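Lab: Configuring OSPFv3 External Route Import and Route Filtering
Lab topology:
Lab tasks:
- Enable the OSPFv3 routing protocol on R1, R2, R3, R4 and R5.
- R1 and R2 are in Area 0, R1 and R3 are in Area 2, R1 and R5 are in Area 1, and R2 and R4 are in Area 3. Once the OSPFv3 neighbor relationships are established, R1, R2, R3, R4 and R5 can reach each other.
- Enable the ISISv6 routing protocol on R5, R6 and R7. R5 and R6 are Is-level-1-2 and R7 is Level 1. Once the neighbor relationships are established, R5, R6 and R7 can communicate with each other.
- On R5, redistribute routes mutually between OSPFv3 and ISISv6, and filter the imported routes on R5 so that the R&D Department 2 segment cannot reach the segments of Marketing Department 1, R&D Department 1 and the After-Sales Service Department.
- On R3, use route filtering so that the Marketing Department 1 segment cannot reach R&D Department 1.
- On R4, use route filtering so that the R&D Department 1 and After-Sales Service Department segments cannot reach Marketing Department 2.
Configuration steps:
1. Configure interface settings and OSPFv3 on R1-R5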
R1:
ipv6
ospfv3 1 //configure OSPFv3 (supports IPv6)
router-id 1.1.1.1
area 0
area 1
area 2
interface GigabitEthernet0/0/0
ipv6 enable //enable IPv6 on the interface
ipv6 address 2012::1/64 //configure the IPv6 address
ospfv3 1 area 0.0.0.0 //advertise the interface in OSPFv3 process 1, area 0
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2013::1/64
ospfv3 1 area 0.0.0.2
interface GigabitEthernet0/0/2
ipv6 enable
ipv6 address 2015::1/64
ospfv3 1 area 0.0.0.1
interface LoopBack0
ipv6 enable
ipv6 address 1111::1/128
ospfv3 1 area 0.0.0.0
The OSPFv3 configuration of the other routers is omitted.
1.1. Check neighbor establishment and route learning
[R1]dis ospfv3 peer
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
Neighbor ID Pri State Dead Time Interface Instance ID
2.2.2.2 1 Full/DR 00:00:39 GE0/0/0 0
OSPFv3 Area (0.0.0.1)
Neighbor ID Pri State Dead Time Interface Instance ID
5.5.5.5 1 Full/Backup 00:00:33 GE0/0/2 0
OSPFv3 Area (0.0.0.2)
Neighbor ID Pri State Dead Time Interface Instance ID
3.3.3.3 1 Full/Backup 00:00:37 GE0/0/1 0
//the neighbors are in the Full state
//check route learning on R5
[R5]dis ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 1111::1/128 1
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 2001::/64 3
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 2003::/64 4
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 2006::/64 4
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 2012::/64 2
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 2013::/64 2
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
2015::/64 1
directly connected, GigabitEthernet0/0/2
IA 2024::/64 3
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 2222::2/128 2
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 3333::3/128 2
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
IA 4444::44/128 3
via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
//all routes in the OSPF domain have been learned
2. Configure interface settings and IS-IS on R5, R6 and R7
R5:
ipv6
isis 1
is-level level-2 //configure IS-Level 2
network-entity 10.0000.0000.0005.00
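ipv6 enable topology standard //enable IPv6 for IS-IS, with the standard topology type
interface GigabitEthernet0/0/1
ipv6 enable //enable IPv6 on the interface
ipv6 address 2056::5/64 //configure the IPv6 address on the interface
isis ipv6 enable 1 //enable IPv6 IS-IS on the interface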
R6:
ipv6
isis 1
network-entity 10.0000.0000.0006.00
ipv6 enable topology standard
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2056::6/64
isis ipv6 enable 1
interface GigabitEthernet0/0/2
ipv6 enable
ipv6 address 2067::6/64
isis ipv6 enable 1
R7:
ipv6
isis 1
is-level level-1 //configure IS-IS Level 1
network-entity 10.0000.0000.0007.00
ipv6 enable topology standard
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2004::1/64
isis ipv6 enable 1
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2005::1/64
isis ipv6 enable 1
#
interface GigabitEthernet0/0/2
ipv6 enable
ipv6 address 2067::7/64
isis ipv6 enable 1
2.1. Check neighbor establishment and route learning
R6:
//check the IS-IS neighbors
[R6]dis isis peer
Peer information for ISIS(1)
System Id Interface Circuit Id State HoldTime Type PRI
-------------------------------------------------------------------------------
0000.0000.0005 GE0/0/1 0000.0000.0006.01 Up 20s L2 64
0000.0000.0007 GE0/0/2 0000.0000.0006.02 Up 20s L1 64
//check route learning
[R6]dis isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-1 Forwarding Table
--------------------------------
IPV6 Dest. ExitInterface NextHop Cost Flags
-------------------------------------------------------------------------------
2005::/64 GE0/0/2 FE80::2E0:FCFF:FEB1:35A 20 A/L/-
2056::/64 GE0/0/1 Direct 10 D/L/-
2004::/64 GE0/0/2 FE80::2E0:FCFF:FEB1:35A 20 A/L/-
6666::6/128 Loop0 Direct 0 D/L/-
2067::/64 GE0/0/2 Direct 10 D/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
ISIS(1) Level-2 Forwarding Table
--------------------------------
IPV6 Dest. ExitInterface NextHop Cost Flags
-------------------------------------------------------------------------------
5555::5/128 GE0/0/1 FE80::2E0:FCFF:FE35:3D91 10 A/-/-
2056::/64 GE0/0/1 Direct 10 D/L/-
6666::6/128 Loop0 Direct 0 D/L/-
2067::/64 GE0/0/2 Direct 10 D/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
3. On R5, import routes mutually between ISISv6 and OSPFv3 so that the whole network is reachable
R5:
isis 1
ipv6 import-route ospfv3 1 //import OSPFv3 routes into ISISv6
ospfv3 1
import-route isis 1 //import ISISv6 routes into OSPFv3
R6:
isis 1
ipv6 import-route isis level-2 into level-1 //leak Level-2 routes into Level-1
3.1. Check the route entries on R7 and R4
R7:
[R7]dis isis route
ISIS(1) Level-1 Forwarding Table
--------------------------------
IPV6 Dest. ExitInterface NextHop Cost Flags
-------------------------------------------------------------------------------
2005::/64 GE0/0/1 Direct 10 D/L/-
2013::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
5555::5/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2056::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/-
3333::3/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2004::/64 GE0/0/0 Direct 10 D/L/-
1111::1/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2012::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2003::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
6666::6/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 10 A/-/-
2024::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
4444::44/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2067::/64 GE0/0/2 Direct 10 D/L/-
2015::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2222::2/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2006::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
2001::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
//route learning is normal
R4:
[R4]dis ospfv3 routing
Codes : E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
N - NSSA, U - Uninstalled
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 1111::1/128 2
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
IA 2001::/64 4
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
2003::/64 1
directly connected, GigabitEthernet0/0/2
E2 2004::/64 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
E2 2005::/64 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
2006::/64 1
directly connected, GigabitEthernet0/0/0
IA 2012::/64 2
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
IA 2013::/64 3
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
IA 2015::/64 3
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
2024::/64 1
directly connected, GigabitEthernet0/0/1
E2 2056::/64 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
E2 2067::/64 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
IA 2222::2/128 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
IA 3333::3/128 3
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
4444::44/128 0
directly connected, LoopBack0
E2 5555::5/128 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
E2 6666::6/128 1
via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
//route learning is normal
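4. On R5, filter out the R&D Department 2 route when IS-IS routes are imported into OSPFv3
R5:
ip ipv6-prefix deny_list index 10 permit 2005:: 64 //use a prefix list to match the R&D Department 2 segment
route-policy deny deny node 10 //use the route-policy to deny whatever the prefix list matches
if-match ipv6 address prefix-list deny_list
route-policy deny permit node 20 //permit everything the prefix list did not match
ospfv3 1
import-route isis 1 route-policy deny //apply the route-policy when importing the routes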
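The node 10 / node 20 logic above, modelled as an added Python example (not part of the original lab and not VRP code): it shows why node 20 is needed and that an `ip ipv6-prefix` entry without `less-equal` matches only the exact /64. The `less-equal 128` variant and the /65 route are assumptions made up for the illustration.

```python
import ipaddress

def prefix_list_permits(entries, route):
    """First-match walk of an 'ip ipv6-prefix' list; no match means deny."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        # Without greater-equal/less-equal the mask length must match exactly.
        lo = base.prefixlen if ge is None else ge
        hi = le if le is not None else (base.prefixlen if ge is None else 128)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def imported(nodes, route):
    """Walk route-policy nodes in order; a node without if-match matches all."""
    for mode, plist in nodes:
        if plist is None or prefix_list_permits(plist, route):
            return mode == "permit"
    return False  # no node matched: implicit deny

def run(nodes, routes):
    return [r for r in routes if imported(nodes, r)]

# IS-IS side prefixes R5 can import (the E2 routes seen in the R4 output).
ISIS_ROUTES = ["2004::/64", "2005::/64", "2056::/64", "2067::/64",
               "5555::5/128", "6666::6/128"]
DENY_LIST = [("permit", "2005::/64", None, None)]      # the page's prefix list
PAGE_POLICY = [("deny", DENY_LIST), ("permit", None)]  # node 10, node 20
NO_NODE_20 = [("deny", DENY_LIST)]                     # node 20 forgotten
# Assumed variant (not on the page): "... 2005:: 64 less-equal 128".
WIDE_LIST = [("permit", "2005::/64", None, 128)]
WIDE_POLICY = [("deny", WIDE_LIST), ("permit", None)]
# Constructed more-specific route, to show what the exact-length entry misses.
LEAK = "2005:0:0:0:8000::/65"

if __name__ == "__main__":
    print("page policy  :", run(PAGE_POLICY, ISIS_ROUTES))
    print("no node 20   :", run(NO_NODE_20, ISIS_ROUTES))
    print("leak (exact) :", run(PAGE_POLICY, [LEAK]))
    print("leak (le 128):", run(WIDE_POLICY, [LEAK]))
```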
4.1. Verification:
[R1]dis ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
1111::1/128 0
directly connected, LoopBack0
2001::/64 2
via FE80::2E0:FCFF:FEB7:4E02, GigabitEthernet0/0/1
IA 2003::/64 3
via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
E2 2004::/64 1
via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
IA 2006::/64 3
via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
2012::/64 1
directly connected, GigabitEthernet0/0/0
2013::/64 1
directly connected, GigabitEthernet0/0/1
2015::/64 1
directly connected, GigabitEthernet0/0/2
IA 2024::/64 2
via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
E2 2056::/64 1
via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
E2 2067::/64 1
via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
2222::2/128 1
via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
3333::3/128 1
via FE80::2E0:FCFF:FEB7:4E02, GigabitEthernet0/0/1
IA 4444::44/128 2
via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
E2 5555::5/128 1
via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
E2 6666::6/128 1
via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
//the R&D Department 2 segment has been filtered out
R&D Department 2:
PC>ping 2001::2
Ping 2001::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
--- 2001::2 ping statistics ---
2 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC>ping 2006::2
Ping 2006::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
--- 2006::2 ping statistics ---
2 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC>ping 2003::2
Ping 2003::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
--- 2003::2 ping statistics ---
2 packet(s) transmitted
0 packet(s) received
100.00% packet loss
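//R&D Department 2 cannot reach Marketing Department 1, R&D Department 1 or the After-Sales Service Department
5. On R3, use filter-policy to filter out the 2006::0 route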
acl ipv6 number 2000
rule 5 deny source 2006::/64 //define an ACL that denies the 2006:: route
rule 10 permit
ospfv3 1
router-id 3.3.3.3
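filter-policy 2000 import //applied in the OSPFv3 process in the inbound direction (a link-state protocol cannot apply the policy in the outbound direction)
5.1. Verification:
Marketing Department 1: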
PC>ping 2006::2
Ping 2006::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
--- 2006::2 ping statistics ---
3 packet(s) transmitted
0 packet(s) received
100.00% packet loss
//Marketing Department 1 cannot ping R&D Department 1
6. On R4, filter out the Marketing Department 2 route
R4:
acl ipv6 number 2000
rule 5 deny source 2004::/64 //define an ACL that denies the 2004:: route
rule 10 permit
ospfv3 1
router-id 4.4.4.4
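filter-policy 2000 import //applied in the OSPFv3 process in the inbound direction (a link-state protocol cannot apply the policy in the outbound direction)
6.1. Verification: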
PC>ping 2003::2
Ping 2003::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
--- 2003::2 ping statistics ---
2 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC>ping 2006::2
Ping 2006::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
--- 2006::2 ping statistics ---
2 packet(s) transmitted
0 packet(s) received
100.00% packet loss
//Marketing Department 2 cannot ping R&D Department 1 or the After-Sales Service Department