Policy-chain 实验
- 实验拓扑
vMX-3的lo0.0接口上配置了以下网段: 192.168.1.0/24、192.168.2.0/24、192.168.3.0/24、10.1.1.0/24、10.2.1.0/24、172.16.0.0/24
- 配置需求 在R3上执行路由汇总: 192.168.0.0/16、10.0.0.0/8、172.16.0.0/16
要求: R3只通告聚合路由192.168.0.0/16给R1;R3通告聚合路由192.168.0.0/16和10.0.0.0/8给R2(拒绝其他的路由)
- 配置案例
vMX-1配置
root@vMX-1# run show configuration
/* vMX-1 (AS 100): a single eBGP session to vMX-3 (202.103.13.3, AS 300) over ge-0/0/2. No import or export policy is configured, so the Junos BGP defaults apply. */
version 14.1R1.10;
system {
    /* NOTE(review): a root password hash is published verbatim below. The $1$ prefix marks MD5-crypt, which is weak against offline guessing; replace the value with a placeholder before sharing a configuration and treat the password as exposed. */
    root-authentication {
        encrypted-password "$1$a0zjPx7P$4Va9RcsxrIuHWJz.fhmrS0"; ## SECRET-DATA
    }
/* NOTE(review): the closing brace of the system stanza does not appear in this listing - presumably lost when the output was pasted. The stanzas below are top-level. */
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 202.103.13.1/24;
            }
        }
    }
}
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        /* NOTE(review): no authentication-key is visible on this session; acceptable in a lab, worth adding on a real eBGP peering. */
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.13.3 {
                peer-as 300;
            }
        }
    }
}
vMX-2配置
[edit]
root@vMX-2# run show configuration
/* vMX-2 (AS 200): a single eBGP session to vMX-3 (202.103.23.3, AS 300) over ge-0/0/0. No import or export policy is configured, so the Junos BGP defaults apply. */
version 14.1R1.10;
system {
host-name vMX-2;
/* NOTE(review): a root password hash is published verbatim below. The $1$ prefix marks MD5-crypt, which is weak against offline guessing; replace the value with a placeholder before sharing a configuration and treat the password as exposed. */
root-authentication {
encrypted-password "$1$QsSbO49u$DmMrWquAJ739RmUFn3CLo1"; ## SECRET-DATA
}
/* NOTE(review): the closing brace of the system stanza does not appear in this listing - presumably lost when the output was pasted. The stanzas below are top-level. */
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 202.103.23.2/24;
}
}
}
}
routing-options {
autonomous-system 200;
}
protocols {
bgp {
/* NOTE(review): no authentication-key is visible on this session; acceptable in a lab, worth adding on a real eBGP peering. */
group ebgp-peer {
type external;
log-updown;
neighbor 202.103.23.3 {
peer-as 300;
}
}
}
}
vMX-3配置
root@vMX-3# run show configuration
/* vMX-3 system stanza: host name and root credentials. */
version 14.1R1.10;
system {
host-name vMX-3;
/* NOTE(review): a root password hash is published verbatim below. The $1$ prefix marks MD5-crypt, which is weak against offline guessing; replace the value with a placeholder before sharing a configuration and treat the password as exposed. */
root-authentication {
encrypted-password "$1$QYBXvplE$9SwS1OUd9MaGzBo0f3I760"; ## SECRET-DATA
}
/* NOTE(review): the closing brace of the system stanza does not appear in this listing - presumably lost when the output was pasted. */
/* vMX-3 interfaces: two point-to-point links toward the eBGP peers plus a loopback carrying the six /24 networks that the aggregates summarize. */
interfaces {
/* Link on 202.103.23.0/24; the BGP neighbor 202.103.23.2 (AS 200) sits on this subnet. */
ge-0/0/0 {
unit 0 {
family inet {
address 202.103.23.3/24;
}
}
}
/* Link on 202.103.13.0/24; the BGP neighbor 202.103.13.1 (AS 100) sits on this subnet. */
ge-0/0/2 {
unit 0 {
family inet {
address 202.103.13.3/24;
}
}
}
/* The loopback addresses create the direct routes that act as contributing routes for the aggregates under routing-options. */
lo0 {
unit 0 {
family inet {
address 192.168.1.3/24;
address 192.168.2.3/24;
address 192.168.3.3/24;
address 10.1.1.3/24;
address 10.2.1.3/24;
address 172.16.0.3/24;
}
}
}
}
/* vMX-3 routing-options: three aggregate routes and the local AS number. */
routing-options {
/* An aggregate becomes active only while at least one more-specific contributing route exists; here those are the direct routes on lo0. The aggregates are installed with a reject next hop, as the route-table output further down the page shows. */
aggregate {
route 192.168.0.0/16;
route 10.0.0.0/8;
