On Redistribution + Route-map Issues + PBR Operation Test

Published: 2023-04-14 13:38:23  Author: 剪刀石头布Cheers

Test topology

Basic description: configure the IP addresses as shown in the diagram, then establish routing (the details are omitted here) so that R5's loopback addresses can reach R1's loopback address.

R4#sho run | i ip route
...
ip route 5.5.5.0 255.255.255.0 45.1.1.5
ip route 5.5.5.1 255.255.255.255 45.1.1.5
ip route 5.5.5.2 255.255.255.255 45.1.1.5
ip route 5.5.5.3 255.255.255.255 45.1.1.5
ip route 5.5.5.4 255.255.255.255 45.1.1.5
R4#
R1#sho run | s ip route
ip route 5.5.5.0 255.255.255.0 12.1.1.2
ip route 5.5.5.0 255.255.255.0 13.1.1.3

Special note: R4 reaches 1.1.1.1 via an EIGRP external (EX) route and a static route, with next hops to R2 and R3 respectively.

1. First, the redistribution + route-map issue

Can an extended ACL be used to match entries for a route-map during redistribution? The router of interest here is R4, which redistributes the static routes to R5's loopbacks, as shown below:

R4#sho run | s r e
router eigrp 1
 redistribute static route-map cisco
 network 24.1.1.0 0.0.0.255
 no auto-summary

The route-map attached to it is as follows:

R4#sho run | s route-map
...
route-map cisco deny 5
 match ip address ok
route-map cisco permit 10
 match ip address cisco
R4#

Two ACLs are being matched here, ok and cisco. Let's look at them:

R4#sho ip access-lists
Standard IP access list ok
    10 permit 5.5.5.1 (6 matches)
    20 permit 5.5.5.2 (4 matches)
Extended IP access list cisco
    10 deny ip host 5.5.5.1 host 1.1.1.1
    20 deny ip host 5.5.5.2 host 1.1.1.1
    30 permit ip 5.5.5.0 0.0.0.255 any (60 matches)

We can see that the only entries with matches are those of the standard ACL and rule 30 of the extended ACL. The routes R2 learns are as expected: 5.5.5.1 and 5.5.5.2 have been denied.

R2#sho ip ro eigrp
     5.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX    5.5.5.4/32 [170/307200] via 24.1.1.4, 00:07:39, Ethernet0/1
D EX    5.5.5.0/24 [170/307200] via 24.1.1.4, 00:07:39, Ethernet0/1
D EX    5.5.5.3/32 [170/307200] via 24.1.1.4, 00:07:39, Ethernet0/1
R2#

What happens if we replace ACL ok with an extended ACL?

R4(config)#no ip access st ok
R4(config)#ip access ex ok
R4(config-ext-nacl)#permit ip host 5.5.5.1 host 1.1.1.1
R4(config-ext-nacl)#permit ip host 5.5.5.2 host 1.1.1.1
R4(config-ext-nacl)#end
R4#

Observing the routes learned by R2: both 5.5.5.1 and 5.5.5.2 are now learned.

R2#sho ip ro eigrp
     5.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D EX    5.5.5.4/32 [170/307200] via 24.1.1.4, 00:00:43, Ethernet0/1
D EX    5.5.5.1/32 [170/307200] via 24.1.1.4, 00:00:43, Ethernet0/1
D EX    5.5.5.0/24 [170/307200] via 24.1.1.4, 00:00:43, Ethernet0/1
D EX    5.5.5.3/32 [170/307200] via 24.1.1.4, 00:00:43, Ethernet0/1
D EX    5.5.5.2/32 [170/307200] via 24.1.1.4, 00:00:43, Ethernet0/1
R2#

Change it back to a standard ACL:

R4(config)#no ip access ex ok
R4(config)#ip access sta ok
R4(config-std-nacl)#permit host 5.5.5.1
R4(config-std-nacl)#permit host 5.5.5.2
R4(config-std-nacl)#end
R4#

Checking the routes on R2 again: they are under control once more. So an extended ACL is not suitable for matching traffic in a route-map in this form; a standard ACL is sufficient for the match.

R2#sho ip ro eigrp
     5.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX    5.5.5.4/32 [170/307200] via 24.1.1.4, 00:00:22, Ethernet0/1
D EX    5.5.5.0/24 [170/307200] via 24.1.1.4, 00:00:22, Ethernet0/1
D EX    5.5.5.3/32 [170/307200] via 24.1.1.4, 00:00:22, Ethernet0/1
R2#

Note, however, that this does not mean an extended ACL cannot be used for matching at all; we can define it with the any keyword. For example:

R4(config)#ip access-list extended ok
R4(config-ext-nacl)#permit ip host 5.5.5.1 any
R4(config-ext-nacl)#permit ip host 5.5.5.2 any
R4(config-ext-nacl)#end
R4#
R4#sho ip access-lists
Extended IP access list cisco
    10 deny ip host 5.5.5.1 host 1.1.1.1
    20 deny ip host 5.5.5.2 host 1.1.1.1
    30 permit ip 5.5.5.0 0.0.0.255 any (151 matches)
Extended IP access list ok
    10 permit ip host 5.5.5.1 any (4 matches)
    20 permit ip host 5.5.5.2 any (2 matches)

R2#sho ip ro eigrp
     5.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D EX    5.5.5.4/32 [170/307200] via 24.1.1.4, 00:00:25, Ethernet0/1
D EX    5.5.5.0/24 [170/307200] via 24.1.1.4, 00:00:25, Ethernet0/1
D EX    5.5.5.3/32 [170/307200] via 24.1.1.4, 00:00:25, Ethernet0/1
R2#

2. PBR operation test

For traffic from 5.5.5.3 to 1.1.1.1, according to the diagram below, after adding a static route to R1's 1.1.1.1 the path would normally go through R3.

The test is shown below:

R4(config)#do sho ip route 1.1.1.1
Routing entry for 1.1.1.0/24
  Known via "eigrp 1", distance 170, metric 307200, type external
  Redistributing via eigrp 1
  Last update from 24.1.1.2 on Ethernet0/0, 00:00:19 ago
  Routing Descriptor Blocks:
  * 24.1.1.2, from 24.1.1.2, 00:00:19 ago, via Ethernet0/0
      Route metric is 307200, traffic share count is 1
      Total delay is 2000 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

R4(config)# ip route 1.1.1.0 255.255.255.0 34.1.1.3 <<<<<<<<<<<<<<<<<<
R4(config)#do sho ip route 1.1.1.1
Routing entry for 1.1.1.0/24
  Known via "static", distance 1, metric 0
  Redistributing via eigrp 1
  Routing Descriptor Blocks:
  * 34.1.1.3
      Route metric is 0, traffic share count is 1

R4(config)#

Now run traceroute tests on R5 (note that 5.5.5.1 and 5.5.5.2 are not advertised into EIGRP, so later we do not choose them for the PBR that sends traffic to R1's 1.1.1.1 via R2):

R5#traceroute 1.1.1.1 so 5.5.5.1

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 45.1.1.4 12 msec 28 msec 16 msec
  2 34.1.1.3 32 msec 48 msec 44 msec
  3 13.1.1.1 72 msec 56 msec 72 msec
R5#traceroute 1.1.1.1 so 5.5.5.2

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 45.1.1.4 12 msec 20 msec 16 msec
  2 34.1.1.3 44 msec 44 msec 44 msec
  3 13.1.1.1 52 msec 64 msec 64 msec
R5#traceroute 1.1.1.1 so 5.5.5.3

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 45.1.1.4 20 msec 16 msec 20 msec
  2 34.1.1.3 32 msec 40 msec 48 msec
  3 13.1.1.1 72 msec 56 msec 72 msec
R5#traceroute 1.1.1.1 so 5.5.5.4

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 45.1.1.4 20 msec 20 msec 16 msec
  2 34.1.1.3 32 msec 44 msec 40 msec
  3 13.1.1.1 72 msec 52 msec 72 msec
R5#

Now apply PBR to traffic from 5.5.5.3 to R1's 1.1.1.1 so that it goes through R2:

R4(config)#ip access-list extended pbr
R4(config-ext-nacl)# permit ip host 5.5.5.3 host 1.1.1.1
R4(config-route-map)#route-map pbr permit 10
R4(config-route-map)# match ip address pbr
R4(config-route-map)# set ip next-hop 24.1.1.2
R4(config-route-map)#inter e0/2
R4(config-if)#ip policy route-map pbr

Verification: the path from 5.5.5.3 to 1.1.1.1 now goes through R2, while 5.5.5.4 still follows the original path through R3.

R5#traceroute 1.1.1.1 so 5.5.5.3

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 45.1.1.4 16 msec 20 msec 16 msec
  2 24.1.1.2 44 msec 36 msec 48 msec
  3 12.1.1.1 56 msec 56 msec 68 msec
R5#traceroute 1.1.1.1 so 5.5.5.4

Type escape sequence to abort.
Tracing the route to 1.1.1.1

  1 45.1.1.4 24 msec 16 msec 24 msec
  2 34.1.1.3 32 msec 40 msec 44 msec
  3 13.1.1.1 72 msec 56 msec 72 msec
R5#
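The route-map filtering in section 1 and the PBR match in section 2 run the same extended-ACL matcher but hand it different fields, which is why `host 5.5.5.1 host 1.1.1.1` fails to match a redistributed route yet `host 5.5.5.3 host 1.1.1.1` matches a packet under PBR. The Python model below is an added example, not code from the original post; it assumes the documented IOS behaviour that, when a route-map filters routes, the ACL's source field is compared with the route's prefix and its destination field with the route's mask, while PBR compares the packet's real source and destination. The ACL, route-map and route values are taken from the page.

```python
from ipaddress import ip_address, ip_network
ANY = "0.0.0.0/0"  # the 'any' keyword

def acl_match(entries, first, second):
    """First matching entry wins, implicit deny at the end; a standard ACL is an
    extended one whose second field is 'any'."""
    for action, f, s in entries:
        if ip_address(first) in ip_network(f) and ip_address(second) in ip_network(s):
            return action
    return "deny"

def route_map(clauses, acls, first, second):
    """Sequences in order: a matching permit returns its set value, a matching deny
    (or no match at all) returns None."""
    for action, acl_name, set_value in clauses:
        if acl_match(acls[acl_name], first, second) == "permit":
            return set_value if action == "permit" else None
    return None

# Section 1: R4's static routes to R5's loopbacks, and ACL cisco / route-map cisco from the page.
STATIC_ROUTES = ["5.5.5.0/24", "5.5.5.1/32", "5.5.5.2/32", "5.5.5.3/32", "5.5.5.4/32"]
ACL_CISCO = [("deny", "5.5.5.1/32", "1.1.1.1/32"), ("deny", "5.5.5.2/32", "1.1.1.1/32"),
             ("permit", "5.5.5.0/24", ANY)]
OK_VARIANTS = {  # the three versions of ACL ok the page tries
    "standard": [("permit", "5.5.5.1/32", ANY), ("permit", "5.5.5.2/32", ANY)],
    "extended host/host": [("permit", "5.5.5.1/32", "1.1.1.1/32"),
                           ("permit", "5.5.5.2/32", "1.1.1.1/32")],
    "extended host/any": [("permit", "5.5.5.1/32", ANY), ("permit", "5.5.5.2/32", ANY)],
}
RM_CISCO = [("deny", "ok", None), ("permit", "cisco", "advertise")]  # deny 5, permit 10

def redistributed(ok_acl):
    """Routes R4 advertises into EIGRP. ASSUMPTION: while filtering routes the ACL
    sees (prefix, mask), so a 'host 1.1.1.1' destination never matches a mask."""
    acls = {"ok": ok_acl, "cisco": ACL_CISCO}
    advertised = []
    for route in STATIC_ROUTES:
        net = ip_network(route)
        if route_map(RM_CISCO, acls, str(net.network_address), str(net.netmask)) == "advertise":
            advertised.append(route)
    return advertised

# Section 2: the same matcher, but PBR hands it the packet's real source and destination.
ACL_PBR = [("permit", "5.5.5.3/32", "1.1.1.1/32")]
RM_PBR = [("permit", "pbr", "24.1.1.2")]  # set ip next-hop 24.1.1.2
STATIC_NEXT_HOP = "34.1.1.3"  # ip route 1.1.1.0 255.255.255.0 34.1.1.3 on R4

def pbr_next_hop(src, dst):
    """Next hop for a packet entering e0/2: policy first, else the routing table."""
    return route_map(RM_PBR, {"pbr": ACL_PBR}, src, dst) or STATIC_NEXT_HOP
```

Calling `redistributed` with each of the three `OK_VARIANTS` reproduces the three route sets R2 learned above (three, five, then three prefixes), and `pbr_next_hop` reproduces the two traceroute results.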

Additional links:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.pdf

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/49111-route-map-bestp.html