在FMC管理的FTD上為雙ISP配置PBR的IP SLA
目錄
簡介
本檔案介紹如何在由(FMC)管理的FTD上設定PBR以及IP SLA。
作者:Daniel Perez Vertti Vazquez,思科TAC工程師。
必要條件
需求
思科建議您瞭解以下主題:
- 上的PBR配置
Cisco Adaptive Security Appliance (ASA) - FlexConfig on
Firepower - IP SLA
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- Cisco FTD版本7.0.0(內部版本94)
- Cisco FMC 7.0.0版(內部版本94)
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
本檔案將說明如何設定 Policy Based Routing (PBR) 以及 Internet Protocol Service Level Agreement (IP SLA) 在Cisco Firepower Threat Defense (FTD) 由思科Firepower管理中心(FMC)管理。
傳統路由僅基於目的IP地址做出轉發決策。PBR是路由協定和靜態路由的替代方案。
它提供對路由的更精細控制,因為它允許將來源IP位址或來源和目的地連線埠等引數用作除目的地IP位址之外的路由條件。
PBR的可能方案包括源敏感應用或專用鏈路上的流量。
可以與PBR一起實施IP SLA以確保下一跳的可用性。IP SLA是一種通過交換常規資料包來監控端到端連線的機制。
發佈時,PBR不直接通過FMC支援 Graphical User Interface (GUI) 中,該功能的配置要求使用FlexConfig策略。
另一方面,只有 Internet Control Message Protocol (ICMP) FTD支援SLA。
在此範例中,PBR用於透過主要路由器路由封包 Internet Service Provider (ISP) 基於源IP地址的電路。
同時,IP SLA會監控連通性,並在發生任何故障時強制回退到備用電路。
設定
網路圖表
在本例中,Cisco FTD有兩個外部介面:VLAN230和VLAN232。每個交換機都連線到不同的ISP。
來自內部網路VLAN2813的流量通過使用PBR的主要ISP路由。
PBR路由對映僅基於源IP地址作出轉發決策(從VLAN2813接收的所有內容都必須路由到VLAN230中的10.88.243.1),並且應用於FTD的介面GigabitEthernet 0/1。
同時,FTD使用IP SLA來監控與每個ISP閘道的連線。在VLAN230中發生任何故障時,FTD會故障切換到VLAN232上的備份電路。
組態
步驟1.配置PBR訪問清單
在PBR配置的第一步中,定義哪些資料包必須遵循路由策略。PBR利用路由對映和訪問清單來識別流量。
要定義匹配條件的訪問清單,請導航至 Objects > Object Management 並選取 Extended 在 Access List 目錄中的類別。
按一下 Add Extended Access List .在 New Extended Access List Object 視窗,為對象指定名稱,然後選擇 Add 按鈕以從訪問清單配置開始。
在 Add Extended Access List Entry 視窗中,選擇代表內部網路的對象,本例中為VLAN2813。
按一下 Add to Source 將其定義為訪問清單的源。
按一下 Add 建立條目。
按一下 Save .必須將對象新增到對象清單中。
步驟2.配置PBR路由對映
配置PBR訪問清單後,將其分配給路由對映。路由對映根據訪問清單中定義的match子句評估流量。
發生匹配後,路由對映會執行路由策略中定義的操作。
要定義路由對映,請導航至 Objects > Object Management 並選取 Route Map 目錄中的URL。
按一下 Add Route Map >。在 New Route Map Object 為對象指定名稱,然後按一下 Add 以建立新的路由對映條目。
在 Add Route Map Entry 視窗中,定義新條目的位置的序號。
導航至 IPv4 > Match Clauses 並在中選擇Extended Available Access List 下拉選單。
選擇在步驟1中建立的訪問清單對象。
按一下 Add 建立條目。
按一下 Save . 將對象新增到對象清單。
步驟3.配置FlexConfig文本對象
下一步涉及定義代表每個電路的預設網關的FlexConfig文本對象。這些文本對象稍後將用於將PBR與SLA關聯的FlexConfig對象的配置中。
要定義FlexConfig文本對象,請導航至 Objects > Object Management 並選取 Text Object 在 FlexConfig 目錄中的類別。
按一下 Add Text Object .在 Add Text Object 視窗中,為代表主網關的對象分配名稱,並指定此裝置的IPv4地址。
按一下 Save 以新增新對象。
按一下 Add Text Object 再次建立第二個對象,這次是備份電路上的Gateway。
使用適當的名稱和IP地址填充新對象,然後按一下 Save .
