Applying PBR (Policy-Based Routing)

  1. Project topology and requirements

[Figure 1: project topology]

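Requirements: An enterprise network has three exits that connect to the carrier networks through AR1, AR2 and AR3. AR1 is a 10-gigabit exit, while AR2 and AR3 are gigabit exits. The following requirement must be met:

  • Traffic from VLAN 10 must be forced to use AR1 as its service exit, while VLAN 20 uses load-sharing mode on AR1 to reach the public network through all three exits at the same time.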

  2. Configuration steps
    1. IP address planning and configuration

Device   Interface     IP address
AR1      G0/0/0        10.0.14.1/24
AR1      G0/0/1        10.0.15.1/24
AR2      G0/0/0        10.0.24.1/24
AR2      G0/0/1        10.0.25.1/24
AR3      G0/0/0        10.0.34.1/24
AR3      G0/0/1        10.0.35.1/24
AR4      G0/0/0        10.0.14.4/24
AR4      G0/0/1        10.0.24.4/24
AR4      G0/0/2        10.0.34.4/24
AR4      Loopback 0    4.4.4.4/32
AR5      G0/0/0        10.0.15.5/24
AR5      G0/0/1        10.0.25.5/24
AR5      G0/0/2        10.0.35.5/24
AR5      E0/0/1        10.0.100.5/24
LSW1     Vlanif 1      10.0.100.10/24
LSW1     Vlanif 10     10.0.10.254/24
LSW1     Vlanif 20     10.0.20.254/24

    2. Configuring switch LSW1

[LSW1]vlan batch 10 20

[LSW1]interface g0/0/1

[LSW1-GigabitEthernet0/0/1]port link-type access

[LSW1-GigabitEthernet0/0/1]port default vlan 10

[LSW1-GigabitEthernet0/0/1]interface g0/0/2

[LSW1-GigabitEthernet0/0/2]port link-type access

[LSW1-GigabitEthernet0/0/2]port default vlan 20

[LSW1-GigabitEthernet0/0/2]quit

[LSW1]interface Vlanif 1

[LSW1-Vlanif1]ip address 10.0.100.10 24

[LSW1-Vlanif1]quit

[LSW1]interface Vlanif 10

[LSW1-Vlanif10]ip address 10.0.10.254 24

[LSW1-Vlanif10]quit

[LSW1]interface Vlanif 20

[LSW1-Vlanif20]ip address 10.0.20.254 24

[LSW1-Vlanif20]quit

    3. OSPF configuration

AR1

[AR1]ospf

[AR1-ospf-1]area 0

[AR1-ospf-1-area-0.0.0.0]network 10.0.15.0 0.0.0.255

AR2

[AR2]ospf

[AR2-ospf-1]area 0

[AR2-ospf-1-area-0.0.0.0]network 10.0.25.0 0.0.0.255

             

AR3

[AR3]ospf

[AR3-ospf-1]area 0

[AR3-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255

AR5

[AR5]ospf

[AR5-ospf-1]area 0

[AR5-ospf-1-area-0.0.0.0]network 10.0.100.0 0.0.0.255

[AR5-ospf-1-area-0.0.0.0]network 10.0.15.0 0.0.0.255

[AR5-ospf-1-area-0.0.0.0]network 10.0.25.0 0.0.0.255

[AR5-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255

Checking the OSPF neighbor table on AR5 shows that the adjacencies have been established successfully.

[AR5]display ospf peer brief

         OSPF Process 1 with Router ID 10.0.100.5

                  Peer Statistic Information

 ----------------------------------------------------------------------------

 Area Id          Interface                        Neighbor id      State   

 0.0.0.0          GigabitEthernet0/0/0             10.0.14.1        FuLL       

 0.0.0.0          GigabitEthernet0/0/1             10.0.24.2        FuLL       

 0.0.0.0          GigabitEthernet0/0/2             10.0.34.3        FuLL       

 ----------------------------------------------------------------------------

[AR5]

      

LSW1 configuration

[LSW1]ospf

[LSW1-ospf-1]area  0

[LSW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255

[LSW1-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

[LSW1-ospf-1-area-0.0.0.0] network 10.0.100.0 0.0.0.255

    4. Default route configuration

AR1

[AR1]ip route-static 0.0.0.0 0 10.0.14.4

[AR1]ospf

[AR1-ospf-1]default-route-advertise  // advertise the default route into OSPF

AR2

[AR2]ip route-static 0.0.0.0 0 10.0.24.4

[AR2]ospf

[AR2-ospf-1]default-route-advertise

AR3

[AR3]ip route-static 0.0.0.0 0 10.0.34.4

[AR3]ospf

[AR3-ospf-1]default-route-advertise

    5. Checking the routing table on AR5

[AR5]display ip routing-table

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 13       Routes : 15      

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   10.0.15.1       GigabitEthernet0/0/0

                    O_ASE   150  1           D   10.0.25.2       GigabitEthernet0/0/1

                    O_ASE   150  1           D   10.0.35.3       GigabitEthernet0/0/2

      10.0.10.0/24  OSPF    10   2           D   10.0.100.10     Ethernet0/0/0

      10.0.15.0/24  Direct  0    0           D   10.0.15.5       GigabitEthernet0/0/0

      10.0.15.5/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0

      10.0.20.0/24  OSPF    10   2           D   10.0.100.10     Ethernet0/0/0

      10.0.25.0/24  Direct  0    0           D   10.0.25.5       GigabitEthernet0/0/1

      10.0.25.5/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1

      10.0.35.0/24  Direct  0    0           D   10.0.35.5       GigabitEthernet0/0/2

      10.0.35.5/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2

     10.0.100.0/24  Direct  0    0           D   10.0.100.5      Ethernet0/0/0

     10.0.100.5/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/0

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0

      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

The output shows that AR5 has three default routes.

    6. NAT configuration

AR1

[AR1]acl 2000

[AR1-acl-basic-2000]rule permit source any

[AR1-acl-basic-2000]quit

[AR1]interface g0/0/0

[AR1-GigabitEthernet0/0/0]nat outbound 2000

[AR1-GigabitEthernet0/0/0]quit

AR2

[AR2]acl 2000

[AR2-acl-basic-2000]rule permit source any

[AR2-acl-basic-2000]quit

[AR2]interface g0/0/0

[AR2-GigabitEthernet0/0/0]nat outbound 2000

[AR2-GigabitEthernet0/0/0]quit

AR3

[AR3]acl 2000

[AR3-acl-basic-2000]rule permit source any

[AR3-acl-basic-2000]quit

[AR3]interface g0/0/0

[AR3-GigabitEthernet0/0/0]nat outbound 2000

[AR3-GigabitEthernet0/0/0]quit

    7. Testing network connectivity


The end devices can now reach the external network.

    8. Deploying policy-based routing

AR5

[AR5]acl 3000

[AR5-acl-adv-3000]rule permit ip source 10.0.10.0 0.0.0.255 destination any

[AR5-acl-adv-3000]quit

[AR5]policy-based-route 1 permit node 10

[AR5-policy-based-route-1-10]if-match acl 3000

[AR5-policy-based-route-1-10]apply ip-address next-hop 10.0.15.1

[AR5-policy-based-route-1-10]quit

[AR5]interface e0/0/0

[AR5-Ethernet0/0/0]ip policy-based-route 1

    9. Testing policy-based routing

On AR5, raise the OSPF cost of interface g0/0/0:

[AR5]interface g0/0/0

[AR5-GigabitEthernet0/0/0]ospf cost 100

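Although the next hop in the routing table is no longer through G0/0/0, traffic is still forwarded according to the PBR configuration.

Ping 4.4.4.4 from PC1 and capture packets on interface g0/0/0 of AR5.

The capture shows that the packets are all sent from AR5's g0/0/0 interface toward 4.4.4.4.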
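The forwarding decision this test demonstrates can be modelled offline. The following is an added example, not part of the original lab: it reproduces AR5's lookup order (PBR on the bound interface first, then the routing table) using the addresses from the configuration above. The per-flow hash, the two-route table after the cost change, and the fall-through when the PBR next hop is unreachable are assumptions of the model.

```python
import ipaddress
import zlib

# Constructed model of AR5; addresses are taken from the page's configuration.
ACL_3000 = ipaddress.ip_network("10.0.10.0/24")   # rule permit ip source 10.0.10.0 0.0.0.255
PBR_IFACE = "Ethernet0/0/0"                       # interface carrying "ip policy-based-route 1"
PBR_NEXT_HOP = "10.0.15.1"                        # apply ip-address next-hop 10.0.15.1
DEFAULTS_BEFORE = ["10.0.15.1", "10.0.25.2", "10.0.35.3"]  # three equal-cost O_ASE defaults
DEFAULTS_AFTER = ["10.0.25.2", "10.0.35.3"]       # assumed table after "ospf cost 100" on g0/0/0


def forward(src, dst, in_iface, defaults, reachable=frozenset(DEFAULTS_BEFORE)):
    """Return (decision, next_hop) for one packet entering AR5."""
    # 1. PBR is checked first, and only on the interface it is bound to.
    if in_iface == PBR_IFACE and ipaddress.ip_address(src) in ACL_3000:
        # Assumption: an unreachable PBR next hop falls through to normal routing.
        if PBR_NEXT_HOP in reachable:
            return "pbr", PBR_NEXT_HOP
    # 2. Otherwise the routing table decides; equal-cost defaults share the flows.
    if not defaults:
        return "drop", None
    # Assumption: a hash of (src, dst) stands in for the router's ECMP hash.
    idx = zlib.crc32(f"{src}>{dst}".encode()) % len(defaults)
    return "route", defaults[idx]


def exits_used(subnet_prefix, defaults, hosts=range(1, 60)):
    """Next hops used by flows from many hosts of one VLAN toward 4.4.4.4."""
    return {forward(f"{subnet_prefix}.{h}", "4.4.4.4", PBR_IFACE, defaults)[1]
            for h in hosts}


if __name__ == "__main__":
    print("vlan10 before cost change:", exits_used("10.0.10", DEFAULTS_BEFORE))
    print("vlan10 after cost change :", exits_used("10.0.10", DEFAULTS_AFTER))
    print("vlan20 before cost change:", sorted(exits_used("10.0.20", DEFAULTS_BEFORE)))
    print("vlan20 after cost change :", sorted(exits_used("10.0.20", DEFAULTS_AFTER)))
```

VLAN 10 stays pinned to 10.0.15.1 in both tables, while VLAN 20 follows whatever default routes the table currently holds.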
