Huawei: PBR on directly connected links so that traffic to different destinations takes different paths

1 Network topology

Topology notes:

PC1, PC2 and PC3 are on different subnets.

Requirements:

Traffic between the three subnets of PC1, PC2 and PC3 must pass through the firewall at the top of the diagram (simulated here with a router). PC1 to PC2 must use the 1.1.1.1-1.1.1.2 link, and PC2 to PC3 must use the 2.2.2.1-2.2.2.2 link. Because the upstream device is a firewall, the forward and return paths must use the same interfaces.

2 Device configuration

2.1 Router configuration

sysname R
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.252
interface Serial0/0/0
 link-protocol ppp
 ip address 11.1.1.2 255.255.255.252
interface GigabitEthernet0/0/1
 ip address 2.2.2.2 255.255.255.252
interface GigabitEthernet0/0/2
 ip address 3.3.3.2 255.255.255.252
ip route-static 192.168.1.0 255.255.255.0 1.1.1.1 // equal-cost routes; by default traffic uses this one
ip route-static 192.168.1.0 255.255.255.0 11.1.1.1
ip route-static 192.168.2.0 255.255.255.0 2.2.2.1
ip route-static 192.168.3.0 255.255.255.0 3.3.3.1

2.2 Core switch configuration

sysname HX
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
acl number 3011
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
interface GigabitEthernet0/0/0
 ip address 1.1.1.1 255.255.255.252
interface Serial0/0/1
 link-protocol ppp
 ip address 11.1.1.1 255.255.255.252
interface GigabitEthernet0/0/1
 ip address 2.2.2.1 255.255.255.252
interface Ethernet0/0/0
 ip address 3.3.3.1 255.255.255.252
interface GigabitEthernet0/0/2
 ip address 192.168.1.254 255.255.255.0
 ip policy-based-route 1
interface GigabitEthernet0/0/3
 ip address 192.168.2.254 255.255.255.0
 ip policy-based-route 2
interface Ethernet0/0/1
 ip address 192.168.3.254 255.255.255.0
 ip policy-based-route 3
policy-based-route 1 permit node 10
 if-match acl 3001
 apply ip-address next-hop 1.1.1.2
policy-based-route 1 permit node 20
 if-match acl 3011
 apply ip-address next-hop 11.1.1.2
policy-based-route 2 permit node 10
 if-match acl 3002
 apply ip-address next-hop 2.2.2.2
policy-based-route 3 permit node 10
 if-match acl 3003
 apply ip-address next-hop 3.3.3.2

3 Service tests and the problem

3.1 PC1 test

<PC1>tracert 192.168.2.1
traceroute to 192.168.2.1(192.168.2.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 30 ms 60 ms 50 ms
2 1.1.1.2 70 ms 70 ms 40 ms
3 2.2.2.1 70 ms 110 ms 70 ms
4 192.168.2.1 140 ms 130 ms 120 ms
<PC1>
<PC1>tracert 192.168.3.1 // the PC1 to PC3 and PC3 to PC1 paths are inconsistent
traceroute to 192.168.3.1(192.168.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 40 ms 30 ms 40 ms
2 11.1.1.2 70 ms 40 ms 70 ms
3 3.3.3.1 40 ms 60 ms 70 ms
4 192.168.3.1 120 ms 140 ms 130 ms
<PC1>
<PC1>ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=252 time=110 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=252 time=120 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=252 time=90 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=252 time=110 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/108/120 ms
<PC1>
<PC1>ping 192.168.3.1
PING 192.168.3.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=252 time=140 ms
Reply from 192.168.3.1: bytes=56 Sequence=2 ttl=252 time=130 ms
Reply from 192.168.3.1: bytes=56 Sequence=3 ttl=252 time=150 ms
Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=252 time=120 ms
Reply from 192.168.3.1: bytes=56 Sequence=5 ttl=252 time=100 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 100/128/150 ms
<PC1>

3.2 PC2 test

<PC2>tracert 192.168.1.1
traceroute to 192.168.1.1(192.168.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.2.254 30 ms 40 ms 70 ms
2 2.2.2.2 80 ms 60 ms 40 ms
3 1.1.1.1 70 ms 60 ms 60 ms
4 192.168.1.1 140 ms 100 ms 110 ms
<PC2>
<PC2>tracert 192.168.3.1
traceroute to 192.168.3.1(192.168.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.2.254 50 ms 50 ms 10 ms
2 2.2.2.2 100 ms 70 ms 50 ms
3 3.3.3.1 90 ms 80 ms 80 ms
4 192.168.3.1 130 ms 100 ms 100 ms
<PC2>
<PC2>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=252 time=100 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=252 time=100 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=252 time=110 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=252 time=130 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 100/110/130 ms
<PC2>
<PC2>ping 192.168.3.1
PING 192.168.3.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=252 time=110 ms
Reply from 192.168.3.1: bytes=56 Sequence=2 ttl=252 time=130 ms
Reply from 192.168.3.1: bytes=56 Sequence=3 ttl=252 time=70 ms
Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=252 time=90 ms
Reply from 192.168.3.1: bytes=56 Sequence=5 ttl=252 time=100 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/100/130 ms
<PC2>

3.3 PC3 test

<PC3>tracert 192.168.1.1
traceroute to 192.168.1.1(192.168.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.3.254 30 ms 70 ms 40 ms // the PC1 to PC3 and PC3 to PC1 paths are inconsistent
2 3.3.3.2 100 ms 80 ms 40 ms
3 1.1.1.1 100 ms 70 ms 50 ms
4 192.168.1.1 140 ms 130 ms 140 ms
<PC3>
<PC3>
<PC3>tracert 192.168.2.1
traceroute to 192.168.2.1(192.168.2.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.3.254 30 ms 70 ms 40 ms
2 3.3.3.2 70 ms 60 ms 30 ms
3 2.2.2.1 80 ms 80 ms 110 ms
4 192.168.2.1 140 ms 90 ms 130 ms
<PC3>
<PC3>
<PC3>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=252 time=140 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=252 time=120 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=252 time=140 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=252 time=110 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 110/124/140 ms
<PC3>ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=252 time=160 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=252 time=150 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=252 time=110 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=252 time=110 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=252 time=80 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/122/160 ms
<PC3>

4 The current problem: asymmetric routing through the firewall

PC1 reaches PC3 over the 11.1.1.1 path:

<PC1>tracert 192.168.3.1
traceroute to 192.168.3.1(192.168.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 40 ms 30 ms 40 ms
2 11.1.1.2 70 ms 40 ms 70 ms
3 3.3.3.1 40 ms 60 ms 70 ms
4 192.168.3.1 120 ms 140 ms 130 ms
<PC1>

But PC3 reaches PC1 over the 1.1.1.1 path:

<PC3>tracert 192.168.1.1
traceroute to 192.168.1.1(192.168.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.3.254 30 ms 70 ms 40 ms
2 3.3.3.2 100 ms 80 ms 40 ms
3 1.1.1.1 100 ms 70 ms 50 ms
4 192.168.1.1 140 ms 130 ms 140 ms
<PC3>

Summary: the router has two paths to 192.168.1.0/24 and by default uses the first one. For a router this is not a problem, but on a firewall it means the two directions of the same flow enter and leave on different interfaces of the same device (asymmetric routing). A security device then sees forward and return paths that do not match, and the traffic ultimately fails.

5 Fix configuration and final test

5.1 Fix: configure PBR on the router

sysname R
acl number 3003
 rule 5 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
policy-based-route 1 permit node 10
 apply ip-address next-hop 11.1.1.1
 if-match acl 3003
interface GigabitEthernet0/0/2
 ip address 3.3.3.2 255.255.255.252
 ip policy-based-route 1
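The asymmetry from section 4 and the effect of the fix in 5.1 can be checked before touching a device. The following is an added example, not part of the article or a vendor tool: it models HX's PBR, R's static routes and the new R PBR as constructed tables, derives which R interface each direction of a subnet pair enters and leaves on, and reports the pairs a stateful firewall in R's position would see as asymmetric. Interface names are abbreviated (G0/0/0 for GigabitEthernet0/0/0, S0/0/0 for Serial0/0/0).

```python
import ipaddress

# Constructed model of the lab in this article: R's link interfaces, R's
# static routes, HX's PBR flattened to (source, destination) -> next-hop,
# and the R PBR from 5.1 keyed by (ingress interface, source, destination).
R_IFACES = {"G0/0/0": "1.1.1.2/30", "S0/0/0": "11.1.1.2/30",
            "G0/0/1": "2.2.2.2/30", "G0/0/2": "3.3.3.2/30"}
R_STATIC = {"192.168.1.0/24": ["1.1.1.1", "11.1.1.1"],  # first one wins
            "192.168.2.0/24": ["2.2.2.1"], "192.168.3.0/24": ["3.3.3.1"]}
HX_PBR = {("192.168.1.0/24", "192.168.2.0/24"): "1.1.1.2",
          ("192.168.1.0/24", "192.168.3.0/24"): "11.1.1.2",
          ("192.168.2.0/24", "192.168.1.0/24"): "2.2.2.2",
          ("192.168.2.0/24", "192.168.3.0/24"): "2.2.2.2",
          ("192.168.3.0/24", "192.168.1.0/24"): "3.3.3.2",
          ("192.168.3.0/24", "192.168.2.0/24"): "3.3.3.2"}
R_PBR_FIX = {("G0/0/2", "192.168.3.0/24", "192.168.1.0/24"): "11.1.1.1"}

def iface_for(addr):
    """Return the R interface whose /30 link contains addr."""
    ip = ipaddress.ip_address(addr)
    for name, cidr in R_IFACES.items():
        if ip in ipaddress.ip_interface(cidr).network:
            return name
    raise ValueError(f"no R interface on the link of {addr}")

def r_path(src, dst, r_pbr):
    """(ingress, egress) interface on R for src subnet -> dst subnet: HX's
    PBR fixes the ingress; R's PBR, else its first static route, the egress."""
    ingress = iface_for(HX_PBR[(src, dst)])
    nh = r_pbr.get((ingress, src, dst)) or R_STATIC[dst][0]
    return ingress, iface_for(nh)

def asymmetric_pairs(r_pbr=None):
    """Subnet pairs whose return traffic leaves R on a different interface
    than the forward traffic entered on (an asymmetric flow for a firewall)."""
    r_pbr = r_pbr or {}
    nets = sorted({s for s, _ in HX_PBR})
    bad = []
    for a in nets:
        for b in nets:
            if a < b:
                fwd_in, fwd_out = r_path(a, b, r_pbr)
                rev_in, rev_out = r_path(b, a, r_pbr)
                if fwd_in != rev_out or fwd_out != rev_in:
                    bad.append((a, b, fwd_in, rev_out))
    return bad

if __name__ == "__main__":
    print("before fix:", asymmetric_pairs())          # PC1<->PC3 pair flagged
    print("after fix:", asymmetric_pairs(R_PBR_FIX))  # []
```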

5.2 Retest: paths and interfaces now match

5.2.1 PC1 test:

<PC1>tracert 192.168.2.1
traceroute to 192.168.2.1(192.168.2.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 30 ms 60 ms 50 ms
2 1.1.1.2 80 ms 80 ms 90 ms
3 2.2.2.1 60 ms 80 ms 80 ms
4 192.168.2.1 120 ms 100 ms 110 ms
<PC1>
<PC1>tracert 192.168.3.1
traceroute to 192.168.3.1(192.168.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.1.254 30 ms 30 ms 30 ms // the PC1 to PC3 and PC3 to PC1 paths now match
2 11.1.1.2 60 ms 50 ms 80 ms
3 3.3.3.1 90 ms 80 ms 80 ms
4 192.168.3.1 120 ms 110 ms 130 ms
<PC1>
<PC1>ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=252 time=110 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=252 time=90 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=252 time=140 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=252 time=90 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=252 time=140 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/114/140 ms
<PC1>
<PC1>ping 192.168.3.1
PING 192.168.3.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=252 time=110 ms
Reply from 192.168.3.1: bytes=56 Sequence=2 ttl=252 time=80 ms
Reply from 192.168.3.1: bytes=56 Sequence=3 ttl=252 time=90 ms
Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=252 time=130 ms
Reply from 192.168.3.1: bytes=56 Sequence=5 ttl=252 time=100 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/102/130 ms
<PC1>

5.2.2 PC2 test:

<PC2>
<PC2>tracert 192.168.1.1
traceroute to 192.168.1.1(192.168.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.2.254 40 ms 40 ms 70 ms
2 2.2.2.2 40 ms 50 ms 60 ms
3 1.1.1.1 80 ms 60 ms 60 ms
4 192.168.1.1 150 ms 90 ms 80 ms
<PC2>
<PC2>tracert 192.168.3.1
traceroute to 192.168.3.1(192.168.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.2.254 30 ms 50 ms 40 ms
2 2.2.2.2 80 ms 60 ms 80 ms
3 3.3.3.1 50 ms 110 ms 60 ms
4 192.168.3.1 120 ms 130 ms 90 ms
<PC2>
<PC2>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=252 time=130 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=252 time=90 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=252 time=140 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=252 time=110 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=252 time=50 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/104/140 ms
<PC2>
<PC2>ping 192.168.3.1
PING 192.168.3.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 192.168.3.1: bytes=56 Sequence=2 ttl=252 time=110 ms
Reply from 192.168.3.1: bytes=56 Sequence=3 ttl=252 time=130 ms
Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=252 time=90 ms
Reply from 192.168.3.1: bytes=56 Sequence=5 ttl=252 time=90 ms
--- 192.168.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/108/130 ms
<PC2>

5.2.3 PC3 test:

<PC3>tracert 192.168.1.1
traceroute to 192.168.1.1(192.168.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.3.254 40 ms 70 ms 40 ms // the PC1 to PC3 and PC3 to PC1 paths now match
2 3.3.3.2 80 ms 60 ms 50 ms
3 11.1.1.1 100 ms 70 ms 110 ms
4 192.168.1.1 130 ms 120 ms 110 ms
<PC3>
<PC3>
<PC3>tracert 192.168.2.1
traceroute to 192.168.2.1(192.168.2.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 192.168.3.254 30 ms 20 ms 30 ms
2 3.3.3.2 90 ms 80 ms 80 ms
3 2.2.2.1 60 ms 50 ms 70 ms
4 192.168.2.1 150 ms 100 ms 150 ms
<PC3>
<PC3>
<PC3>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=252 time=130 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=252 time=130 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=252 time=140 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=252 time=90 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=252 time=130 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/124/140 ms
<PC3>
<PC3>ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=252 time=110 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=252 time=120 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=252 time=90 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=252 time=120 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=252 time=60 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/100/120 ms
<PC3>