必須將兩個對象和預設對象一起新增到清單中。
步驟4.配置SLA監控器
要定義用於監控到每個網關連線的SLA對象,請導航至 Objects > Object Management 並選取 SLA Monitor 目錄中的URL。
選擇 Add SLA Monitor 對象。
在 New SLA Monitor 視窗中,定義名稱以及SLA操作的識別符號、必須監控的裝置的IP地址(在本例中為主網關),以及裝置可訪問的介面或區域。
此外,還可以調整超時和閾值。按一下 Save .
選擇 Add SLA Monitor 按鈕再次出現,以建立第二個對象,這次為網關上的備份電路。
使用適當資訊填充新對象,確保SLA ID與為主網關定義的不同,並儲存更改。
必須將兩個對象新增到清單中。
步驟4.使用路由跟蹤配置靜態路由
建立IP SLA對象後,為每個網關定義路由並將其與SLA關聯。
這些路由實際上並不提供從內部到外部的連線(所有路由都是通過PBR執行的),相反,它們需要通過SLA跟蹤到網關的連線。
要配置靜態路由,請導航至 Devices > Device Management 中,編輯手頭的FTD並選擇 Static Route 在目錄內 Routing 頁籤。
在 Add Static Route Configuration 視窗,在Interface下拉選單中,指定必須能夠訪問主網關的介面的名稱。
然後在中選擇目標網路和主網關 Gateway 下拉選單。
指定路由的度量並在 Route Track 下拉選單,並為步驟3中建立的主網關選擇SLA對象。
按一下OK新增新路由。
必須為備份網關配置第二個靜態路由。
按一下 Add Route 定義新的靜態路由。
填寫 Add Static Route Configuration 與備份網關的資訊匹配,並確保此路由的度量高於第一個路由中配置的度量。
必須將兩條路由新增到清單中。
步驟5.配置PBR FlexConfig對象
在用於PBR的路由對映下啟用SLA,並在FTD的介面中應用此路由對映。
到目前為止,路由對映只與定義匹配條件的訪問清單相關聯。但是,FMC GUI不支援最後的調整,因此需要FlexConfig對象。
要定義PBR FlexConfig對象,請導航至 Objects > Object Management 並選取 FlexConfig Object 在 FlexConfig 目錄中的類別。
選擇 Add FlexConfig Object 按鈕。在 Add FlexConfig Object 視窗分配名稱並導航至 Insert > Insert Policy Object > Route Map .
在 Insert Route Map Variable 視窗中,為變數指定一個名稱,並選擇在步驟2中建立的PBR對象。
按一下 Save 將路由對映新增為FlexConfig對象的一部分。
除了路由對映變數之外,我們還必須新增代表每個網關(在步驟3中定義)的FlexConfig文本對象。在 Add FlexConfig Object 視窗導航至 Insert > Insert Policy Object > Text Object .
