1. Case topology diagram (AR2 and the FW both run the OSPF protocol)
2. Main configuration of the core device AR2
2.1 AR2
#
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255 //match the traffic to be policy-routed: any packet whose source is in 192.168.1.0/24 (the wildcard 0.0.0.255 covers the whole subnet, not one host)
#
traffic classifier liu operator or
 if-match acl 2000
#
traffic behavior liu
 redirect ip-nexthop 2.1.1.6 //matched packets are sent to next hop 2.1.1.6, toward the firewall, instead of the next hop the routing table would choose
#
traffic policy liu
 classifier liu behavior liu
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.5 255.255.255.252
 traffic-policy liu inbound //the policy is applied in the inbound direction, i.e. to packets arriving on this interface
#
2.2 Key point (it held me up for a long time): AR2 runs two OSPF processes, and an OSPF process only installs routes from its own link-state database, so if no default route is advertised the two processes never learn each other's service addresses. Advertising a default route from each process gives both sides a route to everything.
ospf 1
 default-route-advertise always //both processes must advertise a default route
ospf 2
 default-route-advertise always
The always keyword makes the process originate the default-route LSA even when AR2 itself has no default route in its routing table. The alternative to a default route is to redistribute between the two processes with import-route ospf <process-id> in each OSPF view, which exchanges the specific prefixes instead.
3. Key firewall configuration
3.1 Security policy
security-policy
 rule name trust-local
  source-zone trust
  destination-zone local
  action permit
 rule name local-trust
  source-zone local
  destination-zone trust
  action permit
 rule name untrust-local
  source-zone untrust
  destination-zone local
  action permit
 rule name local-untrust
  source-zone local
  destination-zone untrust
  action permit
 rule name pc-server
  source-address 192.168.1.1 mask 255.255.255.255
  destination-address 10.1.1.1 mask 255.255.255.255
  action permit
The four zone-pair rules only allow traffic to and from the firewall itself (the local zone); they are what let OSPF between AR2 and the FW come up. Transit traffic is permitted by pc-server alone, and it names a single host, while acl 2000 on AR2 redirects the whole 192.168.1.0/24 subnet to the firewall: any other host in that subnet is redirected and then dropped by the firewall's default deny.
3.2 Firewall interface security zones
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
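The following is an added example, not code from the original page: a small Python model of the two filtering steps configured above, the AR2 policy-based routing in 2.1 (acl 2000, traffic policy liu) and the firewall security policy in 3.1 with the zones from 3.2, so their interaction can be checked on constructed packets before it is checked on the devices. It assumes, as the page does not state, that the firewall evaluates rules top-down with first match winning and denies whatever no rule matches, that a packet's zone is derived from the interface it enters or leaves on and that "local" is the firewall itself; the sample flows at the bottom are constructed.

```python
"""Model of acl 2000 + traffic policy "liu" on AR2 and of the firewall
security policy; added example, not code from the original page.
Assumed (not on the page): top-down first-match rule evaluation with a
default deny, zones derived from the ingress/egress interface, "local" =
the firewall itself."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


# ---- AR2 side: acl 2000 / traffic classifier / redirect ip-nexthop ----

def acl_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL semantics: a wildcard bit of 1 means "do not care", so
    'rule 5 permit source 192.168.1.0 0.0.0.255' matches all of
    192.168.1.0/24, not a single host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


ACL_2000 = [("permit", "192.168.1.0", "0.0.0.255")]  # rule 5 on the page
REDIRECT_NEXTHOP = "2.1.1.6"                          # redirect ip-nexthop


def ar2_next_hop(src: str, routed_next_hop: str) -> str:
    """traffic-policy liu inbound on GE0/0/0: a packet whose source acl 2000
    permits is redirected to 2.1.1.6; anything else keeps the next hop the
    routing table chose (passed in as routed_next_hop)."""
    for action, base, wildcard in ACL_2000:
        if acl_wildcard_match(src, base, wildcard):
            return REDIRECT_NEXTHOP if action == "permit" else routed_next_hop
    return routed_next_hop


# ---- Firewall side: firewall zone / security-policy ----

ZONE_OF_INTERFACE = {  # section 3.2
    "GigabitEthernet0/0/0": "trust",
    "GigabitEthernet1/0/0": "untrust",
}


def zone_of(interface: Optional[str]) -> str:
    """No interface means the packet is sent by or addressed to the firewall
    itself, i.e. the built-in 'local' zone (assumed mapping)."""
    return "local" if interface is None else ZONE_OF_INTERFACE[interface]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str]   # None: originated by the firewall
    out_if: Optional[str]  # None: terminates on the firewall


@dataclass(frozen=True)
class Rule:
    """One 'rule name ...' block; None means 'any'. Addresses use CIDR,
    the page's 'x.x.x.x mask 255.255.255.255' being the /32 case."""
    name: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None
    action: str = "permit"

    def matches(self, pkt: Packet) -> bool:
        if self.src_zone and zone_of(pkt.in_if) != self.src_zone:
            return False
        if self.dst_zone and zone_of(pkt.out_if) != self.dst_zone:
            return False
        if self.src_addr and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_addr):
            return False
        if self.dst_addr and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_addr):
            return False
        return True


SECURITY_POLICY = [  # section 3.1, in configured order
    Rule("trust-local", src_zone="trust", dst_zone="local"),
    Rule("local-trust", src_zone="local", dst_zone="trust"),
    Rule("untrust-local", src_zone="untrust", dst_zone="local"),
    Rule("local-untrust", src_zone="local", dst_zone="untrust"),
    Rule("pc-server", src_addr="192.168.1.1/32", dst_addr="10.1.1.1/32"),
]


def firewall_verdict(pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; with no match the default policy (deny)
    applies. Returns (deciding rule, action)."""
    for rule in SECURITY_POLICY:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "default", "deny"


if __name__ == "__main__":
    # Constructed flows: the PC 192.168.1.1 and a neighbour 192.168.1.2 both
    # fall inside acl 2000, but only .1 is named in rule pc-server.
    for src in ("192.168.1.1", "192.168.1.2"):
        hop = ar2_next_hop(src, routed_next_hop="routing-table")
        pkt = Packet(src, "10.1.1.1", "GigabitEthernet0/0/0", "GigabitEthernet1/0/0")
        print(f"{src} -> 10.1.1.1: AR2 next hop {hop}; firewall {firewall_verdict(pkt)}")
```

Running it shows both hosts redirected to 2.1.1.6 by AR2 while only 192.168.1.1 is permitted by pc-server; 192.168.1.2 falls through to the default deny. Editing ACL_2000 or SECURITY_POLICY to the values of your own topology and re-running the constructed flows is a quick way to catch this kind of scope mismatch before it shows up as a mysterious drop.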