OSPF Step by Step: A Detailed Analysis (Part 4)
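OSPF Virtual Links

As mentioned in an earlier article, OSPF uses a two-level hierarchy, so every non-backbone area must connect directly to the backbone area. Routers in Area 1 and Area 2 cannot connect to each other directly; traffic between areas must pass through the backbone area, Area 0.

The virtual link, today's topic, can join a discontiguous Area 0, and it can also connect an area to Area 0 through a transit area.

Virtual links are part of the OSPF open standard, and Cisco IOS software has supported them since release 10.0. A virtual link resembles a standard OSPF adjacency, except that the adjacent routers do not need to be directly connected.

On a virtual link the Hello protocol works the same way as on a standard link: a hello packet is sent every 10 seconds. LSA updates behave differently. LSAs are normally refreshed every 30 minutes, but LSAs learned over a virtual link have the DoNotAge (DNA) option set, so they do not age out. DNA is essential to avoid excessive flooding over the virtual link.

Now let's configure an OSPF virtual link. The lab topology and environment are as follows:

As the topology shows, Area 2 is separated from Area 0 by Area 1. For Area 2 and Area 0 to communicate, Area 1 must serve as the transit area, and a virtual link must be built across Area 1.

The OSPF virtual-link configuration command is:

area area-id virtual-link <router ID of the other end of the virtual link>

OK, let's get to work!

The basic multi-area OSPF configuration was covered in an earlier article, so the basic steps are omitted here.

After the basic OSPF configuration is complete, R1 and R4 do not learn each other's routes, and pc1 and pc2 cannot communicate.

Check the routing tables on R1 and R4.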
R1

r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet1/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.1.2, 00:00:11, Serial0/0

R4

r4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.100.0 is directly connected, FastEthernet1/0
     40.0.0.0/24 is subnetted, 1 subnets
C       40.1.1.0 is directly connected, Loopback0
C    192.168.3.0/24 is directly connected, Serial0/0

Since R1 and R4 have not learned each other's routes, it is inevitable that pc1 cannot ping pc2:

VPCS 1 >ping 172.16.100.2
host (172.16.100.2) not reachable

To let them communicate, configure a virtual link on R2 and R3 with the following commands:

r2(config-router)#area 1 virtual-link 30.1.1.1
r3(config-router)#area 1 virtual-link 20.1.1.1

With the virtual link configured, look at the routing tables on R1 and R4 again. As the output below shows, R1 and R4 have now learned each other's routes.
R1

r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, FastEthernet1/0
O IA    172.16.100.0 [110/193] via 192.168.1.2, 00:01:37, Serial0/0
     40.0.0.0/32 is subnetted, 1 subnets
O IA    40.1.1.1 [110/193] via 192.168.1.2, 00:01:37, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.1.2, 00:01:37, Serial0/0
O IA 192.168.3.0/24 [110/192] via 192.168.1.2, 00:01:37, Serial0/0
     30.0.0.0/32 is subnetted, 1 subnets
O IA    30.1.1.1 [110/129] via 192.168.1.2, 00:01:37, Serial0/0

R4

r4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O IA    172.16.1.0 [110/193] via 192.168.3.1, 00:01:46, Serial0/0
C       172.16.100.0 is directly connected, FastEthernet1/0
     40.0.0.0/24 is subnetted, 1 subnets
C       40.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O IA    10.1.1.1 [110/193] via 192.168.3.1, 00:01:46, Serial0/0
O IA 192.168.1.0/24 [110/192] via 192.168.3.1, 00:01:46, Serial0/0
O IA 192.168.2.0/24 [110/128] via 192.168.3.1, 00:01:55, Serial0/0
C    192.168.3.0/24 is directly connected, Serial0/0
     30.0.0.0/32 is subnetted, 1 subnets
O IA    30.1.1.1 [110/65] via 192.168.3.1, 00:01:56, Serial0/0

Now ping pc2 from pc1. They can reach each other now!

VPCS 1 >ping 172.16.100.2
172.16.100.2 icmp_seq=1 time=138.000 ms
172.16.100.2 icmp_seq=2 time=86.000 ms
172.16.100.2 icmp_seq=3 time=110.000 ms
172.16.100.2 icmp_seq=4 time=80.000 ms
172.16.100.2 icmp_seq=5 time=50.000 ms

Let's check how the OSPF virtual link is running.
The output below shows that the OSPF neighbor and the link to that neighbor are in the up state, along with some other information.

r2#show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 30.1.1.1 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 1, via interface Serial0/1, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
    Adjacency State FULL (Hello suppressed)
    Index 2/3, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

In short, the OSPF virtual link is configured successfully and working properly!
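OSPF Authentication

Why use OSPF authentication:

Authenticating neighbor routers prevents a router from accepting forged routing updates. With OSPF neighbor authentication configured, a router takes part in routing based on a predefined password.

Background on OSPF authentication:

Once neighbor authentication is configured on a router, the router authenticates the source of every routing update packet it receives. This is accomplished by exchanging an authentication key (password) that both the sending and the receiving router know.

By default, OSPF uses the null authentication method, meaning that routing information exchanged over the network is not authenticated. OSPF supports two other authentication methods: simple password authentication (plaintext authentication) and MD5 authentication.

OSPF MD5 authentication includes a non-decreasing sequence number in every OSPF packet to protect against replay attacks.

Today we configure both methods. First, simple authentication.

The configuration commands (in interface mode) are:

ip ospf authentication
ip ospf authentication-key <password>

Lab: configuring simple authentication. The lab topology is as follows:

The configuration is as follows (both routers are in Area 0; single-area OSPF is routine by now, so it is not repeated here):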
First, after OSPF is configured, check both routers' routing tables to see whether they learn each other's routes.

R1

r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/32 is subnetted, 1 subnets
O       20.1.1.1 [110/65] via 192.168.1.2, 00:00:04, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0

R2

r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/65] via 192.168.1.1, 00:01:29, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/0

As shown above, R1 and R2 have learned each other's routes.

Verify that they can communicate. As shown below, it works!

r1#ping 20.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/92/268 ms

Next, we first configure simple authentication on R1.
r1(config)#int s0/0
r1(config-if)#ip ospf authentication
r1(config-if)#ip ospf authentication-key cisco

After configuring authentication on R1, check the routing tables on R1 and R2. As shown below, the two routers no longer learn each other's routes, because authentication is configured only on R1.

R1

r1#show ip route
*Mar  1 00:06:29.315: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0

R2

r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0

For R2 to form an adjacency with R1 and exchange routes, it must also be configured for simple authentication, and the password must be the same.
OK, let's configure simple authentication on R2 as well:

r2(config)#int s0/0
r2(config-if)#ip ospf authentication
r2(config-if)#ip ospf authentication-key cisco

With simple authentication correctly configured on both routers, let's look at the routing tables again.

R1

r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/32 is subnetted, 1 subnets
O       20.1.1.1 [110/65] via 192.168.1.2, 00:00:51, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0

R2

r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/65] via 192.168.1.1, 00:01:21, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/0

OK, simple authentication is configured successfully!

Next we configure MD5 authentication. The lab topology is the same as for simple authentication.
To use OSPF MD5 authentication, a key ID and a key must be configured on each router.

The configuration commands (again in interface mode) are:

ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 <password>

MD5 authentication must be configured on both routers; otherwise the behavior seen above occurs (the two routers cannot communicate).

R1

r1(config)#int s0/0
r1(config-if)#ip ospf authentication message-digest
r1(config-if)#ip ospf message-digest-key 1 md5 cisco

R2

r2(config)#int s0/0
r2(config-if)#ip ospf authentication message-digest
r2(config-if)#ip ospf message-digest-key 1 md5 cisco
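
What the routers do with the key ID and key configured above, as an added example that is not part of the original article: it follows the cryptographic authentication procedure of RFC 2328 Appendix D (MD5 over the packet followed by the zero-padded 16-byte key, header checksum left at zero, sequence number tracked per neighbor). The router ID 10.1.1.1 (R1's loopback), the payload bytes and all function and class names are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import struct

HDR = "!BBH4s4sHHHBBI"   # 24-byte OSPFv2 header with the AuType 2 auth field
AUTYPE_CRYPTO = 2        # RFC 2328: AuType 2 = cryptographic authentication


def pad_key(key):
    """RFC 2328 keys are 16 bytes; shorter secrets are zero-padded."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\x00")


def build_packet(router_id, area_id, body, key_id, key, seq, ptype=1):
    """Sender side: OSPF header + body + 16-byte MD5 digest trailer."""
    length = 24 + len(body)          # the digest is not counted in Packet length
    header = struct.pack(HDR, 2, ptype, length, router_id, area_id,
                         0,          # checksum stays 0 when AuType is 2
                         AUTYPE_CRYPTO,
                         0, key_id, 16,   # reserved, Key ID, Auth Data Len
                         seq)        # cryptographic sequence number
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


class Neighbor:
    """Receiver side: shared keys plus the last sequence number accepted."""

    def __init__(self, keys):
        self.keys = keys             # {key_id: secret}
        self.last_seq = None

    def accept(self, wire):
        if len(wire) < 24:
            return "drop: truncated"
        fields = struct.unpack(HDR, wire[:24])
        length, autype, key_id, auth_len, seq = (
            fields[2], fields[6], fields[8], fields[9], fields[10])
        if autype != AUTYPE_CRYPTO:
            return "drop: AuType mismatch"
        key = self.keys.get(key_id)
        if key is None:
            return "drop: unknown Key ID"
        if auth_len != 16 or length < 24 or len(wire) != length + 16:
            return "drop: bad length"
        # The RFC rejects only numbers lower than the last one received,
        # which is why the sequence is described as non-decreasing.
        if self.last_seq is not None and seq < self.last_seq:
            return "drop: stale sequence number"
        expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
        if not hmac.compare_digest(expected, wire[length:]):
            return "drop: digest mismatch"
        self.last_seq = seq          # updated only after the digest verifies
        return "accept"


def demo():
    r1_id = socket.inet_aton("10.1.1.1")   # assumed router ID of R1
    area0 = socket.inet_aton("0.0.0.0")
    body = b"constructed-hello-body"        # constructed payload, not a real Hello
    r2_view_of_r1 = Neighbor({1: b"cisco"})
    first = build_packet(r1_id, area0, body, 1, b"cisco", seq=1000)
    second = build_packet(r1_id, area0, body, 1, b"cisco", seq=1001)
    tampered = second[:30] + b"X" + second[31:]            # one payload byte changed
    wrong_key = build_packet(r1_id, area0, body, 1, b"Cisco", seq=1002)
    packets = (first, second, first, tampered, wrong_key)  # third is a replay
    return [r2_view_of_r1.accept(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
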
With MD5 authentication configured on both routers, R1 and R2 can communicate normally again. To confirm, look at the routing tables of the two routers.

R1

r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/32 is subnetted, 1 subnets
O       20.1.1.1 [110/65] via 192.168.1.2, 00:00:52, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Serial0/0

R2

r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Loopback0
     10.0.0.0/32 is subnetted, 1 subnets
O       10.1.1.1 [110/65] via 192.168.1.1, 00:00:43, Serial0/0
C    192.168.1.0/24 is directly connected, Serial0/0

Both authentication methods are now working!

After OSPF authentication is configured, the key string is stored in plaintext in the router configuration. To keep the password from being read by others, use the command service password-encryption, which encrypts the plaintext and makes the password more secure!

To wrap up the lab, here is what to watch for when configuring authentication:
1. Authentication must be configured on the serial interfaces of both routers;
2. The configured passwords must be identical;
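
The two rules above, together with the point about plaintext key storage, can be checked offline against saved configurations. The following is an added example, not from the original article: the configuration fragments are constructed from the lab's commands, the type 7 string is a constructed sample, and the function names are hypothetical.

```python
import re

KEY_RE = re.compile(r"ip ospf authentication-key (?:(\d+) )?(\S+)")
MD5_RE = re.compile(r"ip ospf message-digest-key (\d+) md5 (?:(\d+) )?(\S+)")


def ospf_auth(config, interface):
    """Return the OSPF authentication settings under one interface stanza."""
    st = {"mode": "null", "simple": None, "md5": {}}
    in_stanza = False
    for raw in config.splitlines():
        if not raw.startswith(" "):        # any top-level line ends the stanza
            in_stanza = raw.strip() == "interface " + interface
            continue
        if not in_stanza:
            continue
        line = raw.strip()
        key, md5 = KEY_RE.fullmatch(line), MD5_RE.fullmatch(line)
        if line == "ip ospf authentication":
            st["mode"] = "simple"
        elif line == "ip ospf authentication message-digest":
            st["mode"] = "md5"
        elif key:                          # stored as (encoding type, string)
            st["simple"] = (key.group(1) or "0", key.group(2))
        elif md5:
            st["md5"][int(md5.group(1))] = (md5.group(2) or "0", md5.group(3))
    return st


def active_keys(st):
    """Keys that the configured mode actually uses, indexed by key ID."""
    if st["mode"] == "simple":
        return {0: st["simple"]} if st["simple"] else {}
    return dict(st["md5"]) if st["mode"] == "md5" else {}


def audit_link(cfg_a, cfg_b, interface="Serial0/0"):
    """Compare both ends of one link and list the problems found."""
    a, b = ospf_auth(cfg_a, interface), ospf_auth(cfg_b, interface)
    ka, kb = active_keys(a), active_keys(b)
    findings = []
    if a["mode"] != b["mode"]:
        findings.append("mode mismatch: %s vs %s" % (a["mode"], b["mode"]))
    elif a["mode"] == "null":
        findings.append("null authentication: updates are not authenticated")
    else:
        if a["mode"] == "simple":
            findings.append("simple authentication: password is sent in cleartext")
        if set(ka) != set(kb):
            findings.append("key or key ID missing on one side")
        for kid in sorted(set(ka) & set(kb)):
            # Type 7 strings vary with a per-string offset, so only
            # cleartext (type 0) keys are compared here.
            if ka[kid][0] == kb[kid][0] == "0" and ka[kid][1] != kb[kid][1]:
                findings.append("password mismatch" if a["mode"] == "simple"
                                else "key mismatch for key ID %d" % kid)
    # service password-encryption replaces these with type 7 strings, which
    # are a reversible encoding: access to saved configs still needs limiting.
    if any(enc == "0" for enc, _ in list(ka.values()) + list(kb.values())):
        findings.append("key stored in cleartext in the configuration")
    return findings


def stanza(ip, *ospf_lines):
    """Build a constructed Serial0/0 stanza in running-config layout."""
    body = "".join(" %s\n" % line for line in ospf_lines)
    return "interface Serial0/0\n ip address %s 255.255.255.0\n%s!\n" % (ip, body)


# Constructed fragments modelled on the states the lab walks through.
R2_PLAIN = stanza("192.168.1.2")
R1_SIMPLE = stanza("192.168.1.1", "ip ospf authentication",
                   "ip ospf authentication-key cisco")
R1_MD5 = stanza("192.168.1.1", "ip ospf authentication message-digest",
                "ip ospf message-digest-key 1 md5 cisco")
R2_MD5_TYPO = stanza("192.168.1.2", "ip ospf authentication message-digest",
                     "ip ospf message-digest-key 1 md5 Cisco")
R2_MD5_TYPE7 = stanza("192.168.1.2", "ip ospf authentication message-digest",
                      "ip ospf message-digest-key 1 md5 7 0822455D0A16")

if __name__ == "__main__":
    for peer in (R2_PLAIN, R2_MD5_TYPO, R2_MD5_TYPE7):
        print(audit_link(R1_MD5, peer))
```
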
This article is reposted from 范琳琳's 51CTO blog. Original link: http://blog.51cto.com/fanlinlin/148171. To repost it, please contact the original author.