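Routing policy and policy-based routing are two terms that come up constantly in routing work. What is the difference between them?
Routing policy:
The object is the route. Routes that match a condition have the corresponding policy action applied to them by modifying route attributes (for example permit/deny, accept, import), so that packets using those routes are forwarded according to the defined policy;
Policy-based routing:
The object is the data packet. Packets that match a condition (for example source address or packet length) are forwarded according to the action the policy specifies, such as setting the outbound interface or next hop, or setting the packet's default outbound interface and next hop; if that forwarding fails, the packet is forwarded by the routing table. (In enterprises it is used for traffic steering, and is commonly applied on devices such as firewalls and internal network access control.)
Routing policy lab: network topology
Lab requirements:
1: All of the segments above are 192.168.X.X/24, except for the headquarters static routes;
2: Branch A refuses to accept the route 192.168.5.0/24, and Branch C refuses to import the route 172.16.1.0/24;
3: When the Xi'an headquarters imports static routes it changes the cost to 10, and of the four static routes below it advertises only the 172.16.1.0/24 and 172.16.2.0/24 segments;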
ip route-static 172.16.1.0 255.255.255.0 NULL0
ip route-static 172.16.2.0 255.255.255.0 NULL0
ip route-static 172.16.3.0 255.255.255.0 NULL0
ip route-static 172.16.4.0 255.255.255.0 NULL0
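Lab steps
1: Configure an IP address on each interface, change the interface network type, and advertise the routes in area 0. The four routers are configured similarly;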
#
interface GigabitEthernet0/0/0 //enter interface 0/0/0
ip address 192.168.1.1 255.255.255.0 //configure the IP address and subnet mask
ospf network-type p2p //change the interface network type to OSPF P2P for faster convergence
#
interface GigabitEthernet0/0/1
ip address 192.168.4.2 255.255.255.0
ospf network-type p2p
#
ospf 1 //create the OSPF process
area 0.0.0.0 //enter the backbone area, area 0
network 192.168.1.0 0.0.0.255 //advertise the network, with its wildcard mask
network 192.168.4.0 0.0.0.255
#
2: Check the routing table and OSPF state on each router, taking AR1 as the example, and test with ping;
[AR1]dis ospf peer
OSPF Process 1 with Router ID 192.168.4.2
Neighbors
Area 0.0.0.0 interface 192.168.4.2(GigabitEthernet0/0/1)'s neighbors
Router ID: 192.168.3.2 Address: 192.168.4.1
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 0
Neighbor is up for 01:22:33
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.0 interface 192.168.1.1(GigabitEthernet0/0/0)'s neighbors
Router ID: 192.168.1.2 Address: 192.168.1.2
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 0
Neighbor is up for 01:23:34
Authentication Sequence: [ 0 ]
[AR1]
[AR1]
[AR1]
[AR1]dis ip rou
[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 GigabitEthernet
0/0/0
192.168.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
192.168.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
192.168.2.0/24 OSPF 10 2 D 192.168.1.2 GigabitEthernet
0/0/0
192.168.3.0/24 OSPF 10 2 D 192.168.4.1 GigabitEthernet
0/0/1
192.168.4.0/24 Direct 0 0 D 192.168.4.2 GigabitEthernet
0/0/1
192.168.4.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
192.168.4.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
192.168.5.0/24 OSPF 10 2 D 192.168.1.2 GigabitEthernet
0/0/0
OSPF 10 2 D 192.168.4.1 GigabitEthernet
0/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[AR1]
[AR1]ping 192.168.3.1
PING 192.168.3.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.3.1: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 192.168.3.1: bytes=56 Sequence=4 ttl=254 time=20 ms
[AR1]ping 192.168.5.1
PING 192.168.5.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.5.1: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 192.168.5.1: bytes=56 Sequence=5 ttl=255 time=50 ms
[AR1]
3: On the Xi'an headquarters router, import the static routes with the cost changed to 10;
#
ospf 1
import-route static cost 10
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
4: On each branch router, check whether the static route is now present, taking AR1 as the example;
[AR1]dis ip routing-table 172.16.1.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.16.1.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet
0/0/0
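[AR1] //the cost has been changed to 10
5: We create the IP prefix list GM and then apply the routing policy in OSPF, so that Branch A refuses to accept the route 192.168.5.0/24 and Branch C refuses to import the route 172.16.1.0/24;
Branch A
//On the router where the policy is applied, you can see that at this point AR1 does have routes to 192.168.5.0, and since their cost and preference are identical they can load-balance.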
[AR1]dis ip routing-table 192.168.5.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.5.0/24 OSPF 10 2 D 192.168.1.2 GigabitEthernet
0/0/0
OSPF 10 2 D 192.168.4.1 GigabitEthernet
0/0/1
[AR1]
[AR1]ip ip-prefix gm index 10 deny 192.168.5.0 24 //filter out the route 192.168.5.0/24
[AR1]ip ip-prefix gm index 20 permit 0.0.0.0 0 less-equal 32 //permit all
[AR1]ospf 1
[AR1-ospf-1]filter-policy ip-prefix gm import //apply the filter "gm" in the import direction
[AR1]dis ip routing-table 192.168.5.1 //look up the route to 192.168.5.0/24; the 5.0 route is now gone.
[AR1]
Branch C
[AR4]dis ip routing-table 172.16.1.2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.16.1.0/24 O_ASE 150 10 D 192.168.2.1 GigabitEthernet
0/0/0
[AR4]ip ip-prefix gm index 10 deny 172.16.1.0 24
[AR4]ip ip-prefix gm index 20 permit 0.0.0.0 0 less-equal 32
[AR4]ospf 1
[AR4-ospf-1]filter-policy ip-prefix gm import
[AR4-ospf-1]quit
[AR4]dis ip routing-table 172.16.1.2 //Branch C now has no route to 172.16.1.0;
[AR4]
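Requirement 3: the headquarters advertises only the 172.16.1.0 and 2.0 routes; the others are filtered out;
1: //Before filtering, we can see that branch AR1 has learned all of the static routes;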
=========================================================================================
<AR1>dis ip routing-table | in 172.16
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 16
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.16.1.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet0/0/0
172.16.2.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet0/0/0
172.16.3.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet0/0/0
172.16.4.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet0/0/0
<AR1>
=========================================================================================
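2: On the headquarters router, create the IP prefix list GK, and have the OSPF process call the "gk" filter when it advertises the imported static routes
[AR2]ip ip-prefix gk index 10 permit 172.16.1.0 24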
[AR2]ip ip-prefix gk index 20 permit 172.16.2.0 24
[AR2]ospf 1
[AR2-ospf-1]filter-policy ip-prefix gk export static
[AR2-ospf-1]quit
=========================================================================================
3: Test on branch AR1: we can clearly see that the routing table holds only the routes to 172.16.1.0 and 2.0; the others have been filtered out;
<AR1>dis ip routing-table | in 172.16
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.16.1.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet0/0/0
172.16.2.0/24 O_ASE 150 10 D 192.168.1.2 GigabitEthernet0/0/0
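Added example, not part of the original post: a small Python evaluator for the ip-prefix matching that the gm and gk lists above rely on (entries checked in index order, first match decides, an entry without greater-equal/less-equal matches only the exact mask length, and a route matching no entry is denied). It shows why gm needs its index 20 permit-all entry while gk, which has none, drops 172.16.3.0/24 and 172.16.4.0/24. The function names are hypothetical; the prefix-list lines are copied from the lab.

```python
import ipaddress

# Prefix-list lines copied from the lab above (gm on AR1, gk on AR2).
CONFIG = """
ip ip-prefix gm index 10 deny 192.168.5.0 24
ip ip-prefix gm index 20 permit 0.0.0.0 0 less-equal 32
ip ip-prefix gk index 10 permit 172.16.1.0 24
ip ip-prefix gk index 20 permit 172.16.2.0 24
"""

def parse_prefix_lists(config):
    """Return {name: [(index, action, network, min_len, max_len), ...]} sorted by index."""
    lists = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "ip-prefix"]:
            continue
        name, index, action, addr, length = tok[2], int(tok[4]), tok[5], tok[6], int(tok[7])
        opts = dict(zip(tok[8::2], map(int, tok[9::2])))
        ge, le = opts.get("greater-equal"), opts.get("less-equal")
        if ge is None and le is None:
            lo = hi = length                      # no range given: exact mask length only
        else:
            lo = length if ge is None else ge     # less-equal alone: length..le
            hi = 32 if le is None else le         # greater-equal alone: ge..32
        net = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        lists.setdefault(name, []).append((index, action, net, lo, hi))
    return {n: sorted(e, key=lambda x: x[0]) for n, e in lists.items()}

def evaluate(entries, route):
    """First matching entry wins; a route matching no entry is denied (index None)."""
    r = ipaddress.ip_network(route)
    for index, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.network_address in net:
            return action, index
    return "deny", None

def surviving(entries, routes):
    """Routes that pass the filter-policy, i.e. evaluate to permit."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]

if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    statics = [f"172.16.{i}.0/24" for i in range(1, 5)]   # the four static routes on AR2
    print(surviving(lists["gk"], statics))
    print(evaluate(lists["gm"], "192.168.5.0/24"), evaluate(lists["gm"], "192.168.3.0/24"))
```

Removing the index 20 line from gm in CONFIG makes every route on AR1 evaluate to deny, which is the usual way a deny-only prefix list empties a routing table.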