1.1.1 关于本实验
ISIS协议是当今全球IP网络部署的主流IGP协议,随着IPV6的到来,ISIS协议因为其TLV的强扩展性越来越受到社会各界IP网络的青睐,本实验主要介绍ISIS协议的双栈分区域部署,并在此基础上部署相关的过滤策略和路由渗透技术。
1.1.2 实验目的
- 掌握双栈ISIS协议的分区域部署。
- 掌握ISIS协议的过滤策略部署。
- 掌握ISIS路由渗透技术。
- 掌握ISIS日常运维。
1.1.3 实验组网介绍
1.1.4 实验规划
RTA、RTB、RTC和RTD都运行双栈ISIS协议。其中RTA在Area 02里,RTB、RTC和RTD在Area 01里。RTA工作在L2,RTB、RTC工作在L12,RTD工作在L1。要求四台路由器IPv4和IPv6的路由全互通。RTB和RTC上部署ISIS路由渗透,RTA上存在两条路由100.1.1.1/32和200.1.1.1/32,要求部署策略实现RTA上只发布200.1.1.1/32。
1.2 实验任务配置
1.2.1 配置思路
1.配置每台路由器的IPv4和IPv6地址。
2.在每台路由器的全局和互连接口上开启ISIS协议,设置不同的NET和工作Level实现分区域部署配置。
3.在每台路由器的全局和互连接口上使能ISISv6,完成双栈ISISv6配置。
4.在RTB和RTC上部署IPv4路由渗透,让RTD能学习到明细路由。
5.在RTA上部署策略,实现RTA在引入的所有的静态路由中只引入200.1.1.1/32路由。
1.2.2 配置步骤
步骤 1 配置RTA、RTB、RTC和RTD的IPv4和IPv6地址。
# 配置RTA的IPv4和IPv6地址
system-view[Huawei]sysname RTA[RTA]ipv6[RTA]interface GigabitEthernet 0/0/1[RTA-GigabitEthernet0/0/1]ip address 10.1.1.1 255.255.255.252[RTA-GigabitEthernet0/0/1]ipv6 enable[RTA-GigabitEthernet0/0/1]ipv6 address 2000::1/64[RTA-GigabitEthernet0/0/1]quit[RTA]interface GigabitEthernet 0/0/2[RTA-GigabitEthernet0/0/2]ip address 10.1.2.1 24[RTA-GigabitEthernet0/0/2]ipv6 enable[RTA-GigabitEthernet0/0/2]ipv6 address 2001::1/64[RTA-GigabitEthernet0/0/2]quit[RTA]interface LoopBack 0[RTA-LoopBack0]ip address 1.1.1.1 32[RTA-LoopBack0]ipv6 enable[RTA-LoopBack0]ipv6 address 1111::1/128[RTA-LoopBack0]quit
# 配置RTB的IPv4和IPv6地址
system-view[Huawei]sysname RTB[RTB]ipv6[RTB]interface GigabitEthernet 0/0/0[RTB-GigabitEthernet0/0/0]ip address 10.1.1.2 30[RTB-GigabitEthernet0/0/0]ipv6 enable[RTB-GigabitEthernet0/0/0]ipv6 address 2000::2/64[RTB-GigabitEthernet0/0/0]quit[RTB]interface GigabitEthernet 0/0/1[RTB-GigabitEthernet0/0/1]ip address 10.2.1.1 24[RTB-GigabitEthernet0/0/1]ipv6 enable[RTB-GigabitEthernet0/0/1]ipv6 address 2003::1/64[RTB-GigabitEthernet0/0/1]quit[RTB]interface LoopBack 0[RTB-LoopBack0]ip address 2.2.2.2 32[RTB-LoopBack0]ipv6 enable[RTB-LoopBack0]ipv6 address 2222::2/128
# 配置RTC的IPv4和IPv6地址
system-view[Huawei]sysname RTC[RTC]ipv6[RTC]interface GigabitEthernet 0/0/0[RTC-GigabitEthernet0/0/0]ip address 10.1.3.2 30[RTC-GigabitEthernet0/0/0]ipv6 enable[RTC-GigabitEthernet0/0/0]ipv6 address 2002::2/64[RTC-GigabitEthernet0/0/0] quit[RTC]interface GigabitEthernet 0/0/1[RTC-GigabitEthernet0/0/1]ip address 10.1.3.2 30[RTC-GigabitEthernet0/0/1]ipv6 enable[RTC-GigabitEthernet0/0/1]ipv6 address 2002::2/64[RTC-GigabitEthernet0/0/1]quit[RTC]interface LoopBack 0[RTC-LoopBack0]ip address 3.3.3.3 32[RTC-LoopBack0]ipv6 enable[RTC-LoopBack0]ipv6 address 3333::3/128[RTC-LoopBack0]quit
