3. Configuration
Main configuration of the SecPath 1000F firewall
#
sysname SECPATH 1000F
#
firewall packet-filter enable
firewall packet-filter default permit
#
bridge enable // enable bridging
bridge routing-enable // enable Layer 3 forwarding on bridge interfaces
bridge 1 enable // enable bridge group 1
bridge 1 firewall unknown-mac flood // flood frames with an unknown destination MAC in bridge group 1
bridge 2 enable // enable bridge group 2
bridge 2 routing ip // enable IP (Layer 3) forwarding on the bridge group 2 interface
bridge 2 firewall unknown-mac flood // flood frames with an unknown destination MAC in bridge group 2
bridge 3 enable // enable bridge group 3
bridge 3 firewall unknown-mac flood // flood frames with an unknown destination MAC in bridge group 3
#
firewall statistic system enable
#
radius scheme system
#
domain system
#
local-user secpath
password cipher )=.#LQK.[)+Q=^Q`MAF4<1!!
level 3
#
interface Aux0
async mode flow
#
interface GigabitEthernet0/0
promiscuous
#
interface GigabitEthernet0/0.100
bridge-set 1 // add the interface to bridge group 1
vlan-type dot1q vid 100
#
interface GigabitEthernet0/0.200
bridge-set 2 // add the interface to bridge group 2
vlan-type dot1q vid 200
#
interface GigabitEthernet0/0.300
bridge-set 3 // add the interface to bridge group 3
vlan-type dot1q vid 300
#
interface GigabitEthernet0/1
promiscuous
#
interface GigabitEthernet0/1.100
bridge-set 1 // add the interface to bridge group 1
vlan-type dot1q vid 100
#
interface GigabitEthernet0/1.200
bridge-set 2 // add the interface to bridge group 2
vlan-type dot1q vid 200
#
interface GigabitEthernet0/1.300
bridge-set 3 // add the interface to bridge group 3
vlan-type dot1q vid 300
#
interface Encrypt2/0
#
interface Bridge-template2 // configure the routed (Layer 3) address of bridge group 2, created by "bridge 2 routing ip"
ip address 192.168.2.100 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet0/1
add interface Bridge-template2
add interface GigabitEthernet0/1.100
add interface GigabitEthernet0/1.200
add interface GigabitEthernet0/1.300
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/0
add interface GigabitEthernet0/0.100
add interface GigabitEthernet0/0.200
add interface GigabitEthernet0/0.300
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
4. Key configuration points
1. The bridge-group function is not enabled by default; it must be turned on with "bridge enable".
2. Once bridging is enabled, only unicast frames are forwarded by default; "bridge N firewall unknown-mac flood" is what lets each bridge group above flood frames with an unknown destination MAC.
3. Bridge-group interfaces (the bridge-set sub-interfaces and the Bridge-template interface) must be added to a security zone, otherwise the firewall will not forward their traffic.
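To make the three points above checkable rather than just stated, the following audit script is an added example (not H3C's code and not part of the original page). It parses a Comware-style configuration split on "#" separators and reports bridging left disabled, bridge groups that lack "firewall unknown-mac flood", bridge-set member interfaces (and the Bridge-template interface created by "bridge N routing ip") that belong to no security zone, and a packet-filter default action of permit, which the configuration in section 3 carries. SAMPLE_OK is a condensed, constructed copy of that configuration; SAMPLE_BAD is the same text with two lines deliberately removed.

```python
"""Audit a Comware-style SecPath bridging config against the page's key points.
Added example, not H3C code; SAMPLE_OK is a condensed, constructed copy of the
page's configuration and SAMPLE_BAD breaks it deliberately."""
import re
from collections import defaultdict

SAMPLE_OK = """\
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 bridge enable
 bridge 1 enable
 bridge 1 firewall unknown-mac flood
 bridge 2 enable
 bridge 2 routing ip
 bridge 2 firewall unknown-mac flood
#
interface GigabitEthernet0/0.100
 bridge-set 1
#
interface GigabitEthernet0/1.100
 bridge-set 1
#
interface GigabitEthernet0/0.200
 bridge-set 2
#
interface GigabitEthernet0/1.200
 bridge-set 2
#
interface Bridge-template2
 ip address 192.168.2.100 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/1.100
 add interface GigabitEthernet0/1.200
 add interface Bridge-template2
 set priority 85
#
firewall zone untrust
 add interface GigabitEthernet0/0.100
 add interface GigabitEthernet0/0.200
 set priority 5
#
"""
# Constructed broken variant: group 2 loses its flood command, Gi0/0.200 loses its zone.
SAMPLE_BAD = (SAMPLE_OK
              .replace(" bridge 2 firewall unknown-mac flood\n", "")
              .replace(" add interface GigabitEthernet0/0.200\n", ""))


def parse(config):
    """Split on '#' separators into global lines, interface bodies and zone members."""
    glob, interfaces, zones = set(), {}, defaultdict(set)
    for block in re.split(r"^#[ \t]*$", config, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = lines[0]
        if head.startswith("interface "):
            interfaces[head.split(None, 1)[1]] = lines[1:]
        elif head.startswith("firewall zone "):
            zones[head.split()[2]].update(
                ln.split()[2] for ln in lines[1:] if ln.startswith("add interface "))
        else:
            glob.update(lines)
    return glob, interfaces, zones


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    glob, interfaces, zones = parse(config)
    findings = []
    if "bridge enable" not in glob:
        findings.append("bridging is disabled by default: 'bridge enable' is missing")
    members = defaultdict(list)                      # bridge group -> member interfaces
    for name, body in interfaces.items():
        for ln in body:
            m = re.fullmatch(r"bridge-set (\d+)", ln)
            if m:
                members[m.group(1)].append(name)
    zone_of = {ifc: z for z, ifcs in zones.items() for ifc in ifcs}
    for gid, ifcs in sorted(members.items()):
        if f"bridge {gid} enable" not in glob:
            findings.append(f"bridge group {gid} has members but 'bridge {gid} enable' is missing")
        if f"bridge {gid} firewall unknown-mac flood" not in glob:
            findings.append(f"bridge group {gid} forwards only unicast by default: "
                            f"'bridge {gid} firewall unknown-mac flood' is missing")
        findings += [f"{ifc} (bridge group {gid}) is in no security zone"
                     for ifc in ifcs if ifc not in zone_of]
    for ln in glob:                 # 'bridge N routing ip' creates Bridge-templateN
        m = re.fullmatch(r"bridge (\d+) routing ip", ln)
        if m and f"Bridge-template{m.group(1)}" not in zone_of:
            findings.append(f"Bridge-template{m.group(1)} is in no security zone")
    if "firewall packet-filter default permit" in glob:
        findings.append("packet-filter default action is permit: traffic matching no ACL rule passes")
    return findings
```

Against SAMPLE_OK the only finding is the permit default action, which is exactly the setting a reviewer would want justified on a firewall; against SAMPLE_BAD the missing flood command and the zoneless sub-interface are reported as well. To audit a live device, paste the text of "display current-configuration" into `audit()`.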