在FMC管理的FTD上为双ISP配置PBR的IP SLA
目录
简介
本文档介绍如何在由(FMC)管理的FTD上配置PBR和IP SLA。
作者:Daniel Perez Vertti Vazquez,思科TAC工程师。
先决条件
要求
Cisco 建议您了解以下主题:
- 上的PBR配置
Cisco Adaptive Security Appliance (ASA) - FlexConfig开启
Firepower - IP SLA
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 思科FTD版本7.0.0(内部版本94)
- 思科FMC 7.0.0版(内部版本94)
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
背景信息
本文档介绍如何配置 Policy Based Routing (PBR) 以及 Internet Protocol Service Level Agreement (IP SLA) 在思科 Firepower Threat Defense (FTD) 由思科Firepower管理中心(FMC)管理。
传统路由仅根据目的IP地址做出转发决策。PBR是路由协议和静态路由的替代方案。
它提供对路由的更精细控制,因为它允许使用源IP地址或源和目标端口等参数作为除目标IP地址以外的路由标准。
PBR的可能方案包括源敏感应用或专用链路上的流量。
与PBR一起,可以实施IP SLA以确保下一跳的可用性。IP SLA是一种通过交换常规数据包来监控端到端连接的机制。
在发布时,PBR不直接通过FMC支持 Graphical User Interface (GUI) ,配置功能需要使用FlexConfig策略。
另一方面,只有 Internet Control Message Protocol (ICMP) FTD支持SLA。
在本例中,PBR用于通过主路由器路由数据包 Internet Service Provider (ISP) 根据源IP地址的电路。
同时,IP SLA会监控连接性,并在出现任何故障时强制回退到备用电路。
配置
网络图
在本示例中,Cisco FTD有两个外部接口:VLAN230和VLAN232。每个交换机都连接到不同的ISP。
来自内部网络VLAN2813的流量通过使用PBR的主要ISP路由。
PBR路由映射仅根据源IP地址做出转发决策(从VLAN2813接收的所有内容都必须路由到VLAN230中的10.88.243.1),并且应用于FTD的接口GigabitEthernet 0/1。
同时,FTD使用IP SLA来监控与每个ISP网关的连接。如果VLAN230中发生任何故障,FTD会故障切换到备用电路VLAN232。
配置
步骤1:配置PBR访问列表
在PBR配置的第一步中,定义哪些数据包必须遵循路由策略。PBR使用路由映射和访问列表来识别流量。
要定义匹配条件的访问列表,请导航至 Objects > Object Management 并选择 Extended 在 Access List 目录中的类别。
点击 Add Extended Access List .如果 New Extended Access List Object 窗口中,为对象指定名称,然后选择 Add 按钮以从访问列表配置开始。
如果 Add Extended Access List Entry 窗口中,选择代表内部网络的对象,本例中为VLAN2813。
点击 Add to Source 将其定义为访问列表的源。
点击 Add 创建条目。
点击 Save .必须将对象添加到对象列表中。
第二步:配置PBR路由映射
配置PBR访问列表后,将其分配给路由映射。路由映射根据访问列表中定义的match子句评估流量。
匹配发生后,路由映射将执行路由策略中定义的操作。
要定义路由映射,请导航至 Objects > Object Management 并选择 Route Map 在目录下。
点击 Add Route Map >.如果 New Route Map Object 为对象指定名称,然后单击 Add 以创建新的路由映射条目。
如果 Add Route Map Entry 窗口中,定义新条目的位置的序列号。
导航至 IPv4 > Match Clauses 并在中选择Extended Available Access List 下拉菜单。
选择在第1步中创建的访问列表对象。
点击 Add 创建条目。
点击 Save . 将对象添加到对象列表。
第三步:配置FlexConfig文本对象
下一步涉及定义代表每个电路的默认网关的FlexConfig文本对象。这些文本对象稍后将用于将PBR与SLA关联的FlexConfig对象的配置中。
要定义FlexConfig文本对象,请导航至 Objects > Object Management 并选择 Text Object 在 FlexConfig 目录中的类别。
点击 Add Text Object .如果 Add Text Object 窗口中,为代表主网关的对象分配名称,并指定此设备的IPv4地址。
点击 Save 添加新对象。
点击 Add Text Object 再次创建第二个对象,这次用于备份电路上的网关。
使用适当的名称和IP地址填充新对象,然后单击 Save .
必须将这两个对象连同默认对象一起添加到列表中。
第四步:配置SLA监控器
要定义用于监控每个网关连接的SLA对象,请导航至 Objects > Object Management 并选择 SLA Monitor 在目录下。
选择 Add SLA Monitor 对象。
如果 New SLA Monitor 窗口中,定义名称以及SLA操作的标识符、必须监控的设备的IP地址(在本例中是主网关),以及可访问设备的接口或区域。
此外,还可以调整超时和阈值。点击 Save .
