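Study notes for the router part of CCNP
This post was last edited by miucat on 2023-9-23 23:54
Because of the system's post size limit, the figures could not be included; please download the original attachment directly.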
========================================
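IP routing principles

Administrative distance (AD value)

1. Set the classful route lookup mode
Router(config)#no ip classless
Router(config)#no ip cef
2. Set the classless route lookup mode
Router(config)#ip classless

Classful and classless routing protocols
Protocol classification
1. Classful routing protocols: RIPv1, IGRP
2. Classless routing protocols: OSPF, EIGRP, IS-IS, BGP, etc.
3. The fundamental difference: whether update messages carry the network mask

Static routes
1. Static route pointing to a next hop
Router(config)# ip route 192.168.10.0 255.255.255.0 192.168.1.1
2. Static route bound to an outgoing interface
Router(config)# ip route 192.168.10.0 255.255.255.0 fa 0/0
//This entry is installed in the routing table as a directly connected network
//If the outgoing interface is a broadcast interface, this may place extra load (ARP) on the nodes attached to it
3. Floating static route
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.12.2
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.13.3 10
//Set the AD at the same time as the static route is configured

1) Configure R1
R1(config)#ip route 0.0.0.0 0.0.0.0 10.5.115.1
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.253 10
2) Configure R2
R2(config)#ip route 0.0.0.0 0.0.0.0 10.5.116.1
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.254 10

R1(config)# ip route 0.0.0.0 0.0.0.0 202.101.100.2
R1(config)# ip route 192.168.0.0 255.255.0.0 192.168.254.1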

EIGRP

Metric calculation
1. Bandwidth
2. Delay
3. Reliability
4. Load
5. MTU

BW = 10^7 / 1544 * 256 = 6476 (fraction dropped) * 256 = 1657856
DLY = 20000/10 * 256 + 5000/10 * 256 = 640000
Metric = 640000 + 1657856 = 2297856

DUAL (Diffusing Update Algorithm)
Key terms:
1. Successor
2. Feasible distance (FD)
3. Feasible successor (FS)
4. Advertised distance (AD)
5. Feasibility condition (FC)

EIGRP basic configuration
1. Basic configuration
Router(config)# router eigrp autonomous-system
Router(config-router)# network network-number
Example:
Router(config)# router eigrp 90
Router(config-router)# network 192.168.10.0 0.0.0.255
2. Check how EIGRP is running
Router# show ip eigrp neighbors
Router# show ip eigrp topology
Router# show ip route eigrp
Router# show ip protocols
Router# show ip eigrp traffic
Router# show ip eigrp interface

Passive-interface configuration
1. Configure a passive interface
Router(config-router)#passive-interface {type number | default}
Example:
Router(config-router)#passive-interface default
Router(config-router)#passive-interface S1/0

EIGRP default route
1. Declare a network in the routing table as the default network
Router(config)# ip default-network network-number
Example:
Router(config)# ip default-network 192.168.20.0
2. Advertise the specified network number to the other routers
Router(config-router)# network network-number
Example:
Router(config-router)# network 192.168.20.0

EIGRP route summarization
1. Disable automatic summarization
Router(config-router)# no auto-summary
2. Configure manual summarization
Router(config-if)#ip summary-address eigrp as-number address mask [admin-distance]
Example:
Router(config-if)#ip summary-address eigrp 90 172.16.0.0 255.255.248.0 20
Note: a route summarized with ip summary-address eigrp has a default AD of 5
Figure: (in the attachment)
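
EIGRP load balancing
1. Equal-cost load balancing
1) Configure the maximum number of equal-cost paths
Router(config-router)# maximum-paths maximum-path
Example:
Router(config-router)# maximum-paths 10
Note: by default IP traffic is balanced across 4 equal-cost paths; the maximum is 16
2. Unequal-cost load balancing
1) Configure the variance multiplier to enable unequal-cost load balancing
Router(config-router)# variance multiplier
Example:
Router(config-router)# variance 4
Note: the multiplier defaults to 1 and ranges from 1 to 128. The route must be loop-free (that is, AD < FD min), and FD <= FD min x multiplier.
Figure: (in the attachment)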
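
Added example (not part of the original notes): the metric calculation and the variance rule above, worked in Python. The candidate paths via R3 and R4 and all advertised distances are constructed sample values, and the function names are assumptions of this example.

```python
def eigrp_metric(min_bandwidth_kbps, delays_usec):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1).

    min_bandwidth_kbps: lowest interface bandwidth on the path, in kbit/s.
    delays_usec: delay of each outgoing interface on the path, in microseconds.
    """
    bw = (10**7 // min_bandwidth_kbps) * 256        # fraction dropped before scaling
    dly = sum(d // 10 for d in delays_usec) * 256   # delay counted in tens of usec
    return bw + dly


# Constructed sample: three neighbors offer a path to the same destination.
# "distance" is the metric through that neighbor, "advertised" is the
# distance the neighbor itself reports (AD in the notes).
CANDIDATES = [
    {"via": "R2", "distance": eigrp_metric(1544, [20000, 5000]), "advertised": 1657856},
    {"via": "R3", "distance": 4000000, "advertised": 2000000},
    {"via": "R4", "distance": 3000000, "advertised": 2500000},
]


def feasible_successors(candidates):
    """Neighbors that are not the successor but satisfy AD < FD min."""
    fd_min = min(c["distance"] for c in candidates)
    return [c["via"] for c in candidates
            if c["distance"] > fd_min and c["advertised"] < fd_min]


def load_balancing_paths(candidates, variance=1, maximum_paths=4):
    """Paths installed for a given variance, best first.

    Applies the two conditions as written in the notes:
    AD < FD min (loop-free) and FD <= FD min x multiplier.
    """
    if not 1 <= variance <= 128:
        raise ValueError("variance multiplier must be between 1 and 128")
    if not 1 <= maximum_paths <= 16:
        raise ValueError("maximum-paths must be between 1 and 16")
    fd_min = min(c["distance"] for c in candidates)
    usable = [c for c in candidates
              if c["distance"] == fd_min
              or (c["advertised"] < fd_min and c["distance"] <= fd_min * variance)]
    usable.sort(key=lambda c: c["distance"])
    return [c["via"] for c in usable[:maximum_paths]]


if __name__ == "__main__":
    print("metric via R2:", eigrp_metric(1544, [20000, 5000]))
    print("feasible successors:", feasible_successors(CANDIDATES))
    for v in (1, 2):
        print("variance", v, "->", load_balancing_paths(CANDIDATES, variance=v))
```

R4 is never used, even though its distance is lower than R3's, because the distance it advertises is not below FD min.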

EIGRP authentication
1. Routers use two types of authentication
1) Simple password authentication: IS-IS, OSPF, RIPv2
2) MD5 authentication: OSPF, BGP, EIGRP, RIPv2
2. EIGRP MD5 authentication configuration
1) Define the key chain
key chain name-of-chain
key key-id
key-string text
accept-lifetime start-time {infinite | end-time | duration seconds}
send-lifetime start-time {infinite | end-time | duration seconds}
Example:
Router1(config)#key chain kc
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string 123456
2) Associate the key chain
ip authentication key-chain eigrp autonomous-system name-of-chain
Example:
Router1(config-if)# ip authentication key-chain eigrp 90 kc
3) Enable authentication
ip authentication mode eigrp autonomous-system md5
Example:
ip authentication mode eigrp 90 md5

Optimizing an EIGRP deployment
1. Configure an EIGRP stub router
Router(config-router)# eigrp stub [ receive-only | connected | static | summary | redistributed ]
Example:
Router(config-router)# eigrp stub static redistributed
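
Multi-area OSPF: concepts and deployment

OSPF basics review
OSPF packets are encapsulated directly in IP, protocol number 89.
Multicast addresses: all OSPF routers: 224.0.0.5; DR/BDR: 224.0.0.6
Administrative distance of OSPF: 110

DR and BDR
1. DR election comparison order:
1) Interface priority: the higher the number, the better
2) Router ID: the higher, the better
3) Non-preemptive
2. When OSPF runs on a Layer 3 Ethernet interface, the DR/BDR election can be skipped by setting the OSPF network type
Switch(config-if)#ip ospf network point-to-point

OSPF cost
1. OSPF interface cost = reference bandwidth (10^8) / interface bandwidth
2. Change the reference bandwidth
Router(config-router)#auto-cost reference-bandwidth <reference bandwidth in Mbit/s>
Example:
Router(config-router)#auto-cost reference-bandwidth 1000
3. Set the interface cost manually
Router(config-if)# ip ospf cost 100
4. Change the interface bandwidth in order to change the cost
Router(config-if)#bandwidth 100000
5. View the OSPF cost of an interface
Router#sh ip ospf interface S1/0

Multi-area OSPF
1. OSPF process and network advertisement
Router(config)#router ospf process-id
Router(config-router)#router-id ip-address
Router(config-router)# network ip-address wildcard-mask area area-id
Example:
Router(config)#router ospf 110
Router(config-router)#router-id 2.2.2.2
Router(config-router)# network 10.0.12.0 0.0.0.255 area 0
2. Verifying the OSPF configuration
Router#show ip ospf                  Shows the OSPF router ID, OSPF timers and LSA information
Router#show ip ospf interface S1/0   Shows the various timers and adjacencies
Router#show ip route ospf            Shows the OSPF routes the router has learned
Router#show ip protocols             Shows IP routing protocol parameters
Router#debug ip ospf events          Shows OSPF-related events
Router#debug ip ospf adj             Traces adjacencies being established and torn down
Router#debug ip ospf packet          Shows the OSPF packets in transit
3. Controlling the DR and BDR election: set the interface priority
Router(config-if)#ip ospf priority 10

OSPF network types
1. OSPF network types include the following
Point-to-point
Broadcast
Non-broadcast
NBMA (RFC)
P2MP (RFC)
P2MP nonbroadcast (Cisco)
Broadcast (Cisco)
P2P (Cisco)
2. OSPF mode chosen on NBMA networks
1) On a Frame Relay multipoint subinterface, the default OSPF mode is non-broadcast
2) On a point-to-point Frame Relay subinterface, the default OSPF mode is point-to-point
3) On a Frame Relay multipoint subinterface, the default OSPF mode is non-broadcast
3. Configure the OSPF network mode
Router(config-if)#ip ospf network [{broadcast | non-broadcast | point-to-multipoint | point-to-point}]
Example:
Router(config-if)#ip ospf network point-to-point
4. Running OSPF over NBMA networks (to be completed)
1) Method 1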
R2(config)#interface serial 0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#ip ospf network broadcast
2) Method 2
R2(config)#interface serial 0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#ip ospf network non-broadcast

R2(config)#router ospf 110
R2(config-router)#network 202.101.100.0 0.0.0.255 area 0
R2(config-router)#neighbor 202.101.100.1 priority 0
R2(config-router)#neighbor 202.101.100.3
3) Method 3
R2(config)#interface Serial0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#ip ospf network point-to-multipoint

R2(config)#router ospf 100
R2(config-router)#network 202.101.100.0 0.0.0.255 area 0

R3(config)#interface Serial0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#ip ospf network point-to-multipoint
R3(config-if)#ip ospf priority 0

OSPF comprehensive lab

OSPF LSAs and special areas in detail

LSA types in detail
1. View the LSDB:
Router#show ip ospf database

OSPF area types and LSA flooding scope

OSPF special area configuration
1. Stub area configuration
R2(config-router)#area 1 stub
R1(config-router)#area 1 stub
2. Totally stub area configuration
R2(config-router)#area 1 stub no-summary
R2(config-router)#area 1 default-cost 10
R1(config-router)#area 1 stub
3. NSSA configuration
R2(config-router)#area 1 nssa default-information-originate
R1(config-router)# area 1 nssa
Note: the NSSA configuration does not supply a default route automatically; the default-information-originate keyword has to be added
4. Totally NSSA configuration
R2(config-router)#area 1 nssa no-summary
R1(config-router)# area 1 nssa
//Note: the totally NSSA configuration supplies a default route automatically
5. View OSPF area information
Router1#sh ip ospf 110 database ?
  adv-router        Advertising Router link states
  asbr-summary      ASBR summary link states
  database-summary  Summary of database
  external          External link states
  network           Network link states
  nssa-external     NSSA External link states
  opaque-area       Opaque Area link states
  opaque-as         Opaque AS link states
  opaque-link       Opaque Link-Local link states
  router            Router link states
  self-originate    Self-originated link states
  summary           Network summary link states
  |                 Output modifiers
6. View OSPF information
Router#sh ip ospf

OSPF advanced features and configuration

Passive-interface
1. passive-interface configuration
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface S1/0

Injecting an OSPF default route
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.12.2
Router(config-router)#default-information originate
Note: a valid default route must exist. The always keyword can be added to lift that restriction:
default-information originate always

OSPF route summarization
1. Summarization of routes within an area
R3(config-router)# area 2 range 172.16.0.0 255.255.0.0 cost 15000
2. External route summarization
R1(config-router)# summary-address 10.1.0.0 255.255.0.0

Virtual-link
1. Create a virtual link
R3(config-router)# area area-id virtual-link router-id] [ | ]
Example:
R2(config-router)#area 2 virtual-link 3.3.3.3
R3(config-router)#area 2 virtual-link 2.2.2.2
2. Verify the virtual link
Router#show ip ospf virtual-link
Router#show ip ospf neighbor
Router#show ip ospf database
Router#debug ip ospf adj

OSPF authentication
1. OSPF authentication (plaintext)
1) Interface authentication
Router(config-if)# ip ospf authentication-key 123456
Router(config-if)# ip ospf authentication
2) Area authentication
Router(config-if)# ip ospf authentication-key 123456
Router(config-router)# area 1 authentication
2. OSPF authentication (MD5 message digest)
1) Interface authentication
Router(config-if)# ip ospf message-digest-key key-id md5 key
Router(config-if)# ip ospf authentication message-digest
Example:
Router(config-if)# ip ospf message-digest-key 1 md5 abcdefgh
Router(config-if)# ip ospf authentication message-digest
2) Area authentication
Router(config-if)# ip ospf message-digest-key key-id md5 key
Router(config-router)# area 0 authentication message-digest
Example:
Router(config-if)# ip ospf message-digest-key 1 md5 abcdefgh
Router(config-router)# area 0 authentication message-digest
3. OSPF virtual-link authentication (plaintext)
R1(config-router)# area 0 authentication
R1(config-router)# area 1 virtual-link 3.3.3.3 authentication-key 123456

R3(config-router)# area 0 authentication
R3(config-router)# area 1 virtual-link 1.1.1.1 authentication-key 123456
4. Check and verify OSPF authentication
Router#show ip ospf neighbor
Router#show ip ospf interface
Router#debug ip ospf obj
Router#debug ip ospf adj

A small point about the OSPF process ID
Different OSPF processes on the same router do not share routing information automatically; the routes have to be redistributed between them.

Route redistribution (Redistribute Routing Protocols)

Basic concepts of route redistribution
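
Key points when implementing route redistribution
1. Route feedback: produces suboptimal paths
2. Metric values of the various routing protocols

Protocol redistributed into    Default seed metric
RIP                            0, treated as infinity
IGRP/EIGRP                     0, treated as infinity
OSPF                           1 for BGP, 20 for other routes; the metric is kept unchanged between OSPF processes
IS-IS                          0
BGP                            The BGP metric is set to the IGP metric

Note: after routes are redistributed into RIP/EIGRP the default metric is 0, which is treated as infinity. That means the route is invalid. A non-zero metric has to be set manually so that the route is usable for forwarding.

Implementing route redistribution
1. Redistributing OSPF into RIP
Router(config)#router rip
Router(config-router)#redistribute ospf 110 metric 3
2. Redistributing OSPF into EIGRP
Router(config)#router eigrp 90
Router(config-router)#redistribute ospf 110 metric 100000 1000 255 1 1500
3. Redistributing EIGRP into OSPF
Router(config)#router ospf 1
Router(config-router)#redistribute eigrp 100 subnets
Note: subnets includes the subnets; without the subnets keyword only major networks such as 172.16.0.0 are redistributed

Routing Policy

Passive-interface
1. How passive-interface behaves in each routing protocol
RIP/IGRP: on the specified interface, routing updates are not sent but are still received
EIGRP: on the specified interface, Hello messages are not sent, no adjacency is formed with other routers through this interface, and no other EIGRP traffic is sent
OSPF: on the specified interface, Hello messages are not sent, no adjacency is formed with other routers through this interface, and routing information is neither sent nor received. (In some IOS versions, OSPF sends Hello and DBD packets on a passive interface but does not send LSUs.)
2. Configuring passive-interface
1) Make one interface passive
Router(config-router)# passive-interface int-type int-num
Example:
Router(config-router)# passive-interface f0/1
2) Make all interfaces passive, then activate specific interfaces manually
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface int-type int-num
Example:
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface S1/0
3) passive-interface with RIP unicast updates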
R1(config)#router rip
R1(config-router)# passive-interface fast 0/0
R1(config-router)# neighbor 192.168.123.2

R2(config)#router rip
R2(config-router)# passive-interface fast 0/0
R2(config-router)# neighbor 192.168.123.1
4) passive-interface with EIGRP unicast updates (in practice it is neither needed nor usable for EIGRP unicast updates)
In an EIGRP environment that needs unicast updates, the interface carrying the routing updates must not be made passive (unlike RIP); simply specify the neighbor with the neighbor command. Once the interface is passive, the EIGRP neighbor relationship cannot form even if the neighbor is specified manually.

Controlling the administrative distance (AD)
1. Change the AD of OSPF
Router(config-router)# distance AD ip-src(router-id) wildmask access-list
Example:
Router(config-router)# distance 150 2.2.2.2 0.0.0.0 1

Router(config-router)# distance ospf external ad1 inter-area ad2 intra-area ad3
//external = type 5, inter-area = type 3, intra-area = type 1
Example:
Router(config-router)# distance ospf external 200 inter-area 150 intra-area 100
2. Change the AD of EIGRP
Router(config-router)# distance AD ip-src wildmask access-list
Example:
Router(config-router)# distance 150 10.1.12.2 0.0.0.0 1
Router(config-router)# distance eigrp internal-distance external-distance
Example:
Router(config-router)# distance eigrp 100 200
3. Change the AD of RIP
Router(config-router)# distance AD ip-src wildmask access-list
Example:
Router(config-router)# distance 150 10.1.12.2 0.0.0.0 1
4. Example of steering routes by adjusting a routing protocol's AD
5. Adjusting the AD to fix suboptimal paths and feedback in two-point, two-way redistribution (to be completed later)
R3(config)#access-list 10 permit 192.168.35.0
R3(config)#access-list 10 permit 192.168.45.0
R3(config)#access-list 10 permit 5.5.5.0

R3(config)#router ospf 110
R3(config-router)#distance 125 1.1.1.1 0.0.0.0 10

R4(config)#access-list 10 permit 192.168.35.0
R4(config)#access-list 10 permit 192.168.45.0
R4(config)#access-list 10 permit 5.5.5.0

R4(config)#router ospf 110
R4(config-router)#distance 125 1.1.1.1 0.0.0.0 10
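
Route-map
1. Route-map configuration
1) Available match statements
match ip address          Matches an access list or prefix list
match length              Matches on the Layer 3 length of the packet
match interface           Matches routes whose next-hop outgoing interface is one of the specified interfaces
match ip next-hop         Matches routes whose next-hop address is permitted by the specified access list
match metric              Matches routes with the specified metric
match route-type          Matches routes of the specified type
match community           Matches a BGP community
match tag                 Matches on the route's tag
2) Available set statements
set metric                Sets the routing protocol metric
set metric-type           Sets the metric type for the destination routing protocol
set default interface     Specifies how such packets are sent
set interface             Specifies how such packets are sent
set ip default next-hop   Specifies the next hop for forwarding
set ip next-hop           Specifies the next hop for forwarding
set next-hop              Specifies the next-hop address; sets the BGP next hop
set as-path
set community
set local-preference
set weight
set origin
set tag
Note: the default keyword has lower priority than a specific route
3) Route-map configuration syntax
4) Route-map configuration example: setting the metric during redistribution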
R2(config)#access-list 1 permit 192.168.1.0
R2(config)#access-list 1 permit 192.168.2.0
R2(config)#access-list 2 permit 192.168.3.0

R2(config)#route-map test permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#set metric 2
R2(config)#route-map test permit 20
R2(config-route-map)#match ip address 2
R2(config-route-map)#set metric 3

R2(config)#router rip
R2(config-router)#redistribute ospf 110 route-map test
5) Route-map configuration example 2: setting the metric while redistributing static routes to influence route selection, so that traffic is split by destination address
R1 configuration
R1(config)#ip route 10.1.1.0 255.255.255.0 10.1.254.1
R1(config)#ip route 10.1.2.0 255.255.255.0 10.1.254.1
!
R1(config)#access-list 1 permit 10.1.1.0
R1(config)#access-list 2 permit 10.1.2.0
!
R1(config)#route-map miucat permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#set metric 10
R1(config)#route-map miucat permit 20
R1(config-route-map)#match ip address 2
R1(config-route-map)#set metric 20
!
R1(config)#router ospf 110
R1(config-router)#redistribute static route-map miucat

R2 configuration
R2(config)#ip route 10.1.1.0 255.255.255.0 10.1.254.5
R2(config)#ip route 10.1.2.0 255.255.255.0 10.1.254.5
!
R2(config)#access-list 1 permit 10.1.1.0
R2(config)#access-list 2 permit 10.1.2.0
!
R2(config)#route-map miucat permit 10
R2(config-route-map)#match ip address 1
R2(config-route-map)#set metric 20
R2(config)#route-map miucat permit 20
R2(config-route-map)#match ip address 2
R2(config-route-map)#set metric 10
!
R2(config)#router ospf 110
R2(config-router)#redistribute static route-map miucat
6) Route-map configuration example 3: using a route-map to fix feedback and suboptimal paths in two-point, two-way redistribution
RouterA configuration
RouterA(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RouterA(config)#route-map OSPF_into_RIP deny 10
RouterA(config-route-map)#match ip address 1
RouterA(config)#route-map OSPF_into_RIP permit 20
RouterA(config)#router rip
RouterA(config-router)#redistribute ospf 110 route-map OSPF_into_RIP
RouterA(config)#router ospf 110
RouterA(config-router)#redistribute rip subnets

RouterB configuration
RouterB(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RouterB(config)#route-map OSPF_into_RIP deny 10
RouterB(config-route-map)#match ip address 1
RouterB(config)#route-map OSPF_into_RIP permit 20
RouterB(config)#router rip
RouterB(config-router)#redistribute ospf 110 route-map OSPF_into_RIP
RouterB(config)#router ospf 110
RouterB(config-router)#redistribute rip subnets

Distribute-list
1. distribute-list configuration
1) Distribute list in the out direction
Router(config-router)#distribute-list {access-list-number | name} out ]
Example:
Router(config-router)#distribute-list 1 out f0/1
2) Distribute list in the in direction
Router(config-router)# distribute-list | in ]
Example:
Router(config-router)#distribute-list 1 in f0/0
3) Configuration example 1 (single routing protocol, RIP), out direction
R2(config)# access-list 1 deny 192.168.3.0
R2(config)# access-list 1 permit any
R2(config)# router rip
R2(config-router)# distribute-list 1 out fa 1/0
4) Configuration example 2 (single routing protocol, RIP), in direction
R2(config)# access-list 1 deny 192.168.3.0
R2(config)# access-list 1 permit any
R2(config)# router rip
R2(config-router)# distribute-list 1 in fa0/0
3) Configuration example 3 (single routing protocol, OSPF), in direction
R2(config)# access-list 1 deny 192.168.3.0
R2(config)# access-list 1 permit any
R2(config)# router ospf 110
R2(config-router)# distribute-list 1 in fa0/0
Note: because OSPF routers exchange LSAs, the distribute-list blocks the 192.168.3.0 route on R2 but does not stop R3 from learning that route from the LSA.
4) Configuration example 4 (single routing protocol, OSPF), out direction
R2(config)# access-list 1 deny 192.168.3.0
R2(config)# access-list 1 permit any
R2(config)# router ospf 1
R2(config-router)# distribute-list 1 out
Note: this does not stop R3 from learning the route through LSAs, and an out-direction distribute-list under OSPF cannot specify an outgoing interface. It can, however, block external routes redistributed locally.
5) Configuration example 5 (single routing protocol, OSPF), out direction, blocking external routes
R1(config)# access-list 1 deny 192.168.3.0
R1(config)# access-list 1 permit any

R1(config)# router ospf 110
R1(config-router)# redistribute connected subnets
R1(config-router)# network 192.168.12.1 0.0.0.0 area 0
R1(config-router)# distribute-list 1 out
Note: this can block external routes redistributed locally
6) Configuration example 6 (distribute list applied during redistribution)
R2(config)#access-list 1 permit 1.1.1.0
R2(config)#router ospf 110
R2(config-router)#redistribute connected subnets
R2(config-router)#redistribute rip metric 10 subnets
R2(config-router)#distribute-list 1 out rip
Note: here I use the distribute-list to block routes redistributed from RIP; it does not block routes redistributed from connected interfaces

Prefix-list
1. Matching routes and masks with an extended ACL
192.168.8.0/24
192.168.9.0/24
192.168.10.0/24
192.168.11.0/24
access-list 100 permit ip 192.168.8.0 0.0.3.0 255.255.255.0 0.0.0.0
2. prefix-list configuration
Router(config)# ip prefix-list {list-name {deny | permit} network/length
Router(config)# ip prefix-list miucat permit 192.168.8.0/22 ge 24 le 24
3. Common prefix-list examples
Match one specific route, 192.168.1.0/24:
ip prefix-list pxlist permit 192.168.1.0/24
Match the default route:
ip prefix-list pxlist permit 0.0.0.0/0
Match all host routes:
ip prefix-list pxlist permit 0.0.0.0/0 ge 32
Match all routes (any):
ip prefix-list pxlist permit 0.0.0.0/0 le 32
4.
R1(config)# ip prefix-list list1 deny 172.16.32.0/21
R1(config)# ip prefix-list list1 permit 0.0.0.0/0 le 32
R1(config)# route-map test permit 10
R1(config-route-map)# match ip address prefix-list list1

Path Control

Offset-list
Note: usable with RIP/EIGRP
1. Offset-list configuration
router(config-router)#offset-list {access-list-number | name} {in | out} offset
Example:
router(config-router)#offset-list 1 out 2 f0/1
2. offset-list example 1 (RIP)
RouterD(config)#access-list 1 permit 3.3.3.0
RouterD(config)#router rip
RouterD(config-router)#offset-list 1 out 2 serial 0/0
3. offset-list example 2 (EIGRP)
R2(config)#access-list 1 permit 192.168.12.0
R2(config)#router eigrp 90
//AS number 90 is assumed here, matching the earlier EIGRP examples
R2(config-router)#offset-list 1 out 10000 fastEthernet 1/0
4. Offset-list implementation case
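
Added example (not part of the original notes): a Python model of the ge/le matching rules behind the prefix-list entries in the Prefix-list section above, useful for checking what a route filter really lets through before it is applied. The list names host_routes and default_only are assumptions of this example (the notes reuse the name pxlist); the first matching entry decides, and a route that matches no entry is denied.

```python
import ipaddress
import re

ENTRY = re.compile(
    r"ip prefix-list (?P<name>\S+) (?:seq \d+ )?(?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Entries taken from the notes; only the two pxlist names were changed.
CONFIG = [
    "ip prefix-list miucat permit 192.168.8.0/22 ge 24 le 24",
    "ip prefix-list list1 deny 172.16.32.0/21",
    "ip prefix-list list1 permit 0.0.0.0/0 le 32",
    "ip prefix-list host_routes permit 0.0.0.0/0 ge 32",
    "ip prefix-list default_only permit 0.0.0.0/0",
]


def parse(lines):
    """Return {list name: [(action, network, min_len, max_len), ...]} in order."""
    lists = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"not a prefix-list entry: {line!r}")
        net = ipaddress.ip_network(m["net"])
        ge, le = m["ge"], m["le"]
        if ge is None and le is None:
            lo = hi = net.prefixlen            # exact match on the mask length
        else:
            lo = int(ge) if ge else net.prefixlen
            hi = int(le) if le else net.max_prefixlen
        lists.setdefault(m["name"], []).append((m["action"], net, lo, hi))
    return lists


def evaluate(lists, name, route):
    """Return 'permit' or 'deny' for a route such as '192.168.9.0/24'."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in lists.get(name, []):
        # The route's leading bits must fall inside the entry's network and
        # its mask length must lie in the entry's [min_len, max_len] range.
        if lo <= route.prefixlen <= hi and route.network_address in net:
            return action
    return "deny"                               # implicit deny at the end


LISTS = parse(CONFIG)

if __name__ == "__main__":
    for name, route in [("miucat", "192.168.9.0/24"), ("miucat", "192.168.8.0/22"),
                        ("list1", "172.16.32.0/21"), ("list1", "172.16.32.0/24"),
                        ("host_routes", "1.1.1.1/32"), ("default_only", "10.0.0.0/8")]:
        print(f"{name:13} {route:18} {evaluate(LISTS, name, route)}")
```

The list1 results show that deny 172.16.32.0/21 removes only the /21 itself; its more specific subnets still pass through the permit 0.0.0.0/0 le 32 entry.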

Policy-based routing (PBR)
1. match statements that can be used
1) PBR can be used with a route-map that matches packets against an IP access-list or prefix-list
Router(config)# route-map rp-name
Router(config-route-map)# match ip address {access-list-number|name} […access-list-number|name] | prefix-list prefix-list-name […prefix-list-name]
Example:
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#route-map test permit 10
Router(config-route-map)# match ip address 1
2) PBR can be used with a match on packet size
Router(config-route-map)# match length min max
Example:
Router(config)#route-map test permit 10
Router(config-route-map)# match length 10000 100000
2. set statements that can be used
1) Set the next-hop IP for the packet (must be a directly connected IP)
set ip next-hop ip-address […ip-address]
Example:
Router(config-route-map)#set ip next-hop 202.101.100.2
2) Set the outgoing interface for the packet
set interface type number […type number]
Example:
Router(config-route-map)#set interface s1/0
3. Applying PBR
1) Apply PBR (takes effect on traffic entering the interface; has no effect on locally originated traffic)
Router(config-if)# ip policy route-map test
2) Apply PBR (takes effect on locally originated traffic)
Router(config)# ip local policy route-map test
4. PBR example 1 (next hop chosen by access-list)
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#access-list 2 permit 192.168.2.0 0.0.0.255
Router(config)#route-map test permit 10
Router(config-route-map)#match ip address 1
Router(config-route-map)#set ip next-hop 202.101.100.2
Router(config)#route-map test permit 20
Router(config-route-map)#match ip address 2
Router(config-route-map)#set ip next-hop 202.101.99.2
Router(config)#int f0/0
Router(config-if)#ip policy route-map test
5) PBR example 2 (set ip next-hop can take several next hops)
GW(config)#access-list 1 permit any
GW(config)#route-map PBR permit 10
GW(config-route-map)#match ip address 1
GW(config-route-map)#set ip next-hop 10.1.1.2 10.2.2.2
GW(config)#int f0/0
GW(config-if)# ip policy route-map PBR
Note: when ISP1 goes down, a transparent device between GW and ISP1 may prevent GW from learning that ISP1 is down
6) PBR example 3 (the Cisco-proprietary verify-availability parameter, which relies on CDP)
GW(config)#access-list 1 permit any
GW(config)#route-map PBR permit 10
GW(config-route-map)#match ip address 1
GW(config-route-map)#set ip next-hop 10.1.1.2 10.2.2.2
GW(config-route-map)#set ip next-hop verify-availability
GW(config)#int f0/0
GW(config-if)# ip policy route-map PBR
7) PBR example 4 (remote state monitoring with ip sla)
GW(config)#ip sla monitor responder
GW(config)#ip sla monitor 1
GW(config-sla-monitor)#type echo protocol ipIcmpEcho 10.1.1.2 source-ipaddr 10.1.1.1
GW(config-sla-monitor-echo)#frequency 10
GW(config)#ip sla monitor schedule 1 life forever start-time now
GW(config)#track 1 rtr 1 reachability

GW(config)#access-list 1 permit any
GW(config)#route-map PBR permit 10
GW(config-route-map)#match ip address 1
GW(config-route-map)#set ip next-hop verify-availability 10.1.1.2 10 track 1
GW(config-route-map)#set ip next-hop verify-availability 10.2.2.2 20 track 2
8) PBR example 5 (the recursive keyword of ip next-hop; the next hop need not be directly connected)
GW(config)#access-list 1 permit any
GW(config)#route-map PBR permit 10
GW(config-route-map)#match ip address 1
GW(config-route-map)#set ip next-hop 10.2.2.2
GW(config-route-map)#set ip next-hop recursive 10.1.12.2

GW(config)#ip route 10.1.12.0 255.255.255.0 10.1.1.2
GW(config)#ip route 0.0.0.0 0.0.0.0 serial 0/2
9) PBR example 6 (next hop chosen by source-IP access-list)
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)#access-list 2 permit 192.168.2.0 0.0.0.255

Router(config)#route-map test permit 10
Router(config-route-map)#match ip address 1
Router(config-route-map)#set ip next-hop 10.1.1.2

Router(config)#route-map test permit 40
Router(config-route-map)#match ip address 2
Router(config-route-map)#set ip next-hop 10.2.2.2

Router(config)#int f0/0
Router(config-if)#ip policy route-map test
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Router(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2 10
10) PBR example 7 (ip next-hop takes priority over the default route)
R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255

R1(config)#route-map PBR permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#set ip next-hop 10.1.13.3

R1(config)#int f0/0
R1(config-if)#ip policy route-map PBR

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.12.2
11) PBR example 8 (ip default next-hop has lower priority than a static route)
R1(config)#access-list 1 permit 10.1.1.0 0.0.0.255

R1(config)#route-map PBR permit 10
R1(config-route-map)#match ip address 1
R1(config-route-map)#set ip default next-hop 10.1.13.3

R1(config)#int f0/0
R1(config-if)#ip policy route-map PBR

R1(config)#ip route 10.1.23.0 255.255.255.0 10.1.12.2
12) PBR example 9 (PBR combined with NAT to pick the egress carrier and split traffic)
GW(config)#access-list 1 permit 192.168.1.0 0.0.0.255
GW(config)#access-list 2 permit 192.168.2.0 0.0.0.255

GW(config)#route-map PBR permit 10
GW(config-route-map)#match ip address 1
GW(config-route-map)#set ip next-hop 11.1.1.2

GW(config)#route-map PBR permit 20
GW(config-route-map)#match ip address 2
GW(config-route-map)#set ip next-hop 22.2.2.2

GW(config)#route-map nat1 permit 10
GW(config-route-map)#match ip address 1
GW(config-route-map)#match interface serial0/0

GW(config)#route-map nat2 permit 10
GW(config-route-map)#match ip address 1

GW(config)#route-map nat3 permit 10
GW(config-route-map)#match ip address 2
GW(config-route-map)#match interface serial0/1

GW(config)#route-map nat4 permit 10
GW(config-route-map)#match ip address 2

GW(config)#ip nat inside source route-map nat1 interface serial0/0 overload
GW(config)#ip nat inside source route-map nat2 interface serial0/1 overload
GW(config)#ip nat inside source route-map nat3 interface serial0/1 overload
GW(config)#ip nat inside source route-map nat4 interface serial0/0 overload
13) Question to think about
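14) Verifying PBR
Router#show ip policy
Router#show route-map map-name

Comprehensive lab
========================================
Adding the figures would exceed the size limit, so please download the attachment directly.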
Thanks to the original poster for sharing!
Thanks for sharing
Thanks
Nice!
666666666666666