A comprehensive requirement (H3C implementation)

Scenario: a firewall emulates the OVS device that performs NAT; a second firewall emulates the NAT-SERVER, which sits in the DMZ; Spine and Border-Leaf are converged into one device that acts as the centralized gateway; the firewall hangs off the Border-Leaf (one-armed) and is deployed as virtualized vsys instances that form OSPF adjacencies with the Border-Leaf.
PC1's path to the Internet: PC1, on the private network, first forwards traffic to the OVS -> the OVS performs NAT, translating the source to an address inside vlan301, and forwards the traffic to the centralized gateway Border-Leaf (Inside VRF) -> the Border-Leaf forwards it to the virtual firewall Inside -> after security policy processing, the virtual firewall sends it back to the Border-Leaf (DMZ VRF) -> the Border-Leaf encapsulates it in VXLAN and forwards it to the NAT-SERVER -> the NAT-SERVER performs SNAT to a public address and forwards the traffic to the Border-Leaf (Inside_Internet VRF) -> the Border-Leaf forwards it to the root firewall -> after security policy processing, the root firewall forwards it to the Border-Leaf (Internet VRF) -> the Border-Leaf forwards it to the Internet.
The return path is symmetric with the forward path.

Lab results:

PC1 accessing the Internet
Root firewall session: after the NAT-SERVER translates the internal address to a public address, the traffic passes through the root firewall's security processing
Virtual firewall session: the session created when PC1's traffic is forwarded through Inside to the NAT-SERVER in the DMZ

Configuration of the Border-Leaf, the tricky device:

#
 sysname SpineAndBorder-Leaf
# Create multiple VRFs to isolate routing
ip vpn-instance DMZ
#
ip vpn-instance Inside
#
ip vpn-instance Inside_Internet
#
ip vpn-instance Internet
# OSPF neighbor with the root firewall
ospf 1 router-id 10.0.12.1 vpn-instance Internet
 default-route-advertise type 1 // advertise a default route to the root firewall and on into the Inside_Internet VRF
 area 0.0.0.0
  network 10.0.12.0 0.0.0.3
# OSPF neighbor with the root firewall
ospf 2 router-id 10.0.13.1 vpn-instance Inside_Internet
 vpn-instance-capability simple // OSPF in a VPN instance sets the DN bit for loop prevention; this command is needed so that loop-prevention does not block route learning, otherwise the default route advertised from the Internet side is never learned
 area 0.0.0.0
  network 10.0.13.0 0.0.0.3
  network 100.0.0.0 0.0.0.255 // advertise the vxlan10200 subnet
#
ospf 3 router-id 10.0.11.1 vpn-instance DMZ
 default-route-advertise type 1 // advertise a default route to the vsys firewall and on into the Inside VRF
 area 0.0.0.0
  network 10.0.11.0 0.0.0.3
  network 10.0.209.0 0.0.0.255 // advertise the vxlan10209 subnet
#
ospf 4 router-id 10.0.10.1 vpn-instance Inside
 vpn-instance-capability simple // OSPF in a VPN instance sets the DN bit for loop prevention; this command is needed so that loop-prevention does not block route learning, otherwise the default route advertised from the DMZ side is never learned
 area 0.0.0.0
  network 10.0.10.0 0.0.0.3
  network 10.0.30.0 0.0.0.255 // advertise the vxlan10301 subnet
# OSPF used for underlay communication
ospf 100 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.1.4 0.0.0.3
#
vlan 10 to 13
#
vlan 301
#
 l2vpn enable
# Create three VXLANs and associate each with its gateway and L2 VNI
vsi vxlan10200
 gateway vsi-interface 200
 vxlan 10200
 evpn encapsulation vxlan
  route-distinguisher 1:10200
  vpn-target 1:10200 export-extcommunity
  vpn-target 1:10200 import-extcommunity
#
vsi vxlan10209
 gateway vsi-interface 209
 vxlan 10209
 evpn encapsulation vxlan
  route-distinguisher 1:10209
  vpn-target 1:10209 export-extcommunity
  vpn-target 1:10209 import-extcommunity
#
vsi vxlan10301
 gateway vsi-interface 301
 vxlan 10301
 evpn encapsulation vxlan
  route-distinguisher 1:10301
  vpn-target 1:10301 export-extcommunity
  vpn-target 1:10301 import-extcommunity
#
interface LoopBack0 // VTEP address for the VXLAN tunnels and the logical interface used for the BGP EVPN peering
 ip address 1.1.1.1 255.255.255.255
# VLAN interfaces interconnecting with the root firewall and the vsys firewall
interface Vlan-interface10
 ip binding vpn-instance Inside
 ip address 10.0.10.1 255.255.255.252
 ospf network-type p2p
#
interface Vlan-interface11
 ip binding vpn-instance DMZ
 ip address 10.0.11.1 255.255.255.252
 ospf network-type p2p
#
interface Vlan-interface12
 ip binding vpn-instance Internet
 ip address 10.0.12.1 255.255.255.252
 ospf network-type p2p
#
interface Vlan-interface13
 ip binding vpn-instance Inside_Internet
 ip address 10.0.13.1 255.255.255.252
 ospf network-type p2p
# Interface connecting to the Internet
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable fiber
 ip binding vpn-instance Internet
 ip address 100.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/48
 port link-mode bridge
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 10 to 13
 combo enable fiber
#
interface Ten-GigabitEthernet1/0/50
 port link-mode route
 combo enable fiber
 ip address 10.0.1.1 255.255.255.252
 ospf network-type p2p
#
interface Ten-GigabitEthernet1/0/51
 port link-mode route
 combo enable fiber
 ip address 10.0.1.5 255.255.255.252
 ospf network-type p2p
#
interface Vsi-interface200 // gateway for vxlan10200
 ip binding vpn-instance Inside_Internet
 ip address 100.0.0.254 255.255.255.0
#
interface Vsi-interface209 // gateway for vxlan10209
 ip binding vpn-instance DMZ
 ip address 10.0.209.254 255.255.255.0
#
interface Vsi-interface301 // gateway for vxlan10301
 ip binding vpn-instance Inside
 ip address 10.0.30.254 255.255.255.0
#
bgp 100 instance EVPN // the EVPN peering lives in its own BGP instance, so a traditional BGP peering under a different AS number remains possible later
 group Leaf internal
 peer Leaf connect-interface LoopBack0
 peer 1.1.1.2 group Leaf
 peer 1.1.1.3 group Leaf
 #
 address-family l2vpn evpn // with a centralized gateway, undo policy vpn-target is not needed; it is required only if other Layer 2 VXLANs must be relayed through the Spine, or alternatively create the matching RD/RT for that VXLAN on the Spine
  peer Leaf enable
  peer Leaf reflect-client // the Spine also acts as the route reflector
#
 ip route-static vpn-instance Internet 0.0.0.0 0 100.1.1.1 // default route toward the Internet egress
 ip route-static vpn-instance DMZ 0.0.0.0 0 10.0.209.1 // default route toward the NAT-SERVER in the DMZ
#
return
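The VRF separation in this design only holds if every interface is bound to the VRF its OSPF process expects. The script below is an added example, not code from the original post: it parses the Comware `ospf` and `interface` blocks and reports any OSPF network statement that would enable no interface in its own VRF, the symptom of a wrong `ip binding vpn-instance` line. The embedded excerpt is constructed from this page's configuration with one deliberate binding error.

```python
import ipaddress
import re
# Constructed excerpt of this page's Border-Leaf config (Comware syntax) with one deliberate
# error: Vlan-interface13 is bound to Internet instead of Inside_Internet.
CONFIG = """\
ospf 2 router-id 10.0.13.1 vpn-instance Inside_Internet
 area 0.0.0.0
  network 10.0.13.0 0.0.0.3
  network 100.0.0.0 0.0.0.255
interface Vlan-interface13
 ip binding vpn-instance Internet
 ip address 10.0.13.1 255.255.255.252
interface Vsi-interface200
 ip binding vpn-instance Inside_Internet
 ip address 100.0.0.254 255.255.255.0
"""

def parse_config(text):
    # Collect OSPF processes (VRF + network ranges) and interfaces (VRF + address).
    ospf, ifaces, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line opens a block ('#' just ends one)
            if m := re.match(r"ospf (\d+)(?: .*vpn-instance (\S+))?", line):
                cur = ospf[m.group(1)] = {"vrf": m.group(2) or "", "networks": []}
            elif m := re.match(r"interface (\S+)", line):
                cur = ifaces[m.group(1)] = {"vrf": "", "addr": None}
            else:
                cur = None
        elif cur is None:
            continue
        elif m := re.match(r"network (\S+) (\S+)", line):  # address + wildcard (hostmask)
            cur["networks"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"ip binding vpn-instance (\S+)", line):
            cur["vrf"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ospf, ifaces

def check_vrf_consistency(ospf, ifaces):
    # A process only runs on interfaces in its own VRF; a network whose matches all sit elsewhere enables nothing.
    findings = []
    for pid, proc in ospf.items():
        for net in proc["networks"]:
            hits = [n for n, i in ifaces.items() if i["addr"] and i["addr"].ip in net]
            wrong = [n for n in hits if ifaces[n]["vrf"] != proc["vrf"]]
            if len(wrong) == len(hits):
                findings.append(f"ospf {pid} ({proc['vrf']}): {net} enables no interface in its VRF")
            findings += [f"ospf {pid} ({proc['vrf']}): {net} covers {n}, bound to {ifaces[n]['vrf']}" for n in wrong]
    return findings
```

Running `check_vrf_consistency(*parse_config(CONFIG))` on the excerpt reports the 10.0.13.0/30 statement of ospf 2 twice: once because it enables nothing in Inside_Internet and once naming Vlan-interface13 as the interface bound to the wrong VRF.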
