Configuring OSPFv3 to import external routes and route filtering experiment

Experimental topology:

Experimental content:

  1. Enable OSPFv3 routing protocol on R1, R2, R3, R4, and R5.
  2. R1 and R2 are in Area 0, R1 and R3 are in Area 2, R1 and R5 are in Area 1, and R2 and R4 are in Area 3. After the OSPFv3 neighbor relationships are established, R1, R2, R3, R4, and R5 can communicate with each other.
  3. Enable the ISISv6 routing protocol on R5, R6, and R7. R5 and R6 are Level-1-2, and R7 is Level 1. After the neighbor relationships are established, R5, R6, and R7 can communicate with each other.
  4. Redistribute OSPFv3 and ISISv6 routes into each other on R5, and filter the imported routes on R5 so that the network segment where R&D Department 2 is located cannot access the network segments where Marketing Department 1, R&D Department 1, and the After-Sales Service Department are located.
  5. Use the route filtering function on R3 to prevent the network segment where the market department is located from accessing the R&D department.
  6. Use the route filtering function on R4 so that the network segments where R&D Department 1 and the After-Sales Service Department are located cannot access Marketing Department 2.

Configuration steps:

1. Configure interface information and OSPFv3 protocol on R1-R5

R1:

ipv6

ospfv3 1 //Configure ospfv3 (support IPv6)
 router-id 1.1.1.1
 area 0
 area 1
 area 2

interface GigabitEthernet0/0/0
 ipv6 enable //Enable ipv6 on the interface
 ipv6 address 2012::1/64 //Configure ipv6 address
 ospfv3 1 area 0.0.0.0 //Declare ospfv3 process 1 area 0

interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2013::1/64
 ospfv3 1 area 0.0.0.2

interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2015::1/64
 ospfv3 1 area 0.0.0.1


interface LoopBack0
 ipv6 enable
 ipv6 address 1111::1/128
 ospfv3 1 area 0.0.0.0

The OSPFv3 configuration of the other routers is omitted.

1.1. Check neighbor establishment status and route learning status
[R1]dis ospfv3 peer
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
Neighbor ID Pri State Dead Time Interface Instance ID
2.2.2.2 1 Full/DR 00:00:39 GE0/0/0 0
OSPFv3 Area (0.0.0.1)
Neighbor ID Pri State Dead Time Interface Instance ID
5.5.5.5 1 Full/Backup 00:00:33 GE0/0/2 0
OSPFv3 Area (0.0.0.2)
Neighbor ID Pri State Dead Time Interface Instance ID
3.3.3.3 1 Full/Backup 00:00:37 GE0/0/1 0

//All neighbors are in the Full state

//View route learning status in R5
[R5]dis ospfv3 routing



OSPFv3 Process (1)
     Destination Metric
       Next-hop
  IA 1111::1/128 1
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 2001::/64 3
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 2003::/64 4
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 2006::/64 4
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 2012::/64 2
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 2013::/64 2
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
     2015::/64 1
       directly connected, GigabitEthernet0/0/2
  IA 2024::/64 3
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 2222::2/128 2
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 3333::3/128 2
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2
  IA 4444::44/128 3
       via FE80::2E0:FCFF:FEE1:3E6F, GigabitEthernet0/0/2


//R5 has learned all routes in the OSPFv3 domain

2. Configure interface information and ISIS configuration on R5, R6, and R7

R5:

ipv6

isis 1
 is-level level-2 //Configure IS-Level 2
 network-entity 10.0000.0000.0005.00
 ipv6 enable topology standard //Enable IPv6 for IS-IS with the standard topology type

 
 interface GigabitEthernet0/0/1
 ipv6 enable //Enable ipv6 on the interface
 ipv6 address 2056::5/64 //Interface configuration ipv6 address
 isis ipv6 enable 1 //Enable ipv6 isis on the interface
 

R6:

ipv6

isis 1
 network-entity 10.0000.0000.0006.00
 
 ipv6 enable topology standard





interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2056::6/64
 isis ipv6 enable 1

interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2067::6/64
 isis ipv6 enable 1

R7:

ipv6

isis 1
 is-level level-1 //Configure isis Level1
 network-entity 10.0000.0000.0007.00
 
 ipv6 enable topology standard

firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ipv6 enable
 ipv6 address 2004::1/64
 isis ipv6 enable 1
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2005::1/64
 isis ipv6 enable 1
#
interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2067::7/64
 isis ipv6 enable 1
 
2.1. Check neighbor establishment status and route learning status

R6:

//View isis neighbors
[R6]dis isis peer

                          Peer information for ISIS(1)

  System Id Interface Circuit Id State HoldTime Type PRI
-------------------------------------------------- --------------------------
0000.0000.0005 GE0/0/1 0000.0000.0006.01 Up 20s L2 64
0000.0000.0007 GE0/0/2 0000.0000.0006.02 Up 20s L1 64

//View route learning status
[R6]dis isis route

                         Route information for ISIS(1)
                         --------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

 IPV6 Dest. ExitInterface NextHop Cost Flags
-------------------------------------------------- --------------------------
 2005::/64 GE0/0/2 FE80::2E0:FCFF:FEB1:35A 20 A/L/-
 2056::/64 GE0/0/1 Direct 10 D/L/-
 2004::/64 GE0/0/2 FE80::2E0:FCFF:FEB1:35A 20 A/L/-
 6666::6/128 Loop0 Direct 0 D/L/-
 2067::/64 GE0/0/2 Direct 10 D/L/-

     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set


                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

 IPV6 Dest. ExitInterface NextHop Cost Flags
-------------------------------------------------- --------------------------
 5555::5/128 GE0/0/1 FE80::2E0:FCFF:FE35:3D91 10 A/-/-
 2056::/64 GE0/0/1 Direct 10 D/L/-
 6666::6/128 Loop0 Direct 0 D/L/-
 2067::/64 GE0/0/2 Direct 10 D/L/-

     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

3. On R5, import ISISv6 and OSPFv3 routes into each other so that the two domains are fully interconnected

R5:

isis 1

 ipv6 import-route ospfv3 1 //Import OSPFv3 routes into ISISv6
 
ospfv3 1
 import-route isis 1 //Import ISISv6 routes into OSPFv3

R6:

isis 1

 ipv6 import-route isis level-2 into level-1 //Leak Level-2 routes into Level-1

3.1. View routing entries on R7 and R4

R7:

[R7]dis isis route

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

 IPV6 Dest. ExitInterface NextHop Cost Flags
-------------------------------------------------- --------------------------
 2005::/64 GE0/0/1 Direct 10 D/L/-
 2013::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 5555::5/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2056::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/-
 3333::3/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2004::/64 GE0/0/0 Direct 10 D/L/-
 1111::1/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2012::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2003::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 6666::6/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 10 A/-/-
 2024::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 4444::44/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2067::/64 GE0/0/2 Direct 10 D/L/-
 2015::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2222::2/128 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2006::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U
 2001::/64 GE0/0/2 FE80::2E0:FCFF:FEBF:80F3 20 A/-/U

   
 
 
//Routes are learned normally

R4:

[R4]dis ospfv3 routing

Codes: E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
        N - NSSA, U - Uninstalled

OSPFv3 Process (1)
     Destination Metric
       Next-hop
  IA 1111::1/128 2
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  IA 2001::/64 4
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
     2003::/64 1
       directly connected, GigabitEthernet0/0/2
  E2 2004::/64 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  E2 2005::/64 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
     2006::/64 1
       directly connected, GigabitEthernet0/0/0
  IA 2012::/64 2
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  IA 2013::/64 3
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  IA 2015::/64 3
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
     2024::/64 1
       directly connected, GigabitEthernet0/0/1
  E2 2056::/64 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  E2 2067::/64 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  IA 2222::2/128 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  IA 3333::3/128 3
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
     4444::44/128 0
       directly connected, LoopBack0
  E2 5555::5/128 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
  E2 6666::6/128 1
       via FE80::2E0:FCFF:FEFA:615E, GigabitEthernet0/0/1
       
//Routes are learned normally

4. When importing IS-IS routes into OSPFv3 on R5, filter out the routes of R&D 2

R5:

ip ipv6-prefix deny_list index 10 permit 2005:: 64 //Use the prefix list to match the network segment of R&D 2

route-policy deny deny node 10 //Deny node: reject the routes that match the prefix list
 if-match ipv6 address prefix-list deny_list

route-policy deny permit node 20 //Permit all routes that the prefix list does not match

ospfv3 1

 import-route isis 1 route-policy deny //Call route-policy when importing routes 
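
How the step-4 policy evaluates each IS-IS route, as an added Python example that is not part of the original lab. The prefix list and node layout mirror R5's configuration; the `2005::8000:0:0:0/65` route is constructed, and the `less-equal 128` variant is an assumption, not something the lab configures.

```python
import ipaddress

# Constructed model of R5's step-4 policy. Entry = (action, network, ge, le).
# Without greater-equal/less-equal, an ip ipv6-prefix entry matches only the
# exact prefix length, as in the page's "permit 2005:: 64".
AS_CONFIGURED = [("permit", ipaddress.ip_network("2005::/64"), 64, 64)]
# Assumed variant (not in the lab): the same entry with "less-equal 128".
WITH_LESS_EQUAL = [("permit", ipaddress.ip_network("2005::/64"), 64, 128)]
# (node, mode, has_if_match): node 20 has no if-match, so it matches every route.
ROUTE_POLICY = [(10, "deny", True), (20, "permit", False)]

# IS-IS routes that R4 showed as E2 before filtering (from the page), plus one
# constructed more-specific prefix inside the R&D 2 segment.
ISIS_ROUTES = ["2004::/64", "2005::/64", "2056::/64", "2067::/64",
               "5555::5/128", "6666::6/128", "2005::8000:0:0:0/65"]

def prefix_list_permits(route, prefix_list):
    """True if the first prefix-list entry that matches the route is a permit."""
    for action, net, ge, le in prefix_list:
        if route.subnet_of(net) and ge <= route.prefixlen <= le:
            return action == "permit"
    return False  # implicit deny at the end of a prefix list

def policy_allows(route, prefix_list):
    """Walk the nodes in order; the first node whose if-match succeeds decides."""
    for _node, mode, has_if_match in ROUTE_POLICY:
        if not has_if_match or prefix_list_permits(route, prefix_list):
            return mode == "permit"
    return False  # no node matched: the route is not imported

def imported(routes, prefix_list):
    """Routes that OSPFv3 would import from IS-IS under the given prefix list."""
    return [r for r in routes
            if policy_allows(ipaddress.ip_network(r), prefix_list)]

if __name__ == "__main__":
    for name, plist in (("as configured", AS_CONFIGURED),
                        ("with less-equal 128", WITH_LESS_EQUAL)):
        print(name, "->", imported(ISIS_ROUTES, plist))
```

As configured, the entry matches only the exact /64, so a more-specific prefix inside R&D 2's segment would fall through to node 20 and be imported; appending `less-equal 128` to the prefix-list entry makes node 10 reject it as well.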

4.1. Verification:
[R1]dis ospfv3 routing

OSPFv3 Process (1)
     Destination Metric
       Next-hop
     1111::1/128 0
       directly connected, LoopBack0
     2001::/64 2
       via FE80::2E0:FCFF:FEB7:4E02, GigabitEthernet0/0/1
  IA 2003::/64 3
       via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
  E2 2004::/64 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
  IA 2006::/64 3
       via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
     2012::/64 1
       directly connected, GigabitEthernet0/0/0
     2013::/64 1
       directly connected, GigabitEthernet0/0/1
     2015::/64 1
       directly connected, GigabitEthernet0/0/2
  IA 2024::/64 2
       via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
  E2 2056::/64 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
  E2 2067::/64 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
     2222::2/128 1
       via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
     3333::3/128 1
       via FE80::2E0:FCFF:FEB7:4E02, GigabitEthernet0/0/1
  IA 4444::44/128 2
       via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
  E2 5555::5/128 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
  E2 6666::6/128 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
       

//The network segment of R&D 2 was filtered out
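
A check for this verification step, as an added Python example that is not part of the original lab: it parses `dis ospfv3 routing` output and reports any route that still covers the filtered segment, including a less-specific one such as a default route. The sample text is a constructed subset of R1's output above, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: a subset of R1's routing output after filtering.
SAMPLE = """\
OSPFv3 Process (1)
     Destination Metric
       Next-hop
     2001::/64 2
       via FE80::2E0:FCFF:FEB7:4E02, GigabitEthernet0/0/1
  E2 2004::/64 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
  IA 2006::/64 3
       via FE80::2E0:FCFF:FEFA:615D, GigabitEthernet0/0/0
     2015::/64 1
       directly connected, GigabitEthernet0/0/2
  E2 2056::/64 1
       via FE80::2E0:FCFF:FE35:3D92, GigabitEthernet0/0/2
"""

# Route line: optional type code, prefix/length, metric.
ROUTE_RE = re.compile(
    r"^\s*(?:(E1|E2|IA|N|U)\s+)?([0-9A-Fa-f:]+/\d{1,3})\s+(\d+)\s*$")

def parse_routes(text):
    """Return (type, network, metric, next-hop line) for each two-line entry."""
    routes, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = ROUTE_RE.match(line)
        if m:
            hop = lines[i + 1].strip() if i + 1 < len(lines) else ""
            net = ipaddress.ip_network(m.group(2), strict=False)
            routes.append((m.group(1) or "intra", net, int(m.group(3)), hop))
    return routes

def leaks(text, blocked):
    """Routes that still give a path to `blocked`: the exact prefix, a
    more-specific one, or a covering one such as ::/0."""
    target = ipaddress.ip_network(blocked)
    return [str(net) for _t, net, _m, _h in parse_routes(text)
            if net.overlaps(target)]

if __name__ == "__main__":
    print("routes still covering 2005::/64:", leaks(SAMPLE, "2005::/64"))
```

An empty list is the expected result on R1 after step 4; any entry, including a default route, means the segment is still reachable by routing even though `2005::/64` itself is absent.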

R&D Department 2:

PC>ping 2001::2

Ping 2001::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!

--- 2001::2 ping statistics ---
  2 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 2006::2

Ping 2006::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!

--- 2006::2 ping statistics ---
  2 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 2003::2

Ping 2003::2: 32 data bytes, Press Ctrl_C to break
Request timeout!

--- 2003::2 ping statistics ---
  2 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
  
//R&D Department 2 cannot access Marketing Department 1, R&D Department 1, or the after-sales servers

5. On R3, use filter-policy to filter the 2006:: route

acl ipv6 number 2000
 rule 5 deny source 2006::/64 //Define an ACL that denies the 2006:: route
 rule 10 permit

ospfv3 1
 router-id 3.3.3.3
 filter-policy 2000 import //Apply the ACL in the inbound direction of the OSPFv3 process (a link-state protocol cannot apply the policy in the outbound direction)
 
5.1. Verification:

Market Department:

PC>ping 2006::2

Ping 2006::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!

--- 2006::2 ping statistics ---
  3 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss


//Marketing Department 1 cannot ping R&D Department 1

6. Filter the route of Marketing Department 2 on R4

R4:

acl ipv6 number 2000
 rule 5 deny source 2004::/64 //Define an ACL that denies the 2004:: route
 rule 10 permit

ospfv3 1
 router-id 4.4.4.4
 filter-policy 2000 import //Apply the ACL in the inbound direction of the OSPFv3 process (a link-state protocol cannot apply the policy in the outbound direction)

6.1. Verification:
PC>ping 2003::2

Ping 2003::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!

--- 2003::2 ping statistics ---
  2 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 2006::2

Ping 2006::2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!

--- 2006::2 ping statistics ---
  2 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss


//Marketing Department 2 cannot ping R&D Department 1 or the after-sales server