2025-01-17 Update From: SLTechnology News&Howtos (Shulou.com), Network Security, 06/01 Report
I. Experimental topology:
II. Experimental requirements:
III. Command deployment:
1. Basic configurations such as router interface address and default route:
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0] ip add 202.100.1.1 24
[R1-GigabitEthernet0/0/0] quit
[R1] ip route-static 0.0.0.0 0.0.0.0 202.100.1.10 // default route pointing to the SRG's interface address
[R1] quit
save // only y can be chosen at the prompt
system-view
Enter system view, return user view with Ctrl+Z. // Ctrl+Z returns to user view from any view
[R2] interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0] ip add 10.1.1.2 24
[R2] ip route-static 0.0.0.0 0.0.0.0 10.1.1.10
save // only y can be chosen at the prompt
system-view
[R3] int g0/0/0
[R3-GigabitEthernet0/0/0] ip add 192.168.1.3 24
[R3-GigabitEthernet0/0/0] quit
[R3] ip route-static 0.0.0.0 0.0.0.0 192.168.1.10
save
2. Switch VLAN and other configurations:
Configure VLAN:
[SW1] vlan 202
[SW1-vlan202] vlan 10
[SW1-vlan10] vlan 192
Define Access port and divide VLAN:
[SW1] port-group group-member g0/0/1 g0/0/4 // define a temporary port group whose members are g0/0/1 and g0/0/4
[SW1-port-group] port link-type access // configure both interfaces as access ports in one step
[SW1-GigabitEthernet0/0/1] port link-type access // the two per-interface lines are echoed automatically
[SW1-GigabitEthernet0/0/4] port link-type access
[SW1-port-group] port default vlan 202 // assign the ports to VLAN 202
[SW1-GigabitEthernet0/0/1] port default vlan 202
[SW1-GigabitEthernet0/0/4] port default vlan 202
[SW1-port-group] stp edged-port enable // STP is on by default; make these edge ports
[SW1-GigabitEthernet0/0/1] stp edged-port enable
[SW1-GigabitEthernet0/0/4] stp edged-port enable
undo terminal monitor // stop log and trap messages from cluttering the terminal
[SW1] int g0/0/2
[SW1-GigabitEthernet0/0/2] port link-type access
[SW1-GigabitEthernet0/0/2] port default vlan 10
[SW1-GigabitEthernet0/0/2] stp edged-port enable
[SW1] int g0/0/3
[SW1-GigabitEthernet0/0/3] port link-type access
[SW1-GigabitEthernet0/0/3] port default vlan 192
[SW1-GigabitEthernet0/0/3] stp edged-port enable
Define Trunk:
[SW1] int g0/0/5
[SW1-GigabitEthernet0/0/5] port link-type trunk
[SW1-GigabitEthernet0/0/5] port trunk allow-pass vlan 10 192 // permit VLAN 10 and 192 across the trunk; by default a Huawei trunk lets no other VLAN through
View the configuration:
[SW1] display current-configuration // output omitted here
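To make the access/trunk behaviour of SW1 concrete, here is a small forwarding model written for this page (an added illustration, not the switch's own code). The port names and VLAN assignments mirror the SW1 configuration above; the frames fed in are constructed. It shows why VLAN 202 never crosses g0/0/5 (the trunk's allow-pass list only contains 10 and 192) and why tagged frames for an unlisted VLAN are dropped on ingress.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Port:
    name: str
    mode: str                      # "access" or "trunk"
    pvid: int = 1                  # VLAN assigned to untagged frames
    allowed: Set[int] = field(default_factory=lambda: {1})  # VLANs the port may carry


class Switch:
    """Minimal Huawei-style L2 switch: access ports plus trunks with an allow-pass list."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}

    def access(self, name: str, vlan: int) -> None:
        # 'port link-type access' + 'port default vlan <vlan>'
        self.ports[name] = Port(name, "access", pvid=vlan, allowed={vlan})

    def trunk(self, name: str, allow_pass: Iterable[int]) -> None:
        # 'port link-type trunk' + 'port trunk allow-pass vlan ...'; VLAN 1 stays allowed
        self.ports[name] = Port(name, "trunk", pvid=1, allowed={1} | set(allow_pass))

    @staticmethod
    def classify(port: Port, tag: Optional[int]) -> Optional[int]:
        """VLAN a frame belongs to on ingress, or None if the port drops it."""
        if tag is None:
            return port.pvid
        if port.mode == "access":
            return port.pvid if tag == port.pvid else None
        return tag if tag in port.allowed else None

    def forward(self, ingress: str, tag: Optional[int] = None) -> Dict[str, bool]:
        """Flood a frame (broadcast/unknown unicast): egress port -> leaves tagged?"""
        vlan = self.classify(self.ports[ingress], tag)
        if vlan is None:
            return {}                      # dropped on ingress
        out: Dict[str, bool] = {}
        for name, p in self.ports.items():
            if name == ingress:
                continue
            if p.mode == "access" and p.pvid == vlan:
                out[name] = False          # access ports always send untagged
            elif p.mode == "trunk" and vlan in p.allowed:
                out[name] = vlan != p.pvid # trunk PVID (VLAN 1) leaves untagged
        return out


def build_sw1() -> Switch:
    """SW1 as configured above: 1 and 4 in VLAN 202, 2 in 10, 3 in 192, 5 trunk 10/192."""
    sw = Switch()
    sw.access("g0/0/1", 202)
    sw.access("g0/0/4", 202)
    sw.access("g0/0/2", 10)
    sw.access("g0/0/3", 192)
    sw.trunk("g0/0/5", [10, 192])
    return sw


if __name__ == "__main__":
    sw = build_sw1()
    print("from g0/0/2 (VLAN 10):", sw.forward("g0/0/2"))        # {'g0/0/5': True}
    print("from g0/0/1 (VLAN 202):", sw.forward("g0/0/1"))       # {'g0/0/4': False}
    print("tagged 192 on trunk:", sw.forward("g0/0/5", tag=192)) # {'g0/0/3': False}
    print("tagged 202 on trunk:", sw.forward("g0/0/5", tag=202)) # {} dropped
```

Run it to see that a frame from R2's port (VLAN 10) leaves the trunk tagged, a frame in VLAN 202 only reaches the other VLAN 202 access port, and a tagged VLAN 202 frame arriving on the trunk is discarded because it is not in the allow-pass list.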
3. SRG configuration:
(1) basic configuration of SRG:
[SRG] int g0/0/0
[SRG-GigabitEthernet0/0/0] undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[SRG-GigabitEthernet0/0/0] ip add 202.100.1.10 24
[SRG] int g0/0/1
[SRG-GigabitEthernet0/0/1] undo shutdown // enable the physical interface first
[SRG] int g0/0/1.10
[SRG-GigabitEthernet0/0/1.10] vlan-type dot1q 10 // 802.1Q encapsulation, VLAN 10
[SRG-GigabitEthernet0/0/1.10] ip add 10.1.1.10 24 // configure the subinterface IP address
[SRG] int g0/0/1.192
[SRG-GigabitEthernet0/0/1.192] vlan-type dot1q 192
[SRG-GigabitEthernet0/0/1.192] ip add 192.168.1.10 24
View validation:
[SRG] display ip int bri
(2) key configuration of SRG:
Zones:
Huawei has the concept of security zones, divided into Trust, Untrust and DMZ.
There are 4 zones by default, as shown by:
[SRG] display current-configuration
firewall zone local
 set priority 100
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0 // the interface is placed in Trust by default
firewall zone untrust
 set priority 5
firewall zone dmz
 set priority 50
Cisco: there is no concept of zones. Inside, Outside and DMZ are just interface names; only security levels exist, and interfaces are distinguished by their security level.
Security level range:
Huawei: 1-100; Cisco: 0-100
[SRG] firewall zone trust
[SRG-zone-trust] undo add int g0/0/0 // move g0/0/0 out of the Trust zone it was placed in by default
[SRG] firewall zone untrust
[SRG-zone-untrust] add int g0/0/0
[SRG] firewall zone trust
[SRG-zone-trust] add int g0/0/1.192
[SRG] firewall zone dmz
[SRG-zone-dmz] add int g0/0/1.10
View validation:
[SRG] display zone
Test:
[SRG] ping 202.100.1.1
Request time out
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=255 time=100 ms
Reply from 202.100.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 202.100.1.1: bytes=56 Sequence=4 ttl=255 time=80 ms
Reply from 202.100.1.1: bytes=56 Sequence=5 ttl=255 time=80 ms
Similarly: [SRG] ping 10.1.1.2 // reachable
[SRG] ping 192.168.1.3 // reachable
Note: on a Cisco ASA, traffic from every zone destined to the ASA itself is accepted by default, that is, it can enter the ASA.
On Huawei, only the Trust zone can reach the SRG by default; traffic from other zones cannot enter the SRG, so pinging the SRG's interface address from Untrust or DMZ fails. Reason: a Local zone exists by default with security level 100 and no interfaces; the SRG itself is the Local zone. When DMZ pings the SRG, the firewall treats it as DMZ accessing the Local zone across zones, which is not allowed by default, so the traffic is dropped; the same applies to Untrust.
Verify: [R1] ping 202.100.1.10 // all Request time out
[R2] ping 10.1.1.10 // all Request time out
[R3] ping 192.168.1.10 // reachable
[SRG] display firewall packet-filter default all // shows the default inter-zone packet filter in the Outbound and Inbound directions. It can be changed, but that is not recommended; this default policy is what makes the device a firewall.
Huawei permits traffic with inter-zone policies rather than with ACLs.
Inter-zone policy is Deny by default, so nothing passes; for example, Trust and Untrust are denied in both directions.
Within the same zone, the ASA does not forward traffic, while Huawei permits it by default; for example, two devices that are both in the Trust zone can reach each other.
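The zone behaviour just described, replayed as a small policy model written for this page (an added illustration, not Huawei code). The zone priorities and the interface-to-zone mapping come from the SRG configuration above; the set of zone pairs permitted without any explicit policy is an assumption derived from the page's ping results (Local may originate traffic to every zone, only Trust may reach Local), and every other inter-zone pair gets the default deny. The Huawei inbound/outbound naming is included because the packet-filter default is expressed per direction.

```python
import ipaddress
from typing import Dict, Tuple

# Zone priorities as shown by 'display current-configuration' on the SRG
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Interface -> (connected subnet, zone) after the 'add interface' commands above
INTERFACES: Dict[str, Tuple[str, str]] = {
    "g0/0/0":     ("202.100.1.0/24", "untrust"),
    "g0/0/1.10":  ("10.1.1.0/24",    "dmz"),
    "g0/0/1.192": ("192.168.1.0/24", "trust"),
}
# The SRG's own addresses belong to the Local zone (no interface is ever added to it)
LOCAL_ADDRS = {"202.100.1.10", "10.1.1.10", "192.168.1.10"}

# ASSUMPTION: (source zone, destination zone) pairs the default packet filter
# permits without an explicit policy, inferred from the tests on this page:
# the SRG can ping all three routers, but only R3 (Trust) can ping the SRG.
DEFAULT_PERMIT = {
    ("local", "trust"), ("local", "dmz"), ("local", "untrust"),
    ("trust", "local"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone through the SRG's connected subnets."""
    if ip in LOCAL_ADDRS:
        return "local"
    addr = ipaddress.ip_address(ip)
    for subnet, zone in INTERFACES.values():
        if addr in ipaddress.ip_network(subnet):
            return zone
    raise ValueError(f"{ip} is not on any SRG-connected subnet")


def direction(src_zone: str, dst_zone: str) -> str:
    """Huawei terminology: inbound = low to high priority, outbound = high to low."""
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def decide(src_ip: str, dst_ip: str) -> str:
    """Verdict for the first packet of a new session under the default policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:                       # intra-zone traffic is permitted on Huawei
        return "permit"
    if (src, dst) in DEFAULT_PERMIT:
        return "permit"
    return "deny"                        # every other inter-zone pair: default deny


def ping_matrix() -> Dict[str, str]:
    """Replay the page's ping tests; echo replies ride the session the request opened."""
    tests = {
        "SRG->R1": ("202.100.1.10", "202.100.1.1"),
        "SRG->R2": ("10.1.1.10", "10.1.1.2"),
        "SRG->R3": ("192.168.1.10", "192.168.1.3"),
        "R1->SRG": ("202.100.1.1", "202.100.1.10"),
        "R2->SRG": ("10.1.1.2", "10.1.1.10"),
        "R3->SRG": ("192.168.1.3", "192.168.1.10"),
        "R3->R2":  ("192.168.1.3", "10.1.1.2"),   # Trust -> DMZ, no policy yet
    }
    return {name: decide(s, d) for name, (s, d) in tests.items()}


if __name__ == "__main__":
    for name, verdict in ping_matrix().items():
        src, dst = zone_of(name and ping_matrix and "0.0.0.0") if False else ("", "")
        print(f"{name:8s} {verdict}")
```

The last row (R3 to R2) is the practical point: even though both hosts are reachable from the firewall itself, Trust to DMZ stays denied until an inter-zone policy is written for it, which is where the next step of the configuration goes.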
(3)?
[SRG] undo interface g0/0/1.10
[SRG] undo interface GigabitEthernet0/0/1.192
[SRG] vlan 10
[SRG-vlan-10] vlan 192
[SRG] int Vlanif 10
[SRG-Vlanif10] ip add 10.1.1.10 24
[SRG] int Vlanif 192
[SRG-Vlanif192] ip add 192.168.1.10 24
View validation:
[SRG] display ip int bri
[SRG] int g0/0/1
[SRG-GigabitEthernet0/0/1] portswitch
[SRG-GigabitEthernet0/0/1] port link-type trunk
[SRG-GigabitEthernet0/0/1] port trunk permit vlan 10 192
Comparison: on a Cisco layer-3 switch an interface can be given an IP address once you enter no switchport; by default a Cisco layer-3 switch port behaves as layer 2.
Huawei is exactly the opposite: by default the interface is layer 3 and can be addressed, and typing portswitch under the interface turns it into a layer-2 port. A Huawei layer-3 switch cannot be turned into layer 2 this way; the SRG allows it here, and after portswitch the ip address command no longer tab-completes under the interface.
Divide VLAN into Zone:
[SRG] firewall zone trust
[SRG-zone-trust] add interface Vlanif 192
[SRG] firewall zone dmz
[SRG-zone-dmz] add interface Vlanif 10
View:
[SRG] display zone
Test:
[SRG] ping 10.1.1.2 // reachable
[SRG] ping 192.168.1.3 // reachable
The interface is allowed to be changed to a trunk.
There is another way: see the courseware!