Yesterday I went to a customer site to set up H3C equipment. The customer wanted inter-VLAN access control and policy-based routing. I assumed it would be a simple job, but once there I found it was not what I had imagined. I did not expect H3C to make inter-VLAN access control so cumbersome. On Cisco, controlling a data flow is just a matter of writing one access list whose entries define the action (deny or permit) and applying that list directly to an interface. H3C is not that simple. My summary of the overall H3C approach is as follows:
1. First define the access control list. Note: if the list is going to be used in a QoS policy, the deny and permit keywords in it carry no meaning; both permit and deny simply mean "match this flow".
2. Define a class (traffic classifier). The class is simple: it just matches a given list. It should also be possible to combine matches with OR or AND as on Cisco, but I have not verified this.
3. Define a behavior. There are many kinds; the commonly used ones are filter deny / filter permit (drop / allow) and changing the next hop (redirect next-hop). Marking, QoS and so on are also possible.
4. Define a QoS policy that associates the classes from step 2 with the behaviors from step 3, i.e. which class triggers which behavior. A policy can hold many such entries; within one policy, once the first matching class is found, evaluation does not continue down the list, which matters because the same flow may satisfy several classes with different behaviors.
5. Apply the QoS policy to an interface.

Below I paste the configuration for reference.
#
 version 5.20, Release 5303
#
 sysname master switch
#
 domain default enable system
#
 telnet server enable
#
vlan 1
#
vlan 20
#
vlan 23
 description 0023
#
vlan 24
#
vlan 30
#
vlan 40
#
vlan 50
vlan 60
#
vlan 70
#
vlan 80
#
vlan 90
#
vlan 100
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
traffic classifier h3c operator and
 if-match acl 3060                                   
 ********* Define class: the three subnets 30, 50 and 90 must not reach each other ********
traffic classifier wangtong operator and
 if-match acl 2010
********* Define class: users in subnets 20, 60 and 90 are placed in class wangtong (China Netcom) *******
traffic classifier dianxin operator and
 if-match acl 2020
********* Define class: users in subnets 30, 50 and 70 are placed in class dianxin (China Telecom) *******
traffic behavior h3c
 filter deny
********* Define a behavior named h3c whose action is drop! *********
traffic behavior wangtong
 redirect next-hop 10.1.1.2
********* Define a behavior named wangtong whose action is to change the next hop to 10.1.1.2 *********
traffic behavior dianxin
 redirect next-hop 10.1.2.2
********* Define a behavior named dianxin whose action is to change the next hop to 10.1.2.2 *********

qos policy h3c
 classifier h3c behavior h3c
 classifier wangtong behavior wangtong
 classifier dianxin behavior dianxin
*********** Define a QoS policy (note: this is the overall QoS policy; both the inter-VLAN access control and the policy routing are gathered into this one policy)
1. Flows matching class h3c execute behavior h3c, which here is drop.
2. Flows matching class wangtong execute behavior wangtong (China Netcom), which here changes the next hop to 10.1.1.2.
3. Flows matching class dianxin execute behavior dianxin (China Telecom), which here changes the next hop to 10.1.2.2.
********************************************************************
#
acl number 2010
 rule 0 permit source 192.168.20.0 0.0.0.255
 rule 1 permit source 192.168.60.0 0.0.0.255
 rule 2 permit source 192.168.90.0 0.0.0.255
acl number 2020
 rule 0 permit source 192.168.30.0 0.0.0.255
 rule 1 permit source 192.168.50.0 0.0.0.255
 rule 2 permit source 192.168.70.0 0.0.0.255
acl number 3060
 rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 20 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
 rule 50 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 60 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
 rule 70 permit ip source 192.168.90.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 80 permit ip source 192.168.90.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
************* Isolate the three subnets 30, 50 and 90 from each other while still letting each of them reach every other address. Because the H3C layer-3 switch (model S5510 here) enforces this per direction, every pair needs two rules, e.g. 30 -> 90 and 90 -> 30. The policy is applied on trunk ports, so the source address cannot be known in advance. ****************************************
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlan-interface23
 ip address 10.1.1.1 255.255.255.0
interface Vlan-interface24
 ip address 10.1.2.1 255.255.255.0
#
interface Vlan-interface30
 ip address 192.168.30.254 255.255.255.0
#
interface Vlan-interface40
 ip address 192.168.40.254 255.255.255.0
#
interface Vlan-interface50
 ip address 192.168.50.254 255.255.255.0
#
interface Vlan-interface60
 ip address 192.168.60.254 255.255.255.0
#
interface Vlan-interface70
 ip address 192.168.70.254 255.255.255.0
#
interface Vlan-interface80
 ip address 192.168.80.254 255.255.255.0
#
interface Vlan-interface90
 ip address 192.168.90.254 255.255.255.0
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/5
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/6
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/7
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
#
interface GigabitEthernet1/0/8
 port link-type trunk
 port trunk permit vlan all
 qos apply policy h3c inbound
************ Bind the QoS policy on the 8 trunk ports **************************
#
interface GigabitEthernet1/0/9
 port access vlan 20
#
interface GigabitEthernet1/0/10
 port access vlan 20
 
interface GigabitEthernet1/0/11
 port access vlan 20
#
interface GigabitEthernet1/0/12
 port access vlan 20
#
interface GigabitEthernet1/0/13
 port access vlan 20
#
interface GigabitEthernet1/0/14
 port access vlan 20
#
interface GigabitEthernet1/0/15
 port access vlan 20
#
interface GigabitEthernet1/0/16
 port access vlan 20
#
interface GigabitEthernet1/0/17
 port access vlan 20
#
interface GigabitEthernet1/0/18
port access vlan 20
#
interface GigabitEthernet1/0/19
 port access vlan 100
 speed 100
#
interface GigabitEthernet1/0/20
 port access vlan 100
 speed 100
#
interface GigabitEthernet1/0/21
 port access vlan 100
 speed 100
#
interface GigabitEthernet1/0/22
 port access vlan 100
#
interface GigabitEthernet1/0/23
 port access vlan 23
 speed 100
 duplex full
#
interface GigabitEthernet1/0/24
port access vlan 24
#
interface GigabitEthernet1/0/25
 shutdown
#
interface GigabitEthernet1/0/26
 shutdown
#
interface GigabitEthernet1/0/27
 shutdown
#
interface GigabitEthernet1/0/28
 shutdown
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
 ip route-static 0.0.0.0 0.0.0.0 10.1.2.2
********** Define two default routes, one pointing at the China Telecom network and one at the China Netcom network ***************
#
user-interface aux 0
user-interface vty 0 4
#
return
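To check what the policy above actually does to a given flow, here is a small Python model of the ACL -> classifier -> behavior -> policy chain, written as an added example and not taken from the original post or from H3C. It uses the ACL numbers, classes, behaviors and next hops from the posted configuration; it assumes that basic ACLs 2010/2020 match on source only, that `operator and` means every listed ACL must match, and that the policy is evaluated top-down with the first matching class winning (the order-dependence the post describes in step 4).

```python
import ipaddress

def _in(ip, net):
    """True when net is None (any address) or ip lies inside net."""
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

# ACL rules as (source, destination) networks, taken from the posted config.
# Basic ACLs 2010/2020 match on source only, so their destination is None.
# Inside a QoS policy permit/deny both just mean "match", so they are not modelled.
ACLS = {
    2010: [("192.168.20.0/24", None), ("192.168.60.0/24", None),
           ("192.168.90.0/24", None)],
    2020: [("192.168.30.0/24", None), ("192.168.50.0/24", None),
           ("192.168.70.0/24", None)],
    # acl 3060: every ordered pair among subnets 30, 50 and 90 (six rules)
    3060: [(f"192.168.{s}.0/24", f"192.168.{d}.0/24")
           for s in (30, 50, 90) for d in (30, 50, 90) if s != d],
}
# traffic classifier <name> operator and -> every listed ACL must match.
CLASSIFIERS = {"h3c": [3060], "wangtong": [2010], "dianxin": [2020]}
BEHAVIORS = {
    "h3c": ("filter deny", None),
    "wangtong": ("redirect next-hop", "10.1.1.2"),
    "dianxin": ("redirect next-hop", "10.1.2.2"),
}
# qos policy h3c: evaluated top-down, the first matching classifier wins.
POLICY = [("h3c", "h3c"), ("wangtong", "wangtong"), ("dianxin", "dianxin")]

def acl_matches(acl_number, src, dst):
    """An ACL matches when any one of its rules matches the flow."""
    return any(_in(src, s) and _in(dst, d) for s, d in ACLS[acl_number])

def evaluate(src, dst):
    """Return (classifier, action, parameter) for a flow entering a trunk port."""
    for cls, beh in POLICY:
        if all(acl_matches(a, src, dst) for a in CLASSIFIERS[cls]):
            action, param = BEHAVIORS[beh]
            return cls, action, param
    return None, "forward", None   # no class matched: normal routing table lookup

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation address.
    for src, dst in [("192.168.30.10", "192.168.50.10"),   # isolated pair
                     ("192.168.90.10", "192.168.30.10"),   # matches 3060 and 2010
                     ("192.168.30.10", "192.168.40.10"),   # to a subnet outside 3060
                     ("192.168.20.10", "203.0.113.5"),     # Netcom users to the Internet
                     ("192.168.40.10", "203.0.113.5")]:    # no class at all
        print(src, "->", dst, evaluate(src, dst))
```

The second sample flow (90 -> 30) matches both class h3c and class wangtong; only the policy order makes the drop win over the redirect, so swapping the `classifier` lines in `qos policy h3c` would silently reopen the isolation. The model only covers ports carrying `qos apply policy h3c inbound`, which in the posted configuration are the eight trunk ports.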