eNSP Inter-Zone Traffic Control Lab


Loopback interfaces
[R1]int loopback1
[R1-LoopBack1]ip add 3.3.3.3 32
[R1-LoopBack1]q
[R1]int loopback2
[R1-LoopBack2]ip add 6.6.6.6 32
[R1-LoopBack2]q
[R1]int loopback3
[R1-LoopBack3]ip add 8.8.8.8 32
[R1-LoopBack3]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 200.1.1.1 24


[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 11.1.1.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 22.1.1.254 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 200.1.1.2 24
[FW1-GigabitEthernet1/0/3]display ip interface brief


Configure security zones
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]add int g1/0/2
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/3
[FW1-zone-untrust]dis zone
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (3):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/1
    GigabitEthernet1/0/2
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/3
#
dmz
 priority is 50
 interface of the zone is (0):
#


Configure security policies
[FW1]security-policy 
[FW1-policy-security]rule name 1
[FW1-policy-security-rule-1]source-zone trust
[FW1-policy-security-rule-1]destination-zone untrust
[FW1-policy-security-rule-1]destination-address 6.6.6.6 32
[FW1-policy-security-rule-1]action deny
[FW1-policy-security-rule-1]dis this
#
 rule name 1
  source-zone trust
  destination-zone untrust
  destination-address 6.6.6.6 32
  action deny
#
return


[FW1-policy-security]rule name 2
[FW1-policy-security-rule-2]source-zone trust
[FW1-policy-security-rule-2]destination-zone untrust
[FW1-policy-security-rule-2]destination-address 8.8.8.8 32
[FW1-policy-security-rule-2]destination-address 3.3.3.3 32
[FW1-policy-security-rule-2]action permit
[FW1-policy-security-rule-2]dis this
#
 rule name 2
  source-zone trust
  destination-zone untrust
  destination-address 3.3.3.3 32
  destination-address 8.8.8.8 32
  action permit
#
return


[FW1-policy-security-rule-2]rule name 3
[FW1-policy-security-rule-3]source-zone untrust
[FW1-policy-security-rule-3]destination-zone trust
[FW1-policy-security-rule-3]destination-address 11.1.1.0 24
[FW1-policy-security-rule-3]action permit
[FW1-policy-security-rule-3]dis this
#
 rule name 3
  source-zone untrust
  destination-zone trust
  destination-address 11.1.1.0 24
  action permit
#
return


Configure default static routes
[R1]ip route-static 0.0.0.0 0 200.1.1.2
[FW1]ip route-static 0.0.0.0 0 200.1.1.1
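
The following is an added example, not part of the original lab: a small Python model of how FW1 would judge the first packet of a flow under rules 1 to 3. It assumes rules are matched top-down with first match winning and that unmatched traffic falls to an implicit default deny; the host addresses 11.1.1.1 and 22.1.1.1 are constructed, and only flows between trust and untrust are modelled (the local zone and intra-zone traffic are not).

```python
import ipaddress

# Zone membership from the lab: g1/0/1 (11.1.1.0/24) and g1/0/2 (22.1.1.0/24)
# are in trust; everything reached via g1/0/3 and the default route is untrust.
TRUST_NETS = [ipaddress.ip_network("11.1.1.0/24"),
              ipaddress.ip_network("22.1.1.0/24")]

# The three rules from the page, in configuration order.
RULES = [
    {"name": "1", "src_zone": "trust", "dst_zone": "untrust",
     "dst": ["6.6.6.6/32"], "action": "deny"},
    {"name": "2", "src_zone": "trust", "dst_zone": "untrust",
     "dst": ["3.3.3.3/32", "8.8.8.8/32"], "action": "permit"},
    {"name": "3", "src_zone": "untrust", "dst_zone": "trust",
     "dst": ["11.1.1.0/24"], "action": "permit"},
]

def zone_of(ip):
    """Map an address to the zone of the interface it is reached through."""
    addr = ipaddress.ip_address(ip)
    return "trust" if any(addr in net for net in TRUST_NETS) else "untrust"

def evaluate(src, dst):
    """Return (rule name, action) for the first packet of a flow src -> dst."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        raise ValueError("intra-zone traffic is not modelled")
    dst_addr = ipaddress.ip_address(dst)
    for rule in RULES:
        if (rule["src_zone"], rule["dst_zone"]) != (src_zone, dst_zone):
            continue
        # Several destination-address entries in one rule are alternatives.
        if any(dst_addr in ipaddress.ip_network(n) for n in rule["dst"]):
            return rule["name"], rule["action"]
    return "default", "deny"  # assumption: implicit default rule denies

if __name__ == "__main__":
    # Constructed test flows covering every rule and both default-deny cases.
    flows = [("11.1.1.1", "6.6.6.6"), ("11.1.1.1", "8.8.8.8"),
             ("22.1.1.1", "3.3.3.3"), ("11.1.1.1", "200.1.1.1"),
             ("6.6.6.6", "11.1.1.1"), ("6.6.6.6", "22.1.1.1")]
    for src, dst in flows:
        name, action = evaluate(src, dst)
        print(f"{src:>10} -> {dst:<10} rule {name:<8} {action}")
```

The last two flows show that rule 3 opens only 11.1.1.0/24 to the untrust side; 22.1.1.0/24 is in the same trust zone but stays unreachable from outside.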

