Policy-Based Routing with the set ip default next-hop and set ip next-hop Commands Configuration Example

August 28, 2015 - Machine translation

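Introduction

This document provides sample configurations for policy-based routing (PBR) that use the set ip default next-hop and set ip next-hop commands.

The set ip default next-hop command verifies whether the destination IP address exists in the routing table, and:

  • If the destination IP address exists, the command does not policy-route the packet; the packet is forwarded based on the routing table.

  • If the destination IP address does not exist, the command policy-routes the packet by sending it to the specified next hop.

The set ip next-hop command verifies whether the specified next hop exists, and:

  • If the next hop exists in the routing table, the command policy-routes the packet to the next hop.

  • If the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.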
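
The two decision rules above can be modelled in a few lines. This is an added example, not part of the original Cisco document: the functions `lookup`, `pbr_decision` and `without_iface` and the table layout are hypothetical, the routing tables are constructed from the R1 addresses used on this page, and the model also covers the default-route case shown later in Case Study 3.

```python
import ipaddress

def lookup(table, addr, kinds=None, allow_default=True):
    """Longest-prefix match over (prefix, kind, via) rows; None if no match."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, kind, via in table:
        net = ipaddress.ip_network(prefix)
        if kinds and kind not in kinds:
            continue
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, via)
    return best

def pbr_decision(table, dst, action, next_hop):
    """Return (verdict, where) for a packet that already matched the route map."""
    # Assumption of this sketch: the next hop is usable only while it sits
    # in a connected subnet (the interface towards it is up).
    nh_ok = lookup(table, next_hop, kinds={"connected"}) is not None
    if action == "set ip next-hop":
        use_policy = nh_ok
    elif action == "set ip default next-hop":
        # Only an explicit route counts; 0.0.0.0/0 does not (Case Study 3).
        explicit = lookup(table, dst, allow_default=False) is not None
        use_policy = nh_ok and not explicit
    else:
        raise ValueError(f"unsupported action: {action}")
    if use_policy:
        return ("policy routed", next_hop)
    route = lookup(table, dst)
    return ("normal forwarding", route[2] if route else None)

# Constructed routing tables for R1, built from the addresses on this page.
CONNECTED = [("100.100.100.0/24", "connected", "Ethernet0/0"),
             ("10.10.10.0/24", "connected", "Serial1/0"),
             ("20.20.20.0/24", "connected", "Serial2/0")]
R1_OSPF = CONNECTED + [("200.200.200.0/24", "ospf", "20.20.20.2")]
R1_DEFAULT = CONNECTED + [("0.0.0.0/0", "static", "20.20.20.2")]

def without_iface(table, iface, gateway_prefix):
    """Drop an interface's connected route and every route learned through it."""
    gw = ipaddress.ip_network(gateway_prefix)
    return [r for r in table if r[2] != iface and not
            (r[1] != "connected" and ipaddress.ip_address(r[2]) in gw)]
```
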

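Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions; however, the software used must support policy-based routing. Use Feature Navigator to determine the hardware and software that support this configuration.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information needed to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.

Network Diagram

This document uses this network setup: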

/image/gif/paws/47121/pbr_cmds_ce_01.gif

Case Study 1: Policy Routing with the set ip default next-hop Command and a Dynamic Routing Protocol (DRP)

This section uses these configurations:

R1
R1# show running-config 
Building configuration...
.
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial2/0
 ip address 20.20.20.1 255.255.255.0
!
router ospf 1
  
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 100.100.100.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 100 permit ip host 100.100.100.3 host 200.200.200.4
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.2
.
.
!
end

R2
R2# show running-config 
Building configuration...
.
!
!
interface Ethernet0/0
 ip address 200.200.200.2 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 fair-queue
!
interface Serial2/0
 ip address 20.20.20.2 255.255.255.0
!
router ospf 1
 
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 200.200.200.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 100 permit ip host 200.200.200.4 host 100.100.100.3
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.1
!
end

Verify Case Study 1

When the route to the destination exists in the routing table, normal forwarding is used; the packet is not policy-routed.

R1# show ip route 200.200.200.4 
   Routing entry for 200.200.200.0/24
   Known via "ospf 1", distance 110, metric 74, type intra area
   Last update from 20.20.20.2 on Serial2/0, 00:11:48 ago
   Routing Descriptor Blocks:
   * 20.20.20.2, from 30.30.30.3, 00:11:48 ago, via Serial2/0
   Route metric is 74, traffic share count is 1

R1# debug ip policy 
Policy routing debugging is on
*Dec 4 12:50:57.363: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.363: IP: route map blah, item 10, permit
*Dec 4 12:50:57.363: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.431: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.431: IP: route map blah, item 10, permit
*Dec 4 12:50:57.431: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.491: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.491: IP: route map blah, item 10, permit
*Dec 4 12:50:57.491: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
  
R2# show ip route 100.100.100.3
Routing entry for 100.100.100.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Last update from 20.20.20.1 on Serial2/0, 00:11:42 ago
  Routing Descriptor Blocks:
  * 20.20.20.1, from 100.100.100.1, 00:11:42 ago, via Serial2/0
      Route metric is 74, traffic share count is 1

R2# debug ip policy 
Policy routing debugging is on
*Dec 4 12:50:57.779: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec 4 12:50:57.779: IP: route map blah, item 10, permit
*Dec 4 12:50:57.779: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.839: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec 4 12:50:57.839: IP: route map blah, item 10, permit
*Dec 4 12:50:57.839: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.911: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec 4 12:50:57.911: IP: route map blah, item 10, permit
*Dec 4 12:50:57.911: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial2/0), len 100, policy rejected -- normal forwarding

When Serial 2/0 goes down and the destination address disappears from the routing table, the packet is policy-routed.

R1# show ip route 200.200.200.0
% Network not in table
R1#
*Dec 5 13:26:27.567: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.567: IP: route map blah, item 10, permit
*Dec 5 13:26:27.567: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.567: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:26:27.655: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.655: IP: route map blah, item 10, permit
*Dec 5 13:26:27.655: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.655: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:26:27.727: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.727: IP: route map blah, item 10, permit
*Dec 5 13:26:27.727: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.727: IP: Ethernet0/0 to Serial1/0 10.10.10.2
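
When a capture is longer than a few packets, the verdict lines of `debug ip policy` can be tallied per flow so that traffic which matched the route map but fell back to the routing table stands out. This is an added example, not part of the original Cisco document: the names `VERDICT`, `summarize` and `fallback_flows` are hypothetical, and `SAMPLE` is built from debug lines shown above.

```python
import re
from collections import Counter

# Final-verdict line of each packet in `debug ip policy` output. The captures
# on this page print both "), len" and "),len", so the space is optional.
VERDICT = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+) "
    r"\((?P<out_if>[^)]+)\), ?len \d+, policy "
    r"(?P<verdict>routed|rejected -- normal forwarding)")

def summarize(log_text):
    """Count verdicts per (src, dst, egress interface, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VERDICT.search(line)
        if m:
            verdict = "routed" if m["verdict"] == "routed" else "rejected"
            counts[(m["src"], m["dst"], m["out_if"], verdict)] += 1
    return counts

def fallback_flows(counts):
    """Flows that matched the route map but were forwarded by the routing table."""
    return sorted({(s, d, out) for (s, d, out, v) in counts if v == "rejected"})

# Sample input assembled from the R1 debug output on this page.
SAMPLE = """\
*Dec 4 12:50:57.363: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.363: IP: route map blah, item 10, permit
*Dec 4 12:50:57.363: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 5 13:26:27.567: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.567: IP: route map blah, item 10, permit
*Dec 5 13:26:27.567: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.567: IP: Ethernet0/0 to Serial1/0 10.10.10.2
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```
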

Case Study 2: Policy Routing with the set ip next-hop Command and a Dynamic Routing Protocol (DRP)

This section uses these configurations:

R1
R1# show running-config 
Building configuration...
.
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial2/0
 ip address 20.20.20.1 255.255.255.0
!
router ospf 1
 
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 100.100.100.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 100 permit ip host 100.100.100.3 host 200.200.200.4
!
route-map blah permit 10
 match ip address 100
 set ip next-hop 10.10.10.2
.
.
!
end

R2
R2# show running-config 
Building configuration...
.
!
!
interface Ethernet0/0
 ip address 200.200.200.2 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 fair-queue
!
interface Serial2/0
 ip address 20.20.20.2 255.255.255.0
!
router ospf 1
 
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 200.200.200.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
!
!
access-list 100 permit ip host 200.200.200.4 host 100.100.100.3
!
route-map blah permit 10
 match ip address 100
 set ip next-hop 10.10.10.1
!
end

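Verify Case Study 2

Verify that the next hop 10.10.10.2 exists in the routing table. If the route to the destination exists in the routing table, the packet is policy-routed when the next hop is reachable.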

R1# show ip route 200.200.200.4 
Routing entry for 200.200.200.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Last update from 20.20.20.2 on Serial2/0, 00:11:48 ago
  Routing Descriptor Blocks:
  * 20.20.20.2, from 30.30.30.3, 00:11:48 ago, via Serial2/0
      Route metric is 74, traffic share count is 1

R1# debug ip policy 
Policy routing debugging is on
*Dec 4 12:53:38.271: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:53:38.271: IP: route map blah, item 10, permit
*Dec 4 12:53:38.271: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec 4 12:53:38.271: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 4 12:53:38.355: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:53:38.355: IP: route map blah, item 10, permit
*Dec 4 12:53:38.355: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec 4 12:53:38.355: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 4 12:53:38.483: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:53:38.483: IP: route map blah, item 10, permit

R2# sh ip route 100.100.100.3
Routing entry for 100.100.100.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Last update from 20.20.20.1 on Serial2/0, 00:11:42 ago
  Routing Descriptor Blocks:
  * 20.20.20.1, from 100.100.100.1, 00:11:42 ago, via Serial2/0
      Route metric is 74, traffic share count is 1

R2# debug ip policy 
Policy routing debugging is on
*Dec  4 12:53:38.691: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:53:38.691: IP: route map blah, item 10, permit
*Dec  4 12:53:38.691: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:53:38.691: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:53:38.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:53:38.799: IP: route map blah, item 10, permit
*Dec  4 12:53:38.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:53:38.799: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:53:38.899: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:53:38.899: IP: route map blah, item 10, permit

When the destination IP address disappears from the routing table, the packet is policy-routed.

*Dec 5 13:33:23.607: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:33:23.607: IP: route map blah, item 10, permit
*Dec 5 13:33:23.607: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:33:23.607: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:33:23.707: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:33:23.707: IP: route map blah, item 10, permit
*Dec 5 13:33:23.707: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:33:23.707: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:33:23.847: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:33:23.847: IP: route map blah, item 10, permit

When the Serial 1/0 interface goes down, we lose the next hop 10.10.10.1 from the routing table, and the packet follows the normal routing table.

*Dec 5 13:40:38.887: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:40:38.887: IP: route map blah, item 10, permit
*Dec 5 13:40:38.887: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 5 13:40:39.047: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:40:39.047: IP: route map blah, item 10, permit
*Dec 5 13:40:39.047: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 5 13:40:39.115: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:40:39.115: IP: route map blah, item 10, permit
*Dec 5 13:40:39.115: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding

Case Study 3: Policy Routing with set ip default next-hop and a Default Route

This section uses these configurations:

R1
R1# show running-config 
Building configuration...
.
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial2/0
 ip address 20.20.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 20.20.20.2
!
ip classless
no ip http server
!
access-list 100 permit ip host 100.100.100.3 host 200.200.200.4
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.2
.
.
!
end

R2
R2# show running-config 
Building configuration...
.
!
!
interface Ethernet0/0
 ip address 200.200.200.2 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 fair-queue
!
interface Serial2/0
 ip address 20.20.20.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip classless
no ip http server
!
!
!
access-list 100 permit ip host 200.200.200.4 host 100.100.100.3
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.1
!
end

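Verify Case Study 3

When the only route to the destination is the default route (the routing table has no specific route for that destination), the packet is policy-routed.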

R1# show ip route 200.200.200.4
% Network not in table


R1# show ip route 0.0.0.0 
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
* 20.20.20.2
Route metric is 0, traffic share count is 1

R1# 
*Dec  4 12:58:55.191: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec  4 12:58:55.191: IP: route map blah, item 10, permit
*Dec  4 12:58:55.191: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.191: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec  4 12:58:55.291: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec  4 12:58:55.291: IP: route map blah, item 10, permit
*Dec  4 12:58:55.291: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.291: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec  4 12:58:55.391: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec  4 12:58:55.391: IP: route map blah, item 10, permit
*Dec  4 12:58:55.391: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.391: IP: Ethernet0/0 to Serial1/0 10.10.10.2

R2# show ip route 100.100.100.3
% Network not in table

R2# show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
* 20.20.20.1
Route metric is 0, traffic share count is 1

R2#
*Dec  4 12:58:20.819: %SYS-5-CONFIG_I: Configured from console by console
*Dec  4 12:58:55.611: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:58:55.611: IP: route map blah, item 10, permit
*Dec  4 12:58:55.611: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.611: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:58:55.739: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:58:55.739: IP: route map blah, item 10, permit
*Dec  4 12:58:55.739: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.739: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:58:55.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:58:55.799: IP: route map blah, item 10, permit
*Dec  4 12:58:55.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.799: IP: Ethernet0/0 to Serial1/0 10.10.10.1

When the default route does not exist because Serial 2/0 is down, the packet is policy-routed.

R1# show ip route 0.0.0.0
% Network not in table
R1#
*Dec 5 13:02:31.283: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:02:31.283: IP: route map blah, item 10, permit
*Dec 5 13:02:31.283: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:02:31.283: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:02:31.375: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:02:31.375: IP: route map blah, item 10, permit
*Dec 5 13:02:31.375: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:02:31.375: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:02:31.435: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:02:31.435: IP: route map blah, item 10, permit
*Dec 5 13:02:31.435: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:02:31.435: IP: Ethernet0/0 to Serial1/0 10.10.10.2

With Serial2/0 up and Serial 1/0 down, we lose the next hop and the packet follows normal forwarding (the routing table); the policy is rejected.

R1# debug ip policy 
Policy routing debugging is on
R1#
*Dec 5 12:46:49.543: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 12:46:49.543: IP: route map blah, item 10, permit
*Dec 5 12:46:49.543: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0),len 100, policy rejected -- normal forwarding
*Dec 5 12:46:49.623: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 12:46:49.623: IP: route map blah, item 10, permit
*Dec 5 12:46:49.623: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0),len 100, policy rejected -- normal forwarding
*Dec 5 12:46:49.691: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 12:46:49.691: IP: route map blah, item 10, permit
*Dec 5 12:46:49.691: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0),len 100, policy rejected -- normal forwarding

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Document ID: 47121