CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Example for Using Basic ACLs to Filter OSPF Routes

Networking Requirements

As shown in Figure 5-15, RouterA on an OSPF network receives routes from the Internet and provides these routes to the OSPF network. The user wants devices on the OSPF network to access only the network segments 172.16.17.0/24, 172.16.18.0/24, and 172.16.19.0/24, and RouterC to access only the network segment 172.16.18.0/24.

Figure 5-15  Networking diagram for filtering received and advertised routes

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:

  1. Configure an ACL on RouterA so that RouterA advertises only the 172.16.17.0/24, 172.16.18.0/24, and 172.16.19.0/24 routes to RouterB. In this situation, the OSPF network can access only 172.16.17.0/24, 172.16.18.0/24, and 172.16.19.0/24.

  2. Configure an ACL on RouterC so that RouterC receives only the 172.16.18.0/24 route. In this situation, the network connected to RouterC can access only the network segment 172.16.18.0/24.

Procedure

  1. Assign an IP address to each interface.

    # Configure IP addresses for all interfaces of RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit

    The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.

  2. Configure basic OSPF functions.

    # Configure RouterA.

    [RouterA] ospf
    [RouterA-ospf-1] area 0
    [RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [RouterA-ospf-1-area-0.0.0.0] quit
    [RouterA-ospf-1] quit

    # Configure RouterB.

    [RouterB] ospf
    [RouterB-ospf-1] area 0
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] quit

    # Configure RouterC.

    [RouterC] ospf
    [RouterC-ospf-1] area 0
    [RouterC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.0] quit
    [RouterC-ospf-1] quit

    # Configure RouterD.

    [RouterD] ospf
    [RouterD-ospf-1] area 0
    [RouterD-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
    [RouterD-ospf-1-area-0.0.0.0] quit

  3. Configure five static routes on RouterA and import these routes into OSPF.

    [RouterA] ip route-static 172.16.16.0 24 NULL 0
    [RouterA] ip route-static 172.16.17.0 24 NULL 0
    [RouterA] ip route-static 172.16.18.0 24 NULL 0
    [RouterA] ip route-static 172.16.19.0 24 NULL 0
    [RouterA] ip route-static 172.16.20.0 24 NULL 0
    [RouterA] ospf
    [RouterA-ospf-1] import-route static
    [RouterA-ospf-1] quit

    # Check the IP routing table on RouterB. You can see that the five static routes are imported into OSPF.

    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 18       Routes : 18       
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        172.16.16.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        172.16.17.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        172.16.18.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        172.16.19.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        172.16.20.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        192.168.1.0/24  Direct  0    0           D   192.168.1.2     GigabitEthernet1/0/0
        192.168.1.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
        192.168.2.0/24  Direct  0    0           D   192.168.2.1     GigabitEthernet3/0/0
        192.168.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
      192.168.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
        192.168.3.0/24  Direct  0    0           D   192.168.3.1     GigabitEthernet2/0/0
        192.168.3.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
      192.168.3.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

  4. Configure a route advertisement policy.

    # Configure ACL 2002 on RouterA to allow only 172.16.17.0/24, 172.16.18.0/24, and 172.16.19.0/24 to pass.

    [RouterA] acl number 2002
    [RouterA-acl-basic-2002] rule permit source 172.16.17.0 0.0.0.255
    [RouterA-acl-basic-2002] rule permit source 172.16.18.0 0.0.0.255
    [RouterA-acl-basic-2002] rule permit source 172.16.19.0 0.0.0.255
    [RouterA-acl-basic-2002] quit
    

    # Configure a route advertisement policy on RouterA and associate ACL 2002 with the policy to filter routes.

    [RouterA] ospf
    [RouterA-ospf-1] filter-policy 2002 export static
    [RouterA-ospf-1] quit

    # View the IP routing table on RouterB. RouterB has received only the three routes defined in ACL 2002.

    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 16       Routes : 16       
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        172.16.17.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        172.16.18.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        172.16.19.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        192.168.1.0/24  Direct  0    0           D   192.168.1.2     GigabitEthernet1/0/0
        192.168.1.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
        192.168.2.0/24  Direct  0    0           D   192.168.2.1     GigabitEthernet3/0/0
        192.168.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
      192.168.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
        192.168.3.0/24  Direct  0    0           D   192.168.3.1     GigabitEthernet2/0/0
        192.168.3.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
      192.168.3.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    

  5. Configure a route receiving policy.

    # Configure ACL 2003 on RouterC to allow only 172.16.18.0/24 to pass.

    [RouterC] acl number 2003
    [RouterC-acl-basic-2003] rule permit source 172.16.18.0 0.0.0.255
    [RouterC-acl-basic-2003] quit

    # Configure a route receiving policy on RouterC and associate ACL 2003 with the policy to filter routes.

    [RouterC] ospf
    [RouterC-ospf-1] filter-policy 2003 import
    [RouterC-ospf-1] quit

    # View the IP routing table on RouterC. RouterC has received only the route defined in ACL 2003.

    [RouterC] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8        Routes : 8        
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        172.16.18.0/24  O_ASE   150  1           D   192.168.2.1     GigabitEthernet1/0/0
        192.168.2.0/24  Direct  0    0           D   192.168.2.2     GigabitEthernet1/0/0
        192.168.2.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      192.168.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
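
The following Python model is an added example, not part of the Huawei guide. It evaluates ACL 2002 and ACL 2003 from steps 4 and 5 against RouterA's five static routes, assuming that a basic ACL used as a route filter compares only the route's network address against the rule's source and wildcard, that the lowest-numbered matching rule decides, and that a route matching no rule is denied. The 172.16.18.128/25 route is a constructed input.

```python
import ipaddress
import re

# Constructed input: the ACL stanzas from the RouterA and RouterC configuration files.
CONFIG = """
acl number 2002
 rule 5 permit source 172.16.17.0 0.0.0.255
 rule 10 permit source 172.16.18.0 0.0.0.255
 rule 15 permit source 172.16.19.0 0.0.0.255
#
acl number 2003
 rule 5 permit source 172.16.18.0 0.0.0.255
"""

RULE = re.compile(r"rule (\d+) (permit|deny) source (\S+) (\S+)")

def parse_acls(text):
    """Return {acl_number: [(rule_id, action, source_int, wildcard_int), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE.fullmatch(line)):
            rid, action, src, wc = m.groups()
            current.append((int(rid), action, int(ipaddress.IPv4Address(src)),
                            int(ipaddress.IPv4Address(wc))))
    return acls

def acl_permits(rules, route):
    """Lowest-numbered matching rule decides; a route matching no rule is denied.
    Assumption: only the network address is compared, never the mask length."""
    addr = int(ipaddress.ip_network(route).network_address)
    for _, action, src, wc in sorted(rules):
        if ((addr ^ src) & ~wc & 0xFFFFFFFF) == 0:   # wildcard bits are "don't care"
            return action == "permit"
    return False

def filter_routes(rules, routes):
    """Apply one ACL to a list of prefixes and keep the permitted ones."""
    return [r for r in routes if acl_permits(rules, r)]

ACLS = parse_acls(CONFIG)
STATIC = [f"172.16.{n}.0/24" for n in range(16, 21)]   # RouterA's five static routes

if __name__ == "__main__":
    exported = filter_routes(ACLS[2002], STATIC)        # filter-policy 2002 export static
    print("RouterA advertises:", exported)
    print("RouterC installs:  ", filter_routes(ACLS[2003], exported))  # filter-policy 2003 import
    # Constructed more-specific route: it matches ACL 2003 as well.
    print("172.16.18.128/25 permitted:", acl_permits(ACLS[2003], "172.16.18.128/25"))
```

Under this model the /25 is permitted by ACL 2003 because the rule carries no mask length, so the filter should not be read as admitting exactly one /24.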

Configuration Files

  • RouterA configuration file

    #
    sysname RouterA 
    #
    acl number 2002                                                                 
     rule 5 permit source 172.16.17.0 0.0.0.255                                      
     rule 10 permit source 172.16.18.0 0.0.0.255                                     
     rule 15 permit source 172.16.19.0 0.0.0.255                                     
    #                                                                               
    interface GigabitEthernet1/0/0                                                  
     ip address 192.168.1.1 255.255.255.0  
    #
    ospf 1
     filter-policy 2002 export static 
     import-route static
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
    #
    ip route-static 172.16.16.0 255.255.255.0 NULL0
    ip route-static 172.16.17.0 255.255.255.0 NULL0
    ip route-static 172.16.18.0 255.255.255.0 NULL0
    ip route-static 172.16.19.0 255.255.255.0 NULL0
    ip route-static 172.16.20.0 255.255.255.0 NULL0
    #
    return
  • RouterB configuration file

    #
    sysname RouterB 
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     ip address 192.168.3.1 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     ip address 192.168.2.1 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.1.0 0.0.0.255
      network 192.168.2.0 0.0.0.255
      network 192.168.3.0 0.0.0.255
    #
    return
  • RouterC configuration file

    #
    sysname RouterC
    #
    acl number 2003  
     rule 5 permit source 172.16.18.0 0.0.0.255
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.2.2 255.255.255.0
    #
    ospf 1
     filter-policy 2003 import
     area 0.0.0.0
      network 192.168.2.0 0.0.0.255
    #
    ip ip-prefix in index 10 permit 172.16.18.0 24
    #
    return
  • RouterD configuration file

    #
    sysname RouterD
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.3.2 255.255.255.0
    #
    ospf 1
     area 0.0.0.0
      network 192.168.3.0 0.0.0.255
    #
    return
Updated: 2019-08-07

Document ID: EDOC1100034077
