Shulou(Shulou.com)06/01 Report--
1. Experimental topology:
2. Experimental requirements:
1. Private network: the USG interface connecting to R2, G0/0/2, is a layer 3 interface; the other interfaces are layer 2 interfaces. R1, R2 and R3 each deploy a default route to the USG.
2. Create VLANs 10 and 202 on the USG, and assign G0/0/0 to VLAN 202 and G0/0/1 to VLAN 10.
3. Deploy Policy 0: allow ICMP traffic from Trust to Untrust; deploy Policy 1: allow ICMP traffic from DMZ to Untrust Outbound
4. Make R3 ping R1 and R2 ping R1 reachable.
3. Command deployment:
1. Router interface address and default route
[R1] ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
[R2] ip route-static 0.0.0.0 0.0.0.0 192.168.1.10
[R3] ip route-static 0.0.0.0 0.0.0.0 10.1.1.10
2. USG configuration:
(1) Interface configuration:
[SRG] int g0/0/0
[SRG-GigabitEthernet0/0/0] portswitch
[SRG-GigabitEthernet0/0/0] port access vlan 202
[SRG] int g0/0/1
[SRG-GigabitEthernet0/0/1] portswitch
[SRG-GigabitEthernet0/0/1] port access vlan 10
[SRG] int g0/0/2
[SRG-GigabitEthernet0/0/2] ip add 192.168.1.10 24
View:
[SRG-GigabitEthernet0/0/0] display this // after entering portswitch, the port defaults to an access port
portswitch
port link-type access
[SRG] display ip int bri // G0/0/0 and G0/0/1 are not shown
Create a VLAN:
[SRG] vlan 10
[SRG-vlan-10] vlan 202
Configure the VLAN address:
[SRG] int vlanif 202
[SRG-Vlanif202] ip add 202.100.1.10 24
[SRG] int Vlanif 10
[SRG-Vlanif10] ip add 10.1.1.10 24
View:
[SRG] display ip interface brief // the VLAN interface addresses now appear
Remove the interfaces from their original zones:
[SRG] firewall zone untrust
[SRG-zone-untrust] undo add int g0/0/0
[SRG] firewall zone dmz
[SRG-zone-dmz] undo add int g0/0/1
Assign the VLAN interfaces to different zones:
[SRG] firewall zone untrust
[SRG-zone-untrust] add int Vlanif 202
[SRG] firewall zone dmz
[SRG-zone-dmz] add int Vlanif 10
Test:
[SRG] ping 202.100.1.1 // reachable
[SRG] ping 10.1.1.3 // reachable
(2) Deploy Policy 1: allow outbound ICMP traffic from DMZ to Untrust
[SRG] ip service-set aaa type object
[SRG-object-service-set-aaa] service protocol icmp
[SRG] policy interzone dmz untrust outbound
[SRG-policy-interzone-dmz-untrust-outbound] policy 1
[SRG-policy-interzone-dmz-untrust-outbound-1] policy source 10.1.1.0 mask 24
[SRG-policy-interzone-dmz-untrust-outbound-1] policy destination 202.100.1.0 mask 24
[SRG-policy-interzone-dmz-untrust-outbound-1] policy service service-set aaa
[SRG-policy-interzone-dmz-untrust-outbound-1] action permit
(3) Deploy Policy 0: allow outbound ICMP traffic from Trust to Untrust
[SRG] policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound] policy 0
[SRG-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-0] policy destination 202.100.1.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-0] policy service service-set aaa
[SRG-policy-interzone-trust-untrust-outbound-0] action permit
Test:
[R2] ping 202.100.1.1
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 202.100.1.1: bytes=56 Sequence=5 ttl=254 time=40 ms
The intended result is achieved.
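The interzone policy logic configured above, as an added Python model (not part of the original article and not Huawei code). It shows why only flows started from the higher-priority zone match the two outbound policies, while echo replies return on the session the first packet creates. Assumptions: G0/0/2 is in the trust zone, the default interzone action is deny, and 192.168.1.2 is a constructed address for R2.

```python
import ipaddress

# Huawei default zone priorities: traffic from a higher-priority zone to a
# lower-priority zone is "outbound", the reverse direction is "inbound".
PRIORITY = {"trust": 85, "dmz": 50, "untrust": 5}

# Zone membership by subnet, from the page's interface addresses.
# G0/0/2 in trust is an assumption (implied by Policy 0, not shown on the page).
ZONES = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),    # G0/0/2
    "dmz": ipaddress.ip_network("10.1.1.0/24"),         # Vlanif 10
    "untrust": ipaddress.ip_network("202.100.1.0/24"),  # Vlanif 202
}

# (zone pair, direction) -> ordered rules (id, source, destination, protocols, action)
POLICIES = {
    (frozenset({"dmz", "untrust"}), "outbound"): [
        (1, "10.1.1.0/24", "202.100.1.0/24", {"icmp"}, "permit")],
    (frozenset({"trust", "untrust"}), "outbound"): [
        (0, "192.168.1.0/24", "202.100.1.0/24", {"icmp"}, "permit")],
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def evaluate(src, dst, proto):
    """Decide the first packet of a flow; replies ride the session it creates."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None or sz == dz:
        return "not-interzone"  # outside what this model covers
    direction = "outbound" if PRIORITY[sz] > PRIORITY[dz] else "inbound"
    rules = POLICIES.get((frozenset({sz, dz}), direction), [])
    for _id, s, d, protos, action in rules:  # first matching rule wins
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
                and proto in protos):
            return action
    return "deny"  # assumed default interzone action

if __name__ == "__main__":
    for flow in [("192.168.1.2", "202.100.1.1", "icmp"),  # R2 -> R1 (R2 address constructed)
                 ("10.1.1.3", "202.100.1.1", "icmp"),     # R3 -> R1
                 ("202.100.1.1", "10.1.1.3", "icmp"),     # R1 -> R3, a new inbound flow
                 ("10.1.1.3", "202.100.1.1", "tcp")]:     # not in service-set aaa
        print(flow, evaluate(*flow))
```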