1. Network Requirements

PPPoE (a non-IP protocol) runs between Router1 and Router2. The firewall sits between the two routers as a virtual wire pair, and Router1's PPPoE dial-up must keep working through it.

2. Network Topology

3. Configuration Points

1. Basic configuration of Router1 and Router2

2. Configure the firewall's port1 and port2 as a virtual wire pair

3. Observe the PPPoE dial-up behaviour with the default settings

4. Configure l2forward to fix forwarding of non-IP traffic


4. Procedure and Verification

1. Basic configuration of Router1 and Router2

Basic configuration of Router1 (PPPoE Client):

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
no ip address
no shutdown
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
encapsulation ppp
dialer pool 1
ppp pap sent-username pppoeuser1 password 0 fortinet
ppp ipcp route default

Basic configuration of Router2 (PPPoE Server):

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
username pppoeuser1 password 0 fortinet
!
bba-group pppoe bba1
virtual-template 1
!       
interface Loopback1
ip address 202.100.2.1 255.255.255.0
!
interface Ethernet0/0
no ip address
no shutdown
pppoe enable group bba1
!
interface Virtual-Template1
description PPPOE bba1
mtu 1492
ip unnumbered Loopback1
peer default ip address pool pool1
ppp authentication pap
!
ip local pool pool1 202.100.2.2 202.100.2.100

2. Configure the firewall's port1 and port2 as a virtual wire pair

With the firewall in route (NAT) mode, create the virtual wire pair directly: add port1 and port2 as members and enable wildcard VLAN so that VLAN-tagged frames are recognised (enabling wildcard VLAN is recommended).

Once the virtual wire pair is up, port1 and port2 can be regarded as passing traffic transparently between each other (a firewall policy must still allow the traffic).

The equivalent CLI:

config system virtual-wire-pair
    edit "VWP1"
        set member "port1" "port2"
        set wildcard-vlan enable
    next
end


3. Observe the PPPoE dial-up behaviour with the default settings

Router1 (PPPoE Client) cannot complete the PPPoE dial-up:
Router1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0

Router1#
Router1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES manual up                    up     
Ethernet0/1                unassigned      YES unset  administratively down down   
Ethernet0/2                unassigned      YES unset  administratively down down   
Ethernet0/3                unassigned      YES unset  administratively down down   
Dialer1                    unassigned      YES IPCP   up                    up     
Loopback0                  1.1.1.1         YES manual up                    up     
Virtual-Access1            unassigned      YES unset  up                    up     
Virtual-Access2            unassigned      YES unset  down                  down
 
A packet capture on the FGT shows that the PPPoE frames arrive on port1 but are never sent out of port2, i.e. the FGT does not forward them:
FortiGate_VWP # diagnose sniffer packet any "pppoed" 4
interfaces=[any]
filters=[pppoed]
4.124126 port1 in pppoe printer hasn't been added to sniffer
37.014209 port1 in pppoe printer hasn't been added to sniffer
69.908430 port1 in pppoe printer hasn't been added to sniffer
102.798634 port1 in pppoe printer hasn't been added to sniffer
135.705063 port1 in pppoe printer hasn't been added to sniffer


By default the FGT does not forward non-IP traffic such as PPPoE.

4. Configure l2forward to fix forwarding of non-IP traffic

How is this resolved?
Configure set l2forward enable under each member interface of the virtual wire pair on the FGT, which lets the pair forward non-IP layer-2 frames such as PPPoE:

FortiGate_VWP # config system interface
FortiGate_VWP (interface) # edit port1
FortiGate_VWP (port1) # set l2forward enable

FortiGate_VWP (port1) # next
FortiGate_VWP (interface) # edit port2
FortiGate_VWP (port2) # set l2forward enable
FortiGate_VWP (port2) # end

Capture again: the FGT now forwards the PPPoE frames in both directions (each "in" on one member is followed by an "out" on the other):
FortiGate_VWP # diagnose sniffer packet any "pppoed" 4
interfaces=[any]
filters=[pppoed]
5.324865 port2 in pppoe printer hasn't been added to sniffer
5.324880 port1 out pppoe printer hasn't been added to sniffer
5.325468 port1 in pppoe printer hasn't been added to sniffer
5.325474 port2 out pppoe printer hasn't been added to sniffer
7.420329 port2 in pppoe printer hasn't been added to sniffer
7.420342 port1 out pppoe printer hasn't been added to sniffer
7.425307 port1 in pppoe printer hasn't been added to sniffer
7.425313 port2 out pppoe printer hasn't been added to sniffer
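The before/after captures differ in one observable way: with l2forward disabled every PPPoE frame is seen only as "in" on port1, while after the fix each "in" on one member of the pair is matched by an "out" on the other. The following script, an added example that is not part of the original article or of any FortiGate tooling, parses lines in the format of `diagnose sniffer packet any "pppoed" 4` and reports whether the virtual wire pair is actually passing PPPoE through; the sample lines are constructed to mirror the two captures above, and the member names port1/port2 are assumed.

```python
import re

# Constructed sample captures, in the format of `diagnose sniffer packet any "pppoed" 4`.
CAPTURE_BEFORE = """\
4.124126 port1 in pppoe printer hasn't been added to sniffer
37.014209 port1 in pppoe printer hasn't been added to sniffer
"""
CAPTURE_AFTER = """\
5.324865 port2 in pppoe printer hasn't been added to sniffer
5.324880 port1 out pppoe printer hasn't been added to sniffer
5.325468 port1 in pppoe printer hasn't been added to sniffer
5.325474 port2 out pppoe printer hasn't been added to sniffer
"""

# timestamp, interface, direction, then the protocol name printed by the sniffer
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+pppoe\b")


def parse_capture(text):
    """Return (timestamp, interface, direction) tuples for every PPPoE line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m["ts"]), m["iface"], m["dir"]))
    return events


def passthrough_report(text, pair=("port1", "port2"), window=0.05):
    """For each PPPoE frame received on one member of the virtual wire pair,
    look for a matching transmit on the other member within `window` seconds.
    Each 'out' event is consumed once so it cannot satisfy two 'in' events."""
    events = parse_capture(text)
    pending_out = [(ts, iface) for ts, iface, d in events if d == "out"]
    seen_in, forwarded, dropped_on = 0, 0, set()
    for ts, iface, d in events:
        if d != "in" or iface not in pair:
            continue
        seen_in += 1
        peer = pair[1] if iface == pair[0] else pair[0]
        match = next((o for o in pending_out
                      if o[1] == peer and 0 <= o[0] - ts <= window), None)
        if match is None:
            dropped_on.add(iface)       # ingress member needs l2forward
        else:
            pending_out.remove(match)
            forwarded += 1
    return {"seen_in": seen_in, "forwarded": forwarded,
            "dropped_on": sorted(dropped_on),
            "passthrough": seen_in > 0 and forwarded == seen_in}
```

Running `passthrough_report(CAPTURE_BEFORE)` flags port1 as the member that receives PPPoE without forwarding it, while `passthrough_report(CAPTURE_AFTER)` reports full passthrough.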


Router1's PPPoE dial-up now succeeds:
Router1#show ppp all      
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2          LCP+ IPCP+ CDPCP-     LocalT   202.100.2.1                    

Router1#
Router1#show pppoe session
     1 client session

Uniq ID  PPPoE  RemMAC          Port                    VT  VA         State
           SID  LocMAC                                      VA-st      Type
    N/A      2  aabb.cc00.2000  Et0/0                   Di1 Vi2        UP     
                aabb.cc00.6000                              UP             

Router1#
Router1#show  ip route    
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 202.100.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 202.100.2.1
      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      202.100.2.0/32 is subnetted, 2 subnets
C        202.100.2.1 is directly connected, Dialer1
C        202.100.2.3 is directly connected, Dialer1

Router1#
Router1#show ip int brief 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES manual up                    up     
Ethernet0/1                unassigned      YES unset  administratively down down   
Ethernet0/2                unassigned      YES unset  administratively down down   
Ethernet0/3                unassigned      YES unset  administratively down down   
Dialer1                    202.100.2.3     YES IPCP   up                    up     
Loopback0                  1.1.1.1         YES manual up                    up     
Virtual-Access1            unassigned      YES unset  up                    up     
Virtual-Access2            unassigned      YES unset  up                    up