# 配置RTD的IPv4和IPv6地址
system-view[Huawei]sysname RTD[RTD]ipv6[RTD]interface GigabitEthernet 0/0/1[RTD-GigabitEthernet0/0/1]ip address 10.2.1.2 30[RTD-GigabitEthernet0/0/1]ipv6 enable[RTD-GigabitEthernet0/0/1]ipv6 address 2003::2/64[RTD-GigabitEthernet0/0/1]quit[RTD]interface GigabitEthernet 0/0/2[RTD-GigabitEthernet0/0/2]ip address 10.2.2.2 30[RTD-GigabitEthernet0/0/2]ipv6 enable[RTD-GigabitEthernet0/0/2]ipv6 address 2004::2/64[RTD-GigabitEthernet0/0/2]quit
步骤 2 配置RTA、RTB、RTC和RTD的双栈ISIS协议,保证路由全互通。
# 配置RTA的双栈ISIS
[RTA]isis 1[RTA-isis-1]network-entity 02.0000.0000.0001.00[RTA-isis-1]is-level level-2[RTA-isis-1]ipv6 enable topology ipv6[RTA-isis-1]qut[RTA]interface GigabitEthernet 0/0/1[RTA-GigabitEthernet0/0/1]isis enable 1[RTA-GigabitEthernet0/0/1]isis circuit-level level-2[RTA-GigabitEthernet0/0/1]isis ipv6 enable 1[RTA-GigabitEthernet0/0/1]quit[RTA]interface GigabitEthernet 0/0/2[RTA-GigabitEthernet0/0/2]isis enable 1[RTA-GigabitEthernet0/0/2]isis circuit-level level-2[RTA-GigabitEthernet0/0/2]isis ipv6 enable 1[RTA-GigabitEthernet0/0/2]quit[RTA]interface LoopBack 0[RTA-LoopBack0]isis enable 1[RTA-LoopBack0]isis circuit-level level-2[RTA-LoopBack0]isis ipv6 enable 1[RTA-LoopBack0]quit
# 配置RTB的双栈ISIS
[RTB]isis 1[RTB-isis-1]network-entity 01.0000.0000.0002.00[RTB-isis-1]ipv6 enable topology ipv6[RTB-isis-1]quit[RTB]interface GigabitEthernet 0/0/0[RTB-GigabitEthernet0/0/0]isis enable 1[RTB-GigabitEthernet0/0/0]isis circuit-level level-2[RTB-GigabitEthernet0/0/0]isis ipv6 enable 1[RTB-GigabitEthernet0/0/0]quit[RTB]interface GigabitEthernet 0/0/1[RTB-GigabitEthernet0/0/1]isis enable 1[RTB-GigabitEthernet0/0/1]isis circuit-level level-1[RTB-GigabitEthernet0/0/1]isis ipv6 enable 1[RTB-GigabitEthernet0/0/1]quit[RTB]interface GigabitEthernet 0/0/2[RTB-GigabitEthernet0/0/2]isis enable 1[RTB-GigabitEthernet0/0/2]isis ipv6 enable 1[RTB-GigabitEthernet0/0/2]quit[RTB]interface LoopBack 0[RTB-LoopBack0]isis enable 1[RTB-LoopBack0]isis circuit-level level-2[RTB-LoopBack0]isis ipv6 enable 1[RTB-LoopBack0]quit
# 配置RTC的双栈ISIS
[RTC]isis 1[RTC-isis-1]network-entity 01.0000.0000.0003.00[RTC-isis-1]ipv6 enable topology ipv6[RTC-isis-1]quit[RTC]interface GigabitEthernet 0/0/0[RTC-GigabitEthernet0/0/0]isis enable 1[RTC-GigabitEthernet0/0/0]isis ipv6 enable 1[RTC-GigabitEthernet0/0/0]quit[RTC]interface GigabitEthernet 0/0/1[RTC-GigabitEthernet0/0/1]isis enable 1[RTC-GigabitEthernet0/0/1]isis circuit-level level-1[RTC-GigabitEthernet0/0/1]isis ipv6 enable 1[RTC-GigabitEthernet0/0/1]quit[RTC]interface GigabitEthernet 0/0/2[RTC-GigabitEthernet0/0/2]isis enable 1[RTC-GigabitEthernet0/0/2]isis circuit-level level-2[RTC-GigabitEthernet0/0/2]isis ipv6 enable 1[RTC-GigabitEthernet0/0/2]quit[RTC]interface LoopBack 0[RTC-LoopBack0]isis enable 1[RTC-LoopBack0]isis circuit-level level-2[RTC-LoopBack0]isis ipv6 enable 1RTC-LoopBack0]quit
