Firewall interface types
- Physical interfaces
1) Interfaces supported by the firewall can be Layer 2 or Layer 3 interfaces
2) Layer 2 interface: portswitch
3) Layer 3 interface: undo portswitch
- Logical interfaces
1) VT (virtual template) interface, dialer interface
2) tunnel interface, null interface
3) vlanif interface
4) Layer 3 Ethernet subinterface
5) Eth-Trunk interface, loopback interface
Eth-Trunk on the firewall
- Advantages:
1) The essential purpose is to increase link bandwidth
2) Reliability (LACP protocol)
3) Load sharing
- Eth-Trunk modes:
1) Manual load-sharing mode (default). Note: all links participate in forwarding
2) Static LACP mode (there is no dynamic LACP). Note: all links can be active, or backup links can be configured in M:N form
- Eth-Trunk interface types
1) Layer 3 Eth-Trunk
2) Layer 2 Eth-Trunk
- On the switch: Layer 2 Eth-Trunk
Step 1: create the Eth-Trunk and set its mode
interface Eth-Trunk1
mode lacp-static ---------default is manual load sharing
Step 2: define the Eth-Trunk type
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
Step 3: add interfaces to the Eth-Trunk group
Method 1
int XXXX
eth-trunk 1
Method 2
int eth-trunk XX (not available on the firewall)
trunkport g0/0/1 to 0/0/2
- On the firewall: Layer 3 Eth-Trunk
Step 1: create the Eth-Trunk and set its mode
interface Eth-Trunk1
mode lacp-static
Step 2: add member interfaces to the Eth-Trunk
int XXX
eth-trunk 1
Check the Eth-Trunk configuration
Firewall subinterfaces
Subinterfaces of physical interfaces
Configure the subinterfaces on the firewall
interface GigabitEthernet1/0/0.10 -------create the subinterface first
vlan-type dot1q 10 ----------------------encapsulate the VLAN ID
ip address 10.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/0.20
vlan-type dot1q 20
ip address 10.1.2.10 255.255.255.0
Step 2: add the subinterfaces to a zone
firewall zone trust
add interface GigabitEthernet1/0/0.10
add interface GigabitEthernet1/0/0.20
Check:
Step 3: test directly connected communication through the firewall
By default nothing gets through, because a Huawei firewall has no security policy permitting traffic between zones by default
The default policy is deny
[FW1] security-policy default action permit ----------fully open security policy by default
Test each directly connected communication
After testing, be sure to turn it back off
security-policy default action deny
Note:
About PING
- If you ping the zones from the firewall itself, it works as long as the security policy above permits everything
- If the firewall's interfaces are accessed from the security zones, permitting everything in the security policy is not enough; ping must be enabled in the interface's access management (service-manage) before the firewall interface can be pinged
Step 5: check and test
Subinterfaces of logical interfaces
A Layer 3 Eth-Trunk can be configured with an IP address
Layer 2 Eth-Trunk link type
Default is hybrid
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
Configuration:
interface Eth-Trunk1.10
vlan-type dot1q 10
ip address 10.1.1.10 255.255.255.0
#
interface Eth-Trunk1.20
vlan-type dot1q 20
ip address 10.1.2.10 255.255.255.0
Note:
Note: all firewall interfaces, whether physical or logical, must be added to a zone
Every interface on the firewall is assigned to a zone
firewall zone trust
set priority 85
add interface Eth-Trunk1.10
add interface Eth-Trunk1.20
Permit the traffic with a security policy
security-policy
rule name trust_local
source-zone trust
destination-zone local
action permit
Vlanif interfaces on the firewall
- Lab demonstration of the vlanif interface technique on the firewall
Configuration approach:
Step 1: create the VLANs
vlan batch 10 20
Step 2: configure the interfaces as Layer 2
interface GigabitEthernet1/0/0
portswitch
port link-type access------------default is ACCESS, can be changed
port access vlan 10
#
interface GigabitEthernet1/0/1
portswitch
port link-type access
port access vlan 20
Step 3: create the VLANIF interfaces
interface Vlanif10
ip address 10.1.1.10 255.255.255.0
service-manage ping permit
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
service-manage ping permit
Step 4: add the interfaces to a zone
Note: the physical interfaces do not need to be added to a zone; only the logical (vlanif) interfaces are added to the zone
firewall zone trust
add interface Vlanif10
add interface Vlanif20
Step 5: test and check
Note:
Interfaces in the same zone do not need a security policy and can communicate with each other ------is this conclusion correct?
On the current USG6320 V100 version, a security policy for traffic within the same zone must also be configured
security-policy
rule name trust_trust
source-zone trust
destination-zone trust
action permit
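As an added example (not from the original notes or a Huawei tool), a small Python audit that reads a VRP-style config text and flags the two things these notes warn about: a `security-policy default action permit` left over from testing, and interfaces with an IP address that were never added to a zone. The sample config and the function name are constructed for illustration.

```python
# Constructed sample in Huawei VRP style; not the page's lab config.
SAMPLE_CONFIG = """\
security-policy default action permit
interface GigabitEthernet1/0/0.10
 vlan-type dot1q 10
 ip address 10.1.1.10 255.255.255.0
#
interface Eth-Trunk1.20
 vlan-type dot1q 20
 ip address 10.1.2.10 255.255.255.0
#
interface Vlanif10
 ip address 10.1.3.10 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0.10
 add interface Vlanif10
#
"""

def audit_firewall_config(config):
    """Return (default_permit, unzoned) for a VRP-style config text.

    default_permit: the test-time 'security-policy default action permit'
    (which the notes say must be reverted to deny) is still present.
    unzoned: interfaces with an IP address that were never added to a
    firewall zone, which the notes require for every interface.
    """
    addressed, zoned = set(), set()
    default_permit = False
    current = None      # interface block we are inside, if any
    in_policy = False   # inside a 'security-policy' block
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                  # VRP section separator
            current, in_policy = None, False
        elif line == "security-policy default action permit":
            default_permit = True
        elif line == "security-policy":
            in_policy = True
        elif in_policy and line == "default action permit":
            default_permit = True
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("ip address ") and current:
            addressed.add(current)
        elif line.startswith("add interface "):
            zoned.add(line.split(None, 2)[2])
    return default_permit, sorted(addressed - zoned)
```

Run it over `display current-configuration` output saved to a file; an empty unzoned list and `default_permit == False` is the expected end state after the lab.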