华为防火墙虚拟系统隔离租户配置示例

拓扑环境如上图所示:业务系统A和B需要完全隔离;CSW作为两者的网关,各自经防火墙上的NAT访问ISP侧的1.1.1.1地址。

FW(根系统)的配置(以下`//`之后的文字为说明注释,并非VRP命令,粘贴到设备前请删除):

sysname FW
#
vsys enable     //enable the virtual-system (vsys) feature on the root system
resource-class r0                         
//NOTE(review): r0 is declared with no quotas under it, and neither vsys below carries an
//"assign resource-class" line; the isolation configured on this page is at the traffic and
//routing level only — confirm whether per-tenant session/bandwidth quotas are wanted.
#
vsys name A 1   //create the vsys for business system A (vsys ID 1) and hand it its two sub-interfaces
 assign interface GigabitEthernet1/0/6.100
 assign interface GigabitEthernet1/0/0.100
#
vsys name B 2   //create the vsys for business system B (vsys ID 2); the .200 sub-interfaces sit on the same physical ports
 assign interface GigabitEthernet1/0/6.200
 assign interface GigabitEthernet1/0/0.200
#
ip vpn-instance A    //created automatically together with the vsys: Huawei vsys isolation rests on a per-vsys VPN instance (VRF)
 ipv4-family
 ipv6-family
#
ip vpn-instance B   //likewise for vsys B; A and B therefore hold separate routing tables
 ipv4-family
 ipv6-family
#
return

虚拟系统A(vsys A)的配置(本文仅列出A,未列出虚拟系统B):

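switch vsys A
#
interface GigabitEthernet1/0/0.100   //upstream (ISP-facing) sub-interface of vsys A, on the /30 transit link
 vlan-type dot1q 10
 ip binding vpn-instance A
 ip address 10.0.12.1 255.255.255.252
#
interface GigabitEthernet1/0/6.100   //CSW-facing transit sub-interface (VLAN 100); ping is permitted only here, not on the untrust side
 vlan-type dot1q 100                      
 ip binding vpn-instance A
 ip address 192.168.100.1 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/6.100
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0.100
#
security-policy
 rule name Trust_Untrust   //outbound only; no untrust->trust rule exists, so inbound relies on the default policy being deny — verify on the device
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0   //limit the rule to the tenant LAN so it matches the NAT rule below; permitting any trust source would also let the 192.168.100.0/24 transit net out untranslated
  action permit
#
nat-policy
 rule name Trust_Easy-ip   //easy-ip: translate the tenant LAN to the egress (untrust) interface address
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat easy-ip
#
ip route-static 0.0.0.0 0.0.0.0 10.0.12.2   //default route to the upstream peer on the /30
ip route-static 192.168.10.0 255.255.255.0 192.168.100.254   //return route for the tenant LAN via the CSW's Vlanif100
#
return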

CSW的配置:

#
 sysname CSW
 #
 vlan batch 10 20 100 200   //10/20: tenant access VLANs; 100/200: transit VLANs toward the FW's vsys A / vsys B sub-interfaces
 #
 ip vpn-instance A   //per-tenant VRF; the RD only names the VRF locally, and no vpn-target is configured, so nothing imports routes between A and B
  ipv4-family
   route-distinguisher 100:1
 #
 ip vpn-instance B
  ipv4-family
   route-distinguisher 100:2
 #
 interface Vlanif10   //tenant A access gateway, bound to VRF A
  ip binding vpn-instance A
  ip address 192.168.10.254 255.255.255.0
  dhcp select interface   //NOTE(review): the global "dhcp enable" is not in this excerpt — confirm it is present, otherwise no leases are served
 #
 interface Vlanif20   //tenant B access gateway, bound to VRF B
  ip binding vpn-instance B
  ip address 192.168.20.254 255.255.255.0
  dhcp select interface
 #
 interface Vlanif100   //transit to FW vsys A (192.168.100.1)
  ip binding vpn-instance A
  ip address 192.168.100.254 255.255.255.0 
 #
 interface Vlanif200   //transit to FW vsys B (vsys B's own configuration is not shown on this page)
  ip binding vpn-instance B
  ip address 192.168.200.254 255.255.255.0
 #
 ip route-static vpn-instance A 0.0.0.0 0.0.0.0 192.168.100.1   //per-VRF default routes: each tenant can only exit through its own vsys
 ip route-static vpn-instance B 0.0.0.0 0.0.0.0 192.168.200.1
 #
 user-interface con 0
 user-interface vty 0 4   //NOTE(review): no authentication-mode, protocol or ACL lines are shown under the VTYs here — confirm remote management is authenticated and restricted before deployment
 #
 return

实施结果:

PC1(业务系统A)可以访问1.1.1.1,但是不能访问业务系统B(PC2)
PC2(业务系统B)可以访问1.1.1.1,但是不能访问业务系统A(PC1)
虚拟系统A和虚拟系统B的会话表
