F1060防火墙IPV6多VPN实例ISIS典型组网配置案例

组网说明：

本案例采用H3C HCL模拟器的F1060防火墙来模拟IPV6多VPN实例ISIS典型组网配置。为了实现业务的相互隔离，需要将不同的业务绑定到不同的VPN实例中进行业务的互通，因此在本案例引入多实例VPN，将相关的业务进行捆绑。FW1与FW2采用路由模式，FW1与FW2的互联使用trunk，允许VLAN 400 VLAN 500通过，最终建立多VPN实例ISIS邻居关系，宣告业务网段，使得相同VPN实例的业务能互通，不同VPN实例的业务不能互通。

VPN实例规划如下：

IP地址规划如下：

FW1：

sys

System View: return to User View with Ctrl+Z.

[H3C]sysname FW1

#创建VPN实例，指定RD值、RT值

[FW1]ip vpn-instance vpn-rt

[FW1-vpn-instance-vpn-rt]route-distinguisher 100:1

[FW1-vpn-instance-vpn-rt]vpn-target 100:1

[FW1-vpn-instance-vpn-rt]quit

[FW1]ip vpn-instance vpn-nrt

[FW1-vpn-instance-vpn-nrt]route-distinguisher 200:1

[FW1-vpn-instance-vpn-nrt]vpn-target 200:1

[FW1-vpn-instance-vpn-nrt]quit

[FW1]acl ipv6 basic 2001

[FW1-acl-ipv6-basic-2001]rule 0 permit source any

[FW1-acl-ipv6-basic-2001]rule 1 permit source any vpn-instance vpn-rt

[FW1-acl-ipv6-basic-2001]rule 2 permit source any vpn-instance vpn-nrt

[FW1-acl-ipv6-basic-2001]quit

[FW1]zone-pair security source trust destination untrust

[FW1-zone-pair-security-Trust-Untrust]packet-filter ipv6 2001

[FW1-zone-pair-security-Trust-Untrust]quit

[FW1]zone-pair security source untrust destination trust

[FW1-zone-pair-security-Untrust-Trust]packet-filter ipv6 2001

[FW1-zone-pair-security-Untrust-Trust]quit

[FW1]zone-pair security source trust destination local

[FW1-zone-pair-security-Trust-Local]packet-filter ipv6 2001

[FW1-zone-pair-security-Trust-Local]quit

[FW1]zone-pair security source local destination trust

[FW1-zone-pair-security-Local-Trust]packet-filter ipv6 2001

[FW1-zone-pair-security-Local-Trust]quit

[FW1]zone-pair security source untrust destination local

[FW1-zone-pair-security-Untrust-Local]packet-filter ipv6 2001

[FW1-zone-pair-security-Untrust-Local]quit

[FW1]zone-pair security source local destination untrust

[FW1-zone-pair-security-Local-Untrust]packet-filter ipv6 2001

[FW1-zone-pair-security-Local-Untrust]quit

[FW1]zone-pair security source trust destination trust

[FW1-zone-pair-security-Trust-Trust]packet-filter ipv6 2001

[FW1-zone-pair-security-Trust-Trust]quit

[FW1]zone-pair security source untrust destination untrust

[FW1-zone-pair-security-Untrust-Untrust]packet-filter ipv6 2001

[FW1-zone-pair-security-Untrust-Untrust]quit

[FW1]vlan 400

[FW1-vlan400]quit

[FW1]vlan 500

[FW1-vlan500]quit

[FW1]int vlan 400

[FW1-Vlan-interface400]ip binding vpn-instance vpn-rt  //将VLAN绑定到VPN实例

[FW1-Vlan-interface400]des

[FW1-Vlan-interface400]ipv6 address 1::1 64

[FW1-Vlan-interface400]quit

[FW1]int vlan 500

[FW1-Vlan-interface500]ip binding vpn-instance vpn-nrt

[FW1-Vlan-interface500]des

[FW1-Vlan-interface500]ipv6 address 1::1 64

[FW1-Vlan-interface500]quit

[FW1]int gi 1/0/2

[FW1-GigabitEthernet1/0/2]port link-mode bridge

[FW1-GigabitEthernet1/0/2]port link-type trunk

[FW1-GigabitEthernet1/0/2]undo port trunk permit vlan 1

[FW1-GigabitEthernet1/0/2]port trunk permit vlan 400 500

[FW1-GigabitEthernet1/0/2]quit

[FW1]int loopback 10

[FW1-LoopBack10]ip binding vpn-instance vpn-rt

[FW1-LoopBack10]ipv6 address 2::1 64

[FW1-LoopBack10]quit

[FW1]int loopback 20

[FW1-LoopBack20]ip binding vpn-instance vpn-nrt

[FW1-LoopBack20]ipv6 address 3::1 64

[FW1-LoopBack20]quit

[FW1]int loopback 0

[FW1-LoopBack0]ip binding vpn-instance vpn-rt

[FW1-LoopBack0]ip address 1.1.1.1 32

[FW1-LoopBack0]quit

[FW1]int loopback 1

[FW1-LoopBack1]ip binding vpn-instance vpn-nrt

[FW1-LoopBack1]ip address 2.2.2.2 32

[FW1-LoopBack1]quit

