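1. Learn how to configure OSPF for IPv6.
2. Learn how to configure IPsec-based authentication for OSPF.
Topology diagram:
Configure the IPv6 addresses on each router, and use the ping command to confirm connectivity between the directly connected interfaces.
Configure the OSPFv3 routing protocol on routers R1, R2 and R3: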
R1(config)#ipv6 router ospf 20 ----> enable the OSPF routing protocol globally, process ID 20
R1(config-rtr)#
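*Apr 17 11:46:03.675: %OSPFv3-4-NORTRID: OSPFv3 process 20 could not pick a router-id,
please configure manually
----> Although OSPFv3 is used on IPv6 networks, its router-id is still 32 bits long. When OSPFv3 is enabled, it automatically looks for a locally configured IPv4 address to use as the router-id; if none is configured, one has to be set manually.
R1(config-rtr)#router-id 1.1.1.1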
R1(config-rtr)#exit
R1(config)#int s1/0
R1(config-if)#ipv6 ospf 20 a 0 -----> add the interface to the OSPF process and place it in area 0
R1(config-if)#exit
R1(config)#int lo0
R1(config-if)#ipv6 ospf 20 a 0
R1(config-if)#ipv6 ospf network point-to-point ----> set the loopback network type to point-to-point so that it is not advertised as a /128 host route
R1(config-if)#exit
R2(config)#ipv6 router ospf 20
R2(config-rtr)#route
*Apr 17 11:54:07.507: %OSPFv3-4-NORTRID: OSPFv3 process 20 could not pick a router-id,
please configure manually
R2(config-rtr)#router-id 2.2.2.2
R2(config-rtr)#exit
R2(config)#int s1/0
R2(config-if)#ipv6 ospf 20 a 0
*Apr 17 11:54:34.191: %OSPFv3-5-ADJCHG: Process 20, Nbr 1.1.1.1 on Serial1/0 from LOADING to FULL, Loading Done
R2(config-if)#exit -------> the neighbor adjacency was established and the routing information was loaded successfully
R2(config)#int s1/1
R2(config-if)#ipv6 ospf 20 a 0
R2(config-if)#exit
R3(config)#ipv6 router ospf 20
*Apr 17 11:56:39.315: %OSPFv3-4-NORTRID: OSPFv3 process 20 could not pick a router-id,
please configure manually
R3(config-rtr)#router-id 3.3.3.3
R3(config-rtr)#exit
R3(config)#int s1/0
R3(config-if)#ipv6 ospf 20 a 0
R3(config-if)#exit
R3(config)#
*Apr 17 11:57:21.319: %OSPFv3-5-ADJCHG: Process 20, Nbr 2.2.2.2 on Serial1/0 from LOADING to FULL, Loading Done
R3(config)#int lo0
R3(config-if)#ipv6 ospf 20 a 0
R3(config-if)#ipv6 ospf network point-to-point
R3(config-if)#exit
View the OSPF neighbor relationships on R2:
R2#show ipv6 ospf nei
Neighbor ID Pri State Dead Time Interface ID Interface
3.3.3.3 1 FULL/ - 00:00:30 5 Serial1/1
----> Because the routers are connected over serial interfaces, the network type defaults to P2P, so no DR or BDR is elected
1.1.1.1 1 FULL/ - 00:00:32 5 Serial1/0
View the OSPF database on R2:
R2#show ipv6 ospf database
OSPFv3 Router with ID (2.2.2.2) (Process ID 20)
Router Link States (Area 0) ----> LSA 0x2001: this LSA type only describes neighbor information on the links within the area, and is flooded within the area
ADV Router Age Seq# Fragment ID Link count Bits
1.1.1.1 1286 0x80000006 0 1 None
2.2.2.2 1264 0x80000005 0 2 None
3.3.3.3 1164 0x80000005 0 1 None
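Link (Type-8) Link States (Area 0) ----> LSA 0x2008: this LSA type only describes the IPv6 prefix information on the link between directly connected neighbor routers; its flooding scope is limited to the local link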
ADV Router Age Seq# Link ID Interface
2.2.2.2 1264 0x80000003 6 Se1/1
3.3.3.3 1164 0x80000003 5 Se1/1
1.1.1.1 1784 0x80000003 5 Se1/0
2.2.2.2 1264 0x80000003 5 Se1/0
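Intra Area Prefix Link States (Area 0) ----> LSA 0x2009: this LSA type is used to provide topology information, similar to LSA 1 in OSPFv2 for IPv4, and advertises the known IPv6 prefix information; its flooding scope is the area.
ADV Router Age Seq# Link ID Ref-lstype Ref-LSID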
1.1.1.1 1784 0x80000005 0 0x2001 0
2.2.2.2 1264 0x80000004 0 0x2001 0
3.3.3.3 1164 0x80000005 0 0x2001 0
View the routing table on R3:
R3#show ipv6 route
IPv6 Routing Table - 10 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route, M - MIPv6
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
D - EIGRP, EX - EIGRP external
O 2001:AB1:0:2::/64 [110/128]
via FE80::C801:7FF:FE80:0, Serial1/0
C 2001:AB1:0:3::/64 [0/0]
via ::, Serial1/0
L 2001:AB1:0:3::2/128 [0/0]
via ::, Serial1/0
C 2001:AB1:0:4::/64 [0/0]
via ::, Loopback0
L 2001:AB1:0:4::1/128 [0/0]
via ::, Loopback0
O 2001:AB1:0:8::/64 [110/129]
via FE80::C801:7FF:FE80:0, Serial1/0
O 2001:AB1:0:9::/64 [110/129]
via FE80::C801:7FF:FE80:0, Serial1/0
O 2001:AB1:0:A::/64 [110/129]
via FE80::C801:7FF:FE80:0, Serial1/0
O 2001:AB1:0:B::/64 [110/129]
via FE80::C801:7FF:FE80:0, Serial1/0 ----> the same administrative distance as in IPv4, 110
L FF00::/8 [0/0]
via ::, Null0
Test connectivity:
R3#ping 2001:ab1:0:8::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:AB1:0:8::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/38/104 ms
R3#ping 2001:ab1:0:9::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:AB1:0:9::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/43/128 ms ----> working normally
Area authentication can be configured to secure OSPFv3:
R3(config)#ipv6 router ospf 20
R3(config-rtr)#area 0 auth ipsec spi 600 md5 12345678901234567890123456789012
R3(config-rtr)#exit
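This configures IPsec-based area authentication for OSPF. The SPI number is the security association index value, MD5 is the cryptographic algorithm, and the value that follows it is the key, 32 digits long.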
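The lab enters the authentication command on R3 only, but OSPFv3 IPsec authentication is manually keyed, so neighbors in area 0 need the same SPI, algorithm and key for their adjacencies to hold. The Python check below is an added example, not part of the original lab, that audits saved router configurations for that consistency. The configuration snippets are constructed, and the SPI range and the SHA-1 key length are taken from the Cisco IOS command reference rather than from this page.

```python
import re

# Matches the area-level command used in this lab; IOS accepts the
# abbreviated keyword "auth" as well as "authentication".
AUTH_RE = re.compile(
    r"^\s*area\s+(\S+)\s+auth[a-z]*\s+ipsec\s+spi\s+(\d+)"
    r"\s+(md5|sha1)\s+([0-9A-Fa-f]+)\s*$", re.MULTILINE)
KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}  # key length expected per algorithm
SPI_MIN, SPI_MAX = 256, 4294967295        # SPI range accepted by IOS (not from the page)


def area_auth(config):
    """Return {area: (spi, algorithm, key)} for one router's configuration text."""
    return {area: (int(spi), alg, key.lower())
            for area, spi, alg, key in AUTH_RE.findall(config)}


def audit(configs, area="0"):
    """List problems with the IPsec authentication of `area` across all routers."""
    findings, seen = [], {}
    for name, text in sorted(configs.items()):
        entry = area_auth(text).get(area)
        if entry is None:
            findings.append(f"{name}: area {area} has no IPsec authentication")
            continue
        spi, alg, key = entry
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append(f"{name}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if len(key) != KEY_HEX_DIGITS[alg]:
            findings.append(f"{name}: {alg} key has {len(key)} hex digits, "
                            f"expected {KEY_HEX_DIGITS[alg]}")
        seen[name] = entry
    if len(set(seen.values())) > 1:
        findings.append("SPI/algorithm/key differ between: " + ", ".join(sorted(seen)))
    return findings


# Constructed sample: only R3 carries the command, as at the end of the lab.
KEY = "12345678901234567890123456789012"
LAB = {
    "R1": "ipv6 router ospf 20\n router-id 1.1.1.1\n",
    "R2": "ipv6 router ospf 20\n router-id 2.2.2.2\n",
    "R3": f"ipv6 router ospf 20\n router-id 3.3.3.3\n area 0 auth ipsec spi 600 md5 {KEY}\n",
}

if __name__ == "__main__":
    for finding in audit(LAB):
        print(finding)
```

Run against the lab's final state, the audit reports R1 and R2 as lacking area 0 authentication; it returns an empty list once all three routers carry the same command.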