Lab requirements:
A company network has two Layer 3 switches. A USG firewall now needs to be inserted between the L3 switches and the egress router. To keep configuration simple, the firewall is to be deployed in transparent mode, added to the existing network and used purely as a firewall.
Lab objective:
Observe the difference between a firewall in transparent mode and a Layer 2 switch.
Lab approach:
1. PCs, subnet division and Layer 2 switching (configuration omitted here).
2. Connect the two L3 switches first through the USG firewall and then through a dumb (unmanaged) switch, and test the difference.
3. The interfaces between the L3 switches are virtual interfaces (vlanif): vlanif300 when the FW sits between them, vlanif301 when the dumb switch does. OSPF provides Layer 3 reachability between the switches.
Configuration:
FW transparent-mode configuration:
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]int gi 1/0/0
[USG6000V1-GigabitEthernet1/0/0]portswitch
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]
Aug 20 2020 02:04:30 USG6000V1 %%01PHY/4/STATUSUP(l)[3]:GigabitEthernet1/0/0 changed status to up.
[USG6000V1]un in en
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int gi 1/0/1
[USG6000V1-GigabitEthernet1/0/1]portswitch
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int gi 1/0/0
[USG6000V1-zone-trust]add int gi 1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]int gi 0/0/0
[USG6000V1-GigabitEthernet0/0/0]portswitch
^
Error: Unrecognized command found at '^' position.
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]int gi 1/0/2
[USG6000V1-GigabitEthernet1/0/2]portswitch
[USG6000V1-GigabitEthernet1/0/2]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add int gi 1/0/2
[USG6000V1-zone-untrust]q
[USG6000V1]vlan 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[USG6000V1-vlan300]q
[USG6000V1]int vlanif 300
[USG6000V1-Vlanif300]ip addr 192.168.200.3 29
L3 switch configuration when the FW sits between the L3 switches:
LSW1 configuration (LSW2 is configured similarly):
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L3-SW-1
[L3-SW-1]int gi 0/0/2
[L3-SW-1-GigabitEthernet0/0/2]port link-type trunk
[L3-SW-1-GigabitEthernet0/0/2]port trunk allow-pass vlan 1081
[L3-SW-1-GigabitEthernet0/0/2]int gi 0/0/3
[L3-SW-1-GigabitEthernet0/0/3]port link-type trunk
[L3-SW-1-GigabitEthernet0/0/3]port trunk allow-pass vlan 1082
[L3-SW-1-GigabitEthernet0/0/3]int gi 0/0/1
[L3-SW-1-GigabitEthernet0/0/1]port link-type access
[L3-SW-1-GigabitEthernet0/0/1]q
[L3-SW-1]vlan 300
[L3-SW-1-vlan300]int vlanif 300
[L3-SW-1-Vlanif300]ip addr 192.168.200.2 29
[L3-SW-1-Vlanif300]q
[L3-SW-1]int gi 0/0/1
[L3-SW-1-GigabitEthernet0/0/1]port link-type access
[L3-SW-1-GigabitEthernet0/0/1]port default vlan 300
[L3-SW-1-GigabitEthernet0/0/1]q
[L3-SW-1]
[L3-SW-1]vlan batch 1081 1082
Info: This operation may take a few seconds. Please wait for a moment...done.
[L3-SW-1]int vlanif 1081
[L3-SW-1-Vlanif1081]ip addr 10.180.108.1 25
[L3-SW-1-Vlanif1081]int vlanif 1082
[L3-SW-1-Vlanif1082]ip addr 10.180.108.130 25
[L3-SW-1-Vlanif1082]
[L3-SW-1]ospf 1 router-id 2.2.2.2
[L3-SW-1-ospf-1]area 0
[L3-SW-1-ospf-1-area-0.0.0.0]network 10.180.108.1 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]network 10.180.108.130 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]network 192.168.200.2 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]q
[L3-SW-1-ospf-1]silent-interface all
[L3-SW-1-ospf-1]undo silent-interface vlanif 300
[L3-SW-1-ospf-1]area 0
[L3-SW-1-ospf-1-area-0.0.0.0]undo network 192.168.200.2 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]network 192.168.200.2 0.0.0.7
[L3-SW-1-ospf-1-area-0.0.0.0]q
[L3-SW-1-ospf-1]q
[L3-SW-1]dis ospf peer
OSPF Process 1 with Router ID 2.2.2.2
[L3-SW-1]dis ospf routing
OSPF Process 1 with Router ID 2.2.2.2
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.180.108.0/25 1 Stub 10.180.108.1 2.2.2.2 0.0.0.0
10.180.108.128/25 1 Stub 10.180.108.130 2.2.2.2 0.0.0.0
192.168.200.0/29 1 Stub 192.168.200.2 2.2.2.2 0.0.0.0
When the USG firewall (transparent mode) sits between the two L3 switches, OSPF cannot discover any neighbor, so the two L3 switches cannot communicate.
But I had heard that a USG firewall in transparent mode is equivalent to a switch, so I added a switch and configured the interfaces connecting to it with vlanif 301: 192.168.201.2 or 4 /29.
The additional configuration is as follows:
[L3-SW-1]vlan 301
[L3-SW-1-vlan301]int vlanif 301
[L3-SW-1-Vlanif301]ip addr 192.168.201.2 29
[L3-SW-1-Vlanif301]q
[L3-SW-1]int gi 0/0/4
[L3-SW-1-GigabitEthernet0/0/4]port link-type access
[L3-SW-1-GigabitEthernet0/0/4]port default vlan 301
[L3-SW-1-GigabitEthernet0/0/4]q
[L3-SW-1-ospf-1-area-0.0.0.0]network 192.168.201.0 0.0.0.7
[L3-SW-1-ospf-1-area-0.0.0.0]q
[L3-SW-1-ospf-1]dis th
#
ospf 1 router-id 2.2.2.2
silent-interface all
undo silent-interface Vlanif300
area 0.0.0.0
network 10.180.108.1 0.0.0.0
network 10.180.108.130 0.0.0.0
network 192.168.200.0 0.0.0.7
network 192.168.201.0 0.0.0.7
#
return
[L3-SW-1-ospf-1]undo silent-interface Vlanif301
[L3-SW-1-GigabitEthernet0/0/4]dis ospf peer
OSPF Process 1 with Router ID 2.2.2.2
Neighbors
Area 0.0.0.0 interface 192.168.201.2(Vlanif301)'s neighbors
Router ID: 4.4.4.4 Address: 192.168.201.4
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.201.2 BDR: 192.168.201.4 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:00:43
Authentication Sequence: [ 0 ]
I don't know why the firewall's transparent mode doesn't let traffic pass straight through, even with both interfaces in trust. Why???
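The two `dis ospf peer` outputs above (empty through the USG, Full through the dumb switch) are exactly what an adjacency check should catch automatically. The following is an added example, not part of the original lab notes: it parses Huawei `display ospf peer` output as shown on this page and reports interfaces whose expected neighbor is missing or not Full. The sample outputs are constructed from the captures above; the expected-neighbor map is an assumption.

```python
import re

# Constructed samples modelled on the two captures in the notes: the first taken with the
# transparent-mode USG between the switches (no neighbors at all), the second via the dumb switch.
PEER_OUTPUT_VIA_FW = "OSPF Process 1 with Router ID 2.2.2.2\n"

PEER_OUTPUT_VIA_SWITCH = """OSPF Process 1 with Router ID 2.2.2.2
 Neighbors

 Area 0.0.0.0 interface 192.168.201.2(Vlanif301)'s neighbors
 Router ID: 4.4.4.4          Address: 192.168.201.4
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 192.168.201.2  BDR: 192.168.201.4  MTU: 0
   Dead timer due in 36  sec
   Retrans timer interval: 5
   Neighbor is up for 00:00:43
   Authentication Sequence: [ 0 ]
"""

IFACE_RE = re.compile(r"interface (\S+)\((\S+)\)'s neighbors")  # "...(Vlanif301)'s neighbors"
NBR_RE = re.compile(r"Router ID:\s*(\S+)\s+Address:\s*(\S+)")    # needs the colon, so the
STATE_RE = re.compile(r"State:\s*(\w+)")                           # process header never matches


def parse_ospf_peers(text):
    """Return {interface: [(router_id, address, state), ...]} from `display ospf peer` output."""
    peers, iface, current = {}, None, None
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            iface = m.group(2)             # e.g. Vlanif301
            peers.setdefault(iface, [])
            continue
        m = NBR_RE.search(line)
        if m and iface is not None:        # a neighbor block under the current interface
            current = [m.group(1), m.group(2), None]
            peers[iface].append(current)
            continue
        m = STATE_RE.search(line)
        if m and current is not None:      # State line belongs to the last neighbor seen
            current[2] = m.group(1)
    return {k: [tuple(v) for v in vs] for k, vs in peers.items()}


def check_adjacencies(text, expected):
    """expected = {interface: neighbor router-id}; returns a list of problems (empty = healthy)."""
    peers, problems = parse_ospf_peers(text), []
    for iface, rid in expected.items():
        found = [p for p in peers.get(iface, []) if p[0] == rid]
        if not found:
            problems.append(f"{iface}: no adjacency with {rid}")
        elif found[0][2] != "Full":
            problems.append(f"{iface}: neighbor {rid} stuck in {found[0][2]}")
    return problems
```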