防火墙板卡路由改透明
- 0关注
- 1收藏,920浏览
问题描述:
配置文档看有没有问题 参考文档
组网及组网描述:
[H3C]display current-configuration # version 7.1.064, Release 8524P28 # sysname H3C # context Admin id 1 # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # ip unreachables enable ip ttl-expires enable # password-recovery enable # vlan 1 # vlan 20 # object-group ip address waiwang 0 network subnet 10.0.0.0 255.0.0.0 # bridge 1 inter-vlan add vlan 10 110 # interface NULL0 # interface GigabitEthernet1/0/1 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface Ten-GigabitEthernet1/0/3 port link-mode route # interface Ten-GigabitEthernet1/0/4 port link-mode route # interface Ten-GigabitEthernet1/0/1 port link-mode bridge port link-type trunk port trunk permit vlan all # interface Ten-GigabitEthernet1/0/2 port link-mode bridge port link-type trunk port trunk permit vlan all # object-policy ip Trust-Untrust rule 0 pass # security-zone name Local # security-zone name Trust import interface Ten-GigabitEthernet1/0/2 vlan 1 to 4094 # security-zone name DMZ # security-zone name Untrust import interface Ten-GigabitEthernet1/0/1 vlan 1 to 4094 # security-zone name Management import interface GigabitEthernet1/0/1 # zone-pair security source Local destination Trust packet-filter 2002 # zone-pair security source Local destination Untrust packet-filter 2002 # zone-pair security source Trust destination Local packet-filter 2002 # zone-pair security source Trust destination Trust packet-filter 2002 # zone-pair security source Trust destination Untrust object-policy apply ip Trust-Untrust packet-filter 2002 # zone-pair security source Untrust destination Local packet-filter 2002 # zone-pair security source Untrust destination Untrust packet-filter 2002 # scheduler logfile size 16 # line class aux user-role network-operator # line class console authentication-mode scheme user-role network-admin # line class vty user-role network-operator # line aux 0 authentication-mode none user-role network-admin # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-admin # info-center source FILTER logfile deny # ssh server enable # acl basic 2002 rule 0 permit # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ== service-type ssh terminal https authorization-attribute user-role level-3 authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user wzds class manage password hash $h$6$T7J7VBlC7Ohu5mIw$tzunpFpC2AaFatXJUsx3r+0JyZoFVk02lY6BetWdPr99A3Wp0HiLFo+jMnn/egLLreEtYoN98wtXgztwGhE/Rw== service-type ssh terminal https authorization-attribute work-directory slot1#sda0: authorization-attribute user-role network-admin # session top-statistics enable # ipsec logging negotiation enable # ike logging negotiation enable # ip https enable webui log enable # inspect logging parameter-profile av_logging_default_parameter # inspect logging parameter-profile ips_logging_default_parameter # inspect logging parameter-profile url_logging_default_parameter # loadbalance isp file sda0:/lbispinfo_v1.5.tp # user-identity online-user-name-match without-domain # security-policy ip rule 12 name Any→Any_12_IPv4 action pass # ips logging parameter-profile ips_logging_default_parameter # anti-virus logging parameter-profile av_logging_default_parameter # return [H3C]
- 2021-04-24提问
- 举报
-
(0)
最佳答案
防火墙透明部署案例
目录
1 配置需求或说明
1.1 适用的产品系列
本案例适用于软件平台为Comware V7系列防火墙:F100-X-G2、F1000-X-G2、F100-WiNet、F1000-AK、F10X0等
注:本案例是在F100-C-G2的Version 7.1.064, Release 9510P08版本上进行配置和验证的。
1.2 配置需求
如下组网图所示,在原有的网络中增加防火墙来提高网络安全性,但又不想对原有网络配置进行改动,所以需要防火墙采用透明模式部署;其中GigabitEthernet 1/0/1接口接原有路由器的下联口,GigabitEthernet 1/0/3接口接原有的交换机上联口。
2 组网图
3 配置步骤
3.1配置连接路由器接口
#把1/0/1端口设置成二层模式
<H3C>system-view
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]port link-mode bridge
[H3C-GigabitEthernet1/0/1]quit
#将1/0/1端口加入到Untrust域
[H3C]security-zone name Untrust
[H3C-security-zone-Untrust]import interface GigabitEthernet1/0/1 vlan 1 to 4094
[H3C-security-zone-Untrust]quit
3.2配置连接核心交换机接口
#把1/0/3端口设置成二层模式
[H3C]interface GigabitEthernet 1/0/3
[H3C-GigabitEthernet1/0/3]port link-mode bridge
[H3C-GigabitEthernet1/0/3]quit
#将1/0/3端口加入到Trust域
[H3C]security-zone name Trust
[H3C-security-zone-Trust]import interface GigabitEthernet1/0/3 vlan 1 to 4094
[H3C-security-zone-Trust]quit
3.3配置连接核心交换机接口
#创建允许Trust访问Untrust的对象策略及规则
[H3C]object-policy ip Trust-Untrust
[H3C-object-policy-ip-Trust-Untrust]rule pass
[H3C-object-policy-ip-Trust-Untrust]quit
#放通源为Trust域,目的为Untrust的数据
[H3C]zone-pair security source Trust destination Untrust
[H3C-zone-pair-security-Trust-Untrust]object-policy apply ip Trust-Untrust
[H3C-zone-pair-security-Trust-Untrust]quit
3.4保存配置
[H3C]save force
3.5查看与验证
- 2021-04-24回答
- 评论(2)
- 举报
-
(0)
您好,请知:
防火墙使用透明模式,以下是部署要点,请参考:
1、防火墙内需要创建相应的VLAN,用于给上行设备和下行设备的互联使用,如果不确定,可以dis vlan命令确认是否已创建了相应互联使用的VLAN。
2、其次防火墙的物理端口需要修改为二层的桥模式,以下是参考命令:
int gi 1/0/1
port link-mode bridge
quit
3、防火墙的接口如果要透传多个VLAN通过,需开启trunk,并trunk vlan通过,以下是参考命令:
int gi 1/0/1
port link-type trunk
port trunk permit vlan all
quit
4、防火墙上涉及到的物理端口、VLAN需要加入安全域并放通安全策略或域间策略
- 2021-04-24回答
- 评论(1)
- 举报
-
(0)
直接接口不能转发吗?还是必须用vlan
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
就是按照这个配的 不通
vlan接口有没有加入到安全域呢