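Lab requirements:
Build the topology as shown in the figure, load the pre-configuration, and troubleshoot the faults listed below.
1.    R4 cannot learn the host entries attached to R5;
2.    The EIGRP neighbor relationship between R6 and R7 does not come up;
3.    R4 cannot form OSPF neighbor relationships with R2 and R3;
4.    R7 cannot form EIGRP neighbor relationships with R8 and R9;
5.    The host on R5 cannot ping the host on R9;
6.    Ensure that packets with IP precedence 1 sent from the host on R5 to the host on R9 carry precedence 2 in the OSPF domain and precedence 5 in the EIGRP domain;
7.    User CISCO, logging in with password ADMIN over Telnet from R3 to R6, cannot run show run or conf t.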
Lab topology:
[Figure: lab topology diagram]
Lab steps:
1. R4 cannot learn the host entries on R5
Run show run on S0/1 of R4 and S0/0 of R5:
R4:
Username R4 password 0 CISCOR4
interface Serial0/1
ip address 172.16.45.1 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp authentication chap
ppp chap hostname R4
ppp chap password 0 CISCOR4
R5:
Username R5 password 0 CISCOR5
interface Serial0/0
ip address 172.16.45.2 255.255.255.252
encapsulation ppp
serial restart-delay 0
ppp authentication chap
ppp chap hostname R5
ppp chap password 0 CISCOR5
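R4 and R5 each act as both PPP authentication client and PPP authentication server, so the connection cannot be established.
Fix:
Make R4 the PPP authentication server and R5 the PPP authentication client.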
r4(config)#int s0/1
r4(config-if)#no ppp chap hostname R4
r4(config-if)#no ppp chap password 0 CISCOR4
r5(config)#no username R5 password CISCOR5
r5(config)#int s0/0
r5(config-if)#no ppp authentication chap
r5(config-if)#ppp chap hostname R4
r5(config-if)#ppp chap password 0 CISCOR4
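
The CHAP check behind this fault, as an added example that is not part of the original lab notes: a simplified model of the RFC 1994 exchange in which the authenticator looks up the peer's name in its local username list. The function names are made up for this example; the names and secrets are the ones from the show run output above.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def authenticate(local_users, peer_name, peer_secret):
    """One direction of CHAP, simplified.

    local_users : authenticator's `username <name> password <secret>` entries
    peer_name   : name the peer answers with (`ppp chap hostname`)
    peer_secret : secret the peer hashes with (`ppp chap password`)
    """
    ident, challenge = 1, os.urandom(16)           # sent by the authenticator
    response = chap_response(ident, peer_secret, challenge)   # peer's reply
    expected = local_users.get(peer_name)          # lookup is by peer name
    if expected is None:
        return f"fail: no local username {peer_name}"
    if not hmac.compare_digest(chap_response(ident, expected, challenge), response):
        return "fail: secret mismatch"
    return "ok"

# Values from the show run output above
R4_USERS = {"R4": "CISCOR4"}
R5_USERS = {"R5": "CISCOR5"}

def before_fix():
    # Both ends have `ppp authentication chap`, so both directions must pass.
    return (authenticate(R4_USERS, "R5", "CISCOR5"),   # R4 challenges R5
            authenticate(R5_USERS, "R4", "CISCOR4"))   # R5 challenges R4

def after_fix():
    # Only R4 authenticates; R5 answers as R4 with CISCOR4.
    return authenticate(R4_USERS, "R4", "CISCOR4")

if __name__ == "__main__":
    print(before_fix())
    print(after_fix())
```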

2. The EIGRP neighbor relationship between R6 and R7 does not come up
Run show key chain on R6 and R7:
r6#show key chain
Key-chain sovand:
    key 1 -- text "cisco"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
r7#show key chain
Key-chain cisco:
    key 1 -- text "cisc0"
        accept lifetime (always valid) - (always valid) [valid now]
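        send lifetime (always valid) - (always valid) [valid now]
The output above shows that the EIGRP authentication keys on the two sides do not match, so the neighbor relationship cannot form.
Fix:
Change the EIGRP authentication key so that both sides use the same one.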
r7(config)#key chain cisco
r7(config-keychain)#key 1
r7(config-keychain-key)#key-string cisco
r7(config-keychain-key)#end

3. R4 cannot form OSPF neighbor relationships with R2 and R3
Run show run on interface S0/2 of FR1 and interface S0/0 of R4:
FR1:
interface Serial0/2
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay lmi-type cisco
frame-relay intf-type dce
frame-relay route 402 interface Serial0/0 204
frame-relay route 403 interface Serial0/1 304
R4:
interface Serial0/0
ip address 172.16.234.40 255.255.255.224
encapsulation frame-relay
ip ospf network broadcast
serial restart-delay 0
no arp frame-relay
frame-relay map ip 172.16.234.30 403 broadcast
frame-relay map ip 172.16.234.20 402 broadcast
no frame-relay inverse-arp
frame-relay lmi-type ansi
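R4 and FR1 are configured with different Frame Relay LMI types (ansi on R4, cisco on FR1), so the Frame Relay connection cannot be established.
Fix:
Change the Frame Relay LMI type on R4 to cisco.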
r4(config)#int s0/0
r4(config-if)#frame-relay lmi-type cisco
Check that the Frame Relay connections have come up:
*Mar  1 00:28:30.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
FR1#show frame-relay rou
Input Intf      Input Dlci      Output Intf     Output Dlci     Status
Serial0/0       203             Serial0/1       302             active
Serial0/0       204             Serial0/2       402             active
Serial0/1       302             Serial0/0       203             active
Serial0/1       304             Serial0/2       403             active
Serial0/2       402             Serial0/0       204             active
Serial0/2       403             Serial0/1       304             active
The Frame Relay connections are now fully established, but the OSPF neighbors still do not come up. To find the cause, debug OSPF adjacency events on R4.
r4#debug ip ospf adj 
OSPF adjacency events debugging is on
r4#
*Mar  1 01:23:31.639: OSPF: Rcv pkt from 172.16.234.30, Serial0/0, area 0.0.0.0 : src not on the same network
*Mar  1 01:23:31.639: OSPF: Rcv pkt from 172.16.234.30, Serial0/0, area 0.0.0.0 : src not on the same network
*Mar  1 01:23:31.639: OSPF: Rcv pkt from 172.16.234.30, Serial0/0, area 0.0.0.0 : src not on the same network
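It turns out that R4's interface IP address is not in the same subnet as R2 and R3, so the neighbor relationships cannot form.
Fix:
Put the interface addresses of R2, R3 and R4 in the same subnet by setting the mask to 255.255.255.192.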
r2(config)#int s0/0
r2(config-if)#ip address 172.16.234.20 255.255.255.192
r3(config)#int s0/0
r3(config-if)#ip address 172.16.234.30 255.255.255.192
r4(config)#int s0/0
r4(config-if)#ip address 172.16.234.40 255.255.255.192
Adjacencies fully established:
r2#
*Mar  1 00:24:19.367: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.30 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:29:17.451: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.40 on Serial0/0 from LOADING to FULL, Loading Done
r3#
*Mar  1 00:24:20.083: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.20 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:29:11.151: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.40 on Serial0/0 from LOADING to FULL, Loading Done
r4#
*Mar  1 00:29:10.943: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.30 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:29:18.099: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.234.20 on Serial0/0 from LOADING to FULL, Loading Done
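
The subnet arithmetic behind the "src not on the same network" message, as an added example that is not part of the original lab notes. It goes one step beyond the text by also computing the longest prefix that holds all three addresses. The function names are made up here, and the "before" case assumes all three interfaces carried the 255.255.255.224 mask shown for R4.

```python
import ipaddress

# Interface addresses from the configuration above
ADDRS = {"R2": "172.16.234.20", "R3": "172.16.234.30", "R4": "172.16.234.40"}

def segments(addrs, mask):
    """Group routers by the subnet each interface address falls into."""
    groups = {}
    for name, ip in addrs.items():
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        groups.setdefault(str(net), []).append(name)
    return groups

def accepts_hello(local_ip, mask, src_ip):
    """The check R4 applies to a received OSPF packet on a broadcast
    network: the source must lie inside the local interface's subnet."""
    local_net = ipaddress.ip_interface(f"{local_ip}/{mask}").network
    return ipaddress.ip_address(src_ip) in local_net

def smallest_common_subnet(addrs):
    """Longest prefix (smallest subnet) that contains every address."""
    ips = [ipaddress.ip_address(ip) for ip in addrs.values()]
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()          # widen by one bit and retry
    return net

if __name__ == "__main__":
    print(segments(ADDRS, "255.255.255.224"))   # R4 alone in 172.16.234.32/27
    print(segments(ADDRS, "255.255.255.192"))   # all three in 172.16.234.0/26
    print(smallest_common_subnet(ADDRS))
```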

4. R7 cannot form EIGRP neighbor relationships with R8 and R9
Run show run int s0/0 on FR2:
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
clock rate 64000
frame-relay route 708 interface Serial0/1 807
frame-relay route 709 interface Serial0/2 907
!
S0/0 on FR2 is not configured as DCE, so the Frame Relay connection cannot be established.
Fix:
Set S0/0 on FR2 to DCE.
FR2(config)#int s0/0
FR2(config-if)# frame-relay intf-type dce
Frame Relay is now up, but the EIGRP neighbors keep flapping:
08:39:28: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.2.99.1 (FastEthernet0/24) is down: retry limit exceeded
08:39:33: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.2.99.1 (FastEthernet0/24) is up: new adjacency
Check the interface configuration of R8 and R9:
R8:
interface Serial0/0
ip address 172.16.100.8 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
no arp frame-relay
frame-relay map ip 172.16.100.7 807
no frame-relay inverse-arp
R9:
interface Serial0/0
ip address 172.16.100.9 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
no arp frame-relay
frame-relay map ip 172.16.100.7 907
no frame-relay inverse-arp
!
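The static Frame Relay maps on R8 and R9 are configured without the broadcast keyword, so EIGRP multicast messages cannot be sent to the peer.
Fix:
Add the broadcast keyword to the static Frame Relay maps.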
R8(config-if)#int s0/0
R8(config-if)#frame-relay map ip 172.16.100.7 807 broadcast
R9(config-if)#int s0/0
R9(config-if)#frame-relay map ip 172.16.100.7 907 broadcast
Adjacencies fully established:
r7#
*Mar  1 00:41:19.659: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.9 (Serial0/0) is up: new adjacency
*Mar  1 00:41:19.847: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.8 (Serial0/0) is up: new adjacency
r8#
*Mar  1 00:41:20.799: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.7 (Serial0/0) is up: new adjacency
R9#
*Mar  1 00:41:20.735: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.7 (Serial0/0) is up: new adjacency

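5. The host on R5 cannot ping the host on R9
The faults in the individual routing protocols have been cleared, yet R5 still cannot ping R9, so redistribution is the likely cause. Run show run | section route on R4 and R6.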
R6:
router eigrp 1
redistribute ospf 1
network 172.16.67.6 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
redistribute eigrp 1
network 172.16.36.6 0.0.0.0 area 0

R4:
router rip
version 2
redistribute ospf 1
passive-interface Serial0/0
network 172.16.0.0
no auto-summary
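On R6, OSPF is redistributed into EIGRP without a metric, and EIGRP is redistributed into OSPF without the subnets keyword; on R4, OSPF is redistributed into RIP without a hop count. The redistribution therefore does not succeed.
Fix:
Add a metric when redistributing into EIGRP, add the subnets keyword when redistributing into OSPF, and add a hop count when redistributing into RIP.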
r6(config)#router ospf 1
r6(config-router)#redistribute eigrp 1 subnets
r6(config)#router eigrp 1
r6(config-router)#redistribute ospf 1 metric 1000 33 255 1 1500
r4(config)#router rip
r4(config-router)#redistribute ospf 1 metric 3
After the configuration is complete, check the routing table; R5 has now learned the route to R9's interface address:
r5#show ip rou rip 
     172.16.0.0/16 is variably subnetted, 7 subnets, 4 masks
R       172.16.234.0/26 [120/1] via 172.16.45.1, 00:00:19, Serial0/0
R       172.16.36.0/24 [120/3] via 172.16.45.1, 00:00:19, Serial0/0
R       172.16.100.0/24 [120/3] via 172.16.45.1, 00:00:19, Serial0/0
R       172.16.67.0/24 [120/3] via 172.16.45.1, 00:00:19, Serial0/0
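
A check for the three redistribution omissions named in this section, as an added example that is not part of the original lab notes. The function name and the rule set are written for this example and cover only redistribution between OSPF, EIGRP and RIP; the sample sections are the pre-fix output shown above.

```python
import re

DYNAMIC = {"ospf", "eigrp", "rip"}

def audit_redistribution(config):
    """Return (target protocol, statement, missing keyword) tuples."""
    sections, proto = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router (\w+)", line)
        if m:
            proto = m.group(1)
            sections.setdefault(proto, [])
        elif proto and line and line != "!":
            sections[proto].append(line)
    findings = []
    for proto, lines in sections.items():
        has_default = any(l.startswith("default-metric") for l in lines)
        for l in lines:
            words = l.split()
            if len(words) < 2 or words[0] != "redistribute" or words[1] not in DYNAMIC:
                continue            # connected/static are outside this check
            if proto in ("eigrp", "rip") and "metric" not in words and not has_default:
                findings.append((proto, l, "metric"))
            elif proto == "ospf" and "subnets" not in words:
                findings.append((proto, l, "subnets"))
    return findings

# Sections copied from the show run output above (before the fix)
R6_BEFORE = """\
router eigrp 1
 redistribute ospf 1
 network 172.16.67.6 0.0.0.0
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 1
 network 172.16.36.6 0.0.0.0 area 0
"""
R4_BEFORE = """\
router rip
 version 2
 redistribute ospf 1
 passive-interface Serial0/0
 network 172.16.0.0
 no auto-summary
"""
```

Calling audit_redistribution(R6_BEFORE) reports the missing metric and the missing subnets keyword; the same sections with the fixes from this step applied return an empty list.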

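6. Ensure the IP precedence of packets from the host on R5 to the host on R9
On the border router of each routing protocol, configure an inbound PBR policy that rewrites the IP precedence to the required value as traffic is passed on.
Fix:
r4(config)#access-list 101 permit ip host 172.16.5.1 host 1.1.1.1  //create the ACL matching the hosts on R5 and R9
r4(config)#route-map sovand permit 10   //create the route map
r4(config-route-map)#match ip add 101   //match access list 101
r4(config-route-map)#set ip precedence 2   //set precedence 2 on matching packets
r4(config)#int s0/1
r4(config-if)#ip policy route-map sovand   //apply PBR on the inbound interface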

r6(config)#access-list 101 permit ip host 172.16.5.1 host 1.1.1.1 precedence 2  
r6(config)#route-map sovand permit 10
r6(config-route-map)#match ip add 101
r6(config-route-map)#set ip precedence 5
r6(config)#int e0/0
r6(config-if)#ip policy route-map sovand
Test:
r5#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 188/282/380 ms

r9(config)#access-list 101 permit ip any any precedence 5
r9#debug ip packet 101
r9#
*Mar  1 01:20:35.383: IP: tableid=0, s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), routed via FIB
*Mar  1 01:20:35.383: IP: s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), len 100, sending
*Mar  1 01:20:35.707: IP: tableid=0, s=172.16.5.1 (Serial0/0), d=1.1.1.1 (Loopback0), routed via RIB
*Mar  1 01:20:35.707: IP: s=172.16.5.1 (Serial0/0), d=1.1.1.1, len 100, rcvd 4
*Mar  1 01:20:35.711: IP: tableid=0, s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), routed via FIB
*Mar  1 01:20:35.711: IP: s=1.1.1.1 (local), d=172.16.5.1 (Serial0/0), len 100, sending
R9 received packets with precedence 5, which confirms that the configuration works.

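7. A Telnet session from R3 to R6 lacks the privilege to run the commands
Running show run on R6 shows that the Telnet user's privilege level is 0, which does not permit show run or conf t: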
r3#telnet 172.16.36.6
Trying 172.16.36.6 ... Open

User Access Verification

Username: CISCO
Password:
r6#show run
         ^
% Invalid input detected at '^' marker.
Fix:
Change the user's privilege level to 15:
r6(config)#no username CISCO password 0 ADMIN
r6(config)#username CISCO privilege 15 password ADMIN
Telnet from R3 to R6 again:
r3#telnet 172.16.36.6
Trying 172.16.36.6 ... Open

User Access Verification

Username: CISCO
Password:
r6#show run
Building configuration...
r6#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r6(config)#