HUAWEI: Firewall + ACL access control + AP onboarding + default route + NAT + DHCP (case-study topology)

2023-03-07


Network topology diagram: (image not reproduced; the IP, link and VLAN plan tables below describe the topology)

Project requirements:

1. SwitchA is the gateway for the wired terminals and also acts as the DHCP server, allocating IP addresses to both wireless and wired terminals. It also carries the ACL access control: the cameras (camera area) may only communicate with the servers in the DMZ area, and wireless guests are forbidden from reaching the business server and the employee wired network.

2. The access-switch interfaces are added to VLANs and traffic is switched at Layer 2.

3. The egress firewall is configured with NAT to translate between public and private addresses. Security policies control internet access: for example, camera traffic need not reach the internet but may exchange traffic with the servers in the DMZ area. A NAT server entry opens the WEB server in the DMZ area to public access.

Configuration approach:

### 1. Configure the IP addresses of each device and of the VLAN interfaces

### 2. Configure the interface bindings on SwitchA, B, C and D and allow the corresponding VLANs through

### 3. Complete the DHCP and AP-onboarding configuration on SwitchA; for the APs to come online, the AC needs a default route pointing at SwitchA

### 4. Configure the firewall zones and security policies, plus a static route for the return traffic

### 5. Configure a default route on SwitchA towards the FW

### 6. Configure ACL access control on SwitchA and apply the ACLs on the interfaces

IP address plan:

| Device | Interface | VLAN | IP address |
|---|---|---|---|
| FW (firewall) | GE1/0/0 | | 10.107.1.2/24 |
| FW (firewall) | GE1/0/1 | | 109.1.1.1/24 |
| FW (firewall) | GE1/0/2 | | 10.106.1.1/24 |
| internet | GE0/0/0 | | 109.1.1.2/24 |
| internet | GE0/0/1 | | 10.110.1.1/24 |
| Client1 | Eth0/0/0 | | 10.110.1.2/24 |
| WEB server | Eth0/0/0 | | 10.106.1.2/24 |
| Business server | Eth0/0/0 | | 10.108.1.2/24 |
| AC controller | GE0/0/3 | 100 | VLANIF100: 10.100.1.2/24 |
| SwitchA | GE0/0/1 | 101, 102, 103, 105 | VLANIF105: 10.105.1.1/24 |
| SwitchA | GE0/0/3 | 104 | VLANIF104: 10.104.1.1/24 |
| SwitchA | GE0/0/5 | 101, 102, 103, 105 | VLANIF101: 10.101.1.1/24 |
| SwitchA | GE0/0/5 | 101, 102, 103, 105 | VLANIF102: 10.102.1.1/24 |
| SwitchA | GE0/0/5 | 101, 102, 103, 105 | VLANIF103: 10.103.1.1/24 |
| SwitchA | GE0/0/8 | 100 | VLANIF100: 10.100.1.1/24 |
| SwitchA | GE0/0/11 | 108 | VLANIF108: 10.108.1.1/24 |
| SwitchA | GE0/0/13 | 107 | VLANIF107: 10.107.1.1/24 |
| SwitchB | Eth0/0/3 | 104 | |
| SwitchB | Eth0/0/5 | 104 | |
| SwitchC | Eth0/0/3 | 101, 102, 105 | |
| SwitchC | Eth0/0/5 | 101, 102, 103, 105 | |
| SwitchC | Eth0/0/13 | 103 | |
| SwitchD | Eth0/0/3 | 101, 102, 105 | |
| SwitchD | Eth0/0/5 | 101, 102, 103, 105 | |
| SwitchD | Eth0/0/13 | 103 | |
| PC2 (camera) | Eth0/0/1 | | obtained via DHCP |
| AP1 | GE0/0/0 | | obtained via DHCP |
| PC3 | Eth0/0/1 | | obtained via DHCP |
| AP2 | GE0/0/0 | | obtained via DHCP |
| PC4 | Eth0/0/1 | | obtained via DHCP |

Device link plan:

| Local device | Local interface | Peer device | Peer interface |
|---|---|---|---|
| FW (firewall) | GE1/0/0 | SwitchA | GE0/0/13 |
| FW (firewall) | GE1/0/1 | internet | GE0/0/0 |
| FW (firewall) | GE1/0/2 | WEB server | Eth0/0/0 |
| AC controller | GE0/0/3 | SwitchA | GE0/0/8 |
| Business server | Eth0/0/0 | SwitchA | GE0/0/11 |
| SwitchA | GE0/0/13 | FW (firewall) | GE1/0/0 |
| SwitchA | GE0/0/1 | SwitchC | Eth0/0/5 |
| SwitchA | GE0/0/3 | SwitchB | Eth0/0/5 |
| SwitchA | GE0/0/11 | Business server | Eth0/0/0 |
| SwitchA | GE0/0/8 | AC controller | GE0/0/3 |
| SwitchA | GE0/0/5 | SwitchD | Eth0/0/5 |
| SwitchB | Eth0/0/3 | PC2 (camera) | Eth0/0/1 |
| SwitchB | Eth0/0/5 | SwitchA | GE0/0/3 |
| SwitchC | Eth0/0/5 | SwitchA | GE0/0/1 |
| SwitchC | Eth0/0/3 | AP1 | GE0/0/0 |
| SwitchC | Eth0/0/13 | PC3 | Eth0/0/1 |
| SwitchD | Eth0/0/5 | SwitchA | GE0/0/5 |
| SwitchD | Eth0/0/3 | AP2 | GE0/0/0 |
| SwitchD | Eth0/0/13 | PC4 | Eth0/0/1 |

VLAN plan:

| VLAN | Purpose |
|---|---|
| VLAN 100 | wireless management VLAN |
| VLAN 101 | guest wireless service VLAN |
| VLAN 102 | employee wireless service VLAN |
| VLAN 103 | employee wired service VLAN |
| VLAN 104 | camera VLAN |
| VLAN 105 | VLAN the APs belong to |
| VLAN 107 | VLANIF uplink to the firewall |
| VLAN 108 | business-area access VLAN |

Implementation:

1. Configure the IP addresses of each device:

Create the VLANs on SwitchA and configure the VLANIF addresses:

```
[SwitchA]vlan batch 100 to 105 107 108
[SwitchA]interface Vlanif 100
[SwitchA-Vlanif100]ip address 10.100.1.1 255.255.255.0
[SwitchA]interface Vlanif 101
[SwitchA-Vlanif101]ip address 10.101.1.1 255.255.255.0
[SwitchA]interface Vlanif 102
[SwitchA-Vlanif102]ip address 10.102.1.1 255.255.255.0
[SwitchA]interface Vlanif 103
[SwitchA-Vlanif103]ip address 10.103.1.1 255.255.255.0
[SwitchA]interface Vlanif 104
[SwitchA-Vlanif104]ip address 10.104.1.1 255.255.255.0
[SwitchA]interface Vlanif 105
[SwitchA-Vlanif105]ip address 10.105.1.1 255.255.255.0
[SwitchA]interface Vlanif 107
[SwitchA-Vlanif107]ip address 10.107.1.1 255.255.255.0
[SwitchA]interface Vlanif 108
[SwitchA-Vlanif108]ip address 10.108.1.1 255.255.255.0
```

IP address configuration on the FW:

```
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.107.1.2 255.255.255.0
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 109.1.1.1 255.255.255.0
[FW]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.106.1.1 255.255.255.0
```

Create the management VLAN on the AC and configure its IP address:

```
[AC]vlan 100
[AC]interface Vlanif 100
[AC-Vlanif100]ip address 10.100.1.2 255.255.255.0
```

IP address configuration on the internet router:

```
[internet]interface GigabitEthernet 0/0/0
[internet-GigabitEthernet0/0/0]ip address 109.1.1.2 255.255.255.0
```

WEB server IP address: 10.106.1.2/24 (set on the server itself as in the IP plan; screenshot omitted)

Business server IP address: 10.108.1.2/24 (set on the server itself as in the IP plan; screenshot omitted)

PC1, PC3, PC4, AP3 and AP4 all obtain their addresses automatically via DHCP.

2. Bind the interfaces and allow the corresponding VLANs through

SwitchA

```
[SwitchA]interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1]port link-type trunk
[SwitchA-GigabitEthernet0/0/1]port trunk allow-pass vlan 101 to 103 105
[SwitchA]interface GigabitEthernet 0/0/3
[SwitchA-GigabitEthernet0/0/3]port link-type access
[SwitchA-GigabitEthernet0/0/3]port default vlan 104
[SwitchA]interface GigabitEthernet 0/0/5
[SwitchA-GigabitEthernet0/0/5]port link-type trunk
[SwitchA-GigabitEthernet0/0/5]port trunk allow-pass vlan 101 to 103 105
[SwitchA]interface GigabitEthernet 0/0/8
[SwitchA-GigabitEthernet0/0/8]port link-type access
[SwitchA-GigabitEthernet0/0/8]port default vlan 100
[SwitchA]interface GigabitEthernet 0/0/11
[SwitchA-GigabitEthernet0/0/11]port link-type access
[SwitchA-GigabitEthernet0/0/11]port default vlan 108
[SwitchA]interface GigabitEthernet 0/0/13
[SwitchA-GigabitEthernet0/0/13]port link-type access
[SwitchA-GigabitEthernet0/0/13]port default vlan 107
```

SwitchB

```
[SwitchB]vlan batch 104
[SwitchB]interface Ethernet 0/0/3
[SwitchB-Ethernet0/0/3]port link-type access
[SwitchB-Ethernet0/0/3]port default vlan 104
[SwitchB]interface Ethernet 0/0/5
[SwitchB-Ethernet0/0/5]port link-type access
[SwitchB-Ethernet0/0/5]port default vlan 104
```

SwitchC

```
[SwitchC]vlan batch 101 to 103 105
[SwitchC]interface Ethernet 0/0/3
[SwitchC-Ethernet0/0/3]port link-type trunk
[SwitchC-Ethernet0/0/3]port trunk pvid vlan 105       // AP management traffic arrives untagged and lands in VLAN 105
[SwitchC-Ethernet0/0/3]port trunk allow-pass vlan 101 to 102 105
[SwitchC]interface Ethernet 0/0/5
[SwitchC-Ethernet0/0/5]port link-type trunk
[SwitchC-Ethernet0/0/5]port trunk allow-pass vlan 101 to 103 105
[SwitchC]interface Ethernet 0/0/13                     // employee wired port (PC3), Eth0/0/13 per the IP plan
[SwitchC-Ethernet0/0/13]port link-type access
[SwitchC-Ethernet0/0/13]port default vlan 103
```

SwitchD

```
[SwitchD]vlan batch 101 to 103 105
[SwitchD]interface Ethernet 0/0/3
[SwitchD-Ethernet0/0/3]port link-type trunk
[SwitchD-Ethernet0/0/3]port trunk pvid vlan 105
[SwitchD-Ethernet0/0/3]port trunk allow-pass vlan 101 to 102 105
[SwitchD]interface Ethernet 0/0/5
[SwitchD-Ethernet0/0/5]port link-type trunk
[SwitchD-Ethernet0/0/5]port trunk allow-pass vlan 101 to 103 105
[SwitchD]interface Ethernet 0/0/13                     // employee wired port (PC4), Eth0/0/13 per the IP plan
[SwitchD-Ethernet0/0/13]port link-type access
[SwitchD-Ethernet0/0/13]port default vlan 103
```

AC

```
[AC]interface GigabitEthernet 0/0/3
[AC-GigabitEthernet0/0/3]port link-type access
[AC-GigabitEthernet0/0/3]port default vlan 100
```
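As an added example (not part of the original post), the following Python models the 802.1Q ingress and egress rules of the trunk ports configured in step 2, using the SwitchC ports from the page (the SwitchD ports are configured identically). It shows why `port trunk pvid vlan 105` on the AP-facing port matters: the AP's untagged management frames join VLAN 105, the VAPs' tagged guest (101) and employee (102) frames pass, and a frame tagged 103 is dropped at that port because it is not in the allow-pass list. The sample frames are constructed; VLAN 1 being allowed on every trunk by default is standard VRP behaviour.

```python
"""Added example, not part of the original post: a model of 802.1Q trunk
ingress/egress handling for the SwitchC ports configured in step 2."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class TrunkPort:
    name: str
    pvid: int                # VLAN assigned to untagged frames (default 1)
    allowed: FrozenSet[int]  # port trunk allow-pass vlan ... (VLAN 1 allowed by default)


def trunk(name: str, pvid: int, *allow_pass: int) -> TrunkPort:
    """Build a trunk port the way the CLI does: VLAN 1 stays allowed unless removed."""
    return TrunkPort(name, pvid, frozenset({1, *allow_pass}))


# Ports transcribed from the SwitchC configuration on the page.
AP_PORT = trunk("SwitchC Eth0/0/3", 105, 101, 102, 105)     # towards AP1
UPLINK = trunk("SwitchC Eth0/0/5", 1, 101, 102, 103, 105)   # towards SwitchA GE0/0/1


def ingress_vlan(port: TrunkPort, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame: untagged frames take the PVID, tagged frames
    keep their tag; either is accepted only if that VLAN is allowed on the port."""
    vlan = port.pvid if tag is None else tag
    return vlan if vlan in port.allowed else None


def egress_tag(port: TrunkPort, vlan: int) -> Optional[str]:
    """Frame leaving a trunk port: sent untagged if the VLAN equals the PVID,
    tagged otherwise; None if the VLAN is not allowed out of this port."""
    if vlan not in port.allowed:
        return None
    return "untagged" if vlan == port.pvid else f"tagged {vlan}"


def forward(in_port: TrunkPort, tag: Optional[int],
            out_port: TrunkPort) -> Tuple[Optional[int], Optional[str]]:
    """Carry one frame from in_port to out_port.
    (None, None): dropped at ingress; (vlan, None): accepted but not allowed
    out of out_port; (vlan, form): delivered in the given tagging form."""
    vlan = ingress_vlan(in_port, tag)
    if vlan is None:
        return None, None
    return vlan, egress_tag(out_port, vlan)


if __name__ == "__main__":
    # Constructed sample frames: (description, ingress port, 802.1Q tag or None, egress port)
    frames = [
        ("AP CAPWAP discovery, untagged", AP_PORT, None, UPLINK),
        ("guest STA frame from VAP AP1 (VLAN 101)", AP_PORT, 101, UPLINK),
        ("employee STA frame from VAP AP2 (VLAN 102)", AP_PORT, 102, UPLINK),
        ("frame tagged 103 arriving from the AP", AP_PORT, 103, UPLINK),
        ("DHCP offer for the AP coming from SwitchA", UPLINK, 105, AP_PORT),
        ("employee wired VLAN 103 frame towards the AP port", UPLINK, 103, AP_PORT),
    ]
    for desc, inp, tag, outp in frames:
        print(f"{desc:52} -> {forward(inp, tag, outp)}")
```

The same model explains the uplink side: SwitchA's GE0/0/1 trunk keeps the default PVID of 1, so VLAN 105 frames cross that link tagged, and the VLANIF105 gateway on SwitchA sees them only because 105 is in the allow-pass list on both ends.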

3. Enable DHCP on SwitchA and configure the DHCP address pools.

```
[SwitchA]dhcp enable
```

Configure the address pool for VLAN 101

```
[SwitchA]ip pool VLAN101
[SwitchA-ip-pool-vlan101]network 10.101.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan101]gateway-list 10.101.1.1
[SwitchA-ip-pool-vlan101]dns-list 114.114.114.114
[SwitchA-ip-pool-vlan101]qu
[SwitchA]interface Vlanif 101
[SwitchA-Vlanif101]dhcp select global
```

Configure the address pool for VLAN 102

```
[SwitchA]ip pool VLAN102
[SwitchA-ip-pool-vlan102]network 10.102.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan102]gateway-list 10.102.1.1
[SwitchA-ip-pool-vlan102]dns-list 114.114.114.114
[SwitchA-ip-pool-vlan102]qu
[SwitchA]interface Vlanif 102
[SwitchA-Vlanif102]dhcp select global
```

Configure the address pool for VLAN 103

```
[SwitchA]ip pool VLAN103
[SwitchA-ip-pool-vlan103]network 10.103.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan103]gateway-list 10.103.1.1
[SwitchA-ip-pool-vlan103]dns-list 114.114.114.114
[SwitchA-ip-pool-vlan103]qu
[SwitchA]interface Vlanif 103
[SwitchA-Vlanif103]dhcp select global
```

Configure the address pool for VLAN 104

```
[SwitchA]ip pool VLAN104
[SwitchA-ip-pool-vlan104]network 10.104.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan104]gateway-list 10.104.1.1
[SwitchA-ip-pool-vlan104]qu
[SwitchA]interface Vlanif 104
[SwitchA-Vlanif104]dhcp select global
```

Configure the address pool for VLAN 105

```
[SwitchA]ip pool VLAN105
[SwitchA-ip-pool-vlan105]network 10.105.1.0 mask 255.255.255.0
[SwitchA-ip-pool-vlan105]gateway-list 10.105.1.1
[SwitchA-ip-pool-vlan105]option 43 sub-option 1 ip-address 10.100.1.2 // configure the option 43 field so the APs discover the AC by unicast
[SwitchA-ip-pool-vlan105]qu
[SwitchA]interface Vlanif 105
[SwitchA-Vlanif105]dhcp select global
```

PC1, PC3, PC4, AP3 and AP4 all obtain their IP addresses automatically via DHCP (screenshots of the addresses obtained by PC1, PC3, PC4, AP3 and AP4 omitted).

4. Configure AP onboarding, and the delivery of addresses from SwitchA's VLAN 101 and VLAN 102 pools to the wireless clients.

Prerequisite: the APs must have obtained an address in VLAN 105.

AP onboarding configuration on the AC controller:

4-1. Configure a default route on the AC pointing at SwitchA so that the AC can reach the networks behind it.

```
[AC]ip route-static 0.0.0.0 0.0.0.0 10.100.1.1
```

4-2. Configure CAPWAP on the AC and define the VLAN interface through which APs are discovered

```
[AC]capwap source interface vlanif100
```

4-3. Enter the WLAN view and configure AP groups to manage the APs

```
[AC]wlan
[AC-wlan-view]ap-group name AP1
[AC-wlan-view]ap-id 3 ap-mac HHHH-HHHH-HHHH   // HHHH-HHHH-HHHH stands for the AP's MAC address
[AC-wlan-ap-3]ap-group AP1
[AC-wlan-view]ap-group name AP2
[AC-wlan-view]ap-id 4 ap-mac HHHH-HHHH-HHHH
[AC-wlan-ap-4]ap-group AP2
```

4-4. Wait for the APs to come online; check with `dis ap all`. Note: some APs do not match the AC, so they cannot come online, just like the two APs I configured earlier.

Configure the wireless network on the AC

4-5. Configure the country code so that the radio emissions comply with the current national regulations (optional)

```
[AC-wlan-view]regulatory-domain-profile name AP1
[AC-wlan-regulate-domain-AP1]country-code CN
[AC-wlan-regulate-domain-AP1]quit
[AC-wlan-view]regulatory-domain-profile name AP2
[AC-wlan-regulate-domain-AP2]country-code CN
[AC-wlan-regulate-domain-AP2]quit
[AC-wlan-view]ap-group name AP1
[AC-wlan-ap-group-AP1]regulatory-domain-profile AP1
[AC-wlan-ap-group-AP1]quit
[AC-wlan-view]ap-group name AP2
[AC-wlan-ap-group-AP2]regulatory-domain-profile AP2
[AC-wlan-ap-group-AP2]quit
```

4-6. Configure the SSIDs of the two Wi-Fi networks

```
[AC-wlan-view]ssid-profile name AP1
[AC-wlan-ssid-prof-AP1]ssid AP1
[AC-wlan-ssid-prof-AP1]quit
[AC-wlan-view]ssid-profile name AP2
[AC-wlan-ssid-prof-AP2]ssid AP2
[AC-wlan-ssid-prof-AP2]quit
```

4-7. Configure the passwords of the two Wi-Fi networks:

```
[AC-wlan-view]security-profile name AP1
[AC-wlan-sec-prof-AP1]security wpa-wpa2 psk pass-phrase 123456789 aes
[AC-wlan-sec-prof-AP1]quit
[AC-wlan-view]security-profile name AP2
[AC-wlan-sec-prof-AP2]security wpa-wpa2 psk pass-phrase 123456789 aes
[AC-wlan-sec-prof-AP2]quit
```

4-8. Configure the VAP profiles of the two Wi-Fi networks, binding the SSID, the security profile and the service VLAN into each VAP profile.

```
[AC-wlan-view]vap-profile name AP1
[AC-wlan-vap-prof-AP1]forward-mode direct-forward
[AC-wlan-vap-prof-AP1]ssid-profile AP1
[AC-wlan-vap-prof-AP1]security-profile AP1
[AC-wlan-vap-prof-AP1]service-vlan vlan-id 101
[AC-wlan-vap-prof-AP1]quit
[AC-wlan-view]vap-profile name AP2
[AC-wlan-vap-prof-AP2]forward-mode direct-forward
[AC-wlan-vap-prof-AP2]ssid-profile AP2
[AC-wlan-vap-prof-AP2]security-profile AP2
[AC-wlan-vap-prof-AP2]service-vlan vlan-id 102
[AC-wlan-vap-prof-AP2]quit
```

4-9. Bind the VAP profiles to the radios

```
[AC-wlan-view]ap-group name AP1
[AC-wlan-ap-group-AP1]vap-profile AP1 wlan 1 radio 0
[AC-wlan-ap-group-AP1]vap-profile AP1 wlan 1 radio 1
[AC-wlan-ap-group-AP1]quit
[AC-wlan-view]ap-group name AP2
[AC-wlan-ap-group-AP2]vap-profile AP2 wlan 1 radio 0
[AC-wlan-ap-group-AP2]vap-profile AP2 wlan 1 radio 1
[AC-wlan-ap-group-AP2]quit
```

4-10. IP addresses obtained by STA1 and STA2 after connecting to the Wi-Fi networks (screenshots of STA1 and STA2 omitted).

5. Configure the FW security zones and security policies:

Configure the security zones

```
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet1/0/0
[FW-zone-trust]quit
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet1/0/1
[FW-zone-untrust]quit
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet1/0/2
[FW-zone-dmz]quit
```

Configure the security policies

```
[FW]security-policy
[FW-policy-security]rule name trust-any
[FW-policy-security-rule-trust-any]source-zone trust
[FW-policy-security-rule-trust-any]destination-zone any
[FW-policy-security-rule-trust-any]action permit
[FW-policy-security-rule-trust-any]quit
[FW-policy-security]rule name untrust-dmz
[FW-policy-security-rule-untrust-dmz]source-zone untrust
[FW-policy-security-rule-untrust-dmz]destination-zone dmz
[FW-policy-security-rule-untrust-dmz]action deny
[FW-policy-security-rule-untrust-dmz]quit
[FW-policy-security]rule name untrust-trust
[FW-policy-security-rule-untrust-trust]source-zone untrust
[FW-policy-security-rule-untrust-trust]destination-zone trust
[FW-policy-security-rule-untrust-trust]action deny
[FW-policy-security-rule-untrust-trust]quit
[FW-policy-security]rule name dmz-untrust
[FW-policy-security-rule-dmz-untrust]source-zone dmz
[FW-policy-security-rule-dmz-untrust]destination-zone untrust
[FW-policy-security-rule-dmz-untrust]action permit
[FW-policy-security-rule-dmz-untrust]quit
[FW-policy-security]rule name dmz-camera   // lets the DMZ server subnet reach the camera subnet; the reverse direction is already covered by trust-any
[FW-policy-security-rule-dmz-camera]source-address 10.106.1.0 mask 255.255.255.0
[FW-policy-security-rule-dmz-camera]destination-address 10.104.1.0 mask 255.255.255.0
[FW-policy-security-rule-dmz-camera]action permit
[FW-policy-security-rule-dmz-camera]quit
```

Configure the static route (return path to the internal networks behind SwitchA)

```
[FW]ip route-static 10.0.0.0 255.0.0.0 10.107.1.1
```

6. Configure SwitchA's default route and the ACLs

Configure the default route

```
[SwitchA]ip route-static 0.0.0.0 0.0.0.0 10.107.1.2
```

Configure the ACLs and apply them

```
[SwitchA]acl 3001   // guest wireless (VLAN 101) may not reach the business server or the employee wired network
[SwitchA-acl-adv-3001]rule 5 deny ip source 10.101.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255
[SwitchA-acl-adv-3001]rule 10 deny ip source 10.101.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255
[SwitchA-acl-adv-3001]quit
[SwitchA]acl 3002   // cameras (VLAN 104) may only reach the DMZ subnet
[SwitchA-acl-adv-3002]rule 5 permit ip source 10.104.1.0 0.0.0.255 destination 10.106.1.0 0.0.0.255
[SwitchA-acl-adv-3002]rule 10 deny ip source 10.104.1.0 0.0.0.255 destination any
[SwitchA-acl-adv-3002]quit
[SwitchA]interface GigabitEthernet 0/0/3
[SwitchA-GigabitEthernet0/0/3]traffic-filter inbound acl 3002
[SwitchA-GigabitEthernet0/0/3]quit
[SwitchA]interface GigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1]traffic-filter inbound acl 3001
[SwitchA-GigabitEthernet0/0/1]quit
```

Guest wireless pinging the employee wired network fails, which shows that the ACL is taking effect; pinging the business server gives the same result.
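As an added example (not from the original post), the following Python models how SwitchA evaluates the two advanced ACLs bound with `traffic-filter inbound`: rules are checked in rule-number order, each address is compared under a wildcard mask (a 0 bit must match, a 1 bit is ignored), and a packet that matches no rule is permitted. The ACL contents and interface bindings are transcribed from step 6; the host addresses in the samples are constructed. Because the binding is per interface, the model also shows that ACL 3001 filters guest VLAN 101 traffic only where it enters GE0/0/1; the same packet entering GE0/0/5, on which VLAN 101 is also allowed, is not filtered.

```python
"""Added example, not part of the original post: a first-match evaluator for
the advanced ACLs that step 6 applies on SwitchA with `traffic-filter inbound`."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard (inverse) mask compare: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")  # `destination any` in the CLI


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "permit" or "deny"
    src: Tuple[str, str]      # (address, wildcard)
    dst: Tuple[str, str]


# ACL 3001 / 3002 exactly as configured in step 6.
ACLS: Dict[int, List[Rule]] = {
    3001: [  # guest wireless VLAN 101 may not reach the business server or employee wired LAN
        Rule(5, "deny", ("10.101.1.0", "0.0.0.255"), ("10.108.1.0", "0.0.0.255")),
        Rule(10, "deny", ("10.101.1.0", "0.0.0.255"), ("10.103.1.0", "0.0.0.255")),
    ],
    3002: [  # cameras in VLAN 104 may only reach the DMZ subnet
        Rule(5, "permit", ("10.104.1.0", "0.0.0.255"), ("10.106.1.0", "0.0.0.255")),
        Rule(10, "deny", ("10.104.1.0", "0.0.0.255"), ANY),
    ],
}

# `traffic-filter inbound acl N` bindings from step 6 (GE0/0/5 has none).
BINDINGS: Dict[str, int] = {"GE0/0/1": 3001, "GE0/0/3": 3002}


def evaluate_acl(acl: int, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL in rule-number order and return (action, matching rule number).
    (permit, None) means no rule matched, which traffic-filter treats as permit."""
    for rule in sorted(ACLS[acl], key=lambda r: r.number):
        if wildcard_match(src, *rule.src) and wildcard_match(dst, *rule.dst):
            return rule.action, rule.number
    return "permit", None


def filter_inbound(interface: str, src: str, dst: str) -> str:
    """Apply whatever ACL is bound inbound on the ingress interface, if any."""
    acl = BINDINGS.get(interface)
    return "permit" if acl is None else evaluate_acl(acl, src, dst)[0]


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination)
    samples = [
        ("GE0/0/1", "10.101.1.20", "10.108.1.2"),   # guest -> business server
        ("GE0/0/1", "10.101.1.20", "10.103.1.30"),  # guest -> employee wired PC
        ("GE0/0/1", "10.101.1.20", "8.8.8.8"),      # guest -> internet (no rule: permitted)
        ("GE0/0/3", "10.104.1.10", "10.106.1.2"),   # camera -> DMZ web server
        ("GE0/0/3", "10.104.1.10", "8.8.8.8"),      # camera -> internet
        ("GE0/0/5", "10.101.1.20", "10.108.1.2"),   # same guest packet via SwitchD's uplink
    ]
    for iface, src, dst in samples:
        print(f"{iface:8} {src:>12} -> {dst:<12} {filter_inbound(iface, src, dst)}")
```

If guest clients could ever enter through SwitchD (VLAN 101 is allowed on that trunk), binding ACL 3001 on GE0/0/5 as well closes that gap; the model makes the difference visible by returning "permit" for the last sample.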

7. Configure NAT server to publish the web service of the DMZ WEB server to the outside

7-1. On the FW, map the web server's IP address 10.106.1.2 to 109.1.1.15

```
[FW]nat server 80 protocol tcp global 109.1.1.15 www inside 10.106.1.2 www
```

7-2. On the FW, configure a default route towards the internet

```
[FW]ip route-static 0.0.0.0 0.0.0.0 109.1.1.2
```

7-3. On the internet router, configure a static route.

```
[internet]ip route-static 10.0.0.0 255.0.0.0 109.1.1.1
```

From Client1, browsing to the mapped address 109.1.1.15 reaches the web page.
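As an added example (not the page's own code), this Python models the firewall's handling of the published web server in the order a stateful firewall applies it: NAT server translation first (destination 109.1.1.15:80 becomes 10.106.1.2:80), then the source zone from the ingress interface and the destination zone from a longest-prefix route lookup, then the security policy walked top to bottom with first match winning and an implicit deny at the end. Zones, routes and rules are transcribed from steps 5 and 7; the `untrust-web` rule is a hypothetical addition used for comparison. Walked this way, the policy exactly as listed in step 5 sends Client1's request into the `untrust-dmz` deny rule after translation; a narrow permit for TCP/80 to 10.106.1.2 placed above it is the usual way to expose only the published service, and other ports to 109.1.1.15 still fall through to the default deny.

```python
"""Added example, not part of the original post: a simplified model of the FW
packet path for the NAT server entry in step 7 (destination NAT, zone lookup,
first-match security policy). The `untrust-web` rule is hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Interface -> zone, from `firewall zone` in step 5.
IF_ZONE = {"GE1/0/0": "trust", "GE1/0/1": "untrust", "GE1/0/2": "dmz"}

# Routing table: (prefix, egress interface) = connected routes from step 1
# plus the static routes from steps 5 and 7.
ROUTES = [
    ("10.107.1.0/24", "GE1/0/0"),
    ("109.1.1.0/24", "GE1/0/1"),
    ("10.106.1.0/24", "GE1/0/2"),
    ("10.0.0.0/8", "GE1/0/0"),   # ip route-static 10.0.0.0 255.0.0.0 10.107.1.1
    ("0.0.0.0/0", "GE1/0/1"),    # ip route-static 0.0.0.0 0.0.0.0 109.1.1.2
]

# nat server 80 protocol tcp global 109.1.1.15 www inside 10.106.1.2 www
NAT_SERVER: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("tcp", "109.1.1.15", 80): ("10.106.1.2", 80),
}


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    assert best is not None
    return best[1]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    src_zone: Optional[str] = None  # None = any
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None   # CIDR, None = any
    dst_net: Optional[str] = None
    tcp_port: Optional[int] = None  # None = any service


def rule_matches(r: Rule, src_zone: str, dst_zone: str,
                 src: str, dst: str, proto: str, dport: int) -> bool:
    """Every condition present on the rule must hold; absent conditions match anything."""
    if r.src_zone is not None and r.src_zone != src_zone:
        return False
    if r.dst_zone is not None and r.dst_zone != dst_zone:
        return False
    if r.src_net is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(r.src_net):
        return False
    if r.dst_net is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(r.dst_net):
        return False
    if r.tcp_port is not None and (proto != "tcp" or dport != r.tcp_port):
        return False
    return True


def forward(in_if: str, src: str, dst: str, proto: str, dport: int,
            policy: List[Rule]) -> Tuple[str, str]:
    """Return (action, rule name) for one packet; ("deny", "default") if nothing matches."""
    dst, dport = NAT_SERVER.get((proto, dst, dport), (dst, dport))  # NAT server before policy
    src_zone = IF_ZONE[in_if]                       # source zone = ingress interface's zone
    dst_zone = IF_ZONE[egress_interface(dst)]       # destination zone = routed egress interface's zone
    for r in policy:
        if rule_matches(r, src_zone, dst_zone, src, dst, proto, dport):
            return r.action, r.name
    return "deny", "default"


# Security policy transcribed from step 5, in the order it was entered.
PAGE_POLICY = [
    Rule("trust-any", "permit", src_zone="trust"),
    Rule("untrust-dmz", "deny", src_zone="untrust", dst_zone="dmz"),
    Rule("untrust-trust", "deny", src_zone="untrust", dst_zone="trust"),
    Rule("dmz-untrust", "permit", src_zone="dmz", dst_zone="untrust"),
    Rule("dmz-camera", "permit", src_net="10.106.1.0/24", dst_net="10.104.1.0/24"),
]
# Hypothetical narrow permit placed first: only the published service passes.
HARDENED_POLICY = [Rule("untrust-web", "permit", src_zone="untrust", dst_zone="dmz",
                        dst_net="10.106.1.2/32", tcp_port=80)] + PAGE_POLICY


if __name__ == "__main__":
    # Constructed sample packets: Client1 (10.110.1.2) arrives on GE1/0/1, the camera on GE1/0/0.
    for label, policy in (("as listed", PAGE_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "Client1 -> 109.1.1.15:80 ", forward("GE1/0/1", "10.110.1.2", "109.1.1.15", "tcp", 80, policy))
        print(label, "Client1 -> 109.1.1.15:22 ", forward("GE1/0/1", "10.110.1.2", "109.1.1.15", "tcp", 22, policy))
    print("camera -> web server      ", forward("GE1/0/0", "10.104.1.10", "10.106.1.2", "tcp", 80, PAGE_POLICY))
    print("web server -> camera      ", forward("GE1/0/2", "10.106.1.2", "10.104.1.10", "tcp", 554, PAGE_POLICY))
    print("web server -> business srv", forward("GE1/0/2", "10.106.1.2", "10.108.1.2", "tcp", 80, PAGE_POLICY))
```

The last two samples show the effect of the zone-less `dmz-camera` rule: the DMZ server may initiate traffic to the camera subnet, but a DMZ host reaching for the business server falls through to the default deny, which is the containment a DMZ is meant to provide.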

8. Configure source NAT on the FW for internal-to-external traffic.

Configure the NAT address pool

```
[FW]nat address-group trust-untrust 19
[FW-address-group-trust-untrust]section 109.1.1.5 109.1.1.10
[FW-address-group-trust-untrust]qu
```

Configure the NAT policy

```
[FW]nat-policy
[FW-policy-nat]rule name trust-untrust
[FW-policy-nat-rule-trust-untrust]source-zone trust
[FW-policy-nat-rule-trust-untrust]destination-zone untrust
[FW-policy-nat-rule-trust-untrust]source-address 10.0.0.0 mask 255.0.0.0
[FW-policy-nat-rule-trust-untrust]action source-nat address-group trust-untrust
[FW-policy-nat-rule-trust-untrust]quit
```

Configure blackhole routes for the pool addresses to avoid routing loops between the FW and the ISP

```
[FW]ip route-static 109.1.1.5 32 NULL 0
[FW]ip route-static 109.1.1.6 32 NULL 0
[FW]ip route-static 109.1.1.7 32 NULL 0
[FW]ip route-static 109.1.1.8 32 NULL 0
[FW]ip route-static 109.1.1.9 32 NULL 0
[FW]ip route-static 109.1.1.10 32 NULL 0
```

PC2 accessing the internet (screenshot omitted)
