As shown in Figure 1, configure static routes on the devices for interconnections between any two hosts.
This configuration example was created and verified on F9900 of the F5000-AI120 device.
Configure IP addresses for the interfaces on Device A. (Details not shown.)
Configure security zones:
# Add the interfaces of Device A to the associated security zones according to the network diagram.
<DeviceA> system-view
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Trust] quit
Configure security policies:
# Create security policy rule trust-untrust to permit packets from security zone trust to security zone untrust.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-ip-subnet 1.1.2.0 24
[DeviceA-security-policy-ip-0-trust-untrust] destination-ip-subnet 1.1.3.0 24
[DeviceA-security-policy-ip-0-trust-untrust] destination-ip-subnet 1.1.6.0 24
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] quit
# Create security policy rule untrust-trust to permit packets from security zone untrust to security zone trust.
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-1-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-1-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-1-untrust-trust] source-ip-subnet 1.1.3.0 24
[DeviceA-security-policy-ip-1-untrust-trust] source-ip-subnet 1.1.6.0 24
[DeviceA-security-policy-ip-1-untrust-trust] destination-ip-subnet 1.1.2.0 24
[DeviceA-security-policy-ip-1-untrust-trust] action pass
[DeviceA-security-policy-ip-1-untrust-trust] quit
[DeviceA-security-policy-ip] quit
Configure static routes:
# Configure a default route on Device A.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
Configure IP addresses for the interfaces on Device B. (Details not shown.)
Configure static routes:
# Configure two static routes on Device B.
<DeviceB> system-view
[DeviceB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
[DeviceB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
Configure IP addresses for the interfaces on Device C. (Details not shown.)
Configure static routes:
# Configure a default route on Device C.
<DeviceC> system-view
[DeviceC] ip route-static 0.0.0.0 0.0.0.0 1.1.5.5
Configure the default gateways for Host A, Host B, and Host C as 1.1.2.3, 1.1.6.1, and 1.1.3.1, respectively. (Details not shown.)
# Display static route information on Device A.
[DeviceA] display ip routing-table protocol static
Summary Count : 1
Static Routing table Status : <Active>
Summary Count : 1
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 1.1.4.2 GE1/0/1
Static Routing table Status : <Inactive>
Summary Count : 0
# Display static route information on Device B.
[DeviceB] display ip routing-table protocol static
Summary Count : 2
Static Routing table Status : <Active>
Summary Count : 2
Destination/Mask Proto Pre Cost NextHop Interface
1.1.2.0/24 Static 60 0 1.1.4.1 GE1/0/1
1.1.3.0/24 Static 60 0 1.1.5.6 GE1/0/2
Static Routing table Status : <Inactive>
Summary Count : 0
# Use the ping command on Host B to test the reachability of Host A (Windows XP runs on the two hosts).
C:\Documents and Settings\Administrator>ping 1.1.2.2
Pinging 1.1.2.2 with 32 bytes of data:
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Ping statistics for 1.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Use the tracert command on Host B to test the reachability of Host A.
C:\Documents and Settings\Administrator>tracert 1.1.2.2
Tracing route to 1.1.2.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 1.1.6.1
2 <1 ms <1 ms <1 ms 1.1.4.1
3 1 ms <1 ms <1 ms 1.1.2.2
Trace complete.
Configuration file of Device A:
#
interface GigabitEthernet1/0/1
ip address 1.1.2.3 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 1.1.4.1 255.255.255.252
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 1.1.2.0 255.255.255.0
destination-ip-subnet 1.1.3.0 255.255.255.0
destination-ip-subnet 1.1.6.0 255.255.255.0
rule 1 name untrust-trust
action pass
source-zone untrust
destination-zone trust
source-ip-subnet 1.1.3.0 255.255.255.0
source-ip-subnet 1.1.6.0 255.255.255.0
destination-ip-subnet 1.1.2.0 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
#
Configuration file of Device B:
#
interface GigabitEthernet1/0/1
ip address 1.1.4.2 255.255.255.252
#
interface GigabitEthernet1/0/2
ip address 1.1.5.5 255.255.255.252
#
interface GigabitEthernet1/0/3
ip address 1.1.6.1 255.255.255.0
#
ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
#
Configuration file of Device C:
#
interface GigabitEthernet1/0/1
ip address 1.1.3.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 1.1.5.6 255.255.255.252
#
ip route-static 0.0.0.0 0.0.0.0 1.1.5.5
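The following Python model is an added example, not part of the original configuration guide. It replays the static routes and Device A's two security policy rules from the configuration above to check which host-to-host flows are forwarded, and reproduces the tracert hop list shown in the verification step. Assumptions: Host B and Host C use the constructed addresses 1.1.6.2 and 1.1.3.2 (the page only gives Host A as 1.1.2.2), packets that match no security policy rule are dropped, and traffic addressed to Device A itself is not modeled.

```python
import ipaddress as ipa

DEVICES = {  # interface addresses and static routes transcribed from this page
    "A": {"ifs": ["1.1.2.3/24", "1.1.4.1/30"], "routes": [("0.0.0.0/0", "1.1.4.2")]},
    "B": {"ifs": ["1.1.4.2/30", "1.1.5.5/30", "1.1.6.1/24"],
          "routes": [("1.1.2.0/24", "1.1.4.1"), ("1.1.3.0/24", "1.1.5.6")]},
    "C": {"ifs": ["1.1.3.1/24", "1.1.5.6/30"], "routes": [("0.0.0.0/0", "1.1.5.5")]},
}
RULES_A = [  # (source-zone, destination-zone, source subnets, destination subnets), action pass
    ("trust", "untrust", ["1.1.2.0/24"], ["1.1.3.0/24", "1.1.6.0/24"]),
    ("untrust", "trust", ["1.1.3.0/24", "1.1.6.0/24"], ["1.1.2.0/24"]),
]

def find(addr, exact):
    """Locate the device interface that owns addr (exact) or whose subnet contains it."""
    a = ipa.ip_address(addr)
    for dev, cfg in DEVICES.items():
        for i in map(ipa.ip_interface, cfg["ifs"]):
            if (a == i.ip) if exact else (a in i.network):
                return dev, str(i.ip)
    return None, None

def next_hop(dev, dst):
    """Longest-prefix match: 'connected', a next-hop address, or None when no route exists."""
    cands = [(ipa.ip_interface(i).network, "connected") for i in DEVICES[dev]["ifs"]]
    cands += [(ipa.ip_network(p), nh) for p, nh in DEVICES[dev]["routes"]]
    hits = [(n.prefixlen, nh) for n, nh in cands if ipa.ip_address(dst) in n]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def permitted_by_a(src, dst):
    """First packet of a new session; assumes packets matching no rule are dropped."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    zone = lambda x: "trust" if x in ipa.ip_network("1.1.2.0/24") else "untrust"  # GE1/0/1 side is Trust
    within = lambda x, nets: any(x in ipa.ip_network(n) for n in nets)
    return any((sz, dz) == (zone(s), zone(d)) and within(s, srcs) and within(d, dsts)
               for sz, dz, srcs, dsts in RULES_A)

def trace(src, dst):
    """Hop list as tracert would print it, or None if a route is missing or Device A drops it."""
    (dev, hop), hops = find(src, exact=False), []  # start at the source's first-hop device
    while dev and len(hops) < 8:                   # hop limit guards against routing loops
        hops.append(hop)
        if dev == "A" and not permitted_by_a(src, dst):
            return None
        hop = next_hop(dev, dst)
        if hop == "connected":
            return hops + [dst]
        dev = find(hop, exact=True)[0] if hop else None
    return None
```

In this model, trace("1.1.5.6", "1.1.2.2") returns None: the 1.1.4.0/30 and 1.1.5.4/30 link subnets are not listed in rule untrust-trust, so a test sourced from a device's transit interface is dropped at Device A even though host-to-host traffic passes.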