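Common OSPF multi-area configuration
Requirements
1. Complete the basic IP configuration.
2. Design the multi-area layout and advertise the networks into OSPF (done when every router has formed its adjacencies).
3. Inject a default route at the egress device (done when every router has learned the default route).
4. Summarize the user subnets on the ABRs to slim down the routing tables of the core devices (before summarization the core and egress routers see the specific user routes; afterwards they see only the summarized user route).
5. Configure the edge areas as totally stubby areas to slim down the routing tables of the edge devices (before, the edge routers see inter-area routes and an E2 default route; afterwards the inter-area routes are gone and the default route becomes an IA route).
6. Modify cost values so that traffic is split sensibly and the forward and return paths match (before, the two links are equal-cost and load-balanced; afterwards only the primary link is used, and dormitory area 1 and dormitory area 2 use different primary links).
7. Change the interface network type to point-to-point to speed up convergence (before, a DR has to be elected after the neighbor is established, which takes 40 s; afterwards no DR election is needed and convergence is fast).
8. Configure NAT at the egress.
9. Configure security hardening (optional).
9.1 Configure the user-facing interfaces as passive interfaces (before, a routing device attached to a user interface and running OSPF can form a neighbor relationship; afterwards it cannot).
9.2 Enable OSPF authentication and use the MD5 algorithm to encrypt the password.
1. Configure IP addresses
Omitted.
2. Advertise networks into OSPF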
AR1
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]net 10.10.12.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]net 10.10.13.0 0.0.0.255
AR2
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]net 0.0.0.0 0.0.0.0
AR3
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]net 0.0.0.0 0.0.0.0
AR4
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]net 10.10.24.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]net 10.10.34.0 0.0.0.255
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]net 11.10.46.0 0.0.0.255
AR5
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]net 10.10.35.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]net 10.10.25.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]area 2
[AR5-ospf-1-area-0.0.0.2]net 12.10.57.0 0.0.0.255
AR6
[AR6]ospf 1
[AR6-ospf-1]area 1
[AR6-ospf-1-area-0.0.0.1]net 11.10.46.0 0.0.0.255
[AR6-ospf-1-area-0.0.0.1]net 192.168.0.0 0.0.255.255
AR7
[AR7]ospf 1
[AR7-ospf-1]area 2
[AR7-ospf-1-area-0.0.0.2]net 12.10.57.0 0.0.0.255
[AR7-ospf-1-area-0.0.0.2]net 172.16.0.0 0.0.255.255
3. Inject the default route
AR1
[AR1]ip route-static 0.0.0.0 0 64.1.1.6
[AR1]ospf 1
[AR1-ospf-1]default-route-advertise always
Verification (every device sees the default route)
AR2
<AR2>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 25 Routes : 28
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 O_ASE 150 1 D 10.10.12.1 GigabitEthernet
0/0/1
4. Route summarization
Test
AR5
<AR5>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 24 Routes : 29
.................
192.168.0.1/32 OSPF 10 3 D 10.10.35.3 GigabitEthernet
0/0/0
OSPF 10 3 D 10.10.25.2 GigabitEthernet
0/0/2
192.168.1.1/32 OSPF 10 3 D 10.10.35.3 GigabitEthernet
0/0/0
AR4
[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]abr-summary 192.168.0.0 255.255.0.0
Verification
<AR5>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 24 Routes : 29
.................
192.168.0.0/16 OSPF 10 3 D 10.10.35.3 GigabitEthernet
0/0/0
AR5
[AR5]ospf 1
[AR5-ospf-1]area 2
[AR5-ospf-1-area-0.0.0.2]abr-summary 172.16.0.0 255.255.0.0
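5. Configure totally stubby areas
An OSPF stub area is a leaf area: when an OSPF area sits at the edge of the whole autonomous system and contains no other routing protocol, it can be configured as an OSPF stub area.
Once a stub area is configured, the routers in it gain a default route toward the ABR. When the ABR is configured for a totally stubby area, the other routers in the area hold, apart from their directly connected routes, only a default route toward the ABR. They learn no routes from other areas, and packets destined for other areas are forwarded through the ABR. This reduces the number of routing entries and routing updates on the other routers in the stub area and improves router performance.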
AR4
[AR4]ospf 1
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]stub no-summary
AR6
[AR6]ospf 1
[AR6-ospf-1]area 1
[AR6-ospf-1-area-0.0.0.1]stub
[AR6-ospf-1-area-0.0.0.1]stub no-summary
Verification
<AR6>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 OSPF 10 2 D 11.10.46.4 GigabitEthernet
0/0/2
11.10.46.0/24 Direct 0 0 D 11.10.46.6 GigabitEthernet
0/0/2
11.10.46.6/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/2
11.10.46.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/2
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.0.0/24 Direct 0 0 D 192.168.0.1 LoopBack1
192.168.0.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
192.168.0.255/32 Direct 0 0 D 127.0.0.1 LoopBack1
192.168.1.0/24 Direct 0 0 D 192.168.1.1 LoopBack2
192.168.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack2
192.168.1.255/32 Direct 0 0 D 127.0.0.1 LoopBack2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
6. Modify interface costs to split traffic sensibly with matching forward and return paths
AR4
[AR4]int g0/0/1
[AR4-GigabitEthernet0/0/1]ospf cost 1000
AR5
[AR5]int g0/0/2
[AR5-GigabitEthernet0/0/2]ospf cost 1000
AR2
[AR2]int g0/0/2
[AR2-GigabitEthernet0/0/2]ospf cost 1000
AR3
[AR3]int g0/0/1
[AR3-GigabitEthernet0/0/1]ospf cost 1000
Verification
<AR1>dis ip routing-table 192.168.0.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.0.0/16 OSPF 10 3 D 10.10.12.2 GigabitEthernet
0/0/1
<AR1>
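Why raising the cost on two links gives each dormitory area a single, symmetric primary path, as an added example (not part of the original page): an SPF run over the lab topology before and after the cost change. The link list is inferred from the subnet numbering on the page, and a default cost of 1 per link and the function names are assumptions.

```python
import heapq

# Links inferred from the page's subnets (10.10.XY.0 joins ARx and ARy).
LINKS = [("AR1", "AR2"), ("AR1", "AR3"), ("AR2", "AR4"), ("AR3", "AR4"),
         ("AR2", "AR5"), ("AR3", "AR5"), ("AR4", "AR6"), ("AR5", "AR7")]
# Links whose interfaces get "ospf cost 1000" in section 6 (both ends assumed).
BACKUP = {("AR3", "AR4"), ("AR2", "AR5")}


def build_graph(tuned):
    """Return {router: {neighbor: cost}}; untuned links are assumed to cost 1."""
    graph = {}
    for a, b in LINKS:
        cost = 1000 if tuned and (a, b) in BACKUP else 1
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, src):
    """Dijkstra that records every equal-cost predecessor (ECMP)."""
    dist, preds, heap = {src: 0}, {src: set()}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr], preds[nbr] = nd, {node}
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr]:
                preds[nbr].add(node)
    return dist, preds


def paths(graph, src, dst):
    """Return (cost, all lowest-cost hop lists) from src to dst."""
    dist, preds = spf(graph, src)
    def walk(node):
        if node == src:
            return [[src]]
        return [p + [node] for prev in preds[node] for p in walk(prev)]
    return dist[dst], sorted(walk(dst))

if __name__ == "__main__":
    for tuned in (False, True):
        g = build_graph(tuned)
        print(tuned, paths(g, "AR1", "AR6"), paths(g, "AR7", "AR1"))
```

With the tuned costs, AR1 reaches AR6 only through AR2 at cost 3, which matches the next hop 10.10.12.2 and cost 3 in the verification output above.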
7. Change the network type to speed up convergence
AR4
[AR4]int g0/0/2
[AR4-GigabitEthernet0/0/2]ospf network-type p2p
AR6
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]ospf network-type p2p
Verification
[AR4]dis ospf peer | include DR
OSPF Process 1 with Router ID 10.10.24.4
Neighbors
Area 0.0.0.0 interface 10.10.24.4(GigabitEthernet0/0/0)'s neighbors
DR: 10.10.24.2 BDR: 10.10.24.4 MTU: 0
Neighbors
Area 0.0.0.0 interface 10.10.34.4(GigabitEthernet0/0/1)'s neighbors
DR: 10.10.34.3 BDR: 10.10.34.4 MTU: 0
Neighbors
Area 0.0.0.1 interface 11.10.46.4(GigabitEthernet0/0/2)'s neighbors
DR: None BDR: None MTU: 0
8. Configure NAT on the egress interface for external network access
AR1
[AR1]ip route-static 0.0.0.0 0 64.1.1.6
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.0.0 0.0.255.255
[AR1-acl-basic-2000]rule permit source 172.16.0.0 0.0.255.255
[AR1]nat address-group 1 64.1.1.2 64.1.1.3
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000 address-group 1
Verification
AR6
[AR6]ping -a 192.168.0.1 8.8.8.8
PING 8.8.8.8: 56 data bytes, press CTRL_C to break
Request time out
Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=252 time=60 ms
Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=252 time=40 ms
Reply from 8.8.8.8: bytes=56 Sequence=4 ttl=252 time=30 ms
Reply from 8.8.8.8: bytes=56 Sequence=5 ttl=252 time=30 ms
--- 8.8.8.8 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 30/40/60 ms
9. Security hardening
Method 1: authentication on the interface
AR4
[AR4]int g0/0/2
[AR4-GigabitEthernet0/0/2]ospf authentication-mode md5 1 huawei
AR6
[AR6]int g0/0/2
[AR6-GigabitEthernet0/0/2]ospf authentication-mode md5 1 huawei
Method 2: in the OSPF process
AR4
[AR4]ospf
[AR4-ospf-1]area 1
[AR4-ospf-1-area-0.0.0.1]authentication-mode md5 1 huawei
AR6
[AR6]ospf
[AR6-ospf-1]area 1
[AR6-ospf-1-area-0.0.0.1]authentication-mode md5 1 huawei
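What MD5 authentication does to each packet on the AR4-AR6 link, as an added example (not part of the original page and not Huawei code): the password is never transmitted; the sender appends a keyed MD5 digest and a sequence number as described in RFC 2328 Appendix D, and the receiver recomputes and compares. The Hello body and helper names are constructed; that the router's md5 mode uses this construction and zero-pads short keys are assumptions.

```python
import hashlib
import hmac
import struct

# OSPFv2 header with the AuType 2 authentication field (24 bytes):
# version, type, length, router ID, area ID, checksum, AuType,
# zero, key ID, digest length, cryptographic sequence number.
OSPF_HDR = struct.Struct("!BBH4s4sHHHBBI")

# Constructed sample values; router ID, key ID and password are from the page.
AR4_ID, AREA1 = bytes([10, 10, 24, 4]), bytes([0, 0, 0, 1])
HELLO_BODY = bytes(20)  # placeholder Hello payload
KEYS = {1: "huawei"}


def pad_key(secret):
    """Zero-pad the shared secret to 16 bytes (assumed router behaviour)."""
    return secret.encode()[:16].ljust(16, b"\0")


def sign(body, router_id, area_id, key_id, seq, secret, pkt_type=1):
    """Return header + body + MD5(header + body + padded key)."""
    hdr = OSPF_HDR.pack(2, pkt_type, OSPF_HDR.size + len(body), router_id,
                        area_id, 0, 2, 0, key_id, 16, seq)
    packet = hdr + body
    return packet + hashlib.md5(packet + pad_key(secret)).digest()


def verify(wire, keys, last_seq):
    """Receiver-side checks; last_seq is the last value seen from this peer."""
    if len(wire) < OSPF_HDR.size + 16:
        return "reject: truncated"
    fields = OSPF_HDR.unpack_from(wire)
    length, autype, key_id, dlen, seq = (fields[2], fields[6], fields[8],
                                         fields[9], fields[10])
    if autype != 2 or dlen != 16 or key_id not in keys:
        return "reject: auth type or key id mismatch"
    if len(wire) < length + 16:
        return "reject: truncated"
    if seq < last_seq:
        return "reject: stale sequence number"
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(wire[length:length + 16], expected):
        return "reject: digest mismatch"
    return "accept"


if __name__ == "__main__":
    wire = sign(HELLO_BODY, AR4_ID, AREA1, 1, 100, "huawei")
    print(verify(wire, KEYS, 99), verify(wire, KEYS, 101))
```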