I have recently been studying the basics of OSPF route filtering to prepare for the CCNA certification exam, and wrote up these study notes. They cover three main topics:
1. Filtering the routes OSPF receives.
2. Filtering routes when they are redistributed between OSPF processes.
3. Filtering the routes OSPF advertises.
The same kind of filtering can be implemented in several ways, as shown in the figure below:
Below, each case of OSPF route filtering is worked through as an experiment. The topology is shown in the figure below:
The devices run in the H3C simulator. R1, R2 and R4 run OSPF process 1; R2 and SW2 run OSPF process 5. R4 has a 50.x network that must be reachable from the 50.x network on SW2. All the filtering exercises below build on this base topology. The main base configuration is:

R1:
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
 ip address 10.10.10.10 255.255.255.255
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.10.10 0.0.0.0

R2:
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
 ip address 10.10.20.10 255.255.255.255
#
interface LoopBack2
 ip address 50.50.60.10 255.255.255.255
#
interface Vlan-interface2
 ip address 172.16.1.6 255.255.255.252
#
acl number 2000                                // select the 50.x route (R4's 50.50.70.10)
 rule 0 permit source 50.50.70.10 0
 rule 1 deny
#
route-policy 5YinRu1 permit node 10            // route-policy bound to the ACL
 if-match acl 2000
#
route-policy 1YinRu5 permit node 10            // route-policy bound to the ip-prefix list named test
 if-match ip-prefix test
#
ip ip-prefix test index 10 permit 50.50.50.50 32
ip ip-prefix test index 20 deny 0.0.0.0 0 less-equal 32      // the two entries select only 50.50.50.50
#
ospf 1 router-id 2.2.2.2
 import-route ospf 5 route-policy 1YinRu5      // applied in process 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.20.10 0.0.0.0
  network 172.16.1.8 0.0.0.3
#
ospf 5
 import-route ospf 1 route-policy 5YinRu1      // applied in process 5
 area 0.0.0.0
  network 172.16.1.4 0.0.0.3
  network 50.50.60.10 0.0.0.0

R4:
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
#
interface LoopBack1
 ip address 10.10.30.10 255.255.255.255
#
interface LoopBack2
 ip address 50.50.70.10 255.255.255.255
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 172.16.1.8 0.0.0.3
  network 10.10.30.10 0.0.0.0
  network 50.50.70.10 0.0.0.0

SW2:
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface LoopBack1
 ip address 50.50.50.50 255.255.255.255
#
interface Vlan-interface2
 ip address 172.16.1.5 255.255.255.252
#
ospf 5 router-id 3.3.3.3
 area 0.0.0.0
  network 172.16.1.4 0.0.0.3
  network 50.50.50.50 0.0.0.0

Now on to the experiments. Some parts may not be written in enough detail; comments and corrections are welcome.
I. Three ways to filter the routes OSPF receives

1. Filtering received routes affects both the routes redistributed with import-route (external routes) and the routes advertised by other routers in the area. The first implementation uses filter-policy + ACL.

On R1 there are two routes to 50.x networks:

[R1-ospf-1]dis ip routing-table
Routing Tables: Public
        Destinations : 12        Routes : 12

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
50.50.50.50/32      O_ASE   150  1      172.16.1.2   S0/6/0
50.50.70.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

50.50.50.50/32  O_ASE  150  1     172.16.1.2  S0/6/0   is an external route (redistributed on R2 from process 5)
50.50.70.10/32  OSPF   10   3124  172.16.1.2  S0/6/0   is an intra-area route advertised by another router in the area (R4)

After adding the following configuration:

acl number 2003
 rule 0 deny source 50.50.0.0 0.0.255.255
 rule 5 permit

[R1-ospf-1]dis th
#
ospf 1 router-id 1.1.1.1
 filter-policy 2003 import
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.10.10 0.0.0.0
#
return

[R1-ospf-1]dis ip ro
Routing Tables: Public
        Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

Summary: filtering in the import direction removes both the route redistributed via import-route and the route advertised by another router in the area. Two points worth keeping in mind: a basic ACL used this way is matched against the route's destination address only, with the source/wildcard of each rule, and never looks at the mask length; and filter-policy import only decides which OSPF-computed routes are installed in R1's own IP routing table. The LSAs stay in R1's LSDB and are still flooded, so R1's neighbours are not affected.

2. The implementation above uses filter-policy + ACL.
It can also be done with filter-policy + IP-PREFIX.

Before filter-policy is configured:

[R1-ospf-1]dis ip ro
Routing Tables: Public
        Destinations : 12        Routes : 12

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
50.50.50.50/32      O_ASE   150  1      172.16.1.2   S0/6/0
50.50.70.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

Add the following configuration:

ip ip-prefix test1 index 10 deny 50.50.0.0 16 greater-equal 16 less-equal 32   // deny every route inside 50.50.0.0/16, whatever its mask length
ip ip-prefix test1 index 20 permit 0.0.0.0 0 less-equal 32                     // match all remaining routes
ospf 1 router-id 1.1.1.1
 filter-policy ip-prefix test1 import
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.10.10 0.0.0.0

Without less-equal 32, the entry 0.0.0.0 0 would match only the default route 0.0.0.0/0, and every other route would fall through to the prefix list's implicit deny.

