This article walks through a real policy-routing configuration on an S8500 switch in three steps: network topology, application requirements with implementation analysis, and the solution. Most policy-routing problems on this platform come down to how the hardware matches ACL-based rules, so it is worth understanding that basic behaviour before attempting the configuration.
I. Network Topology
The office network uses the 172 address block. Its core switch is S85-1, and NE-1 performs NAT onto the China Netcom internet link. The dormitory network uses the 10 address block; its core switch is S85-2, and NE-2 performs NAT onto the China Telecom internet link. The server sits behind S85-1 with an address in the 172 segment and is accessed by hosts in the dormitory 10 segment.
II. Application Requirements and Implementation Analysis
Application requirement: the China Netcom and China Telecom uplinks have the same bandwidth (the figure survives in the source only as "MB"), but there are far more users in the dormitory area than in the office area, so some dormitory users should reach the internet through the China Netcom uplink instead. Implementation analysis: this looks simple. Use policy routing on the switch to send those users to S85-1 as the next hop, so that they leave through NE-1. A closer look at the implementation, however, shows several things that must be considered.
On the S8500, policy routing can only be applied in the inbound direction of a port, so it must be applied on every inbound port through which the chosen network segment enters the switch. The flow that the policy-routing rule applies to is defined by an ACL. The obvious first attempt matches on source IP only:
acl number 2000
 rule 0 permit ip source 10.1.1.0 0.20.255.255
Policy routing has the highest priority on the switch. With the ACL above, traffic from the 10 block to another address in the 10 block also matches the policy-routing rule: it is sent to S85-1 as the next hop, S85-1 looks up its routing table and sends it back to S85-2, which finally delivers it to the destination host. Every such packet therefore takes two extra hops, one out and one back.
The first idea is to change the ACL so that traffic whose source and destination are both in the 10 block is excluded, and only the remaining 10-block traffic is handed to policy routing:
acl number 2000
 rule 0 deny ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255
 rule 1 permit ip source 10.1.1.0 0.20.255.255
However, an ACL referenced by policy routing on this platform cannot contain deny rules. Does that mean the only option is to accept the two extra hops for 10-block to 10-block traffic? Of course not.
III. Solution
Policy routing on the S8500 is implemented in hardware; the switch CPU could not handle that forwarding volume otherwise. Because the policy-routing rule is issued to the hardware in the same way as an ordinary ACL, the issued rules have a matching order, and the first rule that matches a packet decides what happens to it. The trick is therefore to issue a separate permit rule for traffic whose source and destination are both in the 10 block ahead of the policy-routing rule: that traffic matches the earlier rule first and never reaches the policy-routing rule at all.
Configure ACL 3000 to permit traffic from the 10 block to the 10 block:
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.20.255.255 destination 10.0.0.0 0.20.255.255
Then define ACL 2000 to permit all traffic sourced from the 10 block; this is the ACL that policy routing will reference:
acl number 2000
 rule 0 permit ip source 10.1.1.0 0.20.255.255
Issue the rules on the port (the original text has the typo "ips-group" in the second command; the keyword is ip-group):
interface GigabitEthernet0/1/4
 packet-filter inbound ip-group 3000
 traffic-redirect inbound ip-group 2000 next-hop 10.1.2.10
Pay attention to the order in which the rules are issued on the port. ACL rules on the S8500 are matched in the order they were issued, and the first match wins, so ACL 3000 must be issued before the policy-routing rule. When a host in 10.1.1.0 connected to G0/1/4 sends to another host in the 10 segment, the packet matches ACL 3000 first; since that rule is permit, the packet is forwarded by the normal routing-table lookup. When the destination is outside the 10 block, ACL 3000 does not match, the packet falls through to the policy-routing rule, and its next hop becomes S85-1 (10.1.2.10 in the configuration above). After configuring, check both cases from a dormitory host: a trace to a host in the 10 segment should not pass through S85-1, and a trace to an internet address should.
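The behaviour described in the analysis (the two extra hops when only the source-IP ACL is used) and in the solution (a permit packet-filter issued ahead of traffic-redirect shadows the redirect for 10-block to 10-block traffic) can be checked with a small model of the inbound rule evaluation. This is an added illustration, not H3C code or configuration from the article; it assumes that the hardware walks the issued actions in order and that the first action whose ACL permits the flow decides, that a packet-filter deny drops the packet, and that the whole 10 block is meant, so it uses the wildcard 0.255.255.255 instead of the 0.20.255.255 printed on the page. The host addresses 10.1.1.5, 10.1.3.7, 172.16.1.1 and the internet address 198.51.100.7 are constructed sample values.

```python
"""Model of S8500 inbound ACL-action evaluation (packet-filter, traffic-redirect).

Added illustration. Assumptions: actions are evaluated in the order they were
issued on the port, the first action whose ACL permits the flow decides,
packet-filter deny drops, and an ACL referenced by traffic-redirect may not
contain deny rules (the constraint the article states)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is don't-care (the inverse of a subnet mask)."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # no destination clause: any destination
    dst_wc: str = "255.255.255.255"

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, src: str, dst: str) -> Optional[str]:
        """First rule that matches decides; None when no rule matches."""
        for r in self.rules:
            if r.matches(src, dst):
                return r.action
        return None


@dataclass
class InboundAction:
    kind: str                        # "packet-filter" or "traffic-redirect"
    acl: Acl
    next_hop: Optional[str] = None

    def __post_init__(self) -> None:
        # The article: policy routing cannot reference an ACL with deny rules.
        if self.kind == "traffic-redirect" and any(r.action == "deny" for r in self.acl.rules):
            raise ValueError("traffic-redirect cannot reference an ACL containing deny rules")


def inbound_decision(actions: List[InboundAction], src: str, dst: str) -> str:
    """Walk the actions in issue order (assumed hardware behaviour); the first
    action whose ACL permits the flow decides what happens to the packet."""
    for act in actions:
        v = act.acl.verdict(src, dst)
        if v == "permit":
            return "route-table" if act.kind == "packet-filter" else f"redirect {act.next_hop}"
        if v == "deny" and act.kind == "packet-filter":
            return "drop"
    return "route-table"             # nothing matched: ordinary routing lookup


# ACL numbers and next hop as in the article; whole-10-block wildcard is assumed.
ACL2000 = Acl(2000, [Rule("permit", "10.1.1.0", "0.255.255.255")])
ACL3000 = Acl(3000, [Rule("permit", "10.1.1.0", "0.255.255.255", "10.0.0.0", "0.255.255.255")])

REDIRECT_ONLY = [InboundAction("traffic-redirect", ACL2000, "10.1.2.10")]      # first attempt
FILTER_FIRST = [InboundAction("packet-filter", ACL3000),                        # the solution
                InboundAction("traffic-redirect", ACL2000, "10.1.2.10")]
REDIRECT_FIRST = list(reversed(FILTER_FIRST))                                   # wrong issue order

if __name__ == "__main__":
    cases = [("redirect only", REDIRECT_ONLY), ("filter first", FILTER_FIRST),
             ("redirect first", REDIRECT_FIRST)]
    for name, actions in cases:
        for dst in ("10.1.3.7", "198.51.100.7"):          # constructed: 10-block host, internet host
            print(f"{name:15} 10.1.1.5 -> {dst:13} {inbound_decision(actions, '10.1.1.5', dst)}")
```

Running the block shows that with the redirect alone, or with the redirect issued before the filter, 10.1.1.5 to 10.1.3.7 is sent to 10.1.2.10 (the extra round trip via S85-1), while with the filter issued first it goes to the normal routing table and only the internet-bound flow is redirected. One check worth doing before issuing the real rules: evaluate the wildcard exactly as printed on the page. With 0.20.255.255, a 0 bit in the second octet must match, so the destination 10.1.3.7 does not match 10.0.0.0 0.20.255.255 at all, and ACL 3000 would not shadow that traffic; confirm the masks cover the subnets actually in use.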