【实验拓扑】
本文实验采用的交换机是H3C模拟器,下载地址如下: http://forum.h3c.com/forum.php? mod=viewthread&tid=109740&highlight=H3C%E6%A8%A1%E6% 8B%9F%E5%99%A8 有兴趣的朋 友可以在论坛上去下载
【组网需求】
普通的报文转发是依据报文的目的地址查询转发表来实现的。策略路由支持基于acl包过滤、地址长度等信息,灵活地指定路由。而acl报文过滤则可以根据报文的源ip、目的ip、协议、端口号、优先级、tos、时间段、***等各种丰富的信息将报文分类,然后控制将这些报文按照不同的路由转发出去。本实验难通过源IP来控制报文的下一跳。
策略路由分类
接口策略路由
接口策略路由只对转发的报文起作用,对本地产生的报文(比如本地的ping报文)不起作用。而本地策略路由只对本地产生的报文起作用,对转发的报文不起作用。
接口策略路由配置在接口视图下。
本地策略路由
本地产生的报文的策略路由配置在系统视图下。
注意:组播策略路由只支持转发的报文,不对路由器本机产生的报文进行策略路由。
R5上有两个网段100.100.100.100,200.200.200.200,用Loop0和loop1代替,去R4的10.1.1.1 在经R1时默认的下一跳有两个,但是为了演示PBR的用法,现根据不同的源地址来给不同的下一跳。
【配置信息】
R1:
acl number 2000
rule 0 permit source 100.100.100.100 0
acl number 2001
rule 0 permit source 200.200.200.200 0
#
interface Serial0/6/0
link-protocol ppp
ip address 192.168.12.1 255.255.255.0
#
interface Serial0/6/1
link-protocol ppp
ip address 192.168.13.1 255.255.255.0
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
ip address 172.16.15.1 255.255.255.0
ip policy-based-route 123
#
ospf 1
default-route-advertise always
area 0.0.0.0
network 192.168.12.0 0.0.0.255
network 192.168.13.0 0.0.0.255
network 172.16.15.0 0.0.0.255
#
policy-based-route 123 permit node 10
if-match acl 2000
apply ip-address next-hop 192.168.12.2
policy-based-route 123 permit node 20
if-match acl 2001
apply ip-address next-hop 192.168.13.2
#
ip route-static 100.100.100.100 255.255.255.255 172.16.15.2
ip route-static 200.200.200.200 255.255.255.255 172.16.15.2
R2:
interface Serial0/6/0
link-protocol ppp
ip address 192.168.12.2 255.255.255.0
#
interface Serial0/6/1
link-protocol ppp
ip address 192.168.24.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.24.0 0.0.0.255
network 192.168.12.0 0.0.0.255
R3:
interface Serial0/6/0
link-protocol ppp
ip address 192.168.34.1 255.255.255.0
#
interface Serial0/6/1
link-protocol ppp
ip address 192.168.13.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.13.0 0.0.0.255
network 192.168.34.0 0.0.0.255
#
R4:
#
interface Serial0/6/0
link-protocol ppp
ip address 192.168.34.2 255.255.255.0
#
interface Serial0/6/1
link-protocol ppp
ip address 192.168.24.2 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.168.24.0 0.0.0.255
network 192.168.34.0 0.0.0.255
network 10.1.1.1 0.0.0.0
#
R5:
#
interface Serial0/6/3
link-protocol ppp
ip address 172.16.15.2 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 100.100.100.100 255.255.255.255
#
interface LoopBack1
ip address 200.200.200.200 255.255.255.255
ip route-static 0.0.0.0 0.0.0.0 172.16.15.1
【验证】
如下,去10.1.1.1有两个下一跳,路由表中显示192.168.12.2是默认的下一跳,现用PBR来干预下一跳的指向
[R1]dis ip ro
Routing Tables: Public
Destinations : 16 Routes : 17
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.1/32 OSPF 10 3124 192.168.12.2 S0/6/0
OSPF 10 3124 192.168.13.2 S0/6/1
1、先在R1打开调试开关
<R1>t d
% Current terminal debugging is on
<R1>t m
% Current terminal monitor is on
<R1>deb
<R1>debugging ip p
<R1>debugging ip packet
<R1>debugging ip policy-based-route
2、用R5带源地址Ping
<R5>ping -a 100.100.100.100 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=253 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=253 time=20 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=253 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=253 time=10 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/9/20 ms
<R5>
<R5>ping -a 200.200.200.200 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=253 time=10 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=253 time=26 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/9/26 ms
3、R1出现如下的调试信息:
[R1-Serial0/6/3]
*Feb 28 22:45:14:781 2013 R1 PBR/7/POLICY-ROUTING:IP policy based routing success : POLICY_ROUTEMAP : 123, Node : 10, next-hop : 192.168.12.2
*Feb 28 22:45:25:00 2013 R1 PBR/7/POLICY-ROUTING:IP policy based routing success : POLICY_ROUTEMAP : 123, Node : 20, next-hop : 192.168.13.2
不同的源地址Ping过来,下一跳指向不同,实验完成。
转载于:https://blog.51cto.com/hciewd/1142797
认证指南,第 7 部分: IDS复制(24))
)
