HCNA OSPF Lab Notes

2023-04-07 Friday / 0 comments / 0 likes / 82 views / 20195 characters


Deploying a single-area OSPF network

[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 172.16.20.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 172.16.30.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 172.16.20.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 172.16.30.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255

Check the OSPF neighbor state.

[AR1]display ospf peer
 OSPF Process 1 with Router ID 172.16.1.254
 Neighbors
 Area 0.0.0.0 interface 172.16.20.1(GigabitEthernet0/0/1)'s neighbors
 Router ID: 172.16.20.3      Address: 172.16.20.3
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 172.16.20.1  BDR: 172.16.20.3  MTU: 0
   Dead timer due in 30  sec
   Retrans timer interval: 5
   Neighbor is up for 00:02:44
   Authentication Sequence: [ 0 ]
 Neighbors
 Area 0.0.0.0 interface 172.16.10.1(GigabitEthernet0/0/0)'s neighbors
 Router ID: 172.16.30.2      Address: 172.16.10.2
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 172.16.10.1  BDR: 172.16.10.2  MTU: 0
   Dead timer due in 33  sec
   Retrans timer interval: 5
   Neighbor is up for 00:04:12
   Authentication Sequence: [ 0 ]

View the OSPF routing table.

[AR1]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 3        Routes : 4
OSPF routing table status : <Active>
         Destinations : 3        Routes : 4
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
     172.16.2.0/24  OSPF    10   2           D   172.16.10.2     GigabitEthernet0/0/0
     172.16.3.0/24  OSPF    10   2           D   172.16.20.3     GigabitEthernet0/0/1
    172.16.30.0/24  OSPF    10   2           D   172.16.10.2     GigabitEthernet0/0/0
                    OSPF    10   2           D   172.16.20.3     GigabitEthernet0/0/1
OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

OSPF multi-area configuration

[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 10.0.24.0 0.0.0.255
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 10.0.34.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]network 10.0.24.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255

Communication works normally; the backbone-area routers are now configured.

Configure the non-backbone-area router: on branch router R5, create the OSPF process, create and enter area 1, and advertise the network segments of branch A.

[AR5]ospf 1
[AR5-ospf-1]area 1
[AR5-ospf-1-area-0.0.0.1]network 10.0.15.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.1]network 10.0.35.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.1]network 10.0.1.0 0.0.0.255

On R1 and R3, also create and enter area 1, and advertise the interfaces connected to R5.

[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 10.0.15.0 0.0.0.255
[AR3]ospf 1
[AR3-ospf-1]area 1
[AR3-ospf-1-area-0.0.0.1]network 10.0.35.0 0.0.0.255
[AR5]display ospf peer
 OSPF Process 1 with Router ID 10.0.15.5
 Neighbors
 Area 0.0.0.1 interface 10.0.15.5(GigabitEthernet0/0/0)'s neighbors
 Router ID: 10.0.12.1        Address: 10.0.15.1
   State: Full  Mode:Nbr is  Slave  Priority: 1
   DR: 10.0.15.5  BDR: 10.0.15.1  MTU: 0
   Dead timer due in 40  sec
   Retrans timer interval: 5
   Neighbor is up for 00:03:24
   Authentication Sequence: [ 0 ]
 Neighbors
 Area 0.0.0.1 interface 10.0.35.5(GigabitEthernet0/0/1)'s neighbors
 Router ID: 10.0.34.3        Address: 10.0.35.3
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 10.0.35.5  BDR: 10.0.35.3  MTU: 0
   Dead timer due in 30  sec
   Retrans timer interval: 5
   Neighbor is up for 00:01:05
   Authentication Sequence: [ 0 ]

R5's OSPF neighbor relationships with R1 and R3 are now established normally, and both are in the Full state. Use the display ip routing-table protocol ospf command to view the OSPF route entries in R5's routing table.

[AR5]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 6        Routes : 8
OSPF routing table status : <Active>
         Destinations : 6        Routes : 8
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.0.3.0/24  OSPF    10   2           D   10.0.35.3       GigabitEthernet0/0/1
       10.0.4.0/24  OSPF    10   3           D   10.0.35.3       GigabitEthernet0/0/1
      10.0.12.0/24  OSPF    10   2           D   10.0.15.1       GigabitEthernet0/0/0
      10.0.13.0/24  OSPF    10   2           D   10.0.15.1       GigabitEthernet0/0/0
                    OSPF    10   2           D   10.0.35.3       GigabitEthernet0/0/1
      10.0.24.0/24  OSPF    10   3           D   10.0.15.1       GigabitEthernet0/0/0
                    OSPF    10   3           D   10.0.35.3       GigabitEthernet0/0/1
      10.0.34.0/24  OSPF    10   2           D   10.0.35.3       GigabitEthernet0/0/1
OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

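Apart from the routes inside OSPF area 2, all the relevant OSPF route entries have been learned. In the topology, R1 and R3, the two routers that connect different areas, are called ABRs (area border routers). A router of this kind can belong to two or more areas at the same time, but at least one of its ports must be in the backbone area. An ABR connects the backbone area to non-backbone areas, and its connection to the backbone area can be either physical or logical.
Use the display ospf lsdb command to view R5's OSPF link-state database.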

[AR5]display ospf lsdb
 OSPF Process 1 with Router ID 10.0.15.5
 Link State Database
 Area: 0.0.0.1
 Type      LinkState ID    AdvRouter          Age  Len   Sequence   Metric
 Router    10.0.12.1       10.0.12.1         1149  36    80000003       1
 Router    10.0.34.3       10.0.34.3           14  36    80000007       1
 Router    10.0.15.5       10.0.15.5           21  60    80000010       1
 Network   10.0.35.3       10.0.34.3           14  32    80000002       0
 Network   10.0.15.5       10.0.15.5         1144  32    80000002       0
 Sum-Net   10.0.34.0       10.0.12.1          482  28    80000005       2
 Sum-Net   10.0.34.0       10.0.34.3         1011  28    80000001       1
 Sum-Net   10.0.13.0       10.0.12.1         1156  28    80000001       1
 Sum-Net   10.0.13.0       10.0.34.3          486  28    80000005       1
 Sum-Net   10.0.24.0       10.0.12.1         1148  28    80000003       2
 Sum-Net   10.0.24.0       10.0.34.3         1011  28    80000001       2
 Sum-Net   10.0.12.0       10.0.12.1         1156  28    80000001       1
 Sum-Net   10.0.12.0       10.0.34.3          483  28    80000005       2
 Sum-Net   10.0.3.0        10.0.12.1          482  28    80000005       2
 Sum-Net   10.0.3.0        10.0.34.3         1011  28    80000001       1
 Sum-Net   10.0.4.0        10.0.12.1         1156  28    80000001       3
 Sum-Net   10.0.4.0        10.0.34.3         1011  28    80000001       2

The route entries for other areas are all learned through Sum-Net LSAs, and LSAs of this type do not take part in the SPF calculation of the local area. Apply the same configuration to router R6 of the company's other branch, branch B, and to the corresponding ABRs R2 and R4.

[AR6]ospf 1
[AR6-ospf-1]area 2
[AR6-ospf-1-area-0.0.0.2]network 10.0.26.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.2]network 10.0.46.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.2]network 10.0.2.0 0.0.0.255
[AR2]ospf 1
[AR2-ospf-1]area 2
[AR2-ospf-1-area-0.0.0.2]network 10.0.26.0 0.0.0.255
[AR4]ospf 1
[AR4-ospf-1]area 2
[AR4-ospf-1-area-0.0.0.2]network 10.0.46.0 0.0.0.255

With the configuration complete, view R6's OSPF route entries.

[AR6]display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 9        Routes : 12
OSPF routing table status : <Active>
         Destinations : 9        Routes : 12
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.0.1.0/24  OSPF    10   4           D   10.0.26.2       GigabitEthernet0/0/0
                    OSPF    10   4           D   10.0.46.4       GigabitEthernet0/0/1
       10.0.3.0/24  OSPF    10   3           D   10.0.46.4       GigabitEthernet0/0/1
       10.0.4.0/24  OSPF    10   2           D   10.0.46.4       GigabitEthernet0/0/1
      10.0.12.0/24  OSPF    10   2           D   10.0.26.2       GigabitEthernet0/0/0
      10.0.13.0/24  OSPF    10   3           D   10.0.26.2       GigabitEthernet0/0/0
                    OSPF    10   3           D   10.0.46.4       GigabitEthernet0/0/1
      10.0.15.0/24  OSPF    10   3           D   10.0.26.2       GigabitEthernet0/0/0
      10.0.24.0/24  OSPF    10   2           D   10.0.26.2       GigabitEthernet0/0/0
                    OSPF    10   2           D   10.0.46.4       GigabitEthernet0/0/1
      10.0.34.0/24  OSPF    10   2           D   10.0.46.4       GigabitEthernet0/0/1
      10.0.35.0/24  OSPF    10   3           D   10.0.46.4       GigabitEthernet0/0/1
OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0

Test connectivity between PC1 and PC2.

At this point the OSPF multi-area configuration is complete.

[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]network 10.0.12.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.1]network 1.1.1.1 0.0.0.0
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]quit
[AR2-ospf-1]area 1
[AR2-ospf-1-area-0.0.0.1]network 10.0.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.1]network 10.0.24.0 0.0.0.255
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 10.0.36.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 3.3.3.3 0.0.0.0
[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]network 10.0.24.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.1]network 4.4.4.4 0.0.0.0
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 10.0.35.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]network 5.5.5.5 0.0.0.0
[AR6]ospf 1
[AR6-ospf-1]area 0
[AR6-ospf-1-area-0.0.0.0]network 10.0.36.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.0]network 6.6.6.6 0.0.0.0

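Configure plaintext authentication for the branch OSPF area: the network administrator configures area plaintext authentication in OSPF area 1 of the company branch.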

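On R1, in the OSPF area 1 view, use the authentication-mode command to set the authentication mode for the area to simple, that is, simple authentication mode, with the password huawei and the plain parameter.
With the plain parameter configured, the password is displayed in plaintext when the configuration file is viewed. Without this parameter, the password is displayed as ciphertext by default when the configuration file is viewed, so the original password cannot be read. This keeps non-administrator users who log in to the device from seeing the original password, which improves security.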

[AR1]ospf 1
[AR1-ospf-1]area 1
[AR1-ospf-1-area-0.0.0.1]authentication-mode simple plain huawei
[AR1-ospf-1-area-0.0.0.1]display this
#
 area 0.0.0.1
  authentication-mode simple plain huawei
  network 10.0.12.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
#
return

The password is now displayed in plaintext. Reconfigure the area authentication command on R1 and view the configuration.

[AR1-ospf-1-area-0.0.0.1]authentication-mode simple huawei
[AR1-ospf-1-area-0.0.0.1]di
[AR1-ospf-1-area-0.0.0.1]display thi
[AR1-ospf-1-area-0.0.0.1]display this
#
 area 0.0.0.1
  authentication-mode simple plain huawei
  network 10.0.12.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
#
return
[AR1-ospf-1-area-0.0.0.1]authentication-mode simple cipher huawei
[AR1-ospf-1-area-0.0.0.1]display this
#
 area 0.0.0.1
  authentication-mode simple cipher 7OH"-8bP(#ECB7Ie7'/)Xa$#
  network 10.0.12.0 0.0.0.255
  network 1.1.1.1 0.0.0.0
#
return
[AR1]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.12.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 ----------------------------------------------------------------------------

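The neighbor relationship between R1 and R2 is now broken. The reason is that authentication has so far been configured only on R1, so the OSPF authentication settings of R1 and R2 do not match. Continue by configuring the other device in the area, R2; the authentication mode and the password must both be identical.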

[AR2]ospf 1
[AR2-ospf-1]area 1
[AR2-ospf-1-area-0.0.0.1]authentication-mode simple huawei

After the configuration is complete, wait a while and check the neighbor relationship between the two again.

[AR1]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.12.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 ----------------------------------------------------------------------------
[AR1]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.12.1
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.1          GigabitEthernet0/0/0

The neighbor relationship between AR1 and AR2 is now back to normal. Apply the same configuration on AR4.

[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]authentication-mode simple huawei

After the configuration is complete, view the OSPF neighbor relationships on AR2.

[AR2]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.12.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/2             10.0.23.3        Full
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.1        Full
 0.0.0.1          GigabitEthernet0/0/1             10.0.24.4        Full
 ----------------------------------------------------------------------------

All neighbor relationships in area 1 are now established normally.

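Configure ciphertext authentication for the headquarters OSPF area
On R2, configure area authentication for OSPF Area 0 with the authentication mode md5, that is, MD5 authentication mode, with key identifier 1 and the password huawei1.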

[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1

Continue with the same configuration on the other backbone routers. Note that ciphertext authentication passes only when the key identifier and the password match exactly.

[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1
[AR6]ospf 1
[AR6-ospf-1]area 0
[AR6-ospf-1-area-0.0.0.0]authentication-mode md5 1 huawei1

After the configuration is complete, view AR3's OSPF neighbor state.

[AR3]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.23.3
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/2             10.0.12.2        Full
 0.0.0.0          GigabitEthernet0/0/0             10.0.35.5        Full
 0.0.0.0          GigabitEthernet0/0/1             10.0.36.6        Full
 ----------------------------------------------------------------------------

The OSPF neighbor state is established normally.
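What the simple and md5 modes above put in each OSPF packet, and why a mode, key-identifier or password mismatch drops the neighbor, shown as an added example that is not part of the original notes. It follows the header layout and keyed-MD5 procedure of RFC 2328 and assumes the routers implement them as specified; the function names and packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BBH4s4sHH8s")   # RFC 2328 A.3.1 common header, 24 bytes
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2

def ip(text):
    return bytes(int(octet) for octet in text.split("."))

def pad(key, size):
    return key.ljust(size, b"\0")[:size]

def build_packet(router_id, area_id, autype, key=b"", key_id=0, seq=0):
    """Constructed, body-less OSPF Hello as a sender in this mode would emit it."""
    if autype == AU_SIMPLE:
        auth = pad(key, 8)                               # password goes out as-is
    elif autype == AU_CRYPTO:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # key ID, digest length, sequence
    else:
        auth = b"\0" * 8
    pkt = HDR.pack(2, 1, HDR.size, ip(router_id), ip(area_id), 0, autype, auth)
    if autype == AU_CRYPTO:
        pkt += hashlib.md5(pkt + pad(key, 16)).digest()  # RFC 2328 D.4.3 keyed MD5
    return pkt

def accepts(pkt, cfg_autype, cfg_key=b"", cfg_key_id=0):
    """Receiver-side check against the locally configured mode, key ID and password.
    Sequence-number (replay) checking is left out here."""
    _v, _t, length, _rid, _aid, _ck, autype, auth = HDR.unpack(pkt[:HDR.size])
    if autype != cfg_autype:
        return False                                     # mode mismatch: dropped
    if autype == AU_SIMPLE:
        return hmac.compare_digest(auth, pad(cfg_key, 8))
    if autype == AU_CRYPTO:
        if auth[2] != cfg_key_id:
            return False                                 # key ID mismatch: dropped
        expected = hashlib.md5(pkt[:length] + pad(cfg_key, 16)).digest()
        return hmac.compare_digest(pkt[length:length + 16], expected)
    return True

def password_on_wire(pkt):
    """Return the clear-text password carried by a simple-mode packet, else None."""
    autype, auth = HDR.unpack(pkt[:HDR.size])[6:]
    return auth.rstrip(b"\0") if autype == AU_SIMPLE else None
```

The plain and cipher keywords only change how the password is stored in the configuration; in simple mode the packet itself still carries it unencrypted, while md5 mode sends only a digest.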

Configuring OSPF link authentication

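The two steps above configured OSPF authentication using area authentication; link authentication achieves the same result. With link authentication, the link authentication command has to be configured on every interface of the same OSPF link, setting the authentication mode, password and other parameters. With area authentication, a single command in the corresponding area view under the OSPF process sets the authentication mode and password for the whole area, which greatly reduces the amount of configuration. So when several OSPF devices in the same area need authentication, area authentication is the recommended way to configure it.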

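The branch OSPF area is currently configured with area authentication in simple mode. To further improve the security of the OSPF network between AR2 and AR4, the network administrator needs to deploy OSPF link authentication in MD5 mode between the two devices.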

On AR2's GE0/0/1 interface, use the ospf authentication-mode command to configure link authentication with the md5 authentication mode, key identifier 1 and the password huawei5.

[AR2-GigabitEthernet0/0/1]ospf authentication-mode md5 1 huawei5
[AR2-GigabitEthernet0/0/1]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.12.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/2             10.0.23.3        Full
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.1        Full
 0.0.0.1          GigabitEthernet0/0/1             10.0.24.4        Full
 ----------------------------------------------------------------------------
[AR2-GigabitEthernet0/0/1]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.12.2
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/2             10.0.23.3        Full
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.1        Full
 ---------------------------------------------------------------------------

The OSPF neighbor relationship between AR2 and AR4 has disappeared. Area authentication is already configured, but when both interface authentication and area authentication are configured, interface authentication takes precedence when establishing OSPF neighbors. So until link authentication is configured on AR4, the neighbor relationship between AR2 and AR4 cannot be established because the authentication does not match. Configure link authentication on AR4 in the same way; note that the authentication mode, identifier and password must all match.

[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]ospf authentication-mode md5 1 huawei5
[AR4-GigabitEthernet0/0/0]display ospf peer brief
 OSPF Process 1 with Router ID 10.0.24.4
 Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State
 0.0.0.1          GigabitEthernet0/0/0             10.0.12.2        Full
 ----------------------------------------------------------------------------

The neighbor relationship is back to normal. OSPF link authentication configuration is now complete.
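A configuration check for the precedence rule described above (interface authentication overrides area authentication), as an added example that is not part of the original notes. The configuration fragments are constructed in the style of the display this output in this lab, `<ciphertext>` is a placeholder, and the interface-to-area mapping is passed in by hand because the notes do not show interface addressing.

```python
import re

# Constructed VRP-style fragments modelled on AR2 and AR4 at the point where only
# AR2 has link authentication; <ciphertext> is a placeholder, not device output.
AR2 = """interface GigabitEthernet0/0/1
 ospf authentication-mode md5 1 cipher <ciphertext>
#
ospf 1
 area 0.0.0.1
  authentication-mode simple plain huawei
"""
AR4 = """interface GigabitEthernet0/0/0
#
ospf 1
 area 0.0.0.1
  authentication-mode simple cipher <ciphertext>
"""
AUTH = re.compile(r"^(?:ospf )?authentication-mode (\S+)(.*)$")

def parse(config):
    """Map ("if" | "area", name) to (mode, key_id, stored_as_plain)."""
    found, ctx = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith(("interface ", "area ")):
            ctx = ("if" if s.startswith("interface ") else "area", s.split()[1])
        elif ctx and (m := AUTH.match(s)):
            toks = m.group(2).split()
            key_id = toks[0] if toks and m.group(1) != "simple" else None
            found[ctx] = (m.group(1), key_id, "plain" in toks[:-1])
    return found

def effective(config, iface, area):
    """Interface-level authentication takes precedence over the area-level setting."""
    found = parse(config)
    return found.get(("if", iface)) or found.get(("area", area))

def audit(config, iface, area):
    auth = effective(config, iface, area)
    if auth is None:
        return ["no authentication"]
    issues = ["simple mode: password sent in clear text"] if auth[0] == "simple" else []
    return issues + (["key stored as plain text in the configuration"] if auth[2] else [])

def link_matches(cfg_a, if_a, cfg_b, if_b, area):
    """Compare mode and key ID on both ends; cipher-stored keys cannot be compared."""
    a, b = effective(cfg_a, if_a, area), effective(cfg_b, if_b, area)
    return (a and a[:2]) == (b and b[:2])
```

Run against both ends of a link before committing a change, `link_matches` flags the state in which AR2 already uses md5 on the interface while AR4 still falls back to the area's simple mode.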