• 全部
  • 經驗案例
  • 典型配置
  • 技術公告
  • FAQ
  • 漏洞說明
  • 全部
  • 全部
  • 大數據引擎
  • 知了引擎
產品線
搜索
取消
案例類型
發布者
是否解決
是否官方
時間
搜索引擎
匹配模式
高級搜索

Msr3600-28-xs,策略路由和靜態路由衝突?

2025-03-04提問
  • 0關注
  • 0收藏,578瀏覽
bbD7 零段
粉絲:0人 關注:0人

問題描述:

 

組網情況:

Msr3600-28-xs是一台出口路由器(路由交換一體機,有20多個口作交換機用)

另有2個wan口,之前GE0 接【線路1】這條寬帶,固定ip上網

共有vlan4  機房用  192.168.4.0/24

vlan5  、6、7   固定pc機  網線接入  對應ip段都是 192.168.x.0/24

vlan8   無線ap接入 192.168.8.0/24

各vlan可以互相ping通。

 

路由器下連了一台POE交換機S5120V3。

 

需求:

新增了【線路2】,就是GE1口,撥號 Dialer1 的寬帶。

需要修改路由策略,讓(vlan4  機房用  192.168.4.0/24)走(【線路1】這條寬帶,固定ip)出去。

其它vlan都走【線路2】

同時,各vlan在內網保持互通。

 

問題描述:

之前網上請教和搜索,拚湊配置了策略路由。

配置完以後。vlan5 6 7各試了一台,都是按預期,走的【線路1】

但vlan4 4.0網段,機房有不少服務器,有的ip如4.132走的【線路1】,有的走的【線路2】,不一定,怎麼辦?

測試方法 windows  cmd下 :  tracert 163.com

~~~~~~~~~~~~~~~~~~~~~~~~

8.0網段比較特殊,在交換機上配置的

怎麼配?

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

我擬定的,部分策略路由的配置:

vlan 5 6 7 8 走319寬帶  Dialer1

acl advanced 3100

description Allow traffic for policy-based routing and exclude internal traffic

rule 0 deny ip source 192.168.0.0 0.0.15.255 destination 192.168.0.0 0.0.15.255

rule 5 permit ip source 192.168.5.0 0.0.0.255

rule 10 permit ip source 192.168.6.0 0.0.0.255

rule 15 permit ip source 192.168.7.0 0.0.0.255

quit

 

policy-based-route neiwang node 10

if-match acl 3100

apply output-interface Dialer1

quit

 

interface Vlan-interface6

ip policy-based-route neiwang

quit

 

vlan5 和 7 也是這樣配置

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vlan4  走默認【線路1】這條寬帶

acl advanced 3200

description Allow traffic for policy-based routing and exclude internal traffic

rule 0 deny ip source 192.168.0.0 0.0.15.255 destination 192.168.0.0 0.0.15.255

rule 5 permit ip source 192.168.4.0 0.0.0.255

quit

 

policy-based-route neiwang4.0 node 20

if-match acl 3200

apply output-interface GigabitEthernet0/0

quit

 

interface Vlan-interface4

ip policy-based-route neiwang4.0

quit

~~~~~~~~~~~~~~~~~~~~~~~~

配置策略路由之前的   【路由表】

[msr3600]display ip routing-table

 

Destinations : 39       Routes : 39

 

