Today's article is about reliable PBR (Policy-Based Routing).
Topology, as it follows from the configurations below: R1-R2 on 10.10.12.0/24, R1-R3 on 10.10.13.0/24, R2-R3 on 10.10.23.0/24, R3-R4 on 10.10.34.0/24; R5 (PC1, 172.18.1.100) sits behind R1's F1/0 and R6 (PC2, 192.168.1.100) behind R4's F0/1. All four routers run EIGRP AS 1.
The configurations are as follows:
R1
—–
!
!
interface FastEthernet0/0
ip address 10.10.12.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.13.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 172.18.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
redistribute connected
network 10.10.0.0 0.0.255.255
no auto-summary
!
ip forward-protocol nd
!
R2
—-
!
!
interface FastEthernet0/0
ip address 10.10.12.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.23.2 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 10.10.0.0 0.0.255.255
no auto-summary
!
R3
—-
!
interface FastEthernet0/0
ip address 10.10.23.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.13.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.10.34.3 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
network 10.10.0.0 0.0.255.255
no auto-summary
!
R4
—-
!
interface FastEthernet0/0
ip address 10.10.34.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
redistribute connected
network 10.10.0.0 0.0.255.255
no auto-summary
!
R5 (PC1)
————–
no ip routing
!
!
!
interface FastEthernet0/0
ip address 172.18.1.100 255.255.255.0
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 172.18.1.1
R6 (PC2)
————–
no ip routing
!
!
interface FastEthernet0/0
ip address 192.168.1.100 255.255.255.0
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 192.168.1.1
Let's check whether R5 can ping R6:
R5#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/76/108 ms
R5#
Oh yes, it works.
Let's run a trace to see which way the packets go:
R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 32 msec 32 msec 8 msec
2 10.10.13.3 24 msec 40 msec 24 msec
3 10.10.34.4 44 msec 60 msec 60 msec
4 192.168.1.100 92 msec
Good, so the path is R1-R3-R4-R6.
Using PBR, let's configure R1 so that packets arriving from 172.18.1.0/24 are sent towards R2 (next hop 10.10.12.2) instead of R3.
What do we need?
– An ACL
– A route-map
– A policy applied to the interface.
Configuration:
!
ip access-list extended FROM_R5
permit ip 172.18.1.0 0.0.0.255 any
!
!
!
!
route-map PBR permit 10
match ip address FROM_R5
set ip next-hop 10.10.12.2
!
interface FastEthernet1/0
ip policy route-map PBR
Test:
R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 72 msec 48 msec 4 msec
2 10.10.12.2 52 msec 16 msec 16 msec
3 10.10.23.3 72 msec 48 msec 68 msec
4 10.10.34.4 44 msec 72 msec 84 msec
5 192.168.1.100 108 msec * 140 msec
R5#
It works. If I turn on debugging on R1, it shows there too that the forwarding decision was made by PBR (FIB policy routed).
R1#debug ip policy
Policy routing debugging is on
R1#
*Mar 1 00:35:29.267: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.271: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:35:29.415: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.415: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:35:29.523: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.523: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
*Mar 1 00:35:29.587: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.587: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:35:29.639: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.639: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
That was the easy part. Let's raise the stakes: R1 should only send the packets towards R2 if R2's F0/0 interface responds to ping.
Why is this needed? Because if R2's F0/0 interface goes down, the traffic still tries to flow that way because of the policy routing!
R5#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
R1#
*Mar 1 00:38:55.539: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:38:55.539: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
That is obviously no good for us: the traffic went into a black hole. So we have to play it safe: if F0/0 goes down, the traffic must flow towards R3.
One possible solution is verify-availability:
route-map PBR permit 10
match ip address FROM_R5
set ip next-hop 10.10.12.2
set ip next-hop verify-availability
Test:
R5#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/72/96 ms
R5#
R1#
*Mar 1 00:41:41.799: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:41.799: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:41.895: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:41.895: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:41.979: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:41.983: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:42.039: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:42.043: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:42.103: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:42.103: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
R1#
FIB policy rejected, normal forwarding. That's good.
And what happens when R2's F0/0 interface comes back up?
R1#
*Mar 1 00:43:56.123: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.12.2 (FastEthernet0/0) is up: new adjacency
R1#
*Mar 1 00:44:04.571: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.571: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:44:04.711: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.711: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:44:04.791: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.791: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
*Mar 1 00:44:04.871: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.871: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:44:04.939: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.943: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
Policy routed. That's what we expected.
Another possible solution is to configure tracking together with an IP SLA.
For example: if R1 can reach R4 over telnet, the packets should go towards R2; otherwise they should not.
IP SLA config:
R4
—-
ip sla responder tcp-connect port 23
R1
—
ip sla 1
tcp-connect 10.10.34.4 23 control disable
timeout 2000
frequency 2
ip sla schedule 1 life forever start-time now
Let's check whether it is running:
R1#sh ip sla stat 1
Round Trip Time (RTT) for Index 1
Latest RTT: 88 milliseconds
Latest operation start time: *00:50:30.419 UTC Fri Mar 1 2002
Latest operation return code: OK
Number of successes: 42
Number of failures: 0
Operation time to live: Forever
R1#
It is.
All that remains is a track object, and the PBR route-map has to reference that track.
R1
—-
!
track 1 rtr 1
!
route-map PBR permit 10
match ip address FROM_R5
set ip next-hop verify-availability 10.10.12.2 1 track 1
*Mar 1 00:53:01.639: Track: 1 Start tracking by ROUTE-MAP - 0
R1#show track 1
Track 1
Response Time Reporter 1 state
State is Up
1 change, last change 00:03:38
Latest operation return code: OK
Latest RTT (millisecs) 84
Tracked by:
ROUTE-MAP 0
R1#
Let's see what the trace looks like; it should follow the PBR.
R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 64 msec 24 msec 52 msec
2 10.10.12.2 36 msec 44 msec 24 msec
3 10.10.23.3 48 msec 48 msec 56 msec
4 10.10.34.4 152 msec 60 msec 64 msec
5 192.168.1.100 72 msec * 148 msec
R5#
And so it does.
And what if R1 cannot reach R4 over telnet?
R4(config)#ip access-l ex DENY_TELNET
R4(config-ext-nacl)#deny tcp any any eq 23
R4(config-ext-nacl)#permit ip any any
R4(config-ext-nacl)#int f0/0
R4(config-if)#ip access-g DENY_
R4(config-if)#ip access-g DENY_TELNET in
R4(config-if)#^Z
R4#
Then…
R1#
*Mar 1 00:57:58.855: %TRACKING-5-STATE: 1 rtr 1 state Up->Down
R1#
And then…
R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 228 msec 216 msec 160 msec
2 10.10.13.3 248 msec 140 msec 260 msec
3 10.10.34.4 172 msec 252 msec 156 msec
4 192.168.1.100 428 msec 740 msec 636 msec
R5#
R1#
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
*Mar 1 00:59:44.423: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:44.427: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
R1#
*Mar 1 00:59:45.007: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:45.007: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
R1#
The traffic goes towards R3, not towards R2.
I hope this was useful.
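Both the verify-availability test and the tracked-next-hop test above are judged by reading "debug ip policy" output by eye. As an added example (not code from the article), here is a small parser over constructed lines in the same format that counts how many policy-matched packets were actually policy-routed versus handed back to normal forwarding, and records %TRACKING-5-STATE transitions, so an unexpected fallback to the R3 path can be flagged rather than noticed by chance. The log format is assumed to be exactly what the article's debug output shows.

```python
import re
from collections import Counter

# Constructed sample lines mirroring the "debug ip policy" and tracking output in this article.
SAMPLE_LOG = """\
*Mar 1 00:35:29.267: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.271: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:57:58.855: %TRACKING-5-STATE: 1 rtr 1 state Up->Down
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
"""

# One "FIB policy match" line precedes each real decision; the decision line carries
# either "routed" (with the chosen gateway g=) or "rejected - normal forwarding".
POLICY_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<iface>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?:, g=(?P<gw>[\d.]+))?, len (?P<len>\d+), "
    r"FIB policy (?P<verdict>match|routed|rejected - normal forwarding)"
)
TRACK_RE = re.compile(
    r"%TRACKING-5-STATE: (?P<track>\d+) rtr (?P<rtr>\d+) state (?P<old>\w+)->(?P<new>\w+)"
)


def parse_policy_log(text):
    """Return (Counter of forwarding decisions, list of (track, old, new) transitions)."""
    verdicts = Counter()
    transitions = []
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            verdict = m.group("verdict")
            if verdict == "match":      # only the follow-up line is the actual decision
                continue
            key = "routed via " + m.group("gw") if verdict == "routed" else "normal forwarding"
            verdicts[key] += 1
            continue
        t = TRACK_RE.search(line)
        if t:
            transitions.append((t.group("track"), t.group("old"), t.group("new")))
    return verdicts, transitions


def fallback_detected(text):
    """True if any policy-matched packet fell back to the routing table (the R3 path here)."""
    verdicts, _ = parse_policy_log(text)
    return verdicts.get("normal forwarding", 0) > 0
```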