# 配置RTD的双栈ISIS
[RTD]isis 1[RTD-isis-1]network-entity 01.0000.0000.0004.00[RTD-isis-1]is-level level-1[RTD-isis-1]ipv6 enable topology ipv6[RTD-isis-1]quit[RTD]interface GigabitEthernet 0/0/1[RTD-GigabitEthernet0/0/1]isis enable 1[RTD-GigabitEthernet0/0/1]isis circuit-level level-1[RTD-GigabitEthernet0/0/1]isis ipv6 enable 1[RTD-GigabitEthernet0/0/1]quit[RTD]interface GigabitEthernet 0/0/2[RTD-GigabitEthernet0/0/2]isis enable 1[RTD-GigabitEthernet0/0/2]isis circuit-level level-1[RTD-GigabitEthernet0/0/2]isis ipv6 enable 1[RTD-GigabitEthernet0/0/2]quit[RTD]interface LoopBack 0[RTD-LoopBack0]isis enable 1[RTD-LoopBack0]isis circuit-level level-1[RTD-LoopBack0]isis ipv6 enable 1[RTD-LoopBack0]quit
步骤 3 在RTB和RTC上部署路由渗透。
# 配置RTB的ISIS路由渗透
[RTB]isis 1[RTB-isis-1]import-route isis level-2 into level-1
# 配置RTC的ISIS路由渗透
[RTC]isis 1[RTC-isis-1]import-route isis level-2 into level-1
步骤 4 在RTA上配置路由策略过滤,只发送200.1.1.1的静态路由
# 在RTA上配置两条静态路由
[RTA]ip route-static 100.1.1.1 255.255.255.255 NULL0[RTA]ip route-static 200.1.1.1 255.255.255.255 NULL0
# 在RTA上配置路由策略
[RTA]ip ip-prefix 200 index 10 permit 200.1.1.1 32[RTA]route-policy 200 permit node 10[RTA-route-policy]if-match ip-prefix 200[RTA-route-policy]quit
# 在RTA上引入静态路由,调用路由策略
[RTA]isis 1[RTA-isis-1]import-route static route-policy 200#
1.3 结果验证
1.3.1 检查配置结果
在网络计算稳定后,执行以下操作,验证配置结果。
# 在RTA上执行display isis peer命令,查看邻居状态,结果如下:
[RTA]dis isis peer Peer information for ISIS(1) System Id Interface Circuit Id State HoldTime Type PRI-------------------------------------------------------------------------------0000.0000.0002* GE0/0/1 0000.0000.0002.01 Up 8s L2 640000.0000.0003* GE0/0/2 0000.0000.0001.02 Up 22s L2 64Total Peer(s): 2
在RTB、RTC、RTD上做相同的操作,邻居状态都是UP。
# 在RTD上执行dis ip routing-table protocol isis命令,结果如下:
dis ip routing-table protocol isisRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Public routing table : ISIS Destinations : 8 Routes : 12 ISIS routing table status : Destinations : 8 Routes : 12 Destination/Mask Proto Pre Cost Flags NextHop Interface 0.0.0.0/0 ISIS-L1 15 10 D 10.2.2.1 GigabitEthernet0/0/2 ISIS-L1 15 10 D 10.2.1.1 GigabitEthernet0/0/1 1.1.1.1/32 ISIS-L1 15 20 D 10.2.2.1 GigabitEthernet0/0/2 ISIS-L1 15 20 D 10.2.1.1 GigabitEthernet0/0/1 2.2.2.2/32 ISIS-L1 15 10 D 10.2.1.1 GigabitEthernet0/0/1 3.3.3.3/32 ISIS-L1 15 10 D 10.2.2.1 GigabitEthernet0/0/2 10.1.1.0/30 ISIS-L1 15 20 D 10.2.1.1 GigabitEthernet0/0/1 10.1.2.0/30 ISIS-L1 15 20 D 10.2.2.1 GigabitEthernet0/0/2 10.1.3.0/30 ISIS-L1 15 20 D 10.2.2.1 GigabitEthernet0/0/2 ISIS-L1 15 20 D 10.2.1.1 GigabitEthernet0/0/1 200.1.1.1/32 ISIS-L1 15 84 D 10.2.2.1 GigabitEthernet0/0/2 ISIS-L1 15 84 D 10.2.1.1 GigabitEthernet0/0/1 ISIS routing table status : Destinations : 0 Routes : 0
