华为USG6000典型配置示例

配置示例：

# 1. 进入系统视图
<USG6000> system-view
[USG6000]

# 2. 创建VLAN并配置VLANIF接口
[USG6000] vlan batch 10 20 30  # 批量创建VLAN10、20、30

# 配置VLAN10的三层接口
[USG6000] interface Vlanif 10
[USG6000-Vlanif10] ip address 192.168.10.1 255.255.255.0
[USG6000-Vlanif10] quit

# 配置VLAN20的三层接口
[USG6000] interface Vlanif 20
[USG6000-Vlanif20] ip address 192.168.20.1 255.255.255.0
[USG6000-Vlanif20] quit

# 配置VLAN30的三层接口
[USG6000] interface Vlanif 30
[USG6000-Vlanif30] ip address 192.168.30.1 255.255.255.0
[USG6000-Vlanif30] quit

# 3. 配置接入接口为Trunk模式
[USG6000] interface GigabitEthernet 0/0/1
[USG6000-GigabitEthernet0/0/1] port link-type trunk
[USG6000-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30  # 允许指定VLAN通过
[USG6000-GigabitEthernet0/0/1] undo shutdown
[USG6000-GigabitEthernet0/0/1] quit

# 4. 配置公网接口
[USG6000] interface GigabitEthernet 0/0/0
[USG6000-GigabitEthernet0/0/0] ip address 202.100.1.10 255.255.255.0
[USG6000-GigabitEthernet0/0/0] undo shutdown
[USG6000-GigabitEthernet0/0/0] quit

# 5. 配置安全区域
[USG6000] firewall zone trust
[USG6000-zone-trust] add interface Vlanif 10  # VLAN10加入信任区
[USG6000-zone-trust] add interface Vlanif 20  # VLAN20加入信任区
[USG6000-zone-trust] add interface Vlanif 30  # VLAN30加入信任区
[USG6000-zone-trust] quit

[USG6000] firewall zone untrust
[USG6000-zone-untrust] add interface GigabitEthernet 0/0/0  # 公网接口加入非信任区
[USG6000-zone-untrust] quit

# 6. 配置默认路由
[USG6000] ip route-static 0.0.0.0 0.0.0.0 202.100.1.1

# 7. 配置NAT（允许VLAN10和VLAN20访问互联网）
# 创建地址池
[USG6000] nat address-group 1 202.100.1.10 202.100.1.10

# 创建ACL匹配VLAN10和VLAN20网段
[USG6000] acl number 2000
[USG6000-acl-basic-2000] rule 5 permit source 192.168.10.0 0.0.0.255  # 允许VLAN10
[USG6000-acl-basic-2000] rule 10 permit source 192.168.20.0 0.0.0.255  # 允许VLAN20
[USG6000-acl-basic-2000] quit

# 在公网接口应用NAT
[USG6000] interface GigabitEthernet 0/0/0
[USG6000-GigabitEthernet0/0/0] nat outbound 2000 address-group 1 no-pat
[USG6000-GigabitEthernet0/0/0] quit

# 8. 配置安全策略（实现访问控制需求）
[USG6000] security-policy
[USG6000-policy-security]

# 策略1：允许VLAN10访问VLAN20
[USG6000-policy-security] rule name vlan10_to_vlan20
[USG6000-policy-security-rule-vlan10_to_vlan20] source-zone trust
[USG6000-policy-security-rule-vlan10_to_vlan20] source-address 192.168.10.0 0.0.0.255
[USG6000-policy-security-rule-vlan10_to_vlan20] destination-zone trust
[USG6000-policy-security-rule-vlan10_to_vlan20] destination-address 192.168.20.0 0.0.0.255
[USG6000-policy-security-rule-vlan10_to_vlan20] action permit
[USG6000-policy-security-rule-vlan10_to_vlan20] quit

# 策略2：允许VLAN10访问VLAN30
[USG6000-policy-security] rule name vlan10_to_vlan30
[USG6000-policy-security-rule-vlan10_to_vlan30] source-zone trust
[USG6000-policy-security-rule-vlan10_to_vlan30] source-address 192.168.10.0 0.0.0.255
[USG6000-policy-security-rule-vlan10_to_vlan30] destination-zone trust
[USG6000-policy-security-rule-vlan10_to_vlan30] destination-address 192.168.30.0 0.0.0.255
[USG6000-policy-security-rule-vlan10_to_vlan30] action permit
[USG6000-policy-security-rule-vlan10_to_vlan30] quit

