华为S6720S acl+策略流控制-秋月博客

配置acl策略，3000设置允许，3001设置拒绝所有：acl 3001rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.

配置acl策略，3000设置允许，3001设置拒绝所有：

acl 3001rule  deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255rule  deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255rule  deny ip source 192.168.10.0 0.0.0.255 destination 192.168.40.0 0.0.0.255rule  deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255rule  deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255rule  deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255acl 3000rule  permit ip source 192.168.10.11 0rule  permit ip source 192.168.20.222 0 destination 192.168.10.111 0

配置策略流应用到全局：

traffic classifier 3000 operator andif-match acl 3000qtraffic behavior 3000traffic classifier 3001 operator andif-match acl 3001qtraffic behavior 3001

以上2台核心交换机配置一样

sw1：traffic policy yunxuclassifier 3000 behavior 3000classifier 3001 behavior 3001traffic-policy yunxu global inboundbackup：traffic policy yunxu-backupclassifier 3000 behavior 3000classifier 3001 behavior 3001traffic-policy yunxu-backup global inbound

设置端口组：

port-group g1-24port-group group-member g0/0/1 to g0/0/24port link-type trunkport trunk allow-pass vlan all

配置端口聚合，将2台核心交换机通过线路捆绑：

interface Eth-Trunk 1trunkport GigabitEthernet 0/0/10 to 0/0/12port link-type trunkport trunk allow-pass vlan 2 to 4094

以上2台核心交换机配置一样

配置vrrp，防止核心交换单点故障：

[sw1] 主走vlan10 vlan20，备走vlan30 vlan40

int vlan 10vrrp vrid 10 virtual-ip 192.168.10.100vrrp vrid 10 priority 150vrrp vrid 10 track interface g0/0/24 reduced 100int vlan 20vrrp vrid 20 virtual-ip 192.168.20.100vrrp vrid 20 priority 150vrrp vrid 20 track interface g0/0/24 reduced 100int vlan 30vrrp vrid 30 virtual-ip 192.168.30.100int vlan 40vrrp vrid 40 virtual-ip 192.168.40.100

[backup] 主走vlan30 vlan40，备走vlan10 vlan 20

int vlan 10vrrp vrid 10 virtual-ip 192.168.10.100int vlan 20vrrp vrid 20 virtual-ip 192.168.20.100int vlan 30vrrp vrid 30 virtual-ip 192.168.30.100vrrp vrid 30 priority 150vrrp vrid 30 track interface g0/0/24 reduced 100int vlan 40vrrp vrid 40 virtual-ip 192.168.40.100vrrp vrid 40 priority 150vrrp vrid 40 track interface g0/0/24 reduced 100

注：各vlan下设备网关配置为各自的虚拟ip。如果配置vlan ip的话当主出现故障将无法访问外网；配置虚拟ip就算主出现故障，数据会通过备出去，不影响上网。

目录CONTENT

华为S6720S acl+策略流控制

评论区