Policy-based routing on the core S7700
The office intranet's internet uplink went down again today. Over the May 1st holiday it already went down two days in a row, all because of the renovation work downstairs, and once again I had to temporarily jump the office intranet's uplink over to the China Mobile 100M line. Telnet into the core, take a look at the routing table... even I found it annoying (why did it never bother me before??)~~~ So I bit the bullet and rewrote the whole configuration; now whenever something comes up I only need to touch one ACL. So much easier on the eyes!!!
The headache-inducing config looked like this ⇓
acl number 3010
 rule 1 permit ip source 192.168.10.0 0.0.0.255
 rule 5 permit ip source 192.168.10.219 0
 rule 10 permit ip source 192.168.10.59 0
 rule 15 permit ip source 192.168.10.218 0
 rule 25 permit ip source 192.168.10.225 0
 rule 30 permit ip source 192.168.10.133 0
 rule 35 permit ip source 192.168.10.153 0
 rule 40 permit ip source 192.168.10.23 0
acl number 3011
 rule 5 permit ip source 192.168.10.219 0 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.10.59 0 destination 192.168.10.0 0.0.0.255
 rule 15 permit ip source 192.168.10.218 0 destination 192.168.10.0 0.0.0.255
 rule 25 permit ip source 192.168.10.225 0 destination 192.168.10.0 0.0.0.255
 rule 30 permit ip source 192.168.10.133 0 destination 192.168.10.0 0.0.0.255
 rule 35 permit ip source 192.168.10.153 0 destination 192.168.10.0 0.0.0.255
 rule 40 permit ip source 192.168.10.23 0 destination 192.168.10.0 0.0.0.255
acl number 3012
 rule 5 permit ip source 192.168.10.219 0 destination 172.16.0.0 0.15.255.255
 rule 10 permit ip source 192.168.10.59 0 destination 172.16.0.0 0.15.255.255
 rule 15 permit ip source 192.168.10.218 0 destination 172.16.0.0 0.15.255.255
 rule 25 permit ip source 192.168.10.225 0 destination 172.16.0.0 0.15.255.255
 rule 35 permit ip source 192.168.10.153 0 destination 172.16.0.0 0.15.255.255
acl number 3013
 rule 5 permit ip source 192.168.10.219 0 destination 192.168.2.0 0.0.0.255
 rule 15 permit ip source 192.168.10.59 0 destination 192.168.2.0 0.0.0.255
acl number 3014
 rule 5 permit ip source 192.168.30.2 0 destination 192.168.30.0 0.0.0.255
acl number 3015
 rule 1 permit ip source 192.168.30.2 0
 rule 5 permit ip source 172.16.0.0 0.0.255.255
 rule 10 permit ip source 172.18.0.0 0.0.255.255
 rule 15 permit ip source 172.19.0.0 0.0.255.255
 rule 20 permit ip source 172.17.0.0 0.0.255.255
acl number 3020
acl number 3025
acl number 3030
 rule 5 permit ip source 192.168.10.232 0 destination 192.168.11.0 0.0.0.255
#
traffic classifier c_3010 operator or precedence 35
 if-match acl 3010
traffic classifier c_3011 operator or precedence 34
 if-match acl 3011
traffic classifier c_3012 operator or precedence 33
 if-match acl 3012
traffic classifier c_3013 operator or precedence 32
 if-match acl 3013
traffic classifier c_3014 operator or precedence 19
 if-match acl 3014
traffic classifier c_3015 operator or precedence 20
 if-match acl 3015
traffic classifier c_3020 operator or precedence 15
 if-match acl 3020
traffic classifier c_3030 operator or precedence 10
 if-match acl 3030
#
traffic behavior b_permit
 permit
traffic behavior b_to_core
 permit
 redirect ip-nexthop 192.168.10.1
traffic behavior b_to_nac
 permit
 redirect ip-nexthop 192.168.30.2
traffic behavior b_to_usg
 permit
 redirect ip-nexthop 2.2.2.2
traffic behavior b_to_winpos
 permit
 redirect ip-nexthop 192.168.2.254
#
traffic policy p_3010 match-order config
 classifier c_3030 behavior b_to_core
 classifier c_3013 behavior b_to_winpos
 classifier c_3012 behavior b_to_nac
 classifier c_3011 behavior b_to_core
 classifier c_3010 behavior b_to_usg
traffic policy p_3015 match-order config
 classifier c_3014 behavior b_to_core
 classifier c_3015 behavior b_to_usg
traffic policy p_3020 match-order config
 classifier c_3020 behavior b_permit
#
After slimming it down it looks like this ⇓
acl number 3010
 rule 1 permit ip source 192.168.10.0 0.0.0.255
 rule 5 permit ip source 192.168.10.219 0
 rule 10 permit ip source 192.168.10.59 0
 rule 15 permit ip source 192.168.10.218 0
 rule 25 permit ip source 192.168.10.225 0
 rule 30 permit ip source 192.168.10.133 0
 rule 35 permit ip source 192.168.10.153 0
 rule 40 permit ip source 192.168.10.23 0
acl number 3011
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.11.0 0.0.0.255
 rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.0.0 0.15.255.255
 rule 20 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3014
 rule 5 permit ip source 192.168.30.2 0 destination 192.168.30.0 0.0.0.255
acl number 3015
 rule 5 permit ip source 192.168.30.2 0
 rule 10 permit ip source 172.16.0.0 0.15.255.255
#
traffic classifier c_3010 operator or precedence 35
 if-match acl 3010
traffic classifier c_3011 operator or precedence 34
 if-match acl 3011
traffic classifier c_3014 operator or precedence 19
 if-match acl 3014
traffic classifier c_3015 operator or precedence 20
 if-match acl 3015
#
traffic behavior b_to_core
 permit
 redirect ip-nexthop 192.168.10.1
traffic behavior b_to_usg
 permit
 redirect ip-nexthop 2.2.2.2
#
traffic policy p_3010 match-order config
 classifier c_3011 behavior b_to_core
 classifier c_3010 behavior b_to_usg
traffic policy p_3015 match-order config
 classifier c_3014 behavior b_to_core
 classifier c_3015 behavior b_to_usg
#
The root of it is that at the start I never expected the policy routes to keep piling up. Huawei's policy-based routing syntax is a bit long-winded but very flexible: first write the ACLs, then the full classifier + behavior + policy set ("class + behavior + flow" in Huawei's terms), and finally apply the policy to the interface in the inbound direction. After that, most changes only need an ACL edit.
For this cut-over I just added one rule to acl 3010. By default 192.168.10.X goes out to the internet via the AC device; this temporarily switches it to the USG, and I no longer have to worry about the servers with special requirements such as 10.59 and 10.218:
rule 1 permit ip source 192.168.10.0 0.0.0.255
A clearer diagram of the traffic flow:

The two b_to_core entries are mainly for intranet-to-intranet traffic and have to take precedence over the internet-bound routing. Because the gateways for the 172.16.0.0/12 ranges are not on the core, a return route also has to be added:
ip route-static 172.16.0.0 255.240.0.0 192.168.30.2
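To make the acl → classifier → behavior → policy chain and the match order concrete, here is an added Python example (not the post's own code and nothing taken from the S7700) that parses a constructed excerpt of the slimmed-down config above and answers "which next hop does this src/dst pair get redirected to?" the way match-order config does: the first classifier in policy order wins, which is why c_3011 (intranet destinations, b_to_core) has to sit above c_3010 (everything from 192.168.10.0/24, b_to_usg). The packet addresses and the config excerpt are constructed for the demonstration.

```python
import ipaddress
CONFIG = """\
# constructed excerpt of the post's slimmed-down S7700 config ("#" is just a separator in Huawei dumps)
acl number 3010
 rule 1 permit ip source 192.168.10.0 0.0.0.255
acl number 3011
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.0.0 0.15.255.255
traffic classifier c_3010 operator or precedence 35
 if-match acl 3010
traffic classifier c_3011 operator or precedence 34
 if-match acl 3011
traffic behavior b_to_core
 permit
 redirect ip-nexthop 192.168.10.1
traffic behavior b_to_usg
 permit
 redirect ip-nexthop 2.2.2.2
traffic policy p_3010 match-order config
 classifier c_3011 behavior b_to_core
 classifier c_3010 behavior b_to_usg
"""

def wc_match(addr, base, wildcard):
    # Wildcard-mask semantics: a 1 bit is don't-care; a bare "0" (as in "source 192.168.10.59 0") means exact host.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, "0.0.0.0" if wildcard == "0" else wildcard))
    return (a & ~w) == (b & ~w)

def parse(text):
    """Build acl / classifier / behavior / policy tables from a Huawei-style config dump (deny rules are skipped)."""
    cfg, cur = {"acl": {}, "classifier": {}, "behavior": {}, "policy": {}}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] in ("acl", "traffic"):          # "acl number N" / "traffic classifier|behavior|policy NAME ..."
            cur = cfg["acl" if t[0] == "acl" else t[1]].setdefault(t[2], [])
        elif t[0] == "rule" and t[2] == "permit":   # rule N permit ip source A W [destination B W]; no dst = any
            cur.append(((t[5], t[6]), (t[8], t[9]) if "destination" in t else ("0.0.0.0", "255.255.255.255")))
        elif t[0] in ("if-match", "redirect"):  # if-match acl N  /  redirect ip-nexthop IP
            cur.append(t[2])
        elif t[0] == "classifier":              # classifier C behavior B, stored in config order
            cur.append((t[1], t[3]))
    return cfg

def next_hop(cfg, policy, src, dst):
    # match-order config: the first classifier, in policy order, whose ACL permits src->dst decides the redirect.
    for cname, bname in cfg["policy"][policy]:
        for acl in cfg["classifier"][cname]:
            for (sa, sw), (da, dw) in cfg["acl"][acl]:
                if wc_match(src, sa, sw) and wc_match(dst, da, dw):
                    return next(iter(cfg["behavior"][bname]), None)
    return None  # nothing matched: the packet follows the ordinary routing table
```

Swap the two classifier lines in p_3010 and every 192.168.10.x packet, intranet-bound or not, lands on the USG; running that check against a config dump before pushing a policy change is the cheap way to catch an ordering mistake.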
Shouldn't need to fuss over the core for a good long while~~~~~
Noting down some common core switch operations
undo ter mon              # turn off terminal monitoring (log echo to the session)
sysname CORE              # rename the switch
display cur               # then press Tab to complete display current-configuration
display vlan
display port vlan
display interface brief
