I. Lab topology and approach
1. PC1 and PC2 belong to two different departments whose traffic must be isolated. Two firewall virtual-system instances provide the isolation: each department's traffic is steered into its own firewall virtual system and then leaves through the router.
2. Link aggregation is used between the switch and the firewall, with four logical interfaces on each side; the four interfaces map in pairs to the two firewall virtual-system instances VRF_A and VRF_B. The switch side uses VLANIF interfaces and the firewall side uses sub-interfaces.
3. Routing plan: OSPF is used. On the switch, the VPN instances VRF_A and VRF_B for the two user groups correspond to area 1 and area 2 respectively; on the firewall, the two virtual systems VRF_A and VRF_B likewise correspond to area 1 and area 2, while the firewall root system and the router interfaces belong to area 0.
The address plan for each interface is shown in the figure.
II. Switch configuration
Basic configuration
[S1]vlan batch 10 20 17 121 to 124
[S1]ip vpn-instance VRF_A
[S1-vpn-instance-VRF_A]ipv4-family
[S1]ip vpn-instance VRF_B
[S1-vpn-instance-VRF_B]ipv4-family
[S1]int Vlanif 17
[S1-Vlanif17]ip add 10.1.17.7 24
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 17
#
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
Configure the trunk port (Eth-Trunk)
[S1]int Eth-Trunk 1
[S1-Eth-Trunk1]mode lacp-static
[S1-Eth-Trunk1]trunkport g0/0/10
[S1-Eth-Trunk1]trunkport g0/0/11
[S1-Eth-Trunk1]port link-type trunk
[S1-Eth-Trunk1]port trunk allow-pass vlan all
Assign the user VLANs to different virtual systems (VPN instances)
[S1]int Vlanif 10
[S1-Vlanif10]ip bind vpn-instance VRF_A
[S1-Vlanif10]ip add 10.1.10.7 24
[S1]int Vlanif 20
[S1-Vlanif20]ip binding vpn-instance VRF_B
[S1-Vlanif20]ip add 10.1.20.7 24
Configure the interfaces that connect to the firewall
[S1]int Vlanif 121
[S1-Vlanif121]ip binding vpn-instance VRF_A
[S1-Vlanif121]ip add 10.1.121.7 24
[S1]int Vlanif 122
[S1-Vlanif122]ip add 10.1.122.7 24
[S1]int Vlanif 123
[S1-Vlanif123]ip binding vpn-instance VRF_B
[S1-Vlanif123]ip add 10.1.123.7 24
[S1]int Vlanif 124
[S1-Vlanif124]ip add 10.1.124.7 24
Configure dynamic routing
[S1-ospf-100]dis th
#
ospf 100
area 0.0.0.0
area 0.0.0.1
area 0.0.0.2
#
[S1-Vlanif17]dis th
#
interface Vlanif17
ip address 10.1.17.7 255.255.255.0
ospf enable 100 area 0.0.0.0
#
[S1-Vlanif122]dis th
#
interface Vlanif122
ip address 10.1.122.7 255.255.255.0
ospf enable 100 area 0.0.0.1
#
[S1-Vlanif124]dis th
#
interface Vlanif124
ip address 10.1.124.7 255.255.255.0
ospf enable 100 area 0.0.0.2
#
[S1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
area 0.0.0.1
#
[S1-Vlanif10]dis th
#
interface Vlanif10
ip binding vpn-instance VRF_A
ip address 10.1.10.7 255.255.255.0
ospf enable 1 area 0.0.0.1
#
[S1-Vlanif121]dis th
#
interface Vlanif121
ip binding vpn-instance VRF_A
ip address 10.1.121.7 255.255.255.0
ospf enable 1 area 0.0.0.1
#
[S1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
area 0.0.0.2
[S1-Vlanif20]dis th
#
interface Vlanif20
ip binding vpn-instance VRF_B
ip address 10.1.20.7 255.255.255.0
ospf enable 2 area 0.0.0.2
#
#
[S1-Vlanif123]dis th
#
interface Vlanif123
ip binding vpn-instance VRF_B
ip address 10.1.123.7 255.255.255.0
ospf enable 2 area 0.0.0.2
#
Configuration details
[S1]dis cu config ospf
#
ospf 1 vpn-instance VRF_A
area 0.0.0.1
#
ospf 2 vpn-instance VRF_B
area 0.0.0.2
#
ospf 100
area 0.0.0.0
area 0.0.0.1
area 0.0.0.2
#
[S1]dis cu int vlan
#
interface Vlanif1
#
interface Vlanif10
ip binding vpn-instance VRF_A
ip address 10.1.10.7 255.255.255.0
ospf enable 1 area 0.0.0.1
#
interface Vlanif17
ip address 10.1.17.7 255.255.255.0
ospf enable 100 area 0.0.0.0
#
interface Vlanif20
ip binding vpn-instance VRF_B
ip address 10.1.20.7 255.255.255.0
ospf enable 2 area 0.0.0.2
#
interface Vlanif121
ip binding vpn-instance VRF_A
ip address 10.1.121.7 255.255.255.0
ospf enable 1 area 0.0.0.1
#
interface Vlanif122
ip address 10.1.122.7 255.255.255.0
ospf enable 100 area 0.0.0.1
#
interface Vlanif123
ip binding vpn-instance VRF_B
ip address 10.1.123.7 255.255.255.0
ospf enable 2 area 0.0.0.2
#
interface Vlanif124
ip address 10.1.124.7 255.255.255.0
ospf enable 100 area 0.0.0.2
#
Disable the OSPF VPN loop-prevention check (vpn-instance-capability simple)
[S1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
vpn-instance-capability simple
area 0.0.0.1
#
[S1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
vpn-instance-capability simple
area 0.0.0.2
#
[S1]dis ip routing-table vpn-instance VRF_A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_A
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 OSPF 10 3 D 10.1.121.12 Vlanif121
10.1.10.0/24 Direct 0 0 D 10.1.10.7 Vlanif10
10.1.10.7/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.17.0/24 OSPF 10 3 D 10.1.121.12 Vlanif121
10.1.20.0/24 OSPF 10 5 D 10.1.121.12 Vlanif121
10.1.121.0/24 Direct 0 0 D 10.1.121.7 Vlanif121
10.1.121.7/32 Direct 0 0 D 127.0.0.1 Vlanif121
10.1.122.0/24 OSPF 10 2 D 10.1.121.12 Vlanif121
10.1.123.0/24 OSPF 10 4 D 10.1.121.12 Vlanif121
10.1.124.0/24 OSPF 10 3 D 10.1.121.12 Vlanif121
III. Firewall configuration
[FW1]int Eth-Trunk 1
[FW1-Eth-Trunk1]mode lacp-static
[FW1-Eth-Trunk1]trunkport g1/0/1
[FW1-Eth-Trunk1]trunkport g1/0/0
[FW1]int Eth-Trunk 1.121
[FW1-Eth-Trunk1.121]vlan-type dot1q 121
[FW1]int Eth-Trunk 1.122
[FW1-Eth-Trunk1.122]vlan-type dot1q 122
[FW1]int Eth-Trunk 1.123
[FW1-Eth-Trunk1.123]vlan-type dot1q 123
[FW1]int Eth-Trunk 1.124
[FW1-Eth-Trunk1.124]vlan-type dot1q 124
Configure the virtual systems
[FW1]vsys enable
[FW1]vsys name VRF_A
[FW1-vsys-VRF_A]assign interface Eth-Trunk 1.121
[FW1-vsys-VRF_A]assign interface Eth-Trunk 1.122
[FW1]vsys name VRF_B
[FW1-vsys-VRF_B]assign interface Eth-Trunk 1.123
[FW1-vsys-VRF_B]assign interface Eth-Trunk 1.124
Configure the interfaces and related settings inside the virtual systems
[FW1]switch vsys VRF_A
[FW1-VRF_A]firewall zone trust
[FW1-VRF_A-zone-trust]add int Eth-Trunk 1.121
[FW1-VRF_A]firewall zone untrust
[FW1-VRF_A-zone-untrust]add interface Eth-Trunk 1.122
[FW1-VRF_A]int Eth-Trunk 1.121
[FW1-VRF_A-Eth-Trunk1.121]ip add 10.1.121.12 24
[FW1-VRF_A]int Eth-Trunk 1.122
[FW1-VRF_A-Eth-Trunk1.122]ip add 10.1.122.12 24
[FW1-VRF_A-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
#
The configuration in virtual system VRF_B is the same as in VRF_A and is omitted here............
Configure dynamic routing
[FW1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
area 0.0.0.1
network 10.1.0.0 0.0.255.255
#
[FW1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
area 0.0.0.2
network 10.1.0.0 0.0.255.255
#
Relax the security policy inside the virtual systems (for the test setup only)
[FW1-VRF_A-policy-security]dis th
2024-06-22 15:20:28.580
#
security-policy
default action permit
rule name LOCAL_TO_ANY
source-zone local
action permit
#
[FW1-VRF_B-policy-security]dis th
2024-06-22 15:22:16.300
#
security-policy
default action permit
rule name LOCAL_TO_ANY
source-zone local
action permit
#
Disable the OSPF VPN loop-prevention check (vpn-instance-capability simple)
[FW1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
vpn-instance-capability simple
area 0.0.0.1
network 10.1.0.0 0.0.255.255
#
[FW1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
vpn-instance-capability simple
area 0.0.0.2
network 10.1.0.0 0.0.255.255
#
[FW1]dis ip routing-table vpn-instance VRF_A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_A
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 OSPF 10 2 D 10.1.122.7 Eth-Trunk1.122
10.1.10.0/24 OSPF 10 2 D 10.1.121.7 Eth-Trunk1.121
10.1.17.0/24 OSPF 10 2 D 10.1.122.7 Eth-Trunk1.122
10.1.20.0/24 OSPF 10 4 D 10.1.122.7 Eth-Trunk1.122
10.1.121.0/24 Direct 0 0 D 10.1.121.12 Eth-Trunk1.121
10.1.121.12/32 Direct 0 0 D 127.0.0.1 Eth-Trunk1.121
10.1.122.0/24 Direct 0 0 D 10.1.122.12 Eth-Trunk1.122
10.1.122.12/32 Direct 0 0 D 127.0.0.1 Eth-Trunk1.122
10.1.123.0/24 OSPF 10 3 D 10.1.122.7 Eth-Trunk1.122
10.1.124.0/24 OSPF 10 2 D 10.1.122.7 Eth-Trunk1.122
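As an added check that is not part of the original lab: the VRF_A routing table above already carries 10.1.20.0/24 (the other department's subnet) learned via OSPF through the root system and router, so in this design department isolation rests on the firewall security policy rather than on routing, and the test-only `default action permit` removes that last barrier. The script below parses a routing-table listing and a security-policy view (sample inputs constructed from the listings on this page) and reports foreign subnets that are routable while the policy is permit-by-default.

```python
import ipaddress
import re

# Constructed sample, shaped like the lab's 'dis ip routing-table vpn-instance VRF_A' on FW1.
ROUTING_TABLE_VRF_A = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.1/32 OSPF 10 2 D 10.1.122.7 Eth-Trunk1.122
10.1.10.0/24 OSPF 10 2 D 10.1.121.7 Eth-Trunk1.121
10.1.20.0/24 OSPF 10 4 D 10.1.122.7 Eth-Trunk1.122
10.1.121.0/24 Direct 0 0 D 10.1.121.12 Eth-Trunk1.121
"""
# Constructed sample of the test-only policy shown in the vsys ('default action permit').
TEST_POLICY = "security-policy\ndefault action permit\nrule name LOCAL_TO_ANY\nsource-zone local\naction permit\n"

# Columns: Destination/Mask Proto Pre Cost Flags NextHop Interface
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+\d+\s+(\d+)\s+\S+\s+(\S+)\s+(\S+)$")


def parse_routes(text):
    """Parse the table into (network, proto, cost, nexthop, interface) tuples; header lines do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net, proto, cost, nexthop, iface = m.groups()
            routes.append((ipaddress.ip_network(net), proto, int(cost), nexthop, iface))
    return routes


def default_action(policy_text):
    """Read 'default action <x>' from the security-policy view; Huawei's default when unset is deny."""
    m = re.search(r"^\s*default action (\w+)\s*$", policy_text, re.M)
    return m.group(1) if m else "deny"


def isolation_findings(table_text, policy_text, foreign_subnets):
    """Return foreign subnets that are routable from this vsys while the policy permits by default.
    Each hit means isolation depends on an explicit deny rule, not on the VRF split."""
    routes = parse_routes(table_text)
    if default_action(policy_text) != "permit":
        return []
    findings = []
    for subnet in map(ipaddress.ip_network, foreign_subnets):
        for net, proto, cost, nexthop, iface in routes:
            if subnet.subnet_of(net):
                findings.append((str(subnet), proto, cost, nexthop, iface))
    return findings


if __name__ == "__main__":
    for sub, proto, cost, nexthop, iface in isolation_findings(ROUTING_TABLE_VRF_A, TEST_POLICY, ["10.1.20.0/24"]):
        print("VRF_A reaches other department %s via %s/%s (%s cost %d) with permit-by-default" % (sub, nexthop, iface, proto, cost))
```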
Enable ICMP TTL-exceeded replies (so the firewall hop appears in tracert)
[FW1]icmp ttl-exceeded send
IV. Verification
Directly connected addresses can be pinged
ping -vpn-instance VRF_A 10.1.10.10
PING 10.1.10.10: 56 data bytes, press CTRL_C to break
Reply from 10.1.10.10: bytes=56 Sequence=1 ttl=128 time=60 ms
Reply from 10.1.10.10: bytes=56 Sequence=2 ttl=128 time=30 ms
ping -vpn-instance VRF_B 10.1.20.10
PING 10.1.20.10: 56 data bytes, press CTRL_C to break
Reply from 10.1.20.10: bytes=56 Sequence=1 ttl=128 time=40 ms
Reply from 10.1.20.10: bytes=56 Sequence=2 ttl=128 time=30 ms
OSPF adjacencies and routes are established
[S1]dis ospf peer brief
OSPF Process 1 with Router ID 10.1.10.7
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.1 Vlanif121 10.1.121.12 Full
----------------------------------------------------------------------------
OSPF Process 2 with Router ID 10.1.20.7
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.2 Vlanif123 10.1.123.12 Full
----------------------------------------------------------------------------
OSPF Process 100 with Router ID 10.1.17.7
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.1 Vlanif122 10.1.121.12 Full
0.0.0.2 Vlanif124 10.1.123.12 Full
----------------------------------------------------------------------------
[S1]dis ospf interface
OSPF Process 1 with Router ID 10.1.10.7
Interfaces
Area: 0.0.0.1
IP Address Type State Cost Pri DR BDR
10.1.10.7 Broadcast DR 1 1 10.1.10.7 0.0.0.0
10.1.121.7 Broadcast DR 1 1 10.1.121.7 10.1.121.12
OSPF Process 2 with Router ID 10.1.20.7
Interfaces
Area: 0.0.0.2
IP Address Type State Cost Pri DR BDR
10.1.20.7 Broadcast DR 1 1 10.1.20.7 0.0.0.0
10.1.123.7 Broadcast DR 1 1 10.1.123.7 10.1.123.12
OSPF Process 100 with Router ID 10.1.17.7
Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
10.1.17.7 Broadcast DR 1 1 10.1.17.7 0.0.0.0
Area: 0.0.0.1
IP Address Type State Cost Pri DR BDR
10.1.122.7 Broadcast DR 1 1 10.1.122.7 10.1.122.12
Area: 0.0.0.2
IP Address Type State Cost Pri DR BDR
10.1.124.7 Broadcast DR 1 1 10.1.124.7 10.1.124.12
Ping and tracert from PC1 to the router loopback
PC>ping 10.1.1.1
Ping 10.1.1.1: 32 data bytes, Press Ctrl_C to break
From 10.1.1.1: bytes=32 seq=1 ttl=252 time=94 ms
From 10.1.1.1: bytes=32 seq=2 ttl=252 time=63 ms
PC>tracert 10.1.1.1
traceroute to 10.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.10.7 31 ms 16 ms 31 ms
2 10.1.121.12 16 ms 47 ms 47 ms
3 10.1.122.7 62 ms 63 ms 47 ms
4 10.1.1.1 78 ms 78 ms 78 ms
Ping and tracert from PC2 to the router loopback
PC>ping 10.1.1.1
Ping 10.1.1.1: 32 data bytes, Press Ctrl_C to break
From 10.1.1.1: bytes=32 seq=1 ttl=252 time=63 ms
From 10.1.1.1: bytes=32 seq=2 ttl=252 time=93 ms
PC>tracert 10.1.1.1
traceroute to 10.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.20.7 16 ms 16 ms 15 ms
2 10.1.123.12 47 ms 47 ms 47 ms
3 10.1.124.7 31 ms 78 ms 63 ms
4 10.1.1.1 78 ms 78 ms 78 ms