JNCIP案例分析 – Juniper/Cisco OSPF互操作 Part6

5. JUNOS与IOS OSPF/RIP重分布及路由策略协调

kangaroo

  1. R6/R7必须将10.0.5/24路由通告给RIP路由器,同时R7上通告的RIP路由Metric应大于R6上的通告;
  2. 172.16.40/24网段以OSPF内部路由的形式出现,该子网上不应存在OSPF邻接;

默认情况下,JUNOS会将直接重分布进入RIP的路由Metric值设置为1,而IOS则将来自任何协议重分布进RIP的Metric统一设置为16跳不可达Metric,在IOS上进行入向RIP重分布的时候总需要手动指定Metric值。由于之前的分解实验中已经讨论过JUNOS上从OSPF到RIP的重分布方式,这里仅快速列出R6上的相关配置。

[edit logical-routers]
nigel@itaa7.2# show r6 policy-options policy-statement
ospf-rip

term 1 {
    from {
        protocol ospf;
        route-filter 10.0.5.0/24 exact;
    }
    then accept;
}

[edit logical-routers]
nigel@itaa7.2# show r6 protocols rip
group rip {
    export ospf-rip;
    neighbor fxp1.60;
}
nigel@itaa7.2# run show route advertising-protocol rip
172.16.40.2 logical-router r6    

inet.0: 25 destinations, 26 routes (25 active,
0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.5.0/24        *[OSPF/150] 00:22:02, metric 14, tag 
                    420
                    > to 10.0.8.6 via fxp2.56

从R6通告给RIP的路由中顺带可以看到,作为转换LSA-7到LSA-5的NSSA ABR R4,IOS并没有将其本地外部路由的Metric带入骨干区域,而是保留了其初始的Metric值10,与JUNOS 8.5版本的行为相似。由于该外部路由的ASBR地址10.0.6.2经过域间汇总至10.0.4/22内,R3通告10.0.4/22汇总路由的Metric为2,因此在R6上的Metric值为10+2+2=14。同时,从IOS路由器R7将10.0.5/24网段重分布进入RIP的流程稍显复杂,为了验证RIP路由器同时从R6/R7上同时收到该段路由,我们要求R7向RIP注入Metric值同样为1的路由。

!
router rip
 version 2
 redistribute ospf 64 route-map ospf-rip
 network 172.16.0.0
!
access-list 2 permit 10.0.5.0 0.0.0.255
!
route-map ospf-rip permit 10
 match ip address 2
 set metric 1
!

而我们查看RIP路由器上的路由表的时候,却并没有发现同时出现两条10.0.5/24的条目,仅存在由R6通告过来的信息。而且我们在R1上采用默认的traceroute访问192.168.x/24网段能够返回成功的信息。由于我们并没有将除10.0.5/24以外的其他OSPF路由重分布到RIP里面,R1应当使用10.0.5.1作为traceroute源地址方能正常访问192.168.x/24网段。

nigel@itaa7.2# run show route logical-router rip
10.0.5/24    

inet.0: 17 destinations, 17 routes (17 active,
0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.5.0/24        *[RIP/100] 00:03:04, metric 2, tag 420
                    > to 172.16.40.2 via fxp2.60

nigel@itaa7.2# run traceroute 192.168.2.1 logical-router
r1

traceroute to 192.168.2.1 (192.168.2.1), 30 hops max,
40 byte packets

 1  10.0.4.13 (10.0.4.13)  1.168 ms  0.844 ms  1.150 ms
 2  10.0.2.1 (10.0.2.1)  1.094 ms  1.182 ms  1.160 ms
 3  10.0.8.5 (10.0.8.5)  1.314 ms  1.867 ms  1.747 ms
 4  192.168.2.1 (192.168.2.1)  5.232 ms  3.682 ms
     3.841 ms

在不存在其他后门链路的情况下,唯一能够解析的原因在于RIP路由器上存在10.0.5/24子网的汇总路由,R1发送到RIP路由器上的traceroute正是匹配了该汇总路由才能被返回。在172.16/16与10/8网络边缘,IOS路由器R7执行了自动汇总,10.0.5/24路由于是被自动汇总成为10.0.0.0/8主网路由,然后被通告到RIP路由器上面。我们通过查看RIP路由表能确认这点。

nigel@itaa7.2# run show route logical-router rip 10/8 

inet.0: 17 destinations, 17 routes (17 active,
0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[RIP/100] 00:08:31, metric 2, tag 0
                    > to 172.16.40.6 via fxp2.70
10.0.5.0/24        *[RIP/100] 00:09:21, metric 2, tag 420
                    > to 172.16.40.2 via fxp2.60

正是由于需要RIP支持无类路由,因此我们开始设置R7上RIP的时候便直接启用Version 2的RIP。关闭R7上的自动汇总,同时由于实验目标要求R7注入RIP的路由应该包含更大的Metric值,在route-map中我们将其调节为2。

!
router rip
 version 2
 redistribute ospf 64 route-map ospf-rip
 network 172.16.0.0
 no auto-summary
!
access-list 2 permit 10.0.5.0 0.0.0.255
!
route-map ospf-rip permit 10
 match ip address 2
 set metric 2
!

