1. 实验拓扑

2. 基本配置

a. 接入配置：创建VPN实例、获取地址等

SW1:
#
vlan batch 10 20 30 40
#
ip vpn-instance a
 ipv4-family
  route-distinguisher 1:1
#
ip vpn-instance b
 ipv4-family
  route-distinguisher 1:2
#
interface Vlanif10
 ip binding vpn-instance a
 ip address 192.168.1.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.1.2
#
interface Vlanif20
 ip binding vpn-instance b
 ip address 192.168.2.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.1.2.2
#
interface Vlanif30
 ip binding vpn-instance a
 ip address 10.1.1.1 255.255.255.0
#
interface Vlanif40
 ip binding vpn-instance b
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#

AR1:
#
ip vpn-instance a
 ipv4-family
  route-distinguisher 1:1
#
ip vpn-instance b
 ipv4-family
  route-distinguisher 1:2
#
ip pool a
 vpn-instance a
 gateway-list 192.168.1.254
 network 192.168.1.0 mask 255.255.255.0
#
ip pool b
 vpn-instance b
 gateway-list 192.168.2.254
 network 192.168.2.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0.10
 dot1q termination vid 30
 ip binding vpn-instance a
 ip address 10.1.1.2 255.255.255.0
 arp broadcast enable
 dhcp select global
#
interface GigabitEthernet0/0/0.20
 dot1q termination vid 40
 ip binding vpn-instance b
 ip address 10.1.2.2 255.255.255.0
 arp broadcast enable
 dhcp select global
#

AR2:
#
interface GigabitEthernet0/0/0
 ip address 10.1.12.2 255.255.255.0
#

b. OSPF：与防火墙对接、与出口对接

AR1:
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 100
 ip binding vpn-instance a
 ip address 64.1.1.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 101
 ip binding vpn-instance b
 ip address 64.1.2.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/2.1
 dot1q termination vid 102
 ip address 64.1.3.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/2.2
 dot1q termination vid 103
 ip address 64.1.4.1 255.255.255.0
 arp broadcast enable
#
#
ospf 1
 area 0.0.0.0
  network 10.1.12.0 0.0.0.255
  network 64.1.3.0 0.0.0.255
  network 64.1.4.0 0.0.0.255
#
ospf 2 vpn-instance a
 vpn-instance-capability simple
 area 0.0.0.2
  network 10.1.1.0 0.0.0.255
  network 64.1.1.0 0.0.0.255
#
ospf 3 vpn-instance b
 vpn-instance-capability simple
 area 0.0.0.3
  network 10.1.2.0 0.0.0.255
  network 64.1.2.0 0.0.0.255
#

FW1:
#
vsys name a 1
 assign interface GigabitEthernet1/0/0.1
 assign interface GigabitEthernet1/0/1.1
#
vsys name b 2
 assign interface GigabitEthernet1/0/0.2
 assign interface GigabitEthernet1/0/1.2
#
ip vpn-instance a
 ipv4-family
 ipv6-family
#
ip vpn-instance b
 ipv4-family
 ipv6-family
#
interface GigabitEthernet1/0/0.1
 vlan-type dot1q 100
 ip binding vpn-instance a
 ip address 64.1.1.2 255.255.255.0
 alias GE1/0/0.1
#
interface GigabitEthernet1/0/0.2
 vlan-type dot1q 101
 ip binding vpn-instance b
 ip address 64.1.2.2 255.255.255.0
 alias GE1/0/0.2
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.1
 vlan-type dot1q 102
 ip binding vpn-instance a
 ip address 64.1.3.2 255.255.255.0
 alias GE1/0/1.1
#
interface GigabitEthernet1/0/1.2
 vlan-type dot1q 103
 ip binding vpn-instance b
 ip address 64.1.4.2 255.255.255.0
 alias GE1/0/1.2
#
interface Virtual-if0
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.2 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.1.3 255.255.255.0
#
ospf 2 vpn-instance a
 vpn-instance-capability simple
 area 0.0.0.0
  network 64.1.3.0 0.0.0.255
 area 0.0.0.2
  network 64.1.1.0 0.0.0.255
#
ospf 3 vpn-instance b
 vpn-instance-capability simple
 area 0.0.0.0
  network 64.1.4.0 0.0.0.255
 area 0.0.0.3
  network 64.1.2.0 0.0.0.255
#

AR2:
#
ospf 1
 default-route-advertise always
 area 0.0.0.0
  network 10.1.12.0 0.0.0.255
#

3. 结果验证

a. OSPF邻居是否建立
b. 是否能ping通外网

4. 总结

a. 使用vpn-instance隔离内网的两个网段，并使用基于vpn-instance的DHCP来获取地址。
b. 使用OSPF让路由器AR1和防火墙进行对接：最终让路由器的area 0（public区域）与防火墙的area 0（vpn a和vpn b）建立邻居，让路由从vpn-instance实例表传到路由器的public表。这样vpn a和vpn b也可以互访，而且互访流量需要经过防火墙，从而可以对业务进行管控。需要注意，上面FW1的配置只包含vsys、接口和OSPF，并未包含安全区域和安全策略；防火墙默认会拒绝跨区域的流量，因此还需要在每个vsys中把接口加入安全区域并配置相应的安全策略，否则结果验证中的ping无法通过，"经过防火墙进行管控"也无从谈起。
c. 此案例在园区网很常见，大家可以好好学习。