USG Firewall Transparent Mode Configuration

Lab requirements:

A company network has two Layer 3 switches. A USG firewall now needs to be added between the Layer 3 switches and the egress router. To keep the configuration simple, the plan is to run the firewall in transparent mode and insert it into the existing network purely as a firewall.

Lab objective:

Observe the difference between a firewall in transparent mode and a Layer 2 switch.

Lab approach:

1. PCs, subnet division and Layer 2 switching (configuration omitted here)

2. Connect the Layer 3 switches through a USG firewall and through an unmanaged switch respectively, and test the difference between the two;

3. The directly connected interfaces on the Layer 3 switches are vlanif virtual interfaces: vlanif300 when the FW sits between them, vlanif301 when the unmanaged switch does. OSPF provides Layer 3 connectivity between the switches.

Configuration:

FW transparent mode configuration:

<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]int gi 1/0/0
[USG6000V1-GigabitEthernet1/0/0]portswitch
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]
Aug 20 2020 02:04:30 USG6000V1 %%01PHY/4/STATUSUP(l)[3]:GigabitEthernet1/0/0 changed status to up.
[USG6000V1]un in en
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int gi 1/0/1
[USG6000V1-GigabitEthernet1/0/1]portswitch
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int gi 1/0/0
[USG6000V1-zone-trust]add int gi 1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]int gi 0/0/0
[USG6000V1-GigabitEthernet0/0/0]portswitch
                                ^
Error: Unrecognized command found at '^' position.
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]int gi 1/0/2
[USG6000V1-GigabitEthernet1/0/2]portswitch
[USG6000V1-GigabitEthernet1/0/2]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add int gi 1/0/2
[USG6000V1-zone-untrust]q
[USG6000V1]vlan 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[USG6000V1-vlan300]q
[USG6000V1]int vlanif 300
[USG6000V1-Vlanif300]ip addr 192.168.200.3 29

Layer 3 switch configuration when the FW sits between the Layer 3 switches:

LSW1 configuration (LSW2 is similar):

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L3-SW-1
[L3-SW-1]int gi 0/0/2
[L3-SW-1-GigabitEthernet0/0/2]port link-type trunk
[L3-SW-1-GigabitEthernet0/0/2]port trunk allow-pass vlan 1081
[L3-SW-1-GigabitEthernet0/0/2]int gi 0/0/3
[L3-SW-1-GigabitEthernet0/0/3]port link-type trunk
[L3-SW-1-GigabitEthernet0/0/3]port trunk allow-pass vlan 1082
[L3-SW-1-GigabitEthernet0/0/3]int gi 0/0/1
[L3-SW-1-GigabitEthernet0/0/1]port link-type access
[L3-SW-1-GigabitEthernet0/0/1]q
[L3-SW-1]vlan 300
[L3-SW-1-vlan300]int vlanif 300
[L3-SW-1-Vlanif300]ip addr 192.168.200.2 29
[L3-SW-1-Vlanif300]q
[L3-SW-1]int gi 0/0/1
[L3-SW-1-GigabitEthernet0/0/1]port link-type access
[L3-SW-1-GigabitEthernet0/0/1]port default vlan 300
[L3-SW-1-GigabitEthernet0/0/1]q
[L3-SW-1]
[L3-SW-1]vlan batch 1081 1082
Info: This operation may take a few seconds. Please wait for a moment...done.
[L3-SW-1]int vlanif 1081
[L3-SW-1-Vlanif1081]ip addr 10.180.108.1 25
[L3-SW-1-Vlanif1081]int vlanif 1082
[L3-SW-1-Vlanif1082]ip addr 10.180.108.130 25
[L3-SW-1-Vlanif1082]

[L3-SW-1]ospf 1 router-id 2.2.2.2
[L3-SW-1-ospf-1]area 0

[L3-SW-1-ospf-1-area-0.0.0.0]network 10.180.108.1 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]network 10.180.108.130 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]network 192.168.200.2 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]q
[L3-SW-1-ospf-1]silent-interface all
[L3-SW-1-ospf-1]undo silent-interface vlanif 300
[L3-SW-1-ospf-1]area 0
[L3-SW-1-ospf-1-area-0.0.0.0]undo network 192.168.200.2 0.0.0.0
[L3-SW-1-ospf-1-area-0.0.0.0]network 192.168.200.2 0.0.0.7
[L3-SW-1-ospf-1-area-0.0.0.0]q
[L3-SW-1-ospf-1]q
[L3-SW-1]dis ospf peer

     OSPF Process 1 with Router ID 2.2.2.2
[L3-SW-1]dis ospf routing

     OSPF Process 1 with Router ID 2.2.2.2
          Routing Tables 

 Routing for Network 
 Destination        Cost  Type       NextHop         AdvRouter       Area
 10.180.108.0/25    1     Stub       10.180.108.1    2.2.2.2         0.0.0.0
 10.180.108.128/25  1     Stub       10.180.108.130  2.2.2.2         0.0.0.0
 192.168.200.0/29   1     Stub       192.168.200.2   2.2.2.2         0.0.0.0

With the USG firewall (transparent mode) between the two Layer 3 switches, OSPF cannot discover a neighbor, so the two Layer 3 switches cannot communicate with each other;

But a USG firewall in transparent mode is said to be equivalent to a switch, so an additional switch was added, and the interfaces connecting to that switch were given vlanif 301 addresses: 192.168.201.2 or 192.168.201.4 /29.

The added configuration is as follows:

[L3-SW-1]vlan 301
[L3-SW-1-vlan301]int vlanif 301
[L3-SW-1-Vlanif301]ip addr 192.168.201.2 29
[L3-SW-1-Vlanif301]q
[L3-SW-1]int gi 0/0/4
[L3-SW-1-GigabitEthernet0/0/4]port link-type access
[L3-SW-1-GigabitEthernet0/0/4]port default vlan 301
[L3-SW-1-GigabitEthernet0/0/4]q

[L3-SW-1-ospf-1-area-0.0.0.0]network 192.168.201.0 0.0.0.7
[L3-SW-1-ospf-1-area-0.0.0.0]q
[L3-SW-1-ospf-1]dis th
#
ospf 1 router-id 2.2.2.2
 silent-interface all
 undo silent-interface Vlanif300
 area 0.0.0.0
  network 10.180.108.1 0.0.0.0
  network 10.180.108.130 0.0.0.0
  network 192.168.200.0 0.0.0.7
  network 192.168.201.0 0.0.0.7
#
return
[L3-SW-1-ospf-1]undo silent-interface Vlanif301

[L3-SW-1-GigabitEthernet0/0/4]dis ospf peer

     OSPF Process 1 with Router ID 2.2.2.2
         Neighbors 

 Area 0.0.0.0 interface 192.168.201.2(Vlanif301)'s neighbors
 Router ID: 4.4.4.4          Address: 192.168.201.4   
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 192.168.201.2  BDR: 192.168.201.4  MTU: 0    
   Dead timer due in 36  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:00:43     
   Authentication Sequence: [ 0 ] 

I don't know why the firewall's transparent mode doesn't let traffic pass straight through, even with both interfaces in the trust zone. Why???

Reposted from blog.csdn.net/WannaHaha/article/details/108129928
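As an added check that is not part of the original post, the following Python script takes L3-SW-1's OSPF configuration and its `display ospf peer` output and reports every interface that OSPF should be running on (covered by a network statement with its wildcard mask, and not silent) but that has no neighbor in state Full. Run against the lab's final state it flags Vlanif300, the path through the firewall; the configuration text and peer output below are constructed from the transcripts above.

```python
import ipaddress
import re
# Constructed sample: L3-SW-1's final OSPF config and "dis ospf peer" output from the lab above.
PEER_OUTPUT = """
 Area 0.0.0.0 interface 192.168.201.2(Vlanif301)'s neighbors
 Router ID: 4.4.4.4          Address: 192.168.201.4
   State: Full  Mode:Nbr is  Master  Priority: 1
"""
OSPF_CONFIG = """
ospf 1 router-id 2.2.2.2
 silent-interface all
 undo silent-interface Vlanif300
 undo silent-interface Vlanif301
 area 0.0.0.0
  network 10.180.108.1 0.0.0.0
  network 10.180.108.130 0.0.0.0
  network 192.168.200.0 0.0.0.7
  network 192.168.201.0 0.0.0.7
"""
# L3-SW-1 interface addresses as configured on the page.
INTERFACES = {"Vlanif300": "192.168.200.2", "Vlanif301": "192.168.201.2",
              "Vlanif1081": "10.180.108.1", "Vlanif1082": "10.180.108.130"}
def network_matches(ip, net, wildcard):
    """VRP 'network <addr> <wildcard>': bits set in the wildcard are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(net))) & care == 0

def expected_adjacency_interfaces(config, interfaces):
    """Interfaces covered by a network statement and not silent must form neighbors."""
    nets = re.findall(r"^\s*network (\S+) (\S+)", config, re.M)
    silent_all = re.search(r"^\s*silent-interface all", config, re.M) is not None
    unsilenced = set(re.findall(r"^\s*undo silent-interface (\S+)", config, re.M))
    return {name for name, ip in interfaces.items()
            if any(network_matches(ip, n, w) for n, w in nets)
            and not (silent_all and name not in unsilenced)}

def full_neighbor_interfaces(peer_output):
    """Interfaces that have at least one neighbor in state Full."""
    full, current = set(), None
    for line in peer_output.splitlines():
        m = re.search(r"interface \S+\((\S+)\)'s neighbors", line)
        if m:
            current = m.group(1)
        elif current and re.search(r"State:\s*Full", line):
            full.add(current)
    return full

def missing_adjacencies(config, interfaces, peer_output):
    # Enabled, non-silent interfaces with no Full neighbor: the paths to investigate.
    return expected_adjacency_interfaces(config, interfaces) - full_neighbor_interfaces(peer_output)
```

The same check can be run over the outputs of both switches; an interface that appears in the result on one side only usually points to an asymmetric problem on the link in between.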