Edit: added the full router configuration.
I have a Cisco 2921. It learns its routing table via EIGRP and has no static default route configured, and I want to keep it that way. The default route (learned from EIGRP) is another device on my network, which goes out over a Metro ENS link. When this particular router receives traffic from host 192.168.2.5, I want to give it a default route out this router's ISP connection (3.3.3.1). It isn't working; does anyone know why this route-map doesn't work?
Traffic from my host arrives on interface GigabitEthernet0/1, and I want it to exit via the ISP on interface GigabitEthernet0/0 (the IP in the route-map is the default gateway provided by my ISP). Interface gi0/0 also has a VPN tunnel configured to my main site, which is more of a backup link, but I don't think that is a problem (or is it?)
I have verified that the access list on interface gig0/0 is not blocking any traffic from this host.
I ran debug ip policy and debug ip packet and got nothing. This tells me that whenever I try to reach this device from the Internet it never touches interface gi0/1 at all. I can see the traffic reaching gig0/0, but never gig0/1.
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname name
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.155-3.M7.bin
boot-end-marker
!
!
card type t1 0 0
logging buffered 58192
enable secret
enable password
!
aaa new-model
!
!
aaa authentication
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
process cpu threshold type total rising 75 interval 5
process cpu statistics limit entry-percentage 100 size 50000
clock timezone EST -5 0
clock summer-time EDT recurring
no network-clock-participate wic 0
!
!
!
!
!
!
no ip source-route
ip options drop
!
!
!
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip flow-cache timeout active 1
no ip bootp server
ip domain name
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint ssssssssssssssssssssss
enrollment selfsigned
subject-name sssssssssssssssssssssssssssssssssssssss
revocation-check none
rsakeypair ssssssssssssssssssssssssss
!
!
crypto pki certificate chain TP-self-signed-sssssssssssssss
certificate self-signed 01
jjjjjjjjjjjj
ddddddddddd
eeeeeeeeeee
quit
license udi pid CISCO2921/K9 sn FGL171511XH
!
!
memory reserve critical 10024
memory free low-watermark processor 599187
memory free low-watermark IO 599187
!
redundancy
!
!
!
!
!
controller T1 0/0/0
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
cablelength long 0db
channel-group 0 timeslots 1-24
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 ip sla 3 reachability
!
track 100 list boolean or
object 1
object 2
object 3
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key KEY address 1.1.1.1
crypto isakmp key KEY address 2.2.2.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROF-1
set transform-set ESP-AES-256-SHA
!
!
!
crypto map HA_SERVICES 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set ESP-AES-128-SHA1
set pfs group2
match address HASERVICES_DR
!
!
!
!
!
interface Loopback0
description Management Int
ip address
!
interface Tunnel1
ip address 10.254.254.2 255.255.255.252
tunnel source 3.3.3.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile IPSEC-PROF-1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet
ip address 3.3.3.2 255.255.255.248
ip access-group BLOCKEDIN in
no ip redirects
no ip unreachables
ip directed-broadcast 100
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default
duplex auto
speed auto
no lldp transmit
no lldp receive
crypto map HA_SERVICES
!
interface GigabitEthernet0/1
ip address 172.31.2.7 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
ip policy route-map NVR
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface Serial0/0/0:0
no ip address
encapsulation ppp
shutdown
ppp multilink
!
interface Serial0/0/1:0
no ip address
encapsulation ppp
shutdown
ppp multilink
!
!
router eigrp 100
distribute-list Tunnel-Out out Tunnel1
network 10.2.2.22 0.0.0.0
network 10.254.254.0 0.0.0.3
network 172.31.2.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.2.5 3.3.3.4
ip route 10.0.0.0 255.248.0.0 172.31.2.1 200
ip route 10.1.1.39 255.255.255.255 172.31.2.1
ip route 10.1.1.73 255.255.255.255 172.31.2.1
ip route 1.1.1.1 255.255.255.255 3.3.3.1
ip route 172.31.0.0 255.255.248.0 172.31.2.1 200
ip route 192.168.0.0 255.255.248.0 172.31.2.1 200
ip ssh time-out 60
ip ssh version 2
!
ip access-list standard Tunnel-Out
permit 10.2.2.2
permit 10.2.2.22
permit 10.2.200.0 0.0.0.255
permit 172.31.2.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
!
ip access-list extended BLOCKEDIN
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
deny tcp any any eq ftp
deny ip any any option any-options
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host 3.3.3.4 eq www
permit tcp any host 3.3.3.4 eq 5445
deny tcp any any eq www
deny tcp any any eq 2002
deny tcp any any eq 4002
deny tcp any any eq 6002
deny tcp any any eq 9002
permit ip any any
ip access-list extended HASERVICES_DR
permit ip 172.31.2.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.2.100.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NAT_ACL
permit ip 10.2.200.0 0.0.0.255 any
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 10.2.100.0 0.0.0.255 any
permit ip 172.31.2.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/1
ip sla auto discovery
ip sla 1
icmp-echo 8.19.112.154
threshold 3000
timeout 3000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.19.112.193
threshold 3000
timeout 3000
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.19.203.193
threshold 3000
timeout 3000
frequency 5
ip sla schedule 3 life forever start-time now
!
route-map NVR permit 10
match ip address 5
set ip default next-hop 3.3.3.1
!
route-map BGP-Community permit 10
set community 13697114
!
!
access-list 5 permit 192.168.2.5
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.1.4.0 0.0.0.255
access-list 23 deny any log
!
radius server
address ipv4 auth-port 1645 acct-port 1646
timeout 30
key
!
!
!
control-plane
!
!
no vstack
!
line con 0
exec-timeout 5 0
authorization exec CONSOLE
logging synchronous
login authentication CONSOLE
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 4 59
privilege level 15
password 7 13353701181B54382F
logging synchronous
login authentication VTYLOGIN
transport input ssh
transport output ssh
line vty 5 15
access-class 23 in
exec-timeout 4 59
privilege level 15
password 7 01232617481C561D25
logging synchronous
login authentication VTYLOGIN
transport input ssh
transport output ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 5
scheduler allocate 20000 1000
ntp server prefer
!
end
I used ip default next-hop because I want it to look at the routing table first (for DNS, AD, and internal traffic that is accessed locally) and then, as a last resort, use this route out to the Internet. For testing I added a static route 0.0.0.0/0 ab.ac.ab.ax and everything worked fine. But I don't want the other devices that send traffic through this router to know that there is a path to the Internet. I only want this particular host to be able to use this local ISP link. That is why I am using PBR. Everything else that hits this router goes out the VPN tunnel configured on gi0/0 to the other location.
Posted on 2018-02-23 17:33:14
If you are learning the other sites' networks from EIGRP, then PBR is something to avoid.
Packets for destinations that are not in the routing table are dropped. The default route matches anything else. If you do not have a default route, traffic sent to unknown locations is dropped. If you are learning the default route via EIGRP, then you need a better default route in the local router. That requires static configuration.
Unlike consumer-grade routers, business-grade routers require a default route to be configured for Internet traffic. A business-grade router does not automatically assume that it is connected to the public Internet.
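As an added example, not code from the question, the answer, or Cisco: a small Python model of how the route-map NVR above picks an egress next hop under `set ip default next-hop` versus `set ip next-hop`, over a routing table constructed from the static routes in the configuration plus an EIGRP-learned default. It assumes the Cisco-documented semantics that `default next-hop` consults the routing table first and treats only the 0.0.0.0/0 entry as "no route", and it assumes 172.31.2.1 as the EIGRP default's next hop, which the question does not name.

```python
"""Model of how a Cisco policy route-map with 'set ip next-hop' versus
'set ip default next-hop' picks an egress next hop.  Added example, not the
router's own code or Cisco's implementation.  Assumption (Cisco-documented
semantics): 'default next-hop' consults the routing table first and uses the
PBR next hop only when no route other than 0.0.0.0/0 matches the destination."""
import ipaddress

# Constructed routing table based on the static routes in the question, plus an
# EIGRP-learned default via the Metro ENS neighbour. 172.31.2.1 as that
# neighbour is an assumption; the question does not name it.
RIB = [
    ("0.0.0.0/0",      "172.31.2.1", "EIGRP"),
    ("10.0.0.0/13",    "172.31.2.1", "static"),
    ("10.1.1.39/32",   "172.31.2.1", "static"),
    ("1.1.1.1/32",     "3.3.3.1",    "static"),
    ("172.31.0.0/21",  "172.31.2.1", "static"),
    ("192.168.0.0/21", "172.31.2.1", "static"),
    ("172.31.2.0/24",  "connected",  "connected"),
]

def lookup(dst, exclude_default=False):
    """Longest-prefix match over RIB; optionally skip the 0.0.0.0/0 entry.
    Returns (network, next_hop, source) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, source in RIB:
        net = ipaddress.ip_network(prefix)
        if exclude_default and net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, source)
    return best

def policy_route(src, dst, set_clause="default next-hop", pbr_next_hop="3.3.3.1"):
    """Egress next hop for a packet entering Gi0/1 under route-map NVR.
    set_clause is 'next-hop' or 'default next-hop'; 'DROP' means no route."""
    if src != "192.168.2.5":               # access-list 5 permit 192.168.2.5
        route = lookup(dst)                # not matched: normal forwarding
        return route[1] if route else "DROP"
    if set_clause == "next-hop":           # PBR decides before any RIB lookup
        return pbr_next_hop
    # default next-hop: an explicit (non-default) route wins; PBR is last resort
    route = lookup(dst, exclude_default=True)
    return route[1] if route else pbr_next_hop

if __name__ == "__main__":
    for dst in ("198.51.100.7", "10.1.1.39", "1.1.1.1"):
        print(dst, "->", policy_route("192.168.2.5", dst),
              "| other host ->", policy_route("172.31.2.50", dst))
```

Under this model an Internet destination from 192.168.2.5 goes to 3.3.3.1 only because nothing more specific than the default matches, while 10.1.1.39 still follows its static route; switching the clause to plain `next-hop` would send even that traffic to the ISP.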
https://networkengineering.stackexchange.com/questions/48601