在本案例学习的实验中,我们将模拟真实的JNCIP考试场景。并且,通过把上述的核心知识点整合在Juniper和Cisco设备的混合网络环境当中,应用你已经掌握的JUNOS和IOS的知识,能够在多厂家互联的网络环境中游刃有余的控制OPSF路由协议及各种策略。对于JNCIx备考人员来说,除了考试的难度以及陷阱以外,对配置的熟练性同时也是一大挑战之一。我们会把在前面的实验当中除接口配置以外所有的协议,策略以及跟踪调试配置删除,从头开始对案例需求的配置。完成本案例分析后,你应该进行计时训练,本实验计划达到的目标为在一个小时内完成全部配置。
实验目标
- 所有OSPF路由器使用环回接口地址作为RID,并且均能通过OSPF被其他路由器访问;
- 骨干区域内的环回接口地址应当以LSA-3的形式出现在非骨干区域内;
- R1/R2之间的10.0.5/24网段路由以外部路由的形式在区域0出现;
- 将10.0.5/24路由的初始Metric设置为10,贴上420标签。
同时所有OSPF会根据内部开销自动调节该路由在本地的Metric值; - 保证R1不会产生Network LSA(LSA-2);
- 区域0.0.0.1内不会出现LSA-3或者LSA-5;
- 区域0使用MD5加密认证,密码为“jnx”;
- 汇总所有的非骨干区域路由进入骨干区域,包括内部路由以及外部路由;
- 汇总来自RIP路由器的192.168.x/24路由,但不能修改该路由器上的配置;
- R6/R7必须将10.0.5/24路由通告给RIP路由器,同时R7上通告的RIP路由Metric应大于R6上的通告;
- 172.16.40/24网段以OSPF内部路由形式出现,该子网上不存在OSPF邻接;
- 除R5外,保证RIP路由器与10.0.5/24网段间通讯不会因为单点失效而中断;
- 基于带宽优化路由选择:保证所有快速以太网接口被自动分配Metric值为10,另外你需要手动调节Metric使R5到区域1的内部网段实现负载均衡;
- 不允许使用静态路由;
- RIP路由器能使用最优路径到达10.0.5/24网段;
后台JUNOS设备RIP路由器配置
与真实考试相同,后台设备RIP路由器预配置用于配合你的实验效果,因此,案例中你根据下面配置设置好后台设备以后,不应该再登录到RIP路由器上修改相关配置。
[edit logical-routers rip] [email protected]# show protocols rip group rip { export rip; neighbor fxp2.60; neighbor fxp2.70; } [edit logical-routers rip] [email protected]# show policy-options policy-statement rip term 1 { from protocol [ rip static ]; then accept; } [edit logical-routers rip] nigel@junos7.2# show interfaces lo0 unit 8 { family inet { address 192.168.0.1/32; address 192.168.1.1/32; address 192.168.2.1/32; address 192.168.3.1/32; address 192.168.4.1/32; } } [edit logical-routers rip] nigel@junos7.2# show routing-options static { route 192.168.0.0/24 receive; route 192.168.1.0/24 receive; route 192.168.2.0/24 receive; route 192.168.3.0/24 receive; route 192.168.4.0/24 receive; }JNCIP OSPF综合实验案例分析
我们将根据实验目标步骤,分成各部分并逐步实现与检测相关需求,对于明显需要在多个路由器上应用的类似配置,我们会使用高亮字体标出,同时应当被实现在全部关联路由器上。假如你在实验的过程中发现网络现象与我们的验证结果不符,可参照末尾附录的全部路由器的案例相关配置,核查是否在某些路由器上忽略了必要的配置。另外,为了得到更好的验证效果,在开始前我们先按照拓扑上的区域划分将路由器的接口在OSPF内发布。需要注意的是在JUNOS与IOS互联的时候由于百兆fxp接口默认MTU为 1496 bytes,与IOS上快速以太网接口默认的 1500 bytes不匹配,在建立OSPF邻居的时候会停留在Exchange/ExStart的状态,因此我们需要在IOS路由器上将与JUNOS相连的接口MUT值修改为与其匹配的1496 bytes。1. JUNOS与IOS OSPF路由协议互联
- 所有OSPF路由器使用环回接口地址作为RID,并且均能通过OSPF被其他路由器访问;
- 骨干区域内的环回接口地址应当以LSA-3的形式出现在非骨干区域内;
通过手动设置骨干区域ABR �C R3/R4/R5的RID,并且明确将其在OSPF区域0内通告满足以上需求。[edit logical-routers r5] [email protected]# show routing-options router-id 10.0.3.5; [edit logical-routers r5] [email protected]# show protocols ospf area 0.0.0.0 { interface lo0.5 { passive; } interface fxp2.45; interface fxp2.35; } area 0.0.0.20 { interface fxp1.56; interface fxp1.57; }r4#wr t ! interface Loopback0 ip address 10.0.3.4 255.255.255.255 ! interface FastEthernet0/0 no ip address duplex auto speed auto ! interface FastEthernet0/0.24 encapsulation dot1Q 24 ip address 10.0.4.9 255.255.255.252 ip mtu 1496 ! interface FastEthernet0/0.34 encapsulation dot1Q 34 ip address 10.0.2.6 255.255.255.252 ip mtu 1496 ! interface FastEthernet0/0.45 encapsulation dot1Q 45 ip address 10.0.2.10 255.255.255.252 ip mtu 1496 ! ! router ospf 64 router-id 10.0.3.4 log-adjacency-changes network 10.0.2.4 0.0.0.3 area 0 network 10.0.2.8 0.0.0.3 area 0 network 10.0.3.4 0.0.0.0 area 0 network 10.0.4.8 0.0.0.3 area 1 !分别在JUNOS与IOS上确认OSPF邻居达到FULL状态,可以注意到JUNOS默认选举DR的优先级为 128,而IOS为 1;[email protected]# run show ospf neighbor logical-router r5 Address Interface State ID Pri Dead 10.0.2.2 fxp2.35 Full 10.0.3.3 128 38 10.0.2.10 fxp2.45 Full 10.0.3.4 1 35 10.0.8.5 fxp1.56 Full 10.0.9.6 128 36 10.0.8.10 fxp1.57 Full 10.0.9.7 1 32r4#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.0.3.3 128 FULL/BDR 00:00:34 10.0.2.5 Fa0/0.34 10.0.3.5 128 FULL/DR 00:00:36 10.0.2.9 Fa0/0.45 10.0.6.2 128 FULL/BDR 00:00:39 10.0.4.10 Fa0/0.24*注:由于篇幅所限,我将 FastEthernet缩写为 Fa并且查看R6/R7数据库,确认全部骨干区域的环回接口地址均以LSA-3的形式被注入区域20,并且确认数据库内LSA-3完全同步。