防火墙NAT+DHCP+ACL+ACAP
任务要求:
SwitchA作为有线终端网关与DHCP Server,为无线终端与有线终端分配IP地址,并配置ACL访问控制列表控制不同用户的访问权限,客户机只能跟DMZ区域服务器互访,无线访客禁止访问业务服务器和员工有线网络。
防火墙配置出口NAT功能,用于公网和私网地址转换:配置安全策略,控制Internet的访问,客户机区域无需访问外网可以与DMZ区域的服务器互访,配置NATServer让DMZ区域的WEB服务器开放至公网访问。
该实验是参考华为官网的文章(作者的理论知识储备量不高,如果有些地方注释的不到位请见谅)
IP地址表:
| 设备 | 接口 | 所属VLAN | IP地址 |
|---|---|---|---|
| 防火墙 | G1/0/0 | 无 | 10.107.1.2/24 |
| 防火墙 | G1/0/1 | 无 | 109.1.1.1/24 |
| 防火墙 | G1/0/2 | 无 | 10.106.1.1/24 |
| SwitchA | G0/0/1 | 101、102、103、105 | vlanif101:10.101.1.1/24 vlanif102:10.102.1.1/24 |
| SwitchA | G0/0/3 | 104 | vlanif104:10.104.1.1/24 |
| SwitchA | G0/0/5 | 101、102、103、105 | vlanif103:10.103.1.1/24 vlanif105:10.105.1.1/24 |
| SwitchA | G0/0/8 | 100 | vlanif100:10.100.1.1/24 |
| SwitchA | G0/0/11 | 108 | vlanif108:10.108.1.1/24 |
| SwitchA | G0/0/13 | 107 | vlanif107:10.107.1.1/24 |
| SwitchB | E0/0/3 | 104 | 无 |
| SwitchB | E0/0/5 | 104 | 无 |
| SwitchC | E0/0/3 | 101、102、105 | 无 |
| SwitchC | E0/0/5 | 101、102、103、105 | 无 |
| SwitchC | E0/0/13 | 103 | 无 |
| SwitchD | E0/0/3 | 101、102、105 | 无 |
| SwitchD | E0/0/5 | 101、102、103、105 | 无 |
| SwitchD | E0/0/13 | 103 | 无 |
| WEB Server | E0/0/0 | 无 | 10.106.1.2/24 |
| Business Server | E0/0/0 | 无 | 10.108.1.2/24 |
| PC1 | E0/0/1 | 103 | DHCP获取 |
| PC2 | E0/0/1 | 103 | DHCP获取 |
| AC | G0/0/3 | 100 | 10.100.1.2/24 |
| AP1 | G0/0/0 | 105 | DHCP获取 |
| AP2 | G0/0/0 | 105 | DHCP获取 |
设备接口表:
| 本端设备 | 本端接口 | 对端设备 | 对端接口 |
|---|---|---|---|
| 防火墙FW | GE1/0/0 | SwitchA | GE0/0/13 |
| 防火墙FW | GE1/0/1 | Internet | GE0/0/0 |
| SwitchA | GE0/0/1 | SwitchC | E0/0/5 |
| SwitchA | GE0/0/3 | SwitchB | E0/0/5 |
| SwitchA | GE0/0/5 | SwitchD | E0/0/5 |
| SwitchA | GE0/0/8 | AC控制器 | GE0/0/3 |
| SwitchA | GE0/0/13 | 防火墙FW | GE1/0/0 |
| SwitchB | E0/0/5 | SwitchA | GE0/0/3 |
| SwitchC | E0/0/5 | SwitchA | GE0/0/1 |
| SwitchC | E0/0/3 | AP1 | GE0/0/0 |
| SwitchD | E0/0/5 | SwitchA | GE0/0/5 |
| SwitchD | E0/0/3 | AP2 | GE0/0/0 |
| AC控制器 | GE0/0/03 | SwitchA | GE0/0/8 |
VLAN规划表:
| VLAN规划 | 描述 |
|---|---|
| VLAN100 | 无线管理VLAN |
| VLAN101 | 访客无线业务VLAN |
| VLAN102 | 员工无线业务VLAN |
| VLAN103 | 员工有线VLAN |
| VLAN104 | 客户区域的VLAN |
| VLAN105 | AP所属VLAN |
| VLAN107 | 对应VLANIF接口上行防火墙 |
| VLAN108 | 业务区接入VLAN |
配置思路:
- 完成防火墙上的IP配置、默认路由配置和区域配置;完成交换机的vlan配置和vlan划分
- 配置SwitchA的DHCP服务
- 配置AC让AP上线并让无线终端获取IP
- 配置防火墙NAT功能,做公网和私网地址的转换
- 在SwitchA配置ACL访问控制列表并引用
防火墙基本配置:
