h3c-交换机的vlan控制策略路由设置

eguess
1 ℃
2020-06-14

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

h3c交换机的vlan控制策略路由设置时间:2010-02-1010:27来源:未知作者:admin点击:149次昨天去一家客户那边调试h3c的设备,客户要做vlan间互访和策略路由.本以为挺简单的事情,可到了才发现不是自己想象的那样.vlan间互访没想到h3c搞的那么麻烦,cisco的数据流控制就是做一条访问列表,列表里定义了动作是拒绝还是允许,然后直接把这个列表应用到接口昨天去一家客户那边调试h3c的设备,客户要做vlan间互访和策略路由.本以为挺简单的事情,可到了才发现不是自己想象的那样.vlan间互访没想到h3c搞的那么麻烦,cisco的数据流控制就是做一条访问列表,列表里定义了动作是拒绝还是允许,然后直接把这个列表应用到接口上就可以了,但h3c却没有这么简单,h3c我总结了一下总的思路是这样的1.首先定义访问控制列表,注意:假如要使把此列表应用到qos策略中的话此列表中的deny和permit是没有意义的,不管是permit还是deny都代表匹配该数据流.2.定义类,类里面很简单,就是简单的匹配某条列表.应该也可以像cisco一样匹配or或者and,我没验证.3.定义行为动作,行为动作可以分好多,常用的有filterdeny,filterpermit拒绝/允许,还有改变下一条redirectnext-hop.或者可以做标记,qos等.4.定义qos策略,把2,3里的类和行为建立关联,如什么类执行什么行为,可以做好多条,同一个行为如果找到第一项匹配则不再接着往下执行,所有有可能同一个数据流能满足多条不同行为操作的情况.5.把此qos策略应用到接口上.下面我把配置粘上来供大家参考#version5.20,Release5303#sysnamemasterswitch#domaindefaultenablesystem#telnetserverenable#vlan1#vlan20#vlan23description0023#vlan24#vlan30#vlan40#vlan50vlan60#vlan70#vlan80#vlan90#vlan100#domainsystemaccess-limitdisablestateactiveidle-cutdisableself-service-urldisable#trafficclassifierh3coperatorandif-matchacl3060*********定义类，30，50，90三个网段之间不能互访********trafficclassifierwangtongoperatorandif-matchacl2010*********定义类，20，60，90网段的用户分到wangtong这个类中*******trafficclassifierdianxinoperatorandif-matchacl2020*********定义类，30，50，70网段的用户分到电信这个类中*******trafficbehaviorh3cfilterdeny*********定义行为名字叫h3c的动作为丢弃!*********trafficbehaviorwangtongredirectnext-hop10.1.1.2*********定义行为名字叫wangtong动作为改变下一跳位10.1.1.2*********trafficbehaviordianxinredirectnext-hop10.1.2.2*********定义行为名字叫wangtong动作为改变下一跳位10.1.2.2*********qospolicyh3cclassifierh3cbehaviorh3cclassifierwangtongbehaviorwangtongclassifierdianxinbehaviordianxin***********定义一个qos策略(注意,这里是总的qos策略,其中包括vlan间访问控制和策略路由控制都汇聚到此策略中了)1.满足h3c类别的数据流执行h3c这个行为,这里行为为丢弃2.满足wangtong类别的数据流执行网通这个行为,这里的行为为改变下一跳为10.1.1.23.满足dianxin类别的数据流执行dianxin这个行为,这里的行为为改变下一跳为10.1.2.2********************************************************************#aclnumber2010rule0permitsource192.168.20.00.0.0.255rule1permitsource192.168.60.00.0.0.255rule2permitsource192.168.90.00.0.0.255aclnumber2020rule0permitsource192.168.30.00.0.0.255rule1permitsource192.168.50.00.0.0.255rule2permitsource192.168.70.00.0.0.255aclnumber3060rule10permitipsource192.168.30.00.0.0.255destination192.168.50.00.0.0.255rule20permitipsource192.168.30.00.0.0.255destination192.168.90.00.0.0.255rule50permitipsource192.168.50.00.0.0.255destination192.168.30.00.0.0.255rule60permitipsource192.168.50.00.0.0.255destination192.168.90.00.0.0.255rule70permitipsource192.168.90.00.0.0.255destination192.168.30.00.0.0.255rule80permitipsource192.168.90.00.0.0.255destination192.168.50.00.0.0.255*************在30,50,90三个网段之间做隔离,使他们不能互相访问,但都能访问其他的地址,由于h3c的三层交换机(这里的型号是s5510)可以实现单向访问,以此每一条都得建立2条规则来匹配如30--90网段,90---30网段.因为是作用在trunk口上的,因此源地址无法确定****************************************interfaceNULL0#interfaceVlan-interface1ipaddress192.168.10.1255.255.255.0#interfaceVlan-interface20ipaddress192.168.20.254255.255.255.0#interfaceVlan-interface23ipaddress10.1.1.1255.255.255.0interfaceVlan-interface24ipaddress10.1.2.1255.255.255.0#interfaceVlan-interface30ipaddress192.168.30.254255.255.255.0#interfaceVlan-interface40ipaddress192.168.40.254255.255.255.0#interfaceVlan-interface50ipaddress192.168.50.254255.255.255.0#interfaceVlan-interface60ipaddress192.168.60.254255.255.255.0#interfaceVlan-interface70ipaddress192.168.70.254255.255.255.0#interfaceVlan-interface80ipaddress192.168.80.254255.255.255.0#interfaceVlan-interface90ipaddress192.168.90.254255.255.255.0interfaceGigabitEthernet1/0/1portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/2portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/3portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/4portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/5portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/6portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/7portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound#interfaceGigabitEthernet1/0/8portlink-typetrunkporttrunkpermitvlanallqosapplypolicyh3cinbound************在8个trunk口上绑定qos策略**************************888#interfaceGigabitEthernet1/0/9portaccessvlan20#interfaceGigabitEthernet1/0/10portaccessvlan20interfaceGigabitEthernet1/0/11portaccessvlan20#interfaceGigabitEthernet1/0/12portaccessvlan20#interfaceGigabitEthernet1/0/13portaccessvlan20#interfaceGigabitEthernet1/0/14portaccessvlan20#interfaceGigabitEthernet1/0/15portaccessvlan20#interfaceGigabitEthernet1/0/16portaccessvlan20#interfaceGigabitEthernet1/0/17portaccessvlan20#interfaceGigabitEthernet1/0/18portaccessvlan20#interfaceGigabitEthernet1/0/19portaccessvlan100speed100#interfaceGigabitEthernet1/0/20portaccessvlan100speed100#interfaceGigabitEthernet1/0/21portaccessvlan100speed100#interfaceGigabitEthernet1/0/22portaccessvlan100#interfaceGigabitEthernet1/0/23portaccessvlan23speed100duplexfull#int