Policy-chain 实验
- 实验拓扑
vMX-3的lo0.0接口上连接着以下网段
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
10.1.1.0/24
10.2.1.0/24
172.16.0.0/24
- 配置需求
R3上面执行路由汇总:
192.168.0.0/16
10.0.0.0/8
172.16.0.0/16
要求:
R3只通告聚合路由192.168.0.0/16给R1
R3通告聚合路由192.168.0.0/16和10.0.0.0/8给R2(拒绝其他的路由)
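- 配置案例
说明:下面各台设备配置里的 encrypted-password 是 root 口令的哈希,`$1$` 前缀表示 MD5-crypt 格式,抗离线猜解能力较弱;这些值只适用于实验环境,公开分享真实设备配置前应先去掉带 ## SECRET-DATA 标记的行。另外,示例配置中未见 eBGP 邻居认证,生产环境建议为邻居会话启用认证。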
vMX-1配置
root@vMX-1# run show configuration
version 14.1R1.10;
system {
root-authentication {
encrypted-password "$1$a0zjPx7P$4Va9RcsxrIuHWJz.fhmrS0"; ## SECRET-DATA
}
interfaces {
ge-0/0/2 {
unit 0 {
family inet {
address 202.103.13.1/24;
}
}
}
}
routing-options {
autonomous-system 100;
}
protocols {
bgp {
group ebgp-peer {
type external;
log-updown;
neighbor 202.103.13.3 {
peer-as 300;
}
}
}
}
vMX-2配置
[edit]
root@vMX-2# run show configuration
version 14.1R1.10;
system {
host-name vMX-2;
root-authentication {
encrypted-password "$1$QsSbO49u$DmMrWquAJ739RmUFn3CLo1"; ## SECRET-DATA
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 202.103.23.2/24;
}
}
}
}
routing-options {
autonomous-system 200;
}
protocols {
bgp {
group ebgp-peer {
type external;
log-updown;
neighbor 202.103.23.3 {
peer-as 300;
}
}
}
}
vMX-3配置
root@vMX-3# run show configuration
version 14.1R1.10;
system {
host-name vMX-3;
root-authentication {
encrypted-password "$1$QYBXvplE$9SwS1OUd9MaGzBo0f3I760"; ## SECRET-DATA
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 202.103.23.3/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 202.103.13.3/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.1.3/24;
address 192.168.2.3/24;
address 192.168.3.3/24;
address 10.1.1.3/24;
address 10.2.1.3/24;
address 172.16.0.3/24;
}
}
}
}
routing-options {
aggregate {
route 192.168.0.0/16;
route 10.0.0.0/8;
route 172.16.0.0/16;
}
autonomous-system 300;
}
protocols {
bgp {
group ebgp-peer {
type external;
log-updown;
neighbor 202.103.23.2 {
export [ to-R1 to-R2 default-policy ];
peer-as 200;
}
neighbor 202.103.13.1 {
export [ to-R1 default-policy ];
peer-as 100;
}
}
}
}
policy-options {
policy-statement default-policy {
then reject;
}
policy-statement to-R1 {
from {
protocol aggregate;
route-filter 192.168.0.0/16 exact;
}
then accept;
}
policy-statement to-R2 {
from {
protocol aggregate;
route-filter 10.0.0.0/8 exact;
}
then accept;
}
}
查看vMX-1路由表
[edit]
root@vMX-1# run show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.0.0/16 *[BGP/170] 00:33:02, localpref 100
AS path: 300 I, validation-state: unverified
to 202.103.13.3 via ge-0/0/2.0
202.103.13.0/24 [Direct/0] 00:56:38
via ge-0/0/2.0
202.103.13.1/32 [Local/0] 00:56:38
Local via ge-0/0/2.0
查看vMX-2路由表
[edit]
root@vMX-2# run show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8 *[BGP/170] 00:32:38, localpref 100
AS path: 300 I, validation-state: unverified
to 202.103.23.3 via ge-0/0/0.0
192.168.0.0/16 [BGP/170] 00:32:38, localpref 100
AS path: 300 I, validation-state: unverified
to 202.103.23.3 via ge-0/0/0.0
202.103.23.0/24 [Direct/0] 00:52:45
via ge-0/0/0.0
202.103.23.2/32 *[Local/0] 00:52:45
Local via ge-0/0/0.0
查看vMX-3路由表
[edit]
root@vMX-3# run show route
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8 [Aggregate/130] 00:33:39
Reject
10.1.1.0/24 [Direct/0] 00:39:47
via lo0.0
10.1.1.3/32 [Local/0] 00:39:47
Local via lo0.0
10.2.1.0/24 [Direct/0] 00:39:47
via lo0.0
10.2.1.3/32 [Local/0] 00:39:47
Local via lo0.0
172.16.0.0/16 [Aggregate/130] 00:33:39
Reject
172.16.0.0/24 [Direct/0] 00:39:47
via lo0.0
172.16.0.3/32 [Local/0] 00:39:47
Local via lo0.0
192.168.0.0/16 [Aggregate/130] 00:33:39
Reject
192.168.1.0/24 [Direct/0] 00:40:36
via lo0.0
192.168.1.3/32 [Local/0] 00:40:36
Local via lo0.0
192.168.2.0/24 [Direct/0] 00:40:18
via lo0.0
192.168.2.3/32 [Local/0] 00:40:18
Local via lo0.0
192.168.3.0/24 [Direct/0] 00:39:47
via lo0.0
192.168.3.3/32 [Local/0] 00:39:47
Local via lo0.0
202.103.13.0/24 [Direct/0] 00:51:32
via ge-0/0/2.0
202.103.13.3/32 [Local/0] 00:51:32
Local via ge-0/0/2.0
202.103.23.0/24 [Direct/0] 00:51:32
via ge-0/0/0.0
202.103.23.3/32 *[Local/0] 00:51:32
Local via ge-0/0/0.0
root@vMX-3# run show route protocol aggregate
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8 [Aggregate/130] 00:34:03
Reject
172.16.0.0/16 [Aggregate/130] 00:34:03
Reject
192.168.0.0/16 *[Aggregate/130] 00:34:03
Reject
vMX-3将192.168.0.0/16的路由通告给vMX-1,下一跳自己
[edit]
root@vMX-3# run show route advertising-protocol bgp 202.103.13.1
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 192.168.0.0/16 Self I
vMX-3将192.168.0.0/16、10.0.0.0/8的路由通告给vMX-2,下一跳自己
root@vMX-3# run show route advertising-protocol bgp 202.103.23.2
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.0.0.0/8 Self I
* 192.168.0.0/16 Self I
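到此为止所有的需求已经实现。
原理说明:export 后面的策略链按从左到右的顺序依次评估,路由一旦命中某个策略中的 accept 或 reject 动作,评估即终止;没有命中的路由会继续交给链中的下一个策略。对 R1 的邻居,链为 [ to-R1 default-policy ],只有 192.168.0.0/16 被 to-R1 接受,其余路由都落到末尾的 default-policy 被拒绝;对 R2 的邻居,链为 [ to-R1 to-R2 default-policy ],192.168.0.0/16 和 10.0.0.0/8 分别被 to-R1、to-R2 接受,172.16.0.0/16 及各明细路由同样被 default-policy 拒绝。在链的末尾显式放置一个 reject 策略,相当于对路由通告采用"默认拒绝、按需放行"的做法,可以避免因遗漏匹配条件而对外泄露不应通告的前缀。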