ROS软路由论坛 ROSABC.com 网络方案网络工程交流 › 首页 ›路由器› 路由器网未分类 › 查看内容

技术文：FW的路由模式和透明模式下，OSPF的解析

2014-4-14 18:26| 发布者: admin| 查看: 801| 评论: 0

摘要: 穿过透明模式的ospf注意：透明模式下，防火墙只允许使用两个接口。防火墙需配管理地址，地址在全局模式下配即可。需要和建ospf邻居的直连在一个网段。防火墙的两边都要放通ospf流量：access－list nn permit ospf a ...

穿过透明模式的ospf注意：透明模式下，防火墙只允许使用两个接口。防火墙需配管理地址，地址在全局模式下配即可。需要和建ospf邻居的直连在一个网段。
防火墙的两边都要放通ospf流量：access－list nn permit ospf any any
两边路由器的接口类型支持点到点和广播（DR和BDR）。
广播类型下的邻居。
RT1
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:31    192.168.1.3     Ethernet0/0
RT2
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:30    192.168.1.2     Ethernet0/0

在RT2上debug ip ospf adj
rt2#
*Mar 1 00:12:12.247: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xCE7 opt 0x52 flag 0x7 len 32 mtu 1500 state INIT
*Mar 1 00:12:12.247: OSPF: 2 Way Communication to 1.1.1.1 on Ethernet0/0, state 2WAY
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.251: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.251: OSPF: Elect BDR 0.0.0.0
*Mar 1 00:12:12.251: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.251:        DR: 2.2.2.2 (Id)   BDR: none
*Mar 1 00:12:12.251: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3C opt 0x52 flag 0x7 len 32
*Mar 1 00:12:12.251: OSPF: First DBD and we are not SLAVE
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.251: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.251: OSPF: Elect BDR 1.1.1.1
*Mar 1 00:12:12.251: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.251:        DR: 2.2.2.2 (Id)   BDR: 1.1.1.1 (Id)
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.255: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.255: OSPF: Elect BDR 1.1.1.1
*Mar 1 00:12:12.259: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.259:        DR: 2.2.2.2 (Id)   BDR: 1.1.1.1 (Id)
*Mar 1 00:12:12.267: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3C opt 0x52 flag 0x2 len 52 mtu 1500 state EXSTART
*Mar 1 00:12:12.267: OSPF: NBR Negotiation Done. We are the MASTER
*Mar 1 00:12:12.267: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3D opt 0x52 flag 0x3 len 52
*Mar 1 00:12:12.279: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3D opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:12:12.283: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3E opt 0x52 flag 0x1 len 32
*Mar 1 00:12:12.287: OSPF: Send LS REQ to 1.1.1.1 length 12 LSA count 1

*Mar 1 00:12:12.303: OSPF: Rcv LS REQ from 1.1.1.1 on Ethernet0/0 length 36 LSA count 1
*Mar 1 00:12:12.307: OSPF: Send UPD to 192.168.1.2 on Ethernet0/0 length 64 LSA count 1
*Mar 1 00:12:12.311: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3E opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:12:12.311: OSPF: Exchange Done with 1.1.1.1 on Ethernet0/0
*Mar 1 00:12:12.351: OSPF: Rcv LS UPD from 1.1.1.1 on Ethernet0/0 length 88 LSA count 1
*Mar 1 00:12:12.351: OSPF: Synchronized with 1.1.1.1 on Ethernet0/0, state FULL
*Mar 1 00:12:12.355: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/0 from LOADING to FULL, Loading Done
*Mar 1 00:12:12.679: OSPF: Rcv LS UPD from 1.1.1.1 on Ethernet0/0 length 88 LSA count 1
*Mar 1 00:12:12.767: OSPF: Build router LSA for area 0, router ID 2.2.2.2, seq 0x80000004
*Mar 1 00:12:12.855: OSPF: Build network LSA for Ethernet0/0, router ID 2.2.2.2
*Mar 1 00:12:12.859: OSPF: Build network LSA for Ethernet0/0, router ID 2.2.2.2

透明模式下做NAT没成功。
静态路由，不能递归查到直连路由的路由不进全局路由表？

路由模式下的ospf：
路由模式下，和防火墙建ospf邻居，因为无流量穿过，不需要放通。防火墙为DR，RT1，RT2为BDR。
默认的接口类型为广播，可以改成点对点非广播类型。

Pix路由模式下做NAT ，即使没开启nat－control ，也一定要做排除nat，排除私网的地址，不然会导致私网不通。（nat命令只是匹配触发的流量）

Ctp步骤：抓取触发流量
Aaa authenticate match acclist interfacename LOCAL/AAA SERVER

Ssl vpn 没做。

（作者：Melody）

收藏邀请

上一篇：IT强，则国强――对中国科技领域的失望和追求下一篇：新手搭建网站服务器(Ubuntu+LAMP

		自动登录	找回密码
密码			会员注册

技术文：FW的路由模式和透明模式下，OSPF的解析

相关分类