This article analyses switch policy routing on the S8500, starting from the user's requirements. It has three parts: 1. network topology; 2. application requirements and implementation analysis; 3. the switch policy-routing solution. Along the way it covers a number of useful points.
I. Network Topology
The office network uses the 172 address segment; its core switch is S85-1, and NE-1 performs NAT and reaches the Internet over the China Netcom link. The dormitory area uses the 10 address segment; its core switch is S85-2, and NE-2 performs NAT and reaches the Internet over the China Telecom link. The server sits below S85-1 with an address in the 172 segment, and hosts in the dormitory 10 segment access it.
II. Application Requirements and Implementation Analysis
Application requirements: because both the China Netcom and the China Telecom uplinks are MB links and the dormitory area has far more users than the office area, some dormitory users need to access the Internet through the China Netcom uplink. Implementation analysis: the requirement looks simple: use policy routing so that the Internet-bound traffic of some users takes S85-1 as its next hop and leaves through NE-1. On closer analysis of the specific implementation, however, there are several things to consider.
◆ Policy routing on the S8500 can only be applied in the inbound direction of a port. The policy route must therefore be applied to every inbound port on which the chosen network segment arrives.
◆ The traffic to which the policy route applies is defined by an ACL, and the ACL is defined using the source IP address:
acl number 2000
rule 0 permit ip source 10.1.1.0 0.20.255.255
Policy routing has the highest priority. With the ACL above, traffic from the 10 segment to the 10 segment also matches the policy route, so its next hop becomes S85-1; S85-1 then matches its own routing table and sends the packet back to S85-2, which finally delivers it to the target host. Every such packet takes two extra hops, out and back.
◆ One idea is to modify the ACL so that traffic with source IP in the 10 segment and destination IP in the 10 segment is denied, and the policy route applies only to the remaining traffic from the 10 segment:
acl number 2000
rule 0 deny ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255
rule 1 permit ip source 10.1.1.0 0.20.255.255
However, the ACL rules referenced by a policy route are not allowed to be deny rules. Is letting 10-segment-to-10-segment traffic take two extra hops really the only option? Of course not!
III. Solution
Policy routing on the S8500 is implemented in hardware; otherwise the CPU of a packet-by-packet forwarding switch like the S8500 could not cope with such a forwarding load. Because policy routing, like the ACLs issued to a port, is processed in hardware, the order in which rules are matched matters. If traffic with source IP in the 10 segment and destination IP in the 10 segment matches another ACL first and is forwarded normally, without ever matching the policy-route ACL, the problem above is solved.
The switch policy-routing configuration is as follows:
Write ACL 3000 to permit traffic with source IP in the 10 segment and destination IP in the 10 segment:
acl number 3000
rule 0 permit ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255
Write ACL 2000 to permit traffic with source IP in the 10 segment; this is the ACL the policy route uses:
acl number 2000
rule 0 permit ip source 10.1.1.0 0.20.255.255
Issue the rules on the port:
interface GigabitEthernet0/1/4
packet-filter inbound ip-group 3000
traffic-redirect inbound ip-group 2000 next-hop 10.1.2.10
Pay attention to the order in which the rules are issued on the port. For the ACL rules of S8500 policy routing, the first rule issued is the first matched, so ACL 3000 must be issued before the policy route. When a host in the 10.1.1.0 segment reaches a host in the 10 segment through port G0/1/4, the packet first matches ACL 3000; since that rule is permit, the packet is forwarded by the normal routing-table lookup. When the destination is not in the 10 segment, the packet instead matches the policy route and its next hop becomes S85-1.
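As an added worked example (not part of the original article and not vendor code), the following Python model reproduces the first-match evaluation described in sections II and III: wildcard-mask ACL matching, the packet-filter entry for ACL 3000 being checked before the traffic-redirect entry for ACL 2000, and what happens to 10-to-10 traffic when the two entries are issued in the wrong order. The ACL numbers, addresses and wildcard masks are copied from the page as written; the sample host addresses and the two-stage evaluation model itself are assumptions for illustration, not a description of S8500 hardware internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard marks as 'compare' (0 bit).

    In a wildcard mask a 1 bit means 'do not compare'. The masks below are taken
    from the page verbatim, so they are applied bit-by-bit rather than as prefixes.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None   # no destination clause = match any destination
    dst_wc: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if not wildcard_match(src_ip, self.src, self.src_wc):
            return False
        if self.dst is None:
            return True
        return wildcard_match(dst_ip, self.dst, self.dst_wc)


def acl_lookup(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the action of the first matching rule, or None when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return None


# ACL definitions copied from the page.
ACL_3000 = [Rule("permit", "10.1.1.0", "0.20.255.255", "10.0.0.0", "0.20.255.255")]
ACL_2000 = [Rule("permit", "10.1.1.0", "0.20.255.255")]

# Inbound entries on GigabitEthernet0/1/4 in the order the page issues them:
# (entry kind, ACL referenced, next hop for traffic-redirect).
PORT_G0_1_4: List[Tuple[str, List[Rule], Optional[str]]] = [
    ("packet-filter", ACL_3000, None),
    ("traffic-redirect", ACL_2000, "10.1.2.10"),
]


def forwarding_decision(port_entries, src_ip: str, dst_ip: str) -> str:
    """Walk the port's inbound entries in issue order; the first ACL hit decides.

    Assumed model (matches the page's explanation, not a hardware spec):
    a packet-filter hit with permit means normal routing-table forwarding,
    a traffic-redirect hit overrides the next hop, and no hit at all also
    falls through to the routing table.
    """
    for kind, acl, next_hop in port_entries:
        action = acl_lookup(acl, src_ip, dst_ip)
        if action is None:
            continue
        if kind == "packet-filter":
            return "drop" if action == "deny" else "route-table"
        if kind == "traffic-redirect":
            return f"redirect:{next_hop}"
    return "route-table"


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 is a documentation address standing in for the Internet.
    cases = [
        ("10.1.1.25", "10.0.0.5"),      # dormitory host to dormitory host
        ("10.1.1.25", "203.0.113.9"),   # dormitory host to the Internet
        ("172.16.0.5", "10.0.0.5"),     # office host, not covered by either ACL
    ]
    for src, dst in cases:
        print(f"{src} -> {dst}: correct order {forwarding_decision(PORT_G0_1_4, src, dst)}, "
              f"reversed order {forwarding_decision(list(reversed(PORT_G0_1_4)), src, dst)}")
```

Running the model shows the point of the article: with ACL 3000 issued first, 10-to-10 traffic stays on the routing table while Internet-bound traffic from the same hosts is redirected to 10.1.2.10; with the entries reversed, the 10-to-10 traffic is redirected as well and takes the two extra hops.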