CLI: Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Having Independent WAN Interfaces)

The FW functions as the access gateway of the office area of a large campus network to protect the intranet. The intranet has multiple service departments, and the administrator configures virtual systems for each department to implement independent management over department networks.

Networking Requirements

As shown in Figure 1, a FW is deployed in area of the large campus network as the gateway. The network of area A comprises the R&D and non-R&D departments, and the two departments have different network access permissions. Requirements are as follows:

Some employees in the R&D department can access the Internet, and all employees in the non-R&D department can access the Internet.
The R&D and non-R&D departments are isolated from each other and cannot communicate.
The service volumes of the R&D and non-R&D departments are nearly the same. Therefore, the same virtual system resources are allocated to them.

Figure 1 Networking diagram of network isolation (Layer-3 access, virtual systems having independent WAN interfaces)

Data Planning

Item	Data	Description
vsysa	Virtual system name: vsysa Outside interface: GE0/0/1 Outside interface IP address: 10.1.1.8/24 Security zone to which the outside interface belongs: Untrust Inside interface: GE0/0/3 Inside interface IP address: 10.3.0.1/24 Private IP address range: 10.3.0.0/24 Security zone to which the inside interface belongs: Trust IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10	-
vsysb	Virtual system name: vsysb Outside interface: GE0/0/2 Outside interface IP address: 10.1.1.9/24 Security zone to which the outside interface belongs: Untrust Inside interface: GE0/0/4 Inside interface IP address: 10.3.1.1/24 Private IP address range: 10.3.1.0/24 Security zone to which the inside interface belongs: Trust	-
Resource class	Name: r1 Reserved Number for session: 10000 Maximum Number for session: 50000 User: 300 User Group: 10 Policy: 300 Outbound Reserved Bandwidth: 20 Mbps	-

Configuration Roadmap

The public system administrator creates two virtual systems vsysa, and vsysb, assigns resources.
The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysa.
The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.

Procedure

The public system administrator creates virtual systems vsysa, and vsysb, and assigns resources to them.

# Use the account of the public system administrator to log in to the FW.

# Enable the virtual system function.

<FW> system-view
[FW] vsys enable

# Configure a resource class.

[FW] resource-class r1
[FW-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
[FW-resource-class-r1] resource-item-limit policy reserved-number 300
[FW-resource-class-r1] resource-item-limit user reserved-number 300
[FW-resource-class-r1] resource-item-limit user-group reserved-number 10
[FW-resource-class-r1] resource-item-limit bandwidth 20 outbound
[FW-resource-class-r1] quit

# Create virtual systems and allocate resources to them.

[FW] vsys name vsysa
[FW-vsys-vsysa] assign resource-class r1
[FW-vsys-vsysa] assign interface GigabitEthernet 0/0/1
[FW-vsys-vsysa] assign interface GigabitEthernet 0/0/3
[FW-vsys-vsysa] quit
[FW] vsys name vsysb
[FW-vsys-vsysb] assign resource-class r1
[FW-vsys-vsysb] assign interface GigabitEthernet 0/0/2
[FW-vsys-vsysb] assign interface GigabitEthernet 0/0/4
[FW-vsys-vsysb] quit

# Configure public interface.

[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] set public-interface
[FW-GigabitEthernet0/0/1] quit
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet0/0/2] set public-interface
[FW-GigabitEthernet0/0/2] quit

The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysa.

# The public system administrator configures interfaces for vsysa.

[FW] switch vsys vsysa
<FW-vsysa> system-view
[FW-vsysa] interface GigabitEthernet 0/0/1
[FW-vsysa-GigabitEthernet0/0/1] ip address 10.1.1.8 24
[FW-vsysa-GigabitEthernet0/0/1] quit
[FW-vsysa] interface GigabitEthernet 0/0/3
[FW-vsysa-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-vsysa-GigabitEthernet0/0/3] quit
[FW-vsysa] firewall zone trust
[FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/3
[FW-vsysa-zone-trust] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-vsysa-zone-untrust] quit

# The public system administrator configures a static route for vsysa.

[FW-vsysa] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

# The public system administrator configures an address set for vsysa.

[FW-vsysa] ip address-set ipaddress1 type object
[FW-vsysa-object-address-set-ipaddress1] address range 10.3.0.2 10.3.0.10
[FW-vsysa-object-address-set-ipaddress1] quit

# The public system administrator configures a security policy for vsysa. This security policy allows intranet users of a specific network segment to access the Internet.

