CCNP之OSPF实验案例.doc

CCNP之OSPF实验案例实验要求： 1、 总部和分部之间通过帧中继实现互访，协议要求采用OSPF。要求帧中继不能动态获取映射，也不能静态配置映射2、 配置好OSPF协议，验证邻居建立3、 确保整个内网全网可达4、 确保骨干区域高安全性5、 尽量减少网关路由表条目6、 R1、R3、R9性能不足，尽量减少其路由条目7、 确保总部和分部都只通过自己的ISP上网8、 不能出现主机路由实验拓扑： 实验步骤： 1、 帧中继的配置：由于不能配置帧中继动态和静态映射，所以只能采用点对点子接口模式进行配置，在接口下声明自己的DLCI。其中R5的Route-ID是1.1.1.1，R6的Route-ID是2.2.2.2。由于是点对点连接，所以不存在DR和BDR。FR-SW：FR-SW(config)#frame-relay switchingFR-SW(config)#int s0/0FR-SW(config)#no shutFR-SW(config-if)#encapsulation frame-relayFR-SW(config-if)#clock rate 64000FR-SW(config-if)#frame-relay intf-type dceFR-SW(config-if)#frame-relay route 102 int s0/1 201FR-SW(config)#int s0/1FR-SW(config)#no shutFR-SW(config-if)#encapsulation frame-relayFR-SW(config-if)#clock rate 64000FR-SW(config-if)#frame-relay intf-type dceFR-SW(config-if)#frame-relay route 201 int s0/0 102R5：R5(config)#int s2/1R5(config-if)#no shutR5(config-if)#encapsulation frame-relayR5(config)#int s2/1.1 point-to-pointR5(config-subif)#ip add 172.16.10.1 255.255.255.0R5(config-subif)#frame-relay int-dlci 102R5(config-subif)#no frame-relay inverse-arpR6：R6(config)#int s1/1R6(config-if)#no shutR6(config-if)#encapsulation frame-relayR6(config-if)#ip add 172.16.10.2 255.255.255.0R6(config-if)# frame-relay int-dlci 201R6(config-if)#no frame-relay inverse-arp测试帧中继连接情况：FR-SW#show frame-relay rouInput Intf Input Dlci Output Intf Output Dlci Status Serial0/0 102 Serial0/1 201 active Serial0/1 201 Serial0/0 102 active R6#show ip ospf intSerial1/1.1 is up, line protocol is up Internet Address 172.16.10.2/24, Area 0 Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64 Transmit Delay is 1 sec, State POINT_TO_POINT, Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:09 Supports Link-local Signaling (LLS) Index 1/1, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 6 Last flood scan time is 0 msec, maximum is 4 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 1.1.1.1Suppress hello for 0 neighbor(s) R5#show ip os nei detail Neighbor 2.2.2.2, interface address 172.16.10.2 In the area 0 via interface Serial2/1.1Neighbor priority is 0, State is FULL, 12 state changes DR is 0.0.0.0 BDR is 0.0.0.0Options is 0x52 LLS Options is 0x1 (LR) Dead timer due in 00:00:35 Neighbor is up for 00:35:14 Index 2/2, retransmission queue length 0, number of retransmission 3 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) Last retransmission scan length is 1, maximum is 1 Last retransmission scan time is 0 msec, maximum is 0 msec 2、全网启用 OSPF 协议（配置端口 IP 和环回口步骤省略）R1：R1(config)#router ospf 1R1(config-router)#net 172.16.1.1 0.0.0.0 a 1R1(config-router)#net 172.16.2.1 0.0.0.0 a 1R1(config-router)#net 172.16.3.2 0.0.0.0 a 1R1(config-router)#area 1 stub /配置区域 1 为末节路由 R2：R2(config)#router ospf 1R2(config-router)#net 172.16.3.1 0.0.0.0 a 1R2(config-router)#net 172.16.8.2 0.0.0.0 a 0R2(config-router)#area 1 stubR3：R3(config)#router ospf 1R3(config-router)#net 172.16.4.1 0.0.0.0 a 2R3(config-router)#net 172.16.5.1 0.0.0.0 a 2R3(config-router)#net 172.16.6.2 0.0.0.0 a 2R3(config-router)#area 2 stub /配置区域 2 为末节路由 R4：R4(config)#router ospf 1R4(config-router)#net 172.16.6.1 0.0.0.0 a 2R4(config-router)#net 172.16.9.2 0.0.0.0 a 0R4(config-router)#area 2 stubR5：R5(config)#router ospf 1R5(config-router)#net 172.16.8.1 0.0.0.0 a 0R5(config-router)#net 172.16.9.1 0.0.0.0 a 0R5(config-router)#net 172.16.10.1 0.0.0.0 a 0R5(config-router)#default-information originate /启用OSPF默认路由R6：R6(config)#router ospf 1R6(config-router)#net 172.16.10.2 0.0.0.0 a 0R6(config-router)#net 10.1.1.1 0.0.0.0 a 3R6(config-router)#default-information originate /启用OSPF默认路由R7：R7(config)#router ospf 1R7(config-router)#net 