Aries' IT Blog

Technical exchange and sharing

Internet access and policy-based routing on an H3C F1060 firewall

Network topology and background
Requirements:

1. The control-room subnet gets Internet access through the firewall over the 10M leased line and must not communicate with the office network.
2. The office subnets get Internet access through the firewall over the 100M leased line and may communicate with each other.
Topology diagram

(image not reproduced)
Firewall configuration:
Policy-based routing steers each internal subnet to its own WAN exit. The policy `bangong` is applied inbound on GigabitEthernet1/0/4, the link to the core switch: node 5 sends 192.168.1.0/24 and 192.168.2.0/24 (ACL 3000) to next hop 202.106.0.20 out GigabitEthernet1/0/2, and node 10 sends 192.168.3.0/24 (ACL 3001) to next hop 202.106.2.2 out GigabitEthernet1/0/3. Each WAN interface carries a `nat outbound` ACL (2000 and 2001) that permits exactly the sources the corresponding PBR node steers to it, so no subnet can leave with an untranslated private address. The firewall has no default route: traffic the policy does not match is dropped rather than leaking out some other link, which is the fail-closed behaviour you want here, but it also means any new internal subnet has to be added to both the PBR ACL and the NAT ACL.

Two things to tighten before running this in production. The Trust-to-Local object-policy `manage` is a bare `rule 0 pass`, and the box has `telnet server enable` and `ip http enable`, so every internal host, control-room subnet included, can reach the firewall's management plane over cleartext protocols; limit that zone pair to the admin hosts and keep only SSH and HTTPS (the local user `admin` is currently enabled for telnet, http and https but not ssh). The object-group `bangong` is empty and unused, and `line vty 5 63` lacks the `authentication-mode scheme` that vty 0 4 has, so give it the same setting or keep only the lines you need.

<FW>dis cu
#
 version 7.1.064, Alpha 7164
#
 sysname FW
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
object-group ip address bangong
#
object-group ip address youxian
 0 network subnet 192.168.1.0 255.255.255.0
 10 network subnet 192.168.2.0 255.255.255.0
 20 network subnet 192.168.3.0 255.255.255.0
#
policy-based-route bangong permit node 5
 if-match acl 3000
 apply next-hop 202.106.0.20
#
policy-based-route bangong permit node 10
 if-match acl 3001
 apply next-hop 202.106.2.2
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 202.106.0.21 255.255.255.0
 nat outbound 2000
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
 ip address 202.106.2.3 255.255.255.0
 nat outbound 2001
#
interface GigabitEthernet1/0/4
 port link-mode route
 combo enable copper
 ip address 192.168.100.253 255.255.255.0
 ip policy-based-route bangong
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/6
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/7
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/8
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/9
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/10
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/11
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/12
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/13
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/14
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/15
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/16
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/17
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/18
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/19
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/20
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/21
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/22
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
#
object-policy ip bangong
 rule 0 pass source-ip youxian
#
object-policy ip manage
 rule 0 pass
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
 import interface GigabitEthernet1/0/4
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/2
 import interface GigabitEthernet1/0/3
#
security-zone name Management
#
zone-pair security source Local destination Untrust
 packet-filter 2002
#
zone-pair security source Trust destination Local
 object-policy apply ip manage
#
zone-pair security source Trust destination Untrust
 object-policy apply ip bangong
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
#
line vty 5 63
 user-role network-operator
#
 ip route-static 192.168.1.0 24 192.168.100.254
 ip route-static 192.168.2.0 24 192.168.100.254
 ip route-static 192.168.3.0 24 192.168.100.254
#
acl basic 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
 rule 5 permit source 192.168.2.0 0.0.0.255
 rule 1000 deny
#
acl basic 2001
 rule 0 permit source 192.168.3.0 0.0.0.255
 rule 1000 deny
#
acl basic 2002
 rule 0 permit
#
acl advanced 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl advanced 3001
 rule 0 permit ip source 192.168.3.0 0.0.0.255
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 service-type telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 ip http enable
 ip https enable
#
return

Core switch configuration
VLANs 10 and 20 (192.168.1.0/24 and 192.168.2.0/24) are the office subnets and VLAN 30 (192.168.3.0/24) is the control room. ACL 3001, applied with `packet-filter 3001 inbound` on Vlan-interface30, stops VLAN 30 from reaching VLANs 10 and 20; anything it does not match is permitted (the packet-filter default) and follows the default route to the firewall at 192.168.100.253. Rules 998 and 999 already deny any source to those two subnets, so rules 1000 and 1001 never match. Note that the filter is stateless and inbound only: it inspects packets originating in VLAN 30, not packets routed into it, so an office host can still send one-way traffic (UDP, ICMP, a port scan) to control-room hosts and only the replies are dropped. To make the isolation bidirectional, apply the equivalent filter outbound on Vlan-interface30 or inbound on Vlan-interface10 and Vlan-interface20. The second default route, via 192.168.0.254, has no directly connected interface in 192.168.0.0/24 on this switch, so it will not resolve unless that subnet is reachable some other way.
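As an added example (not the author's tooling and not H3C software), the following Python script models the two decision points shown in this post: the firewall's policy-based-route and NAT pairing on GigabitEthernet1/0/4, and the core switch's inbound ACL on Vlan-interface30. Subnets, ACL rules, next hops and interface addresses are copied from the two configs; the sample packets and the public destination 203.0.113.10 are constructed. It shows that each office and control-room subnet gets the intended exit and is translated there, that anything else entering GE1/0/4 is dropped because the firewall has no default route, and that the core ACL only stops packets that originate in VLAN 30, so an office host can still send one-way traffic into the control room.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Example model of the filtering points in this post (added here; not the
# author's tooling and not H3C code).  Addresses, ACL rules, next hops and
# interface names are taken from the two configs; packets are constructed.


@dataclass(frozen=True)
class Rule:
    """One Comware ACL rule; an omitted source/destination means 'any'."""
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"


def acl_match(rules, src, dst, default="permit"):
    """First matching rule wins.  `default` is what an unmatched packet gets:
    packet-filter permits by default, NAT and PBR treat it as 'not matched'."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.action
    return default


# ---- firewall FW: PBR "bangong" on GE1/0/4 and the NAT ACL of each WAN port ----
ACL_3000 = [Rule("permit", "192.168.1.0/24"), Rule("permit", "192.168.2.0/24")]
ACL_3001 = [Rule("permit", "192.168.3.0/24")]
ACL_2000 = [Rule("permit", "192.168.1.0/24"), Rule("permit", "192.168.2.0/24"), Rule("deny")]
ACL_2001 = [Rule("permit", "192.168.3.0/24"), Rule("deny")]

PBR_BANGONG = [(5, ACL_3000, "202.106.0.20"), (10, ACL_3001, "202.106.2.2")]
WAN = {  # interface -> (interface address, ACL bound with `nat outbound`)
    "GigabitEthernet1/0/2": ("202.106.0.21/24", ACL_2000),
    "GigabitEthernet1/0/3": ("202.106.2.3/24", ACL_2001),
}


def egress(src, dst):
    """Decision for a packet entering GE1/0/4: (interface, next hop, NATed?)
    or None when dropped.  FW has no default route, so no PBR match = drop."""
    for _node, acl, next_hop in PBR_BANGONG:
        if acl_match(acl, src, dst, default="no-match") != "permit":
            continue
        for ifname, (addr, nat_acl) in WAN.items():
            if ip_address(next_hop) in ip_network(addr, strict=False):
                natted = acl_match(nat_acl, src, dst, default="deny") == "permit"
                return ifname, next_hop, natted
    return None


def unnatted_sources(nets=("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")):
    """Subnets the PBR forwards but whose exit's NAT ACL would send them out
    untranslated (private source leaking to the ISP).  Empty list = consistent."""
    probe = "203.0.113.10"                       # constructed public destination
    bad = []
    for net in nets:
        host = str(ip_network(net)[10])
        res = egress(host, probe)
        if res is not None and not res[2]:
            bad.append(net)
    return bad


# ---- core switch HEXIN1: packet-filter 3001 inbound on Vlan-interface30 ----
CORE_3001 = [
    Rule("deny", dst="192.168.2.0/24"),                 # rule 998
    Rule("deny", dst="192.168.1.0/24"),                 # rule 999
    Rule("deny", "192.168.3.0/24", "192.168.1.0/24"),   # rule 1000 (shadowed by 999)
    Rule("deny", "192.168.3.0/24", "192.168.2.0/24"),   # rule 1001 (shadowed by 998)
]


def core_forwards(src, dst):
    """The filter is inbound on Vlan-interface30 only, so only packets that
    originate in 192.168.3.0/24 are inspected; traffic routed *into* VLAN 30 is
    never checked.  Unmatched packets are permitted (packet-filter default)."""
    if ip_address(src) in ip_network("192.168.3.0/24"):
        return acl_match(CORE_3001, src, dst) == "permit"
    return True


if __name__ == "__main__":
    for s in ("192.168.1.10", "192.168.3.10", "192.168.100.10"):
        print(f"FW  {s:>14} -> Internet: {egress(s, '203.0.113.10')}")
    print("PBR/NAT mismatch:", unnatted_sources() or "none")
    print("core 192.168.3.10 -> 192.168.1.10:", core_forwards("192.168.3.10", "192.168.1.10"))
    print("core 192.168.1.10 -> 192.168.3.10:", core_forwards("192.168.1.10", "192.168.3.10"))
```

Running it prints the two exits for the office and control-room subnets, `None` for a 192.168.100.x source, no PBR/NAT mismatch, `False` for control room to office, and `True` for office to control room; that last result is the gap the inbound-only filter leaves, and it stays `True` until a matching filter is placed on the return side.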

[HEXIN1]dis cu
#
 version 7.1.075, Alpha 7571
#
 sysname HEXIN1
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
stp region-configuration
 region-name STPEXP
 instance 1 vlan 10
 instance 2 vlan 20
 active region-configuration
#
 stp instance 0 priority 4096
 stp instance 1 root primary
 stp instance 2 root secondary
 stp global enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.100.254 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.2.1 255.255.255.0
#
interface Vlan-interface30
 ip address 192.168.3.1 255.255.255.0
 packet-filter 3001 inbound
#
interface FortyGigE1/0/53
 port link-mode bridge
#
interface FortyGigE1/0/54
 port link-mode bridge
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1
 combo enable fiber
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 combo enable fiber
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/6
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/8
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/9
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/10
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/11
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/12
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/13
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/14
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/15
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/16
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/17
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/18
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/19
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/20
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/21
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/22
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/23
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/25
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/26
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/27
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/28
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/29
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/30
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/31
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/32
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/33
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/34
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/35
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/36
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/37
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/38
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/39
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/40
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/41
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/42
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/43
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/44
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/45
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/46
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/47
 port link-mode bridge
 combo enable fiber
#
interface GigabitEthernet1/0/48
 port link-mode bridge
 combo enable fiber
#
interface M-GigabitEthernet0/0/0
#
interface Ten-GigabitEthernet1/0/49
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/50
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/51
 port link-mode bridge
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/52
 port link-mode bridge
 combo enable fiber
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 192.168.0.254
 ip route-static 0.0.0.0 0 192.168.100.253
#
acl advanced 3001
 rule 998 deny ip destination 192.168.2.0 0.0.0.255
 rule 999 deny ip destination 192.168.1.0 0.0.0.255
 rule 1000 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1001 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
radius scheme system
 user-name-format without-domain
#
domain name system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
return

Powered By Z-BlogPHP 1.7.2
Mail to: hhesong@126.com. Copyright elecccom.cn. Some Rights Reserved. 冀ICP备18030769号-1