Controlling Routing Updates with Distribute Lists and ACLs

Topology:

    R1 and R2 run EIGRP; R2, R3 and R4 run OSPF; routes are redistributed in both directions


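Lab objective: use distribute lists to control routing updates

Understand the effect of ACL permit and deny entries during route redistribution

distribute-list in/out interface/routing protocol

1. Basic redistribution: every router learns all routes

R2:

OSPF: redistribute eigrp 90 subnets

EIGRP: redistribute ospf 110 metric 1544 100 255 1 1500

Routing table on R1: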

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

34.0.0.0/24 is subnetted, 1 subnets

D EX 34.1.1.0 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

3.0.0.0/32 is subnetted, 1 subnets

D EX 3.3.3.3 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

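2. Route filtering

Requirement: R1 must not have the routes 34.1.1.0/24 and 3.3.3.3/32

Do this with an ACL

Configure an ACL on R2 that denies these two routes, once with "out interface" and once with "out routing protocol"

Method 1: on R2, using out with an interface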

access-list 10 deny 3.3.3.3

access-list 10 deny 34.1.1.0 0.0.0.255

access-list 10 permit any

!

router eigrp 90

redistribute ospf 110 metric 1544 100 255 1 1500

network 12.1.1.0 0.0.0.255

distribute-list 10 out Serial0/0

no auto-summary

Check R1's routing table to see whether the two filtered routes are still present

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:09:53, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:01:26, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:09:53, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

R1#ping 4.4.4.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/172/280 ms

Method 2: on R2, using out with a routing protocol

distribute-list 10 out ospf 110

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:01:16, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:01:16, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:01:16, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

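The routes have been filtered

Method 3: on R1, using in with an interface to filter these two routes

First remove the distribute list and the access list on R2

At this point R1 has recovered the two routes and has all routes

Define an access list on R1 and filter with a distribute list in on the interface

Configuration: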

router eigrp 90

network 1.1.1.0 0.0.0.255

network 12.1.1.0 0.0.0.255

distribute-list 10 in Serial0/0

no auto-summary

!

!

!

!

access-list 10 permit 4.4.4.4

access-list 10 permit 23.1.1.0 0.0.0.255

access-list 10 permit 2.2.2.0 0.0.0.255

R1#show access-lists

Standard IP access list 10

30 permit 4.4.4.4 (2 matches)

10 permit 23.1.1.0, wildcard bits 0.0.0.255 (2 matches)

20 permit 2.2.2.0, wildcard bits 0.0.0.255 (1 match)

R1#show ip rou

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:00:17, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:07:08, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:07:08, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

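Conclusions:

During route redistribution, use distribute lists to control which routes are redistributed

1. On the router doing the redistribution, this can be done with out plus an interface or out plus a routing protocol

Note: when using out with a protocol, the protocol after out is the protocol being redistributed

2. On the router that should filter the routes, use in plus an interface

3. A standard access list is enough to match routes; a named one is recommended, because a single statement can then be removed with no without removing the whole access list

4. When an access list is used to match routes, routes matched by a permit entry are redistributed and routes matched by a deny entry are not; the deny entries must be followed by a permit any entry so that the other routes are still redistributed

5. When matching routes with an access list, a wildcard mask is not needed; matching the route prefix is enough. Using a wildcard mask may make route control inaccurate.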
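
The filtering in methods 1 to 3 can be modelled in a few lines. This is an added example, not part of the original post: a simplified Python model of how a standard ACL evaluates route prefixes in a distribute list (first match wins, only the network address is compared, implicit deny at the end), run over the routes from R1's first routing table. The function names and the 34.1.1.x /25 routes used for checking are constructed for illustration.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' or '... any' lines."""
    entries = []
    for line in lines:
        action, *rest = line.split()[2:]      # drop 'access-list' and the number
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # no wildcard given means an exact match on the address
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def acl_permits(entries, prefix):
    """First matching entry decides; the prefix length is never compared."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in entries:
        if (net | wild) == (addr | wild):
            return action == "permit"
    return False                              # implicit deny at the end of every ACL

def distribute_list(entries, routes):
    """Routes that survive the distribute list."""
    return [r for r in routes if acl_permits(entries, r)]

# External routes R2 advertises to R1 (from the first routing table on the page)
ROUTES = ["34.1.1.0/24", "2.2.2.0/24", "3.3.3.3/32", "4.4.4.4/32", "23.1.1.0/24"]

# Methods 1 and 2: deny the two routes, then permit any
DENY_STYLE = parse_acl([
    "access-list 10 deny 3.3.3.3",
    "access-list 10 deny 34.1.1.0 0.0.0.255",
    "access-list 10 permit any",
])
# Method 3: permit only the wanted routes and rely on the implicit deny
PERMIT_STYLE = parse_acl([
    "access-list 10 permit 4.4.4.4",
    "access-list 10 permit 23.1.1.0 0.0.0.255",
    "access-list 10 permit 2.2.2.0 0.0.0.255",
])

if __name__ == "__main__":
    print(distribute_list(DENY_STYLE, ROUTES))
    print(distribute_list(PERMIT_STYLE, ROUTES))
    # Constructed route: the wildcard entry also catches a /25 inside 34.1.1.0/24
    print(acl_permits(DENY_STYLE, "34.1.1.128/25"))
```

Both lists leave the same three external routes on R1, and the last check shows the effect conclusion 5 refers to: with a wildcard mask the entry matches every network address in the range, whatever its prefix length.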
