47. Configuring OSPFv3 and Area Authentication

1. Master the configuration of OSPF for IPv6.

2. Master the configuration of IPsec-based OSPF authentication.

 

Topology diagram:

image.png


Configure the IPv6 addresses on each router, and use the ping command to confirm connectivity between the directly connected interfaces.

 

Configure the OSPFv3 routing protocol on routers R1, R2 and R3:

R1(config)#ipv6 router ospf 20  ---->Enable the OSPF routing protocol globally, process ID 20

R1(config-rtr)#

*Apr 17 11:46:03.675: %OSPFv3-4-NORTRID: OSPFv3 process 20 could not pick a router-id,

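please configure manually

   ---->Although OSPFv3 is used on IPv6 networks, its router-id is still 32 bits. When OSPFv3 is enabled, it automatically looks for a locally configured IPv4 address to use as the router-id; if none is configured locally, one must be created manually.

R1(config-rtr)#router-id 1.1.1.1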

R1(config-rtr)#exit

R1(config)#int s1/0

R1(config-if)#ipv6 ospf 20 a 0   ----->Add the interface to the OSPF process, in area 0

R1(config-if)#exit

R1(config)#int lo0

R1(config-if)#ipv6 ospf 20 a 0

R1(config-if)#ipv6 ospf network point-to-point   ---->Set the loopback network type to point-to-point, to avoid advertising a /128 host route

R1(config-if)#exit

 

R2(config)#ipv6 router ospf 20

R2(config-rtr)#route

*Apr 17 11:54:07.507: %OSPFv3-4-NORTRID: OSPFv3 process 20 could not pick a router-id,

please configure manually

R2(config-rtr)#router-id 2.2.2.2

R2(config-rtr)#exit

R2(config)#int s1/0

R2(config-if)#ipv6 ospf 20 a 0

*Apr 17 11:54:34.191: %OSPFv3-5-ADJCHG: Process 20, Nbr 1.1.1.1 on Serial1/0 from LOADING to FULL, Loading Done

R2(config-if)#exit                             ------->Neighbor adjacency created successfully; routing information loaded successfully

R2(config)#int s1/1

R2(config-if)#ipv6 ospf 20 a 0

R2(config-if)#exit

 

R3(config)#ipv6 router ospf 20

*Apr 17 11:56:39.315: %OSPFv3-4-NORTRID: OSPFv3 process 20 could not pick a router-id,

please configure manually

R3(config-rtr)#router-id 3.3.3.3

R3(config-rtr)#exit

R3(config)#int s1/0

R3(config-if)#ipv6 ospf 20 a 0

R3(config-if)#exit

R3(config)#

*Apr 17 11:57:21.319: %OSPFv3-5-ADJCHG: Process 20, Nbr 2.2.2.2 on Serial1/0 from LOADING to FULL, Loading Done

R3(config)#int lo0

R3(config-if)#ipv6 ospf 20 a 0

R3(config-if)#ipv6 ospf network point-to-point

R3(config-if)#exit

 

View the OSPF neighbor relationships on R2:

R2#show ipv6 ospf nei

 

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface

3.3.3.3           1   FULL/  -        00:00:30    5               Serial1/1

   ---->Because serial interfaces are used here, the link type defaults to P2P, and no DR or BDR is elected

1.1.1.1           1   FULL/  -        00:00:32    5               Serial1/0

 

View the OSPF database on R2:

R2#show ipv6 ospf database

 

            OSPFv3 Router with ID (2.2.2.2) (Process ID 20)

 

                Router Link States (Area 0)

   ---->LSA 0x2001: this LSA type only describes neighbor information on links within the area, and is flooded within the area

ADV Router      Age         Seq#        Fragment ID  Link count  Bits

1.1.1.1         1286        0x80000006  0            1           None

2.2.2.2         1264        0x80000005  0            2           None

3.3.3.3         1164        0x80000005  0            1           None

 

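                Link (Type-8) Link States (Area 0)

   ---->LSA 0x2008: this LSA type only describes the IPv6 prefix information on the link between directly connected router neighbors; its flooding scope is limited to the local link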

ADV Router      Age         Seq#        Link ID    Interface

2.2.2.2         1264        0x80000003  6          Se1/1

3.3.3.3         1164        0x80000003  5          Se1/1

1.1.1.1         1784        0x80000003  5          Se1/0

2.2.2.2         1264        0x80000003  5          Se1/0

 

                Intra Area Prefix Link States (Area 0)

   ---->LSA 0x2009: this LSA type provides topology information, similar to LSA 1 of OSPFv2 for IPv4; it advertises known IPv6 prefix information, and its flooding scope is the area

ADV Router      Age         Seq#        Link ID    Ref-lstype  Ref-LSID

1.1.1.1         1784        0x80000005  0          0x2001      0

2.2.2.2         1264        0x80000004  0          0x2001      0

3.3.3.3         1164        0x80000005  0          0x2001      0

 

View the routing table on R3:

R3#show ipv6 route

IPv6 Routing Table - 10 entries

Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP

       U - Per-user Static route, M - MIPv6

       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary

       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

       D - EIGRP, EX - EIGRP external

O   2001:AB1:0:2::/64 [110/128]

     via FE80::C801:7FF:FE80:0, Serial1/0

C   2001:AB1:0:3::/64 [0/0]

     via ::, Serial1/0

L   2001:AB1:0:3::2/128 [0/0]

     via ::, Serial1/0

C   2001:AB1:0:4::/64 [0/0]

     via ::, Loopback0

L   2001:AB1:0:4::1/128 [0/0]

     via ::, Loopback0

O   2001:AB1:0:8::/64 [110/129]

     via FE80::C801:7FF:FE80:0, Serial1/0

O   2001:AB1:0:9::/64 [110/129]

     via FE80::C801:7FF:FE80:0, Serial1/0

O   2001:AB1:0:A::/64 [110/129]

     via FE80::C801:7FF:FE80:0, Serial1/0

O   2001:AB1:0:B::/64 [110/129]

     via FE80::C801:7FF:FE80:0, Serial1/0       ---->Same administrative distance as in IPv4: 110

L   FF00::/8 [0/0]

     via ::, Null0

 

Run a test:

R3#ping 2001:ab1:0:8::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:AB1:0:8::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/38/104 ms

R3#ping 2001:ab1:0:9::1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:AB1:0:9::1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/43/128 ms   ---->OK

 

Area authentication can be configured to ensure the security of OSPFv3:

R3(config)#ipv6 router ospf 20

R3(config-rtr)#area 0 auth ipsec spi 600 md5 12345678901234567890123456789012

R3(config-rtr)#exit

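This configures IPsec-based area authentication for OSPF. The SPI number is the security association index value, MD5 is the encryption algorithm, and what follows it is the key value, 32 characters long.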
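
An added example, not part of the original lab: a manually keyed IPsec SA only authenticates an adjacency when both neighbors carry the same SPI, algorithm and key, so this Python check audits the area authentication line across router configurations. The R1 and R2 configs, the function names and the repeated-pattern heuristic are assumptions constructed for illustration; R3 uses the line shown above.

```python
import re

# Hex-digit key length IOS expects per algorithm (MD5 = 128 bits, SHA-1 = 160 bits).
KEY_HEX_LEN = {"md5": 32, "sha1": 40}
# Accepts the abbreviated "auth" used in the lab as well as "authentication".
AUTH_RE = re.compile(
    r"^\s*area\s+(\S+)\s+auth\w*\s+ipsec\s+spi\s+(\d+)\s+(md5|sha1)\s+"
    r"(?:[07]\s+)?([0-9a-f]+)\s*$", re.I | re.M)

def parse_area_auth(config):
    """Map area id -> (spi, algorithm, key) for each area authentication line."""
    return {m[1]: (int(m[2]), m[3].lower(), m[4].lower())
            for m in AUTH_RE.finditer(config)}

def is_repeating(key):
    """Heuristic (assumption): True if the key is a short pattern repeated."""
    n = len(key)
    return any((key[:p] * n)[:n] == key for p in range(1, n // 2 + 1))

def audit(configs, area="0"):
    """Return findings for one area across {router_name: config_text}."""
    findings, seen = [], {}
    for name in sorted(configs):
        auth = parse_area_auth(configs[name]).get(area)
        if auth is None:
            findings.append(f"{name}: area {area} has no IPsec authentication")
            continue
        seen[name] = auth
        _spi, algo, key = auth
        if len(key) != KEY_HEX_LEN[algo]:
            findings.append(f"{name}: {algo} key must be {KEY_HEX_LEN[algo]} hex digits")
        if is_repeating(key):
            findings.append(f"{name}: key is a repeated pattern")
    if len(set(seen.values())) > 1:
        findings.append(f"area {area}: SPI/algorithm/key differ between routers")
    return findings

# Constructed sample configs: only the R3 line comes from the lab.
R3_LINE = "area 0 auth ipsec spi 600 md5 12345678901234567890123456789012"
SAMPLE = {
    "R1": "ipv6 router ospf 20\n router-id 1.1.1.1\n"
          " area 0 authentication ipsec spi 600 md5 4b1d9e07c3a85f26d0e7419b6c2f8a53\n",
    "R2": "ipv6 router ospf 20\n router-id 2.2.2.2\n",
    "R3": "ipv6 router ospf 20\n router-id 3.3.3.3\n " + R3_LINE + "\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```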