在RTD的路由表中发现只能学习到200.1.1.1的路由。
# 在RTD上执行dis ipv6 routing-table protocol isis命令,结果如下:
dis ipv6 routing-table protocol isisPublic Routing Table : ISISSummary Count : 4 ISIS Routing Table's Status : < Active >Summary Count : 4 Destination : :: PrefixLength : 0 NextHop : FE80::2E0:FCFF:FE37:2098 Preference : 15 Cost : 10 Protocol : ISIS-L1 RelayNextHop : :: TunnelID : 0x0 Interface : GigabitEthernet0/0/2 Flags : D Destination : :: PrefixLength : 0 NextHop : FE80::2E0:FCFF:FEF1:59A Preference : 15 Cost : 10 Protocol : ISIS-L1 RelayNextHop : :: TunnelID : 0x0 Interface : GigabitEthernet0/0/1 Flags : D Destination : 2002:: PrefixLength : 64 NextHop : FE80::2E0:FCFF:FE37:2098 Preference : 15 Cost : 20 Protocol : ISIS-L1 RelayNextHop : :: TunnelID : 0x0 Interface : GigabitEthernet0/0/2 Flags : D Destination : 2002:: PrefixLength : 64 NextHop : FE80::2E0:FCFF:FEF1:59A Preference : 15 Cost : 20 Protocol : ISIS-L1 RelayNextHop : :: TunnelID : 0x0 Interface : GigabitEthernet0/0/1 Flags : D ISIS Routing Table's Status : < Inactive >Summary Count : 0
在RTD的路由表中发现只能学习到::/0的缺省路由
# 在RTD上执行display isis lsdb 0000.0000.0002.00-00 verbose命令,结果如下:
display isis lsdb 0000.0000.0002.00-00 verbose Database information for ISIS(1) -------------------------------- Level-1 Link State Database LSPID Seq Num Checksum Holdtime Length ATT/P/OL-------------------------------------------------------------------------------0000.0000.0002.00-00 0x00000021 0x53d8 746 284 1/0/0 SOURCE 0000.0000.0002.00 NLPID IPV4 NLPID IPV6 AREA ADDR 01 INTF ADDR 2.2.2.2 INTF ADDR 10.1.1.2 INTF ADDR 10.1.3.1 INTF ADDR 10.2.1.1 INTF ADDR V6 2222::2 INTF ADDR V6 2000::2 INTF ADDR V6 2002::1 INTF ADDR V6 2003::1 Topology Standard, IPV6(ATT) NBR ID 0000.0000.0002.03 COST: 10 NBR ID 0000.0000.0002.02 COST: 10 +MT NBR ID 0000.0000.0002.03 COST: 10 MT: 2 (IPV6)+MT NBR ID 0000.0000.0002.02 COST: 10 MT: 2 (IPV6) IP-Internal 2.2.2.2 255.255.255.255 COST: 0 IP-Internal 10.1.1.0 255.255.255.252 COST: 10 IP-Internal 10.1.3.0 255.255.255.252 COST: 10 IP-Internal* 1.1.1.1 255.255.255.255 COST: 10 IP-Internal 10.2.1.0 255.255.255.252 COST: 10 IP-External* 200.1.1.1 255.255.255.255 COST: 74 IPV6 2002::/64 COST: 10 MT: 2 IPV6 2003::/64 COST: 10 MT: 2 Total LSP(s): 1 *(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload
RTD的LSP里只发现200.1.1.1的路由信息。
1.4 配置参考
1.4.1 RTA的配置