The routing table is now:

[R1]dis ip ro
Routing Tables: Public
        Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

The routing table no longer contains any 50.x route.

Additional note on ip ip-prefix:

Suppose we want to match the /24 routes inside 192.168.16.0/22, for example 192.168.16.0/24 and 192.168.18.0/24. In Cisco IOS syntax (as in the original note) the prefix list is written
ip prefix-list 1 permit 192.168.16.0/22 ge 24 le 24
and in Comware syntax
ip ip-prefix 1 index 10 permit 192.168.16.0 22 greater-equal 24 less-equal 24

The entry means: the route's mask length must lie between ge 24 and le 24, i.e. be exactly /24, and the first 22 bits of the route must equal 192.168.16.0. It therefore matches all four /24s in the block, 192.168.16.0/24, 192.168.17.0/24, 192.168.18.0/24 and 192.168.19.0/24, not only the two named above; to match exactly those two, use one entry per prefix (permit 192.168.16.0 24 and permit 192.168.18.0 24). The block 192.168.16.0/22 itself (mask length 22) does not match. 192.168.16.0/22 covers 192.168.16.0 to 192.168.19.255, i.e. the host addresses 192.168.16.1 to 192.168.19.254.
3. The two methods above filter received routes precisely by prefix. There is a third method, filter-policy gateway, which filters all routes advertised by a given gateway (next hop).

Routing table before the configuration is added:

[R1]dis ip ro
Routing Tables: Public
        Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

Add the following configuration:

ip ip-prefix test2 index 10 deny 172.16.1.2 32
ip ip-prefix test2 index 20 permit 0.0.0.0 0 less-equal 32

ospf 1 router-id 1.1.1.1
 filter-policy gateway test2 import
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.10.10 0.0.0.0

The routing table is now:

[R1-ospf-1]qu
[R1]dis ip ro
Routing Tables: Public
        Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0

Apart from the directly connected route whose next hop is 172.16.1.2, every OSPF route received via 172.16.1.2 has been filtered out. With the gateway keyword the prefix list is matched against each route's next hop (as a /32 host address), not against the destination prefix.

Note: gateway-based filtering is only available for received routes, i.e. in the import direction:

[R1-ospf-1]filter-policy gateway test2 ?
  import  Filtering incoming routing updates

When the command is typed, import is the only direction offered.
II. Filtering routes at redistribution

1. Method one: route-policy + ACL. Redistribute only the 50.x route of process 1 into process 5:

acl number 2000                               // select the 50.x route
 rule 0 permit source 50.50.70.10 0
 rule 1 deny
#
ospf 5
 import-route ospf 1 route-policy 5YinRu1     // applied in process 5
 area 0.0.0.0
  network 172.16.1.4 0.0.0.3
  network 50.50.60.10 0.0.0.0
#
route-policy 5YinRu1 permit node 10           // route-policy bound to the ACL
 if-match acl 2000

Routes denied by ACL 2000 fail the if-match of node 10; since the policy has no further node they fall to the route-policy's implicit deny and are not redistributed.

If configured correctly, SW2 sees the route to 50.50.70.10 but none of the 10.x routes from process 1.

Routing table:

<sw2>dis ip ro
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
3.3.3.3/32          Direct  0    0      127.0.0.1    InLoop0
50.50.50.50/32      Direct  0    0      127.0.0.1    InLoop0
50.50.60.10/32      OSPF    10   1      172.16.1.6   Vlan2
50.50.70.10/32      O_ASE   150  1      172.16.1.6   Vlan2
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.4/30       Direct  0    0      172.16.1.5   Vlan2
172.16.1.5/32       Direct  0    0      127.0.0.1    InLoop0

Verified: the configuration works.
2. Method two: route-policy + IP-PREFIX

ip ip-prefix test index 10 permit 50.50.50.50 32
ip ip-prefix test index 20 deny 0.0.0.0 0 less-equal 32      // the two entries select only 50.50.50.50
#
route-policy 1YinRu5 permit node 10                           // route-policy bound to the ip-prefix list named test
 if-match ip-prefix test
#
ospf 1 router-id 2.2.2.2
 import-route ospf 5 route-policy 1YinRu5                     // applied in process 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.20.10 0.0.0.0
  network 172.16.1.8 0.0.0.3
#

If configured correctly, R4 sees the route to 50.50.50.50 and none of the other 50.x routes of process 5 (such as R2's 50.50.60.10):

<R4>dis ip ro
Routing Tables: Public
        Destinations : 12        Routes : 12

