对接收和发布的路由进行过滤
组网需求
如图1,运行OSPF协议的网络中,RouterA从Internet网络接收路由,并为OSPF网络提供了Internet路由。要求OSPF网络中只能访问172.16.17.0/24、172.16.18.0/24和172.16.19.0/24三个网段的网络,其中RouterC连接的网络只能访问172.16.18.0/24网段的网络。
图1 配置对接收和发布的路由过滤组网图
配置思路
采用如下的思路配置对路由进行过滤:
- 在RouterA上配置路由策略,在路由发布时运用路由策略,使RouterA仅提供路由172.16.17.0/24、172.16.18.0/24、172.16.19.0/24给RouterB,实现OSPF网络中只能访问172.16.17.0/24、172.16.18.0/24和172.16.19.0/24三个网段的网络。
- 在RouterC上配置路由策略,在路由引入时运用路由策略,使RouterC仅接收路由172.16.18.0/24,实现RouterC连接的网络只能访问172.16.18.0/24网段的网络。
操作步骤
- 配置各接口的IP地址 # 配置RouterA的各接口的IP地址。 <Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit RouterB、RouterC和RouterD的配置同RouterA此处略。- 配置OSPF基本功能
1. # RouterA的配置 [RouterA] ospf [RouterA-ospf-1] area 0 [RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.0] quit [RouterA-ospf-1] quit # RouterB的配置 [RouterB] ospf [RouterB-ospf-1] area 0 [RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255 [RouterB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 [RouterB-ospf-1-area-0.0.0.0] quit # RouterC的配置 [RouterC] ospf [RouterC-ospf-1] area 0 [RouterC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255 [RouterC-ospf-1-area-0.0.0.0] quit [RouterC-ospf-1] quit # RouterD的配置 [RouterD] ospf [RouterD-ospf-1] area 0 [RouterD-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 [RouterD-ospf-1-area-0.0.0.0] quit- 在RouterA上配置5条静态路由,并在将这些静态路由引入到OSPF协议中 [RouterA] ip route-static
1. 172.16.16.0 24 NULL 0 [RouterA] ip route-static 172.16.17.0 24 NULL 0 [RouterA] ip route-static 172.16.18.0 24 NULL 0 [RouterA] ip route-static 172.16.19.0 24 NULL 0 [RouterA] ip route-static 172.16.20.0 24 NULL 0 [RouterA] ospf [RouterA-ospf-1] import-route static [RouterA-ospf-1] quit # 在RouterB上查看IP路由表,可以看到OSPF引入的5条静态路由。 [RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 18
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.16.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
172.16.17.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
172.16.18.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
172.16.19.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
172.16.20.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
192.168.1.0/24 Direct 0 0 D 192.168.1.2 GigabitEthernet1/0/0
192.168.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
192.168.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
192.168.2.0/24 Direct 0 0 D 192.168.2.1 GigabitEthernet3/0/0
192.168.2.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
192.168.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet3/0/0
192.168.3.0/24 Direct 0 0 D 192.168.3.1 GigabitEthernet2/0/0
192.168.3.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
192.168.3.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0- 配置路由发布策略 # 在RouterA上配置地址前缀列表a2b。 [RouterA] ip ip-prefix a2b index 10 permit 172.16.17.0 24 [RouterA] ip ip-prefix a2b index 20 permit 172.16.18.0 24 [RouterA] ip ip-prefix a2b index 30 permit 172.16.19.0 24 # 在RouterA上配置发布策略,引用地址前缀列表a2b进行过滤。 [RouterA] ospf [RouterA-ospf-1] filter-policy ip-prefix a2b export static # 在RouterB上查看IP路由表,可以看到RouterB仅接收到列表a2b中定义的3条路由。
1. [RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.17.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
172.16.18.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
172.16.19.0/24 O_ASE 150 1 D 192.168.1.1 GigabitEthernet1/0/0
192.168.1.0/24 Direct 0 0 D 192.168.1.2 GigabitEthernet1/0/0
192.168.1.1/32 Direct 0 0 D 192.168.1.1 GigabitEthernet1/0/0
