OSPF路由控制
实验拓扑
实验需求
公司A使用OSPF路由协议实现公司设备全网互通,后来公司A扩张兼并了公司B,要求将公司B采用的IS-IS路由协议与公司A的OSPF协议互相引入,使得相应部门可以实现互通。
Router_3和Router_4作为公司核心设备负责各个部门间的通信。由于业务需要,现要求通过下列措施控制并调整网络中的路由信息:
- 在Router_2上对引入的路由信息进行过滤,使得工程二部所在网段无法访问市场一部、工程一部和财务部所在网段。
- 在Router_3上使用路由信息的过滤功能,使得市场一部所在网段无法访问工程一部。
- 在Router_6上使用路由信息的过滤功能,使得工程一部和财务部所在网段无法访问市场二部
实验步骤
1.配置IP地址及环回口
2.公司B配置ISIS,实验互通
R1
[Huawei]isis 1
[Huawei-isis-1]is-level level-2
[Huawei-isis-1]network-entity 49.0001.0000.0001.00
[Huawei-isis-1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]isis enable
[Huawei-GigabitEthernet0/0/2]int g0/0/1
[Huawei-GigabitEthernet0/0/1]isis enable
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]isis enable
R2
[Huawei]isis 1
[Huawei-isis-1]network-entity 49.0001.0000.0002.00
[Huawei-isis-1]is-level level-2
[Huawei-isis-1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]isis enable
3.公司A运行OSPF,配置相关区域
R2
[Huawei]ospf 1
[Huawei-ospf-1]A 3
[Huawei-ospf-1-area-0.0.0.3]NE
[Huawei-ospf-1-area-0.0.0.3]network 192.168.6.0 0.0.0.255
R3
[Huawei]OSPF 1
[Huawei-ospf-1]A 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.7.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]A 2
[Huawei-ospf-1-area-0.0.0.2]NET 192.168.8.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]A 3
[Huawei-ospf-1-area-0.0.0.3]NE 192.168.6.0 0.0.0.255
R4
[Huawei]ospf 1
[Huawei-ospf-1]a 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.7.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]a 1
[Huawei-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
R5
[Huawei]OSPF 1
[Huawei-ospf-1]A 2
[Huawei-ospf-1-area-0.0.0.2]network 192.168.8.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]NET 192.168.3.0 0.0.0.255
R6
[Huawei]OSPF
[Huawei-ospf-1]A 1
[Huawei-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.4.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.5.0 0.0.0.255
在R2上ISIS和OSPF相互引入
[Huawei]ISIS 1
[Huawei-isis-1]import-route ospf 1
[Huawei]ospf
[Huawei-ospf-1]import-route isis 1
4. 在R2上对引入的路由信息进行过滤,使得工程二部所在网段无法访问市场一部、工程一部和财务部所在网段。
R2
[Huawei]ACL 2000
[Huawei-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[Huawei]route-policy 4 deny node 10
[Huawei-route-policy]if-match acl 2000
[Huawei]route-policy 4 permit node 20
[Huawei]ospf 1
[Huawei-ospf-1]import-route isis 1 route-policy 4
5. 在R2上查看协议路由表
[Huawei-ospf-1]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 6 Routes : 6
OSPF routing table status : <Active>
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.3.0/24 OSPF 10 3 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.4.0/24 OSPF 10 4 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.5.0/24 OSPF 10 4 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.7.0/24 OSPF 10 2 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.8.0/24 OSPF 10 2 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.10.0/24 OSPF 10 3 D 192.168.6.2 GigabitEthernet
0/0/1
6. R2上查看OSPF协议路由表,工程二部网段已被过滤掉
[Huawei]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 6 Routes : 6
OSPF routing table status : <Active>
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.3.0/24 OSPF 10 3 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.4.0/24 OSPF 10 4 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.5.0/24 OSPF 10 4 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.7.0/24 OSPF 10 2 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.8.0/24 OSPF 10 2 D 192.168.6.2 GigabitEthernet
0/0/1
192.168.10.0/24 OSPF 10 3 D 192.168.6.2 GigabitEthernet
0/0/1
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 0
7. 在R3上使用路由信息的过滤功能,使得市场一部所在网段无法访问工程一部。
R3
[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 permit source 192.168.4.0 0.0.0.255
[Huawei]route-policy 5 deny node 10
[Huawei-route-policy]if-match acl 2000
[Huawei]route-policy 5 permit node 20
[Huawei]ospf
[Huawei-ospf-1]a 2
[Huawei-ospf-1-area-0.0.0.2]filter route-policy 5 import
8. R5上OSPF协议路由表上,工程一部网段已被过滤
[Huawei]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 6 Routes : 6
OSPF routing table status : <Active>
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.1.0/24 O_ASE 150 1 D 192.168.8.2 GigabitEthernet
0/0/0
192.168.5.0/24 OSPF 10 4 D 192.168.8.2 GigabitEthernet
0/0/0
192.168.6.0/24 OSPF 10 2 D 192.168.8.2 GigabitEthernet
0/0/0
192.168.7.0/24 OSPF 10 2 D 192.168.8.2 GigabitEthernet
0/0/0
192.168.9.0/24 O_ASE 150 1 D 192.168.8.2 GigabitEthernet
0/0/0
192.168.10.0/24 OSPF 10 3 D 192.168.8.2 GigabitEthernet
0/0/0
9.市场一部PING 工程一部
PC>ping 192.68.4.10
Ping 192.68.4.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.68.4.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet los
10. 在R6上使用路由信息的过滤功能,使得工程一部和财务部所在网段无法访问市场二部
R6
[Huawei]ACL 2000
[Huawei-acl-basic-2000] rule 5 permit source 192.168.1.0 0.0.0.255
[Huawei]route-policy 77 deny node 10
[Huawei-route-policy]if-match acl 2000
[Huawei]route-policy 77 permit node 20
[Huawei-ospf-1]filter-policy route-policy 77 import
11.R6上查看OSPF协议路由表,市场二部的路由条目已过滤
[Huawei-ospf-1]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 5 Routes : 5
OSPF routing table status : <Active>
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.3.0/24 OSPF 10 4 D 192.168.10.2 GigabitEthernet
0/0/0
192.168.6.0/24 OSPF 10 3 D 192.168.10.2 GigabitEthernet
0/0/0
192.168.7.0/24 OSPF 10 2 D 192.168.10.2 GigabitEthernet
0/0/0
192.168.8.0/24 OSPF 10 3 D 192.168.10.2 GigabitEthernet
0/0/0
192.168.9.0/24 O_ASE 150 1 D 192.168.10.2 GigabitEthernet
0/0/0
12.工程一部不能访问市场二部
PC>ping 192.168.1.1
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
13.财务部不能访问市场二部
PC>ping 192.168.1.1
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss