Policy-based routing (PBR) applies a policy to decide how packets are forwarded instead of selecting the path from the routing table. Ordinary IP routing is based on the destination address, whereas PBR allows source-based routing: where a packet comes from decides where it is sent, so a special path can be taken when needed. Policy routing can also act on other packet attributes.
Implementing policy-based routing in a network has the following advantages:
1. Source-based provider selection: policy routing lets traffic originating from different user groups leave through different Internet connections.
2. Quality of service: by setting the precedence or TOS value in the IP header on edge routers, and using queuing mechanisms in the network core or backbone to give traffic flows different priorities, different levels of QoS can be provided for different flows.
3. Load balancing: a network administrator can use policy routing to distribute traffic across multiple paths.
4. More flexible network management.
Let us look at an example.
r1 configuration:
interface Loopback0 //simulates subnet 1: 192.168.1.0/24
ip address 192.168.1.1 255.255.255.0 //first simulated host in the subnet
ip address 192.168.1.2 255.255.255.0 secondary //second simulated host in the subnet
!
interface Loopback2 //simulates subnet 2: 192.168.2.0/24
ip address 192.168.2.1 255.255.255.0
ip address 192.168.2.2 255.255.255.0 secondary
!
interface FastEthernet0/0
ip address 12.0.0.1 255.255.255.0
duplex half
!
……
!
router rip //RIP provides basic reachability between the routers
version 2
network 192.168.1.0
network 192.168.2.0
network 12.0.0.0
no auto-summary
r3 configuration:
interface Loopback0 //simulates a destination on the Internet
description to internet
ip address 100.100.100.100 255.255.255.0
!
interface Serial1/0 //simulates the ISP1 access port
ip address 123.0.0.3 255.255.255.0
serial restart-delay 0
!
……
interface Serial1/1 //simulates the ISP2 access port
ip address 223.0.0.3 255.255.255.0
serial restart-delay 0
!
router rip
version 2
network 100.100.100.0
network 123.0.0.0
network 223.0.0.0
no auto-summary
r2 configuration:
interface FastEthernet0/0
ip address 12.0.0.2 255.255.255.0
ip policy route-map isp-test //apply the policy route-map isp-test on this interface to steer traffic
!
……
interface Serial1/0
ip address 123.0.0.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 223.0.0.1 255.255.255.0
serial restart-delay 0
……
router rip
version 2
network 12.0.0.0
network 123.0.0.0
network 223.0.0.0
no auto-summary
……
logging alarm informational
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 100.100.100.100 //ACL 101 filters on source address: permits traffic from subnet 192.168.1.0
access-list 101 permit ip any any //(backup)
access-list 102 permit ip 192.168.2.0 0.0.0.255 host 100.100.100.100 //ACL 102 filters on source address: permits traffic from subnet 192.168.2.0
access-list 102 permit ip any any //(backup)
!
route-map isp-test permit 10 //define a route-map named isp-test, sequence 10
match ip address 101 //check the source address against ACL 101
set ip default next-hop 123.0.0.3 //specify the next-hop address (or: set interface s1/0)
!
route-map isp-test permit 20 //second statement of isp-test, sequence 20
match ip address 102 //check the source address against ACL 102
set ip default next-hop 223.0.0.3 //(or: set interface s1/1)
!
route-map isp-test permit 30 //third statement of isp-test, sequence 30
set default interface Null0 //discard packets that match none of the defined criteria
……
end
Finally, test the result:
R2#sh ip policy //show the applied policy
Interface Route map
Fa0/0 isp-test
R2#sh route-map isp-test //show the configured route-map
route-map isp-test, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
ip default next-hop 123.0.0.3
Policy routing matches: 0 packets, 0 bytes
route-map isp-test, permit, sequence 20
Match clauses:
ip address (access-lists): 102
Set clauses:
ip default next-hop 223.0.0.3
Policy routing matches: 0 packets, 0 bytes
route-map isp-test, permit, sequence 30
Match clauses:
Set clauses:
default interface Null0
Policy routing matches: 0 packets, 0 bytes
========================================================================
R1#traceroute //trace the path
Protocol [ip]:
Target IP address: 100.100.100.100 //destination address
Source address: 192.168.1.1 //source address is the first host in subnet 1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 100.100.100.100
1 12.0.0.2 72 msec 216 msec 276 msec
2 123.0.0.3 288 msec 360 msec * //ISP1 entry point
----------------------------------------------------------------------------------
R1#traceroute
Protocol [ip]:
Target IP address: 100.100.100.100
Source address: 192.168.2.1 //source address is the first host in subnet 2
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 100.100.100.100
1 12.0.0.2 136 msec 40 msec 144 msec
2 223.0.0.3 356 msec * 132 msec //ISP2 entry point
---------------------------------------------------------
The experiment shows that all traffic from subnet 1 (192.168.1.0/24) takes the upper R2-R3 link and therefore ISP1, while all traffic from subnet 2 (192.168.2.0/24) takes the lower R2-R3 link and therefore ISP2. Policy routing can thus implement source-based provider selection and load balancing across the network.
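The match-then-set logic of r2's isp-test route-map, as an added Python model that is not part of the original page: the ACL numbers, subnets and next hops are the page's, while the routing table handed to policy_route is an assumed input used to show when a "default" set clause is bypassed. It also omits the page's "permit ip any any" catch-all entries, because an ACL is evaluated first-match and a catch-all in ACL 101 would make sequence 10 match every packet.

```python
import ipaddress

# Constructed model of r2's isp-test policy (an added illustration, not IOS code).
# ACL entries are (source net, IOS wildcard, destination host); ACLs are first-match.
# The page's "permit ip any any (backup)" entries are left out: with first-match
# evaluation a catch-all in ACL 101 would make sequence 10 match every packet,
# so sequence 20 would never be reached.
ACLS = {
    101: [("192.168.1.0", "0.0.0.255", "100.100.100.100")],
    102: [("192.168.2.0", "0.0.0.255", "100.100.100.100")],
}

# route-map isp-test as (sequence, match ACL or None, (set kind, target)).
ROUTE_MAP = [
    (10, 101, ("default next-hop", "123.0.0.3")),
    (20, 102, ("default next-hop", "223.0.0.3")),
    (30, None, ("default interface", "Null0")),
]

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl_id, src, dst):
    """First-match evaluation of an extended ACL; no matching entry means deny."""
    return any(wildcard_match(src, net, wc) and dst == host
               for net, wc, host in ACLS[acl_id])

def has_explicit_route(dst, routing_table):
    """'set ip default next-hop' / 'set default interface' are used only when the
    routing table has no non-default route to the destination."""
    return any(ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(p)
               for p in routing_table if p != "0.0.0.0/0")

def policy_route(src, dst, routing_table=()):
    """Return (sequence, target) chosen for a packet, or ("table", None) when
    the packet falls through to normal destination-based forwarding."""
    for seq, acl, (kind, target) in ROUTE_MAP:
        if acl is not None and not acl_permits(acl, src, dst):
            continue  # this sequence does not match; try the next one
        if kind.startswith("default") and has_explicit_route(dst, routing_table):
            return ("table", None)
        return (seq, target)
    return ("table", None)
```

Passing a routing table that already holds 100.100.100.0/24 (as RIP would install here) shows the practical caveat: with "default" set clauses the policy is only consulted when the destination has no explicit route, so verify with "show route-map" counters rather than assuming the policy fired.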