Chapter 7 Firewall Virtual System Isolation - 7.1 Virtual Network Isolation

1. Layer-2 VLAN isolation on the switch, Layer-3 routing isolation on the router

[Figure 1]
1) Layer-2 VLAN isolation on the switch, Layer-3 physical-interface isolation on the router
(1) SW1 configuration
vlan batch 10 11 20 21
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10

interface GigabitEthernet0/0/11
 port link-type access
 port default vlan 10

interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 11

interface GigabitEthernet0/0/12
 port link-type access
 port default vlan 11

interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20

interface GigabitEthernet0/0/13
 port link-type access
 port default vlan 20

interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 21

interface GigabitEthernet0/0/14
 port link-type access
 port default vlan 21

(2) R1 configuration
# Create the virtual routers
ip vpn-instance IT-vROUTER01
 ipv4-family

ip vpn-instance HR-vROUTER02
 ipv4-family

# Bind interfaces to the virtual routers
interface GigabitEthernet0/0/1
 ip binding vpn-instance IT-vROUTER01
 ip address 192.168.10.254 255.255.255.0

interface GigabitEthernet0/0/2
 ip binding vpn-instance IT-vROUTER01
 ip address 192.168.11.254 255.255.255.0

# View the routing table of the virtual router
display ip routing-table vpn-instance IT-vROUTER01
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 192.168.10.0/24  Direct  0    0           D   192.168.10.254  GigabitEthernet0/0/1
 192.168.11.0/24  Direct  0    0           D   192.168.11.254  GigabitEthernet0/0/2

interface GigabitEthernet0/0/3
 ip binding vpn-instance HR-vROUTER02
 ip address 192.168.10.254 255.255.255.0

interface GigabitEthernet0/0/0
 ip binding vpn-instance HR-vROUTER02
 ip address 192.168.11.254 255.255.255.0

# View the routing table of the virtual router
display ip routing-table vpn-instance HR-vROUTER02
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
192.168.10.0/24  Direct  0    0           D   192.168.10.254  GigabitEthernet0/0/3
192.168.11.0/24  Direct  0    0           D   192.168.11.254  GigabitEthernet0/0/0

# ACL approach: isolates the data plane but not the routing table, so the subnets cannot be designed independently and must be planned as one address space.

2. VRF isolation

[Figure 2]
1) VPN-instance, a virtual routing instance (creates an independent vRouter): not only is the data isolated, the routing table is isolated as well. If two isolated networks (Layer-2 VLAN / Layer-3 VPN-instance) need to reach a shared services network, the network design must be unified; Layer-3 isolation uses VPN-instance / VRF technology.
# Routes can be imported and exported between the routing tables of different VPN-instances (vrf-lite); the following parameters must be set on each vRouter
(1) RD value: route distinguisher, format xx:xx [1:1, 2:2, 10:10], acting as the vRouter-ID.
Different virtual routers are identified by different vRouter-ID (RD) values.

(2) RT (vpn-target): route target, format xx:xx [1:1, 2:2, 10:10]
The tag that routes carry when they are exported from the vpn-instance

(3) Enable BGP to exchange routes (VPN routing table import/export)

2) Create the virtual router
ip vpn-instance SHAER-vROUTER03
 ipv4-family

3) Bind interfaces to the virtual routers
interface Ethernet0/0/0
 ip binding vpn-instance SHAER-vROUTER03
 ip address 192.168.99.254 255.255.255.0

interface GigabitEthernet0/0/3
 ip binding vpn-instance HR-vROUTER02
 ip address 192.168.20.254 255.255.255.0

interface GigabitEthernet0/0/0
 ip binding vpn-instance HR-vROUTER02
 ip address 192.168.21.254 255.255.255.0

4) Configure RD values
ip vpn-instance IT-vROUTER01
 ipv4-family
  route-distinguisher 10:10

ip vpn-instance HR-vROUTER02
 ipv4-family
  route-distinguisher 20:20

ip vpn-instance SHAER-vROUTER03
 ipv4-family
  route-distinguisher 99:99

5) Set vpn-target (route targets)
ip vpn-instance IT-vROUTER01
 ipv4-family
  route-distinguisher 10:10
  vpn-target 1:1 export-extcommunity
  vpn-target 9:9 import-extcommunity

ip vpn-instance HR-vROUTER02
 ipv4-family
  route-distinguisher 20:20
  vpn-target 2:2 export-extcommunity
  vpn-target 9:9 import-extcommunity

ip vpn-instance SHAER-vROUTER03
 ipv4-family
  route-distinguisher 99:99
  vpn-target 9:9 export-extcommunity
  vpn-target 1:1 import-extcommunity
  vpn-target 2:2 import-extcommunity

6) Configure BGP
bgp 65001
 ipv4-family vpn-instance IT-vROUTER01
  import-route direct

 ipv4-family vpn-instance HR-vROUTER02
  import-route direct

 ipv4-family vpn-instance SHAER-vROUTER03
  import-route direct

3. Reaching a shared server from isolated networks

[Figure 3]
1) Create the VLANs
vlan batch 10 to 11 20 to 21 99
interface GigabitEthernet0/0/9
 port link-type access
 port default vlan 99

2) Create the VRFs
ip vpn-instance IT-vROUTER01
 ipv4-family
  route-distinguisher 10:10
  vpn-target 1:1 export-extcommunity
  vpn-target 9:9 import-extcommunity

ip vpn-instance HR-vROUTER02
 ipv4-family
  route-distinguisher 20:20
  vpn-target 2:2 export-extcommunity
  vpn-target 9:9 import-extcommunity

ip vpn-instance SHAER-vROUTER03
 ipv4-family
  route-distinguisher 99:99
  vpn-target 9:9 export-extcommunity
  vpn-target 1:1 import-extcommunity
  vpn-target 2:2 import-extcommunity

3) Bind the VLAN interfaces to the virtual routers
interface Vlanif10
 ip binding vpn-instance IT-vROUTER01
 ip address 192.168.10.254 255.255.255.0

interface Vlanif11
 ip binding vpn-instance IT-vROUTER01
 ip address 192.168.11.254 255.255.255.0

interface Vlanif20
 ip binding vpn-instance HR-vROUTER02
 ip address 192.168.20.254 255.255.255.0

interface Vlanif21
 ip binding vpn-instance HR-vROUTER02
 ip address 192.168.21.254 255.255.255.0

interface Vlanif99
 ip binding vpn-instance SHAER-vROUTER03
 ip address 192.168.99.254 255.255.255.0

4) Configure BGP
bgp 65001
 ipv4-family vpn-instance IT-vROUTER01
  import-route direct

 ipv4-family vpn-instance HR-vROUTER02
  import-route direct

 ipv4-family vpn-instance SHAER-vROUTER03
  import-route direct
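The RD/RT mechanics behind the vpn-instance configuration in sections 2 and 3 can be traced step by step. The following is an added illustration, not code from the page or from the vendor: it models the three vRouters (IT-vROUTER01, HR-vROUTER02, SHAER-vROUTER03) with the RD, vpn-target and directly connected prefixes taken from the configuration above, and shows which prefixes each VRF routing table ends up with after `import-route direct` and RT matching. The simulation logic itself is a hypothetical model of the process, not a reimplementation of the device.

```python
"""Model of vrf-lite route leaking via route-distinguisher and vpn-target.

Constructed example: VRF names, RDs, RTs and prefixes are taken from the
page's configuration; the export/import logic is a hypothetical model.
"""
from dataclasses import dataclass, field


@dataclass
class VpnInstance:
    name: str
    rd: str                     # route-distinguisher, keeps overlapping prefixes distinct
    export_rt: set               # vpn-target ... export-extcommunity
    import_rt: set               # vpn-target ... import-extcommunity
    direct: set                  # directly connected prefixes (import-route direct)
    table: set = field(default_factory=set)


def export_vpn_routes(vrfs):
    """Each VRF's direct routes become VPNv4 routes keyed by RD:prefix and
    tagged with that VRF's export route targets."""
    return [(f"{v.rd}:{p}", p, frozenset(v.export_rt), v.name)
            for v in vrfs for p in sorted(v.direct)]


def import_vpn_routes(vrfs, vpnv4):
    """A VRF installs a VPNv4 route when at least one attached RT matches its
    import list; routes from other VRFs with no matching RT stay invisible."""
    for v in vrfs:
        v.table = set(v.direct)
        for _key, prefix, rts, origin in vpnv4:
            if origin != v.name and rts & v.import_rt:
                v.table.add(prefix)
    return {v.name: sorted(v.table) for v in vrfs}


def build_tables():
    """Section 2/3 design: IT and HR each reach SHARE, but not each other."""
    vrfs = [
        VpnInstance("IT-vROUTER01", "10:10", {"1:1"}, {"9:9"},
                    {"192.168.10.0/24", "192.168.11.0/24"}),
        VpnInstance("HR-vROUTER02", "20:20", {"2:2"}, {"9:9"},
                    {"192.168.20.0/24", "192.168.21.0/24"}),
        VpnInstance("SHAER-vROUTER03", "99:99", {"9:9"}, {"1:1", "2:2"},
                    {"192.168.99.0/24"}),
    ]
    return import_vpn_routes(vrfs, export_vpn_routes(vrfs))


if __name__ == "__main__":
    for name, routes in build_tables().items():
        print(f"{name}: {routes}")
```

Swapping the HR-vROUTER02 import target to 1:1 in the model reproduces a common misconfiguration: HR would then see the IT subnets directly, which is exactly what the separate 1:1/2:2/9:9 targets are there to prevent.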