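Lab objectives: 1. PC1 can ping 1.1.1.1; PC2 can ping 2.2.2.2;
2. PC1 and PC2 can reach each other (communication between virtual systems)
Lab notes: the interface addresses of each device are as shown in the figure; the switch VLAN configuration is omitted.
Configuration steps:
1. Enable virtual systems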
vsys enable
2. Create the subinterfaces
interface GigabitEthernet 1/0/2.10
interface GigabitEthernet 1/0/2.20
3. Assign interface resources to the virtual system named vsysa, ID 1
vsys name vsysa 1
assign interface GigabitEthernet1/0/2.10
assign interface GigabitEthernet1/0/0
Assign interface resources to the virtual system named vsysb, ID 2
vsys name vsysb 2
assign interface GigabitEthernet1/0/2.20
assign interface GigabitEthernet1/0/1
4. The interfaces are bound to the instance automatically; configure the IP addresses and VLANs
interface GigabitEthernet 1/0/2.10
vlan-type dot1q 10
ip binding vpn-instance vsysa
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet1/0/2.20
vlan-type dot1q 20
ip binding vpn-instance vsysb
ip address 192.168.2.254 255.255.255.0
interface GigabitEthernet1/0/0
undo shutdown
ip binding vpn-instance vsysa
ip address 1.1.1.254 255.255.255.0
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vsysb
ip address 2.2.2.254 255.255.255.0
5. Enter the virtual system (virtual system a is used as the example)
switch vsys vsysa
6. Add the interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2.10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
7. Configure the security policy
security-policy
rule name 1
source-zone trust
destination-zone untrust
action permit
8. Exit virtual system a
quit (repeat N times)
9. Repeat steps 5 through 8 to configure virtual system b
switch vsys vsysb
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2.20
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
security-policy
rule name 1
source-zone trust
destination-zone untrust
action permit
10. Configure routing
FW1:
ospf 1 router-id 1.1.1.254 vpn-instance vsysa
area 0.0.0.0
network 1.1.1.254 0.0.0.0
network 192.168.1.254 0.0.0.0
#
ospf 2 router-id 2.2.2.254 vpn-instance vsysb
area 0.0.0.0
network 2.2.2.254 0.0.0.0
network 192.168.2.254 0.0.0.0
R1:
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
R2:
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 2.2.2.2 0.0.0.0
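11. Test that PC1 can ping 1.1.1.1 and PC2 can ping 2.2.2.2 (omitted)
This completes lab objective 1.
The configuration steps for lab objective 2 follow:
1. Configure the root system
1.1 Configure the routes between virtual systems in the root system
ip route-static vpn-instance vsysa 192.168.2.0 255.255.255.0 vpn-instance vsysb
# Route to the 192.168.2.0 network for instance vsysa; the next hop is firewall B
ip route-static vpn-instance vsysb 192.168.1.0 255.255.255.0 vpn-instance vsysa
# Route to the 192.168.1.0 network for instance vsysb; the next hop is firewall A
1.2 Configure the inter-system communication interface
interface Virtual-if0
ip address 172.16.0.3 255.255.255.0 # root system
1.3 Add the root system interface to the trust zone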
firewall zone trust
add interface Virtual-if0
2. Configure the virtual systems
2.1 Configure the inter-system communication interfaces
switch vsys vsysa
interface Virtual-if1
ip address 172.16.0.1 255.255.255.0
quit (repeat N times)
switch vsys vsysb
interface Virtual-if2
ip address 172.16.0.2 255.255.255.0
2.2 In each virtual system, add this interface to a zone (usually trust)
switch vsys vsysa
firewall zone trust
add interface virtual-if1
switch vsys vsysb
firewall zone trust
add interface virtual-if2
2.3 Test that PC1 and PC2 can reach each other
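
An added example, not part of the original lab notes: a Python check over an exported root-system configuration that flags an interface whose instance binding differs from the virtual system it was assigned to (steps 3 and 4) and an inter-virtual-system static route that has no return route (step 1.1 of objective 2). The sample configuration is constructed, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample in the style of this page's root-system configuration, with
# two deliberate faults: a wrong binding and a one-way inter-vsys route.
SAMPLE = """\
vsys name vsysa 1
 assign interface GigabitEthernet1/0/2.10
 assign interface GigabitEthernet1/0/0
vsys name vsysb 2
 assign interface GigabitEthernet1/0/2.20
 assign interface GigabitEthernet1/0/1
interface GigabitEthernet 1/0/2.10
 ip binding vpn-instance vsysa
interface GigabitEthernet1/0/2.20
 ip binding vpn-instance vsysa
interface GigabitEthernet1/0/0
 ip binding vpn-instance vsysa
interface GigabitEthernet1/0/1
 ip binding vpn-instance vsysb
ip route-static vpn-instance vsysa 192.168.2.0 255.255.255.0 vpn-instance vsysb
"""

INST = r"(?:vpn)?-instance (\S+)"  # also tolerates a truncated "-instance" keyword

def audit(config):
    """Return findings for binding mismatches and one-way inter-vsys routes."""
    assigned, bound, routes, findings = {}, {}, set(), []
    vsys = iface = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"vsys name (\S+)", line):
            vsys, iface = m[1], None
        elif (m := re.match(r"assign interface (.+)", line)) and vsys:
            name = m[1].replace(" ", "")  # "GigabitEthernet 1/0/0" == "GigabitEthernet1/0/0"
            if assigned.setdefault(name, vsys) != vsys:
                findings.append(f"{name} assigned to both {assigned[name]} and {vsys}")
        elif m := re.match(r"interface (.+)", line):
            iface, vsys = m[1].replace(" ", ""), None
        elif (m := re.match(r"ip binding " + INST, line)) and iface:
            bound[iface] = m[1]
        elif m := re.match(r"ip route-static " + INST + r" \S+ \S+ " + INST, line):
            routes.add((m[1], m[2]))
    for name, owner in assigned.items():
        if bound.get(name) != owner:
            findings.append(f"{name} assigned to {owner} but bound to {bound.get(name)}")
    for src, dst in sorted(routes):
        if (dst, src) not in routes:
            findings.append(f"route {src} -> {dst} has no return route {dst} -> {src}")
    return findings
```

An empty list from `audit` means every assigned interface is bound to its own virtual system and every inter-virtual-system route has a matching route in the opposite direction.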