在 Insert Text Object Variable 視窗為變數指定名稱,並選擇代表步驟3中定義的主網關的文本對象。
按一下 Save 按鈕將其新增到FlexConfig對象。
對備份網關重複上述最後步驟。在過程結束時,必須將這兩個變數附加到FlexConfig對象。
PBR配置的語法必須與Cisco ASA中的語法相同。路由對映的序列號必須與步驟2中配置的序列號(本例中為10)以及SLA ID匹配。
要配置PBR以檢查下一跳的可用性,請 set ip next-hop verify-availability 必須使用command。
必須將路由對映應用於內部介面,本例中為VLAN2813。使用 policy-route route-map 命令。
按一下 Save 配置完成後。
必須將FlexConfig對象新增到清單中。
步驟6.將PBR FlexConfig對象分配到FlexConfig策略
導航至 Devices > FlexConfig 並編輯手頭的FlexConfig策略。
選擇中的PBR FlexConfig對象 Available FlexConfig 目錄、儲存變更和部署變更至FTD。
驗證
部署完成後,FTD必須定期向受監控裝置傳送ICMP回應請求,以確保連線能力。同時,必須將到達主網關的跟蹤路由新增到路由表中。
firepower# show route-map
route-map PBR_RouteMap, permit, sequence 10
Match clauses:
ip address (access-lists): PBR_ACL
Set clauses:
ip next-hop verify-availability 10.88.243.1 1 track 2 [up]
ip next-hop verify-availability 10.31.124.1 2 track 1 [up]
firepower# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 10.88.243.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.88.243.1, VLAN230
C 10.31.124.0 255.255.255.0 is directly connected, VLAN232
L 10.31.124.25 255.255.255.255 is directly connected, VLAN232
C 10.88.243.0 255.255.255.0 is directly connected, VLAN230
L 10.88.243.60 255.255.255.255 is directly connected, VLAN230
C 192.168.13.0 255.255.255.0 is directly connected, VLAN2813
L 192.168.13.1 255.255.255.255 is directly connected, VLAN2813由於與主網關的連線已開啟,因此來自內部子網(VLAN2813)的流量必須通過主ISP電路轉發。
firepower# packet-tracer input vlan2813 icmp 192.168.13.2 8 0 8.8.8.8 detailed
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR_RouteMap permit 10
match ip address PBR_ACL
set ip next-hop verify-availability 10.88.243.1 1 track 2
set ip next-hop verify-availability 10.31.124.1 2 track 1
Additional Information:
Matched route-map PBR_RouteMap, sequence 10, permit
Found next-hop 10.88.243.1 using egress ifc VLAN230
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176701, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168893, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188129, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168893, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188129, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 12
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 13
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 14
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168894, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188129, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 17
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 18
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 19
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168894, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 20
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188130, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 21
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176710, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 22
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172250, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 23
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=176702, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 24
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN230) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170013860, priority=6, domain=nat, deny=false
hits=168894, user_data=0x1461af306540, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN230(vrfid:0)
Phase: 25
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188130, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 26
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=176711, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=anyError: not enough buffer space to print ASP rule
Result:
input-interface: VLAN2813(vrfid:0)
input-status: up
input-line-status: up
output-interface: VLAN230(vrfid:0)
output-status: up
output-line-status: up
Action: allow
如果FTD在SLA監控器對象中指定的閾值計時器內沒有收到來自主閘道的回應回覆,則認為主機無法連線且被標籤為關閉。指向主網關的跟蹤路由也將被指向備份對等體的跟蹤路由取代。
firepower# show route-map
route-map PBR_RouteMap, permit, sequence 10
Match clauses:
ip address (access-lists): PBR_ACL
Set clauses:
ip next-hop verify-availability 10.88.243.1 1 track 2 [down]
ip next-hop verify-availability 10.31.124.1 2 track 1 [up]
firepower# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 10.31.124.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [2/0] via 10.31.124.1, VLAN232
C 10.31.124.0 255.255.255.0 is directly connected, VLAN232
L 10.31.124.25 255.255.255.255 is directly connected, VLAN232
C 192.168.13.0 255.255.255.0 is directly connected, VLAN2813
L 192.168.13.1 255.255.255.255 is directly connected, VLAN2813
每次FTD都會產生資訊性訊息622001,從路由表中新增或移除追蹤的路由。
firepower# show logg | i 622001
