Policy-Based Routing Does Not Take Effect in a Dual-Egress Network

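Published: 2014-09-12
Problem Description
USG5150 V100R005C00SPC500
The customer's internal network has two subnets (10.85.199.0 and 10.85.194.0), which are meant to exit via China Telecom (10.157.230.227) and China Netcom (183.220.237.254) respectively. This is implemented with policy-based routing plus a default route. However, after the policy-based route was configured, traffic from the 10.85.199.0 subnet still left via the default route.
Alarm Information
Handling Process
Configuration: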
acl number 3030
  rule 5 permit ip source 10.85.199.222 0

policy-based-route aa permit node 5
  if-match acl 3030
  apply ip-address next-hop 10.157.230.254

interface Vlanif10
  ip address 192.168.0.254 255.255.255.0
  ip policy-based-route aa

The following command shows that 10.85.199.222 did not take the policy-based route:
[USG5100]dis firewall session table verbose  source inside  10.85.199.222
17:04:00  2013/03/29
Current Total Sessions : 34
  dns  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:00:17
  Interface: GigabitEthernet0/0/0  NextHop: 183.220.237.1  MAC: 28-6e-d4-46-9e-52
  <--packets:1 bytes:88   -->packets:1 bytes:72
  10.85.199.222:57354[183.220.237.252:63102]-->211.137.96.205:53

This command shows that the policy-based route has forwarded data:
[USG5100]dis  ip policy-based-route statistics  interface  Vlanif 10
17:01:53  2013/03/29
Interface Vlanif10 policy based routing information:
policy-based-route: aa
   permit node 5
     apply ip-address next-hop 10.157.230.254
       Denied: 0,
       Forwarded: 249
Total denied: 0, forwarded: 249


Delete the following configuration:
undo ip-link 3 destination 10.157.230.254 mode icmp

Check again with this command:
[USG5100]dis firewall session table verbose  source inside  10.85.199.222
17:08:27  2013/03/29
Current Total Sessions : 21
  http  VPN:public --> public
  Zone: trust--> unstrust2  TTL: 00:00:05  Left: 00:00:03
  Interface: GigabitEthernet0/0/2  NextHop: 10.157.230.254  MAC: 00-16-4d-26-e7-26
  <--packets:0 bytes:0   -->packets:2 bytes:104
  10.85.199.222:51021[10.157.230.227:2073]-->173.208.214.233:80
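Root Cause
Configuration issue.
Suggestions and Summary
In V100R005, policy-based routing is automatically associated with ip-link. Keep this in mind during configuration.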
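
The check done by eye in this case can be scripted. The example below was added here and is not part of the original case: it parses "display firewall session table verbose" output and lists sessions whose source matches the policy-based route but whose NextHop differs from the configured one. The function names are hypothetical, and the ACL is modelled as a set of host addresses, which is an assumption that fits the single-host rule in acl 3030.

```python
import re

# Session entries copied from the two "display firewall session table verbose"
# outputs on this page (before and after the ip-link was removed).
BEFORE = """\
  dns  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:02:00  Left: 00:00:17
  Interface: GigabitEthernet0/0/0  NextHop: 183.220.237.1  MAC: 28-6e-d4-46-9e-52
  <--packets:1 bytes:88   -->packets:1 bytes:72
  10.85.199.222:57354[183.220.237.252:63102]-->211.137.96.205:53
"""
AFTER = """\
  http  VPN:public --> public
  Zone: trust--> unstrust2  TTL: 00:00:05  Left: 00:00:03
  Interface: GigabitEthernet0/0/2  NextHop: 10.157.230.254  MAC: 00-16-4d-26-e7-26
  <--packets:0 bytes:0   -->packets:2 bytes:104
  10.85.199.222:51021[10.157.230.227:2073]-->173.208.214.233:80
"""

HOP_RE = re.compile(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)")
# src:port, optional [NAT address:port], then dst:port
FLOW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+):\d+(?:\[\S+?\])?-->(\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_sessions(text):
    """Yield one dict per session: source, destination, interface, next hop."""
    hop = None
    for line in text.splitlines():
        m = HOP_RE.search(line)
        if m:
            hop = m.groups()  # remembered until the flow line of this entry
            continue
        m = FLOW_RE.match(line)
        if m and hop:
            yield {"src": m.group(1), "dst": f"{m.group(2)}:{m.group(3)}",
                   "interface": hop[0], "next_hop": hop[1]}
            hop = None

def pbr_bypasses(text, pbr_sources, pbr_next_hop):
    """Sessions whose source matches the PBR ACL but whose next hop differs."""
    return [s for s in parse_sessions(text)
            if s["src"] in pbr_sources and s["next_hop"] != pbr_next_hop]

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        bad = pbr_bypasses(out, {"10.85.199.222"}, "10.157.230.254")
        print(label, "sessions bypassing PBR:", bad or "none")
```

A session reported here also crosses a different zone pair and is translated to a different NAT address than intended, so the interzone policy applied to it is worth reviewing alongside the route.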
