Firewall virtual systems with switch virtual systems (one-armed firewall)

1. Lab topology and design

1) PC1 and PC2 belong to two different departments whose traffic must be kept separate. Two firewall virtual systems provide the separation: each department's traffic is steered into its own virtual system on the firewall and then forwarded on to the router.

2) The switch and the firewall are joined by a link aggregation group that carries four logical interfaces. The interfaces are paired off, one pair per firewall virtual system (VRF_A and VRF_B): on the switch side they are VLANIF interfaces, on the firewall side dot1q sub-interfaces of the Eth-Trunk.

3) Routing plan: OSPF throughout. On the switch, the per-department VPN instances VRF_A and VRF_B are in area 1 and area 2 respectively; on the firewall, the virtual systems VRF_A and VRF_B are likewise in area 1 and area 2. The switch's global routing table (OSPF process 100) is the ABR: its link to the router is in area 0 and its links to the untrust side of the two virtual systems are in area 1 and area 2.

The interface addressing is shown in the topology figure.

2. Switch configuration

Basic configuration

[S1]vlan batch 10 20 17 121 to 124

[S1]ip vpn-instance VRF_A

[S1-vpn-instance-VRF_A]ipv4-family 

[S1]ip vpn-instance VRF_B

[S1-vpn-instance-VRF_B]ipv4-family 

[S1]int Vlanif 17
[S1-Vlanif17]ip add 10.1.17.7 24

#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 17
#

#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#

#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#

Configure the trunk toward the firewall. Allowing all VLANs on the Eth-Trunk is acceptable in the lab; in production, restrict it to the four firewall-facing VLANs (121 to 124) so that the user VLANs are not also carried to the firewall.

[S1]int Eth-Trunk 1

[S1-Eth-Trunk1]mode lacp-static 

[S1-Eth-Trunk1]trunkport g0/0/10

[S1-Eth-Trunk1]trunkport g0/0/11

[S1-Eth-Trunk1]port link-type trunk 

[S1-Eth-Trunk1]port trunk allow-pass vlan all

Bind the user VLANs to their VPN instances

[S1]int Vlanif 10

[S1-Vlanif10]ip binding vpn-instance VRF_A

[S1-Vlanif10]ip add 10.1.10.7 24

[S1]int Vlanif 20

[S1-Vlanif20]ip binding vpn-instance VRF_B

[S1-Vlanif20]ip add 10.1.20.7 24

Configure the interfaces toward the firewall. VLANIF 121 and 123 are bound to VRF_A and VRF_B and face the trust side of the virtual systems; VLANIF 122 and 124 stay in the global routing table and face the untrust side, which is how the switch's global OSPF process reaches the router on behalf of both departments.

[S1]int Vlanif 121

[S1-Vlanif121]ip binding vpn-instance VRF_A

[S1-Vlanif121]ip add 10.1.121.7 24

[S1]int Vlanif 122
[S1-Vlanif122]ip add 10.1.122.7 24

[S1]int Vlanif 123
[S1-Vlanif123]ip binding vpn-instance VRF_B
[S1-Vlanif123]ip add 10.1.123.7 24

[S1]int Vlanif 124
[S1-Vlanif124]ip add 10.1.124.7 24

Configure dynamic routing. Process 100 runs in the global routing table and is the ABR: area 0 toward the router on Vlanif17, area 1 on Vlanif122 and area 2 on Vlanif124. Processes 1 and 2 are bound to VRF_A and VRF_B and take part only in area 1 and area 2, peering with the firewall over Vlanif121 and Vlanif123.

[S1-ospf-100]dis th
#
ospf 100
 area 0.0.0.0
 area 0.0.0.1
 area 0.0.0.2
#

[S1-Vlanif17]dis th
#
interface Vlanif17
 ip address 10.1.17.7 255.255.255.0
 ospf enable 100 area 0.0.0.0
#

[S1-Vlanif122]dis th
#
interface Vlanif122
 ip address 10.1.122.7 255.255.255.0
 ospf enable 100 area 0.0.0.1
#

[S1-Vlanif124]dis th
#
interface Vlanif124
 ip address 10.1.124.7 255.255.255.0
 ospf enable 100 area 0.0.0.2
#

[S1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
 area 0.0.0.1
#

[S1-Vlanif10]dis th
#
interface Vlanif10
 ip binding vpn-instance VRF_A
 ip address 10.1.10.7 255.255.255.0
 ospf enable 1 area 0.0.0.1
#

[S1-Vlanif121]dis th
#
interface Vlanif121
 ip binding vpn-instance VRF_A
 ip address 10.1.121.7 255.255.255.0
 ospf enable 1 area 0.0.0.1
#

[S1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
 area 0.0.0.2

[S1-Vlanif20]dis th
#
interface Vlanif20
 ip binding vpn-instance VRF_B
 ip address 10.1.20.7 255.255.255.0
 ospf enable 2 area 0.0.0.2
#
#

[S1-Vlanif123]dis th
#
interface Vlanif123
 ip binding vpn-instance VRF_B
 ip address 10.1.123.7 255.255.255.0
 ospf enable 2 area 0.0.0.2
#

Consolidated configuration

[S1]dis cu config ospf
#
ospf 1 vpn-instance VRF_A
 area 0.0.0.1
#
ospf 2 vpn-instance VRF_B
 area 0.0.0.2
#
ospf 100
 area 0.0.0.0
 area 0.0.0.1
 area 0.0.0.2
#

[S1]dis cu int vlan
#
interface Vlanif1
#
interface Vlanif10
 ip binding vpn-instance VRF_A
 ip address 10.1.10.7 255.255.255.0
 ospf enable 1 area 0.0.0.1
#
interface Vlanif17
 ip address 10.1.17.7 255.255.255.0
 ospf enable 100 area 0.0.0.0
#
interface Vlanif20
 ip binding vpn-instance VRF_B
 ip address 10.1.20.7 255.255.255.0
 ospf enable 2 area 0.0.0.2
#
interface Vlanif121
 ip binding vpn-instance VRF_A
 ip address 10.1.121.7 255.255.255.0
 ospf enable 1 area 0.0.0.1
#
interface Vlanif122
 ip address 10.1.122.7 255.255.255.0
 ospf enable 100 area 0.0.0.1
#
interface Vlanif123
 ip binding vpn-instance VRF_B
 ip address 10.1.123.7 255.255.255.0
 ospf enable 2 area 0.0.0.2
#
interface Vlanif124
 ip address 10.1.124.7 255.255.255.0
 ospf enable 100 area 0.0.0.2
#

Disable the loop-prevention check. An OSPF process bound to a VPN instance behaves by default as an MPLS L3VPN PE and applies PE-style routing-loop detection (DN bit and route-tag checks) to inter-area and external LSAs. There is no PE in this design, so vpn-instance-capability simple makes the process calculate all LSAs directly; the VRF routing table below shows the inter-area routes learned through the firewall once this is in place.

[S1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
 vpn-instance-capability simple
 area 0.0.0.1
#

[S1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
 vpn-instance-capability simple
 area 0.0.0.2
#

[S1]dis ip routing-table vpn-instance VRF_A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_A
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.1/32  OSPF    10   3           D   10.1.121.12     Vlanif121
      10.1.10.0/24  Direct  0    0           D   10.1.10.7       Vlanif10
      10.1.10.7/32  Direct  0    0           D   127.0.0.1       Vlanif10
      10.1.17.0/24  OSPF    10   3           D   10.1.121.12     Vlanif121
      10.1.20.0/24  OSPF    10   5           D   10.1.121.12     Vlanif121
     10.1.121.0/24  Direct  0    0           D   10.1.121.7      Vlanif121
     10.1.121.7/32  Direct  0    0           D   127.0.0.1       Vlanif121
     10.1.122.0/24  OSPF    10   2           D   10.1.121.12     Vlanif121
     10.1.123.0/24  OSPF    10   4           D   10.1.121.12     Vlanif121
     10.1.124.0/24  OSPF    10   3           D   10.1.121.12     Vlanif121

3. Firewall configuration

[FW1]int Eth-Trunk 1

[FW1-Eth-Trunk1]mode lacp-static 

[FW1-Eth-Trunk1]trunkport g1/0/1

[FW1-Eth-Trunk1]trunkport g1/0/0

[FW1]int Eth-Trunk 1.121

[FW1-Eth-Trunk1.121]vlan-type dot1q 121

[FW1]int Eth-Trunk 1.122

[FW1-Eth-Trunk1.122]vlan-type dot1q 122

[FW1]int Eth-Trunk 1.123

[FW1-Eth-Trunk1.123]vlan-type dot1q 123

[FW1]int Eth-Trunk 1.124

[FW1-Eth-Trunk1.124]vlan-type dot1q 124

Configure the virtual systems

[FW1]vsys enable 

[FW1]vsys name VRF_A

[FW1-vsys-VRF_A]assign interface Eth-Trunk 1.121

[FW1-vsys-VRF_A]assign interface Eth-Trunk 1.122

[FW1]vsys name VRF_B

[FW1-vsys-VRF_B]assign interface Eth-Trunk 1.123

[FW1-vsys-VRF_B]assign interface Eth-Trunk 1.124

Configure the interfaces and security zones inside each virtual system

[FW1]switch vsys VRF_A

[FW1-VRF_A]firewall zone trust 

[FW1-VRF_A-zone-trust]add int Eth-Trunk 1.121

[FW1-VRF_A]firewall zone untrust 

[FW1-VRF_A-zone-untrust]add interface Eth-Trunk 1.122

[FW1-VRF_A]int Eth-Trunk 1.121
[FW1-VRF_A-Eth-Trunk1.121]ip add 10.1.121.12 24

[FW1-VRF_A]int Eth-Trunk 1.122
[FW1-VRF_A-Eth-Trunk1.122]ip add 10.1.122.12 24

[FW1-VRF_A-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
#

The configuration inside VRF_B mirrors that of VRF_A and is omitted here.

Configure dynamic routing. The wildcard 10.1.0.0 0.0.255.255 enables OSPF on every interface of the virtual system that falls inside 10.1.0.0/16; here that is exactly the two sub-interfaces, but per-link statements (10.1.121.0 0.0.0.255 and 10.1.122.0 0.0.0.255) avoid speaking OSPF on any interface added later.

[FW1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255
#

[FW1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
 area 0.0.0.2
  network 10.1.0.0 0.0.255.255
#

Relax the security policy inside the virtual systems (test only). default action permit removes all enforcement; it is taken out again in section 5 when the policies are tightened.

[FW1-VRF_A-policy-security]dis th
2024-06-22 15:20:28.580 
#
security-policy
 default action permit
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
#

[FW1-VRF_B-policy-security]dis th
2024-06-22 15:22:16.300 
#
security-policy
 default action permit
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
#

Disable the loop-prevention check, for the same reason as on the switch

[FW1-ospf-1]dis th
#
ospf 1 vpn-instance VRF_A
 vpn-instance-capability simple
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255
#

[FW1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
 vpn-instance-capability simple
 area 0.0.0.2
  network 10.1.0.0 0.0.255.255
#

[FW1]dis ip routing-table vpn-instance VRF_A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_A
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.1/32  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.10.0/24  OSPF    10   2           D   10.1.121.7      Eth-Trunk1.121
      10.1.17.0/24  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.20.0/24  OSPF    10   4           D   10.1.122.7      Eth-Trunk1.122
     10.1.121.0/24  Direct  0    0           D   10.1.121.12     Eth-Trunk1.121
    10.1.121.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.121
     10.1.122.0/24  Direct  0    0           D   10.1.122.12     Eth-Trunk1.122
    10.1.122.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.122
     10.1.123.0/24  OSPF    10   3           D   10.1.122.7      Eth-Trunk1.122
     10.1.124.0/24  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122

Enable ICMP TTL-exceeded replies, so that the firewall answers tracert probes and appears as a hop

[FW1]icmp ttl-exceeded send 

4. Verification

Directly connected hosts answer ping

<S1>ping -vpn-instance VRF_A 10.1.10.10
  PING 10.1.10.10: 56  data bytes, press CTRL_C to break
    Reply from 10.1.10.10: bytes=56 Sequence=1 ttl=128 time=60 ms
    Reply from 10.1.10.10: bytes=56 Sequence=2 ttl=128 time=30 ms

<S1>ping -vpn-instance VRF_B 10.1.20.10
  PING 10.1.20.10: 56  data bytes, press CTRL_C to break
    Reply from 10.1.20.10: bytes=56 Sequence=1 ttl=128 time=40 ms
    Reply from 10.1.20.10: bytes=56 Sequence=2 ttl=128 time=30 ms

OSPF adjacencies are up

[S1]dis ospf peer brief 

     OSPF Process 1 with Router ID 10.1.10.7
          Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.1          Vlanif121                        10.1.121.12      Full        
 ----------------------------------------------------------------------------

     OSPF Process 2 with Router ID 10.1.20.7
          Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.2          Vlanif123                        10.1.123.12      Full        
 ----------------------------------------------------------------------------

     OSPF Process 100 with Router ID 10.1.17.7
          Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.1          Vlanif122                        10.1.121.12      Full        
 0.0.0.2          Vlanif124                        10.1.123.12      Full        
 ----------------------------------------------------------------------------

[S1]dis ospf interface 

     OSPF Process 1 with Router ID 10.1.10.7
         Interfaces 

 Area: 0.0.0.1        
 IP Address      Type         State    Cost    Pri   DR              BDR 
 10.1.10.7       Broadcast    DR       1       1     10.1.10.7       0.0.0.0
 10.1.121.7      Broadcast    DR       1       1     10.1.121.7      10.1.121.12
 

     OSPF Process 2 with Router ID 10.1.20.7
         Interfaces 

 Area: 0.0.0.2        
 IP Address      Type         State    Cost    Pri   DR              BDR 
 10.1.20.7       Broadcast    DR       1       1     10.1.20.7       0.0.0.0
 10.1.123.7      Broadcast    DR       1       1     10.1.123.7      10.1.123.12
 

     OSPF Process 100 with Router ID 10.1.17.7
         Interfaces 

 Area: 0.0.0.0        
 IP Address      Type         State    Cost    Pri   DR              BDR 
 10.1.17.7       Broadcast    DR       1       1     10.1.17.7       0.0.0.0
 
 Area: 0.0.0.1        
 IP Address      Type         State    Cost    Pri   DR              BDR 
 10.1.122.7      Broadcast    DR       1       1     10.1.122.7      10.1.122.12
 
 Area: 0.0.0.2        
 IP Address      Type         State    Cost    Pri   DR              BDR 
 10.1.124.7      Broadcast    DR       1       1     10.1.124.7      10.1.124.12

Ping and tracert from PC1 to the router loopback

PC>ping 10.1.1.1

Ping 10.1.1.1: 32 data bytes, Press Ctrl_C to break
From 10.1.1.1: bytes=32 seq=1 ttl=252 time=94 ms
From 10.1.1.1: bytes=32 seq=2 ttl=252 time=63 ms

PC>tracert 10.1.1.1

traceroute to 10.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.10.7   31 ms  16 ms  31 ms
 2  10.1.121.12   16 ms  47 ms  47 ms
 3  10.1.122.7   62 ms  63 ms  47 ms
 4  10.1.1.1   78 ms  78 ms  78 ms

Ping and tracert from PC2 to the router loopback

PC>ping 10.1.1.1

Ping 10.1.1.1: 32 data bytes, Press Ctrl_C to break
From 10.1.1.1: bytes=32 seq=1 ttl=252 time=63 ms
From 10.1.1.1: bytes=32 seq=2 ttl=252 time=93 ms

PC>tracert 10.1.1.1

traceroute to 10.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.20.7   16 ms  16 ms  15 ms
 2  10.1.123.12   47 ms  47 ms  47 ms
 3  10.1.124.7   31 ms  78 ms  63 ms
 4  10.1.1.1   78 ms  78 ms  78 ms

5. Remaining problem and how to solve it

The two virtual systems can already reach each other, but through the switch rather than inside the firewall. A tracert from PC1 to PC2 crosses VRF_A (hop 2), the switch's global routing table (hop 3), VRF_B's untrust sub-interface (hop 4) and the switch's VRF_B (hop 5): the global OSPF process joins area 1 and area 2 through area 0, so at this point the separation between the departments rests entirely on the security policies, which are still default-permit.

PC>tracert 10.1.20.10

traceroute to 10.1.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.10.7   15 ms  16 ms  15 ms
 2  10.1.121.12   47 ms  47 ms  47 ms
 3  10.1.122.7   31 ms  78 ms  63 ms
 4  10.1.124.12   78 ms  78 ms  78 ms
 5  10.1.123.7   94 ms  109 ms  110 ms
 6  10.1.20.10   140 ms  110 ms  109 ms

On the firewall, add each virtual system's virtual interface (Virtual-if1 for VRF_A, Virtual-if2 for VRF_B) to that system's untrust zone, and in the root system configure static routes that point each department's subnet at the other virtual system.

[FW1-VRF_A-zone-untrust]add int Virtual-if 1

[FW1-VRF_B-zone-untrust]add int Virtual-if 2

[FW1]ip route-static vpn-instance VRF_A 10.1.20.0 24 vpn-instance VRF_B

[FW1]ip route-static vpn-instance VRF_B 10.1.10.0 24 vpn-instance VRF_A

These static routes do not take effect, however: inside each virtual system the OSPF route to the other department's subnet has preference 10 while a static route has preference 60, so for the same /24 the OSPF route stays active and the static route is never installed. The fix is to keep the Type 3 (inter-area summary) routes out of areas 1 and 2: on the switch's ABR both areas become stub areas with no-summary, so that only a default route is injected, and the stub flag is also set on every other process in those areas (the switch's VRF processes and the firewall's virtual systems), because routers in one area must agree on it or the adjacency does not form. Before the change the VRF_A table still holds the /24 learned over the untrust link:

[FW1]dis ip routing-table vpn-instance VRF_A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_A
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.1/32  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.10.0/24  OSPF    10   2           D   10.1.121.7      Eth-Trunk1.121
      10.1.17.0/24  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.20.0/24  OSPF    10   4           D   10.1.122.7      Eth-Trunk1.122
     10.1.121.0/24  Direct  0    0           D   10.1.121.12     Eth-Trunk1.121
    10.1.121.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.121
     10.1.122.0/24  Direct  0    0           D   10.1.122.12     Eth-Trunk1.122
    10.1.122.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.122
     10.1.123.0/24  OSPF    10   3           D   10.1.122.7      Eth-Trunk1.122
     10.1.124.0/24  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122

[S1-ospf-100-area-0.0.0.1]stub no-summary 

[S1-ospf-100-area-0.0.0.2]stub no-summary 

[S1-ospf-100]dis th
#
ospf 100
 area 0.0.0.0
 area 0.0.0.1
  stub no-summary
 area 0.0.0.2
  stub no-summary
#

[FW1-ospf-1-area-0.0.0.1]stub

[FW1-ospf-1]dis th
2024-06-23 06:16:18.390 
#
ospf 1 vpn-instance VRF_A
 vpn-instance-capability simple
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255
  stub
#

[FW1-ospf-2-area-0.0.0.2]stub

[FW1-ospf-2]dis th
#
ospf 2 vpn-instance VRF_B
 vpn-instance-capability simple
 area 0.0.0.2
  network 10.1.0.0 0.0.255.255
  stub
#

[S1-ospf-1-area-0.0.0.1]stub 

[S1-ospf-2-area-0.0.0.2]stub
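Added example (mine, not from the original post): a Python check that parses the ospf blocks of the switch and firewall configuration shown in sections 2, 3 and 5 and verifies the three things this design depends on: every process bound to a VPN instance has vpn-instance-capability simple; all processes that take part in an area agree on the stub flag (a mismatch prevents the adjacency); and the switch's ABR uses no-summary, since plain stub still lets Type 3 summaries in and the static route would keep losing. The two configuration texts are assembled from the page's display output; FW1_BROKEN and S1_LEAKY are constructed variants that show what the check reports.

```python
"""Added example (not from the original post): check the OSPF consistency this
design relies on across the switch and firewall configuration shown in sections
2, 3 and 5. The two config texts are assembled from the page's display output;
FW1_BROKEN and S1_LEAKY are constructed variants to show what gets reported."""
import re


def parse_ospf_processes(device, config):
    """One dict per `ospf <id> [vpn-instance <vrf>]` block of a VRP config dump."""
    procs, cur, area = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # block terminator in VRP dumps
            cur, area = None, None
        elif line.startswith("ospf "):
            m = re.match(r"ospf (\d+)(?: vpn-instance (\S+))?$", line)
            cur = {"device": device, "pid": int(m.group(1)), "vrf": m.group(2),
                   "simple": False, "areas": {}}
            procs.append(cur)
            area = None
        elif cur is None:
            continue                         # interface blocks and the like
        elif line.startswith("area "):
            area = line.split()[1]
            cur["areas"][area] = {"stub": False, "no_summary": False}
        elif line == "vpn-instance-capability simple":
            cur["simple"] = True
        elif line.startswith("stub") and area is not None:
            cur["areas"][area]["stub"] = True
            cur["areas"][area]["no_summary"] = "no-summary" in line
    return procs


def audit(procs):
    """Return findings as strings; an empty list means the processes are consistent."""
    findings, by_area = [], {}
    for p in procs:
        label = f"{p['device']} ospf {p['pid']}" + (f" ({p['vrf']})" if p["vrf"] else "")
        if p["vrf"] and not p["simple"]:
            findings.append(f"{label}: missing vpn-instance-capability simple, "
                            "PE-style loop detection stays on")
        is_abr = "0.0.0.0" in p["areas"] and len(p["areas"]) > 1
        for area, flags in p["areas"].items():
            by_area.setdefault(area, []).append((label, flags))
            if is_abr and area != "0.0.0.0" and flags["stub"] and not flags["no_summary"]:
                findings.append(f"{label}: area {area} is stub without no-summary, "
                                "Type-3 summaries still reach the virtual systems")
    for area, members in sorted(by_area.items()):
        if len({f["stub"] for _, f in members}) > 1:   # E-bit must agree in Hellos
            detail = ", ".join(f"{l}={'stub' if f['stub'] else 'normal'}" for l, f in members)
            findings.append(f"area {area}: stub flag mismatch ({detail}), adjacency will not form")
    return findings


# Switch and firewall OSPF configuration after the stub change (from the page).
S1_CONFIG = """
ospf 1 vpn-instance VRF_A
 vpn-instance-capability simple
 area 0.0.0.1
  stub
#
ospf 2 vpn-instance VRF_B
 vpn-instance-capability simple
 area 0.0.0.2
  stub
#
ospf 100
 area 0.0.0.0
 area 0.0.0.1
  stub no-summary
 area 0.0.0.2
  stub no-summary
#
"""
FW1_CONFIG = """
ospf 1 vpn-instance VRF_A
 vpn-instance-capability simple
 area 0.0.0.1
  network 10.1.0.0 0.0.255.255
  stub
#
ospf 2 vpn-instance VRF_B
 vpn-instance-capability simple
 area 0.0.0.2
  network 10.1.0.0 0.0.255.255
  stub
#
"""
# Constructed variants: `stub` forgotten on the firewall's ospf 2, and the
# switch ABR making area 1 stub without no-summary.
FW1_BROKEN = FW1_CONFIG.replace(" area 0.0.0.2\n  network 10.1.0.0 0.0.255.255\n  stub",
                                " area 0.0.0.2\n  network 10.1.0.0 0.0.255.255")
S1_LEAKY = S1_CONFIG.replace(" area 0.0.0.1\n  stub no-summary", " area 0.0.0.1\n  stub")

if __name__ == "__main__":
    for name, s1, fw in (("good", S1_CONFIG, FW1_CONFIG), ("broken", S1_CONFIG, FW1_BROKEN),
                         ("leaky", S1_LEAKY, FW1_CONFIG)):
        print(name, audit(parse_ospf_processes("S1", s1) + parse_ospf_processes("FW1", fw)))
```

Run it against the real display current-configuration output of both boxes after every change to the stub settings; the mismatch finding is the one that silently takes an adjacency down.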

With the summaries gone, the only OSPF route left toward the other department is the ABR's default; the more specific 10.1.20.0/24 now comes from the static route via Virtual-if2 and wins on prefix length, while the router loopback is still reached through 0.0.0.0/0:

[FW1]dis ip routing-table vpn-instance VRF_A
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: VRF_A
         Destinations : 7        Routes : 7        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.10.0/24  OSPF    10   2           D   10.1.121.7      Eth-Trunk1.121
      10.1.20.0/24  Static  60   0           D   0.0.0.0         Virtual-if2
     10.1.121.0/24  Direct  0    0           D   10.1.121.12     Eth-Trunk1.121
    10.1.121.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.121
     10.1.122.0/24  Direct  0    0           D   10.1.122.12     Eth-Trunk1.122
    10.1.122.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.122

Inter-department traffic now crosses between the two virtual systems inside the firewall over the virtual interfaces; hop 3 is shown as asterisks because the virtual interfaces carry no IP address.

PC>tracert 10.1.20.10

traceroute to 10.1.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.10.7   15 ms  32 ms  15 ms
 2  10.1.121.12   31 ms  47 ms  16 ms
 3    *  *  *
 4  10.1.123.7   62 ms  47 ms  63 ms
 5    *10.1.20.10   94 ms  93 ms
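Added example (mine, not from the original post): a Python script that parses the two display ip routing-table vpn-instance VRF_A dumps shown above (before and after the stub change), applies the selection rule the router uses (longest prefix, then lowest preference, then lowest cost) and reports whether traffic for the other department stays inside the firewall over a Virtual-if interface or leaves through an uplink sub-interface. The route lines are copied from this page; STATIC_TO_B is a constructed entry that models the static route VRP keeps inactive (and does not display) while the OSPF /24 exists, to show why preference 60 loses to 10. The same parser works on the switch's VRF tables from section 2.

```python
"""Added example (not from the original post): parse the VRP routing tables
shown in this section and check the path a virtual system uses toward the
other department's subnet. Route lines are copied from the page; STATIC_TO_B is
a constructed entry modelling the static route that VRP keeps inactive (and
does not display) while an OSPF route for the same /24 is active."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    pref: int
    cost: int
    nexthop: str
    iface: str


# One route line, e.g.
# "      10.1.20.0/24  OSPF    10   4           D   10.1.122.7      Eth-Trunk1.122"
ROUTE_RE = re.compile(r"^\s*(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+(\S+)\s+(\S+)\s*$")


def parse_routing_table(text):
    """Return the Route entries of a `display ip routing-table` dump; headers are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, proto, pref, cost, nexthop, iface = m.groups()
            routes.append(Route(ipaddress.ip_network(prefix, strict=False),
                                proto, int(pref), int(cost), nexthop, iface))
    return routes


def lookup(routes, dst):
    """Forwarding decision: longest prefix first; for equal prefixes the lowest
    preference (OSPF 10 beats Static 60), then the lowest cost."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.pref, r.cost))


def via_inter_vsys(routes, peer_host):
    """True when traffic to the peer department stays inside the firewall (Virtual-if);
    False when it exits an uplink sub-interface and crosses the switch's global table."""
    best = lookup(routes, peer_host)
    return best is not None and best.iface.startswith("Virtual-if")


# VRF_A on FW1 before the stub change (copied from the page).
BEFORE_FIX = """
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.1/32  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.10.0/24  OSPF    10   2           D   10.1.121.7      Eth-Trunk1.121
      10.1.17.0/24  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.20.0/24  OSPF    10   4           D   10.1.122.7      Eth-Trunk1.122
     10.1.121.0/24  Direct  0    0           D   10.1.121.12     Eth-Trunk1.121
    10.1.121.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.121
     10.1.122.0/24  Direct  0    0           D   10.1.122.12     Eth-Trunk1.122
    10.1.122.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.122
     10.1.123.0/24  OSPF    10   3           D   10.1.122.7      Eth-Trunk1.122
     10.1.124.0/24  OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
"""
# VRF_A on FW1 after areas 1 and 2 became stub no-summary (copied from the page).
AFTER_FIX = """
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   OSPF    10   2           D   10.1.122.7      Eth-Trunk1.122
      10.1.10.0/24  OSPF    10   2           D   10.1.121.7      Eth-Trunk1.121
      10.1.20.0/24  Static  60   0           D   0.0.0.0         Virtual-if2
     10.1.121.0/24  Direct  0    0           D   10.1.121.12     Eth-Trunk1.121
    10.1.121.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.121
     10.1.122.0/24  Direct  0    0           D   10.1.122.12     Eth-Trunk1.122
    10.1.122.12/32  Direct  0    0           D   127.0.0.1       Eth-Trunk1.122
"""
# Constructed: the inter-vsys static route as it competes before the fix.
STATIC_TO_B = Route(ipaddress.ip_network("10.1.20.0/24"), "Static", 60, 0, "0.0.0.0", "Virtual-if2")

if __name__ == "__main__":
    for label, table in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        routes = parse_routing_table(table)
        best = lookup(routes, "10.1.20.10")
        print(f"{label}: 10.1.20.10 via {best.iface} ({best.proto}/{best.pref}),"
              f" inside firewall: {via_inter_vsys(routes, '10.1.20.10')}")
    print("before + static:", lookup(parse_routing_table(BEFORE_FIX) + [STATIC_TO_B], "10.1.20.10").proto)
```

The before table picks the OSPF /24 even when the static route is added as a candidate, because both are /24 and 10 beats 60; the after table has no OSPF /24 left, so the static route wins against the default on prefix length alone.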

Tighten the firewall security policies. default action permit is removed from both virtual systems, so anything not matched by the rules below is dropped. Note the asymmetry between the two policies: VRF_B has an untrust-to-trust rule admitting 10.1.10.0/24, but VRF_A has no untrust-to-trust rule at all, so sessions between the departments can only be initiated from PC1's side; PC2 still reaches the router loopback through its own trust-to-untrust rule.

[FW1-VRF_A-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.10.0 mask 255.255.255.0
  destination-address 10.1.1.1 mask 255.255.255.255
  destination-address 10.1.20.0 mask 255.255.255.0
  action permit

#

[FW1-VRF_B-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.20.0 mask 255.255.255.0
  destination-address 10.1.1.1 mask 255.255.255.255
  destination-address 10.1.10.0 mask 255.255.255.0
  action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  source-address 10.1.10.0 mask 255.255.255.0
  destination-address 10.1.20.0 mask 255.255.255.0
  action permit

#
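Added example (mine, not from the original post): a Python audit of the security-policy blocks shown on this page. It parses the display this output, flags the two settings that weaken separation (default action permit, and permit rules with no address or destination-zone constraint such as LOCAL_TO_ANY), and evaluates first-match semantics across both virtual systems to show which department can initiate sessions to the other. The policy texts are copied from the page; the hop lists are my assumption, derived from the zone setup above (Virtual-if in untrust), that a PC1-to-PC2 session crosses VRF_A trust-to-untrust and then VRF_B untrust-to-trust.

```python
"""Added example (not from the original post): parse the USG security-policy
blocks shown above, flag settings that remove enforcement, and work out which
inter-department sessions each side may initiate. Policy texts are copied from
the page; the hop lists are an assumption drawn from the zone setup."""
import ipaddress


def parse_security_policy(text):
    """Return (default_action, rules); the default is deny unless the block
    carries `default action permit`."""
    default_action, rules, rule = "deny", [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("default action "):
            default_action = line.split()[-1]
        elif line.startswith("rule name "):
            rule = {"name": line.split(None, 2)[2], "src_zone": set(), "dst_zone": set(),
                    "src": [], "dst": [], "action": "deny"}
            rules.append(rule)
        elif rule is None:
            continue
        elif line.startswith(("source-zone ", "destination-zone ")):
            kind, zone = line.split()
            rule["src_zone" if kind == "source-zone" else "dst_zone"].add(zone)
        elif line.startswith(("source-address ", "destination-address ")):
            kind, addr, _, mask = line.split()  # "<kind> <ip> mask <netmask>"
            rule["src" if kind == "source-address" else "dst"].append(
                ipaddress.ip_network(f"{addr}/{mask}"))
        elif line.startswith("action "):
            rule["action"] = line.split()[1]
    return default_action, rules


def decide(policy, src_zone, dst_zone, src_ip, dst_ip):
    """Top-down first match, else the default action. Returns (action, rule name)."""
    default_action, rules = policy
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:  # an empty field in a rule means "any"
        if ((not r["src_zone"] or src_zone in r["src_zone"])
                and (not r["dst_zone"] or dst_zone in r["dst_zone"])
                and (not r["src"] or any(s in n for n in r["src"]))
                and (not r["dst"] or any(d in n for n in r["dst"]))):
            return r["action"], r["name"]
    return default_action, "default"


def audit(vsys, policy):
    """Findings that matter for keeping the departments apart."""
    default_action, rules = policy
    findings = []
    if default_action == "permit":
        findings.append(f"{vsys}: default action permit, nothing is enforced")
    for r in rules:
        if r["action"] == "permit" and not (r["dst_zone"] or r["src"] or r["dst"]):
            findings.append(f"{vsys}: rule {r['name']} permits any destination without address constraints")
    return findings


def session_allowed(policies, hops, src_ip, dst_ip):
    """Every virtual system on the path must permit the first packet; hops is an
    ordered list of (vsys, ingress zone, egress zone). Returns (allowed, decider)."""
    for vsys, in_zone, out_zone in hops:
        action, name = decide(policies[vsys], in_zone, out_zone, src_ip, dst_ip)
        if action != "permit":
            return False, f"{vsys}:{name}"
    return True, "permit"


# The test-phase policy from section 3 and the final policies from section 5.
TEST_POLICY = "security-policy\n default action permit\n rule name LOCAL_TO_ANY\n  source-zone local\n  action permit\n"
FINAL_A = """
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.10.0 mask 255.255.255.0
  destination-address 10.1.1.1 mask 255.255.255.255
  destination-address 10.1.20.0 mask 255.255.255.0
  action permit
"""
FINAL_B = """
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.20.0 mask 255.255.255.0
  destination-address 10.1.1.1 mask 255.255.255.255
  destination-address 10.1.10.0 mask 255.255.255.0
  action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  source-address 10.1.10.0 mask 255.255.255.0
  destination-address 10.1.20.0 mask 255.255.255.0
  action permit
"""
PC1_TO_PC2 = [("VRF_A", "trust", "untrust"), ("VRF_B", "untrust", "trust")]
PC2_TO_PC1 = [("VRF_B", "trust", "untrust"), ("VRF_A", "untrust", "trust")]
```

Against the final policies the script confirms that PC1 can open sessions to PC2 (permitted by IN_TO_OUT in VRF_A and OUT_TO_IN in VRF_B) while PC2 cannot open sessions to PC1 (VRF_A falls through to its default deny), and it still reports LOCAL_TO_ANY as a rule worth narrowing to the OSPF traffic it exists for.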