10.1.1.2 0.0.0.0 a 3R7(config-router)#net 10.1.2.1 0.0.0.0 a 3R7(config-router)#net 10.1.3.1 0.0.0.0 a 3R8：R8(config)#router ospf 1R8(config-router)#net 10.1.3.2 0.0.0.0 a 3R8(config-router)#net 10.1.4.1 0.0.0.0 a 4R8(config-router)#area 4 stub /配置区域4为末节路由R9：R9(config)#router ospf 1R9(config-router)#net 10.1.4.2 0.0.0.0 a 4R9(config-router)#net 10.1.5.1 0.0.0.0 a 4R9(config-router)#area 4 stub因为不能出现主机路由，所以必须在每个环回口下配置OSPF点对点模式:(config-if)#ip ospf network point-to-point验证末节路由：R1#show ip ospfArea 1Number of interfaces in this area is 3It is a stub areaArea has no authenticationSPF algorithm last executed 01:08:53.436 ago SPF algorithm executed 6 times Area ranges are Number of LSA 8. Checksum Sum 0x048879 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 R3#show ip ospfArea 2 Number of interfaces in this area is 3 It is a stub area Area has no authentication SPF algorithm last executed 01:28:33.156 ago SPF algorithm executed 4 times Area ranges are Number of LSA 8. Checksum Sum 0x04C421 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 R5#show ip ospfArea BACKBONE(0) Number of interfaces in this area is 3 Area has no authentication SPF algorithm last executed 00:46:27.944 ago SPF algorithm executed 21 times Area ranges are Number of LSA 13. Checksum Sum 0x07169E Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 4 Flood list length 0 R9#show ip ospfArea 4 Number of interfaces in this area is 2 It is a stub area Area has no authentication SPF algorithm last executed 00:47:24.176 ago SPF algorithm executed 16 times Area ranges are Number of LSA 8. Checksum Sum 0x041E9E Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 R7#show ip ospfArea 3 Number of interfaces in this area is 3 This area has transit capability Area has no authentication SPF algorithm last executed 00:47:41.596 ago SPF algorithm executed 12 times Area ranges are Number of LSA 14. Checksum Sum 0x0D84E8 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 3、启用OSPF区域汇总：因为R1、R3、R9性能不足，以及为了减少网关的路由条目，所以有必要在每个区域的ABR上进行汇总。R2属于Area 0和Area 1的ABR，R4属于Area 0和Area 2的ABR,R6属于Area 0和Area 3的ABR，R8属于Area 3、Area 4以及Area 0（通过虚链路相连）的ABR。R2(config-router)#area 1 range 172.16.0.0 255.255.252.0R2(config-router)#area 0 range 172.16.8.0 255.255.252.0R4(config-router)#area 2 range 172.16.4.0 255.255.252.0R4(config-router)#area 0 range 172.16.8.0 255.255.252.0R6(config-router)#area 3 range 10.1.0.0 255.255.252.0R6(config-router)#area 0 range 172.16.8.0 255.255.252.0R8(config-router)#area 3 range 10.1.0.0 255.255.252.0R8(config-router)#area 4 range 10.1.4.0 255.255.254.0R8(config-router)#area 0 range 172.16.8.0 255.255.252.0查看末节路由表：R1#show ip route os172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks O IA 172.16.8.0/22 110/2 via 172.16.3.1, 00:47:12, FastEthernet0/0 O IA 172.16.4.0/22 110/4 via 172.16.3.1, 00:44:53, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks O IA 10.1.0.0/22 110/67 via 172.16.3.1, 00:26:21, FastEthernet0/0 O IA 10.1.4.0/23 110/69 via 172.16.3.1, 00:23:28, FastEthernet0/0 O*IA 0.0.0.0/0 110/2 via 172.16.3.1, 00:47:12, FastEthernet0/0 R3#show ip rou os172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks O IA 172.16.8.0/22 110/2 via 172.16.6.1, 00:56:56, FastEthernet0/0 O IA 172.16.0.0/22 110/4 via 172.16.6.1, 00:46:05, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks O IA 10.1.0.0/22 110/67 via 172.16.6.1, 00:27:43, FastEthernet0/0 O IA 10.1.4.0/23 110/69 via 172.16.6.1, 00:24:50, FastEthernet0/0 O*IA 0.0.0.0/0 110/2 via 172.16.6.1, 01:07:33, FastEthernet0/0 R9#show ip route os172.16.0.0/22 is subnetted, 3 subnets O IA 172.16.8.0 110/67 