OSPFv2 comprehensive experiment (Huawei equipment)

Experimental topology:

The basic configuration of the network nodes is already in place. Network segments not marked on the figure are uniformly 10.1.XX/24, and the internal RID addresses are uniformly configured as 10.0.0.Y. For example, the RID of R6 is 10.0.0.6.

Experiment requirements:

  1. Following the topology, enable the OSPF routing protocol on each router and assign the corresponding areas, then verify the neighbor relationships and database information to ensure that the intranet is interconnected.
  2. The company needs to access the Internet. Configure NAT as appropriate to achieve connectivity across the entire network (only R6 is configured).
  3. Area 2, which was newly added to the company network, carries certain access security risks, so the virtual link must be authenticated.
  4. Because Area 2 carries a large number of services, reduce the routing entries on R8 as far as possible.
  5. R6 is core equipment that the company purchased early on and its performance is insufficient, so reduce the routing entries on R6.
  6. R3 is the border router connected to the company branch (not marked here) and carries too many routing entries. To improve the performance of R3, reduce its routing entries.
  7. Because R3 is heavily loaded, all data traffic from the R7 host to the external network must go out through R4.

Step one:

Following the topology, enable the OSPF routing protocol on each router and assign the corresponding areas, then verify the neighbor relationships and database information to ensure that the intranet is interconnected.
Configure OSPF on the internal routers:
On R2:
ospf 1 //OSPF process 1
area 0.0.0.0 //Enter area 0
network 10.1.1.2 0.0.0.0 //Advertise exactly this interface address into OSPF; because a wildcard (inverse) mask is used, it is 0.0.0.0. Note that the interface facing the external network does not need to be advertised.
network 10.1.2.2 0.0.0.0
On R3:
ospf 1
area 0.0.0.0
network 10.1.1.3 0.0.0.0
network 10.1.3.3 0.0.0.0
On R4:
ospf 1
area 0.0.0.0 //Enter area 0 and announce the corresponding network segment
network 10.1.2.4 0.0.0.0
area 0.0.0.1 //Enter area 1 and announce the corresponding network segment
network 10.1.4.4 0.0.0.0
network 10.1.5.4 0.0.0.0
On R5:
ospf 1
area 0.0.0.0
network 10.1.3.5 0.0.0.0
area 0.0.0.1
network 10.1.4.5 0.0.0.0
network 10.1.6.5 0.0.0.0
On R6:
ospf 1
area 0.0.0.1
network 10.1.5.6 0.0.0.0
network 10.1.7.6 0.0.0.0
network 172.16.0.0 0.0.255.255
On R7:
ospf 1
area 0.0.0.1
network 10.1.5.7 0.0.0.0
network 10.1.7.7 0.0.0.0
area 0.0.0.2
network 10.1.8.7 0.0.0.0
On R8:
ospf 1
area 0.0.0.2
network 10.1.8.8 0.0.0.0
network 192.168.1.1 0.0.0.0
network 192.168.2.1 0.0.0.0
network 192.168.3.1 0.0.0.0
After the configuration is complete, use dis ospf peer to check whether the OSPF neighbor relationships have been established.
Taking the PPP link of R4 as an example, the output shows the router's own RID in OSPF process 1, the RID and address of the neighbor on the interface (the peer's physical interface), the priority of the interface, and the state of the neighbor relationship. There is no DR or BDR because this is a point-to-point link, on which no DR/BDR election takes place.
On the Ethernet link of R3, by contrast, the output shows the elected DR and BDR.
Now check the routing table of a router in area 1 to see whether the routes of the whole intranet have been learned:
[R6]dis ip routing-table protocol ospf //View the OSPF routing entries in the routing table
At this point only the OSPF routing entries of area 0 and area 1 have been learned. This is because the two areas that R7 connects are area 1 and area 2; it has no interface in area 0, so it is not an ABR. Only an ABR converts Type 1 and Type 2 LSAs into Type 3 LSAs, sends them into area 0, and floods them to the other areas through area 0. To make R7 an ABR it must have an interface that belongs to area 0, so a virtual link is needed (the virtual interface created by the virtual link belongs to area 0). The virtual link is configured between R5 and R7, across the area that has to be traversed. R5 and R7 are chosen because R5 is in area 0 and area 1 and R7 is in area 1 and area 2: they share one area, and their other two areas are not directly connected. R4 and R7 could be chosen instead. Pay special attention to the fact that a virtual link cannot span two areas in succession; it can only be used between adjacent areas.

On R5:
ospf 1
area 0.0.0.1 //Enter the transit area
vlink-peer 10.0.0.7 //Configure the RID of the peer
On R7:
ospf 1
area 0.0.0.1
vlink-peer 10.0.0.5
Now check on R6 whether the routing entries of area 2 have been learned. Once the area 2 entries have been learned successfully, check the OSPF database.
It shows that area 2 and area 1 can exchange LSAs with each other, and that area 0 and area 1 still exchange LSAs through Type 3 LSAs.
Finally, check whether the internal network is interconnected by pinging R8 from R2. The ping succeeds: the internal network is now interconnected through the virtual link.

Step two:

Now that the internal network is interconnected, it needs to communicate with the external network. The egress gateway R2 must perform NAT to translate the internal addresses. The simplest technique, Easy IP, is used here.
First define an ACL that matches all internal entries:
acl number 2000 //Define a basic ACL, which matches on the source address
rule 5 permit //Match all
Then apply it on the outbound interface:
interface Serial4/0/0 //Enter the corresponding interface
nat outbound 2000 //Reference the ACL for Easy IP address translation
Configure the default static route:
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1 //The next hop points to R1, so internal traffic is forwarded to the external network
After these are configured, the internal and external networks still cannot communicate, because the internal routers have no routing entries for the external network. A clumsy method is to configure a default route on every internal router, with the next hop pointing to the interface address of the upstream router, until the router directly connected to R2 points to the address of R2's directly connected interface. This is too cumbersome. In fact, only one command, default-route-advertise, is needed in the OSPF process on R2. With this command, R2 advertises to all routers in the OSPF domain a default route that ultimately points to itself. Why "ultimately"? Because the next hop of this default route changes from router to router, but the traffic is always delivered to R2 in the end.

Take the view on R7 as an example: there is an external default route introduced by OSPF (Type 5, administrative distance is 150, the cost type defaults to type 2, which is not accumulated, and the default cost is always 1).
Command: default-route-advertise type 1 changes the type of the advertised OSPF routing entry. It is best to change it to type 1 here, which means that the internal routing cost is accumulated.

In addition, if the always keyword is added after the default-route-advertise command, R2 advertises a default route that ultimately points to itself into the OSPF domain regardless of whether R2 itself has a default route pointing to the outside. If the line between R2 and R1 breaks one day, the default route on R2 disappears, but the default route still exists on the routers inside OSPF, which causes a failure (without always, the default route on the routers inside the OSPF domain disappears as well). It is therefore best not to add the always keyword.

Finally, carry out the corresponding tests.

View the learned routing entries on R8: the cost is accumulated, which shows that a Type 5 route of type 1 has been advertised. Then ping the loopback interface of the external network from R4: access to the external network succeeds.

Step three:

On R5, enter area 1:
vlink-peer 10.0.0.7 simple cipher 123 //simple transmits the password in plain text; the keyword cipher means the password is stored locally as ciphertext, while the keyword plain means it is stored as plain text
Once this is configured, the OSPF neighbor relationship goes down, because one side uses authentication and the other does not. Now configure authentication on R7.
On R7, enter area 1:
vlink-peer 10.0.0.5 simple cipher 123 //After this is configured, the OSPF neighbor relationship is re-established
Now take a look at the authentication methods available for virtual links:
simple: simple authentication mode
md5: MD5 authentication type; by default the password type is cipher, and it can be changed
hmac-md5: HMAC-MD5 authentication type; by default the password type is cipher, and it can be changed
hmac-sha256: HMAC-SHA256 authentication type; by default the password type is cipher, and it can be changed
authentication-null: no authentication
keychain: keychain authentication mode
A virtual link has many configuration options, but most of them are optional. Of the many authentication methods, for example, only one can be chosen.
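What the simple mode configured above exposes on the wire, shown as an added example that is not part of the original post: it builds two constructed OSPFv2 headers as R5 would send them over the virtual link (area ID 0.0.0.0), one with simple authentication and the password 123 and one with cryptographic authentication, and reports what a packet capture reveals in each case. Key ID 1, digest length 32 (HMAC-SHA256) and sequence number 1 are assumed sample values.

```python
import socket
import struct

# OSPFv2 common header (RFC 2328, A.3.1), 24 bytes:
# version, type, length, router ID, area ID, checksum, AuType, authentication
HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple", 2: "cryptographic"}


def build_header(router_id, area_id, autype, auth_field):
    """Build a constructed Hello header (checksum left at 0 for brevity)."""
    return HDR.pack(2, 1, HDR.size,
                    socket.inet_aton(router_id), socket.inet_aton(area_id),
                    0, autype, auth_field)


def audit(packet):
    """Report what the authentication fields of one OSPF packet expose."""
    if len(packet) < HDR.size:
        raise ValueError("truncated OSPF header")
    ver, _type, _len, rid, area, _csum, autype, auth = HDR.unpack_from(packet)
    if ver != 2:
        raise ValueError("not OSPFv2")
    finding = {
        "router_id": socket.inet_ntoa(rid),
        "area": socket.inet_ntoa(area),
        "mode": AUTYPE.get(autype, "unknown"),
        "exposed_secret": None,
        "key_id": None,
        "digest_len": None,
    }
    if autype == 1:
        # Simple mode: the 8-byte field is the password itself, zero padded.
        finding["exposed_secret"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # Cryptographic mode: 2 zero bytes, key ID, digest length, sequence
        # number. The digest follows the packet; the key never appears.
        _zero, key_id, dlen, _seq = struct.unpack("!HBBI", auth)
        finding["key_id"], finding["digest_len"] = key_id, dlen
    return finding


# Constructed samples: RID 10.0.0.5 and password 123 come from the page;
# the cryptographic field values are assumptions for illustration.
SIMPLE_PKT = build_header("10.0.0.5", "0.0.0.0", 1, b"123".ljust(8, b"\x00"))
CRYPTO_PKT = build_header("10.0.0.5", "0.0.0.0", 2,
                          struct.pack("!HBBI", 0, 1, 32, 1))

if __name__ == "__main__":
    for pkt in (SIMPLE_PKT, CRYPTO_PKT):
        print(audit(pkt))
```

With simple mode the password can be read straight out of the header, so the cipher keyword only protects the copy stored in the device configuration.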

Step 4:

To reduce the routing entries on R8, first work out which methods can reduce entries, then pick the most suitable and simplest one for the area where R8 is located. The options are OSPF route filtering, OSPF route summarization, and special area types. Area 2 is an edge area with only one ABR and no ASBR importing external routes, so it meets the conditions for a stub area. Here it is enough to make it a totally stub area.
Corresponding configuration: on each router that belongs to area 2 (area 2 is being changed to a totally stub area), enter area 2 of the OSPF process and configure stub no-summary.
On R7:
area 0.0.0.2 //Enter area 2
stub no-summary //Configure a totally stub area; without no-summary it is a normal stub area. The same applies to an NSSA.
On R8, apply the same configuration:
area 0.0.0.2
stub no-summary
Now check the routing table on R8: there is only one OSPF default route (a Type 3 LSA originated by the ABR).
Check the OSPF database with display ospf lsdb: Sum-Net means it is a Type 3 LSA.

Now ping the external network to check whether the goal has been achieved: the ping succeeds, which shows that the same connectivity is achieved with fewer routing entries.

Step Five:

As R6 belongs to the company's earlier purchase of core equipment, and its performance is insufficient, please reduce the routing entries on R6.

First, note that R6 belongs to area 1. This area is traversed by the virtual link and cannot be configured as a special area. That leaves two options: route summarization and route filtering. There is a rule that applies here: summarized entries from the backbone area are not allowed to appear in the transit area of the virtual link (the reason is in the extension). So we filter the entries of area 0 and summarize the entries of area 2. The number of entries in area 1 then drops, and with it the number of entries on R6.

Area 0 entry filtering:
Why can the area 0 entries be filtered, and which area 0 entries are unnecessary? First check the routing entries on R6:
[R6]dis ip routing-table protocol ospf
These entries belong to area 0. If they are filtered out, area 0 can still be reached through the default route, so the number of routing entries is reduced. Filtering OSPF routing entries means filtering Type 3 LSAs. This only needs to be done on the ABRs directly connected to area 0, that is, in area 0 on R4 and R5. No filtering is needed on R7: if R4 and R5 do not originate the Type 3 LSAs, the other routers cannot obtain the corresponding entries, because R4 and R5 are the only source of those Type 3 LSAs. First configure an ACL on both devices to match the routing entries to be filtered:
acl number 2000
rule 5 deny source 10.1.0.0 0.0.255.255 //Match the routing entries of area 0; the action must be set to deny to take effect
Then apply it in area 0:
area 0.0.0.0 //Enter area 0
filter 2000 export //Use the ACL to filter Type 3 LSAs in the outbound direction of the area
Finally, view the routing information on R6 to check whether the filtering works: there are no routing entries for area 0, so the filtering is successful. Now check whether R6 can still communicate with area 0 by pinging R2 from R6. The ping succeeds, which shows that the filtering works and the intranet still communicates normally.

Summarize the area 2 entries:
First, check the area 2 routing entries on R6 before the summary. The summary only needs to be configured on the area 2 ABR (R7), in area 2 of the OSPF process. After analysis, the three entries 192.168.1.1, 192.168.2.1, and 192.168.3.1 can be accurately summarized into 192.168.0.0/22. The mask length of the summary entry must be shorter than that of the entries before the summary.
Configuration:
[R7-ospf-1-area-0.0.0.2] abr-summary 192.168.0.0 255.255.252.0
After the configuration is complete, check the entries on R6: the entries have been summarized successfully. Now perform the corresponding test: the summary is successful and communication is unaffected.

Step Six:

R3 is the border router connected to the company branch (not marked here) and carries too many routing entries. To improve the performance of R3, reduce its routing entries.

R3 belongs to area 0. We can summarize the entries of area 1 and area 2. The entries of area 0 and area 2 cannot be filtered here because the default route in area 0 points towards the external network, so once the internal routing entries are filtered out, internal communication is no longer possible. Summarization aggregates the locally generated entries at the point where they are advertised; nothing else changes locally.

Because area 2 was summarized in the previous step, first check whether the area 2 entries on R3 have been summarized: the summary is in effect. Next, summarize the area 1 entries. Before summarizing, check the area 1 routing entries on R3.
Note that area 1 has three ABRs. Besides the two routers directly connected to area 0, R7, which connects to area 2, is also an ABR because of the virtual link. It has a virtual interface in area 0, so R7 also originates Type 3 LSAs into area 0; these must be summarized as well, otherwise the detailed entries are still passed to area 0. The routing entries of area 1 therefore have to be summarized on all three devices. Summary analysis: the 10.1.XX/24 entries can be aggregated into 10.1.4.0/22, and the 172.16.XX/24 entries can be aggregated into 172.16.0.0/22.
Corresponding configuration (the same on all three devices):
On R4:
ospf 1 //Enter the OSPF process
area 0.0.0.1 //Enter the area to be summarized
abr-summary 172.16.0.0 255.255.252.0 //entry to be summarized
abr-summary 10.1.4.0 255.255.252.0
When the summary is configured on only one router, the summarized entries are generated, but the other ABRs still advertise the unsummarized entries, so R3 holds both the summarized and the unsummarized entries.
On R5:
ospf 1 //Enter the OSPF process
area 0.0.0.1 //Enter the area to be summarized
abr-summary 172.16.0.0 255.255.252.0 //The summary entry
abr-summary 10.1.4.0 255.255.252.0
On R7:
ospf 1 //Enter the OSPF process
area 0.0.0.1 //Enter the area to be summarized
abr-summary 172.16.0.0 255.255.252.0 //The entries to be summarized
abr-summary 10.1.4.0 255.255.252.0

Check after the summary is completed: for area 1 and area 2 there are only two summarized entries. Now ping the devices in area 1 and area 2 from R3 to check whether the summarized entries work as intended: the summary and communication are successful.
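The summary analysis used in steps five and six, worked through as an added example that is not part of the original post: it derives the smallest covering prefix for the area 2 and area 1 entries, lists /24 blocks that the summary advertises without any real network behind them, and checks that the summary does not also claim prefixes of other areas. The /32 and /24 masks and the list of other-area segments are assumptions read off the network statements on this page.

```python
import ipaddress


def covering_summary(prefixes):
    """Smallest single prefix that contains every input prefix."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def unbacked(summary, prefixes, unit=24):
    """Blocks of size /unit inside the summary with no input prefix in them."""
    if summary.prefixlen >= unit:
        return []
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [b for b in summary.subnets(new_prefix=unit)
            if not any(n.overlaps(b) for n in nets)]


def overreach(summary, foreign):
    """Prefixes of other areas that the summary would also claim."""
    return [p for p in foreign if ipaddress.ip_network(p).overlaps(summary)]


# Taken from the network statements on the page; masks are assumed.
AREA2_ENTRIES = ["192.168.1.1/32", "192.168.2.1/32", "192.168.3.1/32"]
AREA1_LINKS = ["10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24"]
OTHER_AREAS = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.8.0/24"]

if __name__ == "__main__":
    for name, entries in (("area 2", AREA2_ENTRIES), ("area 1", AREA1_LINKS)):
        s = covering_summary(entries)
        print(name, "summary:", s)
        print("  unbacked /24 blocks:", [str(b) for b in unbacked(s, entries)])
        print("  overlaps other areas:", overreach(s, OTHER_AREAS))
    # A summary one bit too short starts claiming area 0 segments.
    too_wide = covering_summary(["10.1.0.0/21"])
    print("10.1.0.0/21 would also cover:", overreach(too_wide, OTHER_AREAS))
```

The 192.168.0.0/22 summary also covers 192.168.0.0/24, which no router announces, so traffic for that block is still drawn to R7.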

Step Seven:

It is precisely because of the heavy load of R3 that all data traffic from the R8 host to the external network goes to the external network through R4. (R8 here corresponds to R7 in the original picture)

First check how the R8 host currently reaches the external network. The easiest way is the [R8]tracert -a 192.168.1.1 200.1.1.1 command, which shows the path the traffic takes. According to the output, R8 passes through R7, R5, R3, and R2 to reach the external network. The requirement is to reach the external network through R7, R5, R4, and R2. The simplest way to do this is to modify the cost of an OSPF interface.

First check the cost of the serial interface: the cost is 48.
Check the cost of the G interface: the cost is 1.
Note: changing the cost of a routing entry only takes effect on the interface where the device receives the corresponding LSA, that is, the interface from which the device sends traffic for that routing entry. For example, for R7 to reach R2, the cost of the corresponding entry can only be changed on upstream interfaces such as g0/0/0 and g0/0/1 of R7 or S4/0/0 of R6; changing it on the g0/0/0 interface of R6 has no effect.

According to the topology, traffic must reach R2 before it reaches the external network, so only the path up to R2 differs. Via R4, there are 2 serial links from R5 to R4 to R2, so cost1 is 48+48=96.
Via R3, there are 2 G links from R5 to R3 to R2, so cost2 is 1+1=2.

To make cost2 greater than cost1, increase the OSPF cost of R5's g0/0/0 interface. The value must be large enough for traffic to reach the external network through R4. Enter g0/0/0 and run the command [R5-GigabitEthernet0/0/0]ospf cost 100, then check the cost of the interface to confirm that it has become 100.
In theory cost2 is now 100+1=101>96, and the R8 host reaches the external network through the R4 router.
Finally, test on R8: the traffic passes through R7, R5, and R2, so the purpose of the modification has been achieved.
So far the outgoing traffic has been modified successfully. The return traffic can be modified in the same way. Note, however, that this modification will not succeed because of the virtual link: R8's LSAs are only passed to R5, from R5 to R3, and then to R2, so no matter how the cost is changed, the return traffic can only take this route. (Transmission on a virtual link is unicast.)

Now carry out the corresponding test.
The interface is selected in the same way: it must be the outgoing interface of the return traffic. First look at the cost of the routing entry to R8 on R2: the cost is 4. (R1 is not used for the test because R1 cannot initiate access to R8, so R2 stands in for it in this experiment.)
Then use the tracert command to follow the hops to R8, which are R2, R3, R5, R7, R8.
According to the requirement, the return path to R8 should be R2, R4, R6, R7, R8. Change the OSPF cost of the g0/0/0 interface of R2 to 150:
[R2-GigabitEthernet0/0/0] ospf cost 150
Now check the routing table on R2 again: the cost of the route has increased to 153, which shows that traffic still leaves through g0/0/0.
Run the tracert command again: there is no change, which confirms the inference.


Origin blog.csdn.net/tushanpeipei/article/details/112853080