10500交换机

1、要pc流量先到防火墙，再从防火墙流向核心交换机最后到服务器。

2、要服务器流量先到防火墙，在从防火墙流向核心交换机最后到pc。

已实现1，失败2

这是脚本

<SwitchA> system-view

[SwitchA] acl number 3000

[SwitchA-acl-adv-3000] rule permit ip source x.x.x.x x.x.x.x any destination 192.168.236.0 0.0.0.255 //这里写办公终端的源IP段

[SwitchA-acl-adv-3000] quit

# 指定所啊办公终端的下一跳为192.168.198.254

[SwitchA] policy-based-route aaa permit node 5

[SwitchA-pbr-aaa-5] if-match acl 3000

[SwitchA-pbr-aaa-5] apply ip-address next-hop 192.168.198.254

[SwitchA-pbr-aaa-5] quit # 在Switch A办公网段接口上应用本地策略路由。

[SwitchA]interface Ten-GigabitEthernet 1/0/0/16

[SwitchA] ip policy-based-route aaa //进入办公网段的接口调用这命令

[SwitchA]interface Ten-GigabitEthernet 1/1/0/16

[SwitchA] ip policy-based-route aaa //进入办公网段的接口调用这命令

[SwitchA]interface Ten-GigabitEthernet 2/0/0/16

[SwitchA] ip policy-based-route aaa //进入办公网段的接口调用这命令

[SwitchA]interface Ten-GigabitEthernet 2/1/0/16 [

SwitchA] ip policy-based-route aaa //进入办公网段的接口调用这命令

# 定义访问控制列表，服务器端到PC端流量强制走服务器防火墙，ACL 3001匹配TCP报文。

<SwitchA> system-view

[SwitchA] acl number 3001

[SwitchA-acl-adv-3001] rule permit ip source 192.168.236.0 0.0.0.255 any destination x.x.x.x 0.0.0.255 //这里写办公终端的源IP段

[SwitchA-acl-adv-3001] quit

# 指定所有服务器的下一跳为192.168.199.254

[SwitchA] policy-based-route bbb permit node 6

[SwitchA-pbr-bbb-6] if-match acl 3001

[SwitchA-pbr-bbb-6] apply ip-address next-hop 192.168.199.254

[SwitchA-pbr-bbb-6] quit

# 在Switch A接口上应用本地策略路由

[SwitchA]interface range Ten-GigabitEthernet 1/0/0/22 to Ten-GigabitEthernet 1/0/0/17 [SwitchA] ip policy-based-route bbb //进入服务器网段的接口上调用这命令

[SwitchA]interface range Ten-GigabitEthernet 1/1/0/22 to Ten-GigabitEthernet 1/1/0/17 [SwitchA] ip policy-based-route bbb //进入服务器网段的接口上调用这命令

[SwitchA]interface range Ten-GigabitEthernet 2/0/0/22 to Ten-GigabitEthernet 2/0/0/17 [SwitchA] ip policy-based-route bbb //进入服务器网段的接口上调用这命令

[SwitchA]interface range Ten-GigabitEthernet 2/1/0/22 to Ten-GigabitEthernet 2/1/0/17 [SwitchA] ip policy-based-route bbb //进入服务器网段的接口上调用这命令