I. Topology

[Figure: lab topology (image not included in this text)]

II. Requirements

1. Configure multi-area OSPF as shown in the topology, and configure RIPv2 between R3 and R6 and between R4 and R6. Advertise Loopback0 of R1, R2, R3 and R4 into Area 0, Loopback0 of R5 into Area 1, and R6's directly connected interfaces into RIP.

2. Advertise the company's internal business subnets 192.168.10.0/24 and 192.168.20.0/24 on R6 into RIP, and import the external business subnets 172.16.10.0/24 and 172.16.20.0/24 on R5 into OSPF.

3. Configure two-point, two-way route redistribution between OSPF and RIP on R3 and R4 so that the business subnets 192.168.10.0/24 and 192.168.20.0/24 are imported into OSPF.

4. Reduce the number of LSAs maintained in Area 2, including Type-3 and Type-5 LSAs, through configuration.

5. Make the business subnets on R5 reach 192.168.10.0/24 via R1 and 192.168.20.0/24 via R2, configuring only R3.

6. The physical link between R1 and R2 is unstable; improve the robustness of the OSPF network through appropriate configuration.

7. Resolve the suboptimal path problem that currently exists in the OSPF network.

8. Optimise R5's OSPF routing table, reduce the LSAs it must maintain, and summarise the two business subnets on R5.

9. Adjust the relevant OSPF timers according to the condition of the link between R2 and R4.

10. To improve the security of the OSPF network, deploy OSPF area authentication with an encrypted (cipher) password.

III. Lab steps and results

1. Configure multi-area OSPF as shown in the topology, and configure RIPv2 between R3 and R6 and between R4 and R6. Advertise Loopback0 of R1, R2, R3 and R4 into Area 0, Loopback0 of R5 into Area 1, and R6's directly connected interfaces into RIP. The configuration steps are: assign IP addresses to the relevant interfaces, enable the routing protocols and advertise the networks (RIP advertises by classful network). R3 is used as the example.

IP address configuration

[AR3]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              10.0.34.3/24         up         up
GigabitEthernet0/0/1              10.0.13.3/24         up         up
GigabitEthernet1/0/0              10.0.36.3/24         up         up
LoopBack0                         10.0.3.3/32          up         up(s)

OSPF configuration

[AR3]dis cu c ospf
[V200R003C00]
#
ospf 1 router-id 10.0.3.3
 area 0.0.0.0
  network 10.0.3.3 0.0.0.0
  network 10.0.13.3 0.0.0.0
 area 0.0.0.2
  network 10.0.34.3 0.0.0.0

RIP configuration

[AR3]dis cu configuration rip
[V200R003C00]
#
rip 1
 version 2
 network 10.0.0.0

Check the OSPF neighbours

[AR3]dis ospf pe br

OSPF Process 1 with Router ID 10.0.3.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
0.0.0.0          GigabitEthernet0/0/1             10.0.1.1
0.0.0.2          GigabitEthernet0/0/0             10.0.4.4
 ---------------------------------------------------------------------------

Two neighbours in Full state: 10.0.1.1 (R1) in Area 0 and 10.0.4.4 (R4) in Area 2. The RIP neighbour state is as follows:

[AR3]dis rip 1 ne
---------------------------------------------------------------------
 IP Address      Interface                   Type   Last-Heard-Time
---------------------------------------------------------------------
10.0.34.4
 Number of RIP routes  : 3
10.0.36.6
 Number of RIP routes  : 2

Two RIP neighbours: 10.0.34.4 (R4) and 10.0.36.6 (R6).

 

2. Advertise the company's internal business subnets 192.168.10.0/24 and 192.168.20.0/24 on R6 into RIP, and import the external business subnets 172.16.10.0/24 and 172.16.20.0/24 on R5 into OSPF.

The subnets on R6 are advertised as directly connected networks; the business subnets on R5 are imported. Only these two subnets may be imported and no others, so the import has to be restricted. A 172.16.30.0/24 subnet is created on R5 to test this.

On R5, create Loopback30 with address 172.16.30.5/24 for the import test.

ospf 1 router-id 10.0.5.5
 import-route direct            (import directly connected routes)
 area 0.0.0.1
  network 10.0.5.5 0.0.0.0
  network 10.0.15.5 0.0.0.0
  network 10.0.25.5 0.0.0.0

After this import every directly connected subnet is imported into OSPF, that is, the other directly connected routes are imported as well:

dis ip routing-table  pro ospf

    172.16.10.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
    172.16.20.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
172.16.30.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1

So the import must be restricted to the required subnets. On R5, create an IP prefix list that matches the routes, match the prefix list in a route-policy, and finally apply the route-policy when importing (this is not the only method):

[AR5]dis cu | be ip ip
ip ip-prefix lan172 index 10 permit 172.16.10.0 24   (prefix list)
ip ip-prefix lan172 index 20 permit 172.16.20.0 24

[AR5]dis cu c route-policy
[V200R003C00]
#
route-policy lan172 permit node 10    (create the route-policy)
 if-match ip-prefix lan172               (match the prefix list)

ospf 1 router-id 10.0.5.5
 import-route direct route-policy lan172
 area 0.0.0.1
  network 10.0.5.5 0.0.0.0
  network 10.0.15.5 0.0.0.0
  network 10.0.25.5 0.0.0.0

The route-policy is applied on import under OSPF, so only the 172.16.10 and 172.16.20 routes are imported:

dis ip routing-table pro ospf

    172.16.10.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
    172.16.20.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1

On R6 the subnets are advertised into RIP with network statements:

rip 1
 version 2
 network 10.0.0.0
 network 192.168.10.0
 network 192.168.20.0

Only R3 and R4 have routes to the whole network: the 172 subnets are learned from OSPF and the 192 subnets from RIP.

dis ip routing-table
 O_ASE
O_ASE
RIP
RIP

3. Configure two-point, two-way route redistribution between OSPF and RIP on R3 and R4 so that the business subnets 192.168.10.0/24 and 192.168.20.0/24 are imported into OSPF.

R3 and R4 each run both routing protocols and learn different subnets from each. For the OSPF domain to also carry the routes learned from RIP, and for R6 to learn the OSPF routes, two-point two-way redistribution is configured on R3 and R4: RIP is imported into OSPF and OSPF into RIP. R3 is used as the example.

Import RIP into OSPF so that OSPF learns the routes RIP has learned:

ospf 1 router-id 10.0.3.3
 import-route rip 1
 area 0.0.0.0
  network 10.0.3.3 0.0.0.0
  network 10.0.13.3 0.0.0.0
 area 0.0.0.2
  network 10.0.34.3 0.0.0.0

Import OSPF into RIP so that RIP learns the routes OSPF has learned:

rip 1
 version 2
 network 10.0.0.0
 import-route ospf 1

Check on R5 and R6 whether the routes have been learned:

dis ip routing-table pro ospf
 192.168.10.0/24  O_ASE   150  1           D   10.0.15.1
  192.168.20.0/24  O_ASE   150  1           D   10.0.15.1

dis ip rou pro rip
 172.16.10.0/24  RIP     100  1           D   10.0.46.4
 172.16.20.0/24  RIP     100  1           D   10.0.46.4

R5 learns the 192 subnets via OSPF and R6 learns the 172 subnets via RIP, but importing this way creates a suboptimal path problem. RIP routes have preference 100 (the Pre column) and routes imported into OSPF (O_ASE) have preference 150. Once the 172 subnets are imported into RIP on R3 and R4 they become RIP routes with preference 100, so R3 or R4 can then learn the 172 subnets through RIP. If R3 redistributes first, R4 ends up with two candidate routes for the 172 subnets, one learned from OSPF (preference 150) and one from RIP (preference 100), and selects the RIP route with preference 100; conversely, if R4 redistributes first, R3 selects the preference-100 route.

The routing table on R3:

172.16.10.0/24  RIP     100  1
0/0/0
172.16.20.0/24  RIP     100  1
0/0/0
   192.168.10.0/24  RIP     100  1           D   10.0.36.6      GigabitEthernet
1/0/0
   192.168.20.0/24  RIP     100  1           D   10.0.36.6      GigabitEthernet
1/0/0

The 172 subnets are learned via RIP with next hop R4. R3 only needs the path R1--R5 to reach the 172 subnets, but now it goes R4--R2--R5, which is clearly not the optimal path for R3:

tracert 172.16.10.5

 traceroute to  172.16.10.5(172.16.10.5), max hops: 30 ,packet length: 40,press
CTRL_C to break

10.0.34.4

 2 10.0.24.2 30 ms  30 ms  20 ms

 3 10.0.25.5 40 ms  30 ms  30 ms

So on R3 and R4 this route is filtered out when RIP learns routes. R3 as the example (not the only method):

[AR3]dis cu | be ip ip
ip ip-prefix lan172 index 10 deny 172.16.10.0 24
ip ip-prefix lan172 index 20 deny 172.16.20.0 24
ip ip-prefix lan172 index 30 permit 0.0.0.0 0 less-equal 32

The prefix list denies the two routes 172.16.10.0/24 and 172.16.20.0/24 and permits everything else.

rip 1
 version 2
 network 10.0.0.0
 filter-policy ip-prefix lan172 import
 import-route ospf 1

Filtering is enabled under the RIP process, matching the ip-prefix list.

The result on R3:

[AR3]dis ip routing-table
 O_ASE
O_ASE
 192.168.10.0/24  RIP     100  1           D   10.0.36.6
 192.168.20.0/24  RIP     100  1           D   10.0.36.6

And on R4:

[AR4]dis ip routing-table
O_ASE
O_ASE
 192.168.10.0/24  RIP     100  1           D   10.0.46.6
 192.168.20.0/24  RIP     100  1           D   10.0.46.6
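The two prefix lists in steps 2 and 3 and the preference comparison that produces the suboptimal path are small enough to model exactly. The following is an added example, not part of the lab write-up: it implements the VRP-style ip-prefix matching (exact length, or a length range with less-equal, first matching index wins, implicit deny), and the routing-table selection by protocol preference (RIP 100, O_ASE 150, as the Pre column shows). The candidate route lists are constructed to mirror what R5 and R3 see in the write-up; next hops are the ones shown there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixRule:
    """One 'ip ip-prefix NAME index N permit|deny A.B.C.D LEN [less-equal L]' line."""
    index: int
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # A.B.C.D LEN of the rule
    less_equal: Optional[int] = None  # if given, lengths LEN..less_equal match


@dataclass(frozen=True)
class Route:
    prefix: str     # e.g. "172.16.10.0/24"
    proto: str      # "RIP", "O_ASE", "Direct"
    pref: int       # VRP preference, the "Pre" column: RIP 100, OSPF ASE 150
    cost: int
    nexthop: str


def rule_matches(rule: PrefixRule, prefix: ipaddress.IPv4Network) -> bool:
    """The first LEN bits must agree, and the route's length must be exactly
    LEN, or within LEN..less-equal when that option is present."""
    lo = rule.network.prefixlen
    hi = rule.less_equal if rule.less_equal is not None else lo
    return lo <= prefix.prefixlen <= hi and prefix.network_address in rule.network


def prefix_list_permits(rules: List[PrefixRule], prefix_text: str) -> bool:
    """Rules are tried in index order; the first match decides, and a route
    that matches no rule is denied (the implicit deny at the end of the list)."""
    prefix = ipaddress.ip_network(prefix_text)
    for rule in sorted(rules, key=lambda r: r.index):
        if rule_matches(rule, prefix):
            return rule.action == "permit"
    return False


def filter_routes(routes: List[Route], rules: List[PrefixRule]) -> List[Route]:
    return [r for r in routes if prefix_list_permits(rules, r.prefix)]


def select_best(candidates: List[Route]) -> Dict[str, Route]:
    """Routing-table selection: per prefix the lowest preference wins, then the
    lowest cost. This is why R3/R4 end up installing the RIP copy (pref 100)."""
    best: Dict[str, Route] = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or (r.pref, r.cost) < (cur.pref, cur.cost):
            best[r.prefix] = r
    return best


# Step 2: R5's prefix list "lan172" permits only the two business subnets.
R5_LAN172 = [
    PrefixRule(10, "permit", ipaddress.ip_network("172.16.10.0/24")),
    PrefixRule(20, "permit", ipaddress.ip_network("172.16.20.0/24")),
]

# Step 3: R3's prefix list "lan172" denies them and permits everything else.
R3_LAN172 = [
    PrefixRule(10, "deny", ipaddress.ip_network("172.16.10.0/24")),
    PrefixRule(20, "deny", ipaddress.ip_network("172.16.20.0/24")),
    PrefixRule(30, "permit", ipaddress.ip_network("0.0.0.0/0"), less_equal=32),
]

# Constructed: R5's directly connected routes offered to "import-route direct".
R5_DIRECT = [Route(p, "Direct", 0, 0, "0.0.0.0") for p in
             ("172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24", "10.0.15.0/24")]

# Constructed: what R3 holds once both ABRs redistribute in both directions.
R3_CANDIDATES = [
    Route("172.16.10.0/24", "O_ASE", 150, 1, "10.0.13.1"),   # from OSPF via R1
    Route("172.16.10.0/24", "RIP", 100, 1, "10.0.34.4"),     # re-imported by R4
    Route("192.168.10.0/24", "RIP", 100, 1, "10.0.36.6"),    # genuine RIP route
]


def r5_imported_prefixes() -> List[str]:
    """What 'import-route direct route-policy lan172' lets through on R5."""
    return [r.prefix for r in filter_routes(R5_DIRECT, R5_LAN172)]


def r3_next_hop_for_172(filtered: bool) -> str:
    """Next hop R3 installs for 172.16.10.0/24, with or without the RIP
    'filter-policy ip-prefix lan172 import' in place."""
    rip = [r for r in R3_CANDIDATES if r.proto == "RIP"]
    ospf = [r for r in R3_CANDIDATES if r.proto != "RIP"]
    if filtered:
        rip = filter_routes(rip, R3_LAN172)
    return select_best(ospf + rip)["172.16.10.0/24"].nexthop


if __name__ == "__main__":
    print("R5 imports:", r5_imported_prefixes())
    print("R3 -> 172.16.10.0/24 unfiltered:", r3_next_hop_for_172(False))
    print("R3 -> 172.16.10.0/24 filtered:  ", r3_next_hop_for_172(True))
```

The filter is applied to the RIP candidates only, exactly as the write-up's filter-policy sits under the RIP process: the OSPF copy of the route is untouched, so once the RIP copy is dropped the preference comparison has only the O_ASE route via R1 left.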

 

4. Reduce the number of LSAs maintained in Area 2, including Type-3 and Type-5 LSAs, through configuration.

To reduce the LSAs maintained in Area 2, the properties of totally stub and totally NSSA areas can be used: under Area 2, enter nssa no-summary to define it as a totally NSSA area. As the LSDB below shows, the only Sum-Net (Type-3) LSAs left are the two ABRs' default routes and there are no External (Type-5) LSAs. Area 2's LSDB:

 Area: 0.0.0.2
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.3.3        10.0.3.3            30  36    80000005       1
 Router    10.0.4.4        10.0.4.4            25  36    80000005       1
 Network   10.0.34.4       10.0.4.4            25  32    80000002       0
 Sum-Net   0.0.0.0         10.0.4.4            68  28    80000001       1
 Sum-Net   0.0.0.0         10.0.3.3            78  28    80000001       1
 NSSA      0.0.0.0         10.0.4.4            68  36    80000001       1
 NSSA      10.0.6.6        10.0.4.4            68  36    80000001       1
 NSSA      10.0.4.4        10.0.4.4            68  36    80000001       1
 NSSA      10.0.36.0       10.0.4.4            68  36    80000002       1
 NSSA      10.0.34.0       10.0.4.4            68  36    80000002       1
 NSSA      10.0.46.0       10.0.4.4            68  36    80000001       1
 NSSA      192.168.10.0    10.0.4.4            68  36    80000001       1
 NSSA      192.168.20.0    10.0.4.4            68  36    80000001       1
 NSSA      10.0.24.0       10.0.4.4            68  36    80000001       1
 NSSA      0.0.0.0         10.0.3.3            78  36    80000001       1
 NSSA      10.0.6.6        10.0.3.3            78  36    80000001       1
 NSSA      10.0.3.3        10.0.3.3            78  36    80000001       1
 NSSA      10.0.36.0       10.0.3.3            78  36    80000001       1
 NSSA      10.0.34.0       10.0.3.3            78  36    80000002       1
 NSSA      10.0.13.0       10.0.3.3            78  36    80000001       1
 NSSA      192.168.10.0    10.0.3.3            78  36    80000001       1
 NSSA      192.168.20.0    10.0.3.3            78  36    80000001       1

 

 

5. Make the business subnets on R5 reach 192.168.10.0/24 via R1 and 192.168.20.0/24 via R2, configuring only R3.

Check the routing table and the reachability of the business subnets on R5.

The routes to the 192.168 subnets:

192.168.10.0/24  O_ASE   150  1           D   10.0.15.1
192.168.20.0/24  O_ASE   150  1           D   10.0.15.1

Both 192.168 subnets are reached through R1, which a trace confirms:

tracert -a 172.16.10.5 192.168.10.6

 traceroute to  192.168.10.6(192.168.1
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break

1 10.0.15.1 20 ms  10 ms  10 ms

 2 10.0.13.3 30 ms  20 ms  30 ms

 3 10.0.36.6 20 ms  30 ms  10 ms

tracert -a 172.16.10.5 192.168.20.6

 traceroute to  192.168.20.6(192.168.2
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break

 1 10.0.15.1 30 ms  20 ms  20 ms

 2 10.0.13.3 20 ms  10 ms  20 ms

 3 10.0.36.6 30 ms  30 ms  20 ms

Both go out via R1. The requirement is to reach 192.168.10 via R1 and 192.168.20 via R2 while configuring only R3, so the two subnets must be treated differently when they are imported: 192.168.10.0 is imported unchanged, and 192.168.20.0 is imported with a larger cost. R5 then learns the 192.168.20.0 route differently from the two ABRs: both imported routes have preference 150, but the cost learned via R1 is slightly larger than the cost learned via R2, so the route via R2 is preferred (not the only method).

On R3, create access control lists that match the 192.168.10 and 192.168.20 subnets respectively:

[AR3]dis cu | be acl
acl number 2010
 rule 5 permit source 192.168.10.0 0.0.0.255
acl number 2020
 rule 5 permit source 192.168.20.0 0.0.0.255

Match the ACLs in a route-policy:

route-policy lan192 permit node 10
 if-match acl 2010
#
route-policy lan192 permit node 20
 if-match acl 2020
 apply cost 10

Apply the route-policy on import:

ospf 1 router-id 10.0.3.3
 import-route rip 1 route-policy lan192
 area 0.0.0.0
  network 10.0.3.3 0.0.0.0
  network 10.0.13.3 0.0.0.0
 area 0.0.0.2
  network 10.0.34.3 0.0.0.0
  nssa no-summary

Thus when 192.168.20 is imported its cost is set to 10. R5 receives two routes for 192.168.20: one with cost 10 and next hop R1, and one with cost 1 and next hop R2, so the route via R2 is installed in the routing table.

192.168.10.0/24  O_ASE   150  1           D   10.0.15.1
192.168.20.0/24  O_ASE   150  1           D   10.0.25.2

Tracing the paths:

192.168.10.6

 traceroute to  192.168.10.6(192.168.1
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break

1 10.0.15.1 20 ms  20 ms  20 ms

 2 10.0.13.3 30 ms  20 ms  20 ms

 3 10.0.36.6 30 ms  40 ms  20 ms

tracert -a 172.16.10.5 192.168.20.6

 traceroute to  192.168.20.6(192.168.2
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break

 1 10.0.25.2 20 ms  10 ms  10 ms

 2 10.0.24.4 30 ms  20 ms  20 ms

 3  * 10.0.46.6 30 ms  50 ms
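The selection R5 makes in this step follows from two rules: the route-policy on R3 rewrites the external cost of one subnet, and OSPF picks among type-2 external routes by external cost first, then by cost to the advertising ASBR. The following is an added example, not the write-up's own code: it models R3's ACLs and route-policy "lan192" (taken from the configuration above), R4's unmodified redistribution, and R5's choice. The costs from R5 to the two ASBRs are assumptions read off the topology (R5-R1-R3 = 1 + 1, R5-R2-R4 = 1 + 48 for the serial link), as are the next hops towards them.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One 'rule N permit source A.B.C.D WILDCARD' line of a basic ACL."""
    source: str
    wildcard: str   # set bits are "don't care", as in VRP wildcard masks

    def matches(self, prefix: str) -> bool:
        addr = int(IPv4Address(prefix.split("/")[0]))
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (addr & care) == (int(IPv4Address(self.source)) & care)


@dataclass(frozen=True)
class PolicyNode:
    """route-policy NAME permit node N / if-match acl ACL / [apply cost C]"""
    node: int
    acl: int
    apply_cost: Optional[int] = None


@dataclass(frozen=True)
class AseRoute:
    prefix: str
    asbr: str    # router ID of the ASBR that originated the Type-5 LSA
    cost: int    # external (type-2) cost carried in the LSA


# From the write-up: R3's ACLs and route-policy "lan192".
ACLS = {2010: [AclRule("192.168.10.0", "0.0.0.255")],
        2020: [AclRule("192.168.20.0", "0.0.0.255")]}
LAN192 = [PolicyNode(10, 2010), PolicyNode(20, 2020, apply_cost=10)]

# Assumed from the topology: R5's cost to each ASBR and the next hop towards it.
COST_TO_ASBR = {"10.0.3.3": 2, "10.0.4.4": 49}
NEXT_HOP_TO_ASBR = {"10.0.3.3": "10.0.15.1", "10.0.4.4": "10.0.25.2"}


def redistribute(prefixes: List[str], asbr: str,
                 policy: Optional[List[PolicyNode]], default_cost: int = 1) -> List[AseRoute]:
    """import-route rip 1 [route-policy ...]: without a policy every route is
    imported at the default cost; with one, the first node whose ACL matches
    decides and may rewrite the cost, and a route matching no node is dropped."""
    out: List[AseRoute] = []
    for p in prefixes:
        if policy is None:
            out.append(AseRoute(p, asbr, default_cost))
            continue
        for node in sorted(policy, key=lambda n: n.node):
            if any(rule.matches(p) for rule in ACLS[node.acl]):
                cost = default_cost if node.apply_cost is None else node.apply_cost
                out.append(AseRoute(p, asbr, cost))
                break
    return out


def select_external(lsas: List[AseRoute]) -> Dict[str, Tuple[str, int]]:
    """Type-2 external selection: the lowest external cost wins, ties are broken
    by the lowest cost to the advertising ASBR. Returns prefix -> (next hop, cost)."""
    best: Dict[str, Tuple[Tuple[int, int], AseRoute]] = {}
    for lsa in lsas:
        key = (lsa.cost, COST_TO_ASBR[lsa.asbr])
        if lsa.prefix not in best or key < best[lsa.prefix][0]:
            best[lsa.prefix] = (key, lsa)
    return {p: (NEXT_HOP_TO_ASBR[l.asbr], l.cost) for p, (_, l) in best.items()}


def r5_routes(with_policy: bool) -> Dict[str, Tuple[str, int]]:
    """R5's installed O_ASE routes before/after R3 applies route-policy lan192."""
    rip_prefixes = ["192.168.10.0/24", "192.168.20.0/24"]
    from_r3 = redistribute(rip_prefixes, "10.0.3.3", LAN192 if with_policy else None)
    from_r4 = redistribute(rip_prefixes, "10.0.4.4", None)
    return select_external(from_r3 + from_r4)


if __name__ == "__main__":
    print("before:", r5_routes(False))
    print("after: ", r5_routes(True))
```

Without the policy both subnets tie on external cost 1 and the nearer ASBR (R3, via R1) wins both; with it, R3's copy of 192.168.20.0/24 carries cost 10, so R4's cost-1 copy wins and the next hop becomes 10.0.25.2, matching the routing table shown above.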

 

6. The physical link between R1 and R2 is unstable; improve the robustness of the OSPF network through appropriate configuration.

The link between R1 and R2 must stay up: if it goes down, the backbone area is partitioned, which is not allowed. Once Area 0 is partitioned, R1 and R2 no longer learn each other's routes and the network fails.

[AR1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              10.0.15.1/24         up         up
GigabitEthernet0/0/1              10.0.13.1/24         up         up
GigabitEthernet1/0/0              10.0.12.1/24         *down      down
LoopBack0                         10.0.1.1/32          up         up(s)

The routing table has no route to R2:

[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 19       Routes : 19

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.3.3/32  OSPF    10   1           D   10.0.13.3       GigabitEthernet
0/0/1
       10.0.5.5/32  OSPF    10   1           D   10.0.15.5       GigabitEthernet
0/0/0
      10.0.13.0/24  Direct  0    0           D   10.0.13.1       GigabitEthernet

Connectivity test: the network is broken.

[AR1]ping 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

For robustness, a virtual link can be used here. Virtual links exist for networks that were not designed to the standard, where some area cannot connect directly to the backbone; the virtual link connects them logically. Here the virtual link could be created across Area 1 or Area 2, but Area 2 has already been made an NSSA area and a virtual link cannot transit a stub or NSSA area, so only Area 1 can be used. R1 as the example:

Create the virtual link in Area 1:

ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.1.1 0.0.0.0
  network 10.0.12.1 0.0.0.0
  network 10.0.13.1 0.0.0.0
 area 0.0.0.1
  network 10.0.15.1 0.0.0.0
  vlink-peer 10.0.2.2

Check the virtual link state:

[AR1]dis ospf vlink ?
  |     Matching output
   Please press ENTER to execute command
[AR1]dis ospf vlink

OSPF Process 1 with Router ID 10.0.1.1
Virtual Links

Virtual-link Neighbor-id  -> 10.0.2.2, Neighbor-State: Full

 Interface: 10.0.15.1 (GigabitEthernet0/0/0)
 Cost: 2  State: P-2-P  Type: Virtual
Transit Area: 0.0.0.1
 Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1
 GR State: Normal

Check the interface state:

[AR1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              10.0.15.1/24         up         up
GigabitEthernet0/0/1              10.0.13.1/24         up         up
GigabitEthernet1/0/0              10.0.12.1/24         *down      down
LoopBack0                         10.0.1.1/32          up         up(s)

The link between R1 and R2 is still down; check the routes:

[AR1]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 25       Routes : 25

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.2.2/32  OSPF    10   2           D   10.0.15.5       GigabitEthernet

The route is still learned: logically the two parts of the backbone remain connected. Connectivity test:

[AR1]ping 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=30 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=20 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=20 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=40 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=20 ms
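The choice of transit area in this step rests on two checks: is the backbone still contiguous after a link failure, and which non-backbone areas touch both backbone fragments while being neither stub nor NSSA. The following is an added example, not part of the lab write-up, that performs both checks on a graph of the lab topology. The link list and area membership are taken from the network statements shown in the write-up; Area 2 is marked NSSA because of the nssa no-summary configured in step 4.

```python
from collections import defaultdict, deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Link = Tuple[str, str, str]   # (router, router, OSPF area the link belongs to)

# Taken from the write-up's topology and network statements.
LAB_LINKS: List[Link] = [
    ("R1", "R2", "0"), ("R1", "R3", "0"), ("R2", "R4", "0"),
    ("R1", "R5", "1"), ("R2", "R5", "1"),
    ("R3", "R4", "2"),
]
# Area 2 was made a (totally) NSSA area in step 4.
AREA_TYPE: Dict[str, str] = {"0": "normal", "1": "normal", "2": "nssa"}


def components(routers: Iterable[str], edges: Iterable[Tuple[str, str]]) -> List[FrozenSet[str]]:
    """Connected components of an undirected graph (BFS), in deterministic order."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen: Set[str] = set()
    comps: List[FrozenSet[str]] = []
    for r in sorted(routers):
        if r in seen:
            continue
        comp, queue = {r}, deque([r])
        seen.add(r)
        while queue:
            for n in adj[queue.popleft()]:
                if n not in seen:
                    seen.add(n)
                    comp.add(n)
                    queue.append(n)
        comps.append(frozenset(comp))
    return comps


def backbone_fragments(links: List[Link], failed: Optional[Tuple[str, str]] = None) -> List[FrozenSet[str]]:
    """Routers that have an Area 0 interface, grouped by Area 0 reachability
    once the given link (if any) is down. More than one group = partitioned backbone."""
    down = frozenset(failed) if failed else frozenset()
    edges = [(a, b) for a, b, area in links if area == "0" and frozenset((a, b)) != down]
    routers = {r for a, b, area in links if area == "0" for r in (a, b)}
    return sorted(components(routers, edges), key=sorted)


def virtual_link_candidates(links: List[Link], failed: Tuple[str, str]) -> List[Tuple[str, List[str], List[str]]]:
    """If the backbone splits, return (transit area, ABRs in one fragment, ABRs in
    the other) options. A transit area must be a regular area (virtual links
    cannot cross stub or NSSA areas) whose own links join an ABR of each fragment."""
    frags = backbone_fragments(links, failed)
    options: List[Tuple[str, List[str], List[str]]] = []
    if len(frags) < 2:
        return options
    for area, kind in sorted(AREA_TYPE.items()):
        if area == "0" or kind != "normal":
            continue
        area_links = [(a, b) for a, b, ar in links if ar == area]
        area_routers = {r for a, b in area_links for r in (a, b)}
        for comp in components(area_routers, area_links):
            for i in range(len(frags)):
                for j in range(i + 1, len(frags)):
                    near, far = comp & frags[i], comp & frags[j]
                    if near and far:
                        options.append((area, sorted(near), sorted(far)))
    return options


if __name__ == "__main__":
    print("R1-R2 down:", virtual_link_candidates(LAB_LINKS, ("R1", "R2")))
    print("R2-R4 down:", virtual_link_candidates(LAB_LINKS, ("R2", "R4")))
```

For the R1-R2 failure the only option returned is Area 1 between R1 and R2, which is the vlink-peer 10.0.2.2 configured above. The second call shows the limit of this design: if the R2-R4 serial link failed instead, R4 would be cut off from the backbone and the only area touching it, Area 2, cannot carry a virtual link because it is NSSA.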

 

7. Resolve the suboptimal path problem that currently exists in the OSPF network.

In this network R2 and R4 are connected over a serial link with low bandwidth, so R4's traffic should preferably leave over the higher-bandwidth links. For OSPF, intra-area routes are preferred over inter-area routes. The loopback interfaces of R3 and R4 are advertised in Area 0, while the direct link between R3 and R4 belongs to Area 2, so traffic to the loopbacks is not forwarded over the Area 2 link but through Area 0, which creates a suboptimal path. This can be solved by building a tunnel between R3 and R4:

tracert -a 10.0.3.3 10.0.4.4

 traceroute to  10.0.4.4(10.0.4.4), max hops: 30 ,packet length: 40,press CTRL_C
 to break

 1 10.0.13.1 30 ms  20 ms  20 ms

 2 10.0.12.2 20 ms  30 ms  20 ms

 3 10.0.24.4 30 ms  30 ms  30 ms

10.0.3.3 could reach 10.0.4.4 directly over the connected interface, but because of route selection the traffic takes a suboptimal path, so a tunnel is built between R3 and R4. R3 as the example (not the only method):

interface Tunnel0/0/0
 ip address 202.101.34.3 255.255.255.0
 tunnel-protocol gre
 source 10.0.34.3
 destination 10.0.34.4
 ospf cost 1
 ospf network-type broadcast

Then advertise the tunnel interface into OSPF Area 0:

ospf 1 router-id 10.0.3.3
 import-route rip 1 route-policy lan192
 area 0.0.0.0
  network 10.0.3.3 0.0.0.0
  network 10.0.13.3 0.0.0.0
  network 202.101.34.3 0.0.0.0

Check the OSPF neighbours: the neighbour over the tunnel interface is established, state Full.

[AR3]dis ospf pe br

OSPF Process 1 with Router ID 10.0.3.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/1             10.0.1.1         Full
 0.0.0.0          Tunnel0/0/0                       10.0.4.4         Full
 0.0.0.2          GigabitEthernet0/0/0             10.0.4.4         Full
 ----------------------------------------------------------------------------

Check the routing table:

[AR3]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 31       Routes : 32

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.1.1/32  OSPF    10   1           D   10.0.13.1
       10.0.2.2/32  OSPF    10   2           D   10.0.13.1
       10.0.3.3/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.4.4/32  OSPF    10   1           D   202.101.34.4    Tunnel0/0/0

The route to 10.0.4.4 now has the tunnel interface as next hop. Trace the route:

[AR3]tracert -a 10.0.3.3 10.0.4.4

 traceroute to  10.0.4.4(10.0.4.4), max hops: 30 ,packet length: 40,press CTRL_C
 to break

 1 202.101.34.4 10 ms  10 ms  1 ms

Only one hop is needed.

 

8. Optimise R5's OSPF routing table, reduce the LSAs it must maintain, and summarise the two business subnets on R5.

Check the LSAs maintained on R5:

dis ospf lsdb

OSPF Process 1 with Router ID 10.0.5.5
Link State Database

        Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.5.5        10.0.5.5           396  60    8000001B       1
 Router    10.0.2.2        10.0.2.2          1270  36    80000009       1
 Router    10.0.1.1        10.0.1.1          1270  36    80000008       1
 Network   10.0.15.5       10.0.5.5           885  32    80000007       0
 Network   10.0.25.5       10.0.5.5           859  32    80000007       0
 Sum-Net   202.101.34.0    10.0.1.1           252  28    80000002       2
 Sum-Net   202.101.34.0    10.0.2.2           252  28    80000003       3
 Sum-Net   10.0.34.0       10.0.1.1             6  28    80000008       2
 Sum-Net   10.0.34.0       10.0.2.2           989  28    80000001       3
 Sum-Net   10.0.13.0       10.0.1.1           893  28    80000006       1
 Sum-Net   10.0.13.0       10.0.2.2           989  28    80000001       2
 Sum-Net   10.0.24.0       10.0.2.2           911  28    80000006      48
 Sum-Net   10.0.24.0       10.0.1.1           989  28    80000001      49
 Sum-Net   10.0.12.0       10.0.2.2          1029  28    80000001       1
 Sum-Net   10.0.12.0       10.0.1.1          1028  28    80000001       1
 Sum-Net   10.0.3.3        10.0.1.1           802  28    80000006       1
 Sum-Net   10.0.3.3        10.0.2.2           989  28    80000001       2
 Sum-Net   10.0.2.2        10.0.2.2           892  28    80000006       0
 Sum-Net   10.0.2.2        10.0.1.1           989  28    80000001       1
 Sum-Net   10.0.1.1        10.0.1.1           893  28    80000006       0
 Sum-Net   10.0.1.1        10.0.2.2           989  28    80000001       1
 Sum-Net   10.0.4.4        10.0.2.2           252  28    80000007       3
 Sum-Net   10.0.4.4        10.0.1.1           252  28    80000002       2
 Sum-Asbr  10.0.4.4        10.0.2.2           252  28    80000006       3
 Sum-Asbr  10.0.4.4        10.0.1.1           252  28    80000002       2
 Sum-Asbr  10.0.3.3        10.0.1.1           459  28    80000005       1
 Sum-Asbr  10.0.3.3        10.0.2.2           990  28    80000001       2

Type-1 and Type-2 LSAs carry link state, while Type-3 LSAs carry routing information. For OSPF, the link state alone is enough to compute routes, so the Type-3 LSAs can be filtered out. This is configured on R1 and R2; R1 as the example (not the only method):

acl number 2000
 rule 1 permit source 10.0.1.0 0.0.0.255
 rule 2 permit source 10.0.2.0 0.0.0.255
 rule 3 permit source 10.0.3.0 0.0.0.255
 rule 4 permit source 10.0.4.0 0.0.0.255
 rule 5 permit source 10.0.12.0 0.0.0.255
 rule 6 permit source 10.0.13.0 0.0.0.255
 rule 7 permit source 10.0.24.0 0.0.0.255
 rule 8 permit source 10.0.34.0 0.0.0.255
 rule 9 permit source 202.101.34.0 0.0.0.255

Create a route-policy that denies whatever the ACL matches:

route-policy lsa deny node 10
 if-match acl 2000

Apply the filter under OSPF Area 1:

ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.1.1 0.0.0.0
  network 10.0.12.1 0.0.0.0
  network 10.0.13.1 0.0.0.0
 area 0.0.0.1
  filter route-policy lsa import
  network 10.0.15.1 0.0.0.0

The result:

dis ospf lsdb

OSPF Process 1 with Router ID 10.0.5.5
Link State Database

        Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.5.5        10.0.5.5           189  60    8000001E       1
 Router    10.0.2.2        10.0.2.2          1096  36    8000000C       1
 Router    10.0.1.1        10.0.1.1          1062  36    8000000B       1
 Network   10.0.15.5       10.0.5.5           678  32    8000000A       0
 Network   10.0.25.5       10.0.5.5           652  32    8000000A       0
 Sum-Asbr  10.0.4.4        10.0.2.2            77  28    80000009       3
 Sum-Asbr  10.0.4.4        10.0.1.1            44  28    80000005       2
 Sum-Asbr  10.0.3.3        10.0.1.1           250  28    80000008       1
 Sum-Asbr  10.0.3.3        10.0.2.2           815  28    80000004       2

With the Type-3 LSAs filtered, the routes are:

dis ip routing-table pro ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8

OSPF routing table status :
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.0.4.4/32  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
       10.0.6.6/32  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.24.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.34.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.36.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.46.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
   192.168.10.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
   192.168.20.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
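Steps 4 and 8 are both verified by reading dis ospf lsdb output and checking which LSA types remain. The following is an added example, not part of the lab write-up: a parser for that output format (Type, LinkState ID, AdvRouter, Age, Len, Sequence, Metric, grouped under "Area:" headings) plus two checks, one for a totally NSSA area (no External LSAs, the only Sum-Net LSAs being the ABRs' 0.0.0.0 defaults) and one for an area whose Type-3 LSAs have been filtered. The two sample LSDBs are excerpts copied from the write-up's own output for Area 2 (step 4) and Area 1 after the filter (step 8).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

AREA_RE = re.compile(r"^\s*Area:\s*(\S+)")
# Type, LinkState ID, AdvRouter, Age, Len, Sequence (hex), Metric
LSA_RE = re.compile(
    r"^\s*(Router|Network|Sum-Net|Sum-Asbr|External|NSSA)\s+(\S+)\s+(\S+)"
    r"\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Lsa:
    type: str
    link_state_id: str
    adv_router: str
    age: int
    length: int
    sequence: str
    metric: int


def parse_lsdb(text: str) -> Dict[str, List[Lsa]]:
    """Group LSA rows under the most recent 'Area: x.x.x.x' heading; the column
    header line and other banner text do not match LSA_RE and are skipped."""
    areas: Dict[str, List[Lsa]] = {}
    current = None
    for line in text.splitlines():
        m = AREA_RE.match(line)
        if m:
            current = m.group(1)
            areas.setdefault(current, [])
            continue
        m = LSA_RE.match(line)
        if m and current is not None:
            t, lsid, adv, age, ln, seq, metric = m.groups()
            areas[current].append(Lsa(t, lsid, adv, int(age), int(ln), seq, int(metric)))
    return areas


def count_by_type(lsas: List[Lsa]) -> Counter:
    return Counter(l.type for l in lsas)


def totally_nssa_ok(lsas: List[Lsa]) -> bool:
    """Totally NSSA (nssa no-summary): no Type-5 LSAs, and every Type-3 LSA is
    a default route 0.0.0.0 injected by an ABR."""
    sum_nets = [l for l in lsas if l.type == "Sum-Net"]
    return (not any(l.type == "External" for l in lsas)
            and bool(sum_nets)
            and all(l.link_state_id == "0.0.0.0" for l in sum_nets))


def type3_filtered_ok(lsas: List[Lsa]) -> bool:
    """After 'filter route-policy ... import' on every ABR: no Sum-Net LSAs at all."""
    return not any(l.type == "Sum-Net" for l in lsas)


def default_injecting_abrs(lsas: List[Lsa]) -> List[str]:
    return sorted({l.adv_router for l in lsas
                   if l.type == "Sum-Net" and l.link_state_id == "0.0.0.0"})


# Excerpt of the write-up's Area 2 LSDB after nssa no-summary (step 4).
AREA2_LSDB = """\
 Area: 0.0.0.2
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.3.3        10.0.3.3            30  36    80000005       1
 Router    10.0.4.4        10.0.4.4            25  36    80000005       1
 Network   10.0.34.4       10.0.4.4            25  32    80000002       0
 Sum-Net   0.0.0.0         10.0.4.4            68  28    80000001       1
 Sum-Net   0.0.0.0         10.0.3.3            78  28    80000001       1
 NSSA      0.0.0.0         10.0.4.4            68  36    80000001       1
 NSSA      192.168.10.0    10.0.4.4            68  36    80000001       1
 NSSA      192.168.20.0    10.0.3.3            78  36    80000001       1
"""

# Excerpt of the write-up's Area 1 LSDB on R5 after Type-3 filtering (step 8).
AREA1_LSDB = """\
OSPF Process 1 with Router ID 10.0.5.5
Link State Database

        Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.5.5        10.0.5.5           189  60    8000001E       1
 Router    10.0.2.2        10.0.2.2          1096  36    8000000C       1
 Router    10.0.1.1        10.0.1.1          1062  36    8000000B       1
 Network   10.0.15.5       10.0.5.5           678  32    8000000A       0
 Network   10.0.25.5       10.0.5.5           652  32    8000000A       0
 Sum-Asbr  10.0.4.4        10.0.2.2            77  28    80000009       3
 Sum-Asbr  10.0.4.4        10.0.1.1            44  28    80000005       2
 Sum-Asbr  10.0.3.3        10.0.1.1           250  28    80000008       1
 Sum-Asbr  10.0.3.3        10.0.2.2           815  28    80000004       2
"""

if __name__ == "__main__":
    for name, text in (("Area 2", AREA2_LSDB), ("Area 1", AREA1_LSDB)):
        area, lsas = next(iter(parse_lsdb(text).items()))
        print(name, area, dict(count_by_type(lsas)))
```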

 

 

9. Adjust the relevant OSPF timers according to the condition of the link between R2 and R4.

R2 and R4 are connected over a serial link with little bandwidth. The OSPF default Hello interval is 10 seconds; to reduce wasted bandwidth, the Hello interval on the serial interface can be adjusted. R4 as the example:

dis ospf inter se1/0/0

OSPF Process 1 with Router ID 10.0.4.4
Interfaces

 Interface: 10.0.24.4 (Serial1/0/0) --> 10.0.24.2
 Cost: 48      State: P-2-P     Type: P2P       MTU: 1500
Hello 10

After the adjustment:

[AR4]dis ospf inter se1/0/0

OSPF Process 1 with Router ID 10.0.4.4
Interfaces

 Interface: 10.0.24.4 (Serial1/0/0) --> 10.0.24.2
 Cost: 48      State: P-2-P     Type: P2P       MTU: 1500
Hello 60

 

10. To improve the security of the OSPF network, deploy OSPF area authentication with an encrypted (cipher) password.

Authentication configured under an interface takes precedence over authentication configured under the OSPF area. Once authentication is configured, the Hello packets sent by the configured side carry authentication information; if the other side has no authentication configured, or its authentication does not match, the neighbour relationship cannot be established. If authentication is configured both under the area and under the interface, the interface authentication is used: for example, if the area authentication does not match but the interface authentication does, authentication succeeds and the neighbour is established normally. R1 and R5 are used as the example.

After authentication is enabled under the area on R5, R5's Hellos carry authentication information while R1's Hellos do not.

Hello sent by R5, carrying authentication information:

[Figure: capture of the Hello sent by R5, with the authentication field populated]

Hello sent by R1, without authentication information:

[Figure: capture of the Hello sent by R1, with no authentication]

The authentication mismatch causes the neighbour relationship to go down:

[AR5-ospf-1-area-0.0.0.1]
Apr 20 2018 13:44:30-08:00 AR5 %OSPF/3/NBR_CHG_DOWN(l)[12]:Neighbor event:nei
ghbor state changed to Down. (ProcessId=256, NeighborAddress=1.1.0.10, NeighborE
vent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down)

The neighbour relationship:

dis ospf peer br

OSPF Process 1 with Router ID 10.0.5.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 ----------------------------------------------------------------------------

No neighbours.

To test that interface authentication takes precedence, enable authentication under Area 1 on R1 with a password different from R5's and check the result.

On R5 the OSPF authentication configuration is as follows, password huawei:

ospf 1 router-id 10.0.5.5
 import-route direct route-policy lan172
 area 0.0.0.1
huawei
  network 10.0.5.5 0.0.0.0
  network 10.0.15.5 0.0.0.0
  network 10.0.25.5 0.0.0.0

On R1 the OSPF authentication configuration is as follows, password huawei1:

ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.1.1 0.0.0.0
  network 10.0.12.1 0.0.0.0
  network 10.0.13.1 0.0.0.0
 area 0.0.0.1
huawei1
  filter route-policy lsa import
  network 10.0.15.1 0.0.0.0
  vlink-peer 10.0.2.2

The passwords differ, so authentication fails. The neighbours seen on R5:

[AR5]dis ospf pe br

OSPF Process 1 with Router ID 10.0.5.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.1          GigabitEthernet0/0/1             10.0.2.2         Full
 ----------------------------------------------------------------------------

R5 has a normal neighbour with R2 but cannot establish one with R1. Keep R1's area authentication unchanged and enable authentication under G0/0/0. If area authentication took precedence, authentication would still fail; if interface authentication takes precedence, authentication succeeds and the neighbour is established normally:

Configure authentication under R1's interface:

interface GigabitEthernet0/0/0
 ip address 10.0.15.1 255.255.255.0
huawei

After configuring it, the following is observed:

Apr 20 2018 14:00:42-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[10]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Init)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[11]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=ExStart)

[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[12]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentState=Exc
hange)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[13]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState=Loadi
ng)
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[14]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState=Full)

The neighbour came up, so interface authentication takes precedence over area authentication. The neighbours on R5:

[AR5]dis ospf pe br

OSPF Process 1 with Router ID 10.0.5.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.1          GigabitEthernet0/0/0             10.0.1.1         Full
 0.0.0.1          GigabitEthernet0/0/1             10.0.2.2         Full
 ----------------------------------------------------------------------------

Neighbours established normally.
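What the captures and neighbour states above show at the protocol level is the OSPFv2 cryptographic authentication of RFC 2328 Appendix D: AuType 2, an authentication field holding a key ID, digest length 16 and a sequence number, and an MD5 digest over the packet plus the key, appended after the packet and not counted in its length. The following is an added example, not part of the lab write-up, that assembles an authenticated Hello the way R5 would and verifies it the way R1 does, reproducing the three outcomes in this step: matching password (huawei) accepted, mismatched password (huawei1) rejected, and an unauthenticated Hello rejected. It assumes a key shorter than 16 bytes is padded with zero bytes, as common implementations do; the Hello field values (mask, timers, DR/BDR, neighbour) are constructed, and the receiver's checksum and IP-level checks are omitted.

```python
import hashlib
import hmac
import struct
from socket import inet_aton
from typing import List, Optional, Tuple

OSPF_VERSION = 2
HELLO = 1
AUTH_NULL, AUTH_CRYPTOGRAPHIC = 0, 2
DIGEST_LEN = 16


def ospf_md5_key(password: str) -> bytes:
    """RFC 2328 D.3 uses a fixed 16-byte key; shorter passwords are
    zero-padded (assumption matching common router implementations)."""
    key = password.encode()
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def hello_body(mask: str, hello: int, dead: int, dr: str, bdr: str, neighbors: List[str]) -> bytes:
    """Hello body: network mask, HelloInterval, Options (0x02 = E-bit),
    Router Priority 1, RouterDeadInterval, DR, BDR, then the neighbour list."""
    body = struct.pack("!4sHBBI4s4s", inet_aton(mask), hello, 0x02, 1, dead,
                       inet_aton(dr), inet_aton(bdr))
    return body + b"".join(inet_aton(n) for n in neighbors)


def ospf_header(ptype: int, length: int, router_id: str, area_id: str, autype: int, auth8: bytes) -> bytes:
    """24-byte OSPFv2 header; checksum is 0 (not computed for AuType 2, and
    not checked by this example for AuType 0 either)."""
    return struct.pack("!BBH4s4sHH", OSPF_VERSION, ptype, length,
                       inet_aton(router_id), inet_aton(area_id), 0, autype) + auth8


def authenticated_packet(ptype: int, router_id: str, area_id: str, body: bytes,
                         key_id: int, seq: int, password: str) -> bytes:
    """Sender side (RFC 2328 D.4.3): auth field = 0, KeyID, 16, sequence;
    digest = MD5(packet || key) appended after the packet."""
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = ospf_header(ptype, length, router_id, area_id, AUTH_CRYPTOGRAPHIC, auth) + body
    digest = hashlib.md5(packet + ospf_md5_key(password)).digest()
    return packet + digest


def unauthenticated_packet(ptype: int, router_id: str, area_id: str, body: bytes) -> bytes:
    """AuType 0 with an all-zero authentication field (R1 before step 10)."""
    return ospf_header(ptype, 24 + len(body), router_id, area_id, AUTH_NULL, bytes(8)) + body


def verify(datagram: bytes, password: str, last_seq: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side (RFC 2328 D.4.4): require AuType 2, split the trailing
    digest off using the length field, recompute it with the local key, compare
    in constant time, and reject a sequence number lower than the last accepted one."""
    if len(datagram) < 24:
        return False, "short packet"
    version, _ptype, length, _rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", datagram[:16])
    if version != OSPF_VERSION or autype != AUTH_CRYPTOGRAPHIC:
        return False, "not cryptographic authentication"
    _zero, _key_id, auth_len, seq = struct.unpack("!HBBI", datagram[16:24])
    if auth_len != DIGEST_LEN or len(datagram) != length + DIGEST_LEN:
        return False, "bad authentication length"
    packet, digest = datagram[:length], datagram[length:]
    expected = hashlib.md5(packet + ospf_md5_key(password)).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest mismatch"
    if last_seq is not None and seq < last_seq:
        return False, "sequence number went backwards"
    return True, "ok"


# Constructed: the Hello R5 sends on 10.0.15.0/24 in Area 0.0.0.1, listing R1.
def r5_hello(seq: int = 1, password: str = "huawei") -> bytes:
    body = hello_body("255.255.255.0", 10, 40, "10.0.15.5", "10.0.15.1", ["10.0.1.1"])
    return authenticated_packet(HELLO, "10.0.5.5", "0.0.0.1", body, key_id=1, seq=seq, password=password)


# Constructed: R1's Hello before any authentication is configured.
def r1_plain_hello() -> bytes:
    body = hello_body("255.255.255.0", 10, 40, "10.0.15.5", "10.0.15.1", ["10.0.5.5"])
    return unauthenticated_packet(HELLO, "10.0.1.1", "0.0.0.1", body)


if __name__ == "__main__":
    print("R1 with huawei :", verify(r5_hello(), "huawei"))
    print("R1 with huawei1:", verify(r5_hello(), "huawei1"))
    print("R5 sees plain  :", verify(r1_plain_hello(), "huawei"))
```

The sequence-number check is what limits replay of a captured Hello: a receiver that remembers the last accepted value per neighbour discards older packets even though their digests still verify.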

 

 

Note: two-point, two-way redistribution can cause suboptimal paths and routing loops. How can they be avoided?