某金融数据中心隔离网实施案例

一、物理网络拓扑

二、建设原则

2.1、隔离网采用fabirc组网架构，spine节点采用两台独立组网。border-leaf和server-leaf通过点到点 full mesh和spine互联

2.2、spine设备链接server-leaf border-leaf nas-leaf

2.3、borde上旁挂，FW和负载均衡，并且连接到外网核心和运管核心

2.4、border-leaf旁挂两对FW和SLB，分别对应互联网VPC和外联网VPC

三、逻辑网络架构

3.1、隔离区为单租户，多vpc场景，业务vpc规划有外联网vpc，互联网vpc。vpc绑定同一个VRF-OUT的外部网络

3.2、规划单独的NAS kernal vpc,用于宿主机访问NAS,NAS vpc不绑定外部网络。仅在fabric内部通信

3.3、隔离网但对为互联网、外联网vpc规划物理FW和负载均衡。FW和BL通过vbdif接口互联，负载均衡和web代理服务器通过逻辑接口接入fabric网络

四、通过模拟器模拟隔离网组网

部分重要配置

​4.1spine节点配置​

接口配置

interface GE1/0/0

undo portswitch

undo shutdown

ip address 10.1.1.1 255.255.255.252

ospf network-type p2p

#

interface GE1/0/1

undo portswitch

undo shutdown

ip address 10.1.1.5 255.255.255.252

ospf network-type p2p

interface GE1/0/8

undo portswitch

undo shutdown

ip address 10.1.1.9 255.255.255.252

ospf network-type p2p

#

interface LoopBack0

ip address 1.1.1.1 255.255.255.255

IGP路由协议配置

#

ospf 10 router-id 1.1.1.1

area 0.0.0.0

 network 1.1.1.1 0.0.0.0

 network 10.1.1.1 0.0.0.0

 network 10.1.1.5 0.0.0.0

 network 10.1.1.9 0.0.0.0

BGP路由协议配置

bgp 1

router-id 1.1.1.1

peer 2.2.2.2 as-number 1

peer 2.2.2.2 connect-interface LoopBack0

peer 3.3.3.3 as-number 1

peer 3.3.3.3 connect-interface LoopBack0

peer 4.4.4.4 as-number 1

peer 4.4.4.4 connect-interface LoopBack0

#

ipv4-family unicast

 peer 2.2.2.2 enable

 peer 3.3.3.3 enable

 peer 4.4.4.4 enable

#

l2vpn-family evpn

 undo policy vpn-target

 peer 2.2.2.2 enable

 peer 2.2.2.2 advertise irb

 peer 2.2.2.2 reflect-client

 peer 3.3.3.3 enable

 peer 3.3.3.3 advertise irb

 peer 3.3.3.3 reflect-client

 peer 4.4.4.4 enable

 peer 4.4.4.4 advertise irb

 peer 4.4.4.4 reflect-client

​4.2、server-leaf1配置​

evpn-overlay enable

#

ip vpn-instance 800-DC01-DMZ-ECN-IN

ipv4-family

 route-distinguisher 10:1001

 vpn-target 0:1001 export-extcommunity

 vpn-target 0:1001 export-extcommunity evpn

 vpn-target 0:1001 import-extcommunity

 vpn-target 0:1001 import-extcommunity evpn

vxlan vni 1001

#

ip vpn-instance 800-DC01-DMZ-INT-IN

description 800-CSLM_800-DC01-DMZ-INT

ipv4-family

 route-distinguisher 10:1000

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:1000 export-extcommunity evpn