<USG6000V1>system-view Enter system view, return user view with Ctrl+Z. [USG6000V1]sysname FW [FW]inter g1/0/0 [FW-GigabitEthernet1/0/0]ip add 10.107.1.2 24 [FW-GigabitEthernet1/0/0]inter g1/0/1 [FW-GigabitEthernet1/0/1]ip add 109.1.1.1 24 [FW-GigabitEthernet1/0/1]inter g1/0/2 [FW-GigabitEthernet1/0/2]ip add 10.106.1.1 24 [FW-GigabitEthernet1/0/2]firewall zone trust #进入防火墙信任区区域配置 [FW-zone-trust]add inter g1/0/0 #将G1/0/0接口加入信任区 [FW-zone-trust]firewall zone untrust #进入防火墙非信任区区域配置 [FW-zone-untrust]add inter g1/0/1 #将G1/0/1接口加入非信任区 [FW-zone-untrust]firewall zone dmz #进入防火墙隔离区区域配置 [FW-zone-dmz]add inter g1/0/2 #将G1/0/2接口加入隔离区 [FW-zone-dmz]quit [FW]ip route-static 10.0.0.0 8 10.107.1.1 #防火墙回访路由10.0.0.0下一跳地址为10.107.1.1 [FW]ip route-static 0.0.0.0 0 109.1.1.2 #默认出口路由 [FW]bfd #开启bfd全局配置 [FW-bfd]quit [FW]bfd 1 bind peer-ip 10.107.1.1 source-ip 10.107.1.2 auto #配置与SwitchA的双向转发故障检测 [FW-bfd-session-1]commit #提交当前bfd配置
AC基本配置与VLAN划分:
<AC6005>system-view Enter system view, return user view with Ctrl+Z. [AC6005]vlan batch 100 Info: This operation may take a few seconds. Please wait for a moment...done. [AC6005]inter vlan 100 [AC6005-Vlanif100]ip add 10.100.1.2 24 [AC6005-Vlanif100]inter g0/0/3 [AC6005-GigabitEthernet0/0/3]port link-type acc [AC6005-GigabitEthernet0/0/3]port default vlan 100 [AC6005-GigabitEthernet0/0/3]quit [AC6005]ip route-static 0.0.0.0 0.0.0.0 10.100.1.1 #AC的默认路由
SwitchA基本配置与VLAN划分:
<Huawei>system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname SWA [SWA]vlan batch 100 to 105 107 108 Info: This operation may take a few seconds. Please wait for a moment...done. [SWA]inter vlan 100 [SWA-Vlanif100]ip add 10.100.1.1 24 [SWA-Vlanif100]inter vlan 101 [SWA-Vlanif101]ip add 10.101.1.1 24 [SWA-Vlanif101]inter vlan 102 [SWA-Vlanif102]ip add 10.102.1.1 24 [SWA-Vlanif102]inter vlan 103 [SWA-Vlanif103]ip add 10.103.1.1 24 [SWA-Vlanif103]inter vlan 104 [SWA-Vlanif104]ip add 10.104.1.1 24 [SWA-Vlanif104]inter vlan 105 [SWA-Vlanif105]ip add 10.105.1.1 24 [SWA-Vlanif105]inter vlan 107 [SWA-Vlanif107]ip add 10.107.1.1 24 [SWA-Vlanif107]inter vlan 108 [SWA-Vlanif108]ip add 10.108.1.1 24 [SWA-Vlanif108]inter g0/0/1 [SWA-GigabitEthernet0/0/1]port link-type trunk [SWA-GigabitEthernet0/0/1]port trunk allow vlan 101 to 103 105 [SWA-GigabitEthernet0/0/1]inter g0/0/3 [SWA-GigabitEthernet0/0/3]port link-type acc [SWA-GigabitEthernet0/0/3]port default vlan 104 [SWA-GigabitEthernet0/0/3]inter g0/0/5 [SWA-GigabitEthernet0/0/5]port link-type trunk [SWA-GigabitEthernet0/0/5]port trunk allow vlan 101 to 103 105 [SWA-GigabitEthernet0/0/5]inter g0/0/8 [SWA-GigabitEthernet0/0/8]port link-type acc [SWA-GigabitEthernet0/0/8]port default vlan 100 [SWA-GigabitEthernet0/0/8]inter g0/0/11 [SWA-GigabitEthernet0/0/11]port