%FTD-6-622001: Removing tracked route 0.0.0.0 0.0.0.0 10.31.124.1, distance 2, table default, on interface VLAN232%FTD-6-305012: Teardown dynamic UDP translation from VLAN2813:192.168.13.5/49641 to VLAN230:10.88.243.60/49641 duration 0:02:10現在,所有來自VLAN2813的流量都必須通過備用ISP電路轉發。
firepower# packet-tracer input vlan2813 icmp 192.168.13.2 8 0 8.8.8.8 detailed
Phase: 1
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map PBR_RouteMap permit 10
match ip address PBR_ACL
set ip next-hop verify-availability 10.88.243.1 1 track 2
set ip next-hop verify-availability 10.31.124.1 2 track 1
Additional Information:
Matched route-map PBR_RouteMap, sequence 10, permit
Found next-hop 10.31.124.1 using egress ifc VLAN232
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177180, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8251, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8251, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 12
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 13
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 14
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8252, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 17
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 18
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 19
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8252, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 20
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188613, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 21
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 22
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip ifc VLAN2813 object VLAN2813 any rule-id 268437505 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268437505: PREFILTER POLICY: ftdvha-dperezve
access-list CSM_FW_ACL_ remark rule-id 268437505: RULE: Internet_Traffic
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461708f7a90, priority=12, domain=permit, trust
hits=172729, user_data=0x146183cf8380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any, ifc=VLAN2813(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 23
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170d472a0, priority=7, domain=conn-set, deny=false
hits=177181, user_data=0x146170d413f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Phase: 24
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (VLAN2813,VLAN232) after-auto source dynamic VLAN2813 interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x146170032540, priority=6, domain=nat, deny=false
hits=8252, user_data=0x1461af306740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=VLAN232(vrfid:0)
Phase: 25
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461af9c3320, priority=0, domain=nat-per-session, deny=true
hits=188613, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 26
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1461aff02da0, priority=0, domain=inspect-ip-options, deny=true
hits=177190, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=VLAN2813(vrfid:0), output_ifc=any
Result:
input-interface: VLAN2813(vrfid:0)
input-status: up
input-line-status: up
output-interface: VLAN232(vrfid:0)
output-status: up
output-line-status: up
Action: allow
疑難排解
為了驗證在中強制執行哪個PBR條目 interesting traffic ,運行命令debug policy-route。
firepower# debug policy-route
debug policy-route enabled at level 1
firepower# pbr: policy based route lookup called for 192.168.13.5/45951 to 208.67.220.220/53 proto 17 sub_proto 0 received on interface VLAN2813, NSGs, nsg_id=none
pbr: First matching rule from ACL(2)
pbr: route map PBR_RouteMap, sequence 10, permit; proceed with policy routing
pbr: evaluating verified next-hop 10.88.243.1
pbr: policy based routing applied; egress_ifc = VLAN230 : next_hop = 10.88.243.1
pbr: policy based route lookup called for 192.168.13.5/56099 to 208.67.220.220/53 proto 17 sub_proto 0 received on interface VLAN2813, NSGs, nsg_id=none
pbr: First matching rule from ACL(2)
pbr: route map PBR_RouteMap, sequence 10, permit; proceed with policy routing
pbr: evaluating verified next-hop 10.88.243.1
pbr: policy based routing applied; egress_ifc = VLAN230 : next_hop = 10.88.243.1
pbr: policy based route lookup called for 192.168.13.2/24 to 8.8.8.8/0 proto 1 sub_proto 8 received on interface VLAN2813, NSGs, nsg_id=none
pbr: First matching rule from ACL(2)
pbr: route map PBR_RouteMap, sequence 10, permit; proceed with policy routing
pbr: evaluating verified next-hop 10.88.243.1
pbr: policy based routing applied; egress_ifc = VLAN230 : next_hop = 10.88.243.1
pbr: policy based route lookup called for 192.168.13.5/40669 to 208.67.220.220/53 proto 17 sub_proto 0 received on interface VLAN2813, NSGs, nsg_id=none
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
29-Nov-2021 |
初始版本 |
意見