# 策略3：允许VLAN10访问互联网
[USG6000-policy-security] rule name vlan10_to_internet
[USG6000-policy-security-rule-vlan10_to_internet] source-zone trust
[USG6000-policy-security-rule-vlan10_to_internet] source-address 192.168.10.0 0.0.0.255
[USG6000-policy-security-rule-vlan10_to_internet] destination-zone untrust
[USG6000-policy-security-rule-vlan10_to_internet] action permit
[USG6000-policy-security-rule-vlan10_to_internet] quit

# 策略4：允许VLAN20访问互联网
[USG6000-policy-security] rule name vlan20_to_internet
[USG6000-policy-security-rule-vlan20_to_internet] source-zone trust
[USG6000-policy-security-rule-vlan20_to_internet] source-address 192.168.20.0 0.0.0.255
[USG6000-policy-security-rule-vlan20_to_internet] destination-zone untrust
[USG6000-policy-security-rule-vlan20_to_internet] action permit
[USG6000-policy-security-rule-vlan20_to_internet] quit

# 注意：由于USG默认拒绝所有未匹配的流量，以下场景无需额外配置：
# - VLAN20和VLAN30之间的互访
# - VLAN20、VLAN30访问VLAN10
# - VLAN30访问互联网

[USG6000-policy-security] quit

# 9. 配置DHCP（可选，为各VLAN自动分配IP）
[USG6000] dhcp enable

# VLAN10的DHCP配置
[USG6000] ip pool vlan10_pool
[USG6000-ip-pool-vlan10_pool] network 192.168.10.0 mask 255.255.255.0
[USG6000-ip-pool-vlan10_pool] gateway-list 192.168.10.1
[USG6000-ip-pool-vlan10_pool] dns-list 114.114.114.114 8.8.8.8
[USG6000-ip-pool-vlan10_pool] quit

# VLAN20的DHCP配置
[USG6000] ip pool vlan20_pool
[USG6000-ip-pool-vlan20_pool] network 192.168.20.0 mask 255.255.255.0
[USG6000-ip-pool-vlan20_pool] gateway-list 192.168.20.1
[USG6000-ip-pool-vlan20_pool] dns-list 114.114.114.114 8.8.8.8
[USG6000-ip-pool-vlan20_pool] quit

# VLAN30的DHCP配置
[USG6000] ip pool vlan30_pool
[USG6000-ip-pool-vlan30_pool] network 192.168.30.0 mask 255.255.255.0
[USG6000-ip-pool-vlan30_pool] gateway-list 192.168.30.1
[USG6000-ip-pool-vlan30_pool] dns-list 114.114.114.114 8.8.8.8
[USG6000-ip-pool-vlan30_pool] quit

# 应用DHCP到VLANIF接口
[USG6000] interface Vlanif 10
[USG6000-Vlanif10] dhcp select global
[USG6000-Vlanif10] quit

[USG6000] interface Vlanif 20
[USG6000-Vlanif20] dhcp select global
[USG6000-Vlanif20] quit

[USG6000] interface Vlanif 30
[USG6000-Vlanif30] dhcp select global
[USG6000-Vlanif30] quit

# 10. 保存配置
[USG6000] save
The current configuration will be written to the device. Continue? [Y/N]y

配置说明

1. VLAN 配置：通过创建 VLANIF 接口实现三层互通，Trunk 接口允许所有 VLAN 通过
2. 安全区域：所有 VLAN 接口都加入 Trust 区域，公网接口加入 Untrust 区域
3. NAT 配置：仅允许 VLAN10 和 VLAN20 的流量进行地址转换，实现上网功能
4. 安全策略：
   • 明确允许 VLAN10 访问 VLAN20、VLAN30 和互联网
   • 明确允许 VLAN20 访问互联网
   • 利用防火墙默认拒绝策略，实现其他未授权的访问控制

验证命令

• 查看 VLAN 配置：display vlan
• 查看接口状态：display interface brief
• 查看安全策略：display security-policy all
• 查看 NAT 配置：display nat address-group 1
• 查看 DHCP 分配情况：display dhcp server ip-in-use