华为防火墙USG基本配置

  交换机配置(LAV1):

  vlan batch 10 20 100  // create VLANs 10, 20 and 100 in one step

  interface GigabitEthernet0/0/1 // access port: untagged member of VLAN 10 (the VLAN the firewall places in untrust)

  port link-type access

  port default vlan 10

  interface GigabitEthernet0/0/2 // access port in VLAN 20 (the VLAN the firewall places in dmz)

  port link-type access

  port default vlan 20

  interface GigabitEthernet0/0/3 // access port in VLAN 100 — no firewall sub-interface for VLAN 100 appears in this listing; presumably an out-of-band / management segment, confirm

  port link-type access

  port default vlan 100

  interface GigabitEthernet0/0/23 // trunk towards the firewall and its allowed VLANs (per the author, a Huawei trunk passes no VLANs by default — in VRP the default is VLAN 1 only — so every VLAN must be allowed explicitly)

  port link-type trunk

  port trunk allow-pass vlan 10 20 // only VLANs 10 and 20 are tagged over this link; VLAN 100 is deliberately kept off the trunk, so the untrust and dmz segments share one physical link and rely on 802.1Q tagging for separation

  interface GigabitEthernet0/0/24 // second access port in VLAN 100, same isolated segment as GigabitEthernet0/0/3

  port link-type access

  port default vlan 100

  AR1配置:

  interface GigabitEthernet0/0/0 // AR1 sits in 202.1.1.0/24, the subnet the firewall reaches through sub-interface GigabitEthernet0/0/1.10 (untrust)

  ip address 202.1.1.1 255.255.255.0

  ip route-static 0.0.0.0 0.0.0.0 202.1.1.254 // default route via the firewall's untrust-side address

  AR2配置:

  interface GigabitEthernet0/0/0 // AR2 sits in 192.168.1.0/24, the subnet behind the firewall's GigabitEthernet0/0/1.20 sub-interface (dmz)

  ip address 192.168.1.1 255.255.255.0

  ip route-static 0.0.0.0 0.0.0.0 192.168.1.254 // default route via the firewall's dmz-side address

  AR3配置:

  interface GigabitEthernet0/0/0 // AR3 sits in 10.1.1.0/24, the subnet behind the firewall's GigabitEthernet0/0/2 (trust); this is the only source the permit policy below matches

  ip address 10.1.1.1 255.255.255.0

  ip route-static 0.0.0.0 0.0.0.0 10.1.1.254 // default route via the firewall's trust-side address

  防火墙配置:

  interface GigabitEthernet0/0/1.10 // dot1q sub-interface for VLAN 10, arriving on the trunk from switch port GigabitEthernet0/0/23

  vlan-type dot1q 10

  alias GigabitEthernet0/0/1.10

  ip address 202.1.1.254 255.255.255.0 // gateway address that AR1 uses as its default route

  interface GigabitEthernet0/0/1.20 // dot1q sub-interface for VLAN 20 on the same physical trunk as VLAN 10

  vlan-type dot1q 20

  alias GigabitEthernet0/0/1.20

  ip address 192.168.1.254 255.255.255.0 // gateway address that AR2 uses as its default route

  interface GigabitEthernet0/0/2 // dedicated physical interface towards the trust network (AR3)

  ip address 10.1.1.254 255.255.255.0

  # interfaces belonging to the trust zone (highest priority, 85)

  firewall zone trust

  set priority 85

  add interface GigabitEthernet0/0/0 // GigabitEthernet0/0/0 receives no address in this listing; presumably the management port — it still inherits trust-zone reachability, so confirm what is attached to it

  add interface GigabitEthernet0/0/2

  # interfaces belonging to the untrust zone (lowest priority, 5)

  firewall zone untrust

  set priority 5

  add interface GigabitEthernet0/0/1.10

  # interfaces belonging to the dmz zone (priority 50, between trust and untrust)

  firewall zone dmz

  set priority 50

  add interface GigabitEthernet0/0/1.20

  # interzone policy (older `policy interzone` syntax; newer USG releases express this as security-policy rules)

  policy interzone trust untrust outbound // only the trust -> untrust direction is defined here; nothing is shown for dmz <-> trust or dmz <-> untrust, so with the default interzone deny those flows stay blocked — confirm on the device

  policy 0

  action permit

  policy source 10.1.1.0 mask 255.255.255.0 // matches on source only: any destination and any service from 10.1.1.0/24 is permitted outbound

    文章来源:http://692344.blog.51cto.com/682344/1607629
