I. Switch configuration

1. Configure the user-facing interfaces and the VLANIF interfaces.
<Huawei>system-view
[Huawei]vlan batch 2 3 100
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]interface g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]quit
[Huawei]interface vlanif 2
[Huawei-Vlanif2]ip address 192.168.2.1 24
[Huawei-Vlanif2]quit
[Huawei]interface vlanif 3
[Huawei-Vlanif3]ip address 192.168.3.1 24
[Huawei-Vlanif3]quit

2. Configure the interface facing the firewall and its VLANIF interface.
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3 100
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]interface vlanif 100
[Huawei-Vlanif100]ip address 192.168.100.2 24
[Huawei-Vlanif100]quit

3. Configure the static route.
[Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1

4. Configure the DHCP server.
[Huawei]dhcp enable
[Huawei]interface vlanif 2
[Huawei-Vlanif2]dhcp select interface
[Huawei-Vlanif2]dhcp server dns-list 114.114.114.114
[Huawei-Vlanif2]quit
[Huawei]interface vlanif 3
[Huawei-Vlanif3]dhcp select interface
[Huawei-Vlanif3]dhcp server dns-list 114.114.114.114
[Huawei-Vlanif3]quit

II. Firewall configuration

1. Configure the port connected to the switch and its IP address.
<Huawei>system-view
[SRG]interface g0/0/1
[SRG-GigabitEthernet0/0/1]ip address 192.168.100.1 24
[SRG-GigabitEthernet0/0/1]quit

2. Configure the public-network interface and its IP address.
<SRG>sys
[SRG]interface g0/0/2
18:13:57 2017/06/15
[SRG-GigabitEthernet0/0/2]ip address 200.0.0.2 24
[SRG-GigabitEthernet0/0/2]quit

3. Configure the default route and the return routes.
[SRG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
[SRG]ip route-static 192.168.2.0 255.255.255.0 192.168.100.2
[SRG]ip route-static 192.168.3.0 255.255.255.0 192.168.100.2

4. Configure NAT.
[SRG]nat address-group 1 200.0.0.2 200.0.0.2
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
[SRG]

5. Configure the zones and the interzone policy.
[SRG]firewall zone trust
[SRG-zone-trust]add interface g0/0/1
[SRG-zone-trust]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface g0/0/2
[SRG-zone-untrust]quit
[SRG]firewall packet-filter default permit all
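
The final command sets the default packet filter to permit for every zone pair, which also admits traffic arriving from untrust. The NAT policy likewise matches all of 192.168.0.0/16 rather than the two user subnets. The Python script below is an added example, not part of the original page: it audits a saved CLI transcript for those two conditions. Assumptions: the input keeps the bracketed prompts shown above, every non-default static route is treated as a return route to an inside subnet, and the finding names are made up for this example.

```python
import ipaddress
import re

# Constructed sample: firewall lines copied from the transcript on this page.
SAMPLE = """\
[SRG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
[SRG]ip route-static 192.168.2.0 255.255.255.0 192.168.100.2
[SRG]ip route-static 192.168.3.0 255.255.255.0 192.168.100.2
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG]firewall packet-filter default permit all
"""

# Optional [view] or <view> prompt, then the command text.
LINE = re.compile(r"^\s*(?:\[([^\]]*)\]|<([^>]*)>)?\s*(.*?)\s*$")

def wildcard_net(addr, wildcard):
    """Turn an address plus wildcard mask (0.0.255.255) into an IPv4 network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(transcript):
    """Return findings for the permit-all default and over-broad NAT sources."""
    findings, inside, nat_sources = [], [], []
    for line in transcript.splitlines():
        view1, view2, cmd = LINE.match(line).groups()
        view, tok = view1 or view2 or "", cmd.split()
        if tok == "firewall packet-filter default permit all".split():
            findings.append("default-permit-all")
        elif tok[:2] == ["ip", "route-static"] and len(tok) >= 5 and tok[3] != "0.0.0.0":
            # Assumption: a non-default static route is a return route to an inside subnet.
            inside.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif "nat-policy" in view and tok[:2] == ["policy", "source"] and len(tok) == 4:
            nat_sources.append(wildcard_net(tok[2], tok[3]))
    for src in nat_sources:
        # Flag a NAT source range larger than the inside subnets routed within it.
        routed = ipaddress.collapse_addresses(n for n in inside if n.subnet_of(src))
        if sum(n.num_addresses for n in routed) < src.num_addresses:
            findings.append(f"nat-source-too-broad {src}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A transcript whose NAT policy lists only 192.168.2.0 0.0.0.255 and 192.168.3.0 0.0.0.255, and which has no permit-all default, produces no findings.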