Notes on OSPF crossing a firewall in transparent mode:
In transparent mode the firewall allows only two interfaces.
The firewall needs a management IP address, configured in global configuration mode (not on an interface). It has to sit in the same subnet as the directly connected segment on which the two routers build their OSPF adjacency.
OSPF must be permitted on both sides of the firewall: access-list nn permit ospf any any, applied inbound on each interface. OSPF is IP protocol 89 rather than TCP/UDP, so the firewall does not track it statefully; hellos, DBDs and updates have to be allowed explicitly in both directions (permit ... any any also matches the multicast destinations 224.0.0.5 and 224.0.0.6 that the hellos use).
Either interface network type on the two routers works: point-to-point or broadcast (with DR/BDR election).
Neighbor table with the broadcast type:
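A complete configuration for this setup, added here as an example; it is not from the original notes. The hostname pix, the interface names and the management address 192.168.1.1 are assumptions; the router addresses and router IDs are the ones in the neighbor table that follows.

```cisco
! ---- PIX, transparent mode (hostname and interface names are assumptions)
firewall transparent
hostname pix
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
! Management address: global configuration mode, same subnet as the OSPF segment
! (192.168.1.1 is an assumed, otherwise unused address on that segment)
ip address 192.168.1.1 255.255.255.0
! OSPF (IP protocol 89) is not tracked statefully: permit it inbound on both sides.
! "any any" also matches the multicast hellos sent to 224.0.0.5 / 224.0.0.6.
access-list OUTSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit ospf any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside

! ---- RT1 (router ID 1.1.1.1, 192.168.1.2, on the outside side of the PIX)
hostname RT1
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
router ospf 1
 router-id 1.1.1.1
 network 192.168.1.0 0.0.0.255 area 0

! ---- RT2 (router ID 2.2.2.2, 192.168.1.3, on the inside side of the PIX)
hostname RT2
interface Ethernet0/0
 ip address 192.168.1.3 255.255.255.0
 no shutdown
router ospf 1
 router-id 2.2.2.2
 network 192.168.1.0 0.0.0.255 area 0
```

Both routers keep the default priority of 1, so the higher router ID (2.2.2.2) wins the DR election, which is what the neighbor table shows. To check: show ip ospf neighbor on both routers, and show access-list on the PIX should show rising hit counts on the ospf lines; a neighbor that never appears, or stays in INIT, usually means protocol 89 is dropped in one direction. For anything beyond a lab, tighten the ACL to the 192.168.1.0/24 segment (the firewall cannot validate OSPF itself) and enable OSPF MD5 authentication between RT1 and RT2.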
RT1
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:31    192.168.1.3     Ethernet0/0
RT2
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:00:30    192.168.1.2     Ethernet0/0
 
 
debug ip ospf adj on RT2 (the trace shows the whole sequence: 2WAY, the DR/BDR election, EXSTART with RT2 as master because 2.2.2.2 is the higher router ID, EXCHANGE, LS request/update, then FULL):
rt2#
*Mar 1 00:12:12.247: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xCE7 opt 0x52 flag 0x7 len 32 mtu 1500 state INIT
*Mar 1 00:12:12.247: OSPF: 2 Way Communication to 1.1.1.1 on Ethernet0/0, state 2WAY
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.251: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.251: OSPF: Elect BDR 0.0.0.0
*Mar 1 00:12:12.251: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.251:        DR: 2.2.2.2 (Id)   BDR: none
*Mar 1 00:12:12.251: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3C opt 0x52 flag 0x7 len 32
*Mar 1 00:12:12.251: OSPF: First DBD and we are not SLAVE
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.251: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.251: OSPF: Elect BDR 1.1.1.1
*Mar 1 00:12:12.251: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.251:        DR: 2.2.2.2 (Id)   BDR: 1.1.1.1 (Id)
*Mar 1 00:12:12.251: OSPF: Neighbor change Event on interface Ethernet0/0
*Mar 1 00:12:12.255: OSPF: DR/BDR election on Ethernet0/0
*Mar 1 00:12:12.255: OSPF: Elect BDR 1.1.1.1
*Mar 1 00:12:12.259: OSPF: Elect DR 2.2.2.2
*Mar 1 00:12:12.259:        DR: 2.2.2.2 (Id)   BDR: 1.1.1.1 (Id)
*Mar 1 00:12:12.267: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3C opt 0x52 flag 0x2 len 52 mtu 1500 state EXSTART
*Mar 1 00:12:12.267: OSPF: NBR Negotiation Done. We are the MASTER
*Mar 1 00:12:12.267: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3D opt 0x52 flag 0x3 len 52
*Mar 1 00:12:12.279: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3D opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:12:12.283: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0xC3E opt 0x52 flag 0x1 len 32
*Mar 1 00:12:12.287: OSPF: Send LS REQ to 1.1.1.1 length 12 LSA count 1
*Mar 1 00:12:12.303: OSPF: Rcv LS REQ from 1.1.1.1 on Ethernet0/0 length 36 LSA count 1
*Mar 1 00:12:12.307: OSPF: Send UPD to 192.168.1.2 on Ethernet0/0 length 64 LSA count 1
*Mar 1 00:12:12.311: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0xC3E opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
*Mar 1 00:12:12.311: OSPF: Exchange Done with 1.1.1.1 on Ethernet0/0
*Mar 1 00:12:12.351: OSPF: Rcv LS UPD from 1.1.1.1 on Ethernet0/0 length 88 LSA count 1
*Mar 1 00:12:12.351: OSPF: Synchronized with 1.1.1.1 on Ethernet0/0, state FULL
*Mar 1 00:12:12.355: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Ethernet0/0 from LOADING to FULL, Loading Done
*Mar 1 00:12:12.679: OSPF: Rcv LS UPD from 1.1.1.1 on Ethernet0/0 length 88 LSA count 1
*Mar 1 00:12:12.767: OSPF: Build router LSA for area 0, router ID 2.2.2.2, seq 0x80000004
*Mar 1 00:12:12.855: OSPF: Build network LSA for Ethernet0/0, router ID 2.2.2.2
*Mar 1 00:12:12.859: OSPF: Build network LSA for Ethernet0/0, router ID 2.2.2.2
 
 
NAT in transparent mode did not work (NAT in transparent mode is only supported from release 8.0(2) onward).
Open question on static routes: a static route whose next hop cannot be resolved recursively to a connected route is not installed in the global routing table? In transparent mode the only connected network is the management subnet, and static routes there only carry traffic sourced by the firewall itself, so the next hop has to be on that subnet.
OSPF in routed mode:
In routed mode the OSPF adjacency is formed with the firewall itself. Because the OSPF packets terminate on the firewall instead of passing through it, no access-list is needed. The firewall became DR on both segments, with RT1 as BDR on one side and RT2 as BDR on the other.
The default interface network type is broadcast; it can be changed to point-to-point non-broadcast (which requires statically configured neighbors).
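The routed-mode variant, added here as an example and not from the original notes. All addresses are assumptions: outside 10.1.1.0/24 with RT1 at 10.1.1.2, inside 10.2.2.0/24 with RT2 at 10.2.2.2, firewall router ID 3.3.3.3. The ospf priority lines make the firewall the DR deterministically instead of relying on the router-ID tie-break.

```cisco
! ---- PIX, routed mode (addresses, hostname and router ID are assumptions)
no firewall transparent
hostname pix
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
 ! priority 255 so the firewall is always DR on this segment
 ospf priority 255
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
 ospf priority 255
 no shutdown
! No access-list is needed: OSPF terminates on the firewall, nothing passes through.
router ospf 1
 router-id 3.3.3.3
 network 10.1.1.0 255.255.255.0 area 0
 network 10.2.2.0 255.255.255.0 area 0
 log-adj-changes

! ---- RT1 (outside side); RT2 is the same with 10.2.2.2 and router-id 2.2.2.2
hostname RT1
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
router ospf 1
 router-id 1.1.1.1
 network 10.1.1.0 0.0.0.255 area 0

! ---- Variant on the firewall: point-to-point non-broadcast on the outside
! segment. Hellos are then sent unicast, so the neighbor must be listed.
interface Ethernet0
 ospf network point-to-point non-broadcast
router ospf 1
 neighbor 10.1.1.2 interface outside
```

Note that the ASA/PIX network statement takes a subnet mask while IOS takes a wildcard mask. Check with show ospf neighbor on the firewall and show ip ospf neighbor on the routers: with the priorities above the firewall shows FULL/BDR toward each router, and each router shows the firewall as FULL/DR.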
 
 
For NAT in PIX routed mode, even with nat-control disabled you still have to configure NAT exemption (nat 0 access-list) for the private address ranges, otherwise private-to-private traffic breaks. The nat command matches traffic regardless of nat-control: once a packet matches a nat rule it needs a global on the egress interface, and a packet headed for a private segment that has no matching global is dropped.
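The NAT exemption described above, written out as an added example (not from the original notes). The topology is assumed: inside 10.0.0.0/24, a dmz interface with 172.16.0.0/24, and outside toward the Internet.

```cisco
! Assumed topology: inside 10.0.0.0/24, dmz 172.16.0.0/24, outside = Internet.
no nat-control
!
! 1) NAT exemption is evaluated before the dynamic rules: inside-to-dmz traffic
!    keeps its real addresses in both directions.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2) Dynamic PAT for everything else leaving through outside.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
```

Without the two NONAT lines, a packet from 10.0.0.0/24 to 172.16.0.0/24 still matches nat (inside) 1; since there is no global (dmz) 1, the firewall has no translation to apply and drops it, logging %PIX-3-305005 (No translation group found), even though nat-control is off. show nat and show xlate show which rule a flow hit; the identity translations created by nat 0 appear in show xlate with the real address on both sides.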
CTP (cut-through proxy) steps: capture the triggering traffic with an access-list, then tie it to an authentication source:
         aaa authentication match <acl-name> <interface-name> LOCAL | <aaa-server-tag>
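A minimal cut-through proxy configuration with local users, added as an example; it is not from the original notes. The user, password, source subnet, ACL name and ports are assumptions.

```cisco
! Local user for cut-through proxy (name and password are placeholders).
username alice password S3cret-Lab privilege 0
!
! Triggering traffic: HTTP and Telnet from inside (assumed 10.0.0.0/24) to anywhere.
! The PIX can prompt for credentials in-band only on HTTP, HTTPS, Telnet and FTP;
! other protocols need a prior login via one of those.
access-list CTP_AUTH extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list CTP_AUTH extended permit tcp 10.0.0.0 255.255.255.0 any eq 23
aaa authentication match CTP_AUTH inside LOCAL
!
! Cache the authentication so users are not prompted on every connection.
timeout uauth 0:30:00 absolute
!
! Redirect the HTTP prompt to HTTPS so the password is not sent in clear text.
aaa authentication secure-http-client
```

show uauth lists the users currently authenticated and the time left on their entry; clear uauth forces re-authentication. Without secure-http-client (or an HTTPS-only trigger) the credentials cross the inside segment unencrypted, which is the first thing to fix once the proxy works.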
 
 
SSL ***: not done.