Destination/Mask   Proto   Pre Cost        NextHop         Interface

0.0.0.0/0          Static  60  0           125.81.1.1      GE0/0

0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0

125.81.1.0/24      Direct  0   0           125.81.1.29     GE0/0

125.81.1.29/32     Direct  0   0           127.0.0.1       InLoop0

125.81.1.255/32    Direct  0   0           125.81.1.29     GE0/0

127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0

127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0

127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

192.168.0.0/23     Direct  0   0           192.168.0.1     Vlan1

192.168.0.1/32     Direct  0   0           127.0.0.1       InLoop0

192.168.1.255/32   Direct  0   0           192.168.0.1     Vlan1

192.168.4.0/24     Direct  0   0           192.168.4.1     Vlan4

192.168.4.1/32     Direct  0   0           127.0.0.1       InLoop0

192.168.4.255/32   Direct  0   0           192.168.4.1     Vlan4

192.168.5.0/24     Direct  0   0           192.168.5.1     Vlan5

192.168.5.1/32     Direct  0   0           127.0.0.1       InLoop0

192.168.5.255/32   Direct  0   0           192.168.5.1     Vlan5

192.168.6.0/24     Direct  0   0           192.168.6.1     Vlan6

192.168.6.1/32     Direct  0   0           127.0.0.1       InLoop0

192.168.6.255/32   Direct  0   0           192.168.6.1     Vlan6

192.168.7.0/24     Direct  0   0           192.168.7.1     Vlan7

192.168.7.1/32     Direct  0   0           127.0.0.1       InLoop0

192.168.7.255/32   Direct  0   0           192.168.7.1     Vlan7

192.168.8.0/24     Direct  0   0           192.168.8.253   Vlan8

192.168.8.253/32   Direct  0   0           127.0.0.1       InLoop0

192.168.8.255/32   Direct  0   0           192.168.8.253   Vlan8

192.168.9.0/24     Static  60  0           192.168.10.2    Vlan10

192.168.10.0/24    Direct  0   0           192.168.10.1    Vlan10

192.168.10.1/32    Direct  0   0           127.0.0.1       InLoop0

192.168.10.255/32  Direct  0   0           192.168.10.1    Vlan10

192.168.11.0/24    Direct  0   0           192.168.11.253  Vlan11

192.168.11.253/32  Direct  0   0           127.0.0.1       InLoop0

192.168.11.255/32  Direct  0   0           192.168.11.253  Vlan11

192.168.172.0/24   Direct  0   0           192.168.172.1   SSLVPN-AC1

192.168.172.1/32   Direct  0   0           127.0.0.1       InLoop0

192.168.172.255/32 Direct  0   0           192.168.172.1   SSLVPN-AC1

224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0

224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0

255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0

[msr3600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

附,配置後的整體配置,dis  curr

~~~~~~~~~~~~~~~~~~~~~~~~~

以下是配置原文

#

version 7.1.064, Release 6749P2102

#

sysname msr3600

#

clock timezone Beijing add 08:00:00

clock protocol ntp

#

wlan global-configuration

#

qos carl 1 source-ip-address object-group temp1 per-address shared-bandwidth

qos carl 2 destination-ip-address object-group temp1 per-address shared-bandwidth

qos carl 3 source-ip-address object-group temp2 per-address

qos carl 4 destination-ip-address object-group temp2 per-address

qos carl 5 source-ip-address object-group temp2 per-address

qos carl 6 destination-ip-address object-group temp2 per-address

qos carl 7 source-ip-address object-group temp1 per-address shared-bandwidth

qos carl 8 destination-ip-address object-group temp1 per-address shared-bandwidth

qos carl 9 source-ip-address object-group temp3 per-address

qos carl 10 destination-ip-address object-group temp3 per-address

qos carl 11 source-ip-address object-group temp1 per-address shared-bandwidth

qos carl 12 destination-ip-address object-group temp1 per-address shared-bandwidth

qos carl 13 source-ip-address object-group temp1 per-address shared-bandwidth

qos carl 14 destination-ip-address object-group temp1 per-address shared-bandwidth

qos carl 15 source-ip-address object-group temp1 per-address shared-bandwidth

qos carl 16 destination-ip-address object-group temp1 per-address shared-bandwidth

#

security-policy disable

#

dialer-group 2 rule ip permit

#

dhcp enable

