Testing PBR again
Every test sends traffic from PC1 to R4's lo1, 192.168.5.1.
PC1
no ip domain-lookup
no ip routing
ip default-gateway 10.0.0.1
int e0/0
 no shut
 ip add 10.0.0.10 255.255.255.0
R1
int e0/0
 no shut
 ip add 12.0.0.1 255.255.255.0
int e0/1
 no shut
 ip add 13.0.0.1 255.255.255.0
int e0/2
 no shut
 ip add 10.0.0.1 255.255.255.0
int e0/3
 no shut
 ip add 15.0.0.1 255.255.255.0
router eigrp 1
 no auto
 network 12.0.0.0 0.0.0.255
 network 13.0.0.0 0.0.0.255
 network 10.0.0.1 0.0.0.255
 network 15.0.0.1 0.0.0.255
R2
int e0/0
 no shut
 ip add 12.0.0.2 255.255.255.0
 ip add 12.0.0.22 255.255.255.0 sec
int e0/1
 no shut
 ip add 24.0.0.2 255.255.255.0
router eigrp 1
 no auto
 network 12.0.0.0 0.0.0.255
 network 24.0.0.0 0.0.0.255
R3
int e0/0
 no shut
 ip add 13.0.0.3 255.255.255.0
int e0/1
 no shut
 ip add 34.0.0.3 255.255.255.0
router eigrp 1
 no auto
 network 13.0.0.0 0.0.0.255
 network 34.0.0.0 0.0.0.255
R4
int e0/0
 no shut
 ip add 24.0.0.4 255.255.255.0
int e0/1
 no shut
 ip add 34.0.0.4 255.255.255.0
int e0/2
 no shut
 ip add 54.0.0.4 255.255.255.0
int lo1
 ip add 192.168.5.1 255.255.255.0
router eigrp 1
 no auto
 network 24.0.0.0 0.0.0.255
 network 34.0.0.0 0.0.0.255
 network 54.0.0.0 0.0.0.255
 network 192.168.5.0 0.0.0.255
R5
int e0/0
 no shut
 ip add 15.0.0.5 255.255.255.0
int e0/1
 no shut
 ip add 54.0.0.5 255.255.255.0
router eigrp 1
 no auto
 network 15.0.0.0 0.0.0.255
 network 54.0.0.0 0.0.0.255
Once everything is configured, first run traceroute 192.168.5.1 from PC1.
The figure shows that the traffic reaches the destination via R3.
Test 1: change the path to go via R2
ip access-list extended PC1toServer1
 permit ip host 10.0.0.10 host 192.168.5.1
route-map PC1toServer1 permit 10
 match ip address PC1toServer1
 set ip next-hop 12.0.0.2
int e0/2
 ip policy route-map PC1toServer1
Test 2: add one more policy
ip access-list extended newPC1toServer1
 permit ip host 10.0.0.10 host 192.168.5.1
route-map PC1toServer1 permit 5
 match ip address newPC1toServer1
 set ip next-hop 15.0.0.5
Because the newly added sequence 5 is evaluated before sequence 10, it is the first entry to match.
Test 3: change the access-list permit to deny
ip access-list extended newPC1toServer1
 no permit ip host 10.0.0.10 host 192.168.5.1
 deny ip host 10.0.0.10 host 192.168.5.1
Because the traffic hits the deny, evaluation moves on to the next sequence, 10.
Test 4: the access-list has neither a permit nor a deny
ip access-list extended newPC1toServer1
 no deny ip host 10.0.0.10 host 192.168.5.1
Because an access-list with no entries defaults to permit ip any any, everything matches, and the first sequence, 5, is used directly.
Test 5: deliberately make the first sequence, 5, not match
ip access-list extended newPC1toServer1
 permit ip host 10.0.0.12 host 192.168.5.1
Exactly as expected, the next sequence, 10, matches.
Test 6: what if the second entry, sequence 10, does not match either
ip access-list extended PC1toServer1
 no permit ip host 10.0.0.10 host 192.168.5.1
 permit ip host 10.0.0.12 host 192.168.5.1
So the route-map is skipped and the default routing is used.
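Test 7: I have seen a company configure it like this, with no next-hop and no match ip
route-map PC1toServer1 permit 30
This entry makes no difference to the result; treat it as a statistics counter.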
Test 8: in preparation for test 9, restore the state where the first sequence, 5, matches
ip access-list extended newPC1toServer1
 permit ip host 10.0.0.10 host 192.168.5.1
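Test 9: a match ip is present but there is no next-hop
route-map PC1toServer1 permit 5
 no set ip next-hop 15.0.0.5
Sequence 5 has already matched, so sequence 10 is not evaluated. Because there is no next-hop, PBR is bypassed and the original 13.0.0.3 is used.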
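The evaluation order that tests 1 to 9 walk through, written as a small Python model (an added example, not part of the original post and not Cisco's implementation). It assumes host-to-host ACL entries and permit route-map sequences only, takes 13.0.0.3 as R1's normal next hop as seen in the tests, and all function names are hypothetical.

```python
# Added model of how a route-map is evaluated for PBR (names are hypothetical).
ROUTED = "13.0.0.3"   # assumption: R1's normal next hop to 192.168.5.1, as in the tests
PC1, SRV = "10.0.0.10", "192.168.5.1"

def acl_matches(acl, src, dst):
    """acl is a list of (action, src_host, dst_host); True means the ACL permits."""
    if not acl:                       # an ACL with no entries matches everything (test 4)
        return True
    for action, s, d in acl:          # the first entry that fits the packet decides
        if (s, d) == (src, dst):
            return action == "permit"
    return False                      # implicit deny once the ACL has entries

def pbr_next_hop(rmap, acls, src, dst):
    """rmap maps seq -> {"match": ACL name or None, "set": next hop or None}."""
    for seq in sorted(rmap):          # lowest sequence number is checked first
        entry = rmap[seq]
        if entry["match"] is None or acl_matches(acls[entry["match"]], src, dst):
            # the first matching sequence ends the search; no set clause = normal routing
            return seq, entry["set"] or ROUTED
    return None, ROUTED               # no sequence matched: normal routing

def replay():
    """Apply the changes of tests 1-9 in order; returns {test: (seq, next_hop)}."""
    out, hop = {}, lambda: pbr_next_hop(rmap, acls, PC1, SRV)
    acls = {"PC1toServer1": [("permit", PC1, SRV)]}
    rmap = {10: {"match": "PC1toServer1", "set": "12.0.0.2"}}
    out[1] = hop()
    acls["newPC1toServer1"] = [("permit", PC1, SRV)]
    rmap[5] = {"match": "newPC1toServer1", "set": "15.0.0.5"}
    out[2] = hop()
    acls["newPC1toServer1"] = [("deny", PC1, SRV)]
    out[3] = hop()
    acls["newPC1toServer1"] = []
    out[4] = hop()
    acls["newPC1toServer1"].append(("permit", "10.0.0.12", SRV))
    out[5] = hop()
    acls["PC1toServer1"] = [("permit", "10.0.0.12", SRV)]
    out[6] = hop()
    rmap[30] = {"match": None, "set": None}
    out[7] = hop()
    acls["newPC1toServer1"].append(("permit", PC1, SRV))
    out[8] = hop()
    rmap[5]["set"] = None
    out[9] = hop()
    return out

if __name__ == "__main__":
    for test, result in replay().items():
        print(test, result)
```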