PBR Policy-Based Routing (How to Configure Policy Routing)

Editor: 小蝶  Updated: 2022-08-13

I. Policy routing configuration

1. Match packets by IP address (ACL) or prefix list

Router(config)#route-map rp-name

Router(config-route-map)#match ip address {access-list-number|name} […access-list-number|name]|prefix-list prefix-list-name […prefix-list-name]

Router(config)#route-map TEST

Router(config-route-map)#match ip address 1

2. Match packets by length

Router(config-route-map)#match length min max

3. Set the next-hop IP for the packet (must be a directly connected IP)

Router(config-route-map)#set ip next-hop ip-address […ip-address]

Router(config-route-map)#set ip next-hop 10.1.12.2 10.1.13.3

4. Set the outgoing interface for the packet

Router(config-route-map)#set interface type number […type number]

Router(config-route-map)#set interface fast 0/0

5. Apply PBR (takes effect on traffic entering the interface; has no effect on locally originated traffic)

Router(config-if)#ip policy route-map TEST

6. Apply PBR (takes effect on locally originated traffic)

Router(config)#ip local policy route-map TEST

7. Commands for viewing PBR

Router#show ip policy

Router#show route-map [map-name]

II. Policy routing scenarios

1. Backup path


GW(config)#access-list 1 permit any

GW(config)#route-map PBR permit 10

GW(config-route-map)#match ip address 1

GW(config-route-map)#set ip next-hop 10.1.1.2 10.2.2.2

2. Sensing upstream device state (both ends are Cisco devices with CDP enabled)


GW(config)#access-list 1 permit any

GW(config)#route-map PBR permit 10

GW(config-route-map)#match ip address 1

GW(config-route-map)#set ip next-hop 10.1.1.2 10.2.2.2

GW(config-route-map)#set ip next-hop verify-availability

3. Sensing upstream device state (using IP SLA; no Cisco peer or CDP required). Draft, to be completed


ip sla monitor responder

ip sla monitor 1

type echo protocol ipIcmpEcho 10.1.1.2 source-ipaddr 10.1.1.1

frequency 10

ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

GW(config)#access-list 1 permit any

GW(config)#route-map PBR permit 10

GW(config-route-map)#match ip address 1

GW(config-route-map)#set ip next-hop verify-availability 10.1.1.2 10 track 1

GW(config-route-map)#set ip next-hop verify-availability 10.2.2.2 20 track 2

4. The recursive keyword (reachable path)


The recursive keyword makes it possible to use a next hop that is not directly connected; the specified IP must be reachable.

GW(config)#access-list 1 permit any


GW(config)#route-map PBR permit 10

GW(config-route-map)#match ip address 1

GW(config-route-map)#set ip next-hop 10.2.2.2

GW(config-route-map)#set ip next-hop recursive 10.1.12.2


GW(config)#ip route 10.1.12.0 255.255.255.0 10.1.1.2

GW(config)#ip route 0.0.0.0 0.0.0.0 serial 0/2

III. Policy routing examples

1. Select the path by traffic (note: the route policies in the previous lesson all split paths by route)


Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Router(config)#access-list 2 permit 192.168.2.0 0.0.0.255

Router(config)#route-map test permit 10

Router(config-route-map)#match ip address 1

Router(config-route-map)#set ip next-hop 10.1.1.2

Router(config)#route-map test permit 40

Router(config-route-map)#match ip address 2

Router(config-route-map)#set ip next-hop 10.2.2.2

Router(config)#int f0/0

Router(config-if)#ip policy route-map test

Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2

Router(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2 10

2. The next-hop keyword without default: takes precedence over specific routes


R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255

R1(config)#route-map PBR permit 10

R1(config-route-map)#match ip address 1

R1(config-route-map)#set ip next-hop 10.1.13.3

R1(config)#int f0/0

R1(config-if)#ip policy route-map PBR

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.13.2

3. The next-hop keyword with default: lower precedence than specific routes


R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255

R1(config)#route-map PBR permit 10

R1(config-route-map)#match ip address 1

R1(config-route-map)#set ip default next-hop 10.1.13.3

R1(config)#int f0/0

R1(config-if)#ip policy route-map PBR

R1(config)#ip route 10.1.23.0 255.255.255.0 10.1.12.2
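
The precedence rule from cases 2 and 3 above, modelled in Python as an added example (not code from the original page). The function names, the combined routing table and the 203.0.113.9 destination are constructed; the model assumes permit entries that match on source address only and a policy next hop that is always reachable.

```python
import ipaddress

def rib_lookup(rib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def pbr_forward(src, dst, route_map, rib):
    """Return (next_hop, reason) for a packet arriving on a PBR-enabled interface.

    route_map: ordered (source_network, set_action, next_hop) entries, where
    set_action is "next-hop" or "default next-hop" (permit entries only).
    """
    src = ipaddress.ip_address(src)
    route = rib_lookup(rib, dst)
    for acl, action, nh in route_map:
        if src not in ipaddress.ip_network(acl):
            continue
        if action == "next-hop":
            return nh, "policy"            # policy wins over the routing table
        # "default next-hop": used only when no explicit route exists;
        # a 0.0.0.0/0 default route does not count as explicit.
        if route is None or route[0].prefixlen == 0:
            return nh, "policy-default"
        break                              # explicit route exists: route normally
    return (route[1], "rib") if route else (None, "drop")

# ACL and next hops from cases 2 and 3 of this page. The RIB combines the
# default route of case 2 with the specific route of case 3 (an assumption
# made here so that both behaviours show up in one table).
ACL1 = "10.1.1.0/24"
RIB = [("0.0.0.0/0", "10.1.13.2"), ("10.1.23.0/24", "10.1.12.2")]
CASE2 = [(ACL1, "next-hop", "10.1.13.3")]
CASE3 = [(ACL1, "default next-hop", "10.1.13.3")]

if __name__ == "__main__":
    for name, rm in (("case 2", CASE2), ("case 3", CASE3)):
        for dst in ("10.1.23.3", "203.0.113.9"):   # constructed destinations
            print(name, dst, pbr_forward("10.1.1.5", dst, rm, RIB))
```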

4. Policy routing with NAT


GW(config)#access-list 1 permit 192.168.1.0 0.0.0.255

GW(config)#access-list 2 permit 192.168.2.0 0.0.0.255

GW(config)#route-map PBR permit 10

GW(config-route-map)#match ip address 1

GW(config-route-map)#set ip next-hop 11.1.1.2

GW(config)#route-map PBR permit 20

GW(config-route-map)#match ip address 2

GW(config-route-map)#set ip next-hop 22.2.2.2

GW(config)#route-map nat1 permit 10

GW(config-route-map)#match ip address 1

GW(config-route-map)#match interface serial0/0 !! match the packet's outgoing interface

GW(config)#route-map nat2 permit 10

GW(config-route-map)#match ip address 1

GW(config)#route-map nat3 permit 10

GW(config-route-map)#match ip address 2

GW(config-route-map)#match interface serial0/1

GW(config)#route-map nat4 permit 10

GW(config-route-map)#match ip address 2

GW(config)#ip nat inside source route-map nat1 interface serial0/0 overload

GW(config)#ip nat inside source route-map nat2 interface serial0/1 overload

GW(config)#ip nat inside source route-map nat3 interface serial0/1 overload

GW(config)#ip nat inside source route-map nat4 interface serial0/0 overload