S12700: redirecting all traffic to the NGFW board breaks communication with the server

Published: 2016-03-20  Views: 127  Downloads: 0
Problem description

With NGFW-board redirection configured on an S12700, all traffic is redirected, and as a result the switch can no longer communicate with the server.

The server is directly connected to the S12700. Because all traffic is redirected, the server is unreachable. Traffic destined for the server has already been configured not to be redirected, but it still does not work.

Alarm information
Handling process

Original configuration:

#
acl number 2001
rule 5 permit source 10.14.0.0 0.0.3.255
rule 10 permit source 10.10.0.0 0.0.3.255
rule 15 permit source 10.11.0.0 0.0.3.255
rule 20 permit source 10.12.0.0 0.0.3.255
rule 25 permit source 10.13.0.0 0.0.3.255
rule 30 permit source 10.15.0.0 0.0.3.255
rule 35 deny
#
acl number 3000
rule 5 permit ip destination 10.252.0.2 0
rule 10 permit ip destination 10.252.0.3 0
#
traffic classifier classifier1 operator or precedence 5
if-match acl 2001
traffic classifier liwai operator or precedence 10
if-match acl 3000
#
traffic behavior behavior3
permit
redirect ip-nexthop 10.252.0.9
traffic behavior liwai
permit
#
traffic policy policy3 match-order config
classifier classifier1 behavior behavior3
classifier liwai behavior liwai
#

interface XGigabitEthernet1/0/0
description To_Quzhengfu
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-policy policy3 inbound
#

Changed to:

Add an advanced ACL that matches the same source ranges:
acl 3333
rule 5 permit ip source 10.14.0.0 0.0.3.255
rule 10 permit ip source 10.10.0.0 0.0.3.255
rule 15 permit ip source 10.11.0.0 0.0.3.255
rule 20 permit ip source 10.12.0.0 0.0.3.255
rule 25 permit ip source 10.13.0.0 0.0.3.255
rule 30 permit ip source 10.15.0.0 0.0.3.255
quit
Modify the existing traffic classifier so it references the advanced ACL instead of basic ACL 2001:
traffic classifier classifier1 operator or precedence 5
if-match acl 3333
quit
Adjust the order of classifiers in the traffic policy so the exemption classifier comes first:
traffic policy policy3 match-order config
classifier liwai behavior liwai
classifier classifier1 behavior behavior3
Re-apply policy3 on the interface

Root cause
Even though the traffic policy uses match-order config (classifiers are matched in configuration order), when a classifier references a basic ACL the traffic policy still applies that classifier's action with priority. The redirect classifier classifier1 (basic ACL 2001) therefore took precedence over the exemption classifier liwai (advanced ACL 3000), and server-bound traffic was redirected regardless of the exemption.
Solution

Change all classifiers in the policy to reference ACLs of the same type. Here the source-based basic ACL 2001 was replaced by the advanced ACL 3333, and the exemption classifier liwai was moved ahead of the redirect classifier classifier1 in policy3.

Suggestions and summary
When configuring policy-based routing (redirection), use advanced ACLs throughout, even when only the source address needs to be matched. Keep the exemption ACL (here acl 3000) limited to the specific hosts that must bypass the NGFW, since any traffic it matches is never inspected, and after re-applying the policy confirm from both the server side and the NGFW that server-bound flows no longer take the redirect path.
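The two changes made in the handling process above (classifiers of one ACL type, exemption classifier listed first) can be checked mechanically before a policy is applied. The Python script below is an added example and is not code from the original case or from Huawei. It parses only the VRP statements that appear on this page, and the sample configurations embedded in it are constructed trimmed copies of the original and corrected policy3. Two simplifications are assumptions of this example rather than documented platform behaviour: a deny hit or no rule hit is treated as "classifier does not match", and the basic-ACL priority described in the root cause is deliberately not modelled, so the simulator shows what pure configuration-order matching would give. Run against the original policy it reports both defects and shows that, even under ideal ordering, a 10.14.0.0/22 host reaching 10.252.0.2 would have hit the redirect classifier first because the exemption was listed second; against the corrected policy it reports nothing and the exemption wins.

```python
"""Lint a VRP-style traffic policy for the two defects fixed in this case.

Added example, not code from the original case or from Huawei.  Only the
statements shown on this page are parsed (acl / rule / traffic classifier /
traffic behavior / traffic policy).  Assumptions: a deny hit or no rule hit
means "classifier does not match", and matching is simulated purely in
configuration order (the basic-ACL priority quirk is NOT modelled).
"""
import re
from ipaddress import ip_address

# Constructed sample: a trimmed copy of the original (broken) policy3.
ORIGINAL_CONFIG = """
acl number 2001
 rule 5 permit source 10.14.0.0 0.0.3.255
 rule 10 permit source 10.10.0.0 0.0.3.255
acl number 3000
 rule 5 permit ip destination 10.252.0.2 0
 rule 10 permit ip destination 10.252.0.3 0
traffic classifier classifier1 operator or precedence 5
 if-match acl 2001
traffic classifier liwai operator or precedence 10
 if-match acl 3000
traffic behavior behavior3
 permit
 redirect ip-nexthop 10.252.0.9
traffic behavior liwai
 permit
traffic policy policy3 match-order config
 classifier classifier1 behavior behavior3
 classifier liwai behavior liwai
"""

# The same three changes the case applied: advanced ACL 3333 instead of basic
# 2001, classifier1 re-pointed at it, and the exemption classifier moved first.
FIXED_CONFIG = (
    ORIGINAL_CONFIG
    .replace("acl number 2001", "acl number 3333")
    .replace("permit source", "permit ip source")
    .replace("if-match acl 2001", "if-match acl 3333")
    .replace(" classifier classifier1 behavior behavior3\n classifier liwai behavior liwai",
             " classifier liwai behavior liwai\n classifier classifier1 behavior behavior3")
)


def parse_config(text):
    """Return dict of acls, classifiers, behaviors and policies from VRP-style text."""
    cfg = {"acls": {}, "classifiers": {}, "behaviors": {}, "policies": {}}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if m := re.match(r"acl(?: number)? (\d+)$", line):
            section, key = "acls", int(m.group(1))
            cfg["acls"][key] = []
        elif m := re.match(r"traffic classifier (\S+)", line):
            section, key = "classifiers", m.group(1)
            cfg["classifiers"][key] = []
        elif m := re.match(r"traffic behavior (\S+)$", line):
            section, key = "behaviors", m.group(1)
            cfg["behaviors"][key] = {"redirect": None}
        elif m := re.match(r"traffic policy (\S+)", line):
            section, key = "policies", m.group(1)
            cfg["policies"][key] = []
        elif section == "acls" and (m := re.match(
                r"rule \d+ (permit|deny)(?: ip)?(?: (source|destination) (\S+) (\S+))?$", line)):
            cfg["acls"][key].append(m.groups())        # (action, field, base, wildcard)
        elif section == "classifiers" and (m := re.match(r"if-match acl (\d+)$", line)):
            cfg["classifiers"][key].append(int(m.group(1)))
        elif section == "behaviors" and (m := re.match(r"redirect ip-nexthop (\S+)$", line)):
            cfg["behaviors"][key]["redirect"] = m.group(1)
        elif section == "policies" and (m := re.match(r"classifier (\S+) behavior (\S+)$", line)):
            cfg["policies"][key].append((m.group(1), m.group(2)))
    return cfg


def acl_type(number):
    """VRP numbering: 2000-2999 basic (source only), 3000-3999 advanced."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    return "other"


def _wildcard_hit(addr, base, wildcard):
    """Match addr against base/wildcard; VRP writes a host wildcard as plain '0'."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ip_address(wildcard))   # bits that must be equal
    return int(ip_address(addr)) & care == int(ip_address(base)) & care


def acl_permits(rules, src, dst):
    """First matching rule wins. Assumption: deny or no hit = classifier does not match."""
    for action, field, base, wildcard in rules:
        if field is None or _wildcard_hit(src if field == "source" else dst, base, wildcard):
            return action == "permit"
    return False


def first_match(cfg, policy, src, dst):
    """Simulate match-order config: first classifier whose ACL permits the packet wins.
    Returns (classifier, behavior, redirect next hop or None), or None if nothing matches."""
    for cls, beh in cfg["policies"][policy]:
        if any(acl_permits(cfg["acls"][a], src, dst) for a in cfg["classifiers"][cls]):
            return cls, beh, cfg["behaviors"][beh]["redirect"]
    return None


def lint_policy(cfg, policy):
    """Flag mixed ACL types in one policy, and an exemption listed after a redirect."""
    findings = []
    types = {acl_type(a) for cls, _ in cfg["policies"][policy] for a in cfg["classifiers"][cls]}
    if len(types) > 1:
        findings.append(f"{policy}: classifiers mix ACL types {sorted(types)}; use one type")
    redirect_seen = False
    for cls, beh in cfg["policies"][policy]:
        if cfg["behaviors"][beh]["redirect"]:
            redirect_seen = True
        elif redirect_seen:
            findings.append(f"{policy}: exemption classifier {cls} is listed after a redirect; move it first")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, lint_policy(cfg, "policy3") or "no findings")
        print("  10.14.0.1 -> 10.252.0.2:", first_match(cfg, "policy3", "10.14.0.1", "10.252.0.2"))
        print("  10.14.0.1 -> 198.51.100.7:", first_match(cfg, "policy3", "10.14.0.1", "198.51.100.7"))
```

The simulator is intentionally naive: it exists to show what the configured order promises, so that the lint findings (mixed ACL types, exemption after redirect) explain the gap between that promise and what the switch actually did.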

END