link-type acc [SWA-GigabitEthernet0/0/11]port default vlan 108 [SWA-GigabitEthernet0/0/11]inter g0/0/13 [SWA-GigabitEthernet0/0/13]port link-type acc [SWA-GigabitEthernet0/0/13]port default vlan 107 [SWA-GigabitEthernet0/0/13]quit [SWA]ip route-static 0.0.0.0 0 10.107.1.2 #默认路由 [SWA]bfd #开启bfd全局配置 [SWA-bfd]quit [SWA]bfd 1 bind peer-ip 10.107.1.2 source-ip 10.107.1.1 auto #配置与防火墙的双向转发故障检测 [SWA-bfd-session-1]commit #提交当前bfd的配置
SwitchB VLAN划分:
<Huawei>system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname SWB [SWB]vlan batch 104 Info: This operation may take a few seconds. Please wait for a moment...done. [SWB]inter e0/0/5 [SWB-Ethernet0/0/5]port link-type acc [SWB-Ethernet0/0/5]port default vlan 104 [SWB-Ethernet0/0/5]inter e0/0/3 [SWB-Ethernet0/0/3]port link-type acc [SWB-Ethernet0/0/3]port default vlan 104 [SWB-Ethernet0/0/3]quit
SwitchC VLAN划分:
<Huawei>system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname SWC [SWC]vlan batch 101 to 103 105 Info: This operation may take a few seconds. Please wait for a moment...done. [SWC]inter e0/0/3 [SWC-Ethernet0/0/3]port link-type trunk [SWC-Ethernet0/0/3]port trunk allow vlan 101 102 105 [SWC-Ethernet0/0/3]port trunk pvid vlan 105 [SWC-Ethernet0/0/3]inter e0/0/5 [SWC-Ethernet0/0/5]port link-type trunk [SWC-Ethernet0/0/5]port trunk allow vlan 101 to 103 105 [SWC-Ethernet0/0/5]inter e0/0/13 [SWC-Ethernet0/0/13]port link-type acc [SWC-Ethernet0/0/13]port default vlan 103 [SWC-Ethernet0/0/13]quit
SwitchD VLAN划分:
<Huawei>system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname SWD [SWD]vlan batch 101 to 103 105 Info: This operation may take a few seconds. Please wait for a moment...done. [SWD]inter e0/0/3 [SWD-Ethernet0/0/3]port link-type trunk [SWD-Ethernet0/0/3]port trunk allow vlan 101 102 105 [SWD-Ethernet0/0/3]port trunk pvid vlan 105 [SWD-Ethernet0/0/3]inter e0/0/5 [SWD-Ethernet0/0/5]port link-type trunk [SWD-Ethernet0/0/5]port trunk allow vlan 101 to 103 105 [SWD-Ethernet0/0/5]inter e0/0/13 [SWD-Ethernet0/0/13]port link-type acc [SWD-Ethernet0/0/13]port default vlan 103 [SWD-Ethernet0/0/13]quit
SwitchA配置DHCP Server:
[SWA]dhcp enable #开启DHCP服务 [SWA]inter vlan 103 [SWA-Vlanif103]dhcp select interface #配置VLAN开启dhcp下发 [SWA]inter vlan 101 [SWA-Vlanif101]dhcp select interface [SWA]inter vlan 102 [SWA-Vlanif102]dhcp select interface [SWA]inter vlan 105 [SWA-Vlanif105]dhcp select interface [SWA-Vlanif105]dhcp server option 43 sub-option 1 ip-address 10.100.1.2 #当AP获取到IP地址后这条命令告知AP AC控制器的IP地址
AC配置AP上线(需要AP先获取到vlan105的ip地址):
