Typical policy-based routing configuration: implementing PBR with a traffic policy (i.e. redirecting to different next hops)
1. Topology and networking requirements
Company users reach the external network through the SW2 core switch over two links: a high-speed link whose gateway is 192.168.100.2/24, and a low-speed link whose gateway is 192.168.200.2/24. The company has two internal segments:
- 192.168.10.0/24, the server area, which needs high link bandwidth;
- 192.168.20.0/24, staff internet access, which is only allowed to use the low-speed link.
2. Basic configuration
Configure the basic settings shown in the topology above so that the whole network is reachable.
sw1
```bash
vlan batch 10 20
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
interface GigabitEthernet0/0/3 # this is the trunk, allowing VLAN 10 and 20 through
port link-type trunk
port trunk allow-pass vlan 10 20
```
sw2
```bash
vlan batch 10 20 100 200
interface GigabitEthernet0/0/1 # this is the trunk, allowing VLAN 10 and 20 through
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 200
# VLANIF configuration
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
```
Add two static default routes (one per uplink gateway):
```bash
[sw2]ip route-static 0.0.0.0 0 192.168.100.2
[sw2]ip route-static 0.0.0.0 0 192.168.200.2
```
Add return routes on AR1 and AR2 respectively, so that traffic for the internal segments comes back to SW2:
```bash
[ar1]ip route-static 192.168.0.0 16 192.168.100.1
[ar2]ip route-static 192.168.0.0 16 192.168.200.1
```
Traffic flow analysis
PC1 must be able to reach PC2 (red arrow 1), and PC2 must be able to reach PC1 (green arrow 2). In plain terms, PC1 and PC2 communicate with each other.
- The PC1/PC2 mutual access is configured in a single ACL, named ACL 3000.
- PC1 is only allowed out via the high-speed link (blue arrow 3), named ACL 3001.
- PC2 is only allowed out via the low-speed link (purple arrow 4), named ACL 3002.
3. Configure the ACLs
ACL 3000 is used for mutual access between 192.168.10.0 and 192.168.20.0:
```bash
[sw2]acl 3000
[sw2-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[sw2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
```
ACL 3001 matches the 10 segment (the `acl 3001` command enters the ACL view before the rule is added):
```bash
[sw2]acl 3001
[sw2-acl-adv-3001]rule permit ip source 192.168.10.0 0.0.0.255
```
ACL 3002 matches the 20 segment:
```bash
[sw2]acl 3002
[sw2-acl-adv-3002]rule permit ip source 192.168.20.0 0.0.0.255
```
4. Configure the traffic classifiers
In essence this binds each traffic classifier to an ACL:
```bash
[sw2]traffic classifier c0 operator or
[sw2-classifier-c0]if-match acl 3000
[sw2]traffic classifier c1 # no operator given, so the default (AND) applies; with a single if-match this makes no difference
[sw2-classifier-c1]if-match acl 3001
[sw2]traffic classifier c2 operator or
[sw2-classifier-c2]if-match acl 3002
```
5. Configure the traffic behaviors
```bash
[sw2]traffic behavior b0
[sw2-behavior-b0]permit # permit, i.e. allow the 10 and 20 segments to reach each other via normal routing
[sw2]traffic behavior b1
[sw2-behavior-b1]redirect ip-nexthop 192.168.100.2 # redirect the 10 segment to the high-speed link
[sw2]traffic behavior b2
[sw2-behavior-b2]redirect ip-nexthop 192.168.200.2 # redirect the 20 segment to the low-speed link
```
6. Configure the traffic policy
In essence this binds the traffic classifiers to the traffic behaviors. The order matters: classifiers in a policy are evaluated in the order they are bound and the first match wins, so c0 (permit) must come before c1 and c2, otherwise 10-to-20 traffic would also match ACL 3001 and be redirected out of the high-speed link instead of being routed internally.
```bash
[sw2]traffic policy p1
[sw2-trafficpolicy-p1]classifier c0 behavior b0
[sw2-trafficpolicy-p1]classifier c1 behavior b1
[sw2-trafficpolicy-p1]classifier c2 behavior b2
[sw2]int g0/0/1
[sw2-GigabitEthernet0/0/1]traffic-policy p1 inbound # apply the traffic policy to the interface
```
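To check the effect of steps 3 to 6 without a lab, the following is an added example (written for this page, not Huawei VRP code) that models the first-match semantics of ACL rules inside a classifier and of classifiers inside a policy, using sw2's ACLs, behaviors, policy order and routing table exactly as configured above. The hypothetical `forward()` function returns which classifier a packet hits and the resulting next hop(s); the test addresses (203.0.113.x) and the alternative policy order are constructed for the demonstration.

```python
"""Constructed model of how a traffic policy on sw2 decides the next hop.
Hypothetical code written for this page, not Huawei VRP code."""
import ipaddress

def wildcard_match(ip, network, wildcard):
    # Huawei ACL wildcard mask: a 0 bit must match exactly, a 1 bit is "don't care"
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ip_i & care == net_i & care

# ACLs as configured on sw2: rules are (source, destination), each (network, wildcard) or None = any
ACLS = {
    3000: [(("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255")),
           (("192.168.20.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255"))],
    3001: [(("192.168.10.0", "0.0.0.255"), None)],
    3002: [(("192.168.20.0", "0.0.0.255"), None)],
}

# Traffic behaviors: permit = ordinary routing-table lookup, redirect = forced next hop
BEHAVIORS = {
    "b0": ("permit", None),
    "b1": ("redirect", "192.168.100.2"),
    "b2": ("redirect", "192.168.200.2"),
}

# Traffic policy p1 in the order the page binds the classifiers: (classifier, acl, behavior)
POLICY_P1 = [("c0", 3000, "b0"), ("c1", 3001, "b1"), ("c2", 3002, "b2")]

# Constructed policy with c0 bound last, to show why the page's order matters
POLICY_MISORDERED = [("c1", 3001, "b1"), ("c2", 3002, "b2"), ("c0", 3000, "b0")]

# sw2's routing table: four connected VLAN interfaces plus the two static default routes
ROUTES = [
    ("192.168.10.0/24", "connected:Vlanif10"),
    ("192.168.20.0/24", "connected:Vlanif20"),
    ("192.168.100.0/24", "connected:Vlanif100"),
    ("192.168.200.0/24", "connected:Vlanif200"),
    ("0.0.0.0/0", "192.168.100.2"),
    ("0.0.0.0/0", "192.168.200.2"),
]

def acl_permits(acl_id, src, dst):
    """First matching rule in the ACL wins; no match means the ACL does not match."""
    for source, destination in ACLS[acl_id]:
        if source and not wildcard_match(src, *source):
            continue
        if destination and not wildcard_match(dst, *destination):
            continue
        return True
    return False

def route_lookup(dst):
    """Longest-prefix match; equal-cost default routes are returned together (ECMP)."""
    best_len, best = -1, []
    for prefix, next_hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.IPv4Address(dst) in net:
            if net.prefixlen > best_len:
                best_len, best = net.prefixlen, [next_hop]
            elif net.prefixlen == best_len:
                best.append(next_hop)
    return best

def forward(src, dst, policy=POLICY_P1):
    """Return (classifier_hit, next_hops) for a packet arriving inbound on G0/0/1."""
    for name, acl_id, behavior in policy:
        if acl_permits(acl_id, src, dst):
            action, next_hop = BEHAVIORS[behavior]
            if action == "redirect":
                return name, [next_hop]
            return name, route_lookup(dst)  # permit: fall through to normal routing
    return None, route_lookup(dst)  # no classifier matched: normal routing only

if __name__ == "__main__":
    flows = [("192.168.10.1", "203.0.113.10"),   # server area to the outside
             ("192.168.20.1", "203.0.113.10"),   # staff to the outside
             ("192.168.10.1", "192.168.20.1")]   # PC1 to PC2
    for s, d in flows:
        print(s, "->", d, forward(s, d), "| misordered:", forward(s, d, POLICY_MISORDERED))
```

Running the block shows the three flows the page cares about: the 10 segment leaves via 192.168.100.2, the 20 segment via 192.168.200.2, and 10-to-20 traffic stays on the connected VLAN 20 interface. With c0 bound last, the same 10-to-20 packet is caught by c1 and redirected to 192.168.100.2, which is exactly the mistake the ordering in step 6 avoids. A host in neither ACL (for example one on the 100 segment) hits no classifier and falls back to the two equal-cost defaults.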
To sum up what we did: first we created three ACLs that describe the IP segments involved.
```bash
[sw2]dis acl all
Total nonempty ACL number is 3
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.10.0 0.0.0.255
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.20.0 0.0.0.255
```
Then we configured the traffic classifiers, which simply bind each ACL to a classifier.
```bash
[sw2]dis traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Operator: OR
Rule(s) : if-match acl 3002
Classifier: c0
Operator: OR
Rule(s) : if-match acl 3000
Classifier: c1
Operator: AND
Rule(s) : if-match acl 3001
Total classifier number is 3
```
Then we configured the traffic behaviors, which redirect the flows matched above to the corresponding gateway.
```bash
[sw2]dis traffic behavior user-defined
User Defined Behavior Information:
Behavior: b2
Redirect: no forced
Redirect ip-nexthop
192.168.200.2
Behavior: b0
Permit
Behavior: b1
Redirect: no forced
Redirect ip-nexthop
192.168.100.2
Total behavior number is 3
```
Finally we configured the traffic policy, which binds the classifiers to the behaviors, and applied the policy to the interface.