
5 - Huawei Firewall: Differences in Security Policy Configuration for Layer 2 and Layer 3 Access

Published: 2020-07-20 02:05:18 Source: Network Views: 5099 Author: 第七感 Category: Security Technology

I. Lab topology: [figure: Huawei firewall, security policy configuration differences between Layer 2 and Layer 3 access]

II. Lab requirements:
1. Internal network: interface G0/0/2, which connects to R2, is a Layer 3 interface; all other interfaces are Layer 2 interfaces. R1, R2 and R3 each have a default route pointing to the USG.
2. Create VLAN 10 and VLAN 202 on the USG, assign G0/0/0 to VLAN 202 and G0/0/1 to VLAN 10.
3. Deploy Policy 0: permit ICMP traffic from Trust to Untrust; deploy Policy 1: permit ICMP traffic from DMZ to Untrust (outbound).
4. Can R3 ping R1? Can R2 ping R1?
III. Command deployment:
1. Router interface addresses are omitted; the default routes are:
[R1]ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
[R2]ip route-static 0.0.0.0 0.0.0.0 192.168.1.10
[R3]ip route-static 0.0.0.0 0.0.0.0 10.1.1.10
2. USG configuration:
(1) Interface configuration:
[SRG]int g0/0/0
[SRG-GigabitEthernet0/0/0]portswitch
[SRG-GigabitEthernet0/0/0]port access vlan 202

[SRG]int g0/0/1
[SRG-GigabitEthernet0/0/1]portswitch
[SRG-GigabitEthernet0/0/1]port access vlan 10

[SRG]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 192.168.1.10 24
Verify:
[SRG-GigabitEthernet0/0/0]display this // once portswitch is entered, the port defaults to access mode
portswitch
port link-type access
[SRG]display ip int bri // G0/0/0 and G0/0/1 no longer appear as IP interfaces

Create the VLANs:
[SRG]vlan 10
[SRG-vlan-10]vlan 202
Configure the VLANIF addresses:
[SRG]int vlanif 202
[SRG-Vlanif202]ip add 202.100.1.10 24
[SRG]int Vlanif 10
[SRG-Vlanif10]ip add 10.1.1.10 24
Verify:
[SRG]display ip interface brief // the VLANIF addresses now appear

Remove the original physical interfaces from their zones:
[SRG]firewall zone untrust
[SRG-zone-untrust]undo add int g0/0/0
[SRG]firewall zone dmz
[SRG-zone-dmz]undo add int g0/0/1
劃分VLAN到不通區(qū)域:
[SRG]firewall zone untrust
[SRG-zone-untrust]add int g0/0/0
[SRG]firewall zone dmz
[SRG-zone-dmz]add int Vlanif 10
Test:
[SRG]ping 202.100.1.1 // reachable
[SRG]ping 10.1.1.3 // reachable
(2) Deploy Policy 1: permit ICMP traffic from DMZ to Untrust (outbound)
[SRG]ip service-set aaa type object
[SRG-object-service-set-aaa]service protocol icmp

[SRG]policy interzone dmz untrust outbound
[SRG-policy-interzone-dmz-untrust-outbound]policy 1
[SRG-policy-interzone-dmz-untrust-outbound-1]policy source 10.1.1.0 mask 24
[SRG-policy-interzone-dmz-untrust-outbound-1]policy destination 202.100.1.0 mask 24
[SRG-policy-interzone-dmz-untrust-outbound-1]policy service service-set aaa
[SRG-policy-interzone-dmz-untrust-outbound-1]action permit
(3) Deploy Policy 0: permit ICMP traffic from Trust to Untrust (outbound)
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy 0
[SRG-policy-interzone-trust-untrust-outbound-0]policy source 192.168.1.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-0]policy destination 202.100.1.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-0]policy service service-set aaa
[SRG-policy-interzone-trust-untrust-outbound-0]action permit
Test:
[R2]ping 202.100.1.1
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=5 ttl=254 time=40 ms
The resulting behaviour is affected accordingly.
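To make the interzone policy matching above concrete, here is an added Python model of the lab (example code, not from the original post or from Huawei). It assumes Huawei's default zone priorities (local 100, trust 85, dmz 50, untrust 5) to decide which direction ("outbound") a flow belongs to, and it maps an address to a zone by the subnet of the interface that was added to that zone, which is a simplification of the device's interface-based zone lookup; R2's address 192.168.1.1 is a constructed sample value.

```python
import ipaddress

# Constructed model of the lab above (not Huawei code): zone priorities are
# Huawei defaults (assumed); interfaces, subnets and policies follow the post.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# interface -> (configured subnet, zone it was added to)
INTERFACES = {
    "Vlanif202": ("202.100.1.0/24", "untrust"),
    "Vlanif10": ("10.1.1.0/24", "dmz"),
    "GigabitEthernet0/0/2": ("192.168.1.0/24", "trust"),
}

SERVICE_SETS = {"aaa": {"icmp"}}  # ip service-set aaa type object

POLICIES = {  # (zone1, zone2, direction) -> ordered rules, as entered on the USG
    ("trust", "untrust", "outbound"): [{"id": 0, "src": "192.168.1.0/24",
        "dst": "202.100.1.0/24", "service": "aaa", "action": "permit"}],
    ("dmz", "untrust", "outbound"): [{"id": 1, "src": "10.1.1.0/24",
        "dst": "202.100.1.0/24", "service": "aaa", "action": "permit"}],
}


def lookup_zone(ip):
    """Zone of the interface whose subnet contains ip (None if no match)."""
    addr = ipaddress.ip_address(ip)
    for subnet, zone in INTERFACES.values():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return None


def evaluate(src_ip, dst_ip, proto):
    """Return (verdict, policy id); no matching rule means the implicit deny."""
    src_zone, dst_zone = lookup_zone(src_ip), lookup_zone(dst_ip)
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        return "deny", None
    # outbound = from the higher-priority zone towards the lower-priority one
    if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone]:
        key = (src_zone, dst_zone, "outbound")
    else:
        key = (dst_zone, src_zone, "inbound")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in POLICIES.get(key, []):
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and proto in SERVICE_SETS[rule["service"]]):
            return rule["action"], rule["id"]
    return "deny", None
```

Running evaluate("192.168.1.1", "202.100.1.1", "icmp") returns the permit from Policy 0, while the same flow with "tcp", or an ICMP echo initiated from the Untrust side, falls to the implicit deny because only the outbound direction has a rule.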
