1、H3C S95E IRF 下IPS/ACG(MQC 方式)實驗1.1 實驗內容與目標本實驗是讓學員能熟悉S95E IRF 下IPS/ACG 的部署完本錢實驗，您應該能夠：掌握S95E IRF 下MQC 引流到IPS/ACG，并實現IPS/ACG 插卡備份1.2 預備知識和技能應了解S95E IRF 的原理及配置，以及IPS/ACG 插卡的工作原理1.3 實驗組網圖  圖1-1 S95E IRF 下IPS/ACG 實驗環(huán)境圖1.4 背景需求本實驗的場景為IRF 下OAA 插卡部署的典型場景1.5 實驗設備與版本本實驗所需之主要設備器材如表1-1 所示。表1-1 實驗

2、設備和器材名稱和型號版本數量描述S9508E R1238P08及以后版本2Secbalde ACG或者IPS插卡ACG: E6117P11及以后IPS: E2110P10及以后2接入交換機三層接入交換機2以太網線纜- 101.6 實驗過程實驗任務一：S9500E IRF 下IPS/ACG 部署步驟一：S95E 配置兩臺S9500E 形成IRF，下聯啟用VLAN1004-1008 三層，上聯VLAN1001-1002 三層。聚合鏈路上下行，核心交換機和交換機2 的VLAN 通信正常。acsei server enable /通過acsei 協議對插卡的狀態(tài)進行檢測#vlan 1001 to 10

3、08#interface Vlan-interface1001ip#interface Vlan-interface1002ip#interface Vlan-interface1004ip#interface Vlan-interface1005ip#interface Vlan-interface1006ip#interface Vlan-interface1007ip#interface Vlan-interface1008ip#步驟二：部署ACG 插卡使得核心交換機和互聯網交換機2 的互訪流量經過IRF 成員為1 的ACG-1 插卡，該卡故障后流量切換到IRF 成員為2 的ACG-2

4、上。S95E 與ACG 插卡接口根底配置interface Ten-GigabitEthernet1/5/0/1port link-type trunkport trunk permit vlan 1 1001 1002 1004 to 1008 /允許業(yè)務VLAN 通過，必須同時允許VLAN1stp disable / 關閉stp，否那么stp 會將此端口blockmac-address max-mac-count 0 / 關閉mac 學習，防止mac 地址學習偏移#interface Ten-GigabitEthernet2/5/0/1port link-type trunkport tr

5、unk permit vlan 1 1001 1002 1004 to 1008 /允許業(yè)務VLAN 通過，必須同時允許VLAN1stp disable / 關閉stp，否那么stp 會將此端口blockmac-address max-mac-count 0 / 關閉mac 學習，防止mac 地址學習偏移#配置MQC：acl number 3200description Match-ALL-Addressrule 0 permit ipacl number 3300description Match-ALL-Addressrule 0 permit ip#acl number 4000 /匹配

6、二層組播和播送、ARPdescription Match-MultiCast-ARPrule 0 permit dest-mac 0100-0000-0000 ff00-0000-0000rule 5 permit dest-mac ffff-ffff-ffff ffff-ffff-ffffrule 10 permit type 0806 ffff#acl number 3400 /vlan1004-1008 效勞器之間互訪的流量，目的地址為效勞器網段description Match-Internal-Flowrule 0 permit iprule 5 permit iprule 10 p

7、ermit iprule 15 permit iprule 20 permit ip#acl number 3500 /vlan1001-1002 效勞器之間互訪的流量，目的地址為效勞器網段description Match-Internet-Flowrule 0 permit iprule 5 permit ip#traffic classifier Multicast-ARP operator andif-match acl 4000traffic classifier All-Address operator andif-match acl 3200if-match forwarding

8、-layer route /僅將三層轉發(fā)流量引流traffic classifier All-Address-2 operator andif-match acl 3300if-match forwarding-layer route /僅將三層轉發(fā)流量引流#traffic classifier Internal-Flow-1 operator andif-match acl 3400#traffic classifier Internet-Flow-2 operator andif-match acl 3500#traffic behavior Redirect_ACG_1redirect

9、interface Ten-GigabitEthernet1/5/0/1traffic behavior Redirect_ACG_2redirect interface Ten-GigabitEthernet2/5/0/1traffic behavior Allowfilter permittraffic behavior Deny-Multicast-ARPfilter deny#qos policy ACG-Deny-Multicast-ARPclassifier Multicast-ARP behavior Deny-Multicast-ARP#qos policy ACG_DOWN_

10、STREAM /下行流量MQCclassifier Multicast-ARP behavior Allow /組播、ARP 報文不上ACGclassifier Internet-Flow-2 behavior Allow /vlan1001 和vlan1002之間互訪的流量不上ACGclassifier All-Address behavior Redirect_ACG_1 /流量優(yōu)先上ACG_1classifier All-Address-2 behavior Redirect_ACG_2 /當ACG-1 失效后，流量上ACG_2#qos policy ACG_UP_STREAM /上行流

11、量classifier Multicast-ARP behavior Allow /組播、ARP 報文不上ACGclassifier Internal-Flow-1 behavior Allow /vlan1004-1008 之間互訪的流量不上ACGclassifier All-Address behavior Redirect_ACG_1classifier All-Address-2 behavior Redirect_ACG_2在S95E 相關接口上下發(fā)MQC:上聯接口：interface GigabitEthernet1/10/0/1qos apply policy ACG_DOWN_

12、STREAM inbound#interface GigabitEthernet2/10/0/1qos apply policy ACG_DOWN_STREAM inbound下聯的接口：interface GigabitEthernet1/10/0/7qos apply policy ACG_UP_STREAM inbound#interface GigabitEthernet2/10/0/7qos apply policy ACG_UP_STREAM inboundS95E 與ACG 插卡接口報文過濾配置interface Ten-GigabitEthernet1/5/0/1qos apply policy ACG-Deny-Multicast-ARP inbound /這里要在inbound 方向過濾，出方向本機發(fā)出的協議報文無法過濾。interface Ten-GigabitEthernet2/5/0/1