
Firewall F1000-C8110

Asked 2023-09-04 by 刘朋
0 follows, 0 favorites, 934 views

Problem description:

How do I configure internet access for the VLANs?

Topology and description:

Firewall - core switch - access switch

Best answer

The firewall does not distinguish LAN from WAN. Just add the interfaces to security zones as usual and permit the traffic with a security policy.

4 answers

Permit the VLANs as usual, get the routing working, configure NAT on the firewall's external-facing interface, and permit the traffic between security zones; that is all it takes.


刘朋 (the asker):

#
version 7.1.064, Release 9524P22
#
sysname kerren firewall
#
clock timezone Beijing add 08:00:00
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
nat address-group 1 name 非信任外网
address 192.168.3.1 192.168.4.1
#
nat log enable
#
dhcp enable
#
dns proxy enable
dns server 114.114.114.114
dns server 202.96.64.68
#
password-recovery enable
#
vlan 1
#
vlan 10
description 办公
#
vlan 20
description 办公网络
#
vlan 200
description 公寓网络
#
vlan 984
description He-xin-jing-xiang
#
object-group ip address 10.0.11.1主楼电视盒
0 network subnet 10.0.11.0 255.255.255.0
#
object-group ip address 10.100.120.8
0 network host address 10.100.120.8
#
object-group ip address ewr
security-zone Untrust
0 network subnet 192.168.2.0 255.255.254.0
#
object-group ip address "vlan 20"
security-zone Trust
0 network subnet 10.11.20.0 255.255.255.0
#
object-group ip address VLAN20和200
security-zone Trust
0 network subnet 10.11.20.0 255.255.255.0
10 network subnet 10.11.200.0 255.255.255.0
#
object-group ip address 办公网
security-zone Trust
0 network subnet 10.11.20.0 255.255.255.0
10 network subnet 10.11.200.0 255.255.255.0
#
object-group ip address 保障10.0.32.0
0 network subnet 10.0.32.0 255.255.255.0
#
object-group ip address 出口192.168.10.22
#
object-group ip address 内网
0 network subnet 172.16.15.0 255.255.255.0
#
object-group ip address 内网1
security-zone Trust
0 network subnet 172.16.15.0 255.255.255.0
#
object-group ip address 限制全部P2P
0 network subnet 0.0.0.0 0.0.0.0
#
object-group ip address 信锐无线AP
0 network subnet 192.168.100.0 255.255.255.0
#
object-group service 111
description 111
0 service tcp destination eq 443
#
dhcp server ip-pool 办公网VLAN20
gateway-list 10.11.20.1
network 10.11.20.0 mask 255.255.255.0
dns-list 114.114.114.114
#
dhcp server ip-pool 办公网VLAN200
gateway-list 10.11.200.1
network 10.11.200.0 mask 255.255.255.0
dns-list 114.114.114.114
#
dhcp server ip-pool 不信任外网
gateway-list 192.168.3.1
network 192.168.2.0 mask 255.255.254.0
dns-list 114.114.114.114
#
dhcp server ip-pool 内网
gateway-list 172.16.10.1
network 172.16.10.0 mask 255.255.255.0
dns-list 114.114.114.114
#
controller Cellular1/0/0
#
interface NULL0
#
interface Vlan-interface20
ip address 10.11.20.1 255.255.255.0
nat outbound
gateway 10.11.20.254
#
interface Vlan-interface200
ip address 10.11.200.1 255.255.255.0
nat outbound
gateway 10.11.200.254
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description GuideWan Interface
bandwidth 100000000
ip address 192.168.10.23 255.255.255.0
nat outbound description GuideNat
gateway 192.168.10.1
#
interface GigabitEthernet1/0/2
port link-mode route
duplex full
ip address 172.16.10.1 255.255.254.0
ip last-hop hold
#
interface GigabitEthernet1/0/3
port link-mode route
description kereen
bandwidth 400000
ip address 192.168.3.1 255.255.254.0
ip last-hop hold
#
interface GigabitEthernet1/0/4
port link-mode bridge
bandwidth 400000000
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
port trunk pvid vlan 20
duplex full
#
interface GigabitEthernet1/0/5
port link-mode bridge
description VLAN10,20,200
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 20
#
interface GigabitEthernet1/0/6
port link-mode bridge
#
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 984
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface Vlan-interface20
import interface Vlan-interface200
import interface GigabitEthernet1/0/4 vlan 1 to 4094
import interface GigabitEthernet1/0/5 vlan 1 to 4094
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name Mirror
import interface GigabitEthernet1/0/7 vlan 984
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 24 192.168.10.23
#
snmp-agent
snmp-agent local-engineid 800063A28080E455686E0500000001
snmp-agent community read admin
snmp-agent community write keree
snmp-agent sys-info location 机房
snmp-agent sys-info version v3
#
ssh server enable
#
acl basic 2000
rule 0 permit
rule 5 permit source 0.0.2.1 255.255.25.252
rule 10 permit source 0.0.0.22 255.255.255.0
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$0JITFBDTcVpmgIaC$uwt/xUo/+vIFB1QNP3yfU3ZCG22k3CrgHLC4izH28/LdNKQ44jqImmNnvs+hjv+nxgsjZpLxhpUNtasj+1bFjg==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec logging negotiation enable
#
app-group 保障10.0.12.20,10.0.12.28,10.0.12.38
description 保障所有
include application BaoFeng
include application BitTorrent
include application eMule
include application iQiYiPPS
include application KingsoftAntivirus
include application Letv
include application MangGuoTV
include application NetworkVideo
include application QQXuanFeng
include application TencentVideo
include application Thunder
include application XunLeiKanKan
include application ZhangYuTV
#
app-group 保障10.0.32.0
description 保障http,视频流应用
include application 56Video
include application Bilibili
include application CTCCMusicMenHu
include application http
include application KGeDaRen
include application MeiLeFM
include application MiGuMusic
include application NetEaseVideo
include application PPTV
include application QQMusic
include application SinaVideo
include application SoHuVideo
include application SouGouMusic
include application TencentVideo
include application TuDou
include application XiaMi
include application YinYueTai
include application YouKu
#
app-group 保障信锐
description 10.100.120.8
#
app-group 限制P2P
description 限制全部
include application 360General
include application 360Website
include application AndroidMarket
include application AnZhiMarket
include application AppChina
include application AppStore
include application BaiduResource
include application BaiDuSoftwareDownload
include application BaiduWenKu
include application BaoFeng
include application BitTorrent
include application DiGuaGameCenter
include application DuoTeSoftware
include application eMule
include application FeiFanRuanJianZhan
include application FileDownload
include application GeneralDownload
include application iQiYiPPS
include application JiFengMarket
include application JinShanShouJiZhuShou
include application KingsoftAntivirus
include application KuAn
include application Letv
include application LieBaoWebsite
include application MangGuoTV
include application MIAppStore
include application MobileMarket
include application MuMaYiMarket
include application NetworkAudio
include application NetworkVideo
include application OnlineDown
include application PC6
include application PictureBrowse
include application PPZhuShou
include application QQWebsite
include application QQXuanFeng
include application ShouJiBaiDu
include application SkyCN
include application TencentResource
include application TencentVideo
include application Thunder
include application TianJiDownload
include application UCLandingPage
include application UCWebsite
include application WanDouJia
include application WindowsUpdate
include application WoStore
include application XiaZaiBa
include application XiXiSoftwareStore
include application XunLeiKanKan
include application YingYongBao
include application ZhangYuTV
include application ZhiHuiYun
include application ZuiMeiYingYong
#
ike logging negotiation enable
#
ip http enable
ip https enable
webui log enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
traffic-policy
rule 1 name GuideAVCPolicy
action qos profile guideavcprofile1
source-zone Trust
destination-zone DMZ
destination-zone Untrust
profile name guideavcprofile1
bandwidth downstream guaranteed 90000
bandwidth downstream maximum 90000
#
security-policy ip
rule 18 name GuideSecPolicy
action pass
source-zone Trust
source-zone Local
destination-zone Untrust
destination-zone DMZ
destination-zone Local
destination-zone Trust
rule 19 name 非安全域外网
description 非安全域策略
action pass
source-zone Untrust
source-zone Local
destination-zone Untrust
destination-zone Local
rule 20 name "vlan 20"
action pass
source-zone Trust
source-zone Local
destination-zone Untrust
destination-zone Local
source-ip "vlan 20"
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
cloud-management server domain opstunnel.seccloud.h3c.com
#
return

If every device needs its complete configuration posted, you probably would not be able to follow it even if someone did post it. I'd suggest calling the 400 hotline.


Reply to 刘朋:

So you mean the core switch and the access switches below are already configured, default routes and all? Then it is simple: under the firewall's external interface add one line, nat outbound, then write a default route, ip route-static 0.0.0.0 0 xxxx (xxxx is the gateway address of the public IP), and you are done.

悲剧塔 posted 2023-09-04

What I want right now is just to get the VLANs out to the internet through the firewall's uplink.

刘朋 posted 2023-09-04

Hello, please note:

Here are the key points for deploying internet access on the firewall; please use them as a reference:

1. Configure the Layer 3 interconnection with the core switch and the routes pointing to it.
2. Configure the firewall's internet uplink.
3. Configure the firewall's default route pointing to the external network.
4. Configure NAT (address translation) on the firewall.
5. The physical ports involved on the firewall must be added to security zones, and the security policy or inter-zone policy must permit the traffic.
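As an added example (not part of this thread), a small Python audit that reads a Comware-style configuration dump in the flattened form posted above (blocks separated by "#", indentation lost) and checks what the last answer and the earlier replies ask for: nat outbound on the external interface, a real default route (ip route-static 0.0.0.0 0 ...), every addressed interface in a security zone, and a pass rule from Trust to Untrust. It assumes the zone names Trust and Untrust are the inside and outside zones, as in the posted config, and the sample config is constructed, not the poster's.

```python
import re
# Constructed sample in the flattened form of the dump above ('#'-separated, no
# indentation). It is not the poster's config: it keeps the 0.0.0.0/24 route and
# the 'nat outbound' on an inside VLAN interface, and omits any security policy.
SAMPLE = """#
interface Vlan-interface20
ip address 10.11.20.1 255.255.255.0
nat outbound
#
interface GigabitEthernet1/0/1
ip address 192.168.10.23 255.255.255.0
nat outbound
#
security-zone name Trust
import interface Vlan-interface20
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 24 192.168.10.23
#
"""

def audit(cfg):
    """Findings against points 3-5 of the last answer; an empty list means clean."""
    zone_of, l3, nat, default_route, trust_out = {}, [], [], False, False
    for block in re.split(r"^#$", cfg, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        head, body = (lines or ["#"])[0], lines[1:]  # empty block gets a no-op head
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            l3 += [name] if any(l.startswith("ip address ") for l in body) else []
            nat += [name] if any(l.startswith("nat outbound") for l in body) else []
        elif head.startswith("security-zone name "):  # zone membership (point 5)
            for m in re.finditer(r"import interface (\S+)", "\n".join(body)):
                zone_of[m.group(1)] = head.split()[-1]
        elif re.match(r"ip route-static 0\.0\.0\.0 0 \S+", head):  # point 3
            default_route = True
        elif head == "security-policy ip":  # some rule must pass Trust -> Untrust (point 5)
            for rule in re.split(r"^rule ", "\n".join(body), flags=re.M)[1:]:
                trust_out |= {"action pass", "source-zone Trust",
                              "destination-zone Untrust"} <= set(rule.splitlines())
    findings = [f"{i} has an IP address but is in no security zone" for i in l3 if i not in zone_of]
    # Point 4: nat outbound belongs on the external interface (assumed to be in zone Untrust).
    findings += [f"nat outbound on {i} (zone {zone_of.get(i, 'none')}), not on an Untrust interface"
                 for i in nat if zone_of.get(i) != "Untrust"]
    findings += [] if default_route else ["no default route 'ip route-static 0.0.0.0 0 <next-hop>'"]
    findings += [] if trust_out else ["no security-policy rule passing Trust -> Untrust"]
    return findings
```

Run audit() over a saved display current-configuration; an empty list means the four checks pass, otherwise each finding names the block to fix.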

