H3C S9500ES12500系列交換機上ACGIPS插卡MQC引流典型配置

1、H3C S9500E&S12500系列交換機上ACG&IPS插卡MQC引流典型配置一、 組網(wǎng)需求：某客戶購買了兩塊SecBlade IPS插卡部署在S95E交換機上，為內網(wǎng)提供攻擊檢測和安全防護，兩臺交換機運行在IRF模式，外網(wǎng)用戶訪問服務器的流量經(jīng)過IPS插卡，內部服務器互訪的流量不上IPS插卡，并且兩塊插卡能實現(xiàn)主備，當其中一塊插卡故障以后業(yè)務可以迅速切換到另一塊插卡。二、 組網(wǎng)圖：如上圖所示：兩臺S9505E交換機堆疊，每臺交換機上插一塊IPS插卡，內部服務器網(wǎng)關部署在交換機上，服務器互訪的流量不經(jīng)過IPS插卡，外部用戶防范服務器的流量正常情況下經(jīng)過IPS-1，當IPS-1故障以后，流量

2、經(jīng)過IPS-2。交換機版本：Comware Software, Version 5.20, Release 1238P08IPS插卡版本：i-Ware software, Version 1.10, Ess 2110P10三、 配置步驟：交換機上關鍵配置：# acsei server enable /通過acsei協(xié)議對插卡進行時間同步和狀態(tài)檢測，實現(xiàn)主備切換# acl number 3001 /匹配上插卡的流量 description Match-ALL-Address rule 0 permit ipacl number 3002 /匹配上插卡的流量，用于備份 description Ma

3、tch-ALL-Address rule 0 permit ipacl number 3004 /內網(wǎng)互訪的流量不上插卡 description Match-Internal-Flow rule 0 permit ip destination 192.168.14.0 0.0.0.255 rule 5 permit ip destination 192.168.15.0 0.0.0.255 rule 10 permit ip destination 192.168.16.0 0.0.0.255 rule 15 permit ip destination 192.168.17.0 0.0.0.2

4、55 rule 20 permit ip destination 192.168.18.0 0.0.0.255#acl number 4000 /匹配廣播、組播和ARP報文description Match-Multicast-Broadcast-ARP rule 0 permit dest-mac 0100-0000-0000 ff00-0000-0000 rule 5 permit dest-mac ffff-ffff-ffff ffff-ffff-ffff rule 10 permit type 0806 ffff#vlan 1001 to 1008#vlan 4000 /用于IRF的B

5、FD MAD檢測 description Mad-Detection#traffic classifier Internal-Flow-1 operator and if-match acl 3004traffic classifier Multicast-Broadcast-ARP operator and if-match acl 4000traffic classifier All-Address-1 operator and if-match acl 3001 if-match forwarding-layer route /僅將三層轉發(fā)流量引流traffic classifier A

6、ll-Address-2 operator and if-match acl 3002 if-match forwarding-layer route# traffic behavior Deny-Multicast-Broadcast-ARP filter denytraffic behavior Redirect-To-IPS-1 redirect interface Ten-GigabitEthernet1/4/0/1traffic behavior Redirect-To-IPS-2 redirect interface Ten-GigabitEthernet2/4/0/1traffi

7、c behavior Allow filter permit#qos policy Deny-Multicast-Broadcast-ARP /本地產(chǎn)生的組播、廣播和ARP報文不上插卡 classifier Multicast-Broadcast-ARP behavior Deny-Multicast-Broadcast-ARPqos policy DOWN_STREAM classifier Multicast-Broadcast-ARP behavior Allow /廣播等報文不上插卡 classifier All-Address-1 behavior Redirect-To-IPS-1

8、 /流量先上IPS-1 classifier All-Address-2 behavior Redirect-To-IPS-2 /IPS-1故障后上IPS-2qos policy UP_STREAM classifier Multicast-Broadcast-ARP behavior Allow classifier Internal-Flow-1 behavior Allow /內網(wǎng)互訪流量不上插卡 classifier All-Address-1 behavior Redirect-To-IPS-1 classifier All-Address-2 behavior Redirect-T

9、o-IPS-2#interface Vlan-interface1001 ip address 192.168.11.254 255.255.255.0#interface Vlan-interface1002 ip address 192.168.12.254 255.255.255.0#interface Vlan-interface1004 ip address 192.168.14.254 255.255.255.0#interface Vlan-interface1005 ip address 192.168.15.254 255.255.255.0#interface Vlan-i

