1. Problem description
- The customer environment is roughly as shown above. There are multiple uplinks, and a policy-based route (PBR) was configured for the internal segment 2.2.2.2 with the China Telecom uplink as next hop. To prevent traffic from 2.2.2.2 to 3.3.3.3 from also being sent out to the public-network side once the PBR was applied on RT1's internal interface G0/0/0, the customer wrote a deny rule for source 2.2.2.2 to destination 3.3.3.3 in the ACL that defines the interesting traffic, so that only the remaining internet-bound traffic would be sent to the public side. After this configuration, however, 2.2.2.2 still could not reach 3.3.3.3. What causes this? The customer had also configured DHCP relay on RT1, relaying to the internal DHCP server (RT3) behind it, and hosts on the RT2 side could not obtain an IP address via DHCP. Once the PBR was defined so that traffic destined to the broadcast address was matched (by a node without an apply action), addresses could be obtained. At this point one can probably guess that the policy-based route is the culprit.
2. Network setup
Topology: (the topology here differs somewhat from the customer's actual environment: the customer has a switch connected to two uplink routers, while the test here uses a router connected to two routers)
3. Root cause analysis
- Analysis:
1) Problem 1: internal segments cannot reach each other. First, when configuring PBR, the ACL referenced by the policy is used only to match interesting traffic; it carries no permit or deny action of its own. To let internal traffic through, write a separate ACL that matches the internal traffic and reference it in a PBR node without any apply action, so the default behaviour (normal routing-table forwarding) applies. Then write another ACL containing permit ip source any; the interesting traffic of this second ACL defines the action taken when the first, internal-segment ACL does not match. Since the customer's requirement per the diagram is that all other traffic goes to the Telecom side, the node for the second ACL needs an apply action with the Telecom address as next hop.
2) Problem 2: the DHCP client cannot obtain an IP address. PBR also matches the broadcast packets generated by DHCP and forwards them according to the policy, so all DHCP request packets were sent to the public-network side; the internal DHCP server never received the requests, and the client could not obtain an address.
4. Device configuration and test procedure:
RT1 uplink device configuration:
<RT1>dis cu
#
version 5.20, Release H3C
#
sysname RT1
#
undo voice vlan mac-address 00e0-bb00-0000
#
dhcp relay server-group 10 ip 10.1.13.3
#
domain default enable system
#
rpr mac-address timer aging 100
#
acl number 3000
rule 0 permit ip source 2.2.2.2 0 destination 3.3.3.3 0
rule 5 permit ip destination 255.255.255.255 0
acl number 3001
rule 0 permit ip
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
ip address 10.1.12.1 255.255.255.0
dhcp select relay
dhcp relay server-select 10
ip policy-based-route celue
#
interface GigabitEthernet0/0/1
port link-mode route
ip address 10.1.13.1 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-mode route
nat outbound
ip address 10.1.14.1 255.255.255.0
#
interface GigabitEthernet0/0/3
port link-mode route
nat outbound
ip address 10.1.15.1 255.255.255.0
#
policy-based-route celue permit node 10
if-match acl 3000
policy-based-route celue permit node 20
if-match acl 3001
apply ip-address next-hop 10.1.14.4
#
ip route-static 0.0.0.0 0.0.0.0 10.1.14.4
ip route-static 0.0.0.0 0.0.0.0 10.1.15.5
ip route-static 2.2.2.2 255.255.255.255 10.1.12.2
ip route-static 3.3.3.3 255.255.255.255 10.1.13.3
#
dhcp enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
RT2 configuration:
<RT2>dis cu
#
version 5.20, Release H3C
#
sysname RT2
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
rpr mac-address timer aging 100
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet0/0/1
port link-mode route
ip address dhcp-alloc
#
interface GigabitEthernet0/0/2
port link-mode route
#
interface GigabitEthernet0/0/3
port link-mode route
#
ip route-static 0.0.0.0 0.0.0.0 10.1.12.1
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
RT3 configuration:
<RT3>dis cu
#
version 5.20, Release H3C
#
sysname RT3
#
undo voice vlan mac-address 00e0-bb00-0000
#
domain default enable system
#
rpr mac-address timer aging 100
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
dhcp server ip-pool 10
network 10.1.12.0 mask 255.255.255.0
gateway-list 10.1.12.1
#
user-group system
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
#
attack-defense policy 1
#
interface Serial0/1/0
link-protocol ppp
#
interface Serial0/1/1
link-protocol ppp
#
interface Serial0/1/2
link-protocol ppp
#
interface Serial0/1/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
interface GigabitEthernet0/0/0
port link-mode route
#
interface GigabitEthernet0/0/1
port link-mode route
ip address 10.1.13.3 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-mode route
#
interface GigabitEthernet0/0/3
port link-mode route
#
ip route-static 0.0.0.0 0.0.0.0 10.1.13.1
#
dhcp enable
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
Test procedure:
PBR configuration method on RT1:
acl number 3000
rule 0 permit ip source 2.2.2.2 0 destination 3.3.3.3 0
rule 5 permit ip destination 255.255.255.255 0
acl number 3001
rule 0 permit ip
dhcp relay server-group 10 ip 10.1.13.3
interface GigabitEthernet0/0/0
port link-mode route
ip address 10.1.12.1 255.255.255.0
dhcp select relay
dhcp relay server-select 10
ip policy-based-route celue
Clear the ACL match counters on RT1, then ping from RT2 and check whether any packets are matched:
It can be clearly seen that packets are matched; mutual access between the internal segments works fine.
DHCP test analysis:
Change the RT2 interface address to automatic (DHCP) acquisition: (before configuring automatic acquisition, clear the ACL match counters first to see whether the broadcast traffic is matched)
On RT1 it can be clearly seen that the broadcast traffic is also matched; this is exactly why the DHCP client could not obtain an address.
5. Notes
- Note in particular that the ACL in a PBR policy is used only to match traffic; the action in the ACL has no real effect. It can be understood as playing the same role as an ACL in MQC.
- PBR takes precedence over the routing table. Although it lets you manually steer forwarding, be aware that it can sometimes cause problems; deploy it flexibly according to the customer's live network environment.
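As an added illustration (not from the case or from H3C), the following Python model reproduces the two behaviours analysed above: the ACL action being ignored by PBR, and a node without an apply clause acting as the exclusion for local and DHCP broadcast traffic. The Telecom next hop 10.1.14.4 and ACLs 3000/3001 come from RT1's configuration; the customer's original single-node policy is reconstructed from the text, and the destination 203.0.113.10 is a constructed example.

```python
import ipaddress

# Added model (not H3C code) of the Comware V5 PBR behaviour this case
# describes: the ACL referenced by a PBR node only selects interesting
# traffic, so a hit on a "deny" rule counts as a match just like "permit".
ANY = ("0.0.0.0", "255.255.255.255")   # Comware wildcard for "any"
HOST = "0"                              # wildcard 0 = exact host match

def _wild(ip, rule_ip, wildcard):
    """Comware wildcard compare: address bits set in the wildcard are ignored."""
    if wildcard == HOST:
        wildcard = "0.0.0.0"
    ip, rule_ip, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, rule_ip, wildcard))
    return (ip | wc) == (rule_ip | wc)

def acl_hits(acl, src, dst):
    """True if any rule covers (src, dst). The rule's permit/deny is ignored."""
    return any(_wild(src, *r[1]) and _wild(dst, *r[2]) for r in acl)

def pbr_verdict(policy, src, dst):
    """Walk the PBR nodes in order; the first node whose ACL hits decides.
    Returns the applied next hop, or None when the winning node has no
    'apply' (or nothing matched): normal forwarding, i.e. routing-table
    lookup, or DHCP relay for a broadcast DHCP request."""
    for acl, next_hop in policy:
        if acl_hits(acl, src, dst):
            return next_hop
    return None

TELECOM = "10.1.14.4"
# Customer's first attempt, reconstructed from the case text: a single node
# whose ACL tries to exclude 2.2.2.2 -> 3.3.3.3 with a deny rule and sends
# everything else to the Telecom uplink.
BROKEN = [([("deny", ("2.2.2.2", HOST), ("3.3.3.3", HOST)),
            ("permit", ANY, ANY)], TELECOM)]
# Corrected RT1 policy from the case: node 10 (ACL 3000) matches the traffic
# to keep local and has no apply; node 20 (ACL 3001) catches the rest.
ACL_3000 = [("permit", ("2.2.2.2", HOST), ("3.3.3.3", HOST)),
            ("permit", ANY, ("255.255.255.255", HOST))]
ACL_3001 = [("permit", ANY, ANY)]
FIXED = [(ACL_3000, None), (ACL_3001, TELECOM)]

if __name__ == "__main__":
    flows = (("2.2.2.2", "3.3.3.3"),          # internal segment to segment
             ("0.0.0.0", "255.255.255.255"),  # DHCP DISCOVER from RT2
             ("2.2.2.2", "203.0.113.10"))     # internet-bound (constructed)
    for name, policy in (("broken", BROKEN), ("fixed", FIXED)):
        for src, dst in flows:
            hop = pbr_verdict(policy, src, dst) or "normal forwarding"
            print(f"{name:6} {src:>8} -> {dst:<15} {hop}")
```

With the broken policy both the internal flow and the DHCP broadcast are redirected to 10.1.14.4; with the corrected policy they fall through to normal forwarding and only the internet-bound flow is steered.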