• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

F1060防火墙IPV6多VPN实例ISIS典型组网配置案例

2020-04-04 发表
  • 0关注 ,303浏览
粉丝: 关注:

组网及说明


组网说明:

本案例采用H3C HCL模拟器的F1060防火墙来模拟IPV6VPN实例ISIS典型组网配置。为了实现业务的相互隔离,需要将不同的业务绑定到不同的VPN实例中进行业务的互通,因此在本案例引入多实例VPN,将相关的业务进行捆绑。FW1FW2采用路由模式,FW1FW2的互联使用trunk,允许VLAN 400 VLAN 500通过,最终建立多VPN实例ISIS邻居关系,宣告业务网段,使得相同VPN实例的业务能互通,不同VPN实例的业务不能互通。

 

VPN实例规划如下:

VPN实例名称

RD

RT

业务类型

备注

vpn-rt

100:1

100:1

实时业务

 

vpn-nrt

200:1

200:1

非实时业务

 

 

 

 

 

 

 

IP地址规划如下:

设备名称

接口/VLAN

IPV4/IPV6地址

IPV4/IPV6地址位数

所属VPN实例

备注

FW1

VLAN 400

1::1

64

vpn-rt

互联

VLAN 500

1::1

64

vpn-nrt

互联

Loopback 10

2::1

64

vpn-rt

模拟业务

Loopback 20

3::1

64

vpn-nrt

模拟业务

Loopback 0

1.1.1.1

32

vpn-rt

作为vpn-rt router-id

Loopback 1

2.2.2.2

32

vpn-nrt

作为vpn-nrt router-id

FW2

VLAN 400

1::2

64

vpn-rt

互联

VLAN 500

1::2

64

vpn-nrt

互联

Loopback 10

4::1

64

vpn-rt

模拟业务

Loopback 20

5::1

64

vpn-nrt

模拟业务

Loopback 0

3.3.3.3

32

vpn-rt

作为vpn-rt router-id

Loopback 1

4.4.4.4

32

vpn-nrt

作为vpn-nrt router-id

配置步骤

FW1

sys

System View: return to User View with Ctrl+Z.

