分析分配控制列表 distribute-list

distribute-list in (IP)
To filter networks received in updates, use the distribute-list in command in address family or router configuration mode. To change or cancel the filter, use the no form of this command.

Page 778

 

OSPF routes cannot be filtered from entering the OSPF database. If you use this command for OSPF, it only filters routes from the routing table; it does not prevent link-state packets from being propagated.

Page 779

 

distribute-list out (IP)
To suppress networks from being advertised in updates, use the distribute-list out command in address family or router configuration mode. To cancel this function, use the no form of this command.

Page 780

 

When networks are redistributed, a routing process name can be specified as an optional trailing argument to the distribute-list command. Specifying this option causes the access list to be applied to only those routes derived from the specified routing process. After the process-specific access list is applied, any access list specified by a distribute-list command without a process name argument will be applied. Addresses not specified in the distribute-list command will not be advertised in outgoing routing updates.

Page 780

--《Cisco IOS IP Routing Protocols Command Reference》

 

distribute list（分配列表），配置中以紫色字体标识，用于路由过滤，用于DV routing protocol，或者是以路由条目明文作为路由信息的协议。比如RIP，EIGRP，OSPF的ABR（OSPF区域间路由类似于DV的原理），或者ASBR中的重分配。因为分配列表的作用就是过滤路由更新包（update packets）里面的具体条目，让目的路由器不了解该路由，所以若该更新包若不是以通告路由为目的的话，就失去了分配列表的作用。正如网上很多前辈所指出的，在LS routing protocol里，由于LSA（ISIS称为LSP）通告的是链路的状态，需要在整个area里同步，某一条链路要么为失效，要么为生效，不可能出现某台路由器知道，而另一台路由器不知道的情况。可以说，分配列表是利用了DV routing protocol的缺陷对目标路由器进行“欺骗”，对LS routing protocol不管用。

 

下面通过实验分析distribute-list的特性。

R1(S1/1)--(S1/0)R2(S1/1)--(S1/0)R3(S1/1)--(S1/0)R4

其中R1连接网段192.168.0.0，192.168.1.0，192.168.2.0，192.168.3.0，R4连接10.2.0.0，10.2.1.0，10.2.2.0，10.2.3.0。

 

R1#show run

interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!

interface Serial1/1
 description DCE,EIGRP 10,connected to R2's S1/0,ip 10.1.1.2/30
 ip address 10.1.1.1 255.255.255.252
 clock rate 9600
!

router eigrp 10
 network 10.1.1.0 0.0.0.3
 network 192.168.0.0 0.0.3.255
 no auto-summary
!

/////

 

R2#show run

interface Serial1/0
 description DTE,EIGRP 10,connected to R1's S1/1,ip 10.1.1.1/30
 ip address 10.1.1.2 255.255.255.252
!
interface Serial1/1
 description DCE,OSPF area 0,connected to R3's S1/0,ip 10.1.1.6/30
 ip address 10.1.1.5 255.255.255.252
 clock rate 9600
!

router eigrp 10
 redistribute ospf 100 metric 200 100 0 1 1500
 network 10.1.1.0 0.0.0.3
 no auto-summary
!
router ospf 100
 router-id 2.2.2.2
 redistribute eigrp 10 metric 20 metric-type 1 subnets
 network 10.1.1.4 0.0.0.3 area 0
  distribute-list 1 out eigrp 10
!
access-list 1 deny   192.168.0.0 0.0.0.255
access-list 1 deny   192.168.1.0 0.0.0.255
access-list 1 deny   192.168.2.0 0.0.0.255
access-list 1 permit any
!

/////

 

R3#show run

interface Serial1/0
 description DTE,OSPF area 0,connected to R2's S1/1,ip 10.1.1.5/30
 ip address 10.1.1.6 255.255.255.252
!         
interface Serial1/1
 description DCE,OSPF area 0,connected to R4's S1/0,ip 172.16.1.2/24
 ip address 172.16.1.1 255.255.255.0
 clock rate 9600
!

router ospf 100
 router-id 3.3.3.3
 network 10.1.1.4 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0
 distribute-list 10 in
!
access-list 10 deny   10.2.0.0 0.0.0.255
access-list 10 deny   10.2.1.0 0.0.0.255
access-list 10 permit any
!

