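Policy-based routing appears not to take effect when the route is traced with tracert on AR routers

Published: 2015-10-23
Problem Description
Network topology: S7700-----AR1-----AR2------PC
The two ARs are interconnected by two links, and both routers use E3/0/0 and E4/0/0 for the interconnection. OSPF is enabled and policy-based routing is configured, and there are two equal-cost routes between the ARs. In the AR1--AR2 direction, policy-based routing is based on the source address; in the AR2---AR1 direction, it is based on destination IP addresses that correspond to those sources. The policy is bound to NQA.
Handling Process
The relevant device configuration is as follows: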
AR1:
acl number 3001
 description <50
 rule 0 permit ip source 10.3.0.0 0.0.0.255
 rule 1 permit ip source 10.3.1.0 0.0.0.255
acl number 3002
 description >50
 rule 51 permit ip source 10.3.51.0 0.0.0.255
 rule 52 permit ip source 10.3.52.0 0.0.0.255
#
traffic classifier 51-130 operator or
 if-match acl 3002
traffic classifier 1-50 operator or
 if-match acl 3001
#
traffic behavior Line-LianTong
 redirect ip-nexthop 192.168.24.1 track nqa admin LianTong
 statistic enable
traffic behavior Line-DianXin
 redirect ip-nexthop 192.168.23.1 track nqa admin DianXin
 statistic enable
#
traffic policy 3
 classifier 1-50 behavior Line-DianXin
 classifier 51-130 behavior Line-LianTong
#
interface GigabitEthernet0/0/1
 ip address 10.3.134.9 255.255.255.252
 traffic-policy 3 inbound
 combo-port fiber

AR2:
acl number 3001
 rule 1 permit ip destination 10.3.1.0 0.0.0.255
 rule 2 permit ip destination 10.3.2.0 0.0.0.255
acl number 3002
 rule 51 permit ip destination 10.3.51.0 0.0.0.255
 rule 52 permit ip destination 10.3.52.0 0.0.0.255
#
traffic classifier 1-50 operator or
 if-match acl 3001
traffic classifier 50-130 operator or
 if-match acl 3002
#
traffic behavior Line-LianTong
 redirect ip-nexthop 192.168.24.2 track nqa admin LianTong
 statistic enable
traffic behavior Line-DianXin
 statistic enable
 redirect ip-nexthop 192.168.23.2 track nqa admin DianXin
#
traffic policy 3
 classifier 1-50 behavior Line-DianXin
 classifier 50-130 behavior Line-LianTong
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.254 255.255.255.0
 traffic-policy 3 inbound

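According to the configuration above, network segments 1-50 use next hop 192.168.23.1 and segments above 50 use 192.168.24.1. Tracing to the PC from the S7700 with a specified source address gives the following hops: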

[S7703-A]tracert -a 10.3.21.253 10.1.1.1
traceroute to 10.1.1.1(10.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.3.134.5 15 ms 6 ms 6 ms
2 192.168.24.1 10 ms 192.168.23.1 24 ms 192.168.24.1 11 ms
3 10.1.1.1 8 ms 7 ms 7 ms
[S7703-A]tracert -a 10.3.22.253 10.1.1.1
traceroute to 10.1.1.1(10.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.3.134.5 8 ms 16 ms 9 ms
2 192.168.23.1 6 ms 192.168.24.1 6 ms 192.168.23.1 33 ms
3 10.1.1.1 10 ms 24 ms 10 ms
[S7703-A]tracert -a 10.3.23.253 10.1.1.1
traceroute to 10.1.1.1(10.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.3.134.5 22 ms 9 ms 11 ms
2 192.168.24.1 25 ms 192.168.23.1 11 ms 192.168.24.1 24 ms
3 10.1.1.1 13 ms 8 ms 9 ms
[S7703-A]tracert -a 10.3.24.253 10.1.1.1
traceroute to 10.1.1.1(10.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.3.134.5 13 ms 6 ms 5 ms
2 192.168.23.1 8 ms 192.168.24.1 6 ms 192.168.23.1 6 ms
3 10.1.1.1 11 ms 9 ms 7 ms

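The trace output shows a regular pattern: sources in odd-numbered segments give the same result, and sources in even-numbered segments give the same result. According to the configured policy-based routing, the next hop for the IP addresses in these segments should be 192.168.23.1, so why does the second hop reply from several IP addresses?
Root Cause
It was confirmed that this follows from how tracert works: every device that receives a trace packet sends a reply back. That reply is originated by the router itself, and such locally originated reply packets do not pass through the policy, so they cannot match the policy-based routing.
Solution
To test whether the policy takes effect, connect a terminal below the S7700, have it exchange data with the PC, and check the interface traffic statistics to confirm.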
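As an added example (not part of the original case), the following Python code parses the tracert output format shown above and lists the hops whose probes were answered from more than one address. Per the root cause, those replies are router-originated and bypass the traffic policy, so such a hop is not evidence of where the policy forwarded transit traffic. The sample text is copied from the first two traces above; the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Two of the traces from the S7700 output above, copied from the page.
SAMPLE = """\
[S7703-A]tracert -a 10.3.21.253 10.1.1.1
traceroute to 10.1.1.1(10.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.3.134.5 15 ms 6 ms 6 ms
2 192.168.24.1 10 ms 192.168.23.1 24 ms 192.168.24.1 11 ms
3 10.1.1.1 8 ms 7 ms 7 ms
[S7703-A]tracert -a 10.3.22.253 10.1.1.1
1 10.3.134.5 8 ms 16 ms 9 ms
2 192.168.23.1 6 ms 192.168.24.1 6 ms 192.168.23.1 33 ms
3 10.1.1.1 10 ms 24 ms 10 ms
"""

CMD = re.compile(r"tracert\s+-a\s+(\S+)\s+(\S+)")   # -a sets the probe source
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<hop> <addr> <rtt> ms ..."
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_traces(text):
    """Return {source: {hop: [responder per probe, None for a timeout]}}."""
    traces, current = OrderedDict(), None
    for line in text.splitlines():
        cmd = CMD.search(line)
        if cmd:
            current = traces.setdefault(cmd.group(1), OrderedDict())
            continue
        hop = HOP.match(line)
        if not hop or current is None:
            continue                      # banner line or text outside a trace
        probes, addr = [], None
        for tok in hop.group(2).split():
            if IPV4.match(tok):
                addr = tok                # responder for the probes that follow
            elif tok == "*":
                probes.append(None)       # probe timed out
            elif tok.isdigit():
                probes.append(addr)       # an RTT value closes one probe
        current[int(hop.group(1))] = probes
    return traces

def mixed_responder_hops(traces):
    """Hops where probes were answered from more than one address."""
    return {src: [h for h, p in hops.items() if len(set(p) - {None}) > 1]
            for src, hops in traces.items()}
```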
