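OSPF Virtual Links
As mentioned in an earlier article, OSPF uses a two-level hierarchy, so every non-backbone area must connect directly to the backbone area. Routers in Area 1 and Area 2 cannot be connected directly to each other. Data transmitted between areas must pass through the backbone area, Area 0.

The virtual link we study today can join a discontiguous Area 0 back together, and it can also connect an area to Area 0 through a transit area.

Virtual links are part of the OSPF open standard, and Cisco IOS software has supported them since release 10.0. A virtual link resembles a standard OSPF adjacency, except that the adjacent routers do not have to be directly connected.

On a virtual link the Hello protocol works the same way as on a standard link: a hello packet is sent every 10 seconds. LSA updates, however, behave differently. LSAs are normally refreshed every 30 minutes, but LSAs learned over a virtual link have the DoNotAge (DNA) option set, so they do not age out. The DNA technique is essential to avoid excessive flooding over the virtual link.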

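Now let's configure an OSPF virtual link. The lab topology is shown below:
[Figure 1 of "Step by Step: A Detailed Analysis of OSPF (Part 4)": lab topology]
Lab environment:
As the figure above shows, Area 2 is separated from Area 0 by Area 1. For Area 2 and Area 0 to communicate, Area 1 must serve as the transit area, with a virtual link built across it.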

The OSPF virtual link configuration command is:
area area-id virtual-link router-id-of-the-other-end
 
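OK, let's get to work!
Basic multi-area OSPF configuration was covered in an earlier article, so the basic steps are omitted here.
After the basic OSPF configuration is complete, R1 and R4 do not learn each other's routes, and PC1 and PC2 cannot communicate.
Check the routing tables of R1 and R4.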
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.1.2, 00:00:11, Serial0/0

R4
r4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.100.0 is directly connected, FastEthernet1/0
     40.0.0.0/24 is subnetted, 1 subnets
C       40.1.1.0 is directly connected, Loopback0
C    192.168.3.0/24 is directly connected, Serial0/0
Since R1 and R4 cannot learn each other's routes, it is inevitable that PC1 and PC2 cannot ping each other.
VPCS 1 >ping 172.16.100.2
host (172.16.100.2) not reachable

To let them communicate, configure a virtual link on R2 and R3 with the following commands:
r2(config-router)#area 1 virtual-link 30.1.1.1
r3(config-router)#area 1 virtual-link 20.1.1.1
 
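With the virtual link configured, check the routing tables of R1 and R4 again. As the output below shows, both R1 and R4 have learned each other's routes.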
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, FastEthernet1/0
O IA    172.16.100.0 [110/193] via 192.168.1.2, 00:01:37, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
O IA    40.1.1.1 [110/193] via 192.168.1.2, 00:01:37, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.1.2, 00:01:37, Serial0/0
O IA 192.168.3.0/24 [110/192] via 192.168.1.2, 00:01:37, Serial0/0
     30.0.0.0/32 is subnetted, 1 subnets
O IA    30.1.1.1 [110/129] via 192.168.1.2, 00:01:37, Serial0/0
 
R4
r4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
O IA    172.16.1.0 [110/193] via 192.168.3.1, 00:01:46, Serial0/0
C       172.16.100.0 is directly connected, FastEthernet1/0
     40.0.0.0/24 is subnetted, 1 subnets
C       40.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O IA    10.1.1.1 [110/193] via 192.168.3.1, 00:01:46, Serial0/0
O IA 192.168.1.0/24 [110/192] via 192.168.3.1, 00:01:46, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.3.1, 00:01:55, Serial0/0
C    192.168.3.0/24 is directly connected, Serial0/0
     30.0.0.0/32 is subnetted, 1 subnets
O IA    30.1.1.1 [110/65] via 192.168.3.1, 00:01:56, Serial0/0
Ping PC2 from PC1. Heh, now they can talk to each other!
VPCS 1 >ping 172.16.100.2
172.16.100.2 icmp_seq=1 time=138.000 ms
172.16.100.2 icmp_seq=2 time=86.000 ms
172.16.100.2 icmp_seq=3 time=110.000 ms
172.16.100.2 icmp_seq=4 time=80.000 ms
172.16.100.2 icmp_seq=5 time=50.000 ms
 
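Let's look at how the OSPF virtual link is running.
The output below shows that the OSPF neighbor and the link to that neighbor are up, along with some other information.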
r2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 30.1.1.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial0/1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
 
In short, the OSPF virtual link is configured successfully and working properly!

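OSPF Authentication
Why use OSPF authentication:
Authenticating neighbor routers prevents a router from accepting forged routing updates. With OSPF neighbor authentication configured, routers take part in routing based on a predefined password.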
 
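Background on OSPF authentication:
Once neighbor authentication is configured on a router, the router authenticates the source of every routing update packet it receives. This is done by exchanging an authentication key (password) known to both the sending and the receiving router.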
 
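By default OSPF uses the null authentication method, meaning that routing information exchanged over the network is not authenticated. OSPF also supports two other authentication methods: simple password authentication (plaintext authentication) and MD5 authentication.
OSPF MD5 authentication includes a non-decreasing sequence number in every OSPF packet to protect against replay attacks.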
 
Today we will configure both of these authentication methods.
 
First, simple authentication:
The configuration commands (in interface configuration mode) are:
ip ospf authentication
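ip ospf authentication-key password
Lab: configuring simple authentication. The lab topology is as follows:
[Figure 2 of "Step by Step: A Detailed Analysis of OSPF (Part 4)": lab topology]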
 
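The configuration is as follows (both routers are in Area 0; single-area OSPF is easy by now, so it is not repeated here):
First, once OSPF is configured, check the routing tables of both routers to see whether they have learned each other's routes.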
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/32 is subnetted, 1 subnets
O       20.1.1.1 [110/65] via 192.168.1.2, 00:00:04, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0

 
 
R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/65] via 192.168.1.1, 00:01:29, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/0
 
As shown above, R1 and R2 have learned each other's routes.
Verify that they can communicate. As shown below, it works!
r1#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/92/268 ms
 
Next, we first configure simple authentication on R1:
r1(config)#int s0/0
r1(config-if)#ip ospf authentication
r1(config-if)#ip ospf authentication-key cisco

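After authentication is configured on R1, check the routing tables of R1 and R2. As shown below, the two routers can no longer learn each other's routes, because authentication was configured only on R1.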
R1
r1#show ip route
*Mar  1 00:06:29.315: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
 
 
R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
 
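For R2 to form an adjacency with R1 and exchange routes, it must also be configured with simple authentication, and the password must be the same.
Now let's configure simple authentication on R2 as well: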
r2(config)#int s0/0
r2(config-if)#ip ospf authentication
r2(config-if)#ip ospf authentication-key cisco
 
With simple authentication correctly configured on both routers, check the routing tables again.
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/32 is subnetted, 1 subnets
O       20.1.1.1 [110/65] via 192.168.1.2, 00:00:51, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
 
 
R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/65] via 192.168.1.1, 00:01:21, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/0
 
OK, simple authentication is configured successfully!
 
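Next we configure MD5 authentication. The lab topology is the same as for simple authentication.
To use OSPF MD5 authentication, a key ID and a key must be configured on each router.
The configuration commands are as follows (again in interface configuration mode):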
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 password
 
MD5 authentication must be configured on both routers; otherwise the behaviour seen above occurs (the two routers cannot communicate).
R1
r1(config)#int s0/0
r1(config-if)#ip ospf authentication message-digest
r1(config-if)#ip ospf message-digest-key 1 md5 cisco
 
R2
r2(config)#int s0/0
r2(config-if)#ip ospf authentication message-digest
r2(config-if)#ip ospf message-digest-key 1 md5 cisco
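
What the message-digest-key 1 md5 cisco lines above make each router do per packet, as an added example (not from the original article) that follows the cryptographic authentication procedure in RFC 2328, Appendix D. The packet body is a constructed stand-in, and 10.1.1.1 as R1's router ID is an assumption based on its loopback address.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPTO, DIGEST_LEN = 2, 16     # AuType 2 = cryptographic authentication

def digest(packet, key):
    # The key is zero-padded to 16 bytes and appended to the packet before hashing.
    return hashlib.md5(packet + key.ljust(16, b"\0")[:16]).digest()

def build_packet(router_id, body, key_id, seq, key):
    """Return an OSPF Hello for area 0 (header + body) with its MD5 digest appended."""
    header = struct.pack(
        "!BBH4s4sHHHBBI",
        2, 1, 24 + len(body),          # version 2, type 1 (Hello), length excludes digest
        ipaddress.IPv4Address(router_id).packed, bytes(4),
        0, AUTYPE_CRYPTO,              # checksum stays 0 when AuType is 2
        0, key_id, DIGEST_LEN, seq)    # auth field: 0, key ID, digest length, sequence
    return header + body + digest(header + body, key)

class Neighbor:
    """Receiver-side state for one neighbor: configured keys and last sequence seen."""
    def __init__(self, keys):
        self.keys, self.last_seq = keys, -1      # keys: {key_id: key bytes}

    def accept(self, wire):
        packet, received = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
        autype, _, key_id, _, seq = struct.unpack("!HHBBI", packet[14:24])
        if autype != AUTYPE_CRYPTO:
            return "reject: authentication type mismatch"
        if key_id not in self.keys:
            return "reject: unknown key ID"
        if seq < self.last_seq:
            return "reject: sequence number went backwards"
        if not hmac.compare_digest(digest(packet, self.keys[key_id]), received):
            return "reject: digest mismatch"
        self.last_seq = seq
        return "accept"

def demo():
    body = b"constructed-hello-body"             # constructed stand-in, not a real Hello body
    r2 = Neighbor({1: b"cisco"})                 # R2's view of R1: key ID 1, key "cisco"
    first = build_packet("10.1.1.1", body, 1, 100, b"cisco")
    return [r2.accept(first),
            r2.accept(build_packet("10.1.1.1", body, 1, 101, b"cisco")),
            r2.accept(first),                    # captured packet sent again
            r2.accept(build_packet("10.1.1.1", body, 1, 102, b"Cisco")),
            r2.accept(build_packet("10.1.1.1", body, 2, 103, b"cisco"))]
```

The last three results in demo() are the replayed packet, a key that differs only in case, and a key ID the receiver does not have configured.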

After MD5 authentication is configured on both routers, R1 and R2 can communicate normally again. To confirm, check the routing tables of both routers.
R1
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/32 is subnetted, 1 subnets
O       20.1.1.1 [110/65] via 192.168.1.2, 00:00:52, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
 
 
R2
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/65] via 192.168.1.1, 00:00:43, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/0
 
Heh, both authentication methods are now working!
 
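After OSPF authentication is configured, the key string is stored in clear text in the router configuration. To keep others from learning the password, use the command service password-encryption to encrypt the clear text and make the password more secure!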
 
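Now that the lab is done, let's summarize what to watch for when configuring authentication:
1. Authentication must be configured on the serial interfaces of both routers;
2. The configured passwords must be identical;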
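
The checks in the list above, plus the stored-key point about service password-encryption, as an added example (not from the original article): a small audit that compares the OSPF authentication settings of both ends of a link. The config text is constructed, and the audit also compares the key ID, which MD5 authentication requires to match on both ends.

```python
import re

KEY_RE = re.compile(
    r"ip ospf (authentication-key|message-digest-key (\d+) md5)(?: ([07]))? (\S+)$")

def ospf_auth(config, interface):
    """Return the OSPF authentication settings of one interface in IOS-style config text."""
    mode, keys, inside = "null", {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = line.split()[1].lower() == interface.lower()
        elif inside and line == "ip ospf authentication":
            mode = "simple"
        elif inside and line == "ip ospf authentication message-digest":
            mode = "md5"
        elif inside and (m := KEY_RE.match(line)):
            kind = "simple" if m.group(1) == "authentication-key" else "md5"
            keys[kind] = (m.group(2), m.group(3) != "7", m.group(4))  # type 7 = obfuscated
    key_id, clear, key = keys.get(mode, (None, False, None))
    return {"mode": mode, "key_id": key_id, "clear": clear, "key": key}

def audit_link(cfg_a, cfg_b, interface):
    """List reasons the two ends would reject each other, plus keys stored in clear."""
    a, b = ospf_auth(cfg_a, interface), ospf_auth(cfg_b, interface)
    findings = []
    if a["mode"] != b["mode"]:
        findings.append(f"authentication type differs: {a['mode']} vs {b['mode']}")
    elif a["mode"] != "null":
        if a["key_id"] != b["key_id"]:
            findings.append(f"key ID differs: {a['key_id']} vs {b['key_id']}")
        if a["key"] is None or b["key"] is None:
            findings.append("authentication enabled but no key configured")
        elif a["clear"] and b["clear"] and a["key"] != b["key"]:
            findings.append("keys differ")   # type 7 strings are not compared
    for name, end in (("A", a), ("B", b)):
        if end["clear"]:
            findings.append(f"router {name}: key is stored in clear text")
    return findings

# Constructed sample configs: R1 as typed in the lab, R2 with a different key ID.
R1_CFG = """interface Serial0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
"""
R2_CFG = """interface Serial0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 cisco
"""
```

Calling audit_link(R1_CFG, R2_CFG, "Serial0/0") reports the key ID mismatch and both clear-text keys. Type 7 strings written by service password-encryption are reversible obfuscation rather than a hash, so the config file itself still needs access control.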