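As shown, B4 is now forwarding packets based on B1's source address. Note: this cannot be verified with the Record option, because Record logs hops according to the forwarding interface in the routing table.
Check B4's logging output: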
*Mar 1 00:58:00.179: IP: s=.1 (Serial1), d=3.3.3.3, len 28, policy match
*Mar 1 00:58:00.183: IP: route map to-B9, item 10, permit
*Mar 1 00:58:00.187: IP: s=.1 (Serial1), d=3.3.3.3 (Serial0), len 28, policy routed
*Mar 1 00:58:00.191: IP: Serial1 to Serial0 .3
*Mar 1 00:58:00.239: IP: s=.1 (Serial1), d=255.255.255.255, len 67, policy rejected -- normal forwarding
*Mar 1 00:58:03.243: IP: s=.1 (Serial1), d=255.255.255.255, len 67, policy rejected -- normal forwarding
*Mar 1 00:58:06.247: IP: s=.1 (Serial1), d=255.255.255.255, len 67, policy rejected -- normal forwarding
*Mar 1 00:58:09.251: IP: s=.1 (Serial1), d=255.255.255.255, len 67, policy rejected -- normal forwarding
*Mar 1 00:58:12.255: IP: s=.1 (Serial1), d=255.255.255.255, len 67, policy rejected -- normal forwarding
*Mar 1 00:58:15.259: IP: s=.1 (Serial1), d=255.255.255.255, len 67, policy rejected -- normal forwarding
*Mar 1 00:58:18.259: IP: s=.1 (Serial1), d=3.3.3.3, len 28, policy match
*Mar 1 00:58:18.263: IP: route map to-B9, item 10, permit
*Mar 1 00:58:18.263: IP: s=.1 (Serial1), d=3.3.3.3 (Serial0), len 28, pol
*Mar 1 00:58:18.267: IP: Serial1 to Serial0 .3
*Mar 1 00:58:18.303: IP: s=.1 (Serial1), d=3.3.3.3, len 28, policy match
*Mar 1 00:58:18.307: IP: route map to-B9, item 10, permit
*Mar 1 00:58:18.311: IP: s=.1 (Serial1), d=3.3.3.3 (Serial0), len 28, policy routed
*Mar 1 00:58:18.315: IP: Serial1 to Serial0 .3
Next, we further verify the return path on B9:
B9#traceroute
Protocol [ip]:
Target IP address: .1
Source address: .3
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to .1
1 213.1.1.2 16 msec 16 msec 20 msec
2 .1 36 msec 36 msec *
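As shown, the return path still goes through the Ethernet interface. If traffic from B1 to B9 is required to return along the same path (through B9's Serial 0), PBR (Policy-Based Routing) is used in the same way, and must be configured on B9: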
B4(config)#access-list 10 permit .0 0.0.0.255
Reference the access list in a route-map and set the next hop:
B4(config)#route-map to-B1
B4(config-route-map)#match ip address 10
B4(config-route-map)#set ip next-hop .2
Apply the policy on the interface:
B4(config)#interface loop 0
B4(config-if)#ip policy route-map to-B9
This configuration will not take effect: packets generated by the router itself are not policy-routed by default.
B9#traceroute
Protocol [ip]:
Target IP address: .1
Source address: .3
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to .1
1 213.1.1.2 4 msec 4 msec 4 msec
2 .1 28 msec 24 msec *
A command must be enabled so that the router applies policy routing to the packets it generates itself.
B9#traceroute
Protocol [ip]:
Target IP address: .3
Source address: .1
% Invalid source address
B9#t
B9#tr
B9#traceroute
Protocol [ip]:
Target IP address: .1
Source address: .3
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to .1
1 .2 8 msec 8 msec 12 msec
2 .1 32 msec 28 msec *
The above verifies source-IP-based policy routing. When a packet does not match the policy, it is still forwarded according to the routing table.
B4#ping
Protocol [ip]:
Target IP address: .3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: .1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to .3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
Then check B4's logging. The entries below are for packets outside the policy's match range, which are still forwarded the normal way:
B4#show logging
*Mar 1 01:35:10.335: IP: s=.1 (Serial1), d=3.3.3.3 (Ethernet0), len 100, policy rejected -- normal forwarding
*Mar 1 01:35:10.395: IP: s=.1 (Serial1), d=3.3.3.3 (Ethernet0), len 100, policy rejected -- normal forwarding
*Mar 1 01:35:10.447: IP: s=.1 (Serial1), d=3.3.3.3 (Ethernet0), len 100, policy rejected -- normal forwarding
*Mar 1 01:35:10.503: IP: s=.1 (Serial1), d=3.3.3.3 (Ethernet0), len 100, policy rejected -- normal forwarding
*Mar 1 01:35:10.555: IP: s=.1 (Serial1), d=3.3.3.3 (Ethernet0), len 100, policy rejected -- normal forwarding
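Once applied on an interface, policy routing takes precedence over the routing table when forwarding packets. Even if the routing table has no matching route entry, policy routing alone can still forward the packets normally.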
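The forwarding decision this lab walks through, as a small Python model added here (it is not part of the original lab and is not router code). All addresses except 3.3.3.3 are constructed because the lab's own are truncated, and the `local_policy` field stands in for the setting the lab leaves unnamed, assumed here to be `ip local policy route-map`.

```python
import ipaddress

def acl_permits(src, acl):
    """Standard ACL: permit when src matches a (network, wildcard) entry."""
    s = int(ipaddress.ip_address(src))
    for net, wildcard in acl:
        # Bits that are 0 in the wildcard mask must match exactly.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.ip_address(net)) & care:
            return True
    return False  # implicit deny at the end of the list

def rib_lookup(dst, rib):
    """Longest-prefix match over (prefix, next_hop) pairs; None when no route."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib]
    hits = [h for h in hits if d in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(router, src, dst, in_if=None):
    """Return (decision, next_hop); in_if=None means the router originated the packet."""
    if in_if is None:
        rmap = router.get("local_policy")      # assumed: ip local policy route-map
    else:
        rmap = router["if_policy"].get(in_if)  # ip policy route-map on the ingress interface
    # The policy is consulted before the routing table, so a match wins
    # even when the table has no route to dst. Simplification: next-hop
    # reachability is not modelled.
    if rmap and acl_permits(src, rmap["acl"]):
        return ("policy routed", rmap["next_hop"])
    nh = rib_lookup(dst, router["rib"])
    return ("normal forwarding", nh) if nh else ("dropped", None)

# Constructed values: route-map matching 10.1.1.0 0.0.0.255, applied on Serial1.
RMAP = {"acl": [("10.1.1.0", "0.0.0.255")], "next_hop": "10.0.34.3"}
ROUTER = {"if_policy": {"Serial1": RMAP}, "local_policy": None,
          "rib": [("3.3.3.0/24", "10.0.49.9")]}

if __name__ == "__main__":
    cases = [("10.1.1.1", "Serial1"), ("10.2.2.1", "Serial1"), ("10.1.1.1", None)]
    for src, in_if in cases:
        print(src, in_if or "local", forward(ROUTER, src, "3.3.3.3", in_if))
```

The third case is the one the lab trips over: a locally originated packet from a matching source is still forwarded by the routing table until a local policy is set.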