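Connecting a Layer 3 switch to a firewall for Internet access
I. Switch configuration
1. Configure the user-facing interfaces and the VLANIF interfaces.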
<Huawei>system-view
[Huawei]vlan batch 2 3 100
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]interface g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]quit
[Huawei]interface vlanif 2
[Huawei-Vlanif2]ip address 192.168.2.1 24
[Huawei-Vlanif2]quit
[Huawei]interface vlanif 3
[Huawei-Vlanif3]ip address 192.168.3.1 24
[Huawei-Vlanif3]quit


2. Configure the interface facing the firewall and its VLANIF interface.
3. Configure the static route.
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 100
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]interface vlanif 100
[Huawei-Vlanif100]ip address 192.168.100.2 24
[Huawei-Vlanif100]quit
[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1

4. Configure the DHCP server.
[Huawei]dhcp enable
[Huawei]interface vlanif 2
[Huawei-Vlanif2]dhcp select interface
[Huawei-Vlanif2]dhcp server dns-list 114.114.114.114
[Huawei-Vlanif2]quit
[Huawei]interface vlanif 3
[Huawei-Vlanif3]dhcp select interface
[Huawei-Vlanif3]dhcp server dns-list 114.114.114.114
[Huawei-Vlanif3]quit

II. Firewall configuration
1. Configure the port facing the switch and its IP address.
<SRG>system-view
[SRG]interface g0/0/1
[SRG-GigabitEthernet0/0/1]ip address 192.168.100.1 24
[SRG-GigabitEthernet0/0/1]quit

2. Configure the public-facing interface and its IP address.
3. Configure the default route and the return routes.
<SRG>sys
[SRG]interface g0/0/2
[SRG-GigabitEthernet0/0/2]ip address 200.0.0.2 24
[SRG-GigabitEthernet0/0/2]quit
[SRG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
[SRG]ip route-static 192.168.2.0 255.255.255.0 192.168.100.2
[SRG]ip route-static 192.168.3.0 255.255.255.0 192.168.100.2

4. Configure NAT.
[SRG]nat address-group 1 200.0.0.2 200.0.0.2
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
[SRG]

5. Configure the security zones and the interzone policy.
[SRG]firewall zone trust
[SRG-zone-trust]add interface g0/0/1
[SRG-zone-trust]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface g0/0/2
[SRG-zone-untrust]quit
[SRG]firewall packet-filter default permit all
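
The firewall's return routes and NAT source range have to line up with the user subnets behind the switch, and `firewall packet-filter default permit all` leaves every interzone direction open, inbound from untrust included. The following is an added example, not part of the original page: a Python check over the firewall lines above that reports those points; the function names and finding labels are hypothetical.

```python
import ipaddress
import re

# Firewall lines copied from this page's transcript (prompts included).
FIREWALL_CFG = """\
[SRG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
[SRG]ip route-static 192.168.2.0 255.255.255.0 192.168.100.2
[SRG]ip route-static 192.168.3.0 255.255.255.0 192.168.100.2
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG]firewall packet-filter default permit all
"""
USER_SUBNETS = ["192.168.2.0/24", "192.168.3.0/24"]  # Vlanif2 / Vlanif3 on the switch
SWITCH_NEXT_HOP = "192.168.100.2"                     # Vlanif100 on the switch


def wildcard_to_network(addr, wildcard):
    """Turn an 'address wildcard' pair (inverse mask) into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")


def audit(cfg, user_subnets, next_hop):
    """Return a list of findings (hypothetical labels) for a pasted transcript."""
    users = [ipaddress.ip_network(s) for s in user_subnets]
    routes, nat_sources, findings = [], [], []
    for raw in cfg.splitlines():
        line = re.sub(r"^\s*[\[<][^\]>]*[\]>]", "", raw).strip()  # drop CLI prompt
        if m := re.fullmatch(r"ip route-static (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif m := re.fullmatch(r"policy source (\S+) (\S+)", line):
            nat_sources.append(wildcard_to_network(m[1], m[2]))
        elif line == "firewall packet-filter default permit all":
            findings.append("default-permit-all")  # every interzone direction is open
    for net in users:
        if not any(dst == net and hop == next_hop for dst, hop in routes):
            findings.append(f"no-return-route:{net}")  # replies would follow the default route
        if not any(net.subnet_of(src) for src in nat_sources):
            findings.append(f"not-translated:{net}")
    for src in nat_sources:
        covered = sum(n.num_addresses for n in users if n.subnet_of(src))
        if covered < src.num_addresses:  # policy matches addresses no user subnet owns
            findings.append(f"nat-source-wider-than-users:{src}")
    return findings


if __name__ == "__main__":
    for finding in audit(FIREWALL_CFG, USER_SUBNETS, SWITCH_NEXT_HOP):
        print(finding)
```

For the configuration on this page the routes and NAT coverage check out; the two findings are the default-permit setting and the NAT source 192.168.0.0 0.0.255.255, which matches the whole 192.168.0.0/16 range rather than only the two user subnets.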
