Gre封装

 

在防火墙上连  云时,可以用g0/0/0

在防火墙上不连 云时,一定不用0/0/0 !!!!!!!!!

 

交换机什么都不配置。

FW2:

interface GigabitEthernet0/0/0
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit

interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.1
 destination 1.1.1.2

 

firewall zone trust

set priority 85

 add interface GigabitEthernet0/0/0


firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel0

ip route-static 192.168.2.0 255.255.255.0 Tunnel0

security-policy
 default action permit

 

 

FW1:

interface GigabitEthernet0/0/0

 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.2.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit

 

interface Tunnel0

 ip address 10.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 1.1.1.2
 destination 1.1.1.1

 

firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
 add interface Tunnel0

 

ip route-static 192.168.1.0 255.255.255.0 Tunnel0

把所有的策略都打开:

security-policy
 default action permit

 

 

FW2:

 

 

把大的策略关闭,此时是ping不通的;

则写明细策略,会ping通

security-policy
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  service icmp
  action permit
 rule name untrust_local
  source-zone untrust
  destination-zone local
  source-address 1.1.1.0 mask 255.255.255.0
  destination-address 1.1.1.0 mask 255.255.255.0
  service gre
  service icmp
  action permit

 

FW1:

 

 

 

把大的策略关闭,此时是ping不通的;

则写明细策略,会ping通

同FW2一样,写成明细策略

 

GRE也可以使用动态协议。比如:ospf

 

posted @ 2019-09-02 22:14  小可爱啊a  阅读(393)  评论(0编辑  收藏  举报