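Lab requirements:
1. Enable OSPF across the whole network so that all segments can reach each other
2. The Marketing department must not be able to access the Finance and R&D departments
3. Company headquarters must not be able to access the R&D department
Lab topology:
Configure IP addresses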
PC1
PC2
AR3
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR3
[AR3]un in en
Info: Information center is disabled.
[AR3]inter g0/0/0
[AR3-GigabitEthernet0/0/0]ip add 10.1.4.1 24
[AR3-GigabitEthernet0/0/0]inter g0/0/1
[AR3-GigabitEthernet0/0/1]ip add 1.1.1.1 24
AR4
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR4
[AR4]un in en
Info: Information center is disabled.
[AR4]inter g0/0/1
[AR4-GigabitEthernet0/0/1]ip add 10.1.5.1 24
[AR4-GigabitEthernet0/0/1]inter g0/0/0
[AR4-GigabitEthernet0/0/0]ip ad 2.2.2.1 24
AR2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR2
[AR2]un in en
Info: Information center is disabled.
[AR2]inter g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 1.1.1.2 24
[AR2-GigabitEthernet0/0/0]inter g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 2.2.2.2 24
[AR2-GigabitEthernet0/0/1]inter g0/0/2
[AR2-GigabitEthernet0/0/2]ip add 3.3.3.1 24
AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys AR1
[AR1]un in en
Info: Information center is disabled.
[AR1]inter g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 3.3.3.2 24
[AR1-GigabitEthernet0/0/0]inte l 1
[AR1-LoopBack1]ip add 10.1.1.1 24
[AR1-LoopBack1]inte l 2
[AR1-LoopBack2]ip add 10.1.2.1 24
[AR1-LoopBack2]inte l 3
[AR1-LoopBack3]ip add 10.1.3.1 24
Configure OSPF
AR1
[AR1]ospf
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]net 3.3.3.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]qu
[AR1-ospf-1]import-route direct
AR2
[AR2]ospf
[AR2-ospf-1]are 0
[AR2-ospf-1-area-0.0.0.0]net 1.1.1.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]net 2.2.2.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]net 3.3.3.0 0.0.0.255
AR3
[AR3]ospf
[AR3-ospf-1]are 0
[AR3-ospf-1-area-0.0.0.0]net 10.1.4.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]net 1.1.1.0 0.0.0.255
AR4
[AR4]ospf
[AR4-ospf-1]are 0
[AR4-ospf-1-area-0.0.0.0]net 10.1.5.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]net 2.2.2.0 0.0.0.255
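At this point every segment can ping every other segment
The Marketing department must not be able to access the Finance and R&D departments
This requires a routing policy on AR3: a basic ACL bound to an OSPF filter-policy in the import direction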
[AR3]acl number 2000
[AR3-acl-basic-2000]rule deny source 10.1.1.0 0.0.0.255
[AR3-acl-basic-2000]rule deny source 10.1.2.0 0.0.0.255
[AR3-acl-basic-2000]rule permit source any
[AR3-acl-basic-2000]q
[AR3]ospf
[AR3-ospf-1]filter-policy 2000 import
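Company headquarters must not be able to access the R&D department
This requires a routing policy on AR4: an IP prefix list bound to an OSPF filter-policy in the import direction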
[AR4]ip ip-prefix denyPC2 deny 10.1.2.0 24
[AR4]ospf
[AR4-ospf-1]filter-policy ip-prefix denyPC2 import
[AR4-ospf-1]qu
[AR4]ip ip-prefix denyPC2 index 20 permit 0.0.0.0 0 less-equal 32
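Added example (not part of the original lab): a small Python model of how the denyPC2 prefix list on AR4 is evaluated, showing why the final index 20 permit entry is required and what AR4 installs before and after it is entered. The model assumes first-match evaluation in index order, a deny for any route that matches no entry, and index 10 for the first entry; the route list is constructed from the addresses configured above.

```python
import ipaddress

def entry(index, action, prefix, ge=None, le=None):
    """One ip-prefix entry. With no bound given, the route's mask length must
    equal the entry's own; with only less-equal it may range up to that value."""
    net = ipaddress.ip_network(prefix)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    return (index, action, net, lo, hi)

def evaluate(prefix_list, route):
    """Return 'permit' or 'deny': lowest index first, first match wins,
    and a route that matches no entry is denied (modelled assumption)."""
    r = ipaddress.ip_network(route)
    for _, action, net, lo, hi in sorted(prefix_list, key=lambda e: e[0]):
        if r.network_address in net and lo <= r.prefixlen <= hi:
            return action
    return "deny"

def installed(prefix_list, routes):
    """Routes that survive 'filter-policy ip-prefix ... import'."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# Constructed sample: OSPF routes AR4 can learn in this lab
# (area 0 networks plus AR1's loopbacks brought in by import-route direct).
OSPF_ROUTES = ["1.1.1.0/24", "3.3.3.0/24", "10.1.4.0/24",
               "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]

# State when the filter-policy is applied: only the deny entry exists.
# Index 10 for this entry is an assumption (the page gives no index for it).
BEFORE = [entry(10, "deny", "10.1.2.0/24")]
# State after the last command on the page adds the catch-all permit.
AFTER = BEFORE + [entry(20, "permit", "0.0.0.0/0", le=32)]

if __name__ == "__main__":
    print("before index 20:", installed(BEFORE, OSPF_ROUTES))
    print("after index 20: ", installed(AFTER, OSPF_ROUTES))
```

In this model, entering the permit entry before applying the filter-policy avoids the window in which AR4 installs no OSPF routes at all. ACL 2000 on AR3 ends with rule permit source any for the same reason.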