路由策略实验

稚 发布于 2024-08-26 30 次阅读


路由双向渗透

img

基础配置

AR1

sys
sysn AR1
int g 0/0/0
ip add 10.0.12.1 24 
int g 0/0/1
ip add 10.0.13.1 24
int loo0
ip add 1.1.1.1 32 
int loo1
ip add 10.1.1.1 32 

int loo2
ip add 20.1.1.1 32 

int loo3
ip add 30.1.1.1 32 
ospf  rou 1.1.1.1
are 0
net 10.0.12.0 0.0.0.255
net 10.0.13.0 0.0.0.255
net 1.1.1.1 0.0.0.0

AR2

sys
sysn AR2
int g 0/0/0
ip add 10.0.12.2 24 
int g 0/0/1
ip add 10.0.24.2 24
int loo0
ip add 2.2.2.2 32 
ospf  rou 2.2.2.2
are 0
net 10.0.12.0 0.0.0.255
net 2.2.2.2 0.0.0.0
isis 
net 49.0001.0000.0000.0002.00
is-level level-2
int g 0/0/1
isis en

AR3

sys
sysn AR3
int g 0/0/1
ip add 10.0.13.3 24 
int g 0/0/2
ip add 10.0.34.3 24
int loo0
ip add 3.3.3.3 32 
ospf  rou 3.3.3.3
are 0
net 10.0.13.0 0.0.0.255
isis 
net 49.0001.0000.0000.0003.00
is-level level-2
int g 0/0/2
isis en
int loo0 
isis en 

AR4

sys
sysn AR4
int g 0/0/1
ip add 10.0.24.4 24 
int g 0/0/2
ip add 10.0.34.4 24
int loo0
ip add 4.4.4.4 32 
isis 
net 49.0001.0000.0000.0004.00
is-level level-2
int g 0/0/2
isis en
int g 0/0/1
isis en
int loo0 
isis en 

路由引入

现在我们在AR1中有三个网段 只是我们只想引入20和30网段

首先配置ip ip-prefix 
[AR1]ip ip-prefix 10 permit 10.1.1.1 32 匹配到10.1.1.1
配置acl匹配20和30
[AR1]acl 2000
[AR1-acl-basic-2000]rule  permit source 0.1.1.1 255.0.0.0
配置router-policy
[AR1]route-policy 10 deny node 10
Info: New Sequence of this List.
[AR1-route-policy]if-match ip-prefix 10
[AR1-route-policy]q
[AR1]route-policy 10 permit node 20
Info: New Sequence of this List.      
[AR1-route-policy]if-match acl 2000
[AR1-ospf-1]import-route direct route-policy 10

这时在在路由表中查看只有20和30网段

img

我们先做将ospf路由引入到isis 我们只做20的引入

首先匹配20的
[AR2]ip ip-prefix 20 permit 20.1.1.1 32
默认剩下拒绝所有
[AR2-isis-1]filter-policy ip-prefix 20 export 

这时我们在r4上查路由表

img

删除上方的引入 做全部引入

如果我们这是不想在r4上显示此20的路由则可以在ar4上做入方向的过滤

[AR4]ip ip-prefix 20 deny 20.1.1.1 32
[AR4]ip ip-prefix 20 permit 0.0.0.0 32
[AR4]isis
[AR4-isis-1]filter-policy ip-prefix 20 import

此时我们查看路由

img

删除上述配置

我们在r2上配置双节点路由引入要求ospf发布到isis的路由打上tag100 isis发布到ospf的路由打上tag200并互相拒绝对应的tag

# AR2
[AR2]dis route-policy oti
Route-policy : oti
  deny : 10 (matched counts: 15)
    Match clauses : 
      if-match tag 100
  permit : 20 (matched counts: 12)
    Match clauses : 
      if-match acl 2000
    Apply clauses : 
      apply tag 200     
[AR2]dis route-policy ito
Route-policy : ito
  deny : 10 (matched counts: 0)
    Match clauses : 
      if-match tag 200
  permit : 20 (matched counts: 4)
    Apply clauses : 
      apply tag 100
[AR2]isis
[AR2-isis-1]dis th
[V200R003C00]
#
isis 1
 is-level level-2
 network-entity 49.0001.0000.0000.0002.00
 import-route ospf 1 route-policy oti 
[AR2-ospf-1]dis th
[V200R003C00]
#
ospf 1 router-id 2.2.2.2 
 import-route isis 1 route-policy ito
 area 0.0.0.0 
  network 2.2.2.2 0.0.0.0 
  network 10.0.12.0 0.0.0.255 

img

img

PBR

img

要求pc2访问10.0.23.2 走左边pc3访问10.0.23.3走右边

acl number 2000  
 rule 5 permit source 10.0.1.0 0.0.0.255 
acl number 2001  
#
acl number 3000  
 rule 5 deny ip source 10.0.2.0 0.0.0.255 destination 192.168.0.0 0.0.0.255 
 rule 10 permit ip source 10.0.2.0 0.0.0.255 
识别感兴趣流量对于 pbr不能使用ip-prefix 对于左边只匹配了来自10.0.1.0 的流量对于右边拒绝了 识别其他流量
[Huawei-GigabitEthernet0/0/0]dis policy-based-route
 policy-based-route : 1
Node  10  permit :

    if-match acl 2000

    apply 
ip-address next-hop 10.0.12.2  

  Node  20  permit :

    if-match acl 3000

  apply ip-address next-hop 10.0.13.3 
如果识别到acl2000则从10.0.12.2 经过 如果识别到acl3000则从10.0.13.3 经过 剩下全部拒绝
最后进入接口
interface GigabitEthernet 0/0/0
 ip policy-based-route  1(模拟器不支持)