Typical configuration: security policy that allows an OSPF adjacency to be established

1. Basic topology

2. DHCP configuration

#
dhcp server ip-pool vlan10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 address range 192.168.10.100 192.168.10.200
 dns-list 192.168.10.254
#
Apply the DHCP address pool on interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.10.254 255.255.255.0
 dhcp server apply ip-pool vlan10
#
Enable the DHCP service
#
 dhcp enable
#

3. Firewall zone configuration

  • Firewall F1 configuration
OSPF configuration
#
ospf 1 router-id 192.168.100.254
 area 0.0.0.0
  network 10.1.1.1 0.0.0.0
  network 192.168.100.254 0.0.0.0
 area 0.0.0.1
  network 192.168.10.0 0.0.0.255
#
security-policy configuration
#
security-policy ip
 rule 0 name L-U
  action pass
  source-zone local
  source-zone untrust
  destination-zone untrust
  destination-zone local
 rule 1 name U-L
  action pass
  source-zone untrust
  destination-zone local
 rule 2 name T-U
  action pass
  source-zone trust
  destination-zone untrust
 rule 3 name U-T
  action pass
  source-zone untrust
  destination-zone trust
#
security-zone configuration
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/0
#
security-zone name Management
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
  • Firewall F2 configuration
OSPF configuration
#
ospf 1 router-id 192.168.100.1
 area 0.0.0.0
  network 10.1.1.2 0.0.0.0
  network 192.168.100.1 0.0.0.0
 area 0.0.0.2
  network 192.168.20.0 0.0.0.255
#
security-policy configuration
#
security-policy ip
 rule 0 name L-U
  action pass
  source-zone local
  destination-zone untrust
 rule 1 name U-L
  action pass
  source-zone untrust
  destination-zone local
 rule 2 name T-U
  action pass
  source-zone trust
  destination-zone untrust
 rule 3 name U-T
  action pass
  source-zone untrust
  destination-zone trust
#
security-zone configuration
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/0
#
security-zone name Management
#
security-zone name untrus
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
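The point of the L-U and U-L rules above is that OSPF Hello packets the firewall itself sends and receives on GigabitEthernet1/0/0 belong to the Local zone, not to Trust or Untrust, so a policy that only permits Trust<->Untrust transit traffic never lets the adjacency form. The following is an added illustration (not H3C's implementation or the page's own code) that models F1's zone policy from the page and evaluates an OSPF Hello in both directions, with and without the Local-zone rules; the interface-to-zone mapping is the one shown above, and the rules are zone-only because the page's rules carry no service restriction.

```python
from dataclasses import dataclass

# Interface-to-zone mapping taken from the page (F1): GE1/0/0 is Untrust, GE1/0/1 is Trust.
ZONES = {"GigabitEthernet1/0/0": "untrust", "GigabitEthernet1/0/1": "trust"}


@dataclass
class Rule:
    name: str
    action: str       # "pass" or "drop"
    src_zones: set    # a rule listing several zones matches any of them
    dst_zones: set


# F1's security-policy as shown on the page. Rule 0 lists local and untrust
# on both sides, so it already matches both Local->Untrust and Untrust->Local.
F1_POLICY = [
    Rule("L-U", "pass", {"local", "untrust"}, {"untrust", "local"}),
    Rule("U-L", "pass", {"untrust"}, {"local"}),
    Rule("T-U", "pass", {"trust"}, {"untrust"}),
    Rule("U-T", "pass", {"untrust"}, {"trust"}),
]

# Hypothetical weak policy for comparison: only transit rules, no Local-zone rules.
NO_LOCAL_POLICY = [r for r in F1_POLICY if r.name in ("T-U", "U-T")]


def zone_of(interface, firewall_is_endpoint):
    """Traffic the firewall itself originates or terminates is in the Local zone."""
    return "local" if firewall_is_endpoint else ZONES[interface]


def evaluate(policy, src_zone, dst_zone):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in policy:
        if src_zone in rule.src_zones and dst_zone in rule.dst_zones:
            return rule.action, rule.name
    return "drop", "default-deny"


def ospf_hello_allowed(policy, outbound, interface="GigabitEthernet1/0/0"):
    """OSPF Hello on the peering interface: outbound = firewall -> neighbour."""
    src = zone_of(interface, outbound)
    dst = zone_of(interface, not outbound)
    action, matched = evaluate(policy, src, dst)
    return action == "pass", matched


def adjacency_possible(policy):
    """An adjacency needs Hellos to pass in both directions."""
    return ospf_hello_allowed(policy, True)[0] and ospf_hello_allowed(policy, False)[0]


if __name__ == "__main__":
    for label, pol in (("F1 policy", F1_POLICY), ("transit-only policy", NO_LOCAL_POLICY)):
        print(label, "-> OSPF adjacency possible:", adjacency_possible(pol))
```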

4. Verification

  • A ping from PC5 to PC7 succeeds, as shown in the figure below

H3C DHCP + NAT: internal users reaching the external network through the firewall: https://www.hao0564.com/5342.html