dhcp server forbidden-ip 192.168.5.1 192.168.5.150

dhcp server forbidden-ip 192.168.6.1 192.168.6.150

dhcp server forbidden-ip 192.168.7.1 192.168.7.150

#

dns proxy enable

dns server 114.114.114.114

dns server 218.6.200.139

dns server 223.6.6.6

#

lldp global enable

#

system-working-mode standard

password-recovery enable

#

vlan 1

#

vlan 4 to 8

#

vlan 10 to 11

#

object-group ip address 10.0

0 network range 192.168.10.2 192.168.10.254

#

object-group ip address 4.0

0 network range 192.168.4.1 192.168.4.254

#

object-group ip address 5.0

0 network range 192.168.5.1 192.168.5.254

#

object-group ip address 6.0

0 network range 192.168.6.1 192.168.6.254

#

object-group ip address 7.0

0 network range 192.168.7.1 192.168.7.254

0 network exclude 192.168.7.69

#

object-group ip address 8.0

0 network range 192.168.8.1 192.168.8.254

#

object-group ip address temp1

description 臨時占用用於限速排行

#

object-group ip address temp2

description 臨時占位用於限速排行

#

object-group ip address temp3

description 臨時占用用於限速排行

0 network host address 172.16.111.112

#

stp instance 0 root primary

stp global enable

#

dhcp server ip-pool lan1

gateway-list 192.168.0.1

network 192.168.0.0 mask 255.255.254.0

address range 192.168.1.3 192.168.1.254

dns-list 192.168.0.1

#

dhcp server ip-pool vlan5

gateway-list 192.168.5.1

network 192.168.5.0 mask 255.255.255.0

address range 192.168.5.150 192.168.5.250

dns-list 192.168.5.1

#

dhcp server ip-pool vlan6

gateway-list 192.168.6.1

network 192.168.6.0 mask 255.255.255.0

address range 192.168.6.150 192.168.6.250

dns-list 192.168.6.1

#

dhcp server ip-pool vlan7

gateway-list 192.168.7.1

network 192.168.7.0 mask 255.255.255.0

address range 192.168.7.150 192.168.7.250

dns-list 192.168.7.1

#

dhcp server ip-pool vlan-interface11

gateway-list 192.168.11.253

network 192.168.11.0 mask 255.255.255.0

address range 192.168.11.150 192.168.11.250

dns-list 192.168.11.253

forbidden-ip-range 192.168.11.253 192.168.11.253

#

policy-based-route neiwang permit node 10

if-match acl 3100

apply output-interface Dialer1

#

policy-based-route neiwang4.0 permit node 20

if-match acl 3200

apply output-interface GigabitEthernet0/0

#

wlan service-template h3c

ssid H3C

service-template enable

#

wlan service-template h3c_5g

ssid H3C_5G

service-template enable

#

controller Cellular0/0

#

interface Bridge-Aggregation1

port access vlan 4

#

interface Bridge-Aggregation2

port access vlan 4

#

interface Bridge-Aggregation3

port access vlan 4

#

interface Dialer0

mtu 1492

#

interface Dialer1

mtu 1492

ppp chap password cipher $c$3$Bwfyq2k7kf7HnGJX+EMjPYoMYNu3O1YSfII5 

ppp chap user CD02833025248351 

ppp ipcp dns admit-any 

ppp ipcp dns request 

ppp pap local-user CD02833025248351 password cipher $c$3$Ri71gxU5B8VAaO6UUzF4Cfgk1fA/DHUE+TtH 

dialer bundle enable

dialer-group 2

dialer timer idle 0

dialer timer autodial 5

ip address ppp-negotiate

tcp mss 1280

nat outbound

#

interface NULL0

#

interface Vlan-interface1

description LAN-interface

ip address 192.168.0.1 255.255.254.0

tcp mss 1280

nat hairpin enable

#

interface Vlan-interface4

description LAN-interface

ip address 192.168.4.1 255.255.255.0

packet-filter 3001 inbound

packet-filter 3001 outbound

nat hairpin enable

ip policy-based-route neiwang4.0

#

interface Vlan-interface5

description LAN-interface

ip address 192.168.5.1 255.255.255.0

packet-filter 3001 inbound

packet-filter 3001 outbound

nat hairpin enable

ip policy-based-route neiwang

#

interface Vlan-interface6

description LAN-interface

ip address 192.168.6.1 255.255.255.0

packet-filter 3001 inbound

packet-filter 3001 outbound

nat hairpin enable

ip policy-based-route neiwang

#

interface Vlan-interface7

description LAN-interface

ip address 192.168.7.1 255.255.255.0

packet-filter 3001 inbound

packet-filter 3001 outbound

nat hairpin enable

ip policy-based-route neiwang

#

interface Vlan-interface8

ip address 192.168.8.253 255.255.255.0

tcp mss 1280

nat hairpin enable

undo dhcp select server

#

interface Vlan-interface10

ip address 192.168.10.1 255.255.255.0

