任务要求:
SwitchA作为有线终端网关与DHCP Server,为无线终端与有线终端分配IP地址,并配置ACL访问控制列表控制不同用户的访问权限,客户机只能跟DMZ区域服务器互访,无线访客禁止访问业务服务器和员工有线网络。
防火墙配置出口NAT功能,用于公网和私网地址转换:配置安全策略,控制Internet的访问,客户机区域无需访问外网可以与DMZ区域的服务器互访,配置NATServer让DMZ区域的WEB服务器开放至公网访问。
该实验是参考华为官网的文章(作者的理论知识储备量不高,如果有些地方注释的不到位请见谅)
IP地址表:
设备 接口 所属VLAN IP地址 防火墙 G1/0/0 无 10.107.1.2/24 防火墙 G1/0/1 无 109.1.1.1/24 防火墙 G1/0/2 无 10.106.1.1/24 SwitchA G0/0/1 101、102、103、105 vlanif101:10.101.1.1/24
vlanif102:10.102.1.1/24 SwitchA G0/0/3 104 vlanif104:10.104.1.1/24 SwitchA G0/0/5 101、102、103、105 vlanif103:10.103.1.1/24
vlanif105:10.105.1.1/24 SwitchA G0/0/8 100 vlanif100:10.100.1.1/24 SwitchA G0/0/11 108 vlanif108:10.108.1.1/24 SwitchA G0/0/13 107 vlanif107:10.107.1.1/24 SwitchB E0/0/3 104 无 SwitchB E0/0/5 104 无 SwitchC E0/0/3 101、102、105 无 SwitchC E0/0/5 101、102、103、105 无 SwitchC E0/0/13 103 无 SwitchD E0/0/3 101、102、105 无 SwitchD E0/0/5 101、102、103、105 无 SwitchD E0/0/13 103 无 WEB Server E0/0/0 无 10.106.1.2/24 Business Server E0/0/0 无 10.108.1.2/24 PC1 E0/0/1 103 DHCP获取 PC2 E0/0/1 103 DHCP获取 AC G0/0/3 100 10.100.1.2/24 AP1 G0/0/0 105 DHCP获取 AP2 G0/0/0 105 DHCP获取
设备接口表:
本端设备 本端接口 对端设备 对端接口 防火墙FW GE1/0/0 SwitchA GE0/0/13 防火墙FW GE1/0/1 Internet GE0/0/0 SwitchA GE0/0/1 SwitchC E0/0/5 SwitchA GE0/0/3 SwitchB E0/0/5 SwitchA GE0/0/5 SwitchD E0/0/5 SwitchA GE0/0/8 AC控制器 GE0/0/3 SwitchA GE0/0/13 防火墙FW GE1/0/0 SwitchB E0/0/5 SwitchA GE0/0/3 SwitchC E0/0/5 SwitchA GE0/0/1 SwitchC E0/0/3 AP1 GE0/0/0 SwitchD E0/0/5 SwitchA GE0/0/5 SwitchD E0/0/3 AP2 GE0/0/0 AC控制器 GE0/0/03 SwitchA GE0/0/8
VLAN规划表:
VLAN规划 描述 VLAN100 无线管理VLAN VLAN101 访客无线业务VLAN VLAN102 员工无线业务VLAN VLAN103 员工有线VLAN VLAN104 客户区域的VLAN VLAN105 AP所属VLAN VLAN107 对应VLANIF接口上行防火墙 VLAN108 业务区接入VLAN
配置思路:
- 完成防火墙上的IP配置、默认路由配置和区域配置;完成交换机的vlan配置和vlan划分
- 配置SwitchA的DHCP服务
- 配置AC让AP上线并让无线终端获取IP
- 配置防火墙NAT功能,做公网和私网地址的转换
- 在SwitchA配置ACL访问控制列表并引用
防火墙基本配置:
<usg6000v1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysname FW
[FW]inter g1/0/0
[FW-GigabitEthernet1/0/0]ip add 10.107.1.2 24
[FW-GigabitEthernet1/0/0]inter g1/0/1
[FW-GigabitEthernet1/0/1]ip add 109.1.1.1 24
[FW-GigabitEthernet1/0/1]inter g1/0/2
[FW-GigabitEthernet1/0/2]ip add 10.106.1.1 24
[FW-GigabitEthernet1/0/2]firewall zone trust #进入防火墙信任区区域配置
[FW-zone-trust]add inter g1/0/0 #将G1/0/0接口加入信任区
[FW-zone-trust]firewall zone untrust #进入防火墙非信任区区域配置
[FW-zone-untrust]add inter g1/0/1 #将G1/0/1接口加入非信任区
[FW-zone-untrust]firewall zone dmz #进入防火墙隔离区区域配置
[FW-zone-dmz]add inter g1/0/2 #将G1/0/2接口加入隔离区
[FW-zone-dmz]quit
[FW]ip route-static 10.0.0.0 8 10.107.1.1 #防火墙回访路由10.0.0.0下一跳地址为10.107.1.1
[FW]ip route-static 0.0.0.0 0 109.1.1.2 #默认出口路由
[FW]bfd #开启bfd全局配置
[FW-bfd]quit
[FW]bfd 1 bind peer-ip 10.107.1.1 source-ip 10.107.1.2 auto #配置与SwitchA的双向转发故障检测
[FW-bfd-session-1]commit #提交当前bfd配置
</usg6000v1>
AC基本配置与VLAN划分:
<ac6005>system-view
Enter system view, return user view with Ctrl+Z.
