HCIP-IERS Deployment of Enterprise-level Routing and Switching Network - HCIP Decomposition Experiment - IS-IS Route Filtering (9)

IS-IS Experiment 9: IS-IS Route Filtering

On an IS-IS network, it is sometimes necessary to use the filter-policy tool to filter IS-IS routes. The filtering meant here acts at the point where the router installs routes from its own IS-IS routing table into its own IP routing table: only some of the IS-IS routes are installed in the IP routing table.

It should be noted that the filter-policy does not filter the LSPs that generate those IS-IS routes, so after the filter-policy performs route filtering, the IS-IS link state database and IS-IS routing table in the router will not be affected in any way.

 

All routers are level-2 routers

Basic configuration
R1:
undo ter mo
sys
sysname R1
user-interface console 0
idle-timeout 0 0
int loop 0
ip add 1.1.1.1 24
int g0/0/0
ip add 192.168.12.1 24
int g0/0/1
ip add 192.168.14.1 24
q

R2:
undo ter mo
sys
sysname R2
user-interface console 0
idle-timeout 0 0
int loop 0
ip add 2.2.2.2 24
int g0/0/0
ip add 192.168.12.2 24
int g0/0/1
ip add 192.168.23.2 24
q

R3:
undo ter mo
sys
sysname R3
user-interface console 0
idle-timeout 0 0
int loop 1
ip add 172.16.1.1 24
int loop 2
ip add 172.16.2.1 24
int g0/0/1
ip add 192.168.23.3 24
int g0/0/2
ip add 192.168.34.3 24
q

R4:
undo ter mo
sys
sysname R4
user-interface console 0
idle-timeout 0 0
int loop 0
ip add 4.4.4.4 24
int g0/0/1
ip add 192.168.14.4 24
int g0/0/2
ip add 192.168.34.4 24
q

Configure IS-IS protocol, all routers are Level-2 routers
R1:
isis
network-entity 10.0000.0000.0001.00
is-name R1
is-level level-2
int loo 0
isis enable
int g0/0/0
isis enable
int g0/0/1
isis enable
q

R2:
isis
network-entity 10.0000.0000.0002.00
is-name R2
is-level level-2
int loo 0
isis enable
int g0/0/0
isis enable
int g0/0/1
isis enable
q

R3:
isis
network-entity 20.0000.0000.0003.00
is-name R3
is-level level-2
int loo 1
isis enable
int loo 2
isis enable
int g0/0/1
isis enable
int g0/0/2
isis enable
q

R4:
isis
network-entity 10.0000.0000.0004.00
is-name R4
is-level level-2
int loo 0
isis enable
int g0/0/1
isis enable
int g0/0/2
isis enable
q

After the configuration is complete, check that the neighbor relationships are established and that the routing tables have learned the routes normally.

========
Use filter-policy to implement route filtering
R1 can only access loopback 1 of R3 via R2
R1 can only access loopback 2 of R3 via R4

Filter out the loopback 2 of R3 on R2
R2:
acl 2000
rule deny source 172.16.2.0 0.0.0.255
rule permit source any

isis
filter-policy 2000 import


<R2>display ip routing-table

 

172.16.2.0 is gone from the IP routing table and only 172.16.1.0 remains,
but the route is still present in the IS-IS routing table:
display isis route

 

The route entries that are filtered out cannot enter the IP routing table, but the LSPs that generate these routes are not filtered.

Filter out loopback 1 of R3 on R4
R4:
acl 2000
rule deny source 172.16.1.0 0.0.0.255
rule permit source any

isis
filter-policy 2000 import

Check: there is no route for 172.16.1.0 in the routing table of R4.

=========
Use filter-policy and route-policy together

Viewing the routing table on R1, the two routes still have two next hops each. The filtering on R2 and R4 has no effect on R1, because the LSPs of these two routes continue to flood.
When performing route filtering on R1, both the prefix of the route and the next hop of the route must be considered.

R1:
Define ACL 2012 to match route next hop 192.168.12.2
Define ACL 2014 to match route next hop 192.168.14.4
Define ACL 2001 to match route prefix 172.16.1.0/24
Define ACL 2002 to match route prefix 172.16.2.0/24


R1:
acl 2001
rule permit source 172.16.1.0 0.0.0.255
acl 2002
rule permit source 172.16.2.0 0.0.0.255
acl 2012
rule permit source 192.168.12.2 0
acl 2014
rule permit source 192.168.14.4 0


route-policy 10 deny node 1
if-match ip next-hop acl 2012
if-match acl 2002

route-policy 10 deny node 2
if-match ip next-hop acl 2014
if-match acl 2001

route-policy 10 permit node 3

isis
filter-policy route-policy 10 import

=======
Alternatively, use permit nodes to let the wanted routes through
R1:
route-policy 10 permit node 1
if-match ip next-hop acl 2012
if-match acl 2001


route-policy 10 permit node 2
if-match ip next-hop acl 2014
if-match acl 2002

After the configuration is complete, check the routing table of R1

 

The requirements are now met.
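
A simplified model of how R1's two route-policy variants decide which IS-IS routes reach the IP routing table. This is an added example, not part of the original lab and not router output. It assumes first-match node evaluation, all if-match clauses in a node must match, and a default deny when no node matches; the route list and the names ACLS, evaluate and install are constructed for illustration.

```python
import ipaddress

# Constructed from the lab above: ACLs on R1 as (address, wildcard) permit rules.
ACLS = {
    2001: [("172.16.1.0", "0.0.0.255")],
    2002: [("172.16.2.0", "0.0.0.255")],
    2012: [("192.168.12.2", "0.0.0.0")],
    2014: [("192.168.14.4", "0.0.0.0")],
}

def acl_permits(acl, addr):
    """True if addr matches a permit rule; an ACL with no matching rule denies."""
    a = int(ipaddress.IPv4Address(addr))
    for base, wildcard in ACLS[acl]:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if a & care == int(ipaddress.IPv4Address(base)) & care:
            return True
    return False

def evaluate(policy, prefix, next_hop):
    """First node whose if-match clauses ALL match decides; no match means deny."""
    for mode, nh_acl, prefix_acl in policy:
        if nh_acl is not None and not acl_permits(nh_acl, next_hop):
            continue
        if prefix_acl is not None and not acl_permits(prefix_acl, prefix):
            continue
        return mode == "permit"
    return False

def install(policy, isis_routes):
    """Return the IP routing table; the IS-IS route list itself is not modified."""
    return [(p, nh) for p, nh in isis_routes if evaluate(policy, p, nh)]

# Nodes as (mode, next-hop ACL, prefix ACL); None means no if-match clause.
DENY_POLICY = [("deny", 2012, 2002), ("deny", 2014, 2001), ("permit", None, None)]
PERMIT_POLICY = [("permit", 2012, 2001), ("permit", 2014, 2002)]

# Constructed sample of R1's IS-IS routes (prefix, next hop), not router output.
ISIS_ROUTES = [
    ("172.16.1.0", "192.168.12.2"), ("172.16.1.0", "192.168.14.4"),
    ("172.16.2.0", "192.168.12.2"), ("172.16.2.0", "192.168.14.4"),
    ("2.2.2.0", "192.168.12.2"), ("4.4.4.0", "192.168.14.4"),
]

if __name__ == "__main__":
    for name, pol in (("deny nodes + permit node 3", DENY_POLICY),
                      ("permit nodes only", PERMIT_POLICY)):
        print(name)
        for route in install(pol, ISIS_ROUTES):
            print("   %-12s via %s" % route)
```

In this model the permit-only variant also drops 2.2.2.0 and 4.4.4.0, because no node matches them; the deny variant keeps them through permit node 3.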


Origin blog.csdn.net/weixin_57099902/article/details/132467358