[AC6005]capwap source interface vlanif100 #配置vlan100接口为AP控制点(AC源接口) [AC6005]wlan #进入无线配置面板 [AC6005-wlan-view]regulatory-domain-profile name office #创建名为office的域档案 [AC6005-wlan-regulate-domain-office]country-code CN #配置office域档案的国家代码为CN(默认为CN谨慎起见打一遍) [AC6005-wlan-regulate-domain-office]quit [AC6005-wlan-view]ap-group name office #为办公区创建名为office的ap组 [AC6005-wlan-ap-group-office]regulatory-domain-profile office #引用office域档案 [AC6005-wlan-ap-group-office]quit [AC6005-wlan-view]ap auth-mode mac-auth #配置ap的认证模式为mac认证 [AC6005-wlan-view]ap-id 0 ap-mac 00E0-FC4A-5F10 [AC6005-wlan-ap-0]ap-name office #ap名称为office [AC6005-wlan-ap-0]ap-group office #归属于名为office的ap组(加入office ap组) [AC6005-wlan-ap-0]quit [AC6005-wlan-view]regulatory-domain-profile name manage [AC6005-wlan-regulate-domain-manage]country-code CN [AC6005-wlan-regulate-domain-manage]quit [AC6005-wlan-view]ap-group name manage [AC6005-wlan-ap-group-manage]regulatory-domain-profile manage [AC6005-wlan-ap-group-manage]quit [AC6005-wlan-view]ap-id 1 ap-mac 00E0-FC6C-6200 [AC6005-wlan-ap-1]ap-name manage [AC6005-wlan-ap-1]ap-group manage [AC6005-wlan-ap-1]quit [AC6005-wlan-view]quit [AC6605]display ap all #查看ap上线情况
AC配置AP无线下发:
[AC6005]wlan [AC6005-wlan-view]security-profile name office #创建安全模板office [AC6005-wlan-sec-prof-office]security wpa2 psk pass-phrase 12345678 aes #配置安全级别为WPA2预共享密钥,添加密码12345678使用aes加密 [AC6005-wlan-sec-prof-office]quit [AC6005-wlan-view]ssid-profile name office #创建ssid模板 [AC6005-wlan-ssid-prof-office]ssid office #配置WIFI名为office [AC6005-wlan-ssid-prof-office]quit [AC6005-wlan-view]vap-profile name office #创建vap模板office [AC6005-wlan-vap-prof-office]forward-mode direct-forward #配置vap转发模式为直接转发(默认是直接转发) [AC6005-wlan-vap-prof-office]service-vlan vlan-id 101 #添加服务vlan101 [AC6005-wlan-vap-prof-office]ssid-profile office #引入ssid模板office [AC6005-wlan-vap-prof-office]security-profile office #引入安全模板office [AC6005-wlan-vap-prof-office]quit [AC6005-wlan-view]ap-group name office #进入office ap组 [AC6005-wlan-ap-group-office]vap-profile office wlan 1 radio 0 #引用vap模板射频在2.4Ghz频段 [AC6005-wlan-ap-group-office]vap-profile office wlan 1 radio 1 #引用vap模板射频在5Ghz频段 [AC6005-wlan-ap-group-office]quit [AC6005-wlan-view]security-profile name manage [AC6005-wlan-sec-prof-manage]security wpa2 psk pass-phrase 12345678 aes [AC6005-wlan-sec-prof-manage]quit [AC6005-wlan-view]ssid-profile name manage [AC6005-wlan-ssid-prof-manage]ssid manage [AC6005-wlan-ssid-prof-manage]quit [AC6005-wlan-view]vap-profile name manage [AC6005-wlan-vap-prof-manage]forward-mode