[FW-vsysa] security-policy                 
[FW-vsysa-policy-security] rule name to_internet            
[FW-vsysa-policy-security-rule-to_internet] source-zone trust
[FW-vsysa-policy-security-rule-to_internet] destination-zone untrust 
[FW-vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
[FW-vsysa-policy-security-rule-to_internet] action permit          
[FW-vsysa-policy-security-rule-to_internet] quit

# The public system administrator configures a security policy for vsysa. This security policy prohibits all employees from accessing the Internet. The priority of this policy is lower than that of the previous policy, and therefore no address range needs to be specified.

[FW-vsysa-policy-security] rule name to_internet2  
[FW-vsysa-policy-security-rule-to_internet2] source-zone trust 
[FW-vsysa-policy-security-rule-to_internet2] destination-zone untrust 
[FW-vsysa-policy-security-rule-to_internet2] action deny
[FW-vsysa-policy-security-rule-to_internet2] quit
[FW-vsysa-policy-security] quit

# The public system administrator configures a NAT policy for vsysa.

[FW-vsysa] nat-policy
[FW-vsysa-policy-nat] rule name nat1
[FW-vsysa-policy-nat-rule-nat1] source-zone trust
[FW-vsysa-policy-nat-rule-nat1] egress-interface GigabitEthernet 0/0/1
[FW-vsysa-policy-nat-rule-nat1] source-address address-set ipaddress1
[FW-vsysa-policy-nat-rule-nat1] action source-nat easy-ip
[FW-vsysa-policy-nat-rule-nat1] quit
[FW-vsysa-policy-nat] quit

The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.
The configuration is similar to that of the R&D department except the following:
- The IP address of the inside interface is different.
- You do not need to create an IP address range for the non-R&D department. You only need to configure a security policy to allow all IP addresses to access the Internet.
- The outbound interface of the NAT policy must be set to GE0/0/2, and the source address must be set to any.

Verification

Use a PC that is allowed to access the Internet and a PC that is not allowed to access the Internet from the R&D department and use the PCs to access the Internet. If the results are as expected, the IP addresses, security policies and NAT policies of vsysa are correctly configured.
Access the Internet from the non-R&D department. If the access succeeds, the IP addresses, security policies and NAT policies of vsysb are correctly configured.

Configuration Scripts

Configuration script of the public system

#
 sysname FW
# 
 vsys enable 
# 
resource-class r1    
 resource-item-limit session reserved-number 10000 maximum 50000
 resource-item-limit policy reserved-number 300      
 resource-item-limit user reserved-number 300     
 resource-item-limit user-group reserved-number 10 
  resource-item-limit bandwidth 20 outbound 
# 
vsys name vsysa 1    
 assign resource-class r1      
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/3 
#                    
vsys name vsysb 2    
 assign resource-class r1        
 assign interface GigabitEthernet0/0/2
 assign interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/1
 set public-interface
#
interface GigabitEthernet0/0/2
 set public-interface
#  
return

Configuration script of vsysa

#
interface GigabitEthernet0/0/1
 ip address 10.1.1.8 255.255.255.0
# 
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#                    
firewall zone trust  
 set priority 85     
 add interface GigabitEthernet0/0/3
#                    
firewall zone untrust
 set priority 5      
 add interface GigabitEthernet0/0/1
#
ip address-set ipaddress1 type object 
 address 0 range 10.3.0.2 10.3.0.10   
#  
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#                    
security-policy      
 rule name to_internet
  source-zone trust  
  destination-zone untrust
  source-address address-set ipaddress1 
  action permit      
 rule name to_internet2 
  source-zone trust  
  destination-zone untrust  
  action deny 
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/1
   source-address address-set ipaddress1
   action source-nat easy-ip
#    
return

Configuration script of vsysb

#
interface GigabitEthernet0/0/2
 ip address 10.1.1.9 255.255.255.0
# 
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
#                    
firewall zone trust  
 set priority 85     
 add interface GigabitEthernet0/0/4
#                    
firewall zone untrust
 set priority 5      
 add interface GigabitEthernet0/0/2
#  
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#                    
security-policy      
 rule name to_internet
  source-zone trust  
  destination-zone untrust
  action permit
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/2
   action source-nat easy-ip
#    
return