 vpn-target 0:1000 import-extcommunity

 vpn-target 0:1000 import-extcommunity evpn

vxlan vni 1000

#

bridge-domain 2102

vxlan vni 122102

evpn

 route-distinguisher 10:122102

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:122102 export-extcommunity

 vpn-target 0:122102 import-extcommunity

arp broadcast-suppress enable

arp l2-proxy gateway-mac

#

bridge-domain 2202

vxlan vni 122202

evpn

 route-distinguisher 10:122202

 vpn-target 0:122202 export-extcommunity

 vpn-target 0:1001 export-extcommunity

 vpn-target 0:122202 import-extcommunity

arp broadcast-suppress enable

arp l2-proxy gateway-mac

#

interface Vbdif2102

ip binding vpn-instance 800-DC01-DMZ-INT-IN

ip address 214.8.11.254 255.255.252.0

mac-address 0000-5e00-0011

vxlan anycast-gateway enable

arp collect host enable

#

interface Vbdif2202

ip binding vpn-instance 800-DC01-DMZ-ECN-IN

ip address 214.8.43.254 255.255.252.0

mac-address 0000-5e00-0010

vxlan anycast-gateway enable

arp collect host enable

#

interface GE1/0/0.2102 mode l2

encapsulation dot1q vid 2102

bridge-domain 2102

#

interface GE1/0/0.2202 mode l2

encapsulation dot1q vid 2202

bridge-domain 2202

#

interface GE1/0/9

undo portswitch

undo shutdown

ip address 10.1.1.2 255.255.255.252

ospf network-type p2p

#

interface LoopBack0

ip address 2.2.2.2 255.255.255.255

#

interface Nve1

source 2.2.2.2

vni 122102 head-end peer-list protocol bgp

vni 122202 head-end peer-list protocol bgp

bgp 1

router-id 2.2.2.2

peer 1.1.1.1 as-number 1

peer 1.1.1.1 connect-interface LoopBack0

#

ipv4-family unicast

 peer 1.1.1.1 enable

#

ipv4-family vpn-instance 800-DC01-DMZ-ECN-IN

 default-route imported

 import-route direct

 import-route static

 advertise l2vpn evpn

#

ipv4-family vpn-instance 800-DC01-DMZ-INT-IN

 default-route imported

 import-route direct

 import-route static

 advertise l2vpn evpn

#

l2vpn-family evpn

 policy vpn-target

 peer 1.1.1.1 enable

 peer 1.1.1.1 advertise irb

#

ospf 10 router-id 2.2.2.2

area 0.0.0.0

 network 2.2.2.2 0.0.0.0

 network 10.1.1.2 0.0.0.0

​4.3、server-leaf2配置​

evpn-overlay enable

#

ip vpn-instance 800-DC01-DMZ-ECN-IN

description 800-CSLM_800-DC01-DMZ-ECN

ipv4-family

 route-distinguisher 9:1001

 vpn-target 0:1001 export-extcommunity

 vpn-target 0:1001 export-extcommunity evpn

 vpn-target 0:1001 import-extcommunity

 vpn-target 0:1001 import-extcommunity evpn

vxlan vni 1001

#

ip vpn-instance 800-DC01-DMZ-INT-IN

description 800-CSLM_800-DC01-DMZ-INT

ipv4-family

 route-distinguisher 9:1000

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:1000 export-extcommunity evpn

