https://www.h3c.com/cn/d_202303/1816255_30005_0.htm
1 配置基于报文源IPv4地址的策略路由
1.1 简介
本案例介绍基于报文源IPv4地址的策略路由的配置方法。
1.2 组网需求
如图1所示,Switch A分别与Switch B和Switch C相连。配置静态路由,使Switch A收到的所有访问服务器114.114.114.114/24的报文都根据路由表从Switch B转发。
现要求在Switch A上配置策略路由,控制访问服务器114.114.114.114/24的报文:
· 匹配Vlan-interface2上收到的源地址为192.168.2.0/24报文,将该报文的下一跳重定向到Switch C转发;
· 其他报文仍从Switch B转发。
图1 基于报文源IPv4地址的策略路由配置组网图
设备 | 接口 | IP地址 | 设备 | 接口 | IP地址 |
Switch A | Vlan-int1 | 192.168.1.1/24 | Switch C | Vlan-int4 | 20.20.20.2/24 |
Vlan-int2 | 192.168.2.1/24 | Vlan-int6 | 40.40.40.1/24 | ||
Vlan-int3 | 10.10.10.1/24 | Switch D | Vlan-int5 | 30.30.30.2/24 | |
Vlan-int4 | 20.20.20.1/24 | Vlan-int6 | 40.40.40.2/24 | ||
Switch B | Vlan-int3 | 10.10.10.2/24 | Vlan-int7 | 114.114.114.1/24 | |
Vlan-int5 | 30.30.30.1/24 |
1.3 配置步骤
1. 配置Host A和Host B
为Host A配置IP地址为192.168.1.2,掩码为255.255.255.0,网关地址为192.168.1.1。
为Host B配置IP地址为192.168.2.2,掩码为255.255.255.0,网关地址为192.168.2.1。
2. 配置Switch A
# 创建VLAN,在VLAN中加入对应的端口,并配置各VLAN接口的IP地址。
<SwitchA> system-view
[SwitchA] vlan 1
[SwitchA-vlan1] port gigabitethernet 1/0/1
[SwitchA-vlan1] quit
[SwitchA] vlan 2
[SwitchA-vlan2] port gigabitethernet 1/0/2
[SwitchA-vlan2] quit
[SwitchA] vlan 3
[SwitchA-vlan3] port gigabitethernet 1/0/3
[SwitchA-vlan3] quit
[SwitchA] vlan 4
[SwitchA-vlan4] port gigabitethernet 1/0/4
[SwitchA-vlan4] quit
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 192.168.1.1 24
[SwitchA-Vlan-interface1] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.2.1 24
[SwitchA-Vlan-interface2] quit
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 10.10.10.1 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 4
[SwitchA-Vlan-interface4] ip address 20.20.20.1 24
[SwitchA-Vlan-interface4] quit
# 配置目的地址是114.114.114.114/24的静态路由。在未配置策略路由的情况下,所有访问目的地址114.114.114.114/24的报文均从Switch B转发。
[SwitchA] ip route-static 114.114.114.114 24 10.10.10.2
# 定义访问控制列表ACL 3000,用来匹配源地址为192.168.2.0/24网段的报文。
[SwitchA-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3000] quit
# 定义访问控制列表ACL 3001,用来匹配源地址为192.168.2.0/24网段,目的地址是192.168.1.0/24的报文。
[SwitchA] acl advanced 3001
[SwitchA-acl-ipv4-adv-3001] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[SwitchA-acl-ipv4-adv-3001] quit
# 创建策略路由,名称为aaa,节点为10,匹配ACL 3001的数据流,不设置apply动作,从而避免SwitchA不同接口之间互相访问的流量被拦截(如果不设置动作,则匹配到的数据转发时根据路由表来进行转,且不再匹配下一节点,配置这个节点的作用是实现内网不同网段之间互访的流量不匹配策略路由,达到可以互访的目的。缺省情况下,网关在路由器上的不同网段是可以互相访问的)。
[SwitchA] policy-based-route aaa permit node 10
[SwitchA-pbr-aaa-10] if-match acl 3001
[SwitchA-pbr-aaa-10] quit
# 创建策略路由aaa的节点20,匹配ACL 3000的数据流,设置apply动作,指定数据的下一跳为20.20.20.2。
[SwitchA] policy-based-route aaa permit node 20
[SwitchA-pbr-aaa-20] if-match acl 3000
[SwitchA-pbr-aaa-20] apply next-hop 20.20.20.2
[SwitchA-pbr-aaa-20] quit
# 在SwitchA的Vlan-interface2接口上应用策略路由。
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip policy-based-route aaa
[SwitchA-Vlan-interface2] quit
# 开启设备的ICMP目的不可达报文的发送功能。
[SwitchA] ip unreachables enable
# 开启ICMP超时报文发送功能。
[SwitchA] ip ttl-expires enable
# 保存配置。
[SwitchA] save force
3. 配置Switch B
