9.4 OSPF被动接口配置
9.4.1 原理概述
OSPF被动接口也称抑制接口,成为被动接口后,将不会接收和发送OSPF报文。如果要使OSPF路由信息不被某一网络中的路由器获得且使本地路由器不接收网络中其他路由器发布的路由更新信息,即已运行在OSPF协议进程中的接口不与本链路上其余路由器建立邻居关系时,可通过配置被动接口来禁止此接口接收和发送OSPF报文。
9.4.2 实验内容
本实验模拟企业网络场景。有路由器R1、R2、R4与R5分属不同部门的网关设备,每台设备都连接着各部门的员工终端,公司整网运行OSPF协议,并都处于区域0中。员工终端上经常收到路由器发送的OSPF数据报文,而该报文对终端而言毫无用处,还占用了一定的链路带宽资源,并有可能引起安全风险,比如非法接入路由器做路由欺骗。现通告配置被动接口来实现阻隔OSPF报文,优化公司网络。
9.4.3 实验拓扑
9.4.4 实验编址
| 设备 | 接口 | IP地址 | 子网掩码 | 默认网关 |
|---|---|---|---|---|
| AR1(AR2220) | GE 0/0/0 | 172.16.1.1 | 255.255.255.0 | N/A |
| AR1(AR2220) | GE 0/0/2 | 192.168.30.254 | 255.255.255.0 | N/A |
| AR2(AR2220) | GE 0/0/1 | 172.16.2.1 | 255.255.255.0 | N/A |
| AR2(AR2220) | GE 0/0/2 | 192.168.40.254 | 255.255.255.0 | N/A |
| AR3(AR2220) | GE 0/0/0 | 172.16.1.2 | 255.255.255.0 | N/A |
| AR3(AR2220) | GE 0/0/1 | 172.16.2.2 | 255.255.255.0 | N/A |
| AR3(AR2220) | GE 0/0/2 | 172.16.3.2 | 255.255.255.0 | N/A |
| AR4(AR2220) | GE 0/0/1 | 172.16.3.1 | 255.255.255.0 | N/A |
| AR4(AR2220) | GE 0/0/2 | 192.168.10.254 | 255.255.255.0 | N/A |
| AR5(AR2220) | GE 0/0/0 | 172.16.3.3 | 255.255.255.0 | N/A |
| AR5(AR2220) | GE 0/0/2 | 192.168.20.254 | 255.255.255.0 | N/A |
| PC1 | Ethernet 0/0/1 | 192.168.10.1 | 255.255.255.0 | 192.168.10.254 |
| PC2 | Ethernet 0/0/1 | 192.168.20.1 | 255.255.255.0 | 192.168.20.254 |
| PC3 | Ethernet 0/0/1 | 192.168.30.1 | 255.255.255.0 | 192.168.30.254 |
| PC4 | Ethernet 0/0/1 | 192.168.40.1 | 255.255.255.0 | 192.168.40.254 |
9.4.5 实验步骤
1、基本配置并搭建OSPF网络
根据实验编址表进行基本的配置和配置OSPF网络,并进行连通性测试。
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 172.16.1.1 24
[AR1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.30.254 24
[AR1-GigabitEthernet0/0/2]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 172.16.30.0 0.0.0.255
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]ip address 172.16.2.1 24
[AR2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[AR2-GigabitEthernet0/0/2]ip address 192.168.40.254 24
[AR2-GigabitEthernet0/0/2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.40.0 0.0.0.255
[AR3]interface GigabitEthernet 0/0/0
[AR3-GigabitEthernet0/0/0]ip address 172.16.1.2 24
[AR3-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[AR3-GigabitEthernet0/0/1]ip address 172.16.2.2 24
[AR3-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[AR3-GigabitEthernet0/0/2]ip address 172.16.3.2 24
[AR3-GigabitEthernet0/0/2]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 172.16.2.0 0.0.0.255
[AR3-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[AR4]interface GigabitEthernet 0/0/1
[AR4-GigabitEthernet0/0/1]ip address 172.16.3.1 24
[AR4-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[AR4-GigabitEthernet0/0/2]ip address 192.168.10.254 24
[AR4-GigabitEthernet0/0/2]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[AR5]interface GigabitEthernet 0/0/0
[AR5-GigabitEthernet0/0/0]ip address 172.16.3.3 24
[AR5-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/2
[AR5-GigabitEthernet0/0/2]ip address 192.168.20.254 24
[AR5-GigabitEthernet0/0/2]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
PC1>ping 192.168.40.1
Ping 192.168.40.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.40.1: bytes=32 seq=2 ttl=125 time=78 ms
From 192.168.40.1: bytes=32 seq=3 ttl=125 time=32 ms
From 192.168.40.1: bytes=32 seq=4 ttl=125 time=47 ms
From 192.168.40.1: bytes=32 seq=5 ttl=125 time=46 ms
--- 192.168.40.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/50/78 ms
2、配置被动接口
现在通过配置被动接口来优化连接终端的网络,使终端不在收到任何OSPF报文,在R4的OSPF进程中,使用silent-interface命令禁止接口接收和转发OSPF报文。
[AR1]ospf 1
[AR1-ospf-1]silent-interface GigabitEthernet 0/0/2
[AR2]ospf 1
[AR2-ospf-1]silent-interface GigabitEthernet 0/0/2
[AR4]ospf 1
[AR4-ospf-1]silent-interface GigabitEthernet 0/0/2
[AR5]ospf 1
[AR5-ospf-1]silent-interface GigabitEthernet 0/0/2
3、验证被动接口
配置被动接口,该接口会禁止接收和发送OSPF报文,固在两台路由器间OSPF链路的接口上做该配置,会导致OSPF邻居无法建立。
在R1上面使用display ip routing-table命令查看其他路由器上面的被动接口的网段路由条目是否获取到。
[AR1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 15
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 GigabitEthernet0/0/0
172.16.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
172.16.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
172.16.2.0/24 OSPF 10 2 D 172.16.1.2 GigabitEthernet0/0/0
172.16.3.0/24 OSPF 10 2 D 172.16.1.2 GigabitEthernet0/0/0
192.168.10.0/24 OSPF 10 3 D 172.16.1.2 GigabitEthernet0/0/0
192.168.20.0/24 OSPF 10 3 D 172.16.1.2 GigabitEthernet0/0/0
192.168.30.0/24 Direct 0 0 D 192.168.30.254 GigabitEthernet0/0/2
192.168.30.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
192.168.30.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/2
192.168.40.0/24 OSPF 10 3 D 172.16.1.2 GigabitEthernet0/0/0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
可以观察到,此时其他邻居路由器任然可以收到该网段的路由条目,被动接口的特性只是不在收发任何OSPF报文,但是被动接口所在网段的直连路由条目如果已经在OSPF中通告,那么也会被其他的OSPF邻居路由器接收到。测试pc1和pc4的连通性,可以看到可以正常通信。
PC1>ping 192.168.40.1
Ping 192.168.40.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.40.1: bytes=32 seq=2 ttl=125 time=47 ms
From 192.168.40.1: bytes=32 seq=3 ttl=125 time=32 ms
From 192.168.40.1: bytes=32 seq=4 ttl=125 time=46 ms
From 192.168.40.1: bytes=32 seq=5 ttl=125 time=47 ms
--- 192.168.40.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/43/47 ms