[AC6005]vlan batch 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6005]inter vlan 100
[AC6005-Vlanif100]ip add 10.100.1.2 24
[AC6005-Vlanif100]inter g0/0/3
[AC6005-GigabitEthernet0/0/3]port link-type acc
[AC6005-GigabitEthernet0/0/3]port default vlan 100
[AC6005-GigabitEthernet0/0/3]quit
[AC6005]ip route-static 0.0.0.0 0.0.0.0 10.100.1.1 #AC的默认路由
</ac6005>
SwitchA基本配置与VLAN划分:
<huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWA
[SWA]vlan batch 100 to 105 107 108
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWA]inter vlan 100
[SWA-Vlanif100]ip add 10.100.1.1 24
[SWA-Vlanif100]inter vlan 101
[SWA-Vlanif101]ip add 10.101.1.1 24
[SWA-Vlanif101]inter vlan 102
[SWA-Vlanif102]ip add 10.102.1.1 24
[SWA-Vlanif102]inter vlan 103
[SWA-Vlanif103]ip add 10.103.1.1 24
[SWA-Vlanif103]inter vlan 104
[SWA-Vlanif104]ip add 10.104.1.1 24
[SWA-Vlanif104]inter vlan 105
[SWA-Vlanif105]ip add 10.105.1.1 24
[SWA-Vlanif105]inter vlan 107
[SWA-Vlanif107]ip add 10.107.1.1 24
[SWA-Vlanif107]inter vlan 108
[SWA-Vlanif108]ip add 10.108.1.1 24
[SWA-Vlanif108]inter g0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk allow vlan 101 to 103 105
[SWA-GigabitEthernet0/0/1]inter g0/0/3
[SWA-GigabitEthernet0/0/3]port link-type acc
[SWA-GigabitEthernet0/0/3]port default vlan 104
[SWA-GigabitEthernet0/0/3]inter g0/0/5
[SWA-GigabitEthernet0/0/5]port link-type trunk
[SWA-GigabitEthernet0/0/5]port trunk allow vlan 101 to 103 105
[SWA-GigabitEthernet0/0/5]inter g0/0/8
[SWA-GigabitEthernet0/0/8]port link-type acc
[SWA-GigabitEthernet0/0/8]port default vlan 100
[SWA-GigabitEthernet0/0/8]inter g0/0/11
[SWA-GigabitEthernet0/0/11]port link-type acc
[SWA-GigabitEthernet0/0/11]port default vlan 108
[SWA-GigabitEthernet0/0/11]inter g0/0/13
[SWA-GigabitEthernet0/0/13]port link-type acc
[SWA-GigabitEthernet0/0/13]port default vlan 107
[SWA-GigabitEthernet0/0/13]quit
[SWA]ip route-static 0.0.0.0 0 10.107.1.2 #默认路由
[SWA]bfd #开启bfd全局配置
[SWA-bfd]quit
[SWA]bfd 1 bind peer-ip 10.107.1.2 source-ip 10.107.1.1 auto #配置与防火墙的双向转发故障检测
[SWA-bfd-session-1]commit #提交当前bfd的配置
</huawei>
SwitchB VLAN划分:
<huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWB
[SWB]vlan batch 104
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWB]inter e0/0/5
[SWB-Ethernet0/0/5]port link-type acc
[SWB-Ethernet0/0/5]port default vlan 104
[SWB-Ethernet0/0/5]inter e0/0/3
[SWB-Ethernet0/0/3]port link-type acc
[SWB-Ethernet0/0/3]port default vlan 104
[SWB-Ethernet0/0/3]quit
</huawei>
SwitchC VLAN划分:
<huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWC
[SWC]vlan batch 101 to 103 105
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWC]inter e0/0/3
[SWC-Ethernet0/0/3]port link-type trunk
[SWC-Ethernet0/0/3]port trunk allow vlan 101 102 105
[SWC-Ethernet0/0/3]port trunk pvid vlan 105
[SWC-Ethernet0/0/3]inter e0/0/5
[SWC-Ethernet0/0/5]port link-type trunk
[SWC-Ethernet0/0/5]port trunk allow vlan 101 to 103 105
[SWC-Ethernet0/0/5]inter e0/0/13
