Policy Routing case (3): vswitch Policy Routing

Source: Internet
Author: User

 

User requirements are as follows:

VLAN10 and VLAN11 cannot communicate with each other, but both can access the servers in VLAN12.

VLAN10 can only access the Internet through RT5, and VLAN11 can only access the Internet through RT6.

VLAN12 cannot access the Internet.

 

Steps for Configuration:

1. Basic configuration (SW1, RT5, RT6)

2. Peering between the border routers and SW1 (static routes on RT5 and RT6)

3. Policy routing on SW1

4. Internet peering on the border routers (default routes) and NAT

5. Business access control (VLAN10 and VLAN11 cannot communicate with each other)

6. Network-wide testing and troubleshooting

 

Basic Configuration:

SW1> en
SW1# vlan database
SW1(vlan)# vtp transparent
SW1(vlan)# vlan 10
SW1(vlan)# vlan 11
SW1(vlan)# vlan 12 // add the three VLANs to the VLAN database
SW1(vlan)# exit
SW1# config t
SW1(config)# int vlan 10
SW1(config-if)# ip add 192.168.10.1 255.255.255.0
SW1(config-if)# no shut
SW1(config-if)# int vlan 11
SW1(config-if)# ip add 192.168.11.1 255.255.255.0
SW1(config-if)# no shut
SW1(config-if)# int vlan 12
SW1(config-if)# ip add 192.168.12.1 255.255.255.0
SW1(config-if)# no shut
SW1(config-if)# int f1/10
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# int f1/11
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 11
SW1(config-if)# int f1/12
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 12
SW1(config-if)# int f1/1
SW1(config-if)# no switchport // routed port towards RT5
SW1(config-if)# ip add 192.168.1.1 255.255.255.252
SW1(config-if)# no shut
SW1(config-if)# int f1/2
SW1(config-if)# no switchport // routed port towards RT6
SW1(config-if)# ip add 192.168.1.5 255.255.255.252
SW1(config-if)# no shut
SW1(config-if)# exit
SW1(config)# ip routing
SW1(config)# ip route 192.168.0.0 255.255.0.0 null 0 // black-hole route; SW1 has no default route, so traffic that is not policy routed (VLAN12) cannot reach the Internet
// Classify VLAN10 traffic
SW1(config)# access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 // keep VLAN10 intranet traffic out of the policy route
SW1(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 any // everything else from VLAN10 is Internet traffic
// Classify VLAN11 traffic
SW1(config)# access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255 // keep VLAN11 intranet traffic out of the policy route
SW1(config)# access-list 102 permit ip 192.168.11.0 0.0.0.255 any // everything else from VLAN11 is Internet traffic
// Access control between VLAN10 and VLAN11
SW1(config)# access-list 103 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 // VLAN10 and VLAN11 cannot communicate with each other
SW1(config)# access-list 103 permit ip any any // allow VLAN10 to reach everything else
SW1(config)# route-map RT5 permit 10 // route-map that sends Internet traffic through RT5
SW1(config-route-map)# match ip address 101 // traffic permitted by ACL 101 is policy routed; traffic denied by it falls back to the routing table
SW1(config-route-map)# set ip next-hop 192.168.1.2 // next hop for matching traffic (RT5 f2/0)
SW1(config-route-map)# exit
SW1(config)# route-map RT6 permit 10 // route-map that sends Internet traffic through RT6
SW1(config-route-map)# match ip address 102
SW1(config-route-map)# set ip next-hop 192.168.1.6 // next hop for matching traffic (RT6 f2/0)
SW1(config-route-map)# exit
SW1(config)# int vlan 10
SW1(config-if)# ip policy route-map RT5 // bind the route-map to the VLAN10 SVI
SW1(config-if)# ip access-group 103 in // apply the access list inbound on VLAN10
SW1(config-if)# int vlan 11
SW1(config-if)# ip policy route-map RT6 // bind the route-map to the VLAN11 SVI
SW1(config-if)# exit

RT5(config)# int f2/0
RT5(config-if)# ip add 192.168.1.2 255.255.255.252 // link to SW1 f1/1
RT5(config-if)# no shut
RT5(config-if)# int f1/0
RT5(config-if)# ip add 202.202.1.2 255.255.255.252 // link to the Internet
RT5(config-if)# no shut
RT5(config-if)# exit
RT5(config)# ip route 0.0.0.0 0.0.0.0 202.202.1.1 // default route to the public network
RT5(config)# ip route 192.168.0.0 255.255.0.0 192.168.1.1 // route back to the internal network via SW1
RT5(config)# access-list 10 permit 192.168.10.0 0.0.0.255 // only VLAN10 is translated
RT5(config)# int f2/0
RT5(config-if)# ip nat inside // f2/0 faces the intranet: NAT inside interface
RT5(config-if)# int f1/0
RT5(config-if)# ip nat outside // f1/0 faces the Internet: NAT outside interface
RT5(config-if)# exit
RT5(config)# ip nat inside source list 10 int f1/0 overload // PAT behind the f1/0 address

RT6(config)# int f2/0
RT6(config-if)# ip add 192.168.1.6 255.255.255.252 // link to SW1 f1/2
RT6(config-if)# no shut
RT6(config-if)# int f1/0
RT6(config-if)# ip add 202.202.2.2 255.255.255.252 // link to the Internet
RT6(config-if)# no shut
RT6(config-if)# exit
RT6(config)# ip route 0.0.0.0 0.0.0.0 202.202.2.1 // default route to the public network
RT6(config)# ip route 192.168.0.0 255.255.0.0 192.168.1.5 // route back to the internal network via SW1
RT6(config)# access-list 10 permit 192.168.11.0 0.0.0.255 // only VLAN11 is translated
RT6(config)# int f2/0
RT6(config-if)# ip nat inside // f2/0 faces the intranet: NAT inside interface
RT6(config-if)# int f1/0
RT6(config-if)# ip nat outside // f1/0 faces the Internet: NAT outside interface
RT6(config-if)# exit
RT6(config)# ip nat inside source list 10 int f1/0 overload // PAT behind the f1/0 address
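To check that the SW1 configuration above actually satisfies the three requirements, here is an added Python model of SW1's forwarding decision (example code, not from the original post): Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, the route-map rule that a packet denied by the match ACL falls back to normal routing, and SW1's routing table with its black-hole route and no default route. The ACL entries, SVI bindings and routes are transcribed from the configuration; the interface labels in the results are constructed.

```python
import ipaddress

# Constructed model of SW1's policy, transcribed from the configuration above.
# ACL entries: (action, src, src_wildcard, dst, dst_wildcard); "any" = 0.0.0.0/255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    101: [("deny", "192.168.10.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
          ("permit", "192.168.10.0", "0.0.0.255", *ANY)],
    102: [("deny", "192.168.11.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
          ("permit", "192.168.11.0", "0.0.0.255", *ANY)],
    103: [("deny", "192.168.10.0", "0.0.0.255", "192.168.11.0", "0.0.0.255"),
          ("permit", *ANY, *ANY)],
}
# Per-SVI settings: (inbound ACL, policy route-map as (match ACL, next hop)).
SVI = {"Vlan10": (103, (101, "192.168.1.2")),
       "Vlan11": (None, (102, "192.168.1.6")),
       "Vlan12": (None, None)}
# SW1 routing table: connected /24s and /30s plus the black-hole /16; no default route.
ROUTES = [(ipaddress.ip_network(n), nh) for n, nh in [
    ("192.168.10.0/24", "connected Vlan10"), ("192.168.11.0/24", "connected Vlan11"),
    ("192.168.12.0/24", "connected Vlan12"), ("192.168.1.0/30", "connected f1/1"),
    ("192.168.1.4/30", "connected f1/2"), ("192.168.0.0/16", "Null0")]]

def wildcard_match(ip, net, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are don't-care bits."""
    ip, net, wc = (int(ipaddress.ip_address(x)) for x in (ip, net, wildcard))
    return (ip ^ net) & ~wc & 0xFFFFFFFF == 0

def acl_action(acl_id, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, sw, d, dw in ACLS[acl_id]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def forward(ingress, src, dst):
    """Return where SW1 sends a packet that arrives on an SVI, in IOS evaluation order."""
    acl_in, policy = SVI[ingress]
    if acl_in is not None and acl_action(acl_in, src, dst) == "deny":
        return f"dropped by ACL {acl_in}"
    # Only traffic *permitted* by the route-map's match ACL is policy routed; a deny
    # in that ACL means "not matched", so the packet falls through to the routing table.
    if policy and acl_action(policy[0], src, dst) == "permit":
        return f"policy routed to {policy[1]}"
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else "no route (dropped)"
```

Note that forward("Vlan11", "192.168.11.100", "192.168.10.100") returns "connected Vlan10": ACL 103 is bound inbound on VLAN10 only, so a session initiated from VLAN11 is stopped on its return leg rather than at ingress.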

 

Test process:

VPCS 1> ping 202.202.1.2
202.202.1.2 icmp_seq=1 time=130.000 ms
202.202.1.2 icmp_seq=2 time=46.000 ms
202.202.1.2 icmp_seq=3 time=67.000 ms
202.202.1.2 icmp_seq=4 time=63.000 ms
202.202.1.2 icmp_seq=5 time=105.000 ms

SW1 debug output:
* Mar 1 00:44:57.915: IP: tableid=0, s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), routed via FIB
* Mar 1 00:44:57.919: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2, len 84, policy match
* Mar 1 00:44:57.923: IP: route map RT5, item 10, permit
* Mar 1 00:44:57.923: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), len 84, policy routed
* Mar 1 00:44:57.927: IP: Vlan10 to FastEthernet1/1 192.168.1.2
* Mar 1 00:44:57.931: IP: s=192.168.10.100 (Vlan10), d=202.202.1.2 (FastEthernet1/1), g=192.168.1.2, len 84, forward
* Mar 1 00:44:58.027: IP: tableid=0, s=202.202.1.2 (FastEthernet1/1), d=192.168.10.100 (Vlan10), routed via FIB
* Mar 1 00:44:58.031: IP: s=202.202.1.2 (FastEthernet1/1), d=192.168.10.100 (Vlan10), g=192.168.10.100, len 84, forward

VPCS 2> ping 202.202.2.2
202.202.2.2 icmp_seq=1 time=61.000 ms
202.202.2.2 icmp_seq=2 time=77.000 ms
202.202.2.2 icmp_seq=3 time=84.000 ms
202.202.2.2 icmp_seq=4 time=103.000 ms
202.202.2.2 icmp_seq=5 time=37.000 ms

SW1 debug output:
* Mar 1 00:45:56.839: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
* Mar 1 00:45:56.839: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
* Mar 1 00:45:57.819: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
* Mar 1 00:45:57.823: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
* Mar 1 00:45:58.807: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
* Mar 1 00:45:58.811: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84,
* Mar 1 00:45:59.847: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
* Mar 1 00:45:59.851: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward
* Mar 1 00:46:00.827: IP: tableid=0, s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/1), routed via FIB
* Mar 1 00:46:00.831: IP: s=192.168.11.100 (Vlan11), d=202.202.2.2 (FastEthernet1/2), g=192.168.1.6, len 84, forward

 

Experiment summary:

Access to the Internet from 192.168.10.100:

192.168.10.100 delivers the packet to the VLAN10 SVI of SW1, 192.168.10.1. Because a policy route is bound to the VLAN10 SVI with the next hop set to 192.168.1.2, traffic from VLAN10 matches the policy route and is sent to 192.168.1.2. RT5 then performs NAT, translating the 192.168.10.0/24 source address to the F1/0 address 202.202.1.2, records the translation in the NAT table and sends the packet to the Internet. The response arrives on F1/0 and is matched against the NAT table to recover the intranet address; RT5 then looks up the route and forwards the packet out of F2/0, and it is finally delivered to the target host.

 

This article is from the "Mortal World" blog
