

Configuring Policy-Based Routing on the Secpath1800F
2007-04-29   

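I. Networking requirements:
When the firewall has two public-network egresses, the forwarding egress is selected according to the user's source address or the destination address being accessed, which implements route selection.
II. Configuration steps:
Applicable versions: all VRP versions of the Secpath1800F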
acl number 2001
 rule 0 permit source 10.1.0.0 0.0.255.255
acl number 3001 // define the ACL used for policy routing
 rule 0 deny ip source 10.1.1.0 0.0.0.255 // the 10.1.1.0 segment is not policy-routed
 rule 5 permit ip source 10.1.2.0 0.0.0.255 // the segment with source address 10.1.2.0 is policy-routed
 rule 10 permit ip destination 202.96.199.0 0.0.0.255 // the segment with destination address 202.96.199.0 is policy-routed
sysname Eudemon
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local test direction inbound
firewall packet-filter default permit interzone local test direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust test direction inbound
firewall packet-filter default permit interzone trust test direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone test untrust direction inbound
firewall packet-filter default permit interzone test untrust direction outbound
firewall packet-filter default permit interzone test dmz direction inbound
firewall packet-filter default permit interzone test dmz direction outbound
nat address-group 2 2.2.2.10 2.2.2.10
nat address-group 4 4.4.4.10 4.4.4.10
firewall mode route
firewall statistic system enable
traffic classifier test // define the traffic classifier name and the traffic of interest
 if-match acl 3001
traffic behavior test_do // define the forwarding egress and address for policy routing
 remark ip-nexthop 4.4.4.2 output-interface Ethernet1/0/4 // 4.4.4.2 is the corresponding gateway address
qos policy po_ro // define the corresponding policy-routing group
 classifier test behavior test_do
interface Aux0
 async mode flow
 link-protocol ppp
interface Ethernet0/0/0
interface Ethernet0/0/1
interface Ethernet1/0/0
interface Ethernet1/0/1
 ip address 192.168.1.254 255.255.255.0
interface Ethernet1/0/2
 ip address 2.2.2.1 255.255.255.0
interface Ethernet1/0/3
interface Ethernet1/0/4
 ip address 4.4.4.1 255.255.255.0
interface Ethernet1/0/5
interface Ethernet1/0/6
interface Ethernet1/0/7
interface NULL0
firewall zone local
 set priority 100
firewall zone trust
 set priority 85
 qos apply policy po_ro outbound // bind the policy route to the corresponding zone
 add interface Ethernet1/0/1
firewall zone untrust
 set priority 5
 add interface Ethernet1/0/2
firewall zone dmz
 set priority 50
firewall zone name test
 set priority 75
 add interface Ethernet1/0/4
firewall interzone local trust
firewall interzone local untrust
firewall interzone local dmz
firewall interzone local test
firewall interzone trust untrust
 nat outbound 2001 address-group 2
firewall interzone trust dmz
firewall interzone trust test
 nat outbound 2001 address-group 4
firewall interzone dmz untrust
firewall interzone test untrust
firewall interzone test dmz
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2 // define the default route
ip route-static 10.1.0.0 255.255.0.0 192.168.1.133
user-interface con 0
user-interface aux 0
user-interface vty 0 4
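III. Key configuration points:
When configuring policy routing, the main thing is to open the rules between the zones for which policy routing is performed. Note in particular that versions earlier than Version 3.30 Release 0336 have a problem: policy-routed traffic is permitted or denied according to the rules between the zones of the default route.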
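The following Python model is an added example, not part of the original configuration or of any vendor tooling. It shows how ACL 3001 selects the egress for traffic from the trust zone, including the case where a 10.1.1.0 host visits 202.96.199.0 and stays on the default route because rule 0 matches first. It assumes rules are evaluated in ascending rule-ID order with first match winning, and that 2.2.2.2 is reached through Ethernet1/0/2 (the interface addressed 2.2.2.1); the function names are hypothetical.

```python
import ipaddress

# Rules of ACL 3001 as configured on this page: (rule id, action, source, destination).
# Each address is a (network, wildcard mask) pair; None means "any".
ACL_3001 = [
    (0, "deny", ("10.1.1.0", "0.0.0.255"), None),
    (5, "permit", ("10.1.2.0", "0.0.0.255"), None),
    (10, "permit", None, ("202.96.199.0", "0.0.0.255")),
]
PBR_NEXTHOP = ("4.4.4.2", "Ethernet1/0/4")      # traffic behavior test_do
DEFAULT_NEXTHOP = ("2.2.2.2", "Ethernet1/0/2")  # ip route-static 0.0.0.0 0.0.0.0 2.2.2.2


def wildcard_match(addr, spec):
    """True if addr matches a (network, wildcard) pair; wildcard bits set to 1 are ignored."""
    if spec is None:
        return True
    network, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == network & care


def classify(src, dst, acl=ACL_3001):
    """Return (rule id, action) of the first matching rule, or (None, None)."""
    # Assumption: rules are checked in ascending rule-ID order, first match wins.
    for rule_id, action, s, d in sorted(acl, key=lambda r: r[0]):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return rule_id, action
    return None, None


def egress(src, dst):
    """Next hop and interface for a packet from the trust zone to the Internet."""
    _, action = classify(src, dst)
    # Only a permit match is policy-routed; deny or no match follows the default route.
    return PBR_NEXTHOP if action == "permit" else DEFAULT_NEXTHOP


if __name__ == "__main__":
    # Constructed sample flows (source, destination).
    for src, dst in [("10.1.2.7", "8.8.8.8"), ("10.1.3.7", "202.96.199.20"),
                     ("10.1.1.7", "202.96.199.20"), ("10.1.3.7", "8.8.8.8")]:
        print(src, dst, classify(src, dst), egress(src, dst))
```

Because NAT is bound per interzone (address-group 2 for trust to untrust, address-group 4 for trust to test), the egress chosen here also determines which public address the flow is translated to.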