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
4.4.4.4/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      OSPF    10   3124   172.16.1.9   S0/6/1
10.10.20.10/32      OSPF    10   1562   172.16.1.9   S0/6/1
10.10.30.10/32      Direct  0    0      127.0.0.1    InLoop0
50.50.50.50/32      O_ASE   150  1      172.16.1.9   S0/6/1
50.50.70.10/32      Direct  0    0      127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       OSPF    10   3124   172.16.1.9   S0/6/1
172.16.1.8/30       Direct  0    0      172.16.1.10  S0/6/1
172.16.1.9/32       Direct  0    0      172.16.1.9   S0/6/1
172.16.1.10/32      Direct  0    0      127.0.0.1    InLoop0

Verified: the configuration works. With the two processes now redistributing into each other, the two redistributed networks should be able to reach each other:

<R4>ping -a 50.50.70.10 50.50.50.50
  PING 50.50.50.50: 56  data bytes, press CTRL_C to break
    Reply from 50.50.50.50: bytes=56 Sequence=1 ttl=254 time=15 ms
    Reply from 50.50.50.50: bytes=56 Sequence=2 ttl=254 time=15 ms
    Reply from 50.50.50.50: bytes=56 Sequence=3 ttl=254 time=30 ms
    Reply from 50.50.50.50: bytes=56 Sequence=4 ttl=254 time=35 ms
    Reply from 50.50.50.50: bytes=56 Sequence=5 ttl=254 time=36 ms

  --- 50.50.50.50 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 15/26/36 ms

III. Filtering advertised routes: filter-policy export

filter-policy export lets an ASBR filter the external routes it redistributes into OSPF. The command is effective only on an ASBR, and only for routes this router itself redistributes with import-route; it has no effect on routes injected by other routers. Again shown by experiment:

1. In the experiment above we redistributed 50.50.50.50 from process 5 into process 1, so both R1 and R4 in process 1 learned it. But only R4 and SW2 need to communicate, so R1 does not need the route to 50.50.50.50, nor the one to 50.50.70.10. Can this be achieved by filtering advertised routes on R2? Let us look at the configuration. R1's routing table before the change:

<R1>dis ip ro
Routing Tables: Public
        Destinations : 12        Routes : 12

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
50.50.50.50/32      O_ASE   150  1      172.16.1.2   S0/6/0
50.50.70.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0
acl number 2004
 rule 1 deny source 50.50.0.0 0.0.255.255
 rule 5 permit
#
ospf 1 router-id 2.2.2.2
 filter-policy 2004 export                    // filter advertised routes with filter-policy
 import-route ospf 5 route-policy 1YinRu5
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.20.10 0.0.0.0
  network 172.16.1.8 0.0.0.3
#

<R1>dis ip ro
Routing Tables: Public
        Destinations : 11        Routes : 11

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
50.50.70.10/32      OSPF    10   3124   172.16.1.2   S0/6/0    // one 50.x route (50.50.50.50) has been filtered, but 50.50.70.10 has not
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

So filter-policy export acts only on the routes this router itself redistributes with import-route; it does not act on routes from other routers. 50.50.70.10 is not an import-route route on R2 but an intra-area route advertised by R4 in its router LSA, which R2 merely floods, so R2 cannot filter it. To keep it out of R1's routing table, the filter has to be applied on R1 itself with filter-policy import, as in section I.
2. Method two: filter-policy + IP-PREFIX

ospf 1 router-id 2.2.2.2
 filter-policy ip-prefix test3 export
 import-route ospf 5 route-policy 1YinRu5
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3
  network 10.10.20.10 0.0.0.0
  network 172.16.1.8 0.0.0.3
#
ip ip-prefix test3 index 10 deny 50.50.50.50 32
ip ip-prefix test3 index 20 deny 50.50.70.10 32
ip ip-prefix test3 index 30 permit 0.0.0.0 0 less-equal 32

After the configuration:

<R1>dis ip ro
Routing Tables: Public
        Destinations : 11        Routes : 11

Destination/Mask    Proto   Pre  Cost   NextHop      Interface
1.1.1.1/32          Direct  0    0      127.0.0.1    InLoop0
10.10.10.10/32      Direct  0    0      127.0.0.1    InLoop0
10.10.20.10/32      OSPF    10   1562   172.16.1.2   S0/6/0
10.10.30.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
50.50.70.10/32      OSPF    10   3124   172.16.1.2   S0/6/0
127.0.0.0/8         Direct  0    0      127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1    InLoop0
172.16.1.0/30       Direct  0    0      172.16.1.1   S0/6/0
172.16.1.1/32       Direct  0    0      127.0.0.1    InLoop0
172.16.1.2/32       Direct  0    0      172.16.1.2   S0/6/0
172.16.1.8/30       OSPF    10   3124   172.16.1.2   S0/6/0

As the table shows, R1 still has one 50.x route (50.50.70.10), even though test3 denies it explicitly. This again confirms that filter-policy export acts only on routes this router redistributes with import-route, and not on routes injected by other routers.