/* 172.16.0.0/16 is created locally, but no export policy on this page accepts it, so it is never advertised to either peer. */
route 172.16.0.0/16;
}
autonomous-system 300;
}
/* vMX-3 BGP: per-neighbor export policy chains decide which aggregates each peer receives. */
protocols {
bgp {
/* NOTE(review): no authentication-key and no import policy are visible in this group, so whatever the peers advertise is handled by the Junos default import behaviour. Acceptable in a lab; a real eBGP edge would normally add session authentication and explicit import filtering. */
group ebgp-peer {
type external;
log-updown;
/* vMX-2 (AS 200). The chain is evaluated left to right and stops at the first policy that reaches a terminating action: to-R1 accepts 192.168.0.0/16, to-R2 accepts 10.0.0.0/8, default-policy rejects everything else. */
neighbor 202.103.23.2 {
export [ to-R1 to-R2 default-policy ];
peer-as 200;
}
/* vMX-1 (AS 100). Only to-R1 precedes the final reject, so 192.168.0.0/16 is the only prefix advertised. */
neighbor 202.103.13.1 {
export [ to-R1 default-policy ];
peer-as 100;
}
}
}
}
/* Policies referenced by the BGP export chains on vMX-3. A route that matches no term in a policy falls through to the next policy in the chain. */
policy-options {
/* No "from" clause, so every route that reaches this policy matches and is rejected. Placing it last makes the chain end in an explicit deny instead of falling through to the Junos default BGP export policy. */
policy-statement default-policy {
then reject;
}
/* Accepts only the 192.168.0.0/16 aggregate. Both "from" conditions must match: the route must come from protocol aggregate and be exactly this prefix length. */
policy-statement to-R1 {
from {
protocol aggregate;
route-filter 192.168.0.0/16 exact;
}
then accept;
}
/* Accepts only the 10.0.0.0/8 aggregate, using the same two-condition match as to-R1. */
policy-statement to-R2 {
from {
protocol aggregate;
route-filter 10.0.0.0/8 exact;
}
then accept;
}
}
查看vMX-1路由表 [edit] root@vMX-1# run show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.0.0/16 *[BGP/170] 00:33:02, localpref 100
AS path: 300 I, validation-state: unverified
> to 202.103.13.3 via ge-0/0/2.0
202.103.13.0/24 *[Direct/0] 00:56:38
> via ge-0/0/2.0
202.103.13.1/32 *[Local/0] 00:56:38
Local via ge-0/0/2.0
查看vMX-2路由表 [edit] root@vMX-2# run show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8 *[BGP/170] 00:32:38, localpref 100
AS path: 300 I, validation-state: unverified
> to 202.103.23.3 via ge-0/0/0.0
192.168.0.0/16 *[BGP/170] 00:32:38, localpref 100
AS path: 300 I, validation-state: unverified
> to 202.103.23.3 via ge-0/0/0.0
202.103.23.0/24 *[Direct/0] 00:52:45
> via ge-0/0/0.0
202.103.23.2/32 *[Local/0] 00:52:45
Local via ge-0/0/0.0
查看vMX-3路由表 [edit] root@vMX-3# run show route
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8 *[Aggregate/130] 00:33:39
Reject
10.1.1.0/24 *[Direct/0] 00:39:47
> via lo0.0
10.1.1.3/32 *[Local/0] 00:39:47
Local via lo0.0
10.2.1.0/24 *[Direct/0] 00:39:47
> via lo0.0
10.2.1.3/32 *[Local/0] 00:39:47
Local via lo0.0
172.16.0.0/16 *[Aggregate/130] 00:33:39
Reject
172.16.0.0/24 *[Direct/0] 00:39:47
> via lo0.0
172.16.0.3/32 *[Local/0] 00:39:47
Local via lo0.0
192.168.0.0/16 *[Aggregate/130] 00:33:39
Reject
192.168.1.0/24 *[Direct/0] 00:40:36
> via lo0.0
192.168.1.3/32 *[Local/0] 00:40:36
Local via lo0.0
192.168.2.0/24 *[Direct/0] 00:40:18
> via lo0.0
192.168.2.3/32 *[Local/0] 00:40:18
Local via lo0.0
192.168.3.0/24 *[Direct/0] 00:39:47
> via lo0.0
192.168.3.3/32 *[Local/0] 00:39:47
Local via lo0.0
202.103.13.0/24 *[Direct/0] 00:51:32
> via ge-0/0/2.0
202.103.13.3/32 *[Local/0] 00:51:32
Local via ge-0/0/2.0
202.103.23.0/24 *[Direct/0] 00:51:32
> via ge-0/0/0.0
202.103.23.3/32 *[Local/0] 00:51:32
Local via ge-0/0/0.0
root@vMX-3# run show route protocol aggregate
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8 *[Aggregate/130] 00:34:03
Reject
172.16.0.0/16 *[Aggregate/130] 00:34:03
Reject
192.168.0.0/16 *[Aggregate/130] 00:34:03
Reject
vMX-3将192.168.0.0/16的路由通告给vMX-1,下一跳自己 [edit] root@vMX-3# run show route advertising-protocol bgp 202.103.13.1
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 192.168.0.0/16 Self I
vMX-3将192.168.0.0/16、10.0.0.0/8的路由通告给vMX-2,下一跳自己 root@vMX-3# run show route advertising-protocol bgp 202.103.23.2
inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.0.0.0/8 Self I
* 192.168.0.0/16 Self I
到此为止所有的需求已经实现。