[email protected]# run show ospf database logical-router r6 netsummary | match summary Summary 10.0.2.0 10.0.3.5 0x8000000d 571 0x2 0x2510 28 Summary 10.0.2.4 10.0.3.5 0x8000000b 529 0x2 0xb27 28 Summary 10.0.2.8 10.0.3.5 0x80000011 399 0x2 0xcc5c 28 Summary 10.0.3.3 10.0.3.5 0x80000007 271 0x2 0x1a1a 28 Summary 10.0.3.4 10.0.3.5 0x80000009 229 0x2 0x161a 28 Summary 10.0.3.5 10.0.3.5 0x8000000a 99 0x2 0xf53a 28 Summary 10.0.4.0 10.0.3.5 0x80000006 2329 0x2 0x2712 28 Summary 10.0.4.4 10.0.3.5 0x80000006 2199 0x2 0x92b 28 Summary 10.0.4.8 10.0.3.5 0x80000008 1429 0x2 0xdc51 28 Summary 10.0.4.12 10.0.3.5 0x80000006 2071 0x2 0xae7e 28 Summary 10.0.6.1 10.0.3.5 0x80000006 2029 0x2 0x191a 28 Summary 10.0.6.2 10.0.3.5 0x80000006 1299 0x2 0xf23 28r7#show ip ospf database summary | include summary Link State ID: 10.0.2.0 (summary Network Number) Link State ID: 10.0.2.4 (summary Network Number) Link State ID: 10.0.2.8 (summary Network Number) Link State ID: 10.0.3.3 (summary Network Number) Link State ID: 10.0.3.4 (summary Network Number) Link State ID: 10.0.3.5 (summary Network Number) Link State ID: 10.0.4.0 (summary Network Number) Link State ID: 10.0.4.4 (summary Network Number) Link State ID: 10.0.4.8 (summary Network Number) Link State ID: 10.0.4.12 (summary Network Number) Link State ID: 10.0.6.1 (summary Network Number) Link State ID: 10.0.6.2 (summary Network NumberJUNOS与IOS OSPF路由策略及数据库信息交互
- R1/R2之间的10.0.5/24网段路由以外部路由的形式在区域0出现;
- 将10.0.5/24路由的初始Metric设置为10,贴上420标签,同时所有OSPF会根据内部开销自动调节该路由在本地的Metric值;
- 保证R1不会产生Network LSA(LSA-2);
通过在R1/R2上设置OSPF导出策略,指定初始化Metric,标签,并且将其外部路由类型设置为类型1,以便在路由转发的过程中通过累链路开销而自动调节Metric值。我们很容易的使他们的直连网段10.0.5/24以外部路由的形式进入骨干区域。因为该网段直接从直连路由注入OSPF,我们没有必要将该接口在区域1内通告。另外,将R1上所有OSPF接口的优先级设置为0,强迫其退出DR/BDR选举,因此R1将不会产生只能由DR/BDR通告的LSA-2。[email protected]# show r1 protocols ospf export external; area 0.0.0.1 { interface lo0.1; interface fxp1.13 { priority 0; } interface fxp1.12 { priority 0; } } [edit logical-routers] [email protected]# show r1 policy-options policy-statement external { term 1 { from { protocol direct; route-filter 10.0.5.0/24 exact; } then { metric 10; tag 420; external { type 1; } accept; } } term 2 { then reject; } }查看R1接口状态,我们可以确认R1退出OSPF的DR/BDR选举,而其状态显示为DRother。[email protected]# run show ospf interface logical-router r1 Interface State Area DR ID BDR ID Nbrs fxp1.12 DRother 0.0.0.1 10.0.6.2 0.0.0.0 1 fxp1.13 DRother 0.0.0.1 10.0.3.3 0.0.0.0 1 lo0.1 DR 0.0.0.1 10.0.6.1 0.0.0.0 0继续查看R4/R5的OSPF数据库,验证通过 external策略设置的10.0.5/24外部路由的各项属性,包括LSA类型,外部路由类型,初始化Metric以及Tag,均能够被JUNOS以及IOS的OSPF数据库识别。并查看路由表进一步确认该路由的Metric值在初始为10的基础上被不断累加。留意在JUNOS的OSPF数据库中Tag使用IP分段格式显示,0.0.1.164 = 256+164,得出结果同样为420。[email protected]# run show ospf database logical-router r5 extern advertising-router 10.0.6.1 detail OSPF AS SCOPE link state database Type ID Adv Rtr Seq Age Opt Cksum Len Extern 10.0.5.0 10.0.6.1 0x80000002 2565 0x2 0x2260 36 mask 255.255.255.0 Type 1, TOS 0x0, metric 10, fwd addr 0.0.0.0, tag 0.0.1.164r4#show ip ospf database external 10.0.5.0 adv-router 10.0.6.1 OSPF Router with ID (10.0.3.4) (Process ID 64) Type-5 AS External Link States LS age: 2230 Options: (No TOS-capability, No DC) LS Type: AS External Link Link State ID: 10.0.5.0 (External Network Number ) Advertising Router: 10.0.6.1 LS Seq Number: 80000002 Checksum: 0x2260 Length: 36 Network Mask: /24 Metric Type: 1 (Comparable directly to link state metric) TOS: 0 Metric: 10 Forward Address: 0.0.0.0 External Route Tag: 420[email protected]# run show route logical-router r5 10.0.5/24 inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.5.0/24 *[OSPF/150] 00:15:30, metric 12, tag 420 > to 10.0.2.2 via fxp2.35 to 10.0.2.10 via fxp2.45r4#sh ip route ospf 10.0.0.0/8 is variably subnetted, 18 subnets,3 masks <!