1. Switch Layer 2 VLAN isolation, router Layer 3 routing isolation
![Figure 1: Chapter 7 Firewall virtual system isolation, 7.1 Virtual network isolation (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片32-1-1024x598.png)
1) Switch Layer 2 VLAN isolation, router Layer 3 physical-interface isolation
(1) SW1 configuration
vlan batch 10 11 20 21
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet0/0/11
port link-type access
port default vlan 10
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11
interface GigabitEthernet0/0/12
port link-type access
port default vlan 11
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
interface GigabitEthernet0/0/13
port link-type access
port default vlan 20
interface GigabitEthernet0/0/4
port link-type access
port default vlan 21
interface GigabitEthernet0/0/14
port link-type access
port default vlan 21
(2) R1 configuration
# Create the virtual routers
ip vpn-instance IT-vROUTER01
ipv4-family
ip vpn-instance HR-vROUTER02
ipv4-family
# Bind interfaces to the virtual routers
interface GigabitEthernet0/0/1
ip binding vpn-instance IT-vROUTER01
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/0/2
ip binding vpn-instance IT-vROUTER01
ip address 192.168.11.254 255.255.255.0
# Display the routing table of the virtual router
display ip routing-table vpn-instance IT-vROUTER01
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.10.0/24 Direct 0 0 D 192.168.10.254 GigabitEthernet0/0/1
192.168.11.0/24 Direct 0 0 D 192.168.11.254 GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
ip binding vpn-instance HR-vROUTER02
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/0/0
ip binding vpn-instance HR-vROUTER02
ip address 192.168.11.254 255.255.255.0
# Display the routing table of the virtual router (same subnets as IT-vROUTER01, but in a separate table)
display ip routing-table vpn-instance HR-vROUTER02
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.10.0/24 Direct 0 0 D 192.168.10.254 GigabitEthernet0/0/3
192.168.11.0/24 Direct 0 0 D 192.168.11.254 GigabitEthernet0/0/0
# ACL approach: isolates the data plane but not the routing table, so the subnets cannot be planned separately and must be designed as one merged address space.
2. VRF isolation
![Figure 2: Chapter 7 Firewall virtual system isolation, 7.1 Virtual network isolation (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片33-1-1024x641.png)
1) VPN-instance, a virtual routing instance (creates an independent vRouter): not only is the traffic isolated, the routing tables are isolated as well. When two isolated networks (Layer 2 VLAN / Layer 3 VPN-instance) must both reach a shared services network, the network has to be designed as a whole; the Layer 3 isolation is provided by VPN-instance / VRF technology.
# Routes can be imported and exported between the routing tables of different VPN-instances (VRF-lite); the following parameters are set in each vRouter:
(1) RD (Route Distinguisher), format xx:xx (e.g. 1:1, 2:2, 10:10), serving as the vRouter ID.
Different virtual routers are told apart by their vRouter-ID (RD) values.
(2) vpn-target (RT, route target), format xx:xx (e.g. 1:1, 2:2, 10:10).
Determines which tag routes carry when they are exported from a vpn-instance.
(3) Enable BGP to exchange routes (VPN routing table: route import/export).
2) Create the virtual router
ip vpn-instance SHAER-vROUTER03
ipv4-family
3) Bind interfaces to the virtual routers
interface Ethernet0/0/0
ip binding vpn-instance SHAER-vROUTER03
ip address 192.168.99.254 255.255.255.0
interface GigabitEthernet0/0/3
ip binding vpn-instance HR-vROUTER02
ip address 192.168.20.254 255.255.255.0
interface GigabitEthernet0/0/0
ip binding vpn-instance HR-vROUTER02
ip address 192.168.21.254 255.255.255.0
4) Configure the RD values
ip vpn-instance IT-vROUTER01
ipv4-family
route-distinguisher 10:10
ip vpn-instance HR-vROUTER02
ipv4-family
route-distinguisher 20:20
ip vpn-instance SHAER-vROUTER03
ipv4-family
route-distinguisher 99:99
5) Set the vpn-target (route target) values
ip vpn-instance IT-vROUTER01
ipv4-family
route-distinguisher 10:10
vpn-target 1:1 export-extcommunity
vpn-target 9:9 import-extcommunity
ip vpn-instance HR-vROUTER02
ipv4-family
route-distinguisher 20:20
vpn-target 2:2 export-extcommunity
vpn-target 9:9 import-extcommunity
ip vpn-instance SHAER-vROUTER03
ipv4-family
route-distinguisher 99:99
vpn-target 9:9 export-extcommunity
vpn-target 1:1 import-extcommunity
vpn-target 2:2 import-extcommunity
6) Configure BGP
bgp 65001
ipv4-family vpn-instance IT-vROUTER01
import-route direct
ipv4-family vpn-instance HR-vROUTER02
import-route direct
ipv4-family vpn-instance SHAER-vROUTER03
import-route direct
3. Shared server access from isolated networks
![Figure 3: Chapter 7 Firewall virtual system isolation, 7.1 Virtual network isolation (大赛人网)](https://www.dsrw.com/wp-content/uploads/2023/09/图片34-1-1024x540.png)
1) Create the VLANs
# VLAN 20 is included here because Vlanif20 is bound to HR-vROUTER02 below
vlan batch 10 to 11 20 to 21 99
interface GigabitEthernet0/0/9
port link-type access
port default vlan 99
2) Create the VRFs
ip vpn-instance IT-vROUTER01
ipv4-family
route-distinguisher 10:10
vpn-target 1:1 export-extcommunity
vpn-target 9:9 import-extcommunity
ip vpn-instance HR-vROUTER02
ipv4-family
route-distinguisher 20:20
vpn-target 2:2 export-extcommunity
vpn-target 9:9 import-extcommunity
ip vpn-instance SHAER-vROUTER03
ipv4-family
route-distinguisher 99:99
vpn-target 9:9 export-extcommunity
vpn-target 1:1 import-extcommunity
vpn-target 2:2 import-extcommunity
3) Bind the VLAN interfaces to the virtual routers
interface Vlanif10
ip binding vpn-instance IT-vROUTER01
ip address 192.168.10.254 255.255.255.0
interface Vlanif11
ip binding vpn-instance IT-vROUTER01
ip address 192.168.11.254 255.255.255.0
interface Vlanif20
ip binding vpn-instance HR-vROUTER02
ip address 192.168.20.254 255.255.255.0
interface Vlanif21
ip binding vpn-instance HR-vROUTER02
ip address 192.168.21.254 255.255.255.0
interface Vlanif99
ip binding vpn-instance SHAER-vROUTER03
ip address 192.168.99.254 255.255.255.0
4) Configure BGP
bgp 65001
ipv4-family vpn-instance IT-vROUTER01
import-route direct
ipv4-family vpn-instance HR-vROUTER02
import-route direct
ipv4-family vpn-instance SHAER-vROUTER03
import-route direct
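The vpn-target import/export logic that steps 4)-6) of section 2 and steps 2)-4) of section 3 configure, as an added Python model that is not part of the original page: it takes the three vpn-instances with their route-distinguisher and vpn-target values exactly as written above, tags each VRF's direct routes with its export targets, and computes which prefixes every VRF ends up importing. The `Vrf` class, the `VRFS` table and the `check_isolation` helper are assumptions of this example; VPNv4 routes are keyed RD:prefix, which is also why the overlapping 192.168.10.0/24 of section 1 can exist in two VRFs at once.

```python
# Added example (not from the original page): model of VRF-lite route
# import/export. A route exported from a VRF carries that VRF's export
# vpn-targets; another VRF imports it when one tag is in its import list.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str                 # route-distinguisher
    export_rt: set          # vpn-target ... export-extcommunity
    import_rt: set          # vpn-target ... import-extcommunity
    direct: list = field(default_factory=list)  # connected prefixes

# vpn-instance parameters exactly as in steps 4) and 5) of the page
VRFS = {
    "IT-vROUTER01": Vrf("IT-vROUTER01", "10:10", {"1:1"}, {"9:9"},
                        ["192.168.10.0/24", "192.168.11.0/24"]),
    "HR-vROUTER02": Vrf("HR-vROUTER02", "20:20", {"2:2"}, {"9:9"},
                        ["192.168.20.0/24", "192.168.21.0/24"]),
    "SHAER-vROUTER03": Vrf("SHAER-vROUTER03", "99:99", {"9:9"}, {"1:1", "2:2"},
                           ["192.168.99.0/24"]),
}

def bgp_vpnv4_table(vrfs):
    """'import-route direct' in each ipv4-family vpn-instance: every connected
    prefix becomes a VPNv4 route keyed RD:prefix, tagged with its export RTs."""
    table = {}
    for v in vrfs.values():
        for prefix in v.direct:
            table[f"{v.rd}:{prefix}"] = (v.name, prefix, frozenset(v.export_rt))
    return table

def routing_table(vrf, vpnv4):
    """Prefixes visible in one VRF: own direct routes plus every VPNv4 route
    whose tags intersect this VRF's import-extcommunity list."""
    seen = set(vrf.direct)
    for src, prefix, rts in vpnv4.values():
        if src != vrf.name and rts & vrf.import_rt:
            seen.add(prefix)
    return sorted(seen)

def check_isolation(vrfs, a, b):
    """Defender's check: True when VRF a learns none of VRF b's prefixes."""
    vpnv4 = bgp_vpnv4_table(vrfs)
    return not set(routing_table(vrfs[a], vpnv4)) & set(vrfs[b].direct)

if __name__ == "__main__":
    for name, v in VRFS.items():
        print(name, routing_table(v, bgp_vpnv4_table(VRFS)))
```

With these targets IT and HR each see only their own subnets plus 192.168.99.0/24, while the shared VRF sees both; the check function is the property to re-verify whenever a vpn-target line is changed.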