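1. First, take a look at the topology:
Policy-based routing configuration steps:
1. Define an ACL to match the traffic of interest
2. Define a traffic classifier (traffic classification: which ACL to match)
3. Define a traffic behavior (traffic action: for example, which next hop the traffic is sent to)
4. Define a policy (bind the classifier to the behavior)
5. Apply it to an interface, in the inbound or outbound direction
The following are the configuration steps on an H3C S5500 switch: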

# Create the VLANs
vlan 22 to 24
# Create the VLAN interfaces and assign their IP addresses
int vlan 22
ip add 10.11.0.1 24
qu
int vlan 23
ip add 10.13.0.1 24
qu
int vlan 24
ip add 10.12.0.1 24
qu
# Bind the ports to the VLANs
int g1/0/22
port access vlan 22
qu
int g1/0/23
port access vlan 23
qu
int g1/0/24
port access vlan 24
qu
# Create the ACL
acl advanced 3005
rule 0 permit ip destination 10.12.0.2 0
rule 5 deny ip
# (Without this step the traffic is passed straight through and does not follow the policy route, because the switch matches rules from the top down and there is a default rule.)
qu
# Create the QoS class
traffic classifier 1
if-match acl 3005
qu
# Create the QoS behavior
traffic behavior 1
redirect next-hop 10.13.0.2
qu
# Create the QoS policy, binding the class to the behavior
qos policy 1
classifier 1 behavior 1
qu
# Bind the policy to the VLAN
qos vlan-policy 1 vlan 22 inbound
The following are the configuration steps for other Cisco switches:

vlan 17 to 19
int vlan 17
ip add 10.11.0.1 24
qu
int vlan 18
ip add 10.13.0.1 24
qu
int vlan 19
ip add 10.12.0.1 24
qu
int g1/0/17
p l a
port access vlan 17
qu
int g1/0/18
p l a
port access vlan 18
qu
int g1/0/19
p l a
port access vlan 19
qu
acl advanced 3334
rule 0 permit ip destination 10.12.0.2 0
rule 5 deny ip
# (Without this step the traffic is passed straight through and does not follow the policy route.)
qu
policy-based-route wafin permit node 0
if-match acl 3334
apply next-hop 10.13.0.2
qu
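The configuration above only takes effect when the proxy's IP address is non-transparent. How should it be set up when the proxy's IP address is transparent?
It is simple: add one more policy route on the path from the server back to the proxy.
That is: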
[H3C]acl number 3006
[H3C-acl-adv-3006]rule 0 permit ip destination 10.11.0.2 0
[H3C-acl-adv-3006]rule 5 deny ip
[H3C-acl-adv-3006]qu
[H3C]traffic classifier 2
[H3C-classifier-2]if-match acl 3006
[H3C-classifier-2]qu
[H3C]traffic behavior 2
[H3C-behavior-2]redirect next-hop 10.13.0.2
[H3C-behavior-2]qu
[H3C]qos policy 2
[H3C-qospolicy-2]classifier 2 behavior 2
[H3C-qospolicy-2]qu
[H3C]qos vlan-policy 2 vlan 24 inbound
[H3C]
The complete configuration is as follows:

vlan 22 to 24
int vlan 22
ip add 10.11.0.1 24
qu
int vlan 23
ip add 10.13.0.1 24
qu
int vlan 24
ip add 10.12.0.1 24
qu
int g1/0/22
port access vlan 22
qu
int g1/0/23
port access vlan 23
qu
int g1/0/24
port access vlan 24
qu
acl advanced 3005
rule 0 permit ip destination 10.12.0.2 0
rule 5 deny ip
qu
traffic classifier 1
if-match acl 3005
qu
traffic behavior 1
redirect next-hop 10.13.0.2
qu
qos policy 1
classifier 1 behavior 1
qu
qos vlan-policy 1 vlan 22 inbound
acl number 3006
rule 0 permit ip destination 10.11.0.2 0
rule 5 deny ip
qu
traffic classifier 2
if-match acl 3006
qu
traffic behavior 2
redirect next-hop 10.13.0.2
qu
qos policy 2
classifier 2 behavior 2
qu
qos vlan-policy 2 vlan 24 inbound
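An added example, not part of the original post: a small Python check that every link in the chain built by the five steps (ACL, classifier, behavior, policy, VLAN binding) resolves before the commands are pasted into the switch. The function name `audit_pbr` and the sample text are constructed for illustration, and the parser only understands the handful of commands used on this page.

```python
import re

# Constructed sample in the page's command style, with two planted mistakes.
SAMPLE = """\
acl advanced 3005
 rule 0 permit ip destination 10.12.0.2 0
traffic classifier 1
 if-match acl 3334
traffic behavior 1
 redivect next-hop 10.13.0.2
qos policy 1
 classifier 1 behavior 1
qos vlan-policy 1 vlan 22 inbound
"""

def audit_pbr(config):
    """Return findings for broken links in the ACL/classifier/behavior/policy/VLAN chain."""
    blocks = {"traffic classifier": {}, "traffic behavior": {}, "qos policy": {}}
    acls, applied, findings, ctx = set(), [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"acl (?:advanced|number) (\d+)", line):
            acls.add(m[1])
            ctx = None  # ACL rule lines are not inspected here
        elif m := re.fullmatch(r"(traffic classifier|traffic behavior|qos policy) (\S+)", line):
            ctx = blocks[m[1]].setdefault(m[2], [])
        elif m := re.fullmatch(r"qos vlan-policy (\S+) vlan (\d+) (inbound|outbound)", line):
            applied.append(m.groups())
            ctx = None
        elif line in ("", "qu", "quit"):
            ctx = None  # leaving the current view
        elif ctx is not None:
            ctx.append(line)  # a command inside the current view
    classifiers, behaviors, policies = blocks.values()
    for name, body in classifiers.items():
        for cmd in body:
            m = re.fullmatch(r"if-match acl (\d+)", cmd)
            if not m or m[1] not in acls:
                findings.append(f"classifier {name}: '{cmd}' does not reference a defined ACL")
    for name, body in behaviors.items():
        if not any(re.fullmatch(r"redirect next-hop \d+(\.\d+){3}", cmd) for cmd in body):
            findings.append(f"behavior {name}: no 'redirect next-hop <ip>' command")
    for name, body in policies.items():
        for cmd in body:
            m = re.fullmatch(r"classifier (\S+) behavior (\S+)", cmd)
            if not m or m[1] not in classifiers or m[2] not in behaviors:
                findings.append(f"policy {name}: '{cmd}' names an undefined classifier or behavior")
    for pol, vlan, direction in applied:
        if pol not in policies:
            findings.append(f"vlan {vlan} {direction}: policy {pol} is not defined")
    return findings
```

Calling `audit_pbr(SAMPLE)` reports the classifier that points at an undefined ACL number and the behavior whose redirect keyword is misspelled; a clean configuration returns an empty list.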
Removing the configuration from the switch:
[H3C]undo qos vlan-policy vlan 24 inbound
[H3C]undo qos vlan-policy vlan 24 outbound
[H3C]undo qos policy 2
[H3C]undo traffic classifier 2
[H3C]undo traffic behavior 2
[H3C]undo acl number 3006
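To cover all IP addresses in the subnet instead of restricting the client and the server to single IP addresses, configure the ACLs as follows: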
[H3C-acl-adv-3005]rule 0 permit ipinip destination any
[H3C-acl-adv-3005]rule 5 deny ip
[H3C-acl-adv-3005]qu
[H3C]acl number 3006
[H3C-acl-adv-3006]rule 0 permit ipinip destination any
[H3C-acl-adv-3006]rule 5 deny ip
[H3C-acl-adv-3006]qu
The complete configuration is as follows:

vlan 22 to 24
int vlan 22
ip add 10.11.0.1 24
qu
int vlan 23
ip add 10.13.0.1 24
qu
int vlan 24
ip add 10.12.0.1 24
qu
int g1/0/22
port access vlan 22
qu
int g1/0/23
port access vlan 23
qu
int g1/0/24
port access vlan 24
qu
acl advanced 3005
rule 0 permit ipinip destination any
rule 5 deny ip
qu
acl number 3006
rule 0 permit ipinip destination any
rule 5 deny ip
qu
traffic classifier 1
if-match acl 3005
qu
traffic behavior 1
redirect next-hop 10.13.0.2
qu
qos policy 1
classifier 1 behavior 1
qu
qos vlan-policy 1 vlan 22 inbound
traffic classifier 2
if-match acl 3006
qu
traffic behavior 2
redirect next-hop 10.13.0.2
qu
qos policy 2
classifier 2 behavior 2
qu
qos vlan-policy 2 vlan 24 inbound
Reference: https://blog.csdn.net/zdl244/article/details/103516814