#
# Layer 2 ACL behind classifier M_B_ARP: the frames the redirect policies pass through untouched
# and the deny_M_B_ARP policy drops on the ACG/IPS ports.
# rule 0  : destination MAC with first octet 01. The mask ff00-0000-0000 compares only that octet,
#           so IPv6 multicast (33-33-xxxx-xxxx) and other odd-first-octet group MACs are NOT matched.
# rule 5  : the broadcast MAC (exact match, mask all ones).
# rule 10 : EtherType 0x0806 (ARP).
acl number 4000
description M_B_ARP
rule 0 permit dest-mac 0100-0000-0000 ff00-0000-0000
rule 5 permit dest-mac ffff-ffff-ffff ffff-ffff-ffff
rule 10 permit type 0806 ffff
#
# ACL 3800 ("up_all"): IPv4 packets sourced from 172.16.10.0/24 (wildcard 0.0.0.255) - the
# user-to-upstream direction.
acl number 3800
description up_all
rule 0 permit ip source 172.16.10.0 0.0.0.255
#
# ACL 3801 ("down_all"): IPv4 packets destined to 172.16.10.0/24 - the return direction.
acl number 3801
description down_all
rule 0 permit ip destination 172.16.10.0 0.0.0.255
#
#
# Each classifier ANDs an IP ACL with the service VLAN the frame arrived in, so the same two ACLs
# steer a different leg of the path depending on which device the frame is coming from.
# up1: 172.16.10.0/24-sourced traffic in VLAN 100 (the user VLAN, gateway 172.16.10.1).
traffic classifier up1 operator and
if-match acl 3800
if-match service-vlan-id 100
#
# up2: 172.16.10.0/24-sourced traffic in VLAN 300 (the firewall's Untrust-side sub-interface).
traffic classifier up2 operator and
if-match acl 3800
if-match service-vlan-id 300
#
# down1: traffic bound for 172.16.10.0/24 arriving in VLAN 400 (the LB's .400 sub-interface).
traffic classifier down1 operator and
if-match acl 3801
if-match service-vlan-id 400
#
# down2: traffic bound for 172.16.10.0/24 arriving in VLAN 200 (the firewall's Trust-side sub-interface).
traffic classifier down2 operator and
if-match acl 3801
if-match service-vlan-id 200
#
# M_B_ARP: broadcast / 01-xx multicast / ARP frames, any VLAN (see ACL 4000).
traffic classifier M_B_ARP operator and
if-match acl 4000
#
#
# Behaviors used by the qos policies below. "permit"/"deny" are plain filters; the two redirect
# behaviors force matched frames out of the ports that face the ACG and the IPS.
traffic behavior permit
filter permit
#
traffic behavior deny
filter deny
#
# Ten-GigabitEthernet4/0/1 is the port described "To-ACG" below.
traffic behavior redirect_ACG
redirect interface Ten-GigabitEthernet4/0/1
#
# Ten-GigabitEthernet3/0/1 is the port described "To-IPS" below.
traffic behavior redirect_IPS
redirect interface Ten-GigabitEthernet3/0/1
#
#
# Applied inbound on the ACG- and IPS-facing ports (Ten-GigabitEthernet4/0/1 and 3/0/1): drops the
# broadcast / 01-xx multicast / ARP frames those devices send back, presumably so that frames already
# flooded natively are not flooded a second time - confirm against the ACG/IPS deployment mode.
qos policy deny_M_B_ARP
classifier M_B_ARP behavior deny
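#
# Inbound policy for the VLAN 100 access port (GigabitEthernet5/0/1): broadcast / multicast / ARP is
# passed first, then 172.16.10.0/24-sourced IP traffic is redirected to the ACG.
# The pass-through classifier must be M_B_ARP - the only classifier on ACL 4000 and the name every
# other policy here uses. The previous reference, "Match-MultiCast-ARP", is defined nowhere in this
# configuration and so could never take effect.
qos policy up1
classifier M_B_ARP behavior permit
classifier up1 behavior redirect_ACG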
#
# Inbound on Ten-GigabitEthernet2/0/1 (To-FW): VLAN 300 frames sourced from 172.16.10.0/24 go on to the
# IPS, VLAN 200 frames bound for 172.16.10.0/24 go back through the ACG. M_B_ARP is listed first so
# broadcast / multicast / ARP is passed rather than redirected (assumes first-match ordering - confirm).
qos policy up2_down2
classifier M_B_ARP behavior permit
classifier up2 behavior redirect_IPS
classifier down2 behavior redirect_ACG
#
# Inbound on Ten-GigabitEthernet5/0/1 (To-LB): VLAN 400 frames bound for 172.16.10.0/24 go to the IPS.
qos policy down1
classifier M_B_ARP behavior permit
classifier down1 behavior redirect_IPS
#
# User-side access port in VLAN 100 (172.16.10.0/24); policy up1 redirects its IP traffic to the ACG.
interface GigabitEthernet5/0/1
port link-mode bridge
port access vlan 100
qos apply policy up1 inbound
#
# Access port in VLAN 500. No description and no Vlan-interface500 appear in this configuration;
# VLAN 500 is also where the LB's .500 sub-interface lives, so this presumably leads upstream - confirm
# and add a description.
interface GigabitEthernet5/0/2
port link-mode bridge
port access vlan 500
#
# Trunk to the firewall carrying VLAN 200 (Trust side, 172.16.20.0/24) and VLAN 300 (Untrust side,
# 172.16.30.0/24). VLAN 1 is permitted on every trunk in this configuration; if nothing uses it,
# removing it keeps the default VLAN off the links between the security devices.
interface Ten-GigabitEthernet2/0/1
port link-mode bridge
description To-FW
port link-type trunk
port trunk permit vlan 1 200 300
qos apply policy up2_down2 inbound
#
# Port to the inline ACG. The trunk carries exactly the VLANs redirected here (100 via up1, 200 via
# down2). MAC learning is disabled (max-mac-count 0) and STP is off, consistent with a bump-in-the-wire
# device that hands the same frames straight back; the inbound deny_M_B_ARP policy drops any
# broadcast / 01-xx multicast / ARP the device returns.
interface Ten-GigabitEthernet4/0/1
description To-ACG
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 100 200
port connection-mode extend
stp disable
mac-address max-mac-count 0
qos apply policy deny_M_B_ARP inbound
#
# Port to the inline IPS, configured the same way; its trunk carries the VLANs redirected here
# (300 via up2, 400 via down1).
interface Ten-GigabitEthernet3/0/1
description To-IPS
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 400 300
port connection-mode extend
stp disable
mac-address max-mac-count 0
qos apply policy deny_M_B_ARP inbound
#
# Trunk to the load balancer carrying VLAN 400 (LB inside, 172.16.40.0/24, in VRF 300) and VLAN 500
# (LB outside, 172.16.50.0/24). Policy down1 sends VLAN 400 frames bound for 172.16.10.0/24 to the IPS.
interface Ten-GigabitEthernet5/0/1
port link-mode bridge
description To-LB
port link-type trunk
port trunk permit vlan 1 500 400
qos apply policy down1 inbound
#
# 100 user, 200 firewall Trust, 300 firewall Untrust, 400 LB inside, 500 LB outside.
vlan 100
vlan 200
vlan 300
vlan 400
vlan 500
#
# NOTE(review): ACSEI appears to be the switch-side protocol for H3C OAA security modules (plug-in
# IPS/ACG cards). Nothing visible here shows the ACG/IPS on Ten-GigabitEthernet3/0/1 and 4/0/1 relying
# on it - confirm it is needed and remove it if not, so no unneeded management service is exposed.
acsei server enable
#
# Global table (user and firewall-Trust VLANs): everything non-local goes to the firewall's .200
# sub-interface.
ip route-static 0.0.0.0 0 172.16.20.2
# VRF "300" (firewall-Untrust and LB-inside VLANs): default goes to the LB's .400 sub-interface, while
# the inside prefixes 172.16.20.0/24 and 172.16.10.0/24 are handed back to the firewall's .300
# sub-interface. Return traffic therefore cannot bypass the firewall inside the switch.
ip route-static vpn-instance 300 0.0.0.0 0 172.16.40.2
ip route-static vpn-instance 300 172.16.20.0 255.255.255.0 172.16.30.2
ip route-static vpn-instance 300 172.16.10.0 255.255.255.0 172.16.30.2
#
# Separate routing instance that isolates the firewall's outside (VLANs 300/400) from the global table,
# which is what stops the switch from routing around the firewall.
ip vpn-instance 300
route-distinguisher 300:1
#
# User gateway (global table).
interface Vlan-interface100
ip address 172.16.10.1 255.255.255.0
#
# Peers with the firewall's Trust sub-interface 172.16.20.2 (global table).
interface Vlan-interface200
ip address 172.16.20.1 255.255.255.0
#
# Peers with the firewall's Untrust sub-interface 172.16.30.2 (VRF 300).
interface Vlan-interface300
ip binding vpn-instance 300
ip address 172.16.30.1 255.255.255.0
#
# Peers with the LB's inside sub-interface 172.16.40.2 (VRF 300). There is no Vlan-interface500 here;
# the LB's default gateway 172.16.50.1 is not configured on any device shown on this page, so it is
# presumably an upstream device reached through Gi5/0/2 - confirm.
interface Vlan-interface400
ip binding vpn-instance 300
ip address 172.16.40.1 255.255.255.0
#
Firewall
#
# Firewall, routed mode: one physical port with two dot1q sub-interfaces.
interface Ten-GigabitEthernet0/0
port link-mode route
#
# VLAN 200 - inside / Trust zone, peers with the switch's Vlan-interface200 (172.16.20.1).
interface Ten-GigabitEthernet0/0.200
vlan-type dot1q vid 200
ip address 172.16.20.2 255.255.255.0
#
# VLAN 300 - outside / Untrust zone, peers with the switch's Vlan-interface300 (172.16.30.1, VRF 300).
interface Ten-GigabitEthernet0/0.300
vlan-type dot1q vid 300
ip address 172.16.30.2 255.255.255.0
#
# Default out through the Untrust side (switch VRF 300); the user prefix back in through the Trust side.
ip route-static 0.0.0.0 0.0.0.0 172.16.30.1
ip route-static 172.16.10.0 255.255.255.0 172.16.20.1
#
# NOTE(review): this rule permits any source, any destination and any service between every zone
# pair, so the Trust/Untrust split below currently filters nothing and the firewall is a router with
# logging. Replace it with rules for the flows the design needs (172.16.10.0/24 outbound Trust->Untrust
# and its return traffic), keep the platform's default deny for everything else, and review the
# hit counts before tightening so known flows are not cut.
interzone source Any destination Any
rule 0 permit
source-ip any_address
destination-ip any_address
service any_service
rule enable
#
# Trust (priority 85) holds the inside sub-interface .200; Untrust (priority 5) holds the outside
# sub-interface .300. With the permit-any interzone rule above, the priorities have no filtering effect.
zone name Trust id 2
priority 85
import interface Ten-GigabitEthernet0/0.200
zone name Untrust id 4
priority 5
import interface Ten-GigabitEthernet0/0.300
#
LB
#
# Load balancer, routed mode: one physical port with two dot1q sub-interfaces.
interface Ten-GigabitEthernet0/0
port link-mode route
#
# VLAN 400 - inside, peers with the switch's Vlan-interface400 (172.16.40.1, VRF 300).
interface Ten-GigabitEthernet0/0.400
vlan-type dot1q vid 400
ip address 172.16.40.2 255.255.255.0
#
# VLAN 500 - outside. Its gateway 172.16.50.1 (see the routes below) is not on any device shown here.
interface Ten-GigabitEthernet0/0.500
vlan-type dot1q vid 500
ip address 172.16.50.2 255.255.255.0
#
# Default out the VLAN 500 side; 172.16.0.0/12 (mask 255.240.0.0) back toward the switch. The /12 is far
# wider than the four /24s actually in use (172.16.10/20/30/40); narrowing it to those prefixes keeps
# unrelated 172.16-172.31 destinations from being sent back inside.
ip route-static 0.0.0.0 0.0.0.0 172.16.50.1
ip route-static 172.16.0.0 255.240.0.0 172.16.40.1
#