# 创建VLAN,在VLAN中加入对应的端口,并配置各VLAN接口的IP地址。
<SwitchB> system-view
[SwitchB] vlan 3
[SwitchB-vlan3] port gigabitethernet 1/0/1
[SwitchB-vlan3] quit
[SwitchB] vlan 5
[SwitchB-vlan5] port gigabitethernet 1/0/2
[SwitchB-vlan5] quit
[SwitchB] interface vlan-interface 3
[SwitchB-Vlan-interface3] ip address 10.10.10.2 24
[SwitchB-Vlan-interface3] quit
[SwitchB] interface vlan-interface 5
[SwitchB-Vlan-interface5] ip address 30.30.30.1 24
[SwitchB-Vlan-interface5] quit
# 配置访问114.114.114.114/32的静态路由。
[SwitchB] ip route-static 114.114.114.114 24 30.30.30.2
# 配置访问192.168.1.0/24的静态路由。
[SwitchB] ip route-static 192.168.1.0 24 10.10.10.1
# 配置访问192.168.2.0/24的静态路由。
[SwitchB] ip route-static 192.168.2.0 24 10.10.10.1
# 开启设备的ICMP目的不可达报文的发送功能。
[SwitchB] ip unreachables enable
# 开启ICMP超时报文发送功能。
[SwitchB] ip ttl-expires enable
# 保存配置。
[SwitchB] save force
4. 配置Switch C
# 创建VLAN,在VLAN中加入对应的端口,并配置各VLAN接口的IP地址。
<SwitchC> system-view
[SwitchC] vlan 4
[SwitchC-vlan4] port gigabitethernet 1/0/1
[SwitchC-vlan4] quit
[SwitchC] vlan 6
[SwitchC-vlan6] port gigabitethernet 1/0/2
[SwitchC-vlan6] quit
[SwitchC] interface vlan-interface 4
[SwitchC-Vlan-interface4] ip address 20.20.20.2 24
[SwitchC-Vlan-interface4] quit
[SwitchC] interface vlan-interface 6
[SwitchC-Vlan-interface6] ip address 40.40.40.1 24
[SwitchC-Vlan-interface6] quit
# 配置访问114.114.114.114/32的静态路由。
[SwitchC] ip route-static 114.114.114.114 24 40.40.40.2
# 配置访问192.168.1.0/24的静态路由。
[SwitchC] ip route-static 192.168.1.0 24 20.20.20.1
# 配置访问192.168.2.0/24的静态路由。
[SwitchC] ip route-static 192.168.2.0 24 20.20.20.1
# 开启设备的ICMP目的不可达报文的发送功能。
[SwitchC] ip unreachables enable
# 开启ICMP超时报文发送功能。
[SwitchC] ip ttl-expires enable
# 保存配置。
[SwitchC] save force
5. 配置Switch D
# 创建VLAN,在VLAN中加入对应的端口,并配置各VLAN接口的IP地址。
<SwitchD> system-view
[SwitchD] vlan 5
[SwitchD-vlan5] port gigabitethernet 1/0/1
[SwitchD-vlan5] quit
[SwitchD] vlan 6
[SwitchD-vlan6] port gigabitethernet 1/0/2
[SwitchD-vlan6] quit
[SwitchD] vlan 7
[SwitchD-vlan7] port gigabitethernet 1/0/3
[SwitchD-vlan7] quit
[SwitchD] interface vlan-interface 5
[SwitchD-Vlan-interface5] ip address 30.30.30.2 24
[SwitchD-Vlan-interface5] quit
[SwitchD] interface vlan-interface 6
[SwitchD-Vlan-interface6] ip address 40.40.40.2 24
[SwitchD-Vlan-interface6] quit
[SwitchD] interface vlan-interface 7
[SwitchD-Vlan-interface7] ip address 114.114.114.1 24
[SwitchD-Vlan-interface7] quit
# 配置访问192.168.1.0/24的静态路由。
[SwitchD] ip route-static 192.168.1.0 24 30.30.30.1
# 配置访问192.168.2.0/24的静态路由。
[SwitchD] ip route-static 192.168.2.0 24 40.40.40.1
# 开启设备的ICMP目的不可达报文的发送功能。
[SwitchD] ip unreachables enable
# 开启ICMP超时报文发送功能。
[SwitchD] ip ttl-expires enable
# 保存配置。
[SwitchD] save force
1.4 验证配置
# 在Switch A上通过display ip policy-based-route命令可以查看到当前策略路由配置已经配置成功。
[SwitchA] display ip policy-based-route interface Vlan-interface 2
Policy-based routing information for interface Vlan-interface2:
Policy name: aaa
node 10 permit:
if-match acl 3001
Matches: 0, bytes: 0
node 20 permit:
if-match acl 3000
apply next-hop 20.20.20.2
Matches: 0, bytes: 0
