H3C防火墙F1060上网以及配置策略路由网络拓扑图和背景说明
要求:
1、中控室网段通过防火墙使用10M专线上网,不与办公网互通。
2、办公网网段通过防火墙使用100M专线上网,可以互通。
拓扑图
防火墙配置:
通过策略路由控制不同网段访问不同的外网出口。需要注意的是,下面的配置中没有出现针对 Trust 区域内部(GigabitEthernet1/0/1 与 GigabitEthernet1/0/4 之间)的显式 zone-pair 或 ACL 拒绝规则,要求 1 中"不与办公网互通"的隔离是否生效应在设备上另行核实;此外配置启用了 telnet 服务,admin 账户的 service-type 包含 telnet 和 http(明文管理),Trust→Local 所应用的 object-policy manage 为 rule 0 pass(全部放行),部署时应按实际需要收紧。
<FW>dis cu
#
version 7.1.064, Alpha 7164
#
sysname FW
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
object-group ip address bangong
#
object-group ip address youxian
0 network subnet 192.168.1.0 255.255.255.0
10 network subnet 192.168.2.0 255.255.255.0
20 network subnet 192.168.3.0 255.255.255.0
#
policy-based-route bangong permit node 5
if-match acl 3000
apply next-hop 202.106.0.20
#
policy-based-route bangong permit node 10
if-match acl 3001
apply next-hop 202.106.2.2
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 202.106.0.21 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 202.106.2.3 255.255.255.0
nat outbound 2001
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 192.168.100.253 255.255.255.0
ip policy-based-route bangong
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
object-policy ip bangong
rule 0 pass source-ip youxian
#
object-policy ip manage
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/4
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/3
#
security-zone name Management
#
zone-pair security source Local destination Untrust
packet-filter 2002
#
zone-pair security source Trust destination Local
object-policy apply ip manage
#
zone-pair security source Trust destination Untrust
object-policy apply ip bangong
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 192.168.1.0 24 192.168.100.254
ip route-static 192.168.2.0 24 192.168.100.254
ip route-static 192.168.3.0 24 192.168.100.254
#
acl basic 2000
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.2.0 0.0.0.255
rule 1000 deny
#
acl basic 2001
rule 0 permit source 192.168.3.0 0.0.0.255
rule 1000 deny
#
acl basic 2002
rule 0 permit
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator