華爲S6720S acl+策略流控制

原創

2019-07-04 13:13

配置acl策略，3000設置允許，3001設置拒絕所有：

acl 3001
rule  deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule  deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule  deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule  deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule  deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule  deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255

acl 3000
rule  permit ip source 192.168.10.11 0
rule  permit ip source 192.168.20.222 0 destination 192.168.10.111 0

配置策略流應用到全局：

traffic classifier 3000 operator and
if-match acl 3000
q
traffic behavior 3000
traffic classifier 3001 operator and
if-match acl 3001
q
traffic behavior 3001

以上2臺核心交換機配置一樣

sw1：
traffic policy yunxu
classifier 3000 behavior 3000
classifier 3001 behavior 3001
traffic-policy yunxu global inbound

backup：
traffic policy yunxu-backup
classifier 3000 behavior 3000
classifier 3001 behavior 3001
traffic-policy yunxu-backup global inbound

設置端口組：

port-group g1-24
port-group group-member g0/0/1 to g0/0/24
port link-type trunk
port trunk allow-pass vlan all

配置端口聚合，將2臺核心交換機通過線路捆綁：

interface Eth-Trunk 1
trunkport GigabitEthernet 0/0/10 to 0/0/12
port link-type trunk
port trunk allow-pass vlan 2 to 4094

以上2臺核心交換機配置一樣

配置vrrp，防止核心交換單點故障：

[sw1] 主走vlan10 vlan20，備走vlan30 vlan40

int vlan 10
vrrp vrid 10 virtual-ip 192.168.10.100
vrrp vrid 10 priority 150
vrrp vrid 10 track interface g0/0/24 reduced 100

int vlan 20
vrrp vrid 20 virtual-ip 192.168.20.100
vrrp vrid 20 priority 150
vrrp vrid 20 track interface g0/0/24 reduced 100

int vlan 30
vrrp vrid 30 virtual-ip 192.168.30.100

int vlan 40
vrrp vrid 40 virtual-ip 192.168.40.100

[backup] 主走vlan30 vlan40，備走vlan10 vlan 20

int vlan 10
vrrp vrid 10 virtual-ip 192.168.10.100

int vlan 20
vrrp vrid 20 virtual-ip 192.168.20.100

int vlan 30
vrrp vrid 30 virtual-ip 192.168.30.100
vrrp vrid 30 priority 150
vrrp vrid 30 track interface g0/0/24 reduced 100

int vlan 40
vrrp vrid 40 virtual-ip 192.168.40.100
vrrp vrid 40 priority 150
vrrp vrid 40 track interface g0/0/24 reduced 100

注：各vlan下設備網關配置爲各自的虛擬ip。如果配置vlan ip的話當主出現故障將無法訪問外網；配置虛擬ip就算主出現故障，數據會通過備出去，不影響上網。

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

華爲S6720S acl+策略流控制

MySQL 核心模塊揭祕 | 18 期 | 鎖在內存里長什麼樣*

使用perf工具生成火焰圖

大齡程序員思考

響應式界面控件DevExtreme * 更強的數據分析和可視化功能

HttpSecurity 是如何組裝過濾器鏈的

數說海南——近6年海南各市縣人口簡單看

長序列中Transformers的高級注意力機制總結

WebStorm 創建 Vue 項目

keepalived 高可用安裝配置

記錄歷史操作命令history

docker容器連接

openstack 徹底刪除nova節點

huawei ipsec v p n

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結