-- Output omitted --> O E1 10.0.5.0/24 [110/20] via 10.0.4.10, 00:00:01, FastEthernet0/0.24查看两者的路由表可以确认Metric在初始为10的基础上被不断累加。有趣的地方在于IOS对于OSPF的外部路由与内部路由在管理距离上并没有区分,均为110;而JUNOS则对OSPF的内部路由与外部路由分别设置了不同的Preference 10与150。尽管如此,IOS的路由表内通过“O E1”标识出该路由为类型1的外部路由,同时虽然采用相同的管理距离,IOS内部的选路机制也存在针对域内、域间、域外路由的优先区分。对于不习惯看Preference的工程师来说这种标识更为明确。而其实JUNOS也提供类似的输出命令,个人觉得还是IOS更为直观,习惯问题。人必有痴,而后有成。[email protected]# run show ospf route extern logical-router r5 Prefix Path Route NH Metric NextHop Nexthop Type Type Type Interface addr/label 10.0.5.0/24 Ext1 Network IP 12 fxp2.35 10.0.2.2 area 0.0.0.0, origin 10.0.6.2相应的,对于上面在R1/R2将直连网段注入OSPF并且设置相关路由属性信息的策略,在IOS上也能够得到反映。我们在R4上新增测试接口fa0/0.47,将该测试接口的IP网段172.16.47.0/30使用相同的属性注入OSPF。r4#wr t ! router ospf 64 router-id 10.0.3.4 log-adjacency-changes redistribute connected subnets route-map external network 10.0.2.4 0.0.0.3 area 0 network 10.0.2.8 0.0.0.3 area 0 network 10.0.3.4 0.0.0.0 area 0 network 10.0.4.8 0.0.0.3 area 1 ! access-list 1 permit 172.16.47.0 0.0.0.3 ! route-map external permit 10 match ip address 1 set metric 10 set metric-type type-1 set tag 420 !LSA进入JUNOS的OSPF数据库中,同样的属性也能够被显示出来。相比较而言,似乎JUNOS的Policy设置更为简便,无需先制定 access-list后再绑定到 route-map里面去。而实际上是JUNOS的 route-filter机制带来简便的体验,假如无需对特定的路由进行过滤,IOS可以直接使用redistribute命令捆绑相关注入路由属性:Metric值,Metric类型,tag等而无需引用 route-map。[email protected]# run show ospf database logical-router r5 lsa-id 172.16.47.0 detail OSPF AS SCOPE link state database Type ID Adv Rtr Seq Age Opt Cksum Len Extern 172.16.47.0 10.0.3.4 0x80000001 31 0x2 0x7e0d 36 mask 255.255.255.252 Type 1, TOS 0x0, metric 10, fwd addr 0.0.0.0, tag 0.0.1.164. JUNOS与IOS OSPF NSSA设置及区域认证:
- 区域0.0.0.1内不会出现LSA-3或者LSA-5;
- 区域0.0.0.0使用MD5加密认证,密码为“jnx”;
根据区域1对LSA类型的过滤要求,我们需要将区域1设置为TNSSA,在ABR R3/R4上除了要在设置NSSA的同时加入 no-summary参数并向NSSA注入默认路由以外;还需要保证被注入的默认路由以LSA-7的形式出现。在R3上JUNOS配置我们在之前的实验中已经演示过。[email protected]# show r3 protocols ospf area 1 nssa { default-lsa { default-metric 1; type-7; } no-summaries; }在R3上采用正确的策略,不难将LSA3/4/5全部过滤掉。应用策略后,查看R1/R2的OSPF数据库,均确认在NSSA 1内没有通过R3接收到以上三类LSA。[email protected]# run show ospf database logical-router r1 advertising-router 10.0.3.3 OSPF link state database, area 0.0.0.1 Type ID Adv Rtr Seq Age Opt Cksum Len Router 10.0.3.3 10.0.3.3 0x80000009 749 0x0 0x14b0 48 Network 10.0.4.13 10.0.3.3 0x80000004 444 0x0 0x1ff0 32 NSSA 0.0.0.0 10.0.3.3 0x80000004 660 0x0 0xe35b 36 [email protected]# run show ospf database logical-router r2 netsummary advertising-router 10.0.3.3 | count Count: 0 lines然而另一挑战则来自于从IOS将LSA3/4/5从区域1内完全过滤掉。在IOS中,为保障NSSA内部路由器到域间及域外网段的连通性,ABR会在不同的情况下产生两种类型的缺省路由LSA。当我们需要过滤域间LSA-3的时候,ABR将以LSA-3的形式向NSSA注入默认路由。此时,尽管其他域间LSA-3被全部过滤掉,却依然留下默认路由为LSA-3的痕迹。无论通过查看R2的OSPF数据库,还是路由表中OSPF的Preference值均能确认这一点。r4(config-router)#area 1 nssa no-summary [email protected]# run show ospf database logical-router r2 netsummary advertising-router 10.0.3.3 OSPF link state database, area 0.0.0.1 Type ID Adv Rtr Seq Age Opt Cksum Len Summary 0.0.0.0 10.0.3.4 0x80000001 235 0x2 0xb173 28 [email protected]# run show route logical-router r2 0.0.0.0 inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[OSPF/10] 00:09:36, metric 2 > to 10.0.4.9 via fxp2.24而假如我们希望接收LSA-7形式的默认路由,则可以将 no-summary参数改为 no-redistribution,该参数主要用于避免同时充当ASBR的NSSA ABR路由器将其本地重分布进入OSPF域内的外部路由以LSA-5注入骨干区域的同时,以LSA-7的方式注入NSSA内部。