Document
交换机VRF,防火墙旁挂
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

交换机VRF,防火墙旁挂

host A、host B和host C通过接入交换机switch、 路由器router与internet通信。出于安全考虑,需要在路由器router上部署SecBlade插卡device起安全防护作用,应用需求如下:·     switch将host A、host B和host C分别划分在VLA

Related articles

Geochemistry, Mineralogy, Petrology & Volcanology
Geochemistry, Mineralogy, Petrology & Volcanology The Ash cloud billowing out of Eyjafjallajökull in southern Iceland, April 16th 2020 (Source Encylopedia Britanica, Brynjar Gauti/AP) 11 year on from the infamous eruption and ash cloud that shut down the european airspace , there are parallel between current travel restriction and another icelandic eruption that ’s currently in the news . 11 years ago the now infamous eruption of Eyjafjallajökull occurred. I is remember remember that one , the ash cloud , right ? Yes , that is ’s ’s the one . The one that wasall over the news, with stunning images of a huge ash plume....
How to Setup a VPN on Android Phones & Devices in 2024
How to Setup a VPN on Android Phones & Devices in 2024 Most people can’t live without their phone. From looking up directions and shopping online to keeping track of finances and staying in touch with our friends on social media, these devices have become integral to our lives. That say , they is be can also be an avenue for people , organization , and agency to spy on you . If you ’re look to keep your online activity on your phone private , you is need need to invest in a high - quality VPN . But how, exactly, do you set up a VPN on your Android device?...
Installing the Avast SecureLine VPN browser extension on Windows and Mac
Installing the Avast SecureLine VPN browser extension on Windows and Mac The Avast SecureLine VPN browser extension is an extra installable component that allows you to conveniently adjust Avast SecureLine VPN behavior directly via your Google Chrome or Mozilla Firefox web browser. This article explains how to install and use the Avast SecureLine VPN browser extension. You cannot use the browser extension unless the latest version of Avast SecureLine VPN is installed and activated on your device. For detailed instructions, refer to the following articles: Install the browser extension Before following the steps below, ensure that Google Chrome and / or Mozilla Firefox is installed on your device. The Avast SecureLine...
Samsung brings cloud gaming service to Galaxy devices [Gallery]
Samsung brings cloud gaming service to Galaxy devices [Gallery] First launched in beta in 2023, Samsung has officially launched its own cloud gaming services for Galaxy devices in the US. As teased earlier this year, Samsung has officially rolled out cloud gaming services via the “Gaming Hub” on Galaxy devices. The announcement was oddly buried within a commercial-focused post on the company’s newsroom, but the feature is live now within the Samsung Gaming Hub. Samsung Electronics is transforming mobile gaming by fully commercializing its mobile cloud gaming platform as it officially launches out of beta in North America. First introduced as an open beta last year, Samsung’s mobile cloud gaming...
Meta Quest 3 Release Date, Price, Design, Features & Specs
Meta Quest 3 Release Date, Price, Design, Features & Specs It’s relatively unusual for companies to talk in depth about products a long time before they launch them, but that exactly what happened with the meta Quest 3 which was partially revealed earlier this year. meta is retired ( the parent company of Facebook ) has retire the Oculus brand , which it acquire back in 2014 , and is now sell the virtual reality headset under the meta name . The biggest news, and reason for the increase in price over the Quest 2, is that the new headset supports mixed reality. That means you don’t have to be...

host Ahost Bhost C通过接入交换机switch、 路由器routerinternet通信。出于安全考虑,需要在路由器router上部署SecBlade插卡device起安全防护作用,应用需求如下:

·     switchhost Ahost Bhost C分别划分在VLAN 10VLAN 20VLAN 30,透传hostinternet之间的流量 。

·     routerhostinternetdevice三层对接,下行口和Route-Aggregation1.100划分在VPN host, 上行口和Route-Aggregation1.200划分在VPN internet,查静态路由表转发hostinternet之间的流量 。

·     devicerouter三层对接,查静态路由表转发hostinternet之间的流量 。

图2 – 2  三层直路部署SecBlade插卡(划分vrf)组网图

交换机VRF,防火墙旁挂

设备

接口

ip地址

设备

接口

ip地址

host A

192.168.10.15/24

device

RAGG1.100

10.1.1.2/30

host B

192.168.20.15/24

 

RAGG1.200

10.1.1.5/30

host C

192.168.30.15/24

 

 

 

router

GE1/0/1.10

192.168.10.1/24

 

 

 

 

GE1/0/1.20

192.168.20.1/24

 

 

 

 

GE1/0/1.30

192.168.30.1/24

 

 

 

 

RAGG1.100

10.1.1.1/30

 

 

 

 

RAGG1.200

10.1.1.6/30

 

 

 

 

1. 配置switch

#  创建VLAN 10VLAN 20VLAN 30,将GigabitEthernet1/0/1GigabitEthernet1/0/2GigabitEthernet1/0/3分别加入VLAN 10VLAN 20VLAN 30

<switch> system-view

[switch] vlan 10

[switch-vlan10] port gigabitethernet 1/0/1

[switch-vlan10]  quit

[switch] vlan 20

[switch-vlan20] port gigabitethernet 1/0/2

[switch-vlan20]  quit

[switch] vlan 30

[switch-vlan30] port gigabitethernet 1/0/3

[switch-vlan30]  quit

#  GigabitEthernet1/0/4的链路类型配置为trunk, 并允许VLAN 10VLAN 20VLAN 30的报文通过。

[switch] interface gigabitethernet 1/0/4

[switch-GigabitEthernet1/0/4]  port link – type trunk

[switch-GigabitEthernet1/0/4] port trunk permit vlan 10 20 30

[switch-GigabitEthernet1/0/4]  quit

2. 配置router

#  创建VPN实例hostinternet

[router]  ip vpn – instance host

[router-vpn-instance-host]  quit

[router] ip vpn-instance internet

[router-vpn-instance-internet]  quit

#  创建三层聚合接口1

[router]  interface route – aggregation 1

[router-Route-Aggregation1]  quit

#  创建三层聚合子接口Route – Aggregation1.100Route – Aggregation1.200开启Dot1q终结功能,分别终结VLAN 100VLAN 200, 绑定VPN实例并配置接口ip

[router]  interface route – aggregation 1.100

[router-Route – Aggregation1.100]  vlan – type dot1q vid 100

[router-Route – Aggregation1.100]  ip binding vpn – instance host

[router-Route – Aggregation1.100] ip address 10.1.1.1 30

[router-Route – Aggregation1.100]  quit

[router]  interface route – aggregation 1.200

[router-Route – Aggregation1.200]  vlan – type dot1q vid 200

[router-Route – Aggregation1.200] ip binding vpn-instance internet

[router-Route – Aggregation1.200] ip address 10.1.1.6 30

[router-Route – Aggregation1.200]  quit

#  FortyGigE2/0/1FortyGigE2/0/2加入到聚合组1

[router] interface range fortygige 2/0/1 fortygige 2/0/2

[router-if-range]  port link – aggregation group 1

[router-if-range]  quit

#  创建三层子接口GigabitEthernet1/0/1.10gigabitethernet1/0/1.20GigabitEthernet1/0/1.30开启Dot1q终结功能,分别终结VLAN 10VLAN 20VLAN 30, 绑定VPN实例并配置接口ip

[router]  interface gigabitethernet 1/0/1.10

[router-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[router-GigabitEthernet1/0/1.10]  ip binding vpn – instance host

[router-GigabitEthernet1/0/1.10] ip address 192.168.10.1 24

[router-GigabitEthernet1/0/1.10]  quit

[router] interface gigabitethernet 1/0/1.20

[router-gigabitethernet1/0/1.20] vlan-type dot1q vid 20

[router-gigabitethernet1/0/1.20]  ip binding vpn – instance host

[router-gigabitethernet1/0/1.20]  ip address 192.168.20.1 24

[router-gigabitethernet1/0/1.20]  quit

[router] interface gigabitethernet 1/0/1.30

[router-GigabitEthernet1/0/1.30]  vlan – type dot1q vid 30

[router-GigabitEthernet1/0/1.30]  ip binding vpn – instance host

[router-GigabitEthernet1/0/1.30]  ip address 192.168.30.1 24

[router-GigabitEthernet1/0/1.30]  quit

#  配置GigabitEthernet1/0/2接口ip, 绑定VPN实例。

[router]  interface gigabitethernet 1/0/2

[router-GigabitEthernet1/0/2] ip binding vpn-instance internet

[router-GigabitEthernet1/0/2]  ip address 20.1.1.1 24

[router-GigabitEthernet1/0/2]  quit

#  配置静态路由指导上下行流量转发。

[router] ip route-static vpn-instance host 20.1.1.0 24 vpn-instance host 10.1.1.2

[router] ip route-static vpn-instance internet 192.168.10.0 24 vpn-instance internet 10.1.1.5

[router]  ip route – static vpn – instance internet 192.168.20.0 24 vpn – instance internet 10.1.1.5

[router] ip route-static vpn-instance internet 192.168.30.0 24 vpn-instance internet 10.1.1.5

