我们通常习惯使用连续的子网掩码(形如11111111.11111111.11111111.00000000),而对于不连续的子网掩码(形如11111111.11111111.00000000.00001111)基本上没有去关注过。
实际上,有时候巧妙地使用不连续的子网掩码,还能解决一些常规方法不容易搞定的问题。
例如,某个公司的网络及对网络配置的要求如下图所示,对于图示的情况,我们就可以用不连续子网掩码加路由策略来解决。
第一步:定义3条ACL,分别匹配上面三类客户端:
cj-3560G#sh ip access-lStandard IP access list acl_linux 10 permit 172.16.0.3, wildcard bits 0.0.255.252Standard IP access list acl_isa 10 permit 172.16.0.2, wildcard bits 0.0.255.252Standard IP access list acl_router 10 permit 172.16.0.1, wildcard bits 0.0.255.252 20 permit 172.16.0.0, wildcard bits 0.0.255.252解释:
反向掩码:0 .0 .255 .2520000 0000.0000 0000.1111 1111.1111 1100 (不连续反向子网掩码)正向掩码: 1111 1111 .1111 1111. 0000 0000.0000 0011 (不连续子网掩码)IP地址: 172 .16 .0 .0000 0011 172 .16 .0.3可以看出来,只要IP地址为172. 16. x. xxxxxx11(x表示0或者1当中的任何一个), 即以二进制表示的IP地址的最右边两位为11,就匹配ACL acl_linux,其它两个ACL的解释与此类似。第二步:定义路由策略
cj-3560G#sh route-map rm-select-gwroute-map rm-select-gw, permit, sequence 10 Match clauses: ip address (access-lists): acl-router Set clauses: ip next-hop 172.16.0.1 Policy routing matches: 0 packets, 0 bytesroute-map rm-select-gw, permit, sequence 20 Match clauses: ip address (access-lists): acl-isa Set clauses: ip next-hop 172.16.0.2 Policy routing matches: 0 packets, 0 bytesroute-map rm-select-gw, permit, sequence 30 Match clauses: ip address (access-lists): acl-linux Set clauses: ip next-hop 172.16.0.3 Policy routing matches: 0 packets, 0 bytes第三步:应用定义的路由策略到每一个SVI,例如:
cj-3560G#sh run int vlan1interface Vlan1ip address 172.16.0.254 255.255.255.0ip policy route-map rm-select-gwend
【巧用不连续子网掩码解决非常规问题】相关文章: