Preface: this post builds on the previous one, "路由双向引入引发的环路与次优路径及解决方案" (loops and suboptimal paths caused by two-way route redistribution, and how to fix them), and inherits its configuration.
What this lab verifies:
1. Creating a loop by changing link cost
2. Breaking the loop with route preference
3. Breaking the loop with four tags
4. Policy-based routing
Interface-level PBR does not act on packets the device itself originates; it only acts on packets that transit the device.
System-level (local) PBR does not act on transit packets; it only acts on packets the device itself originates.
Lab topology:
Initial configuration:
Starting from the final configuration of the previous post, remove the configuration that prevented the suboptimal path, add a link between AR3 and AR4, and put the interconnecting interfaces into both OSPF and IS-IS.
Initial result:
The route reaches AR4 first:
[AR3]dis ip routing-table 150.1.1.1
150.1.1.1/32 ISIS-L2 15 22 D 155.1.34.4 GigabitEthernet2/0/0
[AR4]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 150 12 D 155.1.24.2 GigabitEthernet0/0/2
[AR3]tracert -a 150.1.3.3 150.1.1.1
traceroute to 150.1.1.1(150.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.34.4 40 ms 20 ms 20 ms
2 155.1.24.2 40 ms 20 ms 20 ms
3 155.1.12.1 30 ms 30 ms 30 ms
So AR3's current path to 150.1.1.1 is AR3 -> AR4 -> AR2 -> AR1.
Analysis:
In the figure below, black is the direction of the data packets, purple the direction of OSPF, and yellow the direction of IS-IS.
150.1.1.1 reaches AR4 first. Because AR4 has two-way redistribution configured, it imports the route into IS-IS with tag 4 and advertises it out of G2/0/0 and G0/0/1. AR3 receives it and compares AR4->AR3 with AR4->AR5->AR3 by cost within IS-IS, so it prefers the direct AR4->AR3 IS-IS route. That route carries tag 4, which the route-policy matches, so it is not redistributed back into OSPF. Against the 150.1.1.1/32 OSPF external route (preference 150) arriving via AR1->AR2->AR3, AR3 installs the AR4->AR3 IS-IS route (preference 15) in its routing table.
So AR3's path to AR1 is 3->4->2->1.
1. Creating the loop again
As the figure shows, AR1 has two OSPF paths over which the 150.1.1.1 route reaches AR4. If the cost of AR4's G0/0/2 is changed to 10, AR4 recomputes its cost to 150.1.1.1/32 and now considers the path AR4->3->2->1 better than AR4->2->1. But, as noted in the initial result, after redistribution on AR4 the IS-IS route that AR3 learns from AR4 beats the OSPF external route arriving via AR1->2->3, so AR3 still considers AR4 the best next hop to 150.1.1.1. AR3 and AR4 now point at each other: a single-link loop between AR3 and AR4.
Configuration:
[AR4-GigabitEthernet0/0/2]ospf cost 10
Verification:
[AR4]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 150 4 D 155.1.34.3 GigabitEthernet0/0/0
[AR3]dis ip routing-table 150.1.1.1
150.1.1.1/32 ISIS-L2 15 74 D 155.1.34.4 GigabitEthernet0/0/0
[AR3]tracert -a 150.1.3.3 150.1.1.1
traceroute to 150.1.1.1(150.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.34.4 30 ms 30 ms 30 ms
2 155.1.34.3 10 ms 20 ms 10 ms
3 155.1.34.4 30 ms 30 ms 30 ms
4 155.1.34.3 20 ms 30 ms 20 ms
5 155.1.34.4 30 ms 40 ms 30 ms
6 155.1.34.3 20 ms 20 ms 10 ms
7 155.1.34.4 50 ms 40 ms 30 ms
2. Breaking the loop with route preference
On AR3, set the preference of the 150.1.1.1/32 route learned via IS-IS to 151. That is worse than the OSPF external route's 150, so the OSPF route wins.
After the change:
[AR3]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 150 3 D 155.1.23.2 GigabitEthernet0/0/1
[AR4]dis ip routing-table 150.1.1.1
150.1.1.1/32 ISIS-L2 15 74 D 155.1.34.3 GigabitEthernet0/0/0
Now the route arrives at AR3 first, and AR3 also has two-way redistribution configured, so it redistributes the route AR3->AR4; AR4 in turn prefers the IS-IS route with preference 15.
AR4's path to 150.1.1.1 is now AR4->3->2->1. But if the cost of AR3's G0/0/1 is set to 20, the loop comes back: AR3's OSPF path through AR2 becomes more expensive than the one through AR4, so AR3 forwards to AR4 while AR4 still forwards to AR3 over IS-IS:
[AR3]tracert -a 150.1.3.3 150.1.1.1
traceroute to 150.1.1.1(150.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.34.4 30 ms 30 ms 10 ms
2 155.1.34.3 10 ms 10 ms 20 ms
3 155.1.34.4 30 ms 20 ms 20 ms
4 155.1.34.3 20 ms 20 ms 20 ms
5 155.1.34.4 50 ms 30 ms 30 ms
6 155.1.34.3 20 ms 40 ms 40 ms
Remove the cost on AR3's G0/0/1 and apply the same preference change on AR4. After that:
[AR3]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 150 3 D 155.1.23.2 GigabitEthernet0/0/1
[AR4]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 150 4 D 155.1.34.3 GigabitEthernet0/0/0
3. Breaking the loop with four tags
First remove the preference changes made above to restore the loop:
[AR3]tracert -a 150.1.3.3 150.1.1.1
traceroute to 150.1.1.1(150.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.34.4 30 ms 10 ms 20 ms
2 155.1.34.3 20 ms 20 ms 10 ms
3 155.1.34.4 40 ms 20 ms 20 ms
4 155.1.34.3 20 ms 20 ms 20 ms
Then, so that routes which should go through OSPF do not go through IS-IS, change the preference of all OSPF external (imported) routes to 14:
[AR3-ospf-1]preference ase 14
[AR4-ospf-1]preference ase 14
[AR3]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 14 3 D 155.1.23.2 GigabitEthernet0/0/1
[AR4]dis ip routing-table 150.1.1.1
150.1.1.1/32 O_ASE 14 4 D 155.1.34.3 GigabitEthernet0/0/0
There is indeed no loop now, but a loop can still be created in some way; the teacher has not covered it yet, so I will add it once I know. For now, assume there is a loop going OSPF->ISIS and back into OSPF.
Set tags so that on AR3, OSPF->ISIS applies tag 3 and ISIS->OSPF drops tag 4 and accepts everything else; on AR4, OSPF->ISIS applies tag 4 and ISIS->OSPF drops tag 3 and accepts everything else:
[AR3]dis route-policy
Route-policy : OSPF->ISIS
permit : 10 (matched counts: 0)
Match clauses :
if-match ip-prefix NET150
Apply clauses :
apply tag 3
Route-policy : ISIS->OSPF
deny : 10 (matched counts: 0)
Match clauses :
if-match tag 4
permit : 20 (matched counts: 0)
[AR4]dis route-policy
Route-policy : OSPF->ISIS
permit : 10 (matched counts: 0)
Match clauses :
if-match ip-prefix NET150
Apply clauses :
apply tag 4
Route-policy : ISIS->OSPF
deny : 10 (matched counts: 0)
Match clauses :
if-match tag 3
permit : 20 (matched counts: 0)
This guarantees that the 150.1.0.0/16 routes carried from OSPF into IS-IS are not carried back again, but one problem remains.
Inside OSPF, both internal routes and imported external routes now have a better preference than IS-IS. So once AR3 learns 150.1.5.5 and imports it into OSPF, AR4 holds 150.1.5.5 from OSPF with preference 14 and from IS-IS with preference 15; the routing table prefers the OSPF-learned route and the path is suboptimal:
[AR4]dis ip routing-table 150.1.5.5
150.1.5.5/32 O_ASE 14 1 D 155.1.34.3 GigabitEthernet0/0/0
[AR4]tracert 150.1.5.5
traceroute to 150.1.5.5(150.1.5.5), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.34.3 30 ms 30 ms 20 ms
2 155.1.35.5 50 ms 30 ms 40 ms
Fix for the ISIS->OSPF direction:
Add a second pair of tags. On AR3, the 150.1.5.5 route going ISIS->OSPF gets tag 30, and the OSPF->ISIS direction denies tag 40 and permits everything else. On AR4, the 150.1.5.5 route going ISIS->OSPF gets tag 40, and the OSPF->ISIS direction denies tag 30 and permits everything else. Pay attention to the node order (matching sequence) when configuring.
Removing the suboptimal path is then simple: match the tag and raise the preference.
[AR3]dis route-policy
Route-policy : SET-PRI
permit : 10 (matched counts: 0)
Match clauses :
if-match tag 40
Apply clauses :
apply preference 16
Route-policy : ISIS->OSPF
permit : 10 (matched counts: 6)
Match clauses :
if-match ip-prefix NET5
Apply clauses :
apply tag 30
[AR3-ospf-1]dis this
[V200R003C00]
#
ospf 1
import-route isis 1 route-policy ISIS->OSPF
preference route-policy SET-PRI 10
area 0.0.0.0
#
[AR4]dis route-policy
Route-policy : SET-PRI
permit : 10 (matched counts: 0)
Match clauses :
if-match tag 30
Apply clauses :
apply preference 16
Route-policy : ISIS->OSPF
permit : 10 (matched counts: 15)
Match clauses :
if-match ip-prefix NET5
Apply clauses :
apply tag 40
[AR4-ospf-1]dis this
[V200R003C00]
#
ospf 1
import-route isis 1 route-policy ISIS->OSPF
preference route-policy SET-PRI 10
area 0.0.0.0
#
[AR3]dis ip routing-table 150.1.5.5
150.1.5.5/32 ISIS-L2 15 10 D 155.1.35.5 GigabitEthernet0/0/2
[AR4]dis ip routing-table 150.1.5.5
150.1.5.5/32 ISIS-L2 15 10 D 155.1.45.5 GigabitEthernet0/0/1
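The behaviour observed in parts 1 to 3 follows from two rules: each router installs the route with the lowest (preference, cost), and an ASBR re-originates whatever it installed into the other protocol unless the route-policy stops it. The Python model below is an added example, not the page's configuration or the simulator's code. It replays the lab states on the same topology (AR1..AR5, the AR3-AR4 link in both protocols) and follows next hops to see whether a loop, a detour or the intended path results. Link costs, the import metric and the order in which the ASBRs process the route are assumptions, so the costs it computes will not match the page's routing tables, but the next hops do.

```python
"""Added model of the OSPF <-> IS-IS mutual redistribution on the post's AR1..AR5
topology (example code, not the page's configuration). Each router installs the best
route by (preference, cost); each ASBR re-originates what it installed into the other
protocol through a tag policy; next hops are then followed to detect loops or detours.
Link costs, the import metric and the ASBR update order are assumptions."""
import heapq

OSPF_LINKS = [("AR1", "AR2", 1), ("AR2", "AR3", 1), ("AR2", "AR4", 1), ("AR3", "AR4", 1)]
ISIS_LINKS = [("AR3", "AR4", 10), ("AR3", "AR5", 10), ("AR4", "AR5", 10)]
ASBRS = ("AR4", "AR3")                    # update order: the page says the route reached AR4 first
DEFAULT_PREF = {"OSPF": 150, "ISIS": 15}  # O_ASE 150 vs ISIS-L2 15, as in the page's routing tables
IMPORT_COST = 1                           # assumed metric stamped on a re-originated route

def spf(links, src):
    """Dijkstra over undirected weighted links; returns {node: (cost, first_hop)}."""
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    best, pq = {src: (0, None)}, [(0, src, None)]
    while pq:
        d, n, first = heapq.heappop(pq)
        if d > best[n][0]:
            continue
        for m, c in adj.get(n, ()):
            if d + c < best.get(m, (float("inf"),))[0]:
                best[m] = (d + c, first or m)
                heapq.heappush(pq, (d + c, m, first or m))
    return best

def converge(owner, owner_proto, links, policy, pref, order=ASBRS, rounds=10):
    """Update the ASBRs one at a time until nobody changes what it originates.
    policy(router, from_proto, to_proto, tag) -> (permit, tag_to_apply);
    pref(router, proto, tag) -> preference of a received route.
    Returns {router: (proto, preference, cost, next_hop, tag)}; the owner is LOCAL."""
    nodes = {p: {n for a, b, _ in links[p] for n in (a, b)} for p in links}
    dist = {p: {r: spf(links[p], r) for r in nodes[p]} for p in links}
    origins = {p: {} for p in links}       # proto -> {originating router: tag}
    origins[owner_proto][owner] = 0        # tag 0 = untagged
    rib = {owner: ("LOCAL", 0, 0, None, 0)}

    def select(r):                         # best received route by (preference, cost)
        cands = [(pref(r, p, tag), dist[p][r][o][0] + IMPORT_COST, p, dist[p][r][o][1], tag)
                 for p in links if r in nodes[p]
                 for o, tag in origins[p].items() if o != r and o in dist[p][r]]
        if not cands:
            return None
        pr, cost, p, nh, tag = min(cands)
        return (p, pr, cost, nh, tag)

    for _ in range(rounds):
        changed = False
        for r in order:
            sel = rib[r] = select(r)
            for q in links:                # withdraw, then re-originate if the policy permits
                was = origins[q].pop(r, None)
                if sel and sel[0] != q:
                    ok, tag = policy(r, sel[0], q, sel[4])
                    if ok:
                        origins[q][r] = tag
                changed |= origins[q].get(r) != was
        if not changed:
            break
    for r in nodes["OSPF"] | nodes["ISIS"]:
        rib.setdefault(r, select(r))
    return rib

def path(rib, start, max_hops=8):
    """Follow next hops from start; returns (routers visited, looped?)."""
    seen, r = [], start
    while r not in seen and len(seen) < max_hops:
        seen.append(r)
        entry = rib.get(r)
        if entry is None or entry[3] is None:   # LOCAL route or no route: stop here
            return seen, False
        r = entry[3]
    return seen, True

def two_tag(router, from_p, to_p, tag):
    """Parts 1-2: OSPF->ISIS stamps the router's own tag (3 on AR3, 4 on AR4);
    ISIS->OSPF drops routes carrying the other ASBR's tag and permits the rest untagged."""
    mine, other = (3, 4) if router == "AR3" else (4, 3)
    return (True, mine) if from_p == "OSPF" else (tag != other, 0)

def four_tag(router, from_p, to_p, tag):
    """Part 3: ISIS->OSPF also stamps 30/40, and OSPF->ISIS drops the other ASBR's 30/40."""
    (mine, mine2), (other, other2) = ((3, 30), (4, 40)) if router == "AR3" else ((4, 40), (3, 30))
    return (tag != other2, mine) if from_p == "OSPF" else (tag != other, mine2)

def pref_fn(ospf_ase=150, isis=15, set_pri=None):
    """Preferences on AR3/AR4 (others keep defaults); set_pri=(tags, value) models SET-PRI."""
    def pref(router, proto, tag):
        if router not in ASBRS:
            return DEFAULT_PREF[proto]
        if proto == "OSPF" and set_pri and tag in set_pri[0]:
            return set_pri[1]
        return ospf_ase if proto == "OSPF" else isis
    return pref

def scenario(ar2_ar4_cost, policy, pref, owner="AR1", owner_proto="OSPF", order=ASBRS):
    """One lab state (AR2-AR4 cost models 'ospf cost 10'); returns {ASBR: (hops, looped?)}."""
    ospf = [(a, b, ar2_ar4_cost if {a, b} == {"AR2", "AR4"} else c) for a, b, c in OSPF_LINKS]
    rib = converge(owner, owner_proto, {"OSPF": ospf, "ISIS": ISIS_LINKS}, policy, pref, order)
    return {r: path(rib, r) for r in ASBRS}

if __name__ == "__main__":
    print("ospf cost 10 ", scenario(10, two_tag, pref_fn()))   # AR3 <-> AR4 loop
    print("+ SET-PRI    ", scenario(10, four_tag, pref_fn(14, set_pri=((30, 40), 16)), "AR5", "ISIS", ("AR3", "AR4")))
```

scenario() maps each ASBR to the list of routers its packets traverse and a flag that is True when the walk revisits a router. The six states from the page are, in order: scenario(1, two_tag, pref_fn()) for the initial 3->4->2->1 path; cost 10 for the loop; pref_fn(isis=151) for the preference fix; pref_fn(ospf_ase=14) for preference ase 14; four_tag with owner AR5 in IS-IS and order ("AR3", "AR4") for the 150.1.5.5 detour through AR3; and the same with set_pri=((30, 40), 16) for the corrected result.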
4. Policy-based routing
Interface-level PBR does not act on packets the device itself originates; it only acts on packets that transit the device.
System-level (local) PBR does not act on transit packets; it only acts on packets the device itself originates.
Routing operates on prefixes; policy-based routing operates on packets and is independent of routing: a packet that matches a PBR node is forwarded to the node's next hop instead of following the routing table, and a packet that matches nothing is routed normally.
Scenario: AR2 uses PBR to hand traffic to AR3 and AR4 to reach AR5; AR5 returns to AR2 by ordinary routing.
First filter the OSPF advertisements on AR3 and AR4 so that only the prefixes in NET150 (150.1.0.0/16) remain, leaving AR2 without a route to 150.1.5.5:
[AR3-ospf-1]filter-policy ip-prefix NET150 export
[AR4-ospf-1]filter-policy ip-prefix NET150 export
Result:
[AR2]dis ip routing-table 150.1.5.5
[AR2]
[AR5]dis ip routing-table 150.1.2.2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
150.1.2.2/32 ISIS-L2 15 74 D 155.1.45.4 GigabitEthernet0/0/1
ISIS-L2 15 74 D 155.1.35.3 GigabitEthernet0/0/2
[AR5]
Configure system-level PBR on AR2. In eNSP, only the Router device type supports interface-level PBR.
The simulator only supports matching interesting traffic by ACL and by packet length:
[AR2-policy-based-route-1-10]if-match ?
acl Access control list
packet-length Match packet length
Configuration:
acl number 2000
rule 5 permit source 150.1.2.2 0
acl number 2001
rule 5 permit source 155.1.12.2 0
policy-based-route 1 permit node 10
if-match acl 2000
apply ip-address next-hop 155.1.23.3
policy-based-route 1 permit node 20
if-match acl 2001
apply ip-address next-hop 155.1.24.4
[AR2]ip local policy-based-route 1
Result:
[AR2]tracert -q 1 -a 150.1.2.2 150.1.5.5
traceroute to 150.1.5.5(150.1.5.5), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.23.3 60 ms
2 155.1.35.5 30 ms
[AR2]tracert -q 1 -a 155.1.12.2 150.1.5.5
traceroute to 150.1.5.5(150.1.5.5), max hops: 30 ,packet length: 40,press CTRL_C to break
1 155.1.24.4 30 ms
2 155.1.45.5 40 ms
[AR2]
[AR2]dis ip policy-based-route statistics local
Local policy based routing information:
policy-based-route: 1
permit node 10
apply ip-address next-hop 155.1.23.3
Denied: 0,
Forwarded: 24
permit node 20
apply ip-address next-hop 155.1.24.4
Denied: 0,
Forwarded: 2
Total denied: 0, forwarded: 26
[AR2]
Add a default route on AR1 pointing to AR2. 150.1.5.5 still cannot be pinged from AR1, because system-level PBR only acts on locally originated traffic; AR1's packets transit AR2, which has no route to 150.1.5.5.
To act on forwarded packets, interface-level PBR is needed: delete AR2, replace it with a Router device, and configure PBR based on packet length.
Configuration:
[Huawei-GigabitEthernet0/0/0]ip policy-based-route pbr
[Huawei]dis policy-based-route
policy-based-route : pbr
Node 10 permit :
if-match packet-length 1 1000
apply ip-address next-hop 155.1.23.3
Node 20 permit :
if-match packet-length 1001 1500
apply ip-address next-hop 155.1.24.4
After the policy is applied, AR1 can ping 150.1.5.5:
[AR]ping 150.1.5.5
PING 150.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 150.1.5.5: bytes=56 Sequence=1 ttl=253 time=70 ms
Reply from 150.1.5.5: bytes=56 Sequence=2 ttl=253 time=40 ms
The counters show that all four packets matched node 10: a default ping carries 56 data bytes, i.e. an 84-byte IP packet, which falls in node 10's 1-1000 range. Node 20 forwarded nothing, so no packet took the second path.
[Huawei]dis ip policy-based-route statistics interface GigabitEthernet 0/0/0
Interface GigabitEthernet0/0/0 policy based routing information:
policy-based-route: pbr
permit node 10
apply ip-address next-hop 155.1.23.3
Denied: 0,
Forwarded: 4
permit node 20
apply ip-address next-hop 155.1.24.4
Denied: 0,
Forwarded: 0
Total denied: 0, forwarded: 4
[Huawei]
Change the policy so that node 10 matches 1501 to 3000 (and no longer has an apply clause) and node 20 matches 3000 to 3500, then send packets of a specified size (500 bytes; the default-size ping below behaves the same, since both are under 1501):
[Huawei]dis policy-based-route
policy-based-route : pbr
Node 10 permit :
if-match packet-length 1501 3000
Node 20 permit :
if-match packet-length 3000 3500
apply ip-address next-hop 155.1.24.4
Pinging again fails: the packet matches neither node, so it falls back to the routing table, and the device that replaced AR2 has no route to 150.1.5.5, so it is dropped:
[AR]ping 150.1.5.5
PING 150.1.5.5: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Also, AR2 (now the Router device) itself cannot ping 150.1.5.5 either, because interface-level PBR does not act on locally originated packets.
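The outcomes in part 4 (local versus interface policy, ACL and packet-length matching, the fallback to the routing table when no node matches or a matching node has no apply clause) can be reproduced with the small model below. It is an added example, not the page's configuration or the simulator's code; the routing table and packet sizes are constructed, and the ACL and node definitions mirror the ones shown above.

```python
"""Added model of the policy-based routing rules used in part 4 (example code,
not the page's configuration): ACL source matching with wildcard masks, packet-length
matching, first-match node evaluation, and the rule that local PBR sees only packets the
router itself generates while interface PBR sees only transit packets. The fallback
routing table is constructed for illustration."""
import ipaddress

def acl_permits(rules, src):
    """rules: [(action, address, wildcard)] in Huawei style (wildcard bits = don't care).
    The first matching rule decides; an ACL with no matching rule denies."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wild in rules:
        care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False

def pbr_next_hop(policy, pkt):
    """Nodes are evaluated in order; the first node whose match clauses all hold ends
    evaluation. A node without an apply clause yields None (normal forwarding)."""
    for node in policy:
        if all(acl_permits(m[1], pkt["src"]) if m[0] == "acl" else m[1] <= pkt["len"] <= m[2]
               for m in node["match"]):
            return node.get("next_hop")
    return None

def forward(pkt, rib, local_policy=None, intf_policy=None):
    """Returns ('pbr', nh), ('rib', nh) or ('drop', None) for one packet."""
    policy = local_policy if pkt["local"] else intf_policy   # local PBR vs interface PBR
    nh = pbr_next_hop(policy, pkt) if policy else None
    if nh:
        return ("pbr", nh)
    dst = ipaddress.IPv4Address(pkt["dst"])                   # longest-prefix fallback
    for prefix, nh in sorted(rib.items(), key=lambda kv: -ipaddress.IPv4Network(kv[0]).prefixlen):
        if dst in ipaddress.IPv4Network(prefix):
            return ("rib", nh)
    return ("drop", None)

def icmp_echo_len(data_bytes=56):
    """IP length of a VRP 'ping' packet: 20-byte IP header + 8-byte ICMP header + data."""
    return 20 + 8 + data_bytes

# AR2's system-level policy from the page: ACL 2000 = host 150.1.2.2, ACL 2001 = host 155.1.12.2
LOCAL_PBR = [
    {"match": [("acl", [("permit", "150.1.2.2", "0.0.0.0")])], "next_hop": "155.1.23.3"},
    {"match": [("acl", [("permit", "155.1.12.2", "0.0.0.0")])], "next_hop": "155.1.24.4"},
]
# Interface policy 'pbr' on the Router that replaced AR2, before and after the change
PBR_LEN = [{"match": [("len", 1, 1000)], "next_hop": "155.1.23.3"},
           {"match": [("len", 1001, 1500)], "next_hop": "155.1.24.4"}]
PBR_LEN_HIGH = [{"match": [("len", 1501, 3000)]},                     # node 10: no apply clause
                {"match": [("len", 3000, 3500)], "next_hop": "155.1.24.4"}]
# Constructed routing table: after the OSPF export filter there is no route to 150.1.5.5
RIB = {"150.1.1.1/32": "155.1.12.1", "155.1.34.0/24": "155.1.23.3"}

def packet(src, dst="150.1.5.5", length=icmp_echo_len(), local=False):
    return {"src": src, "dst": dst, "len": length, "local": local}
```

forward(packet("150.1.1.1"), RIB, local_policy=LOCAL_PBR) reproduces AR1's failed ping: the packet is transit, so the local policy is skipped and the missing route drops it; the same packet against intf_policy=PBR_LEN goes to 155.1.23.3 because an 84-byte ping falls in node 10's range.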