Layer-3 uplink connected to the firewall's inside interface
On a Layer-3 core switch, it is best not to use VLAN 1 to connect to the firewall's inside interface. IP redirects can make access from the internal network to the Internet extremely slow!!
A concrete case and its solution follow:
An enterprise network has a Catalyst 4506 core, with access switches mostly from the 2950 series. The core has an X4548-GB-RJ line card; port 48 uplinks to the firewall and the remaining ports connect downstream to the clients. With the client gateway pointed at the core switch, Internet access is extremely slow; pointed at the firewall, speed is normal. The firewall's address is 172.16.1.1. The core configuration is as follows:
core_switch#show run
Building configuration...

Current configuration : 6061 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname core_switch
!
enable secret 5 $1$21p4$rcisbziyY7iFWx0w7jm6d.
enable password kindy
!
vtp mode transparent
ip subnet-zero
!
spanning-tree extend system-id
!
!
vlan 2
 name vlan2
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
 description To ZXC
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/2
 description To HYS-310
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/3
 description To HYS-303
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/4
 description To PGZ
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/5
 description To WLZ
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/1
 description To BACK_24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/3
!
interface GigabitEthernet3/4
!
interface GigabitEthernet3/5
!
interface GigabitEthernet3/6
!
interface GigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
....
....
....
!
interface GigabitEthernet4/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/48
!
interface Vlan1
 ip address 172.16.1.121 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
no ip http server
!
!
!
line con 0
 password ******
 login
 stopbits 1
line vty 0 4
 password ******
 login
!
end
--------------------------------------------
Because the configuration above connects the firewall's inside interface directly into VLAN 1 on the Layer-3 core, Internet access becomes extremely slow. The client gateway (the VLAN 1 SVI, 172.16.1.121) and the default-route next hop (172.16.1.1) sit on the same subnet, so for every Internet-bound packet the core forwards it back out the interface it arrived on and sends the client an ICMP redirect toward 172.16.1.1.
The solutions are as follows:
1. Disable the redirect function on VLAN 1
interface Vlan1
 no ip redirects
2. Connect the firewall's inside cable to a different VLAN on the core
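As an added example (not part of the original post), a small Python check that flags SVIs whose subnet contains the default-route next hop and that still have ICMP redirects enabled, which is exactly the VLAN 1 pattern in this case; the config fragment is constructed from the running-config above.

```python
import ipaddress
import re

# Constructed sample: the relevant fragment of the core switch config above.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 172.16.1.121 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
"""


def parse_svis(config):
    """Return {svi_name: {"addr": IPv4Interface or None, "no_redirects": bool}}."""
    svis, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Vlan\d+)", line)
        if m:
            current = m.group(1)
            svis[current] = {"addr": None, "no_redirects": False}
            continue
        if line.startswith("!"):      # end of an interface stanza
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m:
            svis[current]["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line.strip() == "no ip redirects":
            svis[current]["no_redirects"] = True
    return svis


def default_next_hops(config):
    """Next-hop addresses of every 'ip route 0.0.0.0 0.0.0.0 <hop>' line."""
    return [ipaddress.IPv4Address(m.group(1)) for m in
            re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)]


def find_redirect_risk(config):
    """SVIs that share a subnet with a default next hop and still send redirects."""
    hops = default_next_hops(config)
    return [name for name, info in parse_svis(config).items()
            if info["addr"] is not None and not info["no_redirects"]
            and any(hop in info["addr"].network for hop in hops)]
```

Running `find_redirect_risk(SAMPLE_CONFIG)` on the fragment returns `["Vlan1"]`; adding `no ip redirects` under `interface Vlan1` (fix 1) or moving the next hop to another VLAN's subnet (fix 2) empties the list.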