Cisco ASA防火墙PBR策略路由配置

1 FAQ

1.1 什么是PBR

全称policy-base routing （策略路由）

官方解释 ：
PBR is an alternative to routing protocols and allows you to configure a policy for unicast traffic flows,
which provides more control over routing than a routing protocol does and avoids the need to configure
interface-level traffic classification. PBR can route unicast traffic along a different path than a routing
protocol would use. PBR can provide:
• Equal access
• Protocol-sensitive routing
• Source-sensitive routing
• Routing based on interactive rather than batch traffic
简单来说就是数据包按我们指定的下一跳转发，比路由表优先。
算是特权吗？ yeah，特权

1.2 PBR能用于组播流量吗？

不能用于组播，只能用于单播流量。

1.3 PBR能调用在出向接口吗？

不能。 只能调用在入向接口

1.4 PBR能对交换机本地始发的流量生效吗?

可以。需要指定全局调用

1.5 PBR有啥缺点吗？

缺点那是一大堆。随便举2个

• CPU消耗大
• 不利于排错（排错时会因为有pbr而造成困扰，“你个球的不按套路出牌“）

2 配置步骤

2.1 创建ACL匹配流量

2.2 创建route-map，调用ACL，设置下一跳

2.3 接口下调用route-map

3 配置实例

3.1 define acl

access-list PBR-ACL extended permit ip host 192.168.1.2 any

3.2 define route-map

route-map PBR permit 10 
match ip address PBR-ACL <-- Specify the generated Access-List 
set ip next-hop 192.168.2.252 <-- Specify next-hop (IP of Router2)

3.3 apply to interface

interface GigabitEthernet0/0 

policy-route route-map PBR <-- Apply route-map to incoming Interface

验证命令

asav# show policy-route        <-- Check the presence of PBR (Set Route-map PBR on Interface GigabitEthernet0/0) 

Interface Route map 

GigabitEthernet0/0 PBR 

 

 

asav# show route-map           <-- Check Route-map (PBR-ACL Specify Next-hop 192.6.2.252) 

route-map PBR, permit, sequence 10 

  Match clauses: 

    ip address (access-lists): PBR-ACL 

 

  Set clauses: 

    ip next-hop 192.168.2.252 

 

 

asav# show access- list PBR-ACL      <-- Confirm packets matching PBR-ACL 

access-list PBR-ACL; 1 elements; name hash: 0x9e175fdb 

access-list PBR-ACL line 1 extended permit ip host 192.168.1.2  any (hitcnt =5) 0xddb23923

 

可以参考文档：
https://www.cisco.com/c/ja_jp/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/route-policy-based.html