packet-filter name Vlan-interface10 inbound

packet-filter 3001 inbound

packet-filter 3001 outbound

nat hairpin enable

#

interface Vlan-interface11

description LAN-interface

ip address 192.168.11.253 255.255.255.0

tcp mss 1280

nat hairpin enable

#

interface GigabitEthernet0/0

port link-mode route

description Double_Line1

ip address 125.81.1.29 255.255.255.0

dns server 218.6.200.139

dns server 223.6.6.6

tcp mss 1280

packet-filter name GigabitEthernet0/0 inbound

qos car inbound carl 4 cir 10 cbs 1000 ebs 0 green pass red discard yellow pass

qos car inbound carl 6 cir 5123 cbs 320187 ebs 0 green pass red discard yellow pass

qos car inbound carl 10 cir 5123 cbs 320187 ebs 0 green pass red discard yellow pass

qos car inbound carl 2 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car inbound carl 8 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car inbound carl 12 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car inbound carl 14 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car inbound carl 16 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car outbound carl 3 cir 10 cbs 1000 ebs 0 green pass red discard yellow pass

qos car outbound carl 5 cir 5123 cbs 320187 ebs 0 green pass red discard yellow pass

qos car outbound carl 9 cir 5123 cbs 320187 ebs 0 green pass red discard yellow pass

qos car outbound carl 1 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car outbound carl 7 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car outbound carl 11 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car outbound carl 13 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

qos car outbound carl 15 cir 60123 cbs 3757687 ebs 0 green pass red discard yellow pass

nat outbound

……

……

#

interface GigabitEthernet0/1

port link-mode route

description Double_Line2

pppoe-client dial-bundle-number 1

#

interface GigabitEthernet0/2

port link-mode route

#

interface GigabitEthernet0/27

port link-mode route

#

interface GigabitEthernet0/28

port link-mode route

#

interface GigabitEthernet0/3

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/4

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/5

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/6

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/7

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/8

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/9

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/10

port link-mode bridge

port access vlan 7

#

interface GigabitEthernet0/11

port link-mode bridge

port access vlan 6

#

interface GigabitEthernet0/12

port link-mode bridge

port access vlan 6

#

interface GigabitEthernet0/13

port link-mode bridge

port access vlan 6

#

interface GigabitEthernet0/14

port link-mode bridge

port access vlan 6

#

interface GigabitEthernet0/15

port link-mode bridge

port access vlan 6

#

interface GigabitEthernet0/16

port link-mode bridge

port link-type trunk

undo port trunk permit vlan 1

port trunk permit vlan 6

port trunk pvid vlan 6

#

interface GigabitEthernet0/17

port link-mode bridge

port access vlan 5

#

interface GigabitEthernet0/18

port link-mode bridge

port access vlan 5

#

interface GigabitEthernet0/19

port link-mode bridge

port access vlan 5

#

interface GigabitEthernet0/20

port link-mode bridge

port access vlan 5

#

interface GigabitEthernet0/21

port link-mode bridge

port access vlan 4

port link-aggregation group 1

#

interface GigabitEthernet0/22

port link-mode bridge

port access vlan 4

port link-aggregation group 1

#

interface GigabitEthernet0/23

port link-mode bridge

port access vlan 10

#

interface GigabitEthernet0/24

port link-mode bridge

port link-type trunk

port trunk permit vlan all

#

interface GigabitEthernet0/25

port link-mode bridge

port access vlan 4

port link-aggregation group 3

#

interface GigabitEthernet0/26

port link-mode bridge

port access vlan 4

port link-aggregation group 3

#

interface SSLVPN-AC1

ip address 192.168.172.1 255.255.255.0

#

object-policy ip Any-Any

rule 65533 inspect 8048_url_profile_global disable

rule 65534 pass

#

security-zone name Local