via 10.1.4.1, 00:25:23, FastEthernet0/0 O IA 172.16.4.0 110/69 via 10.1.4.1, 00:25:23, FastEthernet0/0 O IA 172.16.0.0 110/69 via 10.1.4.1, 00:25:23, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks O IA 10.1.0.0/22 110/2 via 10.1.4.1, 00:25:29, FastEthernet0/0 O*IA 0.0.0.0/0 110/2 via 10.1.4.1, 00:25:29, FastEthernet0/0 查看网关路由表：R5#show ip rou os172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks O IA 172.16.4.0/22 110/2 via 172.16.9.2, 00:25:35, FastEthernet1/0 O IA 172.16.0.0/22 110/2 via 172.16.8.2, 00:25:35, FastEthernet0/0 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks O IA 10.1.0.0/22 110/65 via 172.16.10.2, 00:25:35, Serial2/1.1 O IA 10.1.4.0/23 110/67 via 172.16.10.2, 00:25:35, Serial2/1.1 R6#show ip rou os172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks O 172.16.8.0/24 110/65 via 172.16.10.1, 00:26:07, Serial1/1.1 O 172.16.8.0/22 is a summary, 00:26:07, Null0 O 172.16.9.0/24 110/65 via 172.16.10.1, 00:26:07, Serial1/1.1 O IA 172.16.4.0/22 110/66 via 172.16.10.1, 00:26:07, Serial1/1.1 O IA 172.16.0.0/22 110/66 via 172.16.10.1, 00:26:07, Serial1/1.1 10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks O 10.1.3.0/24 110/2 via 10.1.1.2, 00:26:07, FastEthernet0/0 O 10.1.2.0/24 110/2 via 10.1.1.2, 00:26:07, FastEthernet0/0 O 10.1.0.0/22 is a summary, 00:26:07, Null0 O IA 10.1.4.0/23 110/3 via 10.1.1.2, 00:26:07, FastEthernet0/0 由于虚链路的影响，R6和R7无法学到Area 0的汇总路由，只能学到详细路由。4、配置Area 4与Area 0的虚链路由于Area 4与Area 0未直接相连，所以必须依靠虚链路来学习路由，在虚链路两端进行配置(R8的Route-ID设为10.10.10.10)。R6(config-router)#area 3 virtual-link 10.10.10.10R8(config-router)#area 3 virtual-link 2.2.2.2配置虚链路MD5身份验证：R6(config-router)#area 3 virtual-link 10.10.10.10 authentication message-digest message-digest-key 1 md5 ciscoR8(config-router)#area 3 virtual-link 2.2.2.2 authentication message-digest message-digest-key 1 md5 cisco验证虚链路：R6#show ip ospf virtual-linksVirtual Link OSPF_VL0 to router 10.10.10.10 is upRun as demand circuit DoNotAge LSA allowed. Transit area 3, via interface FastEthernet0/0, Cost of using 2 Transmit Delay is 1 sec, State POINT_TO_POINT, Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:01 Adjacency State FULL (Hello suppressed) Index 2/3, retransmission queue length 0, number of retransmission 0 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) Last retransmission scan length is 0, maximum is 0 Last retransmission scan time is 0 msec, maximum is 0 msec Message digest authentication enabled Youngest key id is 1 R8#show ip ospf virVirtual Link OSPF_VL0 to router 2.2.2.2 is upRun as demand circuit DoNotAge LSA allowed. Transit area 3, via interface FastEthernet1/0, Cost of using 2 Transmit Delay is 1 sec, State POINT_TO_POINT, Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:06 Adjacency State FULL (Hello suppressed) Index 1/3, retransmission queue length 0, number of retransmission 0 First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0) Last retransmission scan length is 0, maximum is 0 Last retransmission scan time is 0 msec, maximum is 0 msec Message digest authentication enabled Youngest key id is 1 5、配置OSPF的MD5身份验证在每个启用了OSPF的路由器接口上配置一下命令：ip ospf authentication message-digestip ospf message-digest-key (num) md5 (key-value)6、在总部和分部网关上启用PATR5(config)#access-list 1 permit 172.16.0.0 0.0.15.255R5(config)#ip nat inside source list 1 int s2/0 overloadR5(config)#ip route 0.0.0.0 0.0.0.0 s2/0R5(config)#int s2/0R5(config-if)#ip nat outside在R5的f0/0、f1/0上配置R5(config-if)#ip nat inside查看外网ping通情况：R5#show ip nat trPro Inside global Inside local Outside local Outside global icmp 200.1.1.1:4 172.16.3.2:4 210.1.1.1:4 210