重新启动RIP路由器的路由进程,而问题却依然没有得到彻底解决,当RIP路由器收到来自R7的10.0.5/24明细路由后,原本从R6接收到的路由却消失掉。

nigel@itaa7.2# run restart routing logical-router rip
rip started, pid 4830

可能你已经能猜到,我们又回到了在R6上OSPF外部路由150与RIP 100的Preference冲突上。继续修正R6上的RIP导入策略。完成后为了尽快实现路由收敛,你可能需要清空R7的路由表以及重启R6/RIP的路由进程。制定策略的时候由于我们需要过滤从RIP路由更新注入同样为RIP路由协议的信息,此时默认策略为accept,因此我们需要增加term 2,将除192.168.x/24以外的其他路由明确拒绝掉。而对于IOS路由器R7,由于OSPF内部及外部路由的管理距离均为110,小于RIP的120,暂时不需要应用distribut-list in进行入向RIP路由过滤。

[edit logical-routers r6]
nigel@itaa7.2# show policy-options policy-statement
rip-ospf

term 1 {
    from {
        protocol rip;
        route-filter 192.168.0.0/21 orlonger;
    }
    then accept;
}

policy-statement rip-import {
    term 1 {
        from {
            protocol rip;
            route-filter 192.168.0.0/21 orlonger;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

最后我们确定仅有10.0.5/24网段路由被注入RIP内部,在R1上分别使用10.0.5.1以及默认接口作为源地址对192.168.x/24网段进行traceroute,仅有当10.0.5.1作为源地址的时候traceroute才能成功。

nigel@itaa7.2# run traceroute 192.168.1.1 logical-router
 r1

traceroute to 192.168.1.1 (192.168.1.1), 30 hops max,
40 byte packets
 1  10.0.4.13 (10.0.4.13)  5.114 ms  1.243 ms  1.498 ms
 2  10.0.2.1 (10.0.2.1)  1.839 ms  2.311 ms  1.471 ms
 3  10.0.8.5 (10.0.8.5)  1.972 ms  2.019 ms  1.756 ms
 4  * * *
 8  *^C

nigel@itaa7.2# run traceroute 192.168.1.1 logical-router
r1 source 10.0.5.1

traceroute to 192.168.1.1 (192.168.1.1) from 10.0.5.1,
30 hops max, 40 byte packets
 1  10.0.4.13 (10.0.4.13)  1.414 ms  0.955 ms  1.458 ms
 2  10.0.2.1 (10.0.2.1)  1.378 ms  1.740 ms  1.786 ms
 3  10.0.8.5 (10.0.8.5)  1.916 ms  1.834 ms  1.877 ms
 4  192.168.1.1 (192.168.1.1)  2.527 ms  2.221 ms
     2.048 ms

相对而言,对于172.16.40.x网段的通告配置比较简单,利用JUNOS对OSPF内外路由的区分,最后在R5上通过检查两条路由的Preference确认为域内路由。

[edit logical-routers r6]
nigel@itaa7.2# set protocols ospf area 20 interface
fxp1.60 passive 

!
router ospf 64
 passive-interface FastEthernet0/0.70
 network 172.16.40.4 0.0.0.3 area 20
!

nigel@itaa7.2# run show route logical-router r5 172.16/16 

inet.0: 22 destinations, 22 routes (22 active,
0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.40.0/30     *[OSPF/10] 00:01:50, metric 2
                    > to 10.0.8.5 via fxp1.56
172.16.40.4/30     *[OSPF/10] 00:01:50, metric 11
                    > to 10.0.8.10 via fxp1.57
r7# show ip ospf interface fa0/0.70
FastEthernet0/0.70 is up, line protocol is up
  Internet Address 172.16.40.6/30, Area 20
  Process ID 64, Router ID 10.0.9.7, Network Type
  BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.0.9.7, Interface address
  172.16.40.6
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40,
  Wait 40, Retransmit 5
    oob-resync timeout 40
    No Hellos (Passive interface
Advertisements

发表评论

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / 更改 )

Twitter picture

You are commenting using your Twitter account. Log Out / 更改 )

Facebook photo

You are commenting using your Facebook account. Log Out / 更改 )

Google+ photo

You are commenting using your Google+ account. Log Out / 更改 )

Connecting to %s