H3C PBR Lab
Lab Topology
Lab Requirements
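- Configure the IP addresses as shown in the topology diagram; the company connects to the Internet over both a China Telecom line and a China Unicom line
- Configure RIP for reachability inside the company network and OSPF for reachability across the public network; configure a default route on R6 pointing to R1; routers are used to simulate the internal PCs
- On R1, configure Easy IP on both the China Telecom and the China Unicom egress, allowing the 192.168.1.0/24 and 192.168.2.0/24 segments to access the Internet
- On R1, configure PBR so that the 192.168.1.0/24 segment reaches the Internet through the China Telecom egress and the 192.168.2.0/24 segment reaches it through the China Unicom egress
- Enable the tracert function on all devices and verify the effect of PBR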
Lab Steps
Device IP Configuration
R1 IP configuration
[R1]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 202.1.1.1/24 -- --
GE0/1 up up 67.1.1.1/24 -- --
GE0/2 up up 10.1.1.1/24 -- --
R2 IP configuration
[R2]display ip int brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 202.1.1.2/24 -- --
GE0/1 up up 100.1.1.2/24 -- --
GE0/2 up up 100.2.2.2/24 -- --
R3 IP configuration
[R3]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 67.1.1.3/24 -- --
GE0/1 up up 100.1.1.3/24 -- --
GE0/2 up up 100.3.3.3/24 -- --
R4 IP configuration
[R4]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 100.4.4.4/24 -- --
GE0/1 up up 100.2.2.4/24 -- --
Loop0 up up(s) 1.1.1.1/32 -- --
R5 IP configuration
[R5]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 100.3.3.5/24 -- --
GE0/1 up up 100.4.4.5/24 -- --
Loop0 up up(s) 2.2.2.2/32 -- --
R6 IP configuration
[R6]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 10.1.1.6/24 -- --
GE0/1 up up 192.168.1.6/24 -- --
GE0/2 up up 192.168.2.6/24 -- --
PC1 IP configuration
[PC1]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 192.168.1.1/24 -- --
PC2 IP configuration
[PC2]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 192.168.2.1/24 -- --
Configure RIP on the Company Internal Network
R6 RIP configuration
#
rip 1
undo summary
version 2
network 10.0.0.0
network 192.168.1.0
network 192.168.2.0
silent-interface GigabitEthernet0/1
silent-interface GigabitEthernet0/2
R1 RIP configuration
#
rip 1
undo summary
version 2
network 10.0.0.0
Configure OSPF on the Public Network
R2 OSPF configuration
#
ospf 1
silent-interface GigabitEthernet0/0
area 0.0.0.0
network 100.1.1.2 0.0.0.0
network 100.2.2.2 0.0.0.0
network 202.1.1.0 0.0.0.255
R3 OSPF configuration
#
ospf 1
silent-interface GigabitEthernet0/0
area 0.0.0.0
network 67.1.1.0 0.0.0.255
network 100.1.1.3 0.0.0.0
network 100.3.3.3 0.0.0.0
R4 OSPF configuration
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.2.2.4 0.0.0.0
network 100.4.4.4 0.0.0.0
R5 OSPF configuration
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.3.3.5 0.0.0.0
network 100.4.4.5 0.0.0.0
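Configure Easy IP to Allow the Service Segments to Access the Public Network
Configure NAT on the R1 egress interfaces to allow the service segments to access the public network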
#
acl basic 2000
description NAT
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0
nat outbound 2000
#
interface GigabitEthernet0/1
nat outbound 2000
#
ip route-static 0.0.0.0 0 202.1.1.2
ip route-static 0.0.0.0 0 67.1.1.3
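Configure PBR
Requirement: the 192.168.1.0/24 segment reaches the Internet through the China Telecom egress and the 192.168.2.0/24 segment reaches it through the China Unicom egress
On the egress router (R1), match the 192.168.1.0/24 and 192.168.2.0/24 segments with ACLs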
#
acl basic 2001
description PBR-DX
rule 0 permit source 192.168.1.0 0.0.0.255
#
acl basic 2002
description PBR-LT
rule 0 permit source 192.168.2.0 0.0.0.255
Configure the PBR policy
#
policy-based-route ZXXZ permit node 1
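if-match acl 2001 //traffic that matches ACL 2001
apply next-hop 202.1.1.2 //is sent to next hop 202.1.1.2
#
policy-based-route ZXXZ permit node 10
if-match acl 2002 //traffic that matches ACL 2002
apply next-hop 67.1.1.3 //is sent to next hop 67.1.1.3; everything else is forwarded by the normal routing table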
Apply the PBR policy on the internal interface of the egress router (R1)
#
interface GigabitEthernet0/2
ip policy-based-route ZXXZ //apply PBR policy ZXXZ
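Verification
Traffic Path Verification
The requirement is that the 192.168.1.0/24 segment reaches the Internet through the China Telecom egress and the 192.168.2.0/24 segment reaches it through the China Unicom egress
Traffic path before PBR is applied
PC1 traffic path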
[PC1]tracert 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.632 ms 0.408 ms 0.436 ms
2 10.1.1.1 (10.1.1.1) 0.975 ms 1.880 ms 0.701 ms
3 202.1.1.2 (202.1.1.2) 1.010 ms 1.295 ms 0.957 ms
4 100.2.2.4 (100.2.2.4) 2.011 ms 0.914 ms 0.720 ms
[PC1]tracert 2.2.2.2
traceroute to 2.2.2.2 (2.2.2.2), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.373 ms 0.423 ms 0.969 ms
2 10.1.1.1 (10.1.1.1) 0.397 ms 0.570 ms 0.677 ms
3 202.1.1.2 (202.1.1.2) 0.682 ms 0.926 ms 0.318 ms
4 100.2.2.4 (100.2.2.4) 1.724 ms 0.926 ms 0.942 ms
5 100.4.4.5 (100.4.4.5) 1.735 ms 0.562 ms 1.614 ms
[PC1]tracert 100.2.2.4
traceroute to 100.2.2.4 (100.2.2.4), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.724 ms 0.514 ms 0.449 ms
2 10.1.1.1 (10.1.1.1) 1.903 ms 1.183 ms 0.835 ms
3 67.1.1.3 (67.1.1.3) 1.018 ms 0.699 ms 0.580 ms
4 100.1.1.2 (100.1.1.2) 0.998 ms 0.957 ms 1.450 ms
5 100.2.2.4 (100.2.2.4) 1.495 ms 2.458 ms 1.275 ms
[PC1]tracert 100.3.3.5
traceroute to 100.3.3.5 (100.3.3.5), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.512 ms 0.290 ms 0.241 ms
2 10.1.1.1 (10.1.1.1) 0.518 ms 0.377 ms 0.276 ms
3 202.1.1.2 (202.1.1.2) 1.324 ms 0.890 ms 0.921 ms
4 100.1.1.3 (100.1.1.3) 1.604 ms 1.461 ms 0.438 ms
5 100.3.3.5 (100.3.3.5) 1.709 ms 1.017 ms 1.179 ms
PC2 traffic path
[PC2]tracert 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.506 ms 0.233 ms 0.179 ms
2 10.1.1.1 (10.1.1.1) 1.073 ms 0.369 ms 0.260 ms
3 202.1.1.2 (202.1.1.2) 0.446 ms 1.029 ms 0.867 ms
4 100.2.2.4 (100.2.2.4) 1.558 ms 1.347 ms 1.056 ms
[PC2]tracert 2.2.2.2
traceroute to 2.2.2.2 (2.2.2.2), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.638 ms 0.493 ms 0.358 ms
2 10.1.1.1 (10.1.1.1) 0.915 ms 1.466 ms 0.772 ms
3 67.1.1.3 (67.1.1.3) 1.699 ms 0.889 ms 0.927 ms
4 100.3.3.5 (100.3.3.5) 0.976 ms 0.974 ms 0.526 ms
[PC2]tracert 100.2.2.4
traceroute to 100.2.2.4 (100.2.2.4), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.873 ms 0.496 ms 0.255 ms
2 10.1.1.1 (10.1.1.1) 0.825 ms 0.878 ms 1.364 ms
3 202.1.1.2 (202.1.1.2) 0.982 ms 1.339 ms 1.668 ms
4 100.2.2.4 (100.2.2.4) 3.633 ms 1.132 ms 0.965 ms
[PC2]tracert 100.3.3.5
traceroute to 100.3.3.5 (100.3.3.5), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.649 ms 0.301 ms 0.487 ms
2 10.1.1.1 (10.1.1.1) 1.282 ms 0.668 ms 0.321 ms
3 202.1.1.2 (202.1.1.2) 1.351 ms 1.320 ms 1.205 ms
4 100.1.1.3 (100.1.1.3) 0.799 ms 0.905 ms 0.747 ms
5 100.3.3.5 (100.3.3.5) 1.401 ms 1.003 ms 1.001 ms
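Traffic path with PBR applied
Running tracert from PC1 to any public IP shows that, on the egress router, all traffic is forwarded via the China Telecom address 202.1.1.2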
[PC1]tracert 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.416 ms 0.242 ms 0.200 ms
2 10.1.1.1 (10.1.1.1) 0.277 ms 1.255 ms 0.596 ms
3 202.1.1.2 (202.1.1.2) 0.658 ms 1.460 ms 0.372 ms
4 100.2.2.4 (100.2.2.4) 0.689 ms 0.780 ms 1.978 ms
[PC1]tracert 2.2.2.2
traceroute to 2.2.2.2 (2.2.2.2), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.364 ms 0.302 ms 0.415 ms
2 10.1.1.1 (10.1.1.1) 1.264 ms 0.724 ms 0.415 ms
3 202.1.1.2 (202.1.1.2) 1.286 ms 0.952 ms 1.758 ms
4 100.2.2.4 (100.2.2.4) 0.924 ms 1.632 ms 0.908 ms
5 100.4.4.5 (100.4.4.5) 1.498 ms 2.652 ms 2.072 ms
[PC1]tracert 100.2.2.4
traceroute to 100.2.2.4 (100.2.2.4), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.417 ms 0.468 ms 0.569 ms
2 10.1.1.1 (10.1.1.1) 1.208 ms 0.527 ms 1.376 ms
3 202.1.1.2 (202.1.1.2) 1.190 ms 0.997 ms 1.765 ms
4 100.2.2.4 (100.2.2.4) 1.048 ms 0.955 ms 0.962 ms
[PC1]tracert 100.3.3.5
traceroute to 100.3.3.5 (100.3.3.5), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.1.6 (192.168.1.6) 0.798 ms 0.227 ms 0.393 ms
2 10.1.1.1 (10.1.1.1) 0.720 ms 0.684 ms 0.900 ms
3 202.1.1.2 (202.1.1.2) 1.159 ms 1.302 ms 0.608 ms
4 100.1.1.3 (100.1.1.3) 1.028 ms 0.903 ms 1.435 ms
5 100.3.3.5 (100.3.3.5) 2.368 ms 2.579 ms 1.427 ms
Running tracert from PC2 to any public IP shows that, on the egress router, all traffic is forwarded via the China Unicom address 67.1.1.3
[PC2]tracert 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.620 ms 0.437 ms 0.352 ms
2 10.1.1.1 (10.1.1.1) 0.378 ms 2.649 ms 0.557 ms
3 67.1.1.3 (67.1.1.3) 0.581 ms 0.914 ms 0.954 ms
4 100.3.3.5 (100.3.3.5) 1.372 ms 1.606 ms 1.014 ms
5 100.4.4.4 (100.4.4.4) 1.285 ms 1.874 ms 1.408 ms
[PC2]tracert 2.2.2.2
traceroute to 2.2.2.2 (2.2.2.2), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 1.191 ms 0.413 ms 0.243 ms
2 10.1.1.1 (10.1.1.1) 0.440 ms 0.451 ms 1.378 ms
3 67.1.1.3 (67.1.1.3) 0.543 ms 0.866 ms 1.081 ms
4 100.3.3.5 (100.3.3.5) 1.763 ms 1.071 ms 0.774 ms
[PC2]tracert 100.2.2.4
traceroute to 100.2.2.4 (100.2.2.4), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.722 ms 0.390 ms 0.271 ms
2 10.1.1.1 (10.1.1.1) 0.809 ms 0.759 ms 1.084 ms
3 67.1.1.3 (67.1.1.3) 1.162 ms 0.818 ms 1.285 ms
4 100.1.1.2 (100.1.1.2) 1.614 ms 0.729 ms 1.294 ms
5 100.2.2.4 (100.2.2.4) 1.068 ms 1.133 ms 1.036 ms
[PC2]tracert 100.3.3.5
traceroute to 100.3.3.5 (100.3.3.5), 30 hops at most, 40 bytes each packet, press CTRL+C to break
1 192.168.2.6 (192.168.2.6) 0.600 ms 0.361 ms 0.382 ms
2 10.1.1.1 (10.1.1.1) 0.533 ms 0.434 ms 0.423 ms
3 67.1.1.3 (67.1.1.3) 1.418 ms 1.650 ms 0.808 ms
4 100.3.3.5 (100.3.3.5) 0.951 ms 1.030 ms 1.616 ms
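The tracert comparison above can be checked automatically. The following is an added example, not part of the original lab: a Python check that reads tracert hop lines and confirms that the hop after R1 (10.1.1.1) is the next hop that policy ZXXZ assigns to the source subnet. The two sample traces are PC1's tracert to 100.2.2.4 copied from the outputs above; the function and constant names are illustrative.

```python
import ipaddress
import re

# Expected egress next hop per source subnet, from PBR policy ZXXZ on R1.
POLICY = {
    ipaddress.ip_network("192.168.1.0/24"): "202.1.1.2",  # node 1, ACL 2001
    ipaddress.ip_network("192.168.2.0/24"): "67.1.1.3",   # node 10, ACL 2002
}
R1_INSIDE = "10.1.1.1"  # R1 GE0/2, the interface the policy is applied to
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(")

# PC1 -> 100.2.2.4, hop lines copied from the page's tracert output.
BEFORE_PBR = """\
 1 192.168.1.6 (192.168.1.6) 0.724 ms 0.514 ms 0.449 ms
 2 10.1.1.1 (10.1.1.1) 1.903 ms 1.183 ms 0.835 ms
 3 67.1.1.3 (67.1.1.3) 1.018 ms 0.699 ms 0.580 ms
 4 100.1.1.2 (100.1.1.2) 0.998 ms 0.957 ms 1.450 ms
 5 100.2.2.4 (100.2.2.4) 1.495 ms 2.458 ms 1.275 ms
"""
AFTER_PBR = """\
 1 192.168.1.6 (192.168.1.6) 0.417 ms 0.468 ms 0.569 ms
 2 10.1.1.1 (10.1.1.1) 1.208 ms 0.527 ms 1.376 ms
 3 202.1.1.2 (202.1.1.2) 1.190 ms 0.997 ms 1.765 ms
 4 100.2.2.4 (100.2.2.4) 1.048 ms 0.955 ms 0.962 ms
"""

def parse_hops(text):
    """Map hop number -> address; header, prompt and '* * *' lines are skipped."""
    return {int(m.group(1)): m.group(2)
            for m in map(HOP_RE.match, text.splitlines()) if m}

def egress_hop(hops):
    """Address of the hop right after R1's inside interface, else None."""
    for n, addr in hops.items():
        if addr == R1_INSIDE:
            return hops.get(n + 1)  # None if that hop timed out
    return None

def check(source_ip, text):
    """Return (ok, expected, actual) for a tracert taken from source_ip."""
    src = ipaddress.ip_address(source_ip)
    expected = next((nh for net, nh in POLICY.items() if src in net), None)
    if expected is None:
        raise ValueError(f"{source_ip} is not matched by any PBR node")
    actual = egress_hop(parse_hops(text))
    return actual == expected, expected, actual

if __name__ == "__main__":
    for label, trace in (("before", BEFORE_PBR), ("after", AFTER_PBR)):
        print(label, check("192.168.1.1", trace))
```

A hop that timed out directly after R1 yields an actual value of None and is reported as a mismatch rather than being silently skipped.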
Note
H3C routers have tracert disabled by default. To solve this, enter the following two commands in system view on the H3C devices:
ip ttl-expires enable
ip unreachables enable