实验拓扑:
点击查看大图
这个拓扑中,中间的PIX配置三个虚拟防火墙,Ethernet0连接到一个3550交换机的TRUNK端口,分别接到三个不同的VLAN,外口Ethernet1连接到Internet,试验中可以使用一台路由器代替。
由于这里Ethernet0是和交换机的TRUNK端口相连,来接收不同VLAN的流量,所以这里使用子接口为TRUNK去VLAN标签,并将这些子接口分配给各个虚拟防火墙,是内部各个VLAN都能访问Internet
首先配置3550交换机:
interface FastEthernet0/2
switchport access vlan 2
!
interface FastEthernet0/3
switchport access vlan 3
!
interface FastEthernet0/4
switchport access vlan 4
!
interface FastEthernet0/10 //和PIX的Ethernet0口相连
switchport trunk encapsulation dot1q //PIX的默认的TRUNK类型就是dot1q
switchport trunk allowed vlan 2,3,4
switchport mode trunk
PIX的配置:
changeto system:
interface Ethernet0
!
interface Ethernet0.2
vlan 2 //为子接口进行封装,去VLAN标签
interface Ethernet0.3
vlan 3
interface Ethernet0.4
vlan 4
!
interface Ethernet1
!
admin-context admin
context admin
allocate-interface Ethernet0.2 Intf1 //分配E0.2子接口到虚拟防火墙admin,别名是Intf1
allocate-interface Ethernet1 Intf0 //分配接口E1到虚拟防火墙admin,别名是Intf0
config-url flash:/admin.cfg
!
context DepartmentA
allocate-interface Ethernet0.3 Intf1
allocate-interface Ethernet1 Intf0
config-url flash:/DepartmentA.cfg
!
context DepartmentB
allocate-interface Ethernet0.4 Intf1
allocate-interface Ethernet1 Intf0
config-url flash:/DepartmentB.cfg
changeto context admin:
interface Intf1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Intf0
mac-address 00aa.0000.01c1
nameif outside
security-level 0
ip address 192.168.1.10 255.255.255.0
changeto context DepartmentA:
interface Intf1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Intf0
mac-address 00aa.0000.01c2
nameif outside
security-level 0
ip address 192.168.1.11 255.255.255.0
changeto context DepartmentB:
interface Intf1
nameif inside
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Intf0
mac-address 00aa.0000.01c3
nameif outside
security-level 0
ip address 192.168.1.12 255.255.255.0
最后在试验中代替Internet的路由器上进行验证:
点击查看大图
成功ping通每个虚拟接口上配置的IP地址。
注意:
因为当前E1只有一个MAC地址,2层数据帧在到达防火墙E1口时,将不知道如何将数据帧发给谁,需要在C1、C2的E1接口上指定不同的MAC地址来分类流量。