OSPF
RIP defects
- The maximum number of hops limits the size of the network
- Using hop count as the metric cannot accurately determine the optimal path
- Routing updates send the complete routing table, which consumes network bandwidth
- Slow convergence
- The protocol is prone to routing loops
definition
- Open Shortest Path First, a link-state routing protocol
- Works at the IP layer, IP protocol number 89
OSPF initialization process
1. Establish neighbors and adjacency
   - Hello packets are sent to the multicast address 224.0.0.5 to discover neighbors and establish neighbor relationships
   - Conditions for a neighbor relationship: the interface is UP, the two interfaces' IP addresses are in the same network segment, and both interfaces are in the same area
   - DR/BDR are elected and adjacency relationships are established
   - DR/BDR election:
     - Reason: make the exchange of routing information faster and more orderly on a broadcast network
     - Scope: one DR and one BDR are elected on each broadcast link
     - Rules: 1. higher priority wins (default priority is 1); 2. on a tie, the larger Router-id wins
   - Router-id: identifies the router
     - Generation: 1. manually configure an address in IPv4 format as the Rid; 2. automatic election: a. the largest IP address among all loopback interfaces becomes the Rid; b. otherwise the largest IP address among all physical interfaces becomes the Rid
     - It is recommended to manually configure a loopback interface IP address as the Rid
   - Relationship status:
     1. A DRother and the DR establish an adjacency relationship
     2. A DRother and the BDR establish an adjacency relationship
     3. The DR and the BDR establish an adjacency relationship
     4. Two DRothers maintain only a neighbor relationship
2. Adjacent routers exchange link state information to synchronize their link state databases within the area
   Related concepts:
   - Link State Advertisement (LSA): describes the router's interfaces and the related routing entries
   - Link State Database (LSDB): stores the locally held LSAs
   Workflow:
   1. Send a DD message to the adjacent router, advertising summary information for all LSAs in the local LSDB
   2. On receiving the DD, compare it with the local LSDB and send an LSR message requesting the complete information of the LSAs this router lacks
   3. On receiving the LSR, package the complete information of the LSAs the other side needs into an LSU message and send it
   4. On receiving the LSU, reply with an LSAck message to confirm
3. Each router calculates the optimal route to each destination network segment according to the local link state database and writes it into the routing table
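The DR/BDR election and Router-id rules from step 1, as an added Python model (not from the original notes): priority first, larger Router-id on a tie; Router-id from manual configuration, else the largest loopback address, else the largest physical address; and which router pairs reach FULL. It follows the notes' rules only; a live OSPF segment also has non-preemption and excludes priority-0 routers, which are not modelled here. The sample segment is constructed.

```python
import ipaddress

def _ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def elect_router_id(loopback_ips, physical_ips, manual=None):
    """Router-id: a manually configured address wins; otherwise the largest loopback
    address; otherwise the largest physical-interface address (as the notes describe)."""
    if manual:
        return manual
    for pool in (loopback_ips, physical_ips):
        if pool:
            return max(pool, key=_ip_int)
    return None

def elect_dr_bdr(routers):
    """routers: {name: {"priority": int, "rid": str}}. Highest priority wins
    (default 1); ties go to the larger Router-id. Returns (DR, BDR, [DRothers])."""
    def rank(name):
        r = routers[name]
        return (r.get("priority", 1), _ip_int(r["rid"]))
    ordered = sorted(routers, key=rank, reverse=True)
    dr = ordered[0]
    bdr = ordered[1] if len(ordered) > 1 else None
    return dr, bdr, ordered[2:]

def relationship(a, b, dr, bdr):
    """Any pair that includes the DR or BDR forms an adjacency (FULL);
    two DRothers stay at a plain neighbor relationship (2-Way)."""
    return "FULL" if {a, b} & {dr, bdr} else "2-Way"

if __name__ == "__main__":
    # Constructed sample segment: R3 has a raised priority, the rest keep the default.
    segment = {
        "R1": {"priority": 1, "rid": "1.1.1.1"},
        "R2": {"priority": 1, "rid": "2.2.2.2"},
        "R3": {"priority": 100, "rid": "3.3.3.3"},
        "R4": {"priority": 1, "rid": "4.4.4.4"},
    }
    dr, bdr, others = elect_dr_bdr(segment)
    print("DR:", dr, "BDR:", bdr, "DRothers:", others)
    print("R1-R2:", relationship("R1", "R2", dr, bdr))
```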
OSPF message type
- Hello message: discover, establish and maintain neighbor relationship
- DD message: database description message, which summarizes all LSAs in the local LSDB
- LSR message: link status request
- LSU message: link status update
- LSAck message: link status confirmation
OSPF domain management
Reasons for dividing into areas
- Speed up convergence
- Isolate network faults within the area
Router role
- IR: internal router, all of whose interfaces are in the same area
- ABR: area border router, which connects different areas
- ASBR: autonomous system boundary router, which connects to an external autonomous system
Area type
- Backbone area: there can be only one backbone area, generally area 0, and it must be contiguous
- Non-backbone area: every non-backbone area must be connected to the backbone area
Common commands
[h3c]ospf 'process id' router-id 'rid' //Start the OSPF process, specify the router ID and enter the OSPF protocol view
[h3c-ospf-1]area 'area id' //Enter area view
[h3c-ospf-1-area 0.0.0.0]network 'ip address' 'wild-mask' //Advertise a network segment (wild-mask is a wildcard mask: bits set to 0 must match, bits set to 1 are not checked)
[h3c-ospf-1]silent-interface 'interface id' //Configure a silent interface; OSPF neither sends nor receives protocol messages on it
[h3c]display ospf peer //View OSPF neighbor relationships (FULL: adjacency relationship, 2-Way: neighbor relationship)
[h3c]display ospf routing //View OSPF routes
For OSPF related articles, please refer to OSPF protocol Foundation: https://blog.csdn.net/wuhan_aaa/article/details/120529371?spm=1001.2014.3001.5501
ACL packet filtering
ACL
definition
Access control list for data flow matching and filtering
Common functions
- Access control: ACL + packet filter
- Route control: ACL + route policy
- Flow control: ACL + QoS
ACL based packet filtering
definition
- Checks the packets entering and leaving an interface one by one and discards or permits each of them
- Packet filtering must be configured in one direction of the interface to take effect
- Only one packet filtering policy can be configured in one direction of an interface
Direction of packet filtering
- Incoming direction: filter only incoming packets from the outside
- Outgoing direction: only the packets sent from the inside are filtered
Workflow of packet filtering
- When the packet arrives at the interface, check whether ACL is applied. If yes, enter matching, otherwise release
- Rules are tried in order of rule number. If the first rule matches, its action is applied (permit releases the packet, deny discards it); otherwise the next rule is tried
- Continue to match. If it matches, check the rule action, otherwise match with the next one
- If all rules do not match, check the default action (if the default action is allowed, it will be released; if the default action is rejected, it will be discarded)
Notes
1. If the default action is permit, at least one deny rule is required
2. If the default action is deny, at least one permit rule is required
3. When an H3C ACL is used for packet filtering, the default action is permit; it can be changed to deny
4. Place rules with a narrower match range higher in the order
5. Provided the intended result is not affected, configure packet filtering in the inbound direction of the interface closest to the source address wherever possible
ACL classification
Basic ACL
- Only the source address of the packet is matched
- Numbered 2000-2999
Advanced ACL
- Match the quintuple of the packet (source IP, destination IP, source port, destination port, protocol)
- Numbered 3000-3999
Common commands
[h3c]acl basic 'acl-number' //Create a basic ACL and enter the ACL view
[h3c]acl advanced 'acl-number' //Create an advanced ACL and enter the ACL view
[h3c-acl-basic-2000]rule 'rule id' 'permit/deny' source 'ip address' 'wild-mask' //Create a basic ACL rule. If the rule ID is omitted, the system numbers rules automatically in steps of 5 starting from 0
[h3c-acl-advanced-3000]rule 'rule id' 'permit/deny' 'protocol' source 'ip address' 'wild-mask' source-port 'port' destination 'ip address' 'wild-mask' destination-port 'eq/lt/gt/neq/range' 'port' //Create an advanced ACL rule
[h3c-GigabitEthernet0/0]packet-filter 'acl number' 'inbound/outbound' //Apply packet filtering to the interface in the given direction
[h3c]packet-filter default deny //Change the default action to deny
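The packet-filter workflow and the rule syntax above, as an added Python model (not from the original notes or any H3C software): wildcard-mask matching as the notes define it, first match in rule-id order, fall-through to the default action, and the effect of note 4 (a broad permit placed before a narrow deny shadows it). The ACL 3000 rules and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY, ANY_WILD = "0.0.0.0", "255.255.255.255"

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """H3C wildcard mask: a 0 bit must match exactly, a 1 bit is not checked."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # None or "ip": any protocol (a basic ACL only checks source)
    src: str = ANY
    src_wild: str = ANY_WILD
    dst: str = ANY
    dst_wild: str = ANY_WILD
    dst_port: Optional[int] = None   # models "destination-port eq <port>"

    def matches(self, pkt: dict) -> bool:
        if self.protocol not in (None, "ip") and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wild)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wild))

def packet_filter(rules, pkt: dict, default: str = "permit"):
    """First match in rule-id order decides; no match falls through to the default action.
    Returns (action, matching rule id or None)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(pkt):
            return rule.action, rule.rule_id
    return default, None

# Constructed ACL 3000: deny Telnet from 192.168.1.0/24 to one host, permit the rest of the subnet.
ACL_3000 = [
    Rule(0, "deny", "tcp", "192.168.1.0", "0.0.0.255", "10.0.0.10", "0.0.0.0", 23),
    Rule(5, "permit", "ip", "192.168.1.0", "0.0.0.255"),
]
# Same two rules with the broad permit numbered first: the narrow deny is never reached.
ACL_3000_SHADOWED = [
    Rule(0, "permit", "ip", "192.168.1.0", "0.0.0.255"),
    Rule(5, "deny", "tcp", "192.168.1.0", "0.0.0.255", "10.0.0.10", "0.0.0.0", 23),
]
```

Running `packet_filter` with `default="deny"` models the state after `packet-filter default deny`, where note 2 applies and at least one permit rule is needed.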