PBR not working as expected

network-engineering cisco routing nat ipsec pbr
2022-02-25 21:21:51

EDIT: added the full router config. I have a Cisco 2921. It uses EIGRP to learn its routing table and has no static default route set. I want to keep it that way. The default route (learned from EIGRP) is another device on my network over a Metro ENS link. When this particular router receives traffic from host 192.168.2.5, I want to give it a default route out this router's ISP connection (3.3.3.1). It isn't working; does anyone know why this route-map doesn't work?

Traffic from my host comes in on interface GigabitEthernet0/1. I want it to go out the ISP interface GigabitEthernet0/0 (the IP in the route-map is the default gateway my ISP provided). Interface gi0/0 also has a VPN tunnel configured to my main site, which is more of a backup link, but I don't think that's an issue (or is it?).

I have verified that the access list on interface gig0/0 is not blocking any traffic from that host.

I ran debug ip policy and debug ip packet and nothing shows up. This tells me that whenever I try to reach this device from the Internet, it never hits interface gi0/1 at all. I can see the traffic reach gig0/0, but never gig0/1.

Maybe I have a NAT problem?

version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname name
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.155-3.M7.bin
boot-end-marker
!
!
card type t1 0 0
logging buffered 58192
enable secret 
enable password 
!
aaa new-model
!
!
aaa authentication 
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
process cpu threshold type total rising 75 interval 5
process cpu statistics limit entry-percentage 100 size 50000
clock timezone EST -5 0
clock summer-time EDT recurring
no network-clock-participate wic 0 
!
!
!
!         
!
!
no ip source-route
ip options drop
!
!
!
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip flow-cache timeout active 1
no ip bootp server
ip domain name 
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint ssssssssssssssssssssss
 enrollment selfsigned
 subject-name sssssssssssssssssssssssssssssssssssssss
 revocation-check none
 rsakeypair ssssssssssssssssssssssssss
!
!
crypto pki certificate chain TP-self-signed-sssssssssssssss
 certificate self-signed 01
  jjjjjjjjjjjj
  ddddddddddd
  eeeeeeeeeee
        quit
license udi pid CISCO2921/K9 sn FGL171511XH
!
!
memory reserve critical 10024
memory free low-watermark processor 599187
memory free low-watermark IO 599187
!
redundancy
!
!
!
!
!
controller T1 0/0/0
 cablelength long 0db
 channel-group 0 timeslots 1-24
!         
controller T1 0/0/1
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
track 3 ip sla 3 reachability
!
track 100 list boolean or
 object 1
 object 2
 object 3
!
! 
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key KEY address 1.1.1.1 
crypto isakmp key KEY address 2.2.2.2 
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set ESP-AES-128-SHA1 esp-aes esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC-PROF-1
 set transform-set ESP-AES-256-SHA 
!
!
!
crypto map HA_SERVICES 1 ipsec-isakmp 
 set peer 2.2.2.2
 set transform-set ESP-AES-128-SHA1 
 set pfs group2
 match address HASERVICES_DR
!
!
!
!
!
interface Loopback0
 description Management Int
 ip address 
!
interface Tunnel1
 ip address 10.254.254.2 255.255.255.252
 tunnel source 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC-PROF-1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Internet
 ip address 3.3.3.2 255.255.255.248
 ip access-group BLOCKEDIN in
 no ip redirects
 no ip unreachables
 ip directed-broadcast 100
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default
 duplex auto
 speed auto
 no lldp transmit
 no lldp receive
 crypto map HA_SERVICES
!
interface GigabitEthernet0/1
 ip address 172.31.2.7 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 ip policy route-map NVR
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 shutdown
 ppp multilink
!
interface Serial0/0/1:0
 no ip address
 encapsulation ppp
 shutdown
 ppp multilink
!
!
router eigrp 100
 distribute-list Tunnel-Out out Tunnel1
 network 10.2.2.22 0.0.0.0
 network 10.254.254.0 0.0.0.3
 network 172.31.2.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.2.5 3.3.3.4
ip route 10.0.0.0 255.248.0.0 172.31.2.1 200
ip route 10.1.1.39 255.255.255.255 172.31.2.1
ip route 10.1.1.73 255.255.255.255 172.31.2.1
ip route 1.1.1.1 255.255.255.255 3.3.3.1
ip route 172.31.0.0 255.255.248.0 172.31.2.1 200
ip route 192.168.0.0 255.255.248.0 172.31.2.1 200
ip ssh time-out 60
ip ssh version 2
!
ip access-list standard Tunnel-Out
 permit 10.2.2.2
 permit 10.2.2.22
 permit 10.2.200.0 0.0.0.255
 permit 172.31.2.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
ip access-list extended BLOCKEDIN
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   icmp any any fragments
 deny   ip any any fragments
 deny   tcp any any eq ftp
 deny   ip any any option any-options
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 permit tcp any host 3.3.3.4 eq www
 permit tcp any host 3.3.3.4 eq 5445
 deny   tcp any any eq www
 deny   tcp any any eq 2002
 deny   tcp any any eq 4002
 deny   tcp any any eq 6002
 deny   tcp any any eq 9002
 permit ip any any
ip access-list extended HASERVICES_DR
 permit ip 172.31.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.100.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NAT_ACL
 permit ip 10.2.200.0 0.0.0.255 any
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.2.100.0 0.0.0.255 any
 permit ip 172.31.2.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/1 
ip sla auto discovery
ip sla 1
 icmp-echo 8.19.112.154
 threshold 3000
 timeout 3000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.19.112.193
 threshold 3000
 timeout 3000
 frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 8.19.203.193
 threshold 3000
 timeout 3000
 frequency 5
ip sla schedule 3 life forever start-time now

!
route-map NVR permit 10
 match ip address 5
 set ip default next-hop 3.3.3.1
!
route-map BGP-Community permit 10
 set community 13697114
!
!
access-list 5 permit 192.168.2.5
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.1.4.0 0.0.0.255
access-list 23 deny   any log
!
radius server 
 address ipv4  auth-port 1645 acct-port 1646
 timeout 30
 key 
!
!
!
control-plane
!
!
no vstack
!
line con 0
 exec-timeout 5 0
 authorization exec CONSOLE
 logging synchronous
 login authentication CONSOLE
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 4 59
 privilege level 15
 password 7 13353701181B54382F
 logging synchronous
 login authentication VTYLOGIN
 transport input ssh
 transport output ssh
line vty 5 15
 access-class 23 in
 exec-timeout 4 59
 privilege level 15
 password 7 01232617481C561D25
 logging synchronous
 login authentication VTYLOGIN
 transport input ssh
 transport output ssh
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 5
scheduler allocate 20000 1000
ntp server  prefer
!
end

I'm using ip default next-hop because I want it to look at the routing table first (for internal communication with DNS, AD, local access) and then, as a last resort, use this route to reach the Internet. For testing I added a static route 0.0.0.0/0 ab.ac.ab.ax and everything worked fine. But I don't want any other device sending traffic through this router to know there is a way out to the Internet. I only want this particular host to be able to use this local ISP link. That's why I'm using PBR. Everything else that hits this router goes out the VPN tunnel configured on gi0/0 to the other location.

1 Answer

If you are learning the other sites' networks from EIGRP, then PBR is something to be avoided.

Packets to destinations not in the routing table are dropped. A default route will match anything else. If you have no default route, then traffic to unknown Internet networks will be dropped. If you are learning the default route via EIGRP, then you need a better default route in the local router. That would require a static configuration.

Unlike consumer-grade routers, enterprise-grade routers need a default route configured for Internet traffic. Enterprise-grade routers do not automatically assume the router is connected to the public Internet.
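To make the forwarding decision discussed in the question and the answer concrete, here is an added Python model (not code from the question, the answer, or Cisco) of a longest-prefix lookup combined with the route-map's set ip default next-hop, built from the static routes in the posted config. It assumes the policy next-hop is used only when nothing more specific than a default route matches (routing table first, policy as last resort, as the question intends); the source host 172.31.2.50 and destination 8.8.8.8 are constructed sample addresses.

```python
import ipaddress

# Constructed routing table, modelled on the static routes in the posted config
# ("connected" marks the gi0/0 and gi0/1 subnets). The EIGRP-learned default
# is passed in separately so both cases in the discussion can be shown.
STATIC_ROUTES = [
    ("10.0.0.0/13", "172.31.2.1"),
    ("10.1.1.39/32", "172.31.2.1"),
    ("10.1.1.73/32", "172.31.2.1"),
    ("1.1.1.1/32", "3.3.3.1"),
    ("172.31.0.0/21", "172.31.2.1"),
    ("192.168.0.0/21", "172.31.2.1"),
    ("172.31.2.0/24", "connected"),
    ("3.3.3.0/29", "connected"),
]

# access-list 5 permit 192.168.2.5 / route-map NVR: set ip default next-hop 3.3.3.1
PBR_SOURCES = {"192.168.2.5"}
PBR_DEFAULT_NEXT_HOP = "3.3.3.1"


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(src, dst, eigrp_default=None):
    """Return (decision, next_hop) where decision is 'policy', 'table' or 'dropped'."""
    table = list(STATIC_ROUTES)
    if eigrp_default is not None:
        table.append(("0.0.0.0/0", eigrp_default))  # default learned from EIGRP
    match = lookup(table, dst)
    # Assumption: 'set ip default next-hop' only fires when nothing more
    # specific than a default route (/0) matches the destination.
    explicit = match is not None and match[0].prefixlen > 0
    if src in PBR_SOURCES and not explicit:
        return ("policy", PBR_DEFAULT_NEXT_HOP)
    if match is None:
        return ("dropped", None)  # no route at all: packet is discarded
    return ("table", match[1])
```

With no default route, a non-policy host's Internet-bound packet is dropped, while the policy host is sent to 3.3.3.1; internal destinations such as 10.1.1.39 still follow the routing table for both.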