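I. Lab topology:
II. Lab objectives
1. Use advanced routing features in the lab to manipulate routing updates. These features include distribute lists, default routes, passive interfaces and route redistribution.
2. Master the advanced routing features used to control routing updates.
III. Lab requirements
1. The company's network between Guangzhou and Beijing uses the RIPv2 dynamic routing protocol.
2. Guangzhou has a stub network, 172.16.5.1/24, attached. To reduce traffic, RIPv2 updates must be filtered so that they are not sent onto the 172.16.5.1/24 network.
3. Beijing has the Engineers and Managers departments. The Managers network must not be learned by Guangzhou.
4. A very slow 19.2 Kbps link connects Beijing and Shanghai. To reduce traffic on this link, dynamic routing updates must not be allowed across it.
5. With the above conditions met, achieve full connectivity across the network.
IV. Lab steps
1. Configure the router interface IP addresses according to the topology diagram, as follows: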
Router(config)#host GuangZhou
GuangZhou(config)#int s1/1
GuangZhou(config-if)#ip add 172.16.224.1 255.255.255.252
GuangZhou(config-if)#no shut
GuangZhou(config)#int loop 0
GuangZhou(config-if)#ip add 172.16.5.1 255.255.255.0
GuangZhou(config-if)#exit
BeiJing(config)#int s1/2
BeiJing(config-if)#ip add 172.16.240.1 255.255.255.252
BeiJing(config-if)#no shut
BeiJing(config-if)#exit
BeiJing(config)#int loop 0
BeiJing(config-if)#ip add 172.16.232.1 255.255.255.0
BeiJing(config-if)#description Engineers
BeiJing(config-if)#exit
BeiJing(config)#int loop 1
BeiJing(config-if)#ip add 172.16.236.1 255.255.255.0
BeiJing(config-if)#description Manager
BeiJing(config-if)#end
Router(config)#host ShangHai
ShangHai(config)#int s1/1
ShangHai(config-if)#ip add 172.16.240.2 255.255.255.252
ShangHai(config-if)#no shut
ShangHai(config)#int loop 0
ShangHai(config-if)#ip add 172.16.248.1 255.255.255.0
ShangHai(config-if)#end
After the configuration is complete, use CDP to check connectivity to neighboring devices, for example:
BeiJing#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
ShangHai Ser 1/2 177 R 7206VXR Ser 1/1
GuangZhou Ser 1/0 178 R 7206VXR Ser 1/1
2. On the Guangzhou router, configure RIPv2 to advertise the directly connected networks, as follows:
GuangZhou(config)#router rip
GuangZhou(config-router)#vers
GuangZhou(config-router)#version 2
GuangZhou(config-router)#network 172.16.224.0
GuangZhou(config-router)#network 172.16.5.0
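Because 172.16.5.0 is a stub network, no router or host in it needs RIPv2 updates. Loopback0 is therefore configured as a passive interface, so that RIP updates are not advertised out of this interface while Beijing can still learn this network through RIP. The configuration is as follows: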
GuangZhou(config)#router rip
GuangZhou(config-router)#passive-interface loop 0
RIPv2 will now no longer send routing updates on the Loopback0 interface.
3. Configure RIPv2 on Beijing, advertising only the networks on the Beijing router, as follows:
BeiJing(config)#router rip
BeiJing(config-router)#version 2
BeiJing(config-router)#network 172.16.224.0
BeiJing(config-router)#exit
Then use show ip route on Guangzhou to view the routing table:
GuangZhou#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
R 172.16.240.0/30 [120/1] via 172.16.224.2, 00:00:12, Serial1/1
R 172.16.236.0/24 [120/1] via 172.16.224.2, 00:00:12, Serial1/1
R 172.16.232.0/24 [120/1] via 172.16.224.2, 00:00:12, Serial1/1
C 172.16.224.0/30 is directly connected, Serial1/1
C 172.16.5.0/24 is directly connected, Loopback0
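The two networks 172.16.232.0/24 and 172.16.236.0/24 have now been learned through automatic summarization.
4. The problem now is that the 172.16.236.0/24 network must not be learned by Guangzhou. How do we filter this routing update? This is where a distribute list is used to control routing updates. The configuration is as follows: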
BeiJing#conf t
BeiJing(config)#access-list 1 deny 172.16.236.0 0.0.0.255
BeiJing(config)#access-list 1 permit any
BeiJing(config)#router rip
BeiJing(config-router)#distribute-list 1 out s1/0
BeiJing(config-router)#exit
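First define an ACL that denies the 172.16.236.0/24 network, then apply a distribute list in the outbound direction on S1/0. In other words, Beijing will not send updates about the 172.16.236.0/24 network out of the s1/0 interface. Next, run show ip route on Guangzhou, which displays the following: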
GuangZhou#clear ip route *
GuangZhou#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
R 172.16.240.0/30 [120/1] via 172.16.224.2, 00:00:02, Serial1/1
R 172.16.232.0/24 [120/1] via 172.16.224.2, 00:00:02, Serial1/1
C 172.16.224.0/30 is directly connected, Serial1/1
C 172.16.5.0/24 is directly connected, Loopback0
The 172.16.236.0/24 network has now been filtered out.
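The first-match evaluation that step 4 relies on, as an added Python example (not part of the original lab): it applies ACL 1 to the routes GuangZhou had learned in step 3 and compares the result with the step 4 routing table. It assumes the usual standard-ACL semantics (wildcard bits are ignored, implicit deny at the end); the names parse_acl, permitted, advertised and rip_routes are illustrative.

```python
import ipaddress
import re
# ACL 1 exactly as configured on BeiJing in step 4.
ACL_1 = """\
access-list 1 deny 172.16.236.0 0.0.0.255
access-list 1 permit any
"""
# Constructed input: the RIP routes GuangZhou had learned before the filter (step 3).
CANDIDATES = ["172.16.240.0/30", "172.16.236.0/24", "172.16.232.0/24"]
# Lines copied from GuangZhou's "sh ip route" output after the filter (step 4).
SHOW_IP_ROUTE = """\
R 172.16.240.0/30 [120/1] via 172.16.224.2, 00:00:02, Serial1/1
R 172.16.232.0/24 [120/1] via 172.16.224.2, 00:00:02, Serial1/1
C 172.16.224.0/30 is directly connected, Serial1/1
"""

def parse_acl(text):
    """Parse standard numbered ACL lines into (action, address, wildcard) tuples."""
    entries = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) < 4 or fields[0] != "access-list":
            continue
        if fields[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            addr, wild = fields[3], (fields[4] if len(fields) > 4 else "0.0.0.0")
        entries.append((fields[2], int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def permitted(acl, prefix):
    """First match wins; a route that matches no entry hits the implicit deny."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in acl:
        care = ~wild & 0xFFFFFFFF  # bits that the wildcard mask requires to match
        if (net & care) == (addr & care):
            return action == "permit"
    return False

def advertised(acl, prefixes):
    return [p for p in prefixes if permitted(acl, p)]

def rip_routes(show_output):
    """Return the prefixes of RIP-learned routes (code R) in show ip route text."""
    return re.findall(r"^R\s+(\S+)", show_output, flags=re.M)

if __name__ == "__main__":
    acl = parse_acl(ACL_1)
    print(advertised(acl, CANDIDATES), advertised(acl[:1], CANDIDATES))
```

The second list printed is empty: with the permit any line removed, every route falls through to the implicit deny and nothing is advertised out of s1/0.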
5. Because Shanghai is a stub network and the link bandwidth is only 19.2 Kbps, we use a default route to route its local traffic, configured as follows:
ShangHai#conf t
ShangHai(config)#ip route 0.0.0.0 0.0.0.0 172.16.240.1 210
Next, run debug ip packet on SanJose3, then return to Shanghai and ping the IP address 192.168.5.1. The ping succeeds. The debug output is as follows:
GuangZhou#
*Nov 26 22:51:44.419: IP: s=172.16.224.2 (Serial1/1), d=224.0.0.9, len 72, rcvd 2
*Nov 26 22:51:49.839: IP: s=172.16.224.1 (local), d=224.0.0.9 (Serial1/1), len 52, sending broad/multicast
*Nov 26 22:51:57.551: IP: tableid=0, s=172.16.240.2 (Serial1/1), d=172.16.5.1 (Loopback0), routed via RIB
*Nov 26 22:51:57.551: IP: s=172.16.240.2 (Serial1/1), d=172.16.5.1, len 100, rcvd 4
*Nov 26 22:51:57.555: IP: tableid=0, s=172.16.5.1 (local), d=172.16.240.2 (Serial1/1), routed via FIB
*Nov 26 22:51:57.559: IP: s=172.16.5.1 (local), d=172.16.240.2 (Serial1/1), len 100, sending
*Nov 26 22:51:57.607: IP: tableid=0, s=172.16.240.2 (Serial1/1), d=172.16.5.1 (Loopback0), routed via RIB
*Nov 26 22:51:57.607: IP: s=172.16.240.2 (Serial1/1), d=172.16.5.1, len 100, rcvd 4
*Nov 26 22:51:57.611: IP: tableid=0, s=172.16.5.1 (local), d=172.16.240.2 (Serial1/1), routed via FIB
*Nov 26 22:51:57.611: IP: s=172.16.5.1 (local), d=172.16.240.2 (Serial1/1), len 100, sending
*Nov 26 22:51:57.655: IP: tableid=0, s=172.16.240.2 (Serial1/1), d=172.16.5.1 (Loopback0), routed via RIB
Then continue on Shanghai with the extended ping command, as follows:
ShangHai#ping
Protocol [ip]:
Target IP address: 172.16.5.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.248.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.248.1
.....
Success rate is 0 percent (0/5)
The debug ip packet output on Guangzhou is shown below; the ping does not succeed.
GuangZhou#
*Nov 26 23:03:15.727: IP: s=172.16.224.1 (local), d=224.0.0.9 (Serial1/1), len 52, sending broad/multicastconft
Translating "conft"...domain server (255.255.255.255)
*Nov 26 23:03:18.375: IP: s=172.16.224.1 (local), d=255.255.255.255 (Serial1/1), len 51, sending broad/multicast
*Nov 26 23:03:18.383: IP: s=172.16.5.1 (local), d=255.255.255.255 (Loopback0), len 51, sending broad/multicast
*Nov 26 23:03:18.387: IP: s=172.16.5.1 (Loopback0), d=255.255.255.255, len 51, unroutable
*Nov 26 23:03:21.383: IP: s=172.16.224.1 (local), d=255.255.255.255 (Serial1/1), len 51, sending broad/multicast
*Nov 26 23:03:21.387: IP: s=172.16.5.1 (local), d=255.255.255.255 (Loopback0), len 51, sending broad/multicast
*Nov 26 23:03:21.395: IP: s=172.16.5.1 (Loopback0), d=255.255.255.255, len 51, unroutable
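The ping fails because Shanghai has no route to 172.16.5.1 at all.
6. To let 172.16.5.0/24 and 172.16.248.0/24 reach each other, we need to configure a static route from Shanghai's directly connected segment to the 172.16.5.0 segment and redistribute it into RIP, as follows: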
BeiJing#conf t
BeiJing(config)#ip route 172.16.248.0 255.255.255.0 172.16.240.2 210
Then redistribute this static route into RIP, as follows:
Singapore(config)#router rip
Singapore(config-router)#redistribute static metric 2
7. Finally, use show ip route on Guangzhou to view the routing table, which displays the following:
GuangZhou#sh ip route
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
R 172.16.248.0/24 [120/2] via 172.16.224.2, 00:00:10, Serial1/1
R 172.16.240.0/30 [120/1] via 172.16.224.2, 00:00:10, Serial1/1
R 172.16.232.0/24 [120/1] via 172.16.224.2, 00:00:10, Serial1/1
C 172.16.224.0/30 is directly connected, Serial1/1
C 172.16.5.0/24 is directly connected, Loopback0
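Guangzhou has learned the route to the 172.16.248.0/24 network. Use the extended ping command with source address 172.16.5.1 and destination address 172.16.248.1 to check whether the ping succeeds.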
Guangzhou#ping
Protocol [ip]:
Target IP address: 172.16.248.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.5.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.248.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/48 ms