OSPF Lab: Steps and Results

1. Topology

[Figure: lab topology diagram]
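2. Requirements
1.  Configure multi-area OSPF as shown in the topology, and run RIPv2 between R3 and R6 and between R4 and R6. Advertise Loopback0 of R1, R2, R3 and R4 into Area 0, R5's into Area 1, and R6's directly connected interfaces into RIP.
 
2.  Advertise the company's internal service subnets 192.168.10.0/24 and 192.168.20.0/24 on R6 into RIP, and import the company's external service subnets 172.16.10.0/24 and 172.16.20.0/24 on R5 into OSPF.
 
3.  On R3 and R4, configure two-point mutual route redistribution between OSPF and RIP, importing the service subnets 192.168.10.0/24 and 192.168.20.0/24 into OSPF.
 
4.  Reduce the number of LSAs maintained in Area 2, including Type-3 and Type-5 LSAs.
 
5.  Make R5's service subnets reach 192.168.10.0/24 through R1 and 192.168.20.0/24 through R2, configuring only R3.
 
6.  The physical link between R1 and R2 is unstable; apply suitable configuration to make the OSPF network more robust.
 
7.  Resolve the suboptimal path problem in the current OSPF network.
 
8.  Optimize R5's OSPF routing table, reduce the LSAs it has to maintain, and summarize the two service subnets on R5.
 
9.  Adjust the relevant OSPF timers to suit the link between R2 and R4.
 
10. Deploy OSPF area ciphertext authentication to improve the security of the OSPF network.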
 
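3. Lab Steps and Results
1. Configure multi-area OSPF as shown in the topology, and run RIPv2 between R3 and R6 and between R4 and R6. Advertise Loopback0 of R1, R2, R3 and R4 into Area 0, R5's into Area 1, and R6's directly connected interfaces into RIP. The steps are: assign IP addresses to the relevant interfaces, enable the routing protocols, and advertise the networks (RIP advertises by classful network). R3 is used as the example.
IP address configuration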
[AR3]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 0
 
Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.0.34.3/24         up         up        
GigabitEthernet0/0/1              10.0.13.3/24         up         up        
GigabitEthernet1/0/0              10.0.36.3/24         up         up        
LoopBack0                         10.0.3.3/32          up         up(s)     
 
OSPF configuration
[AR3]dis cu c ospf
[V200R003C00]
#
ospf 1 router-id 10.0.3.3 
 area 0.0.0.0 
  network 10.0.3.3 0.0.0.0 
  network 10.0.13.3 0.0.0.0 
 area 0.0.0.2 
  network 10.0.34.3 0.0.0.0 
 
RIP configuration
[AR3]dis cu configuration rip
[V200R003C00]
#
rip 1
 version 2
 network 10.0.0.0
 
Check the OSPF neighbors
[AR3]dis ospf pe br
 
OSPF Process 1 with Router ID 10.0.3.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
  0.0.0.0          GigabitEthernet0/0/1              10.0.1.1         Full        
  0.0.0.2          GigabitEthernet0/0/0              10.0.4.4         Full        
 ---------------------------------------------------------------------------
There are two neighbors in the Full state: 10.0.1.1 (R1) in Area 0 and 10.0.4.4 (R4) in Area 2. The RIP neighbor state is as follows:
[AR3]dis rip 1 ne
---------------------------------------------------------------------
 IP Address      Interface                   Type   Last-Heard-Time
---------------------------------------------------------------------
  10.0.34.4       GigabitEthernet0/0/0        RIP    0:0:7
 Number of RIP routes  : 3
  10.0.36.6       GigabitEthernet1/0/0        RIP    0:0:18
 Number of RIP routes  : 2
There are two RIP neighbors: 10.0.34.4 (R4) and 10.0.36.6 (R6).
 
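2. Advertise the company's internal service subnets 192.168.10.0/24 and 192.168.20.0/24 on R6 into RIP, and import the company's external service subnets 172.16.10.0/24 and 172.16.20.0/24 on R5 into OSPF.
R6 advertises its directly connected subnets with network statements, while R5 imports its service subnets. Only these two subnets may be imported and no others, so the import has to be restricted. A 172.16.30.0/24 subnet is created on R5 for testing.
Create lo30 on R5 with address 172.16.30.5/24 to test the import: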
ospf 1 router-id 10.0.5.5 
 import-route direct            # import direct routes
 area 0.0.0.1 
  network 10.0.5.5 0.0.0.0 
  network 10.0.15.5 0.0.0.0 
  network 10.0.25.5 0.0.0.0 
After the import, all directly connected subnets are imported into OSPF, which means the other direct routes are imported as well:
dis ip routing-table  pro ospf
 
    172.16.10.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
    172.16.20.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
     172.16.30.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
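The import therefore has to be restricted to the required subnets. On R5, create a prefix list that matches the routes, match that prefix list in a route-policy, and reference the route-policy in the import (this is not the only possible method), as follows: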
[AR5]dis cu | be ip ip
ip ip-prefix lan172 index 10 permit 172.16.10.0 24   # prefix list
ip ip-prefix lan172 index 20 permit 172.16.20.0 24
 
[AR5]dis cu c route-policy
[V200R003C00]
#
route-policy lan172 permit node 10    # create the route-policy
 if-match ip-prefix lan172               # match the prefix list
 
ospf 1 router-id 10.0.5.5 
 import-route direct route-policy lan172
 area 0.0.0.1 
  network 10.0.5.5 0.0.0.0 
  network 10.0.15.5 0.0.0.0 
  network 10.0.25.5 0.0.0.0 
The route-policy is referenced in the import under OSPF, so only the routes for the 172.16.10 and 172.16.20 subnets are imported:
dis ip routing-table pro ospf
 
    172.16.10.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
    172.16.20.0/24  O_ASE   150  1           D   10.0.13.1       GigabitEthernet
0/0/1
 
On R6 the subnets are advertised into RIP with network statements:
rip 1
 version 2
 network 10.0.0.0
 network 192.168.10.0
 network 192.168.20.0
 
Only R3 and R4 have routes for the whole network: the 172 subnets are learned from OSPF and the 192 subnets from RIP.
dis ip routing-table 
  172.16.10.0/24   O_ASE   150  1           D   10.0.13.1    
  172.16.20.0/24   O_ASE   150  1           D   10.0.13.1 
  192.168.10.0/24   RIP     100  1           D   10.0.36.6    
  192.168.20.0/24   RIP     100  1           D   10.0.36.6      
 
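3. On R3 and R4, configure two-point mutual route redistribution between OSPF and RIP, importing the service subnets 192.168.10.0/24 and 192.168.20.0/24 into OSPF.
R3 and R4 each run two routing protocols and learn routes for different subnets from each. So that the OSPF domain also has the routes learned through RIP, and R6 also learns the OSPF routes, two-point mutual redistribution is needed on R3 and R4: import RIP into OSPF and import OSPF into RIP. R3 is used as the example.
Import RIP into OSPF so that OSPF learns the routes learned by RIP: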
ospf 1 router-id 10.0.3.3 
 import-route rip 1
 area 0.0.0.0 
  network 10.0.3.3 0.0.0.0 
  network 10.0.13.3 0.0.0.0 
 area 0.0.0.2 
  network 10.0.34.3 0.0.0.0 
Import OSPF into RIP so that RIP learns the routes learned by OSPF:
rip 1
 version 2
 network 10.0.0.0
 import-route ospf 1
Check on R5 and R6 whether the routes have been learned:
dis ip routing-table pro ospf
 192.168.10.0/24  O_ASE   150  1           D   10.0.15.1       
  192.168.20.0/24  O_ASE   150  1           D   10.0.15.1     
 
dis ip rou pro rip
 172.16.10.0/24  RIP     100  1           D   10.0.46.4    
 172.16.20.0/24  RIP     100  1           D   10.0.46.4       
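R5 has learned the 192 subnets through OSPF, and R6 has learned the 172 subnets through RIP. However, importing this way creates a suboptimal-path problem. RIP routes have a preference of 100 and routes imported into OSPF have a preference of 150. Once R3 or R4 imports the 172 subnets into RIP, they become RIP routes with preference 100, and R3 or R4 can then learn the 172 subnets through RIP. If R3 redistributes first, R4 ends up with two routes to each 172 subnet, one learned from OSPF with preference 150 and one learned from RIP with preference 100, so R4 selects the route with preference 100. Conversely, if R4 redistributes first, R3 selects the route with preference 100.
The routing table on R3 is as follows: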
  172.16.10.0/24  RIP     100  1           D   10.0.34.4      GigabitEthernet
0/0/0
     172.16.20.0/24  RIP     100  1           D   10.0.34.4      GigabitEthernet
0/0/0
   192.168.10.0/24  RIP     100  1           D   10.0.36.6      GigabitEthernet
1/0/0
   192.168.20.0/24  RIP     100  1           D   10.0.36.6      GigabitEthernet
1/0/0
The 172 subnets are learned through RIP with R4 as the next hop. R3 should reach the 172 subnets via R1--R5, but now goes via R4--R2--R5, which is clearly not the best path for R3:
tracert 172.16.10.5
 
 traceroute to  172.16.10.5(172.16.10.5), max hops: 30 ,packet length: 40,press 
CTRL_C to break 
 
 1  10.0.34.4 50 ms  20 ms  10 ms 
 
 2 10.0.24.2 30 ms  30 ms  20 ms 
 
 3 10.0.25.5 40 ms  30 ms  30 ms 
 
So on R3 and R4, filter these routes out when RIP learns routes. R3 is used as the example (this is not the only possible method):
[AR3]dis cu | be ip ip
ip ip-prefix lan172 index 10 deny 172.16.10.0 24
ip ip-prefix lan172 index 20 deny 172.16.20.0 24
ip ip-prefix lan172 index 30 permit 0.0.0.0 0 less-equal 32
The prefix list denies the two routes 172.16.10.0/24 and 172.16.20.0/24 and permits all other routes.
rip 1
 version 2
 network 10.0.0.0
 filter-policy ip-prefix lan172 import
 import-route ospf 1
Filtering is enabled under the RIP process, matching the ip-prefix.
The result is as follows. R3 routing table:
[AR3]dis ip routing-table 
 172.16.10.0/24   O_ASE   150  1           D   10.0.13.1    
 172.16.20.0/24   O_ASE   150  1           D   10.0.13.1     
 192.168.10.0/24  RIP     100  1           D   10.0.36.6   
 192.168.20.0/24  RIP     100  1           D   10.0.36.6     
R4 routing table:
[AR4]dis ip routing-table 
 172.16.10.0/24   O_ASE   150  1           D   10.0.24.2      
 172.16.20.0/24   O_ASE   150  1           D   10.0.24.2      
 192.168.10.0/24  RIP     100  1           D   10.0.46.6     
 192.168.20.0/24  RIP     100  1           D   10.0.46.6    
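
The route feedback and the import filter from step 3, replayed as an added example that is not part of the original lab. The function names are hypothetical, the candidate routes are constructed from the tables above, and the prefix-list matching assumes the usual ip-prefix rules (exact mask length unless greater-equal or less-equal is given, implicit deny when no entry matches):

```python
# Added example (not from the original lab): R3's route choice before and
# after the RIP import filter. Route data is constructed from the page's tables.
import ipaddress

# Preference values as they appear in the "Pre" column of the page's output.
PREFERENCE = {"RIP": 100, "O_ASE": 150}

def parse_ip_prefix(lines):
    """Parse 'ip ip-prefix NAME index N permit|deny ADDR LEN [greater-equal G] [less-equal L]'."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "ip-prefix"]:
            continue
        index, action = int(tok[4]), tok[5]
        base = ipaddress.ip_network(f"{tok[6]}/{tok[7]}", strict=False)
        opts = dict(zip(tok[8::2], map(int, tok[9::2])))
        ge, le = opts.get("greater-equal"), opts.get("less-equal")
        if ge is None and le is None:
            lo = hi = base.prefixlen            # exact mask length only
        else:
            lo = base.prefixlen if ge is None else ge
            hi = 32 if le is None else le
        entries.append((index, action, base, lo, hi))
    return sorted(entries, key=lambda e: e[0])  # evaluated in index order

def permitted(entries, route):
    """First matching index wins; a route that matches no entry is denied."""
    net = ipaddress.ip_network(route)
    for _, action, base, lo, hi in entries:
        if lo <= net.prefixlen <= hi and net.network_address in base:
            return action == "permit"
    return False

def best_routes(candidates, rip_import_filter=None):
    """Pick one route per prefix; the lowest preference value wins."""
    table = {}
    for prefix, proto, next_hop in candidates:
        # 'filter-policy ... import' under RIP only affects RIP-learned routes.
        if proto == "RIP" and rip_import_filter is not None:
            if not permitted(rip_import_filter, prefix):
                continue
        current = table.get(prefix)
        if current is None or PREFERENCE[proto] < PREFERENCE[current[0]]:
            table[prefix] = (proto, next_hop)
    return table

R3_FILTER = parse_ip_prefix([
    "ip ip-prefix lan172 index 10 deny 172.16.10.0 24",
    "ip ip-prefix lan172 index 20 deny 172.16.20.0 24",
    "ip ip-prefix lan172 index 30 permit 0.0.0.0 0 less-equal 32",
])

# Constructed: what R3 hears once R4 has imported OSPF into RIP.
R3_CANDIDATES = [
    ("172.16.10.0/24", "O_ASE", "10.0.13.1"),
    ("172.16.20.0/24", "O_ASE", "10.0.13.1"),
    ("172.16.10.0/24", "RIP", "10.0.34.4"),   # fed back by R4
    ("172.16.20.0/24", "RIP", "10.0.34.4"),   # fed back by R4
    ("192.168.10.0/24", "RIP", "10.0.36.6"),
    ("192.168.20.0/24", "RIP", "10.0.36.6"),
]

if __name__ == "__main__":
    for label, flt in (("no filter", None), ("filter-policy import", R3_FILTER)):
        print(label)
        for prefix, (proto, nh) in sorted(best_routes(R3_CANDIDATES, flt).items()):
            print(f"  {prefix:<18}{proto:<7}{PREFERENCE[proto]:<5}{nh}")
```

Because index 10 and 20 match a mask length of exactly 24, a more specific route inside 172.16.10.0/24 would fall through to the permit entry at index 30.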
 
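4. Reduce the number of LSAs maintained in Area 2, including Type-3 and Type-5 LSAs.
To reduce the LSAs maintained in Area 2, use the properties of totally stub and totally NSSA areas. Entering nssa no-summary under Area 2 defines it as a totally NSSA area. The LSDB of Area 2 then looks as follows: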
 Area: 0.0.0.2
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.3.3        10.0.3.3            30  36    80000005       1
 Router    10.0.4.4        10.0.4.4            25  36    80000005       1
 Network   10.0.34.4       10.0.4.4            25  32    80000002       0
 Sum-Net   0.0.0.0         10.0.4.4            68  28    80000001       1
 Sum-Net   0.0.0.0         10.0.3.3            78  28    80000001       1
 NSSA      0.0.0.0         10.0.4.4            68  36    80000001       1
 NSSA      10.0.6.6        10.0.4.4            68  36    80000001       1
 NSSA      10.0.4.4        10.0.4.4            68  36    80000001       1
 NSSA      10.0.36.0       10.0.4.4            68  36    80000002       1
 NSSA      10.0.34.0       10.0.4.4            68  36    80000002       1
 NSSA      10.0.46.0       10.0.4.4            68  36    80000001       1
 NSSA      192.168.10.0    10.0.4.4            68  36    80000001       1
 NSSA      192.168.20.0    10.0.4.4            68  36    80000001       1
 NSSA      10.0.24.0       10.0.4.4            68  36    80000001       1
 NSSA      0.0.0.0         10.0.3.3            78  36    80000001       1
 NSSA      10.0.6.6        10.0.3.3            78  36    80000001       1
 NSSA      10.0.3.3        10.0.3.3            78  36    80000001       1
 NSSA      10.0.36.0       10.0.3.3            78  36    80000001       1
 NSSA      10.0.34.0       10.0.3.3            78  36    80000002       1
 NSSA      10.0.13.0       10.0.3.3            78  36    80000001       1
 NSSA      192.168.10.0    10.0.3.3            78  36    80000001       1
 NSSA      192.168.20.0    10.0.3.3            78  36    80000001       1
 
 
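5. Make R5's service subnets reach 192.168.10.0/24 through R1 and 192.168.20.0/24 through R2, configuring only R3.
On R5, check the routing table and how the service subnets are reached.
Routes to the 192.168 subnets: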
192.168.10.0/24  O_ASE   150  1           D    10.0.15.1   
192.168.20.0/24  O_ASE   150  1           D    10.0.15.1    
Both 192.168 subnets are reached through R1, which a trace confirms:
tracert -a 172.16.10.5  192.168.10.6
 
 traceroute to  192.168.10.6(192.168.1
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break 
 
  1 10.0.15.1 20 ms  10 ms  10 ms 
 
 2 10.0.13.3 30 ms  20 ms  30 ms 
 
 3 10.0.36.6 20 ms  30 ms  10 ms 
 
tracert -a 172.16.10.5  192.168.20.6
 
 traceroute to  192.168.20.6(192.168.2
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break 
 
 1 10.0.15.1 30 ms  20 ms  20 ms 
 
 2 10.0.13.3 20 ms  10 ms  20 ms 
 
 3 10.0.36.6 30 ms  30 ms  20 ms 
 
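Both go out through R1. The requirement is to reach the 192.168.10 subnet through R1 and the 192.168.20 subnet through R2 while configuring only R3, so the routes have to be treated differently when they are imported. 192.168.10.0 is imported unchanged, while 192.168.20.0 is imported with a larger cost, so the routes R5 learns for 192.168.20.0 differ: for the same subnet both have preference 150, but the cost learned through R1 is slightly larger than the cost learned through R2, so the route through R2 is preferred (this is not the only possible method).
On R3, create access control lists that match the 192.168.10 and 192.168.20 subnets respectively: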
[AR3]dis cu | be acl
acl number 2010
 rule 5 permit source 192.168.10.0 0.0.0.255 
acl number 2020  
 rule 5 permit source 192.168.20.0 0.0.0.255 
Match the ACLs in the route-policy:
route-policy lan192 permit node 10 
 if-match acl 2010 
#
route-policy lan192 permit node 20 
 if-match acl 2020 
 apply cost 10 
Reference the route-policy in the import:
ospf 1 router-id 10.0.3.3 
 import-route rip 1 route-policy lan192
 area 0.0.0.0 
  network 10.0.3.3 0.0.0.0 
  network 10.0.13.3 0.0.0.0 
 area 0.0.0.2 
  network 10.0.34.3 0.0.0.0 
  nssa no-summary
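When the 192.168.20 subnet is imported, its cost is changed to 10. R5 then receives two routes for the 192.168.20 subnet, one with cost 10 and next hop R1, and one with cost 1 and next hop R2, so the route through R2 is installed in the routing table.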
192.168.10.0/24  O_ASE   150  1           D    10.0.15.1      
192.168.20.0/24  O_ASE   150  1           D    10.0.25.2  
Tracing the paths gives:
   tracert -a 172.16.10.5  192.168.10.6
 
 traceroute to  192.168.10.6(192.168.1
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break 
 
  1 10.0.15.1 20 ms  20 ms  20 ms 
 
 2 10.0.13.3 30 ms  20 ms  20 ms 
 
 3 10.0.36.6 30 ms  40 ms  20 ms 
tracert -a 172.16.10.5  192.168.20.6
 
 traceroute to  192.168.20.6(192.168.2
0.6), max hops: 30 ,packet length: 40,press CTRL_C to break 
 
 1 10.0.25.2 20 ms  10 ms  10 ms 
 
 2 10.0.24.4 30 ms  20 ms  20 ms 
 
 3  * 10.0.46.6 30 ms  50 ms 
 
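6. The physical link between R1 and R2 is unstable; apply suitable configuration to make the OSPF network more robust.
The connection between R1 and R2 must stay stable. If the link between R1 and R2 goes down, the backbone area is partitioned, which is not allowed. Once Area 0 is partitioned, R1 and R2 cannot learn each other's routes and the network fails.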
[AR1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
 
Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.0.15.1/24         up         up        
GigabitEthernet0/0/1              10.0.13.1/24         up         up        
GigabitEthernet1/0/0              10.0.12.1/24         *down      down      
LoopBack0                         10.0.1.1/32          up         up(s)     
The routing table has no route to R2:
[AR1]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 19       Routes : 19       
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
       10.0.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.3.3/32  OSPF    10   1           D   10.0.13.3       GigabitEthernet
0/0/1
       10.0.5.5/32  OSPF    10   1           D   10.0.15.5       GigabitEthernet
0/0/0
      10.0.13.0/24  Direct  0    0           D   10.0.13.1       GigabitEthernet
 
Connectivity test: the network is disconnected.
[AR1]ping 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
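For robustness, a virtual link can be used here. Virtual links exist for networks that were not designed to standard, where some area cannot connect directly to the backbone area; a virtual link then connects the network logically. The virtual link could be created across Area 1 or Area 2, but Area 2 has already been made an NSSA area and a virtual link cannot cross a stub or NSSA area, so it can only be built across Area 1, as follows. R1 is used as the example.
Create the vlink in Area 1: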
ospf 1 router-id 10.0.1.1 
 area 0.0.0.0 
  network 10.0.1.1 0.0.0.0 
  network 10.0.12.1 0.0.0.0 
  network 10.0.13.1 0.0.0.0 
 area 0.0.0.1 
  network 10.0.15.1 0.0.0.0 
  vlink-peer 10.0.2.2
Check the vlink state:
[AR1]dis ospf vlink ?
  |     Matching output
   Please press ENTER to execute command 
[AR1]dis ospf vlink 
 
OSPF Process 1 with Router ID 10.0.1.1
Virtual Links 
 
  Virtual-link Neighbor-id  -> 10.0.2.2, Neighbor-State: Full
 
 Interface: 10.0.15.1 (GigabitEthernet0/0/0)
 Cost: 2  State: P-2-P  Type: Virtual 
  Transit Area: 0.0.0.1 
 Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1 
 GR State: Normal 
 
Check the interface state:
[AR1]dis ip int b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 1
 
Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.0.15.1/24         up         up        
GigabitEthernet0/0/1              10.0.13.1/24         up         up        
GigabitEthernet1/0/0              10.0.12.1/24         *down      down      
LoopBack0                         10.0.1.1/32          up         up(s)     
The link between R1 and R2 is down at this point. Check the routes:
[AR1]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 25       Routes : 25       
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
       10.0.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.2.2/32  OSPF    10   2           D   10.0.15.5       GigabitEthernet
The route is still learned; logically the two areas are still connected. Connectivity test:
[AR1]ping 10.0.2.2
  PING 10.0.2.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=30 ms
    Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=20 ms
    Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=20 ms
    Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=40 ms
    Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=20 ms
 
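7. Resolve the suboptimal path problem in the current OSPF network.
R2 and R4 are connected by a serial link with low bandwidth, so R4's traffic should prefer the higher-bandwidth links on its way out. In OSPF, intra-area routes are preferred over inter-area routes. The loopback interfaces of R3 and R4 are advertised in Area 0, while the direct link between R3 and R4 belongs to Area 2, so traffic to the loopbacks is not forwarded over the direct Area 2 link but goes through Area 0, which is a suboptimal path. This can be solved by building a tunnel between R3 and R4, as follows: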
tracert -a 10.0.3.3  10.0.4.4
 
 traceroute to  10.0.4.4(10.0.4.4), max hops: 30 ,packet length: 40,press CTRL_C
 to break 
 
 1 10.0.13.1 30 ms  20 ms  20 ms 
 
 2 10.0.12.2 20 ms  30 ms  20 ms 
 
 3 10.0.24.4 30 ms  30 ms  30 ms 
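10.0.4.4 can be reached from 10.0.3.3 directly over the connected interface, but route selection sends the traffic over a suboptimal path. A tunnel is therefore built between R3 and R4. R3 is used as the example (this is not the only possible method):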
interface Tunnel0/0/0
 ip address 202.101.34.3 255.255.255.0 
 tunnel-protocol gre
 source 10.0.34.3
 destination 10.0.34.4
 ospf cost 1
 ospf network-type broadcast
Then advertise the interface into OSPF Area 0:
ospf 1 router-id 10.0.3.3 
 import-route rip 1 route-policy lan192
 area 0.0.0.0 
  network 10.0.3.3 0.0.0.0 
  network 10.0.13.3 0.0.0.0 
  network 202.101.34.3 0.0.0.0 
Check the OSPF neighbors: the neighbor over the tunnel interface is established and in the Full state.
[AR3]dis ospf pe br
 
OSPF Process 1 with Router ID 10.0.3.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet0/0/1             10.0.1.1         Full        
 0.0.0.0          Tunnel0/0/0                       10.0.4.4         Full        
 0.0.0.2          GigabitEthernet0/0/0             10.0.4.4         Full        
 ----------------------------------------------------------------------------
Check the routing table:
[AR3]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 31       Routes : 32       
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
       10.0.1.1/32  OSPF    10   1           D   10.0.13.1      
       10.0.2.2/32  OSPF    10   2           D   10.0.13.1       
       10.0.3.3/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.4.4/32  OSPF    10   1           D   202.101.34.4    Tunnel0/0/0
The next hop of the route to 10.0.4.4 is now the tunnel interface. Trace the route:
[AR3]tracert -a 10.0.3.3  10.0.4.4
 
 traceroute to  10.0.4.4(10.0.4.4), max hops: 30 ,packet length: 40,press CTRL_C
 to break 
 
 1 202.101.34.4 10 ms  10 ms  1 ms 
Only one hop is needed.
 
8. Optimize R5's OSPF routing table, reduce the LSAs it has to maintain, and summarize the two service subnets on R5.
Check the LSAs maintained on R5:
dis ospf lsdb
 
OSPF Process 1 with Router ID 10.0.5.5
Link State Database 
 
        Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.5.5        10.0.5.5           396  60    8000001B       1
 Router    10.0.2.2        10.0.2.2          1270  36    80000009       1
 Router    10.0.1.1        10.0.1.1          1270  36    80000008       1
 Network   10.0.15.5       10.0.5.5           885  32    80000007       0
 Network   10.0.25.5       10.0.5.5           859  32    80000007       0
 Sum-Net   202.101.34.0    10.0.1.1           252  28    80000002       2
 Sum-Net   202.101.34.0    10.0.2.2           252  28    80000003       3
 Sum-Net   10.0.34.0       10.0.1.1             6  28    80000008       2
 Sum-Net   10.0.34.0       10.0.2.2           989  28    80000001       3
 Sum-Net   10.0.13.0       10.0.1.1           893  28    80000006       1
 Sum-Net   10.0.13.0       10.0.2.2           989  28    80000001       2
 Sum-Net   10.0.24.0       10.0.2.2           911  28    80000006      48
 Sum-Net   10.0.24.0       10.0.1.1           989  28    80000001      49
 Sum-Net   10.0.12.0       10.0.2.2          1029  28    80000001       1
 Sum-Net   10.0.12.0       10.0.1.1          1028  28    80000001       1
 Sum-Net   10.0.3.3        10.0.1.1           802  28    80000006       1
 Sum-Net   10.0.3.3        10.0.2.2           989  28    80000001       2
 Sum-Net   10.0.2.2        10.0.2.2           892  28    80000006       0
 Sum-Net   10.0.2.2        10.0.1.1           989  28    80000001       1
 Sum-Net   10.0.1.1        10.0.1.1           893  28    80000006       0
 Sum-Net   10.0.1.1        10.0.2.2           989  28    80000001       1
 Sum-Net   10.0.4.4        10.0.2.2           252  28    80000007       3
 Sum-Net   10.0.4.4        10.0.1.1           252  28    80000002       2
 Sum-Asbr  10.0.4.4        10.0.2.2           252  28    80000006       3
 Sum-Asbr  10.0.4.4        10.0.1.1           252  28    80000002       2
 Sum-Asbr  10.0.3.3        10.0.1.1           459  28    80000005       1
 Sum-Asbr  10.0.3.3        10.0.2.2           990  28    80000001       2
 
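Type-1 and Type-2 LSAs carry link state, while Type-3 LSAs carry routing information. OSPF can compute routes once it has the link state, so the Type-3 LSAs can be filtered out. This is done on R1 and R2; R1 is used as the example (this is not the only possible method):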
acl number 2000
 rule 1 permit source 10.0.1.0 0.0.0.255 
 rule 2 permit source 10.0.2.0 0.0.0.255 
 rule 3 permit source 10.0.3.0 0.0.0.255 
 rule 4 permit source 10.0.4.0 0.0.0.255 
 rule 5 permit source 10.0.12.0 0.0.0.255 
 rule 6 permit source 10.0.13.0 0.0.0.255 
 rule 7 permit source 10.0.24.0 0.0.0.255 
 rule 8 permit source 10.0.34.0 0.0.0.255 
 rule 9 permit source 202.101.34.0 0.0.0.255 
Create a route-policy that denies whatever matches the ACL:
route-policy lsa deny node 10 
 if-match acl 2000
Apply the filter under OSPF Area 1:
ospf 1 router-id 10.0.1.1 
 area 0.0.0.0 
  network 10.0.1.1 0.0.0.0 
  network 10.0.12.1 0.0.0.0 
  network 10.0.13.1 0.0.0.0 
 area 0.0.0.1 
  filter route-policy lsa import 
  network 10.0.15.1 0.0.0.0 
The result is as follows:
dis ospf lsdb
 
OSPF Process 1 with Router ID 10.0.5.5
Link State Database 
 
        Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.5.5        10.0.5.5           189  60    8000001E       1
 Router    10.0.2.2        10.0.2.2          1096  36    8000000C       1
 Router    10.0.1.1        10.0.1.1          1062  36    8000000B       1
 Network   10.0.15.5       10.0.5.5           678  32    8000000A       0
 Network   10.0.25.5       10.0.5.5           652  32    8000000A       0
 Sum-Asbr  10.0.4.4        10.0.2.2            77  28    80000009       3
 Sum-Asbr  10.0.4.4        10.0.1.1            44  28    80000005       2
 Sum-Asbr  10.0.3.3        10.0.1.1           250  28    80000008       1
 Sum-Asbr  10.0.3.3        10.0.2.2           815  28    80000004       2
The Type-3 LSAs have been filtered. The routes are as follows:
dis ip routing-table pro ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 8        Routes : 8        
 
OSPF routing table status :
         Destinations : 8        Routes : 8
 
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 
       10.0.4.4/32  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
       10.0.6.6/32  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.24.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.34.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.36.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
      10.0.46.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
   192.168.10.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
   192.168.20.0/24  O_ASE   150  1           D   10.0.15.1       GigabitEthernet
0/0/0
 
 
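9. Adjust the relevant OSPF timers to suit the link between R2 and R4.
R2 and R4 are connected by a serial link with limited bandwidth. The default OSPF hello interval is 10 seconds; to waste less bandwidth, the hello interval on the serial interface can be adjusted, as follows. R4 is used as the example: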
dis ospf inter se1/0/0
 
OSPF Process 1 with Router ID 10.0.4.4
Interfaces 
 
 
 Interface: 10.0.24.4 (Serial1/0/0) --> 10.0.24.2
 Cost: 48      State: P-2-P     Type: P2P       MTU: 1500  
 Timers:  Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1 
After the adjustment:
[AR4]dis ospf inter se1/0/0
 
OSPF Process 1 with Router ID 10.0.4.4
Interfaces 
 
 
 Interface: 10.0.24.4 (Serial1/0/0) --> 10.0.24.2
 Cost: 48      State: P-2-P     Type: P2P       MTU: 1500  
 Timers:  Hello 60 , Dead 240 , Poll  120 , Retransmit 5 , Transmit Delay 1 
 
10.爲了提升OSPF網絡安全性,部署OSPF區域密文認證。
在接口下配置的認證優先於在ospf區域下配置的認證,當ospf配置認證後,配置認證的一方發送的hello裏面便帶有認證信息,另外一方若是沒有配置認證,或者認證不一致,鄰居便創建不起來,若是區域下和接口下都配置了認證,則優先使用接口下的認證,好比說區域的認證不一致,而接口下配置的認證一致,認證也能夠經過,鄰居正常創建。以R1和R5爲例
在R5的區域下啓用認證後,R5發送的hello帶有認證信息,而R1下的hello沒有帶認證
R5發送的hello帶認證信息
OSPF實驗步驟及結果
R1發送的hello不帶認證信息
OSPF實驗步驟及結果
此時認證不一致,致使的是鄰居關係down
[AR5-ospf-1-area-0.0.0.1]
Apr 20 2018 13:44:30-08:00 AR5 %OSPF/3/NBR_CHG_DOWN(l)[12]:Neighbor event:nei
ghbor state changed to Down. (ProcessId=256, NeighborAddress=1.1.0.10, NeighborE
vent=InactivityTimer, NeighborPreviousState=Full, NeighborCurrentState=Down) 
The neighbor relationship is as follows:
dis ospf peer br
 
OSPF Process 1 with Router ID 10.0.5.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 ----------------------------------------------------------------------------
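There are no neighbors.
To test that interface authentication takes precedence, enable authentication under Area 1 on R1 with a password that differs from R5's, and check the result.
On R5 the OSPF authentication settings are as follows; the authentication password is huawei: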
ospf 1 router-id 10.0.5.5 
 import-route direct route-policy lan172
 area 0.0.0.1 
  authentication-mode md5 1 plain  huawei
  network 10.0.5.5 0.0.0.0 
  network 10.0.15.5 0.0.0.0 
  network 10.0.25.5 0.0.0.0 
 
On R1 the OSPF authentication settings are as follows; the authentication password is huawei1:
ospf 1 router-id 10.0.1.1 
 area 0.0.0.0 
  network 10.0.1.1 0.0.0.0 
  network 10.0.12.1 0.0.0.0 
  network 10.0.13.1 0.0.0.0 
 area 0.0.0.1 
  authentication-mode md5 1 plain  huawei1
  filter route-policy lsa import 
  network 10.0.15.1 0.0.0.0 
  vlink-peer 10.0.2.2
The passwords differ and authentication fails, so the neighbors seen on R5 are:
[AR5]dis ospf pe br
 
OSPF Process 1 with Router ID 10.0.5.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.1          GigabitEthernet0/0/1             10.0.2.2         Full        
 ----------------------------------------------------------------------------
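R5 forms an adjacency with R2 normally but cannot form one with R1. Keep the area authentication on R1 unchanged and enable authentication on interface G0/0/0, then check the result. If area authentication took precedence, authentication would still fail; if interface authentication takes precedence, authentication passes and the adjacency forms normally, as follows.
Configure authentication on R1's interface: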
interface GigabitEthernet0/0/0
 ip address 10.0.15.1 255.255.255.0 
 ospf authentication-mode md5 1 plain  huawei
After the configuration:
Apr 20 2018 14:00:42-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[10]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=HelloReceived, NeighborPreviousState=Down, NeighborCurrentState=Init) 
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[11]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=2WayReceived, NeighborPreviousState=Init, NeighborCurrentState=ExStart) 
 
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[12]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=NegotiationDone, NeighborPreviousState=ExStart, NeighborCurrentState=Exc
hange) 
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[13]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=ExchangeDone, NeighborPreviousState=Exchange, NeighborCurrentState=Loadi
ng) 
[AR1-GigabitEthernet0/0/0]
Apr 20 2018 14:00:46-08:00 AR1 %OSPF/4/NBR_CHANGE_E(l)[14]:Neighbor changes e
vent: neighbor status changed. (ProcessId=256, NeighborAddress=5.15.0.10, Neighb
orEvent=LoadingDone, NeighborPreviousState=Loading, NeighborCurrentState= Full)
The adjacency came up, so interface authentication takes precedence over area authentication. The neighbors on R5 are now:
[AR5]dis ospf pe br
 
OSPF Process 1 with Router ID 10.0.5.5
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.1          GigabitEthernet0/0/0             10.0.1.1         Full        
 0.0.0.1          GigabitEthernet0/0/1             10.0.2.2         Full        
 ----------------------------------------------------------------------------
The adjacencies are established normally.
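
The precedence test from step 10 as an offline check, added here as an example that is not part of the original lab. It computes which authentication each interface actually uses and also reports keys kept readable with the plain keyword, as in the configurations shown above. The function names are hypothetical, and the sample configurations are constructed from the R1 and R5 excerpts (R5's interface mask is an assumption):

```python
# Added example (not from the original lab): which OSPF authentication an
# interface actually uses when both area and interface settings exist.
import ipaddress
import re

AUTH_RE = re.compile(r"authentication-mode\s+(\S+)\s+(\d+)\s+(plain|cipher)\s+(\S+)")
FIELDS = ("mode", "key_id", "storage", "key")

def wildcard_net(addr, wildcard):
    """'network ADDR WILDCARD' as a network; assumes a contiguous wildcard."""
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_vrp(config):
    """Collect interface and area settings from VRP-style configuration text."""
    ifaces, areas, cur_if, cur_area = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        auth = AUTH_RE.search(line)
        if auth:  # belongs to whichever view (interface or area) is open
            target = ifaces.get(cur_if) or areas.get(cur_area)
            if target is not None:
                target["auth"] = dict(zip(FIELDS, auth.groups()))
        elif line.startswith("interface "):
            cur_if, cur_area = line.split()[1], None
            ifaces[cur_if] = {"ip": None, "auth": None}
        elif raw.startswith("ospf "):  # unindented: start of the OSPF process
            cur_if = cur_area = None
        elif line.startswith("area "):
            cur_if, cur_area = None, line.split()[1]
            areas[cur_area] = {"networks": [], "auth": None}
        elif line.startswith("ip address ") and cur_if:
            ifaces[cur_if]["ip"] = ipaddress.ip_address(line.split()[2])
        elif line.startswith("network ") and cur_area:
            areas[cur_area]["networks"].append(wildcard_net(*line.split()[1:3]))
    return ifaces, areas

def effective_auth(config):
    """Map each OSPF-enabled interface to the authentication it actually uses."""
    ifaces, areas = parse_vrp(config)
    result = {}
    for name, iface in ifaces.items():
        for area_id, area in areas.items():
            if iface["ip"] and any(iface["ip"] in net for net in area["networks"]):
                source = "interface" if iface["auth"] else "area" if area["auth"] else "none"
                result[name] = {"area": area_id, "source": source,
                                "auth": iface["auth"] or area["auth"]}
    return result

def adjacency_forms(a, b):
    """Both ends need the same mode, key-id and key, or no authentication at all."""
    ka = a["auth"] and tuple(a["auth"][f] for f in ("mode", "key_id", "key"))
    kb = b["auth"] and tuple(b["auth"][f] for f in ("mode", "key_id", "key"))
    return ka == kb

def findings(effective):
    """Report interfaces without authentication or with a readable key."""
    out = []
    for name, e in sorted(effective.items()):
        if e["auth"] is None:
            out.append(f"{name}: no OSPF authentication in area {e['area']}")
        elif e["auth"]["storage"] == "plain":
            out.append(f"{name}: key stored with 'plain' ({e['source']} level)")
    return out

def sample(ip, router_id, area_key, if_key=None):
    """Constructed config in the shape of the page's R1/R5 excerpts."""
    if_auth = f" ospf authentication-mode md5 1 plain  {if_key}\n" if if_key else ""
    return (f"interface GigabitEthernet0/0/0\n ip address {ip} 255.255.255.0\n{if_auth}"
            f"ospf 1 router-id {router_id}\n area 0.0.0.1\n"
            f"  authentication-mode md5 1 plain  {area_key}\n  network {ip} 0.0.0.0\n")

R5 = sample("10.0.15.5", "10.0.5.5", "huawei")
R1_AREA_ONLY = sample("10.0.15.1", "10.0.1.1", "huawei1")
R1_WITH_IF = sample("10.0.15.1", "10.0.1.1", "huawei1", if_key="huawei")
LINK = "GigabitEthernet0/0/0"

if __name__ == "__main__":
    r5 = effective_auth(R5)[LINK]
    for label, cfg in (("area only", R1_AREA_ONLY), ("interface override", R1_WITH_IF)):
        r1 = effective_auth(cfg)[LINK]
        print(f"R1 {label}: source={r1['source']} adjacency={adjacency_forms(r1, r5)}")
    print("\n".join(findings(effective_auth(R5))))
```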
 
 
Note: two-point mutual redistribution can cause suboptimal paths and routing loops. How can they be avoided?