流量拓扑如下
测试流量R1—>FW1---->FW2—>R2
防火墙FW1和FW2走的是二层流量,通过华为交换机上配vlan ip走三层流量。
通过华为交换机配置vpn实例,把华为交换机一分为二,通过ip配置路由走三层
配置如下
新建vpn实例
ip vpn-instance test
ipv4-family
route-distinguisher 100:1
配置vlan ip
interface Vlanif151
ip address 161.1.1.2 255.255.255.0
interface Vlanif152
ip address 161.1.2.1 255.255.255.0
vlan接口绑定vpn实例
interface Vlanif153
ip binding vpn-instance test
ip address 161.1.2.2 255.255.255.0
interface Vlanif154
ip binding vpn-instance test
ip address 161.1.3.2 255.255.255.0
接口绑定vlan
interface 10GE1/0/19
port default vlan 151
port-isolate enable group 1
device transceiver 10GBASE-FIBER
interface 10GE1/0/20
port default vlan 154
port-isolate enable group 1
device transceiver 10GBASE-FIBER
interface 10GE1/0/21
port default vlan 152
port-isolate enable group 1
device transceiver 10GBASE-FIBER
interface 10GE1/0/22
port default vlan 153
port-isolate enable group 1
device transceiver 10GBASE-FIBER
配置路由
ip route-static 8.1.0.0 255.255.0.0 161.1.1.1
ip route-static 8.2.0.0 255.255.0.0 161.1.2.2
配置实例路由
ip route-static vpn-instance test 8.1.0.0 255.255.0.0 161.1.2.1
ip route-static vpn-instance test 8.2.0.0 255.255.0.0 161.1.3.1
可以通过以下命令查看配置路由表
display ip routing-table
display ip routing-table vpn-instance test
个人理解实现原理相当于配置了虚拟路由器把不同vlan隔离开来,要通就需要走路由。