JUNOS在更新的版本上使用 no-nssa-abr命令达到类似的目的。此时IOS将把默认路由以LSA-7的形式注入NSSA内部。不幸的是,当我们成功避免了默认路由以LSA-3出现的时候,却无法过滤源自于OSPF的域间路由LSA-3。结果更多的LSA-3被引入区域1。r4(config-router)#no area 47 nssa r4(config-router)#are 1 nssa no-redistribution default-information-originate [email protected]# run show route logical-router r2 0.0.0.0 inet.0: 23 destinations, 24 routes (23 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[OSPF/150] 00:45:37, metric 2, tag 0 > to 10.0.4.1 via fxp2.23 [email protected]# run show ospf database logical-router r2 netsummary | count Count: 13 lines由于IOS本身并没有提供如JUNOS那样转换缺省路由LSA类型的设置,即便我们将两个参数结合在一起使用,ABR将同时产生两条0.0.0.0默认路由,分别以LSA-3与LSA-7同时注入NSSA。由于两者在JUNOS上Preference的差异以及IOS优选域间LSA甚于外部LSA,Juniper与Cisco两者均无法在数据库内摒除LSA-3并且路由表优选其成为活跃的默认路由。r4(config-router)#area 1 nssa no-summary no-redistribution default-information-originate [email protected]# run show ospf database logical-router r2 lsa-id 0.0.0.0 OSPF link state database, area 0.0.0.1 Type ID Adv Rtr Seq Age Opt Cksum Len Summary 0.0.0.0 10.0.3.4 0x80000002 660 0x2 0xaf74 28 NSSA 0.0.0.0 10.0.3.3 0x8000000b 1263 0x0 0xd562 36 NSSA 0.0.0.0 10.0.3.4 0x80000001 660 0x2 0xa6e2 36单纯依靠IOS的NSSA功能无法达成实验目标,我们需要考虑新的思路。由于NSSA内一旦使用 no-summary对LSA-3进行过滤,产生的默认路由必然是LSA-3。因此我们只能抛弃采用 no-summary参数过滤域间LSA-3,而选择 no-redistribution保证NSSA域内的默认路由LSA类型为LSA-7。然后再通过另外的途径过滤其余的域间路由。我们引用IOS域间基于 prefix-list的路由过滤特征来达到这个目的,通过定义 prefix-list,仅允许默认路由进入区域1,从而将其他域间路由全部过滤掉,因此在设置前缀列表的时候应该将它设置在区域1的 in方向。结合这NSSA和前缀列表两种过滤功能,分别实现对LSA-5以及LSA-3的过滤,而由于R4上并没有域外路由被重分布进入OSPF, no-redistribution在这里仅仅充当产生LSA-7默认路由的功能。完成配置后,我们终于可以看到区域1内已经不存在任何LSA-3及LSA-5,并且默认路由以LSA-7的形式被安装进入OSPF数据库内。r4(config-router)#area 1 nssa no-redistribution default-information-originate r4(config-router)#area 1 filter-list prefix only-default-route in [email protected]# run show ospf database logical-router r2 netsummary | count Count: 0 lines [email protected]# run show ospf database logical-router r2 extern | count Count: 0 lines [email protected]# run show ospf database logical-router r2 lsa-id 0.0.0.0 OSPF link state database, area 0.0.0.1 Type ID Adv Rtr Seq Age Opt Cksum Len NSSA 0.0.0.0 10.0.3.3 0x80000010 228 0x0 0xcb67 36 NSSA 0.0.0.0 10.0.3.4 0x80000001 427 0x2 0xa6e2 36接下来的认证比较简单,只需要在骨干区域路由器上启用区域认证并且在骨干区域接口内输入相同的Key ID以及密码即可完成认证配置,我们仅把关键配置摘录下来。[edit logical-routers] [email protected]# show r5 protocols ospf area 0 authentication-type md5; interface lo0.5; interface fxp2.45 { authentication { md5 10 key "$9$IBIhyKsYoaUH"; ## SECRET-DATA } } interface fxp2.35 { authentication { md5 10 key "$9$j8kmTOBEhrv"; ## SECRET-DATA } } r4#wr t ! interface FastEthernet0/0.34 encapsulation dot1Q 134 ip address 10.0.2.6 255.255.255.252 ip mtu 1496 ip ospf message-digest-key 10 md5 jnx ! interface FastEthernet0/0.45 encapsulation dot1Q 145 ip address 10.0.2.10 255.255.255.252 ip mtu 1496 ip ospf message-digest-key 10 md5 jnx ! router ospf 64 router-id 10.0.3.4 log-adjacency-changes area 0 authentication message-digest area 1 nssa no-redistribution default-information-originate area 1 filter-list prefix only-default-route in !验证骨干区域认证配置正常的最快方式可以在R5上查看区域0内的两给邻居R3/R4是否已经达到FULL状态,并且任选在R3/R4上使用环回接口互相 traceroute,确认彼此环回接口之间使用最短路径访问及回访即可。r4#traceroute 10.0.3.3 source 10.0.3.4 Type escape sequence to abort. Tracing the route to 10.0.3.3 1 10.0.3.3 20 msec 24 msec 8 msecJUNOS与IOS OSPF域间及域外地址汇总
- 汇总所有的非骨干区域路由进入骨干区域,包括内部路由以及外部路由;
- 汇总来自RIP路由器的192.168.x/24路由,但你不能修改RIP路由器上的配置;
