
OSPF Step by Step: A Detailed Analysis (Part 4)

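2009-04-10 12:22
OSPF Virtual Links
As mentioned in an earlier article, OSPF uses a two-level hierarchy, so every non-backbone area must connect directly to the backbone area. Routers in Area 1 and Area 2 cannot connect to each other directly; traffic between areas must pass through the backbone area, Area 0.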

Today's topic is the virtual link, which can join a discontiguous Area 0 and can also connect an area to Area 0 through a transit area.

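Virtual links are part of the OSPF open standard, and Cisco IOS software has supported them since version 10.0. A virtual link resembles a standard OSPF adjacency, except that the adjacent routers do not need to be directly connected.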

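On a virtual link, the Hello protocol works the same way as on a standard link: a hello packet is sent every 10 seconds. LSA updates, however, behave differently. LSAs are normally refreshed every 30 minutes, but LSAs learned over a virtual link have the DoNotAge (DNA) option set and therefore do not age out. DNA is essential to avoid excessive flooding over the virtual link.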

Now let's configure an OSPF virtual link. The lab topology is as follows:



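Lab environment:
As shown in the figure above, Area 2 and Area 0 are separated by Area 1. For Area 2 and Area 0 to communicate, Area 1 must act as a transit area, and a virtual link must be established across Area 1.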

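The OSPF virtual-link configuration command is:
area area-id virtual-link router-ID-of-the-router-at-the-other-end

OK, let's get to work!
The basic multi-area OSPF configuration was covered in an earlier article, so the basic steps are omitted here.
Once the basic OSPF configuration is complete, R1 and R4 do not learn each other's routes, and pc1 and pc2 cannot communicate.
Check the routing tables of R1 and R4.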
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, FastEthernet1/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.1.2, 00:00:11, Serial0/0

R4
r4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.100.0 is directly connected, FastEthernet1/0
40.0.0.0/24 is subnetted, 1 subnets
C 40.1.1.0 is directly connected, Loopback0
C 192.168.3.0/24 is directly connected, Serial0/0
Since R1 and R4 cannot learn each other's routes, it follows that pc1 and pc2 cannot ping each other:
VPCS 1 >ping 172.16.100.2
host (172.16.100.2) not reachable

To let them communicate, configure a virtual link on R2 and R3 with the following commands:
r2(config-router)#area 1 virtual-link 30.1.1.1
r3(config-router)#area 1 virtual-link 20.1.1.1

With the virtual link configured, look at the routing tables of R1 and R4 again. As shown below, R1 and R4 have each learned the other's routes.
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, FastEthernet1/0
O IA 172.16.100.0 [110/193] via 192.168.1.2, 00:01:37, Serial0/0
40.0.0.0/32 is subnetted, 1 subnets
O IA 40.1.1.1 [110/193] via 192.168.1.2, 00:01:37, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.1.2, 00:01:37, Serial0/0
O IA 192.168.3.0/24 [110/192] via 192.168.1.2, 00:01:37, Serial0/0
30.0.0.0/32 is subnetted, 1 subnets
O IA 30.1.1.1 [110/129] via 192.168.1.2, 00:01:37, Serial0/0

R4
r4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 2 subnets
O IA 172.16.1.0 [110/193] via 192.168.3.1, 00:01:46, Serial0/0
C 172.16.100.0 is directly connected, FastEthernet1/0
40.0.0.0/24 is subnetted, 1 subnets
C 40.1.1.0 is directly connected, Loopback0
10.0.0.0/32 is subnetted, 1 subnets
O IA 10.1.1.1 [110/193] via 192.168.3.1, 00:01:46, Serial0/0
O IA 192.168.1.0/24 [110/192] via 192.168.3.1, 00:01:46, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.3.1, 00:01:55, Serial0/0
C 192.168.3.0/24 is directly connected, Serial0/0
30.0.0.0/32 is subnetted, 1 subnets
O IA 30.1.1.1 [110/65] via 192.168.3.1, 00:01:56, Serial0/0
Ping pc2 from pc1. Heh, now they can talk to each other!
VPCS 1 >ping 172.16.100.2
172.16.100.2 icmp_seq=1 time=138.000 ms
172.16.100.2 icmp_seq=2 time=86.000 ms
172.16.100.2 icmp_seq=3 time=110.000 ms
172.16.100.2 icmp_seq=4 time=80.000 ms
172.16.100.2 icmp_seq=5 time=50.000 ms

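Let's check how the OSPF virtual link is running.
The output below shows that the OSPF neighbor and the link to that neighbor are up, along with some other information.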
r2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 30.1.1.1 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 1, via interface Serial0/1, Cost of using 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Adjacency State FULL (Hello suppressed)
Index 2/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec

In short, the OSPF virtual link is configured successfully and working normally!

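OSPF Authentication
Why use OSPF authentication:
Authenticating neighbor routers prevents a router from accepting forged routing updates. With OSPF neighbor authentication configured, routers take part in routing based on a predefined password.

Background on OSPF authentication:
Once neighbor authentication is configured on a router, the router authenticates the source of every routing update packet it receives. This is done by exchanging an authentication key (password) known to both the sending and the receiving router.

By default, OSPF uses the null authentication method, meaning that routing information exchanged over the network is not authenticated. OSPF also supports two other methods: simple password authentication (plaintext authentication) and MD5 authentication.
OSPF MD5 authentication adds a non-decreasing sequence number to every OSPF packet to protect against replay attacks.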
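
The receiver-side check behind MD5 authentication, as an added example that is not part of the original article: it follows the RFC 2328 cryptographic-authentication header layout and shows the digest check and the non-decreasing sequence-number rule. The packet bodies, router ID and the names build_packet, Neighbor and verify are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2   # AuType 2: cryptographic (MD5) authentication, RFC 2328
HDR = "!BBH4s4sHH"  # version, type, length, router ID, area ID, checksum, AuType
AUTH = "!HBBI"      # zero, key ID, digest length, cryptographic sequence number

def pad_key(key: bytes) -> bytes:
    """RFC 2328 keys are 16 bytes: truncate or zero-pad the shared secret."""
    return key[:16].ljust(16, b"\x00")

def build_packet(router_id, area_id, body, key_id, key, seq, ptype=1):
    """Build an OSPFv2 packet with the MD5 digest appended after the packet."""
    hdr = struct.pack(HDR, 2, ptype, 24 + len(body), router_id, area_id, 0, AUTYPE_CRYPTO)
    pkt = hdr + struct.pack(AUTH, 0, key_id, 16, seq) + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()

class Neighbor:
    """Receiver-side state for one neighbor: configured keys and last sequence seen."""
    def __init__(self, keys):
        self.keys = keys        # {key ID: shared secret}
        self.last_seq = 0

def verify(neighbor, raw):
    """Return 'ok' or the reason the packet is dropped."""
    if len(raw) < 24:
        return "malformed"
    _, _, length, _, _, _, autype = struct.unpack(HDR, raw[:16])
    _, key_id, dlen, seq = struct.unpack(AUTH, raw[16:24])
    if autype != AUTYPE_CRYPTO:
        return "authentication type mismatch"
    if key_id not in neighbor.keys:
        return "unknown key ID"
    if dlen != 16 or length < 24 or len(raw) != length + dlen:
        return "malformed"
    if seq < neighbor.last_seq:          # non-decreasing rule: older packets are replays
        return "stale sequence number"
    digest = hashlib.md5(raw[:length] + pad_key(neighbor.keys[key_id])).digest()
    if not hmac.compare_digest(digest, raw[length:]):
        return "digest mismatch"
    neighbor.last_seq = seq              # only authenticated packets advance the counter
    return "ok"
```

A packet whose digest fails never updates last_seq, so a forged packet with a very high sequence number cannot lock out the legitimate neighbor.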

Today we will configure both of these authentication methods.

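First, simple authentication:
The configuration commands (in interface configuration mode) are:
ip ospf authentication
ip ospf authentication-key password
The lab for simple authentication uses the following topology: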



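The configuration is as follows (both routers are in Area 0; single-area OSPF is easy by now, so it is not repeated here):
First, after configuring OSPF, check both routers' routing tables to see whether they have learned each other's routes.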
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/32 is subnetted, 1 subnets
O 20.1.1.1 [110/65] via 192.168.1.2, 00:00:04, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0

R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Loopback0
10.0.0.0/32 is subnetted, 1 subnets
O 10.1.1.1 [110/65] via 192.168.1.1, 00:01:29, Serial0/0
C 192.168.1.0/24 is directly connected, Serial0/0

As shown above, R1 and R2 have learned each other's routes.
Verify that they can communicate; as shown below, it works!
r1#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/92/268 ms

Next, configure simple authentication on R1 first.
r1(config)#int s0/0
r1(config-if)#ip ospf authentication
r1(config-if)#ip ospf authentication-key cisco

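After configuring authentication on R1, check the routing tables of R1 and R2. As shown below, the two routers can no longer learn each other's routes, because authentication was configured on R1 only.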
R1
r1#show ip route
*Mar 1 00:06:29.315: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0

R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0

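For R2 to form an adjacency with R1 and exchange routes, it must also be configured with simple authentication, and the password must be the same.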

Now configure simple authentication on R2 as well:
r2(config)#int s0/0
r2(config-if)#ip ospf authentication
r2(config-if)#ip ospf authentication-key cisco

With simple authentication correctly configured on both routers, look at the routing tables again.
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/32 is subnetted, 1 subnets
O 20.1.1.1 [110/65] via 192.168.1.2, 00:00:51, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0

R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Loopback0
10.0.0.0/32 is subnetted, 1 subnets
O 10.1.1.1 [110/65] via 192.168.1.1, 00:01:21, Serial0/0
C 192.168.1.0/24 is directly connected, Serial0/0

OK, simple authentication is configured successfully!

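Next we configure MD5 authentication. The lab topology is the same as for simple authentication.

To use OSPF MD5 authentication, a key ID and a key must be configured on each router.

The configuration commands are as follows (again in interface configuration mode):
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 password

MD5 authentication must be configured on both routers; otherwise the behavior seen above occurs (the two routers cannot communicate).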
R1
r1(config)#int s0/0
r1(config-if)#ip ospf authentication message-digest
r1(config-if)#ip ospf message-digest-key 1 md5 cisco

R2
r2(config)#int s0/0
r2(config-if)#ip ospf authentication message-digest
r2(config-if)#ip ospf message-digest-key 1 md5 cisco

Once MD5 authentication is configured on both routers, R1 and R2 communicate normally again. To confirm, check the routing tables of both routers.
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/32 is subnetted, 1 subnets
O 20.1.1.1 [110/65] via 192.168.1.2, 00:00:52, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, Serial0/0

R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
C 20.1.1.0 is directly connected, Loopback0
10.0.0.0/32 is subnetted, 1 subnets
O 10.1.1.1 [110/65] via 192.168.1.1, 00:00:43, Serial0/0
C 192.168.1.0/24 is directly connected, Serial0/0

Heh, both authentication methods are done!

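After OSPF authentication is configured, the key string is stored in plaintext in the router configuration. To keep the password from being learned by others, use the command service password-encryption, which encrypts the plaintext and makes the password more secure!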

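With the lab finished, let's summarize what to watch for when configuring authentication:
1. Authentication must be configured on the serial interfaces of both routers;
2. The configured passwords must be identical.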
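
Both points in the summary can be checked before a change is rolled out by comparing the two ends of a link. This is an added example, not part of the original article: the config snippets are constructed, keys are assumed to appear unencrypted in the config, and only the interface-level commands used in this article are parsed.

```python
import re

def parse_ospf_auth(config):
    """Map interface name -> OSPF authentication settings found in an IOS-style config."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1],
                                    {"mode": "null", "key": None, "md5": {}})
        elif not raw.startswith(" "):
            cur = None                      # left the interface block
        elif cur is not None:
            if line == "ip ospf authentication":
                cur["mode"] = "simple"
            elif line == "ip ospf authentication message-digest":
                cur["mode"] = "md5"
            elif m := re.fullmatch(r"ip ospf authentication-key (\S+)", line):
                cur["key"] = m.group(1)
            elif m := re.fullmatch(r"ip ospf message-digest-key (\d+) md5 (\S+)", line):
                cur["md5"][int(m.group(1))] = m.group(2)
    return ifaces

def check_link(a, b):
    """Compare both ends of one link; an empty list means matching authentication."""
    if a["mode"] != b["mode"]:
        return [f"authentication type mismatch: {a['mode']} vs {b['mode']}"]
    if a["mode"] == "null":
        return ["no authentication on either end"]
    if a["mode"] == "simple":
        return [] if a["key"] and a["key"] == b["key"] else ["simple password differs"]
    shared = [k for k, v in a["md5"].items() if b["md5"].get(k) == v]
    return [] if shared else ["no key ID with the same MD5 key on both ends"]

# Constructed configs: R1 after the simple-authentication step, R2 before and after it.
R1 = ("interface Serial0/0\n ip address 192.168.1.1 255.255.255.0\n"
      " ip ospf authentication\n ip ospf authentication-key cisco\n!\n")
R2_BEFORE = "interface Serial0/0\n ip address 192.168.1.2 255.255.255.0\n!\n"
R2_AFTER = R2_BEFORE.replace(
    "!\n", " ip ospf authentication\n ip ospf authentication-key cisco\n!\n")

def audit(cfg_a, cfg_b, ifname="Serial0/0"):
    """Check one named interface on both routers and return the findings."""
    return check_link(parse_ospf_auth(cfg_a)[ifname], parse_ospf_auth(cfg_b)[ifname])
```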