Huawei Firewall Lab Document


Part 1: Basic Huawei Firewall Initialization

LAB1 Subinterface Initialization

1. Lab Topology

2. Basic Configuration

SW:

[SW]vlan 2
[SW-vlan2]description Untrust
[SW-vlan2]vlan 3
[SW-vlan3]description Trust
[SW-vlan3]vlan 4
[SW-vlan4]description DMZ
[SW]int g0/0/8
[SW-GigabitEthernet0/0/8]port link-type access
[SW-GigabitEthernet0/0/8]port default vlan 3
[SW-GigabitEthernet0/0/8]int g0/0/3
[SW-GigabitEthernet0/0/3]port link-type access
[SW-GigabitEthernet0/0/3]port default vlan 3
[SW]int g0/0/9
[SW-GigabitEthernet0/0/9]port link-type trunk
[SW-GigabitEthernet0/0/9]port trunk allow-pass vlan 1 2 4
[SW]int g0/0/1
[SW-GigabitEthernet0/0/1]port link-type access
[SW-GigabitEthernet0/0/1]port default vlan 2
[SW-GigabitEthernet0/0/1]int g0/0/2
[SW-GigabitEthernet0/0/2]port link-type access
[SW-GigabitEthernet0/0/2]port default vlan 4

3. Firewall Configuration

system-view
Enter system view, return user view with Ctrl+Z.
[SRG]
[SRG]sysname HWFW
[HWFW]int g0/0/0
[HWFW-GigabitEthernet0/0/0]alias Trust === configure the interface description
[HWFW-GigabitEthernet0/0/0]ip add 192.168.1.10 24
[HWFW]int g0/0/1.2
[HWFW-GigabitEthernet0/0/1.2]vlan-type dot1q 2 ==== 802.1Q VLAN encapsulation
[HWFW-GigabitEthernet0/0/1.2]alias Untrust
[HWFW-GigabitEthernet0/0/1.2]ip add 202.100.1.10 24
[HWFW-GigabitEthernet0/0/1.2]interface GigabitEthernet0/0/1.4
[HWFW-GigabitEthernet0/0/1.4]alias DMZ
[HWFW-GigabitEthernet0/0/1.4]vlan-type dot1q 4
[HWFW-GigabitEthernet0/0/1.4]ip add 172.16.1.10 24

Test:

[HWFW]ping -c 2 192.168.1.1
19:26:33 2014/05/26
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=580 ms

[HWFW]ping -c 2 202.100.1.1
19:26:55 2014/05/26
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out

[HWFW]ping -c 2 172.16.1.1
19:27:14 2014/05/26
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out

Why can the firewall not reach its directly connected neighbours? Because by default traffic between different zones is not permitted, and so far only GigabitEthernet0/0/0 has been placed in a zone, as the current configuration shows:

[HWFW]display current-configuration
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0

For testing, the firewall's other two interfaces can be placed in the same zone:

[HWFW]firewall zone trust
[HWFW-zone-trust]add interface g0/0/1.2
[HWFW-zone-trust]add interface GigabitEthernet0/0/1.4

[HWFW]ping -c 2 202.100.1.1
19:32:39 2014/05/26
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=255 time=700 ms
--- 202.100.1.1 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/385/700 ms

[HWFW]ping -c 2 172.16.1.1
19:32:45 2014/05/26
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=255 time=560 ms
--- 172.16.1.1 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/315/560 ms
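The two states this lab passes through (subinterfaces in no zone, then Untrust and DMZ interfaces parked in zone trust for testing) are both things a reviewer wants to spot in a saved configuration. The following Python audit is an added example, not part of the original lab or of Huawei's tooling; the config text it scans is constructed to mirror the lab's `display current-configuration` output after the testing shortcut, and the check rests only on the `interface`, `alias`, `ip address` and `firewall zone ... add interface` lines shown in this lab.

```python
from typing import Dict, List

# Constructed sample in the style of the lab's `display current-configuration`,
# reflecting the state after both subinterfaces were added to zone trust.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 alias Trust
 ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet0/0/1.2
 vlan-type dot1q 2
 alias Untrust
 ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet0/0/1.4
 vlan-type dot1q 4
 alias DMZ
 ip address 172.16.1.10 255.255.255.0
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1.2
 add interface GigabitEthernet0/0/1.4
"""


def audit_zones(config: str) -> Dict[str, List[str]]:
    """Report "unzoned": IP-bearing interfaces in no security zone (the state
    behind the failed pings), and "alias_mismatch": interfaces whose alias
    disagrees with the zone they sit in (what the testing shortcut produces)."""
    alias, has_ip, zone_of = {}, set(), {}
    context = None  # ("interface", name) or ("zone", name) for the current stanza
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line == "#":
            context = None
        elif words[0] == "interface":
            context = ("interface", words[1])
        elif words[:2] == ["firewall", "zone"]:
            context = ("zone", words[2])
        elif context and context[0] == "interface":
            if words[0] == "alias":
                alias[context[1]] = words[1]
            elif words[:2] == ["ip", "address"]:
                has_ip.add(context[1])
        elif context and context[0] == "zone" and words[:2] == ["add", "interface"]:
            zone_of[words[2]] = context[1]
    unzoned = sorted(i for i in has_ip if i not in zone_of)
    mismatched = sorted(i for i, z in zone_of.items()
                        if i in alias and alias[i].lower() != z.lower())
    return {"unzoned": unzoned, "alias_mismatch": mismatched}
```

Running `audit_zones(SAMPLE_CONFIG)` flags both subinterfaces as alias mismatches; removing their two `add interface` lines from the sample reproduces the earlier state, where the same two interfaces are reported as unzoned.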