#

security-zone name Trust

#

security-zone name DMZ

#

security-zone name Untrust

#

security-zone name Management

#

scheduler logfile size 16

#

line class console

user-role network-admin

#

line class tty

user-role network-operator

#

line class vty

user-role network-operator

#

line con 0

user-role network-admin

set authentication password hash y0MForAn$Cvw/vyAUts1IRfR5FfOI/aFl1yf0mmdsmgSP6HGu

#

line vty 0 63

authentication-mode scheme

user-role network-operator

#

ip route-static 0.0.0.0 0 GigabitEthernet0/0 125.81.1.1

ip route-static 0.0.0.0 0 Dialer1

ip route-static 192.168.8.0 24 192.168.10.2

ip route-static 192.168.9.0 24 192.168.10.2

ip route-static 192.168.10.0 24 192.168.10.2

ip route-static 192.168.11.0 24 192.168.10.2

#

info-center source CFGLOG loghost level informational

#

performance-management

#

ssh server enable

#

ntp-service enable

ntp-service unicast-server ***.***

ntp-service unicast-server registry.h3c.com

ntp-service unicast-server ***.***

ntp-service unicast-server ***.***

#

acl advanced 3001

rule 0 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.4.0 0.0.0.255

rule 5 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.5.0 0.0.0.255

rule 10 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.6.0 0.0.0.255

rule 15 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.7.0 0.0.0.255

rule 20 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.8.0 0.0.0.255

rule 25 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.9.0 0.0.0.255

rule 30 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.10.1 0

rule 35 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.10.2 0

rule 40 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.10.3 0

rule 45 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.10.4 0

rule 50 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.10.5 0

#

acl advanced 3100

description Allow traffic for policy-based routing and exclude internal traffic

rule 0 deny ip source 192.168.0.0 0.0.15.255 destination 192.168.0.0 0.0.15.255

rule 5 permit ip source 192.168.5.0 0.0.0.255

rule 10 permit ip source 192.168.6.0 0.0.0.255

rule 15 permit ip source 192.168.7.0 0.0.0.255

#

acl advanced 3200

description Allow traffic for policy-based routing and exclude internal traffic

rule 0 deny ip source 192.168.0.0 0.0.15.255 destination 192.168.0.0 0.0.15.255

rule 5 permit ip source 192.168.4.0 0.0.0.255

#

acl advanced 3888

rule 5 permit ip

#

acl advanced name GigabitEthernet0/0

rule 9 permit ip source 125.81.1.29 0 destination 125.81.1.29 0

rule 9 comment permit myself

……

#

acl advanced name SWXWSGL

rule 1 permit ip

#

acl advanced name Vlan-interface10

rule 10 permit ip source 192.168.8.87 0

rule 10 comment 允許打印機

……

 

#

acl mac 4999

rule 10 permit

#

undo password-control aging enable 

undo password-control length enable 

undo password-control composition enable 

undo password-control history enable 

password-control length 6

undo password-control complexity user-name check

#

domain system

#

domain default enable system

#

role name level-0

description Predefined level-0 role

#

role name level-1

description Predefined level-1 role

#

role name level-2

description Predefined level-2 role

#

role name level-3

description Predefined level-3 role

#

role name level-4

description Predefined level-4 role

#

role name level-5

description Predefined level-5 role

#

role name level-6

description Predefined level-6 role

#

role name level-7

description Predefined level-7 role

#

role name level-8

description Predefined level-8 role

#

role name level-9

description Predefined level-9 role

#

role name level-10

description Predefined level-10 role

#

role name level-11

description Predefined level-11 role

#

role name level-12

description Predefined level-12 role

#

role name level-13

description Predefined level-13 role

#

role name level-14

description Predefined level-14 role

#

user-group system

#

local-user admin class manage

password hash ……

service-type ssh telnet terminal http https

authorization-attribute user-role level-15

