ACL和Route-Map中permit，deny对路由过滤的动作

最新推荐文章于 2024-04-19 17:57:43 发布

weixin_33978016

最新推荐文章于 2024-04-19 17:57:43 发布

阅读量2.7k

点赞数

原文链接：http://blog.51cto.com/690027732/1392710

版权

此实验讨论route-map中acl permit和any动作对路由过滤影响。

拓扑如图：

验证一.

access-list 10 permit 192.168.4.0 0.0.0.255

access-list 10 permit 192.168.6.0 0.0.0.255

route-map kk permit 10

match ip address 10

router eigrp 90

redistribute ospf 110 metric 10000 100 255 1 1500 route-map kk

network 23.1.1.2 0.0.0.0

no auto-summary

eigrp router-id 1.1.1.1

R3#sh ip route

Gateway of last resort is not set

23.0.0.0/24 is subnetted, 1 subnets

C 23.1.1.0 is directly connected, FastEthernet0/1

192.168.4.0/32 is subnetted, 1 subnets

D EX 192.168.4.1 [170/307200] via 23.1.1.2, 01:24:13, FastEthernet0/1

192.168.6.0/32 is subnetted, 1 subnets

D EX 192.168.6.1 [170/307200] via 23.1.1.2, 01:23:50, FastEthernet0/1

从R3的路由表可知，Route-map 仅仅重分发了192.168.4.0/24和192.168.6.0/24的路由，过滤了其他的路由。 Route-map 末尾有一条隐含的deny any子句，这个子句拒绝了其他的路由，并不是acl 的隐含deny any 拒绝掉的。

验证二.

access-list 10 deny 192.168.4.0 0.0.0.255

access-list 10 permit any

route-map kk permit 10

match ip address 10

router eigrp 90

redistribute ospf 110 metric 10000 100 255 1 1500 route-map kk

network 23.1.1.2 0.0.0.0

no auto-summary

eigrp router-id 1.1.1.1

R3#sh ip route

Gateway of last resort is not set

23.0.0.0/24 is subnetted, 1 subnets

C 23.1.1.0 is directly connected, FastEthernet0/1

192.168.5.0/32 is subnetted, 1 subnets

D EX 192.168.5.1 [170/307200] via 23.1.1.2, 00:00:03, FastEthernet0/1

192.168.6.0/32 is subnetted, 1 subnets

D EX 192.168.6.1 [170/307200] via 23.1.1.2, 00:00:03, FastEthernet0/1

192.168.7.0/32 is subnetted, 1 subnets

D EX 192.168.7.1 [170/307200] via 23.1.1.2, 00:00:03, FastEthernet0/1

12.0.0.0/24 is subnetted, 1 subnets

D EX 12.1.1.0 [170/307200] via 23.1.1.2, 00:00:05, FastEthernet0/1

从R3的路由表可知，R2的acl由两条语句构成，实际上是由permit子句匹配了192.168.5.0/24和192.168.6.0/24，192.168.7.0/24,12.1.1.0/24四条路由。所以仅仅重分发acl permit所匹配的路由。

