II. Routing
1. On S3 and S4, configure VPN instances to isolate the VLAN10 and VLAN20 services: VLAN10 maps to VPN instance VPN_A and VLAN20 to VPN instance VPN_B
# Bind the relevant S3 interfaces to the VPN instances VPN_A and VPN_B
<S3>dis cu int
#
interface Vlanif1
#
interface Vlanif10
ip binding vpn-instance VPN_A
ip address 172.16.10.9 255.255.255.0
vrrp vrid 1 virtual-ip 172.16.10.254
vrrp vrid 1 priority 120
#
interface Vlanif20
ip binding vpn-instance VPN_B
ip address 172.16.20.9 255.255.255.0
vrrp vrid 2 virtual-ip 172.16.20.254
#
interface Vlanif79
ip address 172.16.79.9 255.255.255.0
#
interface Vlanif89
ip address 172.16.89.9 255.255.255.0
#
interface Vlanif120
ip binding vpn-instance VPN_A
ip address 172.16.120.9 255.255.255.0
#
interface Vlanif121
ip address 172.16.121.9 255.255.255.0
#
interface Vlanif122
ip binding vpn-instance VPN_B
ip address 172.16.122.9 255.255.255.0
#
interface Vlanif123
ip address 172.16.123.9 255.255.255.0
#
interface Vlanif254
ip address 172.16.254.9 255.255.255.0
#
# Bind the relevant S4 interfaces to the VPN instances VPN_A and VPN_B
[S4]dis cu int
#
interface Vlanif10
ip binding vpn-instance VPN_A
ip address 172.16.10.10 255.255.255.0
vrrp vrid 1 virtual-ip 172.16.10.254
#
interface Vlanif20
ip binding vpn-instance VPN_B
ip address 172.16.20.10 255.255.255.0
vrrp vrid 2 virtual-ip 172.16.20.254
vrrp vrid 2 priority 120
#
interface Vlanif107
ip address 172.16.107.10 255.255.255.0
#
interface Vlanif108
ip address 172.16.108.10 255.255.255.0
#
interface Vlanif130
ip binding vpn-instance VPN_A
ip address 172.16.130.10 255.255.255.0
#
interface Vlanif131
ip address 172.16.131.10 255.255.255.0
#
interface Vlanif132
ip binding vpn-instance VPN_B
ip address 172.16.132.10 255.255.255.0
#
interface Vlanif133
ip address 172.16.133.10 255.255.255.0
#
interface Vlanif254
ip address 172.16.254.10 255.255.255.0
#
2. Add the interconnect interfaces of S1, S2, S3, S4, R1 and R2 to OSPF area 0 and enable MD5 authentication
[S3-ospf-100]di th
#
ospf 100 router-id 10.0.0.9
area 0.0.0.0
authentication-mode md5 1 plain huawei
network 172.16.79.9 0.0.0.0
network 172.16.89.9 0.0.0.0
#
[S4-ospf-100]di th
#
ospf 100 router-id 10.0.0.10
area 0.0.0.0
authentication-mode md5 1 plain huawei
network 172.16.108.10 0.0.0.0
network 172.16.107.10 0.0.0.0
#
[S1-ospf-100]di th
#
ospf 100 router-id 10.0.0.1
area 0.0.0.0
authentication-mode md5 1 plain huawei
network 172.16.79.7 0.0.0.0
network 172.16.107.7 0.0.0.0
network 172.16.78.7 0.0.0.0
network 172.16.17.7 0.0.0.0
#
[S2-ospf-100]di th
#
ospf 100 router-id 10.0.0.8
area 0.0.0.0
authentication-mode md5 1 plain huawei
network 172.16.78.8 0.0.0.0
network 172.16.89.8 0.0.0.0
network 172.16.108.8 0.0.0.0
network 172.16.28.8 0.0.0.0
#
[R1-ospf-100]di th
#
ospf 100 router-id 10.1.1.1
area 0.0.0.0
authentication-mode md5 1 plain huawei
network 10.1.1.1 0.0.0.0
network 172.16.12.1 0.0.0.0
network 172.16.17.1 0.0.0.0
#
[R2-ospf-100-area-0.0.0.0]di th
#
area 0.0.0.0
authentication-mode md5 1 plain huawei
network 10.1.2.2 0.0.0.0
network 172.16.12.2 0.0.0.0
network 172.16.28.2 0.0.0.0
#
3. Add the S3/S4 service VLANs, VLAN10 and VLAN20, to area 1 and area 2 respectively, but these interfaces must not forward OSPF packets
[S3-ospf-1]di th
#
ospf 1 vpn-instance VPN_A
silent-interface Vlanif10
# Disable routing-loop detection and perform route calculation directly
vpn-instance-capability simple
area 0.0.0.1
network 172.16.0.0 0.0.255.255
#
[S3-ospf-2]di th
#
ospf 2 vpn-instance VPN_B
silent-interface Vlanif20
# Disable routing-loop detection and perform route calculation directly
vpn-instance-capability simple
area 0.0.0.2
network 172.16.0.0 0.0.255.255
#
[S4-ospf-1]di th
#
ospf 1 vpn-instance VPN_A
silent-interface Vlanif10
# Disable routing-loop detection and perform route calculation directly
vpn-instance-capability simple
area 0.0.0.1
network 172.16.0.0 0.0.255.255
#
[S4-ospf-2]di th
#
ospf 2 vpn-instance VPN_B
silent-interface Vlanif20
# Disable routing-loop detection and perform route calculation directly
vpn-instance-capability simple
area 0.0.0.2
network 172.16.0.0 0.0.255.255
#
4. On S3 and S4, perform route summarization: summarize the 172.16.XY.0/24 networks in area 0 into 172.0.0.0/16, and at the same time ensure that areas 1 and 2 contain only the summary route and the interconnect segments
Before summarization, a large number of type-3 LSAs can be seen in OSPF areas 1 and 2:
# Route summarization
[S3-ospf-100-area-0.0.0.0]di th
#
area 0.0.0.0
abr-summary 172.0.0.0 255.0.0.0
[S4-ospf-100-area-0.0.0.0]di th
#
area 0.0.0.0
abr-summary 172.0.0.0 255.0.0.0
After summarization:
5. Add the S3-S4 interconnect interface to area 3 and deploy a virtual link (vlink) so that a failure of the S1-S2 interconnect link does not partition the backbone area
S3:
ospf 100 router-id 10.0.0.9
area 0.0.0.3
network 172.16.254.9 0.0.0.0
vlink-peer 10.0.0.10 authentication-null
#
S4:
ospf 100 router-id 10.0.0.10
area 0.0.0.3
network 172.16.254.10 0.0.0.0
vlink-peer 10.0.0.9 authentication-null
#
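The MD5 authentication in section 2 and the virtual link above are the settings a reviewer checks first: area 0 is MD5-protected, yet the key is kept as plain text and the vlink (logically an area-0 adjacency) is explicitly set to authentication-null. The following Python script is an added example, not part of the lab: it parses a constructed excerpt modelled on S3's VRP configuration and reports areas without authentication, plain-text MD5 keys, and null-authentication virtual links.

```python
import re

# Constructed excerpt modelled on S3's configuration in this lab (sample input, not a
# captured device file): MD5 on area 0, the area-3 virtual link, the VPN_A process.
S3_CONFIG = """\
ospf 100 router-id 10.0.0.9
 area 0.0.0.0
  authentication-mode md5 1 plain huawei
  network 172.16.79.9 0.0.0.0
 area 0.0.0.3
  network 172.16.254.9 0.0.0.0
  vlink-peer 10.0.0.10 authentication-null
#
ospf 1 vpn-instance VPN_A
 silent-interface Vlanif10
 area 0.0.0.1
  network 172.16.0.0 0.0.255.255
#
"""

def audit_ospf(config):
    """Return (process, area, finding) tuples: areas with no authentication-mode,
    MD5 keys kept as 'plain' text, and virtual links set to authentication-null."""
    areas, process, area = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # VRP block delimiter ends the process
            process = area = None
            continue
        m = re.match(r"ospf (\d+)", line)
        if m:
            process, area = m.group(1), None
            continue
        m = re.match(r"area (\S+)$", line)
        if m and process is not None:
            area = m.group(1)
            areas[(process, area)] = []
        elif area is not None:               # statement inside the current area
            areas[(process, area)].append(line)
    findings = []
    for (proc, ar), lines in areas.items():
        auth = [l for l in lines if l.startswith("authentication-mode")]
        if not auth:
            findings.append((proc, ar, "no area authentication configured"))
        elif any(" plain " in l for l in auth):
            findings.append((proc, ar, "MD5 key stored as plain text"))
        if any(l.startswith("vlink-peer") and l.endswith("authentication-null") for l in lines):
            findings.append((proc, ar, "virtual link uses authentication-null"))
    return findings
```

Run it against a full `display current-configuration` export to list every OSPF area on S3 and S4 whose authentication differs from what section 2 requires.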
6. Deploy type-3 LSA filtering on S3 and S4: for VPN_A filter the type-3 LSA for 172.16.20.0/24, and for VPN_B filter the one for 172.16.10.0/24
S3, S4: # Create ip-prefix lists matching the corresponding subnets
ip ip-prefix deny10 index 10 deny 172.16.10.0 24
ip ip-prefix deny10 index 20 permit 0.0.0.0 0 less-equal 32
ip ip-prefix deny20 index 10 deny 172.16.20.0 24
ip ip-prefix deny20 index 20 permit 0.0.0.0 0 less-equal 32
#
# Apply the filter with the filter command
[S3-ospf-100-area-0.0.0.1]di th
#
area 0.0.0.1
filter ip-prefix deny20 import
network 172.16.121.9 0.0.0.0
#
area 0.0.0.2
filter ip-prefix deny10 import
network 172.16.123.9 0.0.0.0
#
[S4-ospf-100-area-0.0.0.1]di th
#
area 0.0.0.1
filter ip-prefix deny20 import
network 172.16.121.9 0.0.0.0
#
area 0.0.0.2
filter ip-prefix deny10 import
network 172.16.123.9 0.0.0.0
#
After the filter is applied, the VPN_A routing table on FW-1 no longer contains a route to 172.16.20.0/24:
Likewise, FW-1's VPN_B routing table contains no route to 172.16.10.0/24:
FW2 shows the same result.
7. OSPF area 0 must not contain type-2 LSAs
# Enter the following command on the interconnect links in OSPF area 0:
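Whether the filter in section 6 actually removes the route depends on how VRP evaluates an ip-prefix list. The following Python code is an added example, not part of the lab: it reimplements the matching rules for the deny10/deny20 lists exactly as configured above and applies them to a constructed set of candidate type-3 prefixes (the summary is taken as 172.0.0.0/8, which is what abr-summary 172.0.0.0 255.0.0.0 configures).

```python
import ipaddress

# ip-prefix entries exactly as configured on S3/S4 in section 6:
# (index, action, prefix, mask_len, greater_equal, less_equal)
PREFIX_LISTS = {
    "deny10": [(10, "deny", "172.16.10.0", 24, None, None),
               (20, "permit", "0.0.0.0", 0, None, 32)],
    "deny20": [(10, "deny", "172.16.20.0", 24, None, None),
               (20, "permit", "0.0.0.0", 0, None, 32)],
}

def entry_matches(entry, route):
    """VRP ip-prefix semantics: the route must lie inside prefix/mask_len and its
    own length must fall in [greater-equal, less-equal]. With neither keyword the
    length must equal mask_len exactly; with only less-equal it is [mask_len, le];
    with only greater-equal it is [ge, 32]."""
    _, _, prefix, mask_len, ge, le = entry
    net = ipaddress.ip_network(f"{prefix}/{mask_len}", strict=False)
    lo = mask_len if ge is None else ge
    hi = le if le is not None else (32 if ge is not None else mask_len)
    return lo <= route.prefixlen <= hi and route.subnet_of(net)

def prefix_list_permits(name, route_str):
    """First matching entry in index order decides; no match means deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in sorted(PREFIX_LISTS[name], key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False

def filter_area_routes(name, routes):
    """What 'filter ip-prefix <name> import' does to the type-3 summaries an ABR
    injects into an area: keep only the prefixes the list permits."""
    return [r for r in routes if prefix_list_permits(name, r)]

if __name__ == "__main__":
    # Constructed sample of summaries an ABR could inject into area 1 (VPN_A side).
    candidates = ["172.16.10.0/24", "172.16.20.0/24", "172.16.20.128/25", "172.0.0.0/8"]
    print(filter_area_routes("deny20", candidates))
```

Note the exact-length deny: a more-specific 172.16.20.128/25 passes deny20 because index 10 matches only a /24, so a list meant to block a whole range needs greater-equal/less-equal on the deny entry as well.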
ospf network-type p2p