Total matches: 0, total bytes: 0
# 在Host A上使用tracert命令验证服务器114.114.114.114/24是否可达(使用Tracert功能需要在中间设备上开启ICMP超时报文发送功能,在目的端开启ICMP目的不可达报文发送功能)。可以看到报文从Switch B转发。
C:\Documents and Settings\Administrator>tracert 114.114.114.114
Tracing route to 114.114.114.114 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1
2 <1 ms <1 ms <1 ms 10.10.10.2
3 <1 ms <1 ms <1 ms 30.30.30.2
4 1 ms <1 ms <1 ms 114.114.114.114
Trace complete.
# 在Host B上使用tracert命令验证服务器114.114.114.114/24是否可达。可以看到报文从Switch C转发,策略路由配置成功。
C:\Documents and Settings\Administrator>tracert 114.114.114.114
Tracing route to 114.114.114.114 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.1
2 <1 ms <1 ms <1 ms 20.20.20.2
3 <1 ms <1 ms <1 ms 40.40.40.2
4 1 ms <1 ms <1 ms 114.114.114.114
Trace complete.
1.5 配置文件
· Switch A:
#
ip unreachables enable
ip ttl-expires enable
#
vlan 1
#
vlan 2 to 4
#
policy-based-route aaa permit node 10
if-match acl 3001
#
policy-based-route aaa permit node 20
if-match acl 3000
apply next-hop 20.20.20.2
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.2.1 255.255.255.0
ip policy-based-route aaa
#
interface Vlan-interface3
ip address 10.10.10.1 255.255.255.0
#
interface Vlan-interface4
ip address 20.20.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 3
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 4
#
ip route-static 114.114.114.114 24 10.10.10.2
#
acl advanced 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255
#
acl advanced 3001
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
· Switch B :
#
ip unreachables enable
ip ttl-expires enable
#
vlan 3
#
vlan 5
#
interface Vlan-interface3
ip address 10.10.10.2 255.255.255.0
#
interface Vlan-interface5
ip address 30.30.30.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 3
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 5
#
ip route-static 114.114.114.114 24 30.30.30.2
ip route-static 192.168.1.0 24 10.10.10.1
ip route-static 192.168.2.0 24 10.10.10.1
#
· Switch C:
#
ip unreachables enable
ip ttl-expires enable
#
vlan 4
#
vlan 6
#
interface Vlan-interface4
ip address 20.20.20.2 255.255.255.0
#
interface Vlan-interface6
ip address 40.40.40.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 6
#
ip route-static 114.114.114.114 24 40.40.40.2
ip route-static 192.168.1.0 24 20.20.20.1
ip route-static 192.168.2.0 24 20.20.20.1
#
· Switch D:
#
ip unreachables enable
ip ttl-expires enable
#
vlan 5 to 7
#
interface Vlan-interface5
ip address 30.30.30.2 255.255.255.0
#
interface Vlan-interface6
ip address 40.40.40.2 255.255.255.0
#
interface Vlan-interface7
ip address 114.114.114.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 5
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 6
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 7
#
ip route-static 192.168.1.0 24 30.30.30.1
ip route-static 192.168.2.0 24 40.40.40.1
#
1.6 相关资料
· 产品配套“三层技术-IP路由配置指导”中的“策略路由”。
· 产品配套“三层技术-IP路由命令参考”中的“策略路由”。
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://www.hqyman.cn/post/6535.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
休息一下~~