[USG6000V1-Vlanif123]ip address 192.168.123.2 24
[USG6000V1]switch vsys IT
// Enter the virtual firewall, put the interface into its zone and allow ICMP
<USG6000V1-IT>sys
[USG6000V1-IT]firewall zone untrust
[USG6000V1-IT-zone-untrust]add interface Vlanif 121
[USG6000V1-IT]interface Vlanif 121
[USG6000V1-IT-Vlanif121]service-manage ping permit
[USG6000V1]switch vsys Sales
<USG6000V1-Sales>sys
[USG6000V1-Sales]firewall zone untrust
[USG6000V1-Sales-zone-untrust]add interface Vlanif 123
[USG6000V1-Sales]interface Vlanif 123
[USG6000V1-Sales-Vlanif123]service-manage ping permit
<SW1>ping 192.168.121.2
// Ping the virtual firewall interface address from the switch's global instance
  PING 192.168.121.2: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 192.168.121.2: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 192.168.121.2: bytes=56 Sequence=3 ttl=255 time=20 ms
    Reply from 192.168.121.2: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 192.168.121.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 192.168.121.2 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 1/22/50 ms

<SW1>ping 192.168.123.2
  PING 192.168.123.2: 56  data bytes, press CTRL_C to break
    Request time out
    Reply from 192.168.123.2: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 192.168.123.2: bytes=56 Sequence=3 ttl=255 time=40 ms
    Reply from 192.168.123.2: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 192.168.123.2: bytes=56 Sequence=5 ttl=255 time=30 ms

  --- 192.168.123.2 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 10/30/40 ms
9 - OSPF between the switch's global instance and the two virtual firewalls
[USG6000V1-ospf-10-area-0.0.0.0]network 192.168.121.0 0.0.0.255
[USG6000V1-ospf-20-area-0.0.0.0]network 192.168.123.0 0.0.0.255
[SW1]ospf 1 router-id 2.2.2.2
[SW1-ospf-1]area 0
[SW1-ospf-1-area-0.0.0.0]network 192.168.121.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]network 192.168.123.0 0.0.0.255
[SW1]dis ip routing-table
// Every route is now visible in the global routing table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.10.0/24  OSPF    10   3           D   192.168.121.2   Vlanif121
   192.168.20.0/24  OSPF    10   3           D   192.168.123.2   Vlanif123
   192.168.30.0/24  Direct  0    0           D   192.168.30.1    Vlanif30
   192.168.30.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
  192.168.121.0/24  Direct  0    0           D   192.168.121.1   Vlanif121
  192.168.121.1/32  Direct  0    0           D   127.0.0.1       Vlanif121
  192.168.122.0/24  OSPF    10   2           D   192.168.121.2   Vlanif121
  192.168.123.0/24  Direct  0    0           D   192.168.123.1   Vlanif123
  192.168.123.1/32  Direct  0    0           D   127.0.0.1       Vlanif123
  192.168.124.0/24  OSPF    10   2           D   192.168.123.2   Vlanif123
10 - Create the global-instance link between the switch and router R1 and advertise it into OSPF
[SW1]vlan 30
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 30
[SW1]interface Vlanif 30
[SW1-Vlanif30]ip address 192.168.30.1 24
[SW1-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.30.2 24
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 1.1.1.1 32
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
11 - Firewall security policy allowing the internal network to reach the external Untrust zone
[USG6000V1]switch vsys IT
<USG6000V1-IT>sys
[USG6000V1-IT]security-policy
[USG6000V1-IT-policy-security]rule name T2U
[USG6000V1-IT-policy-security-rule-T2U]source-zone trust
[USG6000V1-IT-policy-security-rule-T2U]destination-zone untrust
[USG6000V1-IT-policy-security-rule-T2U]action permit
[USG6000V1]switch vsys Sales
<USG6000V1-Sales>sys
[USG6000V1-Sales]security-policy
[USG6000V1-Sales-policy-security]rule name T2U
[USG6000V1-Sales-policy-security-rule-T2U]source-zone trust
[USG6000V1-Sales-policy-security-rule-T2U]destination-zone untrust
[USG6000V1-Sales-policy-security-rule-T2U]action permit
12 - Configure the network egress and NAT
[R1-GigabitEthernet0/0/1]ip address 202.100.1.1 24
[R1]ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
[R1-ospf-1]default-route-advertise
[R1]ACL 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000]rule 15 permit source 192.168.20.0 0.0.0.255
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]nat outbound 2000
[ISP-GigabitEthernet0/0/0]ip address 202.100.1.2 24
[ISP-LoopBack0]ip address 8.8.8.8 32
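ACL 2000 above uses Huawei wildcard masks (`192.168.10.0 0.0.0.255`: a 0 bit must match, a 1 bit is ignored), the same notation as the OSPF `network` statements on this page, whereas the firewall's `source-address 192.168.20.0 24` later uses a prefix length. The script below is an added example, not from the lab, that implements wildcard matching, converts contiguous wildcards to CIDR for comparison with the firewall rules, and walks ACL 2000 in rule order. That an unmatched packet leaves `nat outbound` untranslated is this example's assumption about the device, stated in the code.

```python
"""Evaluate a Huawei-style basic ACL with wildcard masks against source addresses."""
import ipaddress


def wildcard_match(ip, base, wildcard):
    """True if `ip` matches `base` under `wildcard` (1 bits in the wildcard are don't-care)."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    care = ~wc_i & 0xFFFFFFFF          # bits that must be equal
    return (ip_i & care) == (base_i & care)


def wildcard_to_prefix(base, wildcard):
    """Return the CIDR equivalent of base+wildcard, or None when the wildcard is
    non-contiguous (e.g. 0.0.2.255) and therefore has no prefix-length form."""
    wc_i = int(ipaddress.IPv4Address(wildcard))
    if (wc_i + 1) & wc_i:              # ones not confined to the low bits
        return None
    prefix_len = 32 - wc_i.bit_length()
    return str(ipaddress.ip_network(f"{base}/{prefix_len}", strict=False))


# ACL 2000 as configured on R1 in the lab: (rule id, action, source base, wildcard).
ACL_2000 = [
    (10, "permit", "192.168.10.0", "0.0.0.255"),
    (15, "permit", "192.168.20.0", "0.0.0.255"),
]


def acl_lookup(acl, src_ip):
    """First-match lookup in rule-id order; returns (rule_id, action) or (None, 'no-match')."""
    for rule_id, action, base, wc in sorted(acl):
        if wildcard_match(src_ip, base, wc):
            return rule_id, action
    return None, "no-match"


def nat_outbound(acl, src_ip):
    """Assumed `nat outbound <acl>` behaviour: only sources the ACL permits are
    translated; denied or unmatched sources are forwarded with their original
    address (this is the example's assumption, not a vendor statement)."""
    _, action = acl_lookup(acl, src_ip)
    return "translate" if action == "permit" else "forward-untranslated"


if __name__ == "__main__":
    for src in ("192.168.10.254", "192.168.20.254", "192.168.30.1"):
        print(src, acl_lookup(ACL_2000, src), nat_outbound(ACL_2000, src))
```

The third sample source, 192.168.30.1 (the SW1 side of the R1 link), is not covered by ACL 2000, so under this model it would reach the ISP unchanged; that is the kind of gap a quick check like this catches before a host on an interconnect VLAN is mistaken for an internal client.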
13 - Firewall policy between the IT and Sales departments
[USG6000V1]switch vsys IT
<USG6000V1-IT>sys
[USG6000V1-IT]security-policy
[USG6000V1-IT-policy-security]rule name U2T
[USG6000V1-IT-policy-security-rule-U2T]source-zone untrust
[USG6000V1-IT-policy-security-rule-U2T]source-address 192.168.20.0 24
[USG6000V1-IT-policy-security-rule-U2T]destination-zone trust
[USG6000V1-IT-policy-security-rule-U2T]action permit
[USG6000V1]switch vsys Sales
<USG6000V1-Sales>sys
[USG6000V1-Sales]security-policy
[USG6000V1-Sales-policy-security]rule name U2T
[USG6000V1-Sales-policy-security-rule-U2T]source-zone untrust
[USG6000V1-Sales-policy-security-rule-U2T]source-address 192.168.10.0 24
[USG6000V1-Sales-policy-security-rule-U2T]destination-zone trust
[USG6000V1-Sales-policy-security-rule-U2T]action permit
[USG6000V1]display firewall session table all-systems
2023-07-03 08:09:30.810
 Current Total Sessions : 10
  icmp  VPN: Sales --> Sales  192.168.10.254:13186 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:12674 --> 192.168.20.254:2048
  icmp  VPN: Sales --> Sales  192.168.10.254:12162 --> 192.168.20.254:2048
  icmp  VPN: Sales --> Sales  192.168.10.254:12674 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:13186 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:12162 --> 192.168.20.254:2048
  icmp  VPN: Sales --> Sales  192.168.10.254:12930 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:12930 --> 192.168.20.254:2048
  icmp  VPN: Sales --> Sales  192.168.10.254:13442 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:13442 --> 192.168.20.254:2048
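Each ping from PC1 shows up twice in the session table because the packet crosses two virtual firewalls: it leaves the IT vsys under rule T2U (trust to untrust) and enters the Sales vsys under rule U2T, which only admits untrust sources in 192.168.10.0/24. The script below is an added example (not the lab's or Huawei's code) that models the rules from sections 6, 11 and 13 with a simplified first-match, default-deny evaluation, then parses a few session lines constructed from the output above and names the rule that admits each one. Zone membership is inferred from the department subnet (inside it: trust, otherwise: untrust); firewall-originated traffic in the local zone is not modelled.

```python
"""Simplified model of the per-vsys zone policy, applied to session-table output."""
import ipaddress
import re

# Trust-side subnet of each vsys, from the Vlanif122/Vlanif124 trust interfaces
# (sections 5 and 7). Anything outside it is treated as untrust (Vlanif121/123).
VSYS_TRUST_NET = {
    "IT": ipaddress.ip_network("192.168.10.0/24"),
    "Sales": ipaddress.ip_network("192.168.20.0/24"),
}

# Security-policy rules as configured in sections 6, 11 and 13, in creation order.
RULES = {
    "IT": [
        {"name": "L2T", "src_zone": "local", "dst_zone": "trust", "src_addr": None},
        {"name": "T2U", "src_zone": "trust", "dst_zone": "untrust", "src_addr": None},
        {"name": "U2T", "src_zone": "untrust", "dst_zone": "trust", "src_addr": "192.168.20.0/24"},
    ],
    "Sales": [
        {"name": "L2T", "src_zone": "local", "dst_zone": "trust", "src_addr": None},
        {"name": "T2U", "src_zone": "trust", "dst_zone": "untrust", "src_addr": None},
        {"name": "U2T", "src_zone": "untrust", "dst_zone": "trust", "src_addr": "192.168.10.0/24"},
    ],
}


def zone_of(vsys, ip):
    """Zone an address belongs to inside a given vsys (assumption: subnet-based)."""
    return "trust" if ipaddress.ip_address(ip) in VSYS_TRUST_NET[vsys] else "untrust"


def evaluate(vsys, src_ip, dst_ip):
    """First matching permit rule wins; no match means the implicit deny applies.
    Every rule on this page is a permit, so the action is derived from the match."""
    src_zone, dst_zone = zone_of(vsys, src_ip), zone_of(vsys, dst_ip)
    for rule in RULES[vsys]:
        if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
            continue
        if rule["src_addr"] and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src_addr"]):
            continue
        return "permit", rule["name"]
    return "deny", "default"


SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:\s*(?P<in_vsys>\S+)\s*-->\s*(?P<out_vsys>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed from the lab's `display firewall session table all-systems` output.
SESSION_TABLE = """\
 Current Total Sessions : 4
  icmp  VPN: Sales --> Sales  192.168.10.254:13186 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:12674 --> 192.168.20.254:2048
  icmp  VPN: Sales --> Sales  192.168.10.254:12162 --> 192.168.20.254:2048
  icmp  VPN: IT --> IT  192.168.10.254:13186 --> 192.168.20.254:2048
"""


def audit_sessions(text):
    """Attribute every parsed session to the rule that admits it in its vsys."""
    findings = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        s = m.groupdict()
        action, rule = evaluate(s["in_vsys"], s["src"], s["dst"])
        findings.append({"vsys": s["in_vsys"], "src": s["src"], "dst": s["dst"],
                         "action": action, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SESSION_TABLE):
        print(f)
    print(evaluate("Sales", "192.168.30.5", "192.168.20.254"))  # ('deny', 'default')
```

Feeding a source outside the permitted prefix (192.168.30.5 in the last line) shows the value of the `source-address` qualifier on U2T: untrust-to-trust traffic from anywhere other than the other department falls through to the implicit deny.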
Lab requirements met!
Extended lab section
[USG6000V1]icmp ttl-exceeded send
// Let the firewall answer with TTL-exceeded so it shows up in the traced path
PC1>tracert 192.168.20.254
traceroute to 192.168.20.254, 8 hops max (ICMP), press Ctrl+C to stop
 1   192.168.10.1     15 ms   16 ms   31 ms
 2   192.168.122.2    32 ms   31 ms   47 ms
 3   192.168.121.1    62 ms   63 ms   62 ms
 4   192.168.123.2    78 ms   63 ms   62 ms
 5   192.168.124.1    94 ms   109 ms  110 ms
 6   *192.168.20.254  94 ms   109 ms
Each vsys created on the firewall automatically gets a Virtual-if interface. It can be given an IP address like any Layer 3 interface; this logical interface is used for traffic between vsys.
[USG6000V1]interface Virtual-if 1
[USG6000V1-Virtual-if1]ip address 12.1.1.1 24
[USG6000V1]interface Virtual-if 2
[USG6000V1-Virtual-if2]ip address 12.1.1.2 24
[USG6000V1]switch vsys IT
// Put the two Virtual-if interfaces into the untrust zone of their respective virtual firewalls
<USG6000V1-IT>sys
[USG6000V1-IT]firewall zone untrust
[USG6000V1-IT-zone-untrust]add interface Virtual-if 1
[USG6000V1]switch vsys Sales
<USG6000V1-Sales>sys
[USG6000V1-Sales]firewall zone untrust
[USG6000V1-Sales-zone-untrust]add interface Virtual-if 2
[USG6000V1]ip route-static vpn-instance IT 192.168.20.0 24 vpn-instance Sales preference 8
[USG6000V1]ip route-static vpn-instance Sales 192.168.10.0 24 vpn-instance IT preference 8
PC1>tracert 192.168.20.254
// Trace the path again: traffic is now forwarded over the Virtual-if interfaces
traceroute to 192.168.20.254, 8 hops max (ICMP), press Ctrl+C to stop
 1   192.168.10.1     15 ms   16 ms   31 ms
 2   192.168.122.2    47 ms   16 ms   47 ms
 3   12.1.1.2         47 ms   31 ms   31 ms
 4   192.168.124.1    78 ms   31 ms   63 ms
 5   *192.168.20.254  78 ms   94 ms