实验拓扑
这是我的实验拓扑以及它的地址划分情况
实验要求
1.R4为ISP,其上只能配置IP地址;R4与其他的所有直连设备间使用公有IP
2R3—R5/6/7为MGRE环境,R3为中心站点
3.整个OSPF环境IP地址为192.16.0.0/16
4.所有设备均可以访问R4的环回
5.减少LSA的更新量,加快收敛,保障使用安全
6.全网可达
实验内容
实验思路:
1、子网划分
a)按照区域(6个)划分
b)区域内自由划分
2、配置–IP地址
3、缺省路由+NAT
4、MGRE环境配置
5、OSPF协议
6、重发步
7、域间路由汇总、域外路由汇总
8、空接口防环路由
9、特殊区域
10、更改hello时间
11、OSPF认证
12、测试全网可达
实验开始
首先,开始给每个路由器上配置IP地址
R1
r1]int lo0
[r1-LoopBack0]ip add 192.16.8.1 21
[r1-LoopBack0]int g0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.16.0.1 21
R2
[Huawei]sys r2
[r2]int lo0
[r2-LoopBack0]ip add 192.16.16.1 21
[r2-LoopBack0]int g0/0/0
[r2-GigabitEthernet0/0/0]ip add 192.16.0.2 21
R3上
interface GigabitEthernet0/0/0
ip address 192.16.0.3 255.255.248.0
#
interface GigabitEthernet0/0/1
ip address 192.16.36.1 255.255.252.0
nat outbound 2000
#
interface GigabitEthernet0/0/2
interface LoopBack0
ip address 192.16.24.1 255.255.248.0
R4上
interface GigabitEthernet0/0/0
ip address 192.16.36.2 255.255.252.0
#
interface GigabitEthernet0/0/1
ip address 192.16.48.1 255.255.252.0
#
interface GigabitEthernet0/0/2
ip address 192.16.40.1 255.255.252.0
#
interface GigabitEthernet4/0/0
ip address 192.16.44.1 255.255.252.0
#
interface GigabitEthernet4/0/1
#
interface GigabitEthernet4/0/2
#
interface GigabitEthernet4/0/3
interface LoopBack0
ip address 192.16.52.1 255.255.252.0
R5上
interface GigabitEthernet0/0/0
ip address 192.16.40.2 255.255.252.0
nat outbound 2000
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.56.1 255.255.252.0
R6上
interface GigabitEthernet0/0/0
ip address 192.16.44.2 255.255.252.0
#
interface GigabitEthernet0/0/1
ip address 192.16.136.1 255.255.248.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.60.1 255.255.252.0
R7
interface GigabitEthernet0/0/0
ip address 192.16.48.2 255.255.252.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.64.1 255.255.252.0
R8上
interface GigabitEthernet0/0/0
ip address 192.16.64.2 255.255.248.0
#
interface GigabitEthernet0/0/1
ip address 192.16.72.1 255.255.248.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.80.1 255.255.248.0
R9
interface GigabitEthernet0/0/0
ip address 192.16.72.2 255.255.248.0
#
interface GigabitEthernet0/0/1
ip address 192.16.96.1 255.255.248.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.104.1 255.255.248.0
R10
#
interface GigabitEthernet0/0/0
ip address 192.16.96.2 255.255.248.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.112.1 255.255.248.0
R11
#
interface GigabitEthernet0/0/0
ip address 192.16.136.2 255.255.248.0
#
interface GigabitEthernet0/0/1
ip address 192.16.144.1 255.255.248.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.152.1 255.255.248.0
R12
interface GigabitEthernet0/0/0
ip address 192.16.144.2 255.255.248.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
ip address 192.16.160.1 255.255.240.0
#
interface LoopBack1
ip address 192.16.176.1 255.255.240.0
接着就是写缺省和写nat
在R1/2/3/5/6/7/8/9/10/11/12上写指向公网R4的缺省
以及在R3/5/6/7上写nat进行地址间的转换
R1上
ip route-static 0.0.0.0 0.0.0.0 192.16.0.3
R2
ip route-static 0.0.0.0 0.0.0.0 192.16.0.3
R3
ip route-static 0.0.0.0 0 192.16.36.2
R5上
ip route-static 0.0.0.0 0 192.16.40.1
R9
ip route-static 0.0.0.0 0.0.0.0 192.16.72.1
R10
ip route-static 0.0.0.0 0.0.0.0 192.16.96.1
R11
ip route-static 0.0.0.0 0.0.0.0 192.16.136.1
其他的都相同,找准下一跳即可
在写策略nat
R3
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source any
interface GigabitEthernet0/0/1
nat outbound 2000
R5
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source any
interface GigabitEthernet0/0/0
nat outbound 2000
R6
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source any
interface GigabitEthernet0/0/0
nat outbound 2000
R7
[r3]acl 2000
[r3-acl-basic-2000]rule 1 permit source any