到目前为止,我们需要汇总进入OSPF骨干区域的内部路由包括区域1与区域20内的网段,而外部路由仅包括从R1/R2重分布进OSPF的直连网段10.0.5/24网段路由。来自NSSA的外部路由仅有10.0.5/24一条,因此对于这条路由我们不需要对该网段进行汇总。我们可以将汇总的焦点放在两边非骨干区的OSPF内部地址汇总上,在之前的OSPF地址汇总实验中我们已经计算出两边网段的汇总地址分别是10.0.4/22及10.0.8/23;我们在3台ABR上分别应用汇总配置。值得借鉴的是,我们可以在JUNOS上通过应用 area-range命令的 restrict参数批量过滤OSPF域间路由,相应的在IOS上同样可以在该命令后应用 not-advertise达到相同的效果。而在IOS中,对于域间汇总路由的Metric计算直接采用ABR所在汇总区域接口的开销值,另外我们也能通过 cost参数进行定义。[edit logical-routers] [email protected]# show r5 protocols ospf area 20 area-range 10.0.8.0/23; [edit logical-routers] [email protected]# show r3 protocols ospf area 1 nssa { default-lsa { default-metric 1; type-7; } no-summaries; } area-range 10.0.4.0/22;r4#conf t Enter configuration commands, one per line. End with CNTL/Z. r4(config-router)#area 1 range 10.0.4.0 255.255.252.0 r4(config-router)#area 1 range 10.0.4.0 255.255.252.0 ? advertise Advertise this range (default) cost User specified metric for this range not-advertise DoNotAdvertise this range <cr>同样,可以在骨干区域路由器上查看两边非骨干区域的明细网段是否仅匹配路由表内的汇总路由,从而确认地址汇总被成功配置。我们将查询两边区域内的直连网段路由及各路由器的环回接口网段:在R4上分别查询10.0.8.0与10.0.9.0两个网段,均匹配10.0.8/23路由;另一方面,我们在R5上分别查询10.0.4.0及10.0.6.0两个网段,均匹配10.0.4/22路由。r4#show ip route 10.0.8.0 Routing entry for 10.0.8.0/23 Known via "ospf 64", distance 110, metric 12, type inter area Last update from 10.0.2.9 on FastEthernet0/0.45, 00:27:09 ago Routing Descriptor Blocks: * 10.0.2.9, from 10.0.3.5, 00:27:09 ago, via FastEthernet0/0.45 Route metric is 12, traffic share count is 1 r4#show ip route 10.0.9.0 Routing entry for 10.0.8.0/23 Known via "ospf 64", distance 110, metric 12, type inter area Last update from 10.0.2.9 on FastEthernet0/0.45, 00:27:16 ago Routing Descriptor Blocks: * 10.0.2.9, from 10.0.3.5, 00:27:16 ago, via FastEthernet0/0.45 Route metric is 12, traffic share count is 1[email protected]# run show route logical-router r5 10.0.6.0 inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.4.0/22 *[OSPF/10] 00:17:42, metric 3 > to 10.0.2.2 via fxp2.35 [email protected]# run show route logical-router r5 10.0.4.0 inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.4.0/22 *[OSPF/10] 00:17:44, metric 3 > to 10.0.2.2 via fxp2.35需要注意的是尽管对于区域1的地址汇总,尽管10.0.4/22包含10.0.5/24网段,然而由于10.0.5/24网段采用域外路由的形式注入OSPF,作为域间路由汇总的 area-range并不会将域外及域间路由混合在同一条汇总路由内通告,因此在R5上我们仍然能够接收到10.0.5/24网段路由,而且其依然保留域外路由的Preference。[email protected]# run show route logical-router r5 10.0.5.0 inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.5.0/24 *[OSPF/150] 00:19:40, metric 13, tag 420 > to 10.0.2.2 via fxp2.35下一步我们开始对来自RIP的192.168.x/24域外路由进行汇总,在实验目标中明确提出不允许通过修改RIP路由器的配置来实现路由汇总,我们需要在R6与R7上通过RIP接收全部明细路由后再汇总重分布进入OSPF域内。先在JUNOS路由器R6和IOS路由器R7上完成RIP的基本配置,并确认两者RIP路由表同步。[edit logical-routers r6] [email protected]# show protocols rip group rip { neighbor fxp1.60; }r7#wr t ! router rip version 2 network 172.16.0.0 ![email protected]# run show route logical-router r6 protocol rip inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 192.168.0.0/24 *[RIP/100] 00:22:22, metric 2, tag 0 > to 172.16.40.1 via fxp1.60 192.168.1.0/24 *[RIP/100] 00:22:22, metric 2, tag 0 > to 172.16.40.1 via fxp1.60 192.168.2.0/24 *[RIP/100] 00:22:22, metric 2, tag 0 > to 172.16.40.1 via fxp1.60 192.168.3.0/24 *[RIP/100] 00:22:22, metric 2, tag 0 > to 172.16.40.1 via fxp1.60 192.168.4.0/24 *[RIP/100] 00:22:22, metric 2, tag 0 > to 172.16.40.1 via fxp1.60 224.0.0.9/32 *[RIP/100] 00:22:32, metric 1 MultiRecv r7# show ip route rip R 192.168.4.0/24 [120/1] via 172.16.40.5,0:34,Fa0/0.70 R 192.168.0.0/24 [120/1] via 172.16.40.5,0:34,Fa0/0.70 R 192.168.1.0/24 [120/1] via 172.16.40.5,0:34,Fa0/0.70 R 192.168.2.0/24 [120/1] via 172.16.40.5,0:34,Fa0/0.70 R 192.168.3.0/24 [120/1] via 172.16.40.5,0:34,Fa0/0.70此时我们有机会比较JUNOS与IOS在对OSPF域外路由汇总上采取的不同的路径,JUNOS先将RIP明细路由通过Aggregate进行汇总,在把汇总后的Aggregate路由通过策略重分布进入OSPF;而IOS则直接将RIP明细路由重发布进入OSPF内,下一步使用 summary-address将域外路由在OSPF协议内部进行汇总。