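Integrated Routing Lab: Deploying and Implementing PBR
I. Lab objectives:
(1) Learn to configure PBR and use it to control path selection
(2) Gain a deeper understanding of how PBR works
(3) Use ACLs to understand router architecture and path-selection principles
(4) Appreciate how advanced routing control is applied in real-world engineering
II. Topology: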
 
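III. Lab steps
(1) Link configuration:
     Following the topology diagram, configure the links on R1, R2, R3 and R4 in turn, then check the interface status.

Note: On R2 and R3, set an OSPF cost of 100 on S0/1 and a cost of 200 on S0/2 to build a backup link. The direct goal of this lab is to make traffic between R1's 172.16.1.0 network and 4.4.4.4 on R4 cross the 192.168.2.4 network, that is, to communicate over the backup link via 192.168.2.6 and 192.168.2.5. Ping is used in the lab to simulate the traffic between the two.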
R2(config)#inter s0/1
R2(config-if)#ip ospf cost 100
R2(config)#inter s0/2
R2(config-if)#ip ospf cost 200
    
R1(config)#do show ip inter br
Interface          IP-Address      OK? Method Status                Protocol
Serial0/0          192.168.1.1     YES NVRAM  up                    up     
Serial0/1          unassigned      YES NVRAM  administratively down   down   
Serial0/2          unassigned      YES NVRAM  administratively down   down   
Serial0/3          unassigned      YES NVRAM  administratively down   down   
Ethernet1/0        172.16.1.10     YES NVRAM  up                    up     
Ethernet1/1        172.16.2.20     YES NVRAM  up                    up     
Ethernet1/2        unassigned      YES NVRAM  administratively down   down   
Ethernet1/3        unassigned      YES NVRAM  administratively down   down 
(2) Configure OSPF routing:
      Configure multi-area OSPF on the routers according to the topology diagram.
R1(config)#router  ospf 1
R1(config-router)#router-id 192.168.1.1
R1(config-router)#network 172.16.1.0 0.0.0.255 a 1
R1(config-router)#network 172.16.2.0 0.0.0.255 a 1
R1(config-router)#network 192.168.1.0 0.0.0.3 a 1
R1(config-router)#passive-inter  e1/0
R1(config-router)#passive-inter  e1/1
R2(config)#router  ospf 1
R2(config-router)#router-id 192.168.2.5
R2(config-router)#network 192.168.1.0 0.0.0.3 a 1
R2(config-router)#network 192.168.2.0 0.0.0.3 a 0
R2(config-router)#network 192.168.2.4 0.0.0.3 a 0
R3(config)#router  ospf 1
R3(config-router)#router-id 192.168.3.1
R3(config-router)#network 192.168.2.0 0.0.0.3 a 0
R3(config-router)#network 192.168.2.4 0.0.0.3 a 0
R3(config-router)#network 192.168.3.0 0.0.0.3 a 2
R4(config)#router  ospf 1
R4(config-router)#router-id 4.4.4.4
R4(config-router)#network 4.4.4.0 0.0.0.255 a 2
R4(config-router)#network 3.3.3.0 0.0.0.255 a 2
R4(config-router)#network 192.168.3.0 0.0.0.3 a 2
R4(config-router)#passive-inter  lo 10
R4(config-router)#passive-inter  lo 20
After configuration, check the routing table:
R1(config)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/193] via 192.168.1.2, 00:25:30, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/193] via 192.168.1.2, 00:25:30, Serial0/0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Ethernet1/0
C       172.16.2.0 is directly connected, Ethernet1/1
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0
     192.168.2.0/30 is subnetted, 2 subnets
O IA    192.168.2.0 [110/128] via 192.168.1.2, 00:27:37, Serial0/0
O IA    192.168.2.4 [110/264] via 192.168.1.2, 00:27:37, Serial0/0
     192.168.3.0/30 is subnetted, 1 subnets
O IA    192.168.3.0 [110/192] via 192.168.1.2, 00:25:51, Serial0/0
(3) Configure PBR on S0/0 of R2 and of R3
        R2(config)#access-list 101 permit icmp 172.16.1.0 0.0.0.255 host 4.4.4.4
        R2(config)#route-map NET-go permit 10 //define a route-map named NET-go
        R2(config-route-map)#match ip address 101 //match the IP packets defined by ACL 101
        R2(config-route-map)#set ip next-hop 192.168.2.6 //set the next hop for IP packets matching ACL 101
        R2(config-route-map)#interface Serial0/0
        R2(config-if)#ip policy route-map NET-go //apply PBR to the interface
        Check the PBR configuration:
        R2(config)#do show ip policy 
Interface      Route map
Serial0/0      NET-go
        R3(config)#access-list 101 permit icmp host 4.4.4.4 172.16.1.0 0.0.0.255
        R3(config)#route-map NET-back permit 10
        R3(config-route-map)#match ip address 101
        R3(config-route-map)#set ip next-hop 192.168.2.5
        R3(config-route-map)#interface Serial0/0
        R3(config-if)#ip policy route-map NET-back
        Check the PBR configuration:
R3#show ip policy
Interface      Route map
Serial0/0      NET-back
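(4) Verify the configuration:
        On R1, ping 4.4.4.4 with source 172.16.1.10, and check the result using one of the following methods:
        ① traceroute 4.4.4.4 source 172.16.1.10 (requires IOS version support)
        ② View the debug output on R2 and R3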
R1#ping 4.4.4.4 sour 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/148/172 ms
View the debug output on R2 and R3:
R2#debug ip policy
Policy routing debugging is on
R2#
*Mar  1 00:01:15.291: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 00:01:15.291: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, g=192.168.2.6, len 100, FIB policy routed
*Mar  1 00:01:15.435: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 00:01:15.435: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, g=192.168.2.6, len 100, FIB policy routed
*Mar  1 00:01:15.635: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 00:01:15.635: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, g=192.168.2.6, len 100, FIB policy routed
*Mar  1 00:01:15.771: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, len 100, FIB policy match
R2#
*Mar  1 00:01:15.771: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, g=192.168.2.6, len 100, FIB policy routed
*Mar  1 00:01:15.883: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, len 100, FIB policy match
*Mar  1 00:01:15.883: IP: s=172.16.1.10 (Serial0/0), d=4.4.4.4, g=192.168.2.6, len 100, FIB policy routed

R3#debug ip policy
Policy routing debugging is on
R3#
*Mar  1 00:01:12.319: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, len 100, FIB policy match
*Mar  1 00:01:12.319: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, g=192.168.2.5, len 100, FIB policy routed
*Mar  1 00:01:12.499: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, len 100, FIB policy match
*Mar  1 00:01:12.499: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, g=192.168.2.5, len 100, FIB policy routed
*Mar  1 00:01:12.687: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, len 100, FIB policy match
*Mar  1 00:01:12.687: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, g=192.168.2.5, len 100, FIB policy routed
*Mar  1 00:01:12.839: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, len 100, FIB policy match
R3#
*Mar  1 00:01:12.839: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, g=192.168.2.5, len 100, FIB policy routed
*Mar  1 00:01:12.943: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, len 100, FIB policy match
*Mar  1 00:01:12.943: IP: s=4.4.4.4 (Serial0/0), d=172.16.1.10, g=192.168.2.5, len 100, FIB policy routed
Extended tests:
① On R1, ping 3.3.3.3 with source 172.16.1.10
R1#ping 3.3.3.3 sour 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/137/220 ms
           
            Debug output:
            R2#
*Mar  1 00:05:58.355: IP: s=172.16.1.10 (Serial0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:58.579: IP: s=172.16.1.10 (Serial0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:58.683: IP: s=172.16.1.10 (Serial0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:58.839: IP: s=172.16.1.10 (Serial0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:58.931: IP: s=172.16.1.10 (Serial0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) - normal forwarding
R3#
*Mar  1 00:05:55.439: IP: s=3.3.3.3 (Serial0/0), d=172.16.1.10, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:55.607: IP: s=3.3.3.3 (Serial0/0), d=172.16.1.10, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:55.711: IP: s=3.3.3.3 (Serial0/0), d=172.16.1.10, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:55.863: IP: s=3.3.3.3 (Serial0/0), d=172.16.1.10, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:05:55.947: IP: s=3.3.3.3 (Serial0/0), d=172.16.1.10, len 100, FIB policy rejected(no match) - normal forwarding
② On R1, ping 4.4.4.4 with source 172.16.2.20
R1#ping 4.4.4.4 source 172.16.2.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/203/244 ms
Debug output:
R2#
*Mar  1 00:10:44.651: IP: s=172.16.2.20 (Serial0/0), d=4.4.4.4, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:44.915: IP: s=172.16.2.20 (Serial0/0), d=4.4.4.4, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:45.107: IP: s=172.16.2.20 (Serial0/0), d=4.4.4.4, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:45.299: IP: s=172.16.2.20 (Serial0/0), d=4.4.4.4, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:45.515: IP: s=172.16.2.20 (Serial0/0), d=4.4.4.4, len 100, FIB policy rejected(no match) - normal forwarding
R3#
*Mar  1 00:10:41.719: IP: s=4.4.4.4 (Serial0/0), d=172.16.2.20, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:41.983: IP: s=4.4.4.4 (Serial0/0), d=172.16.2.20, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:42.151: IP: s=4.4.4.4 (Serial0/0), d=172.16.2.20, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:42.391: IP: s=4.4.4.4 (Serial0/0), d=172.16.2.20, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 00:10:42.587: IP: s=4.4.4.4 (Serial0/0), d=172.16.2.20, len 100, FIB policy rejected(no match) - normal forwarding
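IV. Summary of key technical points:
PBR is mainly used for flow-based or source-based path selection and is a forwarding-plane behavior of the router. PBR uses an ACL to identify the traffic source and selects the route according to that source, that is, path selection is driven by the source IP. It therefore only needs to be applied on the interface where the traffic enters, with no direction to specify as there is for an ACL. In general it should be used as sparingly as possible, unless the intended goal cannot be achieved any other way. In addition, in this lab the ping packet size can be matched along with the IP match. For example, to apply PBR to ping packets with a length of 0 to 200 (the default length is 100), the following configuration is needed: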
Match ip address 101
Match length 0 200
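With this in place, PBR can be verified in an extended ping test by specifying the ping packet size: ping packets with a length of 0 to 200 have PBR applied and travel via 192.168.2.6 and 192.168.2.5, while ping packets outside this range are forwarded normally.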
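An added Python model (not part of the original lab document) of the decision R2 makes for each packet arriving on S0/0: ACL 101's wildcard match and the optional `match length` range must both hold before the `set ip next-hop` address is used. The function names are assumptions, and the model covers only the clauses used in this lab.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


# ACL 101 on R2 from the lab: permit icmp 172.16.1.0 0.0.0.255 host 4.4.4.4
# ("host X" is shorthand for address X with wildcard 0.0.0.0)
ACL_101 = [("permit", "icmp", ("172.16.1.0", "0.0.0.255"), ("4.4.4.4", "0.0.0.0"))]


def acl_permits(acl, proto, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, p, (sb, sw), (db, dw) in acl:
        if (p in (proto, "ip") and wildcard_match(src, sb, sw)
                and wildcard_match(dst, db, dw)):
            return action == "permit"
    return False


def pbr_next_hop(proto, src, dst, length, acl=ACL_101,
                 length_range=None, set_next_hop="192.168.2.6"):
    """Return the policy next hop, or None for normal routing-table forwarding.

    All match clauses in one route-map entry must hold (logical AND).
    length_range models "match length <min> <max>" and is optional.
    """
    if not acl_permits(acl, proto, src, dst):
        return None
    if length_range and not (length_range[0] <= length <= length_range[1]):
        return None
    return set_next_hop


if __name__ == "__main__":
    # The three pings from the lab, then the length-restricted variant.
    print(pbr_next_hop("icmp", "172.16.1.10", "4.4.4.4", 100))
    print(pbr_next_hop("icmp", "172.16.1.10", "3.3.3.3", 100))
    print(pbr_next_hop("icmp", "172.16.2.20", "4.4.4.4", 100))
    print(pbr_next_hop("icmp", "172.16.1.10", "4.4.4.4", 500, length_range=(0, 200)))
```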
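Summary of PBR implementation essentials:

Use an ACL to select packets:
Access-list 1 permit 172.16.1.0 0.0.0.255 //define the specific packets
Access-list 101 permit tcp host 172.16.1.10 host 4.4.4.4 eq 23
Define the policy route in global configuration mode:
Route-map PBR permit  10 //define a route-map named PBR; 10 is the sequence number
Match ip address 1 //define the IP addresses to match
Set ip next-hop 192.168.2.6 //specify the next hop
Apply the policy to the interface where the traffic enters:
Interface S0/0
Ip policy route-map PBR //applied on the ingress interface; no in or out direction needs to be specified
Check the PBR configuration:
Show ip policy
Verify that PBR has been applied successfully:
Traceroute DestIP source SourIP
Or view the debug output on the device where PBR is applied:
Debug ip policy
If it has been applied successfully, the following messages appear:
FIB policy match //PBR matched successfully
g=192.168.2.5, len 100, FIB policy routed //policy routing applied; the packet takes the specified next hop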
 
 
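Note: The command Traceroute DestIP source SourIP appears in teacher Zhang Xuanbo's (张选波) PBR lab document, but my simulator does not support traceroute with a source address; I suspect it is an IOS version issue. I can't be sure, though. This is the first time I have written a lab document myself, so oversights and even mistakes are hard to avoid; criticism and corrections are welcome!

I hope we all keep growing and improving through our exchanges!

I would also like to take this opportunity to thank our lab instructor for giving us the chance to write our own lab documents!

I look forward to exchanging ideas with everyone. If you find this lab document helpful, you can download the attachment.
QQ: 76168200 Email: xmw80888@163.com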