[FW1]security-zone name Untrust

[FW1-security-zone-Untrust]import interface LoopBack 0

[FW1-security-zone-Untrust]import interface LoopBack 1

[FW1-security-zone-Untrust]import interface vlan 400

[FW1-security-zone-Untrust]import interface vlan 500

[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 400 500

[FW1-security-zone-Untrust]quit

[FW1]security-zone name Trust

[FW1-security-zone-Trust]import interface LoopBack 10

[FW1-security-zone-Trust]import interface LoopBack 20

[FW1-security-zone-Trust]quit

[FW1]isis 10 vpn-instance vpn-rt  //将ISIS进程绑定到VPN实例

[FW1-isis-10]network 10.0000.0000.0001.00

[FW1-isis-10]is-level level-1

[FW1-isis-10]address-family ipv6 unicast

[FW1-isis-10-ipv6]import-route direct

[FW1-isis-10-ipv6]quit

[FW1-isis-10]quit

[FW1]isis 20 vpn-instance vpn-nrt

[FW1-isis-20]network-entity 10.0000.0000.0001.00

[FW1-isis-20]is-level level-1

[FW1-isis-20]address-family ipv6 unicast

[FW1-isis-20-ipv6]import-route direct

[FW1-isis-20-ipv6]quit

[FW1-isis-20]quit

[FW1]int LoopBack 10

[FW1-LoopBack10]isis ipv6 enable 10

[FW1-LoopBack10]quit

[FW1]int vlan 400

[FW1-Vlan-interface400]isis ipv6 enable 10

[FW1-Vlan-interface400]quit

[FW1]int loopback 20

[FW1-LoopBack20]isis ipv6 enable 20

[FW1-LoopBack20]quit

[FW1]int vlan 500

[FW1-Vlan-interface500]isis ipv6 enable 20

[FW1-Vlan-interface500]quit

FW2：

sys

System View: return to User View with Ctrl+Z.

[H3C]sysname FW2

[FW2]ip vpn-instance vpn-rt

[FW2-vpn-instance-vpn-rt]route-distinguisher 100:1

[FW2-vpn-instance-vpn-rt]vpn-target 100:1

[FW2-vpn-instance-vpn-rt]quit

[FW2]ip vpn-instance vpn-nrt

[FW2-vpn-instance-vpn-nrt]route-distinguisher 200:1

[FW2-vpn-instance-vpn-nrt]vpn-target 200:1

[FW2-vpn-instance-vpn-nrt]quit

[FW2]acl ipv6 basic 2001

[FW2-acl-ipv6-basic-2001]rule 0 permit source any

[FW2-acl-ipv6-basic-2001]rule 1 permit source any vpn-instance vpn-rt

[FW2-acl-ipv6-basic-2001]rule 2 permit source any vpn-instance vpn-nrt

[FW2-acl-ipv6-basic-2001]quit

[FW2]zone-pair security source trust destination untrust

[FW2-zone-pair-security-Trust-Untrust]packet-filter ipv6 2001

[FW2-zone-pair-security-Trust-Untrust]quit

[FW2]zone-pair security source untrust destination trust

[FW2-zone-pair-security-Untrust-Trust]packet-filter ipv6 2001

[FW2-zone-pair-security-Untrust-Trust]quit

[FW2]zone-pair security source trust destination local

[FW2-zone-pair-security-Trust-Local]packet-filter ipv6 2001

[FW2-zone-pair-security-Trust-Local]quit

[FW2]zone-pair security source local destination trust

[FW2-zone-pair-security-Local-Trust]packet-filter ipv6 2001

[FW2-zone-pair-security-Local-Trust]quit

[FW2]zone-pair security source untrust destination local

[FW2-zone-pair-security-Untrust-Local]packet-filter ipv6 2001

[FW2-zone-pair-security-Untrust-Local]quit

[FW2]zone-pair security source local destination untrust

[FW2-zone-pair-security-Local-Untrust]packet-filter ipv6 2001

[FW2-zone-pair-security-Local-Untrust]quit

[FW2]zone-pair security source trust destination trust

[FW2-zone-pair-security-Trust-Trust]packet-filter ipv6 2001

[FW2-zone-pair-security-Trust-Trust]quit

[FW2]zone-pair security source untrust destination untrust

[FW2-zone-pair-security-Untrust-Untrust]packet-filter ipv6 2001

[FW2-zone-pair-security-Untrust-Untrust]quit

[FW2]vlan 400

[FW2-vlan400]quit

[FW2]vlan 500

[FW2-vlan500]quit

[FW2]int vlan 400

[FW2-Vlan-interface400]ip binding vpn-instance vpn-rt

Some configurations on the interface are removed.

