FW1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW1
#创建VPN实例,配置RT值、RD值
[FW1]ip vpn-instance vpn-rt
[FW1-vpn-instance-vpn-rt]route-distinguisher 100:1
[FW1-vpn-instance-vpn-rt]vpn-target 100:1
[FW1-vpn-instance-vpn-rt]quit
[FW1]ip vpn-instance vpn-nrt
[FW1-vpn-instance-vpn-nrt]route-distinguisher 200:1
[FW1-vpn-instance-vpn-nrt]vpn-target 200:1
[FW1-vpn-instance-vpn-nrt]quit
[FW1]acl basic 2000
[FW1-acl-ipv4-basic-2000]rule 0 permit source any
[FW1-acl-ipv4-basic-2000]rule 1 permit source any vpn-instance vpn-rt
[FW1-acl-ipv4-basic-2000]rule 2 permit source any vpn-instance vpn-nrt
[FW1-acl-ipv4-basic-2000]quit
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]
[FW1]zone-pair security source trust destination local
[FW1-zone-pair-security-Trust-Local]packet-filter 2000
[FW1-zone-pair-security-Trust-Local]quit
[FW1]
[FW1]zone-pair security source local destination trust
[FW1-zone-pair-security-Local-Trust]packet-filter 2000
[FW1-zone-pair-security-Local-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]packet-filter 2000
[FW1-zone-pair-security-Untrust-Local]quit
[FW1]
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]packet-filter 2000
[FW1-zone-pair-security-Local-Untrust]quit
[FW1]
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2000
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2000
[FW1-zone-pair-security-Untrust-Untrust]quit
#创建互联VLAN、业务VLAN
[FW1]vlan 10
[FW1-vlan10]quit
[FW1]vlan 20
[FW1-vlan20]quit
[FW1]vlan 400
[FW1-vlan400]quit
[FW1]vlan 500
[FW1-vlan500]quit
[FW1]int vlan 10
[FW1-Vlan-interface10]ip binding vpn-instance vpn-rt //绑定VPN实例
Some configurations on the interface are removed.
[FW1-Vlan-interface10]ip address 192.168.10.1 24
[FW1-Vlan-interface10]quit
[FW1]int vlan 20
[FW1-Vlan-interface20]ip binding vpn-instance vpn-nrt
Some configurations on the interface are removed.
[FW1-Vlan-interface20]ip address 192.168.20.1 24
[FW1-Vlan-interface20]quit
[FW1]int vlan 400
[FW1-Vlan-interface400]ip binding vpn-instance vpn-rt
Some configurations on the interface are removed.
[FW1-Vlan-interface400]des <connect to FW2_vpn-rt>
[FW1-Vlan-interface400]ip address 10.0.0.1 30
[FW1-Vlan-interface400]quit
[FW1]int vlan 500
[FW1-Vlan-interface500]ip binding vpn-instance vpn-nrt
Some configurations on the interface are removed.
[FW1-Vlan-interface500]des <connect to FW2_vpn-nrt>
[FW1-Vlan-interface500]ip address 10.0.0.1 30
[FW1-Vlan-interface500]quit
[FW1]int gi 1/0/3
[FW1-GigabitEthernet1/0/3]port link-mode bridge
[FW1-GigabitEthernet1/0/3]port link-type access
[FW1-GigabitEthernet1/0/3]port access vlan 10
[FW1-GigabitEthernet1/0/3]quit
[FW1]int gi 1/0/4
[FW1-GigabitEthernet1/0/4]port link-mode bridge
[FW1-GigabitEthernet1/0/4]port link-type access
[FW1-GigabitEthernet1/0/4]port access vlan 20
[FW1-GigabitEthernet1/0/4]quit
[FW1]int gi 1/0/2
[FW1-GigabitEthernet1/0/2]port link-mode bridge
[FW1-GigabitEthernet1/0/2]port link-type trunk
[FW1-GigabitEthernet1/0/2]undo port trunk permit vlan 1
[FW1-GigabitEthernet1/0/2]port trunk permit vlan 400 500
[FW1-GigabitEthernet1/0/2]quit
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface vlan 10
[FW1-security-zone-Trust]import interface vlan 20
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3 vlan 10
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/4 vlan 20
[FW1-security-zone-Trust]quit
[FW1]int loopback 0
[FW1-LoopBack0]ip binding vpn-instance vpn-rt
Some configurations on the interface are removed.
[FW1-LoopBack0]ip address 1.1.1.1 32
[FW1-LoopBack0]quit
[FW1]int loopback 1
[FW1-LoopBack1]ip binding vpn-instance vpn-nrt
Some configurations on the interface are removed.
