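The network topology is as follows:
LLB: the internal interface 1/0/0 is bound to VPN instance HK; the external interface is not bound and belongs to the public network. 192.168.0.1 telnets to 1.1.1.2, with the routing and policies in between opened up.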
#
nqa template icmp test
#
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip binding vpn-instance HK
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
#
security-zone name HK
import interface GigabitEthernet1/0/0
#
ip route-static 192.168.0.1 32 vpn-instance HK 10.0.0.1
ip route-static vpn-instance HK 1.1.1.0 24 1.1.1.2 public
#
acl advanced 3333
rule 0 permit ip
#
#
loadbalance link-group wai
transparent enable
probe test
#
loadbalance class client type link-generic match-any
match 1 acl 3333
#
loadbalance action client type link-generic
link-group wai
#
loadbalance action default type link-generic
forward all
#
loadbalance policy llb type link-generic
class client action client
default-class action default
#
virtual-server llb type link-ip
vpn-instance HK
virtual ip address 0.0.0.0 0
lb-policy llb
service enable
#
loadbalance link wai
router ip 1.1.1.2
link-group wai
probe test
inherit vpn-instance disable
#
security-policy ip
rule 0 name 00
action pass
vrf HK
source-zone HK
destination-zone untrust
source-ip-host 192.168.0.1
destination-ip-host 1.1.1.2
rule 1 name 1
action pass
source-zone local
destination-zone untrust
source-ip-host 1.1.1.1
destination-ip-host 1.1.1.2
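Pay attention to the places where the VPN instance has to be configured.
Note that VPN instance inheritance must be disabled in the link.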
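
A configuration check for the two notes above, as an added example that is not part of the original case or of any H3C tooling: it splits a configuration on `#` lines and reports a virtual server without the VPN instance, a link that still inherits it, and a security-policy rule sourced from a VPN-bound zone without the matching `vrf`. The function names, and the rule that every link leaves through the public side as in this case, are assumptions.

```python
import re

# Constructed sample: the VPN-related lines of the configuration above.
SAMPLE = """\
interface GigabitEthernet1/0/0
ip binding vpn-instance HK
#
security-zone name HK
import interface GigabitEthernet1/0/0
#
virtual-server llb type link-ip
vpn-instance HK
#
loadbalance link wai
inherit vpn-instance disable
#
security-policy ip
rule 0 name 00
vrf HK
source-zone HK
rule 1 name 1
source-zone local
"""

def sections(cfg):  # split on '#' lines into (header, body_lines) pairs
    secs = [[l.strip() for l in c.splitlines() if l.strip()]
            for c in re.split(r"(?m)^#[ \t]*$", cfg)]
    return [(s[0], s[1:]) for s in secs if s]

def check(cfg):
    """Assumed checks derived from this page's notes; returns findings."""
    secs, out = sections(cfg), []
    if_vpn = {h.split()[1]: b.split()[-1] for h, body in secs for b in body
              if h.startswith("interface ") and b.startswith("ip binding vpn-instance ")}
    zone_vpn = {h.split()[-1].lower(): if_vpn[b.split()[-1]] for h, body in secs
                for b in body if h.startswith("security-zone name ")
                and b.startswith("import interface ") and b.split()[-1] in if_vpn}
    for h, body in secs:
        if h.startswith("virtual-server ") and not any(
                b.startswith("vpn-instance ") and b.split()[-1] in if_vpn.values() for b in body):
            out.append(f"{h}: no vpn-instance matching a bound interface")
        if h.startswith("loadbalance link ") and "inherit vpn-instance disable" not in body:
            out.append(f"{h}: VPN-instance inheritance not disabled")
        if h == "security-policy ip":
            for rule in re.split(r"\n(?=rule \d+ )", "\n".join(body)):
                r = rule.splitlines()
                src = next((x.split()[-1].lower() for x in r if x.startswith("source-zone ")), None)
                if src in zone_vpn and f"vrf {zone_vpn[src]}" not in r:
                    out.append(f"{r[0]}: source-zone {src} but no vrf {zone_vpn[src]}")
    return out
```

Leading whitespace is stripped before matching, so the same check works on indented `display current-configuration` output.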