[RS] PBR + IP SLA + track + VRF + NAT dual-link problem

Posted on 2019-9-11 20:49:44
Problem commands:
route-map global_to_vrf permit 10
match ip address 1
match track  1
set vrf isp1
!         
route-map global_to_vrf permit 20
match ip address 1
set vrf isp2
!         
route-map global_to_vrf permit 30
match ip address 2
match track  2
set vrf isp2
!         
route-map global_to_vrf permit 40
match ip address 2
set vrf isp1
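In sequence 10 and sequence 30, as long as match ip address matches, the result is true regardless of whether the track is up or down. As a result, pc1's traffic cannot fail over to R1->China Unicom after R1->China Telecom fails; likewise for pc2's traffic, it cannot fail over to R1->China Telecom after R1->China Unicom fails.

Could you guys please take a look.

The full configuration of R1 is as follows: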
Internet_access_rout#show run
Building configuration...

Current configuration : 6902 bytes
!
! Last configuration change at 19:56:31 GMT Wed Sep 11 2019 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Internet_access_rout
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone GMT 8 0
!
!
!
!         
!      
ip vrf isp1
!         
ip vrf isp2
!         
!         
!         
!         
no ip domain lookup
ip domain name yourdomain.com
ip cef   
no ipv6 cef
multilink bundle-name authenticated
!         
!         
!         
cts logging verbose
!         
crypto pki trustpoint TP-self-signed-3979959379
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3979959379
revocation-check none
rsakeypair TP-self-signed-3979959379
!         
!         
crypto pki certificate chain TP-self-signed-3979959379
certificate self-signed 01
        quit
license udi pid CISCO2911/K9 sn FGL203611LB
license boot module c2900 technology-package datak9
!         
!         
username admin privilege 15 password 7 09554613001C
!         
redundancy
!         
!         
track 1 ip sla 1 reachability
delay down 5 up 1
!         
track 2 ip sla 2 reachability
delay down 5 up 1
!         
!         
!         
!         
!         
interface Embedded-Service-Engine0/0
no ip address
shutdown
!         
interface GigabitEthernet0/0
ip address 192.168.16.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map global_to_vrf
duplex auto
speed auto
!         
interface GigabitEthernet0/1
ip vrf forwarding isp1
ip address 100.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip policy route-map vrf_to_global
duplex auto
speed auto
!         
interface GigabitEthernet0/2
ip vrf forwarding isp2
ip address 200.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip policy route-map vrf_to_global
duplex auto
speed auto
!         
interface GigabitEthernet0/0/0
no ip address
!         
interface GigabitEthernet0/0/1
no ip address
!         
interface GigabitEthernet0/0/2
no ip address
!         
interface GigabitEthernet0/0/3
no ip address
!         
interface Vlan1
ip address 192.168.60.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map global_to_vrf
!         
!         
ip forward-protocol nd
!         
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!         
ip nat inside source list 1 interface GigabitEthernet0/1 vrf isp1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 vrf isp1 overload
ip nat inside source list 1 interface GigabitEthernet0/2 vrf isp2 overload
ip nat inside source list 2 interface GigabitEthernet0/2 vrf isp2 overload
ip route vrf isp1 0.0.0.0 0.0.0.0 100.1.1.1
ip route vrf isp2 0.0.0.0 0.0.0.0 200.1.1.1
!         
ip sla 1  
icmp-echo 172.16.66.3 source-ip 100.1.1.2
vrf isp1
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2  
icmp-echo 172.16.66.3 source-ip 200.1.1.2
vrf isp2
frequency 10
ip sla schedule 2 life forever start-time now
!         
route-map global_to_vrf permit 10
match ip address 1
match track  1
set vrf isp1
!         
route-map global_to_vrf permit 20
match ip address 1
set vrf isp2
!         
route-map global_to_vrf permit 30
match ip address 2
match track  2
set vrf isp2
!         
route-map global_to_vrf permit 40
match ip address 2
set vrf isp1
!         
route-map vrf_to_global permit 10
match ip address 3
set global
!         
!         
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 2 permit 192.168.60.0 0.0.0.255
access-list 3 permit any
!         
control-plane
!         
!         
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.      

-----------------------------------------------------------------------
^C        
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS


Here are the Cisco IOS commands.


username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want
to use.   


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C        
!         
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Original poster | Posted on 2019-9-11 21:02:30
R2 is China Telecom, R3 is China Unicom.
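
An added example, not part of the original posts: a small Python model of the posted `global_to_vrf` route-map, comparing the intended evaluation (all match clauses in an entry are ANDed, first matching entry wins) with the behaviour reported in the first post, where the track clause has no effect. The function names, and the simplification that a packet is identified only by the number of the ACL it matches, are assumptions of this example.

```python
# Constructed input: the global_to_vrf route-map as posted in the thread.
ROUTE_MAP = """\
route-map global_to_vrf permit 10
 match ip address 1
 match track 1
 set vrf isp1
route-map global_to_vrf permit 20
 match ip address 1
 set vrf isp2
route-map global_to_vrf permit 30
 match ip address 2
 match track 2
 set vrf isp2
route-map global_to_vrf permit 40
 match ip address 2
 set vrf isp1
"""

def parse(text):
    """Return entries {'seq', 'acl', 'track', 'vrf'} sorted by sequence number."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["route-map"]:
            entries.append({"seq": int(words[3]), "acl": None, "track": None, "vrf": None})
        elif words[:3] == ["match", "ip", "address"]:
            entries[-1]["acl"] = int(words[3])
        elif words[:2] == ["match", "track"]:
            entries[-1]["track"] = int(words[2])
        elif words[:2] == ["set", "vrf"]:
            entries[-1]["vrf"] = words[2]
    return sorted(entries, key=lambda e: e["seq"])

def select_vrf(entries, acl, track_up, honor_track=True):
    """First entry whose match clauses all hold wins (clauses are ANDed).
    honor_track=False models the behaviour reported in the post, where
    the track clause has no effect on the result (assumption of this model)."""
    for e in entries:
        if e["acl"] != acl:
            continue  # 'match ip address' does not hold for this packet
        if honor_track and e["track"] is not None and not track_up.get(e["track"], False):
            continue  # tracked object is down, so fall through to the next entry
        return e["seq"], e["vrf"]
    return None  # no entry matched: the packet is not policy-routed

ENTRIES = parse(ROUTE_MAP)
```

With track 1 down, the intended evaluation sends ACL 1 traffic to sequence 20 (`isp2`), while the reported behaviour keeps it on sequence 10 (`isp1`).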