I have recently been studying OSPF route filtering, so I wrote this article. It covers:
1. Filtering the routes OSPF receives
2. Filtering routes when OSPF processes import routes from each other
3. Filtering the routes OSPF advertises
The same kind of filtering implemented by different methods is shown in the figure below:
Below, OSPF route filtering in each of these cases is studied by experiment.
The topology is shown in the figure below:
The devices are the H3C simulator.
R1, R2 and R4 run OSPF process 1; R2 and SW2 run OSPF process 5. R4 has a 50 network segment that must be able to reach SW2's 50 network segment. All of the route filtering operations below are built on this base topology:
The main base configuration is as follows:
R1:
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack1
ip address 10.10.10.10 255.255.255.255
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.10.10 0.0.0.0
R2:
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack1
ip address 10.10.20.10 255.255.255.255
#
interface LoopBack2
ip address 50.50.60.10 255.255.255.255
#
interface Vlan-interface2
ip address 172.16.1.6 255.255.255.252
acl number 2000 // select the 50 network segment
rule 0 permit source 50.50.70.10 0
rule 1 deny
#
#
route-policy 5YinRu1 permit node 10 // create the route-policy and bind it to the ACL
if-match acl 2000
route-policy 1YinRu5 permit node 10 // create the route-policy and bind it to the ip-prefix named test
if-match ip-prefix test
#
ip ip-prefix test index 10 permit 50.50.50.50 32
ip ip-prefix test index 20 deny 0.0.0.0 0 less-equal 32 // the two ip-prefix entries select only 50.50.50.50
ospf 1 router-id 2.2.2.2
import-route ospf 5 route-policy 1YinRu5 // applied under process 1
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.20.10 0.0.0.0
network 172.16.1.8 0.0.0.3
#
ospf 5
import-route ospf 1 route-policy 5YinRu1 // applied under process 5
area 0.0.0.0
network 172.16.1.4 0.0.0.3
network 50.50.60.10 0.0.0.0
R4:
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface LoopBack1
ip address 10.10.30.10 255.255.255.255
#
interface LoopBack2
ip address 50.50.70.10 255.255.255.255
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 172.16.1.8 0.0.0.3
network 10.10.30.10 0.0.0.0
network 50.50.70.10 0.0.0.0
#
SW2:
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface LoopBack1
ip address 50.50.50.50 255.255.255.255
#
interface Vlan-interface2
ip address 172.16.1.5 255.255.255.252
#
ospf 5 router-id 3.3.3.3
area 0.0.0.0
network 172.16.1.4 0.0.0.3
network 50.50.50.50 0.0.0.0
#
Now let's start the experiments. Some parts may not be written in enough detail; criticism is welcome.
I. Three ways to filter the routes OSPF receives
1. Filtering received routes covers both routes imported with import-route and routes advertised by other routers in the area. It is implemented with filter-policy + ACL.
On R1 there are two routes to the 50 network segment:
[R1-ospf-1]dis ip routing-table
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
50.50.50.50/32 O_ASE 150 1 172.16.1.2 S0/6/0
50.50.70.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
50.50.50.50/32 O_ASE 150 1 172.16.1.2 S0/6/0 // an externally imported route
50.50.70.10/32 OSPF 10 3124 172.16.1.2 S0/6/0 // a route advertised by another router in the area
After the following configuration is applied:
acl number 2003
rule 0 deny source 50.50.0.0 0.0.255.255
rule 5 permit
[R1-ospf-1]dis th
#
ospf 1 router-id 1.1.1.1
filter-policy 2003 import
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.10.10 0.0.0.0
#
return
[R1-ospf-1]dis ip ro
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
Summary: filtering received routes acts at the same time on routes imported with import-route and on routes advertised by other routers in the area.
2. The method above uses filter-policy + ACL.
It can also be implemented with filter-policy + IP-PREFIX.
Before filter-policy is configured:
[R1-ospf-1]dis ip ro
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
50.50.50.50/32 O_ASE 150 1 172.16.1.2 S0/6/0
50.50.70.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
Add the following configuration:
ip ip-prefix test1 index 10 deny 50.50.0.0 16 greater-equal 16 less-equal 32 // deny all routes in the 50.50 segment
ip ip-prefix test1 index 20 permit 0.0.0.0 0 less-equal 32 // match all routes
ospf 1 router-id 1.1.1.1
filter-policy ip-prefix test1 import
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.10.10 0.0.0.0
The routing table is now:
[R1]dis ip ro
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
The routing table no longer contains any route to the 50 segment.
Supplementary note:
ip ip-prefix
For example, if we want to match
the two routes 192.168.16.0/24 and 192.168.18.0/24,
the prefix list should be written as
ip prefix-list 1 permit 192.168.16.0/22 ge 24 le 24
This command means: first select the routes with a /24 mask, then match them against the /22 prefix.
192.168.16.0/22 covers 192.168.16.1 to 192.168.19.254
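To make the ip-prefix and ACL matching rules concrete, here is an added Python model (my own example, not part of the original post or any H3C tool) that evaluates R1's OSPF routes against the page's test1 and test prefix lists, ACL 2003, and the prefix-list entry from the note above written in H3C form. The greater-equal/less-equal defaults and the implicit deny at the end of a list are assumed H3C behaviour.

```python
import ipaddress

# Constructed sample: the non-direct routes from R1's routing table on this page.
ROUTES = ["10.10.20.10/32", "10.10.30.10/32", "50.50.50.50/32",
          "50.50.70.10/32", "172.16.1.8/30"]

# ip ip-prefix entries as (action, prefix, length, greater-equal, less-equal), in index order.
# Assumed H3C semantics: no ge/le means an exact length match; ge without le means ge..32;
# a route that matches no entry is denied.
TEST1 = [("deny", "50.50.0.0", 16, 16, 32), ("permit", "0.0.0.0", 0, None, 32)]
TEST = [("permit", "50.50.50.50", 32, None, None), ("deny", "0.0.0.0", 0, None, 32)]
# The "192.168.16.0/22 ge 24 le 24" entry from the note above, in H3C ip-prefix form.
LIST1 = [("permit", "192.168.16.0", 22, 24, 24)]
# acl number 2003 as basic ACL rules (action, source, wildcard); "any" matches everything.
ACL2003 = [("deny", "50.50.0.0", "0.0.255.255"), ("permit", "any", None)]

def ip_prefix_permits(entries, route):
    """First matching entry decides; a match needs the route inside prefix/length
    and the route's own mask length within [greater-equal, less-equal]."""
    r = ipaddress.ip_network(route, strict=False)
    for action, prefix, length, ge, le in entries:
        net = ipaddress.ip_network(f"{prefix}/{length}", strict=False)
        lo = length if ge is None else ge
        hi = le if le is not None else (32 if ge is not None else length)
        if r.network_address in net and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny at the end of the list

def acl_permits(rules, route):
    """Basic ACL: a wildcard bit of 1 means 'don't care'; the first matching rule decides."""
    addr = int(ipaddress.ip_network(route, strict=False).network_address)
    for action, source, wildcard in rules:
        if source == "any":
            return action == "permit"
        care = ~int(ipaddress.ip_address(wildcard))  # bits that must be equal
        if (addr & care) == (int(ipaddress.ip_address(source)) & care):
            return action == "permit"
    return False

def filter_policy_import(routes, permits):
    """What 'filter-policy ... import' leaves in the routing table: only permitted routes."""
    return [route for route in routes if permits(route)]

if __name__ == "__main__":
    print("acl 2003    :", filter_policy_import(ROUTES, lambda r: acl_permits(ACL2003, r)))
    print("prefix test1:", filter_policy_import(ROUTES, lambda r: ip_prefix_permits(TEST1, r)))
```

Both filters leave exactly the three non-50 routes that R1's table shows after the configuration, and LIST1 matches the two /24 routes but not the /22 itself.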
3. The two methods above filter received routes precisely. There is one more method, filter-policy gateway, which filters out all routes advertised by a given gateway.
Routing table before the configuration is added:
[R1]dis ip ro
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
Add the following configuration:
ip ip-prefix test2 index 10 deny 172.16.1.2 32
ip ip-prefix test2 index 20 permit 0.0.0.0 0 less-equal 32
ospf 1 router-id 1.1.1.1
filter-policy gateway test2 import
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.10.10 0.0.0.0
The routing table is now:
[R1-ospf-1]qu
[R1]dis ip ro
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
Apart from the one direct route whose next hop is 172.16.1.2, all other OSPF routes advertised by 172.16.1.2 have been filtered out.
Supplementary note:
This gateway-based filtering is only effective on received routes:
[R1-ospf-1]filter-policy gateway test2 ?
import Filtering incoming routing updates
When entering the command, only the import direction is available.
II. Filtering imported routes
1. Method one: route-policy + ACL
Import the 50 segment routes from process 1 into process 5:
acl number 2000 // select the 50 network segment
rule 0 permit source 50.50.70.10 0
rule 1 deny
#
ospf 5
import-route ospf 1 route-policy 5YinRu1 // applied under process 5
area 0.0.0.0
network 172.16.1.4 0.0.0.3
network 50.50.60.10 0.0.0.0
#
route-policy 5YinRu1 permit node 10 // create the route-policy and bind it to the ACL
if-match acl 2000
If the configuration is correct, SW2 sees the route to 50.50.70.10 but none of process 1's 10 segment routes.
See the routing table:
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost NextHop Interface
3.3.3.3/32 Direct 0 0 127.0.0.1 InLoop0
50.50.50.50/32 Direct 0 0 127.0.0.1 InLoop0
50.50.60.10/32 OSPF 10 1 172.16.1.6 Vlan2
50.50.70.10/32 O_ASE 150 1 172.16.1.6 Vlan2
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.4/30 Direct 0 0 172.16.1.5 Vlan2
172.16.1.5/32 Direct 0 0 127.0.0.1 InLoop0
Verified: the configuration is correct.
2. Method two: route-policy + IP-PREFIX
ip ip-prefix test index 10 permit 50.50.50.50 32
ip ip-prefix test index 20 deny 0.0.0.0 0 less-equal 32 // the two ip-prefix entries select only 50.50.50.50
route-policy 1YinRu5 permit node 10 // create the route-policy and bind it to the ip-prefix named test
if-match ip-prefix test
#
ospf 1 router-id 2.2.2.2
import-route ospf 5 route-policy 1YinRu5 // applied under process 1
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.20.10 0.0.0.0
network 172.16.1.8 0.0.0.3
#
If the configuration is correct, R4 sees the route to 50.50.50.50 and none of process 5's other 50 segment routes:
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost NextHop Interface
4.4.4.4/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 OSPF 10 3124 172.16.1.9 S0/6/1
10.10.20.10/32 OSPF 10 1562 172.16.1.9 S0/6/1
10.10.30.10/32 Direct 0 0 127.0.0.1 InLoop0
50.50.50.50/32 O_ASE 150 1 172.16.1.9 S0/6/1
50.50.70.10/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 OSPF 10 3124 172.16.1.9 S0/6/1
172.16.1.8/30 Direct 0 0 172.16.1.10 S0/6/1
172.16.1.9/32 Direct 0 0 172.16.1.9 S0/6/1
172.16.1.10/32 Direct 0 0 127.0.0.1 InLoop0
Verified: the configuration is correct.
After the mutual import between the two processes above, the segments imported into each other's process should be reachable from each other:
PING 50.50.50.50: 56 data bytes, press CTRL_C to break
Reply from 50.50.50.50: bytes=56 Sequence=1 ttl=254 time=15 ms
Reply from 50.50.50.50: bytes=56 Sequence=2 ttl=254 time=15 ms
Reply from 50.50.50.50: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 50.50.50.50: bytes=56 Sequence=4 ttl=254 time=35 ms
Reply from 50.50.50.50: bytes=56 Sequence=5 ttl=254 time=36 ms
--- 50.50.50.50 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/26/36 ms
III. Filtering advertised routes
Filter-policy export
An ASBR filters the external routes imported into OSPF.
This command only takes effect on an ASBR.
It only acts on routes imported on the local router with import-route; it has no effect on routes imported by other routers.
We again use an experiment to illustrate this.
1. In the experiment above we imported 50.50.50.50 from process 5 into process 1, and both R1 and R4 in process 1 learned a route to 50.50.50.50. But only R4 and SW2 need to communicate, so R1 does not need to learn the route to 50.50.50.50, nor the route to 50.50.70.10. Can this be achieved by filtering advertised routes on R2?
See the following configuration:
R1's routing table before the configuration:
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
50.50.50.50/32 O_ASE 150 1 172.16.1.2 S0/6/0
50.50.70.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
acl number 2004
rule 1 deny source 50.50.0.0 0.0.255.255
rule 5 permit
#
ospf 1 router-id 2.2.2.2
filter-policy 2004 export // filter advertised routes with filter-policy
import-route ospf 5 route-policy 1YinRu5
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.20.10 0.0.0.0
network 172.16.1.8 0.0.0.3
#
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
50.50.70.10/32 OSPF 10 3124 172.16.1.2 S0/6/0 // one route has been filtered, but 50.50.70.10 remains
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
This shows that filter-policy export only acts on routes imported on the local router with import-route and has no effect on routes imported by other routers. 50.50.70.10 is not an import-route route but a route advertised within the area, so it cannot be filtered.
2. Method two: filter-policy + IP-PREFIX
ospf 1 router-id 2.2.2.2
filter-policy ip-prefix test3 export
import-route ospf 5 route-policy 1YinRu5
area 0.0.0.0
network 172.16.1.0 0.0.0.3
network 10.10.20.10 0.0.0.0
network 172.16.1.8 0.0.0.3
#
#
ip ip-prefix test3 index 10 deny 50.50.50.50 32
ip ip-prefix test3 index 20 deny 50.50.70.10 32
ip ip-prefix test3 index 30 permit 0.0.0.0 0 less-equal 32
After the configuration is complete:
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0
10.10.10.10/32 Direct 0 0 127.0.0.1 InLoop0
10.10.20.10/32 OSPF 10 1562 172.16.1.2 S0/6/0
10.10.30.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
50.50.70.10/32 OSPF 10 3124 172.16.1.2 S0/6/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.0/30 Direct 0 0 172.16.1.1 S0/6/0
172.16.1.1/32 Direct 0 0 127.0.0.1 InLoop0
172.16.1.2/32 Direct 0 0 172.16.1.2 S0/6/0
172.16.1.8/30 OSPF 10 3124 172.16.1.2 S0/6/0
The table above shows that R1 still has one route to the 50 segment, which again proves that filter-policy export only acts on routes imported on the local router with import-route and has no effect on routes imported by other routers.