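Requirement:
Enable communication between local VRFs, and between the local VRFs and the global routing table for Internet access.
Topology:
pc1/pc2----(vrf)S7506E----firewall---internet
1. LAN side: pc1 and pc2 belong to different VLANs and connect directly to the S7506 switch; each VLAN interface is bound to a different VPN instance.
2. Uplink: connects directly to the firewall through a VLAN interface, with a default route whose next hop is the firewall's interface address.
pc1 10.10.118.2, gateway: 7506 interface Vlan 1118
pc2 10.10.119.2, gateway: 7506 interface Vlan 1119
fw 10.10.10.1 ---- 7506 10.10.10.4
Configuration: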
interface Vlan-interface1118
ip binding vpn-instance v1118
ip address 10.10.118.1 255.255.255.0
interface Vlan-interface1119
ip binding vpn-instance v1119
ip address 10.10.119.1 255.255.255.0
[BJTNIDC-R005-S7506E-12.11]dis ip int b
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address VPN instance Description
Loop0 up up(s) 10.10.10.203 -- --
MGE1/0/0/0 up up 10.10.12.11 -- --
MGE1/0/0/1 down down -- -- --
Vlan10 up up 10.10.10.4 -- to_FW
Vlan1118 up up 10.10.118.1 v1118 --
Vlan1119 up up 10.10.119.1 v1119 --
interface Vlan-interface10
description to_FW
ip address 10.10.10.4 255.255.255.248
ip route-static 0.0.0.0 0 10.10.10.1 description to_Internet
ip route-static 10.10.118.0 24 Vlan-interface1118
ip route-static 10.10.119.0 24 Vlan-interface1119
ip route-static vpn-instance v1119 0.0.0.0 0 10.10.10.1 public
ip route-static vpn-instance v1118 0.0.0.0 0 10.10.10.1 public
Check the routing table information:
[BJTNIDC-R005-S7506E-12.11]dis ip routing-table vpn-instance v1118
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 Vlan10
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.10.118.0/24 Direct 0 0 10.10.118.1 Vlan1118
10.10.118.0/32 Direct 0 0 10.10.118.1 Vlan1118
10.10.118.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.118.255/32 Direct 0 0 10.10.118.1 Vlan1118
10.10.119.0/24 Static 60 0 0.0.0.0 Vlan1119
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
------------------------
[BJTNIDC-R005-S7506E-12.11]dis ip routing-table vpn-instance v1119
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 0.0.0.0 Vlan10
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.10.118.0/24 Static 60 0 0.0.0.0 Vlan1118
10.10.119.0/24 Direct 0 0 10.10.119.1 Vlan1119
10.10.119.0/32 Direct 0 0 10.10.119.1 Vlan1119
10.10.119.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.119.255/32 Direct 0 0 10.10.119.1 Vlan1119
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
----------------------------------------------
[BJTNIDC-R005-S7506E-12.11]dis ip routing-table
Destinations : 107 Routes : 107
Destination/Mask Proto Pre Cost NextHop Interface
10.10.116.0/24 Direct 0 0 10.10.116.1 Vlan1116
10.10.116.0/32 Direct 0 0 10.10.116.1 Vlan1116
10.10.116.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.116.255/32 Direct 0 0 10.10.116.1 Vlan1116
10.10.117.0/24 Direct 0 0 10.10.117.1 Vlan1117
10.10.117.0/32 Direct 0 0 10.10.117.1 Vlan1117
10.10.117.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.117.255/32 Direct 0 0 10.10.117.1 Vlan1117
0.0.0.0/0 Static 60 0 10.10.10.1 Vlan10
10.10.118.0/24 Static 60 0 0.0.0.0 Vlan1118
10.10.119.0/24 Static 60 0 0.0.0.0 Vlan1119
Verification:
[BJTNIDC-R005-S7506E-12.11]ping -vpn-instance v1118 10.10.10.1
Ping 10.10.10.1 (10.10.10.1): 56 data bytes, press CTRL_C to break
Request time out
Request time out
(0)
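Best answer
The outbound routes are correct, but the routes in the global routing table that point into the VPN instances are configured incorrectly.
ip route-static 10.10.118.0 24 vpn-instance v1118 x.x.x.x // next hop on the internal network
ip route-static 10.10.119.0 24 vpn-instance v1119 x.x.x.x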
(0)
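If each instance has 250 virtual machines under it, do I need to configure 250 static routes? That would be far too much configuration.
If it's this cumbersome, you might as well remove the VPN.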
(0)
To isolate internal tenants, I want to do it by binding VRFs at layer 3, so I need to use VPN instances.
H3C switches can use route replication to connect the routes.
ip vpn-instance mgmt
route-distinguisher 1000:1
#
address-family ipv4
route-replicate from vpn-instance mgmt2 protocol direct
#
ip vpn-instance mgmt2
route-distinguisher 1000:2
#
address-family ipv4
route-replicate from vpn-instance mgmt protocol direct
(2)
It seems pointing to the gateway doesn't work; it has to point to the host IP.
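
Added example, not part of the original posts: a small Python audit that reads Comware-style configuration text, lists every place where routing tables are joined (static routes with `public`, static routes with a destination `vpn-instance`, and `route-replicate`), and flags static routes that exit through an interface bound to a different table, the pattern the best answer points at. The function name `audit` and the merged sample are constructed for illustration, and only the command forms shown in this thread are parsed.

```python
import re

# Constructed sample: configuration lines posted in this thread, merged into one text.
SAMPLE = """\
interface Vlan-interface1118
 ip binding vpn-instance v1118
interface Vlan-interface1119
 ip binding vpn-instance v1119
ip route-static 10.10.118.0 24 Vlan-interface1118
ip route-static vpn-instance v1118 0.0.0.0 0 10.10.10.1 public
ip route-static 10.10.119.0 24 vpn-instance v1119 x.x.x.x
ip vpn-instance mgmt
 address-family ipv4
  route-replicate from vpn-instance mgmt2 protocol direct
"""

STATIC = re.compile(r"ip route-static (?:vpn-instance (\S+) )?(\S+) (\S+) (.+)")

def audit(config):
    """Return (leaks, suspects): leaks are (table, reachable_table, how) edges;
    suspects are static routes that exit via an interface bound to another table."""
    bind, leaks, suspects, iface, vrf = {}, set(), [], None, None
    lines = [l.strip() for l in config.splitlines()]
    for l in lines:                      # pass 1: interface -> VPN instance bindings
        if l.startswith("interface "):
            iface = l.split()[1]
        elif l.startswith("ip binding vpn-instance ") and iface:
            bind[iface] = l.split()[-1]
    for l in lines:                      # pass 2: places where tables are joined
        if l.startswith("ip vpn-instance "):
            vrf = l.split()[-1]
        m = re.match(r"route-replicate from vpn-instance (\S+)", l)
        if m and vrf:
            leaks.add((vrf, m.group(1), "route-replicate"))
        m = STATIC.match(l)
        if not m:
            continue
        table, rest = m.group(1) or "public", m.group(4).split()
        dest = m.group(2) + "/" + m.group(3)
        if rest[0] == "vpn-instance":    # next hop resolved in another VPN instance
            leaks.add((table, rest[1], "static " + dest))
        elif rest[1:2] == ["public"]:    # next hop resolved in the global table
            leaks.add((table, "public", "static " + dest))
        elif bind.get(rest[0], table) != table:
            suspects.append(l)           # exits via an interface bound elsewhere
    return leaks, suspects

if __name__ == "__main__":
    found, odd = audit(SAMPLE)
    print(sorted(found)); print(odd)
```

Comparing the returned edges with the intended tenant-isolation policy shows whether a `route-replicate` or leaked static route joins tables that were meant to stay separate.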