[H3C]sysname FW1

#创建VPN实例,指定RD值、RT值

[FW1]ip vpn-instance vpn-rt

[FW1-vpn-instance-vpn-rt]route-distinguisher 100:1

[FW1-vpn-instance-vpn-rt]vpn-target 100:1

[FW1-vpn-instance-vpn-rt]quit

[FW1]ip vpn-instance vpn-nrt

[FW1-vpn-instance-vpn-nrt]route-distinguisher 200:1

[FW1-vpn-instance-vpn-nrt]vpn-target 200:1

[FW1-vpn-instance-vpn-nrt]quit

[FW1]acl ipv6 basic 2001

[FW1-acl-ipv6-basic-2001]rule 0 permit source any

[FW1-acl-ipv6-basic-2001]rule 1 permit source any vpn-instance vpn-rt

[FW1-acl-ipv6-basic-2001]rule 2 permit source any vpn-instance vpn-nrt

[FW1-acl-ipv6-basic-2001]quit

[FW1]zone-pair security source trust destination untrust

[FW1-zone-pair-security-Trust-Untrust]packet-filter ipv6 2001

[FW1-zone-pair-security-Trust-Untrust]quit

[FW1]zone-pair security source untrust destination trust

[FW1-zone-pair-security-Untrust-Trust]packet-filter ipv6 2001

[FW1-zone-pair-security-Untrust-Trust]quit

[FW1]zone-pair security source trust destination local

[FW1-zone-pair-security-Trust-Local]packet-filter ipv6 2001

[FW1-zone-pair-security-Trust-Local]quit

[FW1]zone-pair security source local destination trust

[FW1-zone-pair-security-Local-Trust]packet-filter ipv6 2001

[FW1-zone-pair-security-Local-Trust]quit

[FW1]zone-pair security source untrust destination local

[FW1-zone-pair-security-Untrust-Local]packet-filter ipv6 2001

[FW1-zone-pair-security-Untrust-Local]quit

[FW1]zone-pair security source local destination untrust

[FW1-zone-pair-security-Local-Untrust]packet-filter ipv6 2001

[FW1-zone-pair-security-Local-Untrust]quit

[FW1]zone-pair security source trust destination trust

[FW1-zone-pair-security-Trust-Trust]packet-filter ipv6 2001

[FW1-zone-pair-security-Trust-Trust]quit

[FW1]zone-pair security source untrust destination untrust

[FW1-zone-pair-security-Untrust-Untrust]packet-filter ipv6 2001

[FW1-zone-pair-security-Untrust-Untrust]quit

[FW1]vlan 400

[FW1-vlan400]quit

[FW1]vlan 500

[FW1-vlan500]quit

[FW1]int vlan 400

[FW1-Vlan-interface400]ip binding vpn-instance vpn-rt  //将VLAN绑定到VPN实例

[FW1-Vlan-interface400]des

[FW1-Vlan-interface400]ipv6 address 1::1 64

[FW1-Vlan-interface400]quit

[FW1]int vlan 500

[FW1-Vlan-interface500]ip binding vpn-instance vpn-nrt

[FW1-Vlan-interface500]des

[FW1-Vlan-interface500]ipv6 address 1::1 64

[FW1-Vlan-interface500]quit

[FW1]int gi 1/0/2

[FW1-GigabitEthernet1/0/2]port link-mode bridge

[FW1-GigabitEthernet1/0/2]port link-type trunk

[FW1-GigabitEthernet1/0/2]undo port trunk permit vlan 1

[FW1-GigabitEthernet1/0/2]port trunk permit vlan 400 500

[FW1-GigabitEthernet1/0/2]quit

[FW1]int loopback 10

[FW1-LoopBack10]ip binding vpn-instance vpn-rt

[FW1-LoopBack10]ipv6 address 2::1 64

[FW1-LoopBack10]quit

[FW1]int loopback 20

[FW1-LoopBack20]ip binding vpn-instance vpn-nrt

[FW1-LoopBack20]ipv6 address 3::1 64

[FW1-LoopBack20]quit

[FW1]int loopback 0

[FW1-LoopBack0]ip binding vpn-instance vpn-rt

[FW1-LoopBack0]ip address 1.1.1.1 32

[FW1-LoopBack0]quit

[FW1]int loopback 1

[FW1-LoopBack1]ip binding vpn-instance vpn-nrt

[FW1-LoopBack1]ip address 2.2.2.2 32

[FW1-LoopBack1]quit

[FW1]security-zone name Untrust

[FW1-security-zone-Untrust]import interface LoopBack 0

[FW1-security-zone-Untrust]import interface LoopBack 1

[FW1-security-zone-Untrust]import interface vlan 400

[FW1-security-zone-Untrust]import interface vlan 500

[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 400 500

[FW1-security-zone-Untrust]quit

[FW1]security-zone name Trust

[FW1-security-zone-Trust]import interface LoopBack 10

[FW1-security-zone-Trust]import interface LoopBack 20

[FW1-security-zone-Trust]quit

[FW1]isis 10 vpn-instance vpn-rt  //将ISIS进程绑定到VPN实例

[FW1-isis-10]network 10.0000.0000.0001.00

[FW1-isis-10]is-level level-1

[FW1-isis-10]address-family ipv6 unicast

[FW1-isis-10-ipv6]import-route direct

[FW1-isis-10-ipv6]quit

[FW1-isis-10]quit

[FW1]isis 20 vpn-instance vpn-nrt

[FW1-isis-20]network-entity 10.0000.0000.0001.00

[FW1-isis-20]is-level level-1

[FW1-isis-20]address-family ipv6 unicast

[FW1-isis-20-ipv6]import-route direct

[FW1-isis-20-ipv6]quit

[FW1-isis-20]quit

[FW1]int LoopBack 10

[FW1-LoopBack10]isis ipv6 enable 10

[FW1-LoopBack10]quit

[FW1]int vlan 400

[FW1-Vlan-interface400]isis ipv6 enable 10

[FW1-Vlan-interface400]quit

[FW1]int loopback 20

[FW1-LoopBack20]isis ipv6 enable 20

[FW1-LoopBack20]quit

[FW1]int vlan 500

[FW1-Vlan-interface500]isis ipv6 enable 20

[FW1-Vlan-interface500]quit

 

FW2

sys

System View: return to User View with Ctrl+Z.

