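This example was configured and verified on release R9900 of the T5030.
As shown in the figure below, Device B exchanges routing information with Device A through OSPF and with Device C through IS-IS.
Configure route redistribution on Device B to import IS-IS routes into OSPF, and use a routing policy to set route attributes at the same time: set the cost of the route 172.17.1.0/24 to 100, and set the Tag attribute of the route 172.17.2.0/24 to 20.
Figure-1 Network diagram for applying a routing policy when importing IS-IS routes into OSPF
Configure the IP addresses of the interfaces (omitted)
Add the interfaces of Device B to the corresponding security zones according to the plan in the network diagram.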
<DeviceB> system-view
[DeviceB] security-zone name ospf
[DeviceB-security-zone-ospf] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-ospf] quit
[DeviceB] security-zone name isis
[DeviceB-security-zone-isis] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-isis] quit
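Configure security policies
Configure security policies to permit traffic between the ospf and Local security zones, so that Device A and Device B can establish an OSPF session.
# Configure a security policy rule named ospflocalin so that Device B can receive OSPF protocol packets from Device A.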
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ospflocalin
[DeviceB-security-policy-ip-0-ospflocalin] source-zone ospf
[DeviceB-security-policy-ip-0-ospflocalin] destination-zone local
[DeviceB-security-policy-ip-0-ospflocalin] service ospf
[DeviceB-security-policy-ip-0-ospflocalin] action pass
[DeviceB-security-policy-ip-0-ospflocalin] quit
# Configure a security policy rule named ospflocalout so that Device B can send OSPF protocol packets to Device A.
[DeviceB-security-policy-ip] rule name ospflocalout
[DeviceB-security-policy-ip-1-ospflocalout] source-zone local
[DeviceB-security-policy-ip-1-ospflocalout] destination-zone ospf
[DeviceB-security-policy-ip-1-ospflocalout] service ospf
[DeviceB-security-policy-ip-1-ospflocalout] action pass
[DeviceB-security-policy-ip-1-ospflocalout] quit
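Configure security policies to permit traffic between the Local and isis security zones, so that Device B and Device C can establish an IS-IS session.
# Configure a security policy rule named isislocalout so that Device B can send IS-IS protocol packets to Device C.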
[DeviceB-security-policy-ip] rule name isislocalout
[DeviceB-security-policy-ip-2-isislocalout] source-zone local
[DeviceB-security-policy-ip-2-isislocalout] destination-zone isis
[DeviceB-security-policy-ip-2-isislocalout] action pass
[DeviceB-security-policy-ip-2-isislocalout] quit
# Configure a security policy rule named isislocalin so that Device B can receive IS-IS protocol packets from Device C.
[DeviceB-security-policy-ip] rule name isislocalin
[DeviceB-security-policy-ip-3-isislocalin] source-zone isis
[DeviceB-security-policy-ip-3-isislocalin] destination-zone local
[DeviceB-security-policy-ip-3-isislocalin] action pass
[DeviceB-security-policy-ip-3-isislocalin] quit
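Configure a security policy to permit traffic between the ospf and isis security zones, so that Device A can access Device B's directly connected network segments 172.17.1.0/24, 172.17.2.0/24 and 172.17.3.0/24.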
[DeviceB-security-policy-ip] rule name ospf-isis
[DeviceB-security-policy-ip-4-ospf-isis] source-zone ospf
[DeviceB-security-policy-ip-4-ospf-isis] destination-zone isis
[DeviceB-security-policy-ip-4-ospf-isis] source-ip-subnet 192.168.1.0 24
[DeviceB-security-policy-ip-4-ospf-isis] destination-ip-subnet 172.17.1.0 24
[DeviceB-security-policy-ip-4-ospf-isis] destination-ip-subnet 172.17.2.0 24
[DeviceB-security-policy-ip-4-ospf-isis] destination-ip-subnet 172.17.3.0 24
[DeviceB-security-policy-ip-4-ospf-isis] action pass
[DeviceB-security-policy-ip-4-ospf-isis] quit
[DeviceB-security-policy-ip] quit
Configure the IS-IS routing protocol
# Configure Device C.
<DeviceC> system-view
[DeviceC] isis
[DeviceC-isis-1] is-level level-2
[DeviceC-isis-1] network-entity 10.0000.0000.0001.00
[DeviceC-isis-1] quit
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] isis enable
[DeviceC-GigabitEthernet1/0/1] quit
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] isis enable
[DeviceC-GigabitEthernet1/0/2] quit
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] isis enable
[DeviceC-GigabitEthernet1/0/3] quit
[DeviceC] interface gigabitethernet 1/0/4
[DeviceC-GigabitEthernet1/0/4] isis enable
[DeviceC-GigabitEthernet1/0/4] quit
# Configure Device B.
<DeviceB> system-view
[DeviceB] isis
[DeviceB-isis-1] is-level level-2
[DeviceB-isis-1] network-entity 10.0000.0000.0002.00
[DeviceB-isis-1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] isis enable
[DeviceB-GigabitEthernet1/0/2] quit
Configure the OSPF routing protocol and route redistribution
# Configure Device A and enable OSPF.
<DeviceA> system-view
[DeviceA] ospf
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Configure Device B: enable OSPF and import IS-IS routes.
[DeviceB] ospf
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] import-route isis 1
[DeviceB-ospf-1] quit
# Display the OSPF routing table on Device A. The imported routes are present.
[DeviceA] display ospf routing
OSPF Process 1 with Device ID 192.168.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvDevice Area
192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvDevice
172.17.1.0/24 1 Type2 1 192.168.1.2 192.168.2.2
172.17.2.0/24 1 Type2 1 192.168.1.2 192.168.2.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.2.2
Total Nets: 4
Intra Area: 1 Inter Area: 0 ASE: 3 NSSA: 0
Configure filter lists
# Configure basic ACL 2002 to permit the route 172.17.2.0/24.
[DeviceB] acl basic 2002
[DeviceB-acl-ipv4-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[DeviceB-acl-ipv4-basic-2002] quit
# Configure an IP prefix list named prefix-a to permit the route 172.17.1.0/24.
[DeviceB] ip prefix-list prefix-a index 10 permit 172.17.1.0 24
Configure the routing policy
[DeviceB] route-policy isis2ospf permit node 10
[DeviceB-route-policy-isis2ospf-10] if-match ip address prefix-list prefix-a
[DeviceB-route-policy-isis2ospf-10] apply cost 100
[DeviceB-route-policy-isis2ospf-10] quit
[DeviceB] route-policy isis2ospf permit node 20
[DeviceB-route-policy-isis2ospf-20] if-match ip address acl 2002
[DeviceB-route-policy-isis2ospf-20] apply tag 20
[DeviceB-route-policy-isis2ospf-20] quit
[DeviceB] route-policy isis2ospf permit node 30
[DeviceB-route-policy-isis2ospf-30] quit
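The node-by-node evaluation of isis2ospf, as an added Python model (not vendor code and not part of the original page). It assumes nodes are tried in ascending order, the first matching permit node applies its clauses, and a route that matches no node is not imported; 172.17.2.128/25 and 10.9.9.0/24 are constructed test routes.

```python
import ipaddress

# Constructed model of the filters configured above.
PREFIX_A = [ipaddress.ip_network("172.17.1.0/24")]   # ip prefix-list prefix-a index 10
ACL_2002 = [("172.17.2.0", "0.0.0.255")]             # acl basic 2002, rule permit source

def match_prefix_list(route):
    # No greater-equal/less-equal: network and mask length must both match exactly.
    return route in PREFIX_A

def match_acl(route):
    # Assumption of this model: a basic ACL compares only the route's network
    # address against source + wildcard and does not look at the mask length.
    addr = int(route.network_address)
    for src, wildcard in ACL_2002:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if (addr & care) == (int(ipaddress.ip_address(src)) & care):
            return True
    return False

# (node number, match function, apply clauses); node 30 has no if-match clause.
NODES = [
    (10, match_prefix_list, {"cost": 100}),
    (20, match_acl, {"tag": 20}),
    (30, lambda route: True, {}),
]

def import_route(prefix, nodes=NODES):
    """Return the attributes of the redistributed route, or None if it is filtered."""
    route = ipaddress.ip_network(prefix)
    attrs = {"cost": 1, "tag": 1}   # values shown before the policy was applied
    for node_id, matches, apply in nodes:
        if matches(route):          # first matching permit node wins
            return {**attrs, **apply, "node": node_id}
    return None                     # no node matched: route is not imported

if __name__ == "__main__":
    for p in ("172.17.1.0/24", "172.17.2.0/24", "172.17.3.0/24",
              "172.17.2.128/25", "10.9.9.0/24"):
        print(p, import_route(p))
    print("172.17.3.0/24 without node 30:", import_route("172.17.3.0/24", NODES[:2]))
```

Node 30 has no if-match clause, so every other IS-IS route that Device C advertises is also redistributed into OSPF; give it an explicit match if only the three planned prefixes should be imported.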
Apply the routing policy to route redistribution
# Configure Device B to apply the routing policy when importing routes.
[DeviceB] ospf
[DeviceB-ospf-1] import-route isis 1 route-policy isis2ospf
[DeviceB-ospf-1] quit
# Display the OSPF routing table on Device A. The route to 172.17.1.0/24 now has a cost of 100, the route to 172.17.2.0/24 has a Tag of 20, and the other external routes are unchanged.
[DeviceA] display ospf routing
OSPF Process 1 with Device ID 192.168.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvDevice Area
192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvDevice
172.17.1.0/24 100 Type2 1 192.168.1.2 192.168.2.2
172.17.2.0/24 1 Type2 20 192.168.1.2 192.168.2.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.2.2
Total Nets: 4
Intra Area: 1 Inter Area: 0 ASE: 3 NSSA: 0
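A check of the verification output above against the intended result, as an added Python example that is not part of the original page. The sample text is a constructed copy of the ASE rows shown above, and the function names are illustrative.

```python
# Constructed copy of the "Routing for ASEs" rows from the output above.
SAMPLE = """\
Routing for ASEs
Destination Cost Type Tag NextHop AdvDevice
172.17.1.0/24 100 Type2 1 192.168.1.2 192.168.2.2
172.17.2.0/24 1 Type2 20 192.168.1.2 192.168.2.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.2.2
Total Nets: 4
"""

# Expected (cost, tag) per external route, taken from the requirements on this page.
EXPECTED = {
    "172.17.1.0/24": (100, 1),
    "172.17.2.0/24": (1, 20),
    "172.17.3.0/24": (1, 1),
}

def parse_ases(text):
    """Extract {destination: (cost, tag)} from the ASE section of the output."""
    rows, in_ases = {}, False
    for line in text.splitlines():
        fields = line.split()
        if line.strip() == "Routing for ASEs":
            in_ases = True
        elif in_ases and fields[:1] == ["Total"]:
            break
        elif in_ases and len(fields) == 6 and "/" in fields[0]:
            rows[fields[0]] = (int(fields[1]), int(fields[3]))
    return rows

def audit(text, expected=EXPECTED):
    """Return findings: missing routes, wrong cost/tag, unexpected external routes."""
    seen = parse_ases(text)
    findings = []
    for dest, want in expected.items():
        if dest not in seen:
            findings.append(f"missing {dest}")
        elif seen[dest] != want:
            findings.append(f"{dest}: cost/tag {seen[dest]}, expected {want}")
    findings += [f"unexpected external route {d}" for d in sorted(set(seen) - set(expected))]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "ASE routes match the intended policy")
```

An "unexpected external route" finding means a prefix reached OSPF through redistribution that the plan did not list.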
#
interface GigabitEthernet1/0/1
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
#
interface GigabitEthernet1/0/1
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.2.2 255.255.255.0
isis enable 1
#
security-zone name ospf
import interface GigabitEthernet1/0/1
#
security-zone name isis
import interface GigabitEthernet1/0/2
#
security-policy ip
rule 0 name ospflocalin
action pass
source-zone ospf
destination-zone local
service ospf
rule 1 name ospflocalout
action pass
source-zone local
destination-zone ospf
service ospf
rule 2 name isislocalout
action pass
source-zone local
destination-zone isis
rule 3 name isislocalin
action pass
source-zone isis
destination-zone local
rule 4 name ospf-isis
action pass
source-zone ospf
destination-zone isis
source-ip-subnet 192.168.1.0 255.255.255.0
destination-ip-subnet 172.17.1.0 255.255.255.0
destination-ip-subnet 172.17.2.0 255.255.255.0
destination-ip-subnet 172.17.3.0 255.255.255.0
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
ospf 1
import-route isis 1 route-policy isis2ospf
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
acl basic 2002
rule 0 permit source 172.17.2.0 0.0.0.255
#
ip prefix-list prefix-a index 10 permit 172.17.1.0 24
#
route-policy isis2ospf permit node 10
if-match ip address prefix-list prefix-a
apply cost 100
#
route-policy isis2ospf permit node 20
if-match ip address acl 2002
apply tag 20
#
route-policy isis2ospf permit node 30
#
#
interface GigabitEthernet1/0/1
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
interface GigabitEthernet1/0/2
ip address 172.17.1.2 255.255.255.0
isis enable 1
#
interface GigabitEthernet1/0/3
ip address 172.17.1.3 255.255.255.0
isis enable 1
#
interface GigabitEthernet1/0/4
ip address 192.168.2.1 255.255.255.0
isis enable 1
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#