网络工程 - 过滤到下游路由器的标记路由 - 吾爱随笔录

过滤到下游路由器的标记路由

网络工程思科思科-ios ospf eigrp 再分配

2022-02-23 15:26:21

我想将重新分配的路由从 EIGRP 过滤到 OSPF 到 AREA2 和 AREA34 中的所有路由器。我在 Tampa 路由器上用标签 90 标记了路由 10.90.100.0/24，它在芝加哥路由器上重新分配到 OSPF，我使用分发列表拒绝用 90 标记的路由。该路由不存在于芝加哥路由器，但达拉斯和亚利桑那州仍然可以访问重新分配的 EIGRP 网络。理想情况下，如果可能的话，我想在上游路由器之一上拒绝它一次。

坦帕配置：

TampaRTR#show running-config
Building configuration...

Current configuration : 3561 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TampaRTR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN
 ip address 10.101.100.253 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description WAN
 ip address 10.90.100.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
!
router eigrp 1
 network 4.4.4.4 0.0.0.0
 network 10.90.100.0 0.0.0.255
 redistribute ospf 1 metric 1000 100 250 100 1500
!
router ospf 1
 area 1 nssa
 redistribute eigrp 1 metric 20 metric-type 1 subnets route-map RMAPTAGEIGRP
 network 4.4.4.4 0.0.0.0 area 1
 network 10.101.100.0 0.0.0.255 area 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
route-map RMAPTAGEIGRP permit 10
 set tag 90
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

TampaRTR#

NewYorkRTR 配置

NewYorkRTR#show run
Building configuration...

Current configuration : 3348 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NewYorkRTR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN
 ip address 10.100.100.253 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.101.100.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 area 1 nssa no-summary
 network 2.2.2.2 0.0.0.0 area 0
 network 10.100.100.0 0.0.0.255 area 0
 network 10.101.100.0 0.0.0.255 area 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

NewYorkRTR#

ChicagoRTR 配置

ChicagoRTR#show run
Building configuration...

Current configuration : 3498 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ChicagoRTR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN
 ip address 10.100.100.252 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description WAN
 ip address 10.102.100.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 area 2 virtual-link 5.5.5.5
 network 3.3.3.3 0.0.0.0 area 0
 network 10.100.100.0 0.0.0.255 area 0
 network 10.102.100.0 0.0.0.255 area 2
 distribute-list route-map RMAPDENYEIGRP in
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
route-map RMAPDENYEIGRP deny 10
 match tag 90
!
route-map RMAPDENYEIGRP permit 20
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

ChicagoRTR#

达拉斯RTR配置：

DallasRTR#show run
Building configuration...

Current configuration : 3353 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DallasRTR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN
 ip address 10.102.100.253 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.134.100.254 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 area 2 virtual-link 3.3.3.3
 network 5.5.5.5 0.0.0.0 area 2
 network 10.102.100.0 0.0.0.255 area 2
 network 10.134.100.0 0.0.0.255 area 34
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

DallasRTR#

拓扑图供参考。

1个回答

您尝试在 ABR 上进行过滤是正确的

router ospf 1
 ...
 distribute-list route-map RMAPDENYEIGRP in

上面的distribute-list 命令不会停止OSPF LSA 在您的网络中的传播。它只会阻止在路由表中安装路由。如果您查看您的 OSPF 数据库，您将看到 LSA 仍然存在并发送到其他路由器（然后使用 LSA 设置它们的路由表）。

OSPF 与 BGP 不同。在 BGP 中，仅考虑安装在路由表中的路由进行传播。在 OSPF 中，除非 LSA 在 ABR 上过滤，否则 LSA 会被传播。

可以使用前缀列表并使用 filter-list 命令在 ABR 过滤 OSPF 路由，但这不会基于 OSPF 标记进行过滤。

这是我的示例，其中我阻止特定 /32 在 ABR 上的区域之间传播。

ip prefix-list bob deny 172.16.7.1/32
ip prefix-list bob permit 0.0.0.0/0 le 32
router ospf 1
 ...
 area 0 filter-list prefix bob out

在https://www.cisco.com/c/dam/en_us/training-events/le31/le46/cln/promo/share_the_wealth_contest/finalists/Susan_Mansfield_FILTERING_WITH_OSPF_-_Technical_Overview.pdf进行了很好的讨论

但这是一个带有糟糕讨论的 Cisco 链接。它显示了如何使用路由映射过滤 OSPF，但没有告诉您它只是过滤路由安装，而不是 LSA 的传播： https ://www.cisco.com/c/en/us/td/docs/ios-xml /ios/iproute_ospf/configuration/xe-16-6/iro-xe-16-6-book/iro-inbound.html

我在旧的“Cisco Hands on Training Video Podcast”中演示了 OSPF 分发列表和使用前缀列表过滤器的问题。

OSPF 分发列表问题（14 分钟）： https ://www.youtube.com/watch?v=SQ2jGzm4cNM

OSPF 路由过滤和区域边界路由器（16 分钟）： https ://www.youtube.com/watch?v=Doa9Ns57PXA

遗憾的是，我当时使用的路由器不支持使用路由映射来过滤 LSA 进出一个区域。只是进出路由表。我认为这没有改变。

其它你可能感兴趣的问题

上一篇802.1X 与 802.11 标准之间的差异下一篇接收或发送或两者皆有时，SFP 端口指示灯是否亮起