[H3C]sysname FW2

[FW2]ip vpn-instance vpn-rt

[FW2-vpn-instance-vpn-rt]route-distinguisher 100:1

[FW2-vpn-instance-vpn-rt]vpn-target 100:1

[FW2-vpn-instance-vpn-rt]quit

[FW2]ip vpn-instance vpn-nrt

[FW2-vpn-instance-vpn-nrt]route-distinguisher 200:1

[FW2-vpn-instance-vpn-nrt]vpn-target 200:1

[FW2-vpn-instance-vpn-nrt]quit

[FW2]acl ipv6 basic 2001

[FW2-acl-ipv6-basic-2001]rule 0 permit source any

[FW2-acl-ipv6-basic-2001]rule 1 permit source any vpn-instance vpn-rt

[FW2-acl-ipv6-basic-2001]rule 2 permit source any vpn-instance vpn-nrt

[FW2-acl-ipv6-basic-2001]quit

[FW2]zone-pair security source trust destination untrust

[FW2-zone-pair-security-Trust-Untrust]packet-filter ipv6 2001

[FW2-zone-pair-security-Trust-Untrust]quit

[FW2]zone-pair security source untrust destination trust

[FW2-zone-pair-security-Untrust-Trust]packet-filter ipv6 2001

[FW2-zone-pair-security-Untrust-Trust]quit

[FW2]zone-pair security source trust destination local

[FW2-zone-pair-security-Trust-Local]packet-filter ipv6 2001

[FW2-zone-pair-security-Trust-Local]quit

[FW2]zone-pair security source local destination trust

[FW2-zone-pair-security-Local-Trust]packet-filter ipv6 2001

[FW2-zone-pair-security-Local-Trust]quit

[FW2]zone-pair security source untrust destination local

[FW2-zone-pair-security-Untrust-Local]packet-filter ipv6 2001

[FW2-zone-pair-security-Untrust-Local]quit

[FW2]zone-pair security source local destination untrust

[FW2-zone-pair-security-Local-Untrust]packet-filter ipv6 2001

[FW2-zone-pair-security-Local-Untrust]quit

[FW2]zone-pair security source trust destination trust

[FW2-zone-pair-security-Trust-Trust]packet-filter ipv6 2001

[FW2-zone-pair-security-Trust-Trust]quit

[FW2]zone-pair security source untrust destination untrust

[FW2-zone-pair-security-Untrust-Untrust]packet-filter ipv6 2001

[FW2-zone-pair-security-Untrust-Untrust]quit

[FW2]vlan 400

[FW2-vlan400]quit

[FW2]vlan 500

[FW2-vlan500]quit

[FW2]int vlan 400

[FW2-Vlan-interface400]ip binding vpn-instance vpn-rt

Some configurations on the interface are removed.

[FW2-Vlan-interface400]des

[FW2-Vlan-interface400]ipv6 address 1::2 64

[FW2-Vlan-interface400]quit

[FW2]int vlan 500

[FW2-Vlan-interface500]ip binding vpn-instance vpn-nrt

Some configurations on the interface are removed.

[FW2-Vlan-interface500]des

[FW2-Vlan-interface500]ipv6 address 1::2 64

[FW2-Vlan-interface500]quit

[FW2]int LoopBack 10

[FW2-LoopBack10]ip binding vpn-instance vpn-rt

Some configurations on the interface are removed.

