FW interface g1/0/1 connects to the carrier network and belongs to the default public instance (the default VRF). g1/0/2, g1/0/3 and g1/0/4 serve as the gateways for internal VLAN 2, VLAN 3 and VLAN 4 respectively. g1/0/2 belongs to the public instance and can reach the carrier network; g1/0/3 belongs to vrf3 and g1/0/4 belongs to vrf4, and for now neither of them can reach the carrier network.
Requirement: use route replication so that the public instance, vrf3 and vrf4 can reach each other, vrf3 can reach the carrier network, and vrf4 cannot reach the carrier network.
Configuration approach:
1.
2.
3.
4.
5.
I. Basic environment configuration:
#Create vrf3
#
ip vpn-instance vrf3
#
#Create vrf4
ip vpn-instance vrf4
#
#Configure g1/0/0 to connect to the carrier network, with source NAT (nat outbound) on the interface
interface GigabitEthernet1/0/0
port link-mode route
ip address 200.0.0.1 255.255.255.0
nat outbound
#
#Configure g1/0/2 as the gateway for internal subnet 10.0.12.0/24
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 10.0.12.1 255.255.255.0
#
#Configure g1/0/3 to belong to vrf3 and act as the gateway for internal subnet 10.0.13.0/24
interface GigabitEthernet1/0/3
port link-mode route
ip binding vpn-instance vrf3
ip address 10.0.13.1 255.255.255.0
#
#Configure g1/0/4 to belong to vrf4 and act as the gateway for internal subnet 10.0.14.0/24
interface GigabitEthernet1/0/4
port link-mode route
ip binding vpn-instance vrf4
ip address 10.0.14.1 255.255.255.0
#
#Configure the default route in the public instance pointing to the carrier network
#
ip route-static 0.0.0.0 0 200.0.0.254
#
II. Verifying the basic environment
1. Display the routing table of the public instance
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 200.0.0.254 GE1/0/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.0/24 Direct 0 0 10.0.12.1 GE1/0/2
10.0.12.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.255/32 Direct 0 0 10.0.12.1 GE1/0/2
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.0/24 Direct 0 0 200.0.0.1 GE1/0/0
200.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.255/32 Direct 0 0 200.0.0.1 GE1/0/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
2. Display the routing table of instance vrf3
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.13.0/24 Direct 0 0 10.0.13.1 GE1/0/3
10.0.13.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.13.255/32 Direct 0 0 10.0.13.1 GE1/0/3
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
3. Display the routing table of instance vrf4
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.14.0/24 Direct 0 0 10.0.14.1 GE1/0/4
10.0.14.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.14.255/32 Direct 0 0 10.0.14.1 GE1/0/4
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
III. Route replication configuration
1.
#Configure the public instance to import the direct routes of vrf3 and vrf4
#
ip public-instance
#
address-family ipv4
route-replicate from vpn-instance vrf3 protocol direct
route-replicate from vpn-instance vrf4 protocol direct
#
2.
#Configure vrf3 to import the direct routes and static routes of the public instance
#
ip vpn-instance vrf3
#
address-family ipv4
route-replicate from public protocol direct
route-replicate from public protocol static
#
3. Use route replication to import the public instance's routes other than the default route into vrf4, and create route-policy public2vrf4 to filter out the public instance's default route and any other routes that are not needed
#Configure IP prefix list 2vrf4 to match the default route that is to be filtered
#
ip prefix-list 2vrf4 index 10 permit 0.0.0.0 0
#
#Configure route-policy public2vrf4: node 10 rejects the default route; so that other static routes added to the public instance later can still be imported, add a permit-all node 20 (node 20 is not required for the current requirement)
#
route-policy public2vrf4 deny node 10
if-match ip address prefix-list 2vrf4
#
route-policy public2vrf4 permit node 20
#
#Configure vrf4 to import the public instance's direct routes, and its static routes as filtered by route-policy public2vrf4
#
ip vpn-instance vrf4
#
address-family ipv4
route-replicate from public protocol direct
route-replicate from public protocol static route-policy public2vrf4
#
4.
#
ip vpn-instance vrf3
#
address-family ipv4
route-replicate from vpn-instance vrf4 protocol direct
#
ip vpn-instance vrf4
#
address-family ipv4
route-replicate from vpn-instance vrf3 protocol direct
#
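As an added example (not part of the original case), here is a small Python model of the route-replicate behaviour configured in III.1 to III.4: each instance's table is rebuilt from the interface addresses above, replication copies one protocol's routes into the target without overriding prefixes the target already holds (that dedup rule is an assumption of the model), and route-policy public2vrf4 is modelled as a filter function. Running it reproduces the 20 / 20 / 19 destination counts shown in section IV and confirms that vrf4 ends up without 0.0.0.0/0, which is what keeps it off the carrier network.

```python
from ipaddress import ip_network

COMMON = {p: ("Direct", nh, ifc) for p, nh, ifc in [  # loopback/multicast entries, 7 per instance
    ("0.0.0.0/32", "127.0.0.1", "InLoop0"), ("127.0.0.0/8", "127.0.0.1", "InLoop0"),
    ("127.0.0.1/32", "127.0.0.1", "InLoop0"), ("127.255.255.255/32", "127.0.0.1", "InLoop0"),
    ("224.0.0.0/4", "0.0.0.0", "NULL0"), ("224.0.0.0/24", "0.0.0.0", "NULL0"),
    ("255.255.255.255/32", "127.0.0.1", "InLoop0")]}

def interface_routes(addr, iface):
    """Direct routes a /24 interface address produces: subnet, host route, broadcast."""
    net = ip_network(f"{addr}/24", strict=False)
    return {str(net): ("Direct", addr, iface),
            f"{addr}/32": ("Direct", "127.0.0.1", "InLoop0"),
            f"{net.broadcast_address}/32": ("Direct", addr, iface)}

def base_tables():
    """Constructed tables before replication: 14 / 10 / 10 routes, as in section II."""
    public = dict(COMMON, **interface_routes("200.0.0.1", "GE1/0/0"),
                  **interface_routes("10.0.12.1", "GE1/0/2"))
    public["0.0.0.0/0"] = ("Static", "200.0.0.254", "GE1/0/0")
    return {"public": public,
            "vrf3": dict(COMMON, **interface_routes("10.0.13.1", "GE1/0/3")),
            "vrf4": dict(COMMON, **interface_routes("10.0.14.1", "GE1/0/4"))}

def route_policy_public2vrf4(prefix):
    """Node 10 denies what prefix-list 2vrf4 matches (permit 0.0.0.0 0, i.e. only the
    default route); node 20 then permits everything else."""
    return ip_network(prefix) != ip_network("0.0.0.0/0")

def route_replicate(tables, to, src, protocol, policy=None):
    """Model of 'route-replicate from <src> protocol <protocol> [route-policy]' in <to>.
    Assumption: a prefix the target already holds is left as is (its own route wins)."""
    for prefix, route in tables[src].items():
        if route[0].lower() != protocol or prefix in tables[to]:
            continue
        if policy is None or policy(prefix):
            tables[to][prefix] = route

CASE_CONFIG = [  # (target, source, protocol, route-policy) in the order of sections III.1 to III.4
    ("public", "vrf3", "direct", None), ("public", "vrf4", "direct", None),
    ("vrf3", "public", "direct", None), ("vrf3", "public", "static", None),
    ("vrf4", "public", "direct", None), ("vrf4", "public", "static", route_policy_public2vrf4),
    ("vrf3", "vrf4", "direct", None), ("vrf4", "vrf3", "direct", None)]

def apply_case_config():
    """Return the three tables after replication; expect 20 / 20 / 19 destinations."""
    tables = base_tables()
    for args in CASE_CONFIG:
        route_replicate(tables, *args)
    return tables
```

The check worth keeping in a change procedure is the last one: after every edit to the route-policy, confirm that 0.0.0.0/0 is still absent from vrf4, since a permit node that precedes the deny node would silently restore carrier reachability.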
IV. Verifying the result
1. Display the routing table of the public instance
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 200.0.0.254 GE1/0/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.0/24 Direct 0 0 10.0.12.1 GE1/0/2
10.0.12.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.255/32 Direct 0 0 10.0.12.1 GE1/0/2
10.0.13.0/24 Direct 0 0 10.0.13.1 GE1/0/3
10.0.13.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.13.255/32 Direct 0 0 10.0.13.1 GE1/0/3
10.0.14.0/24 Direct 0 0 10.0.14.1 GE1/0/4
10.0.14.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.14.255/32 Direct 0 0 10.0.14.1 GE1/0/4
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.0/24 Direct 0 0 200.0.0.1 GE1/0/0
200.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.255/32 Direct 0 0 200.0.0.1 GE1/0/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
2. Display the routing table of vrf3
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 200.0.0.254 GE1/0/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.0/24 Direct 0 0 10.0.12.1 GE1/0/2
10.0.12.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.255/32 Direct 0 0 10.0.12.1 GE1/0/2
10.0.13.0/24 Direct 0 0 10.0.13.1 GE1/0/3
10.0.13.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.13.255/32 Direct 0 0 10.0.13.1 GE1/0/3
10.0.14.0/24 Direct 0 0 10.0.14.1 GE1/0/4
10.0.14.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.14.255/32 Direct 0 0 10.0.14.1 GE1/0/4
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.0/24 Direct 0 0 200.0.0.1 GE1/0/0
200.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.255/32 Direct 0 0 200.0.0.1 GE1/0/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
3. Display the routing table of vrf4
Destinations : 19 Routes : 19
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.0/24 Direct 0 0 10.0.12.1 GE1/0/2
10.0.12.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.12.255/32 Direct 0 0 10.0.12.1 GE1/0/2
10.0.13.0/24 Direct 0 0 10.0.13.1 GE1/0/3
10.0.13.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.13.255/32 Direct 0 0 10.0.13.1 GE1/0/3
10.0.14.0/24 Direct 0 0 10.0.14.1 GE1/0/4
10.0.14.1/32 Direct 0 0 127.0.0.1 InLoop0
10.0.14.255/32 Direct 0 0 10.0.14.1 GE1/0/4
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.0/24 Direct 0 0 200.0.0.1 GE1/0/0
200.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
200.0.0.255/32 Direct 0 0 200.0.0.1 GE1/0/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
4.
[FW1]ping 10.0.13.1
Ping 10.0.13.1 (10.0.13.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.0.13.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.0.13.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[FW1]%Jan 12 21:14:06:283 2022 FW1 PING/6/PING_STATISTICS: -COntext=1; Ping statistics for 10.0.13.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.
[FW1]
[FW1]ping 10.0.14.1
Ping 10.0.14.1 (10.0.14.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.0.14.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.0.14.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.0.14.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.0.14.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.0.14.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.0.14.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[FW1]%Jan 12 21:14:13:601 2022 FW1 PING/6/PING_STATISTICS: -COntext=1; Ping statistics for 10.0.14.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.
[FW1]ping -vpn-instance vrf3 10.0.12.1
Ping 10.0.12.1 (10.0.12.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.0.12.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 10.0.12.1 in VPN instance vrf3 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[FW1]%Jan 12 21:14:26:086 2022 FW1 PING/6/PING_VPN_STATISTICS: -COntext=1; Ping statistics for 10.0.12.1 in VPN instance vrf3: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
[FW1]
[FW1]ping -vpn-instance vrf3 10.0.14.1
Ping 10.0.14.1 (10.0.14.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.0.14.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.0.14.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.0.14.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.0.14.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.0.14.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.0.14.1 in VPN instance vrf3 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms
[FW1]%Jan 12 21:14:29:590 2022 FW1 PING/6/PING_VPN_STATISTICS: -COntext=1; Ping statistics for 10.0.14.1 in VPN instance vrf3: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms.
[FW1]ping -vpn-instance vrf4 10.0.12.1
Ping 10.0.12.1 (10.0.12.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.0.12.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.0.12.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.0.12.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.0.12.1 in VPN instance vrf4 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[FW1]%Jan 12 21:14:36:760 2022 FW1 PING/6/PING_VPN_STATISTICS: -COntext=1; Ping statistics for 10.0.12.1 in VPN instance vrf4: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
[FW1]
[FW1]ping -vpn-instance vrf4 10.0.13.1
Ping 10.0.13.1 (10.0.13.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.0.13.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.0.13.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.0.13.1 in VPN instance vrf4 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[FW1]%Jan 12 21:14:40:502 2022 FW1 PING/6/PING_VPN_STATISTICS: -COntext=1; Ping statistics for 10.0.13.1 in VPN instance vrf4: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.
Step three: use route replication to import the public instance's routes other than the default route into vrf4, and create route-policy public2vrf4 to filter out the public instance's default route and any other routes that are not needed
"..将public实例中默认路由以外路由引入.." (import the public instance's routes other than the default route): I suggest adding two more characters so the meaning is clearer:
"..将public实例中除默认路由以外的路由引入.." (import the public instance's routes except for the default route)
"Add another permit-all node 20 (node 20 is not required for the current requirement)": detailed to this level, thumbs up.
The port shown as G0/0 on the outside of the simulator firewall should be G1/0/0 when viewed with display inside the device, not G1/0/1.
The meaning is still understandable, but this label is indeed wrong.