interface GigabitEthernet0/0/0
nat outbound 2000
配置MGRE环境
在中心R3上
#
interface Tunnel0/0/0
ip address 10.1.1.1 255.255.255.0
tunnel-protocol gre p2mp
source 192.16.36.1
ospf network-type broadcast
nhrp entry multicast dynamic
nhrp network-id 100
#
R5
#
interface Tunnel0/0/0
ip address 10.1.1.5 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
ospf network-type broadcast
nhrp network-id 100
nhrp entry 10.1.1.1 192.16.36.1 register
R6
#
interface Tunnel0/0/0
ip address 10.1.1.6 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
ospf network-type broadcast
nhrp network-id 100
nhrp entry 10.1.1.1 192.16.36.1 register
#
R7
#
interface Tunnel0/0/0
ip address 10.1.1.7 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/0
ospf network-type broadcast
nhrp network-id 100
nhrp entry 10.1.1.1 192.16.36.1 register
#
可以简单的测试一下所建立的隧道通不通
用10.1.1.1 ping 10.1.1.7
[r3]ping 10.1.1.7
PING 10.1.1.7: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.7: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.1.1.7: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 10.1.1.7: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 10.1.1.7: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 10.1.1.7: bytes=56 Sequence=5 ttl=255 time=30 ms
--- 10.1.1.7 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/32/50 ms
可以发现隧道是通的。
接着开始启用OSPF协议,以及R12两个环回所在的Rip协议
R1
#
ospf 1 router-id 1.1.1.1
area 0.0.0.1
network 192.16.0.0 0.0.255.255
#
R2
#
ospf 1 router-id 2.2.2.2
area 0.0.0.1
network 192.16.0.0 0.0.255.255
#
R3
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 10.1.1.0 0.0.0.255
area 0.0.0.1
network 192.16.0.3 0.0.0.0
network 192.16.24.1 0.0.0.0
#
R5上
#
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.16.56.1 0.0.0.0
#
R6
#
ospf 1 router-id 6.6.6.6
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.16.60.1 0.0.0.0
area 0.0.0.2
abr-summary 192.16.128.0 255.255.224.0
network 192.16.136.1 0.0.0.0
#
R7
#
ospf 1 router-id 7.7.7.7
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.16.64.0 0.0.0.255
area 0.0.0.3
network 192.16.64.1 0.0.0.0
#
R8
#
ospf 1 router-id 8.8.8.8
area 0.0.0.3
network 192.16.0.0 0.0.255.255
#
R9
#
ospf 1 router-id 9.9.9.9
area 0.0.0.3
network 192.16.72.2 0.0.0.0
[r9]ospf 2
[r9-ospf-2]net
[r9-ospf-2]a
[r9-ospf-2]area 0
[r9-ospf-2-area-0.0.0.0]net
[r9-ospf-2-area-0.0.0.0]network 192.16.104.1 0.0.0.0
[r9-ospf-2-area-0.0.0.0]net
[r9-ospf-2-area-0.0.0.0]network 192.16.96.1 0.0.0.0
#
R10
[r10]ospf 2 router-id 10.10.10.10
[r10-ospf-2]area 0
[r10-ospf-2-area-0.0.0.0]net
[r10-ospf-2-area-0.0.0.0]network 192.16.0.0 0.0.255.255
R11
#
ospf 1 router-id 11.11.11.11
area 0.0.0.2
network 192.16.0.0 0.0.255.255
#
R12
ospf 1
asbr-summary 192.16.160.0 255.255.224.0
import-route rip 1
area 0.0.0.2
network 192.16.144.2 0.0.0.0
#
rip 1
version 2
network 192.16.160.0
network 192.16.176.0
#
进行重发布
R9上
[r9]ospf 1
[r9-ospf-1]net
[r9-ospf-1]imp
[r9-ospf-1]import-route ospf 2
[r9]ospf 2
[r9-ospf-2]import-route ospf 1
R12上
[r12]ospf 1
[r12-ospf-1]imp
[r12-ospf-1]import-route rip 1
[r12-ospf-1]rip 1
[r12-rip-1]imp
[r12-rip-1]import-route ospf 1
可以查看R11的路由表
[r11]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 17 Routes : 17
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 192.16.136.1 GigabitEthernet
0/0/0
10.1.1.0/24 OSPF 10 1563 D 192.16.136.1 GigabitEthernet
0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.16.60.1/32 OSPF 10 1 D 192.16.136.1 GigabitEthernet
0/0/0
192.16.136.0/21 Direct 0 0 D 192.16.136.2 GigabitEthernet
0/0/0
192.16.136.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
192.16.143.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
192.16.144.0/21 Direct 0 0 D 192.16.144.1 GigabitEthernet
0/0/1
