eNSP实验使用MQC实现策略路由

实验拓扑

需求：

内网存在两个网段，网段1：10.1.1.0/24，网段2：10.1.2.0/24，在RTA上通过MQC实现策略路由，实现网段1访问Internet通过ISP1、网段2访问Internet通过ISP2。
将MQC调用在RTA的GE0/0/2接口

实验设备要求

路由器需要支持 traffic policy、nat，eNSP 提供的路由器 Router 保留设备不能支持，不能使用。

实验步骤

步骤一：配置网络设备互联接口IP

配置的的时候，暂时关闭命令行界面信息中心的日志打印输出，减少干扰我们输入配置命名的时候。

<Huawei> system-view
[huawei] unde info-center enable
Info: Information center is disabled.
[huawei]

ISP1上配置接口IP

[ISP1] interface GigabitEthernet0/0/0
[ISP1-GigabitEthernet0/0/0] ip address 202.1.2.3 24
[ISP1-GigabitEthernet0/0/0] quit
[ISP1] interface LoopBack0
[ISP1-LoopBack0] ip address 1.1.1.1 32
[ISP1-LoopBack0] quit

ISP2上配置接口IP

[ISP2] interface GigabitEthernet0/0/0
[ISP2-GigabitEthernet0/0/0] ip address 154.1.2.3 24
[ISP2-GigabitEthernet0/0/0] quit
[ISP2] interface LoopBack0
[ISP1-LoopBack0] ip address 2.2.2.2 32
[ISP1-LoopBack0] quit

ISP1和ISP2上的LoopBack0 用于测试MQC的策略路由是否配置生效。

RTA上配置接口IP

[RTA] interface GigabitEthernet0/0/0
[RTA-GigabitEthernet0/0/0] ip address 202.1.2.4 255.255.255.0 
[RTA-GigabitEthernet0/0/0] quit
[RAT] interface GigabitEthernet0/0/1
[RTA-GigabitEthernet0/0/1] ip address 154.1.2.4 255.255.255.0 
[RTA] interface GigabitEthernet0/0/2
[RTA-GigabitEthernet0/0/2] ip address 10.1.4.254 255.255.255.0

CORE-SW配置VLAN、Vlanif虚拟接口、端口

[CORE-SW] vlan batch 10 20 30 40
[CORE-SW] interface Vlanif 10
[CORE-SW-Vlanif10] ip address 10.1.1.1 24
[CORE-SW-Vlanif10] quit
[CORE-SW] interface Vlanif 20
[CORE-SW-Vlanif20] ip address 10.1.2.1 24
[CORE-SW-Vlanif20] quit
[CORE-SW] interface Vlanif 30
[CORE-SW-Vlanif30] ip address 10.1.3.1 24
[CORE-SW-Vlanif30] quit
[CORE-SW] interface Vlanif 40
[CORE-SW-Vlanif40] ip address 10.1.4.1 24
[CORE-SW-Vlanif40] quit
[CORE-SW] interface GigabitEthernet0/0/1
[CORE-SW-GigabitEthernet0/0/1] port link-type access
[CORE-SW-GigabitEthernet0/0/1] port default vlan 40
[CORE-SW-GigabitEthernet0/0/1] quit
[CORE-SW] interface GigabitEthernet0/0/2
[CORE-SW-GigabitEthernet0/0/2] port link-type access
[CORE-SW-GigabitEthernet0/0/2] port default vlan 10
[CORE-SW-GigabitEthernet0/0/2] quit
[CORE-SW] interface GigabitEthernet0/0/2
[CORE-SW-GigabitEthernet0/0/2] port link-type access
[CORE-SW-GigabitEthernet0/0/2] port default vlan 20
[CORE-SW-GigabitEthernet0/0/2] quit
[CORE-SW] interface GigabitEthernet0/0/3
[CORE-SW-GigabitEthernet0/0/3] port link-type access
[CORE-SW-GigabitEthernet0/0/3] port default vlan 30
[CORE-SW-GigabitEthernet0/0/3] quit

PC1、PC2、Server1的IP地址和掩码及网关配置

machine（设备）	IP（网协）	MASK（掩码）	GATEWAY（网关）
PC1	10.1.1.2	255.2555.255.0	10.1.1.1
PC2	10.1.2.2	255.2555.255.0	10.1.2.1
Server1	10.1.3.254	255.2555.255.0	10.1.3.1

步骤二：配置设备的路由

RTA上配置路由

网段10.1.1.0/24、10.1.2.0/24聚合成路由10.1.0.0/16，指导去往内网主机的流量。

[RTA] ip route-static 0.0.0.0 0.0.0.0 202.1.2.3
[RTA] ip route-static 0.0.0.0 0.0.0.0 154.1.2.3
[RTA] ip route-static 10.1.0.0 255.255.0.0 10.1.4.1

CORE-SW配置路由

指导去往Internet的流量，转发到RTA。

[CORE-SW] ip route-static 0.0.0.0 0.0.0.0 10.1.4.254

步骤三：配置NAT

现网环境，内网访问外网，需要做地址转换，ACL 匹配要转换成外网IP的内网IP。RTA上配置NAT easy ip 模式实现。

[RTA] acl 2000
[RTA-acl-basic-2000] rule 5 permit source 10.1.0.0 0.0.255.255
[RTA-acl-basic-2000] quit
[RTA] interface GigabitEthernet0/0/0
[RTA-GigabitEthernet0/0/0] nat outbound 2000
[RTA-GigabitEthernet0/0/0] quit
[RTA] interface GigabitEthernet0/0/1
[RTA-GigabitEthernet0/0/1] nat outbound 2000
[RTA-GigabitEthernet0/0/1] quit

