This article describes in detail which techniques to apply and how to configure routing policies on switches. I believe this article will help you.
Routing policy application 1: the network topology
The office network uses the 172 address block. Its core switch is S85-1, and NE-1 performs NAT out to the China Netcom internet outlet. The dormitory area uses the 10 address block. Its core switch is S85-2, and NE-2 performs NAT out to the China Telecom internet outlet. The server sits under S85-1 with an address in the 172 block, and hosts in the dormitory 10 block need to reach it.
Routing policy application 2: application requirements and implementation analysis
Application requirements:
The China Netcom and China Telecom outlets are both MB, but the number of users in the dormitory area is far larger than in the office area. Some dormitory users must therefore be diverted to the internet through the China Netcom outlet.
Implementation analysis:
The requirement looks simple: use policy routing so that part of the dormitory traffic is sent to S85-1 and goes online through NE-1. A closer look at the concrete implementation, however, raises several points to consider.
1. Policy routing on the S8500 can only be applied in the inbound direction of a port. The policy route must therefore be applied to every inbound port that serves the network segment in question.
2. The traffic that policy routing acts on is defined and distinguished by an ACL, and that ACL is defined on the source IP address:
acl number 2000
 rule 0 permit ip source 10.1.1.0 0.20.255.255
Policy routing has the highest priority. With the ACL above, traffic from the 10 block to another host in the 10 block also matches the policy route first: it is sent to the next hop S85-1, S85-1 looks up its own routing table and sends it back to S85-2, and only then does it reach the target host. Every such packet takes two extra hops, out and back.
3. One idea is to modify the ACL so that traffic with a source in the 10 block and a destination in the 10 block is excluded from policy routing:
acl number 2000
 rule 0 deny ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255
 rule 1 permit ip source 10.1.1.0 0.20.255.255
However, an ACL rule referenced by a policy route cannot be a deny rule, so this does not work.
Is the only option, then, to accept that 10-block hosts reach other 10-block hosts with two extra hops?...... Of course not!
Routing policy application 3: the solution
Policy routing on the S8500 switch is implemented in hardware; otherwise the CPU of a packet-forwarding switch like the S8500 could not keep up with that volume of forwarding. Because policy routing and the ACLs applied to a port are both programmed into hardware, there is a matching-order question. If traffic with a source in the 10 block and a destination in the 10 block is matched by another ACL entry first and forwarded normally, it never reaches the policy route, and the problem above is solved.
The configuration is as follows:
Write ACL 3000 to permit traffic from the source 10 block to the destination 10 block:
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255
Write ACL 2000 to permit traffic from the source 10 block (this is the ACL used by the policy route):
acl number 2000
 rule 0 permit ip source 10.1.1.0 0.20.255.255
Apply the rules on the port:
interface GigabitEthernet0/1/4
 packet-filter inbound ip-group 3000
 traffic-redirect inbound ip-group 2000 next-hop 10.1.2.10
Pay attention to the order in which the rules are applied on the port. The S8500 matches the ACL rules on a port in the order they were applied, so ACL 3000 must be applied first and the policy routing afterwards. When a host in the 10.1.1.0 segment behind port G0/1/4 accesses another host in the 10 block, the packet first matches ACL 3000, whose rule is permit, so it is forwarded normally by routing-table lookup. When the destination is not in the 10 block, the packet does not match ACL 3000, matches the policy route instead, and its next hop becomes S85-1.
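To make the ordering argument concrete, the following is an added model (written for this article, not code from the original page or from the switch vendor) of first-match ACL processing on an ingress port. It reuses the article's ACL numbers, wildcard masks and next hop, and models the two facts the text relies on: a packet-filter permit hit ends processing with a normal routing-table lookup, and a traffic-redirect ACL may not contain deny rules. The hosts 10.1.1.5, 10.0.3.7, 172.16.1.1 and 203.0.113.5 are constructed sample addresses; the port-entry representation is this model's own, not the S8500's internal format.

```python
"""Model of first-match ACL processing on an S8500-style ingress port.

Constructed example for this article; the data structures are assumptions,
not the switch's real implementation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """H3C/Cisco-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"    # match any source by default
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"    # match any destination by default

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def acl_hit(rules: Tuple[Rule, ...], src: str, dst: str) -> Optional[str]:
    """Action of the first rule that matches, or None if no rule matches."""
    for r in rules:
        if r.matches(src, dst):
            return r.action
    return None


@dataclass(frozen=True)
class PortEntry:
    kind: str                          # "packet-filter" or "traffic-redirect"
    acl: Tuple[Rule, ...]
    next_hop: Optional[str] = None     # only meaningful for traffic-redirect


def forward(port: Tuple[PortEntry, ...], src: str, dst: str) -> str:
    """Decide how a packet entering the port is handled.

    Entries are evaluated in the order they were applied to the port; the
    first entry whose ACL matches decides the outcome. A packet that matches
    nothing is forwarded by a normal routing-table lookup.
    """
    for entry in port:
        if entry.kind == "traffic-redirect" and any(r.action == "deny" for r in entry.acl):
            # The article's point 3: a policy route cannot reference a deny rule.
            raise ValueError("traffic-redirect ACL must not contain deny rules")
        action = acl_hit(entry.acl, src, dst)
        if action is None:
            continue
        if entry.kind == "packet-filter":
            return "route-table" if action == "permit" else "drop"
        return f"next-hop {entry.next_hop}"
    return "route-table"


# ACLs exactly as given in the article.
ACL3000 = (Rule("permit", "10.1.1.0", "0.20.255.255", "10.0.0.0", "0.20.255.255"),)
ACL2000 = (Rule("permit", "10.1.1.0", "0.20.255.255"),)

# Correct order: packet-filter first, then the policy route.
FIXED_PORT = (
    PortEntry("packet-filter", ACL3000),
    PortEntry("traffic-redirect", ACL2000, next_hop="10.1.2.10"),
)
# Policy route alone (the article's point 2): 10-to-10 traffic detours via S85-1.
NAIVE_PORT = (PortEntry("traffic-redirect", ACL2000, next_hop="10.1.2.10"),)
# Same two entries applied in the wrong order: the redirect wins again.
REVERSED_PORT = (FIXED_PORT[1], FIXED_PORT[0])


if __name__ == "__main__":
    for name, port in (("naive", NAIVE_PORT), ("fixed", FIXED_PORT), ("reversed", REVERSED_PORT)):
        print(name, "10.1.1.5 -> 10.0.3.7   :", forward(port, "10.1.1.5", "10.0.3.7"))
        print(name, "10.1.1.5 -> 203.0.113.5:", forward(port, "10.1.1.5", "203.0.113.5"))
```

Running it shows that only the fixed order keeps dormitory-to-dormitory traffic on the normal routing table while still redirecting internet-bound traffic to 10.1.2.10; the wildcard masks are taken from the article unchanged, so the match is exactly as permissive as the configuration shown above.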