IP: Open Shortest Path First (OSPF)

Scalable ISDN Backup Strategy for Large OSPF Networks

October 24, 2016 - Machine translation

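Introduction

This technical note describes a scalable ISDN backup strategy for large OSPF networks. Previously, it was necessary to dedicate one ISDN interface on an OSPF area border router (ABR) to each area that required backup. This meant that if 50 OSPF areas needed backup, you would require 50 ISDN interfaces, possibly spread across multiple backup ABRs. For the purposes of this discussion, the backup ABR is the ABR that terminates the ISDN link established when the primary link fails. The following explains why a dedicated ISDN interface on the backup ABR was necessary for each area.

This limitation stems from the fact that an interface can belong to only one area at a time. ISDN has traditionally used legacy dial-on-demand routing (DDR) code, in which all B channels on a physical ISDN circuit are attached to a single network-layer point-to-multipoint entity called the dialer interface. Therefore, even though a Primary Rate Interface (PRI) has 23 B channels, all channels on this physical ISDN circuit belong to the same network-layer interface, SerialX:23, and this interface can belong to only one OSPF area. The fact that we can physically terminate calls from 23 separate sites on this PRI is wasted, because all channels must share the same network-layer configuration. As a result, we have the limitation that each area requiring backup must have a dedicated ISDN interface on the backup ABR.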

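Prerequisites

Requirements

There are no specific prerequisites for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before you use it.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information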

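Cisco IOS release 11.2 introduced the dialer profiles feature. One of the fundamental differences between legacy DDR and dialer profiles is that the physical ISDN circuit is no longer tied to a single network-layer interface. Instead, we can define multiple dialer profiles, which are network-layer entities with some associated DDR parameters. When an incoming call arrives on an ISDN circuit, we dynamically bind the call to the appropriate dialer profile based on the authenticated username or the caller ID. You can define more dialer profiles than you have physical ISDN circuits, which allows you to oversubscribe and, in essence, rely on statistical multiplexing of your ISDN calls.

This appears to be a breakthrough for our OSPF backup strategy. Because each dialer profile has its own associated IP address (and OSPF area), if we have 50 OSPF areas to back up, we can configure 50 different dialer profiles on the backup ABR. We no longer need 50 different ISDN interfaces; we can use a smaller number, oversubscribed to whatever level our backup network can handle. When an incoming call arrives at the backup ABR, we bind the call from the disconnected area to the appropriate dialer profile in the same area.

Unfortunately, there are some problems with dialer profiles. Preconfiguring the dialer profiles places each dialer profile inside the area it backs up. This results in: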

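  • Additional LSAs being generated, one per dialer profile.

  • Areas automatically becoming discontiguous, because the dialer profile becomes a stub link into the area. (Dialer interfaces never go down, so OSPF creates a stub link for every dialer interface configured on the router.)

  • Each dialer profile introducing an extra route into the area, which may be undesirable when performing summarization.

  • Any change in the LSA database (a link flap anywhere in the network) causing an ISDN call to be generated.

  • ISDN calls being generated to every area when flooding occurs, because area LSAs are flooded across the autonomous system every 30 minutes to keep the LSA database synchronized.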

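Note: With IOS 11.2, it is possible to avoid the last scenario by using the OSPF on-demand feature. However, every router in each area being backed up must be upgraded to 11.2 so that it understands the demand circuit (DC) option when adjacencies form.

The virtual profiles feature in Cisco IOS 11.3 solves all of the problems above. Virtual profiles are based on dialer profiles, so once again the network-layer interface is decoupled from the physical ISDN circuit. However, virtual profiles extend dialer profiles by allowing dynamic interface configuration when an incoming call is made. The interface configuration is stored on a central AAA server (in our scenario, one that supports the TACACS+ or RADIUS protocol) and downloaded to the router on demand. When an area dials back to the ABR, the physical ISDN circuit is bound to a dynamic interface called a virtual access interface. The configuration of the virtual access interface comes from a virtual template and, most importantly, from the AAA server. We store the IP address of the virtual profile on the AAA server and apply it to the virtual access interface that the physical ISDN circuit is bound to. When the ISDN link is disconnected, the virtual profile (that is, the virtual access interface the area was connected to) is destroyed, and the ISDN link is ready for the next ISDN call.

With a PRI, we can support 23 simultaneous calls from the same or different sites. When PPP multilink is enabled on the backup ABR and a new call arrives, we compare the authenticated username with those of the existing virtual profiles. If a match is found (the call originates from the same area), we bundle the links together into a multilink bundle (virtual profile), which allows physical ISDN circuits originating from the same site to share the same network-layer interface. Physical ISDN circuits originating from a different area (the authenticated username differs from those of the virtual profiles already created) are bound to a new virtual profile, and a new virtual access interface is created with its configuration downloaded from the AAA server.

Because we no longer preconfigure dialer profiles on the backup ABR, we do not encounter the dialer profile problems listed above. The lack of preconfiguration also allows the backup ABR function to scale easily across multiple chassis and eliminates redundant administrative overhead.

On the backup ABR, however, you do need to preconfigure the OSPF network statements that tie subnets to specific areas.

Network Diagram

In the example shown below, we have two routers in area 0, isdn2-1 and isdn2-2. isdn2-1 has the primary link to isdn1-7, which is in area 100. isdn1-5 is the ABR for area 100 and dials into isdn2-2, which is the backup aggregation router. isdn1-4 is another router in area 100, from which we can run traceroute to monitor the path of IP traffic. isdn1-5 runs OSPF on demand; it initially synchronizes with isdn2-2 and therefore has full knowledge of inter-area routes, including summary routes. However, the cost on the backup interface is high, so the preferred path is still through isdn1-7.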

/image/gif/paws/13695/23a.gif

Configurations

The current configurations of the routers in the example above are shown below.

isdn2-1
interface Loopback0
  ip address 10.0.1.1 255.255.255.0
 !
 interface Loopback1
  ip address 10.0.2.2 255.255.255.0
 !
 interface Loopback2
  ip address 10.0.3.3 255.255.255.0
 !
 interface Tunnel0
  ip address 10.100.100.2 255.255.255.0
  ip ospf cost 100
  tunnel source Ethernet2/0
  tunnel destination 172.16.25.9
  tunnel key 1234
 !
 interface Ethernet2/0
  ip address 172.16.25.51 255.255.255.240
 !
 router ospf 10
  redistribute static subnets route-map cisco_summary
  network 10.0.0.0 0.0.255.255 area 0
  network 172.16.25.48 0.0.0.15 area 0
  network 10.100.100.0 0.0.0.255 area 100
  default-metric 100
 !
 ip default-gateway 172.16.25.49
 ip classless
 ip route 171.68.0.0 255.254.0.0 172.16.25.49
 ip route 172.16.25.9 255.255.255.255 172.16.25.49
 no logging buffered
 access-list 101 permit ip 171.68.0.0 0.0.255.255 255.254.0.0 0.0.255.255
 route-map cisco_summary permit 10
  match ip address 101
  set metric 200

isdn2-2
aaa new-model
aaa authentication login default none
aaa authentication ppp default if-needed tacacs+
aaa authorization network tacacs+
aaa accounting network start-stop tacacs
!
interface Ethernet0
ip address 172.16.25.52 255.255.255.240
!
interface Virtual-Template1
no ip address
ppp authentication chap
!
interface Serial0:23
no ip address
encapsulation ppp
dialer-group 1
isdn incoming-voice modem
no peer default ip address
ppp authentication chap
!
interface Group-Async1
ip unnumbered Ethernet0
ip tcp header-compression passive
encapsulation ppp
async mode interactive
peer default ip address pool default
ppp authentication chap
group-range 1 24
!
router ospf 10
network 10.0.0.0 0.0.255.255 area 0
network 10.200.0.0 0.0.255.255 area 200
network 172.16.25.48 0.0.0.15 area 0
network 10.100.200.0 0.0.0.255 area 100
!
ip local pool default 172.16.25.59 172.16.25.62
virtual-profile virtual-template 1
virtual-profile aaa
dialer-list 1 protocol ip permit
tacacs-server host 171.68.207.32
tacacs-server key cisco

isdn1-5
interface Ethernet0
  ip address 172.16.25.5 255.255.255.240
 !
 interface BRI0
  ip address 10.100.200.1 255.255.255.0
  encapsulation ppp
  ip ospf cost 1500
  ip ospf demand-circuit
  no peer default ip address
  dialer map ip 10.100.200.2 name isdn2-2 broadcast 4327528
  dialer-group 1
  ppp authentication chap
  ppp chap hostname ospf_backup1
 !
 router ospf 10
  network 0.0.0.0 255.255.255.255 area 100
 !
 dialer-list 1 protocol ip permit

isdn1-7
interface Tunnel0
ip address 10.100.100.1 255.255.255.0
ip ospf cost 100
tunnel source Ethernet0
tunnel destination 172.16.25.51
tunnel key 1234
!
interface Ethernet0
ip address 172.16.25.9 255.255.255.240
media-type 10BaseT
!
router ospf 10
redistribute static
network 0.0.0.0 255.255.255.255 area 100
!
ip classless
ip route 172.16.25.51 255.255.255.255 172.16.25.1

isdn1-4
interface Ethernet0
  ip address 172.16.25.4 255.255.255.240
 !
 router ospf 10
  network 0.0.0.0 255.255.255.255 area 100

Show Commands

The following is the show command output from the routers above.

isdn2-1 show commands

isdn2-1#show ip ospf
 Routing Process "ospf 10" with ID 10.0.2.2
 Supports only single TOS(TOS0) routes
 It is an area border and autonomous system boundary router
 Summary Link update interval is 00:30:00 and the update due in 00:00:06
 External Link update interval is 00:30:00 and the update due in 00:27:25
 Redistributing External Routes from,
    static with metric mapped to 100, includes subnets in redistribution
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 2. 2 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 4
        Area has no authentication
        SPF algorithm executed 38 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:29:21
        Link State Age Interval is 00:20:00 and due in 00:06:06
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
    Area 100
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 35 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:00:37
        Link State Age Interval is 00:20:00 and due in 00:00:05
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 6

isdn2-1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 172.16.25.49 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 4 subnets
C       10.0.2.0 is directly connected, Loopback1
C       10.0.3.0 is directly connected, Loopback2
C       10.100.100.0 is directly connected, Tunnel0
C       10.0.1.0 is directly connected, Loopback0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.25.48/28 is directly connected, Ethernet2/0
S       172.16.25.9/32 [1/0] via 172.16.25.49
S    171.68.0.0/15 [1/0] via 172.16.25.49

isdn2-2 show commands

isdn2-2#show ip ospf
 Routing Process "ospf 10" with ID 172.16.25.52
 Supports only single TOS(TOS0) routes
 It is an area border router
 Summary Link update interval is 00:30:00 and the update due in 00:03:21
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 3. 3 normal 0 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 26
        Area has no authentication
        SPF algorithm executed 9 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:03:20
        Link State Age Interval is 00:20:00 and due in 00:03:19
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
    Area 100
        Number of interfaces in this area is 0
        Area has no authentication
        SPF algorithm executed 34 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:00:00
        Link State Age Interval is 00:20:00 and due in 00:03:19
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 10
    Area 200
        Number of interfaces in this area is 0
        Area has no authentication
        SPF algorithm executed 1 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:00:00
        Link State Age Interval is 00:20:00 and due in 00:03:19
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0

isdn2-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 172.16.25.49 to network 0.0.0.0

     172.16.0.0/28 is subnetted, 1 subnets
C       172.16.25.48 is directly connected, Ethernet0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA    10.100.100.0/24 [110/110] via 172.16.25.51, 00:07:07, Ethernet0
O       10.0.3.3/32 [110/11] via 172.16.25.51, 00:09:40, Ethernet0
O       10.0.2.2/32 [110/11] via 172.16.25.51, 00:09:40, Ethernet0
O       10.0.1.1/32 [110/11] via 172.16.25.51, 00:09:40, Ethernet0
O E2 171.68.0.0/15 [110/200] via 172.16.25.49, 00:07:07, Ethernet0

isdn2-2#show ip ospf interface virtual-template 1
Virtual-Template1 is down, line protocol is down
   OSPF not enabled on this interface

isdn1-7 show commands

isdn1-7#show ip ospf
 Routing Process "ospf 10" with ID 172.16.25.9
 Supports only single TOS(TOS0) routes
 It is an autonomous system boundary router
 External Link update interval is 00:30:00 and the update due in 00:03:54
 Redistributing External Routes from,
    static
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area 100
        Number of interfaces in this area is 3
        Area has no authentication
        SPF algorithm executed 32 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:10:38
        Link State Age Interval is 00:20:00 and due in 00:10:38
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 6

isdn1-7#show ip ospf neighbor details
 Neighbor 172.16.25.5, interface address 172.16.25.5
    In the area 100 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    DR is 172.16.25.5 BDR is 172.16.25.4
    Options 2
    Dead timer due in 00:00:32
 Neighbor 172.16.25.4, interface address 172.16.25.4
    In the area 100 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    DR is 172.16.25.5 BDR is 172.16.25.4
    Options 2
    Dead timer due in 00:00:39
 Neighbor 10.0.2.2, interface address 10.100.100.2
    In the area 100 via interface Tunnel0
    Neighbor priority is 1, State is FULL
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options 2
    Dead timer due in 00:00:37

isdn1-7#show ip ospf interface tunnel0
Tunnel0 is up, line protocol is up
  Internet Address 10.100.100.1/24, Area 100
  Process ID 10, Router ID 172.16.25.9, Network Type POINT_TO_POINT, Cost: 100
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)

isdn1-7#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 172.16.25.1 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA    172.16.25.48/28 [110/1520] via 172.16.25.5, 00:10:33, Ethernet0
S       172.16.25.51/32 [1/0] via 172.16.25.1
C       172.16.25.0/28 is directly connected, Ethernet0
C       172.16.25.3/32 is directly connected, Virtual-Access1
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O IA    10.0.3.3/32 [110/1521] via 172.16.25.5, 00:10:33, Ethernet0
O IA    10.0.2.2/32 [110/1521] via 172.16.25.5, 00:10:33, Ethernet0
O IA    10.0.1.1/32 [110/1521] via 172.16.25.5, 00:10:33, Ethernet0
C       10.100.100.0/24 is directly connected, Tunnel0
O       10.100.65.1/32 [110/11] via 172.16.25.5, 00:10:33, Ethernet0
O       10.100.60.1/32 [110/11] via 172.16.25.5, 00:10:33, Ethernet0
O       10.100.55.1/32 [110/11] via 172.16.25.5, 00:10:33, Ethernet0
O       10.100.50.1/32 [110/11] via 172.16.25.5, 00:10:33, Ethernet0
O       10.100.200.0/24 [110/1510] via 172.16.25.5, 00:10:33, Ethernet0
O E2 171.68.0.0/15 [110/200] via 172.16.25.5, 00:10:33, Ethernet0

isdn1-5 show commands

isdn1-5#show ip ospf
 Routing Process "ospf 10" with ID 172.16.25.5
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 3
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area 100
        Number of interfaces in this area is 6
        Area has no authentication
        SPF algorithm executed 45 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:05:12
        Link State Age Interval is 00:20:00 and due in 00:05:11
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 7

isdn1-5#show ip ospf neighbor details
 Neighbor 172.16.25.52, interface address 10.100.200.2
    In the area 100 via interface BRI0
    Neighbor priority is 1, State is FULL
    Options 34
    Dead timer due in 00:00:34
 Neighbor 172.16.25.9, interface address 172.16.25.9
    In the area 100 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    Options 2
    Dead timer due in 00:00:36
 Neighbor 172.16.25.4, interface address 172.16.25.4
    In the area 100 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    Options 2
    Dead timer due in 00:00:36

isdn1-5#show ip ospf interface bri0
BRI0 is up, line protocol is up (spoofing)
  Internet Address 10.100.200.1/24, Area 100
  Process ID 10, Router ID 172.16.25.5, Network Type POINT_TO_POINT, Cost: 1500
  Configured as demand circuit.
  Run as demand circuit.
  DoNotAge LSA allowed.
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.25.52  (Hello suppressed)
  Suppress hello for 1 neighbor(s)

isdn1-5#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O IA    10.0.3.3/32 [110/111] via 172.16.25.9, 00:00:56, Ethernet0
O IA    10.0.2.2/32 [110/111] via 172.16.25.9, 00:00:56, Ethernet0
O IA    10.0.1.1/32 [110/111] via 172.16.25.9, 00:00:56, Ethernet0
O       10.100.100.0/24 [110/110] via 172.16.25.9, 00:00:56, Ethernet0
C       10.100.65.0/24 is directly connected, Loopback3
C       10.100.60.0/24 is directly connected, Loopback2
C       10.100.55.0/24 is directly connected, Loopback1
C       10.100.50.0/24 is directly connected, Loopback0
C       10.100.200.2/32 is directly connected, BRI0
C       10.100.200.0/24 is directly connected, BRI0
     172.16.0.0/28 is subnetted, 2 subnets
O IA    172.16.25.48 [110/120] via 172.16.25.9, 00:00:57, Ethernet0
C       172.16.25.0 is directly connected, Ethernet0
O E2 171.68.0.0/15 [110/200] via 172.16.25.9, 00:00:58, Ethernet0

isdn1-4 show commands

isdn1-4#show ip ospf
 Routing Process "ospf 10" with ID 172.16.25.4
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Number of DCbitless external LSA 0
 Number of DoNotAge external LSA 3
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    Area 100
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 27 times
        Area ranges are
        Link State Update Interval is 00:30:00 and due in 00:20:41
        Link State Age Interval is 00:20:00 and due in 00:00:40
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 6

isdn1-4#show ip ospf neighbor details
 Neighbor 172.16.25.9, interface address 172.16.25.9
    In the area 100 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    Options 2
    Dead timer due in 00:00:35
 Neighbor 172.16.25.5, interface address 172.16.25.5
    In the area 100 via interface Ethernet0
    Neighbor priority is 1, State is FULL
    Options 2
    Dead timer due in 00:00:30

isdn1-4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O IA    10.0.3.3/32 [110/111] via 172.16.25.9, 00:02:00, Ethernet0
O IA    10.0.2.2/32 [110/111] via 172.16.25.9, 00:02:01, Ethernet0
O IA    10.0.1.1/32 [110/111] via 172.16.25.9, 00:02:01, Ethernet0
O       10.100.100.0/24 [110/110] via 172.16.25.9, 00:02:11, Ethernet0
O       10.100.65.1/32 [110/11] via 172.16.25.5, 00:02:11, Ethernet0
O       10.100.60.1/32 [110/11] via 172.16.25.5, 00:02:11, Ethernet0
O       10.100.55.1/32 [110/11] via 172.16.25.5, 00:02:11, Ethernet0
O       10.100.50.1/32 [110/11] via 172.16.25.5, 00:02:11, Ethernet0
O       10.100.200.0/24 [110/1510] via 172.16.25.5, 00:02:11, Ethernet0
     172.16.0.0/28 is subnetted, 2 subnets
O IA    172.16.25.48 [110/120] via 172.16.25.9, 00:02:01, Ethernet0
C       172.16.25.0 is directly connected, Ethernet0
O E2 171.68.0.0/15 [110/200] via 172.16.25.9, 00:02:01, Ethernet0

Debugging and Verification

The current route from isdn1-4 to 171.68.191.1 is through isdn1-7, across the tunnel interface to isdn2-1, and through 172.16.25.49.

isdn1-4#show ip route 171.68.0.0
Routing entry for 171.68.0.0/15, supernet
  Known via "ospf 10", distance 110, metric 200, type extern 2, forward metric 120
  Redistributing via ospf 10
  Last update from 172.16.25.9 on Ethernet0, 00:00:04 ago
  Routing Descriptor Blocks:
  * 172.16.25.9, from 10.0.2.2, 00:00:04 ago, via Ethernet0
      Route metric is 200, traffic share count is 1

We can see this route by using the traceroute command to a host on the Cisco internal network. How the packets get back to us is irrelevant in this scenario.

isdn1-4#traceroute 171.68.191.1

Type escape sequence to abort.
Tracing the route to dpeng-sun.cisco.com (171.68.200.127)

  1 172.16.25.9 4 msec 4 msec 4 msec      (isdn1-7)
  2 10.100.100.2 4 msec 8 msec 8 msec     (isdn2-1)
  3 172.16.25.49 4 msec 4 msec 4 msec
  4 171.68.191.1 8 msec 8 msec 4 msec

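Change the tunnel key on isdn1-7 to bring the tunnel interface down. If we wait a full dead interval (40 seconds is the default dead interval), the peer is detected as down and our backup begins.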

isdn1-7#
*Mar  1 02:31:17.916: OSPF: 10.0.2.2 address 10.100.100.2 on Tunnel0 is dead

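The area backup router is isdn1-5. It runs OSPF on demand and therefore has full knowledge of inter-area routes through the backup aggregation router. However, the OSPF cost through the backup link is higher, so while the primary link between area 100 and the backbone is up, packets still flow through isdn1-7. Because we broke the primary link on isdn1-7, isdn1-5's route is now better, and the change in the OSPF database triggers a call to the backup aggregation router.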

isdn1-5#
*Mar  7 04:58:09.955: ISDN BR0: TX ->  SETUP pd = 8  callref = 0x05
*Mar  7 04:58:09.959:         Bearer Capability i = 0x8890
*Mar  7 04:58:09.959:         Channel ID i = 0x83
*Mar  7 04:58:09.963:         Keypad Facility i = '4327528'
*Mar  7 04:58:10.103: ISDN BR0: RX <-  CALL_PROC pd = 8  callref = 0x85
*Mar  7 04:58:10.107:         Channel ID i = 0x89
*Mar  7 04:58:10.963: ISDN BR0: RX <-  CONNECT pd = 8  callref = 0x85
*Mar  7 04:58:10.975: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar  7 04:58:11.007: ISDN BR0: TX ->  CONNECT_ACK pd = 8  callref = 0x05
*Mar  7 04:58:12.019: %LINEPROTO-5-UPDOWN: 
Line protocol on Interface BRI0:1, changed state to up
*Mar  7 04:58:17.131: %ISDN-6-CONNECT: 
Interface BRI0:1 is now connected to 4327528 isdn2-2
*Mar  7 04:58:24.159: OSPF: 
Cannot see ourself in hello from 172.16.25.52 on BRI0, state INIT
*Mar  7 04:58:27.867: OSPF: Rcv DBD from 172.16.25.52 on BRI0 seq 0x6FE 
opt 0x22 flag 0x7 len 32 state INIT
*Mar  7 04:58:27.871: OSPF: 2 Way Communication to 172.16.25.52 
on BRI0, state 2WAY
*Mar  7 04:58:27.875: OSPF: Send DBD to 172.16.25.52 on BRI0 seq 
0xEBC opt 0x22 flag 0x7 len 32
*Mar  7 04:58:27.879: OSPF: NBR Negotiation Done. We are the SLAVE
*Mar  7 04:58:27.879: OSPF: Send DBD to 172.16.25.52 on BRI0 seq 
0x6FE opt 0x22 flag 0x2 len 432
*Mar  7 04:58:28.031: OSPF: Rcv DBD from 172.16.25.52 on BRI0 seq 
0x6FF opt 0x22 flag 0x3 len 432 state EXCHANGE
*Mar  7 04:58:28.035: OSPF: Send DBD to 172.16.25.52 on BRI0 seq 
0x6FF opt 0x22 flag 0x0 len 32
*Mar  7 04:58:28.043: OSPF: Database request to 172.16.25.52
*Mar  7 04:58:28.043: OSPF: sent LS REQ packet to 10.100.200.2, 
length 24
*Mar  7 04:58:28.079: OSPF: Rcv DBD from 172.16.25.52 on BRI0 seq 
0x700 opt 0x22 flag 0x1 len 32 state EXCHANGE
*Mar  7 04:58:28.079: OSPF: Exchange Done with 172.16.25.52 on BRI0
*Mar  7 04:58:28.083: OSPF: Send DBD to 172.16.25.52 on BRI0 seq 
0x700 opt 0x22 flag 0x0 len 32
*Mar  7 04:58:28.099: OSPF: Synchronized with 172.16.25.52 on BRI0, 
state FULL
*Mar  7 04:58:28.099: OSPF: Tried to build Router LSA within 
MinLSInterval

The backup process on isdn1-5 is complete, and the ISDN interface is now the link between area 100 and the backbone area.

isdn1-5#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O IA    10.0.3.3/32 [110/1511] via 10.100.200.2, 00:00:35, BRI0
O IA    10.0.2.2/32 [110/1511] via 10.100.200.2, 00:00:35, BRI0
O IA    10.0.1.1/32 [110/1511] via 10.100.200.2, 00:00:35, BRI0
O       10.100.100.0/24 [110/110] via 172.16.25.9, 00:00:35, Ethernet0
C       10.100.65.0/24 is directly connected, Loopback3
C       10.100.60.0/24 is directly connected, Loopback2
C       10.100.55.0/24 is directly connected, Loopback1
C       10.100.50.0/24 is directly connected, Loopback0
C       10.100.200.2/32 is directly connected, BRI0
C       10.100.200.0/24 is directly connected, BRI0
     172.16.0.0/28 is subnetted, 2 subnets
O IA    172.16.25.48 [110/1510] via 10.100.200.2, 00:00:36, BRI0
C       172.16.25.0 is directly connected, Ethernet0
O E2 171.68.0.0/15 [110/200] via 10.100.200.2, 00:00:37, BRI0

isdn1-5#show ip route 171.68.0.0
Routing entry for 171.68.0.0/15, supernet
  Known via "ospf 10", distance 110, metric 200, type extern 2, forward metric 1510
  Redistributing via ospf 10
  Last update from 10.100.200.2 on BRI0, 00:09:33 ago
  Routing Descriptor Blocks:
  * 10.100.200.2, from 10.0.2.2, 00:09:33 ago, via BRI0
      Route metric is 200, traffic share count is 1

Looking now at isdn1-4, we see that the summary route for the Cisco internal network now has isdn1-5 as its next hop.

isdn1-4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O IA    10.0.3.3/32 [110/1521] via 172.16.25.5, 00:01:49, Ethernet0
O IA    10.0.2.2/32 [110/1521] via 172.16.25.5, 00:01:49, Ethernet0
O IA    10.0.1.1/32 [110/1521] via 172.16.25.5, 00:01:49, Ethernet0
O       10.100.100.0/24 [110/110] via 172.16.25.9, 00:01:49, Ethernet0
O       10.100.65.1/32 [110/11] via 172.16.25.5, 00:01:49, Ethernet0
O       10.100.60.1/32 [110/11] via 172.16.25.5, 00:01:49, Ethernet0
O       10.100.55.1/32 [110/11] via 172.16.25.5, 00:01:49, Ethernet0
O       10.100.50.1/32 [110/11] via 172.16.25.5, 00:01:49, Ethernet0
O       10.100.200.0/24 [110/1510] via 172.16.25.5, 00:01:49, Ethernet0
     172.16.0.0/28 is subnetted, 2 subnets
O IA    172.16.25.48 [110/1520] via 172.16.25.5, 00:01:49, Ethernet0
C       172.16.25.0 is directly connected, Ethernet0
O E2 171.68.0.0/15 [110/200] via 172.16.25.5, 00:01:49, Ethernet0

isdn1-4#show ip route 171.68.0.0
Routing entry for 171.68.0.0/15, supernet
  Known via "ospf 10", distance 110, metric 200, type extern 2, 
  forward metric 1520
  Redistributing via ospf 10
  Last update from 172.16.25.5 on Ethernet0, 00:02:04 ago
  Routing Descriptor Blocks:
  * 172.16.25.5, from 10.0.2.2, 00:02:04 ago, via Ethernet0
      Route metric is 200, traffic share count is 1

The traceroute command shows the path change.

isdn1-4#traceroute 171.68.191.1

     Type escape sequence to abort.
     Tracing the route to dpeng-sun.cisco.com (171.68.200.127)

       1 172.16.25.5 4 msec 4 msec 4 msec         (isdn1-5)
       2 10.100.200.2 16 msec 16 msec 16 msec     (isdn2-2)
       3 172.16.25.49 28 msec 16 msec 72 msec
       4 171.68.191.1 16 msec 16 msec 16 msec

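Now look at what happens on the backup aggregation router when the primary link (the tunnel interface) fails and the area backup router dials in. First, the backup aggregation router receives the call from the area backup router: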

*Mar  1 01:12:20.587: ISDN Se0:23: RX <-  SETUP pd = 8  callref = 0x1B
*Mar  1 01:12:20.591:         Bearer Capability i = 0x8890
*Mar  1 01:12:20.595:         Channel ID i = 0xA98393
*Mar  1 01:12:20.599:         Calling Party Number i = '!', 0x83, '4082322044'
*Mar  1 01:12:20.603:         Called Party Number i = 0xC1, '4084327528'
*Mar  1 01:12:20.691: %LINK-3-UPDOWN: Interface Serial0:18, changed state to up
*Mar  1 01:12:20.727: Se0:18 PPP: Treating connection as a callin
*Mar  1 01:12:20.731: Se0:18 PPP: Phase is ESTABLISHING, Passive Open
*Mar  1 01:12:20.735: Se0:18 LCP: State is Listen
*Mar  1 01:12:20.755: ISDN Se0:23: TX ->  CALL_PROC pd = 8  callref = 0x801B
*Mar  1 01:12:20.759:         Channel ID i = 0xA98393
*Mar  1 01:12:20.791: ISDN Se0:23: TX ->  CONNECT pd = 8  callref = 0x801B
*Mar  1 01:12:20.791:         Channel ID i = 0xA98393
*Mar  1 01:12:20.863: ISDN Se0:23: RX <-  CONNECT_ACK pd = 8  callref = 0x1B

PPP negotiation begins:

*Mar  1 01:12:20.995: Se0:18 LCP: I CONFREQ [Listen] id 166 len 34
*Mar  1 01:12:20.999: Se0:18 LCP:    AuthProto CHAP 
(0x0305C22305)
*Mar  1 01:12:21.003: Se0:18 LCP:    MagicNumber 0x20039D53 
(0x050620039D53)
*Mar  1 01:12:21.003: Se0:18 LCP:    MRRU 1524 (0x110405F4)
*Mar  1 01:12:21.007: Se0:18 LCP:    EndpointDisc 1 Local 
(0x130F016F7370665F6261636B757031)
*Mar  1 01:12:21.015: Se0:18 LCP: O CONFREQ [Listen] id 9 len 15
*Mar  1 01:12:21.015: Se0:18 LCP:    AuthProto CHAP 
(0x0305C22305)
*Mar  1 01:12:21.019: Se0:18 LCP:    MagicNumber 0x60812EEF 
(0x050660812EEF)
*Mar  1 01:12:21.023: Se0:18 LCP: O CONFREJ [Listen] id 166 len 23
*Mar  1 01:12:21.027: Se0:18 LCP:    MRRU 1524 (0x110405F4)
*Mar  1 01:12:21.027: Se0:18 LCP:    EndpointDisc 1 Local 
(0x130F016F7370665F6261636B757031)
*Mar  1 01:12:21.043: Se0:18 LCP: I CONFACK [REQsent] id 9 len 15
*Mar  1 01:12:21.047: Se0:18 LCP:    AuthProto CHAP 
(0x0305C22305)
*Mar  1 01:12:21.051: Se0:18 LCP:    MagicNumber 0x60812EEF 
(0x050660812EEF)
*Mar  1 01:12:21.055: Se0:18 LCP: I CONFREQ [ACKrcvd] id 167 len 15
*Mar  1 01:12:21.055: Se0:18 LCP:    AuthProto CHAP 
(0x0305C22305)
*Mar  1 01:12:21.059: Se0:18 LCP:    MagicNumber 0x20039D53 
(0x050620039D53)
*Mar  1 01:12:21.063: Se0:18 LCP: O CONFACK [ACKrcvd] id 167 len 15
*Mar  1 01:12:21.063: Se0:18 LCP:    AuthProto CHAP 
(0x0305C22305)
*Mar  1 01:12:21.067: Se0:18 LCP:    MagicNumber 0x20039D53 
(0x050620039D53)
*Mar  1 01:12:21.071: Se0:18 LCP: State is Open

Once LCP completes negotiation, we proceed to authentication:

*Mar  1 01:12:21.071: Se0:18 PPP: Phase is AUTHENTICATING, 
by both
*Mar  1 01:12:21.075: Se0:18 CHAP: O CHALLENGE id 9 len 28 
from "isdn2-2"
*Mar  1 01:12:21.155: Se0:18 CHAP: I CHALLENGE id 61 len 33 
from "ospf_backup1"
*Mar  1 01:12:21.159: Se0:18 CHAP: I RESPONSE id 9 len 33 
from "ospf_backup1"

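We sent our Challenge Handshake Authentication Protocol (CHAP) challenge and received a response from the peer. Note that the backup area router claims to be "ospf_backup1" rather than the router's actual hostname, "isdn1-5". This happens because we used the ppp chap hostname command to override the default.

Because we authenticate this user with TACACS+, we next contact the TACACS+ server.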

*Mar  1 01:12:21.167: AAA/AUTHEN: create_user (0x35F5BC) 
user='ospf_backup1' ruser='' port='Serial0:18' 
rem_addr='4082322044/4084327528' authen_type=CHAP service=PPP priv=1
*Mar  1 01:12:21.171: AAA/AUTHEN/START (1579536474): 
port='Serial0:18' list='' action=SENDAUTH service=PPP
*Mar  1 01:12:21.175: AAA/AUTHEN/START (1579536474): 
using "default" list
*Mar  1 01:12:21.179: AAA/AUTHEN (1579536474): 
status = UNKNOWN
*Mar  1 01:12:21.179: AAA/AUTHEN/START (1579536474): 
Method=TACACS+
*Mar  1 01:12:21.183: TAC+: send AUTHEN/START packet 
ver=193 id=1579536474
*Mar  1 01:12:21.403: TAC+: ver=193 id=1579536474 
received AUTHEN status = PASS
*Mar  1 01:12:21.403: AAA/AUTHEN (1579536474): 
status = PASS
*Mar  1 01:12:21.411: AAA/AUTHEN: free_user (0x35F5BC) 
user='ospf_backup1' ruser='' port='Serial0:18' 
rem_addr='4082322044/4084327528' authen_type=CHAP service=PPP priv=1
*Mar  1 01:12:21.415: Se0:18 CHAP: Waiting for peer 
to authenticate first
*Mar  1 01:12:21.419: AAA/AUTHEN: create_user (0x35F5BC) 
user='ospf_backup1' ruser='' port='Serial0:18' 
rem_addr='4082322044/4084327528' authen_type=CHAP service=PPP priv=1
*Mar  1 01:12:21.423: AAA/AUTHEN/START (3035786780): 
port='Serial0:18' list='' action=LOGIN service=PPP
*Mar  1 01:12:21.427: AAA/AUTHEN/START (3035786780): 
using "default" list
*Mar  1 01:12:21.427: AAA/AUTHEN (3035786780): 
status = UNKNOWN
*Mar  1 01:12:21.431: AAA/AUTHEN/START (3035786780): 
Method=TACACS+
*Mar  1 01:12:21.431: TAC+: send AUTHEN/START packet 
ver=193 id=3035786780
*Mar  1 01:12:21.655: TAC+: ver=193 id=3035786780 
received AUTHEN status = PASS
*Mar  1 01:12:21.659: AAA/AUTHEN (3035786780): 
status = PASS

Because the password is correct and the backup area router is authenticated, we now proceed to the authorization phase.

*Mar  1 01:12:21.663: AAA/AUTHOR/LCP Se0:18: 
Authorize LCP
*Mar  1 01:12:21.667: AAA/AUTHOR/LCP: Serial0:18: 
(221407121): user='ospf_backup1'
*Mar  1 01:12:21.667: AAA/AUTHOR/LCP: Serial0:18: 
(221407121): send AV service=ppp
*Mar  1 01:12:21.671: AAA/AUTHOR/LCP: Serial0:18: 
(221407121): send AV protocol=lcp
*Mar  1 01:12:21.671: AAA/AUTHOR/LCP: Serial0:18: 
(221407121): Method=TACACS+
*Mar  1 01:12:21.675: AAA/AUTHOR/TAC+: (221407121): 
user=ospf_backup1
*Mar  1 01:12:21.679: AAA/AUTHOR/TAC+: (221407121): 
send AV service=ppp
*Mar  1 01:12:21.679: AAA/AUTHOR/TAC+: (221407121): 
send AV protocol=lcp
*Mar  1 01:12:21.903: TAC+: (221407121): received 
author response status = PASS_ADD
*Mar  1 01:12:21.911: AAA/AUTHOR (221407121): 
Post authorization status = PASS_ADD
*Mar  1 01:12:21.911: AAA/AUTHOR/LCP Se0:18: 
Processing AV service=ppp
*Mar  1 01:12:21.915: AAA/AUTHOR/LCP Se0:18: 
Processing AV protocol=lcp
*Mar  1 01:12:21.915: AAA/AUTHOR/LCP Se0:18: 
Processing AV interface-config=ip address 
10.100.200.2 255.255.255.0\nip ospf cost 1500

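Authorization is complete. We received attribute-value pairs (AVPs) indicating that certain configuration must be applied to the interface we create.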
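The interface-config AVP ends up as interface configuration on the router, so it is worth checking what an AAA profile actually pushes. The following added example (not part of the original document) rejoins the wrapped debug lines and flags any pushed command outside an allow-list; the allow-list policy, the function names and the ospf_backup2 records are assumptions constructed for illustration.

```python
import re

# Constructed sample: two wrapped records copied from the debug output above,
# plus two constructed records (user 'ospf_backup2') with an unexpected command.
SAMPLE = r"""
*Mar  1 01:12:21.667: AAA/AUTHOR/LCP: Serial0:18:
(221407121): user='ospf_backup1'
*Mar  1 01:12:21.915: AAA/AUTHOR/LCP Se0:18:
Processing AV interface-config=ip address
10.100.200.2 255.255.255.0\nip ospf cost 1500
*Mar  1 01:20:00.000: AAA/AUTHOR/LCP: Serial0:19:
(1): user='ospf_backup2'
*Mar  1 01:20:00.100: AAA/AUTHOR/LCP Se0:19:
Processing AV interface-config=ip unnumbered Ethernet0
"""

STAMP = re.compile(r"^\*\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+:")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed policy: the only commands a backup profile may push from AAA.
ALLOWED = [re.compile(rf"ip address {IPV4} {IPV4}"),
           re.compile(r"ip ospf cost \d+")]

def unwrap(text):
    """Rejoin wrapped records; a new record starts with a timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def pushed_commands(records):
    """Yield (user, command) per interface-config command. The user is the
    most recent user='...' seen; commands are split on a literal backslash-n."""
    user = None
    for rec in records:
        m = re.search(r"user='([^']*)'", rec)
        if m:
            user = m.group(1)
        m = re.search(r"Processing AV interface-config=(.*)$", rec)
        if m:
            for cmd in m.group(1).split("\\n"):
                yield user, " ".join(cmd.split())

def violations(text):
    """Return the (user, command) pairs that the assumed policy rejects."""
    return [(u, c) for u, c in pushed_commands(unwrap(text))
            if not any(p.fullmatch(c) for p in ALLOWED)]
```

Calling violations(SAMPLE) returns only the constructed ospf_backup2 entry; both commands pushed for ospf_backup1 pass the policy.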

Now that LCP authentication and authorization are complete, we tell the peer that it has been accepted.

*Mar  1 01:12:21.927: Se0:18 CHAP: O SUCCESS id 9 len 4
*Mar  1 01:12:21.927: Se0:18 CHAP: O RESPONSE id 61 
len 28 from "isdn2-2"
*Mar  1 01:12:21.951: Se0:18 CHAP: I SUCCESS id 61 len 4

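The LCP process is complete, and the Network Control Protocols (NCPs) will now be established, which means we need an interface. We have the virtual profile feature enabled, so we clone a virtual access interface from the virtual template interface and then customize its configuration using the AVPs received from AAA.

See how we create the virtual access interface.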

*Mar  1 01:12:21.955: Vi1 VTEMPLATE: Reuse Vi1, 
recycle queue size 0
*Mar  1 01:12:21.955: Vi1 VTEMPLATE: Set default 
settings with no ip address
*Mar  1 01:12:22.363: Vi1 VTEMPLATE: Hardware address 
0060.3ef1.6f74
*Mar  1 01:12:22.391: %LINEPROTO-5-UPDOWN: 
Line protocol on Interface Serial0:18, changed state to up
*Mar  1 01:12:22.399: %LINEPROTO-5-UPDOWN: 
Line protocol on Interface Virtual-Access1, changed state to up
*Mar  1 01:12:22.451: %LINK-3-UPDOWN: 
Interface Virtual-Access1, changed state to up
*Mar  1 01:12:22.455: Vi1 PPP: Treating connection 
as a dedicated line
*Mar  1 01:12:22.459: Vi1 PPP: Phase is ESTABLISHING, 
Active Open
*Mar  1 01:12:22.463: Vi1 LCP: O CONFREQ [Closed] 
id 33 len 10
*Mar  1 01:12:22.467: Vi1 LCP:    MagicNumber 0x60813499 
(0x050660813499)

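The basic configuration of the virtual access interface comes from virtual template interface 1, as specified in the configuration.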

*Mar  1 01:12:22.483: Vi1 VTEMPLATE: 
Has a new cloneblk vtemplate, now it has vtemplate
*Mar  1 01:12:22.487: Vi1 VTEMPLATE: 
Undo default settings
*Mar  1 01:12:22.899: Vi1 VTEMPLATE: 
************* CLONE VACCESS1 *****************
*Mar  1 01:12:22.899: Vi1 VTEMPLATE: 
Clone from vtemplate1
interface Virtual-Access1
no ip address
encap ppp
no ip address
no ip mroute-cache
ppp authentication chap
ppp multilink
end

The virtual access interface starts up.

*Mar  1 01:12:23.671: Vi1 PPP: 
Phase is TERMINATING
*Mar  1 01:12:23.671: Vi1 PPP: 
Phase is ESTABLISHING, Active Open
*Mar  1 01:12:23.679: Vi1 LCP: 
O CONFREQ [Closed] id 34 len 15
*Mar  1 01:12:23.679: Vi1 LCP:    
AuthProto CHAP (0x0305C22305)
*Mar  1 01:12:23.683: Vi1 LCP:    
MagicNumber 0x6081395A (0x05066081395A)
*Mar  1 01:12:23.743: Vi1 PPP: 
Phase is TERMINATING
*Mar  1 01:12:23.747: Vi1 PPP: 
Phase is ESTABLISHING, Active Open
*Mar  1 01:12:23.751: Vi1 LCP: 
O CONFREQ [Closed] id 35 len 29
*Mar  1 01:12:23.755: Vi1 LCP:    
AuthProto CHAP (0x0305C22305)
*Mar  1 01:12:23.759: Vi1 LCP:    
MagicNumber 0x608139A3 (0x0506608139A3)
*Mar  1 01:12:23.759: Vi1 LCP:    
MRRU 1524 (0x110405F4)
*Mar  1 01:12:23.763: Vi1 LCP:    
EndpointDisc 1 Local (0x130A016973646E322D32)
*Mar  1 01:12:23.847: Vi1 AAA/AUTHOR: LCP_DOWN
*Mar  1 01:12:23.847: Vi1 AAA/AUTHOR: LCP_DOWN

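Now the configuration AVP that we obtained from the AAA server is applied. It specifies the interface's IP address and modifies the default OSPF cost.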

*Mar  1 01:12:23.947: Vi1 VTEMPLATE: 
Has a new cloneblk AAA, now it has vtemplate/AAA
*Mar  1 01:12:23.951: Vi1 VTEMPLATE: 
************* CLONE VACCESS1 *****************
*Mar  1 01:12:23.955: Vi1 VTEMPLATE: 
Clone from AAA
interface Virtual-Access1
ip address 10.100.200.2 255.255.255.0
ip ospf cost 1500
end

*Mar  1 01:12:24.123: OSPF: 
Interface Virtual-Access1 going Up
*Mar  1 01:12:24.127: Vi1 PPP: 
Unsupported or un-negotiated protocol. Link ip
*Mar  1 01:12:24.235: 
AAA/AUTHEN: dup_user (0x35DEA0) user='ospf_backup1' 
ruser='' port='Serial0:18' rem_addr='4082322044/4084327528' 
authen_type=CHAP service=PPP priv=1 source='AAA dup vp_create'

A little trickery allows us to force a negotiated LCP state.

*Mar  1 01:12:24.239: Vi1 LCP: 
I FORCED CONFREQ len 11
*Mar  1 01:12:24.243: Vi1 LCP:    
AuthProto CHAP (0x0305C22305)
*Mar  1 01:12:24.247: Vi1 LCP:    
MagicNumber 0x60812EEF (0x050660812EEF)
*Mar  1 01:12:24.247: Vi1 PPP: 
Phase is UP

We are now ready to negotiate the NCPs.

*Mar  1 01:12:24.251: AAA/AUTHOR/FSM Vi1: (0): 
Can we start IPCP?
*Mar  1 01:12:24.263: AAA/AUTHOR/FSM: Virtual-Access1: 
(2432251470): user='ospf_backup1'
*Mar  1 01:12:24.263: AAA/AUTHOR/FSM: Virtual-Access1: 
(2432251470): send AV service=ppp
*Mar  1 01:12:24.267: AAA/AUTHOR/FSM: Virtual-Access1: 
(2432251470): send AV protocol=ip
*Mar  1 01:12:24.271: AAA/AUTHOR/FSM: Virtual-Access1: 
(2432251470): Method=TACACS+
*Mar  1 01:12:24.275: AAA/AUTHOR/TAC+: (2432251470): 
user=ospf_backup1
*Mar  1 01:12:24.275: AAA/AUTHOR/TAC+: (2432251470): 
send AV service=ppp
*Mar  1 01:12:24.279: AAA/AUTHOR/TAC+: (2432251470): 
send AV protocol=ip
*Mar  1 01:12:24.503: TAC+: (2432251470): received 
author response status = PASS_ADD
*Mar  1 01:12:24.507: AAA/AUTHOR (2432251470): Post 
authorization status = PASS_ADD
*Mar  1 01:12:24.515: AAA/AUTHOR/FSM Vi1: We can 
start IPCP
*Mar  1 01:12:24.519: Vi1 IPCP: O CONFREQ [Closed] 
id 17 len 10
*Mar  1 01:12:24.523: Vi1 IPCP:    
Address 10.100.200.2 (0x03060A64C802)
*Mar  1 01:12:24.523: Se0:18 PPP: Phase is FORWARDED
*Mar  1 01:12:24.527: Se0:18 IPCP: PPP phase is FORWARDED, 
discarding packet
*Mar  1 01:12:24.531: Se0:18 IPCP: PPP phase is FORWARDED, 
discarding packet
*Mar  1 01:12:25.851: Vi1 LCP: TIMEout: Time 0x424F98 
State Open

The peer wants to assign 10.100.200.1 to its interface.

*Mar  1 01:12:26.031: Vi1 IPCP: I CONFREQ [REQsent] 
id 56 len 10
*Mar  1 01:12:26.035: Vi1 IPCP:    Address 10.100.200.1 
(0x03060A64C801)
*Mar  1 01:12:26.035: AAA/AUTHOR/IPCP Vi1: Start.  
Her address 10.100.200.1, we want 0.0.0.0

We query the TACACS+ server to authorize the IP address.

*Mar  1 01:12:26.039: AAA/AUTHOR/IPCP Vi1: 
Processing AV service=ppp
*Mar  1 01:12:26.043: AAA/AUTHOR/IPCP Vi1: 
Processing AV protocol=ip
*Mar  1 01:12:26.043: AAA/AUTHOR/IPCP Vi1: 
Processing AV addr=10.100.200.1
*Mar  1 01:12:26.047: AAA/AUTHOR/IPCP Vi1: 
Authorization succeeded

Authorization is granted.

*Mar  1 01:12:26.047: AAA/AUTHOR/IPCP Vi1: Done.  
Her address 10.100.200.1, we want 10.100.200.1

We acknowledge the IP address the peer requested.

*Mar  1 01:12:26.051: Vi1 IPCP: 
O CONFACK [REQsent] id 56 len 10
*Mar  1 01:12:26.059: Vi1 IPCP:    
Address 10.100.200.1 (0x03060A64C801)
*Mar  1 01:12:26.067: Vi1 LCP: 
O PROTREJ [Open] id 36 len 10 protocol CDPCP (0x820701350004)
*Mar  1 01:12:26.727: %ISDN-6-CONNECT: 
Interface Serial0:18 is now connected to 4082322044 ospf_backup1
*Mar  1 01:12:26.875: Vi1 IPCP: 
TIMEout: Time 0x425294 State ACKsent
*Mar  1 01:12:26.879: Vi1 IPCP: 
O CONFREQ [ACKsent] id 18 len 10
*Mar  1 01:12:26.879: Vi1 IPCP:    
Address 10.100.200.2 (0x03060A64C802)

The peer acknowledges our IP address.

*Mar  1 01:12:26.899: Vi1 IPCP: 
I CONFACK [ACKsent] id 18 len 10
*Mar  1 01:12:26.903: Vi1 IPCP:    
Address 10.100.200.2 (0x03060A64C802)
*Mar  1 01:12:26.903: Vi1 IPCP: 
State is Open
*Mar  1 01:12:26.911: Vi1 AAA/AUTHOR: 
IP_UP
*Mar  1 01:12:26.911: Vi1 AAA/PER-USER: 
processing author params.
*Mar  1 01:12:26.919: Vi1 IPCP: 
Install route to 10.100.200.1

Because IP is fully up on this interface, OSPF synchronizes and establishes an adjacency.

*Mar  1 01:12:29.427: OSPF: Rcv hello from 10.0.2.2 area 0 
from Ethernet0 172.16.25.51
*Mar  1 01:12:29.427: OSPF: End of hello processing
*Mar  1 01:12:35.295: OSPF: service_maxage: Trying to 
delete MAXAGE LSA
*Mar  1 01:12:37.823: OSPF: Rcv hello from 172.16.25.5 
area 100 from Virtual-Access1 10.100.200.1
*Mar  1 01:12:37.823: OSPF: 2 Way Communication to 
172.16.25.5 on Virtual-Access1, state 2WAY
*Mar  1 01:12:37.827: OSPF: Send DBD to 172.16.25.5 on 
Virtual-Access1 seq 0x6FE opt 0x22 flag 0x7 len 32
*Mar  1 01:12:37.831: OSPF: End of hello processing
*Mar  1 01:12:37.871: OSPF: Rcv DBD from 172.16.25.5 on 
Virtual-Access1 seq 0xEBC opt 0x22 flag 0x7 len 32 state EXSTART
*Mar  1 01:12:37.875: OSPF: First DBD and we are not SLAVE
*Mar  1 01:12:37.927: OSPF: Rcv DBD from 172.16.25.5 on 
Virtual-Access1 seq 0x6FE opt 0x22 flag 0x2 len 432 state EXSTART
*Mar  1 01:12:37.931: OSPF: NBR Negotiation Done. 
We are the MASTER
*Mar  1 01:12:37.939: OSPF: Send DBD to 172.16.25.5 on 
Virtual-Access1 seq 0x6FF opt 0x22 flag 0x3 len 432
*Mar  1 01:12:37.943: OSPF: Database request to 172.16.25.5
*Mar  1 01:12:37.947: OSPF: sent LS REQ packet to 10.100.200.1, 
length 96
*Mar  1 01:12:38.031: OSPF: Rcv DBD from 172.16.25.5 on 
Virtual-Access1 seq 0x6FF opt 0x22 flag 0x0 len 32 state EXCHANGE
*Mar  1 01:12:38.035: OSPF: Send DBD to 172.16.25.5 on 
Virtual-Access1 seq 0x700 opt 0x22 flag 0x1 len 32
*Mar  1 01:12:38.115: OSPF: Rcv DBD from 172.16.25.5 on 
Virtual-Access1 seq 0x700 opt 0x22 flag 0x0 len 32 state EXCHANGE
*Mar  1 01:12:38.119: OSPF: Exchange Done with 172.16.25.5 
on Virtual-Access1
*Mar  1 01:12:38.119: OSPF: Synchronized with 172.16.25.5 
on Virtual-Access1, state FULL

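OSPF synchronization between the area backup router and the backup aggregation router is complete. OSPF demand circuit has been negotiated, so the ISDN link is brought up only when there is data traffic to send.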

isdn2-2#show ip ospf interface virtual-access 1
Virtual-Access1 is up, line protocol is up
  Internet Address 10.100.200.2/24, Area 100
  Process ID 10, Router ID 172.16.25.52, 
  Network Type POINT_TO_POINT, Cost: 1500
  Run as demand circuit.
  DoNotAge LSA allowed.
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, 
  Wait 40, Retransmit 5
    Hello due in 00:00:05
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.25.5  
	(Hello suppressed)
  Suppress hello for 1 neighbor(s)

isdn2-2#show interface virtual-access 1 config
Virtual-Access1 is a Virtual Profile interface

Building configuration...

interface Virtual-Access1 configuration...
ip address 10.100.200.2 255.255.255.0
ip ospf cost 1500
no ip mroute-cache
ppp authentication chap

This is the TACACS+ profile for isdn1-5:

user = ospf_backup1 {
        chap = cleartext "cisco"

        service = ppp protocol = lcp {
                interface-config = "ip address 10.100.200.2 255.255.255.0\nip ospf cost 1500"
        }

        service = ppp protocol = ip {
                addr = 10.100.200.1
        }
}

And the RADIUS profile:

ospf_backup1 Password = "cisco"
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.100.200.1,
        cisco-avpair = "interface-config=ip address 10.100.200.2 255.255.255.0\nip ospf cost 1500"


Document ID: 13695