Initial command-line configuration of a Huawei firewall
The topology is shown in the figure below:
1. First, configure IP addresses on all servers and PCs as shown in the figure.
2. Assign each FW interface to its corresponding security zone:
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/1
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface g1/0/0
[USG6000V1]display zone
2025-02-22 07:14:52.900
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (0):
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/0
#
As shown above, the interfaces have been added to their zones successfully.
Create the VLANs and assign ports on LSW1:
[Huawei]vlan batch 2 to 3
[Huawei]interface g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei]interface g0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]q
[Huawei]interface g0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 3
[Huawei]interface g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 to 3
Create the dot1q sub-interfaces on the FW (one per VLAN; the sub-interface for VLAN 3 is entered first):
[USG6000V1]interface g1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]ip address 192.168.1.254 25
[USG6000V1-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[USG6000V1]interface g1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]ip address 192.168.1.126 25
[USG6000V1-GigabitEthernet1/0/1.1]vlan-type dot1q 2
Add the sub-interfaces on FW1 to the trust zone (a sub-interface is not covered by its physical interface's zone membership and must be added separately).
With the steps above complete, configure the security policy:
Only one security-policy configuration is demonstrated here; the remaining rules are configured the same way as shown in the figure above.
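The two steps above (binding the sub-interfaces to trust, then one security-policy rule) written out as an added example; this is not the original post's configuration. It assumes the DMZ server's address (shown as a placeholder) and that the hosts only need HTTP to it; the USG6000V's default policy keeps denying all other inter-zone traffic.

```text
# Bind both VLAN sub-interfaces to the trust zone.
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add interface GigabitEthernet1/0/1.1
[USG6000V1-zone-trust] add interface GigabitEthernet1/0/1.2
[USG6000V1-zone-trust] quit
# One least-privilege rule: only VLAN 2/3 hosts (192.168.1.0/24 covers both /25 subnets)
# may reach the DMZ server, and only on HTTP. <DMZ-SERVER-IP> is a placeholder (assumption).
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name trust_to_dmz_http
[USG6000V1-policy-security-rule-trust_to_dmz_http] source-zone trust
[USG6000V1-policy-security-rule-trust_to_dmz_http] destination-zone dmz
[USG6000V1-policy-security-rule-trust_to_dmz_http] source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_to_dmz_http] destination-address <DMZ-SERVER-IP> 32
[USG6000V1-policy-security-rule-trust_to_dmz_http] service http
[USG6000V1-policy-security-rule-trust_to_dmz_http] action permit
[USG6000V1-policy-security-rule-trust_to_dmz_http] quit
[USG6000V1-policy-security] quit
# Verify: the new rule is listed with the expected zones, and the "default" rule still denies.
[USG6000V1] display security-policy rule all
[USG6000V1] display zone
```

After this, `display zone` should list GigabitEthernet1/0/1.1 and 1/0/1.2 under trust; if they are missing, traffic from the VLAN hosts is dropped regardless of the policy rule.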