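1. First, look at the topology:
Policy-based routing configuration steps:
1. Define an ACL that matches the traffic of interest
2. Define a traffic classifier (traffic classification: which ACL to match)
3. Define a traffic behavior (traffic action: for example, which next hop to send the traffic to)
4. Define a policy (binds the classifier to the behavior)
5. Apply the policy to the interface in the inbound or outbound direction
The following are the configuration steps for the H3C S5500 switch: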

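# Create the VLANs
vlan 22 to 24
# Create the VLAN interfaces and assign their IP addresses
int vlan 22
ip add 10.11.0.1 24
qu
int vlan 23
ip add 10.13.0.1 24
qu
int vlan 24
ip add 10.12.0.1 24
qu
# Bind the ports to the VLANs
int g1/0/22
port access vlan 22
qu
int g1/0/23
port access vlan 23
qu
int g1/0/24
port access vlan 24
qu
# Create the ACL
acl advanced 3005
rule 0 permit ip destination 10.12.0.2 0
# Without the following deny rule, traffic passes straight through and does not follow the policy route, because the switch matches rules from the top down and there is a default rule
rule 5 deny ip
qu
# Create the QoS class (it must reference the ACL created above)
traffic classifier 1
if-match acl 3005
qu
# Create the QoS behavior
traffic behavior 1
redirect next-hop 10.13.0.2
qu
# Create the QoS policy that binds the class to the behavior
qos policy 1
classifier 1 behavior 1
qu
# Apply the policy to the VLAN
qos vlan-policy 1 vlan 22 inbound
The following are the configuration steps for other Cisco switches: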

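vlan 17 to 19
int vlan 17
ip add 10.11.0.1 24
qu
int vlan 18
ip add 10.13.0.1 24
qu
int vlan 19
ip add 10.12.0.1 24
qu
int g1/0/17
p l a
port access vlan 17
qu
int g1/0/18
p l a
port access vlan 18
qu
int g1/0/19
p l a
port access vlan 19
qu
acl advanced 3334
rule 0 permit ip destination 10.12.0.2 0
# Without the following deny rule, traffic passes straight through and does not follow the policy route
# (the deny rule needs its own rule ID, otherwise it overwrites rule 0)
rule 5 deny ip
qu
policy-based-route wafin permit node 0
if-match acl 3334
apply next-hop 10.13.0.2
qu
The configuration above only takes effect when the proxy's IP address is non-transparent. How should it be configured when the proxy's IP address is transparent?
It is simple: add one more policy route on the path where the server returns traffic to the proxy:
That is: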
[H3C]acl number 3006
[H3C-acl-adv-3006]rule 0 permit ip destination 10.11.0.2 0
[H3C-acl-adv-3006]rule 5 deny ip
[H3C-acl-adv-3006]qu
[H3C]traffic classifier 2
[H3C-classifier-2]if-match acl 3006
[H3C-classifier-2]qu
[H3C]traffic behavior 2
[H3C-behavior-2]redirect next-hop 10.13.0.2
[H3C-behavior-2]qu
[H3C]qos policy 2
[H3C-qospolicy-2]classifier 2 behavior 2
[H3C-qospolicy-2]qu
[H3C]qos vlan-policy 2 vlan 24 inbound
[H3C]
The complete configuration is as follows:

vlan 22 to 24
int vlan 22
ip add 10.11.0.1 24
qu
int vlan 23
ip add 10.13.0.1 24
qu
int vlan 24
ip add 10.12.0.1 24
qu
int g1/0/22
port access vlan 22
qu
int g1/0/23
port access vlan 23
qu
int g1/0/24
port access vlan 24
qu
# Client-to-server direction: redirect to the proxy
acl advanced 3005
rule 0 permit ip destination 10.12.0.2 0
rule 5 deny ip
qu
traffic classifier 1
if-match acl 3005
qu
traffic behavior 1
redirect next-hop 10.13.0.2
qu
qos policy 1
classifier 1 behavior 1
qu
qos vlan-policy 1 vlan 22 inbound
# Server-to-client return direction: redirect to the proxy
acl number 3006
rule 0 permit ip destination 10.11.0.2 0
rule 5 deny ip
qu
traffic classifier 2
if-match acl 3006
qu
traffic behavior 2
redirect next-hop 10.13.0.2
qu
qos policy 2
classifier 2 behavior 2
qu
qos vlan-policy 2 vlan 24 inbound
Removing the configuration from the switch:
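An added example, not part of the original post: a small Python check that the chain from the configuration steps (ACL, classifier, behavior, policy, VLAN binding) has no dangling reference, since a classifier pointing at an undefined ACL or a behavior without a redirect silently leaves traffic on the normal route, bypassing the proxy. The sample configuration is constructed, and `lint` and its messages are hypothetical names.

```python
# Constructed sample in the page's Comware syntax, with three seeded faults.
SAMPLE = """\
acl advanced 3005
rule 0 permit ip destination 10.12.0.2 0
rule 5 deny ip
qu
traffic classifier 1
if-match acl 3334
qu
traffic behavior 1
redivect next-hop 10.13.0.2
qu
qos policy 1
classifier 1 behavior 1
qu
qos vlan-policy 1 vlan 22 inbound
qos vlan-policy 2 vlan 24 inbound
"""

def lint(config):
    """Report broken links in the ACL -> classifier -> behavior -> policy -> VLAN chain."""
    defined = {k: set() for k in ("acl", "classifier", "behavior", "policy")}
    acl_refs, redirects, binds, applied = [], set(), [], []
    view = None  # (kind, name) of the view the current line is typed in
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] in ("qu", "quit"):
            view = None
        elif len(t) == 3 and (t[0] == "acl" or t[:2] in (["traffic", "classifier"],
                              ["traffic", "behavior"], ["qos", "policy"])):
            view = ("acl" if t[0] == "acl" else t[1], t[2])
            defined[view[0]].add(t[2])
        elif t[:2] == ["qos", "vlan-policy"] and len(t) == 6:
            applied.append((t[2], t[4], t[5]))  # (policy, vlan, direction)
        elif view and view[0] == "classifier" and t[:2] == ["if-match", "acl"]:
            acl_refs.append((view[1], t[2]))
        elif view and view[0] == "behavior" and t[:2] == ["redirect", "next-hop"]:
            redirects.add(view[1])
        elif view and view[0] == "policy" and len(t) == 4 and t[0::2] == ["classifier", "behavior"]:
            binds.append((view[1], t[1], t[3]))
    out = [f"classifier {c}: ACL {a} is not defined" for c, a in acl_refs if a not in defined["acl"]]
    out += [f"behavior {b}: no redirect next-hop action" for b in sorted(defined["behavior"] - redirects)]
    out += [f"qos policy {p}: classifier {c} is not defined" for p, c, _ in binds if c not in defined["classifier"]]
    out += [f"qos policy {p}: behavior {b} is not defined" for p, _, b in binds if b not in defined["behavior"]]
    out += [f"vlan {v} {d}: qos policy {p} is not defined" for p, v, d in applied if p not in defined["policy"]]
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against the switch's saved configuration before relying on the redirect; an empty result means every link in the chain resolves.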
[H3C]undo qos vlan-policy vlan 24 inbound
[H3C]undo qos vlan-policy vlan 24 outbound
[H3C]undo qos policy 2
[H3C]undo traffic classifier 2
[H3C]undo traffic behavior 2
[H3C]undo acl number 3006
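If you do not want to restrict matching to the single client and server IPs but instead cover all IPs in those network segments, configure as follows: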
[H3C-acl-adv-3005]rule 0 permit ipinip destination any
[H3C-acl-adv-3005]rule 5 deny ip
[H3C-acl-adv-3005]qu
[H3C]acl number 3006
[H3C-acl-adv-3006]rule 0 permit ipinip destination any
[H3C-acl-adv-3006]rule 5 deny ip
[H3C-acl-adv-3006]qu
The complete configuration is as follows:

vlan 22 to 24
int vlan 22
ip add 10.11.0.1 24
qu
int vlan 23
ip add 10.13.0.1 24
qu
int vlan 24
ip add 10.12.0.1 24
qu
int g1/0/22
port access vlan 22
qu
int g1/0/23
port access vlan 23
qu
int g1/0/24
port access vlan 24
qu
# Client-to-server direction
acl advanced 3005
rule 0 permit ipinip destination any
rule 5 deny ip
qu
# Server-to-client return direction
acl number 3006
rule 0 permit ipinip destination any
rule 5 deny ip
qu
traffic classifier 1
if-match acl 3005
qu
traffic behavior 1
redirect next-hop 10.13.0.2
qu
qos policy 1
classifier 1 behavior 1
qu
qos vlan-policy 1 vlan 22 inbound
traffic classifier 2
if-match acl 3006
qu
traffic behavior 2
redirect next-hop 10.13.0.2
qu
qos policy 2
classifier 2 behavior 2
qu
qos vlan-policy 2 vlan 24 inbound
Reference: https://blog.csdn.net/zdl244/article/details/103516814