authorization-attribute user-role network-admin

#

local-user system class manage

password hash ……

service-type ftp

service-type ssh telnet terminal http https

authorization-attribute user-role level-15

authorization-attribute user-role network-operator

#

security-enhanced level 1

#

ssl version gm-tls1.1 disable

undo ssl renegotiation disable

undo ssl version ssl3.0 disable

undo ssl version tls1.0 disable

undo ssl version tls1.1 disable

undo ssl version tls1.2 disable

undo ssl version tls1.3 disable

#

netconf soap http enable

#

ip http enable

ip https enable

web idle-timeout 999

web new-style

#

url-filter category custom severity 65535

#

app-profile recordurl

url-filter apply policy recordurl

#

wlan auto-ap enable

#

wlan ap-group default-group

vlan 1

ap-model WA2610H

  radio 1

  radio enable

  service-template h3c

  ethernet 1

  ethernet 2

  ethernet 3

ap-model WA2610H-LI

  radio 1

  radio enable

  service-template h3c

  ethernet 1

  ethernet 2

  ethernet 3

ap-model WA4320-ACN-C

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

ap-model WA4320-ACN-D

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

ap-model WA4320-ACN-E

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

ap-model WA4320H

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

  gigabitethernet 3

  gigabitethernet 4

  gigabitethernet 5

ap-model WA4320H-SI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  ethernet 1

  ethernet 2

  ethernet 3

ap-model WA4320i-X

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5320

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5320-C

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5320-C-EI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5320-C-IOT

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5320-D

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

ap-model WA5320H

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

  gigabitethernet 3

  gigabitethernet 4

ap-model WA5320H-LI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

  gigabitethernet 3

  gigabitethernet 4

  gigabitethernet 5

ap-model WA5320X

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

  gigabitethernet 3

ap-model WA5320X-E

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5320X-LI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

  gigabitethernet 3

ap-model WA5320X-SI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

  gigabitethernet 3

ap-model WA5320i-LI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5530

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c_5g

  radio 3

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5530-LI

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c_5g

  radio 3

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

ap-model WA5530S

  radio 1

  radio enable

  service-template h3c_5g

  radio 2

  radio enable

  service-template h3c_5g

  radio 3

  radio enable

  service-template h3c

  gigabitethernet 1

  gigabitethernet 2

#

sslvpn ip address-pool ssl 192.168.172.2 192.168.172.254

#

sslvpn gateway ssl

ip address 125.81.1.29 port 2000

service enable

#

sslvpn context ssl

gateway ssl domain domainip

ip-tunnel interface SSLVPN-AC1

ip-tunnel address-pool ssl mask 255.255.255.0

ip-tunnel dns-server primary 114.114.114.114

ip-route-list 10

  include 192.168.4.0 255.255.255.0

  include 192.168.5.0 255.255.255.0

  include 192.168.6.0 255.255.255.0

  include 192.168.7.0 255.255.255.0

  include 192.168.8.0 255.255.255.0

policy-group ssl

  filter ip-tunnel acl 3888

  ip-tunnel access-route ip-route-list 10

timeout idle 1440

#

undo dac log-collect service dpi audit enable

undo dac log-collect service dpi url-filter enable

#

return

 

 

 

2 個回答
zhl188 五段
粉絲:1人 關注:2人

ACL匹配規則是隻要命中一個就停止向下,所以,第一個寫deny不合適,他放到最後。你試試

好的,感謝感謝

bbD7 發表時間:2025-03-05 更多>>

另外,因為隻有周末才能配置,試錯周期比較長,能否幫我檢查下,這個策略路由是否和靜態路由有衝突?主要問題就是:(但vlan4 4.0網段,機房有不少服務器,有的ip如4.132走的【線路1】,有的走的【線路2】)

bbD7 發表時間:2025-03-04
回複bbD7:

看著問題不大。周末你可以tracert跟蹤這些地址,看看路徑是否正確。

zhl188 發表時間:2025-03-05

好的,感謝感謝

bbD7 發表時間:2025-03-05
bbD7 知了小白
粉絲:0人 關注:0人

謝謝,我周六來試試。

這幾天工作日不敢動。