[SWC-Ethernet0/0/13]port link-type acc
[SWC-Ethernet0/0/13]port default vlan 103
[SWC-Ethernet0/0/13]quit
</huawei>
SwitchD VLAN划分:
<huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWD
[SWD]vlan batch 101 to 103 105
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWD]inter e0/0/3
[SWD-Ethernet0/0/3]port link-type trunk
[SWD-Ethernet0/0/3]port trunk allow vlan 101 102 105
[SWD-Ethernet0/0/3]port trunk pvid vlan 105
[SWD-Ethernet0/0/3]inter e0/0/5
[SWD-Ethernet0/0/5]port link-type trunk
[SWD-Ethernet0/0/5]port trunk allow vlan 101 to 103 105
[SWD-Ethernet0/0/5]inter e0/0/13
[SWD-Ethernet0/0/13]port link-type acc
[SWD-Ethernet0/0/13]port default vlan 103
[SWD-Ethernet0/0/13]quit
</huawei>
SwitchA配置DHCP Server:
[SWA]dhcp enable #开启DHCP服务
[SWA]inter vlan 103
[SWA-Vlanif103]dhcp select interface #配置VLAN开启dhcp下发
[SWA]inter vlan 101
[SWA-Vlanif101]dhcp select interface
[SWA]inter vlan 102
[SWA-Vlanif102]dhcp select interface
[SWA]inter vlan 105
[SWA-Vlanif105]dhcp select interface
[SWA-Vlanif105]dhcp server option 43 sub-option 1 ip-address 10.100.1.2 #当AP获取到IP地址后这条命令告知AP AC控制器的IP地址
AC配置AP上线(需要AP先获取到vlan105的ip地址):
[AC6005]capwap source interface vlanif100 #配置vlan100接口为AP控制点(AC源接口)
[AC6005]wlan #进入无线配置面板
[AC6005-wlan-view]regulatory-domain-profile name office #创建名为office的域档案
[AC6005-wlan-regulate-domain-office]country-code CN #配置office域档案的国家代码为CN(默认为CN谨慎起见打一遍)
[AC6005-wlan-regulate-domain-office]quit
[AC6005-wlan-view]ap-group name office #为办公区创建名为office的ap组
[AC6005-wlan-ap-group-office]regulatory-domain-profile office #引用office域档案
[AC6005-wlan-ap-group-office]quit
[AC6005-wlan-view]ap auth-mode mac-auth #配置ap的认证模式为mac认证
[AC6005-wlan-view]ap-id 0 ap-mac 00E0-FC4A-5F10
[AC6005-wlan-ap-0]ap-name office #ap名称为office
[AC6005-wlan-ap-0]ap-group office #归属于名为office的ap组(加入office ap组)
[AC6005-wlan-ap-0]quit
[AC6005-wlan-view]regulatory-domain-profile name manage
[AC6005-wlan-regulate-domain-manage]country-code CN
[AC6005-wlan-regulate-domain-manage]quit
[AC6005-wlan-view]ap-group name manage
[AC6005-wlan-ap-group-manage]regulatory-domain-profile manage
[AC6005-wlan-ap-group-manage]quit
[AC6005-wlan-view]ap-id 1 ap-mac 00E0-FC6C-6200
[AC6005-wlan-ap-1]ap-name manage
[AC6005-wlan-ap-1]ap-group manage
[AC6005-wlan-ap-1]quit
[AC6005-wlan-view]quit
[AC6605]display ap all #查看ap上线情况
AC配置AP无线下发:
[AC6005]wlan
[AC6005-wlan-view]security-profile name office #创建安全模板office
[AC6005-wlan-sec-prof-office]security wpa2 psk pass-phrase 12345678 aes #配置安全级别为WPA2预共享密钥,添加密码12345678使用aes加密
[AC6005-wlan-sec-prof-office]quit
[AC6005-wlan-view]ssid-profile name office #创建ssid模板
[AC6005-wlan-ssid-prof-office]ssid office #配置WIFI名为office
[AC6005-wlan-ssid-prof-office]quit
[AC6005-wlan-view]vap-profile name office #创建vap模板office
[AC6005-wlan-vap-prof-office]forward-mode direct-forward #配置vap转发模式为直接转发(默认是直接转发)
[AC6005-wlan-vap-prof-office]service-vlan vlan-id 101 #添加服务vlan101
