情况一:
两台F5040直连,分别将两个防火墙的接口设置为二层,启用trunk模式,允许所有vlan通过, 建立vpn实例test,设置RD10:10,建vlan801,进入int vlan 801 ,绑定vpn实例,防火墙设置分别为ip 192.168.1.10 24 192.168.1.20 24
安全域加入二层接口带vlan801 加入vlan801
情况二:
两台F5040直连,两个防火墙的接口默认三层,route模式,防火墙设置分别为ip 192.168.1.10 24 192.168.1.20 24,接口加入安全域后可以互ping通,建立vpn实例test,设置RD10:10,接口绑定绑定vpn实例后,互ping不通。
安全域加入三层接口
问题:可以ping通自己。ping不通对方 方法为ping -vpn-instance name ip-address
(0)
 
									
									 
									
									
FW01:
#interface Vlan-interface801
ip binding vpn-instance test
ip address 192.168.1.10 255.255.255.0
#
[FW]dis cur int g 1/0/8
#
interface GigabitEthernet1/0/8
port link-mode bridge
port trunk permit vlan all
#
ip vpn-instance test
route-distinguisher 10:10
#
[FW]dis cur int vlan 801
#
interface Vlan-interface801
ip binding vpn-instance test
ip address 192.168.1.10 255.255.255.0
#
[FW]dis security-zone name Trust
Name: Trust
Members:
Vlan-interface801
  GigabitEthernet1/0/8 in VLAN 801
#
zone-pair security source Local destination Trust
packet-filter 3005
#
zone-pair security source Trust destination Local
packet-filter 3005
#
[FW]dis acl 3005
Advanced IPv4 ACL 3005, 1 rule,
ACL's step is 5
rule 0 permit ip (56 times matched)
FW02:
#
ip vpn-instance test
route-distinguisher 10:10
#
interface Vlan-interface801
ip binding vpn-instance test
ip address 192.168.1.20 255.255.255.0
#
interface GigabitEthernet1/0/8
port link-mode bridge
port trunk permit vlan all
#
dis acl 3005
Advanced IPv4 ACL 3005, 1 rule,
ACL's step is 5
rule 0 permit ip (56 times matched)
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 3000
#
#
(0)
acl里面的vpn-instance
 
	 
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明