[FW1-LoopBack1]ip address 2.2.2.2 32
[FW1-LoopBack1]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface LoopBack 0
[FW1-security-zone-Untrust]import interface LoopBack 1
[FW1-security-zone-Untrust]import interface vlan 400
[FW1-security-zone-Untrust]import interface vlan 500
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 400 500
[FW1-security-zone-Untrust]quit
[FW1]ospf 10 vpn-instance vpn-rt router-id 1.1.1.1 //创建OSPF进程,并绑定VPN实例
[FW1-ospf-10]area 0.0.0.0
[FW1-ospf-10-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[FW1-ospf-10-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[FW1-ospf-10-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[FW1-ospf-10-area-0.0.0.0]quit
[FW1-ospf-10]quit
[FW1]ospf 20 vpn-instance vpn-nrt router-id 2.2.2.2
[FW1-ospf-20]area 0.0.0.0
[FW1-ospf-20-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[FW1-ospf-20-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[FW1-ospf-20-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[FW1-ospf-20-area-0.0.0.0]quit
[FW1-ospf-20]quit
FW2:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW2
[FW2]ip vpn-instance vpn-rt
[FW2-vpn-instance-vpn-rt]route-distinguisher 100:1
[FW2-vpn-instance-vpn-rt]vpn-target 100:1
[FW2-vpn-instance-vpn-rt]quit
[FW2]ip vpn-instance vpn-nrt
[FW2-vpn-instance-vpn-nrt]route-distinguisher 200:1
[FW2-vpn-instance-vpn-nrt]vpn-target 200:1
[FW2-vpn-instance-vpn-nrt]quit
[FW2]acl basic 2000
[FW2-acl-ipv4-basic-2000]rule 0 permit source any
[FW2-acl-ipv4-basic-2000]rule 1 permit source any vpn-instance vpn-rt
[FW2-acl-ipv4-basic-2000]rule 2 permit source any vpn-instance vpn-nrt
[FW2-acl-ipv4-basic-2000]quit
[FW2]zone-pair security source trust destination untrust
[FW2-zone-pair-security-Trust-Untrust]packet-filter 2000
[FW2-zone-pair-security-Trust-Untrust]quit
[FW2]
[FW2]zone-pair security source untrust destination trust
[FW2-zone-pair-security-Untrust-Trust]packet-filter 2000
[FW2-zone-pair-security-Untrust-Trust]quit
[FW2]
[FW2]zone-pair security source trust destination local
[FW2-zone-pair-security-Trust-Local]packet-filter 2000
[FW2-zone-pair-security-Trust-Local]quit
[FW2]
[FW2]zone-pair security source local destination trust
[FW2-zone-pair-security-Local-Trust]packet-filter 2000
[FW2-zone-pair-security-Local-Trust]quit
[FW2]
[FW2]zone-pair security source untrust destination local
[FW2-zone-pair-security-Untrust-Local]packet-filter 2000
[FW2-zone-pair-security-Untrust-Local]quit
[FW2]
[FW2]zone-pair security source local destination untrust
[FW2-zone-pair-security-Local-Untrust]packet-filter 2000
[FW2-zone-pair-security-Local-Untrust]quit
[FW2]
[FW2]zone-pair security source trust destination trust
[FW2-zone-pair-security-Trust-Trust]packet-filter 2000
[FW2-zone-pair-security-Trust-Trust]quit
[FW2]
[FW2]zone-pair security source untrust destination untrust
[FW2-zone-pair-security-Untrust-Untrust]packet-filter 2000
[FW2-zone-pair-security-Untrust-Untrust]quit
[FW2]vlan 100
[FW2-vlan100]quit
[FW2]vlan 200
[FW2-vlan200]quit
[FW2]vlan 400
[FW2-vlan400]quit
[FW2]vlan 500
[FW2-vlan500]quit
[FW2]int vlan 100
[FW2-Vlan-interface100]ip binding vpn-instance vpn-rt
Some configurations on the interface are removed.
[FW2-Vlan-interface100]ip address 172.16.10.1 24
[FW2-Vlan-interface100]quit
[FW2]int vlan 200
[FW2-Vlan-interface200]ip binding vpn-instance vpn-nrt
Some configurations on the interface are removed.
[FW2-Vlan-interface200]ip address 172.16.20.1 24
[FW2-Vlan-interface200]quit
[FW2]int vlan 400
[FW2-Vlan-interface400]ip binding vpn-instance vpn-rt
Some configurations on the interface are removed.
[FW2-Vlan-interface400]ip address 10.0.0.2 30
[FW2-Vlan-interface400]des <connect to FW1_vpn-rt>
[FW2-Vlan-interface400]quit
[FW2]int vlan 500
[FW2-Vlan-interface500]ip binding vpn-instance vpn-nrt
Some configurations on the interface are removed.
