流量路径:1 → 3 → 6 → 3 → 4(in/out 同理:不管是进方向还是出方向的流量,都要从防火墙上经过)
**** 配置时出现 router-id 冲突
1:#
ospf 10
default-route-advertise always
area 0.0.0.0
network 100.1.1.1 0.0.0.0
#
ip unreachables enable
ip ttl-expires enable
#
interface LoopBack0
ip address 100.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
ip address 12.1.1.1 255.255.255.0
ospf 10 area 0.0.0.0
#
interface GigabitEthernet0/1
ip address 13.1.1.1 255.255.255.0
ospf 10 area 0.0.0.0
(R4 同理)
2:#
ip vpn-instance in
#
ip vpn-instance out
#
ospf 1
#
ospf 10 router-id 2.2.2.2 vpn-instance in
description in
area 0.0.0.0
#
ospf 20 router-id 2.2.2.3 vpn-instance out
area 0.0.0.0
#
ip unreachables enable
ip ttl-expires enable
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
ip address 2.2.2.3 255.255.255.255
#
interface GigabitEthernet0/0
ip binding vpn-instance in
ip address 12.1.1.2 255.255.255.0
ospf 10 area 0.0.0.0
#
interface GigabitEthernet0/1
ip binding vpn-instance out
ip address 24.1.1.2 255.255.255.0
ospf 20 area 0.0.0.0
#
interface GigabitEthernet0/2.10
ip binding vpn-instance in
ip address 23.1.1.2 255.255.255.0
ospf 10 area 0.0.0.0
vlan-type dot1q vid 10
#
interface GigabitEthernet0/2.20
ip binding vpn-instance out
ip address 32.1.1.2 255.255.255.0
ospf 20 area 0.0.0.0
vlan-type dot1q vid 20
#
interface GigabitEthernet5/0.10
ip binding vpn-instance in
ip address 25.1.1.2 255.255.255.0
ospf 10 area 0.0.0.0
vlan-type dot1q vid 10
#
interface GigabitEthernet5/0.20
ip binding vpn-instance out
ip address 52.1.1.2 255.255.255.0
ospf 20 area 0.0.0.0
vlan-type dot1q vid 20
(R3 同理)
5:
#
ospf 10 router-id 5.5.5.5
import-route ospf 20
area 0.0.0.0
#
ospf 20 router-id 5.5.5.6
default-route-advertise always
area 0.0.0.0
#
ip unreachables enable
ip ttl-expires enable
#
remote-backup group
(心跳线,主备)
data-channel interface GigabitEthernet1/0/2
configuration sync-check interval 12
local-ip 10.2.1.1
remote-ip 10.2.1.2
device-role primary
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface LoopBack1
ip address 5.5.5.6 255.255.255.255
#
interface GigabitEthernet1/0/0.10
ip address 25.1.1.5 255.255.255.0
ospf 10 area 0.0.0.0
vlan-type dot1q vid 10
#
interface GigabitEthernet1/0/0.20
ip address 52.1.1.5 255.255.255.0
ospf 20 area 0.0.0.0
vlan-type dot1q vid 20
#
interface GigabitEthernet1/0/2
ip address 10.2.1.1 255.255.255.0
#
security-zone name Trust
(划分安全区域)
import interface GigabitEthernet1/0/0.10
#
security-zone name Untrust
import interface GigabitEthernet1/0/0.20
#
security-policy ip
(书写安全规则)
rule 5 name untrust-trust
action pass
(F6 同理。注意:该规则未配置 source-zone/destination-zone 以及源/目的地址、服务等匹配条件,会放行所有流量,仅适合实验环境;实际部署应按需收紧匹配条件。)
以上为本人理解,仅供参考。