[AC6005-wlan-vap-prof-office]ssid-profile office #引入ssid模板office
[AC6005-wlan-vap-prof-office]security-profile office #引入安全模板office
[AC6005-wlan-vap-prof-office]quit
[AC6005-wlan-view]ap-group name office #进入office ap组
[AC6005-wlan-ap-group-office]vap-profile office wlan 1 radio 0 #引用vap模板射频在2.4Ghz频段
[AC6005-wlan-ap-group-office]vap-profile office wlan 1 radio 1 #引用vap模板射频在5Ghz频段
[AC6005-wlan-ap-group-office]quit
[AC6005-wlan-view]security-profile name manage
[AC6005-wlan-sec-prof-manage]security wpa2 psk pass-phrase 12345678 aes
[AC6005-wlan-sec-prof-manage]quit
[AC6005-wlan-view]ssid-profile name manage
[AC6005-wlan-ssid-prof-manage]ssid manage
[AC6005-wlan-ssid-prof-manage]quit
[AC6005-wlan-view]vap-profile name manage
[AC6005-wlan-vap-prof-manage]forward-mode direct-forward
[AC6005-wlan-vap-prof-manage]service-vlan vlan-id 102
[AC6005-wlan-vap-prof-manage]ssid-profile manage
[AC6005-wlan-vap-prof-manage]security-profile manage
[AC6005-wlan-vap-prof-manage]quit
[AC6005-wlan-view]ap-group name manage
[AC6005-wlan-ap-group-manage]vap-profile office wlan 1 radio 0
[AC6005-wlan-ap-group-manage]vap-profile office wlan 1 radio 1
[AC6005-wlan-ap-group-managee]quit
防火墙区域访问配置:
[FW]security-policy #进入安全策略面板
[FW-policy-security]rule name trust_untrust #添加规则用于trust区域访问untrust区域
[FW-policy-security-rule-trust_untrust]source-zone trust #添加源区域trust
[FW-policy-security-rule-trust_untrust]destination-zone untrust #目的区域untrust
[FW-policy-security-rule-trust_untrust]source-address 10.101.1.0 0.0.0.255
[FW-policy-security-rule-trust_untrust]source-address 10.102.1.0 0.0.0.255
[FW-policy-security-rule-trust_untrust]source-address 10.103.1.0 0.0.0.255
[FW-policy-security-rule-trust_untrust]action permit #规则动作允许
[FW-policy-security-rule-trust_untrust]quit
[FW-policy-security]rule name camera_dmz #添加规则用于客户机与dmz互相访问
[FW-policy-security-rule-camera_dmz]source-zone dmz
[FW-policy-security-rule-camera_dmz]source-zone trust
[FW-policy-security-rule-camera_dmz]destination-zone dmz
[FW-policy-security-rule-camera_dmz]destination-zone trust
[FW-policy-security-rule-camera_dmz]source-address 10.104.1.0 0.0.0.255 #添加客户机所在网段
[FW-policy-security-rule-camera_dmz]source-address 10.106.1.0 0.0.0.255 #添加web server所在网段
[FW-policy-security-rule-camera_dmz]destination-address 10.104.1.0 0.0.0.255 #目标客户机网段
[FW-policy-security-rule-camera_dmz]destination-address 10.106.1.0 0.0.0.255 #目标web server网段
[FW-policy-security-rule-camera_dmz]action permit
[FW-policy-security-rule-camera_dmz]quit
[FW-policy-security]rule name untrust_dmz #添加规则用于untrust区域访问dmz区域的web server
[FW-policy-security-rule-untrust_dmz]source-zone untrust
[FW-policy-security-rule-untrust_dmz]destination-zone dmz
[FW-policy-security-rule-untrust_dmz]action permit
[FW-policy-security-rule-untrust_dmz]quit
[FW-policy-security]rule name trust_dmz #添加规则用于trust区域访问dmz区域
[FW-policy-security-rule-trust_dmz]source-zone trust
[FW-policy-security-rule-trust_dmz]destination-zone dmz
