- On the firewall, create the BVI first. The BVI's IP address and subnet mask must cover every subnet that needs to communicate through it.
- Configure sub-interfaces on the physical interfaces so the firewall can identify the VLANs carried in the switch trunk. Create sub-interfaces on both the inside and outside physical interfaces (the physical interfaces themselves need no configuration); each sub-interface's VLAN ID must match the ID of the corresponding VLAN on the connected switch.
Principles you need to understand:

Configuration example:

ASA config:
interface Ethernet0/1 //nothing needs to be configured on the physical interface
description Link to S3
no nameif
no security-level
!
interface Ethernet0/1.11 //configure the sub-interface
description Link to S3 for VLAN 11
vlan 11 //the VLAN number must match the VLAN allowed through the trunk on the connected switch
nameif OUTSIDE-11 //a name is required
bridge-group 1 //put it into BVI1
security-level 0 //level 0, the lowest
!
interface Ethernet0/1.22
description Link to S3 for VLAN 22
vlan 22
nameif OUTSIDE-22
bridge-group 2
security-level 0
!
interface Ethernet0/2
description Link to S1
no nameif
no security-level
!
interface Ethernet0/2.10
description Link to S1 for VLAN 10
vlan 10
nameif INSIDE-10
bridge-group 1 //pairs with the outside sub-interface above
security-level 100
!
interface Ethernet0/2.20
description Link to S1 for VLAN 20
vlan 20
nameif INSIDE-20
bridge-group 2
security-level 100
!
interface BVI1
ip address 192.168.1.1 255.255.255.0 //note that this subnet must include the VLAN subnets; multiple VLANs can of course share one BVI
!
interface BVI2
ip address 192.168.2.1 255.255.255.0
!
fixup protocol icmp
S1 config:
interface Vlan10
ip address 192.168.1.100 255.255.255.0
!
interface Vlan20
ip address 192.168.2.100 255.255.255.0
!
interface FastEthernet0/1
description Link to S2
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/5
description Link to R1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/24
description Link to ASA
switchport trunk encapsulation dot1q
switchport mode trunk
S3 config:
interface Vlan11
ip address 192.168.1.200 255.255.255.0
!
interface Vlan22
ip address 192.168.2.200 255.255.255.0
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/1
switchport access vlan 22
switchport mode access
switchport nonegotiate
R1 IP address: 192.168.1.10
R3 IP address: 192.168.1.20
S2 IP address: 192.168.2.10
S4 IP address: 192.168.2.20
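As an added example (not code from the original post), the following Python checker parses an ASA transparent-mode fragment and verifies the rules stated in the steps and the config comments above: every bridged sub-interface carries a vlan and a nameif, its VLAN ID matches a VLAN the attached switch trunk carries, and the BVI subnet covers the hosts bridged through that group. The config fragment, the trunk VLAN sets and the host addresses are constructed from the example topology.

```python
import ipaddress
import re
# Constructed ASA fragment (bridge group 1 of the example above); not the page's full config.
ASA_CONFIG = """\
interface Ethernet0/1.11
 vlan 11
 nameif OUTSIDE-11
 bridge-group 1
interface Ethernet0/2.10
 vlan 10
 nameif INSIDE-10
 bridge-group 1
interface BVI1
 ip address 192.168.1.1 255.255.255.0
"""

def parse_asa(text):
    """Map each interface name to {first keyword: rest of line} for its indented lines."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            cur[key] = val
    return ifaces

def check_bridge_groups(ifaces, trunk_vlans, hosts):
    """trunk_vlans: physical port -> VLAN ids on the attached trunk; hosts: group id -> bridged host IPs."""
    problems, groups = [], set()
    bridged = [(n, c) for n, c in ifaces.items() if "bridge-group" in c]
    for name, cfg in bridged:
        for key in ("vlan", "nameif"):             # every bridged sub-interface needs both
            if key not in cfg:
                problems.append(f"{name}: missing '{key}'")
        phys, vlan = name.split(".")[0], int(cfg.get("vlan", 0))
        if vlan not in trunk_vlans.get(phys, ()):  # ASA vlan must match the trunk's vlan
            problems.append(f"{name}: vlan {vlan} is not carried on the trunk at {phys}")
        groups.add(cfg["bridge-group"])
    for gid in groups:
        parts = ifaces.get(f"BVI{gid}", {}).get("ip", "").split()  # "address A.B.C.D MASK"
        if len(parts) != 3:
            problems.append(f"BVI{gid}: no ip address configured")
            continue
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        for h in hosts.get(gid, ()):                # BVI subnet must cover the bridged hosts
            if ipaddress.ip_address(h) not in net:
                problems.append(f"BVI{gid}: host {h} is outside {net}")
    return problems
```

Running it against the example values (trunks carrying VLAN 11 on Ethernet0/1 and VLAN 10 on Ethernet0/2, hosts R1 and S3's SVI) returns an empty list; changing the trunk VLAN or the host subnet produces one problem line per mismatch.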
Cisco ASA firewall: transparent mode across a trunk

On a Huawei firewall deployed in transparent mode, passing multiple VLANs only takes setting the physical port to trunk and adding the VLANs that need to pass; very convenient. Cisco's is hopelessly weak by comparison, as shown below:

Goal: run a Cisco ASA firewall in transparent mode, inserted between the trunk ports of two switches.
Network topology: Switch 1 trunk --- firewall --- Switch 2 trunk