Layer-3 uplink connected to the firewall's inside interface
A Layer-3 core switch should preferably not use VLAN 1 to connect to the firewall's inside interface. IP redirect problems can make access from the internal network to the Internet extremely slow!! A concrete case and its fix follow:
A certain enterprise network has a 4506 as its core, with the access layer mostly 2950 series. The core has one X4548-GB-RJ line card; port 48 uplinks to the firewall, and the other ports connect down to clients. The clients' gateway points to the core switch, and Internet access is extremely slow. Pointing the gateway at the firewall instead gives normal speed. The firewall address is 172.16.1.1. The core configuration is as follows:
core_switch#show run
Building configuration...

Current configuration : 6061 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname core_switch
!
enable secret 5 $1$21p4$rcisbziyY7iFWx0w7jm6d.
enable password kindy
!
vtp mode transparent
ip subnet-zero
!
spanning-tree extend system-id
!
!
vlan 2
 name vlan2
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
 description To ZXC
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/2
 description To HYS-310
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/3
 description To HYS-303
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/4
 description To PGZ
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/5
 description To WLZ
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/1
 description To BACK_24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet3/3
!
interface GigabitEthernet3/4
!
interface GigabitEthernet3/5
!
interface GigabitEthernet3/6
!
interface GigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
....
....
....
!
interface GigabitEthernet4/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/48
!
interface Vlan1
 ip address 172.16.1.121 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
no ip http server
!
!
!
line con 0
 password ******
 login
 stopbits 1
line vty 0 4
 password ******
 login
!
end
--------------------------------------------
Because the configuration above connects the firewall's inside interface directly into VLAN 1 of the Layer-3 core, Internet access becomes extremely slow. The core's default route points to 172.16.1.1, which sits in the same VLAN 1 subnet as the clients, so every Internet-bound packet from a VLAN 1 client is forwarded back out the interface it arrived on, and the core sends the client an ICMP redirect for each such destination. The fixes are as follows:
1. Disable ICMP redirects on VLAN 1:
   int vlan 1
   no ip redirects
2. Connect the firewall's inside cable to a different VLAN on the core (not VLAN 1).
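To check a running-config for exactly this pattern, here is an added example script (not from the original post): it parses an IOS running-config, finds every SVI whose subnet contains a static-route next hop, and reports those that still have redirects enabled. SAMPLE_CONFIG is a constructed excerpt of the core_switch config above.

```python
import ipaddress
import re

# Constructed sample mirroring the page's core_switch config (SVIs and default route only).
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 172.16.1.121 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
"""

def parse_svis(config):
    """Map each 'interface VlanN' to (IPv4Interface, True if 'no ip redirects' is set)."""
    svis, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (Vlan\d+)", line)
        if head:
            current = head.group(1)
            svis[current] = [None, False]
        elif line.strip() == "!":
            current = None          # end of the interface stanza
        elif current is not None:
            addr = re.match(r"\s*ip address (\S+) (\S+)", line)
            if addr:
                svis[current][0] = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
            elif line.strip() == "no ip redirects":
                svis[current][1] = True
    return {k: tuple(v) for k, v in svis.items() if v[0] is not None}

def parse_static_next_hops(config):
    """Next-hop addresses of every 'ip route <prefix> <mask> <nexthop>' line."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"^ip route \S+ \S+ (\d+\.\d+\.\d+\.\d+)", config, re.M)]

def find_redirect_risks(config):
    """Return (svi_name, next_hop) pairs where the next hop is on-link for an SVI
    that still has ICMP redirects enabled: hosts using that SVI as gateway get
    redirected for every flow that leaves via that next hop."""
    svis = parse_svis(config)
    return [(name, str(nh))
            for nh in parse_static_next_hops(config)
            for name, (iface, no_redirects) in svis.items()
            if nh in iface.network and not no_redirects]

if __name__ == "__main__":
    for name, nh in find_redirect_risks(SAMPLE_CONFIG):
        print(f"{name}: next hop {nh} is on-link; add 'no ip redirects' or move it to another VLAN")
```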