direct-forward [AC6005-wlan-vap-prof-manage]service-vlan vlan-id 102 [AC6005-wlan-vap-prof-manage]ssid-profile manage [AC6005-wlan-vap-prof-manage]security-profile manage [AC6005-wlan-vap-prof-manage]quit [AC6005-wlan-view]ap-group name manage [AC6005-wlan-ap-group-manage]vap-profile office wlan 1 radio 0 [AC6005-wlan-ap-group-manage]vap-profile office wlan 1 radio 1 [AC6005-wlan-ap-group-managee]quit
防火墙区域访问配置:
[FW]security-policy #进入安全策略面板 [FW-policy-security]rule name trust_untrust #添加规则用于trust区域访问untrust区域 [FW-policy-security-rule-trust_untrust]source-zone trust #添加源区域trust [FW-policy-security-rule-trust_untrust]destination-zone untrust #目的区域untrust [FW-policy-security-rule-trust_untrust]source-address 10.101.1.0 0.0.0.255 [FW-policy-security-rule-trust_untrust]source-address 10.102.1.0 0.0.0.255 [FW-policy-security-rule-trust_untrust]source-address 10.103.1.0 0.0.0.255 [FW-policy-security-rule-trust_untrust]action permit #规则动作允许 [FW-policy-security-rule-trust_untrust]quit [FW-policy-security]rule name camera_dmz #添加规则用于客户机与dmz互相访问 [FW-policy-security-rule-camera_dmz]source-zone dmz [FW-policy-security-rule-camera_dmz]source-zone trust [FW-policy-security-rule-camera_dmz]destination-zone dmz [FW-policy-security-rule-camera_dmz]destination-zone trust [FW-policy-security-rule-camera_dmz]source-address 10.104.1.0 0.0.0.255 #添加客户机所在网段 [FW-policy-security-rule-camera_dmz]source-address 10.106.1.0 0.0.0.255 #添加web server所在网段 [FW-policy-security-rule-camera_dmz]destination-address 10.104.1.0 0.0.0.255 #目标客户机网段 [FW-policy-security-rule-camera_dmz]destination-address 10.106.1.0 0.0.0.255 #目标web server网段 [FW-policy-security-rule-camera_dmz]action permit [FW-policy-security-rule-camera_dmz]quit [FW-policy-security]rule name untrust_dmz #添加规则用于untrust区域访问dmz区域的web server [FW-policy-security-rule-untrust_dmz]source-zone untrust [FW-policy-security-rule-untrust_dmz]destination-zone dmz [FW-policy-security-rule-untrust_dmz]action permit [FW-policy-security-rule-untrust_dmz]quit [FW-policy-security]rule name trust_dmz #添加规则用于trust区域访问dmz区域 [FW-policy-security-rule-trust_dmz]source-zone trust [FW-policy-security-rule-trust_dmz]destination-zone dmz [FW-policy-security-rule-trust_dmz]action permit [FW-policy-security-rule-trust_dmz]quit
防火墙NAT配置:
