PBR(policy-based route,原則型路由)
可根據指定的條件改變路由目地
PBR用法如下
1
在介面上套用route-map
(config-if)# ip [local] policy route-map < map-name>
[local] 讓router本身建立的封包也使用PBR,預設不使用
2
設定route-map的動作
(config)# route-map < map-name> permit
(config-router-map)# match ip address < acl>
(config-router-map)# set < set-action>
< set-action>主要可設定的有以下
set [default] ip next-hop [recursive] < ip1 [ip2 [ip…]]> 到直連網路的ip1位址,若沒有則到ip2,…
recursive:表示到非直連網路的IP
set [default] interface < int1 [int2 [int…]]> 到直連網路的介面1,若沒有則到介面2,…
有default:先以一般IP路由程序,路徑失敗時才使用PBR
無default:先使用PBR,路徑失敗才使用一般IP路由程序
set ip precedence < value>
set ip tos < value>
3
設定符合route-map的參數
(config)#access-list < acl-option>
ps:
route-map預設最後為deny,符合deny的封包會進入一般的ip路由程序
ex:
當封包是從10.1.1.2進入fa0/0到10.1.3.0/24時,就將封包的next-hop改為10.1.10.4
(config)# interface Fa0/0
(config-if)# ip address 10.1.1.5 255.255.255.0
(config-if)# ip policy route-map mapname
!
(config)# route-map mapname permit
(config-route-map)# match ip address 102
(config-route-map)# set ip next-hop 10.1.10.4
!
(config)# access-list 102 permit ip host 10.1.1.2 10.1.3.0 0.0.0.255
…
# show ip policy
Interface Route map
Fa0/0 map1
# show route-map
route-map map1, permit, sequence 10
Match clauses:
ip address (access-lists): 102
Set clauses:
ip next-hop 10.1.10.4
Policy routing matches: 12 packets, 720 bytes
ps:
PBR的policy routing match數量一直沒增加時,可先檢查ACL的log
# debug ip policy
*Sep 13 17:47:31.685: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.90, len 28, policy match
*Sep 13 17:47:31.685: IP: route map mapname, item 10, permit
*Sep 13 17:47:31.685: IP: s=10.1.1.2 (FastEthernet0/0), d=10.1.3.90 (Serial0/0/1),len 28, policy routed
*Sep 13 17:47:31.685: IP: FastEthernet0/0 to Serial0/0/1 10.1.10.4
…………………………
設定路徑追蹤ip sla運作元
當ip sla運作元傳回狀態為ok,使tracking object為up時,該路徑才會運作
1建立追蹤物件
(config)# track < track-id> ip sla < sla-id> [state|reachability]
2設定路徑使用蹤物件
靜態路徑設定方式
(config)# ip route < dst mask> < int|next-hop> track < track-id>
PBR設定方式
(config)# route-map < map-name> permit
(config-route-map)# match ip address < acl>
(config-route-map)# set ip next-hop verify-availability < dst> 1 track < track-id>
延遲設定
(config)# delay < down < sec>|up < sec>>
定義sla狀態變動之後多久時間,才讓tracking object改變其狀態,以防止route flapping
ex:
設定靜態路徑10.1.234.0/24追蹤物件2狀態,而物件2以ip sla 11統計結果決定up或down
(config)# track 2 ip sla 11 state
(config-track)# delay up 90 down 90
(config)# ip route 10.1.200.0 255.255.255.0 s0/0/1 track 2
ex:
當封包是從10.1.1.2進入fa0/0到10.1.3.0/24時,就將封包的next-hop改為10.1.10.4
同時使用物件追蹤2
(config)# interface Fa0/0
(config-if)# ip address 10.1.1.5 255.255.255.0
(config-if)# ip policy route-map map-name
!
(config)# route-map map-name permit
(config-route-map)# match ip address 102
(config-route-map)# set ip next-hop verify-availability 10.1.10.4 1 track 2
!
(config)# access-list 102 permit ip host 10.1.1.2 10.1.3.0 0.0.0.255
# show track
Track 2
IP SLA 11 state //物件2以ip sla 11統計結果決定up或down
State is Up //tracking object目前狀態為up
1 change, last change 01:24:14
Delay up 90 secs, down 90 secs //延遲設定90秒
Latest operation return code: OK //sla最後傳回的狀態為ok
Latest RTT (millisecs) 7
Tracked by:
STATIC-IP-ROUTING 0 //被靜態路徑追蹤
Track 3
IP SLA 12 state //物件3以ip sla 12統計結果決定up或down
State is Down //目前狀態為down
2 changes, last change 00:00:15
Delay up 90 secs, down 90 secs
Latest operation return code: No connection //最後狀態為no connectioin
Tracked by:
ROUTE-MAP 0 //被PBR追蹤
ps:
物件從up到down時會產生以下訊息
*Sep 13 22:51:33.322: %TRACKING-5-STATE: 3 ip sla 12 state Up->Down