华为三层交换机与防火墙对接上网配置案例
华为三层交换机与防火墙对接上网配置案例
知孤云出岫
发布于 2026-02-27 12:16:53
发布于 2026-02-27 12:16:53
三层交换机与防火墙对接上网配置案例
1️⃣ 组网图形
图 1 三层交换机与防火墙对接上网组网图
2️⃣ 三层交换机简介
三层交换机是具有路由功能的交换机。 由于路由属于 OSI 模型中第三层(网络层)的功能,因此称为三层交换机。
特点如下:
- ✅ 既支持二层交换(VLAN、MAC 转发)
- ✅ 也支持三层转发(IP 路由)
- ✅ 可部署在:
- 接入层
- 汇聚层
- ✅ 常作为用户网关设备
3️⃣ 配置注意事项
- 本示例中的防火墙配置以 USG6650 V500R001C60 为例 其他型号防火墙请参考对应产品文档。
- 本示例中:
- 三层交换机作为 DHCP Server
- 防火墙负责 NAT / Internet 出口
支持作为 DHCP Server 的交换机产品(节选)
以下型号在指定版本及以后支持 DHCP Server 功能(完整列表略)
- S5700 / S5710 / S5720 / S5730 / S5735 系列
- S6700 / S6720 / S6730 系列
- S7700 / S7900 / S9700 系列
📌 具体默认适用版本请参考《案例适用的产品和版本说明》。
4️⃣ 组网需求
如图 1 所示:
- 公司有多个部门
- 不同部门位于 不同网段
- 所有部门均需访问 Internet
- 要求:
- 三层交换机作为 用户网关
- 防火墙作为 出口设备
5️⃣ 配置思路
整体采用如下设计思路:
- 三层交换机
- 创建 VLAN
- 配置 VLANIF 接口作为网关
- 实现跨网段互访
- 三层交换机
- 作为 DHCP Server
- 为用户自动分配 IP
- 防火墙
- 划分 Trust / Untrust 安全域
- 配置安全策略
- 防火墙
- 配置 PAT(源地址转换)
- 实现私网访问公网
6️⃣ 操作步骤
🔹 6.1 配置三层交换机
(1)配置用户 VLAN 与接口
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface GigabitEthernet0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface GigabitEthernet0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] quit
(2)配置 VLANIF 网关接口
[Switch] interface Vlanif2
[Switch-Vlanif2] ip address 192.168.1.1 24
[Switch-Vlanif2] quit
[Switch] interface Vlanif3
[Switch-Vlanif3] ip address 192.168.2.1 24
[Switch-Vlanif3] quit
(3)配置与防火墙互联的 VLAN
[Switch] vlan batch 100
[Switch] interface GigabitEthernet0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface Vlanif100
[Switch-Vlanif100] ip address 192.168.100.2 24
[Switch-Vlanif100] quit
(4)配置缺省路由
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
默认路由指向防火墙内网接口
(5)配置 DHCP Server
[Switch] dhcp enable
[Switch] interface Vlanif2
[Switch-Vlanif2] dhcp select interface
[Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5
[Switch-Vlanif2] quit
[Switch] interface Vlanif3
[Switch-Vlanif3] dhcp select interface
[Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Switch-Vlanif3] quit
🔹 6.2 配置防火墙(USG)
(1)配置内网接口
<USG6600> system-view
[USG6600] interface GigabitEthernet1/0/1
[USG6600-GigabitEthernet1/0/1] ip address 192.168.100.1 255.255.255.0
[USG6600-GigabitEthernet1/0/1] quit
(2)配置公网接口
[USG6600] interface GigabitEthernet1/0/2
[USG6600-GigabitEthernet1/0/2] ip address 203.0.113.2 255.255.255.0
[USG6600-GigabitEthernet1/0/2] quit
(3)配置静态路由
[USG6600] ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
[USG6600] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
(4)配置安全域
[USG6600] firewall zone trust
[USG6600-zone-trust] add interface GigabitEthernet1/0/1
[USG6600-zone-trust] quit
[USG6600] firewall zone untrust
[USG6600-zone-untrust] add interface GigabitEthernet1/0/2
[USG6600-zone-untrust] quit
(5)配置安全策略
[USG6600] security-policy
[USG6600-policy-security] rule name policy1
[USG6600-policy-security-rule-policy1] source-zone trust
[USG6600-policy-security-rule-policy1] destination-zone untrust
[USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600-policy-security-rule-policy1] action permit
[USG6600-policy-security-rule-policy1] quit
[USG6600-policy-security] quit
(6)配置 PAT(源地址转换)
[USG6600] nat address-group addressgroup1
[USG6600-address-group-addressgroup1] mode pat
[USG6600-address-group-addressgroup1] route enable
[USG6600-address-group-addressgroup1] section 0 203.0.113.2 203.0.113.2
[USG6600-address-group-addressgroup1] quit
[USG6600] nat-policy
[USG6600-policy-nat] rule name policy_nat1
[USG6600-policy-nat-rule-policy_nat1] source-zone trust
[USG6600-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
[USG6600-policy-nat-rule-policy_nat1] quit
[USG6600-policy-nat] quit
7️⃣ 检查配置结果
- PC1:
- IP:192.168.1.2/24
- 网关:192.168.1.1
- PC2:
- IP:192.168.2.2/24
- 网关:192.168.2.1
- 外网 PC:
- IP:203.0.113.1/24
- 网关:203.0.113.2
✅ PC1 / PC2 均可 Ping 通外网 ✅ PC1 / PC2 均可正常访问 Internet
8️⃣ 配置文件汇总
🔹 Switch 配置文件
sysname Switch
vlan batch 2 to 3 100
dhcp enable
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
🔹 USG 防火墙配置文件
interface GigabitEthernet1/0/1
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet1/0/2
ip address 203.0.113.2 255.255.255.0
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/2
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
nat address-group addressgroup1
mode pat
route enable
section 0 203.0.113.2 203.0.113.2
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action nat address-group addressgroup1
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2026-02-03,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号