防火墙旁挂引流

拓扑

网络规划

LSW2

VLAN10:10.0.10.254/24

VLAN20:10.0.20.254/24

VLAN100:10.0.100.254/24

VLAN200:10.0.200.254/24

LSW1:VLAN10

FW1

G1/0/0:10.0.100.253/24

G1/0/1:10.0.200.253/24

R1

G0/0/0:10.0.20.253/24

G0/0/3:192.168.10.254/24

配置

LSW2

vlan batch 10 20 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
acl number 3000
 rule 5 permit ip source 10.0.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.0.10.0 0.0.0.255
#
traffic classifier in10 operator and
 if-match acl 3000
traffic classifier in192 operator and
 if-match acl 3001
#
traffic behavior int10
 redirect ip-nexthop 10.0.100.253
 permit
traffic behavior int192
 redirect ip-nexthop 10.0.200.253
 permit
#
traffic policy p1
 classifier in10 behavior int10
traffic policy p2
 classifier in192 behavior int192
#
interface Vlanif10
 ip address 10.0.10.254 255.255.255.0
#
interface Vlanif20
 ip address 10.0.20.254 255.255.255.0
#
interface Vlanif100
 ip address 10.0.100.254 255.255.255.0
#
interface Vlanif200
 ip address 10.0.200.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-policy p1 inbound
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 20
 traffic-policy p2 inbound
#
ospf 100
 area 0.0.0.0
  network 10.0.10.0 0.0.0.255
  network 10.0.100.0 0.0.0.255
#
ospf 200
 area 0.0.0.0
  network 10.0.20.0 0.0.0.255
  network 10.0.200.0 0.0.0.255
#

FW1

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.100.253 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.200.253 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/6
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
ospf 100
 area 0.0.0.0
  network 10.0.100.0 0.0.0.255
#
ospf 200
 area 0.0.0.0
  network 10.0.200.0 0.0.0.255
#

R1

#
interface GigabitEthernet0/0/0
 ip address 10.0.20.253 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 192.168.10.254 255.255.255.0
#
ospf 200
 area 0.0.0.0
  network 10.0.20.0 0.0.0.255
  network 192.168.10.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#

验证

验证时需注意：LSW2 只对命中 ACL 3000/3001 的 10.0.10.0/24 与 192.168.10.0/24 之间的流量做重定向，其余跨 VLAN 流量不经过 FW1；在 FW1 上可用 `display firewall session table` 确认该流量正反向均经由 G1/0/0（trust）与 G1/0/1（untrust）建立了会话。本文 FW1 配置中未列出 trust 与 untrust 之间的安全策略，需确认已放行对应流量，否则引流后的报文会被防火墙丢弃。

Q.E.D.