IS-IS Route Leaking
Published: 2019-06-27


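When an L1/L2 router sends an L1 LSP into an area, it sets the ATT bit in the LSP to tell the other L1 routers that it can reach another area. When a packet has to be forwarded out of the area, an L1 router forwards it to the nearest L2 router (the router with the ATT bit set that has the lowest-cost path).
Consider the topology in the figure. In area 1, R2 and R3 are both L1/L2 routers; both set the ATT bit in their L1 updates and send them to R5, which is an L1 router. This is R5's IS-IS database: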
r5#sh isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
r2.00-00              0x0000000F   0x7474        789               1/0/0
r3.00-00              0x0000000A   0x09DB        465               1/0/0
r5.00-00            * 0x0000000B   0x6374        1133              0/0/0
r5.01-00            * 0x00000005   0xE631        367               0/0/0
Check the routing table:
r5#sh ip route
Gateway of last resort is 192.168.35.3 to network 0.0.0.0
i L1 192.168.12.0/24 [115/20] via 192.168.25.2, FastEthernet0/0
C    192.168.25.0/24 is directly connected, FastEthernet0/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
                     [115/20] via 192.168.25.2, FastEthernet0/0
C    192.168.35.0/24 is directly connected, Serial1/1
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
               [115/10] via 192.168.25.2, FastEthernet0/0
As shown, a default route to the outside is installed and load-shared between R2 and R3,
because R2 and R3 are both the L1/L2 routers nearest to R5.
Test:
r5#ping   
Protocol [ip]: 
Target IP address: 1.1.1.1
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]: 
Loose, Strict, Record, Timestamp, Verbose[RV]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 39, padded length=40
 Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
Reply to request 0 (500 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 
Record route:
   (192.168.25.5)
   (192.168.12.2)
   (1.1.1.1)
   (192.168.12.1)
   (192.168.25.2)
   (192.168.25.5) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list
Reply to request 1 (412 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 
Record route:
   (192.168.35.5)
   (192.168.23.3)
   (192.168.12.2)
   (1.1.1.1)
   (192.168.12.1)
   (192.168.25.2)
   (192.168.35.5) <*>
   (0.0.0.0)
   (0.0.0.0)
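It is clear that packets to 1.1.1.1 are load-shared between R2 and R3.
 
Obviously, for R5 the shortest path to the outside is via R2, not via R3 and then out through R2.
By advertising 1.1.1.0 to the L1 routers in area 1, the traffic from R5 to the outside can be controlled. Advertising L2 routes to L1 routers in this way is called route leaking.
Implementation:
On R2: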
access-list 100 permit ip host 1.1.1.0 any
router isis 
 net 49.0001.1111.1111.1112.00
 redistribute isis ip level-2 into level-1 distribute-list 100
It is that simple. Check the routing table:
r5#sh ip route
Gateway of last resort is 192.168.35.3 to network 0.0.0.0
i L1 192.168.12.0/24 [115/20] via 192.168.25.2, FastEthernet0/0
     1.0.0.0/24 is subnetted, 1 subnets
i ia    1.1.1.0 [115/158] via 192.168.25.2, FastEthernet0/0  // the external route has entered L1 and is marked ia
C    192.168.25.0/24 is directly connected, FastEthernet0/0
     5.0.0.0/24 is subnetted, 1 subnets
C       5.5.5.0 is directly connected, Loopback0
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
                     [115/20] via 192.168.25.2, FastEthernet0/0
C    192.168.35.0/24 is directly connected, Serial1/1
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
               [115/10] via 192.168.25.2, FastEthernet0/0
Test on R5:
r5#ping       
Protocol [ip]: 
Target IP address: 1.1.1.1 
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]: 
Loose, Strict, Record, Timestamp, Verbose[RV]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 39, padded length=40
 Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
Reply to request 0 (220 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (192.168.25.5)
   (192.168.12.2)
   (1.1.1.1)
   (192.168.12.1)
   (192.168.25.2)
   (192.168.25.5) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list
Reply to request 1 (268 ms).  Received packet has options
 Total option bytes= 40, padded length=40
 Record route:
   (192.168.25.5)
   (192.168.12.2)
   (1.1.1.1)
   (192.168.12.1)
   (192.168.25.2)
   (192.168.25.5) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
 End of list
 
As shown, the packets are now sent only through R2. End of the experiment!
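The forwarding change shown above, as an added example (not code from the original post): the script parses the IS-IS lines of R5's routing table before and after the leak and shows that the leaked /24 wins by longest-prefix match over the default route, even though its metric (158) is higher than the default's (10). The `unexpected_leaks` helper and its allowlist are assumptions, added for auditing which L2 prefixes appear in the L1 area.

```python
import ipaddress
import re

# Constructed sample: IS-IS lines taken from R5's "sh ip route" output on this page.
BEFORE = """\
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
                     [115/20] via 192.168.25.2, FastEthernet0/0
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
               [115/10] via 192.168.25.2, FastEthernet0/0
"""
AFTER = BEFORE + """\
     1.0.0.0/24 is subnetted, 1 subnets
i ia    1.1.1.0 [115/158] via 192.168.25.2, FastEthernet0/0
"""

ROUTE = re.compile(r"^i[ *](L1|L2|ia)\s+(\S+) \[115/(\d+)\] via ([\d.]+)")
MORE = re.compile(r"^\s+\[115/\d+\] via ([\d.]+)")
SUBNETTED = re.compile(r"^\s+[\d.]+/(\d+) is subnetted")


def parse(text):
    """Return the IS-IS routes as dicts with net, code, metric, next_hops."""
    routes, mask = [], None
    for line in text.splitlines():
        if m := SUBNETTED.match(line):
            mask = m.group(1)  # mask for the bare subnets listed below it
        elif m := ROUTE.match(line):
            code, prefix, metric, hop = m.groups()
            if "/" not in prefix:
                prefix = f"{prefix}/{mask}"
            routes.append({"net": ipaddress.ip_network(prefix), "code": code,
                           "metric": int(metric), "next_hops": [hop]})
        elif (m := MORE.match(line)) and routes:
            routes[-1]["next_hops"].append(m.group(1))  # ECMP continuation line
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None


def unexpected_leaks(routes, allowed):
    """Inter-area (ia) routes that are not on the operator's allowlist."""
    ok = {ipaddress.ip_network(p) for p in allowed}
    return [str(r["net"]) for r in routes if r["code"] == "ia" and r["net"] not in ok]
```
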
 
 
The full configuration follows:
 
R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip router isis 
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.12.1 255.255.255.0
 ip router isis 
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!         
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router isis 
 net 49.0002.1111.1111.1111.00
R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.25.2 255.255.255.0
 ip router isis 
 duplex half
!
interface Serial1/0
 ip address 192.168.23.2 255.255.255.0
 ip router isis 
 serial restart-delay 0
!
interface Serial1/1
 ip address 192.168.12.2 255.255.255.0
 ip router isis 
 serial restart-delay 0
!
interface Serial1/2
 ip address 192.168.24.2 255.255.255.0
 serial restart-delay 0
!
router isis 
 net 49.0001.1111.1111.1112.00
 redistribute isis ip level-2 into level-1 distribute-list 100
!
access-list 100 permit ip host 1.1.1.0 any
!
R3
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 192.168.35.3 255.255.255.0
 ip router isis 
 serial restart-delay 0
!
interface Serial1/1
 ip address 192.168.23.3 255.255.255.0
 ip router isis 
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router isis 
 net 49.0001.1111.1111.1113.00
!
R5
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.25.5 255.255.255.0
 ip router isis 
 duplex half
!
interface Serial1/0
 ip address 192.168.57.5 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 192.168.35.5 255.255.255.0
 ip router isis 
 serial restart-delay 0
!
interface Serial1/2
 ip address 192.168.45.5 255.255.255.0
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown 
 serial restart-delay 0
!
router isis 
 net 49.0001.1111.1111.1115.00
 is-type level-1
 
This article is reposted from hexianguo's 51CTO blog. Original link: http://blog.51cto.com/xghe110/106469. For reprints, please contact the original author.