192.168.1.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.2.0/24 Direct 0 0 D 192.168.2.1 GigabitEthernet3/0/0
192.168.2.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.2.2/32 Direct 0 0 D 192.168.2.2 GigabitEthernet3/0/0
192.168.3.0/24 Direct 0 0 D 192.168.3.1 GigabitEthernet2/0/0
192.168.3.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.3.2/32 Direct 0 0 D 192.168.3.2 GigabitEthernet2/0/0- 配置路由接收策略 # 在RouterC上配置地址前缀列表in。 [RouterC] ip ip-prefix in index 10 permit 172.16.18.0 24 # 在RouterC上配置接收策略,引用地址前缀列表in进行过滤。 [RouterC] ospf [RouterC-ospf-1] filter-policy ip-prefix in import # 查看RouterC的IP路由表,可以看到RouterC的本地核心路由表中,仅接收了列表in定义的1条路由。
[RouterC] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.18.0/24 O_ASE 150 1 D 192.168.2.1 GigabitEthernet1/0/0
192.168.2.0/24 Direct 0 0 D 192.168.2.2 GigabitEthernet1/0/0
192.168.2.1/32 Direct 0 0 D 192.168.2.1 GigabitEthernet1/0/0
192.168.2.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0 #- 查看RouterD的IP路由表,可以看到RouterD的本地核心路由表中,接收了RouterB发送的所有路由。
[RouterD] display ip routing-table Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.17.0/24 O_ASE 150 1 D 192.168.3.1 GigabitEthernet1/0/0
172.16.18.0/24 O_ASE 150 1 D 192.168.3.1 GigabitEthernet1/0/0
172.16.19.0/24 O_ASE 150 1 D 192.168.3.1 GigabitEthernet1/0/0
192.168.1.0/24 OSPF 10 1 D 192.168.3.1 GigabitEthernet1/0/0
192.168.2.0/24 OSPF 10 1 D 192.168.3.1 GigabitEthernet1/0/0
192.168.3.0/24 Direct 0 0 D 192.168.3.2 GigabitEthernet1/0/0
192.168.3.1/32 Direct 0 0 D 192.168.3.1 GigabitEthernet1/0/0
192.168.3.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0 #- 查看RouterC的OSPF路由表,可以看到OSPF路由表中接收到3条列表a2b中定义的路由。因为在链路状态协议中,filter-policy import命令用于过滤从协议路由表加入本地核心路由表的路由。
5. [RouterC] display ospf routing OSPF Process 1 with Router ID 192.168.2.2
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
192.168.2.0/24 1 Stub 192.168.2.2 192.168.2.2 0.0.0.0
192.168.1.0/24 2 Stub 192.168.2.1 192.168.2.1 0.0.0.0
192.168.3.0/24 2 Stub 192.168.2.1 192.168.2.1 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
172.16.17.0/24 1 Type2 1 192.168.2.1 192.168.1.1
172.16.18.0/24 1 Type2 1 192.168.2.1 192.168.1.1
172.16.19.0/24 1 Type2 1 192.168.2.1 192.168.1.1
Total Nets: 6
Intra Area: 3 Inter Area: 0 ASE: 3 NSSA: 0配置文件
- RouterA的配置文件 #
• sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 192.168.1.1 255.255.255.0
#
ospf 1
filter-policy ip-prefix a2b export static
import-route static
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip ip-prefix a2b index 10 permit 172.16.17.0 24
ip ip-prefix a2b index 20 permit 172.16.18.0 24
ip ip-prefix a2b index 30 permit 172.16.19.0 24
#
ip route-static 172.16.16.0 255.255.255.0 NULL0
ip route-static 172.16.17.0 255.255.255.0 NULL0
ip route-static 172.16.18.0 255.255.255.0 NULL0
ip route-static 172.16.19.0 255.255.255.0 NULL0
ip route-static 172.16.20.0 255.255.255.0 NULL0
#
return- RouterB的配置文件 #
• sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
ip address 192.168.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return- RouterC的配置文件 #
• sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 192.168.2.2 255.255.255.0
#
ospf 1
filter-policy ip-prefix in import
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
ip ip-prefix in index 10 permit 172.16.18.0 24
#
return- RouterD的配置文件 #
• sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 192.168.3.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
#
return