H3CS9500ES12500系列交换机上ACGIPS插卡MQC引流典型配置要点解析.docVIP

H3C S9500ES12500系列交换机上ACGIPS插卡MQC引流典型配置 组网需求： 某客户购买了两块SecBlade IPS插卡部署在S95E交换机上，为内网提供攻击检测和安全防护，两台交换机运行在IRF模式，外网用户访问服务器的流量经过IPS插卡，内部服务器互访的流量不上IPS插卡，并且两块插卡能实现主备，当其中一块插卡故障以后业务可以迅速切换到另一块插卡。 组网图： 如上图所示：两台S9505E交换机堆叠，每台交换机上插一块IPS插卡，内部服务器网关部署在交换机上，服务器互访的流量不经过IPS插卡，外部用户防范服务器的流量正常情况下经过IPS-1，当IPS-1故障以后，流量经过IPS-2。 交换机版本：Comware Software, Version 5.20, Release 1238P08 IPS插卡版本：i-Ware software, Version 1.10, Ess 2110P10 配置步骤： 交换机上关键配置： # acsei server enable //通过acsei协议对插卡进行时间同步和状态检测，实现主备切换 # acl number 3001 //匹配上插卡的流量 description Match-ALL-Address rule 0 permit ip acl number 3002 //匹配上插卡的流量，用于备份 description Match-ALL-Address rule 0 permit ip acl number 3004 //内网互访的流量不上插卡 description Match-Internal-Flow rule 0 permit ip destination 192.168.14.0 0.0.0.255 rule 5 permit ip destination 192.168.15.0 0.0.0.255 rule 10 permit ip destination 192.168.16.0 0.0.0.255 rule 15 permit ip destination 192.168.17.0 0.0.0.255 rule 20 permit ip destination 192.168.18.0 0.0.0.255 # acl number 4000 //匹配广播、组播和ARP报文 description Match-Multicast-Broadcast-ARP rule 0 permit dest-mac 0100-0000-0000 ff00-0000-0000 rule 5 permit dest-mac ffff-ffff-ffff ffff-ffff-ffff rule 10 permit type 0806 ffff # vlan 1001 to 1008 # vlan 4000 //用于IRF的BFD MAD检测 description Mad-Detection # traffic classifier Internal-Flow-1 operator and if-match acl 3004 traffic classifier Multicast-Broadcast-ARP operator and if-match acl 4000 traffic classifier All-Address-1 operator and if-match acl 3001 if-match forwarding-layer route //仅将三层转发流量引流 traffic classifier All-Address-2 operator and if-match acl 3002 if-match forwarding-layer route # traffic behavior Deny-Multicast-Broadcast-ARP filter deny traffic behavior Redirect-To-IPS-1 redirect interface Ten-GigabitEthernet1/4/0/1 traffic behavior Redirect-To-IPS-2 redirect interface Ten-GigabitEthernet2/4/0/1 traffic be