H3C Firewall Transparent Mode: Typical Networking Configuration Example

Lab Topology

Lab Requirements and Solutions

1. Configure IP addresses

R1

[H3C]sysname R1
[R1]int l 0
[R1-LoopBack0]ip ad
[R1-LoopBack0]ip address 2.2.2.2 32
[R1-LoopBack0]int g0/0
[R1-GigabitEthernet0/0]ip ad
[R1-GigabitEthernet0/0]ip address 10.0.0.2 30
[R1-GigabitEthernet0/0]int g0/1
[R1-GigabitEthernet0/1]ip ad
[R1-GigabitEthernet0/1]ip address 192.168.1.1 24
[R1-GigabitEthernet0/1]

sw1

[H3C]sysn
[H3C]sysname R1
[R1]int l 0
[R1-LoopBack0]ip ad
[R1-LoopBack0]ip address 2.2.2.2 32
[R1-LoopBack0]int g0/1
[R1-LoopBack0]int l 0
[R1-LoopBack0]undo ip address
[R1-LoopBack0]q
[R1]sysn sw1
[sw1]vlan 100
[sw1-vlan100]qu
[sw1]int vlan 100
[sw1-Vlan-interface100]ip address 172.16.1.1 24
[sw1-Vlan-interface100]int g1/0/1
[sw1-GigabitEthernet1/0/1]port link-type access
[sw1-GigabitEthernet1/0/1]port access vlan 100
[sw1-GigabitEthernet1/0/1]%Oct 13 12:49:25:020 2022 sw1 IFNET/3/PHY_UPDOWN:
Physical state on the interface Vlan-interface100 changed to up.
%Oct 13 12:49:25:020 2022 sw1 IFNET/5/LINK_UPDOWN: Line protocol state on the
interface Vlan-interface100 changed to up.
[sw1-GigabitEthernet1/0/1]int g1/0/2
[sw1-GigabitEthernet1/0/2]port link-mode route
%Oct 13 12:49:42:012 2022 sw1 IFNET/3/PHY_UPDOWN: Physical state on the
interface GigabitEthernet1/0/2 changed to down.
%Oct 13 12:49:42:013 2022 sw1 IFNET/5/LINK_UPDOWN: Line protocol state on the
interface GigabitEthernet1/0/2 changed to down.
[sw1-GigabitEthernet1/0/2]ip ad
[sw1-GigabitEthernet1/0/2]ip address 10.0.0.1 30
%Oct 13 12:49:44:089 2022 sw1 IFNET/3/PHY_UPDOWN: Physical state on the
interface GigabitEthernet1/0/2 changed to up.
%Oct 13 12:49:44:090 2022 sw1 IFNET/5/LINK_UPDOWN: Line protocol state on the
interface GigabitEthernet1/0/2 changed to up.
[sw1-GigabitEthernet1/0/2]int l 0
[sw1-LoopBack0]ip ad
[sw1-LoopBack0]ip address 1.1.1.1 32

2. Configure OSPF

R1

[R1]ospf
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]net
[R1-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0

sw1

[sw1]ospf
[sw1-ospf-1]a 0
[sw1-ospf-1-area-0.0.0.0]net
[sw1-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]net
[sw1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[sw1-ospf-1-area-0.0.0.0]net
[sw1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[sw1-ospf-1-area-0.0.0.0]

3. Configure the firewall in transparent mode

[H3C]sysname FW1
[FW1]vlan 10
[FW1-vlan10]qu
[FW1]int range g1/0/2 to g1/0/3
[FW1-if-range]port link-mode bridge
%Oct 13 12:56:16:168 2022 FW1 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on
the interface GigabitEthernet1/0/2 changed to down.
%Oct 13 12:56:16:169 2022 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol
state on the interface GigabitEthernet1/0/2 changed to down.
%Oct 13 12:56:16:615 2022 FW1 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on
the interface GigabitEthernet1/0/3 changed to down.
%Oct 13 12:56:16:616 2022 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol
state on the interface GigabitEthernet1/0/3 changed to down.
[FW1-if-range]%Oct 13 12:56:18:360 2022 FW1 IFNET/3/PHY_UPDOWN: -Context=1;
Physical state on the interface GigabitEthernet1/0/2 changed to up.
%Oct 13 12:56:18:360 2022 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol
state on the interface GigabitEthernet1/0/2 changed to up.
%Oct 13 12:56:18:688 2022 FW1 IFNET/3/PHY_UPDOWN: -Context=1; Physical state on
the interface GigabitEthernet1/0/3 changed to up.
%Oct 13 12:56:18:688 2022 FW1 IFNET/5/LINK_UPDOWN: -Context=1; Line protocol
state on the interface GigabitEthernet1/0/3 changed to up.
port
[FW1-if-range]port access vlan 10

4. Configure the firewall security policy

[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3
Please specify a VLAN list for the layer 2 interface.
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3 vl
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3 vlan 10
[FW1-security-zone-Trust]q
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 10
[FW1-security-zone-Untrust]qu
[FW1]acl ba
[FW1]acl basic 2000
[FW1-acl-ipv4-basic-2000]rule permit source any
[FW1-acl-ipv4-basic-2000]qu
[FW1]zone-pair security source trunt destination untrust
The specified source security zone doesn't exist.
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]pa
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Trust-Untrust]qu
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]pa
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Trust]qu
[FW1]dis zone-pair security
Source zone Destination zone
Trust Untrust
Untrust Trust
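
Step 4 binds ACL 2000, whose only rule is "rule permit source any", to both zone pairs, so the packet filter permits all IPv4 traffic between Trust and Untrust. The following is an added example, not part of the original post: a Python check that flags such bindings in a Comware-style configuration. The function names are hypothetical, and the sample text is constructed from the step 4 commands with the prompts removed.

```python
import re

# Constructed sample: the step 4 firewall commands with CLI prompts removed.
SAMPLE_CONFIG = """\
acl basic 2000
 rule permit source any
zone-pair security source Trust destination Untrust
 packet-filter 2000
zone-pair security source Untrust destination Trust
 packet-filter 2000
"""

def is_permit_any(rule: str) -> bool:
    """True if an ACL rule line permits traffic with no narrowing criteria."""
    tokens = rule.split()[1:]              # drop the leading "rule"
    if tokens and tokens[0].isdigit():     # optional rule ID
        tokens = tokens[1:]
    if not tokens or tokens[0] != "permit":
        return False
    rest = tokens[1:]
    if rest and rest[0] == "ip":           # advanced ACL matching every IP protocol
        rest = rest[1:]
    text = " ".join(rest).replace("source any", "").replace("destination any", "")
    return text.strip() == ""              # anything left over narrows the match

def audit_zone_pairs(config: str):
    """Return (source zone, destination zone, ACL) for each zone pair whose
    packet-filter ACL contains a permit-any rule."""
    acl_rules, bindings = {}, []
    acl = pair = None                      # section currently being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl (?:basic|advanced) (\d+)", line):
            acl, pair = m.group(1), None
            acl_rules.setdefault(acl, [])
        elif m := re.match(r"zone-pair security source (\S+) destination (\S+)", line):
            pair, acl = (m.group(1), m.group(2)), None
        elif line.startswith("rule ") and acl:
            acl_rules[acl].append(line)
        elif (m := re.match(r"packet-filter (\d+)", line)) and pair:
            bindings.append((*pair, m.group(1)))
    return [(src, dst, num) for src, dst, num in bindings
            if any(is_permit_any(r) for r in acl_rules.get(num, []))]

if __name__ == "__main__":
    for src, dst, num in audit_zone_pairs(SAMPLE_CONFIG):
        print(f"zone-pair {src} -> {dst}: ACL {num} permits any source")
```

An ACL whose rules all name a protocol or a specific source or destination produces no finding.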

Reposted from blog.csdn.net/qq_51235445/article/details/127828337