192.16.144.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
192.16.151.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
192.16.152.0/21 Direct 0 0 D 192.16.152.1 LoopBack0
192.16.152.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
192.16.159.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
192.16.160.0/19 O_ASE 150 2 D 192.16.144.2 GigabitEthernet
0/0/1
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
发现Rip协议成功发布进去了
然后进行域间路由和域外路由进行汇总
R3上
area 0.0.0.1
abr-summary 192.16.0.0 255.255.224.0
R6上
area 0.0.0.2
abr-summary 192.16.128.0 255.255.224.0
R7上
area 0.0.0.3
abr-summary 192.16.64.0 255.255.224.0
一般的汇总都做在ABR,ASBR上。
做了汇总,可能会出现路由黑洞,我们则需要做空接口防环路由
R3上
ip route-static 192.16.0.0 255.255.224.0 NULL0
R6
ip route-static 192.16.128.0 255.255.224.0 NULL0
R7
ip route-static 192.16.64.0 255.255.224.0 NULL0
然后就是做特殊区域
首先我们要观察,哪些可以被作为特殊区域
Area1可以作为末梢区域
Area3和Area2可以作为nssa区域
做特殊区域的作用是减少LSA的更新量
R3
[r3]ospf 1
[r3-ospf-1]ar
[r3-ospf-1]area 1
[r3-ospf-1-area-0.0.0.1]stub no-summary
R1和R2
[r1]ospf 1
[r1-ospf-1]area 1
[r1-ospf-1-area-0.0.0.1]stub
[r2]ospf 1
[r2-ospf-1]area 1
[r2-ospf-1-area-0.0.0.1]stub
这里演示做nssa区域的Area3
R7
[r7]ospf 1
[r7-ospf-1]a
[r7-ospf-1]area 3
[r7-ospf-1-area-0.0.0.3]nssa
[r7-ospf-1-area-0.0.0.3]nssa no-summary
R8
[r8]ospf 1
[r8-ospf-1]ar
[r8-ospf-1]area 3
[r8-ospf-1-area-0.0.0.3]nssa
R9
[r9-ospf-1]area 3
[r9-ospf-1-area-0.0.0.3]n
[r9-ospf-1-area-0.0.0.3]nssa
接着就是加快收敛
更改hello时间
AR3
[r3]int t0/0/0
[r3-Tunnel0/0/0]ospf timer hello 10
AR5
[r5]int t0/0/0
[r5-Tunnel0/0/0]ospf timer hello 10
AR6
[r6]int t0/0/0
[r6-Tunnel0/0/0]ospf timer hello 10
AR7
[r7]int t0/0/0
[r7-Tunnel0/0/0]ospf timer hello 10
接着在区域内做认证,保障更新安全
在R1上
[r1]ospf 1
[r1-ospf-1]ar 1
[r1-ospf-1-area-0.0.0.1]au
[r1-ospf-1-area-0.0.0.1]authentication-mode ?
hmac-md5 Use HMAC-MD5 algorithm
keychain Keychain authentication mode
md5 Use MD5 algorithm
simple Simple authentication mode
[r1-ospf-1-area-0.0.0.1]authentication-mode md5 ?
INTEGER<1-255> Key ID
<cr> Please press ENTER to execute command
[r1-ospf-1-area-0.0.0.1]authentication-mode md5 1 ?
STRING<1-255>/<20-392> The password (key)
cipher Encryption type (Cryptogram)
plain Encryption type (Plain text)
[r1-ospf-1-area-0.0.0.1]authentication-mode md5 1 ci
[r1-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher 12345
R2
[r2]ospf 1
[r2-ospf-1]a 1
[r2-ospf-1-area-0.0.0.1]au
[r2-ospf-1-area-0.0.0.1]authentication-mode md5 1 ci
[r2-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher 12345
R3
[r2]ospf 1
[r2-ospf-1]a 1
[r2-ospf-1-area-0.0.0.1]au
[r2-ospf-1-area-0.0.0.1]authentication-mode md5 1 ci
[r2-ospf-1-area-0.0.0.1]authentication-mode md5 1 cipher 12345
然后进行简单的测试是否全网可达
用R1pingR4的环回
[r1]ping 192.16.52.1
PING 192.16.52.1: 56 data bytes, press CTRL_C to break
Reply from 192.16.52.1: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 192.16.52.1: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 192.16.52.1: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 192.16.52.1: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 192.16.52.1: bytes=56 Sequence=5 ttl=254 time=50 ms
--- 192.16.52.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/50/60 ms
<r12>ping 192.16.52.1
PING 192.16.52.1: 56 data bytes, press CTRL_C to break
Reply from 192.16.52.1: bytes=56 Sequence=1 ttl=253 time=60 ms
Reply from 192.16.52.1: bytes=56 Sequence=2 ttl=253 time=20 ms
Reply from 192.16.52.1: bytes=56 Sequence=3 ttl=253 time=30 ms
Reply from 192.16.52.1: bytes=56 Sequence=4 ttl=253 time=40 ms
Reply from 192.16.52.1: bytes=56 Sequence=5 ttl=253 time=30 ms
--- 192.16.52.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/60 ms
实验结束。
2861
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