# sysname RTA#ipv6#isis 1 is-level level-2 network-entity 02.0000.0000.0001.00 import-route static route-policy 200 # ipv6 enable topology ipv6 ##interface GigabitEthernet0/0/0#interface GigabitEthernet0/0/1 ipv6 enable ip address 10.1.1.1 255.255.255.252 ipv6 address 2000::1/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#interface GigabitEthernet0/0/2 ipv6 enable ip address 10.1.2.1 255.255.255.252 ipv6 address 2001::1/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#interface NULL0#interface LoopBack0 ipv6 enable ip address 1.1.1.1 255.255.255.255 ipv6 address 1111::1/128 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#route-policy 200 permit node 10 if-match ip-prefix 200#ip ip-prefix 200 index 10 permit 200.1.1.1 32#ip route-static 100.1.1.1 255.255.255.255 NULL0ip route-static 200.1.1.1 255.255.255.255 NULL0#return
1.4.2 RTB的配置
# sysname RTB#ipv6#isis 1 network-entity 01.0000.0000.0002.00 import-route isis level-2 into level-1 # ipv6 enable topology ipv6 ##interface GigabitEthernet0/0/0 ipv6 enable ip address 10.1.1.2 255.255.255.252 ipv6 address 2000::2/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#interface GigabitEthernet0/0/1 ipv6 enable ip address 10.2.1.1 255.255.255.252 ipv6 address 2003::1/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-1#interface GigabitEthernet0/0/2 ipv6 enable ip address 10.1.3.1 255.255.255.252 ipv6 address 2002::1/64 isis enable 1 isis ipv6 enable 1#interface NULL0#interface LoopBack0 ipv6 enable ip address 2.2.2.2 255.255.255.255 ipv6 address 2222::2/128 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#return
1.4.3 RTC的配置
# sysname RTC#isis 1 network-entity 01.0000.0000.0003.00 import-route isis level-2 into level-1 # ipv6 enable topology ipv6 ##interface GigabitEthernet0/0/0 ipv6 enable ip address 10.1.3.2 255.255.255.252 ipv6 address 2002::2/64 isis enable 1 isis ipv6 enable 1#interface GigabitEthernet0/0/1 ipv6 enable ip address 10.2.2.1 255.255.255.252 ipv6 address 2004::1/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-1#interface GigabitEthernet0/0/2 ipv6 enable ip address 10.1.2.2 255.255.255.252 ipv6 address 2001::2/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#interface NULL0#interface LoopBack0 ipv6 enable ip address 3.3.3.3 255.255.255.255 ipv6 address 3333::3/128 isis enable 1 isis ipv6 enable 1 isis circuit-level level-2#return
1.4.4 RTD的配置
# sysname RTD#isis 1 is-level level-1 network-entity 01.0000.0000.0004.00 # ipv6 enable topology ipv6 ##interface GigabitEthernet0/0/0#interface GigabitEthernet0/0/1 ipv6 enable ip address 10.2.1.2 255.255.255.252 ipv6 address 2003::2/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-1#interface GigabitEthernet0/0/2 ipv6 enable ip address 10.2.2.2 255.255.255.252 ipv6 address 2004::2/64 isis enable 1 isis ipv6 enable 1 isis circuit-level level-1#interface NULL0#interface LoopBack0 ipv6 enable ip address 4.4.4.4 255.255.255.255 ipv6 address 4444::4/128 isis enable 1 isis ipv6 enable 1 isis circuit-level level-1#return