 vpn-target 0:1000 import-extcommunity

 vpn-target 0:1000 import-extcommunity evpn

vxlan vni 1000

#

bridge-domain 2102

vxlan vni 122102

evpn

 route-distinguisher 9:122102

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:122102 export-extcommunity

 vpn-target 0:122102 import-extcommunity

arp broadcast-suppress enable

arp l2-proxy gateway-mac

#

bridge-domain 2202

vxlan vni 122202

evpn

 route-distinguisher 9:122202

 vpn-target 0:122202 export-extcommunity

 vpn-target 0:1001 export-extcommunity

 vpn-target 0:122202 import-extcommunity

arp broadcast-suppress enable

arp l2-proxy gateway-mac

#

#

interface Vbdif2102

ip binding vpn-instance 800-DC01-DMZ-INT-IN

ip address 214.8.11.254 255.255.252.0

mac-address 0000-5e00-0011

vxlan anycast-gateway enable

arp collect host enable

#

interface Vbdif2202

ip binding vpn-instance 800-DC01-DMZ-ECN-IN

ip address 214.8.43.254 255.255.252.0

mac-address 0000-5e00-0010

vxlan anycast-gateway enable

arp collect host enable

#

interface GE1/0/0.2102 mode l2

encapsulation dot1q vid 2102

bridge-domain 2102

#

interface GE1/0/0.2202 mode l2

encapsulation dot1q vid 2202

bridge-domain 2202

interface GE1/0/9

undo portswitch

undo shutdown

ip address 10.1.1.6 255.255.255.252

ospf network-type p2p

#

interface LoopBack0

ip address 3.3.3.3 255.255.255.255

#

interface Nve1

source 3.3.3.3

vni 122102 head-end peer-list protocol bgp

vni 122202 head-end peer-list protocol bgp

#

bgp 1

router-id 3.3.3.3

peer 1.1.1.1 as-number 1

peer 1.1.1.1 connect-interface LoopBack0

#

ipv4-family unicast

 peer 1.1.1.1 enable

#

ipv4-family vpn-instance 800-DC01-DMZ-ECN-IN

 default-route imported

 import-route direct

 import-route static

 advertise l2vpn evpn

#

ipv4-family vpn-instance 800-DC01-DMZ-INT-IN

 default-route imported

 import-route direct

 import-route static

 advertise l2vpn evpn

#

l2vpn-family evpn

 policy vpn-target

 peer 1.1.1.1 enable

 peer 1.1.1.1 advertise irb

#

ospf 10 router-id 3.3.3.3

area 0.0.0.0

 network 3.3.3.3 0.0.0.0

 network 10.1.1.6 0.0.0.0

4.4、border-leaf配置

evpn-overlay enable

#

ip vpn-instance 800-DC01-DMZ-ECN-IN

description 800-CSLM_800-DC01-DMZ-ECN

ipv4-family

 route-distinguisher 3:1001

 vpn-target 0:1001 export-extcommunity

 vpn-target 0:1001 export-extcommunity evpn

 vpn-target 0:1001 import-extcommunity

 vpn-target 0:1001 import-extcommunity evpn

vxlan vni 1001

#

ip vpn-instance 800-DC01-DMZ-INT-IN

description 800-CSLM_800-DC01-DMZ-INT

ipv4-family

 route-distinguisher 3:1000

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:1000 export-extcommunity evpn

 vpn-target 0:1000 import-extcommunity

 vpn-target 0:1000 import-extcommunity evpn

vxlan vni 1000

#

ip vpn-instance 800-DC01-DMZ-OUT

description NAAS_800-DC01-DMZ-OUT

ipv4-family

 route-distinguisher 3:1000000

 vpn-target 800:1 export-extcommunity

 vpn-target 800:1 export-extcommunity evpn

 vpn-target 800:1 import-extcommunity

 vpn-target 800:1 import-extcommunity evpn

vxlan vni 1000000

bridge-domain 5000

vxlan vni 1000001

evpn

 route-distinguisher 3:1000001

 vpn-target 0:1000001 export-extcommunity

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:1000001 import-extcommunity

