On an S5720-EI, traffic from the internal network 192.168.1.0/24 is redirected to the egress router 192.168.2.2. If no exception is configured so that traffic to the gateway itself is not redirected, connectivity between the PC and the gateway is intermittent.
The topology is as follows:
Key configuration on switch LSW1:
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255
#
traffic classifier a operator and
if-match acl 3000
#
traffic behavior a
redirect ip-nexthop 192.168.2.2
#
traffic policy a
classifier a behavior a
#
interface Vlanif1
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
traffic-policy a inbound
#
Configuration on the egress router R1:
#
interface Ethernet0/0/0
ip address 192.168.2.2 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 192.168.1.0 0.0.0.255 192.168.2.1
PC IP address:
1.1.1.1
Test: the PC pings the gateway 192.168.1.1
Packet capture via port mirroring on the switch's G0/0/1
The capture shows two request packets with the same sequence number: traffic to the gateway 192.168.1.1 is redirected to the egress router and then comes back to the switch over the static return route.
Delete the static return route on router R1
[Huawei]undo ip route-static 192.168.1.0 0.0.0.255
[Huawei]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.2.0/24 Direct 0 0 D 192.168.2.2 Ethernet0/0/0
192.168.2.2/32 Direct 0 0 D 127.0.0.1 Ethernet0/0/0
Test pings to 1.1.1.1 and to 192.168.1.1 again
Shut down the switch's VLANIF2 interface and test pinging the gateway
[Huawei]interface Vlanif 2
[Huawei-Vlanif2]shutdown
[Huawei]display ip interface brief
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 192.168.1.1/24 up up
Vlanif2 192.168.2.1/24 *down down
With VLANIF2 shut down, the redirecting traffic policy no longer takes effect and communication with the gateway is normal.
Recommendation: explicitly exempt traffic destined for the internal network segment from redirection; this also reduces the load on the egress router.
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
traffic classifier a operator and
if-match acl 3000
traffic classifier b operator and
if-match acl 3001
#
traffic behavior a
redirect ip-nexthop 192.168.2.2
traffic behavior b
permit
#
traffic policy a
classifier b behavior b
classifier a behavior a //place the classifier and behavior that exempt traffic from redirection earlier in the traffic policy
END
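As an added example (not part of the original post or Huawei's own code), the following Python script models the switch's first-match evaluation of the traffic policy using the ACLs from this post, showing why the intra-LAN exemption (classifier b) must be listed before the redirect classifier. The PC address 192.168.1.10 and the simplified evaluation model are assumptions.

```python
# Added example: a small model of first-match traffic-policy evaluation with the
# ACLs from this post. The evaluation model and the PC address are assumptions.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# ACL rules as (source, src-wildcard, destination, dst-wildcard); None = any.
ACL_3000 = [("192.168.1.0", "0.0.0.255", None, None)]                   # rule 5 of acl 3000
ACL_3001 = [("192.168.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]   # rule 5 of acl 3001


def acl_permits(acl, src: str, dst: str) -> bool:
    """True when any rule of the ACL matches the packet (all rules are 'permit')."""
    for s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and (d is None or wildcard_match(dst, d, dw)):
            return True
    return False


def apply_policy(policy, src: str, dst: str) -> str:
    """policy: ordered list of (acl, behavior). The first matching classifier decides."""
    for acl, behavior in policy:
        if acl_permits(acl, src, dst):
            return behavior
    return "normal-forwarding"  # no classifier matched; ordinary routing applies


REDIRECT, PERMIT = "redirect 192.168.2.2", "permit"
ORIGINAL = [(ACL_3000, REDIRECT)]                         # the post's first policy
FIXED = [(ACL_3001, PERMIT), (ACL_3000, REDIRECT)]        # recommended order: exemption first
WRONG_ORDER = [(ACL_3000, REDIRECT), (ACL_3001, PERMIT)]  # exemption listed second, never reached

PC = "192.168.1.10"  # constructed PC address in the internal segment (assumption)

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]:
        print(f"{name:12} PC -> gateway 192.168.1.1: {apply_policy(policy, PC, '192.168.1.1')}")
        print(f"{name:12} PC -> 1.1.1.1:             {apply_policy(policy, PC, '1.1.1.1')}")
```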