1. Lab Objective
There are two devices, a firewall and a switch; the switch connects three PCs. The switch and the firewall must exchange routes with OSPF, and the traffic path must be: switch - firewall - switch - firewall - switch.
For example, for A -> B the path of A must be: A goes to the switch, then to a virtual system (vsys) on the firewall, comes back out of that virtual firewall to the switch, goes into a virtual firewall again, and comes back out to the switch again, completing the communication.
2. Topology Design
Assumption: create VLAN 10, 20, 30 and 40 on the switch. VLAN 10 and VLAN 20 are bound to their corresponding VRFs (vpn-instances), while VLAN 30 and VLAN 40 stay in the global routing table. On the firewall, create two virtual systems, vsys1 and vsys2, corresponding to switch VLAN 10 and VLAN 20. The intended result is:
PC1 -> PC2: PC1 - switch VLAN10 - firewall vsys1 - switch global VLAN30 - firewall vsys2 - switch VLAN20 - PC2. This completes PC1 -> PC2 communication.
PC2 -> PC1: PC2 - switch VLAN20 - firewall vsys2 - switch global VLAN40 - firewall vsys1 - switch VLAN10 - PC1. This completes PC2 -> PC1 communication.
PC1 -> PC3: PC1 - switch VLAN10 - firewall vsys1 - switch global VLAN30 - PC3. This completes PC1 -> PC3 communication.
PC2 -> PC3: PC2 - switch VLAN20 - firewall vsys2 - switch global VLAN40 - switch global VLAN30 - PC3. This completes PC2 -> PC3 communication.
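The four paths above follow from one fact: a packet can only leave a routing context (a switch VRF, the switch global table, or a firewall vsys) through a subnet that context has an interface in, and OSPF picks the fewest-hop route at every hop. The following script is an added example (not part of the original lab notes) that models exactly the contexts and subnets of this lab, forwards hop by hop the way each device would, and checks that every inter-VLAN flow is forced through a vsys. It assumes each PC uses the switch Vlanif (.1) of its own VLAN as default gateway; the context names and the PC_SUBNET / VLAN_OF tables are constructed for the model.

```python
from collections import deque

# Subnets each routing context has an interface in, taken from the lab config.
# Assumption (constructed for the model): a PC's gateway is the switch Vlanif (.1) of its VLAN.
CONTEXTS = {
    "switch-vpn10": {"192.168.10.0/24"},
    "switch-vpn20": {"192.168.20.0/24"},
    "switch-global": {"192.168.30.0/24", "192.168.40.0/24"},
    "fw-vsys1": {"192.168.10.0/24", "192.168.30.0/24"},
    "fw-vsys2": {"192.168.20.0/24", "192.168.40.0/24"},
}
PC_SUBNET = {"PC1": "192.168.10.0/24", "PC2": "192.168.20.0/24", "PC3": "192.168.30.0/24"}
VLAN_OF = {s: f"VLAN{s.split('.')[2]}" for c in CONTEXTS for s in CONTEXTS[c]}  # 192.168.30.0/24 -> VLAN30

def neighbours(ctx):
    """Contexts sharing a subnet with ctx: exactly where the lab's OSPF adjacencies form."""
    return sorted(o for o in CONTEXTS if o != ctx and CONTEXTS[o] & CONTEXTS[ctx])

def next_hop(ctx, dst_subnet):
    """First hop of the fewest-hop route from ctx to any context attached to dst_subnet."""
    queue, seen = deque((n, n) for n in neighbours(ctx)), {ctx}
    while queue:
        node, first = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        if dst_subnet in CONTEXTS[node]:
            return first
        queue.extend((n, first) for n in neighbours(node))
    return None  # black hole: no context on the way is attached to dst_subnet

def subnets(hop):
    return {PC_SUBNET[hop]} if hop in PC_SUBNET else CONTEXTS[hop]

def trace(src_pc, dst_pc):
    """L3 hops src_pc -> ... -> dst_pc, each hop routing on its own; raises on a loop or black hole."""
    dst = PC_SUBNET[dst_pc]
    ctx = next(c for c in CONTEXTS if c.startswith("switch") and PC_SUBNET[src_pc] in CONTEXTS[c])
    path = [src_pc]
    while dst not in subnets(ctx):
        path.append(ctx)
        ctx = next_hop(ctx, dst)
        if ctx is None or ctx in path:
            raise RuntimeError(f"no loop-free route {src_pc}->{dst_pc}: {path}")
    return path + [ctx, dst_pc]

def render(path):
    """Write the path the way the lab summary does, naming the VLAN crossed between hops."""
    links = [VLAN_OF[min(subnets(a) & subnets(b))] for a, b in zip(path, path[1:])]
    return "-".join(x for pair in zip(path, links) for x in pair) + "-" + path[-1]

def crosses_firewall(path):
    """True when at least one vsys forwards the flow, which is the segmentation goal of the design."""
    return any(hop.startswith("fw-") for hop in path)
```

Running trace() for every PC pair reproduces the paths listed above, and crosses_firewall() is the check to re-run after any VLAN or VRF change to make sure no flow has found a way around the firewall.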
3. Configuration Scripts
Switch configuration:
VLAN assignment
vlan 10 20 30 40
vlan10: vpn10
vlan20: vpn20
vlan30, 40: global
OSPF:
vlan10: OSPF 10, RID 10.1.1.1 -- vpn10 instance
vlan20: OSPF 20, RID 20.1.1.1 -- vpn20 instance
vlan30, 40: OSPF 1, RID 30.1.1.1 -- global
Switch configuration script
vlan batch 10 20 30 40
#
ip vpn-instance vpn10
 ipv4-family
ip vpn-instance vpn20
 ipv4-family
interface Vlanif10
 ip binding vpn-instance vpn10
 ip address 192.168.10.1 255.255.255.0
 ospf enable 10 area 0.0.0.0
#
interface Vlanif20
 ip binding vpn-instance vpn20
 ip address 192.168.20.1 255.255.255.0
 ospf enable 20 area 0.0.0.0
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 ospf enable 1 area 0.0.0.0
#
interface Vlanif40
 ip address 192.168.40.1 255.255.255.0
 ospf enable 1 area 0.0.0.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 30
#
ospf 1 router-id 30.1.1.1
 area 0.0.0.0
#
ospf 10 router-id 10.1.1.1 vpn-instance vpn10
 area 0.0.0.0
#
ospf 20 router-id 20.1.1.1 vpn-instance vpn20
 area 0.0.0.0
Firewall configuration
FW1:
Firewall vsys:
vsys1 interfaces: .10 and .30; vsys2 interfaces: .20 and .40
Subinterface addressing:
.10: 192.168.10.2/24
.20: 192.168.20.2/24
.30: 192.168.30.2/24
.40: 192.168.40.2/24
OSPF:
1: vsys1, RID 100.1.1.1
2: vsys2, RID 2.2.2.2
Zone assignment:
vsys1:
trust: g1/0/0.10, g1/0/0.30; untrust: virtual-if 1
vsys2:
trust: g1/0/0.20, g1/0/0.40; untrust: virtual-if 2
Security policy:
For OSPF:
source and destination zones: trust, untrust, local; source and destination IP: 192.168.0.0/16
service: ospf
For forwarded traffic (icmp): vsys1: trust -> untrust; vsys2: trust -> untrust
vsys enable
vsys name vsys1 1
 assign interface GigabitEthernet1/0/0.10
 assign interface GigabitEthernet1/0/0.30
#
vsys name vsys2 2
 assign interface GigabitEthernet1/0/0.20
 assign interface GigabitEthernet1/0/0.40
// create the vsys and assign interfaces to them
ip vpn-instance vsys1
 ipv4-family
 ipv6-family
#
ip vpn-instance vsys2
 ipv4-family
 ipv6-family
#
interface GigabitEthernet1/0/0
 undo shutdown
interface GigabitEthernet1/0/0.10
 vlan-type dot1q 10
 ip binding vpn-instance vsys1
 ip address 192.168.10.2 255.255.255.0
 ospf enable 1 area 0.0.0.0
 service-manage ping permit
interface GigabitEthernet1/0/0.20
 vlan-type dot1q 20
 ip binding vpn-instance vsys2
 ip address 192.168.20.2 255.255.255.0
 ospf enable 2 area 0.0.0.0
 service-manage ping permit
interface GigabitEthernet1/0/0.30
 vlan-type dot1q 30
 ip binding vpn-instance vsys1
 ip address 192.168.30.2 255.255.255.0
 ospf enable 1 area 0.0.0.0
 service-manage ping permit
interface GigabitEthernet1/0/0.40
 vlan-type dot1q 40
 ip binding vpn-instance vsys2
 ip address 192.168.40.2 255.255.255.0
 ospf enable 2 area 0.0.0.0
 service-manage ping permit
ospf 1 router-id 100.1.1.1 vpn-instance vsys1
 area 0.0.0.0
ospf 2 router-id 2.2.2.2 vpn-instance vsys2
 area 0.0.0.0
switch vsys vsys1
// configuration of virtual system vsys1
interface GigabitEthernet1/0/0.10
 vlan-type dot1q 10
 ip binding vpn-instance vsys1
 ip address 192.168.10.2 255.255.255.0
 ospf enable 1 area 0.0.0.0
 service-manage ping permit
interface GigabitEthernet1/0/0.30
 vlan-type dot1q 30
 ip binding vpn-instance vsys1
 ip address 192.168.30.2 255.255.255.0
 ospf enable 1 area 0.0.0.0
 service-manage ping permit
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0.10
 add interface GigabitEthernet1/0/0.30
firewall zone untrust
 set priority 5
 add interface Virtual-if1
security-policy
// security policy of vsys1
 rule name ospf1
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  service ospf
  action permit
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  destination-address 192.168.0.0 mask 255.255.0.0
  service icmp
  action permit
switch vsys vsys2
// configuration of virtual system vsys2
interface GigabitEthernet1/0/0.20
 vlan-type dot1q 20
 ip binding vpn-instance vsys2
 ip address 192.168.20.2 255.255.255.0
 ospf enable 2 area 0.0.0.0
 service-manage ping permit
interface GigabitEthernet1/0/0.40
 vlan-type dot1q 40
 ip binding vpn-instance vsys2
 ip address 192.168.40.2 255.255.255.0
 ospf enable 2 area 0.0.0.0
 service-manage ping permit
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0.20
 add interface GigabitEthernet1/0/0.40
firewall zone untrust
 set priority 5
 add interface Virtual-if2
security-policy
// security policy of vsys2
 rule name ospf20
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  destination-address 192.168.0.0 mask 255.255.0.0
  service ospf
  action permit
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  destination-address 192.168.0.0 mask 255.255.0.0
  service icmp
  action permit
4. Lab Summary
PC1 ---> PC2:
Meets the requirement
VLAN10 - virtual firewall 1 - VLAN30 - virtual firewall 2 - PC2
PC2 ---> PC1:
Meets the requirement
VLAN20 - virtual firewall 2 - VLAN40 - virtual firewall 1 - PC1
PC1 ---> PC3:
Meets the requirement
VLAN10 - virtual firewall 1 - VLAN30 - PC3
PC2 ---> PC3:
Meets the requirement
VLAN20 - virtual firewall 2 - VLAN40 - PC3
Note: when a firewall sits in the path, asterisks in the tracert output appear because the firewall does not respond to tracert by default. To enable the responses, try the following commands:
icmp ttl-exceeded send
icmp host-unreachable send
undo firewall defend icmp-unreachable enable
undo firewall defend tracert enable