[FW2-Vlan-interface400]des

[FW2-Vlan-interface400]ipv6 address 1::2 64

[FW2-Vlan-interface400]quit

[FW2]int vlan 500

[FW2-Vlan-interface500]ip binding vpn-instance vpn-nrt

Some configurations on the interface are removed.

[FW2-Vlan-interface500]des

[FW2-Vlan-interface500]ipv6 address 1::2 64

[FW2-Vlan-interface500]quit

[FW2]int LoopBack 10

[FW2-LoopBack10]ip binding vpn-instance vpn-rt

Some configurations on the interface are removed.

[FW2-LoopBack10]ipv6 address 4::1 64

[FW2-LoopBack10]quit

[FW2]int loopback 20

[FW2-LoopBack20]ip binding vpn-instance vpn-nrt

Some configurations on the interface are removed.

[FW2-LoopBack20]ipv6 address 5::1 64

[FW2-LoopBack20]quit

[FW2]int loopback 0

[FW2-LoopBack0]ip binding vpn-instance vpn-rt

Some configurations on the interface are removed.

[FW2-LoopBack0]ip address 3.3.3.3 32

[FW2-LoopBack0]quit

[FW2]int loopback 1

[FW2-LoopBack1]ip binding vpn-instance vpn-nrt

Some configurations on the interface are removed.

[FW2-LoopBack1]ip address 4.4.4.4 32

[FW2-LoopBack1]quit

[FW2]int gi 1/0/2

[FW2-GigabitEthernet1/0/2]port link-mode bridge

[FW2-GigabitEthernet1/0/2]des

[FW2-GigabitEthernet1/0/2]port link-type trunk

[FW2-GigabitEthernet1/0/2]undo port trunk permit vlan 1

[FW2-GigabitEthernet1/0/2]port trunk permit vlan 400 500

[FW2-GigabitEthernet1/0/2]quit

[FW2]security-zone name Trust

[FW2-security-zone-Trust]import interface LoopBack 10

[FW2-security-zone-Trust]import interface LoopBack 20

[FW2-security-zone-Trust]quit

[FW2]security-zone name Untrust

[FW2-security-zone-Untrust]import interface LoopBack 0

[FW2-security-zone-Untrust]import interface LoopBack 1

[FW2-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 400 500

[FW2-security-zone-Untrust]import interface vlan 400

[FW2-security-zone-Untrust]import interface vlan 500

[FW2-security-zone-Untrust]quit

[FW2]isis 10 vpn-instance vpn-rt

[FW2-isis-10]network-entity 10.0000.0000.0002.00

[FW2-isis-10]is-level level-1

[FW2-isis-10]address-family ipv6 unicast

[FW2-isis-10-ipv6]import-route direct

[FW2-isis-10-ipv6]quit

[FW2-isis-10]quit

[FW2]isis 20 vpn-instance vpn-nrt

[FW2-isis-20]network-entity 10.0000.0000.0002.00

[FW2-isis-20]is-level level-1

[FW2-isis-20]address-family ipv6 unicast

[FW2-isis-20-ipv6]import-route direct

[FW2-isis-20-ipv6]quit

[FW2-isis-20]quit

[FW2]int loopback 10

[FW2-LoopBack10]isis ipv6 enable 10

[FW2-LoopBack10]quit

[FW2]int vlan 400

[FW2-Vlan-interface400]isis ipv6 enable 10

[FW2-Vlan-interface400]quit

[FW2]int loopback 20

[FW2-LoopBack20]isis ipv6 enable 20

[FW2-LoopBack20]quit

[FW2]int vlan 500

[FW2-Vlan-interface500]isis ipv6 enable 20

[FW2-Vlan-interface500]quit

测试：

在FW1使用loopback 10作为源，带VPN能PING通FW2的loopback 10，PING不通FW2的loopback 20：

在FW1使用loopback 20作为源，带VPN能PING通FW2的loopback20，PING不通FW2的loopback 10：

在FW2使用loopback 10作为源，带VPN能PING通FW1的loopback 10，PING不通FW1的loopback 20：

在FW2使用loopback 20作为源，带VPN能PING通FW1的loopback20，PING不通FW1的loopback 10：

根据测试结果得知，相同VPN实例内的业务可以互通，不同VPN实例内的业务不能互通，达到了隔离的效果。

查看FW1的ISIS邻居信息：

查看FW2的ISIS邻居信息：

查看FW1 IPV6 VPN实例路由表：

查看FW2 IPV6 VPN实例的路由表：

至此，F1060 IPV6多VPN实例ISIS典型组网配置案例。