

Configure the switches and the firewall so that the clients can reach the firewall

Configure each client's IP address and default gateway (the gateway is the client-VLAN Vlanif address on its switch: 10.10.20.254, 10.10.30.254 or 10.10.40.254).

SW1 (VLAN 20 faces the clients, VLAN 21 is the uplink to the firewall's GigabitEthernet1/0/0)

system-view
sysname SW1
vlan batch 20 21
interface Vlanif 20
ip address 10.10.20.254 24
interface Vlanif 21
ip address 10.10.21.253 24
interface GigabitEthernet 0/0/2
port link-type hybrid
port hybrid untagged vlan 20
port hybrid pvid vlan 20
interface GigabitEthernet 0/0/1
port link-type hybrid
port hybrid untagged vlan 21
port hybrid pvid vlan 21
quit
ip route-static 0.0.0.0 0 10.10.21.254

SW2 (VLAN 30 faces the clients, VLAN 31 is the uplink to the firewall's GigabitEthernet1/0/1)

system-view
sysname SW2
vlan batch 30 31
interface Vlanif 30
ip address 10.10.30.254 24
interface Vlanif 31
ip address 10.10.31.253 24
interface GigabitEthernet 0/0/2
port link-type hybrid
port hybrid untagged vlan 30
port hybrid pvid vlan 30
interface GigabitEthernet 0/0/1
port link-type hybrid
port hybrid untagged vlan 31
port hybrid pvid vlan 31
quit
ip route-static 0.0.0.0 0 10.10.31.254

SW3 (VLAN 40 faces the clients, VLAN 41 is the uplink to the firewall's GigabitEthernet1/0/2)

system-view
sysname SW3
vlan batch 40 41
interface Vlanif 40
ip address 10.10.40.254 24
interface Vlanif 41
ip address 10.10.41.253 24
interface GigabitEthernet 0/0/2
port link-type hybrid
port hybrid untagged vlan 40
port hybrid pvid vlan 40
interface GigabitEthernet 0/0/1
port link-type hybrid
port hybrid untagged vlan 41
port hybrid pvid vlan 41
quit
ip route-static 0.0.0.0 0 10.10.41.254

FW (root system)

system-view
sysname FW

Permit_ALL allows every flow through the root system. It keeps the lab simple; outside a lab it must be replaced by explicit rules, because the vsys isolation below is only as strong as the policy in each system.
security-policy
rule name Permit_ALL
action permit
quit
quit

Enable virtual systems and assign one physical interface to each; an interface belongs to exactly one vsys.
vsys enable
vsys name A
assign interface GigabitEthernet 1/0/0
vsys name B
assign interface GigabitEthernet 1/0/2
vsys name C
assign interface GigabitEthernet 1/0/1

Inside each vsys, add a static route to the client subnet behind its switch; the next hop is the switch's uplink Vlanif address. After switch vsys you land in the vsys user view, so system-view is needed again; return brings you back to the vsys user view and quit leaves the vsys for the root system view.
return
system-view
switch vsys A
system-view
ip route-static 10.10.20.0 24 10.10.21.253
return
quit
switch vsys B
system-view
ip route-static 10.10.40.0 24 10.10.41.253
return
quit
switch vsys C
system-view
ip route-static 10.10.30.0 24 10.10.31.253

Configure the inside of each virtual firewall, and set up forwarding between them on the root firewall

FW (per-vsys configuration)

Each vsys owns a Virtual-if interface (Virtual-if1, 2 and 3 were created with vsys A, B and C) that carries traffic to and from the other virtual systems. Both the physical interface and the Virtual-if must be placed in a security zone, otherwise no policy can match the cross-vsys traffic.

return
quit
switch vsys A
system-view
interface Virtual-if 1
ip address 22.22.22.22 32
interface GigabitEthernet 1/0/0
ip address 10.10.21.254 24
quit

firewall zone trust
add interface GigabitEthernet 1/0/0
add interface Virtual-if 1
quit
security-policy
rule name Permit_ALL
action permit
return
quit
switch vsys B
system-view
interface Virtual-if 2
ip address 44.44.44.44 32
interface GigabitEthernet 1/0/2
ip address 10.10.41.254 24
quit

firewall zone trust
add interface GigabitEthernet 1/0/2
add interface Virtual-if 2
quit
security-policy
rule name Permit_ALL
action permit
return
quit
switch vsys C
system-view
interface Virtual-if 3
ip address 33.33.33.33 32
interface GigabitEthernet 1/0/1
ip address 10.10.31.254 24
quit

firewall zone trust
add interface GigabitEthernet 1/0/1
add interface Virtual-if 3
quit
security-policy
rule name Permit_ALL
action permit

FW (root system: cross-vsys routing)

return
quit
Cross-vsys static routes are configured in the root system. Syntax: ip route-static vpn-instance <source vsys> <destination network> <mask> vpn-instance <next-hop vsys>.
Step 1: from the source vsys, send the destination network through the transit vsys C.
ip route-static vpn-instance A 10.10.40.0 255.255.255.0 vpn-instance C
ip route-static vpn-instance B 10.10.20.0 255.255.255.0 vpn-instance C

Step 2: from the transit vsys C, send each destination network on to the vsys that owns it.
ip route-static vpn-instance C 10.10.40.0 255.255.255.0 vpn-instance B
ip route-static vpn-instance C 10.10.20.0 255.255.255.0 vpn-instance A

With these routes, traffic between 10.10.20.0/24 and 10.10.40.0/24 crosses three virtual systems (A -> C -> B, and B -> C -> A on the way back). Extended cross-vsys forwarding is what lets a flow traverse more than two virtual systems, so it is required for this path:
firewall forward cross-vsys extended

Note that 10.10.30.0/24 behind vsys C is reachable from neither A nor B, because no route for it is injected into those systems; C only acts as transit. Check each vsys with display ip routing-table after switch vsys, ping between a client behind SW1 and one behind SW3, and confirm the flow with display firewall session table in every vsys it passes through.
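To see why the last command is needed, the following added example (not part of the original lab, and not firewall output) models the routing tables above and traces a packet from one client subnet to another through the virtual systems. The tables are transcribed from the configuration on this page; the rule that a flow may cross at most two virtual systems unless extended mode is on (DEFAULT_MAX_VSYS) is my assumption about the purpose of firewall forward cross-vsys extended.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Per-vsys routing tables transcribed from the configuration above (constructed
# data, not captured from a firewall). A next hop is an IPv4 address (route leaves
# the firewall toward a switch), "direct" (connected subnet), or ("vsys", name):
# a cross-vsys route from the root system hands the packet to that vsys.
NextHop = Union[str, Tuple[str, str]]
ROUTES: Dict[str, List[Tuple[str, NextHop]]] = {
    "A": [
        ("10.10.21.0/24", "direct"),        # GigabitEthernet1/0/0, 10.10.21.254/24
        ("10.10.20.0/24", "10.10.21.253"),   # ip route-static inside vsys A
        ("10.10.40.0/24", ("vsys", "C")),    # root: vpn-instance A ... vpn-instance C
    ],
    "B": [
        ("10.10.41.0/24", "direct"),        # GigabitEthernet1/0/2, 10.10.41.254/24
        ("10.10.40.0/24", "10.10.41.253"),   # ip route-static inside vsys B
        ("10.10.20.0/24", ("vsys", "C")),    # root: vpn-instance B ... vpn-instance C
    ],
    "C": [
        ("10.10.31.0/24", "direct"),        # GigabitEthernet1/0/1, 10.10.31.254/24
        ("10.10.30.0/24", "10.10.31.253"),   # ip route-static inside vsys C
        ("10.10.40.0/24", ("vsys", "B")),    # root: vpn-instance C ... vpn-instance B
        ("10.10.20.0/24", ("vsys", "A")),    # root: vpn-instance C ... vpn-instance A
    ],
}

# A packet enters the vsys that owns the interface it arrives on. Each switch
# default-routes to 10.10.x1.254, so the client subnet and the uplink subnet
# behind that switch both enter the same vsys.
INGRESS: Dict[str, List[str]] = {
    "A": ["10.10.20.0/24", "10.10.21.0/24"],
    "B": ["10.10.40.0/24", "10.10.41.0/24"],
    "C": ["10.10.30.0/24", "10.10.31.0/24"],
}

# Assumption: without 'firewall forward cross-vsys extended' a flow may traverse
# at most this many virtual systems.
DEFAULT_MAX_VSYS = 2


def lookup(vsys: str, dst: str) -> Optional[NextHop]:
    """Longest-prefix match in one vsys table; None means no route (dropped)."""
    addr = ipaddress.ip_address(dst)
    best_len, best_nh = -1, None
    for prefix, nh in ROUTES[vsys]:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_nh = net.prefixlen, nh
    return best_nh


def ingress_vsys(src: str) -> str:
    """Which vsys first sees a packet from src."""
    addr = ipaddress.ip_address(src)
    for vsys, prefixes in INGRESS.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return vsys
    raise ValueError(f"{src} is not behind any firewall interface")


def trace(src: str, dst: str, extended: bool = True) -> Tuple[List[str], Optional[str]]:
    """Follow a packet from src to dst through the vsys route tables.

    Returns (vsys traversed in order, exit next hop). The next hop is None when
    the packet is dropped: no route, or too many vsys hops in default mode.
    """
    path = [ingress_vsys(src)]
    while True:
        nh = lookup(path[-1], dst)
        if nh is None:
            return path, None
        if not isinstance(nh, tuple):           # leaves the firewall toward a switch
            return path, nh
        nxt = nh[1]
        if nxt in path:
            raise RuntimeError(f"cross-vsys routing loop: {path + [nxt]}")
        path.append(nxt)
        if not extended and len(path) > DEFAULT_MAX_VSYS:
            return path, None


def needs_extended(src: str, dst: str) -> bool:
    """True if the flow crosses more than DEFAULT_MAX_VSYS virtual systems."""
    path, _ = trace(src, dst, extended=True)
    return len(path) > DEFAULT_MAX_VSYS


if __name__ == "__main__":
    for s, d in [("10.10.20.1", "10.10.40.1"), ("10.10.40.1", "10.10.20.1"),
                 ("10.10.20.1", "10.10.30.1")]:
        print(s, "->", d, trace(s, d), "extended needed:", needs_extended(s, d))
```

Running it shows the A -> C -> B path and its symmetric return path, that the same flow is dropped at the third vsys when extended mode is off, and that a client behind SW2 (vsys C) is unreachable from vsys A because no route for 10.10.30.0/24 was injected there.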