[FW]nat address-group 1 #创建nat组1 [FW-address-group-1]mode pat #配置nat模式为路径模式(允许端口转换) [FW-address-group-1]route enable #开启nat路由(防环作用) [FW-address-group-1]section 1 109.1.1.10 109.1.1.15 #配置nat地址段 [FW-address-group-1]quit [FW]nat-policy #进入nat策略配置 [FW-policy-nat]rule name trust_untrust #添加规则trust_untrust用于实现私网指定网段访问公网时自动进行源地址转换 [FW-policy-nat-rule-trust_untrust]source-zone trust #源区域为trust [FW-policy-nat-rule-trust_untrust]destination-zone untrust #目的区域为untrust [FW-policy-nat-rule-trust_untrust]source-address 10.101.1.0 0.0.0.255 #添加访客无线vlan101的源地址段10.101.1.0 [FW-policy-nat-rule-trust_untrust]source-address 10.102.1.0 0.0.0.255 #添加员工无线vlan102的源地址段10.102.1.0 [FW-policy-nat-rule-trust_untrust]source-address 10.103.1.0 0.0.0.255 #添加员工有线vlan103的源地址段10.103.1.0 [FW-policy-nat-rule-trust_untrust]action source-nat address-group 1 #调用nat组1 [FW-policy-nat-rule-trust_untrust]quit [FW-policy-nat]quit [FW]ip route-static 109.1.1.10 255.255.255.255 NULL0 #添加黑洞路由防止环路 [FW]ip route-static 109.1.1.11 255.255.255.255 NULL0 [FW]ip route-static 109.1.1.12 255.255.255.255 NULL0 [FW]ip route-static 109.1.1.13 255.255.255.255 NULL0 [FW]ip route-static 109.1.1.14 255.255.255.255 NULL0 [FW]ip route-static 109.1.1.15 255.255.255.255 NULL0 [FW]nat server protocol tcp global interface GigabitEthernet 1/0/1 www inside 10.106.1.2 www no-reverse #添加nat映射要求web sever的ip地址映射在防火墙g1/0/1接口上,公网通过访问防火墙g1/0/1接口访问web server
SwitchA配置acl访问控制列表:
[SWA]acl 3000 #添加规则3000控制客户机访问 [SWA-acl-adv-3000]description client #注释 [SWA-acl-adv-3000]rule 0 permit ip source 10.104.1.2 0 destination 10.106.1.2 0 #允许客户机访问web server [SWA-acl-adv-3000]rule 5 deny ip source 10.104.1.2 0 #拒绝客户机访问其它网段 [SWA-acl-adv-3000]quit [SWA]inter g0/0/3 [SWA-GigabitEthernet0/0/3]traffic-filter inbound acl 3000 #在G0/0/3接口使用流量过滤引入规则3000 [SWA]acl 3001 #添加规则3001控制无线用户不能访问vlan103网段 [SWA-acl-adv-3001]rule 0 deny ip source 10.101.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255 [SWA-acl-adv-3001]rule 1 deny ip source 10.101.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255 [SWA-acl-adv-3001]rule 2 deny ip source 10.102.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255 [SWA-acl-adv-3001]rule 3 deny ip source 10.102.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255 [SWA-acl-adv-3001]quit [SWA]inter g0/0/1 [SWA-GigabitEthernet0/0/1]traffic-filter inbound acl 3001 #在G0/0/1接口使用流量过滤引入规则3001 [SWA-GigabitEthernet0/0/1]quit [SWA]inter g0/0/5 [SWA-GigabitEthernet0/0/5]traffic-filter inbound acl 3001 #在G0/0/5接口使用流量过滤引入规则3001 [SWA-GigabitEthernet0/0/5]quit
有线ip获取:
AP上线情况和无线ip获取:
客户机访问:
访问web server:
访问员工有线网:
访问无线网:
无线用户访问:
NAT转换测试:
有线网络:
无线网络:
NAT地址映射:
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· DeepSeek 开源周回顾「GitHub 热点速览」
· 记一次.NET内存居高不下排查解决与启示
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· .NET10 - 预览版1新功能体验(一)