Vlan間通信-防火牆

 

Vlan間通信-防火牆

實驗環境：一臺防火牆來實現單臂路由，兩臺兩層交換機，兩臺路由器做pc機

 

配置防火牆：

[r]inter eth0/0.10

[r-Ethernet0/0.10]vlan-type dot1q vid 10

[r-Ethernet0/0.10]ip address 192.168.10.254 24

[r]inter eth0/0.20

[r-Ethernet0/0.20]vlan-type dot1q vid 20

[r-Ethernet0/0.20]ip address 192.168.20.254 24

加區域：

[r]firewall zone trust

[r-zone-trust]add interface eth0/0.10

[r-zone-trust]add interface eth0/0.20

取消隔離：

[r]undo insulate

 

配置sw1：

[sw1]inter e1/0/2

[sw1-Ethernet1/0/2]

[sw1-Ethernet1/0/2]

[sw1-Ethernet1/0/2]

[sw1-Ethernet1/0/2]port link-type trunk

[sw1-Ethernet1/0/2]port trunk permit vlan all

 Please wait........................................... Done.

[sw1-Ethernet1/0/2]inter e1/0/1             

[sw1-Ethernet1/0/1]port link-type trunk     

[sw1-Ethernet1/0/1]port trunk permit vlan all

 Please wait........................................... Done.

[sw1-Ethernet1/0/1]

劃分vlan：

[sw1]vlan 10

[sw1-vlan10]port e1/0/10

[sw1-vlan10]vlan 20    

[sw1-vlan20]port e1/0/20

配置sw2：

[sw2]inter e1/0/1

[sw2-Ethernet1/0/1]port link-type trunk

[sw2-Ethernet1/0/1]port trunk permit vlan all

 Please wait........................................... Done.

[sw2-Ethernet1/0/1]quit

[sw2]vlan 10

[sw2-vlan10]port e1/0/10

[sw2-vlan10]vlan 20

[sw2-vlan20]port e1/0/20

用路由器1做pc機10.100：

[r1]inter e0

[r1-Ethernet0]ip address 192.168.10.100 24

[r1]ip route 0.0.0.0 0 192.168.10.254

[r1]ping 192.168.10.254

  PING 192.168.10.254: 56 data bytes, press CTRL_C to break

    Reply from 192.168.10.254: bytes=56 Sequence=0 ttl=255 time = 5 ms

    Reply from 192.168.10.254: bytes=56 Sequence=1 ttl=255 time = 3 ms

    Reply from 192.168.10.254: bytes=56 Sequence=2 ttl=255 time = 3 ms

    Reply from 192.168.10.254: bytes=56 Sequence=3 ttl=255 time = 3 ms

Reply from 192.168.10.254: bytes=56 Sequence=4 ttl=255 time = 3 ms

 

用路由器2做pc機20.100

[r2]inter e0

[r2-Ethernet0]

[r2-Ethernet0]

[r2-Ethernet0]ip address 192.168.20.100 24

[r2-Ethernet0]

%01:12:39: Line protocol ip on the interface Ethernet0 is UP

[r2-Ethernet0]quit

[r2]ip route 0 0 192.168.20.254

 Bad IP address

[r2]ip route 0.0.0.0 0 192.168.20.254

測試：

[r2]ping 192.168.10.254

 

Pinging 192.168.10.254 with 32 bytes of data:

 

Reply from 192.168.10.254: bytes=32 time=2ms TTL=255

Reply from 192.168.10.254: bytes=32 time=5ms TTL=255

Reply from 192.168.10.254: bytes=32 time=5ms TTL=255

Reply from 192.168.10.254: bytes=32 time=3ms TTL=255

 

Ping statistics for 192.168.10.254:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 5ms, Average = 3ms

 

[r2]ping 192.168.10.100

 

Pinging 192.168.10.100 with 32 bytes of data:

 

Reply from 192.168.10.100: bytes=32 time=5ms TTL=63

Reply from 192.168.10.100: bytes=32 time=3ms TTL=63

Reply from 192.168.10.100: bytes=32 time=2ms TTL=63

Reply from 192.168.10.100: bytes=32 time=3ms TTL=63

 

Ping statistics for 192.168.10.100:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 2ms, Maximum = 5ms, Average = 3ms

 

[r2]tracert 192.168.10.100

 

Tracing route to 192.168.10.100 over a maximum of 30 hops

 

 1     2 ms     1 ms     1 ms 192.168.20.254

 2     2 ms     2 ms     3 ms 192.168.10.100