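Deploying an H3C F1060 firewall in transparent mode between a router and a Layer 3 core switch
As shown in the figure, router R1 is given the management address 192.168.33.1 and the Layer 3 core switch SW1 the management address 192.168.33.254; SW1 also runs the DHCP service and provides IP addresses to PC1 and PC2. Firewall F1 is deployed in transparent mode between router R1 and Layer 3 switch SW1. The configuration of each device follows.
I. First we configure the Layer 3 switch and the access switches connected to it, as follows:
1. Start the Layer 3 core switch SW1, then open a command-line terminal: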
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]vlan 31 to 33
[H3C]dhcp enable   (enable the DHCP service)
[H3C]dhcp server ip-pool vlan31pool   (create a DHCP address pool and name it)
[H3C-dhcp-pool-vlan31pool]network 192.168.31.0 mask 255.255.255.0   (set the network of the DHCP address pool)
[H3C-dhcp-pool-vlan31pool]gateway-list 192.168.31.254   (set the gateway address)
[H3C-dhcp-pool-vlan31pool]dns-list 114.114.114.114 180.76.76.76   (set the DNS addresses)
[H3C-dhcp-pool-vlan31pool]quit
[H3C]dhcp server ip-pool vlan32pool
[H3C-dhcp-pool-vlan32pool]network 192.168.32.0 mask 255.255.255.0
[H3C-dhcp-pool-vlan32pool]gateway-list 192.168.32.254
[H3C-dhcp-pool-vlan32pool]dns-list 114.114.114.114 180.76.76.76
[H3C-dhcp-pool-vlan32pool]quit
[H3C]int vlan 31
[H3C-Vlan-interface31]ip address 192.168.31.254 24
[H3C-Vlan-interface31]dhcp select server   (set the DHCP mode to server)
[H3C-Vlan-interface31]dhcp server apply ip-pool vlan31pool   (specify the address pool to apply)
[H3C-Vlan-interface31]quit
[H3C]int vlan 32
[H3C-Vlan-interface32]ip address 192.168.32.254 24
[H3C-Vlan-interface32]dhcp select server
[H3C-Vlan-interface32]dhcp server apply ip-pool vlan32pool
[H3C-Vlan-interface32]quit
[H3C]int g1/0/3
[H3C-GigabitEthernet1/0/3]port link-type access
[H3C-GigabitEthernet1/0/3]port access vlan 33
[H3C-GigabitEthernet1/0/3]quit
[H3C]int vlan 33
[H3C-Vlan-interface33]ip address 192.168.33.254 24
[H3C-Vlan-interface33]quit
[H3C]int g1/0/1
[H3C-GigabitEthernet1/0/1]port link-type trunk
[H3C-GigabitEthernet1/0/1]port trunk permit vlan all
[H3C-GigabitEthernet1/0/1]undo port trunk permit vlan 1
[H3C-GigabitEthernet1/0/1]quit
[H3C]int g1/0/2
[H3C-GigabitEthernet1/0/2]port link-type trunk
[H3C-GigabitEthernet1/0/2]port trunk permit vlan all
[H3C-GigabitEthernet1/0/2]undo port trunk permit vlan 1
[H3C-GigabitEthernet1/0/2]quit
On Layer 3 switch SW1, create the user admin and set its password, for use with remote login and web login.
[H3C]user-inter vty 0 4
[H3C-line-vty0-4]authentication-mode scheme
[H3C-line-vty0-4]quit
[H3C]local-user admin class manage
New local user added.
[H3C-luser-manage-admin]password simple hxjhpd#1122
[H3C-luser-manage-admin]service-type telnet http https ssh
[H3C-luser-manage-admin]authorization-attribute user-role level-15
[H3C-luser-manage-admin]quit
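[H3C]telnet server enable   (enable the Telnet service)
Enabling the Telnet service displays the message: Telnet is insecure because it transmits data in plaintext form.
It warns that Telnet is insecure because data is transmitted in cleartext, but it does not prevent Telnet from being used.
[H3C]ip http enable   (enable HTTP for the web service)
[H3C]ip https enable   (enable HTTPS for the web service)
[H3C]save   (save the Layer 3 switch configuration)
2. Start access switch SW2, then open a command-line terminal: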
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]vlan 31 to 33
[H3C]int vlan 33
[H3C-Vlan-interface33]ip address 192.168.33.252 24
[H3C-Vlan-interface33]quit
[H3C]int g1/0/1
[H3C-GigabitEthernet1/0/1]port link-type trunk
[H3C-GigabitEthernet1/0/1]port trunk permit vlan all
[H3C-GigabitEthernet1/0/1]undo port trunk permit vlan 1
[H3C-GigabitEthernet1/0/1]quit
[H3C]int g1/0/2
[H3C-GigabitEthernet1/0/2]port link-type access
[H3C-GigabitEthernet1/0/2]port access vlan 31
[H3C-GigabitEthernet1/0/2]quit
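We test whether access switch SW2 can now ping the management IP of each VLAN on the Layer 3 switch:
As you can see, at this point access switch SW2 can ping only the VLAN 33 management address on the Layer 3 switch; the VLAN 31 and VLAN 32 management addresses cannot be reached. As a result, remote login to SW2 for maintenance will fail later: PCs on the VLAN 31 and VLAN 32 subnets cannot reach access switch SW2's management address 192.168.33.253.
To confirm this, we start PC1. Configure PC1 first: turn on DHCP and enable the interface under interface management. Then open a command-line terminal and try pinging access switch SW2's management address:
For PC1 in VLAN 31 to be able to ping SW2's management address, we need to add a static route on access switch SW2: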
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.33.254
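Now try pinging SW2's management address from PC1 again; this time the ping succeeds.
Configure a remote login password on SW2 for Telnet use; password authentication is sufficient for Telnet: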
[H3C]user-int vty 0 4
[H3C-line-vty0-4]user-role level-15
[H3C-line-vty0-4]set authen password simple jhjmm#1122
[H3C-line-vty0-4]protocol inbound telnet
[H3C-line-vty0-4]quit
[H3C]telnet server enable
While we are at it, save access switch SW2's configuration:
[H3C]save
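The management-plane commands entered on SW1 and SW2 above, run through a small audit that flags the cleartext services the Telnet warning refers to. This is an added example, not part of the original walkthrough: the `audit` function, its rule list and the sample session (passwords replaced by a placeholder) are constructed here, and it assumes the device hostname contains no hyphen.

```python
import re

# Constructed sample: management-plane commands from the SW1 and SW2 sessions
# above, with the passwords replaced by a placeholder.
SESSION = """\
[H3C]local-user admin class manage
New local user added.
[H3C-luser-manage-admin]password simple <placeholder>
[H3C-luser-manage-admin]service-type telnet http https ssh
[H3C]telnet server enable
[H3C]ip http enable
[H3C]ip https enable
[H3C]user-int vty 0 4
[H3C-line-vty0-4]set authen password simple <placeholder>
[H3C-line-vty0-4]protocol inbound telnet
"""

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")  # "[H3C-view]command"

# First matching rule wins; patterns accept the abbreviated keywords used above
# and ignore any annotation that trails the command.
RULES = [
    (r"telnet server enable", "Telnet server enabled: logins cross the network in cleartext"),
    (r"ip http enable", "HTTP web management enabled: cleartext"),
    (r"service-type\b.*\b(telnet|http)\b", "user may log in over a cleartext service"),
    (r"protocol inbound telnet", "VTY lines accept Telnet"),
    (r"(set authen\S* )?password simple\b", "password typed in clear, visible in the transcript"),
]


def audit(session):
    """Return (line_no, view, command, finding) for each flagged command."""
    findings = []
    for no, line in enumerate(session.splitlines(), 1):
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output such as "New local user added."
        prompt, cmd = m.groups()
        view = prompt.split("-", 1)[1] if "-" in prompt else "system"
        for pattern, finding in RULES:
            if re.match(pattern, cmd):
                findings.append((no, view, cmd, finding))
                break
    return findings


if __name__ == "__main__":
    for no, view, cmd, finding in audit(SESSION):
        print(f"line {no:2} [{view}] {cmd}: {finding}")
```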
3. Start access switch SW3, then open a command-line terminal:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]vlan 31 to 33
[H3C]int vlan 33
[H3C-Vlan-interface33]ip address 192.168.33.253 24
[H3C-Vlan-interface33]quit
[H3C]int g1/0/1
[H3C-GigabitEthernet1/0/1]port link-type trunk
[H3C-GigabitEthernet1/0/1]port trunk permit vlan all
[H3C-GigabitEthernet1/0/1]undo port trunk permit vlan 1
[H3C-GigabitEthernet1/0/1]quit
[H3C]int g1/0/2
[H3C-GigabitEthernet1/0/2]port link-type access
[H3C-GigabitEthernet1/0/2]port access vlan 32
[H3C-GigabitEthernet1/0/2]quit
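We test whether access switch SW3 can now ping the management IP of each VLAN on the Layer 3 switch:
As you can see, at this point access switch SW3 can ping only the VLAN 33 management address on the Layer 3 switch; the VLAN 31 and VLAN 32 management addresses cannot be reached. As a result, remote login to SW3 for maintenance will fail later: PCs on the VLAN 31 and VLAN 32 subnets cannot reach access switch SW3's management address 192.168.33.253.
To confirm this, we start PC2. Configure PC2 first: turn on DHCP and enable the interface under interface management. Then open a command-line terminal and try pinging access switch SW3's management address:
For PC2 in VLAN 32 to be able to ping SW3's management address, we need to add a static route on access switch SW3: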
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.33.254