中小型企业华为路由器+防火墙+核心交换机网络部署

octagon

网络组网图：

网络规划：办公网VLAN：10，IP地址段：192.168.10.0/24，网关192.168.10.254

生产网络VLAN：20，IP地址段：192.168.20.0/24，网关192.168.20.254

生产服务器地址段：172.16.1.1/24 网关：172.16.1.254

核心交换机接口IP：GE 0/0/24:192.168.200.1/24 loopback0 1.1.1.1/32

防火墙：GE 1/0/0:192.168.200.2/24 Trust区域；GE 1/0/1:192.168.100.2/24 UNtrust区域

GE 1/0/6 172.16.1.254/24 loopback0 2.2.2.2/32

出口路由器：GE 0/0/0 192.168.100.1/24 GE 0/0/1 202.1.1.1/24对接运营商网络 loopback0 3.3.3.3/32

AR2模拟运营商网络路由器，loopback 0:114.114.114.114

Client模拟Internet网络中任一用户。

交换机、防护墙、路由器设备适用OSPF动态路由协议。

实验目标：

1) 实现生产网络可以访问Internet网络。

2) 实现办公网络中PC1可以访问Internet网络，PC2不可以访问Internet网络。

3) 实现生产PC可以访问生产服务器80端口，办公PC不可以访问生产服务器。

4) 生产服务器80端口映射到Internet 8080端口，公网用户可以通过202.1.1.1:8080访问到内网服务器80端口。

数据配置如下：

设备配置：

交换机配置：

sysname Huawei

#

vlan batch 10 20 200

dhcp enable

interface Vlanif10

ip address 192.168.10.254 255.255.255.0

dhcp select interface

dhcp server lease day 0 hour 8 minute 0

dhcp server dns-list 8.8.8.8

#

interface Vlanif20

ip address 192.168.20.254 255.255.255.0

#

interface Vlanif200

ip address 192.168.200.1 255.255.255.0

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 10

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 10

#

interface GigabitEthernet0/0/3

port link-type access

port default vlan 20

#

interface GigabitEthernet0/0/4

port link-type access

port default vlan 20

#

interface GigabitEthernet0/0/24

port link-type access

port default vlan 200

#

interface LoopBack0

ip address 1.1.1.1 255.255.255.255

#

ospf 1 router-id 1.1.1.1

silent-interface Vlanif10

silent-interface Vlanif20

area 0.0.0.0

network 1.1.1.1 0.0.0.0

network 192.168.10.0 0.0.0.255

network 192.168.20.0 0.0.0.255

network 192.168.200.0 0.0.0.255

#

ip route-static 0.0.0.0 0.0.0.0 192.168.200.2

防火墙配置：

interface GigabitEthernet1/0/0

undo shutdown

ip address 192.168.200.2 255.255.255.0

#

interface GigabitEthernet1/0/1

undo shutdown

ip address 192.168.100.2 255.255.255.0

#

interface GigabitEthernet1/0/6

undo shutdown

ip address 172.16.1.254 255.255.255.0

#

interface LoopBack0

ip address 2.2.2.2 255.255.255.255

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/0

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/1

#

firewall zone dmz

set priority 50

add interface GigabitEthernet1/0/6

#

ospf 1 router-id 2.2.2.2

area 0.0.0.0

network 172.16.1.0 0.0.0.255

network 192.168.100.0 0.0.0.255

network 192.168.200.0 0.0.0.255

#

ip route-static 0.0.0.0 0.0.0.0 192.168.100.1

#

security-policy

rule name trust-untrust

source-zone trust

destination-zone untrust

source-address 192.168.10.1 mask 255.255.255.255

source-address 192.168.20.0 mask 255.255.255.0

action permit

rule name trust-dmz

source-zone trust

destination-zone dmz

source-address 192.168.20.0 mask 255.255.255.0

action permit

rule name untrust-dmz

source-zone untrust

destination-zone dmz

destination-address 172.16.1.1 mask 255.255.255.255

action permit

#

路由器配置：

acl number 2000

rule 10 permit source 192.168.10.0 0.0.0.255

rule 15 permit source 192.168.20.0 0.0.0.255

rule 20 permit source 172.16.1.1 0

#

firewall zone Local

priority 15

#

interface GigabitEthernet0/0/0

ip address 192.168.100.1 255.255.255.0

#

interface GigabitEthernet0/0/1

ip address 202.1.1.1 255.255.255.0

nat server protocol tcp global current-interface 8080 inside 172.16.1.1 www

nat outbound 2000

#

interface LoopBack0

ip address 3.3.3.3 255.255.255.255

#

ospf 1 router-id 3.3.3.3

area 0.0.0.0

network 192.168.100.0 0.0.0.255

#

ip route-static 0.0.0.0 0.0.0.0 202.1.1.2

验证配置:

mawr1985