策略路由典型配置：通过流策略实现策略路由（即重定向到不同的下一跳）

1、拓扑图及组网要求

公司用户通过SW2核心交换机连接到外部网络，其中一条是高速链路，网关是192.168.100.2/24，另一条是低俗网络，网关为192.168.200.2/24.公司内部有两个网段：

• 192.168.10.0/24，服务器区域，对链路带宽要求比较高；
• 192.168.20.0/24，员工上网，只允许走低速。
  

2、基本配置

按照上图所示，配置基础信息，即全网互通
sw1

vlan batch 10 20 

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20

interface GigabitEthernet0/0/3     #这里是trunk，允许vlan 10 20通过
 port link-type trunk
 port trunk allow-pass vlan 10 20

sw2

vlan batch 10 20 100 200
interface GigabitEthernet0/0/1		#这里是trunk，允许vlan 10 20通过
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 200


#vlanif的配置
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface Vlanif200
 ip address 192.168.200.1 255.255.255.0

加两条静态路由

[sw2]ip route-static 0.0.0.0 0 192.168.100.2
[sw2]ip route-static 0.0.0.0 0 192.168.200.2

分别在AR1、AR2加入回执路由

[ar1]ip route-static 192.168.0.0 16 192.168.100.1
[ar2]ip route-static 192.168.0.0 16 192.168.200.1

数据流分析

PC1和要能访问PC2，即红色1。PC2要能访问PC1，即绿色2。说白了PC1和PC2互访。

• PC1和PC2互访配置在一个ACL里面。命名为ACL3000
• PC1仅允许从高速链路出去，即蓝色3，命名为ACL3001
• PC2仅允许从低速链路出去，即紫色4，命名为ACL3002

3、配置ACL

ACL3000主要用于192.168.10.0和192.168.20.0互访

[sw2]acl 3000
[sw2-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255	
[sw2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

ACL3001允许10段通过

[sw2-acl-adv-3001]rule permit ip source 192.168.10.0 0.0.0.255

ACL3002允许20段通过

[sw2-acl-adv-3002]rule permit ip source 192.168.20.0 0.0.0.255

4、流分类的配置

其实质是将流分类和acl绑定

[sw2]traffic classifier c0 operator or
[sw2-classifier-c0]if-match acl 3000

[sw2]traffic classifier c1
[sw2-classifier-c1]if-match acl 3001

[sw2]traffic classifier c2 operator or
[sw2-classifier-c2]if-match acl 3002

5、流行为的配置

[sw2]traffic behavior b0	
[sw2-behavior-b0]permit  允许，即允许10和20段互访

[sw2]traffic behavior b1
[sw2-behavior-b1]redirect ip-nexthop 192.168.100.2   #将10段重定向到高速链路
[sw2]traffic behavior b2
[sw2-behavior-b2]redirect ip-nexthop 192.168.200.2    #将20段重定向到低速链路

6、流策略的配置

其实质是将流分类和流行为进行绑定

[sw2]traffic policy p1
[sw2-trafficpolicy-p1]classifier c0 behavior b0
[sw2-trafficpolicy-p1]classifier c1 behavior b1
[sw2-trafficpolicy-p1]classifier c2 behavior b2

[sw2]int g0/0/1
[sw2-GigabitEthernet0/0/1]traffic-policy p1 inbound   # 将流策略应用到接口

总结一下我们都做了什么，首先我们做了三个ACL用于绑定IP和ACL

[sw2]dis acl all
 Total nonempty ACL number is 3 

Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.2
55 
 rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.
255 

Advanced ACL 3001, 1 rule
Acl's step is 5
 rule 5 permit ip source 192.168.10.0 0.0.0.255 

Advanced ACL 3002, 1 rule
Acl's step is 5
 rule 5 permit ip source 192.168.20.0 0.0.0.255 

然后我们配置了流分类，流分类其实就将ACL和流分类绑定。

[sw2]dis traffic classifier user-defined 
  User Defined Classifier Information:
   Classifier: c2
    Operator: OR
    Rule(s) : if-match acl 3002
             
   Classifier: c0
    Operator: OR
    Rule(s) : if-match acl 3000
             
   Classifier: c1
    Operator: AND
    Rule(s) : if-match acl 3001
             
Total classifier number is 3 

然后我们配置了流行为，流行为其实就是将上面匹配到的流重定向到相应的网关。

[sw2]dis traffic behavior user-defined 
  User Defined Behavior Information:
    Behavior: b2 
      Redirect: no forced
        Redirect ip-nexthop
        192.168.200.2
    Behavior: b0 
      Permit
    Behavior: b1 
      Redirect: no forced
        Redirect ip-nexthop
        192.168.100.2

Total behavior number is 3 

然后我们配置了流策略，其实就是将流分类和流行为进行绑定，最后将流策略应用到接口。