[FW2-LoopBack10]ipv6 address 4::1 64

[FW2-LoopBack10]quit

[FW2]int loopback 20

[FW2-LoopBack20]ip binding vpn-instance vpn-nrt

Some configurations on the interface are removed.

[FW2-LoopBack20]ipv6 address 5::1 64

[FW2-LoopBack20]quit

[FW2]int loopback 0

[FW2-LoopBack0]ip binding vpn-instance vpn-rt

Some configurations on the interface are removed.

[FW2-LoopBack0]ip address 3.3.3.3 32

[FW2-LoopBack0]quit

[FW2]int loopback 1

[FW2-LoopBack1]ip binding vpn-instance vpn-nrt

Some configurations on the interface are removed.

[FW2-LoopBack1]ip address 4.4.4.4 32

[FW2-LoopBack1]quit

[FW2]int gi 1/0/2

[FW2-GigabitEthernet1/0/2]port link-mode bridge

[FW2-GigabitEthernet1/0/2]des

[FW2-GigabitEthernet1/0/2]port link-type trunk

[FW2-GigabitEthernet1/0/2]undo port trunk permit vlan 1

[FW2-GigabitEthernet1/0/2]port trunk permit vlan 400 500

[FW2-GigabitEthernet1/0/2]quit

[FW2]security-zone name Trust

[FW2-security-zone-Trust]import interface LoopBack 10

[FW2-security-zone-Trust]import interface LoopBack 20

[FW2-security-zone-Trust]quit

[FW2]security-zone name Untrust

[FW2-security-zone-Untrust]import interface LoopBack 0

[FW2-security-zone-Untrust]import interface LoopBack 1

[FW2-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 400 500

[FW2-security-zone-Untrust]import interface vlan 400

[FW2-security-zone-Untrust]import interface vlan 500

[FW2-security-zone-Untrust]quit

[FW2]isis 10 vpn-instance vpn-rt

[FW2-isis-10]network-entity 10.0000.0000.0002.00

[FW2-isis-10]is-level level-1

[FW2-isis-10]address-family ipv6 unicast

[FW2-isis-10-ipv6]import-route direct

[FW2-isis-10-ipv6]quit

[FW2-isis-10]quit

[FW2]isis 20 vpn-instance vpn-nrt

[FW2-isis-20]network-entity 10.0000.0000.0002.00

[FW2-isis-20]is-level level-1

[FW2-isis-20]address-family ipv6 unicast

[FW2-isis-20-ipv6]import-route direct

[FW2-isis-20-ipv6]quit

[FW2-isis-20]quit

[FW2]int loopback 10

[FW2-LoopBack10]isis ipv6 enable 10

[FW2-LoopBack10]quit

[FW2]int vlan 400

[FW2-Vlan-interface400]isis ipv6 enable 10

[FW2-Vlan-interface400]quit

[FW2]int loopback 20

[FW2-LoopBack20]isis ipv6 enable 20

[FW2-LoopBack20]quit

[FW2]int vlan 500

[FW2-Vlan-interface500]isis ipv6 enable 20

[FW2-Vlan-interface500]quit

 

测试:

FW1使用loopback 10作为源,带VPNPINGFW2loopback 10PING不通FW2loopback 20





FW1使用loopback 20作为源,带VPNPINGFW2loopback20PING不通FW2loopback 10





FW2使用loopback 10作为源,带VPNPINGFW1loopback 10PING不通FW1loopback 20





FW2使用loopback 20作为源,带VPNPINGFW1loopback20PING不通FW1loopback 10





根据测试结果得知,相同VPN实例内的业务可以互通,不同VPN实例内的业务不能互通,达到了隔离的效果。

 

查看FW1ISIS邻居信息:



查看FW2ISIS邻居信息:



 

查看FW1 IPV6 VPN实例路由表:





查看FW2 IPV6 VPN实例的路由表:





 

至此,F1060 IPV6VPN实例ISIS典型组网配置案例。

 

 

配置关键点


0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作