选择 Add SLA Monitor 按钮,以创建第二个对象,此时间用于备用电路上的网关。
使用适当信息填充新对象,确保SLA ID不同于为主网关定义的SLA ID,并保存更改。
必须将这两个对象添加到列表中。
第四步:使用路由跟踪配置静态路由
创建IP SLA对象后,为每个网关定义路由并将它们与SLA关联。
这些路由实际上并不提供从内部到外部的连接(所有路由都通过PBR执行),而是需要它们通过SLA跟踪到网关的连接。
要配置静态路由,请导航至 Devices > Device Management ,编辑手头的FTD并选择 Static Route 在目录内 Routing 选项卡。
如果 Add Static Route Configuration 窗口中,在Interface下拉列表中,指定必须通过其到达主网关的接口的名称。
然后在列表中选择目标网络和主网关 Gateway 下拉列表。
指定路由的度量,并在 Route Track 下拉列表,并为第3步中创建的主网关选择SLA对象。
单击OK添加新路由。
必须为备用网关配置另一条静态路由。
点击 Add Route 定义新的静态路由。
填写 Add Static Route Configuration 和备份网关的信息,并确保此路由的度量高于第一个路由中配置的度量。
必须将这两条路由添加到列表中。
第五步:配置PBR FlexConfig对象
在用于PBR的路由映射下启用SLA,并在FTD的接口中应用此路由映射。
到目前为止,路由映射只与定义匹配条件的访问列表相关联。但是,FMC GUI不支持最后的调整,因此需要一个FlexConfig对象。
要定义PBR FlexConfig对象,请导航至 Objects > Object Management 并选择 FlexConfig Object 在 FlexConfig 目录中的类别。
选择 Add FlexConfig Object 按钮。如果 Add FlexConfig Object 窗口指定名称并导航至 Insert > Insert Policy Object > Route Map .
如果 Insert Route Map Variable 窗口中,为变量指定名称,并选择在步骤2中创建的PBR对象。
点击 Save 添加路由映射作为FlexConfig对象的一部分。
除了路由映射变量之外,我们还必须添加代表每个网关的FlexConfig文本对象(在步骤3中定义)。如果 Add FlexConfig Object 窗口导航至 Insert > Insert Policy Object > Text Object .
如果 Insert Text Object Variable 窗口为变量指定名称,并选择代表步骤3中定义的主网关的文本对象。
点击 Save 按钮将其添加到FlexConfig对象。
对备用网关重复上述最后步骤。在过程结束时,必须将这两个变量附加到FlexConfig对象中。
PBR配置的语法必须与思科ASA中的语法相同。路由映射的序列号必须与步骤2中配置的序列号(本例中为10)以及SLA ID匹配。
要配置PBR以检查下一跳的可用性,请 set ip next-hop verify-availability 命令。
路由映射必须应用于内部接口,本例中为VLAN2813。使用 policy-route route-map 命令。
点击 Save 配置完成后。
必须将FlexConfig对象添加到列表中。
第六步:将PBR FlexConfig对象分配到FlexConfig策略
导航至 Devices > FlexConfig 并编辑手头的FlexConfig策略。
选择中的PBR FlexConfig对象 Available FlexConfig 目录、保存更改并将更改部署到FTD。
验证
部署完成后,FTD必须定期向受监控设备发送ICMP回应请求,以确保可达性。同时,必须将到达主网关的跟踪路由添加到路由表中。
firepower# show route-map
route-map PBR_RouteMap, permit, sequence 10
Match clauses:
ip address (access-lists): PBR_ACL
Set clauses:
ip next-hop verify-availability 10.88.243.1 1 track 2 [up]
ip next-hop verify-availability 10.31.124.1 2 track 1 [up]
firepower# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 10.88.243.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.88.243.1, VLAN230
C 10.31.124.0 255.255.255.0 is directly connected, VLAN232
L 10.31.124.25 255.255.255.255 is directly connected, VLAN232
C 10.88.243.0 255.255.255.0 is directly connected, VLAN230
L 10.88.243.60 255.255.255.255 is directly connected, VLAN230
C 192.168.13.0 255.255.255.0 is directly connected, VLAN2813
L 192.168.13.1 255.255.255.255 is directly connected, VLAN2813由于与主网关的连接已建立,因此必须通过主ISP电路转发来自内部子网(VLAN2813)的流量。
firepower# packet-tracer input vlan2813 icmp 192.168.13.2 8 0 8.8.8.8 detailed
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR_RouteMap permit 10
match ip address PBR_ACL
set ip next-hop verify-availability 10.88.243.1 1 track 2
set ip next-hop verify-availability 10.31.124.1 2 track 1
Additional Information:
Matched route-map PBR_RouteMap, sequence 10, permit
Found next-hop 10.88.243.1 using egress ifc VLAN230
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176701, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168893, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188129, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168893, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188129, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 12
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 13
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 14
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168894, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188129, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 17
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 18
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 19
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168894, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 20
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188130, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 21
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 22
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 23
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 24
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168894, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 25
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188130, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 26
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176711, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=anyError: not enough buffer space to print ASP rule
Result:
input-interface: VLAN2813(vrfid:0)
input-status: up
input-line-status: up
output-interface: VLAN230(vrfid:0)