arp broadcast-suppress enable

#

bridge-domain 5001

vxlan vni 1000002

evpn

 route-distinguisher 3:1000002

 vpn-target 0:1000002 export-extcommunity

 vpn-target 800:1 export-extcommunity

 vpn-target 0:1000002 import-extcommunity

arp broadcast-suppress enable

#

bridge-domain 5002

vxlan vni 1000003

evpn

 route-distinguisher 3:1000003

 vpn-target 0:1000003 export-extcommunity

 vpn-target 0:1001 export-extcommunity

 vpn-target 0:1000003 import-extcommunity

arp broadcast-suppress enable

arp l2-proxy gateway-mac

#

bridge-domain 5003

description ECN_OUT

vxlan vni 1000004

evpn

 route-distinguisher 3:1000004

 vpn-target 800:1 export-extcommunity

 vpn-target 0:1000004 export-extcommunity

 vpn-target 0:1000004 import-extcommunity

arp broadcast-suppress enable

#

bridge-domain 5004

vxlan vni 1000005

evpn

 route-distinguisher 3:1000005

 vpn-target 0:1000005 export-extcommunity

 vpn-target 0:1000 export-extcommunity

 vpn-target 0:1000005 import-extcommunity

arp broadcast-suppress enable

#

interface Vbdif5000

description INT_IN_TO_FW

ip binding vpn-instance 800-DC01-DMZ-INT-IN

ip address 55.9.48.1 255.255.255.248

vxlan anycast-gateway enable

arp collect host enable

#

interface Vbdif5001

description INT_OUT_TO_FW

ip binding vpn-instance 800-DC01-DMZ-OUT

ip address 55.13.48.1 255.255.255.248

vxlan anycast-gateway enable

arp collect host enable

#

interface Vbdif5002

description ECN_IN_TO_FW

ip binding vpn-instance 800-DC01-DMZ-ECN-IN

ip address 55.9.80.1 255.255.255.248

vxlan anycast-gateway enable

arp collect host enable

#

interface Vbdif5003

description ECN_OUT_TO_FW

ip binding vpn-instance 800-DC01-DMZ-OUT

ip address 55.13.48.17 255.255.255.248

vxlan anycast-gateway enable

arp collect host enable

#

interface GE1/0/7

undo portswitch

description To_DC01-EBON-CS01-4FJFBF13_FortyGige0/0/1

undo shutdown

ip binding vpn-instance 800-DC01-DMZ-OUT

ip address 55.13.32.2 255.255.255.252

ospf network-type p2p

#

interface GE1/0/8

undo portswitch

undo shutdown

ip address 10.1.1.10 255.255.255.252

ospf network-type p2p

#

interface GE1/0/9

undo shutdown

#

interface GE1/0/9.2000 mode l2

encapsulation dot1q vid 1112

bridge-domain 5002

#

interface GE1/0/9.2001 mode l2

encapsulation dot1q vid 1011

bridge-domain 5001

#

interface GE1/0/9.2002 mode l2

encapsulation dot1q vid 1012

bridge-domain 5003

#

interface GE1/0/9.2003 mode l2

encapsulation dot1q vid 1111

bridge-domain 5000

#

interface LoopBack0

ip address 4.4.4.4 255.255.255.255

#

interface LoopBack115

ip binding vpn-instance 800-DC01-DMZ-OUT

ip address 115.1.1.1 255.255.255.255

#

interface Nve1

source 4.4.4.4

vni 1000000 head-end peer-list protocol bgp

vni 1000001 head-end peer-list protocol bgp

vni 1000002 head-end peer-list protocol bgp

vni 1000003 head-end peer-list protocol bgp

vni 1000004 head-end peer-list protocol bgp

vni 1000005 head-end peer-list protocol bgp

vni 1000006 head-end peer-list protocol bgp

#

bgp 1

router-id 4.4.4.4

peer 1.1.1.1 as-number 1

peer 1.1.1.1 connect-interface LoopBack0

#

ipv4-family unicast

 peer 1.1.1.1 enable

#

ipv4-family vpn-instance 800-DC01-DMZ-ECN-IN

 default-route imported

 import-route static

 advertise l2vpn evpn

#

ipv4-family vpn-instance 800-DC01-DMZ-INT-IN

 default-route imported

 import-route static

 advertise l2vpn evpn

#

ipv4-family vpn-instance 800-DC01-DMZ-OUT

 default-route imported

 import-route static

 advertise l2vpn evpn

#

l2vpn-family evpn

 policy vpn-target

 peer 1.1.1.1 enable

 peer 1.1.1.1 advertise irb

#

ospf 10 router-id 4.4.4.4

area 0.0.0.0

 network 4.4.4.4 0.0.0.0

 network 10.1.1.10 0.0.0.0

#

ospf 100 router-id 4.4.4.4 vpn-instance 800-DC01-DMZ-OUT

import-route direct

import-route static

area 0.0.0.0

 network 55.13.32.2 0.0.0.0

 network 115.1.1.1 0.0.0.0

route-policy VRF_OUT_staticTospfv2 permit node 10

if-match tag 101

#

route-policy VRF_OUT_staticTospfv2 permit node 20

if-match tag 102

#

route-policy VRF_OUT_staticTospfv2 permit node 30

if-match tag 302

apply cost 1000

#

route-policy VRF_OUT_staticTospfv2 deny node 1000

#

ip route-static vpn-instance 800-DC01-DMZ-ECN-IN 0.0.0.0 0.0.0.0 55.9.80.6

ip route-static vpn-instance 800-DC01-DMZ-INT-IN 0.0.0.0 0.0.0.0 55.9.48.6

ip route-static vpn-instance 800-DC01-DMZ-OUT 214.8.8.0 255.255.252.0 55.13.48.6 description INT_ROUTE

ip route-static vpn-instance 800-DC01-DMZ-OUT 214.8.40.0 255.255.252.0 55.13.48.22 tag 102