步骤四：配置MQC

RTA设备上配置MQC，GE0/0/2接口上调用。

配置ACL3000、3001分别匹配10.1.1.0/24网段、10.1.2.0/24网段访问Internet的流量。

[RTA] acl 3000
[RTA-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 0.0.0.0 255.255.255.255
[RTA-acl-adv-3000] quit
[RTA] acl 3001
[RTA-acl-adv-3001] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 0.0.0.0 255.255.255.255
[RTA-acl-adv-3001] quit

创建流分类ISP1、ISP2、分别匹配ACL3000、ACL3001

[RTA] traffic classifier ISP2 
[RTA-classifier-ISP2] if-match acl 3001
[RTA-classifier-ISP2] quit
[RTA] traffic classifier ISP1 
[RTA-classifier-ISP1] if-match acl 3000
[RTA-classifier-ISP1] quit

创建流行为ISP1、ISP2分别执行将报文重定向202.1.2.3、154.1.2.3的动作

[RTA] traffic behavior ISP2
[RTA-behavior-ISP2] redirect ip-nexthop 154.1.2.3
[RTA-behavior-ISP2] statistic enable
[RTA-behavior-ISP2] quit
[RTA] traffic behavior ISP1
[RTA-behavior-ISP1] redirect ip-nexthop 202.1.2.3
[RTA-behavior-ISP1] statistic enable
[RTA-behavior-ISP1] quit

流行为上加上statistic enable，开启流策略的统计。

创建流策略Redirect-ISP，将流分类ISP1、ISP2和流行为ISP1、ISP2一对一绑定

[RTA] traffic policy Redirect-ISP
[RTA-trafficpolicy-Redirect] classifier ISP1 behavior ISP1
[RTA-trafficpolicy-Redirect] classifier ISP2 behavior ISP2

在GE0/0/2接口入方向上调用流策略Redirect-ISP

[RTA] interface GigabitEthernet 0/0/2
[RTA-GigabitEthernet0/0/2] traffic-policy Redirect-ISP inbound

步骤五：验证结果

ISP1 LoopBack 0 的 1.1.1.1 和 ISP2 LoopBack 0 2.2.2.2 没有配置做互相通信。

在 10.1.1.0/24 网络 PC1 IP：10.1.1.2上， ping 1.1.1.1 数据可达，ping 2.2.2.2 数据不可达。说明流量按照流策略指导转发

PC>ping 1.1.1.1

Ping 1.1.1.1: 32 data bytes, Press Ctrl_C to break
From 1.1.1.1: bytes=32 seq=1 ttl=253 time=79 ms
From 1.1.1.1: bytes=32 seq=2 ttl=253 time=46 ms
From 1.1.1.1: bytes=32 seq=3 ttl=253 time=47 ms
From 1.1.1.1: bytes=32 seq=4 ttl=253 time=78 ms
From 1.1.1.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 1.1.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 46/62/79 ms

PC>ping 2.2.2.2

Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 2.2.2.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

在 10.1.2.0/24 网络 PC1 IP：10.1.1.2上， ping 1.1.1.1 数据不可达，ping 2.2.2.2 数据可达。说明流量按照流策略指导转发

PC>ping 1.1.1.1

Ping 1.1.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 1.1.1.1 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 2.2.2.2

Ping 2.2.2.2: 32 data bytes, Press Ctrl_C to break
From 2.2.2.2: bytes=32 seq=1 ttl=253 time=94 ms
From 2.2.2.2: bytes=32 seq=2 ttl=253 time=47 ms
From 2.2.2.2: bytes=32 seq=3 ttl=253 time=47 ms
From 2.2.2.2: bytes=32 seq=4 ttl=253 time=47 ms
From 2.2.2.2: bytes=32 seq=5 ttl=253 time=47 ms

--- 2.2.2.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/56/94 ms

查询流策略的统计也有数据，说明流策略应用生效。

[RTA]display traffic policy statistics interface GigabitEthernet 0/0/2 inbound

 Interface: GigabitEthernet0/0/2
 Traffic policy inbound: Redirect
 Rule number: 2
 Current status: OK!
Item                           Sum(Packets/Bytes)            Rate(pps/bps)
-------------------------------------------------------------------------------
Matched                                       9/                         0/
                                            882                          0
  +--Passed                                   9/                         0/
                                            882                          0
  +--Dropped                                  0/                         0/
                                              0                          0
    +--Filter                                 0/                         0/
                                              0                          0
    +--CAR                                    0/                         0/
                                              0                          0
  +--Queue Matched                            0/                         0/
                                              0                          0
    +--Enqueued                               0/                         0/
                                              0                          0
    +--Discarded                              0/                         0/
                                              0                          0
  +--Car                                      0/                         0/
                                              0                          0
    +--Green packets                          0/                         0/
                                              0                          0
    +--Yellow packets                         0/                         0/
                                              0                          0
    +--Red packets                            0/                         0/
                                              0                          0

查询 ACL 统计的数据，看到规则匹配的统计。

<RTA>dis acl all
 Total quantity of nonempty ACL number is 2 

Basic ACL 2000, 1 rule
Acl's step is 5
 rule 5 permit source 10.1.1.0 0.0.0.255 (5 matches)

Basic ACL 2001, 1 rule
Acl's step is 5
 rule 5 permit source 10.1.2.0 0.0.0.255 (9 matches)

结束

这个也负载均衡，是策略路由实现的

posted on 2025-04-04 14:22 鲲跃北溟阅读(237) 评论(1) 收藏举报

刷新页面返回顶部

鲲越北溟