
ASA Version 9.2.1 OSPF Enhancements Configuration Example

August 28, 2015 (machine translation)
Other versions: English (April 23, 2015)

Introduction

This document describes the new features and commands introduced in Adaptive Security Appliance (ASA) software Version 9.2.1 that relate to the Open Shortest Path First (OSPF) protocol.

Contributed by Magnus Mortensen and Dinkar Sharma, Cisco TAC Engineers.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco ASA 5500-X Series Firewalls that run Cisco ASA software Version 9.2(1) and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

Configurations

OSPF Support for Fast Hello Packets

OSPF Hello packets are packets that an OSPF process sends to its OSPF neighbors in order to maintain connectivity with those neighbors. The Hello packets are sent at a configurable interval (in seconds). The defaults are 10 seconds for an Ethernet link and 30 seconds for a non-broadcast link. Hello packets include a list of all neighbors for which a Hello packet has been received within the dead interval. The dead interval is also a configurable interval (in seconds), and defaults to four times the value of the Hello interval. The value of all Hello intervals must be the same within a network. Likewise, the value of all dead intervals must be the same within a network.

OSPF fast Hello packets refer to Hello packets that are sent at intervals of less than 1 second. In order to enable OSPF fast Hello packets, enter the ospf dead-interval command. For sub-second Hellos, the dead interval is set to 1 second or minimal, and the hello-multiplier value is set to the number of Hello packets you want sent per second. For example, if the dead interval is set to 1 second and the hello-multiplier is set to 4, a Hello is sent every 0.25 seconds.

When fast Hello packets are configured on an interface, the Hello interval advertised in the Hello packets sent out of this interface is set to 0. The Hello interval in the Hello packets received over this interface is ignored. Note that the dead interval must be consistent on a segment: whether it is set to 1 second (for fast Hello packets) or to any other value, it must be the same among the neighbors on that segment. As long as at least one Hello packet is sent within the dead interval, the hello-multiplier does not need to be the same for the entire segment.

In order to enable fast Hellos with a multiplier of 4, enter the ospf dead-interval minimal hello-multiplier 4 command under the appropriate interface configuration.

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
 ospf dead-interval minimal hello-multiplier 4
!
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0

Verify with the show ospf interface command; the Hello interval is reported in milliseconds:

asa(config)# show ospf interface

inside is up, line protocol is up
Internet Address 198.51.100.1 mask 255.255.255.0, Area 0
Process ID 928, Router ID 198.51.100.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 198.51.100.1, Interface address 198.51.100.1
No backup designated router on this network
Timer intervals configured, Hello 250 msec, Dead 1, Wait 1, Retransmit 5
Hello due in 48 msec
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 0
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)

New OSPF Timer Commands for Link-State Advertisement and SPF Throttling

These commands are introduced in ASA Version 9.2.1 and later as part of the OSPF router configuration:

timers lsa arrival
timers pacing
timers throttle lsa
timers throttle spf

asa(config-router)# timers ?

router mode commands/options:
lsa OSPF LSA timers
pacing OSPF pacing timers
throttle OSPF throttle timers

These commands are removed: timers spf and timers lsa-group-pacing.

More information on the benefits of Link State Advertisement (LSA) and Shortest Path First (SPF) throttling can be found in these documents:

OSPF Route Filtering with ACLs

Route filtering with access control lists (ACLs) is now supported. This is accomplished with the distribute-list command, which applies the ACL to the routes.

For example, in order to filter the route for 10.20.20.0/24, the configuration looks like this:

access-list ospf standard deny host 10.20.20.0
access-list ospf standard permit any4
!
router ospf 1
 network 198.51.100.0 255.255.255.0 area 0
 log-adj-changes
 distribute-list ospf in interface inside

When the associated ACL is checked, it shows an increasing hit count:

asa(config)# show access-list ospf
access-list ospf; 2 elements; name hash: 0xb5dd06eb
access-list ospf line 1 standard deny host 10.20.20.0 (hitcnt=1) 0xe29503b8
access-list ospf line 2 standard permit any4 (hitcnt=2) 0x51ff4e67

Additionally, one can check the Routing Information Base (RIB) on the ASA in order to further validate the feature. Enter the show ospf rib detail command in order to report the complete routing information database of the OSPF router process. The 'flags' associated with each route indicate whether it is installed in the RIB.

asa(config)# show ospf rib detail

            OSPF Router with ID (198.51.100.10) (Process ID 1)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*>  172.18.124.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: RIB, HiPrio
      via 198.51.100.2, inside, flags: RIB
       LSA: 1/198.51.100.2/198.51.100.2
*   10.20.20.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: HiPrio
      via 198.51.100.2, inside, flags: none
       LSA: 1/198.51.100.2/198.51.100.2
*>  192.168.10.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: RIB, HiPrio
      via 198.51.100.2, inside, flags: RIB
       LSA: 1/198.51.100.2/198.51.100.2
*   198.51.100.0/24, Intra, cost 10, area 0
     SPF Instance 13, age 0:52:52
     Flags: Connected
      via 198.51.100.10, inside, flags: Connected
       LSA: 2/198.51.100.2/192.151.100.10

In the output above, the route with flags 'none' is not installed, while the routes listed with flags 'RIB' are installed. This should be reflected in the global routing table. Check it with the show route command.

asa(config)# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.106.44.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 10.106.44.1, tftp
O        172.18.124.0 255.255.255.0 [110/11] via 198.51.100.2, 00:00:03, inside
O        192.168.10.0 255.255.255.0 [110/11] via 198.51.100.2, 00:00:03, inside
O        10.20.20.0 255.255.255.0 [110/11] via 198.51.100.2, 00:00:03, inside
S        10.76.76.160 255.255.255.255 [1/0] via 10.106.44.1, tftp
C        10.86.195.0 255.255.255.0 is directly connected, management
L        10.86.195.1 255.255.255.255 is directly connected, management
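As an added example (not part of the original document), the following Python parser reads show ospf rib detail output in the format shown above and lists the prefixes OSPF learned but did not install, which is how an operator confirms that the distribute-list filter took effect. The sample text is constructed from the output above.

```python
import re

# Constructed sample in the format of the "show ospf rib detail" output above: one route
# (10.20.20.0) is learned but carries path flags "none" because the distribute-list dropped it.
OSPF_RIB = """\
*>  172.18.124.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: RIB, HiPrio
      via 198.51.100.2, inside, flags: RIB
       LSA: 1/198.51.100.2/198.51.100.2
*   10.20.20.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: HiPrio
      via 198.51.100.2, inside, flags: none
       LSA: 1/198.51.100.2/198.51.100.2
*   198.51.100.0/24, Intra, cost 10, area 0
     SPF Instance 13, age 0:52:52
     Flags: Connected
      via 198.51.100.10, inside, flags: Connected
       LSA: 2/198.51.100.2/198.51.100.10
"""

ROUTE_RE = re.compile(r"^\*(>?)\s+(\S+),\s+(\w+),\s+cost\s+(\d+),\s+area\s+(\S+)")
VIA_RE = re.compile(r"^\s+via\s+(\S+),\s+(\S+),\s+flags:\s+(\S+)")

def parse_ospf_rib(text):
    # One dict per local-RIB entry; "installed" is the ">" marker, i.e. present in the
    # global RIB. The "via" line carries the per-path flags the text above explains.
    routes, cur = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            cur = {"prefix": m.group(2), "installed": m.group(1) == ">",
                   "type": m.group(3), "cost": int(m.group(4)), "area": m.group(5),
                   "via": None, "interface": None, "path_flags": None}
            routes.append(cur)
            continue
        m = VIA_RE.match(line)
        if m and cur is not None:
            cur["via"], cur["interface"], cur["path_flags"] = m.groups()
    return routes

def filtered_routes(text):
    # Prefixes OSPF learned but did not install: not in the global RIB and path flags
    # "none". A Connected entry is skipped; it is owned by the interface, not filtered.
    return [r["prefix"] for r in parse_ospf_rib(text)
            if not r["installed"] and r["path_flags"] == "none"]

def installed_routes(text):
    return [r["prefix"] for r in parse_ospf_rib(text) if r["installed"]]
```

Feed the function the saved output of show ospf rib detail and compare filtered_routes() against the deny entries of the distribute-list ACL; any mismatch means the filter is not doing what the ACL hit counts suggest.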

OSPF Monitoring Enhancements

These commands are introduced in order to help monitor and observe the OSPF router process. Sample output from those commands is provided for reference.

show ospf interface brief

Enter the show ospf interface brief command in order to get a quick overview of the adjacencies on this ASA.

asa(config)# show ospf interface brief

Interface    PID   Area    IP Address/Mask              Cost  State  Nbrs F/C
inside       1     0       198.51.100.2/255.255.255.0   10    DR     1/1

show ospf statistics [detail]

The show ospf statistics detail command provides a brief description of when SPF was run and how many times it ran. It also indicates how many new LSAs were added to the database.

asa(config)# show ospf statistics detail


            OSPF Router with ID (198.51.100.10) (Process ID 1)

  Area 0: SPF algorithm executed 12 times

SPF 3 executed 00:32:56 ago, SPF type Full
  SPF calculation time (in msec):
  SPT    Intra  D-Intr Summ   D-Summ Ext7   D-Ext7 Total
        0      0      0      0      0      0      00
  LSIDs processed R:2 N:1 Stub:1 SN:0 SA:0 X7:0
  Change record 0x0
  LSIDs changed 1
  Changed LSAs. Recorded is LS ID and LS type:
  198.51.100.2(R)

SPF 4 executed 00:28:16 ago, SPF type Full
  SPF calculation time (in msec):
  SPT    Intra  D-Intr Summ   D-Summ Ext7   D-Ext7 Total
        0      0      0      0      0      0      00
  LSIDs processed R:1 N:1 Stub:0 SN:0 SA:0 X7:0
  Change record 0x0
  LSIDs changed 2
  Changed LSAs. Recorded is LS ID and LS type:
  198.51.100.2(R) 198.51.100.10(R)

SPF 5 executed 00:28:06 ago, SPF type Full
  SPF calculation time (in msec):
  SPT    Intra  D-Intr Summ   D-Summ Ext7   D-Ext7 Total
        0      0      0      0      0      0      00
  LSIDs processed R:2 N:1 Stub:1 SN:0 SA:0 X7:0
  Change record 0x0
  LSIDs changed 1
  Changed LSAs. Recorded is LS ID and LS type:
  198.51.100.2(R)

SPF 6 executed 00:26:40 ago, SPF type Full
  SPF calculation time (in msec):
  SPT    Intra  D-Intr Summ   D-Summ Ext7   D-Ext7 Total
        0      0      0      0      0      0      00
  LSIDs processed R:1 N:1 Stub:0 SN:0 SA:0 X7:0
  Change record 0x0
  LSIDs changed 2
  Changed LSAs. Recorded is LS ID and LS type:
  198.51.100.2(R) 198.51.100.10(R)

show ospf events neighbor

This is a useful command to check the OSPF neighbor states, particularly in cases where OSPF is flapping. It provides a list of events and state transitions for each neighbor, along with the timestamps of those events. In this example, the neighbor 10.10.40.1 goes through the state transitions from DOWN to FULL.

asa(config)# show ospf events neighbor


            OSPF Router with ID (198.51.100.10) (Process ID 1)

 279 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from
LOADING to FULL
 280 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from
EXCHANGE to LOADING
 281 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from
EXSTART to EXCHANGE
 290 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from
2WAY to EXSTART
 296 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from
INIT to 2WAY
 297 May 15 13:07:31.728: Neighbor 198.51.100.2, Interface inside state changes from
DOWN to INIT
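The following Python snippet is an added example, not part of the original document. It parses show ospf events neighbor output, re-joins the records the CLI wraps onto two lines, and counts how often each adjacency fell out of FULL, which turns the "is OSPF flapping" question above into a measurable check. The sample events are constructed from the output above plus one constructed flap.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "show ospf events neighbor" output above (newest
# first, some records wrapped as printed); the two newest records show one flap out of FULL.
EVENTS = """\
 310 May 15 13:09:02.100: Neighbor 198.51.100.2, Interface inside state changes from
DOWN to INIT
 309 May 15 13:08:40.500: Neighbor 198.51.100.2, Interface inside state changes from
FULL to DOWN
 279 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from
LOADING to FULL
 280 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from EXCHANGE to LOADING
 281 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from EXSTART to EXCHANGE
 290 May 15 13:07:31.737: Neighbor 198.51.100.2, Interface inside state changes from 2WAY to EXSTART
 296 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from INIT to 2WAY
 297 May 15 13:07:31.728: Neighbor 198.51.100.2, Interface inside state changes from DOWN to INIT
"""

RECORD_START = re.compile(r"^\s*\d+\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+:")
EVENT_RE = re.compile(r"^\s*\d+\s+(\w{3}\s+\d+\s+[\d:.]+):\s+Neighbor\s+(\S+),\s+"
                      r"Interface\s+(\S+)\s+state changes from\s+(\S+)\s+to\s+(\S+)")

def parse_neighbor_events(text):
    # Re-join wrapped records; return (timestamp, neighbor, interface, from, to) oldest first.
    # The ASA lists newest first, so printed order is reversed rather than sorted by timestamp.
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return [m.groups() for m in map(EVENT_RE.match, reversed(records)) if m]

def flap_count(events):
    # Times each neighbor left FULL; a non-zero count is what "OSPF is flapping" means.
    drops = defaultdict(int)
    for _, nbr, _, frm, to in events:
        if frm == "FULL" and to != "FULL":
            drops[nbr] += 1
    return dict(drops)

def broken_chains(events):
    # 'from' state not equal to the neighbor's previous 'to' state: records were lost.
    last, gaps = {}, []
    for ts, nbr, _, frm, to in events:
        if nbr in last and last[nbr] != frm:
            gaps.append((ts, nbr, last[nbr], frm))
        last[nbr] = to
    return gaps
```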

show ospf events lsa

This command is useful to check which LSAs were generated and received. It is useful in cases of link flaps and LSA flooding.

asa(config)# show ospf events lsa


            OSPF Router with ID (198.51.100.10) (Process ID 1)

 253 May 15 13:07:49.167: Rcv Changed Type-1 LSA, LSID 198.51.100.2,
Adv-Rtr 198.51.100.2, Seq# 80000002, Age 1, Area 0
 271 May 15 13:07:32.237: Generate New Type-2 LSA, LSID 198.51.100.1,
Seq# 80000001, Age 0, Area 0
 275 May 15 13:07:32.238: Generate Changed Type-1 LSA, LSID 198.51.100.10,
Seq# 80000002, Age 0, Area 0
 276 May 15 13:07:32.228: Rcv New Type-1 LSA, LSID 198.51.100.2,
Adv-Rtr 198.51.100.2, Seq# 80000001, Age 1, Area 0

show ospf events neighbor rib

This command provides information about the routes added to the RIB and the type of route installed (intra/inter).

asa(config)# show ospf events neighbor rib

 255 May 15 13:07:54.168: RIB Update, dest 172.18.124.0, mask 255.255.255.255,
gw 198.51.100.2, via inside, source 198.51.100.2, type Intra
 287 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from
LOADING to FULL
 288 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from
EXCHANGE to LOADING
 289 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from
EXSTART to EXCHANGE
 298 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from
2WAY to EXSTART
 304 May 15 13:07:31.738: Neighbor 198.51.100.2, Interface inside state changes from
INIT to 2WAY
 305 May 15 13:07:31.728: Neighbor 198.51.100.2, Interface inside state changes from
DOWN to INIT

show ospf events spf

When an SPF calculation runs, the run time and the LSA change that triggered it are logged in the SPF event list.

asa(config)# show ospf events spf
 235 May 15 13:07:54.167: End of SPF, SPF time 0ms, next wait-interval 10000ms
 240 May 15 13:07:54.167: Starting External processing in area 0
 241 May 15 13:07:54.167: Starting External processing
 244 May 15 13:07:54.167: Starting summary processing, Area 0
 250 May 15 13:07:54.167: Starting Intra-Area SPF, Area 0, spf_type Full
 251 May 15 13:07:54.167: Starting SPF, wait-interval 5000ms
 254 May 15 13:07:49.167: Schedule SPF, Area 0, spf-type Full, Change in LSA
Type RLSID 198.51.100.2, Adv-Rtr 198.51.100.2
 255 May 15 13:07:37.227: End of SPF, SPF time 0ms, next wait-interval 10000ms
 260 May 15 13:07:37.228: Starting External processing in area 0
 261 May 15 13:07:37.228: Starting External processing
 264 May 15 13:07:37.228: Starting summary processing, Area 0
 268 May 15 13:07:37.228: Starting Intra-Area SPF, Area 0, spf_type Full
 269 May 15 13:07:37.228: Starting SPF, wait-interval 5000ms
 272 May 15 13:07:32.238: Schedule SPF, Area 0, spf-type Full, Change in LSA
Type NLSID 198.51.100.1, Adv-Rtr 198.51.100.10
 274 May 15 13:07:32.238: Schedule SPF, Area 0, spf-type Full, Change in LSA
Type RLSID 198.51.100.10, Adv-Rtr 198.51.100.10
 277 May 15 13:07:32.228: Schedule SPF, Area 0, spf-type Full, Change in LSA
Type RLSID 198.51.100.2, Adv-Rtr 198.51.100.2

show ospf events generic

This output contains generic process events such as Designated Router (DR) election and adjacency changes.

asa(config)# show ospf events generic
 236 May 15 13:07:54.167: Generic:  ospf_external_route_sync0x0
 237 May 15 13:07:54.167: Generic:  ospf_external_route_sync0x0
 238 May 15 13:07:54.167: Generic:  ospf_external_route_sync0x0
 239 May 15 13:07:54.168: Generic:  ospf_external_route_sync0x0
 242 May 15 13:07:54.168: Generic:  ospf_inter_route_sync0x0
 243 May 15 13:07:54.168: Generic:  ospf_inter_route_sync0x0
 245 May 15 13:07:54.168: Generic:  post_spf_intra0x0
 246 May 15 13:07:54.168: Generic:  ospf_intra_route_sync0x0
 248 May 15 13:07:54.168: Generic:  ospf_intra_route_sync0x0
 249 May 15 13:07:54.168: DB add:  172.18.124.00x987668 204
 252 May 15 13:07:51.668: Timer Exp:  if_ack_delayed0xcb97dfe0
 256 May 15 13:07:37.228: Generic:  ospf_external_route_sync0x0
 257 May 15 13:07:37.228: Generic:  ospf_external_route_sync0x0
 258 May 15 13:07:37.228: Generic:  ospf_external_route_sync0x0
 259 May 15 13:07:37.228: Generic:  ospf_external_route_sync0x0
 262 May 15 13:07:37.228: Generic:  ospf_inter_route_sync0x0
 263 May 15 13:07:37.228: Generic:  ospf_inter_route_sync0x0
 265 May 15 13:07:37.228: Generic:  post_spf_intra0x0
 266 May 15 13:07:37.228: Generic:  ospf_intra_route_sync0x0
 267 May 15 13:07:37.228: Generic:  ospf_intra_route_sync0x0
 270 May 15 13:07:34.728: Timer Exp:  if_ack_delayed0xcb97dfe0
 273 May 15 13:07:32.238: DB add:  198.51.100.100x987848 206
 278 May 15 13:07:32.228: DB add:  198.51.100.20x987938 205
 283 May 15 13:07:31.738: Elect DR:  inside198.51.100.10
 284 May 15 13:07:31.738: Elect BDR:  inside198.51.100.2
 285 May 15 13:07:31.736: i/f state nbr chg:  inside0x5
 287 May 15 13:07:31.736: Elect DR:  inside198.51.100.10
 288 May 15 13:07:31.736: Elect BDR:  inside198.51.100.2
 289 May 15 13:07:31.736: i/f state nbr chg:  inside0x5
 291 May 15 13:07:31.736: nbr state adjok:  198.51.100.20x3
 293 May 15 13:07:31.736: Elect DR:  inside198.51.100.10
 294 May 15 13:07:31.736: Elect BDR:  inside198.51.100.2
 295 May 15 13:07:31.736: i/f state nbr chg:  inside0x5

show ospf rib detail

This command, mentioned previously, allows an administrator to discover which routes are learned from a peer and whether those routes are installed in the RIB. A route might not be installed in the RIB because of route filtering (described previously).

asa(config)# show ospf rib detail

            OSPF Router with ID (198.51.100.1) (Process ID 1)
OSPF local RIB
Codes: * - Best, > - Installed in global RIB

*>  172.18.124.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: RIB, HiPrio
      via 198.51.100.2, inside, flags: RIB
       LSA: 1/198.51.100.2/198.51.100.2
*   10.20.20.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: HiPrio
      via 198.51.100.2, inside, flags: none
       LSA: 1/198.51.100.2/198.51.100.2
*>  192.168.10.0/32, Intra, cost 11, area 0
     SPF Instance 13, age 0:13:59
     Flags: RIB, HiPrio
      via 198.51.100.2, inside, flags: RIB
       LSA: 1/198.51.100.2/198.51.100.2
*   198.51.100.0/24, Intra, cost 10, area 0
     SPF Instance 13, age 0:52:52
     Flags: Connected
      via 198.51.100.10, inside, flags: Connected
       LSA: 2/198.51.100.2/192.151.100.10

show ospf neighbor detail

The show ospf neighbor detail command allows you to view the state of the OSPF adjacencies.

asa(config)# show ospf neighbor detail

Neighbor 198.51.100.2, interface address 198.51.100.2
In the area 0 via interface ISP
Neighbor priority is 1, State is FULL, 6 state changes
DR is 198.51.100.10 BDR is 198.51.100.2
Options is 0x12 in Hello (E-bit, L-bit)
Options is 0x52 in DBD (E-bit, L-bit, O-bit)
Dead timer due in 0:00:16
Neighbor is up for 00:02:45
Index 1/1, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec

OSPF Redistribution of BGP

In order to support Border Gateway Protocol (BGP) redistribution into and out of other routing protocols, the redistribute bgp command is introduced to the OSPF router configuration. Enter this command in order to redistribute routes learned via BGP into the running OSPF process.

asa(config)# router ospf 1
asa(config-router)# redistribute bgp ?
router mode commands/options:
100  Autonomous system number
ASA-1(config-router)# redistribute bgp 100

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.




Document ID: 118098