​4.4防火墙配置​（模拟器没有部署两台物理墙，通过划分虚拟系统的方式模拟外联FW和互联网FW）

vlan batch 1011 to 1012 1111 to 1112

vsys enable

resource-class r0

#

#

vsys name ECN_FW 1

description 外联防火墙

assign resource-class r0

assign vlan 1012

assign vlan 1112

#

vsys name INT_FW 2

description 外联网防火墙

assign resource-class r0

assign vlan 1011

assign vlan 1111

#

ip vpn-instance ECN_FW

ipv4-family

ipv6-family

#

ip vpn-instance INT_FW

ipv4-family

ipv6-family

#

ip vpn-instance default

ipv4-family

#

interface Vlanif1011

ip binding vpn-instance INT_FW

ip address 55.13.48.6 255.255.255.248

alias Vlanif1011

service-manage ping permit

#

interface Vlanif1012

ip binding vpn-instance ECN_FW

ip address 55.13.48.22 255.255.255.248

alias Vlanif1012

service-manage ping permit

#

interface Vlanif1111

ip binding vpn-instance INT_FW

ip address 55.9.48.6 255.255.255.248

alias Vlanif1111

service-manage ping permit

#

interface Vlanif1112

ip binding vpn-instance ECN_FW

ip address 55.9.80.6 255.255.255.248

alias Vlanif1112

service-manage ping permit

interface GigabitEthernet0/0/0

undo shutdown

ip address 192.168.6.100 255.255.255.0

alias GE0/METH

service-manage http permit

service-manage https permit

service-manage ping permit

service-manage ssh permit

service-manage snmp permit

service-manage telnet permit

interface GigabitEthernet1/0/6

portswitch

undo shutdown

port link-type trunk

port trunk allow-pass vlan 1011 to 1012 1111 to 1112

​switch vsys ECN_FW​

#

acl number 3000

description "Acl for Quintuple Packet Capture"

rule 0 permit ip destination 114.1.1.1 0

rule 1 permit ip source 114.1.1.1 0

#

interface Vlanif1012

ip binding vpn-instance ECN_FW

ip address 55.13.48.22 255.255.255.248

alias Vlanif1012

service-manage ping permit

#

interface Vlanif1112

ip binding vpn-instance ECN_FW

ip address 55.9.80.6 255.255.255.248

alias Vlanif1112

service-manage ping permit

firewall zone trust

set priority 85

add interface Vlanif1012

#

firewall zone untrust

set priority 5

add interface Vlanif1112

#

security-policy

rule name ECN_ANY

 action permit

ip route-static 0.0.0.0 0.0.0.0 55.13.48.17

ip route-static 214.8.32.0 255.255.224.0 55.9.80.1 description ECN_YW

#

#

​switch vsys INT_FW​

#

interface Vlanif1011

ip binding vpn-instance INT_FW

ip address 55.13.48.6 255.255.255.248

alias Vlanif1011

service-manage ping permit

#

interface Vlanif1111

ip binding vpn-instance INT_FW

ip address 55.9.48.6 255.255.255.248

alias Vlanif1111

service-manage ping permit

#

firewall zone trust

set priority 85

add interface Vlanif1111

#

firewall zone untrust

set priority 5

add interface Vlanif1011

#

security-policy

rule name INT_ANY

 action permit

ip route-static 0.0.0.0 0.0.0.0 55.13.48.1

ip route-static 214.8.8.0 255.255.252.0 55.9.48.1 des INT-YW

五、业务验证

同一个vpc内的服务器互通

ping网关

ping PC1

验证外联网vpc和外部网络的互通情况115.1.1.1模拟的外部网络

互联网vpc内部互通

和网关互通情况

和外部网络互通

不通vpc之间是相互隔离的（外联网ping互联网）