Reliable PBR

Today's article is about reliable PBR (policy-based routing).

Topology:

[Figure: PBR_Reliable topology diagram]

The configurations are as follows:

R1
—–

!
interface FastEthernet0/0
 ip address 10.10.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.13.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 172.18.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 redistribute connected
 network 10.10.0.0 0.0.255.255
 no auto-summary
!
ip forward-protocol nd
!

R2
—-

!
interface FastEthernet0/0
 ip address 10.10.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.23.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.10.0.0 0.0.255.255
 no auto-summary
!

R3
—-

!
interface FastEthernet0/0
 ip address 10.10.23.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.13.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.34.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.10.0.0 0.0.255.255
 no auto-summary
!

R4
—-

!
interface FastEthernet0/0
 ip address 10.10.34.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 redistribute connected
 network 10.10.0.0 0.0.255.255
 no auto-summary
!

R5 (PC1)
————–

no ip routing
!
interface FastEthernet0/0
 ip address 172.18.1.100 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
ip default-gateway 172.18.1.1

R6 (PC2)
————–

no ip routing
!
interface FastEthernet0/0
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
ip default-gateway 192.168.1.1

Let's see whether R5 can ping R6:

R5#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/76/108 ms
R5#

Oh yes, it works.

Let's check with a traceroute which way the packet goes:

R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 32 msec 32 msec 8 msec
2 10.10.13.3 24 msec 40 msec 24 msec
3 10.10.34.4 44 msec 60 msec 60 msec
4 192.168.1.100 92 msec

OK, so the path is R1-R3-R4-R6.

Using PBR, let's configure R1 so that packets arriving from 172.18.1.0/24 do not go toward R3 but toward R4.
What do we need?
– An ACL
– A route-map
– A policy configuration on the interface.

Configuration:

!
ip access-list extended FROM_R5
 permit ip 172.18.1.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address FROM_R5
 set ip next-hop 10.10.12.2
!
interface FastEthernet1/0
 ip policy route-map PBR

Test:

R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 72 msec 48 msec 4 msec
2 10.10.12.2 52 msec 16 msec 16 msec
3 10.10.23.3 72 msec 48 msec 68 msec
4 10.10.34.4 44 msec 72 msec 84 msec
5 192.168.1.100 108 msec * 140 msec
R5#

It works. If I turn on debugging on R1, it also shows that the routing was done based on PBR (FIB Policy Routed).

R1#debug ip policy
Policy routing debugging is on
R1#
*Mar 1 00:35:29.267: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.271: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:35:29.415: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.415: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:35:29.523: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.523: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
*Mar 1 00:35:29.587: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.587: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:35:29.639: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.639: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#

That was the easy part. Let's raise the stakes: R1 should only send the packets toward R2 if R2's F0/0 interface responds to ping.
Why is this needed? Because if R2's F0/0 interface goes down, the policy routing still wants to send the traffic that way!

R5#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
R1#
*Mar 1 00:38:55.539: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:38:55.539: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#

This is obviously no good for us: the traffic ended up in a black hole. So we have to make sure that if the F0/0 interface goes down, the traffic flows toward R3.

One possible solution is verify-availability:

route-map PBR permit 10
 match ip address FROM_R5
 set ip next-hop 10.10.12.2
 set ip next-hop verify-availability

Test:

R5#ping 192.168.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/72/96 ms
R5#
R1#
*Mar 1 00:41:41.799: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:41.799: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:41.895: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:41.895: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:41.979: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:41.983: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100
R1#, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:42.039: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:42.043: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:41:42.103: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:41:42.103: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy rejected - normal forwarding

FIB policy rejected, normal forwarding. That's good.

And what if R2's F0/0 interface comes back?

R1#
*Mar 1 00:43:56.123: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.12.2 (FastEthernet0/0) is up: new adjacency
R1#
*Mar 1 00:44:04.571: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.571: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:44:04.711: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.711: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:44:04.791: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.791: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#
*Mar 1 00:44:04.871: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.871: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:44:04.939: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:44:04.943: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
R1#

Policy routed. That's what we expected.

Another possible solution is to configure tracking and IP SLA.
For example: if R1 can reach R4 via telnet, the packet should go toward R2; otherwise it should not.

IP SLA config:

R4
—-

ip sla responder tcp-connect port 23

R1
—-

ip sla 1
 tcp-connect 10.10.34.4 23 control disable
 timeout 2000
 frequency 2
ip sla schedule 1 life forever start-time now

Let's see if it works:

R1#sh ip sla stat 1
Round Trip Time (RTT) for Index 1
Latest RTT: 88 milliseconds
Latest operation start time: *00:50:30.419 UTC Fri Mar 1 2002
Latest operation return code: OK
Number of successes: 42
Number of failures: 0
Operation time to live: Forever
R1#

It works.
Now all we need is a track object, and we have to reference this track in the PBR route-map.

R1
—-

!
track 1 rtr 1
!
route-map PBR permit 10
 match ip address FROM_R5
 set ip next-hop verify-availability 10.10.12.2 1 track 1
*Mar 1 00:53:01.639: Track: 1 Start tracking by ROUTE-MAP - 0
R1#show track 1
Track 1
  Response Time Reporter 1 state
  State is Up
    1 change, last change 00:03:38
  Latest operation return code: OK
  Latest RTT (millisecs) 84
  Tracked by:
    ROUTE-MAP 0
R1#

Let's see what the trace looks like now; it should follow the PBR.

R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 64 msec 24 msec 52 msec
2 10.10.12.2 36 msec 44 msec 24 msec
3 10.10.23.3 48 msec 48 msec 56 msec
4 10.10.34.4 152 msec 60 msec 64 msec
5 192.168.1.100 72 msec * 148 msec
R5#

And so it does.
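To make the difference between the three route-map variants used in this post concrete, here is an added Python model (not the post's own code and not IOS) of the FIB policy decision: a plain `set ip next-hop` forwards to the next hop unconditionally, the bare `set ip next-hop verify-availability` form accepts the next hop only while it is a CDP neighbour, and the tracked form `set ip next-hop verify-availability <nh> <seq> track <n>` accepts it only while the track object is Up. The ACL matcher, the CDP neighbour set and the track state table are simplified assumptions standing in for the router's own state.

```python
"""Model of the IOS policy-routing decision discussed in the post.

Added example, not the post's own code: a simplified stand-in for the
route-map variants in the article (plain 'set ip next-hop', bare
'set ip next-hop verify-availability', and the tracked form
'set ip next-hop verify-availability <nh> <seq> track <n>').  The CDP
neighbour set and the track state table are assumptions standing in for
what IOS consults.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Acl:
    """Extended ACL reduced to 'permit ip <source-net> any' entries."""
    name: str
    permit_sources: list

    def permits(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.permit_sources)


@dataclass
class NextHop:
    address: str
    track: Optional[int] = None   # set only for the 'verify-availability ... track N' form


@dataclass
class RouteMapEntry:
    acl: Acl
    next_hops: list
    verify_availability: bool = False   # bare 'set ip next-hop verify-availability' (CDP check)


@dataclass
class RouterState:
    cdp_neighbors: set = field(default_factory=set)  # next-hop IPs currently seen via CDP
    tracks: dict = field(default_factory=dict)       # track number -> "Up" / "Down"


def fib_policy_decision(src: str, entry: RouteMapEntry, state: RouterState) -> str:
    """Return the verdict 'debug ip policy' prints for a packet from src."""
    if not entry.acl.permits(src):
        return "no policy match - normal forwarding"
    for nh in entry.next_hops:
        if nh.track is not None:
            # Tracked next hop: usable only while the track object is Up.
            if state.tracks.get(nh.track) == "Up":
                return f"g={nh.address}, FIB policy routed"
            continue
        if entry.verify_availability:
            # CDP-based check: the next hop must be a live CDP neighbour.
            if nh.address in state.cdp_neighbors:
                return f"g={nh.address}, FIB policy routed"
            continue
        # Plain 'set ip next-hop': no liveness check at all.
        return f"g={nh.address}, FIB policy routed"
    return "FIB policy rejected - normal forwarding"


FROM_R5 = Acl("FROM_R5", [ip_network("172.18.1.0/24")])
R2_F0_0 = "10.10.12.2"

PLAIN = RouteMapEntry(FROM_R5, [NextHop(R2_F0_0)])
VERIFY_CDP = RouteMapEntry(FROM_R5, [NextHop(R2_F0_0)], verify_availability=True)
TRACKED = RouteMapEntry(FROM_R5, [NextHop(R2_F0_0, track=1)])

# Assumed router state for the two situations in the post: R2's F0/0 up, and down.
R2_UP = RouterState(cdp_neighbors={R2_F0_0}, tracks={1: "Up"})
R2_DOWN = RouterState(cdp_neighbors=set(), tracks={1: "Down"})


def scenarios() -> dict:
    """Replay the post's three route-map variants against R2 up and down."""
    host = "172.18.1.100"
    return {
        "plain/up": fib_policy_decision(host, PLAIN, R2_UP),
        "plain/down": fib_policy_decision(host, PLAIN, R2_DOWN),   # the black hole
        "cdp/up": fib_policy_decision(host, VERIFY_CDP, R2_UP),
        "cdp/down": fib_policy_decision(host, VERIFY_CDP, R2_DOWN),
        "track/up": fib_policy_decision(host, TRACKED, R2_UP),
        "track/down": fib_policy_decision(host, TRACKED, R2_DOWN),
        "other-src": fib_policy_decision("10.10.13.3", TRACKED, R2_UP),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:11s} -> {verdict}")
```

Running it prints all seven verdicts; the `plain/down` case is the black hole from the first test, where the packet is still policy-routed to 10.10.12.2 after R2 is gone. Because the bare `verify-availability` form depends on CDP, it only helps when the next hop is a directly connected CDP neighbour; the track-based form is the one to use when the next hop itself may be fine but something further along the path (R4's telnet port in this post) is what actually matters.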

And what if R1 cannot reach R4 via telnet?

R4(config)#ip access-l ex DENY_TELNET
R4(config-ext-nacl)#deny tcp any any eq 23
R4(config-ext-nacl)#permit ip any any
R4(config-ext-nacl)#int f0/0
R4(config-if)#ip access-g DENY_
R4(config-if)#ip access-g DENY_TELNET in
R4(config-if)#^Z
R4#

Then...

R1#
*Mar 1 00:57:58.855: %TRACKING-5-STATE: 1 rtr 1 state Up->Down
R1#

And then...

R5#trace 192.168.1.100
Type escape sequence to abort.
Tracing the route to 192.168.1.100
1 172.18.1.1 228 msec 216 msec 160 msec
2 10.10.13.3 248 msec 140 msec 260 msec
3 10.10.34.4 172 msec 252 msec 156 msec
4 192.168.1.100 428 msec 740 msec 636 msec
R5#
R1#
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
*Mar 1 00:59:44.423: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:44.427: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
R1#
*Mar 1 00:59:45.007: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:45.007: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
R1#

The traffic goes toward R3, not toward R2.
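As an added example (not part of the post), this Python script turns the `debug ip policy` and `%TRACKING-5-STATE` lines shown above into a summary a practitioner can check after the fact: how many packets per source were policy-routed versus rejected to normal forwarding, which gateways were actually used, the track transitions, and any packet that was still policy-routed to a next hop whose guarding track was Down (the black-hole symptom from the first failure test). The sample log is constructed from the post's line formats; the 00:58:10 "policy routed" lines are an assumption added to exercise that check, and the gateway-to-track mapping mirrors the post's route-map.

```python
"""Summarise 'debug ip policy' and %TRACKING-5-STATE output.

Added example, not code from the post.  SAMPLE_LOG is constructed from
the line formats shown in the post (the 00:58:10 'policy routed' lines
are an assumption added to show the black-hole check); the
gateway-to-track mapping mirrors the post's route-map.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
*Mar 1 00:35:29.267: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:35:29.271: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:41:41.983: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100
R1#, len 100, FIB policy rejected - normal forwarding
*Mar 1 00:57:58.855: %TRACKING-5-STATE: 1 rtr 1 state Up->Down
*Mar 1 00:58:10.100: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 100, FIB policy match
*Mar 1 00:58:10.100: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, g=10.10.12.2, len 100, FIB policy routed
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy match
*Mar 1 00:59:43.759: IP: s=172.18.1.100 (FastEthernet1/0), d=192.168.1.100, len 28, FIB policy rejected - normal forwarding
R1#
"""

# IOS timestamp prefix, e.g. "*Mar 1 00:35:29.267:"
TS = r"\*(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d+):"

POLICY_RE = re.compile(
    TS + r" IP: s=(?P<src>[\d.]+) \((?P<iface>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?:, g=(?P<gw>[\d.]+))?, len (?P<len>\d+), "
    r"FIB policy (?P<verdict>match|routed|rejected - normal forwarding)$"
)
TRACK_RE = re.compile(
    TS + r" %TRACKING-5-STATE: (?P<track>\d+) \w+ \d+ state (?P<old>\w+)->(?P<new>\w+)$"
)


def summarize(log: str, gateway_track: dict) -> dict:
    """Walk the log in order, keeping the current state of each track object.

    gateway_track maps a PBR next hop to the track number that guards it,
    as in 'set ip next-hop verify-availability 10.10.12.2 1 track 1'.
    Tracks with no transition seen yet are assumed Up.
    """
    verdicts = Counter()      # (source, verdict) -> packets
    gateways = Counter()      # next hop -> policy-routed packets
    transitions = []          # (track, old state, new state)
    routed_while_down = []    # timestamps of packets sent to a next hop whose track is Down
    track_state = {}
    unparsed = 0

    for raw in log.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            verdicts[(m["src"], m["verdict"])] += 1
            if m["gw"]:
                gateways[m["gw"]] += 1
                guard = gateway_track.get(m["gw"])
                if guard is not None and track_state.get(guard, "Up") == "Down":
                    routed_while_down.append(m["ts"])
            continue
        t = TRACK_RE.match(line)
        if t:
            track_state[int(t["track"])] = t["new"]
            transitions.append((int(t["track"]), t["old"], t["new"]))
            continue
        # Lines broken by an interleaved prompt (as seen in the post) land here.
        if "IP: s=" in line or "FIB policy" in line:
            unparsed += 1

    return {
        "verdicts": dict(verdicts),
        "gateways": dict(gateways),
        "transitions": transitions,
        "routed_while_down": routed_while_down,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, {"10.10.12.2": 1})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it a captured terminal session or a syslog export of the same lines; a non-empty `routed_while_down` list means packets were policy-routed toward a next hop after its track reported Down, which is exactly the situation the tracked route-map is meant to rule out, and `unparsed` tells you how many debug lines were mangled by interleaved prompts and were not counted.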

I hope this was useful.