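H3C OSPF External Route Import Lab
Lab topology
Lab requirements
- Configure IP addresses as shown in the diagram
- R1, R2 and R3 run OSPF so that the internal network is fully reachable; advertise all interfaces (except the public-facing interface) into Area 0; use the loopback interface address as the Router ID
- No protocol packets are allowed on the service subnet
- R4 simulates the Internet; the internal network reaches the Internet through R2; configure a default route on R2 and import it into OSPF
- Configure Easy IP on R2, allowing only the service subnet to access the Internet
- Traffic from the service subnet to the Internet must pass through R3, R1, R2
Lab steps
Device IP address configuration
R1 IP address configuration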
[R1]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 10.1.1.1/24 -- --
GE0/1 up up 10.3.3.1/24 -- --
GE0/2 down down -- -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 1.1.1.1/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
R2 IP address configuration
[R2]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 10.1.1.2/24 -- --
GE0/1 up up 10.2.2.2/24 -- --
GE0/2 up up 202.1.1.2/24 -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 2.2.2.2/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
R3 IP address configuration
[R3]display ip interface brief
*down: administratively down
(s): spoofing (l): loopback
Interface Physical Protocol IP address/Mask VPN instance Description
GE0/0 up up 192.168.1.3/24 -- --
GE0/1 up up 10.3.3.3/24 -- --
GE0/2 up up 10.2.2.3/24 -- --
GE5/0 down down -- -- --
GE5/1 down down -- -- --
GE6/0 down down -- -- --
GE6/1 down down -- -- --
Loop0 up up(s) 3.3.3.3/32 -- --
Ser1/0 down down -- -- --
Ser2/0 down down -- -- --
Ser3/0 down down -- -- --
Ser4/0 down down -- -- --
R4 IP address configuration
[R4]display interface brief
Brief information on interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
GE0/0 UP UP 202.1.1.4
GE0/1 DOWN DOWN --
GE0/2 DOWN DOWN --
GE5/0 DOWN DOWN --
GE5/1 DOWN DOWN --
GE6/0 DOWN DOWN --
GE6/1 DOWN DOWN --
InLoop0 UP UP(s) --
Loop0 UP UP(s) 100.1.1.1
NULL0 UP UP(s) --
REG0 UP -- --
Ser1/0 DOWN DOWN --
Ser2/0 DOWN DOWN --
Ser3/0 DOWN DOWN --
Ser4/0 DOWN DOWN --
PC1 IP address configuration
Basic OSPF configuration
R1 basic OSPF configuration
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 10.1.1.1 0.0.0.0
  network 10.3.3.1 0.0.0.0
R2 basic OSPF configuration
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 10.1.1.2 0.0.0.0
  network 10.2.2.2 0.0.0.0
R3 basic OSPF configuration
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 10.2.2.3 0.0.0.0
  network 10.3.3.3 0.0.0.0
  network 192.168.1.0 0.0.0.255
No protocol packets allowed on the service subnet
R3 OSPF silent interface configuration
#
ospf 1 router-id 3.3.3.3
 silent-interface GigabitEthernet0/0
Simulated Internet, reachable from the service subnet only
R2 Easy IP configuration
#
acl basic 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
#
interface GigabitEthernet0/2
 nat outbound 2000
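Default route import
R2 default route import
#
ip route-static 0.0.0.0 0 202.1.1.4
#
ospf 1 router-id 2.2.2.2
 default-route-advertise
After the default route is imported, R1 and R3 each receive a default route entry carried in a Type 5 LSA originated by R2.
View the OSPF LSDB on R1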
[R1]display ospf lsdb
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 3.3.3.3 3.3.3.3 154 72 8000000A 0
Router 1.1.1.1 1.1.1.1 151 60 80000008 0
Router 2.2.2.2 2.2.2.2 154 60 80000008 0
Network 10.3.3.3 3.3.3.3 152 32 80000001 0
Network 10.2.2.3 3.3.3.3 154 32 80000001 0
Network 10.1.1.2 2.2.2.2 158 32 80000001 0
AS External Database
Type LinkState ID AdvRouter Age Len Sequence Metric
External 0.0.0.0 2.2.2.2 178 36 80000001 1
View the OSPF LSDB on R3
[R3]display ospf lsdb
OSPF Process 1 with Router ID 3.3.3.3
Link State Database
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 3.3.3.3 3.3.3.3 191 72 8000000A 0
Router 1.1.1.1 1.1.1.1 192 60 80000008 0
Router 2.2.2.2 2.2.2.2 193 60 80000008 0
Network 10.3.3.3 3.3.3.3 191 32 80000001 0
Network 10.2.2.3 3.3.3.3 192 32 80000001 0
Network 10.1.1.2 2.2.2.2 198 32 80000001 0
AS External Database
Type LinkState ID AdvRouter Age Len Sequence Metric
External 0.0.0.0 2.2.2.2 218 36 80000001 1
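The LSDB check above can be automated. The following Python is an added example, not part of the original lab: it parses the AS External section of `display ospf lsdb` text and reports whether the default route comes from the expected ASBR (2.2.2.2 in this lab) and from no other router. The function names and the second sample (one constructed extra row) are assumptions made for illustration.

```python
# Added example: audit the AS External section of `display ospf lsdb` output.
# SAMPLE_OK copies rows shown on this page; SAMPLE_BAD adds one constructed row.
SAMPLE_OK = """\
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 2.2.2.2 2.2.2.2 154 60 80000008 0
Network 10.1.1.2 2.2.2.2 158 32 80000001 0
AS External Database
Type LinkState ID AdvRouter Age Len Sequence Metric
External 0.0.0.0 2.2.2.2 178 36 80000001 1
"""
SAMPLE_BAD = SAMPLE_OK + "External 0.0.0.0 3.3.3.3 12 36 80000001 1\n"  # constructed


def external_lsas(lsdb_text):
    """Return (link_state_id, adv_router, metric) for every Type 5 row."""
    rows, in_external = [], False
    for line in lsdb_text.splitlines():
        fields = line.split()
        if line.strip() == "AS External Database":
            in_external = True
        elif in_external and len(fields) == 7 and fields[0] == "External":
            rows.append((fields[1], fields[2], int(fields[6])))
    return rows


def audit_default_route(lsdb_text, expected_asbr="2.2.2.2"):
    """Check that the default route is originated by the expected ASBR only."""
    origins = [adv for lsid, adv, _ in external_lsas(lsdb_text) if lsid == "0.0.0.0"]
    return {
        "present": expected_asbr in origins,
        "unexpected_origins": sorted(set(origins) - {expected_asbr}),
    }


if __name__ == "__main__":
    print(audit_default_route(SAMPLE_OK))
    print(audit_default_route(SAMPLE_BAD))
```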
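Reselecting the path from the service subnet to the Internet
By OSPF's route selection rule, the path with the lower cost is preferred. So, for traffic from the service subnet to the Internet, the total cost of the R3-R2 path must be greater than the total cost of R3-R1-R2; and to keep the forward and return paths consistent, the cost must be changed on the ports at both ends of the link between R3 and R2.
Increase the cost on R2 G0/1
#
interface GigabitEthernet0/1
 ospf cost 1000
Increase the cost on R3 G0/2
#
interface GigabitEthernet0/2
 ospf cost 1000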
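Why both ends of the R3-R2 link need the higher cost can be seen by running the shortest-path computation over this lab's topology. The following Python is an added example, not part of the original lab: it models each OSPF link by the cost of the outgoing interface, assuming a default cost of 1 on every interface (consistent with the cost 2 and cost 3 routes to 192.168.1.0/24 in the routing tables on this page). The function names are assumptions.

```python
import heapq

# Added example. Topology from this lab: (router, outgoing interface, neighbor).
# Every interface cost is assumed to be 1 unless overridden.
LINKS = [
    ("R1", "GE0/0", "R2"), ("R2", "GE0/0", "R1"),
    ("R1", "GE0/1", "R3"), ("R3", "GE0/1", "R1"),
    ("R2", "GE0/1", "R3"), ("R3", "GE0/2", "R2"),
]


def best_path(src, dst, overrides=None):
    """Dijkstra over outgoing-interface costs; returns (cost, [routers])."""
    overrides = overrides or {}
    graph = {}
    for router, ifname, neigh in LINKS:
        graph.setdefault(router, []).append((neigh, overrides.get((router, ifname), 1)))
    heap, done = [(0, [src])], set()
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for neigh, link_cost in graph.get(node, []):
            if neigh not in done:
                heapq.heappush(heap, (cost + link_cost, path + [neigh]))
    return None


def round_trip(overrides=None):
    """Forward path R3 -> R2 (toward the ASBR) and return path R2 -> R3."""
    return best_path("R3", "R2", overrides), best_path("R2", "R3", overrides)


if __name__ == "__main__":
    print("default costs:", round_trip())
    print("R3 GE0/2 only:", round_trip({("R3", "GE0/2"): 1000}))
    print("both ends    :", round_trip({("R3", "GE0/2"): 1000, ("R2", "GE0/1"): 1000}))
```

With the cost raised on R3 GE0/2 only, outbound traffic goes through R1 but the return path from R2 still uses the direct link; raising it on both interfaces makes both directions use R1.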
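Lab verification
Traffic from the service subnet to the Internet passes through R3, R1, R2
View the R3 routing table
Traffic from the service subnet to the Internet follows the default route; the next hop is R1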
[R3]display ip routing-table
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 O_ASE2 150 1 10.3.3.1 GE0/1
View the R1 routing table
When the traffic reaches R1, Internet-bound traffic follows the default route; the next hop is R2
[R1]dis ip routing-table
Destinations : 19 Routes : 20
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 O_ASE2 150 1 10.1.1.2 GE0/0
192.168.1.0/24 O_INTRA 10 2 10.3.3.3 GE0/1
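View the R2 routing table and NAT session table
When the traffic reaches R2, it follows the default route to the Internet; the service subnet source IP is translated to the outbound interface IP, and the next hop of the return route points to R1.
This shows that traffic from the service subnet to the Internet passes through R3, R1, R2, and that the forward and return paths are consistent.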
[R2]display ip routing-table
Destinations : 22 Routes : 22
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 202.1.1.4 GE0/2
192.168.1.0/24 O_INTRA 10 3 10.1.1.1 GE0/0
[R2]display nat session
Slot 0:
Initiator:
Source IP/port: 192.168.1.1/168
Destination IP/port: 100.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet0/0
Total sessions found: 1
Run tracert 100.1.1.1 on PC1; the path meets the lab requirements
<H3C>tracert 100.1.1.1
traceroute to 100.1.1.1 (100.1.1.1), 30 hops at most, 40 bytes each packet, press CTRL_C to break
1 192.168.1.3 (192.168.1.3) 0.574 ms 0.249 ms 0.251 ms
2 10.3.3.1 (10.3.3.1) 0.446 ms 0.495 ms 0.463 ms
3 10.1.1.2 (10.1.1.2) 0.959 ms 1.224 ms 1.004 ms
4 202.1.1.4 (202.1.1.4) 1.833 ms 1.243 ms 1.670 ms
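Is only the service subnet allowed to access the Internet?
Access the Internet from R3 using a non-service source address
The non-service subnet cannot access the Internet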
[R3]ping -a 3.3.3.3 100.1.1.1
Ping 100.1.1.1 (100.1.1.1) from 3.3.3.3: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 100.1.1.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R3]%Feb 27 11:31:15:510 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 100.1.1.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
Access the Internet from R3 using a service subnet source address
Only the service subnet can access the Internet
[R3]ping -a 192.168.1.3 100.1.1.1
Ping 100.1.1.1 (100.1.1.1) from 192.168.1.3: 56 data bytes, press CTRL+C to break
56 bytes from 100.1.1.1: icmp_seq=0 ttl=253 time=0.989 ms
56 bytes from 100.1.1.1: icmp_seq=1 ttl=253 time=1.087 ms
56 bytes from 100.1.1.1: icmp_seq=2 ttl=253 time=0.971 ms
56 bytes from 100.1.1.1: icmp_seq=3 ttl=253 time=0.795 ms
56 bytes from 100.1.1.1: icmp_seq=4 ttl=253 time=0.881 ms
--- Ping statistics for 100.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.795/0.945/1.087/0.099 ms
[R3]%Feb 27 11:31:29:508 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 100.1.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.795/0.945/1.087/0.099 ms.
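Do OSPF packets appear on the service subnet?
Packet capture on R3 interface G0/0: before the silent interface is configured, an OSPF Hello packet is sent once every 10 seconds
After the silent interface is configured (silent-interface GigabitEthernet0/0), subsequent captures show no OSPF packets on the service side
Lab attachments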