I. Topology
II. Requirements
1. Configure multi-area OSPF as shown in the topology, and RIPv2 between R3 and R6 and between R4 and R6. Advertise Loopback0 of R1, R2, R3 and R4 into Area 0, R5's into Area 1, and R6's directly connected interfaces into RIP;
2. Advertise R6's internal business segments 192.168.10.0/24 and 192.168.20.0/24 into RIP, and import R5's external business segments 172.16.10.0/24 and 172.16.20.0/24 into OSPF;
3. Configure dual-point, bidirectional route redistribution between OSPF and RIP on R3 and R4, importing the business segments 192.168.10.0/24 and 192.168.20.0/24 into OSPF;
4. Reduce the number of LSAs maintained in Area 2, including Type-3 and Type-5 LSAs;
5. Make R5's business segments reach 192.168.10.0/24 via R1 and 192.168.20.0/24 via R2, configuring only R3;
6. The physical link between R1 and R2 is unstable; improve the robustness of the OSPF network with appropriate configuration;
7. Resolve the suboptimal-path problem present in the OSPF network;
8. Optimise R5's OSPF routing table, reducing the LSAs it must maintain, and summarise R5's two business segments;
9. Adjust the OSPF timers appropriately for the state of the link between R2 and R4;
10. Deploy OSPF area-level cryptographic (MD5) authentication to improve OSPF security.
III. Lab steps and results
1. Configure multi-area OSPF as shown in the topology, and RIPv2 between R3 and R6 and between R4 and R6. Advertise Loopback0 of R1, R2, R3 and R4 into Area 0, R5's into Area 1, and R6's directly connected interfaces into RIP. Steps: assign IP addresses to the relevant interfaces, enable the routing protocols and advertise the networks; RIP advertises by classful network. Taking R3 as an example:
IP address configuration
[AR3]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.34.3/24 up up
GigabitEthernet0/0/1 10.0.13.3/24 up up
GigabitEthernet1/0/0 10.0.36.3/24 up up
LoopBack0 10.0.3.3/32 up up(s)
OSPF configuration
[AR3]dis cu c ospf
[V200R003C00]
#
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.13.3 0.0.0.0
area 0.0.0.2
network 10.0.34.3 0.0.0.0
RIP configuration
[AR3]dis cu configuration rip
[V200R003C00]
#
rip 1
version 2
network 10.0.0.0
Check the OSPF neighbours
[AR3]dis ospf pe br
OSPF Process 1 with Router ID 10.0.3.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/1 10.0.1.1 Full
0.0.0.2 GigabitEthernet0/0/0 10.0.4.4 Full
---------------------------------------------------------------------------
Two neighbours are in Full state: 10.0.1.1 (R1) in Area 0 and 10.0.4.4 (R4) in Area 2. The RIP neighbour state is as follows:
[AR3]dis rip 1 ne
---------------------------------------------------------------------
IP Address Interface Type Last-Heard-Time
---------------------------------------------------------------------
10.0.34.4 GigabitEthernet0/0/0 RIP 0:0:7
Number of RIP routes : 3
10.0.36.6 GigabitEthernet1/0/0 RIP 0:0:18
Number of RIP routes : 2
Two RIP neighbours: 10.0.34.4 (R4) and 10.0.36.6 (R6).
2. Advertise R6's internal business segments 192.168.10.0/24 and 192.168.20.0/24 into RIP, and import R5's external business segments 172.16.10.0/24 and 172.16.20.0/24 into OSPF.
On R6 the segments are advertised as directly connected networks; on R5 the business segments are imported. Only these two segments may be imported, nothing else, so the import has to be restricted. To test this, a 172.16.30.0/24 segment is created on R5.
Create LoopBack30 on R5 with address 172.16.30.5/24 for the import test.
ospf 1 router-id 10.0.5.5
import-route direct    (imports all directly connected routes)
area 0.0.0.1
network 10.0.5.5 0.0.0.0
network 10.0.15.5 0.0.0.0
network 10.0.25.5 0.0.0.0
After the import, every directly connected segment is redistributed into OSPF, that is, extra direct routes are imported as well:
dis ip routing-table pro ospf
172.16.10.0/24 O_ASE 150 1 D 10.0.13.1 GigabitEthernet0/0/1
172.16.20.0/24 O_ASE 150 1 D 10.0.13.1 GigabitEthernet0/0/1
172.16.30.0/24 O_ASE 150 1 D 10.0.13.1 GigabitEthernet0/0/1
The import must therefore be restricted to the required segments. On R5, create an IP prefix list that matches the routes, match the prefix list in a route-policy, and apply the route-policy on import (one method among several):
[AR5]dis cu | be ip ip
ip ip-prefix lan172 index 10 permit 172.16.10.0 24    (prefix list)
ip ip-prefix lan172 index 20 permit 172.16.20.0 24
[AR5]dis cu c route-policy
[V200R003C00]
#
route-policy lan172 permit node 10    (create the route-policy)
if-match ip-prefix lan172    (match the prefix list)
ospf 1 router-id 10.0.5.5
import-route direct route-policy lan172
area 0.0.0.1
network 10.0.5.5 0.0.0.0
network 10.0.15.5 0.0.0.0
network 10.0.25.5 0.0.0.0
The route-policy is applied on import under OSPF, so only the 172.16.10 and 172.16.20 routes are imported:
dis ip routing-table pro ospf
172.16.10.0/24 O_ASE 150 1 D 10.0.13.1 GigabitEthernet0/0/1
172.16.20.0/24 O_ASE 150 1 D 10.0.13.1 GigabitEthernet0/0/1
On R6 the segments are advertised into RIP with network statements:
rip 1
version 2
network 10.0.0.0
network 192.168.10.0
network 192.168.20.0
Only R3 and R4 have routes to the whole network: the 172 segments are learned from OSPF and the 192 segments from RIP.
dis ip routing-table
172.16.10.0/24 O_ASE 150 1 D 10.0.13.1
172.16.20.0/24 O_ASE 150 1 D 10.0.13.1
192.168.10.0/24 RIP 100 1 D 10.0.36.6
192.168.20.0/24 RIP 100 1 D 10.0.36.6
3. Configure dual-point, bidirectional route redistribution between OSPF and RIP on R3 and R4, importing the business segments 192.168.10.0/24 and 192.168.20.0/24 into OSPF.
R3 and R4 run both routing protocols and learn different segments from each. For the OSPF domain to have the RIP-learned routes, and for R6 to learn the OSPF routes, dual-point bidirectional redistribution is needed on R3 and R4: import RIP into OSPF and OSPF into RIP. Taking R3 as an example:
Import RIP into OSPF so that OSPF learns the RIP routes:
ospf 1 router-id 10.0.3.3
import-route rip 1
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.13.3 0.0.0.0
area 0.0.0.2
network 10.0.34.3 0.0.0.0
Import OSPF into RIP so that RIP learns the OSPF routes:
rip 1
version 2
network 10.0.0.0
import-route ospf 1
Check on R5 and R6 whether the routes have been learned:
dis ip routing-table pro ospf
192.168.10.0/24 O_ASE 150 1 D 10.0.15.1
192.168.20.0/24 O_ASE 150 1 D 10.0.15.1
dis ip rou pro rip
172.16.10.0/24 RIP 100 1 D 10.0.46.4
172.16.20.0/24 RIP 100 1 D 10.0.46.4
R5 learns the 192 segments via OSPF and R6 learns the 172 segments via RIP, but this redistribution creates a suboptimal-path problem. RIP has preference 100 (the Pre column), while routes imported into OSPF (O_ASE) have preference 150. Once the 172 segments are imported into RIP on R3 and R4, they become RIP routes with preference 100, so R3 or R4 can learn the 172 segments via RIP. If R3 redistributes first, R4 ends up with two routes to the 172 segments, one learned from OSPF with preference 150 and one from RIP with preference 100, and installs the preference-100 RIP route; conversely, if R4 redistributes first, R3 installs the preference-100 route.
R3's routing table:
172.16.10.0/24 RIP 100 1 D 10.0.34.4 GigabitEthernet0/0/0
172.16.20.0/24 RIP 100 1 D 10.0.34.4 GigabitEthernet0/0/0
192.168.10.0/24 RIP 100 1 D 10.0.36.6 GigabitEthernet1/0/0
192.168.20.0/24 RIP 100 1 D 10.0.36.6 GigabitEthernet1/0/0
The 172 segments are learned via RIP with next hop R4. R3 should only need to go through R1 to R5 to reach them, but now it goes R4, R2, R5, which is clearly not the optimal path for R3:
tracert 172.16.10.5
traceroute to 172.16.10.5(172.16.10.5), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.0.34.4 50 ms 20 ms 10 ms
2 10.0.24.2 30 ms 30 ms 20 ms
3 10.0.25.5 40 ms 30 ms 30 ms
So on R3 and R4, these routes are filtered out when RIP learns them. Taking R3 as an example (one method among several):
[AR3]dis cu | be ip ip
ip ip-prefix lan172 index 10 deny 172.16.10.0 24
ip ip-prefix lan172 index 20 deny 172.16.20.0 24
ip ip-prefix lan172 index 30 permit 0.0.0.0 0 less-equal 32
Create a prefix list that denies the two routes 172.16.10.0/24 and 172.16.20.0/24 and permits everything else.
rip 1
version 2
network 10.0.0.0
filter-policy ip-prefix lan172 import
import-route ospf 1
Enable the filter under the RIP process, matching the prefix list.
Result, R3's routing table:
[AR3]dis ip routing-table
172.16.10.0/24 O_ASE 150 1 D 10.0.13.1
172.16.20.0/24 O_ASE 150 1 D 10.0.13.1
192.168.10.0/24 RIP 100 1 D 10.0.36.6
192.168.20.0/24 RIP 100 1 D 10.0.36.6
R4's routing table:
[AR4]dis ip routing-table
172.16.10.0/24 O_ASE 150 1 D 10.0.24.2
172.16.20.0/24 O_ASE 150 1 D 10.0.24.2
192.168.10.0/24 RIP 100 1 D 10.0.46.6
192.168.20.0/24 RIP 100 1 D 10.0.46.6
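The preference comparison described above, as a small Python model added here (not part of the lab). The preference values, protocol names and addresses come from the lab output; the Route and Router classes are constructed for illustration. It shows R4 switching to the RIP-learned 172 routes once R3 redistributes first, and keeping its O_ASE routes once a RIP import filter is in place.

```python
from dataclasses import dataclass, field

# Route preferences as seen in the lab's "Pre" column on VRP:
# intra/inter-area OSPF 10, RIP 100, OSPF external (O_ASE) 150.
PREF = {"OSPF": 10, "RIP": 100, "O_ASE": 150}
OSPF_PROTOS = {"OSPF", "O_ASE"}      # import-route ospf 1 hands both into RIP


@dataclass
class Route:
    prefix: str
    proto: str
    cost: int
    nexthop: str


@dataclass
class Router:
    name: str
    candidates: dict = field(default_factory=dict)     # prefix -> [Route]
    rip_import_deny: set = field(default_factory=set)  # filter-policy ... import

    def learn(self, route):
        # filter-policy ip-prefix ... import drops the route before it is
        # considered for the routing table (the fix used on R3 and R4).
        if route.proto == "RIP" and route.prefix in self.rip_import_deny:
            return
        self.candidates.setdefault(route.prefix, []).append(route)

    def best(self, prefix):
        # VRP selection: lowest preference wins, cost only breaks ties.
        return min(self.candidates[prefix], key=lambda r: (PREF[r.proto], r.cost))

    def redistribute(self, src_protos, into_proto, peer, nexthop, cost):
        # Every active route from src_protos is advertised to peer inside
        # into_proto, as import-route does on an ASBR.
        for prefix in list(self.candidates):
            if self.best(prefix).proto in src_protos:
                peer.learn(Route(prefix, into_proto, cost, nexthop))


R5_EXTERNALS = ("172.16.10.0/24", "172.16.20.0/24")


def r4_after_r3_redistributes(filter_on_r4):
    """R3 imports OSPF into RIP first; return R4's chosen route per prefix."""
    r3, r4 = Router("R3"), Router("R4")
    if filter_on_r4:
        r4.rip_import_deny = set(R5_EXTERNALS)
    for p in R5_EXTERNALS:
        # both ASBRs already hold R5's externals as O_ASE via their area-0 peers
        r3.learn(Route(p, "O_ASE", 1, "10.0.13.1"))
        r4.learn(Route(p, "O_ASE", 1, "10.0.24.2"))
    # R4 hears R3's RIP update over the 10.0.34.0/24 link
    r3.redistribute(OSPF_PROTOS, "RIP", r4, "10.0.34.3", 1)
    return {p: r4.best(p) for p in R5_EXTERNALS}


if __name__ == "__main__":
    for flag in (False, True):
        for p, r in r4_after_r3_redistributes(flag).items():
            print(f"filter={flag} {p} -> {r.proto} via {r.nexthop}")
```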
4. Reduce the number of LSAs maintained in Area 2, including Type-3 and Type-5 LSAs.
To reduce the LSAs maintained in Area 2, use the properties of a totally stubby or totally NSSA area: under Area 2 enter nssa no-summary to make it a totally NSSA area. Area 2's LSDB then looks like this:
Area: 0.0.0.2
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 10.0.3.3 10.0.3.3 30 36 80000005 1
Router 10.0.4.4 10.0.4.4 25 36 80000005 1
Network 10.0.34.4 10.0.4.4 25 32 80000002 0
Sum-Net 0.0.0.0 10.0.4.4 68 28 80000001 1
Sum-Net 0.0.0.0 10.0.3.3 78 28 80000001 1
NSSA 0.0.0.0 10.0.4.4 68 36 80000001 1
NSSA 10.0.6.6 10.0.4.4 68 36 80000001 1
NSSA 10.0.4.4 10.0.4.4 68 36 80000001 1
NSSA 10.0.36.0 10.0.4.4 68 36 80000002 1
NSSA 10.0.34.0 10.0.4.4 68 36 80000002 1
NSSA 10.0.46.0 10.0.4.4 68 36 80000001 1
NSSA 192.168.10.0 10.0.4.4 68 36 80000001 1
NSSA 192.168.20.0 10.0.4.4 68 36 80000001 1
NSSA 10.0.24.0 10.0.4.4 68 36 80000001 1
NSSA 0.0.0.0 10.0.3.3 78 36 80000001 1
NSSA 10.0.6.6 10.0.3.3 78 36 80000001 1
NSSA 10.0.3.3 10.0.3.3 78 36 80000001 1
NSSA 10.0.36.0 10.0.3.3 78 36 80000001 1
NSSA 10.0.34.0 10.0.3.3 78 36 80000002 1
NSSA 10.0.13.0 10.0.3.3 78 36 80000001 1
NSSA 192.168.10.0 10.0.3.3 78 36 80000001 1
NSSA 192.168.20.0 10.0.3.3 78 36 80000001 1
5. Make R5's business segments reach 192.168.10.0/24 via R1 and 192.168.20.0/24 via R2, configuring only R3.
On R5, check the routing table and how the business segments are reached.
Routes to the 192.168 segments:
192.168.10.0/24 O_ASE 150 1 D 10.0.15.1
192.168.20.0/24 O_ASE 150 1 D 10.0.15.1
Both 192.168 segments exit via R1, as the traceroutes confirm:
tracert -a 172.16.10.5 192.168.10.6
traceroute to 192.168.10.6(192.168.10.6), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.0.15.1 20 ms 10 ms 10 ms
2 10.0.13.3 30 ms 20 ms 30 ms
3 10.0.36.6 20 ms 30 ms 10 ms
tracert -a 172.16.10.5 192.168.20.6
traceroute to 192.168.20.6(192.168.20.6), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.0.15.1 30 ms 20 ms 20 ms
2 10.0.13.3 20 ms 10 ms 20 ms
3 10.0.36.6 30 ms 30 ms 20 ms
Both go out via R1. The requirement is to reach 192.168.10 via R1 and 192.168.20 via R2 while operating only on R3, so the two routes must be treated differently at import time: import 192.168.10.0 unchanged and import 192.168.20.0 with a higher cost. R5 then learns the 192.168.20.0 route differently: same prefix, both with preference 150, but the cost learned from R1 is slightly higher than the cost learned from R2, so the route via R2 is preferred (one method among several).
On R3, create ACLs matching the 192.168.10 and 192.168.20 segments:
[AR3]dis cu | be acl
acl number 2010
rule 5 permit source 192.168.10.0 0.0.0.255
acl number 2020
rule 5 permit source 192.168.20.0 0.0.0.255
Match the ACLs in a route-policy:
route-policy lan192 permit node 10
if-match acl 2010
#
route-policy lan192 permit node 20
if-match acl 2020
apply cost 10
Apply the route-policy on import:
ospf 1 router-id 10.0.3.3
import-route rip 1 route-policy lan192
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.13.3 0.0.0.0
area 0.0.0.2
network 10.0.34.3 0.0.0.0
nssa no-summary
When the 192.168.20 segment is imported, its cost becomes 10. R5 receives two routes for 192.168.20.0/24: cost 10 with next hop R1 and cost 1 with next hop R2, so the route via R2 is installed in the routing table.
192.168.10.0/24 O_ASE 150 1 D 10.0.15.1
192.168.20.0/24 O_ASE 150 1 D 10.0.25.2
Traceroute paths:
tracert -a 172.16.10.5 192.168.10.6
traceroute to 192.168.10.6(192.168.10.6), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.0.15.1 20 ms 20 ms 20 ms
2 10.0.13.3 30 ms 20 ms 20 ms
3 10.0.36.6 30 ms 40 ms 20 ms
tracert -a 172.16.10.5 192.168.20.6
traceroute to 192.168.20.6(192.168.20.6), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.0.25.2 20 ms 10 ms 10 ms
2 10.0.24.4 30 ms 20 ms 20 ms
3 * 10.0.46.6 30 ms 50 ms
6. The physical link between R1 and R2 is unstable; improve the robustness of the OSPF network with appropriate configuration.
Connectivity between R1 and R2 must be guaranteed: if the R1-R2 link goes down, the backbone area is partitioned, which is not allowed. Once Area 0 is split, R1 and R2 can no longer learn each other's routes and the network fails.
[AR1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.15.1/24 up up
GigabitEthernet0/0/1 10.0.13.1/24 up up
GigabitEthernet1/0/0 10.0.12.1/24 *down down
LoopBack0 10.0.1.1/32 up up(s)
The routing table shows no routes to R2:
[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 19 Routes : 19
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.3.3/32 OSPF 10 1 D 10.0.13.3 GigabitEthernet0/0/1
10.0.5.5/32 OSPF 10 1 D 10.0.15.5 GigabitEthernet0/0/0
10.0.13.0/24 Direct 0 0 D 10.0.13.1 GigabitEthernet
Connectivity test: the network is broken.
[AR1]ping 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
For robustness, a virtual link can be used here. Virtual links exist for networks that were not designed to the rules, where another area cannot connect directly to the backbone; the virtual link joins them logically. A virtual link could be built through Area 1 or Area 2, but Area 2 is already an NSSA and virtual links cannot transit stub or NSSA areas, so Area 1 is the only choice. Taking R1 as an example:
Create the vlink through Area 1:
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.0.13.1 0.0.0.0
area 0.0.0.1
network 10.0.15.1 0.0.0.0
vlink-peer 10.0.2.2
Check the vlink state:
[AR1]dis ospf vlink
OSPF Process 1 with Router ID 10.0.1.1
Virtual Links
Virtual-link Neighbor-id -> 10.0.2.2, Neighbor-State: Full
Interface: 10.0.15.1 (GigabitEthernet0/0/0)
Cost: 2 State: P-2-P Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1
GR State: Normal
Check the interface state:
[AR1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.15.1/24 up up
GigabitEthernet0/0/1 10.0.13.1/24 up up
GigabitEthernet1/0/0 10.0.12.1/24 *down down
LoopBack0 10.0.1.1/32 up up(s)
The R1-R2 link is now down; check the routes:
[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 25 Routes : 25
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.2.2/32 OSPF 10 2 D 10.0.15.5 GigabitEthernet
The route is still learned, so the two areas remain logically connected. Connectivity test:
[AR1]ping 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=30 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=20 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=20 ms
7. Resolve the suboptimal-path problem present in the OSPF network.
R2 and R4 are connected by a serial link with low bandwidth, so R4's traffic should prefer the higher-bandwidth link. In OSPF, intra-area routes are preferred over inter-area routes. The loopback interfaces of R3 and R4 are advertised in Area 0, while the direct R3-R4 link belongs to Area 2, so traffic to those loopbacks is not forwarded over the Area 2 link but through Area 0, producing a suboptimal path. A tunnel between R3 and R4 solves this. As follows:
tracert -a 10.0.3.3 10.0.4.4
traceroute to 10.0.4.4(10.0.4.4), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.0.13.1 30 ms 20 ms 20 ms
2 10.0.12.2 20 ms 30 ms 20 ms
3 10.0.24.4 30 ms 30 ms 30 ms
10.0.3.3 can reach 10.0.4.4 directly over the connected interface, but path selection sends the traffic along the suboptimal path, so a tunnel is built between R3 and R4. Taking R3 as an example (one method among several):
interface Tunnel0/0/0
ip address 202.101.34.3 255.255.255.0
tunnel-protocol gre
source 10.0.34.3
destination 10.0.34.4
ospf cost 1
ospf network-type broadcast
Then advertise the tunnel interface into OSPF Area 0:
ospf 1 router-id 10.0.3.3
import-route rip 1 route-policy lan192
area 0.0.0.0
network 10.0.3.3 0.0.0.0
network 10.0.13.3 0.0.0.0
network 202.101.34.3 0.0.0.0
Check the OSPF neighbours: the neighbour over the tunnel interface is established, in Full state.
[AR3]dis ospf pe br
OSPF Process 1 with Router ID 10.0.3.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/1 10.0.1.1 Full
0.0.0.0 Tunnel0/0/0 10.0.4.4 Full
0.0.0.2 GigabitEthernet0/0/0 10.0.4.4 Full
----------------------------------------------------------------------------
Check the routing table:
[AR3]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 31 Routes : 32
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 OSPF 10 1 D 10.0.13.1
10.0.2.2/32 OSPF 10 2 D 10.0.13.1
10.0.3.3/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.4.4/32 OSPF 10 1 D 202.101.34.4 Tunnel0/0/0
The next hop for 10.0.4.4 is now the tunnel interface. Traceroute:
[AR3]tracert -a 10.0.3.3 10.0.4.4
traceroute to 10.0.4.4(10.0.4.4), max hops: 30 ,packet length: 40,press CTRL_C to break
1 202.101.34.4 10 ms 10 ms 1 ms
Only one hop is needed.
8. Optimise R5's OSPF routing table, reducing the LSAs it must maintain, and summarise R5's two business segments.
Check the LSAs maintained on R5:
dis ospf lsdb
OSPF Process 1 with Router ID 10.0.5.5
Link State Database
Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 10.0.5.5 10.0.5.5 396 60 8000001B 1
Router 10.0.2.2 10.0.2.2 1270 36 80000009 1
Router 10.0.1.1 10.0.1.1 1270 36 80000008 1
Network 10.0.15.5 10.0.5.5 885 32 80000007 0
Network 10.0.25.5 10.0.5.5 859 32 80000007 0
Sum-Net 202.101.34.0 10.0.1.1 252 28 80000002 2
Sum-Net 202.101.34.0 10.0.2.2 252 28 80000003 3
Sum-Net 10.0.34.0 10.0.1.1 6 28 80000008 2
Sum-Net 10.0.34.0 10.0.2.2 989 28 80000001 3
Sum-Net 10.0.13.0 10.0.1.1 893 28 80000006 1
Sum-Net 10.0.13.0 10.0.2.2 989 28 80000001 2
Sum-Net 10.0.24.0 10.0.2.2 911 28 80000006 48
Sum-Net 10.0.24.0 10.0.1.1 989 28 80000001 49
Sum-Net 10.0.12.0 10.0.2.2 1029 28 80000001 1
Sum-Net 10.0.12.0 10.0.1.1 1028 28 80000001 1
Sum-Net 10.0.3.3 10.0.1.1 802 28 80000006 1
Sum-Net 10.0.3.3 10.0.2.2 989 28 80000001 2
Sum-Net 10.0.2.2 10.0.2.2 892 28 80000006 0
Sum-Net 10.0.2.2 10.0.1.1 989 28 80000001 1
Sum-Net 10.0.1.1 10.0.1.1 893 28 80000006 0
Sum-Net 10.0.1.1 10.0.2.2 989 28 80000001 1
Sum-Net 10.0.4.4 10.0.2.2 252 28 80000007 3
Sum-Net 10.0.4.4 10.0.1.1 252 28 80000002 2
Sum-Asbr 10.0.4.4 10.0.2.2 252 28 80000006 3
Sum-Asbr 10.0.4.4 10.0.1.1 252 28 80000002 2
Sum-Asbr 10.0.3.3 10.0.1.1 459 28 80000005 1
Sum-Asbr 10.0.3.3 10.0.2.2 990 28 80000001 2
Type-1 and Type-2 LSAs carry link state, whereas Type-3 LSAs carry routing information. For OSPF, routes can be computed from the link state, so the Type-3 LSAs can be filtered. This is done on R1 and R2; taking R1 as an example (one method among several):
acl number 2000
rule 1 permit source 10.0.1.0 0.0.0.255
rule 2 permit source 10.0.2.0 0.0.0.255
rule 3 permit source 10.0.3.0 0.0.0.255
rule 4 permit source 10.0.4.0 0.0.0.255
rule 5 permit source 10.0.12.0 0.0.0.255
rule 6 permit source 10.0.13.0 0.0.0.255
rule 7 permit source 10.0.24.0 0.0.0.255
rule 8 permit source 10.0.34.0 0.0.0.255
rule 9 permit source 202.101.34.0 0.0.0.255
Create a route-policy that denies what the ACL matches:
route-policy lsa deny node 10
if-match acl 2000
Apply the filter under OSPF Area 1:
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.0.13.1 0.0.0.0
area 0.0.0.1
filter route-policy lsa import
network 10.0.15.1 0.0.0.0
Result:
dis ospf lsdb
OSPF Process 1 with Router ID 10.0.5.5
Link State Database
Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 10.0.5.5 10.0.5.5 189 60 8000001E 1
Router 10.0.2.2 10.0.2.2 1096 36 8000000C 1
Router 10.0.1.1 10.0.1.1 1062 36 8000000B 1
Network 10.0.15.5 10.0.5.5 678 32 8000000A 0
Network 10.0.25.5 10.0.5.5 652 32 8000000A 0
Sum-Asbr 10.0.4.4 10.0.2.2 77 28 80000009 3
Sum-Asbr 10.0.4.4 10.0.1.1 44 28 80000005 2
Sum-Asbr 10.0.3.3 10.0.1.1 250 28 80000008 1
Sum-Asbr 10.0.3.3 10.0.2.2 815 28 80000004 2
With the Type-3 LSAs filtered, the routes are as follows:
dis ip routing-table pro ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
Destinations : 8 Routes : 8
OSPF routing table status :
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.4.4/32 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
10.0.6.6/32 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
10.0.24.0/24 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
10.0.34.0/24 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
10.0.36.0/24 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
10.0.46.0/24 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
192.168.10.0/24 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
192.168.20.0/24 O_ASE 150 1 D 10.0.15.1 GigabitEthernet0/0/0
9. Adjust the OSPF timers appropriately for the state of the link between R2 and R4.
R2 and R4 are connected by a low-bandwidth serial link. The default OSPF hello interval is 10 seconds; to reduce wasted bandwidth, the hello timer on the serial interface can be adjusted. Taking R4 as an example:
dis ospf inter se1/0/0
OSPF Process 1 with Router ID 10.0.4.4
Interfaces
Interface: 10.0.24.4 (Serial1/0/0) --> 10.0.24.2
Cost: 48 State: P-2-P Type: P2P MTU: 1500
Timers:
Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
After the adjustment:
[AR4]dis ospf inter se1/0/0
OSPF Process 1 with Router ID 10.0.4.4
Interfaces
Interface: 10.0.24.4 (Serial1/0/0) --> 10.0.24.2
Cost: 48 State: P-2-P Type: P2P MTU: 1500
Timers:
Hello 60 , Dead 240 , Poll 120 , Retransmit 5 , Transmit Delay 1
10. Deploy OSPF area-level cryptographic (MD5) authentication to improve OSPF security.
Authentication configured on an interface takes precedence over authentication configured under the OSPF area. Once authentication is configured on one side, the Hellos it sends carry authentication data; if the other side has no authentication configured, or the authentication does not match, the neighbour relationship cannot form. If authentication is configured both under the area and on the interface, the interface authentication is used: for example, if the area authentication does not match but the interface authentication does, authentication succeeds and the neighbour forms normally. Taking R1 and R5 as an example:
After enabling authentication under the area on R5, the Hellos sent by R5 carry authentication data while the Hellos sent by R1 do not.
(Capture: Hello sent by R5 carries authentication data)
(Capture: Hello sent by R1 carries no authentication data)
The authentication mismatch brings the neighbour relationship down:
[AR5-ospf-1-area-0.0.0.1]
Apr 20 2018 13:44:30-08:00 AR5 %OSPF/3/NBR_CHG_DOWN(l)[12]:Neighbor event:neighbor state changed to Down. (ProcessId=256, NeighborAddress=1.1.0.10, NeighborEvent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down)
Neighbour relationship:
dis ospf peer br
OSPF Process 1 with Router ID 10.0.5.5
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
----------------------------------------------------------------------------
No neighbours.
To test that interface authentication takes precedence, enable authentication under Area 1 on R1 with a password different from R5's and check the result.
On R5, the OSPF authentication configuration is as follows, password huawei:
ospf 1 router-id 10.0.5.5
import-route direct route-policy lan172
area 0.0.0.1
authentication-mode md5 1 plain huawei
network 10.0.5.5 0.0.0.0
network 10.0.15.5 0.0.0.0
network 10.0.25.5 0.0.0.0
On R1, the OSPF authentication configuration is as follows, password huawei1:
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.1 0.0.0.0
network 10.0.12.1 0.0.0.0
network 10.0.13.1 0.0.0.0
area 0.0.0.1
authentication-mode md5 1 plain huawei1
filter route-policy lsa import
network 10.0.15.1 0.0.0.0
vlink-peer 10.0.2.2
The passwords differ, so authentication fails, and the neighbours on R5 are as follows:
[AR5]dis ospf pe br
OSPF Process 1 with Router ID 10.0.5.5
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.1 GigabitEthernet0/0/1 10.0.2.2 Full
----------------------------------------------------------------------------
R5 forms a neighbour with R2 normally but cannot form one with R1. Keep R1's area authentication unchanged and enable authentication under G0/0/0. If area authentication took precedence, authentication would still fail; if interface authentication takes precedence, it succeeds and the neighbour forms normally. As follows:
Authentication on R1's interface:
interface GigabitEthernet0/0/0
ip address 10.0.15.1 255.255.255.0
ospf authentication-mode md5 1 plain huawei
After the configuration, the following is seen:
Apr 20 2018 14:00:42-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[10]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, NeighborEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Init)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[11]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, NeighborEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=ExStart)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[12]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, NeighborEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentState=Exchange)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[13]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, NeighborEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState=Loading)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[14]:Neighbor changes event: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, NeighborEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState=Full)
The neighbour comes up, so interface authentication takes precedence over area authentication. Neighbours on R5:
[AR5]dis ospf pe br
OSPF Process 1 with Router ID 10.0.5.5
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.1 GigabitEthernet0/0/0 10.0.1.1 Full
0.0.0.1 GigabitEthernet0/0/1 10.0.2.2 Full
----------------------------------------------------------------------------
The neighbours are established normally.
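What the authenticated Hellos in this section carry, as a Python example added here (not from the lab or from the router software): a sender builds a Hello with OSPF cryptographic authentication per RFC 2328 Appendix D.4.3 and a receiver verifies it. Key ID 1 and the passwords huawei and huawei1 follow the lab; the Hello field values, sequence numbers and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 common header (RFC 2328 A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType, 8-byte authentication field.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")
HELLO_BODY = struct.Struct("!4sHBBI4s4s")   # mask, hello, options, prio, dead, DR, BDR
AU_CRYPTOGRAPHIC = 2
PKT_HELLO = 1
DIGEST_LEN = 16


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the OSPF packet (header + body, checksum 0)
    followed by the secret key zero-padded to 16 bytes."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be at most 16 bytes")
    return hashlib.md5(packet + key.ljust(DIGEST_LEN, b"\x00")).digest()


def build_md5_hello(router_id: str, area_id: str, key_id: int, seq: int,
                    key: bytes, mask="255.255.255.0", dr="0.0.0.0") -> bytes:
    """Build a Hello protected by OSPF cryptographic authentication."""
    body = HELLO_BODY.pack(socket.inet_aton(mask), 10, 0x02, 1, 40,
                           socket.inet_aton(dr), socket.inet_aton("0.0.0.0"))
    # Packet length excludes the trailing digest; checksum is 0 with AuType 2.
    # Auth field for AuType 2: 0x0000, Key ID, Auth Data Length, sequence number.
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = OSPF_HEADER.pack(2, PKT_HELLO, OSPF_HEADER.size + HELLO_BODY.size,
                              socket.inet_aton(router_id), socket.inet_aton(area_id),
                              0, AU_CRYPTOGRAPHIC, auth)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


def verify_md5_hello(frame: bytes, keys: dict, last_seq: int = 0) -> tuple:
    """Receiver-side check. keys maps Key ID -> secret. Returns (ok, reason, seq)."""
    if len(frame) < OSPF_HEADER.size:
        return False, "truncated", last_seq
    ver, _ptype, length, _rid, _area, _cksum, autype, auth = OSPF_HEADER.unpack_from(frame)
    if ver != 2 or autype != AU_CRYPTOGRAPHIC:
        return False, "not OSPFv2 cryptographic authentication", last_seq
    zero, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if zero != 0 or auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False, "malformed authentication field", last_seq
    key = keys.get(key_id)
    if key is None:                       # neighbour uses a Key ID we do not hold
        return False, f"unknown key id {key_id}", last_seq
    if seq < last_seq:                    # RFC 2328: seq must be >= last accepted
        return False, "replayed sequence number", last_seq
    expected = ospf_md5_digest(frame[:length], key)
    if not hmac.compare_digest(expected, frame[length:]):
        return False, "digest mismatch", last_seq   # wrong password, as R1 vs R5
    return True, "ok", seq
```

A mismatched password (huawei on R5, huawei1 on R1) fails only at the final digest comparison, which is why the lab's log shows the neighbour silently timing out rather than an explicit error.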
Note: dual-point bidirectional redistribution can cause suboptimal paths and routing loops. How can these be avoided?