CLI: typical OSPF configuration

Software version used

This example was configured and verified on the F1090 running software version R8660P33.

Network requirements

As shown in the figure below, all devices run OSPF and the autonomous system is divided into three areas. Device A and Device B act as ABRs and advertise routes between the areas. After the configuration is complete, every router should have learned routes to all network segments in the AS.

Figure 1 Network diagram for establishing OSPF adjacencies through security policies

Configuration procedure

Configuring Device A

  1. Configure interface IP addresses

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ip address 2.2.2.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/2] quit

  2. Add interfaces to security zones

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

  3. Configure security policies

     a. Configure security policy rules that permit traffic between the Untrust and Local zones, so that the two devices can establish an OSPF neighbor relationship.

# Configure a security policy rule named ospflocalin so that Device A can receive the OSPF packets sent by Device B:

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name ospflocalin

[DeviceA-security-policy-ip-0-ospflocalin] source-zone untrust

[DeviceA-security-policy-ip-0-ospflocalin] destination-zone local

[DeviceA-security-policy-ip-0-ospflocalin] service ospf

[DeviceA-security-policy-ip-0-ospflocalin] action pass

[DeviceA-security-policy-ip-0-ospflocalin] quit

# Configure a security policy rule named ospflocalout so that Device A can send OSPF packets to Device B:

[DeviceA-security-policy-ip] rule name ospflocalout

[DeviceA-security-policy-ip-1-ospflocalout] source-zone local

[DeviceA-security-policy-ip-1-ospflocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-ospflocalout] service ospf

[DeviceA-security-policy-ip-1-ospflocalout] action pass

[DeviceA-security-policy-ip-1-ospflocalout] quit

     b. Configure security policy rules that permit traffic between the Untrust and Trust zones, that is, traffic between Area 1 and Area 2.

# Configure a security policy rule named trust-untrust so that packets from the Trust zone to the Untrust zone are permitted:

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-2-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-2-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-2-trust-untrust] source-ip-subnet 2.2.2.0 24

[DeviceA-security-policy-ip-2-trust-untrust] destination-ip-subnet 3.3.3.0 24

[DeviceA-security-policy-ip-2-trust-untrust] action pass

[DeviceA-security-policy-ip-2-trust-untrust] quit

# Configure a security policy rule named untrust-trust so that packets from the Untrust zone to the Trust zone are permitted:

[DeviceA-security-policy-ip] rule name untrust-trust

[DeviceA-security-policy-ip-3-untrust-trust] source-zone untrust

[DeviceA-security-policy-ip-3-untrust-trust] destination-zone trust

[DeviceA-security-policy-ip-3-untrust-trust] source-ip-subnet 3.3.3.0 24

[DeviceA-security-policy-ip-3-untrust-trust] destination-ip-subnet 2.2.2.0 24

[DeviceA-security-policy-ip-3-untrust-trust] action pass

[DeviceA-security-policy-ip-3-untrust-trust] quit

[DeviceA-security-policy-ip] quit

  4. Configure basic OSPF

[DeviceA] router id 2.2.2.1

[DeviceA] ospf

[DeviceA-ospf-1] area 0

[DeviceA-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] quit

[DeviceA-ospf-1] area 1

[DeviceA-ospf-1-area-0.0.0.1] network 2.2.2.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.1] quit

[DeviceA-ospf-1] quit

Configuring Device B

  1. Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram:

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 1.1.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ip address 3.3.3.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/2] quit

  2. Add interfaces to security zones

# Add each interface to the security zone planned for it in the network diagram:

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

  3. Configure security policies

     a. Configure security policy rules that permit traffic between the Untrust and Local zones, so that the two devices can establish an OSPF neighbor relationship.

# Configure a security policy rule named ospflocalin so that Device B can receive the OSPF packets sent by Device A:

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name ospflocalin

[DeviceB-security-policy-ip-0-ospflocalin] source-zone untrust

[DeviceB-security-policy-ip-0-ospflocalin] destination-zone local

[DeviceB-security-policy-ip-0-ospflocalin] service ospf

[DeviceB-security-policy-ip-0-ospflocalin] action pass

[DeviceB-security-policy-ip-0-ospflocalin] quit

# Configure a security policy rule named ospflocalout so that Device B can send OSPF packets to Device A:

[DeviceB-security-policy-ip] rule name ospflocalout

[DeviceB-security-policy-ip-1-ospflocalout] source-zone local

[DeviceB-security-policy-ip-1-ospflocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-ospflocalout] service ospf

[DeviceB-security-policy-ip-1-ospflocalout] action pass

[DeviceB-security-policy-ip-1-ospflocalout] quit

     b. Configure security policy rules that permit traffic between the Untrust and Trust zones, that is, traffic between Area 1 and Area 2.

# Configure a security policy rule named trust-untrust so that packets from the Trust zone to the Untrust zone are permitted (the reverse direction is handled by the next rule):

[DeviceB-security-policy-ip] rule name trust-untrust

[DeviceB-security-policy-ip-2-trust-untrust] source-zone trust

[DeviceB-security-policy-ip-2-trust-untrust] destination-zone untrust

[DeviceB-security-policy-ip-2-trust-untrust] source-ip-subnet 3.3.3.0 24

[DeviceB-security-policy-ip-2-trust-untrust] destination-ip-subnet 2.2.2.0 24

[DeviceB-security-policy-ip-2-trust-untrust] action pass

[DeviceB-security-policy-ip-2-trust-untrust] quit

# Configure a security policy rule named untrust-trust so that packets from the Untrust zone to the Trust zone are permitted:

[DeviceB-security-policy-ip] rule name untrust-trust

[DeviceB-security-policy-ip-3-untrust-trust] source-zone untrust

[DeviceB-security-policy-ip-3-untrust-trust] destination-zone trust

[DeviceB-security-policy-ip-3-untrust-trust] source-ip-subnet 2.2.2.0 24

[DeviceB-security-policy-ip-3-untrust-trust] destination-ip-subnet 3.3.3.0 24

[DeviceB-security-policy-ip-3-untrust-trust] action pass

[DeviceB-security-policy-ip-3-untrust-trust] quit

[DeviceB-security-policy-ip] quit

  4. Configure basic OSPF

[DeviceB] router id 3.3.3.1

[DeviceB] ospf

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] area 2

[DeviceB-ospf-1-area-0.0.0.2] network 3.3.3.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.2] quit

[DeviceB-ospf-1] quit

Verifying the configuration

# Display detailed OSPF neighbor information on Device A.

[DeviceA] display ospf peer verbose

 

         OSPF Process 1 with Router ID 2.2.2.1

                 Neighbors

 

 Area 0.0.0.0 interface 1.1.1.1(GigabitEthernet1/0/1)'s neighbors

 Router ID: 3.3.3.1          Address: 1.1.1.2          GR State: Normal

   State: Full  Mode: Nbr is master  Priority: 1

   DR: 1.1.1.1  BDR: 1.1.1.2  MTU: 0

   Options is 0x42 (-|O|-|-|-|-|E|-)

   Dead timer due in 32  sec

   Neighbor is up for 00:07:08

   Authentication Sequence: [ 0 ]

   Neighbor state change count: 5

   BFD status: Disabled

# Display OSPF routing information on Device A.

[DeviceA] display ospf routing

 

         OSPF Process 1 with Router ID 2.2.2.1

                  Routing Table

 

 Routing for network

 Destination        Cost     Type    NextHop         AdvRouter       Area

 3.3.3.0/24         2        Inter   1.1.1.2         3.3.3.1         0.0.0.0

 2.2.2.0/24         1        Stub    0.0.0.0         2.2.2.1         0.0.0.1

 1.1.1.0/24         1        Transit 0.0.0.0         2.2.2.1         0.0.0.0

 

 Total nets: 3

 Intra area: 2  Inter area: 1  ASE: 0  NSSA: 0

# Hosts in Area 1 and hosts in Area 2 can ping each other.

Note that this example configures no OSPF authentication; the Authentication Sequence of 0 in the neighbor output reflects that. The ospflocalin rule admits OSPF packets from any address in the Untrust zone to the Local zone, so the security policy decides which zones may exchange OSPF packets, not which router may become a neighbor. In production, pair these rules with OSPF authentication on the inter-device links.
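The neighbor check above is worth automating, because the ospflocalin rule accepts OSPF from any Untrust address and an unplanned router on the 1.1.1.0/24 segment could attempt an adjacency. The following Python script is an added example and is not part of the H3C configuration guide: it parses `display ospf peer verbose` output (the output shown on this page is embedded as a constructed string), compares the neighbors found against a planned table, requires Full state, and reports an Authentication Sequence of 0, which here reflects that the example configures no OSPF authentication. The PLANNED table, the finding texts and the helper names are the example's own.

```python
import re

# Constructed sample: the 'display ospf peer verbose' output shown on this
# page, embedded as a string so the script runs offline.
PEER_OUTPUT = """\
         OSPF Process 1 with Router ID 2.2.2.1
                 Neighbors

 Area 0.0.0.0 interface 1.1.1.1(GigabitEthernet1/0/1)'s neighbors
 Router ID: 3.3.3.1          Address: 1.1.1.2          GR State: Normal
   State: Full  Mode: Nbr is master  Priority: 1
   DR: 1.1.1.1  BDR: 1.1.1.2  MTU: 0
   Options is 0x42 (-|O|-|-|-|-|E|-)
   Dead timer due in 32  sec
   Neighbor is up for 00:07:08
   Authentication Sequence: [ 0 ]
   Neighbor state change count: 5
   BFD status: Disabled
"""

AREA_RE = re.compile(r"\s*Area (\S+) interface ([^(]+)\(([^)]+)\)'s neighbors")
PEER_RE = re.compile(r"\s*Router ID: (\S+)\s+Address: (\S+)")
STATE_RE = re.compile(r"\s*State: (\S+)")
AUTH_RE = re.compile(r"\s*Authentication Sequence: \[ (\d+) \]")
CHANGES_RE = re.compile(r"\s*Neighbor state change count: (\d+)")


def parse_peers(text):
    """Return one dict per neighbor block in 'display ospf peer verbose' output."""
    peers, area, iface, cur = [], None, None, None
    for line in text.splitlines():
        if m := AREA_RE.match(line):
            area, iface = m.group(1), m.group(3)      # area and interface name
        elif m := PEER_RE.match(line):
            cur = {"area": area, "interface": iface,
                   "router_id": m.group(1), "address": m.group(2)}
            peers.append(cur)
        elif cur is None:
            continue                                  # process header lines
        elif m := STATE_RE.match(line):
            cur["state"] = m.group(1)
        elif m := AUTH_RE.match(line):
            cur["auth_seq"] = int(m.group(1))
        elif m := CHANGES_RE.match(line):
            cur["state_changes"] = int(m.group(1))
    return peers


def check_peers(peers, expected):
    """Compare parsed neighbors with the planned ones.

    expected maps (area, router_id) -> neighbor interface address. Returns a
    list of finding strings; an empty list means everything matched the plan.
    """
    findings, seen = [], set()
    for p in peers:
        key = (p["area"], p["router_id"])
        seen.add(key)
        if key not in expected:
            # Not in the plan: ospflocalin accepts OSPF from any Untrust
            # address, so an unplanned peer deserves a look.
            findings.append(f"unexpected neighbor {p['router_id']} at {p['address']} in area {p['area']}")
        elif expected[key] != p["address"]:
            findings.append(f"neighbor {p['router_id']} seen from {p['address']}, planned {expected[key]}")
        if p.get("state") != "Full":
            findings.append(f"neighbor {p['router_id']} is {p.get('state')}, not Full")
        if p.get("auth_seq") == 0:
            findings.append(f"neighbor {p['router_id']}: Authentication Sequence 0, OSPF authentication not in use")
    for area, rid in sorted(expected.keys() - seen):
        findings.append(f"planned neighbor {rid} missing in area {area}")
    return findings


# Planned neighbors of Device A, taken from the network diagram on this page
# (assumed table for the example).
PLANNED = {("0.0.0.0", "3.3.3.1"): "1.1.1.2"}

if __name__ == "__main__":
    for f in check_peers(parse_peers(PEER_OUTPUT), PLANNED) or ["all neighbors as planned"]:
        print(f)
```

Run against the page's output the script reports exactly one finding, the missing authentication; a second neighbor on the backbone link that is not in PLANNED would be reported as unexpected, and a planned neighbor that never reaches Full would be reported by state.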

Configuration files

Device A

#

 router id 2.2.2.1

#

ospf 1

 area 0.0.0.0

  network 1.1.1.0 0.0.0.255

 area 0.0.0.1

  network 2.2.2.0 0.0.0.255

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 1.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 2.2.2.1 255.255.255.0

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-policy ip

 rule 0 name ospflocalin

  action pass

  source-zone untrust

  destination-zone local

  service ospf

 rule 1 name ospflocalout

  action pass

  source-zone local

  destination-zone untrust

  service ospf

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 2.2.2.0 255.255.255.0

  destination-ip-subnet 3.3.3.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 3.3.3.0 255.255.255.0

  destination-ip-subnet 2.2.2.0 255.255.255.0

#

Device B

#

 router id 3.3.3.1

#

ospf 1

 area 0.0.0.0

  network 1.1.1.0 0.0.0.255

 area 0.0.0.2

  network 3.3.3.0 0.0.0.255

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 1.1.1.2 255.255.255.0

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 3.3.3.1 255.255.255.0

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-policy ip

 rule 0 name ospflocalin

  action pass

  source-zone untrust

  destination-zone local

  service ospf

 rule 1 name ospflocalout

  action pass

  source-zone local

  destination-zone untrust

  service ospf

 rule 2 name trust-untrust

  action pass

  source-zone trust

  destination-zone untrust

  source-ip-subnet 3.3.3.0 255.255.255.0

  destination-ip-subnet 2.2.2.0 255.255.255.0

 rule 3 name untrust-trust

  action pass

  source-zone untrust

  destination-zone trust

  source-ip-subnet 2.2.2.0 255.255.255.0

  destination-ip-subnet 3.3.3.0 255.255.255.0

#
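The security-policy sections above can be checked mechanically before they are pushed. The following Python script is an added example and not part of the H3C configuration guide: it parses the `security-policy ip` block in the configuration-file syntax shown above (Device A's rules are embedded as a constructed string) and evaluates sample flows the way the firewall does, first matching rule wins and an unmatched flow hits the implicit deny. The zone names, addresses and the `ospf` service keyword come from the page; the flow tuples, the helper names and the assumption that `service ospf` matches OSPF packets addressed to 224.0.0.5 are the example's own.

```python
import ipaddress
import re

# Constructed sample: Device A's security-policy section, copied from the
# configuration file on this page into an inline string.
DEVICE_A_POLICY = """\
security-policy ip
 rule 0 name ospflocalin
  action pass
  source-zone untrust
  destination-zone local
  service ospf
 rule 1 name ospflocalout
  action pass
  source-zone local
  destination-zone untrust
  service ospf
 rule 2 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 2.2.2.0 255.255.255.0
  destination-ip-subnet 3.3.3.0 255.255.255.0
 rule 3 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust
  source-ip-subnet 3.3.3.0 255.255.255.0
  destination-ip-subnet 2.2.2.0 255.255.255.0
"""

SET_KEYS = ("source-zone", "destination-zone", "service")
SUBNET_KEYS = ("source-ip-subnet", "destination-ip-subnet")


def parse_policy(text):
    """Parse the rules of a 'security-policy ip' block, keeping configured order."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*rule\s+(\d+)\s+name\s+(\S+)\s*$", line)
        if m:
            rules.append({"id": int(m.group(1)), "name": m.group(2), "action": None,
                          **{k: set() for k in SET_KEYS},
                          **{k: [] for k in SUBNET_KEYS}})
            continue
        parts = line.split()
        if not rules or not parts:
            continue                      # block header or blank line
        key, args = parts[0], parts[1:]
        rule = rules[-1]
        if key == "action":
            rule["action"] = args[0]
        elif key in SET_KEYS:
            rule[key].add(args[0].lower())
        elif key in SUBNET_KEYS:
            # "2.2.2.0 255.255.255.0" -> IPv4Network('2.2.2.0/24')
            rule[key].append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
    return rules


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """Return (action, rule_name) for one flow.

    Model assumptions (the example's own): rules are tried in configured
    order, the first match decides, a condition that is not configured in a
    rule matches anything, and a flow matching no rule is implicitly denied.
    """
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["source-zone"] and src_zone.lower() not in r["source-zone"]:
            continue
        if r["destination-zone"] and dst_zone.lower() not in r["destination-zone"]:
            continue
        if r["service"] and service.lower() not in r["service"]:
            continue
        if r["source-ip-subnet"] and not any(src_ip in n for n in r["source-ip-subnet"]):
            continue
        if r["destination-ip-subnet"] and not any(dst_ip in n for n in r["destination-ip-subnet"]):
            continue
        return r["action"], r["name"]
    return "deny", "default"


RULES = parse_policy(DEVICE_A_POLICY)

# Constructed flows. OSPF hellos are sent to the AllSPFRouters group
# 224.0.0.5 and terminate in the Local zone of the receiving firewall.
FLOWS = [
    ("OSPF hello from Device B", "untrust", "local", "1.1.1.2", "224.0.0.5", "ospf"),
    ("OSPF hello from Device A", "local", "untrust", "1.1.1.1", "224.0.0.5", "ospf"),
    ("Area 1 host to Area 2 host", "trust", "untrust", "2.2.2.10", "3.3.3.10", "icmp"),
    ("Area 2 host to Area 1 host", "untrust", "trust", "3.3.3.10", "2.2.2.10", "icmp"),
    ("Area 1 host to backbone link", "trust", "untrust", "2.2.2.10", "1.1.1.2", "icmp"),
    ("ICMP to the firewall itself", "untrust", "local", "1.1.1.2", "1.1.1.1", "icmp"),
]


def evaluate_flows(rules, flows=FLOWS):
    """Evaluate every constructed flow; returns {label: (action, rule_name)}."""
    return {f[0]: evaluate(rules, *f[1:]) for f in flows}


if __name__ == "__main__":
    for label, (action, name) in evaluate_flows(RULES).items():
        print(f"{label:30s} -> {action:4s} ({name})")
    # The same hello with ospflocalin removed is dropped before OSPF sees it,
    # so no adjacency can form.
    without = [r for r in RULES if r["name"] != "ospflocalin"]
    print("without ospflocalin:", evaluate_flows(without)["OSPF hello from Device B"])
```

The two OSPF flows hit rules 0 and 1, the two inter-area host flows hit rules 2 and 3, and the last two flows fall through to the implicit deny: an Area 1 host cannot reach the backbone link address 1.1.1.2 because rule 2 restricts the destination to 3.3.3.0/24, and non-OSPF traffic to the firewall itself is denied because rule 0 permits only the `ospf` service. Deleting ospflocalin turns the incoming hello into a deny, which is the symptom to look for when the neighbor never appears.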