
Huawei policy-based routing configuration example

1. Networking requirements

[Figure 1: policy-based routing networking diagram]

As shown in Figure 1, company users are dual-homed to the external network devices through Switch. One uplink is a low-speed link whose gateway is 10.1.20.1/24; the other is a high-speed link whose gateway is 10.1.30.1/24.

The company wants packets sent to the external network with IP precedence 4, 5, 6 or 7 to be carried over the high-speed link, and packets with IP precedence 0, 1, 2 or 3 to be carried over the low-speed link.

2. Configuration roadmap

1. Create the VLANs and configure the interfaces so that the company network and the external network devices are interconnected.
2. Configure ACL rules that match IP precedence 4, 5, 6, 7 and IP precedence 0, 1, 2, 3 respectively.
3. Configure traffic classifiers whose match rules are the ACLs above, so that the device can tell the two kinds of packets apart.
4. Configure traffic behaviors that redirect the packets matching each rule to next hop 10.1.20.1 and 10.1.30.1 respectively.
5. Configure a traffic policy that binds the classifiers to the behaviors, and apply it to the inbound direction of interface GE2/0/1 to implement policy-based routing.

3. Procedure

3.1 Create VLANs and configure the interfaces

# Create VLAN 100 and VLAN 200 on Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200

# Set the link type of GE1/0/1, GE1/0/2 and GE2/0/1 on Switch to trunk and add them to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet2/0/1] quit

Also configure the interface on LSW that connects to Switch as a trunk interface and add it to VLAN 100 and VLAN 200 (that configuration is not shown here).

# Create VLANIF 100 and VLANIF 200 and assign an IP address to each.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit

3.2 Configure ACL rules

# On Switch, create advanced ACLs 3001 and 3002. ACL 3001 permits packets with IP precedence 0, 1, 2 and 3; ACL 3002 permits packets with IP precedence 4, 5, 6 and 7.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit ip precedence 0
[Switch-acl-adv-3001] rule permit ip precedence 1
[Switch-acl-adv-3001] rule permit ip precedence 2
[Switch-acl-adv-3001] rule permit ip precedence 3
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip precedence 4
[Switch-acl-adv-3002] rule permit ip precedence 5
[Switch-acl-adv-3002] rule permit ip precedence 6
[Switch-acl-adv-3002] rule permit ip precedence 7
[Switch-acl-adv-3002] quit

3.3 Configure traffic classifiers

# On Switch, create traffic classifiers c1 and c2 whose match rules are ACL 3001 and ACL 3002 respectively.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit

3.4 Configure traffic behaviors

# On Switch, create traffic behaviors b1 and b2 that redirect packets to next hop 10.1.20.1 and 10.1.30.1 respectively.
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect ip-nexthop 10.1.20.1
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect ip-nexthop 10.1.30.1
[Switch-behavior-b2] quit

3.5 Configure a traffic policy and apply it to an interface

# On Switch, create traffic policy p1 and bind each classifier to its behavior.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit

# Apply traffic policy p1 to the inbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet2/0/1] return

Note that the policy classifies on the IP precedence bits exactly as they arrive on GE2/0/1, and those bits are written by the sending host. Any internal host that marks its own packets with precedence 4 to 7 is therefore steered onto the high-speed link. If that is not acceptable, remark the precedence at the access edge (for example on LSW) or add source-address conditions to the ACLs so that only trusted sources can select the high-speed link.

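To make the forwarding decision concrete, here is an added Python model of what traffic policy p1 does to a packet entering GE2/0/1. It is illustration code written for this page, not Huawei's implementation: it parses the ToS byte from a raw IPv4 header, derives the IP precedence (the top three bits), evaluates the classifiers in configuration order and returns the redirect next hop. The sample packets, their addresses and markings are constructed here, and remark_untrusted() together with the "trusted voice subnet" 10.1.10.48/28 is an assumed hardening step that the page's configuration does not contain.

```python
"""Added example (not from the original Huawei page): a model of the
policy-based routing decision that traffic policy p1 makes on GE2/0/1.

Parses the ToS byte of an IPv4 header, derives the IP precedence (top
three bits), evaluates the classifiers in configured order and returns
the redirect next hop.  Sample packets are constructed inline for
illustration; remark_untrusted() is an assumed hardening step that is
not part of the page's configuration.
"""
import ipaddress
import struct

# Next hops from the page: b1 -> low-speed link, b2 -> high-speed link.
LOW_SPEED_NEXTHOP = "10.1.20.1"
HIGH_SPEED_NEXTHOP = "10.1.30.1"

# ACL 3001 permits precedence 0..3, ACL 3002 permits precedence 4..7.
# Together they cover every value, so every IPv4 packet matches one of them.
ACL_RULES = {3001: {0, 1, 2, 3}, 3002: {4, 5, 6, 7}}

# traffic policy p1 (match-order config): the first matching classifier wins.
# Tuples are (classifier, acl, behavior, redirect next hop).
POLICY_P1 = [
    ("c1", 3001, "b1", LOW_SPEED_NEXTHOP),
    ("c2", 3002, "b2", HIGH_SPEED_NEXTHOP),
]

# Keyword names that 'display acl' prints for precedence values 0..7.
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]


def build_ipv4_header(src, dst, tos):
    """Construct a 20-byte IPv4 header (no options; checksum left at 0)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def parse_tos(header):
    """Return (ip_precedence, dscp) taken from the ToS byte of the header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    return tos >> 5, tos >> 2


def select_nexthop(header, policy=POLICY_P1):
    """Evaluate the policy as the switch does for a packet entering GE2/0/1.

    Returns the redirect next hop of the first matching classifier, or None
    when no classifier matches (the packet then follows the routing table).
    """
    precedence, _dscp = parse_tos(header)
    for _classifier, acl, _behavior, nexthop in policy:
        if precedence in ACL_RULES[acl]:
            return nexthop
    return None


def remark_untrusted(header, trusted_nets):
    """Assumed hardening step: clear the precedence bits of packets whose
    source lies outside the trusted networks (given as CIDR strings), so
    that only trusted sources can select the high-speed link.  Returns a
    new header; the checksum is not recomputed (test headers carry none).
    """
    src = ipaddress.ip_address(header[12:16])
    if any(src in ipaddress.ip_network(n) for n in trusted_nets):
        return header
    return header[:1] + bytes([header[1] & 0x1F]) + header[2:]


def classify_packets(packets, trusted_nets=None):
    """Return {label: next hop} for a list of (label, header) pairs,
    applying remark_untrusted() first when trusted_nets is given."""
    decisions = {}
    for label, hdr in packets:
        if trusted_nets is not None:
            hdr = remark_untrusted(hdr, trusted_nets)
        decisions[label] = select_nexthop(hdr)
    return decisions


# Constructed sample packets (addresses and markings chosen for illustration).
SAMPLE_PACKETS = [
    ("web, unmarked", build_ipv4_header("10.1.10.20", "203.0.113.10", 0x00)),
    ("voice, DSCP EF", build_ipv4_header("10.1.10.50", "203.0.113.10", 0xB8)),
    ("host forging precedence 7", build_ipv4_header("10.1.10.99", "203.0.113.10", 0xE0)),
]

if __name__ == "__main__":
    for label, hop in classify_packets(SAMPLE_PACKETS).items():
        print(f"{label:28s} -> {hop}")
    trusted = ["10.1.10.48/28"]  # assumed voice subnet, not from the page
    for label, hop in classify_packets(SAMPLE_PACKETS, trusted).items():
        print(f"{label:28s} -> {hop} (after remarking)")
```

Run as-is, the first pass shows the forged packet landing on 10.1.30.1 alongside the genuine voice traffic, because the switch has no way to distinguish them; the second pass shows that zeroing the precedence of untrusted sources before the policy is evaluated sends the forged packet back to 10.1.20.1 while the voice packet keeps its high-speed path.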
3.6 Verify the configuration

# Check the ACL configuration.
<Switch> display acl 3001
Advanced ACL 3001, 4 rules
Acl's step is 5
 rule 5 permit ip precedence routine (match-counter 0)
 rule 10 permit ip precedence priority (match-counter 0)
 rule 15 permit ip precedence immediate (match-counter 0)
 rule 20 permit ip precedence flash (match-counter 0)

<Switch> display acl 3002
Advanced ACL 3002, 4 rules
Acl's step is 5
 rule 5 permit ip precedence flash-override (match-counter 0)
 rule 10 permit ip precedence critical (match-counter 0)
 rule 15 permit ip precedence internet (match-counter 0)
 rule 20 permit ip precedence network (match-counter 0)

The numeric precedence values entered in section 3.2 are displayed by their keyword names: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6) and network (7).

# Check the traffic classifier configuration.
<Switch> display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: c1
    Precedence: 5
    Operator: AND
    Rule(s) : if-match acl 3001

   Classifier: c2
    Precedence: 10
    Operator: AND
    Rule(s) : if-match acl 3002

  Total classifier number is 2

# Check the traffic policy configuration.
<Switch> display traffic policy user-defined p1
  User Defined Traffic Policy Information:
  Policy: p1
   Classifier: c1
    Operator: AND
    Behavior: b1
     Redirect: no forced
      Redirect ip-nexthop
       10.1.20.1
   Classifier: c2
    Operator: AND
    Behavior: b2
     Redirect: no forced
      Redirect ip-nexthop
       10.1.30.1

"Redirect: no forced" shows that the redirect was configured without the forced keyword: if the configured next hop is unreachable, matching packets are forwarded according to the routing table instead of being dropped.

4. Configuration file

Configuration file of Switch

#
 sysname Switch
#
vlan batch 100 200
#
acl number 3001
 rule 5 permit ip precedence routine
 rule 10 permit ip precedence priority
 rule 15 permit ip precedence immediate
 rule 20 permit ip precedence flash
#
acl number 3002
 rule 5 permit ip precedence flash-override
 rule 10 permit ip precedence critical
 rule 15 permit ip precedence internet
 rule 20 permit ip precedence network
#
traffic classifier c1 operator and precedence 5
 if-match acl 3001
traffic classifier c2 operator and precedence 10
 if-match acl 3002
#
traffic behavior b1
 redirect ip-nexthop 10.1.20.1
traffic behavior b2
 redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config
 classifier c1 behavior b1
 classifier c2 behavior b2
#
interface Vlanif100
 ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
 ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 200
 traffic-policy p1 inbound
#
return