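Routing Policy & Policy-Based Routing Lab
I. Lab Overview
- Lab topology diagram:
(1) Lab requirements
Requirements:
① Use policy-based routing (MQC) so that PC1's traffic to external networks goes via AR2, PC2's traffic goes via AR3, PC4's via AR4, and PC5's via AR5.
② On LSW1, use traffic-filter so that PC2 and PC3 cannot reach each other; LSW2 is configured the same way so that PC4 and PC5 cannot reach each other.
③ Configure routing policy on the Layer 3 devices so that PC1, PC2 and PC3 can only reach PC4, and PC4 can only reach PC2.
II. Lab Implementation
(1) Router configuration - AR1
- AR1
Interface IP addresses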
[AR1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.17.1.1/30 up up
GigabitEthernet0/0/1 10.0.12.1/24 up up
GigabitEthernet0/0/2 10.0.13.1/24 up up
LoopBack0 1.1.1.1/32 up up(s)
NULL0 unassigned up up(s)
OSPF configuration
[AR1]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.0.13.1 0.0.0.0
network 172.17.1.1 0.0.0.0
#
return
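Policy-based routing
To make sure that traffic between PC1 and PC3 is not redirected to a next hop, we add one more ACL, ACL 3000, which permits the 192.168.1.0/24 segment to reach 192.168.3.0/24. We then define a traffic classifier bound to ACL 3000 and a traffic behavior whose action is permit.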
[AR1]display current-configuration configuration acl-basic
[V200R003C00]
#
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
acl number 2001
rule 5 permit source 192.168.30.0 0.0.0.255
[AR1]display current-configuration configuration acl-adv
[V200R003C00]
#
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
return
[AR1]display current-configuration configuration classifier
[V200R003C00]
#
traffic classifier permit operator or
if-match acl 3000
traffic classifier vlan10 operator or
if-match acl 2000
traffic classifier vlan20 operator or
if-match acl 2001
#
return
[AR1]display current-configuration configuration behavior
[V200R003C00]
#
traffic behavior permit
traffic behavior vlan10
redirect ip-nexthop 10.0.12.2
traffic behavior vlan20
redirect ip-nexthop 10.0.13.3
#
return
[AR1]display current-configuration configuration trafficpolicy
[V200R003C00]
#
traffic policy PBR
classifier vlan10 behavior vlan10
classifier vlan20 behavior vlan20
classifier permit behavior permit
#
return
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]traffic-policy PBR inbound
Routing policy
[AR1]display acl 2002
Basic ACL 2002, 2 rules
Acl's step is 5'
rule 5 deny source 192.168.50.0 0.0.0.255 (6 matches)
rule 10 permit (87 matches)
[AR1]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 1.1.1.1
filter-policy 2002 import
(2) Router configuration - AR2
Interface IP addresses
- AR2
[AR2]display ip interfaces brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.12.2/24 up up
GigabitEthernet0/0/1 10.0.23.2/24 up up
GigabitEthernet0/0/2 unassigned down down
LoopBack0 2.2.2.2/32 up up(s)
NULL0 unassigned up up(s)
OSPF configuration
[AR2]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.0.12.2 0.0.0.0
network 10.0.23.2 0.0.0.0
#
return
(3) Router configuration - AR3
Interface IP addresses
[AR3]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.13.3/24 up up
GigabitEthernet0/0/1 10.0.23.3/24 up up
GigabitEthernet0/0/2 10.0.34.3/24 up up
LoopBack0 3.3.3.3/32 up up(s)
NULL0 unassigned up up(s)
OSPF configuration
[AR3]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.0.13.3 0.0.0.0
network 10.0.23.3 0.0.0.0
network 10.0.34.3 0.0.0.0
#
return
(4) Router configuration - AR4
Interface IP addresses
[AR4]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.34.4/24 up up
GigabitEthernet0/0/1 10.0.45.4/24 up up
GigabitEthernet0/0/2 10.0.46.4/24 up up
LoopBack0 4.4.4.4/32 up up(s)
NULL0 unassigned up up(s)
OSPF configuration
[AR4]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.0.34.4 0.0.0.0
network 10.0.45.4 0.0.0.0
network 10.0.46.4 0.0.0.0
#
return
(5) Router configuration - AR5
Interface IP addresses
[AR5]display ip interfaces brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.45.5/24 up up
GigabitEthernet0/0/1 10.0.56.5/24 up up
GigabitEthernet0/0/2 unassigned down down
LoopBack0 5.5.5.5/32 up up(s)
NULL0 unassigned up up(s)
OSPF configuration
[AR5]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 10.0.45.5 0.0.0.0
network 10.0.56.5 0.0.0.0
#
return
(6) Router configuration - AR6
Interface IP addresses
[AR6]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.46.6/24 up up
GigabitEthernet0/0/1 10.0.56.6/24 up up
GigabitEthernet0/0/2 172.16.1.1/30 up up
LoopBack0 6.6.6.6/32 up up(s)
NULL0 unassigned up up(s)
OSPF configuration
[AR6]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 6.6.6.6
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 10.0.46.6 0.0.0.0
network 10.0.56.6 0.0.0.0
network 172.16.1.1 0.0.0.0
#
return
Policy-based routing
[AR6]display current-configuration configuration acl
[V200R003C00]
#
acl number 2000
rule 5 permit source 192.168.40.0 0.0.0.255
#
acl number 2002
rule 5 permit source 192.168.50.0 0.0.0.255
#
return
[AR6]display current-configuration configuration classifier
[V200R003C00]
#
traffic classifier vlan40 operator or
if-match acl 2000
traffic classifier vlan50 operator or
if-match acl 2002
#
return
[AR6]display current-configuration configuration behavior
[V200R003C00]
#
traffic behavior vlan40
redirect ip-nexthop 10.0.46.4
traffic behavior vlan50
redirect ip-nexthop 10.0.56.5
#
return
[AR6]display current-configuration configuration trafficpolicy
[V200R003C00]
#
traffic policy PBR
classifier vlan40 behavior vlan40
classifier vlan50 behavior vlan50
#
return
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]traffic-policy PBR inbound
Routing policy
[AR6]display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 5'
rule 15 deny source 192.168.10.0 0.0.0.255 (8 matches)
rule 20 deny source 192.168.30.0 0.0.0.255 (21 matches)
rule 25 permit (68 matches)
[AR6]display current-configuration configuration ospf
[V200R003C00]
#
ospf 1 router-id 6.6.6.6
filter-policy 2001 import
(7) LSW1
Basic configuration
[LSW1]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif10 192.168.10.254/24 up up
Vlanif17 172.17.1.2/30 up up
Vlanif20 192.168.20.254/24 up up
Vlanif30 192.168.30.254/24 up up
OSPF configuration
[LSW1]display current-configuration configuration ospf
#
ospf 1
area 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 172.17.1.2 0.0.0.0
#
return
traffic-filter
[LSW1]display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5'
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip
[LSW1]traffic-filter inbound acl 3000
Routing policy
[LSW1]display acl 2000
Basic ACL 2000, 2 rules
Acl's step is 5'
rule 5 deny source 192.168.50.0 0.0.0.255
rule 10 permit
[LSW1]display current-configuration configuration ospf
#
ospf 1
filter-policy 2000 import
(8) LSW2
Basic configuration
[LSW2]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif16 172.16.1.2/30 up up
Vlanif40 192.168.40.254/24 up up
Vlanif50 192.168.50.254/24 up up
OSPF configuration
[LSW2]display current-configuration configuration ospf
#
ospf 1
area 0.0.0.0
network 172.16.1.2 0.0.0.0
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
#
return
traffic-filter
[LSW2]display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5'
rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 10 permit ip
[LSW2]traffic-filter inbound acl 3000
Routing policy
[LSW2]display acl 2000
Basic ACL 2000, 3 rules
Acl's step is 5'
rule 5 deny source 192.168.10.0 0.0.0.255
rule 10 deny source 192.168.30.0 0.0.0.255
rule 15 permit
[LSW2]display current-configuration configuration ospf
#
ospf 1
filter-policy 2000 import
III. Verification
(1) Route check
- AR1
[AR1]display ip routing-table 192.168.50.0
- LSW1
[LSW1]display ip routing-table 192.168.50.0
- AR6
[AR6]display ip routing-table 192.168.10.0
[AR6]display ip routing-table 192.168.30.0
- LSW2
[LSW2]display ip routing-table 192.168.10.0
[LSW2]display ip routing-table 192.168.30.0
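The route checks above and the traffic-filter ACLs can be reasoned about offline. The following Python sketch is an added example, not part of the original lab: it applies first-match, wildcard-mask ACL evaluation to the ACLs copied from the configurations above, listing the user prefixes that each filter-policy import keeps out of the routing table, and showing that the one-way deny in ACL 3000 also breaks a ping in the reverse direction because the echo reply is dropped. Host addresses such as 192.168.30.1 are assumed; the page gives only the subnets.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def net24(prefix):
    """(base, wildcard) pair for one of the lab's /24 VLAN subnets."""
    return (prefix, "0.0.0.255")

def wc_match(addr, base, wildcard):
    """ACL wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def first_match(rules, src, dst="0.0.0.0"):
    """Action of the first rule matching (src, dst); None if no rule matches."""
    for action, s, d in rules:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action
    return None

DENY_50 = [("deny", net24("192.168.50.0"), ANY), ("permit", ANY, ANY)]
DENY_10_30 = [("deny", net24("192.168.10.0"), ANY),
              ("deny", net24("192.168.30.0"), ANY), ("permit", ANY, ANY)]
# Basic ACLs bound with "filter-policy <acl> import" on the page.
IMPORT_ACL = {"AR1": DENY_50, "LSW1": DENY_50, "AR6": DENY_10_30, "LSW2": DENY_10_30}
# Advanced ACL 3000 bound with "traffic-filter inbound acl 3000" on the page.
FILTER_ACL = {
    "LSW1": [("deny", net24("192.168.20.0"), net24("192.168.30.0")), ("permit", ANY, ANY)],
    "LSW2": [("deny", net24("192.168.40.0"), net24("192.168.50.0")), ("permit", ANY, ANY)],
}
VLAN_PREFIXES = ["192.168.%d.0" % n for n in (10, 20, 30, 40, 50)]

def filtered_routes(device):
    """VLAN prefixes the device's import filter keeps out of its routing table."""
    return [p for p in VLAN_PREFIXES if first_match(IMPORT_ACL[device], p) == "deny"]

def echo_passes(switch, a, b):
    """A ping a->b succeeds only if request (a->b) and reply (b->a) are both permitted."""
    acl = FILTER_ACL[switch]
    return first_match(acl, a, b) == "permit" and first_match(acl, b, a) == "permit"

if __name__ == "__main__":
    for dev in IMPORT_ACL:
        print(dev, "filters", filtered_routes(dev))
    # Host addresses are assumed; the page gives only the subnets.
    print("PC3 -> PC2 ping passes:", echo_passes("LSW1", "192.168.30.1", "192.168.20.1"))
```

For a basic ACL used by filter-policy, the rule's source field is compared against the route's destination network, which is why the prefixes are passed in as src.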
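(2) Routing policy check
PC1, PC2 and PC3 can only reach PC4
- PC1
- PC2
- PC3
PC4 can only reach PC2
- PC4
(3) traffic-filter
PC2 cannot reach PC3
PC4 cannot reach PC5
(4) Policy-based routing verification
PC1 reaches the external network via AR2; PC3 reaches the external network via AR3
PC4 reaches the external network via AR4; PC5 reaches the external network via AR5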