How do I apply PBR (policy-based routing) on a 3850 switch interface?

D_W (Level 1)

I don't know what is wrong with the command that applies it:
g_core(config)#ip access-list extended hkbn

g_core(config-ext-nacl)#10 permit ip 10.105.20.13 0.0.0.0
% Incomplete command.

g_core(config-ext-nacl)#10 permit ip 10.105.20.13 0.0.0.0 any
g_core(config-ext-nacl)#exit

g_core(config)#route-map hkbn permit 10
g_core(config-route-map)#match ip address hkbn
g_core(config-route-map)#set ip next-hop 192.168.233.254

g_core(config)#int gig1/0/1
g_core(config-if)#ip route-cache policy hkbn out
^
% Invalid input detected at '^' marker.

2 Accepted Solutions

Accepted solution

I don't quite follow the requirement. By "allow 20 to reach 10.0.0.0", do you mean that traffic from 10.105.20.0/24 to 10.0.0.0/8 should not match the route-map?

If that is the requirement, you only need to adjust the mask on the deny entry: write the destination address in the ACL as 10.0.0.0 0.255.255.255.

If I have misunderstood, please describe the requirement in more detail.

19 replies

Hello,

PBR is applied on the interface with the following command:

ip policy route-map PBR

For example:

g_core(config)#int gig1/0/1

g_core(config-if)#ip policy route-map PBR

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

There is no ip policy option?


g_core(config-if)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
admission Apply Network Admission Control
arp Configure ARP features
auth-proxy Apply authenticaton proxy
ddns Configure dynamic DNS
dhcp Configure DHCP parameters for this interface
flow NetFlow related commands
header-compression IPHC options
igmp IGMP interface commands
nbar Network-Based Application Recognition
rsvp RSVP Interface Commands
rtp RTP parameters
verify verify

dg_core(config-if)#ip

Check the 3850's software version and feature set. As the note below says, PBR requires the IP Services feature set.

Policy-based routing (PBR) allows superior control by facilitating flow redirection regardless of the routing
protocol configured. Virtual routing and forwarding (VRF)-Lite enables a service provider to support two or
more VPNs, with overlapping IP addresses. The IP Services feature set is required.

Rps-Cheers

Where can I check whether the feature is supported?

g_core#sh ver
Cisco IOS XE Software, Version 16.12.07
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 02-Feb-22 07:28 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 5.08, RELEASE SOFTWARE (P)

g_core uptime is 38 weeks, 3 days, 11 hours, 11 minutes
Uptime for this control processor is 38 weeks, 3 days, 11 hours, 14 minutes
System returned to ROM by Power Failure or Unknown at 09:33:34 UTC Mon Jul 25 2022
System image file is "flash:packages.conf"
Last reload reason: Power Failure or Unknown

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
ipservicesk9 Smart License ipservicesk9
None Subscription Smart License None

Smart Licensing Status: UNREGISTERED/EVAL EXPIRED

cisco WS-C3850-24T (MIPS) processor (revision AC0) with 794816K/6147K bytes of memory.
Processor board ID FCW2151F0FD
12 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
250456K bytes of Crash Files at crashinfo:.
252000K bytes of Crash Files at crashinfo-2:.
1609272K bytes of Flash at flash:.
1611414K bytes of Flash at flash-2:.
0K bytes of WebUI ODM Files at webui:.

Base Ethernet MAC Address : cc:8e:71:30:88:00
Motherboard Assembly Number : 73-16297-05
Motherboard Serial Number : FOC215056PX
Model Revision Number : AC0
Motherboard Revision Number : B0
Model Number : WS-C3850-24T
System Serial Number : FCW2151F0FD

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24T 16.12.07 CAT3K_CAA-UNIVERSALK9 INSTALL
2 32 WS-C3850-24T 16.12.07 CAT3K_CAA-UNIVERSALK9 INSTALL

Switch 02
---------
Switch uptime : 38 weeks, 3 days, 11 hours, 16 minutes

Base Ethernet MAC Address : 50:1c:b0:f4:f1:00
Motherboard Assembly Number : 73-16297-05
Motherboard Serial Number : FOC215056B7
Model Revision Number : AC0
Motherboard Revision Number : B0
Model Number : WS-C3850-24T
System Serial Number : FOC2151L0K2
Last reload reason : Power Failure or Unknown

Configuration register is 0x102

ilay (VIP)

1. It must be applied on a Layer 3 interface: either a port configured with no switchport, or a VLAN interface.

2. Where to apply it: on the device doing the policy, apply it on the Layer 3 interface closest to the source address. If you apply it on the egress interface, the packet may already have been looked up in the routing table and forwarded directly.

PBR on the 3850 is not directly tied to licensing; it should be usable directly.

[image: Snipaste_2024-03-19_16-24-03.png]

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-12/configuration_guide/rtng/b_1612_rtng_3850_cg/configuring_protocol_independent_features.html#r_restrictions-for-configuring-pbr


D_W (Level 1)

I applied it on a Layer 3 interface, but hosts in the 20 subnet still can't reach 192.168.233.254.


policy-map hkbn

ip access-list extended hkbn
10 permit ip any 10.105.20.0 0.0.0.255

route-map hkbn permit 10
match ip address hkbn
set ip next-hop 192.168.233.254

interface GigabitEthernet1/0/1
no switchport
no ip address
ip policy route-map hkbn

There is no IP address on the G1/0/1 interface either.

The ACL is also written incorrectly; refer to the configuration example below.

[image: Snipaste_2024-03-20_11-28-57.png]

As shown in the figure above, the core switch has three address ranges, VLANs 20 to 22, with .1 in each subnet as the gateway address. The core switch connects to two Internet uplinks, HGC and HKBN (addresses in the figure).

Requirement: addresses in VLAN 22 must use the HKBN line and everything else the HGC line (failover is not considered for now).

Approach: point the default route at HGC, then use PBR to steer VLAN 22 addresses to HKBN.

1. Create the VLANs and VLAN interfaces and configure IP addresses

vlan 20-22
!
int vlan 20
 ip add 10.105.20.1 255.255.255.0
!
int vlan 21
 ip add 10.105.21.1 255.255.255.0
!
int vlan 22
 ip add 10.105.22.1 255.255.255.0
!

The interface configuration towards the routers is omitted; see the figure for the IP addresses.

2. Configure the default route pointing at HGC

ip route 0.0.0.0 0.0.0.0 192.168.222.254

3. Configure PBR so that VLAN 22 uses HKBN

3.1 Configure the ACL used by the route-map

ip access-list ex hkbn-acl
 deny ip 10.105.22.0 0.0.0.255 10.105.0.0 0.0.255.255   // filter out 10 -> 10 internal private-address traffic so it is not matched
 permit ip 10.105.22.0 0.0.0.255 any
!

3.2 Configure the route-map

route-map to-hkbn permit 10
 des policy vlan 22 traffic to hkbn
 match ip address hkbn-acl
 set ip next-hop 192.168.223.254
!

3.3 Apply the route-map on the interface

int vlan 22
 ip policy route-map to-hkbn
!

That completes the whole configuration.
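The following Python model is an added example, not configuration from this thread or from Cisco. It reproduces the decision the core-switch configuration above makes: the wildcard-mask ACL feeds the route-map, the route-map is only evaluated for packets entering the interface that carries ip policy route-map, and anything it does not match (including packets hitting the deny entry) falls back to the routing table. The deny entry is what keeps internal 10.x traffic from being handed to the ISP next hop. It also covers the later question about reaching other internal 10. subnets by building a second switch whose deny entry uses the widened destination 10.0.0.0 0.255.255.255, as the other accepted reply suggests. Assumptions: the string "connected" stands in for directly attached subnets, and the model checks neither next-hop reachability nor the return path on the HKBN router.

```python
"""Model of the PBR decision on the core switch (added example, not the thread's own config)."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def acl_permits(acl, src: str, dst: str) -> bool:
    """Extended ACL semantics: first matching entry wins, implicit deny at the end.
    Entries are (action, src_base, src_wildcard, dst_base, dst_wildcard)."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def route_lookup(rib, dst: str):
    """Longest-prefix match over (prefix, next_hop) pairs: the normal forwarding path."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def next_hop(switch, ingress: str, src: str, dst: str):
    """Next hop for a packet that enters `ingress`.

    PBR runs only for packets arriving on an interface configured with
    `ip policy route-map`; a deny in the ACL (or no policy at all) means the
    packet is forwarded from the routing table instead."""
    policy = switch["interfaces"].get(ingress, {}).get("policy")
    if policy:
        rm = switch["route_maps"][policy]
        if acl_permits(switch["acls"][rm["match"]], src, dst):
            return rm["set_next_hop"]  # set ip next-hop
    return route_lookup(switch["rib"], dst)


ANY = ("0.0.0.0", "255.255.255.255")


def build_core(deny_dst_base: str, deny_dst_wildcard: str):
    """Core switch from the answer: default route to HGC, Vlan22 policy-routed to HKBN.
    The deny entry's destination is a parameter so the two masks discussed in the
    thread (0.0.255.255 vs 0.255.255.255) can be compared."""
    return {
        "acls": {"hkbn-acl": [
            ("deny", "10.105.22.0", "0.0.0.255", deny_dst_base, deny_dst_wildcard),
            ("permit", "10.105.22.0", "0.0.0.255", *ANY),
        ]},
        "route_maps": {"to-hkbn": {"match": "hkbn-acl",
                                   "set_next_hop": "192.168.223.254"}},
        "rib": [
            ("0.0.0.0/0", "192.168.222.254"),   # ip route 0.0.0.0 0.0.0.0 -> HGC
            ("10.105.20.0/24", "connected"),    # SVI subnets ("connected" is a stand-in)
            ("10.105.21.0/24", "connected"),
            ("10.105.22.0/24", "connected"),
        ],
        # Only Vlan22 carries `ip policy route-map to-hkbn`; the uplink port
        # GigabitEthernet1/0/1 has no policy (and, in the thread, no address).
        "interfaces": {"Vlan20": {}, "Vlan21": {},
                       "Vlan22": {"policy": "to-hkbn"},
                       "GigabitEthernet1/0/1": {}},
    }


CORE = build_core("10.105.0.0", "0.0.255.255")       # ACL as written in the answer
CORE_WIDE = build_core("10.0.0.0", "0.255.255.255")  # deny widened to all of 10/8

if __name__ == "__main__":
    cases = [  # constructed sample packets (ingress, src, dst)
        (CORE, "Vlan22", "10.105.22.10", "8.8.8.8"),              # Internet -> HKBN via PBR
        (CORE, "Vlan22", "10.105.22.10", "10.105.20.5"),          # deny -> RIB -> connected
        (CORE, "Vlan20", "10.105.20.10", "8.8.8.8"),              # no policy -> HGC default
        (CORE, "GigabitEthernet1/0/1", "10.105.22.10", "8.8.8.8"),  # policy on wrong iface
        (CORE, "Vlan22", "10.105.22.10", "10.20.30.40"),          # other 10/8 site leaks to HKBN
        (CORE_WIDE, "Vlan22", "10.105.22.10", "10.20.30.40"),     # widened deny -> RIB
    ]
    for sw, iface, src, dst in cases:
        print(f"{iface:22} {src} -> {dst}: {next_hop(sw, iface, src, dst)}")
```

The fourth case is the situation from earlier in the thread: with the policy on Vlan22 but the packet arriving on GigabitEthernet1/0/1, PBR never runs and the packet takes the default route. The last two cases show why the narrower deny (10.105.0.0 0.0.255.255) sends traffic for other 10.x sites to the HKBN router, while the widened deny keeps it on the normal routing table.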

 

D_W (Level 1)

Configuring an IP address on the G1/0/1 Layer 3 interface gives "% 192.168.233.0 overlaps with Vlan233". I had previously set up a VLAN on the 3850 and could also ping the 192.168.233.254 gateway (vlan233 is in the same subnet as 192.168.233.254).

interface Vlan20
ip address 10.105.20.1 255.255.255.0
ip policy route-map hkbn
!
interface Vlan233
ip address 192.168.233.1 255.255.255.0

g_core(config-if)#ip address 192.168.233.5 255.255.255.0
% 192.168.233.0 overlaps with Vlan233
g_core(config-if)#do sh ru int gig1/0/1
Building configuration...

Current configuration : 68 bytes
!
interface GigabitEthernet1/0/1
no switchport
no ip address
end

g_core(config-if)#switchport
g_core(config-if)#switchport mode acc
g_core(config-if)#switchport acc vlan 233
g_core(config-if)#do ping 192.168.233.254
Type escape sequence to abort.
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/4 ms

 

interface Vlan233
ip address 192.168.233.1 255.255.255.0

g_core(config-if)#ip address 192.168.233.5 255.255.255.0
% 192.168.233.0 overlaps with Vlan233

 

The Vlan233 interface already has an address in the 192.168.233.0/24 range, so no other interface on the same device can be configured with an IP in that subnet. This is normal behaviour; that error is expected.

From the part of the configuration you pasted, I can't tell what other problem there is.

If there is still an issue, describe the basic topology, the requirement, and the current configuration again.

D_W (Level 1)

After applying hkbn on the g1/0/1 interface, users get an IP automatically and can ping the 10.105.20.1 subnet gateway and 192.168.233.2, but 192.168.233.254 can't be pinged.

[image: D_W_0-1710990911139.png]

1. The route-map only needs to be applied on the Vlan20 interface; g1/0/1 does not need it.

2. If the ping fails, check whether the HKBN router has a route to 10.105.20.0/24; most likely the return route is missing, which is why ICMP fails.

3. I suggest adding, at the front of the ACL referenced by the route-map, deny entries from 10.105.20.0/24 to the other internal addresses in 10.105.0.0/16, so that this traffic does not match the PBR.

D_W (Level 1)

With the ACL below referenced by the route-map, external Internet access works, but internally only the 10.105.0.0 range is reachable; the other internal 10. subnets can't be reached. Is there a way to reach the internal 10. subnets?

ip access-list extended hkbn
10 deny ip 10.105.20.0 0.0.0.255 10.105.0.0 0.0.255.255 
20 permit ip 10.105.20.0 0.0.0.255 any

D_W (Level 1)

Hello,

With next hop 192.168.223.254, some websites can't be reached. How can I add a second next hop, 192.168.224.254, so that when the first hop can't reach a site it automatically fails over to the second?

Configure the route-map

route-map to-hkbn permit 10
 des policy vlan 22 traffic to hkbn
 match ip address hkbn-acl
 set ip next-hop 192.168.223.254

That cannot be done this way.

PBR can only steer traffic from a defined source address, or traffic matching a source/destination rule, to one of the exits on the device. In other words, once the device hands the packet to the next-hop device it no longer cares about it; it has no way to detect application-level access failures.

Such application-level failures usually require manual intervention and testing by the administrator: capture the IPs of the sites that can't be reached, define a new policy by hand, and set its next hop to the other line. That barely solves the access problem, and it is inflexible: once a site's resolved IP changes, the PBR entry has to be maintained by hand again, which is tedious.

Some traffic-control appliances can build policies on domain names and so offer domain-based PBR; you only need to maintain the relevant domain records. But the clients' DNS requests have to pass through the appliance, so that has its limits too.

Either way, automatic switching cannot be achieved.