
CLI: Example for Configuring the Communication Between Virtual Systems

The FW uses virtual systems to manage departments separately, simplifying the configuration. This section describes how to implement communication between virtual systems.

Networking Requirements

As shown in Figure 1, a FW is deployed in area A of the large campus network as the access gateway. The network of area A comprises the R&D and non-R&D departments, which have different network access permissions. The requirements are as follows:

  • Only some employees in the R&D department can access the Internet, whereas all employees in the non-R&D department can access the Internet.
  • The R&D department is isolated from the non-R&D department, but specific employees in the two departments can communicate with each other.
  • The service volumes of the R&D and non-R&D departments are nearly the same. Therefore, the same virtual system resources are allocated to both.
Figure 1 Networking diagram of communication between virtual systems

Data Planning

vsysa

  • Virtual system name: vsysa
  • Outside interface: GE0/0/1
  • Outside interface IP address: 10.1.1.8/24
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/3
  • Inside interface IP address: 10.3.0.1/24
  • Private IP address range: 10.3.0.0/24
  • Security zone to which the inside interface belongs: Trust
  • IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10

vsysb

  • Virtual system name: vsysb
  • Outside interface: GE0/0/2
  • Outside interface IP address: 10.1.1.9/24
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/4
  • Inside interface IP address: 10.3.1.1/24
  • Private IP address range: 10.3.1.0/24
  • Security zone to which the inside interface belongs: Trust

Resource class

  • Name: r1
  • Reserved number of sessions: 10000
  • Maximum number of sessions: 50000
  • Users: 300
  • User groups: 10
  • Policies: 300
  • Outbound reserved bandwidth: 20 Mbps

Configuration Roadmap

  1. The public system administrator creates two virtual systems, vsysa and vsysb, and assigns resources to them.
  2. The public system administrator configures routes for the employees that can communicate.
  3. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysa.
  4. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.

Procedure

  1. The public system administrator creates virtual systems vsysa and vsysb and assigns resources to them.

    # Use the account of the public system administrator to log in to the FW.

    # Enable the virtual system function.

    <FW> system-view
    [FW] vsys enable

    # Configure a resource class.

    [FW] resource-class r1
    [FW-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
    [FW-resource-class-r1] resource-item-limit policy reserved-number 300
    [FW-resource-class-r1] resource-item-limit user reserved-number 300
    [FW-resource-class-r1] resource-item-limit user-group reserved-number 10
    [FW-resource-class-r1] resource-item-limit bandwidth 20 outbound
    [FW-resource-class-r1] quit

    # Create virtual systems and allocate resources to them.

    [FW] vsys name vsysa
    [FW-vsys-vsysa] assign resource-class r1
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/1
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/3
    [FW-vsys-vsysa] quit
    [FW] vsys name vsysb
    [FW-vsys-vsysb] assign resource-class r1
    [FW-vsys-vsysb] assign interface GigabitEthernet 0/0/2
    [FW-vsys-vsysb] assign interface GigabitEthernet 0/0/4
    [FW-vsys-vsysb] quit

    # Configure GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2. Set the interfaces as public interfaces for vsysa and vsysb.

    Bandwidth resource configurations in resource classes take effect only after the public interface is configured.

    In this example, the bandwidth used by intranet users to access the Internet must be limited. Set GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 as public interfaces so that all traffic from intranet users to the Internet is forwarded through a public interface; this is the outgoing direction. The public interface works together with the outbound bandwidth configured in the resource class to limit the bandwidth available to intranet users for Internet access.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] set public-interface
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] set public-interface
    [FW-GigabitEthernet0/0/2] quit

    # Set an IP address for the virtual interface Virtual-if0 on the public system and add the interface to the Trust zone. The IP address of Virtual-if0 can be any value as long as it does not conflict with the IP address on any other interface.

    [FW] interface Virtual-if 0
    [FW-Virtual-if0] ip address 172.16.0.1 24
    [FW-Virtual-if0] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface Virtual-if 0
    [FW-zone-trust] quit

  2. The public system administrator configures routes for the employees that can communicate.

    [FW] ip route-static vpn-instance vsysb 10.3.0.0 24 vpn-instance vsysa
    [FW] ip route-static vpn-instance vsysa 10.3.1.0 24 vpn-instance vsysb

  3. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysa.

    # The public system administrator configures interfaces for vsysa. The IP address of Virtual-if1 can be any value as long as it does not conflict with the IP address on any other interface.

    [FW] switch vsys vsysa
    <FW-vsysa> system-view
    [FW-vsysa] interface GigabitEthernet 0/0/1
    [FW-vsysa-GigabitEthernet0/0/1] ip address 10.1.1.8 24
    [FW-vsysa-GigabitEthernet0/0/1] quit
    [FW-vsysa] interface GigabitEthernet 0/0/3
    [FW-vsysa-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    [FW-vsysa-GigabitEthernet0/0/3] quit
    [FW-vsysa] interface Virtual-if 1
    [FW-vsysa-Virtual-if1] ip address 172.16.1.1 24
    [FW-vsysa-Virtual-if1] quit
    [FW-vsysa] firewall zone trust
    [FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-vsysa-zone-trust] quit
    [FW-vsysa] firewall zone untrust
    [FW-vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-vsysa-zone-untrust] quit
    [FW-vsysa] firewall zone dmz
    [FW-vsysa-zone-dmz] add interface Virtual-if1
    [FW-vsysa-zone-dmz] quit

    # The public system administrator configures a static route for vsysa to access the Internet.

    [FW-vsysa] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

    # The public system administrator configures an address set for vsysa.

    [FW-vsysa] ip address-set ipaddress1 type object
    [FW-vsysa-object-address-set-ipaddress1] address range 10.3.0.2 10.3.0.10
    [FW-vsysa-object-address-set-ipaddress1] quit

    # The public system administrator configures a security policy for vsysa. This rule allows intranet users in a specific address range (ipaddress1) to access the Internet. Packets from employees outside that range to the Internet match the default security policy and are denied.

    [FW-vsysa] security-policy
    [FW-vsysa-policy-security] rule name to_internet
    [FW-vsysa-policy-security-rule-to_internet] source-zone trust
    [FW-vsysa-policy-security-rule-to_internet] destination-zone untrust
    [FW-vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
    [FW-vsysa-policy-security-rule-to_internet] action permit
    [FW-vsysa-policy-security-rule-to_internet] quit

    # The public system administrator configures a rule for vsysa that allows the specified vsysa employees (10.3.0.20 to 10.3.0.30) to access the specified vsysb employees (10.3.1.20 to 10.3.1.30). Traffic to vsysb leaves through Virtual-if1, which is in the dmz zone.

    [FW-vsysa-policy-security] rule name to_vsysb
    [FW-vsysa-policy-security-rule-to_vsysb] source-zone trust
    [FW-vsysa-policy-security-rule-to_vsysb] destination-zone dmz
    [FW-vsysa-policy-security-rule-to_vsysb] source-address range 10.3.0.20 10.3.0.30
    [FW-vsysa-policy-security-rule-to_vsysb] destination-address range 10.3.1.20 10.3.1.30
    [FW-vsysa-policy-security-rule-to_vsysb] action permit
    [FW-vsysa-policy-security-rule-to_vsysb] quit

    # In the same security-policy view, the public system administrator configures the rule for the reverse direction, so that the specified vsysb employees (10.3.1.20 to 10.3.1.30) can access the specified vsysa employees (10.3.0.20 to 10.3.0.30). Traffic from vsysb arrives through Virtual-if1, that is, from the dmz zone.

    [FW-vsysa-policy-security] rule name to_vsysa
    [FW-vsysa-policy-security-rule-to_vsysa] source-zone dmz
    [FW-vsysa-policy-security-rule-to_vsysa] destination-zone trust
    [FW-vsysa-policy-security-rule-to_vsysa] source-address range 10.3.1.20 10.3.1.30
    [FW-vsysa-policy-security-rule-to_vsysa] destination-address range 10.3.0.20 10.3.0.30
    [FW-vsysa-policy-security-rule-to_vsysa] action permit
    [FW-vsysa-policy-security-rule-to_vsysa] quit
    [FW-vsysa-policy-security] quit

    # The public system administrator configures a NAT policy for vsysa.

    [FW-vsysa] nat-policy
    [FW-vsysa-policy-nat] rule name nat1
    [FW-vsysa-policy-nat-rule-nat1] source-zone trust
    [FW-vsysa-policy-nat-rule-nat1] egress-interface GigabitEthernet 0/0/1
    [FW-vsysa-policy-nat-rule-nat1] source-address address-set ipaddress1
    [FW-vsysa-policy-nat-rule-nat1] action source-nat easy-ip
    [FW-vsysa-policy-nat-rule-nat1] quit
    [FW-vsysa-policy-nat] quit

  4. The public system administrator configures IP addresses, routes, security policies, and NAT policies for vsysb.

    The configuration is similar to that of vsysa (the R&D department), except for the following:

      • The IP addresses of the outside and inside interfaces are different (10.1.1.9/24 on GE0/0/2 and 10.3.1.1/24 on GE0/0/4).
      • Only one security policy rule is needed to allow all IP addresses to access the Internet, plus two rules that allow the specified employees of the two departments to communicate.
      • The egress interface of the NAT policy must be set to GE0/0/2, and the source address must be left as any.

Verification

  • In the R&D department, use one PC that is allowed to access the Internet and one PC that is not, and try to access the Internet from both. If the results are as expected (the first PC succeeds and the second fails), the IP addresses, security policies, and NAT policies of vsysa are correctly configured.
  • Access the Internet from the non-R&D department. If the access succeeds, the IP addresses, security policies and NAT policies of vsysb are correctly configured.
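The two verification steps above test the policies from PCs. As an added offline check (example code written for this page, not part of Huawei's documentation or the FW), the following Python script parses the security-policy sections of the vsysa and vsysb configuration scripts from this example and evaluates a flow the way the FW does: the first matching rule wins, a flow that matches no rule hits the implicit default deny, Internet-bound traffic is checked once (Trust to Untrust in the source virtual system), and traffic to the other virtual system is checked twice (Trust to DMZ in the source virtual system, then DMZ to Trust in the destination, because the packet arrives there over Virtual-if, which is in the dmz zone). The Trust segments come from the data plan; only the security policies are modelled, not the NAT policy, the resource class or the inter-vsys routes, and the Internet address 203.0.113.10 used in the usage note is a constructed test value.

```python
from ipaddress import ip_address, ip_network

# Security-policy excerpts of the vsysa and vsysb configuration scripts from this example.
VSYSA_SCRIPT = """\
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
 rule name to_vsysb
  source-zone trust
  destination-zone dmz
  source-address range 10.3.0.20 10.3.0.30
  destination-address range 10.3.1.20 10.3.1.30
  action permit
 rule name to_vsysa
  source-zone dmz
  destination-zone trust
  source-address range 10.3.1.20 10.3.1.30
  destination-address range 10.3.0.20 10.3.0.30
  action permit
"""
VSYSB_SCRIPT = """\
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name to_vsysa
  source-zone trust
  destination-zone dmz
  source-address range 10.3.1.20 10.3.1.30
  destination-address range 10.3.0.20 10.3.0.30
  action permit
 rule name to_vsysb
  source-zone dmz
  destination-zone trust
  source-address range 10.3.0.20 10.3.0.30
  destination-address range 10.3.1.20 10.3.1.30
  action permit
"""

def parse_script(text):
    """Collect address sets and security-policy rules; a '#' line closes the current section."""
    sets, rules, current_set, rule, in_policy = {}, [], None, None, False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            current_set, rule, in_policy = None, None, False
        elif tok[:2] == ["ip", "address-set"]:
            current_set = sets.setdefault(tok[2], [])
        elif tok[0] == "address" and current_set is not None:  # 'address [id] range FIRST LAST'
            current_set.append(tuple(int(ip_address(a)) for a in tok[-2:]))
        elif tok[0] == "security-policy":
            in_policy = True  # rules of other sections (for example nat-policy) are ignored
        elif in_policy and tok[:2] == ["rule", "name"]:
            rules.append(rule := {"name": tok[2], "action": "permit"})  # no address key = any
        elif rule is not None and tok[0] in ("source-zone", "destination-zone", "action"):
            rule[tok[0]] = tok[1]
        elif rule is not None and tok[0] in ("source-address", "destination-address"):
            addrs = [tuple(int(ip_address(a)) for a in tok[2:4])] if tok[1] == "range" else sets[tok[2]]
            rule.setdefault(tok[0], []).extend(addrs)
    return rules

# Trust-side segment (from the data plan) and parsed security policy of each virtual system.
VSYS = {"vsysa": (ip_network("10.3.0.0/24"), parse_script(VSYSA_SCRIPT)),
        "vsysb": (ip_network("10.3.1.0/24"), parse_script(VSYSB_SCRIPT))}

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; a flow that matches no rule hits the implicit default deny."""
    s, d = int(ip_address(src_ip)), int(ip_address(dst_ip))
    for r in rules:
        zones_ok = r.get("source-zone") in (None, src_zone) and r.get("destination-zone") in (None, dst_zone)
        addrs_ok = all(k not in r or any(lo <= ip <= hi for lo, hi in r[k])
                       for k, ip in (("source-address", s), ("destination-address", d)))
        if zones_ok and addrs_ok:
            return r["action"], r["name"]
    return "deny", "default"

def flow_permitted(src_ip, dst_ip):
    """Return (verdict, trace): one lookup for Internet traffic, two hops (trust -> dmz at the
    source vsys, dmz -> trust at the destination vsys after Virtual-if) for inter-vsys traffic."""
    src_vsys, dst_vsys = (next((n for n, (net, _) in VSYS.items() if ip_address(ip) in net), None)
                          for ip in (src_ip, dst_ip))
    if src_vsys is None or src_vsys == dst_vsys:
        raise ValueError("only flows from an intranet segment to the Internet or the peer vsys are modelled")
    hops = ([(src_vsys, "trust", "untrust")] if dst_vsys is None
            else [(src_vsys, "trust", "dmz"), (dst_vsys, "dmz", "trust")])
    trace = []
    for vsys, in_zone, out_zone in hops:
        action, name = evaluate(VSYS[vsys][1], in_zone, out_zone, src_ip, dst_ip)
        trace.append(f"{vsys}:{name}:{action}")
        if action != "permit":
            return False, trace
    return True, trace
```

Calling `flow_permitted("10.3.0.5", "203.0.113.10")` returns `(True, ["vsysa:to_internet:permit"])`, while `flow_permitted("10.3.0.5", "10.3.1.25")` returns `(False, ["vsysa:default:deny"])`: the same R&D host may reach the Internet but is outside the 10.3.0.20 to 10.3.0.30 range permitted towards vsysb. A host that is permitted, such as `flow_permitted("10.3.0.25", "10.3.1.25")`, produces a two-entry trace because both virtual systems had to allow it; removing either inter-vsys rule from one script breaks that path, which is the check worth running whenever one of the two policies is edited.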

Configuration Scripts

Configuration script of the public system

#
 sysname FW
#
 vsys enable
#
resource-class r1
 resource-item-limit session reserved-number 10000 maximum 50000
 resource-item-limit policy reserved-number 300
 resource-item-limit user reserved-number 300
 resource-item-limit user-group reserved-number 10
 resource-item-limit bandwidth 20 outbound
#
vsys name vsysa 1
 assign resource-class r1
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/3
#
vsys name vsysb 2
 assign resource-class r1
 assign interface GigabitEthernet0/0/2
 assign interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/1
 set public-interface
#
interface GigabitEthernet0/0/2
 set public-interface
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Virtual-if0
#
 ip route-static vpn-instance vsysb 10.3.0.0 24 vpn-instance vsysa
 ip route-static vpn-instance vsysa 10.3.1.0 24 vpn-instance vsysb
#
return

Configuration script of vsysa

#
interface GigabitEthernet0/0/1
 ip address 10.1.1.8 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface Virtual-if1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
 rule name to_vsysb
  source-zone trust
  destination-zone dmz
  source-address range 10.3.0.20 10.3.0.30
  destination-address range 10.3.1.20 10.3.1.30
  action permit
 rule name to_vsysa
  source-zone dmz
  destination-zone trust
  source-address range 10.3.1.20 10.3.1.30
  destination-address range 10.3.0.20 10.3.0.30
  action permit
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/1
   source-address address-set ipaddress1
   action source-nat easy-ip
#
return

Configuration script of vsysb

#
interface GigabitEthernet0/0/2
 ip address 10.1.1.9 255.255.255.0
#
interface GigabitEthernet0/0/4
 ip address 10.3.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/4
#
firewall zone dmz
 set priority 50
 add interface Virtual-if2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name to_vsysa
  source-zone trust
  destination-zone dmz
  source-address range 10.3.1.20 10.3.1.30
  destination-address range 10.3.0.20 10.3.0.30
  action permit
 rule name to_vsysb
  source-zone dmz
  destination-zone trust
  source-address range 10.3.0.20 10.3.0.30
  destination-address range 10.3.1.20 10.3.1.30
  action permit
#
 nat-policy
  rule name nat1
   source-zone trust
   egress-interface GigabitEthernet0/0/2
   action source-nat easy-ip
#
return
Copyright © Huawei Technologies Co., Ltd.