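Lab objective:
The topology is as follows:
Area 10 and Area 30 both belong to company branches (Level-1), while Area 20 belongs to company headquarters (Level-2). The requirement is secure interconnection between headquarters and the branches, and, for the sake of routing performance, the routes should be kept compact.
Lab requirements:
- Configure IS-IS authentication along R4->R1->R6;
- Configure route summarization on R5 and R7;
- At each level, reduce unnecessary LSPs.
Lab configuration:
R1 configuration: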
[R1]int lo0
[R1-LoopBack0]ip add 1.1.1.1 32
[R1-LoopBack0]isis enable
[R1-LoopBack0]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.14.1 24
[R1-GigabitEthernet0/0/0]isis enable
[R1-GigabitEthernet0/0/0]isis circuit-level level-2 //This interface sends only Level-2 Hello messages
[R1-GigabitEthernet0/0/0]isis authentication-mode md5 test520 //Set MD5 authentication on the interface
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.15.1 24
[R1-GigabitEthernet0/0/1]isis enable
[R1-GigabitEthernet0/0/1]isis circuit-level level-2
[R1-GigabitEthernet0/0/1]isis authentication-mode simple test520 //Set plaintext (simple) authentication on the interface
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.16.1 24
[R1-GigabitEthernet0/0/2]isis enable
[R1-GigabitEthernet0/0/2]isis circuit-level level-2
[R1-GigabitEthernet0/0/2]isis authentication-mode keychain yyy //Set the interface to use keychain authentication
[R1]isis
[R1-isis-1]network-entity 20.0000.0000.0001.00
[R1-isis-1]is-name R1 //Set a dynamic hostname
[R1-isis-1]is-level level-2 //Change R1 to a Level-2 router
[R1]keychain yyy mode absolute //The keychain is named yyy and uses absolute time mode
[R1-keychain]receive-tolerance 100 //Receive tolerance of 100 min
[R1-keychain]key-id 1 //Create a new key-id 1
[R1-keychain-keyid-1]algorithm hmac-md5
//Set the key's authentication algorithm to hmac-md5; IS-IS currently supports only this algorithm
[R1-keychain-keyid-1]key-string test520 //The key string is test520
[R1-keychain-keyid-1]send-time utc 00:00 2022-2-18 to 23:59 2022-2-28
//The key's send window runs from 00:00 on 2022-2-18 to 23:59 on 2022-2-28
[R1-keychain-keyid-1]receive-time utc 00:00 2022-2-18 to 23:59 2022-2-28
//The key's receive window runs from 00:00 on 2022-2-18 to 23:59 on 2022-2-28
[R1-keychain-keyid-1]default send-key-id //Mark this key-id as the default send key-id
R4 configuration:
[R4]isis
[R4-isis-1]net 10.0000.0000.0004.00
[R4-isis-1]is-na R4
[R4-isis-1]int lo0
[R4-LoopBack0]ip add 4.4.4.4 32
[R4-LoopBack0]isis en
[R4-LoopBack0]int g0/0/0
[R4-GigabitEthernet0/0/0]ip add 192.168.14.4 24
[R4-GigabitEthernet0/0/0]isis ena
[R4-GigabitEthernet0/0/0]isis circu level-2
[R4-GigabitEthernet0/0/0]isis authentication-mode md5 test520
[R4-GigabitEthernet0/0/0]int g0/0/1
[R4-GigabitEthernet0/0/1]ip add 192.168.24.4 24
[R4-GigabitEthernet0/0/1]isis en
[R4-GigabitEthernet0/0/1]isis circu level-1
[R4-GigabitEthernet0/0/1]int g0/0/2
[R4-GigabitEthernet0/0/2]ip add 192.168.34.4 24
[R4-GigabitEthernet0/0/2]isis en
[R4-GigabitEthernet0/0/2]isis circu level-1
R5 configuration:
[R5]isis
[R5-isis-1]network-entity 20.0000.0000.0002.00
[R5-isis-1]is-level level-2
[R5-isis-1]is-name R5
[R5-isis-1]summary 172.16.0.0 255.255.248.0 level-2
//Route summarization: the summarized route is advertised in Level-2 LSPs
[R5]int lo0
[R5-LoopBack0]ip add 5.5.5.5 32
//The remaining loopback interfaces are not repeated here
[R5-LoopBack0]isis enable
[R5-LoopBack6]int g0/0/1
[R5-GigabitEthernet0/0/1]ip add 192.168.15.5 24
[R5-GigabitEthernet0/0/1]isis enable
[R5-GigabitEthernet0/0/1]isis circuit-level level-2
R6 configuration:
[R6]isis
[R6-isis-1]net 30.0000.0000.0006.00
[R6-isis-1]is-na R6
[R6-isis-1]int lo0
[R6-LoopBack0]ip add 6.6.6.6 32
[R6-LoopBack0]isis en
[R6-LoopBack0]int g0/0/0
[R6-GigabitEthernet0/0/0]ip add 192.168.67.6 24
[R6-GigabitEthernet0/0/0]isis ena
[R6-GigabitEthernet0/0/0]isis circu level-1
[R6-GigabitEthernet0/0/0]int g0/0/2
[R6-GigabitEthernet0/0/2]ip add 192.168.16.6 24
[R6-GigabitEthernet0/0/2]isis en
[R6-GigabitEthernet0/0/2]isis circu level-2
[R6-GigabitEthernet0/0/2]isis authentication-mode keychain ljw
[R6]keychain ljw mode absolute
[R6-keychain]receive-tolerance 100
[R6-keychain]key-id 1
[R6-keychain-keyid-1]algorithm hmac-md5
[R6-keychain-keyid-1]key-string test520
[R6-keychain-keyid-1]send-time utc 00:00 2022-2-18 to 23:59 2022-2-28
[R6-keychain-keyid-1]receive-time utc 00:00 2022-2-18 to 23:59 2022-2-28
[R6-keychain-keyid-1]default send-key-id
R7 configuration:
[R7]isis
[R7-isis-1]net 30.0000.0000.0007.00
[R7-isis-1]is-na R7
[R7-isis-1]is-le level-1
[R7-isis-1]summary 10.10.0.0 255.255.248.0 level-1
//Route summarization: the summarized route is advertised in Level-1 LSPs
[R7-isis-1]int lo0
[R7-LoopBack0]ip add 7.7.7.7 32
//The remaining loopback interfaces are not repeated here
[R7-LoopBack0]isis en
[R7-LoopBack5]int g0/0/0
[R7-GigabitEthernet0/0/0]ip add 192.168.67.7 24
[R7-GigabitEthernet0/0/0]isis ena
[R7-GigabitEthernet0/0/0]isis circu level-1
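Lab results:
Check the routing table on R1: it can be seen that the routing table has been simplified.
Check whether authentication on R1 succeeded: it can be seen that all are in the up state.
Check the keychain
Check the LSDB on R1, R4 and R6
Lab summary:
When using keychain authentication in IS-IS, be sure to use the hmac-md5 algorithm; IS-IS currently supports only this one, and in testing the other algorithms consistently failed to authenticate. When summarizing at Level-1, be sure to declare the summary with level-1 so that it is carried in Level-1 LSPs; otherwise the summary may have no effect. Overall, IS-IS has similarities with OSPF but also its own characteristics. Its fast-convergence design gives it a slight edge over OSPF.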
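The three interface authentication modes configured on R1 above (md5, simple, and keychain with hmac-md5) differ in what ends up inside the Hello PDU. The sketch below is an added example, not part of the original lab; it assumes the md5 and hmac-md5 modes follow RFC 5304 (authentication TLV 10, type 54), uses a constructed, simplified Level-2 Hello, and its function names are made up for illustration.

```python
import hashlib
import hmac

AUTH_TLV, SIMPLE, HMAC_MD5 = 10, 1, 54   # TLV type and auth types (RFC 5304)

def walk_tlvs(packet: bytes):
    """Yield (offset, type, value) for each TLV after the fixed header."""
    off = packet[1]                       # byte 1 = header length indicator
    while off + 2 <= len(packet):
        tlv_type, length = packet[off], packet[off + 1]
        yield off, tlv_type, packet[off + 2: off + 2 + length]
        off += 2 + length

def add_auth(pdu: bytes, mode: int, key: bytes) -> bytes:
    """Sender side: append the authentication TLV for the given mode."""
    if mode == SIMPLE:                    # the password travels as-is
        return pdu + bytes([AUTH_TLV, 1 + len(key), SIMPLE]) + key
    zeroed = pdu + bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16)
    digest = hmac.new(key, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + digest          # digest replaces the zeroed field

def check_auth(packet: bytes, mode: int, key: bytes) -> bool:
    """Receiver side: accept only a TLV of the configured mode and key."""
    for off, tlv_type, val in walk_tlvs(packet):
        if tlv_type != AUTH_TLV or not val or val[0] != mode:
            continue
        if mode == SIMPLE:
            return hmac.compare_digest(val[1:], key)
        if len(val) == 17:                # recompute over the zeroed PDU
            zeroed = packet[:off + 3] + bytes(16) + packet[off + 19:]
            want = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(val[1:], want)
    return False                          # missing or mismatched auth TLV

def leaks_key(packet: bytes, key: bytes) -> bool:
    """True if a passive observer on the link can read the key in the PDU."""
    return key in packet

# Constructed sample: 27-byte LAN Level-2 Hello header plus an Area Address
# TLV. The PDU-length field is left at zero; a real sender fills it in first.
HELLO = bytes([0x83, 27, 1, 0, 16, 1, 0, 0]) + bytes(19) + bytes([1, 2, 1, 0x20])
KEY = b"test520"                          # key string used in the lab config
```

In simple mode the key string is readable on the link and a modified Hello still passes the check; with HMAC-MD5 neither holds, and a mode mismatch between neighbors fails the check in both directions.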