output-status: up
output-line-status: up
Action: allow
如果FTD在SLA监控器对象中指定的阈值计时器内没有收到来自主网关的回应应答,则认为主机不可达,并标记为关闭。通向主网关的跟踪路由也将被通向备用对等体的跟踪路由取代。
firepower# show route-map
route-map PBR_RouteMap, permit, sequence 10
Match clauses:
ip address (access-lists): PBR_ACL
Set clauses:
ip next-hop verify-availability 10.88.243.1 1 track 2 [down]
ip next-hop verify-availability 10.31.124.1 2 track 1 [up]
firepower# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 10.31.124.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [2/0] via 10.31.124.1, VLAN232
C 10.31.124.0 255.255.255.0 is directly connected, VLAN232
L 10.31.124.25 255.255.255.255 is directly connected, VLAN232
C 192.168.13.0 255.255.255.0 is directly connected, VLAN2813
L 192.168.13.1 255.255.255.255 is directly connected, VLAN2813
每次FTD都会生成参考消息622001,以便从路由表中添加或删除跟踪的路由。
firepower# show logg | i 622001
%FTD-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.31.124.1, distance 2, table default, on interface VLAN232%FTD-6-305012: Teardown dynamic UDP translation from VLAN2813:192.168.13.5/49641 to VLAN230:10.88.243.60/49641 duration 0:02:10现在,所有来自VLAN2813的流量必须通过备用ISP电路转发。
firepower# packet-tracer input vlan2813 icmp 192.168.13.2 8 0 8.8.8.8 detailed
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR_RouteMap permit 10
match ip address PBR_ACL
set ip next-hop verify-availability 10.88.243.1 1 track 2
set ip next-hop verify-availability 10.31.124.1 2 track 1
Additional Information:
Matched route-map PBR_RouteMap, sequence 10, permit
Found next-hop 10.31.124.1 using egress ifc VLAN232
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177180, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8251, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8251, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 12
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 13
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 14
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8252, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 17
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 18
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 19
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8252, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 20
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188613, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 21
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 22
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 23
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 24
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8252, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 25
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188613, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 26
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177190, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Result:
input-interface: VLAN2813(vrfid:0)
input-status: up
input-line-status: up
output-interface: VLAN232(vrfid:0)
output-status: up
output-line-status: up
Action: allow
故障排除
为了验证在中实施哪个PBR条目 interesting traffic ,运行命令debug policy-route。
firepower# debug policy-route
debug policy-route enabled at level 1
firepower# pbr: policy based route lookup called for 192.168.13.5/45951 to 208.67.220.220/53 proto 17 sub_proto 0 received on interface VLAN2813, NSGs, nsg_id=none
pbr: First matching rule from ACL(2)
pbr: route map PBR_RouteMap, sequence 10, permit; proceed with policy routing
pbr: evaluating verified next-hop 10.88.243.1
pbr: policy based routing applied; egress_ifc = VLAN230 : next_hop = 10.88.243.1
pbr: policy based route lookup called for 192.168.13.5/56099 to 208.67.220.220/53 proto 17 sub_proto 0 received on interface VLAN2813, NSGs, nsg_id=none
pbr: First matching rule from ACL(2)
pbr: route map PBR_RouteMap, sequence 10, permit; proceed with policy routing
pbr: evaluating verified next-hop 10.88.243.1
pbr: policy based routing applied; egress_ifc = VLAN230 : next_hop = 10.88.243.1
pbr: policy based route lookup called for 192.168.13.2/24 to 8.8.8.8/0 proto 1 sub_proto 8 received on interface VLAN2813, NSGs, nsg_id=none
pbr: First matching rule from ACL(2)
pbr: route map PBR_RouteMap, sequence 10, permit; proceed with policy routing
pbr: evaluating verified next-hop 10.88.243.1
pbr: policy based routing applied; egress_ifc = VLAN230 : next_hop = 10.88.243.1
pbr: policy based route lookup called for 192.168.13.5/40669 to 208.67.220.220/53 proto 17 sub_proto 0 received on interface VLAN2813, NSGs, nsg_id=none
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
1.0 |
29-Nov-2021 |
初始版本 |
反馈