[FW-policy-security-rule-trust_dmz]action permit
[FW-policy-security-rule-trust_dmz]quit
防火墙NAT配置:
[FW]nat address-group 1 #创建nat组1
[FW-address-group-1]mode pat #配置nat模式为路径模式(允许端口转换)
[FW-address-group-1]route enable #开启nat路由(防环作用)
[FW-address-group-1]section 1 109.1.1.10 109.1.1.15 #配置nat地址段
[FW-address-group-1]quit
[FW]nat-policy #进入nat策略配置
[FW-policy-nat]rule name trust_untrust #添加规则trust_untrust用于实现私网指定网段访问公网时自动进行源地址转换
[FW-policy-nat-rule-trust_untrust]source-zone trust #源区域为trust
[FW-policy-nat-rule-trust_untrust]destination-zone untrust #目的区域为untrust
[FW-policy-nat-rule-trust_untrust]source-address 10.101.1.0 0.0.0.255 #添加访客无线vlan101的源地址段10.101.1.0
[FW-policy-nat-rule-trust_untrust]source-address 10.102.1.0 0.0.0.255 #添加员工无线vlan102的源地址段10.102.1.0
[FW-policy-nat-rule-trust_untrust]source-address 10.103.1.0 0.0.0.255 #添加员工有线vlan103的源地址段10.103.1.0
[FW-policy-nat-rule-trust_untrust]action source-nat address-group 1 #调用nat组1
[FW-policy-nat-rule-trust_untrust]quit
[FW-policy-nat]quit
[FW]ip route-static 109.1.1.10 255.255.255.255 NULL0 #添加黑洞路由防止环路
[FW]ip route-static 109.1.1.11 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.12 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.13 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.14 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.15 255.255.255.255 NULL0
[FW]nat server protocol tcp global interface GigabitEthernet 1/0/1 www inside 10.106.1.2 www no-reverse
#添加nat映射要求web sever的ip地址映射在防火墙g1/0/1接口上,公网通过访问防火墙g1/0/1接口访问web server
SwitchA配置acl访问控制列表:
[SWA]acl 3000 #添加规则3000控制客户机访问
[SWA-acl-adv-3000]description client #注释
[SWA-acl-adv-3000]rule 0 permit ip source 10.104.1.2 0 destination 10.106.1.2 0 #允许客户机访问web server
[SWA-acl-adv-3000]rule 5 deny ip source 10.104.1.2 0 #拒绝客户机访问其它网段
[SWA-acl-adv-3000]quit
[SWA]inter g0/0/3
[SWA-GigabitEthernet0/0/3]traffic-filter inbound acl 3000 #在G0/0/3接口使用流量过滤引入规则3000
[SWA]acl 3001 #添加规则3001控制无线用户不能访问vlan103网段
[SWA-acl-adv-3001]rule 0 deny ip source 10.101.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255
[SWA-acl-adv-3001]rule 1 deny ip source 10.101.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255
[SWA-acl-adv-3001]rule 2 deny ip source 10.102.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255
[SWA-acl-adv-3001]rule 3 deny ip source 10.102.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255
[SWA-acl-adv-3001]quit
[SWA]inter g0/0/1
[SWA-GigabitEthernet0/0/1]traffic-filter inbound acl 3001 #在G0/0/1接口使用流量过滤引入规则3001
[SWA-GigabitEthernet0/0/1]quit
[SWA]inter g0/0/5
[SWA-GigabitEthernet0/0/5]traffic-filter inbound acl 3001 #在G0/0/5接口使用流量过滤引入规则3001
[SWA-GigabitEthernet0/0/5]quit
有线ip获取:
AP上线情况和无线ip获取:
客户机访问:
访问web server:
访问员工有线网:
访问无线网:
无线用户访问:
NAT转换测试:
有线网络:
无线网络:
NAT地址映射:
Original: https://www.cnblogs.com/Alexing/p/16167211.html
Author: 一头大笨向
Title: 防火墙NAT+DHCP+ACL+ACAP
原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/582328/
转载文章受原作者版权保护。转载请注明原作者出处!