Deploying a single-area OSPF network

[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 172.16.20.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255

[AR2]ospf 1
[AR2-ospf-1]area 0	
[AR2-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 172.16.30.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255

[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 172.16.20.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 172.16.30.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255

Check the OSPF neighbor state
[AR1]display ospf peer 

 OSPF Process 1 with Router ID 172.16.1.254
	 Neighbors 

 Area 0.0.0.0 interface 172.16.20.1(GigabitEthernet0/0/1)'s neighbors
 Router ID: 172.16.20.3      Address: 172.16.20.3     
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 172.16.20.1  BDR: 172.16.20.3  MTU: 0    
   Dead timer due in 30  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:02:44     
   Authentication Sequence: [ 0 ] 

		 Neighbors 

 Area 0.0.0.0 interface 172.16.10.1(GigabitEthernet0/0/0)'s neighbors
 Router ID: 172.16.30.2      Address: 172.16.10.2     
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 172.16.10.1  BDR: 172.16.10.2  MTU: 0    
   Dead timer due in 33  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:04:12     
   Authentication Sequence: [ 0 ] 	 
View the OSPF routing table
[AR1]display ip routing-table protocol ospf 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 3        Routes : 4        

OSPF routing table status : <Active>
         Destinations : 3        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     172.16.2.0/24  OSPF    10   2           D   172.16.10.2     GigabitEthernet
0/0/0
     172.16.3.0/24  OSPF    10   2           D   172.16.20.3     GigabitEthernet
0/0/1
    172.16.30.0/24  OSPF    10   2           D   172.16.10.2     GigabitEthernet
0/0/0
                    OSPF    10   2           D   172.16.20.3     GigabitEthernet
0/0/1

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

OSPF multi-area configuration

[AR1]ospf 1	
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 10.0.24.0 0.0.0.255

[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255

[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]network 10.0.24.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255

Communication works normally; configuration of the backbone area routers is complete.

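Configure the non-backbone area routers. On branch router R5, create the OSPF process, create and enter area 1, and advertise the corresponding network segments of branch A.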

[AR5]ospf 1
[AR5-ospf-1]area 1
[AR5-ospf-1-area-0.0.0.1]network 10.0.15.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.1]network 10.0.35.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.1]network 10.0.1.0 0.0.0.255

On R1 and R3, also create and enter area 1, and advertise the interfaces connected to R5.

[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 10.0.15.0 0.0.0.255

[AR3]ospf 1
[AR3-ospf-1]area 1
[AR3-ospf-1-area-0.0.0.1]network 10.0.35.0 0.0.0.255

[AR5]display ospf peer 

	 OSPF Process 1 with Router ID 10.0.15.5
		 Neighbors 

 Area 0.0.0.1 interface 10.0.15.5(GigabitEthernet0/0/0)'s neighbors
 Router ID: 10.0.12.1        Address: 10.0.15.1       
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: 10.0.15.5  BDR: 10.0.15.1  MTU: 0    
   Dead timer due in 40  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:03:24     
   Authentication Sequence: [ 0 ] 

		 Neighbors 

 Area 0.0.0.1 interface 10.0.35.5(GigabitEthernet0/0/1)'s neighbors
 Router ID: 10.0.34.3        Address: 10.0.35.3       
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 10.0.35.5  BDR: 10.0.35.3  MTU: 0    
   Dead timer due in 30  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:01:05     
   Authentication Sequence: [ 0 ] 

As shown, the OSPF neighbor relationships between R5 and both R1 and R3 are now established normally, and both are in the Full state.

Use the display ip routing-table protocol ospf command to view the OSPF route entries in R5's routing table.

[AR5]display ip routing-table protocol ospf 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 6        Routes : 8        

OSPF routing table status : <Active>
         Destinations : 6        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.3.0/24  OSPF    10   2           D   10.0.35.3       GigabitEthernet
0/0/1
       10.0.4.0/24  OSPF    10   3           D   10.0.35.3       GigabitEthernet
0/0/1
      10.0.12.0/24  OSPF    10   2           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.13.0/24  OSPF    10   2           D   10.0.15.1       GigabitEthernet
0/0/0
                    OSPF    10   2           D   10.0.35.3       GigabitEthernet
0/0/1
      10.0.24.0/24  OSPF    10   3           D   10.0.15.1       GigabitEthernet
0/0/0
                    OSPF    10   3           D   10.0.35.3       GigabitEthernet
0/0/1
      10.0.34.0/24  OSPF    10   2           D   10.0.35.3       GigabitEthernet
0/0/1

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

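As shown, all relevant OSPF route entries have been learned except for the routes in OSPF area 2. In the topology, R1 and R3, the two routers that connect different areas, are called ABRs (Area Border Routers). This type of router can belong to two or more areas at the same time, but at least one of its interfaces must be in the backbone area. An ABR connects the backbone area to non-backbone areas, and its connection to the backbone area can be either physical or logical.

Use the display ospf lsdb command to view R5's OSPF link-state database.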

[AR5]display ospf lsdb 

 OSPF Process 1 with Router ID 10.0.15.5
	 Link State Database 

	         Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.12.1       10.0.12.1         1149  36    80000003       1
 Router    10.0.34.3       10.0.34.3           14  36    80000007       1
 Router    10.0.15.5       10.0.15.5           21  60    80000010       1
 Network   10.0.35.3       10.0.34.3           14  32    80000002       0
 Network   10.0.15.5       10.0.15.5         1144  32    80000002       0
 Sum-Net   10.0.34.0       10.0.12.1          482  28    80000005       2
 Sum-Net   10.0.34.0       10.0.34.3         1011  28    80000001       1
 Sum-Net   10.0.13.0       10.0.12.1         1156  28    80000001       1
 Sum-Net   10.0.13.0       10.0.34.3          486  28    80000005       1
 Sum-Net   10.0.24.0       10.0.12.1         1148  28    80000003       2
 Sum-Net   10.0.24.0       10.0.34.3         1011  28    80000001       2
 Sum-Net   10.0.12.0       10.0.12.1         1156  28    80000001       1
 Sum-Net   10.0.12.0       10.0.34.3          483  28    80000005       2
 Sum-Net   10.0.3.0        10.0.12.1          482  28    80000005       2
 Sum-Net   10.0.3.0        10.0.34.3         1011  28    80000001       1
 Sum-Net   10.0.4.0        10.0.12.1         1156  28    80000001       3
 Sum-Net   10.0.4.0        10.0.34.3         1011  28    80000001       2

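As shown, the route entries for other areas are all learned through Sum-Net LSAs, and this type of LSA does not take part in the SPF calculation of the local area.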

Apply the same configuration to router R6 in the company's other branch, branch B, and to the corresponding ABRs R2 and R4.

[AR6]ospf 1
[AR6-ospf-1]area 2
[AR6-ospf-1-area-0.0.0.2]network 10.0.26.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.2]network 10.0.46.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.2]network 10.0.2.0 0.0.0.255

[AR2]ospf 1
[AR2-ospf-1]area 2
[AR2-ospf-1-area-0.0.0.2]network 10.0.26.0 0.0.0.255

[AR4]ospf 1
[AR4-ospf-1]area 2
[AR4-ospf-1-area-0.0.0.2]network 10.0.46.0 0.0.0.255

With the configuration complete, view R6's OSPF route entries.
[AR6]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 9        Routes : 12       

OSPF routing table status : <Active>
         Destinations : 9        Routes : 12

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.1.0/24  OSPF    10   4           D   10.0.26.2       GigabitEthernet
0/0/0
                    OSPF    10   4           D   10.0.46.4       GigabitEthernet
0/0/1
       10.0.3.0/24  OSPF    10   3           D   10.0.46.4       GigabitEthernet
0/0/1
       10.0.4.0/24  OSPF    10   2           D   10.0.46.4       GigabitEthernet
0/0/1
      10.0.12.0/24  OSPF    10   2           D   10.0.26.2       GigabitEthernet
0/0/0
      10.0.13.0/24  OSPF    10   3           D   10.0.26.2       GigabitEthernet
0/0/0
                    OSPF    10   3           D   10.0.46.4       GigabitEthernet
0/0/1
      10.0.15.0/24  OSPF    10   3           D   10.0.26.2       GigabitEthernet
0/0/0
      10.0.24.0/24  OSPF    10   2           D   10.0.26.2       GigabitEthernet
0/0/0
                    OSPF    10   2           D   10.0.46.4       GigabitEthernet
0/0/1
      10.0.34.0/24  OSPF    10   2           D   10.0.46.4       GigabitEthernet
0/0/1
      10.0.35.0/24  OSPF    10   3           D   10.0.46.4       GigabitEthernet
0/0/1

OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

Test connectivity between PC1 and PC2.

At this point, the OSPF multi-area configuration is complete.

[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 10.0.12.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.1]network 1.1.1.1 0.0.0.0

[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]quit	
[AR2-ospf-1]area 1
[AR2-ospf-1-area-0.0.0.1]network 10.0.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.1]network 10.0.24.0 0.0.0.255
	
[AR3]ospf 1	
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.36.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0


[AR4]ospf 1	
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]network 10.0.24.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.1]network 4.4.4.4 0.0.0.0

[AR5]ospf 1	
[AR5-ospf-1]area 0	
[AR5-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0

[AR6]ospf 1
[AR6-ospf-1]area 0
[AR6-ospf-1-area-0.0.0.0]network 10.0.36.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.0]network 6.6.6.6 0.0.0.0

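Configure plaintext area authentication for the branch OSPF area. The network administrator configures plaintext area authentication in OSPF area 1 of the company branch.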

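In the area 1 view of OSPF on R1, use the authentication-mode command to set the area's authentication mode to simple (simple authentication mode), set the password to huawei, and specify the plain parameter. With the plain parameter, the password is displayed in plaintext when the configuration file is viewed. Without this parameter, the password is displayed in ciphertext by default when the configuration file is viewed, so the original password cannot be read. This prevents non-administrator users from seeing the original password after logging in to the device, which improves security.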

[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]authentication-mode simple plain huawei	
[AR1-ospf-1-area-0.0.0.1]display this
#
 area 0.0.0.1
  authentication-mode simple plain huawei
  network 10.0.12.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
#
return

The password is now displayed in plaintext.
Reconfigure the area authentication command on R1 and view the configuration.
[AR1-ospf-1-area-0.0.0.1]authentication-mode simple huawei
[AR1-ospf-1-area-0.0.0.1]display this
#
 area 0.0.0.1
  authentication-mode simple plain huawei
  network 10.0.12.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
#
return

[AR1-ospf-1-area-0.0.0.1]authentication-mode simple cipher huawei 	
[AR1-ospf-1-area-0.0.0.1]display this
#
 area 0.0.0.1
  authentication-mode simple cipher 7OH"-8bP(#ECB7Ie7'/)Xa$#
  network 10.0.12.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
#
return
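
The plain/cipher and simple settings shown above can be checked across saved configurations. The following is an added example, not part of the original page or of Huawei's tooling: a small audit that flags simple mode (RFC 2328 simple authentication carries the password unencrypted in each packet header), plain storage, and areas with no area-level authentication. The sample configuration, the <ciphertext> placeholder and the function name audit are constructed for illustration.

```python
import re

# Constructed sample in the style of the page's "display this" output.
# <ciphertext> stands in for the device-generated string.
SAMPLE_CONFIG = """\
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 cipher <ciphertext>
  network 10.0.23.0 0.0.0.255
 area 0.0.0.1
  authentication-mode simple plain huawei
  network 10.0.12.0 0.0.0.255
 area 0.0.0.2
  network 10.0.26.0 0.0.0.255
interface GigabitEthernet0/0/1
 ospf authentication-mode md5 1 cipher <ciphertext>
"""

AUTH_RE = re.compile(r"^(?:ospf )?authentication-mode (\S+)(.*)$")

def audit(config):
    """Return (scope, finding) pairs for weak or missing OSPF authentication."""
    findings, scope, area_has_auth = [], None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("area "):
            scope = "area " + line.split()[1]
            area_has_auth[scope] = False
        elif line.startswith("interface "):
            scope = line
        m = AUTH_RE.match(line)
        if not (m and scope):
            continue
        mode, args = m.group(1), m.group(2).split()
        if scope in area_has_auth:
            area_has_auth[scope] = True
        # simple: [plain|cipher] password; other modes: key-id [plain|cipher] password
        keyword = args[0:1] if mode == "simple" else args[1:2]
        if mode == "simple":
            findings.append((scope, "simple mode: password is sent unencrypted in every OSPF packet"))
        if keyword == ["plain"]:
            findings.append((scope, "plain: password is readable in the configuration file"))
    findings += [(a, "no area-level authentication configured")
                 for a, ok in area_has_auth.items() if not ok]
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

An area reported as having no area-level authentication may still be protected by interface-level commands, so check those interfaces before treating it as unauthenticated.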

[AR1]display ospf peer brief 

	 OSPF Process 1 with Router ID 10.0.12.1
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 ----------------------------------------------------------------------------

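As shown, the neighbor relationship between R1 and R2 is now down. The cause is that authentication has so far been configured only on R1, so OSPF authentication between R1 and R2 does not match. Continue by configuring R2, the other device in this area; the authentication mode and the password must both be the same.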

[AR2]ospf 1	
[AR2-ospf-1]area 1
[AR2-ospf-1-area-0.0.0.1]authentication-mode simple huawei

After the configuration is complete, wait a while and then check the neighbor relationship between the two again.
[AR1]display ospf peer brief

 OSPF Process 1 with Router ID 10.0.12.1
	  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 ----------------------------------------------------------------------------
[AR1]display ospf peer brief

	 OSPF Process 1 with Router ID 10.0.12.1
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.1          GigabitEthernet0/0/0

The neighbor relationship between AR1 and AR2 is now back to normal.

Apply the same configuration on AR4.
[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]authentication-mode simple huawei

After the configuration is complete, view the OSPF neighbor relationships on AR2.
[AR2]display ospf peer brief 

	 OSPF Process 1 with Router ID 10.0.12.2
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet0/0/2             10.0.23.3        Full        
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.1        Full        
 0.0.0.1          GigabitEthernet0/0/1             10.0.24.4        Full        
 ----------------------------------------------------------------------------

All neighbor relationships in area 1 are now established normally.

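Configure ciphertext area authentication for the headquarters OSPF area. On R2, configure area authentication for OSPF Area 0 with the authentication mode set to md5 (MD5 authentication mode), the key identifier set to 1, and the password set to huawei1.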

[AR2]ospf 1
[AR2-ospf-1]area 0	
[AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1

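Continue with the same configuration on the other backbone routers. Note that with ciphertext authentication, the key identifier and the password must match exactly for authentication to succeed.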
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1

[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1

[AR6]ospf 1
[AR6-ospf-1]area 0
[AR6-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1

After the configuration is complete, view the OSPF neighbor state on AR3.

[AR3]display ospf peer brief

 OSPF Process 1 with Router ID 10.0.23.3
	  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet0/0/2             10.0.12.2        Full        
 0.0.0.0          GigabitEthernet0/0/0             10.0.35.5        Full        
 0.0.0.0          GigabitEthernet0/0/1             10.0.36.6        Full        
 ----------------------------------------------------------------------------
As shown, the OSPF neighbor state is established normally.

Configure OSPF link authentication

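In the two steps above, OSPF authentication was configured using OSPF area authentication; link authentication achieves the same effect. With link authentication, the link authentication command, including parameters such as the authentication mode and password, has to be configured on every interface of the same OSPF link. With area authentication, within an area only one command is needed in the corresponding area view under the OSPF process to set the authentication mode and password, which greatly reduces the amount of configuration. So when several OSPF devices in the same area need authentication, area authentication is the recommended way to configure it.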

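The branch OSPF area currently uses simple-mode area authentication. To further improve the security of the OSPF network between AR2 and AR4, the network administrator needs to deploy OSPF link authentication in MD5 mode between the two devices.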

On interface GE0/0/1 of AR2, use the ospf authentication-mode command to configure link authentication with the md5 authentication mode, key identifier 1, and password huawei5.

[AR2-GigabitEthernet0/0/1]ospf authentication-mode md5 1 huawei5
[AR2-GigabitEthernet0/0/1]display ospf peer brief

	 OSPF Process 1 with Router ID 10.0.12.2
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet0/0/2             10.0.23.3        Full        
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.1        Full        
 0.0.0.1          GigabitEthernet0/0/1             10.0.24.4        Full        
 ----------------------------------------------------------------------------
[AR2-GigabitEthernet0/0/1]display ospf peer brief

	 OSPF Process 1 with Router ID 10.0.12.2
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet0/0/2             10.0.23.3        Full        
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.1        Full        
 ---------------------------------------------------------------------------

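The OSPF neighbor relationship between AR2 and AR4 has disappeared. Although area authentication is already configured, when both interface authentication and area authentication are configured, interface authentication takes precedence when establishing OSPF neighbors. So until link authentication is configured on AR4, the neighbor relationship between AR2 and AR4 cannot be established because authentication does not match. Configure link authentication on AR4 in the same way; note that the authentication mode, key identifier, and password must all match.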

[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]ospf authentication-mode md5 1 huawei5	
[AR4-GigabitEthernet0/0/0]display ospf peer brief 

	 OSPF Process 1 with Router ID 10.0.24.4
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.2        Full        
 ----------------------------------------------------------------------------

As shown, the neighbor relationship is back to normal. OSPF link authentication is now complete.