Huawei Firewall Technology Talk: Configuring a Local Zone Security Policy for OSPF

FW configuration (USG600v)

firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0

ospf 1
 area 0.0.0.1
  network 192.168.0.0 0.0.0.255

R1 configuration

ospf 1
 area 0.0.0.1
  network 192.168.0.0 0.0.0.255
  network 192.168.1.0 0.0.0.255

R2 configuration

ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255

[FW]display ospf peer

OSPF Process 1 with Router ID 192.168.0.1
Neighbors

 Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/0)'s neighbors
 Router ID: 192.168.0.2      Address: 192.168.0.2
   State: ExStart  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.0.2  BDR: 192.168.0.1  MTU: 0
   Dead timer due in 39  sec
   Retrans timer interval: 0
   Neighbor is up for 00:00:00
   Authentication Sequence: [ 0 ]

[R1]display ospf peer

OSPF Process 1 with Router ID 192.168.0.2
Neighbors

 Area 0.0.0.1 interface 192.168.0.2(GigabitEthernet0/0/1)'s neighbors
 Router ID: 192.168.0.1      Address: 192.168.0.1
   State: ExStart  Mode:Nbr is  Slave  Priority: 1
   DR: 192.168.0.2  BDR: 192.168.0.1  MTU: 0
   Dead timer due in 33  sec
   Retrans timer interval: 0
   Neighbor is up for 00:00:00
   Authentication Sequence: [ 0 ]

Neighbors

 Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet0/0/2)'s neighbors
 Router ID: 192.168.1.2      Address: 192.168.1.2
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 192.168.1.1  BDR: 192.168.1.2  MTU: 0
   Dead timer due in 32  sec
   Retrans timer interval: 5
   Neighbor is up for 04:01:10
   Authentication Sequence: [ 0 ]

[FW]display firewall statistic system discard
 Discard statistic information:
   PACKET DEFAULT FILTER                     :192  //keeps increasing
   L3 PROTOCOL DOWN                          :5
   INVALID RECEIVE ZONE                      :4
   INVALID SEND ZONE                         :5

security-policy
 rule name ospf
  source-zone local
  destination-zone untrust
  action permit

Permit traffic from the local zone to the untrust zone.

[FW]display ospf peer

OSPF Process 1 with Router ID 192.168.0.1
Neighbors

 Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/0)'s neighbors
 Router ID: 192.168.0.2      Address: 192.168.0.2
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 192.168.0.2  BDR: 192.168.0.1  MTU: 0
   Dead timer due in 35  sec
   Retrans timer interval: 5
   Neighbor is up for 00:33:11
   Authentication Sequence: [ 0 ]

The neighbor state has changed to Full.

[FW]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.0.0/24  Direct  0    0           D   192.168.0.1     GigabitEthernet1/0/0
    192.168.0.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    192.168.1.0/24  OSPF    10   2           D   192.168.0.2     GigabitEthernet1/0/0

Checking the routing table, the route for the 192.168.1.0/24 segment is now present.
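The troubleshooting above was done by eye: a neighbor stuck in ExStart on both sides, and a PACKET DEFAULT FILTER counter that keeps climbing until the local-zone policy is added. The following added script (not part of the original post, not Huawei code) automates that triage: it parses `display ospf peer` output for neighbors that are not Full, and diffs two `display firewall statistic system discard` snapshots to show which discard counters are growing. The sample outputs are constructed from the format shown on this page.

```python
import re

# Constructed sample modelled on the page's "display ospf peer" output, not a live capture.
OSPF_PEER_BEFORE = """\
OSPF Process 1 with Router ID 192.168.0.1
Neighbors
 Area 0.0.0.1 interface 192.168.0.1(GigabitEthernet1/0/0)'s neighbors
 Router ID: 192.168.0.2      Address: 192.168.0.2
   State: ExStart  Mode:Nbr is  Slave  Priority: 1
   Retrans timer interval: 0
   Neighbor is up for 00:00:00
"""
OSPF_PEER_AFTER = OSPF_PEER_BEFORE.replace("ExStart", "Full")

# Constructed "display firewall statistic system discard" snapshots a few seconds apart.
DISCARD_T0 = """\
 Discard statistic information:
   PACKET DEFAULT FILTER                     :192
   L3 PROTOCOL DOWN                          :5
"""
DISCARD_T1 = """\
 Discard statistic information:
   PACKET DEFAULT FILTER                     :230
   L3 PROTOCOL DOWN                          :5
"""

# One match per neighbor block: router ID, address and the adjacency state line that follows.
PEER_RE = re.compile(
    r"Router ID: (?P<rid>\S+)\s+Address: (?P<addr>\S+)\s+State: (?P<state>\w+)")

def stuck_neighbors(peer_output):
    """Return (router_id, address, state) for every neighbor not in Full state."""
    return [(m["rid"], m["addr"], m["state"])
            for m in PEER_RE.finditer(peer_output) if m["state"] != "Full"]

def discard_counters(output):
    """Parse 'COUNTER NAME   :N' lines of the discard statistics into a dict."""
    return {name.strip(): int(n)
            for name, n in re.findall(r"^\s+(.+?)\s*:(\d+)\s*$", output, re.M)}

def growing_discards(t0, t1):
    """Counters that increased between two snapshots. A rising PACKET DEFAULT FILTER
    while a peer sits in ExStart is the signature of the missing local-zone policy."""
    before, after = discard_counters(t0), discard_counters(t1)
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}

if __name__ == "__main__":
    print("stuck:", stuck_neighbors(OSPF_PEER_BEFORE))
    print("growing:", growing_discards(DISCARD_T0, DISCARD_T1))
```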

 

 

 

 
