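The distribute list, highlighted in purple in the configurations, is used for route filtering. It applies to DV routing protocols, or to protocols that carry route entries in clear form as their routing information: for example RIP, EIGRP, OSPF ABRs (OSPF inter-area routing works on a principle similar to DV), or redistribution on an ASBR. Because the purpose of a distribute list is to filter specific entries out of routing update packets so that the receiving router does not learn the route, it has no effect when the update packet is not meant to advertise routes. As many predecessors online have pointed out, in LS routing protocols the LSA (called LSP in IS-IS) advertises link state, which must be synchronized across the entire area; a given link is either down or up, and it cannot happen that one router knows about it while another does not. One could say that the distribute list exploits a shortcoming of DV routing protocols to "deceive" the target router, and that it does not work on LS routing protocols.
The following lab analyzes the behavior of distribute-list.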
R1(S1/1)--(S1/0)R2(S1/1)--(S1/0)R3(S1/1)--(S1/0)R4
R1 connects the networks 192.168.0.0, 192.168.1.0, 192.168.2.0 and 192.168.3.0; R4 connects 10.2.0.0, 10.2.1.0, 10.2.2.0 and 10.2.3.0.
R1#show run
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
ip address 192.168.3.1 255.255.255.0
!
interface Serial1/1
description DCE,EIGRP 10,connected to R2's S1/0,ip 10.1.1.2/30
ip address 10.1.1.1 255.255.255.252
clock rate 9600
!
router eigrp 10
network 10.1.1.0 0.0.0.3
network 192.168.0.0 0.0.3.255
no auto-summary
!
/////
R2#show run
interface Serial1/0
description DTE,EIGRP 10,connected to R1's S1/1,ip 10.1.1.1/30
ip address 10.1.1.2 255.255.255.252
!
interface Serial1/1
description DCE,OSPF area 0,connected to R3's S1/0,ip 10.1.1.6/30
ip address 10.1.1.5 255.255.255.252
clock rate 9600
!
router eigrp 10
redistribute ospf 100 metric 200 100 0 1 1500
network 10.1.1.0 0.0.0.3
no auto-summary
!
router ospf 100
router-id 2.2.2.2
redistribute eigrp 10 metric 20 metric-type 1 subnets
network 10.1.1.4 0.0.0.3 area 0
distribute-list 1 out eigrp 10
!
access-list 1 deny 192.168.0.0 0.0.0.255
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 deny 192.168.2.0 0.0.0.255
access-list 1 permit any
!
/////
R3#show run
interface Serial1/0
description DTE,OSPF area 0,connected to R2's S1/1,ip 10.1.1.5/30
ip address 10.1.1.6 255.255.255.252
!
interface Serial1/1
description DCE,OSPF area 0,connected to R4's S1/0,ip 172.16.1.2/24
ip address 172.16.1.1 255.255.255.0
clock rate 9600
!
router ospf 100
router-id 3.3.3.3
network 10.1.1.4 0.0.0.3 area 0
network 172.16.1.0 0.0.0.255 area 0
distribute-list 10 in
!
access-list 10 deny 10.2.0.0 0.0.0.255
access-list 10 deny 10.2.1.0 0.0.0.255
access-list 10 permit any
!
/////
R4#show run
interface Loopback0
ip address 10.2.0.1 255.255.255.0
!
interface Loopback1
ip address 10.2.1.1 255.255.255.0
!
interface Loopback2
ip address 10.2.2.1 255.255.255.0
!
interface Loopback3
ip address 10.2.3.1 255.255.255.0
!
interface Serial1/0
description DTE,OSPF area 0,connected to R3's S1/1,ip 172.16.1.1/24
ip address 172.16.1.2 255.255.255.0
!
router ospf 100
router-id 4.4.4.4
network 10.2.0.0 0.0.3.255 area 0
network 172.16.1.0 0.0.0.255 area 0
!
/////
Check R1's routing table:
R1#show ip route
172.16.0.0/24 is subnetted, 1 subnets
D EX 172.16.1.0 [170/13337600] via 10.1.1.2, 00:23:50, Serial1/1
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D EX 10.2.1.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
D EX 10.2.0.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
D EX 10.2.3.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
C 10.1.1.0/30 is directly connected, Serial1/1
D EX 10.2.2.1/32 [170/13337600] via 10.1.1.2, 00:14:04, Serial1/1
D EX 10.1.1.4/30 [170/13337600] via 10.1.1.2, 00:24:56, Serial1/1
C 192.168.0.0/24 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Loopback1
C 192.168.2.0/24 is directly connected, Loopback2
C 192.168.3.0/24 is directly connected, Loopback3
And R4's:
R4#show ip route
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial1/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.2.0.0/24 is directly connected, Loopback0
C 10.2.1.0/24 is directly connected, Loopback1
C 10.2.2.0/24 is directly connected, Loopback2
O E1 10.1.1.0/30 [110/148] via 172.16.1.1, 00:14:56, Serial1/0
C 10.2.3.0/24 is directly connected, Loopback3
O 10.1.1.4/30 [110/128] via 172.16.1.1, 00:14:56, Serial1/0
O E1 192.168.3.0/24 [110/148] via 172.16.1.1, 00:14:56, Serial1/0
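Clearly, R4's routing table no longer contains the routes named in R2's distribute-list; yet R1 still has the routes named in R3's distribute-list.
Does that mean distribute-list has no effect at all?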
R1#ping 10.2.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.1, timeout is 2 seconds:
U.U.U //destination unreachable
Success rate is 0 percent (0/5)
Let's look at the root cause:
R3# show ip route
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial1/1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O 10.2.3.1/32 [110/65] via 172.16.1.2, 00:20:15, Serial1/1
O E1 10.1.1.0/30 [110/84] via 10.1.1.5, 00:20:15, Serial1/0
O 10.2.2.1/32 [110/65] via 172.16.1.2, 00:20:15, Serial1/1
C 10.1.1.4/30 is directly connected, Serial1/0
O E1 192.168.3.0/24 [110/84] via 10.1.1.5, 00:20:15, Serial1/0
R3#show ip ospf data router 4.4.4.4
--output omitted--
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.2.1.1
(Link Data) Network Mask: 255.255.255.255
Number of TOS metrics: 0
TOS 0 Metrics: 1
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.2.0.1
(Link Data) Network Mask: 255.255.255.255
Number of TOS metrics: 0
TOS 0 Metrics: 1
--output omitted--
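Where does the cause lie? The IOS reference excerpt quoted above already explains it. In OSPF, distribute-list only removes the matching entries from the routing table of the router it is configured on; it does not affect link-state convergence. R3's database shows that the OSPF database holds the data for these two routes; only the routing table lacks them. As a result, all of OSPF area 0 knows that the link is up, and only R3 "does not know" about it; and R3 happens to be the only path to that destination. Packets sent from R1 toward R4 can therefore only be answered by R3 with an ICMP "destination unreachable". At the same time, R3's routing table is out of sync with its database, which demonstrates that the distribute list acts directly on the routing table.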
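An added example, not part of the original post: a Python check for the condition described above, where a prefix is present in a router's OSPF link-state database but missing from its own routing table, together with the ACL verdict that explains it. The sample text is constructed after the R3 output and access-list 10 above; the function names are illustrative, and the route parser only handles lines that carry an explicit mask.

```python
import ipaddress
import re

# Constructed sample text, modelled on the R3 output and access-list 10 above.
LSA = """\
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.2.1.1
(Link Data) Network Mask: 255.255.255.255
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.2.0.1
(Link Data) Network Mask: 255.255.255.255
Link connected to: a Stub Network
(Link ID) Network/subnet number: 10.2.2.1
(Link Data) Network Mask: 255.255.255.255
"""
RIB = """\
O 10.2.3.1/32 [110/65] via 172.16.1.2, 00:20:15, Serial1/1
O 10.2.2.1/32 [110/65] via 172.16.1.2, 00:20:15, Serial1/1
"""
ACL = """\
access-list 10 deny 10.2.0.0 0.0.0.255
access-list 10 deny 10.2.1.0 0.0.0.255
access-list 10 permit any
"""

def lsdb_stubs(text):
    """Stub networks listed in 'show ip ospf database router' output."""
    pat = r"Network/subnet number: (\S+)\s+\(Link Data\) Network Mask: (\S+)"
    return {ipaddress.ip_network(f"{a}/{m}") for a, m in re.findall(pat, text)}

def rib_prefixes(text):
    """Prefixes carrying an explicit mask in 'show ip route' output."""
    pat = r"^[A-Z]+(?: [A-Z0-9]+)? (\d+(?:\.\d+){3}/\d+) "
    return {ipaddress.ip_network(p) for p in re.findall(pat, text, re.M)}

def acl_action(acl_text, prefix):
    """First-match verdict of a standard ACL on the route's network address."""
    addr = int(prefix.network_address)
    for line in acl_text.splitlines():  # one 'access-list N action src [wildcard]' per line
        _, _, action, src, *wild = line.split()
        mask = int(ipaddress.ip_address(wild[0])) if wild else 0
        if src == "any" or (addr | mask) == (int(ipaddress.ip_address(src)) | mask):
            return action
    return "deny"  # implicit deny that ends every ACL

def lsdb_rib_mismatch(lsa_text, rib_text, acl_text):
    """Prefixes in the LSDB but not in the RIB, each with the ACL verdict for it."""
    missing = lsdb_stubs(lsa_text) - rib_prefixes(rib_text)
    return {str(p): acl_action(acl_text, p) for p in sorted(missing)}
```

On the sample, `lsdb_rib_mismatch(LSA, RIB, ACL)` reports 10.2.0.1/32 and 10.2.1.1/32 as denied, the two routes R3 drops while still holding their LSAs.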