~~~~~~~~~~~~~~~~~~~~~~~~~~~

V2版的策略路由:


vlan 5 6 7 8 走【線路2】  Dialer1

acl advanced 3100

description Allow traffic for policy-based routing and exclude internal traffic

rule 5 permit ip source 192.168.5.0 0.0.0.255

rule 10 permit ip source 192.168.6.0 0.0.0.255

rule 15 permit ip source 192.168.7.0 0.0.0.255

rule 80 deny ip source 192.168.0.0 0.0.15.255 destination 192.168.0.0 0.0.15.255

quit

 

policy-based-route neiwang node 10

if-match acl 3100

apply output-interface Dialer1

quit

 

interface Vlan-interface6

ip policy-based-route neiwang

quit

 

vlan5 和 7 也是這樣配置

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vlan4  走默認【線路1】這條寬帶

acl advanced 3200

description Allow traffic for policy-based routing and exclude internal traffic

rule 5 permit ip source 192.168.4.0 0.0.0.255

rule 80 deny ip source 192.168.0.0 0.0.15.255 destination 192.168.0.0 0.0.15.255

quit

 

policy-based-route neiwang4.0 node 20

if-match acl 3200

apply output-interface GigabitEthernet0/0

quit

 

interface Vlan-interface4

ip policy-based-route neiwang4.0

quit


編輯答案

你正在編輯答案

如果你要對問題或其他回答進行點評或詢問,請使用評論功能。

分享擴散:

提出建議

    +

親~登錄後才可以操作哦!

確定

親~檢測到您登陸的賬號未在http://hclhub.h3c.com進行注冊

注冊後可訪問此模塊

跳轉hclhub

你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作

舉報

×

侵犯我的權益 >
對根叔社區有害的內容 >
辱罵、歧視、挑釁等(不友善)

侵犯我的權益

×

泄露了我的隱私 >
侵犯了我企業的權益 >
抄襲了我的內容 >
誹謗我 >
辱罵、歧視、挑釁等(不友善)
騷擾我

泄露了我的隱私

×

您好,當您發現根叔知了上有泄漏您隱私的內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到pub.zhiliao@h3c.com 郵箱,我們會盡快處理。
  • 1. 您認為哪些內容泄露了您的隱私?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
  • 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)

侵犯了我企業的權益

×

您好,當您發現根叔知了上有關於您企業的造謠與誹謗、商業侵權等內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到 pub.zhiliao@h3c.com 郵箱,我們會在審核後盡快給您答複。
  • 1. 您舉報的內容是什麼?(請在郵件中列出您舉報的內容和鏈接地址)
  • 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
  • 3. 是哪家企業?(營業執照,單位登記證明等證件)
  • 4. 您與該企業的關係是?(您是企業法人或被授權人,需提供企業委托授權書)
我們認為知名企業應該坦然接受公眾討論,對於答案中不準確的部分,我們歡迎您以正式或非正式身份在根叔知了上進行澄清。

抄襲了我的內容

×

原文鏈接或出處

誹謗我

×

您好,當您發現根叔知了上有誹謗您的內容時,您可以向根叔知了進行舉報。 請您把以下內容通過郵件發送到pub.zhiliao@h3c.com 郵箱,我們會盡快處理。
  • 1. 您舉報的內容以及侵犯了您什麼權益?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
  • 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
我們認為知名企業應該坦然接受公眾討論,對於答案中不準確的部分,我們歡迎您以正式或非正式身份在根叔知了上進行澄清。

對根叔社區有害的內容

×

垃圾廣告信息
色情、暴力、血腥等違反法律法規的內容
政治敏感
不規範轉載 >
辱罵、歧視、挑釁等(不友善)
騷擾我
誘導投票

不規範轉載

×

舉報說明