/////

 

R4#show run

interface Loopback0
 ip address 10.2.0.1 255.255.255.0
!
interface Loopback1
 ip address 10.2.1.1 255.255.255.0
!
interface Loopback2
 ip address 10.2.2.1 255.255.255.0
!
interface Loopback3
 ip address 10.2.3.1 255.255.255.0
!

interface Serial1/0
 description DTE,OSPF area 0,connected to R3's S1/1,ip 172.16.1.1/24
 ip address 172.16.1.2 255.255.255.0
!

router ospf 100
 router-id 4.4.4.4
 network 10.2.0.0 0.0.3.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!

/////

 

察看R1的路由表

R1#show ip route
     172.16.0.0/24 is subnetted, 1 subnets
D EX    172.16.1.0 [170/13337600] via 10.1.1.2, 00:23:50, Serial1/1
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D EX    10.2.1.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
D EX    10.2.0.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
D EX    10.2.3.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
C       10.1.1.0/30 is directly connected, Serial1/1
D EX    10.2.2.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
D EX    10.1.1.4/30 [170/13337600] via 10.1.1.2, 00:24:56, Serial1/1
C    192.168.0.0/24 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Loopback1
C    192.168.2.0/24 is directly connected, Loopback2
C    192.168.3.0/24 is directly connected, Loopback3

还有R4的

R4#show ip route
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Serial1/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.2.0.0/24 is directly connected, Loopback0
C       10.2.1.0/24 is directly connected, Loopback1
C       10.2.2.0/24 is directly connected, Loopback2
O E1    10.1.1.0/30 [110/148] via 172.16.1.1, 00:14:56, Serial1/0
C       10.2.3.0/24 is directly connected, Loopback3
O       10.1.1.4/30 [110/128] via 172.16.1.1, 00:14:56, Serial1/0
O E1 192.168.3.0/24 [110/148] via 172.16.1.1, 00:14:56, Serial1/0

明显的R4的路由表中，没有了R2的distribute-list中指明的路由；但是R1中还是有R3的distribute-list中指明的路由。

 

难道说distribute-list根本没有作用？

R1#ping 10.2.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:
U.U.U      //目标不可达
Success rate is 0 percent (0/5)

 

看看根源

R3# show ip route
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Serial1/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O       10.2.3.1/32 [110/65] via 172.16.1.2, 00:20:15, Serial1/1
O E1    10.1.1.0/30 [110/84] via 10.1.1.5, 00:20:15, Serial1/0
O       10.2.2.1/32 [110/65] via 172.16.1.2, 00:20:15, Serial1/1
C       10.1.1.4/30 is directly connected, Serial1/0
O E1 192.168.3.0/24 [110/84] via 10.1.1.5, 00:20:15, Serial1/0

 

R3#show ip ospf data router 4.4.4.4

--output omitted--

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.2.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.2.0.1
     (Link Data) Network Mask: 255.255.255.255
      Number of TOS metrics: 0
       TOS 0 Metrics: 1

 

原因在哪？上面引用IOS reference的片段已经说明了。OSPF中，distribute-list仅仅把所在路由器上的路由表中相关条目去掉，并不影响链路状态的收敛。从R3的数据库中可以看出，R3的OSPF数据库里有这两条路由的数据，只有路由表没有。导致的结果是，整个OSPF area0 都知道该链路是生效的，就只有R3“不知道”该链路；而R3又正好是通往该目的地得唯一路径。因此R1发往R4的路由包只好被R3的ICMP返回“目标不可达”。同时，R3的路由表与其数据库不同步。证明了分配列表直接作用在了路由表上。

本文转自 gole_huang 51CTO博客，原文链接:http://blog.51cto.com/golehuang/76314