相比之下,JUNOS的配置量似乎大得多,其实情况不一定正如看上去那么完美。[edit logical-routers r6] [email protected]# show routing-options aggregate { route 192.168.0.0/21; } [edit logical-routers r6] [email protected]# show policy-options policy-statement rip-ospf { term 1 { from { protocol aggregate; route-filter 192.168.0.0/21 exact; } then accept; } } r7(config-router)#router ospf 64 r7(config-router)#redistribute rip subnets r7(config-router)#summary-address 192.168.0.0 255.255.248.0查看R5上的OSPF数据库,同时从R6/R7上均收到汇总后的192.168/21域外LSA-5,似乎与我们设想中的结果吻合。而当我们进一步查看R5上的全部域外LSA的时候,却发现从R7上注入了172.16.40.4/30这条额外的LSA,在下一个实验目标中明确规定该网段应当以域内路由的形式出现在OSPF内。由于我们在IOS上进行RIP到OSPF重分布的时候并没有做任何地址限制,因此172.16.40.4/30作为R7上RIP数据库内的路由随同192.168.x/24路由被重分布进OSPF内。[email protected]# run show ospf database logical-router r5 lsa-id 192.168.0.0 OSPF AS SCOPE link state database Type ID Adv Rtr Seq Age Opt Cksum Len Extern 192.168.0.0 10.0.9.6 0x80000001 50 0x2 0x5007 36 Extern 192.168.0.0 10.0.9.7 0x80000005 109 0x2 0x47d8 36 [email protected]# run show ospf database logical-router r5 extern OSPF AS SCOPE link state database Type ID Adv Rtr Seq Age Opt Cksum Len Extern 10.0.5.0 10.0.3.4 0x80000005 887 0x2 0x341b 36 Extern 172.16.40.4 10.0.9.7 0x80000001 366 0x2 0xaaf5 36 Extern 192.168.0.0 10.0.9.6 0x80000001 147 0x2 0x5007 36 Extern 192.168.0.0 10.0.9.7 0x80000005 206 0x2 0x47d8 36 r7#show ip rip database 172.16.0.0/16 auto-summary 172.16.40.4/30 directly connected, Fa0/0.70显然我们还需要对IOS追加地址过滤的配置,其目的不单纯为了满足实验目标的需求,更重要的是防止在多点双向重分布的网络中形成路由倒灌而产生环路的潜在危险,详见前面的章节。而最简单快速的方式便是 access-list与 route-map组合在一起,然后将 route-map绑定到 redistribute命令中。下面的 route-map写得不太直观,然而只要你对IOS策略路由的逻辑是否关系有清晰的了解,应该不会感到疑惑。重新应用 redistribut,R5上已经不存在172.16.40.4/30的外部LSA-5。! access-list 1 permit 172.16.40.4 0.0.0.3 ! route-map rip-import deny 10 match ip address 1 ! route-map rip-import permit 20 ! r7(config-router)#redistribute rip subnets route-map rip-import [email protected]# run show ospf database logical-router r5 extern OSPF AS SCOPE link state database Type ID Adv Rtr Seq Age Opt Cksum Len Extern 10.0.5.0 10.0.3.4 0x80000006 960 0x2 0x321c 36 Extern 192.168.0.0 10.0.9.6 0x80000002 372 0x2 0x4e08 36 Extern 192.168.0.0 10.0.9.7 0x80000006 368 0x2 0x45d9 36标签: ccie, cisco, Interoperability, ios, juniper, junos, labs5. JUNOS与IOS OSPF/RIP重分布及路由策略协调
- R6/R7必须将10.0.5/24路由通告给RIP路由器,同时R7上通告的RIP路由Metric应大于R6上的通告;
- 172.16.40/24网段以OSPF内部路由的形式出现,该子网上不应存在OSPF邻接;
默认情况下,JUNOS会将直接重分布进入RIP的路由Metric值设置为1,而IOS则将来自任何协议重分布进RIP的Metric统一设置为16跳不可达Metric,在IOS上进行入向RIP重分布的时候总需要手动指定Metric值。由于之前的分解实验中已经讨论过JUNOS上从OSPF到RIP的重分布方式,这里仅快速列出R6上的相关配置。[edit logical-routers] [email protected]# show r6 policy-options policy-statement ospf-rip term 1 { from { protocol ospf; route-filter 10.0.5.0/24 exact; } then accept; } [edit logical-routers] [email protected]# show r6 protocols rip group rip { export ospf-rip; neighbor fxp1.60; } [email protected]# run show route advertising-protocol rip 172.16.40.2 logical-router r6 inet.0: 25 destinations, 26 routes (25 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.5.0/24 *[OSPF/150] 00:22:02, metric 14, tag 420 > to 10.0.8.6 via fxp2.56从R6通告给RIP的路由中顺带可以看到,作为转换LSA-7到LSA-5的NSSA ABR R4,IOS并没有将其本地外部路由的Metric带入骨干区域,而是保留了其初始的Metric值10,与JUNOS 8.5版本的行为相似。