MSR3620-XS ACL+PBR配置
- 0关注
- 0收藏,40浏览
问题描述:
配置版本:version 7.1.064, Release 6728P25
本来想用acl规则匹配出口地址的,但是会漏,现在直接根据内网地址配置,麻烦各位大佬帮忙看看命令都对吗?如果后面有个别源ip地址想要改到192.168.100.1好像不好改了,希望也能提供点其他思路
system-view # ============ 1. 清理将替换的旧节点 ============ undo policy-based-route pbr2 permit node 1 undo policy-based-route pbr2 permit node 2 undo policy-based-route pbr2 permit node 6 undo policy-based-route pbr2 permit node 10 undo policy-based-route pbr2 permit node 20 undo policy-based-route pbr2 permit node 30 undo policy-based-route pbr2 permit node 50 # ============ 2. 源IP对象组 ============ object-group ip address srcgroup-pbr1 0 network range 192.168.0.2 192.168.0.255 quit object-group ip address srcgroup-pbr2 0 network range 192.168.1.1 192.168.1.255 quit # ============ 3. ACL ============ # callcenter 目的IP acl advanced name acl-callcenter rule 10 permit ip destination 111.230.5.161 0 quit # 192.168.0.x 源IP acl advanced name acl-pbr1 rule 10 permit ip source object-group srcgroup-pbr1 quit # 192.168.1.x 源IP acl advanced name acl-pbr2 rule 10 permit ip source object-group srcgroup-pbr2 quit # 兜底(任意IP) acl advanced name acl-default rule 10 permit ip quit # ============ 4. Node 1:callcenter(仅次 192.168.0.253)============ policy-based-route pbr2 permit node 1 if-match acl name acl-callcenter apply output-interface Dialer2 quit # ============ 5. Node 3:192.168.0.x 主备合一 ============ policy-based-route pbr2 permit node 3 if-match acl name acl-pbr1 apply next-hop 192.168.100.1 track 1 apply output-interface Dialer2 quit # ============ 6. Node 5:192.168.1.x 主备合一 ============ policy-based-route pbr2 permit node 5 if-match acl name acl-pbr2 apply output-interface Dialer2 apply output-interface Dialer3 quit # ============ 7. 后移旧有策略 ============ # 原 node 1 → node 11 policy-based-route pbr2 permit node 11 if-match acl 3000 apply next-hop 192.168.100.1 track 1 quit # 原 node 2 → node 12 policy-based-route pbr2 permit node 12 if-match acl name acl22 apply output-interface Dialer2 quit # 原 node 6 → node 13 policy-based-route pbr2 permit node 13 if-match acl name acl-overseas apply next-hop 192.168.100.1 track 1 quit # 原 node 20 → node 14 policy-based-route pbr2 permit node 14 if-match acl name acl-cn apply output-interface Dialer2 quit # ============ 8. Node 99:兜底 ============ policy-based-route pbr2 permit node 99 if-match acl name acl-default apply next-hop 192.168.100.1 track 1 quit save force
1. 精准匹配内网源的ACL配置:
acl number 3000
rule permit ip source 192.168.0.0 0.0.255.255 # 匹配内网段,反掩码正确
2. PBR绑定ACL指定出口:
policy-based-route pbr2 permit node 10
if-match acl 3000
apply next-hop 【出口IP】
3. 灵活调整个别源的思路:用IP地址组替代硬编码ACL,无需修改PBR节点:
ip group source_group
ip 192.168.0.0 0.0.255.255
ip 192.168.100.1 0.0.0.0 # 新增需调整的源
acl 3000下改规则为:rule permit ip source-group source_group
最后在出接口绑定PBR:interface 【WAN口】,ip policy-based-route pbr2。
暂无评论
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论