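Policy-Based Routing (PBR) Comprehensive Lab
 
Topology
R1 and R2 are connected through a LAN switch; R2 and R3 are connected through a Frame Relay switch. OSPF is enabled on R1, R2 and R3. All interfaces of R1, together with F0/0, F1/0 and L0 of R2, belong to area 1.
S2/0 of R2 and S2/0 of R3 belong to area 0, and L0 and L1 of R3 belong to area 3.
Lab description
Configure PBR on R2 so that ICMP packets of 0 to 200 bytes arriving from R3's L0 interface have their IP precedence set to 2 and are sent to next hop 10.0.0.1. UDP packets arriving from R3's L1 have their IP precedence set to 4 and are sent to next hop 10.0.1.1.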
 
R1
conf t
int l 0
ip ad 1.1.1.1 255.255.255.0
int f 0/0
ip ad 10.0.0.1 255.255.255.0
no shut
int f 1/0
ip ad 10.0.1.1 255.255.255.0
no shut
router ospf 1
router-id 1.1.1.1
net 1.1.1.1 0.0.0.0 a 1
net 10.0.0.1 0.0.0.0 a 1
net 10.0.1.1 0.0.0.0 a 1
end
 
 
R2
conf t
int l 0
ip ad 2.2.2.2 255.255.255.0
int f 0/0
ip ad 10.0.0.2 255.255.255.0
no shut
int f 1/0
ip ad 10.0.1.2 255.255.255.0
no shut
int s2/0
ip ad 10.0.2.2 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.0.2.3 203 b
no shut
exit
router ospf 1
router-id 2.2.2.2
nei 10.0.2.3
net 2.2.2.2 0.0.0.0 a 1
net 10.0.0.2 0.0.0.0 a 1
net 10.0.1.2 0.0.0.0 a 1
net 10.0.2.2 0.0.0.0 a 0
exit
access-list 100 permit  icmp 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 101 permit udp 3.3.30.0 0.0.0.255 1.1.1.0 0.0.0.255
route-map PBR permit 10
match ip address 100
match length 0 200
set ip precedence 2
set ip next-hop 10.0.0.1
exit
route-map PBR permit 20
match ip address 101
set ip precedence 4
set ip next-hop 10.0.1.1
exit
int s2/0
ip policy route-map PBR
end
 
R3
conf t
int l 0
ip ad 3.3.3.3 255.255.255.0
int l 1
ip ad 3.3.30.3 255.255.255.0
int s2/0
ip ad 10.0.2.3 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.0.2.2 302 b
no shut
exit
router ospf 1
nei 10.0.2.2
net 10.0.2.3 0.0.0.0 a 0
net 3.3.3.3 0.0.0.0 a 3
net 3.3.30.3 0.0.0.0 a 3
end
 
 
Verification
Enable debug ip policy on R2.
Run an extended ping and a traceroute on R3.

When the packets sent are 100 bytes:
R3#ping      
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]: 10
Datagram size [100]:                (default is 100 bytes)
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 3.3.3.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 12/41/116 ms
 
R2#debug ip policy 
*Mar 22 12:39:58.047: IP: s=3.3.3.3 (Serial2/0), d=1.1.1.1, len 100, FIB policy match
*Mar 22 12:39:58.047: IP: s=3.3.3.3 (Serial2/0), d=1.1.1.1, g=10.0.0.1, len 100, FIB policy routed
 
When the packets sent are 300 bytes:
R3#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]: 10
Datagram size [100]: 300
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 3.3.3.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 300-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 16/56/140 ms
R2#
*Mar 22 12:41:07.775: IP: s=3.3.3.3 (Serial2/0), d=1.1.1.1, len 300, FIB policy rejected(no match) - normal forwarding

R3#traceroute
Protocol [ip]:
Target IP address: 1.1.1.1
Source address: 3.3.30.3
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 10.0.2.2 88 msec 104 msec 24 msec
  2 10.0.1.1 68 msec *  84 msec
R2#
*Mar 22 12:42:20.795: IP: s=3.3.30.3 (Serial2/0), d=1.1.1.1, len 28, FIB policy match
*Mar 22 12:42:20.795: IP: s=3.3.30.3 (Serial2/0), d=1.1.1.1, g=10.0.1.1, len 28, FIB policy routed
 
R2#sh ip access-list
Extended IP access list 100
    10 permit icmp 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255 (40 matches)
Extended IP access list 101
    10 permit udp 3.3.30.0 0.0.0.255 1.1.1.0 0.0.0.255 (6 matches)
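
The route-map evaluation that the debug output above reflects, modelled in Python as an added example (not part of the original lab): match clauses within one entry are ANDed, entries are tried in sequence order, and a packet that matches none is forwarded normally. The function and variable names are assumptions made for this sketch; the ACLs, length range, precedence values and next hops are copied from R2's configuration.

```python
from ipaddress import ip_address, ip_network

# ACLs from R2's configuration: (protocol, source network, destination network).
ACLS = {
    100: ("icmp", ip_network("3.3.3.0/24"), ip_network("1.1.1.0/24")),
    101: ("udp", ip_network("3.3.30.0/24"), ip_network("1.1.1.0/24")),
}

# route-map PBR entries in sequence order; "length" is the optional match length range.
ROUTE_MAP = [
    {"seq": 10, "acl": 100, "length": (0, 200), "precedence": 2, "next_hop": "10.0.0.1"},
    {"seq": 20, "acl": 101, "length": None, "precedence": 4, "next_hop": "10.0.1.1"},
]


def acl_permits(acl_id, proto, src, dst):
    """True when the packet matches the single permit line of the ACL."""
    acl_proto, src_net, dst_net = ACLS[acl_id]
    return proto == acl_proto and ip_address(src) in src_net and ip_address(dst) in dst_net


def policy_route(proto, src, dst, length):
    """Return (seq, precedence, next_hop) of the first matching entry, or None."""
    for entry in ROUTE_MAP:
        # Every match clause of one entry must hold (logical AND).
        if not acl_permits(entry["acl"], proto, src, dst):
            continue
        if entry["length"] is not None:
            low, high = entry["length"]
            if not low <= length <= high:
                continue
        return entry["seq"], entry["precedence"], entry["next_hop"]
    return None  # no entry matched: the packet follows the normal routing table


# Constructed from the three tests in the verification section (lengths as logged by R2).
SAMPLES = [
    ("icmp", "3.3.3.3", "1.1.1.1", 100),
    ("icmp", "3.3.3.3", "1.1.1.1", 300),
    ("udp", "3.3.30.3", "1.1.1.1", 28),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", policy_route(*pkt) or "normal forwarding")
```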