需求：核心创建VRF用于隔离各网关，使网关之间无法互相通信。内网防火墙与核心互联的接口配置子接口，其VLAN及地址与核心侧的VRF一一对应。核心与内网防火墙通过设备管理地址建立OSPF邻居。核心的VRF配置默认路由指向隔离防火墙的子接口；隔离防火墙配置指向业务网段的路由，下一跳为核心的VRF互联地址。隔离防火墙将静态路由引入OSPF，核心由此学习到VRF中的业务网段。最终实现流量经过隔离防火墙后返回核心，并在隔离防火墙上通过策略管控内网流量走向。
core:
#
# Core switch. VRF "vlan11" holds the isolated gateway (Vlan-interface11)
# and its /30 interconnect to the firewall (Vlan-interface111). Only
# LoopBack0 and Vlan-interface4000 remain in the global table and run OSPF,
# so the VLAN 11 gateway cannot reach other gateways directly.
#
# VRF that isolates the VLAN 11 gateway from the global routing table.
ip vpn-instance vlan11
#
vlan 11
#
vlan 111
#
vlan 4000
#
# OSPF router-id / global-table loopback.
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
# Isolated business gateway, bound into the VRF.
interface Vlan-interface11
ip binding vpn-instance vlan11
ip address 192.168.11.1 255.255.255.0
#
# VRF-side transit to the FW sub-interface 10.0.0.2 (dot1q vid 111).
interface Vlan-interface111
ip binding vpn-instance vlan11
ip address 10.0.0.1 255.255.255.252
#
# Global-table link to the FW (10.1.0.2); the OSPF adjacency forms here.
# NOTE(review): the requirement text calls this the management address,
# so business return traffic from the FW shares the management VLAN.
interface Vlan-interface4000
ip address 10.1.0.1 255.255.255.0
#
# Trunk toward the firewall.
# NOTE(review): permits VLANs 2-4094, but only 111 and 4000 terminate on a
# FW sub-interface in this listing. Restricting the permit list to the VLANs
# the FW actually uses keeps the isolated VLAN 11 (and any future gateway
# VLAN) from being bridged at layer 2 toward the FW port.
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
combo enable fiber
#
# VRF default route: everything from VLAN 11 leaves via the FW (10.0.0.2),
# where policy is applied.
ip route-static vpn-instance vlan11 0.0.0.0 0 10.0.0.2
#
# Global-table OSPF with the FW over 10.1.0.0/24. The FW's redistributed
# static for 192.168.11.0/24 is learned here (global table, not the VRF),
# which steers return traffic back through the FW.
# NOTE(review): no OSPF authentication is configured on this adjacency;
# interface-level OSPF authentication on Vlan-interface4000 would prevent
# an unauthorised neighbour on VLAN 4000 from injecting routes.
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.0.0 0.0.0.255
FW:
# Firewall. OSPF peers with the core over 10.1.0.0/24 in the global table
# and redistributes static routes so the core learns 192.168.11.0/24 via
# the FW. No security policy is shown in this listing; the requirement
# text expects inter-zone policy here to control VLAN 11 traffic.
# NOTE(review): "import-route static" exports every present and future
# static route into OSPF; limiting it with a route-policy to the business
# prefixes would keep a later-added static from leaking into the core.
# No OSPF authentication is configured on this adjacency either.
ospf 1 router-id 2.2.2.2
import-route static
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.0.0 0.0.0.255
vlan 111
#
vlan 4000
#
# OSPF router-id / loopback.
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
# Transit into core VRF vlan11 (peer 10.0.0.1 on Vlan-interface111).
# NOTE(review): the sub-interface number (.11) does not match its tag
# (vid 111); naming it .4000-style, i.e. .111, would line up with the
# core's Vlan-interface111 and avoid confusion with VLAN 11 itself.
interface GigabitEthernet1/0/1.11
ip address 10.0.0.2 255.255.255.252
vlan-type dot1q vid 111
#
# Global-table transit to the core (10.1.0.1); OSPF adjacency forms here.
interface GigabitEthernet1/0/1.4000
ip address 10.1.0.2 255.255.255.0
vlan-type dot1q vid 4000
#
# Business prefix behind core VRF vlan11, reached through the VRF
# interconnect; picked up by "import-route static" above. Routes from the
# FW to other business segments are not part of this excerpt.
ip route-static 192.168.11.0 24 10.0.0.1