Firewall NAT configuration on Huawei

  1. Device IP address configuration.
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router1
    [Router1]interface GigabitEthernet 0/0/1
    [Router1-GigabitEthernet0/0/1]ip address 1.1.1.1 24
    [Router1-GigabitEthernet0/0/1]interface loopback 0
    [Router1-LoopBack0]ip address 10.0.1.1 24
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router2
    [Router2]interface GigabitEthernet0/0/1
    [Router2-GigabitEthernet0/0/1]ip address 10.0.20.2 24
    [Router2-GigabitEthernet0/0/1]interface loopback 0
    [Router2-LoopBack0]ip address 10.0.2.2 24
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router3
    [Router3]interface GigabitEthernet0/0/1
    [Router3-GigabitEthernet0/0/1]ip address 10.0.20.3 24
    [Router3-GigabitEthernet0/0/1]interface loopback 0
    [Router3-LoopBack0]ip address 10.0.3.3 24
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Huawei]sysname Router4
    [Router4]interface GigabitEthernet 0/0/1
    [Router4-GigabitEthernet0/0/1]ip address 10.0.40.4 24
    [Router4-GigabitEthernet0/0/1]interface loopback 0
    [Router4-LoopBack0]ip address 10.0.4.4 24
    On the firewall, IP addresses are not configured on Layer 2 switch interfaces.
    In the lab, let's create VLAN 12 on the firewall and create the VLANIF 12 interface. We configure the VLANIF 12 interface address as the gateway IP address of the network in the trust zone and set it to 10.0.20.254/24.
    system-view
    Enter system view, return user view with Ctrl+Z.
    [Eudemon 200E]sysname FW
    [FW]vlan 12
    [FW-vlan-12]quit
    [FW]interface Vlanif 12
    [FW-Vlanif12]ip address 10.0.20.254 24
    [FW-Vlanif12]interface ethernet 1/0/0
    [FW-Ethernet1/0/0]port access vlan 12
    [FW-Ethernet1/0/0]undo interface Vlanif 1
    [FW]interface Ethernet 0/0/0
    [FW-Ethernet0/0/0]ip address 1.1.1.254 24
    [FW-Ethernet0/0/0]interface ethernet 2/0/0
    [FW-Ethernet2/0/0]ip address 10.0.40.254 24
    Let's add VLAN 11 to the device's G0/0/1 and G0/0/24 interfaces.
    Let's add VLAN 12 to the device's G0/0/2, G0/0/3 and G0/0/22 interfaces.
    Let's add VLAN 13 to the device's G0/0/4 and G0/0/23 interfaces.
    [Quidway]sysname Switch1
    [Switch1]vlan batch 11 to 13
    [Switch1]interface GigabitEthernet 0/0/1
    [Switch1-GigabitEthernet0/0/1]port link-type access
    [Switch1-GigabitEthernet0/0/1]port default vlan 11
    [Switch1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
    [Switch1-GigabitEthernet0/0/2]port link-type access
    [Switch1-GigabitEthernet0/0/2]port default vlan 12
    [Switch1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3
    [Switch1-GigabitEthernet0/0/3]port link-type access
    [Switch1-GigabitEthernet0/0/3]port default vlan 12
    [Switch1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
    [Switch1-GigabitEthernet0/0/4]port link-type access
    [Switch1-GigabitEthernet0/0/4]port default vlan 13
    [Switch1-GigabitEthernet0/0/4]interface GigabitEthernet 0/0/21
    [Switch1-GigabitEthernet0/0/21]port link-type access
    [Switch1-GigabitEthernet0/0/21]port default vlan 11
    [Switch1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22
    [Switch1-GigabitEthernet0/0/22]port link-type access
    [Switch1-GigabitEthernet0/0/22]port default vlan 12
    [Switch1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23
    [Switch1-GigabitEthernet0/0/23]port link-type access
    [Switch1-GigabitEthernet0/0/23]port default vlan 13
  2. Let's configure static routes for network communication.
    [Router2]ip route-static 0.0.0.0 0 10.0.20.254
    [Router3]ip route-static 0.0.0.0 0 10.0.20.254
    [Router4]ip route-static 0.0.0.0 0 10.0.40.254
    [FW]ip route-static 10.0.2.0 24 10.0.20.2
    [FW]ip route-static 10.0.3.0 24 10.0.20.3
    [FW]ip route-static 10.0.4.0 24 10.0.40.4
    [FW]ip route-static 0.0.0.0 0 1.1.1.1
    Let's check the connections.
    [FW]ping 10.0.1.1
    PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
    [FW]ping 10.0.2.2
    PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
    [FW]ping 10.0.3.3
    PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
    [FW]ping 10.0.4.4
    PING 10.0.4.4: 56 data bytes, press CTRL_C to break
    Reply from 10.0.4.4: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.0.4.4: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.0.4.4: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.0.4.4: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.0.4.4: bytes=56 Sequence=5 ttl=255 time=1 ms
    --- 10.0.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
  3. Enabling security on the interfaces.
    By default, four zones are created on the firewall. These are the local, trusted, untrusted and DMZ zones.
    In this lab, the trusted, untrusted and DMZ zones are used.
    [FW]firewall zone dmz
    [FW-zone-dmz]add interface Ethernet 2/0/0
    [FW-zone-dmz]firewall zone trust
    [FW-zone-trust]add interface Vlanif 12
    [FW-zone-trust]firewall zone untrust
    [FW-zone-untrust]add interface Ethernet 0/0/0
    By default, communication between all zones is in the normal state. NAT is not enabled; therefore, the external zone cannot communicate with the internal zone and the DMZ zone.
  4. Configuring security filtering between zones.
    Let's configure the trust-to-untrust direction so that packets from the 10.0.2.0 and 10.0.3.0 networks are forwarded. Let's configure the untrust-to-DMZ direction so that Telnet and FTP request packets destined for 10.0.4.4 are passed through.
    [FW]firewall session link-state check
    [FW]policy interzone trust untrust outbound
    [FW-policy-interzone-trust-untrust-outbound]policy 0
    [FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
    [FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0 0.0.0.255
    [FW-policy-interzone-trust-untrust-outbound-0]action permit
    [FW-policy-interzone-trust-untrust-outbound-0]quit
    [FW-policy-interzone-trust-untrust-outbound]quit
    [FW]policy interzone dmz untrust inbound
    [FW-policy-interzone-dmz-untrust-inbound]policy 0
    [FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.4.4 0
    [FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
    [FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set ftp
    [FW-policy-interzone-dmz-untrust-inbound-0]action permit
    [FW-policy-interzone-dmz-untrust-inbound-0]quit
  5. NAT IP address configuration.
    [FW]nat-policy interzone trust untrust outbound
    [FW-nat-policy-interzone-trust-untrust-outbound]policy 0
    [FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
    [FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
    [FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip Ethernet 0/0/0
    Let's check the configuration.
    [Router2]ping 10.0.1.1
    PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
    — 10.0.1.1 ping statistics —
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    [Router2]ping -a 10.0.2.2 10.0.1.1
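To see why the ping from Router2 above fails while the rest of the lab passes, here is an added Python model (not code from the original post or from Huawei) of the FW configuration in steps 2 to 5: the static routes and zone membership, the two interzone security rules with their wildcard masks, and the trust-to-untrust easy-ip NAT rule. Resolving a packet's zone through its route is a simplification I assume for the lab; a real firewall uses the arriving interface.

```python
import ipaddress

IFACES = {  # interface: (security zone, address/prefix), from steps 1 and 3
    "Vlanif12": ("trust", "10.0.20.254/24"),
    "Ethernet2/0/0": ("dmz", "10.0.40.254/24"),
    "Ethernet0/0/0": ("untrust", "1.1.1.254/24"),
}
STATIC = {"10.0.2.0/24": "10.0.20.2", "10.0.3.0/24": "10.0.20.3",   # step 2
          "10.0.4.0/24": "10.0.40.4", "0.0.0.0/0": "1.1.1.1"}
# Step 4: (from zone, to zone, sources, destinations, service-sets); None = any.
SEC_POLICIES = [
    ("trust", "untrust", [("10.0.2.0", "0.0.0.255"), ("10.0.3.0", "0.0.0.255")], None, None),
    ("untrust", "dmz", None, [("10.0.4.4", "0.0.0.0")], {"telnet", "ftp"}),
]
# Step 5: trust->untrust source NAT, easy-ip on the egress interface.
NAT_POLICIES = [("trust", "untrust", [("10.0.2.0", "0.0.0.255")])]

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: bits set in the mask are ignored; 0 = host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def egress(ip):
    """Interface a packet to `ip` leaves on: connected first, then the
    longest-matching static route, resolved recursively via its next hop."""
    ip = ipaddress.IPv4Address(ip)
    for name, (_, cidr) in IFACES.items():
        if ip in ipaddress.IPv4Interface(cidr).network:
            return name
    best = max((p for p in STATIC if ip in ipaddress.IPv4Network(p)),
               key=lambda p: ipaddress.IPv4Network(p).prefixlen)
    return egress(STATIC[best])

def forward(src, dst, service):
    """Return (verdict, source address as seen by the destination)."""
    sz, dz = IFACES[egress(src)][0], IFACES[egress(dst)][0]
    if sz == dz:                      # intra-zone traffic: no policy applied
        return "permit", src
    def hit(rules, addr):             # None = any; else some wildcard rule matches
        return rules is None or any(wildcard_match(addr, *r) for r in rules)
    allowed = any(s == sz and d == dz and hit(srcs, src) and hit(dsts, dst)
                  and (svcs is None or service in svcs)
                  for s, d, srcs, dsts, svcs in SEC_POLICIES)
    if not allowed:
        return "deny", src            # no interzone rule matched: dropped
    for s, d, srcs in NAT_POLICIES:   # security check passed; now NAT
        if (s, d) == (sz, dz) and hit(srcs, src):
            return "permit", IFACES[egress(dst)][1].split("/")[0]  # easy-ip
    return "permit", src              # permitted but leaves untranslated
```

A ping from Router2 sourced from its 10.0.20.2 interface address is dropped because neither source rule in the trust-to-untrust policy covers 10.0.20.0/24; sourced from 10.0.2.2 it is permitted and translated to 1.1.1.254, while 10.0.3.3 is permitted but leaves untranslated because the NAT rule lists only 10.0.2.0.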
