ISIS路由泄漏(route leaking)
当一台L1/L2路由器发送L1 LSP到一个区域时,它会通过在LSP中设置ATT位来通知其他L1路由器能够达到另一个域。当需要转发数据包到区域外时,L1路由器会将数据包转发到最近的L2路由器(到设置了ATT位的路由器具有最小代价的路径)
考虑到此图,在区域1中,R2和R3都为L1/L2 路由器,它们都是在L1的更新包中设置了ATT位,并发送到路由器R5,并且R5为L1路由器,下面是R5的IS数据库
r5#sh isis database
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
r2.00-00 0x0000000F 0x7474 789 1/0/0
r3.00-00 0x0000000A 0x09DB 465 1/0/0
r5.00-00 * 0x0000000B 0x6374 1133 0/0/0
r5.01-00 * 0x00000005 0xE631 367 0/0/0
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
r2.00-00 0x0000000F 0x7474 789 1/0/0
r3.00-00 0x0000000A 0x09DB 465 1/0/0
r5.00-00 * 0x0000000B 0x6374 1133 0/0/0
r5.01-00 * 0x00000005 0xE631 367 0/0/0
查看路由表:
r5#sh ip route
Gateway of last resort is 192.168.35.3 to network 0.0.0.0
Gateway of last resort is 192.168.35.3 to network 0.0.0.0
i L1 192.168.12.0/24 [115/20] via 192.168.25.2, FastEthernet0/0
C 192.168.25.0/24 is directly connected, FastEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, Loopback0
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
[115/20] via 192.168.25.2, FastEthernet0/0
C 192.168.35.0/24 is directly connected, Serial1/1
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
[115/10] via 192.168.25.2, FastEthernet0/0
C 192.168.25.0/24 is directly connected, FastEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, Loopback0
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
[115/20] via 192.168.25.2, FastEthernet0/0
C 192.168.35.0/24 is directly connected, Serial1/1
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
[115/10] via 192.168.25.2, FastEthernet0/0
可以看到一条通往外部的缺省路由将在R2和R3之间实现负载
因为R2和R3都是离R5最近的L1/L2路由器
测试:
r5#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
Reply to request 0 (500 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(192.168.25.5)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.25.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Total option bytes= 40, padded length=40
Record route:
(192.168.25.5)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.25.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Reply to request 1 (412 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(192.168.35.5)
(192.168.23.3)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.35.5) <*>
(0.0.0.0)
(0.0.0.0)
可以清楚的看到以往1.1.1.1的数据包在R2和R3之间负载
Total option bytes= 40, padded length=40
Record route:
(192.168.35.5)
(192.168.23.3)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.35.5) <*>
(0.0.0.0)
(0.0.0.0)
可以清楚的看到以往1.1.1.1的数据包在R2和R3之间负载
很显然,对于R5来说去往外面最近的路径是经过R2,而不是经R3再经R2出去
通过将1.1.1.0通知到区域1的L1路由器,可以控制从R5到外部业务流量,这个把L2路由通告能L1路由器的做法就叫做路由泄漏(route leaking)
实现方法:
在R2上:
access-list 100 permit ip host 1.1.1.0 any
router isis
net 49.0001.1111.1111.1112.00
redistribute isis ip level-2 into level-1 distribute-list 100
net 49.0001.1111.1111.1112.00
redistribute isis ip level-2 into level-1 distribute-list 100
就这么简单,查看路由表:
r5#sh ip route
Gateway of last resort is 192.168.35.3 to network 0.0.0.0
i L1 192.168.12.0/24 [115/20] via 192.168.25.2, FastEthernet0/0
1.0.0.0/24 is subnetted, 1 subnets
i ia 1.1.1.0 [115/158] via 192.168.25.2, FastEthernet0/0 //外部路由进入了L1 ,并标识为ia
C 192.168.25.0/24 is directly connected, FastEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, Loopback0
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
[115/20] via 192.168.25.2, FastEthernet0/0
C 192.168.35.0/24 is directly connected, Serial1/1
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
[115/10] via 192.168.25.2, FastEthernet0/0
在R5上测试:
1.0.0.0/24 is subnetted, 1 subnets
i ia 1.1.1.0 [115/158] via 192.168.25.2, FastEthernet0/0 //外部路由进入了L1 ,并标识为ia
C 192.168.25.0/24 is directly connected, FastEthernet0/0
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, Loopback0
i L1 192.168.23.0/24 [115/20] via 192.168.35.3, Serial1/1
[115/20] via 192.168.25.2, FastEthernet0/0
C 192.168.35.0/24 is directly connected, Serial1/1
i*L1 0.0.0.0/0 [115/10] via 192.168.35.3, Serial1/1
[115/10] via 192.168.25.2, FastEthernet0/0
在R5上测试:
r5#ping
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
Protocol [ip]:
Target IP address: 1.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
Reply to request 0 (220 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
(192.168.25.5)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.25.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Total option bytes= 40, padded length=40
Record route:
(192.168.25.5)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.25.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Reply to request 1 (268 ms). Received packet has options
Total option bytes= 40, padded length=40
Record route:
( 192.168.25.5)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.25.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
Total option bytes= 40, padded length=40
Record route:
( 192.168.25.5)
(192.168.12.2)
(1.1.1.1)
(192.168.12.1)
(192.168.25.2)
(192.168.25.5) <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
End of list
可以看到,数据包仅通过R2发送,实验结束!
全部配置如下:
R1
nterface Loopback0
ip address 1.1.1.1 255.255.255.0
ip router isis
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.12.1 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 49.0002.1111.1111.1111.00
ip address 1.1.1.1 255.255.255.0
ip router isis
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.12.1 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 49.0002.1111.1111.1111.00
R2
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.25.2 255.255.255.0
ip router isis
duplex half
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.12.2 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.24.2 255.255.255.0
serial restart-delay 0
!
router isis
net 49.0001.1111.1111.1112.00
redistribute isis ip level-2 into level-1 distribute-list 100
!
access-list 100 permit ip host 1.1.1.0 any
!
R3
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.35.3 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.23.3 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 49.0001.1111.1111.1113.00
!
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.25.2 255.255.255.0
ip router isis
duplex half
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.12.2 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.24.2 255.255.255.0
serial restart-delay 0
!
router isis
net 49.0001.1111.1111.1112.00
redistribute isis ip level-2 into level-1 distribute-list 100
!
access-list 100 permit ip host 1.1.1.0 any
!
R3
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
ip address 192.168.35.3 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.23.3 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 49.0001.1111.1111.1113.00
!
R5
interface Loopback0
ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.25.5 255.255.255.0
ip router isis
duplex half
!
interface Serial1/0
ip address 192.168.57.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.35.5 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.45.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 49.0001.1111.1111.1115.00
is-type level-1
ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.25.5 255.255.255.0
ip router isis
duplex half
!
interface Serial1/0
ip address 192.168.57.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.35.5 255.255.255.0
ip router isis
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.45.5 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router isis
net 49.0001.1111.1111.1115.00
is-type level-1
转载于:https://blog.51cto.com/xghe110/106469