路由過(guò)濾命令詳解route-map
發(fā)布時(shí)間:2021-08-02 22:37
來(lái)源:網(wǎng)絡(luò )整理
閱讀:61
作者:comquer
欄目: 云計算
歡迎投稿:712375056
關(guān)于路由協(xié)議:
Distance Vector Routing Protocol: Route Filtering可以控制其通告/接收的路由條目�����,及重分布的路由條目�����。
總結:
————————————————————————————————————————
注:
ip prefix-list list-name description textCase Study: Configuration Examplerouter bgp 3 no synchronization neighbor 172.16.1.2 remote-as 3 neighbor 172.16.20.1 remote-as 1 neighbor 172.16.29.1 prefix-list 1 out no auto-summary!ip prefix-list 1 seq 5 deny 192.68.10.0/24ip prefix-list 1 seq 10 permit 0.0.0.0/32(四) ip as-path access-list 功能:
根據BGP的AS-PATH屬性過(guò)濾BGP的分發(fā)路由條目���。
它們都是很靈活的東西���,運用的好��,它會(huì )有很大的作用��;運用得不好�,也有可能會(huì )有反作用的�����。
Route Maps如果沒(méi)有指定Action及Sequence Number屬性�,默認:
EIGRP external route TLVs: 支持32-bit tags 表示為十進(jìn)制:0 ~ 4294967295
與ACL相比�����,具有相對較強的靈活性���。在掩碼匹配上��,也比較容易理解��。
<5> ip prefix-list不能與Route Maps的match ip next-hop語(yǔ)句聯(lián)用�;只以與match ip address語(yǔ)句聯(lián)用�����。
Case Study: Filtering Specific Routesrouter rip version 2 network 192.168.75.0 distribute-list 1 in Serial1!ip cla
sslessaccess 1 permit 0.0.0.0Case Study: Route Filtering and Redistribution 注:
distribute-list 命令用于Link-State Routing Protocol時(shí):
ip as-path access-list 1 permit .*
用途:
<1> ip prefix-list使用最長(cháng)匹配規則�����。
<2> 建立一個(gè)"route firewall"
<4> length < ge-length < le-length <= 32
prefix-list�����,distribute-list->filter-list-> route-map
ip as-path access-list 1 deny (_64[6-9][0-9][0-9]_|_65[0-9][0-9][0-9]_)
Action: permit
注:Precedence和TOS的配置既可使用Number字段�����,也可以使用Keyword.
配置說(shuō)明:
set ip precedence-------------------------------------Bits Number Keyword000 0 routine001 1 priority010 2 immediate011 3 flash100 4 flash-override101 5 critical110 6 internet111 7 network-------------------------------------set ip tos-------------------------------------Bits Number Keyword0000 0 normal0001 1 min-monetary-cost0010 2 max-reliability0100 4 max-throughput1000 8 min-delay-------------------------------------interface Serial0 ip address 10.1.18.67 255.255.255.252 ip policy route-map sense!interface Serial1 ip address 10.34.16.83.255.255.255.252 ip policy route-map sense!access-list 1 permit 172.16.0.0 0.0.255.255access-list 110 permit tcp any eq www any!route-map sense permit 10 match ip address 1 110 set ip precedence critical!route-map sense permit 20 set ip tos 10 set ip precedence priorityCase Study: Route Tagging 用途:
用于雙向重分布時(shí)標識特定Domain的路由��,以防路由被重分布回起源Domain.
Case Study:Policy Routing
interface Serial 0 ip address 172.16.5.1 255.255.255.0 ip policy route-map sense!access-list 1 permit 172.16.6.0 0.0.0.255access-list 2 permit 172.16.7.0 0.0.0.255!route-map sense permit 10 match ip address 1 set ip next-hop 172.16.4.2!route-map sense permit 20 match ip address 2 set ip next-hop 172.16.4.3
Policy Routing: 特定的Packets不會(huì )按策略路由轉發(fā)�����,但會(huì )梗概正常的路由表條目轉發(fā)����。
與接口聯(lián)用: 只能使用in參數
<4> Router's Packets
interface Ethernet0 ip address 172.16.1.4 255.255.255.0 ip policy route-map sense!ip local policy route-map sense!access-list 120 permit ip any 172.16.1.0 0.0.0.255access-list 120 permit ospf any any!route-map sense permit 10 match ip address 120!route-map sense permit 20 match length 1000 1600 set ip next-hop 172.16.2.1!route-map sense permit 30 match length 0 400 set ip next-hop 172.16.3.1
<3> Length of the Packets
interface Ethernet0 ip address 172.16.1.4 255.255.255.0 ip policy route-map sense!route-map sense permit 10 match length 1000 1600 set ip next-hop 172.16.2.1!route-map sense permit 20 match length 0 400 set ip next-hop 172.16.3.1
Packets Format:
prefix-list��,distribute-list用于鄰居在一個(gè)方向上每次只能用其中的一個(gè)
?�。?)全局配置ip local policy route-map sense可將策略路由應用于Router本身發(fā)送的Packets.
一) Route Maps 特性:
Route Maps類(lèi)似于access lists�,不同之處在于Route Maps可以改變Packets/Routes的部分屬性���。
所以說(shuō)�,在配置這些過(guò)濾命令的時(shí)候�,要仔細的斟酌��。每一個(gè)過(guò)濾都要思考一下�,當安放到現有的網(wǎng)絡(luò )會(huì )有什么樣的效用���,這樣才不至于等到安放到路由器上以后才認識到過(guò)濾的漏洞�����,才不至于引發(fā)安全隱患�。
