Policy-chain Lab

  • Lab topology

The following subnets are attached to the lo0.0 interface of vMX-3:
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
10.1.1.0/24
10.2.1.0/24
172.16.0.0/24

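  • Configuration requirements
    Route summarization is performed on R3:
    192.168.0.0/16
    10.0.0.0/8
    172.16.0.0/16

Requirements:
R3 advertises only the aggregate route 192.168.0.0/16 to R1
R3 advertises the aggregate routes 192.168.0.0/16 and 10.0.0.0/16 to R2 (all other routes are rejected)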

  • Configuration example

vMX-1 configuration
root@vMX-1# run show configuration
version 14.1R1.10;
system {
    root-authentication {
        encrypted-password "$1$a0zjPx7P$4Va9RcsxrIuHWJz.fhmrS0"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 202.103.13.1/24;
            }
        }
    }
}
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.13.3 {
                peer-as 300;
            }
        }
    }
}

vMX-2 configuration
[edit]
root@vMX-2# run show configuration
version 14.1R1.10;
system {
    host-name vMX-2;
    root-authentication {
        encrypted-password "$1$QsSbO49u$DmMrWquAJ739RmUFn3CLo1"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 202.103.23.2/24;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    bgp {
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.23.3 {
                peer-as 300;
            }
        }
    }
}

vMX-3 configuration
root@vMX-3# run show configuration
version 14.1R1.10;
system {
    host-name vMX-3;
    root-authentication {
        encrypted-password "$1$QYBXvplE$9SwS1OUd9MaGzBo0f3I760"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 202.103.23.3/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 202.103.13.3/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.1.3/24;
                address 192.168.2.3/24;
                address 192.168.3.3/24;
                address 10.1.1.3/24;
                address 10.2.1.3/24;
                address 172.16.0.3/24;
            }
        }
    }
}
routing-options {
    aggregate {
        route 192.168.0.0/16;
        route 10.0.0.0/8;
        route 172.16.0.0/16;
    }
    autonomous-system 300;
}
protocols {
    bgp {
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.23.2 {
                export [ to-R1 to-R2 default-policy ];
                peer-as 200;
            }
            neighbor 202.103.13.1 {
                export [ to-R1 default-policy ];
                peer-as 100;
            }
        }
    }
}
policy-options {
    policy-statement default-policy {
        then reject;
    }
    policy-statement to-R1 {
        from {
            protocol aggregate;
            route-filter 192.168.0.0/16 exact;
        }
        then accept;
    }
    policy-statement to-R2 {
        from {
            protocol aggregate;
            route-filter 10.0.0.0/8 exact;
        }
        then accept;
    }
}

View the vMX-1 routing table
[edit]
root@vMX-1# run show route

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.0/16     *[BGP/170] 00:33:02, localpref 100
                      AS path: 300 I, validation-state: unverified
                    > to 202.103.13.3 via ge-0/0/2.0
202.103.13.0/24    *[Direct/0] 00:56:38
                    > via ge-0/0/2.0
202.103.13.1/32    *[Local/0] 00:56:38
                      Local via ge-0/0/2.0

View the vMX-2 routing table
[edit]
root@vMX-2# run show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[BGP/170] 00:32:38, localpref 100
                      AS path: 300 I, validation-state: unverified
                    > to 202.103.23.3 via ge-0/0/0.0
192.168.0.0/16     *[BGP/170] 00:32:38, localpref 100
                      AS path: 300 I, validation-state: unverified
                    > to 202.103.23.3 via ge-0/0/0.0
202.103.23.0/24    *[Direct/0] 00:52:45
                    > via ge-0/0/0.0
202.103.23.2/32    *[Local/0] 00:52:45
                      Local via ge-0/0/0.0

View the vMX-3 routing table
[edit]
root@vMX-3# run show route

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Aggregate/130] 00:33:39
                      Reject
10.1.1.0/24        *[Direct/0] 00:39:47
                    > via lo0.0
10.1.1.3/32        *[Local/0] 00:39:47
                      Local via lo0.0
10.2.1.0/24        *[Direct/0] 00:39:47
                    > via lo0.0
10.2.1.3/32        *[Local/0] 00:39:47
                      Local via lo0.0
172.16.0.0/16      *[Aggregate/130] 00:33:39
                      Reject
172.16.0.0/24      *[Direct/0] 00:39:47
                    > via lo0.0
172.16.0.3/32      *[Local/0] 00:39:47
                      Local via lo0.0
192.168.0.0/16     *[Aggregate/130] 00:33:39
                      Reject
192.168.1.0/24     *[Direct/0] 00:40:36
                    > via lo0.0
192.168.1.3/32     *[Local/0] 00:40:36
                      Local via lo0.0
192.168.2.0/24     *[Direct/0] 00:40:18
                    > via lo0.0
192.168.2.3/32     *[Local/0] 00:40:18
                      Local via lo0.0
192.168.3.0/24     *[Direct/0] 00:39:47
                    > via lo0.0
192.168.3.3/32     *[Local/0] 00:39:47
                      Local via lo0.0
202.103.13.0/24    *[Direct/0] 00:51:32
                    > via ge-0/0/2.0
202.103.13.3/32    *[Local/0] 00:51:32
                      Local via ge-0/0/2.0
202.103.23.0/24    *[Direct/0] 00:51:32
                    > via ge-0/0/0.0
202.103.23.3/32    *[Local/0] 00:51:32
                      Local via ge-0/0/0.0

root@vMX-3# run show route protocol aggregate

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Aggregate/130] 00:34:03
                      Reject
172.16.0.0/16      *[Aggregate/130] 00:34:03
                      Reject
192.168.0.0/16     *[Aggregate/130] 00:34:03
                      Reject

vMX-3 advertises the 192.168.0.0/16 route to vMX-1, with next hop Self
[edit]
root@vMX-3# run show route advertising-protocol bgp 202.103.13.1

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.0.0/16          Self                                    I

vMX-3 advertises the 192.168.0.0/16 and 10.0.0.0/8 routes to vMX-2, with next hop Self
root@vMX-3# run show route advertising-protocol bgp 202.103.23.2

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.0.0.0/8              Self                                    I
* 192.168.0.0/16          Self                                    I

At this point all requirements have been met.
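
The export chains on vMX-3 can be checked offline by modelling how Junos evaluates a policy chain: policies run left to right, the first accept or reject ends evaluation, and a route that no policy decides falls through to the BGP default export policy. This is an added example, not part of the original lab; the 203.0.113.0/24 BGP-learned route is a constructed sample that shows what the trailing default-policy keeps from being re-advertised.

```python
import ipaddress

# Terms from vMX-3's policy-options: (protocol, route-filter exact prefix, action).
# None means "no match condition", so the term matches every route.
POLICIES = {
    "to-R1": [("aggregate", "192.168.0.0/16", "accept")],
    "to-R2": [("aggregate", "10.0.0.0/8", "accept")],
    "default-policy": [(None, None, "reject")],
}
# Export chains from the page, keyed by neighbor address.
CHAINS = {
    "202.103.13.1": ["to-R1", "default-policy"],
    "202.103.23.2": ["to-R1", "to-R2", "default-policy"],
}
# Routes from vMX-3's "show route" output, plus one constructed BGP-learned
# route (203.0.113.0/24) that is not on the page.
ROUTES = [("aggregate", p) for p in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/16")]
ROUTES += [("direct", p) for p in ("192.168.1.0/24", "10.1.1.0/24", "172.16.0.0/24")]
ROUTES += [("bgp", "203.0.113.0/24")]  # constructed sample


def term_matches(term, protocol, prefix):
    """Conditions inside one 'from' are ANDed; 'exact' needs an identical prefix."""
    want_proto, want_prefix, _ = term
    if want_proto is not None and want_proto != protocol:
        return False
    if want_prefix is not None:
        return ipaddress.ip_network(want_prefix) == ipaddress.ip_network(prefix)
    return True


def evaluate(chain, protocol, prefix):
    """Walk the chain left to right; the first accept/reject ends evaluation."""
    for name in chain:
        for term in POLICIES[name]:
            if term_matches(term, protocol, prefix):
                return term[2]
    # Nothing in the chain decided: the BGP default export policy applies,
    # which re-advertises active BGP routes and nothing else.
    return "accept" if protocol == "bgp" else "reject"


def advertised(chain):
    return sorted(p for proto, p in ROUTES if evaluate(chain, proto, p) == "accept")


if __name__ == "__main__":
    for neighbor, chain in CHAINS.items():
        print(neighbor, advertised(chain))
```

With the chain cut down to to-R1 alone, the constructed BGP route is accepted by the default export policy, which is the re-advertisement the final reject-all policy closes off.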