由于该外部路由的ASBR地址10.0.6.2经过域间汇总至10.0.4/22内,R3通告10.0.4/22汇总路由的Metric为2,因此在R6上的Metric值为10+2+2=14。同时,从IOS路由器R7将10.0.5/24网段重分布进入RIP的流程稍显复杂,为了验证RIP路由器同时从R6/R7上同时收到该段路由,我们要求R7向RIP注入Metric值同样为1的路由。! router rip version 2 redistribute ospf 64 route-map ospf-rip network 172.16.0.0 ! access-list 2 permit 10.0.5.0 0.0.0.255 ! route-map ospf-rip permit 10 match ip address 2 set metric 1 !而我们查看RIP路由器上的路由表的时候,却并没有发现同时出现两条10.0.5/24的条目,仅存在由R6通告过来的信息。而且我们在R1上采用默认的 traceroute访问192.168.x/24网段能够返回成功的信息。由于我们并没有将除10.0.5/24以外的其他OSPF路由重分布到RIP里面,R1应当使用10.0.5.1作为 traceroute源地址方能正常访问192.168.x/24网段。[email protected]# run show route logical-router rip 10.0.5/24 inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.5.0/24 *[RIP/100] 00:03:04, metric 2, tag 420 > to 172.16.40.2 via fxp2.60 [email protected]# run traceroute 192.168.2.1 logical-router r1 traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 40 byte packets 1 10.0.4.13 (10.0.4.13) 1.168 ms 0.844 ms 1.150 ms 2 10.0.2.1 (10.0.2.1) 1.094 ms 1.182 ms 1.160 ms 3 10.0.8.5 (10.0.8.5) 1.314 ms 1.867 ms 1.747 ms 4 192.168.2.1 (192.168.2.1) 5.232 ms 3.682 ms 3.841 ms在不存在其他后门链路的情况下,唯一能够解析的原因在于RIP路由器上存在10.0.5/24子网的汇总路由,R1发送到RIP路由器上的 traceroute正是匹配了该汇总路由才能被返回。在172.16/16与10/8网络边缘,IOS路由器R7执行了自动汇总,10.0.5/24路由于是被自动汇总成为10.0.0.0/8主网路由,然后被通告到RIP路由器上面。我们通过查看RIP路由表能确认这点。[email protected]# run show route logical-router rip 10/8 inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.0.0/8 *[RIP/100] 00:08:31, metric 2, tag 0 > to 172.16.40.6 via fxp2.70 10.0.5.0/24 *[RIP/100] 00:09:21, metric 2, tag 420 > to 172.16.40.2 via fxp2.60正是由于需要RIP支持无类路由,因此我们开始设置R7上RIP的时候便直接启用Version 2的RIP。关闭R7上的自动汇总,同时由于实验目标要求R7注入RIP的路由应该包含更大的Metric值,在 route-map中我们将其调节为2。! router rip version 2 redistribute ospf 64 route-map ospf-rip network 172.16.0.0 no auto-summary ! access-list 2 permit 10.0.5.0 0.0.0.255 ! route-map ospf-rip permit 10 match ip address 2 set metric 2 !重新启动RIP路由器的路由进程,而问题却依然没有得到彻底解决,当RIP路由器收到来自R7的10.0.5/24明细路由后,原本从R6接收到的路由却消失掉。[email protected]# run restart routing logical-router rip rip started, pid 4830可能你已经能猜到,我们又回到了在R6上OSPF外部路由150与RIP 100的Preference冲突上。继续修正R6上的RIP导入策略。完成后为了尽快实现路由收敛,你可能需要清空R7的路由表以及重启R6/RIP的路由进程。制定策略的时候由于我们需要过滤从RIP路由更新注入同样为RIP路由协议的信息,此时默认策略为 accept,因此我们需要增加 term 2,将除192.168.x/24以外的其他路由明确拒绝掉。而对于IOS路由器R7,由于OSPF内部及外部路由的管理距离均为110,小于RIP的120,暂时不需要应用 distribut-list in进行入向RIP路由过滤。[edit logical-routers r6] [email protected]# show policy-options policy-statement rip-ospf term 1 { from { protocol rip; route-filter 192.168.0.0/21 orlonger; } then accept; } policy-statement rip-import { term 1 { from { protocol rip; route-filter 192.168.0.0/21 orlonger; } then accept; } term 2 { then reject; } }最后我们确定仅有10.0.5/24网段路由被注入RIP内部,在R1上分别使用10.0.5.1以及默认接口作为源地址对192.168.x/24网段进行 traceroute,仅有当10.0.5.1作为源地址的时候 traceroute才能成功。[email protected]# run traceroute 192.168.1.1 logical-router r1 traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 40 byte packets 1 10.0.4.13 (10.0.4.13) 5.114 ms 1.243 ms 1.498 ms 2 10.0.2.1 (10.0.2.1) 1.839 ms 2.311 ms 1.471 ms 3 10.0.8.5 (10.0.8.5) 1.972 ms 2.019 ms 1.756 ms 4 * * * 8 *^C [email protected]# run traceroute 192.168.1.1 logical-router r1 source 10.0.5.1 traceroute to 192.168.1.1 (192.168.1.1) from 10.0.5.1, 30 hops max, 40 byte packets 1 10.0.4.13 (10.0.4.13) 1.414 ms 0.955 ms 1.458 ms 2 10.0.2.1 (10.0.2.1) 1.378 ms 1.740 ms 1.786 ms 3 10.0.8.5 (10.0.8.5) 1.916 ms 1.834 ms 1.877 ms 4 192.168.1.1 (192.168.1.1) 2.527 ms 2.221 ms 2.048 ms相对而言,对于172.16.40.x网段的通告配置比较简单,利用JUNOS对OSPF内外路由的区分,最后在R5上通过检查两条路由的Preference确认为域内路由。