cjh PBR策略路由 2022-12-12 此文章访问量 364

配置策略路由（通过低优先级实现路由选路）示例 (设置动态或者静态路由比策略路由优先)（low-precedence参数）

sw1 2022.12.14.21时42分04秒.txt

sw2_2022.12.14.21时41分40秒.txt

sw3_2022.12.14.21时41分28秒.txt

sw4_2022.12.14.21时41分54秒.txt

（1）拓扑图

图片.png

（2）基本配置

sw1:
vlan batch 2 8 20 55
interface Vlanif1
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif8
ip address 192.168.8.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif55
ip address 192.168.55.254 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
loopback-detect enable
loopback-detect action trap
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 55
loopback-detect enable
loopback-detect action trap
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 8
loopback-detect enable
loopback-detect action trap
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
loopback-detect enable
loopback-detect action trap

图片.png

sw2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 2.2.2.1 255.255.255.0
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 192.168.55.253 255.255.255.0
#
ip route-static 192.168.8.0 255.255.255.0 192.168.55.254
ip route-static 192.168.20.0 255.255.255.0 192.168.55.254
ip route-static 223.5.5.5 255.255.255.255 2.2.2.254
sw3:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 192.168.1.253 255.255.255.0
#
ip route-static 192.168.8.0 255.255.255.0 192.168.1.254
ip route-static 192.168.55.0 255.255.255.0 192.168.1.254
ip route-static 223.5.5.5 255.255.255.255 1.1.1.254

sw4:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 2.2.2.254 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 1.1.1.254 255.255.255.0
#
interface LoopBack1
ip address 223.5.5.5 255.255.255.255
#
acl number 3001
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
#
nqa test-instance 1 1
test-type icmp
destination-address ipv4 1.1.1.1
probe-count 2
source-interface GE1/0/1
frequency 3
start now
#
nqa test-instance 2 2
test-type icmp
destination-address ipv4 2.2.2.1
probe-count 2
source-interface GE1/0/0
frequency 3
#

关于frequency 3

Warning: It is recommended that the frequency be greater than 10. Otherwise, the test result may be incorrect.
警告:建议频率大于10次。否则，可能导致测试结果不正确。

ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 preference 61 track nqa 1 1
ip route-static 192.168.20.0 255.255.255.0 2.2.2.1 preference 61 track nqa 2 2

（3）配置sw1的静态路由并联动nqa，本来是打算配置静态路由+bfd的，但是此交换机不支持bfd

图片.png

华为S5720S-28P-LI-AC确实是不支持的：

图片.png

sw1:
nqa test-instance 1 1
test-type icmp
destination-address ipv4 192.168.1.253
frequency 3
probe-count 2
source-interface GigabitEthernet0/0/1
start now

nqa test-instance 2 2
test-type icmp
destination-address ipv4 192.168.55.253
frequency 3
probe-count 2
source-interface GigabitEthernet0/0/2
start now

ip route-static 0.0.0.0 0.0.0.0 192.168.1.253 preference 61 track nqa 1 1
ip route-static 0.0.0.0 0.0.0.0 192.168.55.253 preference 71 track nqa 2 2

display nqa results test-instance 1 1

图片.png

显示丢包百分百，但是关联此nqa的静态路由能起来。

图片.png

Warning: It is recommended that the frequency be greater than 10. Otherwise, the test result may be incorrect.
警告:建议频率大于10次。否则，可能导致测试结果不正确。
nqa test-instance 1 1
   undo start now
   frequency 11
   start now

重启交换机看下：

图片.png

有星号*号的原因是因为来回路径不一样，如下：

图片.png

PC2 ping PC1是通：

图片.png

（4）配置策略路由

（4.1）配置策略路由：
acl number 3010
rule 5 permit ip source 192.168.20.0 0.0.0.255
#
traffic classifier c1 operator and
if-match acl 3010
#
traffic behavior b1
redirect ip-nexthop 192.168.55.253
#
traffic policy p1
classifier c1 behavior b1
测试：

图片.png

（4.2）添加3011 ACL 上去：结果还是一样。

acl number 3010
rule 5 permit ip source 192.168.20.0 0.0.0.255
acl number 3011
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
#
traffic classifier c1 operator and
if-match acl 3010
if-match acl 3011
#
traffic behavior b1
redirect ip-nexthop 192.168.55.253
#
traffic policy p1
classifier c1 behavior b1

测试：结果还是一样

图片.png

（4.3）修改and成or,结果还是一样：如下：

测试：结果还是一样

图片.png

（4.4）重新修改acl3010: 结果：只能ping通同网段，都ping不通在核心上的其他网段，如下：

traffic classifier c1 operator and
if-match acl 3010
if-match acl 3011
#
return
[sw1-classifier-c1]undo if-match acl 3011

acl number 3010
rule 2 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
rule 5 permit ip source 192.168.20.0 0.0.0.255
traffic classifier c1 operator and
if-match acl 3010
#
traffic behavior b1
redirect ip-nexthop 192.168.55.253
#
traffic policy p1
classifier c1 behavior b1

PC2上ping:

图片.png

pc2 ping同网段的设备，如下：

图片.png

（4.5）

acl number 3010
rule 5 permit ip source 192.168.20.0 0.0.0.255
acl number 3011
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
#
traffic classifier c1 operator and
if-match acl 3010
traffic classifier c2 operator or
if-match acl 3011
#
traffic behavior b1
redirect ip-nexthop 192.168.55.253
traffic behavior b2
redirect ip-nexthop 192.168.1.253
#
traffic policy p1 #按顺序匹配，从上往下
classifier c2 behavior b2
classifier c1 behavior b1

重新修改：

sw1:

acl number 3010
rule 5 permit ip source 192.168.20.0 0.0.0.255
acl number 3011
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
#
traffic classifier c1 operator and
if-match acl 3010
traffic classifier c2 operator or
if-match acl 3011
#
traffic behavior b1
redirect ip-nexthop 192.168.55.253
traffic behavior b2
redirect ip-nexthop 127.0.0.1
#
traffic policy p1
classifier c2 behavior b2 #先让内网之间的流量直接到给核心交换机他自己
classifier c1 behavior b1