华三防火墙三层逻辑子接口对接华三交换机

拓扑图如图所示：

 

三层Route-Aggregation可以配置IP

二层Bridge-Aggregation链路类型

默认为hybrid

交换机配置：

interface Bridge-Aggregation12
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20

#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20
 combo enable fiber
 port link-aggregation group 12
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 20
 combo enable fiber
 port link-aggregation group 12

防火墙配置：

# interface Route-Aggregation12.1
 ip address 10.1.1.10 255.255.255.0
 vlan-type dot1q vid 10

# interface Route-Aggregation12.2
 ip address 10.1.2.10 255.255.255.0
 vlan-type dot1q vid 20

#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 port link-aggregation group 12
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 port link-aggregation group 12
 

注意：

注意:所有防火墙的接口，无论是物理还是逻辑都需要加ZONE

防火墙所有的接口都定义ZONE

security-zone name Trust
 import interface GigabitEthernet1/0/1
 import interface GigabitEthernet1/0/2
 import interface Route-Aggregation12
 import interface Route-Aggregation12.1
 import interface Route-Aggregation12.2

放行安全策略

security-policy ip

rule 1 name trust_local
  action pass
  source-zone trust
  destination-zone local

 

检查测试