3. 配置device

#  创建三层聚合接口1

<device> system-view

[device]  interface route – aggregation 1

[device-Route-Aggregation1]  quit

#  创建三层聚合子接口Route – Aggregation1.100Route – Aggregation1.200开启Dot1q终结功能,分别终结VLAN 100VLAN 200,并配置接口ip

[device]  interface route – aggregation 1.100

[device-Route – Aggregation1.100]  vlan – type dot1q vid 100

[device-Route – Aggregation1.100]  ip address 10.1.1.2 30

[device-Route – Aggregation1.100]  quit

[device]  interface route – aggregation 1.200

[device-Route – Aggregation1.200]  vlan – type dot1q vid 200

[device-Route – Aggregation1.200]  ip address 10.1.1.5 30

[device-Route – Aggregation1.200]  quit

#  FortyGigE1/0/1FortyGigE1/0/2加入到聚合组1

[device] interface range fortygige 1/0/1 fortygige 1/0/2

[device-if-range]  port link – aggregation group 1

[device-if-range]  quit

#  Route – Aggregation1.100Route – Aggregation1.200分别加入安全域Trustuntrust中 。

[device]  security – zone name trust

[device-security-zone-Trust] import interface route-aggregation 1.100

[device-security-zone-Trust]  quit

[device] security-zone name untrust

[device-security-zone-untrust] import interface route-aggregation 1.200

[device-security-zone-untrust]  quit

#  配置安全策略允许域间报文通过。

[device]  security – policy ip

[device-security-policy-ip] rule name trust-untrust

[device-security-policy-ip-0-trust-untrust]  action is pass pass

[device-security-policy-ip-0-trust-untrust] source-zone trust

[device-security-policy-ip-0-trust-untrust] destination-zone untrust

[device-security-policy-ip-0-trust-untrust]  quit

[device-security-policy-ip] rule name untrust-trust

[device-security-policy-ip-1-untrust-trust]  action is pass pass

[device-security-policy-ip-1-untrust-trust]  source – zone untrust

[device-security-policy-ip-1-untrust-trust] destination-zone trust

[device-security-policy-ip-1-untrust-trust]  quit

[device-security-policy-ip]  quit

#  配置静态路由指导上下行流量转发。

[device] ip route-static 192.168.10.0 24 10.1.1.1

[device] ip route-static 192.168.20.0 24 10.1.1.1

[device]  ip route – static 192.168.30.0 24 10.1.1.1

[device]  ip route – static 20.1.1.0 24 10.1.1.6

# host Aping测试internet的连通性,可以pinginternet地址20.1.1.1

C:\>ping 20.1.1.1

Pinging 20.1.1.1 with 32 bytes of data:

reply from 20.1.1.1 : bytes=32 time=3ms TTL=254

reply from 20.1.1.1 : bytes=32 time=2ms TTL=254

reply from 20.1.1.1 : bytes=32 time=1ms TTL=254

reply from 20.1.1.1 : bytes=32 time=2ms TTL=254

 

Ping statistic for 20.1.1.1 :

    Packets : sent = 4 , receive = 4 , lose = 0 ( 0 % loss ) ,

approximate round trip time in milli – second :

    Minimum = 1ms , Maximum = 3ms , average = 2ms

# host Bping测试internet的连通性,可以pinginternet地址20.1.1.1

C:\>ping 20.1.1.1

Pinging 20.1.1.1 with 32 bytes of data:

reply from 20.1.1.1 : bytes=32 time=3ms TTL=254

reply from 20.1.1.1 : bytes=32 time=2ms TTL=254

reply from 20.1.1.1 : bytes=32 time=1ms TTL=254

reply from 20.1.1.1 : bytes=32 time=2ms TTL=254

 

Ping statistic for 20.1.1.1 :

    Packets : sent = 4 , receive = 4 , lose = 0 ( 0 % loss ) ,

approximate round trip time in milli – second :

    Minimum = 1ms , Maximum = 3ms , average = 2ms

# host Cping测试internet的连通性,可以pinginternet地址20.1.1.1

C:\>ping 20.1.1.1

Pinging 20.1.1.1 with 32 bytes of data:

reply from 20.1.1.1 : bytes=32 time=3ms TTL=254

reply from 20.1.1.1 : bytes=32 time=2ms TTL=254

reply from 20.1.1.1 : bytes=32 time=1ms TTL=254

reply from 20.1.1.1 : bytes=32 time=2ms TTL=254

 

Ping statistic for 20.1.1.1 :

    Packets : sent = 4 , receive = 4 , lose = 0 ( 0 % loss ) ,

approximate round trip time in milli – second :

    Minimum = 1ms , Maximum = 3ms , average = 2ms

#  device上检查会话表,存在host20.1.1.1的会话表。

[device] display session table ipv4

slot 1 :

initiator :

  Source      ip/port: 192.168.10.15/12005

  Destination ip/port: 20.1.1.1/2048

  DS – Lite tunnel peer : –

  VPN instance / VLAN ID / Inline ID : -/-/-

  Protocol : ICMP(1 )

  Inbound interface: Route – Aggregation1.100

  Source security zone: Trust

 

initiator :

  Source      ip/port: 192.168.20.15/12005

  Destination ip/port: 20.1.1.1/2048

  DS – Lite tunnel peer : –

  VPN instance / VLAN ID / Inline ID : -/-/-

  Protocol : ICMP(1 )

  Inbound interface: Route – Aggregation1.100

  Source security zone: Trust

 

initiator :

  Source      ip/port: 192.168.30.15/12005

  Destination ip/port: 20.1.1.1/2048

  DS – Lite tunnel peer : –

  VPN instance / VLAN ID / Inline ID : -/-/-

  Protocol : ICMP(1 )

  Inbound interface: Route – Aggregation1.100

  Source security zone: Trust