OSPF analysis with the firewall (FW) in routed mode and in transparent mode (Tech Enthusiast)

 

Notes on OSPF passing through a transparent-mode firewall:
In transparent mode the firewall allows only two interfaces.
The firewall needs a management IP address; it is configured once in global configuration mode (not under an interface) and must be in the same subnet as the directly connected routers that form the OSPF adjacency through the firewall.
OSPF traffic must be permitted on both sides of the firewall: access-list nn permit ospf any any, applied inbound on each interface with access-group. The firewall is not an OSPF speaker here; the adjacency forms between the two routers and the firewall only bridges the packets.
Both interface network types on the routers work: point-to-point and broadcast (with DR and BDR election).
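A complete transparent-mode configuration for the setup above, added here as an example and not taken from the original post. It assumes a PIX/ASA 7.x, RT2 (192.168.1.3) on the outside interface, RT1 (192.168.1.2) on the inside interface, a management address of 192.168.1.1, and the ACL names OUT_IN and IN_OUT; all of these are assumptions. It tightens the page's permit ospf any any to the two known neighbors and the OSPF multicast groups, so a rogue speaker on one segment cannot push hellos across the firewall to the other.

```cisco
! Added example (not from the original post): PIX/ASA 7.x transparent-mode
! firewall bridging RT1 (192.168.1.2, inside) and RT2 (192.168.1.3, outside).
! Interface names, ACL names and the management address are assumptions.
firewall transparent
hostname FW
!
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode: one management address, set in global configuration mode,
! in the same subnet as the two routers.
ip address 192.168.1.1 255.255.255.0
!
! Multicast is not bridged by default, so OSPF (IP protocol 89) must be permitted
! explicitly. Hellos go to 224.0.0.5, LSU/LSAck from a DROther go to 224.0.0.6,
! and DBD/LSR/LSU between neighbors are unicast, hence three entries per side.
access-list OUT_IN extended permit ospf host 192.168.1.3 host 224.0.0.5
access-list OUT_IN extended permit ospf host 192.168.1.3 host 224.0.0.6
access-list OUT_IN extended permit ospf host 192.168.1.3 host 192.168.1.2
!
access-list IN_OUT extended permit ospf host 192.168.1.2 host 224.0.0.5
access-list IN_OUT extended permit ospf host 192.168.1.2 host 224.0.0.6
access-list IN_OUT extended permit ospf host 192.168.1.2 host 192.168.1.3
!
! An interface ACL only filters packets entering that interface, so each
! direction needs its own ACL: this is the "both sides" requirement.
access-group OUT_IN in interface outside
access-group IN_OUT in interface inside
```

Because the firewall does not take part in OSPF it cannot validate what the routers exchange; the ACL only limits who may talk OSPF through it. The control that actually protects the adjacency is OSPF MD5 authentication configured on RT1 and RT2 (ip ospf authentication message-digest and ip ospf message-digest-key on their Ethernet0/0 interfaces), which the transparent firewall passes unchanged. If the routers use the point-to-point network type, the 224.0.0.6 entries are unnecessary.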
Neighbors with the broadcast network type (show ip ospf neighbor on each router):
RT1
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:31    192.168.1.3     Ethernet0/0
RT2
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:30    192.168.1.2     Ethernet0/0
 
 
On RT2, debug ip ospf adj. Reading the trace top to bottom: the first DBD from 1.1.1.1 arrives while RT2 still lists the neighbor as INIT and moves it to 2WAY; the DR/BDR election settles on 2.2.2.2 as DR and 1.1.1.1 as BDR; the empty DBDs with flag 0x7 (Init, More and Master/Slave bits all set) start master/slave negotiation, which RT2 wins as MASTER because its router ID is higher; flags 0x3 and 0x1 (master, more / no more) and 0x2 and 0x0 (slave) carry the database summaries during EXCHANGE; the LS REQ / LS UPD pair fetches the one missing LSA during LOADING, after which the neighbor goes FULL. This is the same sequence a router sees with no firewall in the path, which confirms the transparent firewall is passing every OSPF packet type in both directions.
rt2#
*Mar 1 00:12:12.247: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xCE7 opt 0x52 flag 0x7 len 32 mtu 1500 state INIT
*Mar 1 00:12:12.247: OSPF: 2 Way Communication to 1.1.1.1 on Ethernet0/0, state 2WAY
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.251: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.251: OSPF: Elect BDR 0.0.0.0
*Mar 1 00:12:12.251: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.251:        DR: 2.2.2.2 (Id)   BDR: none
*Mar 1 00:12:12.251: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3C opt 0x52 flag 0x7 len 32
*Mar 1 00:12:12.251: OSPF: First DBD and we are not SLAVE
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.251: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.251: OSPF: Elect BDR 1.1.1.1
*Mar 1 00:12:12.251: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.251:        DR: 2.2.2.2 (Id)   BDR: 1.1.1.1 (Id)
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.255: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.255: OSPF: Elect BDR 1.1.1.1
*Mar 1 00:12:12.259: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.259:        DR: 2.2.2.2 (Id)   BDR: 1.1.1.1 (Id)
*Mar 1 00:12:12.267: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3C opt 0x52 flag 0x2 len 52 mtu 1500 state EXSTART
*Mar 1 00:12:12.267: OSPF: NBR Negotiation Done. We are the MASTER
*Mar 1 00:12:12.267: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3D opt 0x52 flag 0x3 len 52
*Mar 1 00:12:12.279: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3D opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:12:12.283: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3E opt 0x52 flag 0x1 len 32
*Mar 1 00:12:12.287: OSPF: Send LS REQ to 1.1.1.1 length 12 LSA count 1
*Mar 1 00:12:12.303: OSPF: Rcv LS REQ from 1.1.1.1 on Ethernet0/0 length 36 LSA count 1
*Mar 1 00:12:12.307: OSPF: Send UPD to 192.168.1.2 on Ethernet0/0 length 64 LSA count 1
*Mar 1 00:12:12.311: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3E opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:12:12.311: OSPF: Exchange Done with 1.1.1.1 on Ethernet0/0
*Mar 1 00:12:12.351: OSPF: Rcv LS UPD from 1.1.1.1 on Ethernet0/0 length 88 LSA count 1
*Mar 1 00:12:12.351: OSPF: Synchronized with 1.1.1.1 on Ethernet0/0, state FULL
*Mar 1 00:12:12.355: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/0 from LOADING to FULL, Loading Done
*Mar 1 00:12:12.679: OSPF: Rcv LS UPD from 1.1.1.1 on Ethernet0/0 length 88 LSA count 1
*Mar 1 00:12:12.767: OSPF: Build router LSA for area 0, router ID 2.2.2.2, seq 0x80000004
*Mar 1 00:12:12.855: OSPF: Build network LSA for Ethernet0/0, router ID 2.2.2.2
*Mar 1 00:12:12.859: OSPF: Build network LSA for Ethernet0/0, router ID 2.2.2.2
 
 
NAT in transparent mode did not work. Transparent mode on PIX 7.x does not support NAT, and it does not run dynamic routing protocols itself, which is why the adjacency above is between RT1 and RT2 rather than with the firewall.
Static routes: is a static route whose next hop cannot be resolved recursively to a directly connected route kept out of the global routing table?
 
 
 
 
 
 
OSPF in routed mode:
In routed mode the firewall itself is the OSPF neighbor of RT1 and RT2. The OSPF packets terminate on the firewall instead of passing through it, so no interface access-list is needed for them. The firewall becomes DR on each segment, with RT1 and RT2 as BDR.
The default interface network type is broadcast; it can be changed to point-to-point non-broadcast, which removes the DR/BDR election but requires the neighbor to be defined statically under router ospf.
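A routed-mode OSPF configuration for the firewall, added as an example and not part of the original post. The addresses (192.168.1.0/24 toward RT1, 192.168.2.0/24 toward RT2), router ID 3.3.3.3, interface names and the MD5 key are assumptions. It makes the DR role deliberate with ospf priority 255 instead of relying on the default election, and adds MD5 authentication, which the original notes leave out.

```cisco
! Added example (not from the original post): PIX/ASA 7.x routed-mode OSPF with
! the firewall as DR on both segments. Addresses, names and key are assumptions.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
 ospf priority 255
 ospf authentication message-digest
 ospf message-digest-key 1 md5 ChangeMe-0SPF
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf priority 255
 ospf authentication message-digest
 ospf message-digest-key 1 md5 ChangeMe-0SPF
 no shutdown
!
router ospf 1
 router-id 3.3.3.3
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
!
! Alternative for one segment: point-to-point non-broadcast. No DR/BDR election,
! but the neighbor must then be listed explicitly (assumed RT2 at 192.168.2.2).
! interface Ethernet0
!  ospf network point-to-point non-broadcast
! router ospf 1
!  neighbor 192.168.2.2 interface outside
```

RT1 and RT2 need the matching IOS settings on their Ethernet0/0 (ip ospf authentication message-digest and ip ospf message-digest-key 1 md5 with the same key), otherwise the hellos are discarded and no adjacency forms. Verify on the firewall with show ospf neighbor (the ASA command has no "ip" keyword); each router should appear as FULL/BDR.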
 
 
When doing NAT on the PIX in routed mode, even with nat-control disabled, you must still configure NAT exemption for the private address ranges, otherwise traffic between private networks breaks. (The nat command matches whatever traffic hits it: a nat (inside) 1 0.0.0.0 0.0.0.0 rule also catches traffic from inside to private networks behind the firewall's other interfaces, so that traffic is subject to translation instead of passing untouched unless a nat 0 access-list exempts it.)
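A routed-mode NAT configuration with the exemption in place, added here as an example and not from the original post. It assumes inside 192.168.1.0/24, a dmz interface with 192.168.10.0/24, PAT to the outside interface address, and the ACL name NONAT; all are assumptions.

```cisco
! Added example (not from the original post): PIX 7.x routed-mode NAT with
! exemption for private-to-private traffic. Subnets and names are assumptions.
!
! Without the exemption, the nat (inside) 1 rule below also matches
! inside -> dmz traffic, so the private source is translated (or the flow is
! dropped for lack of a global on dmz) and the dmz hosts never see 192.168.1.x.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! NAT exemption is evaluated before static and dynamic NAT, so it always wins.
nat (inside) 0 access-list NONAT
!
! Dynamic PAT to the outside interface address for everything else from inside.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Check: an inside -> outside flow shows a PAT xlate on the outside address,
! an inside -> dmz flow shows none.
! show xlate
! show running-config nat
```

Keep the exemption ACL specific to the private-to-private pairs; an overly broad nat 0 entry (for example permit ip 192.168.1.0 255.255.255.0 any) would also switch off translation toward the outside.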
 
 
 
 
Cut-through proxy (CTP) steps: capture the triggering traffic with an access-list, then
         aaa authentication match acl-name interface-name LOCAL (or an AAA server group)
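The two CTP steps as a complete configuration, added as an example and not part of the original post. The ACL name CTP, the inside subnet 192.168.1.0/24, the username, password and timeout are assumptions.

```cisco
! Added example (not from the original post): cut-through proxy with the local
! user database. ACL name, subnet, username, password and timeout are assumptions.
username alice password S3cret-Ex4mple privilege 1
!
! Step 1: the triggering traffic. Only HTTP, HTTPS, FTP and Telnet can prompt the
! user for credentials; other protocols matched here are allowed only after a
! uauth entry already exists for the source IP, and are denied before that.
access-list CTP extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list CTP extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
!
! Step 2: require authentication for CTP traffic entering the inside interface,
! against LOCAL users (a RADIUS/TACACS+ server-tag can be used instead).
aaa authentication match CTP inside LOCAL
!
! Step 3 (hardening, beyond the two steps on the page): bound how long an
! authenticated source IP stays authorized, since uauth is keyed on IP, not user.
timeout uauth 0:30:00 absolute
```

Because the uauth entry is tied to the source IP address, anything else behind that address (NAT, shared hosts) inherits the authorization until the timeout expires, which is why a short absolute timeout matters.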
 
 
SSL ***: not done.