Comprehensively describe the application of policy routing configuration

Source: Internet
Author: User

Knowing something about policy routing configuration is very useful, so I studied a practical application of it and share it here in the hope that it helps you. The office network uses the 172 address range; its core switch is S85-1, and NE-1 performs NAT to the internet. The dormitory area uses the 10 address range; its core switch is S85-2, and NE-2 performs NAT through the China Telecom internet link. A server with a 172 address is placed under S85-1 and must be reachable by hosts in the dormitory's 10 range.

Application requirements:

The China Netcom and China Telecom outlets are both MB, but the dormitory area has far more users than the office area, so some dormitory users must be diverted to the internet through the China Netcom outlet.

Implementation Analysis:

The requirement looks simple: use policy routing so that some users reach the internet beside S85-1, through NE-1. Looking closely at the implementation, however, there are several things to consider.

1. On the S8500, policy routing can only be applied in the inbound direction of a port. Policy routing therefore has to be applied on every inbound port that carries the chosen network segment.

2. The traffic that policy routing applies to is defined by an ACL, and that ACL matches on source IP only. Policy routing has the highest priority. With an ACL defined this way, when a host in the 10 range accesses another host in the 10 range, the packet first matches policy routing, is sent to the next hop S85-1, matches the route on S85-1 and comes back to S85-2 before reaching the target host: two extra hops on every round trip.

3. One could modify the ACL so that traffic from a source IP in the 10 range to a destination IP in the 10 range does not trigger policy routing, but an ACL rule referenced by a policy route cannot be a deny rule. Is the only option then to let 10-to-10 traffic take two extra hops? Of course not!

Solution

Policy routing on the S8500 is implemented in hardware; otherwise the CPU of a packet-forwarding switch such as the S8500 could not handle that volume of forwarding. Because a policy route is issued to the hardware in the same way as an ACL, there is a matching-order question. If traffic with a source IP in the 10 range and a destination IP in the 10 range matches another ACL first and is forwarded without ever matching the policy route, the problem above is solved.

Configure ACL 3000 as follows, permitting a source IP in the 10 range to reach a destination IP in the 10 range:

acl number 3000
 rule 0 permit ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255

Write ACL 2000, permitting any source IP in the 10 range, for the policy route:

acl number 2000
 rule 0 permit ip source 10.1.1.0 0.20.255.255

Issue the rules on the port (the original text had "ips-group" in the redirect line, which is a typo for ip-group):

interface GigabitEthernet0/1/4
 packet-filter inbound ip-group 3000
 traffic-redirect inbound ip-group 2000 next-hop 10.1.2.10

Pay attention to the order in which rules are issued on the port. On the S8500 the first matching ACL rule wins, so ACL 3000 must be issued first and the policy routing configuration after it. When a host in 10.1.1.0 accesses a host in the 10 range through port G0/1/4, the packet first matches ACL 3000; that rule is a permit, so the packet is forwarded by a normal routing-table lookup. When the destination IP is not in the 10 range, the packet instead matches the policy routing configuration and its next hop is S85-1.
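The first-match behaviour described above, as an added example that is not part of the original article: a small Python model of the port's inbound rule list, using the page's ACL 3000 and ACL 2000 definitions and Comware-style wildcard masks. The packets, the "route" and "next-hop" action labels and the rule table are constructed for illustration; the model also shows what happens if the two lines are issued in the opposite order.

```python
# Added example (not from the original article): a model of how the S8500
# evaluates inbound ACL rules in first-match order, with the page's ACLs.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware/Cisco-style wildcard: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Rules are (source, source-wildcard, destination, destination-wildcard);
# a destination of None means the rule matches any destination.
ACL_3000 = [("10.1.1.0", "0.20.255.255", "10.0.0.0", "0.20.255.255")]  # 10 -> 10
ACL_2000 = [("10.1.1.0", "0.20.255.255", None, None)]                  # any 10 source

def acl_matches(acl, src: str, dst: str) -> bool:
    for s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and (d is None or wildcard_match(dst, d, d_wc)):
            return True
    return False

# Port configuration in the order the article issues it: packet-filter with
# a permit ACL first (normal routing lookup), then traffic-redirect.
PORT_G0_1_4 = [
    ("packet-filter", ACL_3000, "route"),
    ("traffic-redirect", ACL_2000, "next-hop 10.1.2.10"),
]

def forward(port_rules, src: str, dst: str) -> str:
    """First matching rule decides; nothing matched means a normal route lookup."""
    for _kind, acl, action in port_rules:
        if acl_matches(acl, src, dst):
            return action
    return "route"

if __name__ == "__main__":
    # Constructed sample packets: dorm-to-dorm, then dorm-to-office.
    for src, dst in [("10.1.1.5", "10.0.3.7"), ("10.1.1.5", "172.16.0.9")]:
        print(src, "->", dst, ":", forward(PORT_G0_1_4, src, dst))
    # Reversed order reproduces the two-extra-hop problem from the analysis.
    print("reversed:", forward(list(reversed(PORT_G0_1_4)), "10.1.1.5", "10.0.3.7"))
```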