Building a typical enterprise network
Topology diagram
Lab steps
1. Separating the departments' subnets on the internal network with VLANs
Approach:
- Create vlan10 and vlan20
vlan batch 10 20
- Configure the gateway of each subnet on the layer-3 switch (the Vlanif interfaces route between the VLANs)
interface Vlanif10
ip address 192.168.1.254 255.255.255.0
interface Vlanif20
ip address 192.168.2.254 255.255.255.0
- Put interface g0/0/1 into vlan 10 and g0/0/2 into vlan 20 as access ports
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
2. DHCP configuration for the enterprise network
Approach:
- Enable DHCP globally on the layer-3 switch
dhcp enable
- Create the address pools pool1 and pool2 with their subnet, gateway, DNS and lease. VRP never hands out the gateway-list addresses; excluded-ip-address reserves a further range, here 192.168.1.10 to 192.168.1.19, for hosts that are addressed statically. Each Vlanif interface also needs dhcp select global before it will answer clients from these pools.
ip pool pool1
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
excluded-ip-address 192.168.1.10 192.168.1.19
lease day 0 hour 8 minute 0
dns-list 8.8.8.8
ip pool pool2
gateway-list 192.168.2.254
network 192.168.2.0 mask 255.255.255.0
lease day 0 hour 8 minute 0
dns-list 8.8.8.8
- At this point the PCs on the internal network can already reach each other across VLANs:
PC>ping 192.168.2.252
Ping 192.168.2.252: 32 data bytes, Press Ctrl_C to break
From 192.168.2.252: bytes=32 seq=1 ttl=127 time=94 ms
From 192.168.2.252: bytes=32 seq=2 ttl=127 time=78 ms
From 192.168.2.252: bytes=32 seq=3 ttl=127 time=63 ms
From 192.168.2.252: bytes=32 seq=4 ttl=127 time=78 ms
From 192.168.2.252: bytes=32 seq=5 ttl=127 time=78 ms
--- 192.168.2.252 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/78/94 ms
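To see exactly which addresses pool1 can hand out after the gateway and the excluded range are taken away, the following added example (not code from the page or from the switch) parses the VRP ip pool block above and computes the allocatable set. The pool text is a constructed copy of the page's configuration; the lowest-free allocation order and the client IDs are this example's own assumptions, and the real device may allocate in a different order (PC2 on the page received 192.168.2.252).

```python
import ipaddress

# Constructed copy of the page's pool1 block (VRP "ip pool" view); not device output.
POOL1_CONFIG = """\
ip pool pool1
 gateway-list 192.168.1.254
 network 192.168.1.0 mask 255.255.255.0
 excluded-ip-address 192.168.1.10 192.168.1.19
 lease day 0 hour 8 minute 0
 dns-list 8.8.8.8
"""


def parse_pool(text):
    """Parse one VRP ip-pool block into a dict of typed fields."""
    pool = {"name": None, "network": None, "gateways": set(),
            "excluded": set(), "lease_seconds": 0, "dns": []}
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0]
        if key == "ip" and words[1:2] == ["pool"]:
            pool["name"] = words[2]
        elif key == "gateway-list":
            pool["gateways"].update(ipaddress.ip_address(w) for w in words[1:])
        elif key == "network":
            # "network A.B.C.D mask M.M.M.M"
            pool["network"] = ipaddress.ip_network(f"{words[1]}/{words[3]}")
        elif key == "excluded-ip-address":
            # a single address, or an inclusive start/end range
            start = ipaddress.ip_address(words[1])
            end = ipaddress.ip_address(words[2]) if len(words) > 2 else start
            pool["excluded"].update(ipaddress.ip_address(n)
                                    for n in range(int(start), int(end) + 1))
        elif key == "lease":
            # "lease day D hour H minute M" -> seconds
            units = dict(zip(words[1::2], map(int, words[2::2])))
            pool["lease_seconds"] = (units.get("day", 0) * 86400
                                     + units.get("hour", 0) * 3600
                                     + units.get("minute", 0) * 60)
        elif key == "dns-list":
            pool["dns"] = words[1:]
    return pool


def allocatable(pool):
    """Addresses the server may lease: usable hosts minus gateways minus exclusions."""
    return [h for h in pool["network"].hosts()
            if h not in pool["gateways"] and h not in pool["excluded"]]


def allocate(pool, bindings, client_id):
    """Return the client's existing lease, otherwise the lowest free address.

    bindings maps client_id -> address and stands in for the lease table.
    Lowest-free order is this example's choice, not the device's documented order.
    """
    if client_id in bindings:
        return bindings[client_id]
    in_use = set(bindings.values())
    for addr in allocatable(pool):
        if addr not in in_use:
            bindings[client_id] = addr
            return addr
    raise RuntimeError(f"pool {pool['name']} exhausted")


if __name__ == "__main__":
    p = parse_pool(POOL1_CONFIG)
    free = allocatable(p)
    print(p["name"], len(free), "allocatable, lease", p["lease_seconds"], "s")
```

The count that comes out (243 for pool1: 254 usable hosts, minus the gateway, minus ten excluded addresses) is the number to compare against the department's host count before the pool quietly runs dry.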
3. Router configuration for the enterprise network, giving the internal network a path to the outside
Approach:
- Assign an address to every interface
Layer-3 switch:
vlan 100
interface Vlanif100
ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
AR1:
interface GigabitEthernet0/0/0
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 64.1.1.1 255.255.255.0
AR2:
interface GigabitEthernet0/0/0
ip address 64.1.1.10 255.255.255.0
interface GigabitEthernet0/0/1
ip address 6.6.6.1 255.255.255.0
- Routing: add the outbound route and the return routes
Layer-3 switch:
Outbound route (the destination is written as the network address 6.6.6.0 of the /24, not the host 6.6.6.6)
ip route-static 6.6.6.0 255.255.255.0 10.10.10.2
AR1:
Outbound route
ip route-static 6.6.6.0 255.255.255.0 64.1.1.10
Return routes
ip route-static 192.168.1.0 255.255.255.0 10.10.10.1
ip route-static 192.168.2.0 255.255.255.0 10.10.10.1
AR2 needs no route back to 192.168.1.0/24 or 192.168.2.0/24: once the NAT below is in place, every packet it receives from the internal network carries the source address 64.1.1.1, which is on its directly connected link.
- NAT: translate the internal addresses to the public address
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255 //0.0.0.255 is a wildcard mask: a 1 bit means "ignore this bit", the inverse of a subnet mask
[AR1-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[AR1-acl-basic-2000]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 //Easy IP: packets leaving g0/0/1 that match the ACL are rewritten to the interface address 64.1.1.1; packets that match no rule are forwarded untranslated
At this point the internal and external networks can reach each other. The first echo request timing out is typically the ARP warm-up along the path in eNSP, not a NAT fault:
PC>ping 6.6.6.6
Ping 6.6.6.6: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 6.6.6.6: bytes=32 seq=2 ttl=125 time=62 ms
From 6.6.6.6: bytes=32 seq=3 ttl=125 time=78 ms
From 6.6.6.6: bytes=32 seq=4 ttl=125 time=63 ms
From 6.6.6.6: bytes=32 seq=5 ttl=125 time=47 ms
--- 6.6.6.6 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/62/78 ms
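The two things worth understanding in the step above are how a basic ACL with wildcard masks decides which sources are translated, and why outbound NAT makes a return route on AR2 unnecessary while still leaving inside hosts unreachable from outside. The added example below (written for this page, not taken from it or from VRP) models both: the ACL evaluation and a minimal Easy IP session table keyed the way nat outbound keys it. ACL 2000 is copied from the page; the starting port number, the sample sessions and the outside host's port are constructed for the demonstration.

```python
import ipaddress

# acl 2000 from the page: a basic ACL with source-address rules only.
# Each entry is (action, address, wildcard); order matters, first match wins.
ACL_2000 = [
    ("permit", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255"),
]


def wildcard_match(addr, rule_addr, wildcard):
    """VRP wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


def acl_action(acl, src):
    """Action of the first matching rule, or None when no rule matches."""
    for action, rule_addr, wildcard in acl:
        if wildcard_match(src, rule_addr, wildcard):
            return action
    return None


class EasyIpNat:
    """Outbound PAT to a single interface address, as 'nat outbound <acl>' does.

    Public ports are handed out sequentially from first_port; that numbering is
    this example's choice and not the router's allocator.
    """

    def __init__(self, acl, interface_ip, first_port=10240):
        self.acl = acl
        self.public_ip = interface_ip
        self.next_port = first_port
        self.sessions = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.reverse = {}    # (public_port, remote_ip, remote_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Source (ip, port) as the outside sees it after the packet leaves the NAT interface."""
        if acl_action(self.acl, src_ip) != "permit":
            return (src_ip, src_port)          # not in the ACL: forwarded untranslated
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            port = self.next_port
            self.next_port += 1
            self.sessions[key] = port
            self.reverse[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.sessions[key])

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal (ip, port) for a packet arriving from outside, or None without a session."""
        if dst_ip != self.public_ip:
            return None
        return self.reverse.get((dst_port, src_ip, src_port))


if __name__ == "__main__":
    nat = EasyIpNat(ACL_2000, "64.1.1.1")
    print(nat.outbound("192.168.1.1", 40000, "6.6.6.6", 80))   # translated
    print(nat.outbound("10.10.10.1", 40000, "6.6.6.6", 80))    # ACL miss, untranslated
    print(nat.inbound("6.6.6.6", 80, "64.1.1.1", 5555))        # no session: None
```

The ACL-miss case is the one to remember: a source such as 10.10.10.1 is not translated and reaches AR2 with an address AR2 has no route back to, so the reply is lost. The inbound case with no session entry is the reason an unsolicited packet from 6.6.6.6 can never be delivered to an internal PC through this NAT.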
4. Firewall configuration for the enterprise network
The firewall takes the place of router AR1 from the previous step
Approach:
- On first login the firewall expects the default username admin and password Admin@123 and forces a password change; the new password used in this lab is Fw@123456 (a lab value; choose your own, and never leave the factory credentials on a device that faces a real network)
Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password:
Please enter new password:
Please confirm new password:
Info: Your password has been changed. Save the change to survive a reboot.
*************************************************************************
* Copyright (C) 2014-2018 Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************
- First reproduce the addresses and routes that AR1 had
interface GigabitEthernet1/0/1
ip address 10.10.10.2 255.255.255.0
interface GigabitEthernet1/0/0
ip address 64.1.1.1 24
[SRG]ip route-static 192.168.2.0 24 10.10.10.1
[SRG]ip route-static 192.168.1.0 24 10.10.10.1
[SRG]ip route-static 0.0.0.0 0.0.0.0 64.1.1.10 //a default route toward AR2 replaces AR1's specific route to 6.6.6.0/24
- Add the interfaces to the trust and untrust zones
[SRG]firewall zone trust
[SRG-zone-trust]add int g1/0/1
Info: The interface has been added to trust security zone.
[SRG-zone-trust]q
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface GigabitEthernet1/0/0
- Configure the security policy (traffic between zones is denied by default, so without this rule nothing crosses from trust to untrust)
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name shangwang //a rule named shangwang ("internet access")
[USG6000V1-policy-security-rule-shangwang]source-zone trust //packets arriving from the trust zone
[USG6000V1-policy-security-rule-shangwang]destination-zone untrust //heading for the untrust zone
[USG6000V1-policy-security-rule-shangwang]action permit //allow them
- Configure the NAT policy (a NAT rule only rewrites addresses; it does not permit traffic, which is why the security policy above is needed as well)
[USG6000V1]nat-policy //enter the NAT policy view
[USG6000V1-policy-nat]rule name shangwang //a NAT rule, also named shangwang
[USG6000V1-policy-nat-rule-shangwang]source-zone trust //packets from the trust zone
[USG6000V1-policy-nat-rule-shangwang]destination-zone untrust //heading for the untrust zone
[USG6000V1-policy-nat-rule-shangwang]action source-nat easy-ip //source NAT in easy-ip mode: internal addresses are rewritten to the address of the firewall's outbound interface, 64.1.1.1
The internal and external networks can now reach each other
PC>ping 6.6.6.6
Ping 6.6.6.6: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 6.6.6.6: bytes=32 seq=2 ttl=125 time=62 ms
From 6.6.6.6: bytes=32 seq=3 ttl=125 time=63 ms
From 6.6.6.6: bytes=32 seq=4 ttl=125 time=47 ms
From 6.6.6.6: bytes=32 seq=5 ttl=125 time=46 ms
--- 6.6.6.6 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/54/63 ms
Note, however, that pinging the firewall's own interface address fails. The firewall's own addresses belong to the local zone, and by default neither a security policy nor the interface's service-manage setting allows ping to it. This is deliberate: the device stays unreachable until management services are explicitly opened, as in step 5.
PC>ping 64.1.1.1
Ping 64.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 64.1.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
5. Connecting the host machine to the eNSP firewall and managing it through the web page
1. Click the cloud and open its control panel
2. Click in turn: binding information, UDP, add, binding information, VMnet8, add //UDP stands for the eNSP internal virtual network; VMnet8 is the VMware virtual adapter on the host machine, not a physical NIC
3. Choose port 1 as the incoming port and port 2 as the outgoing port
4. Tick the bidirectional channel option
Give the firewall a management IP in the same subnet as the host's VMnet8 address
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip add 192.168.23.23 255.255.255.0
//must be in the same subnet as VMnet8, which here is 192.168.23.1
Put interface g1/0/3 into the trust zone and enable management access and ping on it
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int g1/0/3
[USG6000V1-zone-trust]q
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]service-manage enable
[USG6000V1-GigabitEthernet1/0/3]service-manage ?
all ALL service
enable Service manage switch on/off
http HTTP service
https HTTPS service
ping Ping service
snmp SNMP service
ssh SSH service
telnet Telnet service
[USG6000V1-GigabitEthernet1/0/3]service-manage ping permit
The host can now ping the firewall (permit only the services a management interface actually needs; "all" is for a lab, not for production)
Enable remote management on the firewall
[USG6000V1-GigabitEthernet1/0/3]service-manage https permit //allow HTTPS management; leave http and telnet off, since both carry credentials in the clear
[USG6000V1-GigabitEthernet1/0/3]q
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name guanli //a rule named guanli ("management")
[USG6000V1-policy-security-rule-guanli]source-zone trust //from the trust zone
[USG6000V1-policy-security-rule-guanli]destination-zone local //to local, i.e. the firewall itself
[USG6000V1-policy-security-rule-guanli]action permit //allow
[USG6000V1-policy-security-rule-guanli]dis th
2022-10-13 11:40:15.680
#
rule name guanli
source-zone trust
destination-zone local
action permit
#
return
Enter https://192.168.23.23:8443 in the browser to reach the Huawei firewall's web management interface. The account is admin and the password is the one set at first login, here Fw@123456.
Note: the browser warns on first access because the firewall presents a self-signed certificate; in the lab click Advanced and continue. On a production device install a certificate the management hosts trust rather than teaching administrators to click through warnings.
Click Policy and create a new security policy
Add a rule, jinzhiPC1, that forbids PC1 from reaching any network (source PC1, any destination, action deny)
Click OK; jinzhiPC1 now appears in the rule list
Try pinging 6.6.6.6 from PC1: it still succeeds
PC>ping 6.6.6.6
Ping 6.6.6.6: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 6.6.6.6: bytes=32 seq=2 ttl=125 time=63 ms
From 6.6.6.6: bytes=32 seq=3 ttl=125 time=47 ms
From 6.6.6.6: bytes=32 seq=4 ttl=125 time=78 ms
From 6.6.6.6: bytes=32 seq=5 ttl=125 time=62 ms
--- 6.6.6.6 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/62/78 ms
This is because the security policy is evaluated top-down and the first matching rule wins: the web UI appended jinzhiPC1 below shangwang, so PC1's packets to untrust matched shangwang's permit before the deny was ever consulted. Moving jinzhiPC1 to the first position makes the ping fail:
PC>ping 6.6.6.6
Ping 6.6.6.6: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 6.6.6.6 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
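The ordering problem above, and the zone-based matching that steps 4 and 5 rely on, are easy to reproduce in a few lines. The added example below (written for this page, not code from the page or from the USG) classifies addresses into the trust, untrust and local zones using the lab's routes, evaluates a rule list top-down with the interzone default of deny, and shows that jinzhiPC1 appended after shangwang never fires while the same rule at the top blocks PC1. It goes one step beyond the page with an unused_rules check, the hit-count style audit an operator would run to find rules that no traffic ever reaches. PC1's address (192.168.1.1), the management host's address and the sample flows are assumptions; the page does not state them. The model covers the security policy only, not the per-interface service-manage setting that additionally governs access to the local zone.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone membership derived from the lab's interfaces and routes. The firewall's
# own addresses form the local zone; everything else is classified by the
# longest matching route, tagged with the zone of the egress interface.
LOCAL_ADDRESSES = {"10.10.10.2", "64.1.1.1", "192.168.23.23"}
ROUTES = [  # (prefix, zone)
    ("192.168.1.0/24", "trust"),    # via 10.10.10.1 out g1/0/1
    ("192.168.2.0/24", "trust"),
    ("10.10.10.0/24", "trust"),     # connected, g1/0/1
    ("192.168.23.0/24", "trust"),   # connected, g1/0/3 (management)
    ("64.1.1.0/24", "untrust"),     # connected, g1/0/0
    ("0.0.0.0/0", "untrust"),       # default route via 64.1.1.10
]


def zone_of(ip):
    """Zone an address belongs to: local for the firewall itself, else by longest prefix."""
    if ip in LOCAL_ADDRESSES:
        return "local"
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1]


@dataclass
class Rule:
    name: str
    source_zone: Optional[str] = None        # None matches any zone
    destination_zone: Optional[str] = None
    source_address: Optional[str] = None     # CIDR; None matches any address
    action: str = "deny"

    def matches(self, src, dst):
        if self.source_zone and zone_of(src) != self.source_zone:
            return False
        if self.destination_zone and zone_of(dst) != self.destination_zone:
            return False
        if self.source_address and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source_address):
            return False
        return True


def evaluate(policy, src, dst):
    """Top-down, first match wins; with no match the interzone default, deny, applies."""
    for rule in policy:
        if rule.matches(src, dst):
            return rule.name, rule.action
    return "default", "deny"


def unused_rules(policy, flows):
    """Names of rules never selected for any (src, dst) in flows: shadowing candidates."""
    hit = {evaluate(policy, s, d)[0] for s, d in flows}
    return [r.name for r in policy if r.name not in hit]


SHANGWANG = Rule("shangwang", "trust", "untrust", action="permit")
GUANLI = Rule("guanli", "trust", "local", action="permit")
PC1 = "192.168.1.1"   # assumed address for PC1; the page does not state it
JINZHI_PC1 = Rule("jinzhiPC1", source_address=PC1 + "/32", action="deny")


def appended_policy():
    """What the web UI produced: the new rule lands at the bottom of the list."""
    return [SHANGWANG, GUANLI, JINZHI_PC1]


def reordered_policy():
    """jinzhiPC1 dragged to the top, which is the page's fix."""
    return [JINZHI_PC1, SHANGWANG, GUANLI]


# Constructed sample flows: PC1 and PC2 to the outside host, the management host
# to the firewall's management address, and an unsolicited packet from outside.
SAMPLE_FLOWS = [(PC1, "6.6.6.6"), ("192.168.2.252", "6.6.6.6"),
                ("192.168.23.1", "192.168.23.23"), ("6.6.6.6", "64.1.1.1")]


if __name__ == "__main__":
    for name, policy in (("appended", appended_policy()), ("reordered", reordered_policy())):
        print(name, evaluate(policy, PC1, "6.6.6.6"), "unused:", unused_rules(policy, SAMPLE_FLOWS))
```

Running it prints shangwang/permit for the appended order and jinzhiPC1/deny for the reordered one; the unused list names jinzhiPC1 only in the first case. On the real device the equivalent check is the hit count shown per rule in the policy list: a deny rule that sits below a broader permit and never accumulates hits is shadowed, not working.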