[FW2-Vlan-interface500]ip address 10.0.0.2 30
[FW2-Vlan-interface500]des <connect to FW1_vpn-nrt>
[FW2-Vlan-interface500]quit
[FW2]int loopback 0
[FW2-LoopBack0]ip binding vpn-instance vpn-rt
Some configurations on the interface are removed.
[FW2-LoopBack0]ip address 3.3.3.3 32
[FW2-LoopBack0]quit
[FW2]int loopback 1
[FW2-LoopBack1]ip binding vpn-instance vpn-nrt
Some configurations on the interface are removed.
[FW2-LoopBack1]ip address 4.4.4.4 32
[FW2-LoopBack1]quit
[FW2]int gi 1/0/3
[FW2-GigabitEthernet1/0/3]port link-mode bridge
[FW2-GigabitEthernet1/0/3]port link-type access
[FW2-GigabitEthernet1/0/3]port access vlan 100
[FW2-GigabitEthernet1/0/3]quit
[FW2]int gi 1/0/4
[FW2-GigabitEthernet1/0/4]port link-mode bridge
[FW2-GigabitEthernet1/0/4]port link-type access
[FW2-GigabitEthernet1/0/4]port access vlan 200
[FW2-GigabitEthernet1/0/4]quit
[FW2]int gi 1/0/2
[FW2-GigabitEthernet1/0/2]port link-mode bridge
[FW2-GigabitEthernet1/0/2]des <connect to FW1>
[FW2-GigabitEthernet1/0/2]port link-type trunk
[FW2-GigabitEthernet1/0/2]undo port trunk permit vlan 1
[FW2-GigabitEthernet1/0/2]port trunk permit vlan 400 500
[FW2-GigabitEthernet1/0/2]quit
[FW2]security-zone name Trust
[FW2-security-zone-Trust]import interface vlan 100
[FW2-security-zone-Trust]import interface vlan 200
[FW2-security-zone-Trust]import interface GigabitEthernet 1/0/3 vlan 100
[FW2-security-zone-Trust]import interface GigabitEthernet 1/0/4 vlan 200
[FW2-security-zone-Trust]quit
[FW2]security-zone name Untrust
[FW2-security-zone-Untrust]import interface LoopBack 0
[FW2-security-zone-Untrust]import interface LoopBack 1
[FW2-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 400 500
[FW2-security-zone-Untrust]import interface vlan 400
[FW2-security-zone-Untrust]import interface vlan 500
[FW2-security-zone-Untrust]quit
[FW2]ospf 10 vpn-instance vpn-rt router-id 3.3.3.3
[FW2-ospf-10]area 0.0.0.0
[FW2-ospf-10-area-0.0.0.0]network 10.0.0.2 0.0.0.0
[FW2-ospf-10-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[FW2-ospf-10-area-0.0.0.0]network 172.16.10.0 0.0.0.255
[FW2-ospf-10-area-0.0.0.0]quit
[FW2-ospf-10]quit
[FW2]ospf 20 vpn-instance vpn-nrt router-id 4.4.4.4
[FW2-ospf-20]area 0.0.0.0
[FW2-ospf-20-area-0.0.0.0]network 10.0.0.2 0.0.0.0
[FW2-ospf-20-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[FW2-ospf-20-area-0.0.0.0]network 172.16.20.0 0.0.0.255
[FW2-ospf-20-area-0.0.0.0]quit
[FW2-ospf-20]quit
PC都填写IP地址:
![](/uploads/t/20200404/15859629808104.png)
![](/uploads/t/20200404/15859629855283.png)
![](/uploads/t/20200404/15859629901430.png)
![](/uploads/t/20200404/15859629958846.png)
相同VPN实例的业务可以互通,不同VPN实例的业务不可以互通:
![](/uploads/t/20200404/15859630069522.png)
![](/uploads/t/20200404/15859630109188.png)
![](/uploads/t/20200404/15859630168443.png)
![](/uploads/t/20200404/15859630212892.png)
查看FW1的OSPF邻居信息:
![](/uploads/t/20200404/15859630309864.png)
查看FW2的OSPF邻居信息:
![](/uploads/t/20200404/15859630401213.png)
查看FW1的VPN实例路由表:
![](/uploads/t/20200404/15859630518211.png)
![](/uploads/t/20200404/15859630569494.png)
查看FW2的VPN实例路由表:
![](/uploads/t/20200404/15859630667228.png)
![](/uploads/t/20200404/15859630713858.png)
至此,F1060多VPN实例OSPF典型组网配置案例已完成!