验证三

access-list 10 deny 192.168.4.0 0.0.0.255

route-map kk permit 10 | route-map kk deny 10 结果一样

match ip address 10

route-map kk permit 15

router eigrp 90

redistribute ospf 110 metric 10000 100 255 1 1500 route-map kk

network 23.1.1.2 0.0.0.0

no auto-summary

eigrp router-id 1.1.1.1

R3#sh ip route

Gateway of last resort is not set

23.0.0.0/24 is subnetted, 1 subnets

C 23.1.1.0 is directly connected, FastEthernet0/1

192.168.4.0/32 is subnetted, 1 subnets

D EX 192.168.4.1 [170/307200] via 23.1.1.2, 00:00:04, FastEthernet0/1

192.168.5.0/32 is subnetted, 1 subnets

D EX 192.168.5.1 [170/307200] via 23.1.1.2, 00:00:04, FastEthernet0/1

192.168.6.0/32 is subnetted, 1 subnets

D EX 192.168.6.1 [170/307200] via 23.1.1.2, 00:00:04, FastEthernet0/1

192.168.7.0/32 is subnetted, 1 subnets

D EX 192.168.7.1 [170/307200] via 23.1.1.2, 00:00:05, FastEthernet0/1

12.0.0.0/24 is subnetted, 1 subnets

D EX 12.1.1.0 [170/307200] via 23.1.1.2, 00:00:05, FastEthernet0/1

从R3的路由表可知，R2中的acl拒绝了192.168.4.0/24的路由,但是R3学习到了所有的路由，

即没有路由被过滤。可见在route-map中acl的 deny子句并没有起到作用，匹配失败。

也就是说在Route-map中acl 的 deny子句单独使用不起到匹配路由的作用。由LAB2可以看出和permit any子句一起使用时将可以起到作用。

验证四：

access-list 10 deny 192.168.4.0 0.0.0.255

access-list 10 permit 192.168.6.0 0.0.0.255

route-map kk permit 10

match ip address 10

route-map kk permit 15

router eigrp 90

redistribute ospf 110 metric 10000 100 255 1 1500 route-map kk

network 23.1.1.2 0.0.0.0

no auto-summary

eigrp router-id 1.1.1.1

R3#sh ip route

Gateway of last resort is not set

23.0.0.0/24 is subnetted, 1 subnets

C 23.1.1.0 is directly connected, FastEthernet0/1

192.168.4.0/32 is subnetted, 1 subnets

D EX 192.168.4.1 [170/307200] via 23.1.1.2, 00:16:37, FastEthernet0/1

192.168.5.0/32 is subnetted, 1 subnets

D EX 192.168.5.1 [170/307200] via 23.1.1.2, 00:16:37, FastEthernet0/1

192.168.6.0/32 is subnetted, 1 subnets

D EX 192.168.6.1 [170/307200] via 23.1.1.2, 00:16:37, FastEthernet0/1

192.168.7.0/32 is subnetted, 1 subnets

D EX 192.168.7.1 [170/307200] via 23.1.1.2, 00:16:38, FastEthernet0/1

12.0.0.0/24 is subnetted, 1 subnets

D EX 12.1.1.0 [170/307200] via 23.1.1.2, 00:16:38, FastEthernet0/1

从R3的路由表可知，R2的acl 1虽然deny 了192.168.4.0/24，但是R3却学习到了所有的路由，可以由LAB3 LAB4得出结论，acl 的deny子句在Route-map中不会起到任何的作用，仅仅当deny 和permit any一起使用时，才有效果

验证五

access-list 10 deny 192.168.4.0 0.0.0.255

access-list 10 permit 192.168.6.0 0.0.0.255

route-map kk deny 10

match ip address 10

route-map kk permit 15

router eigrp 90

redistribute ospf 110 metric 10000 100 255 1 1500 route-map kk

network 23.1.1.2 0.0.0.0

no auto-summary

eigrp router-id 1.1.1.1

R3#sh ip route

Gateway of last resort is not set

23.0.0.0/24 is subnetted, 1 subnets

C 23.1.1.0 is directly connected, FastEthernet0/1

192.168.4.0/32 is subnetted, 1 subnets

D EX 192.168.4.1 [170/307200] via 23.1.1.2, 00:00:02, FastEthernet0/1

192.168.5.0/32 is subnetted, 1 subnets

D EX 192.168.5.1 [170/307200] via 23.1.1.2, 00:00:02, FastEthernet0/1

192.168.7.0/32 is subnetted, 1 subnets

D EX 192.168.7.1 [170/307200] via 23.1.1.2, 00:00:02, FastEthernet0/1

12.0.0.0/24 is subnetted, 1 subnets

D EX 12.1.1.0 [170/307200] via 23.1.1.2, 00:00:03, FastEthernet0/1

从R3的路由表可知，R2上的Route-map a 10的动作从permit改为了deny，结果是192.168.6.0/24的网络没有被重分发，可以再次验证上面实验得出的结果：acl 的deny子句在Route-map中不会起到任何的作用，仅仅当deny 和permit any一起使用时，才有效果。

从以上实验可得出结论如下:

1.在route-map中acl的 deny子句并没有起到过滤路由的作用，实际上在Route-map中acl的deny单独使用不起到匹配路由的作用，只是不参与匹配到的match的route-map,但会与下一个route-map继续进行匹配，直至结束

2.由LAB2可以看出和permit any子句一起使用时将可以起到作用。只有ACL的permit子句会起到匹配路由的作用

3.Route-map的permit,any动作是决定路由过滤的关键， ACL permit只是起到匹配路由的作用,没有过滤功能。

转载于:https://blog.51cto.com/690027732/1392710

weixin_33978016

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
ACL和Route-Map中permit，deny对路由过滤的动作

此实验讨论route-map中acl permit和any动作对路由过滤影响。拓扑如图：验证一.R2access-list 10 permit 192.168.4.0 0.0.0.255access-list 10 permit 192.168.6.0 0.0.0.255!route-map kk permit 10 match ip address 10!router ei...
复制链接

扫一扫