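Typical configuration example: Layer 2 virtual firewalls on a V7 firewall

Published 2019-05-26

Network diagram and description

As shown in the topology above, the gateway for VLAN 10 is on virtual firewall 1 and the gateway for VLAN 20 is on virtual firewall 2. Both virtual firewalls connect to the upstream switch through VLAN 30.

Configuration steps

On the main firewall, configure service VLANs 10 and 20, and VLAN 30, which interconnects with the egress.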

[F1030-New]vlan 10

[F1030-New-vlan10]qu

[F1030-New]vlan 20

[F1030-New-vlan20]qu

[F1030-New]int vlan 10

[F1030-New-Vlan-interface10]qu

[F1030-New]int vlan 20

[F1030-New-Vlan-interface20]qu

[F1030-New]vlan 30

[F1030-New-vlan30]qu

[F1030-New]int vlan 30

[F1030-New-Vlan-interface30]qu

Enter aggregate interface 1 and permit the service VLANs.

[F1030-New]int Bridge-Aggregation1

[F1030-New-Bridge-Aggregation1]port link-type trunk

[F1030-New-Bridge-Aggregation1]port trunk permit vlan 10 20

Enter aggregate interface 2 and permit the interconnect VLAN.

[F1030-New]int Bridge-Aggregation2

[F1030-New-Bridge-Aggregation2]port link-type trunk

[F1030-New-Bridge-Aggregation2]port trunk permit vlan 30

Create virtual firewall 1 and allocate to it the interfaces, service VLAN 10, and interconnect VLAN 30.

[F1030-New]context 1

[F1030-New-context-24-1]allocate interface Bridge-Aggregation 1 share

[F1030-New-context-24-1]allocate interface Bridge-Aggregation 2 share

[F1030-New-context-24-1]allocate interface Vlan-interface 10 share

[F1030-New-context-24-1]allocate interface Vlan-interface 30 share

[F1030-New-context-14-1]context start

Configure virtual firewall 2 and allocate to it the interfaces, service VLAN 20, and interconnect VLAN 30.

[F1030-New]context 2

[F1030-New-context-24-2]allocate interface Bridge-Aggregation 1 share

[F1030-New-context-24-2]allocate interface Bridge-Aggregation 2 share

[F1030-New-context-24-2]allocate interface Vlan-interface 20 share

[F1030-New-context-24-2]allocate interface Vlan-interface 30 share

[F1030-New-context-14-2]context start

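Then, in system view, use switchto context 1 and switchto context 2 to switch into each virtual firewall and configure it.

Key configuration points

Layer 2 interfaces can only be allocated to a virtual firewall in share mode; a virtual firewall cannot own one exclusively. An attempt at exclusive allocation fails with the following error: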

[F1030-New-context-9-1]allocate int bagg1

Configuration of the interfaces will be lost. Continue? [Y/N]:y

Bridge-Aggregation1 cannot be allocated to a context exclusively.

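Because Layer 2 interfaces are allocated to the virtual firewalls in share mode, a virtual firewall cannot own a VLAN exclusively, so the VLAN interfaces are also shared to the virtual firewalls.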
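
A review check for the allocation steps and the share-mode rule above, added here as an example (it is not H3C code): it parses a saved CLI transcript, flags Layer 2 aggregate interfaces allocated without share, and lists the interfaces visible to more than one virtual firewall. The function names are hypothetical, the transcript is constructed from the commands on this page, and only Bridge-Aggregation (short form bagg) is treated as Layer 2.

```python
import re

# Constructed sample: the page's allocate commands plus the rejected exclusive attempt.
SAMPLE = """\
[F1030-New]context 1
[F1030-New-context-24-1]allocate interface Bridge-Aggregation 1 share
[F1030-New-context-24-1]allocate interface Bridge-Aggregation 2 share
[F1030-New-context-24-1]allocate interface Vlan-interface 10 share
[F1030-New-context-24-1]allocate interface Vlan-interface 30 share
[F1030-New]context 2
[F1030-New-context-24-2]allocate interface Bridge-Aggregation 1 share
[F1030-New-context-24-2]allocate interface Bridge-Aggregation 2 share
[F1030-New-context-24-2]allocate interface Vlan-interface 20 share
[F1030-New-context-24-2]allocate interface Vlan-interface 30 share
[F1030-New]context 1
[F1030-New-context-9-1]allocate int bagg1
"""

ALIASES = {"bagg": "Bridge-Aggregation"}  # short form used on the page
ALLOC = re.compile(r"allocate\s+int\S*\s+([A-Za-z-]+)\s*(\d+)(\s+share)?\s*$")

def parse_allocations(text):
    """Return [(context_id, interface_name, shared)] in transcript order."""
    out, ctx = [], None
    for line in text.splitlines():
        cmd = re.sub(r"^\[[^\]]*\]", "", line.strip())  # drop the CLI prompt
        m = re.fullmatch(r"context\s+(\d+)", cmd)
        if m:
            ctx = int(m.group(1))  # later allocate lines belong to this context
            continue
        m = ALLOC.match(cmd)
        if m and ctx is not None:
            kind = ALIASES.get(m.group(1).lower(), m.group(1))
            out.append((ctx, f"{kind}{m.group(2)}", bool(m.group(3))))
    return out

def audit(text):
    """Find exclusive Layer 2 allocations and interfaces seen by several contexts."""
    exclusive_l2, seen = [], {}
    for ctx, name, shared in parse_allocations(text):
        if name.startswith("Bridge-Aggregation") and not shared:
            exclusive_l2.append((ctx, name))  # the device rejects this form
        elif shared:
            seen.setdefault(name, set()).add(ctx)
    multi = {n: sorted(c) for n, c in seen.items() if len(c) > 1}
    return exclusive_l2, multi

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On this page's configuration the second result names both aggregate interfaces and Vlan-interface30, which are the points where the two virtual firewalls share a path and where the policy in each context deserves review.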