[Lab4] Route control
Tool 1: Distribute list route filtering
Lab topology
Lab goal: R1 filters out R3's loopback 3.3.3.3
1-1 DL used with RIP
R1/R2/R3 run RIP (configuration omitted); R1's loopback 1.1.1.1 can ping R3's loopback 3.3.3.3
Goal: filter the 3.3.3.3 route on R1
We configure the distribute list on R2:
R2(config)#access-list 10 deny 3.3.3.0 0.0.0.255
R2(config)#access-list 10 permit any
R2(config-router)#distribute-list 10 in s0/1 <router configuration mode>
Applying the DL in the in direction on S0/1 means that R2 and R3 both filter out 3.3.3.3 (neither R2 nor R3 can ping 3.3.3.3)
If we instead configure the following on R2:
R2(config-router)#no distribute-list 10 in s0/1
R2(config-router)#distribute-list 10 out s0/0
then only R1 cannot ping 3.3.3.3, while R2 can still ping 3.3.3.3
1-2 DL used with EIGRP
Assume all routers run EIGRP
R2 configuration:
router eigrp 90
network 0.0.0.0
distribute-list 10 in \\ with no interface specified, the list applies to all interfaces by default
no auto-summary
access-list 10 deny 3.3.3.0 0.0.0.255
access-list 10 permit any
With the in direction, both R2 and R1 filter out 3.3.3.3
With the out direction instead:
R2(config-router)#distribute-list 10 out
only R1 filters out 3.3.3.3
Summary: in distance-vector protocols a DL is directional, and applying it on different interfaces and in different directions has different effects.
Applied in the in direction, the router itself and its downstream neighbors filter the route
Applied in the out direction, only the downstream neighbors filter the route
1-3 DL used with OSPF
Assume all routers run OSPF
Applying the distribute-list in the out direction of an interface returns an error, which shows that in OSPF a DL can only be applied in the in direction of an interface
So we configure the in direction on R2:
R2(config-router)#distribute-list 10 in s0/1
Check R2's routing table:
R2#sh ip route os
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/65] via 12.1.1.1, 00:00:02, Serial0/0
R2 has filtered 3.3.3.3 successfully,
but R1 has not filtered 3.3.3.3
This shows that a DL is only locally significant for OSPF: OSPF neighbors exchange LSAs, and a DL cannot catch routes at that level
Tool 2: ACL
ACLs can also be used in routing policy
A standard ACL matches the route prefix
An extended ACL matches the route prefix and mask
Task 1: Use an ACL to filter odd-numbered network routes
Calculation:
11.11.11.11
11.11.12.11
11.11.13.11
11.11.14.11
===== converted to binary (third octet; X = bits that are not part of the decision) =====
11.11.11.11 -> X.X.0000 1011.XXXX XXXX
11.11.12.11 -> X.X.0000 1100.XXXX XXXX
11.11.13.11 -> X.X.0000 1101.XXXX XXXX
11.11.14.11 -> X.X.0000 1110.XXXX XXXX
===== wildcard mask (0 = must match, 1 = don't care) =====
0.0.0000 0110.1111 1111
===== converted to decimal =====
11.11.11.1 0.0.6.255, or 11.11.9.0 0.0.6.255 (the system normally stores the base network)
Configuration on R2:
access-list 10 deny 11.11.9.0 0.0.6.255
access-list 10 permit any
R2#sh run | se router rip
router rip
version 2
network 0.0.0.0
distribute-list 10 in FastEthernet0/0
no auto-summary
Result seen on R2: (only the even-numbered routes came through)
Task 2: Use an ACL to filter even-numbered network routes
Configuration on R2:
R2#sh run | se access-list
access-list 10 deny 11.11.8.0 0.0.6.255
access-list 10 permit any
R2#sh run | se router rip
router rip
version 2
network 0.0.0.0
distribute-list 10 in FastEthernet0/0
no auto-summary
The result is as follows:
Task 3: Use an ACL to match network routes divisible by 4
R2(config)#access-list 10 permit 11.11.0.0 0.0.252.255
R2#sh run | se router rip
router rip
version 2
network 0.0.0.0
distribute-list 10 in FastEthernet0/0
no auto-summary
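The wildcard arithmetic behind tasks 1 to 3, as an added example (not the lab's own code): a small standard-ACL matcher that also shows why IOS rewrites 11.11.11.0 0.0.6.255 as 11.11.9.0 0.0.6.255. The network list is constructed for the demonstration.

```python
import ipaddress

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def normalize(base: str, wildcard: str) -> str:
    """IOS stores an ACL entry with every don't-care bit of the base cleared,
    which is why 11.11.11.0 0.0.6.255 shows up as 11.11.9.0 0.0.6.255."""
    b, w = to_int(base), to_int(wildcard)
    return str(ipaddress.IPv4Address(b & ~w))

def wildcard_match(prefix: str, base: str, wildcard: str) -> bool:
    """A bit matches when the wildcard bit is 1 (don't care) or the
    prefix bit equals the base bit; all 32 bits must match."""
    p, b, w = to_int(prefix), to_int(base), to_int(wildcard)
    return (p & ~w) == (b & ~w)

def acl_filter(prefixes, acl):
    """acl: ordered list of (action, base, wildcard). First match wins and an
    unmatched prefix hits the implicit deny, exactly like a standard ACL
    referenced by 'distribute-list <acl> in'. Returns the accepted prefixes."""
    accepted = []
    for prefix in prefixes:
        for action, base, wildcard in acl:
            if wildcard_match(prefix, base, wildcard):
                if action == "permit":
                    accepted.append(prefix)
                break
    return accepted

# Constructed sample input: the /24 networks 11.11.8.0 through 11.11.15.0
NETS = [f"11.11.{n}.0" for n in range(8, 16)]
ANY = ("permit", "0.0.0.0", "255.255.255.255")
ACL_DROP_ODD = [("deny", "11.11.9.0", "0.0.6.255"), ANY]    # task 1
ACL_DROP_EVEN = [("deny", "11.11.8.0", "0.0.6.255"), ANY]   # task 2
ACL_MULT_OF_4 = [("permit", "11.11.0.0", "0.0.252.255")]    # task 3

if __name__ == "__main__":
    print("normalized:", normalize("11.11.11.0", "0.0.6.255"))
    for name, acl in [("drop odd", ACL_DROP_ODD), ("drop even", ACL_DROP_EVEN),
                      ("multiples of 4", ACL_MULT_OF_4)]:
        print(f"{name}: {acl_filter(NETS, acl)}")
```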
Tool 3: Offset list
An offset list adjusts the distance vector (metric) of a DV routing protocol
3-1 Offset list used in RIP
(Lo 0 1.1.1.1) R1(s0/0)----(s0/0)R2(s0/1)-----(s0/1)R3
By default R3 sees 1.1.1.1 at a hop count of 2
Now we want R3 to see 1.1.1.1 at a hop count of 10
So we configure the offset list on R2:
R2(config-router)#offset-list 10 in 8 s0/0
R2#sh run | se access-list
access-list 10 permit 1.1.1.0 0.0.0.255
access-list 10 permit any
3-2 Offset list use in EIGRP
(Lo 0 1.1.1.1) R1(s0/0)----(s0/0)R2(s0/1)-----(s0/1)R3
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2809856] via 23.1.1.2, 00:01:18, Serial0/1
Now we want R3 to see the metric of 1.1.1.0 become 2810000
R2(config-router)#offset-list 10 in 144 s0/0   or
R2(config-router)#offset-list 10 out 144 s0/1 \\ the two commands are equivalent
Tool 4: Prefix list & filter list
Used to filter OSPF inter-area LSAs
Task:
Filter the 33.33.33.33 host route inside Area 0
Filter the 1.1.1.0 network inside Area 1
R2#sh run | se router os
router ospf 110
router-id 0.0.0.2
log-adjacency-changes
area 0 filter-list prefix 20 in \\ apply prefix list 20 to routes entering area 0
area 0 filter-list prefix 10 out \\ apply prefix list 10 to routes leaving area 0
network 12.1.1.0 0.0.0.255 area 0
network 23.1.1.0 0.0.0.255 area 1
ip prefix-list 10 seq 5 deny 1.1.1.0/24
ip prefix-list 10 seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list 20 seq 5 deny 33.33.33.33/32 // OSPF advertises loopbacks as /32 host routes, so we can match it exactly
ip prefix-list 20 seq 10 permit 0.0.0.0/0 le 32
Summary: a filter list is mainly used on an ABR to isolate inter-area LSA propagation, and it is directional.
A filter list can only be used together with a prefix-list.
Prefix-list usage
prefix/fixed-length [ge lower-mask-bound] [le upper-mask-bound]
1 - no GE, no LE
Default: mask length = fixed prefix length
2 - GE, no LE
Implicitly includes le 32
3 - no GE, LE
192.168.1.0/24 le 27 is equivalent to
192.168.1.0/24 +
192.168.1.0/24 GE 25 LE 27
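The three ge/le cases above, plus the prefix-list 20 from tool 4, as an added example (not the lab's own code): a matcher that implements the prefix-list rules and checks the stated "/24 le 27" equivalence for every route length.

```python
import ipaddress

def prefix_entry_matches(route: str, entry: str, ge=None, le=None) -> bool:
    """One 'ip prefix-list ... <entry> [ge N] [le M]' line. The route's first
    <entry length> bits must equal the entry, and its length must fall in
    [lower, upper] where: no ge/le -> exactly the entry length;
    ge only -> [ge, 32]; le only -> [entry length, le]."""
    r = ipaddress.ip_network(route, strict=False)
    e = ipaddress.ip_network(entry, strict=False)
    lower = e.prefixlen if ge is None else ge
    upper = le if le is not None else (32 if ge is not None else e.prefixlen)
    if r.prefixlen < e.prefixlen or not lower <= r.prefixlen <= upper:
        return False
    return r.network_address in e   # first e.prefixlen bits agree

def prefix_list_permits(route: str, plist) -> bool:
    """plist: seq-ordered list of (action, entry, ge, le). First match wins;
    a route matching nothing hits the implicit deny at the end."""
    for action, entry, ge, le in plist:
        if prefix_entry_matches(route, entry, ge, le):
            return action == "permit"
    return False

def le27_equals_split(route: str) -> bool:
    """Case 3 above: '/24 le 27' behaves like '/24 exact' plus '/24 ge 25 le 27'."""
    combined = prefix_entry_matches(route, "192.168.1.0/24", le=27)
    split = (prefix_entry_matches(route, "192.168.1.0/24")
             or prefix_entry_matches(route, "192.168.1.0/24", ge=25, le=27))
    return combined == split

# prefix-list 20 from tool 4, written as (action, entry, ge, le) in seq order
PLIST_20 = [("deny", "33.33.33.33/32", None, None),
            ("permit", "0.0.0.0/0", None, 32)]

if __name__ == "__main__":
    for length in range(24, 29):
        route = f"192.168.1.0/{length}"
        print(route, prefix_entry_matches(route, "192.168.1.0/24", le=27))
    print(prefix_list_permits("33.33.33.33/32", PLIST_20),
          prefix_list_permits("3.3.3.3/32", PLIST_20))
```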
Tool 5: Redistribution
5-1 Single-point multi-directional redistribution
Configuration on R4:
router eigrp 90
redistribute rip metric 1540 1000 255 1 1500
network 24.0.0.0
no auto-summary
!
router ospf 110
router-id 0.0.0.4
log-adjacency-changes
redistribute eigrp 90 subnets
network 34.1.1.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 110 metric 2
network 14.0.0.0
no auto-summary
Lab result: the loopbacks of R1/2/3 cannot ping each other.
R1#sh ip route rip
34.0.0.0/24 is subnetted, 1 subnets
R 34.1.1.0 [120/2] via 14.1.1.4, 00:00:02, Serial1/0
3.0.0.0/32 is subnetted, 1 subnets
R 3.3.3.3 [120/2] via 14.1.1.4, 00:00:02, Serial1/0
R1 only learned the OSPF routes that R4 learned and redistributed
R2#sh ip route ei
1.0.0.0/24 is subnetted, 1 subnets
D EX 1.1.1.0 [170/2430208] via 24.1.1.4, 00:10:55, Serial1/0
14.0.0.0/24 is subnetted, 1 subnets
D EX 14.1.1.0 [170/2430208] via 24.1.1.4, 00:10:55, Serial1/0
R2 only learned the routes that R4 learned (via RIP) and redistributed into EIGRP
R3#sh ip route ospf
2.0.0.0/24 is subnetted, 1 subnets
O E2 2.2.2.0 [110/20] via 34.1.1.4, 00:00:29, Serial1/0
24.0.0.0/24 is subnetted, 1 subnets
O E2 24.1.1.0 [110/20] via 34.1.1.4, 00:00:29, Serial1/0
R3 only learned the routes that R4 learned (via EIGRP) and redistributed into OSPF
R4# sh ip route
34.0.0.0/24 is subnetted, 1 subnets
C 34.1.1.0 is directly connected, Serial1/3
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 14.1.1.1, 00:00:09, Serial1/1
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2297856] via 24.1.1.2, 00:18:18, Serial1/2
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/65] via 34.1.1.3, 00:17:22, Serial1/3
24.0.0.0/24 is subnetted, 1 subnets
C 24.1.1.0 is directly connected, Serial1/2
14.0.0.0/24 is subnetted, 1 subnets
C 14.1.1.0 is directly connected, Serial1/1
Summary:
1 On the redistributing device (R4), the redistributed entries are not installed in its own routing table
2 A route must be present in the redistributing device's (R4's) routing table before it can be redistributed
5-2 Dual-point unidirectional redistribution
R1 has a loopback
R1-R2-R3 run RIP over Ethernet
R2-R3 run OSPF over the serial link
On R2, redistribute RIP into OSPF
On R3, redistribute OSPF into RIP with the metric set to 2
R2#sh run | se router rip
router rip
version 2
offset-list 10 in 5 Ethernet0/0
network 12.0.0.0
network 23.0.0.0
no auto-summary
R2#sh run | se router ospf
router ospf 110
log-adjacency-changes
redistribute rip subnets
network 32.1.1.0 0.0.0.255 area 0
R3#sh run | se router rip
router rip
version 2
redistribute ospf 110 metric 2
network 13.0.0.0
network 23.0.0.0
no auto-summary
R3#sh run | se router ospf
router ospf 110
log-adjacency-changes
network 32.1.1.0 0.0.0.255 area 0
Because OSPF's AD is lower than RIP's, R3 installs 1.1.1.0 with next hop 32.1.1.2, while from R2's point of view the next hop to 1.1.1.0 is 23.1.1.2, so a loop appears.
A traceroute to 1.1.1.1 from R2/R3 shows the loop.
So how do we solve this loop problem?
We can tag the routes and filter on the tag at the same time.
R2#sh run | se route-map
redistribute rip subnets route-map rip2ospf
route-map rip2ospf deny 10
match tag 200
route-map rip2ospf permit 20
set tag 100
R3#sh run | se route-map
redistribute ospf 110 metric 2 route-map ospf2rip
route-map ospf2rip deny 10
match tag 100
route-map ospf2rip permit 20
set tag 200
Traceroute 1.1.1.1 on R2 again: the loop is gone
5-3 Dual-point bidirectional redistribution
Dual-point bidirectional redistribution brings unexpected problems such as suboptimal paths and loops; the best solution requires not only changing AD values but also tagging and filtering.
R3 and R4 do dual-point bidirectional redistribution
R3:
router ospf 110
router-id 0.0.0.3
log-adjacency-changes
redistribute rip subnets
network 2.1.35.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 110 metric 5
network 1.0.0.0
no auto-summary
R4:
router ospf 110
router-id 0.0.0.4
log-adjacency-changes
redistribute rip subnets
network 2.1.45.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 110 metric 5
network 1.0.0.0
no auto-summary
R3#sh ip route
1.0.0.0/24 is subnetted, 3 subnets
O E2 1.1.12.0 [110/20] via 2.1.35.5, 00:12:28, FastEthernet0/1
O E2 1.1.14.0 [110/20] via 2.1.35.5, 00:12:28, FastEthernet0/1
C 1.1.23.0 is directly connected, FastEthernet0/0
2.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2 2.1.35.0/32 [110/20] via 2.1.35.5, 00:12:28, FastEthernet0/1
C 2.1.35.0/24 is directly connected, FastEthernet0/1
O 2.1.45.0/24 [110/65] via 2.1.35.5, 00:12:28, FastEthernet0/1
R4#sh ip route
1.0.0.0/24 is subnetted, 3 subnets
R 1.1.12.0 [120/1] via 1.1.14.1, 00:00:02, FastEthernet0/0
C 1.1.14.0 is directly connected, FastEthernet0/0
O E2 1.1.23.0 [110/20] via 2.1.45.5, 00:12:43, Serial1/0
2.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R 2.1.35.0/32 [120/7] via 1.1.14.1, 00:00:02, FastEthernet0/0
O 2.1.35.0/24 [110/65] via 2.1.45.5, 00:13:40, Serial1/0
C 2.1.45.0/24 is directly connected, Serial1/0
This shows that suboptimal routes appear on both R3 and R4; the main reason is that OSPF's AD is lower than RIP's, and the route with the lower AD is installed.
To solve the suboptimal-path problem, we can change the RIP AD value.
If you change the administrative distance, you must change it on every router in the RIP domain (R1/2/3/4 all change their AD):
R1/2/3/4(config-router)#distance 105
Looking at the routing tables of R3/4 again:
R4 now shows an OSPF suboptimal route: the RIP suboptimal path is solved, but a new suboptimal path has appeared.
This is why dual-point bidirectional redistribution leads to such complicated situations.
So we change the AD of the routers in the RIP domain back to 120
and configure the following on R3/4:
R3/4(config)# access-list 10 permit 1.1.0.0 0.0.255.255
R3(config-router)#distance 105 1.1.23.2 0.0.0.0 10
R4(config-router)#distance 105 1.1.14.1 0.0.0.0 10
\\ under router rip
\\ the command changes the AD of the RIP routes received from 1.1.23.2 that match access-list 10
Result after applying:
R3#sh ip route
1.0.0.0/24 is subnetted, 3 subnets
R 1.1.12.0 [105/1] via 1.1.23.2, 00:00:01, FastEthernet0/0
R 1.1.14.0 [105/2] via 1.1.23.2, 00:00:01, FastEthernet0/0
C 1.1.23.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 2 subnets
C 2.1.35.0 is directly connected, FastEthernet0/1
O 2.1.45.0 [110/65] via 2.1.35.5, 00:08:04, FastEthernet0/1
R4#sh ip route
1.0.0.0/24 is subnetted, 3 subnets
R 1.1.12.0 [105/1] via 1.1.14.1, 00:00:25, FastEthernet0/0
C 1.1.14.0 is directly connected, FastEthernet0/0
R 1.1.23.0 [105/2] via 1.1.14.1, 00:00:25, FastEthernet0/0
2.0.0.0/24 is subnetted, 2 subnets
O 2.1.35.0 [110/65] via 2.1.45.5, 00:04:03, Serial1/0
C 2.1.45.0 is directly connected, Serial1/0
More often, though, dual-point bidirectional redistribution causes routing loops; the fix is to tag routes and filter on the tags.
The lab environment is the same as above.
Solution:
On R3:
When redistributing RIP routes into OSPF, filter out the routes that originally belong to the OSPF domain
<tag the RIP-domain routes with 100, and use a lower sequence number to block tag-200 routes first>
When redistributing OSPF routes into RIP, filter out the routes that originally belong to the RIP domain
<tag the OSPF-domain routes with 200, and use a lower sequence number to block tag-100 routes first>
The same on R4
R3/R4:
route-map riptoospf deny 10
match tag 200
route-map riptoospf permit 20
set tag 100
route-map ospftorip deny 10
match tag 100
route-map ospftorip permit 20
set tag 200
=========================================================
R3#sh route-map
route-map riptoospf, deny, sequence 10
Match clauses:
tag 200
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map riptoospf, permit, sequence 20
Match clauses:
Set clauses:
tag 100
Policy routing matches: 0 packets, 0 bytes
route-map ospftorip, deny, sequence 10
Match clauses:
tag 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map ospftorip, permit, sequence 20
Match clauses:
Set clauses:
tag 200
Policy routing matches: 0 packets, 0 bytes
router ospf 110
router-id 0.0.0.3
log-adjacency-changes
redistribute rip subnets route-map riptoospf
network 2.1.35.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 110 metric 5 route-map ospftorip
network 1.0.0.0
no auto-summary
========================================================
R4#sh route-map
route-map riptoospf, deny, sequence 10
Match clauses:
tag 200
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map riptoospf, permit, sequence 20
Match clauses:
Set clauses:
tag 100
Policy routing matches: 0 packets, 0 bytes
route-map ospftorip, deny, sequence 10
Match clauses:
tag 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map ospftorip, permit, sequence 20
Match clauses:
Set clauses:
tag 200
Policy routing matches: 0 packets, 0 bytes
router ospf 110
router-id 0.0.0.4
log-adjacency-changes
redistribute rip subnets route-map riptoospf
network 2.1.45.0 0.0.0.255 area 0
!
router rip
version 2
redistribute ospf 110 metric 5 route-map ospftorip
network 1.0.0.0
no auto-summary
==================================================
R5#sh ip route 1.1.12.0
Routing entry for 1.1.12.0/24
Known via "ospf 110", distance 110, metric 20
Tag 100, type extern 2, forward metric 1
Last update from 2.1.35.3 on FastEthernet0/0, 00:11:15 ago
Routing Descriptor Blocks:
* 2.1.35.3, from 0.0.0.3, 00:11:15 ago, via FastEthernet0/0
Route metric is 20, traffic share count is 1
Route tag 100
R1#sh ip route 2.1.45.0
Routing entry for 2.1.45.0/24
Known via "rip", distance 120, metric 5
Tag 200
Redistributing via rip
Last update from 1.1.14.4 on FastEthernet0/1, 00:00:08 ago
Routing Descriptor Blocks:
* 1.1.14.4, from 1.1.14.4, 00:00:08 ago, via FastEthernet0/1
Route metric is 5, traffic share count is 1
Route tag 200
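The tag-based filtering used in 5-2 and 5-3 (deny the other domain's tag first, then set our own), modelled as an added example that is not the lab's own code: a simplified route-map evaluator run over one RIP-originated route, with and without the tags. Protocol names, the clause format and the sample route are assumptions for the demonstration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str
    proto: str      # protocol the route is currently known via
    tag: int = 0    # 0 = untagged

def apply_route_map(route, route_map):
    """route_map: ordered (action, match_tag, set_tag); match_tag None matches
    everything. Returns the possibly re-tagged route, or None when a deny
    clause matches or no clause matches (implicit deny)."""
    for action, match_tag, set_tag in route_map:
        if match_tag is None or route.tag == match_tag:
            if action == "deny":
                return None
            return replace(route, tag=route.tag if set_tag is None else set_tag)
    return None

RIP_TO_OSPF = [("deny", 200, None), ("permit", None, 100)]   # route-map riptoospf
OSPF_TO_RIP = [("deny", 100, None), ("permit", None, 200)]   # route-map ospftorip
PASSTHROUGH = [("permit", None, None)]                       # no route-map at all

def redistribute(routes, src, dst, route_map):
    """Redistribute every route known via src into dst through the route-map."""
    out = []
    for r in routes:
        if r.proto != src:
            continue
        kept = apply_route_map(r, route_map)
        if kept is not None:
            out.append(replace(kept, proto=dst))
    return out

def round_trip(route, with_tags=True):
    """RIP -> OSPF on one redistribution point (R3), then OSPF -> RIP on the
    other (R4). With the tags the second step drops the route; without them
    the RIP route is re-injected into RIP, which is the loop seen in 5-2."""
    in_ospf = redistribute([route], "rip", "ospf", RIP_TO_OSPF if with_tags else PASSTHROUGH)
    back_in_rip = redistribute(in_ospf, "ospf", "rip", OSPF_TO_RIP if with_tags else PASSTHROUGH)
    return in_ospf, back_in_rip

# Constructed sample: 1.1.12.0/24 originates in the RIP domain, as in R5's output above
ORIGIN = Route("1.1.12.0/24", "rip")

if __name__ == "__main__":
    print("with tags:   ", round_trip(ORIGIN))
    print("without tags:", round_trip(ORIGIN, with_tags=False))
```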
Tool 6: PBR
6-1 Source-based PBR
Default path: R1--->R2--->R3|3.3.3.3
Now we use PBR to steer the path to R1->R2->R4->R3-|3.3.3.3
Configuration on R2:
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip policy route-map PBR1 \\ applied under the interface
duplex auto
speed auto
access-list 10 permit 12.1.1.0 0.0.0.255
route-map PBR1 permit 10
match ip address 10
set ip next-hop 24.1.1.4
Note: if the defined next hop is unreachable, PBR is not applied
6-2 Packet-size-based PBR
Same lab topology as above
Requirements:
The whole network runs RIP and R3 has a loopback; use PBR to control the path from R1 to R3's loopback:
if the packet size exceeds 1000, go via R4 to 3.3.3.3
if the packet size is below 1000, go via R3 to 3.3.3.3
route-map ccna permit 10
match length 1000 20000000
set ip next-hop 24.1.1.4
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip policy route-map ccna
Use an extended ping on R1 to set the packet size.
R2#sh route-map
route-map ccna, permit, sequence 10
Match clauses:
length 1000 20000000
Set clauses:
ip next-hop 24.1.1.4
Policy routing matches: 27 packets, 37338 bytes
Enable debug ip policy on R2:
*Jul 8 11:30:36.855: IP: s=12.1.1.1 (FastEthernet0/0), d=3.3.3.3, g=24.1.1.4, len 1500, FIB policy routed
*Jul 8 11:30:36.867: IP: s=12.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 1120, FIB policy match
*Jul 8 11:30:36.867: IP: s=12.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 1120, PBR Counted
6-3 Application-based PBR
Requirement: only when R1 telnets to 3.3.3.3 should the traffic go down via R4 to 3.3.3.3
Configuration on R2:
route-map ccnp permit 10
match ip address TEL
set ip next-hop 24.1.1.4
ip access-list extended TEL
permit tcp any any eq telnet
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip policy route-map ccnp
Turn on debug ip policy and telnet from R1 to 3.3.3.3
Then check on R2 whether there are matching entries
R2#sh route-map
route-map ccnp, permit, sequence 10
Match clauses:
ip address (access-lists): TEL
Set clauses:
ip next-hop 24.1.1.4
Policy routing matches: 36 packets, 2166 bytes
6-4 PBR based on remote-address reachability
Still the same lab topology; the requirements are written in the picture
Configuration on R2:
[Step 1: define the route-map]
R2(config)#access-list 10 per
R2(config)#access-list 10 permit 12.1.1.0 0.0.0.255
R2#sh run | se route-map
route-map ccie permit 10
match ip address 10
set ip next-hop verify-availability 24.1.1.4 1 track 1
\\ the first 1: <1-65535> sequence to insert into next-hop list
\\ the second 1: <1-500> tracked object number
\\ meaning: to use 24.1.1.4 as the next hop, track 1 must be up
[Step 2: define the track] R2(config)#track 1 ip sla 1 reachability
Track 1 goes UP only when SLA 1 reports the target reachable
[Step 3: define the SLA]
ip sla 1
icmp-echo 4.4.4.4 \\ ping 4.4.4.4, sourced from the local interface by default
frequency 5
R2(config)#ip sla schedule 1 life forever start-time now \\ keep the SLA running permanently
[Step 4: apply the route-map to the interface]
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip policy route-map ccie
Finally advertise 4.4.4.4 into RIP on R4
Checking the route-map on R2, we can see it is in the up state
Testing the lab result:
Enable debug ip policy on R2 to see the result
Ping 3.3.3.3 from R1
R2#
*Jul 8 14:08:44.282: IP: s=12.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy match
*Jul 8 14:08:44.286: IP: s=12.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 100, PBR Counted
*Jul 8 14:08:44.286: IP: s=12.1.1.1 (FastEthernet0/0), d=3.3.3.3, g=24.1.1.4, len 100, FIB policy routed
If you remove 4.4.4.4 on R4 and wait for convergence, check the behaviour on R2 again
7 - Lab downloads
Dual-point unidirectional redistribution lab file: http://pan.baidu.com/s/1kTEebcV
Dual-point bidirectional redistribution lab file: http://pan.baidu.com/s/1o6FtNMM
PBR based on remote-address reachability: http://pan.baidu.com/s/1mgnDD6C
8 - Route control command summary
show ip policy             show policy routing and the interfaces it is applied to
show route-map             show all defined route policies and their match statistics
debug ip policy            watch policy-routing matches in real time
passive-interface          configure a passive interface
distribute-list            configure a distribution control list
route-map                  define a route policy
match                      define the match condition
set                        define the action taken for statements matching the condition
ip policy route-map        apply a route policy
ip local policy route-map  apply a route policy to locally generated traffic