10、nterface1006 ip address 192.168.16.254 255.255.255.0#interface Vlan-interface1007 ip address 192.168.17.254 255.255.255.0#interface Vlan-interface1008 ip address 192.168.18.254 255.255.255.0# interface Vlan-interface4000 /BFD MAD檢測VLAN mad bfd enable mad ip address 200.0.0.1 255.255.255.252 chassis

11、1 mad ip address 200.0.0.2 255.255.255.252 chassis 2#interface GigabitEthernet1/2/0/17 /專用于MAD檢測的端口，關閉STP port access vlan 4000 stp disable#interface GigabitEthernet2/2/0/17 port access vlan 4000 stp disable#接口上下發(fā)MQC:#interface GigabitEthernet1/2/0/1 port access vlan 1004 qos apply policy UP_STREAM

12、inbound#interface GigabitEthernet1/2/0/2 port access vlan 1001 qos apply policy DOWN_STREAM inbound#interface GigabitEthernet2/2/0/1 port access vlan 1008 qos apply policy UP_STREAM inbound#interface GigabitEthernet2/2/0/2 port access vlan 1002 qos apply policy DOWN_STREAM inbound#S95E與IPS插卡接口配置：#in

13、terface Ten-GigabitEthernet1/4/0/1 port link-type trunk port trunk permit vlan 1 1001 to 1008 /必須允許VLAN 1通過，否則跨框重定向報文不生效 stp disable qos apply policy Deny-Multicast-Broadcast-ARP inbound /防止本地產(chǎn)生的組播、廣播、ARP報文從內斂口轉發(fā)到插卡，S95E&S12500對于本機發(fā)出的協(xié)議報文，用MQC在outbound方向不能過濾，會導致環(huán)路，ospf鄰居down等問題，所以需要在inbound方向過濾 mac-

14、address max-mac-count 0#interface Ten-GigabitEthernet2/4/0/1 port link-type trunk port trunk permit vlan 1 1001 to 1008 stp disable qos apply policy Deny-Multicast-Broadcast-ARP inbound mac-address max-mac-count 0 #acsei server /配置acsei時間參數(shù)，一般保持默認即可 acsei timer clock-sync 1 /配置插卡同步時間的間隔，單位分鐘，默認5分鐘 a

15、csei timer monitor 1 /配置對插卡的監(jiān)控時間間隔，單位是秒，默認5秒#irf-port 1/1 port group interface GigabitEthernet1/2/0/15 port group interface GigabitEthernet1/2/0/16#irf-port 2/2 port group interface GigabitEthernet2/2/0/15 port group interface GigabitEthernet2/2/0/16#IPS插卡相關配置（兩快IPS插卡的配置一樣）：1.去使能OAA ACFP Client。在本方案

16、中，不使能acfp功能。2.安全域接口都選擇為Xeth0-0 (內聯(lián)口)，內部域In選擇所有服務器的VLAN（如1004-1008），外部域Out選擇上行的VLAN（如1001 1002等）。插卡測試情況：1. 手工shutdown交換機連IPS-1插卡內聯(lián)口或者IPS-1插卡自身萬兆口，業(yè)務切換到IPS-2：2. 手工undo shutdown交換機連IPS-1插卡內聯(lián)口或者IPS-1插卡自身萬兆口，業(yè)務切換回IPS-1插卡：3. 同時shutdown兩塊IPS插卡，流量直接透傳：4. 如果不配置acsei，IPS-1故障后，MQC不會失效，流量中斷： 四、 配置關鍵點：1. 必須使能acsei server功能，ACSEI跟QoS策略（重定向或鏡像）配合使用：如果插卡故障，ACSEI協(xié)議會檢測到client端異常，從而會設置QoS策略無效，不再匹配策略引流。這樣在一塊插卡發(fā)生故障時，業(yè)務可以被重定向到另一塊，兩塊插卡都故障時，報文直接透傳，不會影響流量的正常轉發(fā)。2. 交換機連插卡的萬兆接口必須允許VLAN 1通過，PVID是不是1沒關系，否則跨框重定向報文不生效。3. 交換機連插卡的萬兆接口必須關閉STP功能，否則接口可能會被STP協(xié)議block，默認接口STP狀態(tài)開啟。4.