Two-way route redistribution
Basic configuration
AR1
sys
sysn AR1
int g 0/0/0
ip add 10.0.12.1 24
int g 0/0/1
ip add 10.0.13.1 24
int loo0
ip add 1.1.1.1 32
int loo1
ip add 10.1.1.1 32
int loo2
ip add 20.1.1.1 32
int loo3
ip add 30.1.1.1 32
ospf rou 1.1.1.1
are 0
net 10.0.12.0 0.0.0.255
net 10.0.13.0 0.0.0.255
net 1.1.1.1 0.0.0.0
AR2
sys
sysn AR2
int g 0/0/0
ip add 10.0.12.2 24
int g 0/0/1
ip add 10.0.24.2 24
int loo0
ip add 2.2.2.2 32
ospf rou 2.2.2.2
are 0
net 10.0.12.0 0.0.0.255
net 2.2.2.2 0.0.0.0
isis
net 49.0001.0000.0000.0002.00
is-level level-2
int g 0/0/1
isis en
AR3
sys
sysn AR3
int g 0/0/1
ip add 10.0.13.3 24
int g 0/0/2
ip add 10.0.34.3 24
int loo0
ip add 3.3.3.3 32
ospf rou 3.3.3.3
are 0
net 10.0.13.0 0.0.0.255
isis
net 49.0001.0000.0000.0003.00
is-level level-2
int g 0/0/2
isis en
int loo0
isis en
AR4
sys
sysn AR4
int g 0/0/1
ip add 10.0.24.4 24
int g 0/0/2
ip add 10.0.34.4 24
int loo0
ip add 4.4.4.4 32
isis
net 49.0001.0000.0000.0004.00
is-level level-2
int g 0/0/2
isis en
int g 0/0/1
isis en
int loo0
isis en
Route redistribution
AR1 now has three networks (10, 20 and 30), but we only want to redistribute the 20 and 30 networks.
First, configure an ip ip-prefix list:
[AR1]ip ip-prefix 10 permit 10.1.1.1 32      (matches 10.1.1.1)
Configure an ACL to match the 20 and 30 networks:
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 0.1.1.1 255.0.0.0
Configure the route-policy:
[AR1]route-policy 10 deny node 10
Info: New Sequence of this List.
[AR1-route-policy]if-match ip-prefix 10
[AR1-route-policy]q
[AR1]route-policy 10 permit node 20
Info: New Sequence of this List.
[AR1-route-policy]if-match acl 2000
[AR1]ospf 1
[AR1-ospf-1]import-route direct route-policy 10
The routing table now shows only the 20 and 30 networks.
Next, redistribute the OSPF routes into IS-IS, but only the 20 network.
First, match the 20 network:
[AR2]ip ip-prefix 20 permit 20.1.1.1 32
Everything not matched is denied by default.
[AR2-isis-1]filter-policy ip-prefix 20 export
Now check the routing table on R4.
Remove the filter above and redistribute all routes.
If we then do not want the 20 route to appear on R4, we can filter in the inbound direction on AR4:
[AR4]ip ip-prefix 20 deny 20.1.1.1 32
[AR4]ip ip-prefix 20 permit 0.0.0.0 0 less-equal 32
[AR4]isis
[AR4-isis-1]filter-policy ip-prefix 20 import
Now check the routing table.
Remove the configuration above.
On R2, configure (dual-point) two-way redistribution: routes redistributed from OSPF into IS-IS are tagged 100, routes from IS-IS into OSPF are tagged 200, and each direction denies routes carrying the other direction's tag.
# AR2
[AR2]dis route-policy oti
Route-policy : oti
deny : 10 (matched counts: 15)
Match clauses :
if-match tag 100
permit : 20 (matched counts: 12)
Match clauses :
if-match acl 2000
Apply clauses :
apply tag 200
[AR2]dis route-policy ito
Route-policy : ito
deny : 10 (matched counts: 0)
Match clauses :
if-match tag 200
permit : 20 (matched counts: 4)
Apply clauses :
apply tag 100
[AR2]isis
[AR2-isis-1]dis th
[V200R003C00]
#
isis 1
is-level level-2
network-entity 49.0001.0000.0000.0002.00
import-route ospf 1 route-policy oti
[AR2-ospf-1]dis th
[V200R003C00]
#
ospf 1 router-id 2.2.2.2
import-route isis 1 route-policy ito
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.0.12.0 0.0.0.255
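To see what the policies above actually decide, here is an added example (my own Python model, not configuration or code from the write-up) of how ip ip-prefix lists, basic ACL wildcard matching and route-policy nodes are evaluated. It covers AR1's route-policy 10 used with import-route direct, AR4's inbound ip-prefix filter, and AR2's oti/ito tag policies as shown by dis route-policy. AR2's acl 2000 is not shown on the page and is assumed here to be a single permit-any rule; all function and variable names are mine.

```python
# Added example, not code from the original write-up: a small model of how
# Huawei VRP evaluates ip ip-prefix lists, basic ACLs and route-policy nodes,
# applied to the policies in this lab. Names are my own; AR2's acl 2000 is not
# shown on the page, so it is assumed to be a single "rule permit" (any source).
from ipaddress import ip_address, ip_network


def wildcard_match(addr, value, wildcard):
    """ACL matching: wildcard bits set to 1 are 'don't care'. Wildcards need
    not be contiguous, which the lab's 'source 0.1.1.1 255.0.0.0' relies on:
    the first octet is ignored, so the rule matches any x.1.1.1."""
    a, v, w = (int(ip_address(x)) for x in (addr, value, wildcard))
    return (a ^ v) & ~w & 0xFFFFFFFF == 0


def acl_permits(acl, addr):
    """Basic ACL rules (action, source, wildcard): first match decides,
    no matching rule means the ACL does not permit."""
    for action, source, wildcard in acl:
        if wildcard_match(addr, source, wildcard):
            return action == "permit"
    return False


def prefix_permits(plist, prefix):
    """ip ip-prefix entries (action, network, greater_equal, less_equal): a
    route matches when it lies inside 'network' with a prefix length in
    [ge, le]; first match decides; implicit deny at the end."""
    route = ip_network(prefix)
    for action, network, ge, le in plist:
        if route.subnet_of(ip_network(network)) and ge <= route.prefixlen <= le:
            return action == "permit"
    return False


def run_route_policy(policy, route):
    """Nodes (action, [if-match callables], [apply callables]) in order. A node
    matches when all its if-match clauses hold (none -> matches everything);
    the first matching node decides: deny drops, permit runs the applies.
    A route matching no node is denied. Returns (permitted, route)."""
    for action, matches, applies in policy:
        if all(m(route) for m in matches):
            if action == "deny":
                return False, route
            for apply in applies:
                apply(route)
            return True, route
    return False, route


src_of = lambda r: r["prefix"].split("/")[0]   # address part of "a.b.c.d/len"

# AR1: import-route direct route-policy 10
IP_PREFIX_10 = [("permit", "10.1.1.1/32", 32, 32)]
ACL_2000_AR1 = [("permit", "0.1.1.1", "255.0.0.0")]
ROUTE_POLICY_10 = [
    ("deny",   [lambda r: prefix_permits(IP_PREFIX_10, r["prefix"])], []),
    ("permit", [lambda r: acl_permits(ACL_2000_AR1, src_of(r))], []),
]


def ar1_imported_direct_routes():
    """AR1 direct routes that route-policy 10 lets through. 1.1.1.1/32 passes
    as well: the wildcard rule matches it and only 10.1.1.1 hits the deny node."""
    direct = ["1.1.1.1/32", "10.1.1.1/32", "20.1.1.1/32", "30.1.1.1/32",
              "10.0.12.0/24", "10.0.13.0/24"]
    return [p for p in direct
            if run_route_policy(ROUTE_POLICY_10, {"prefix": p, "tag": 0})[0]]


# AR4: filter-policy ip-prefix 20 import ("deny 20.1.1.1 32", then a
# permit-everything entry, i.e. 0.0.0.0 0 less-equal 32)
IP_PREFIX_20_AR4 = [("deny", "20.1.1.1/32", 32, 32), ("permit", "0.0.0.0/0", 0, 32)]


def ar4_installed_routes(received):
    """Routes received from IS-IS (constructed list) that survive the import filter."""
    return [p for p in received if prefix_permits(IP_PREFIX_20_AR4, p)]


# AR2: oti / ito with tags, as shown by "dis route-policy oti" / "... ito"
ACL_2000_AR2 = [("permit", "0.0.0.0", "255.255.255.255")]   # assumed (see top)
match_tag = lambda value: (lambda r: r["tag"] == value)
set_tag = lambda value: (lambda r: r.update(tag=value))
OTI = [  # OSPF -> IS-IS
    ("deny",   [match_tag(100)], []),
    ("permit", [lambda r: acl_permits(ACL_2000_AR2, src_of(r))], [set_tag(200)]),
]
ITO = [  # IS-IS -> OSPF
    ("deny",   [match_tag(200)], []),
    ("permit", [], [set_tag(100)]),
]


def redistribute_round_trip(prefix, origin):
    """Push a route across AR2 once, then try to push it back the other way
    (what a second boundary router re-advertising it would cause).
    Returns (tag applied on the first crossing, permitted on the way back)."""
    first, second = (OTI, ITO) if origin == "ospf" else (ITO, OTI)
    _, route = run_route_policy(first, {"prefix": prefix, "tag": 0})
    back_ok, _ = run_route_policy(second, dict(route))
    return route["tag"], back_ok
```

Running it shows that route-policy 10 passes 1.1.1.1/32 as well as the 20 and 30 networks, because wildcard 255.0.0.0 ignores the first octet and the deny node only covers 10.1.1.1; and that a route crossing AR2 in either direction picks up a tag that the opposite policy's first node rejects, which is what stops the route from looping back between the two protocols.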
PBR
Requirement: traffic from PC2 to 10.0.23.2 takes the left path, and traffic from PC3 to 10.0.23.3 takes the right path.
acl number 2000
rule 5 permit source 10.0.1.0 0.0.0.255
acl number 2001
#
acl number 3000
rule 5 deny ip source 10.0.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 10 permit ip source 10.0.2.0 0.0.0.255
Classify the traffic of interest; PBR cannot use ip-prefix here. For the left path only traffic sourced from 10.0.1.0 is matched; for the right path one flow is denied first and the remaining traffic is matched.
[Huawei-GigabitEthernet0/0/0]dis policy-based-route
policy-based-route : 1
Node 10 permit :
if-match acl 2000
apply ip-address next-hop 10.0.12.2
Node 20 permit :
if-match acl 3000
apply ip-address next-hop 10.0.13.3
Traffic matching acl 2000 goes via 10.0.12.2, traffic matching acl 3000 goes via 10.0.13.3, and everything else is denied.
Finally, apply the policy on the interface:
interface GigabitEthernet 0/0/0
ip policy-based-route 1    (not supported by the emulator)
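As an added example (my own Python model, not code from the write-up or from Huawei), here is how policy-based-route 1 classifies packets, including the effect of the deny rule in acl 3000: a packet that hits a deny rule, or no rule at all, does not match that node, so the policy moves on to the next node. The packet addresses used below are constructed for the demo and the names are mine.

```python
# Added example, not from the original write-up: a model of how the PBR
# nodes in this section classify packets. Names and sample packets are mine.
from ipaddress import ip_address


def wildcard_match(addr, value, wildcard):
    """Wildcard bits set to 1 are 'don't care' (same semantics as in ACLs)."""
    a, v, w = (int(ip_address(x)) for x in (addr, value, wildcard))
    return (a ^ v) & ~w & 0xFFFFFFFF == 0


# Rules are (action, (source, wildcard), (destination, wildcard) or None).
ACL_2000 = [("permit", ("10.0.1.0", "0.0.0.255"), None)]          # basic ACL
ACL_3000 = [                                                       # advanced ACL
    ("deny",   ("10.0.2.0", "0.0.0.255"), ("192.168.0.0", "0.0.0.255")),
    ("permit", ("10.0.2.0", "0.0.0.255"), None),
]


def acl_result(acl, src, dst):
    """First matching rule decides: 'permit', 'deny', or None when no rule
    matched. A rule without a destination part matches any destination."""
    for action, (s_val, s_wc), dest in acl:
        if not wildcard_match(src, s_val, s_wc):
            continue
        if dest is not None and not wildcard_match(dst, dest[0], dest[1]):
            continue
        return action
    return None


# policy-based-route 1: (node, acl, next hop), checked in node order.
POLICY_1 = [
    (10, ACL_2000, "10.0.12.2"),
    (20, ACL_3000, "10.0.13.3"),
]


def pbr_next_hop(src, dst):
    """A node matches only when its ACL permits the packet; an ACL deny or
    no matching rule means the node does not match and the next node is
    tried. Returns the next hop, or None when no node matched."""
    for node, acl, next_hop in POLICY_1:
        if acl_result(acl, src, dst) == "permit":
            return next_hop
    return None


if __name__ == "__main__":
    for src, dst in [("10.0.1.10", "10.0.23.2"), ("10.0.2.10", "10.0.23.3"),
                     ("10.0.2.10", "192.168.0.5"), ("10.0.3.10", "10.0.23.2")]:
        print(src, "->", dst, ":", pbr_next_hop(src, dst))
```

The third sample packet (10.0.2.10 to 192.168.0.5) is the interesting one: it is sourced from 10.0.2.0/24, but acl 3000's deny rule catches it first, so node 20 does not match and the packet gets no policy next hop.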