[edit logical-routers r6] [email protected]# set protocols ospf area 20 interface fxp1.60 passive ! router ospf 64 passive-interface FastEthernet0/0.70 network 172.16.40.4 0.0.0.3 area 20 ! [email protected]# run show route logical-router r5 172.16/16 inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 172.16.40.0/30 *[OSPF/10] 00:01:50, metric 2 > to 10.0.8.5 via fxp1.56 172.16.40.4/30 *[OSPF/10] 00:01:50, metric 11 > to 10.0.8.10 via fxp1.57r7# show ip ospf interface fa0/0.70 FastEthernet0/0.70 is up, line protocol is up Internet Address 172.16.40.6/30, Area 20 Process ID 64, Router ID 10.0.9.7, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.0.9.7, Interface address 172.16.40.6 No backup designated router on this network Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40
- 基于带宽优化路由选择:保证所有快速以太网接口被自动分配Metric值为10,另外你需要手动调节Metric使R5到区域1的内部网段实现负载均衡;
我们先把第 13个实验目标提前分析,JUNOS与IOS的OSPF参考带宽同为100Mbps,在之前的实验过程中IOS对于快速以太网接口开销值定义为10仅仅因为fa0/0接口与实验台交换机自动协商带宽为10Mbps,可以在接口下修复该配置,以下以R4为例,包含环回接口在内的4个OSPF接口当前开销值均被修改为1。! interface FastEthernet0/0.34 bandwidth 100000 encapsulation dot1Q 134 ip address 10.0.2.6 255.255.255.252 ip mtu 1496 ip ospf message-digest-key 10 md5 jnx ! r4#show ip ospf interface | include Cost Process ID 64, Router ID 10.0.3.4, Network Type LOOPBACK, Cost: 1 Process ID 64, Router ID 10.0.3.4, Network TypeBROADCAST, Cost: 1 Process ID 64, Router ID 10.0.3.4, Network TypeBROADCAST, Cost: 1 Process ID 64, Router ID 10.0.3.4, Network TypeBROADCAST, Cost: 1通过在所有OSPF路由器上修改参考带宽能够在全局修改链路开销值,除环回接口保持默认开销值,JUNOS环回接口默认开销为0;而IOS环回接口默认开销为1。所有快速以太网接口的开销值均设置为10,假如你使用输出导出符精确定位信息,注意JUNOS与IOS对大小写的区分行为。[edit logical-routers] [email protected]# set r1 protocols ospf reference-bandwidth 1g [email protected]#run show ospf interface logical-router r5 detail | match cost Type: LAN, Address: 10.0.2.1, Mask: 255.255.255.252, MTU: 1496, Cost: 10 Type: LAN, Address: 10.0.2.9, Mask: 255.255.255.252, MTU: 1496, Cost: 10 Type: LAN, Address: 10.0.3.5, Mask: 255.255.255.255, MTU: 65535, Cost: 0 Type: LAN, Address: 10.0.8.6, Mask: 255.255.255.252, MTU: 1496, Cost: 10 Type: LAN, Address: 10.0.8.9, Mask: 255.255.255.252, MTU: 1496, Cost: 10 r4(config)#router ospf 64 r4(config-router)#auto-cost reference-bandwidth 1000 % OSPF: Reference bandwidth is changed. Please ensure reference bandwidth is consistentacross all routers. r4#show ip ospf interface | include Cost Process ID 64, Router ID 10.0.3.4, Network TypeLOOPBACK, Cost: 1 Process ID 64, Router ID 10.0.3.4, Network TypeBROADCAST, Cost: 10 Process ID 64, Router ID 10.0.3.4, Network TypeBROADCAST, Cost: 10 Process ID 64, Router ID 10.0.3.4, Network TypeBROADCAST, Cost: 10为了使R5能通过R3/R4实现进入区域1流量的负载均衡,我们需要手动调整R3/R4通告的10.0.4/22汇总LSA-3的Metric值。在R5的OSPF数据库内对比两者的LSA,由于JUNOS与IOS默认对汇总路由的Metric计算方式的差异,使得R5当前优选R4作为流量进入区域1的ABR。[email protected]# run show ospf database logical-router r5 lsa-id 10.0.4.0 detail OSPF link state database, area 0.0.0.0 Type ID Adv Rtr Seq Age Opt Cksum Len Summary 10.0.4.0 10.0.3.3 0x80000019 493 0x2 0xc451 28 mask 255.255.252.0 TOS 0x0, metric 20 Summary 10.0.4.0 10.0.3.4 0x8000001d 444 0x22 0x708a 28 mask 255.255.252.0 TOS 0x0, metric 10有多种方式能够实现调整汇总路由Metric以达到负载均衡的目的,给出JUNOS与IOS各自最直接覆盖默认汇总路由开销值的解决方案。[edit logical-routers] [email protected]# show r3 protocols ospf area 0.0.0.1 { area-range 10.0.4.0/22 override-metric 30; } r4(config-router)#area 1 range 10.0.4.0 255.255.252.0 cost 30 [email protected]# run show route logical-router r5 10.0.4/22 exact inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.4.0/22 *[OSPF/10] 00:00:27, metric 40 > to 10.0.2.2 via fxp2.35 to 10.0.2.10 via fxp2.45