Lab requirements:
1. Isolate the IT and Sales business networks from each other (Employee and Guest).
2. The firewall security policies of the two departments must be managed independently.
3. If IT and Sales need to communicate, the traffic must pass the security policy checks of each department's own firewall.

Physical topology

1. Create the VLANs and add the ports to them (SW1)
   vlan 10
    description IT
   vlan 20
    description Sales
   interface GigabitEthernet0/0/1
    port link-type access
    port default vlan 10
   interface GigabitEthernet0/0/2
    port link-type access
    port default vlan 20

2. Configure link aggregation on the SW1 and FW1 interfaces
   SW:
   interface Eth-Trunk1
    mode lacp-static
    trunkport g0/0/3
    trunkport g0/0/4
   FW:
   interface Eth-Trunk1
    portswitch
    mode lacp-static
    trunkport g1/0/3
    trunkport g1/0/4
   [sw1]display eth-trunk 1
   [sw1]display interface Eth-Trunk 1    // the interface bandwidth is now 2G

3. Configure the link-aggregation interface as a trunk that allows all VLANs
   SW:
   interface Eth-Trunk1
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094
   FW:
   interface Eth-Trunk1
    port link-type trunk
    port trunk allow-pass vlan 2 to 4094

4. Create the VLANIF interfaces on SW1
   interface Vlanif10
    ip address 192.168.10.1 255.255.255.0
   interface Vlanif20
    ip address 192.168.20.1 255.255.255.0

5. Create the VPN instances on the switch and bind the VLANIF interfaces to them
   ip vpn-instance IT
    ipv4-family
   ip vpn-instance Sales
    ipv4-family
   interface Vlanif10
    ip binding vpn-instance IT
    ip address 192.168.10.1 255.255.255.0
   interface Vlanif20
    ip binding vpn-instance Sales
    ip address 192.168.20.1 255.255.255.0
   (Binding clears the interface IP address, so it has to be configured again.)
   (Creating a VPN instance is equivalent to creating a separate router.)

6. Verification 1
   PC1>ping 192.168.10.1    (reachable)
   PC2>ping 192.168.20.1    (reachable)
   PC>ping 192.168.20.1     (unreachable)
   [sw1]dis ip routing-table                        // no directly connected routes
   [sw1]display ip routing-table vpn-instance IT    // one directly connected route; the same for Sales

7. Create VLAN 30, add the interface to it, and create its VLANIF interface
   vlan 30
   q
   interface Vlanif30    // global (not bound to any VPN instance)
    ip address 192.168.30.1 255.255.255.0
   interface GigabitEthernet0/0/5
    port link-type access
    port default vlan 30

8. Configure the R1 interface and add a LoopBack0 test interface
   interface GigabitEthernet0/0/0
    ip address 192.168.30.2 255.255.255.0
   interface LoopBack0
    ip address 1.1.1.1 255.255.255.255
   [R1] ping 192.168.30.1    (reachable)

9. Configure VLANIF 122 and 124 to connect the two instances to the firewall
   vlan batch 122 124
   interface Vlanif122
    ip binding vpn-instance IT
    ip address 192.168.122.1 255.255.255.0
   interface Vlanif124
    ip binding vpn-instance Sales
    ip address 192.168.124.1 255.255.255.0
   [SW1-Vlanif122]display ip routing-table vpn-instance IT
   [SW1-Vlanif122]display ip routing-table vpn-instance Sales

10. On the FW, create the VLANs and the VSYS globally and assign the VLANs to the VSYS
   vsys en
   vlan batch 122 124
   vsys name IT
    assign vlan 122
   vsys name Sales 2
    assign vlan 124

11. Create VLANIF 122 and 124 on the FW
   interface Vlanif122
    ip binding vpn-instance IT
    ip address 192.168.122.2 255.255.255.0
   interface Vlanif124
    ip binding vpn-instance Sales
    ip address 192.168.124.2 255.255.255.0

12. Add the VLANIF interfaces to the trust zone
   switch vsys IT
   sys
   firewall zone trust
    add interface Vlanif122
   q
   q
   q
   switch vsys Sales
   sys
   firewall zone trust
    add interface Vlanif124

13. Verify connectivity to the firewall
   [SW1]ping -vpn-instance IT 192.168.122.2      (reachable)
   [SW1]ping -vpn-instance Sales 192.168.124.2   (reachable)

14. Configure the Local>Trust security policy
   [FW1-IT-policy-security-rule-Local>Trust]dis th
    rule name Local>Trust
     source-zone local
     destination-zone trust
     action permit
   [FW1-Sales-policy-security-rule-Local>Trust]dis th
    rule name Local>Trust
     source-zone local
     destination-zone trust
     action permit
   <FW1>ping -vpn-instance IT 192.168.122.1      (reachable)
   <FW1>ping -vpn-instance Sales 192.168.124.1   (reachable)

15. Configure OSPF on SW1
   ospf 10 router-id 5.5.5.5 vpn-instance IT
    area 0.0.0.0
     network 192.168.122.0 0.0.0.255
     network 192.168.10.0 0.0.0.255
   ospf 20 router-id 6.6.6.6 vpn-instance Sales
    area 0.0.0.0
     network 192.168.124.0 0.0.0.255
     network 192.168.20.0 0.0.0.255
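An added configuration audit for requirements 2 and 3 (my own example, not part of the lab): it parses constructed excerpts of the SW1 and FW1 configurations from steps 9 to 11 and reports any transit VLAN whose switch vpn-instance, firewall vpn-instance and firewall VSYS do not all name the same department (a mismatch would let one department's traffic be policed by the other's firewall), plus any switch Vlanif left in the global routing table. The parse and audit function names and the excerpt contents are assumptions made here.

```python
import re

# Constructed excerpts of the SW1 and FW1 configurations shown in steps 9 to 11 above.
SW1_CONFIG = """interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
interface Vlanif122
 ip binding vpn-instance IT
 ip address 192.168.122.1 255.255.255.0
interface Vlanif124
 ip binding vpn-instance Sales
 ip address 192.168.124.1 255.255.255.0
"""
FW1_CONFIG = """vsys name IT
 assign vlan 122
vsys name Sales 2
 assign vlan 124
interface Vlanif122
 ip binding vpn-instance IT
 ip address 192.168.122.2 255.255.255.0
interface Vlanif124
 ip binding vpn-instance Sales
 ip address 192.168.124.2 255.255.255.0
"""

def parse(config):
    """One pass over a VRP excerpt: {vlan: vpn-instance} per Vlanif, {vlan: vsys} per 'assign vlan'."""
    vrf, vsys, cur_if, cur_vsys = {}, {}, None, None
    for s in map(str.strip, config.splitlines()):
        if m := re.match(r"interface Vlanif(\d+)$", s):
            cur_if, cur_vsys = int(m[1]), None
            vrf[cur_if] = None  # unbound until an 'ip binding' line appears
        elif m := re.match(r"vsys name (\S+)", s):
            cur_if, cur_vsys = None, m[1]
        elif cur_if is not None and s.startswith("ip binding vpn-instance "):
            vrf[cur_if] = s.split()[-1]
        elif cur_vsys and (m := re.match(r"assign vlan (\d+)", s)):
            vsys[int(m[1])] = cur_vsys
    return vrf, vsys

def audit(sw_config, fw_config):
    """Return findings; an empty list means each transit VLAN stays inside one department end to end."""
    (sw_vrf, _), (fw_vrf, fw_vsys) = parse(sw_config), parse(fw_config)
    findings = []
    for vlan, vsys in fw_vsys.items():
        # switch vpn-instance, firewall vpn-instance and firewall VSYS must all name the same department
        if {sw_vrf.get(vlan), fw_vrf.get(vlan), vsys} != {vsys}:
            findings.append(f"vlan {vlan}: switch vpn-instance {sw_vrf.get(vlan)}, "
                            f"firewall vpn-instance {fw_vrf.get(vlan)}, assigned to vsys {vsys}")
    findings += [f"Vlanif{v}: no vpn-instance binding, lives in the global routing table" for v, vrf in sw_vrf.items() if vrf is None]
    return findings
```

On the lab's own values the only finding is Vlanif30, which is intentionally global for the R1 link; swapping an `assign vlan` between the two VSYS blocks produces a mismatch finding for that VLAN.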