Controlling Routing Updates with Distribute Lists and ACLs

Topology:

    R1 and R2 run EIGRP; R2, R3 and R4 run OSPF; routes are redistributed in both directions.


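Lab objective: use distribute lists to control routing updates

Become familiar with the effect of ACL permit and deny in route redistribution

distribute-list in/out interface/routing-protocol

1. Basic redistribution: every router learns all routes

R2:

OSPF: redistribute eigrp 90 subnets

EIGRP: redistribute ospf 110 metric 1544 100 255 1 1500

Routing table on R1: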

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

34.0.0.0/24 is subnetted, 1 subnets

D EX 34.1.1.0 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

3.0.0.0/32 is subnetted, 1 subnets

D EX 3.3.3.3 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:00:23, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

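2. Route filtering

Requirement: R1 must not have the 34.1.1.0/24 route or the 3.3.3.3/32 route.

Do this with an ACL.

On R2, configure an ACL that denies these two routes, and apply it first with out plus an interface and then with out plus a routing protocol.

Method 1: on R2, use out with an interface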

access-list 10 deny 3.3.3.3

access-list 10 deny 34.1.1.0 0.0.0.255

access-list 10 permit any

!

router eigrp 90

redistribute ospf 110 metric 1544 100 255 1 1500

network 12.1.1.0 0.0.0.255

distribute-list 10 out Serial0/0

no auto-summary

Check R1's routing table to see whether the two filtered routes are still present:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:09:53, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:01:26, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:09:53, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

R1#ping 4.4.4.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/172/280 ms

Method 2: on R2, use out with a routing protocol

distribute-list 10 out ospf 110

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:01:16, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:01:16, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:01:16, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

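The routes have been filtered.

Method 3: on R1, use in with an interface to filter these two routes

First remove the distribute list and the access list on R2.

At this point R1 has regained the two routes and holds all routes again.

Define an access list on R1 and apply it with a distribute list using in on the interface.

Configuration: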

router eigrp 90

network 1.1.1.0 0.0.0.255

network 12.1.1.0 0.0.0.255

distribute-list 10 in Serial0/0

no auto-summary

!

!

!

!

access-list 10 permit 4.4.4.4

access-list 10 permit 23.1.1.0 0.0.0.255

access-list 10 permit 2.2.2.0 0.0.0.255

R1#show access-lists

Standard IP access list 10

30 permit 4.4.4.4 (2 matches)

10 permit 23.1.1.0, wildcard bits 0.0.0.255 (2 matches)

20 permit 2.2.2.0, wildcard bits 0.0.0.255 (1 match)

R1#show ip rou

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

2.0.0.0/24 is subnetted, 1 subnets

D EX 2.2.2.0 [170/2195456] via 12.1.1.2, 00:00:17, Serial0/0

4.0.0.0/32 is subnetted, 1 subnets

D EX 4.4.4.4 [170/2195456] via 12.1.1.2, 00:07:08, Serial0/0

23.0.0.0/24 is subnetted, 1 subnets

D EX 23.1.1.0 [170/2195456] via 12.1.1.2, 00:07:08, Serial0/0

12.0.0.0/24 is subnetted, 1 subnets

C 12.1.1.0 is directly connected, Serial0/0

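Conclusions:

When redistributing routes, use distribute lists to control what is redistributed.

1. On the router that performs the redistribution, use out with an interface or out with a routing protocol.

Note: when using out with a protocol, the protocol named after out is the protocol being redistributed.

2. On the router where the routes are to be filtered, use in with an interface.

3. A standard access list is enough for matching routes. A named access list is recommended, because a single entry can then be removed with no without removing the whole access list.

4. When matching routes with an access list, routes that match a permit entry are redistributed and routes that match a deny entry are not; the deny entries must be followed by a permit any entry so that the remaining routes are still redistributed.

5. When matching routes with an access list, a wildcard mask is not required; matching the route prefix is enough. Using a wildcard mask may make the route control inaccurate.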
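
The following Python sketch is an added example, not part of the original lab. It is a simplified model of how a standard ACL referenced by a distribute list is evaluated against route prefixes (first match wins, implicit deny at the end, only the network address is compared), and it replays access-list 10 from methods 1/2 and from method 3 against the routes in R1's first table. The function names and the 34.1.1.128/25 prefix are constructed for illustration.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines into entries."""
    entries = []
    for line in lines:
        tok = line.split()
        action, addr = tok[2], tok[3]
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            wild = tok[4] if len(tok) > 4 else "0.0.0.0"  # no wildcard = exact match
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def permitted(acl, prefix):
    """First match wins; the mask length of the route is never compared."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in acl:
        care = ~wild & 0xFFFFFFFF          # bits the entry actually checks
        if net & care == addr & care:
            return action == "permit"
    return False                           # implicit deny ends every ACL

def filter_routes(acl_lines, prefixes):
    """Return the prefixes that survive the distribute list."""
    acl = parse_acl(acl_lines)
    return [p for p in prefixes if permitted(acl, p)]

# EIGRP external routes R1 learns from R2 before filtering (first table on this page)
ROUTES = ["34.1.1.0/24", "2.2.2.0/24", "3.3.3.3/32", "4.4.4.4/32", "23.1.1.0/24"]

METHOD_1_2 = ["access-list 10 deny 3.3.3.3",
              "access-list 10 deny 34.1.1.0 0.0.0.255",
              "access-list 10 permit any"]
METHOD_3 = ["access-list 10 permit 4.4.4.4",
            "access-list 10 permit 23.1.1.0 0.0.0.255",
            "access-list 10 permit 2.2.2.0 0.0.0.255"]

if __name__ == "__main__":
    print(filter_routes(METHOD_1_2, ROUTES))   # deny list + permit any
    print(filter_routes(METHOD_3, ROUTES))     # permit list + implicit deny
    # Constructed prefix, not in the lab: a /25 inside 34.1.1.0/24
    # is caught by the same wildcard entry, since length is not matched.
    print(filter_routes(METHOD_1_2, ["34.1.1.128/25"]))
```

Both ACL styles leave R1 with the same three external routes shown in the filtered tables above; the deny list lets any future prefix through, while the permit list drops anything not explicitly named.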
