Policy routing notes on the Huawei Quidway S8508 switch

Source: Internet
Author: User


The general situation: the network has several user VLANs and three Internet egress points. A policy route is configured on the core switch so that the core switch forwards each packet to one of the three egress firewalls according to a pre-configured ACL flow match. The configuration steps are as follows:

I. Network Description

Device management address:
Core switch: Model Quidway S8508, IP address 192.168.0.254 (vlan1)
Floor switch: Model: Quidway 3600-28TP-SI, IP address 192.168.0.20-192.168.0.28 (vlan1)

Intranet VLAN and IP Address:
192.168.0.0/24, vlan1, server and user A segment IP
192.168.1.0/24, vlan2, user B segment IP
192.168.2.0/24, vlan3, user C segment IP
192.168.3.0/24, vlan4, user D segment IP
10.8.0.0/24, vlan5, user E segment IP

Intranet IP addresses of the three egress devices:
Internet 1 egress firewall Intranet IP Address: 192.168.0.11, core switch port: inter gig 3/3/1
Internet 2 egress firewall Intranet IP Address: 192.168.0.12, core switch port: inter gig 3/3/2
Internet 3 egress firewall Intranet IP Address: 192.168.0.13, core switch port: inter gig 3/3/3

Distribution:
Building A: core switch port: inter gig 6/1/1, with vlan: vlan1, vlan3, and vlan5
Building B: core switch port: inter gig 6/1/2, with vlan: vlan1, vlan4, and vlan5
Building C: core switch port: inter gig 6/1/3, with vlan: vlan1, vlan2, vlan4, and vlan5
Building D: core switch port: inter gig 6/1/4, with vlan: vlan1, vlan2, vlan3, and vlan5
Network Center Server group: core switch port: inter gig 3/1/1, with vlan: vlan1

Network Topology: (diagram not reproduced in this copy)

II. Functions

1. When users in vlan1, vlan2, and vlan3 of buildings A, B, C, and D access the Internet, they exit via Internet 1, that is, port gig 3/3/1 of the core switch.
2. When the vlan4 user computers in these buildings access the network, they exit from Internet 2.
3. When the user computers in the vlan5 of these buildings access the network, they exit from Internet 3.
4. All VLANs can reach the server group segment in vlan1.

III. Configuration steps

Idea: first build an ordinary layer-3 network and use a default route on the core switch to send all packets arriving from the building switches to 192.168.0.11, the Internet 1 exit. Then use the traffic-redirect function of the core switch on each building port to match a source-address ACL flow and send the packets of vlan4 and vlan5 to 192.168.0.12 (Internet 2) or 192.168.0.13 (Internet 3) instead.

1. Build the layer-3 network on the core and configure the switches of each building (skipped here). Then add a default route on the core switch so that all packets leave through the Internet 1 exit:

ip route-static 0.0.0.0 0.0.0.0 192.168.0.11 preference 60

2. Because traffic-redirect applied on a building port sends matching packets straight to the intranet address of the Internet firewall, vlan4 and vlan5 would be unable to reach the server group in vlan1. Therefore we first apply an ACL on the port that matches traffic to the server segment.

Create an ACL:

[Center] acl number 3001
[Center-acl number 3001] rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[Center-acl number 3001] rule 1 permit ip source 10.8.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255

Apply it on the building A port:

[Center] inter gig 6/1/1
[Center-GigabitEthernet6/1/1] packet-filter inbound ip-group 3001

The other building ports are configured in the same way (skipped here). Port gig 3/1/1 carries only vlan1, so no policy routing is required there. Note that the packet-filter ACL rules must be issued first and the traffic-redirect rules afterwards: the rules take effect in the order they are issued, so the intranet access rules are matched first.

3. Configure policy routing on the core switch ports connecting to the building switches

Create an ACL flow-matching rule for vlan4:

[Center] acl number 3002
[Center-acl number 3002] rule 0 permit ip source 192.168.3.0 0.0.0.255

Create an ACL flow-matching rule for vlan5:

[Center] acl number 3003
[Center-acl number 3003] rule 0 permit ip source 10.8.0.0 0.0.0.255

Issue the next-hop redirect for vlan4 on the building A port:

[Center] inter gig 6/1/1
[Center-GigabitEthernet6/1/1] traffic-redirect inbound ip-group 3002 next-hop 192.168.0.12

Issue the next-hop redirect for vlan5 on the building A port:

[Center] inter gig 6/1/1
[Center-GigabitEthernet6/1/1] traffic-redirect inbound ip-group 3003 next-hop 192.168.0.13

After this configuration, vlan1 and vlan3 on the building A port still leave through the core switch's default route to 192.168.0.11 (Internet 1). When a packet with a source address in 192.168.3.0/24 enters a building-facing port of the core switch, it matches the source-address rule of ACL 3002 and is redirected to the Internet 2 exit at 192.168.0.12. Likewise, a packet with a source address in 10.8.0.0/24 entering such a port is sent to the next hop 192.168.0.13, the Internet 3 exit.
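To check the matching logic of this policy before loading it, here is a small Python model of the rule order described above. It is an added example, not part of the article or of Huawei's software: it implements Huawei wildcard-mask matching, evaluates the packet-filter permit first and the two traffic-redirect entries afterwards, and falls back to ordinary routing. It assumes, as the article describes, that a permit hit in the packet-filter ACL hands the packet to normal routing, and the packets it evaluates are constructed.

```python
import ipaddress

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

# The three ACLs from the article: (src_net, src_wildcard, dst_net, dst_wildcard); None = any.
ACLS = {
    3001: [("192.168.3.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
           ("10.8.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")],
    3002: [("192.168.3.0", "0.0.0.255", None, None)],
    3003: [("10.8.0.0", "0.0.0.255", None, None)],
}

def acl_permits(acl_id: int, src: str, dst: str) -> bool:
    """True if any rule of the ACL matches the packet (rules are checked in order)."""
    for src_net, src_wc, dst_net, dst_wc in ACLS[acl_id]:
        if wildcard_match(src, src_net, src_wc) and (dst_net is None or wildcard_match(dst, dst_net, dst_wc)):
            return True
    return False

# Inbound policy of a building port, in the order the article issues it.
BUILDING_PORT = [
    ("packet-filter", 3001, None),               # permit: hand over to normal routing
    ("traffic-redirect", 3002, "192.168.0.12"),  # vlan4 -> Internet 2 firewall
    ("traffic-redirect", 3003, "192.168.0.13"),  # vlan5 -> Internet 3 firewall
]
# Directly connected VLAN segments and the default route from the article.
CONNECTED = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "10.8.0.0/24"]
DEFAULT_NEXT_HOP = "192.168.0.11"                # Internet 1 firewall

def route_lookup(dst: str) -> str:
    """Ordinary routing: deliver on a connected segment, otherwise use the default route."""
    for net in CONNECTED:
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
            return "connected " + net
    return DEFAULT_NEXT_HOP

def forward(src: str, dst: str, policy=BUILDING_PORT) -> str:
    """Decide where a packet entering a building port goes: the first matching entry wins."""
    for action, acl_id, hop in policy:
        if acl_permits(acl_id, src, dst):
            return route_lookup(dst) if action == "packet-filter" else hop
    return route_lookup(dst)

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 stands in for any Internet host.
    for src, dst in [("192.168.1.10", "203.0.113.9"), ("192.168.3.10", "203.0.113.9"),
                     ("10.8.0.10", "203.0.113.9"), ("10.8.0.10", "192.168.0.5")]:
        print(src, "->", dst, ":", forward(src, dst))
    # Issuing the redirects before the packet-filter breaks server-group access for vlan4/vlan5.
    misordered = BUILDING_PORT[1:] + BUILDING_PORT[:1]
    print("misordered vlan5 -> server:", forward("10.8.0.10", "192.168.0.5", misordered))
```

Swapping the policy order in `misordered` reproduces the failure the article warns about: vlan5 traffic for the server group is sent to the Internet 3 firewall instead of being delivered on vlan1.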

The complete configuration of the core switch is attached:

#
sysname center
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain

domain system
radius-scheme system
access-limit disable
state active
idle-cut disable
self-service-url disable

domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
xbar load-single
#
temperature-limit 3 10 65
temperature-limit 4 10 50
temperature-limit 5 10 50
temperature-limit 6 10 65
#
dot1x
#
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 1 permit ip source 10.8.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
acl number 3002
rule 0 permit ip source 192.168.3.0 0.0.0.255
acl number 3003
rule 0 permit ip source 10.8.0.0 0.0.0.255
#
vlan 1
description bangong_and_server
#
vlan 2
description user_a
#
vlan 3
description user_b
#
vlan 4
description user_c
#
vlan 5
description user_d
#
interface Vlan-interface1
description bangong_and_server
ip address 192.168.0.254 255.255.255.0
#
interface Vlan-interface2
description user_a
ip address 192.168.1.254 255.255.255.0
#
interface Vlan-interface3
description user_b
ip address 192.168.2.254 255.255.255.0
#
interface Vlan-interface4
description user_c
ip address 192.168.3.254 255.255.255.0
#
interface Vlan-interface5
description user_d
ip address 10.8.0.254 255.255.255.0
#
interface Aux4/0/1
#
interface M-Ethernet4/0/0
#
interface GigabitEthernet3/1/1
description to_server-group
#
interface GigabitEthernet3/1/2
#
interface GigabitEthernet3/1/3
#
interface GigabitEthernet3/1/4
#
interface GigabitEthernet3/2/1
#
interface GigabitEthernet3/2/2
#
interface GigabitEthernet3/2/3
#
interface GigabitEthernet3/2/4
#
interface GigabitEthernet3/3/1
description to_waiwang1
#
interface GigabitEthernet3/3/2
description to_waiwang2
#
interface GigabitEthernet3/3/3
description to_waiwang3
#
interface GigabitEthernet3/3/4
#
interface GigabitEthernet6/1/1
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3001 rule 0 system-index 1
packet-filter inbound ip-group 3001 rule 1 system-index 2
traffic-redirect inbound ip-group 3002 rule 0 system-index 3 next-hop 192.168.0.12
traffic-redirect inbound ip-group 3003 rule 0 system-index 4 next-hop 192.168.0.13
#
interface GigabitEthernet6/1/2
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3001 rule 0 system-index 5
packet-filter inbound ip-group 3001 rule 1 system-index 6
traffic-redirect inbound ip-group 3002 rule 0 system-index 7 next-hop 192.168.0.12
traffic-redirect inbound ip-group 3003 rule 0 system-index 8 next-hop 192.168.0.13
#
interface GigabitEthernet6/1/3
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3001 rule 0 system-index 9
packet-filter inbound ip-group 3001 rule 1 system-index 10
traffic-redirect inbound ip-group 3002 rule 0 system-index 11 next-hop 192.168.0.12
traffic-redirect inbound ip-group 3003 rule 0 system-index 12 next-hop 192.168.0.13
#
interface GigabitEthernet6/1/4
port link-type trunk
port trunk permit vlan all
packet-filter inbound ip-group 3001 rule 0 system-index 14
packet-filter inbound ip-group 3001 rule 1 system-index 15
traffic-redirect inbound ip-group 3002 rule 0 system-index 16 next-hop 192.168.0.12
traffic-redirect inbound ip-group 3003 rule 0 system-index 17 next-hop 192.168.0.13
#
interface GigabitEthernet6/2/1
#
interface GigabitEthernet6/2/2
#
interface GigabitEthernet6/2/3
#
interface GigabitEthernet6/2/4
#
interface GigabitEthernet6/3/1
#
interface GigabitEthernet6/3/2
#
interface GigabitEthernet6/3/3
#
interface GigabitEthernet6/3/4
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.11 preference 60
#
snmp-agent
snmp-agent local-engineid 80507DBD05757576F5DD55A46877
snmp-agent community write jsisaa
snmp-agent sys-info version all
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password simple winsaaa
#
return

Author: guanjianfeng.com/archives/740
