Knowledge points of "Xinhua three cup" qualifier in 2021 (OSPF, ACL)


RIP defects

  • The maximum hop count limits the size of the network
  • Using hop count as the metric cannot reliably identify the optimal path
  • Each routing update sends the complete routing table, which consumes network bandwidth
  • Slow convergence
  • The protocol is prone to routing loops

OSPF characteristics

  • Open Shortest Path First: a link-state routing protocol
  • Works at the IP layer with protocol number 89

OSPF initialization process

1. Establish neighbor and adjacency relationships

Send Hello packets to discover neighbors and establish neighbor relationships; Hello packets are sent to a multicast address. Conditions for becoming neighbors:
        The interface is up
        Both interface IP addresses are in the same network segment
        Both interfaces are in the same area

Elect the DR/BDR and establish adjacency relationships
        DR/BDR election:
            Reason for the election: make the exchange of routing information on a broadcast network faster and more orderly
            Scope of the election: one DR and one BDR are elected on each broadcast link
            Election rules: 1. The higher interface priority wins; the default priority is 1
                    2. If priorities are equal, the larger Router ID wins

            Router ID: identifies the router
            How it is generated: 1. Manually configure one address in IPv4 format as the RID
                    2. Automatic election
                        a. The largest IP address among all loopback interfaces is chosen as the RID
                        b. Otherwise, the largest IP address among all physical interfaces is chosen as the RID
            It is recommended to manually configure a loopback interface IP address as the RID
        Relationship states: 1. DRother and DR establish an adjacency
                2. DRother and BDR establish an adjacency
                3. DR and BDR establish an adjacency
                4. Two DRothers only maintain a neighbor relationship between them
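The Router ID selection and DR/BDR rules above, worked through in Python as an added example (not code from the original post). The four routers are constructed sample data; the election follows the two rules in the notes only (priority, then larger Router ID), plus the standard OSPF rule that priority 0 makes a router ineligible, and it ignores non-preemption of an existing DR.

```python
import ipaddress

def auto_router_id(interfaces):
    """Automatic Router ID election as the notes describe: the highest loopback
    address wins; only a router with no loopback falls back to the highest
    physical interface address. interfaces: (name, ip, is_loopback) tuples."""
    loopbacks = [ip for _, ip, is_lo in interfaces if is_lo]
    physical = [ip for _, ip, is_lo in interfaces if not is_lo]
    return str(max(ipaddress.IPv4Address(ip) for ip in (loopbacks or physical)))

def router_id(router):
    """A manually configured Router ID always beats automatic election."""
    return router.get("manual_rid") or auto_router_id(router["interfaces"])

def elect_dr_bdr(routers):
    """DR/BDR election on one broadcast link: higher interface priority wins,
    ties go to the larger Router ID. Priority 0 marks a router as ineligible
    (standard OSPF behaviour, not stated in the notes). The non-preemption of
    an existing DR is deliberately left out of this simplified model."""
    eligible = [r for r in routers if r.get("priority", 1) > 0]
    ranked = sorted(eligible, reverse=True,
                    key=lambda r: (r.get("priority", 1), ipaddress.IPv4Address(router_id(r))))
    ids = [router_id(r) for r in ranked]
    return (ids[0] if ids else None, ids[1] if len(ids) > 1 else None)

def relationship(a, b, dr, bdr):
    """Two routers form a full adjacency only if one of them is DR or BDR;
    two DRothers stop at the 2-Way neighbor state."""
    if {router_id(a), router_id(b)} & {dr, bdr}:
        return "adjacency (FULL)"
    return "neighbor (2-Way)"

# Constructed sample: four routers on one broadcast segment (not from the post).
ROUTERS = [
    {"name": "R1", "interfaces": [("GE0/0", "10.1.1.1", False), ("Loop0", "1.1.1.1", True)]},
    {"name": "R2", "interfaces": [("GE0/0", "10.1.1.2", False)]},        # no loopback
    {"name": "R3", "manual_rid": "3.3.3.3", "priority": 10,
     "interfaces": [("GE0/0", "10.1.1.3", False)]},
    {"name": "R4", "priority": 0,                                         # never DR/BDR
     "interfaces": [("GE0/0", "10.1.1.4", False), ("Loop0", "4.4.4.4", True)]},
]

if __name__ == "__main__":
    dr, bdr = elect_dr_bdr(ROUTERS)
    print("DR:", dr, "BDR:", bdr)
    for r in ROUTERS[1:]:
        print("R1 <->", r["name"], relationship(ROUTERS[0], r, dr, bdr))
```

R2 ends up as BDR even though R1 has a loopback, because 10.1.1.2 is numerically larger than 1.1.1.1; this is why the notes recommend setting the Router ID by hand.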

2. Adjacent routers exchange link-state information so that the link-state databases within the area become synchronized

Related concepts:
    Link-state advertisement: LSA, which describes a router's interfaces and the associated routing entries
    Link-state database: LSDB, which stores the LSAs held locally

    1. Send a DD message to the adjacent router, advertising summary information for all LSAs in the local LSDB
    2. After receiving the DD, compare it with the local LSDB and send an LSR message to the peer, requesting the complete information of the LSAs this router needs
    3. After receiving the LSR, package the complete information of the LSAs the peer needs into one LSU message and send it to the peer
    4. After receiving the LSU, reply with an LSAck message to confirm receipt

3. Each router calculates the optimal route to each destination network segment from its local link-state database and writes it into the routing table
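The four-step DD / LSR / LSU / LSAck exchange above, simulated for two adjacent routers as an added example (not code from the original post). The two LSDBs are constructed sample data; an LSA is reduced to an identifier, a sequence number and a payload, with a larger sequence number meaning a newer instance.

```python
# Constructed LSDBs for two adjacent routers (sample data, not from the post).
# An LSDB maps an LSA identifier to (sequence number, payload); a larger
# sequence number for the same identifier means a newer LSA instance.

def dd_summary(lsdb):
    """DD message: only LSA identifiers and sequence numbers, no payloads."""
    return {lsa_id: seq for lsa_id, (seq, _) in lsdb.items()}

def build_lsr(local_lsdb, peer_dd):
    """Compare the peer's DD summary with the local LSDB and request every
    LSA that is missing locally or is newer on the peer."""
    return sorted(lsa_id for lsa_id, seq in peer_dd.items()
                  if lsa_id not in local_lsdb or local_lsdb[lsa_id][0] < seq)

def build_lsu(lsdb, lsr):
    """LSU message: the complete LSAs the peer requested, packed together."""
    return {lsa_id: lsdb[lsa_id] for lsa_id in lsr}

def apply_lsu(local_lsdb, lsu):
    """Install the received LSAs (newer instances only) and return the
    LSAck, i.e. the identifiers being acknowledged."""
    for lsa_id, (seq, payload) in lsu.items():
        if lsa_id not in local_lsdb or local_lsdb[lsa_id][0] < seq:
            local_lsdb[lsa_id] = (seq, payload)
    return sorted(lsu)

def synchronize(lsdb_a, lsdb_b):
    """Run the DD -> LSR -> LSU -> LSAck exchange in both directions and
    return the two LSAcks; afterwards both LSDBs hold the same LSAs."""
    dd_a, dd_b = dd_summary(lsdb_a), dd_summary(lsdb_b)                 # step 1
    lsr_a, lsr_b = build_lsr(lsdb_a, dd_b), build_lsr(lsdb_b, dd_a)     # step 2
    lsu_for_a, lsu_for_b = build_lsu(lsdb_b, lsr_a), build_lsu(lsdb_a, lsr_b)  # step 3
    return apply_lsu(lsdb_a, lsu_for_a), apply_lsu(lsdb_b, lsu_for_b)   # step 4

def sample_lsdbs():
    """Fresh copies of the constructed sample so each run starts unsynchronized."""
    r1 = {"1.1.1.1": (5, "R1 router-LSA"), "2.2.2.2": (3, "stale R2 router-LSA")}
    r2 = {"2.2.2.2": (4, "R2 router-LSA"), "10.1.1.0/24": (1, "network-LSA")}
    return r1, r2

if __name__ == "__main__":
    r1, r2 = sample_lsdbs()
    print("R1 requests:", build_lsr(r1, dd_summary(r2)))
    print("R2 requests:", build_lsr(r2, dd_summary(r1)))
    print("LSAcks:", synchronize(r1, r2))
    print("synchronized:", r1 == r2)
```

Note that R1 does not request 2.2.2.2 just because R2 has it; it requests it because R2's copy carries a higher sequence number, which is exactly the comparison step 2 describes.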

OSPF message types

  • Hello message: discovers, establishes and maintains neighbor relationships
  • DD message: database description, which summarizes all LSAs in the local LSDB
  • LSR message: link-state request
  • LSU message: link-state update
  • LSAck message: link-state acknowledgement

OSPF area management

Reasons for dividing areas
  • Speed up convergence
  • Confine network faults within an area
Router roles
IR     Internal router: all interfaces are in the same area
ABR    Area border router: connects different areas
ASBR   Autonomous system boundary router: connects to an external autonomous system
Area types
Backbone area: there can be only one backbone area, generally area 0, and the backbone area must be contiguous
Non-backbone area: a non-backbone area must be connected to the backbone area

Common commands

[h3c]ospf 'process id' router-id 'rid'      //Start the OSPF process, specify the router ID and enter the OSPF view
[h3c-ospf-1]area 'area id'                  //Enter area view
[h3c-ospf-1-area]network 'ip address' 'wild-mask'     //Advertise a network segment
(wild-mask is a wildcard mask: bits set to 0 must match, bits set to 1 are not checked)
[h3c-ospf-1]silent-interface 'interface id'    //Configure a silent interface; OSPF neither sends nor receives protocol messages on it
[h3c]display ospf peer                     //View OSPF neighbors (FULL: adjacency; 2-Way: neighbor relationship only)
[h3c]display ospf routing                  //View OSPF routes

For related OSPF articles, see OSPF Protocol Foundation.

ACL packet filtering

An access control list (ACL) matches and filters data flows.

Common uses
  • Access control: ACL + packet filtering
  • Route control: ACL + routing policy
  • Traffic control: ACL + QoS

ACL-based packet filtering

  • Checks incoming and outgoing packets one by one and either discards them or lets them pass
  • Packet filtering takes effect only when applied to one direction of an interface
  • Only one packet-filtering policy can be applied per direction of an interface
Direction of packet filtering
  • Inbound: only packets entering from outside are filtered
  • Outbound: only packets leaving from inside are filtered
Packet-filtering workflow
  1. When a packet arrives at the interface, check whether an ACL is applied; if so, start matching, otherwise let the packet through
  2. Match against the first rule in rule-number order; if it matches, apply that rule's action (permit lets the packet through, deny discards it), otherwise move on to the next rule
  3. Continue matching: if a rule matches, apply its action, otherwise move on to the next one
  4. If no rule matches, apply the default action (permit lets the packet through, deny discards it)
Notes
1. If the default action is permit, at least one deny rule is needed
2. If the default action is deny, at least one permit rule is needed
3. On H3C devices, the default action of ACL packet filtering is permit
4. Place rules with a narrower match range earlier in the ACL
5. Without affecting the intended result, apply packet filtering in the inbound direction of the interface closest to the source address whenever possible

ACL classification

Basic ACL
  • Matches only the source address of the packet
  • Numbered 2000-2999
Advanced ACL
  • Matches the packet's five-tuple (source IP, destination IP, source port, destination port, protocol)
  • Numbered 3000-3999

Common commands

[h3c]acl basic 'acl-number'                   //Create a basic ACL and enter its view
[h3c]acl advanced 'acl-number'                //Create an advanced ACL and enter its view

[h3c-acl-basic-2000]rule 'rule id' 'permit/deny' source 'ip address' 'wild-mask'
//Create a basic ACL rule. If the rule id is omitted, the system numbers rules automatically, starting at 0 and increasing in steps of 5

[h3c-acl-advanced-3000]rule 'rule id' 'permit/deny' 'protocol' source 'ip address' 'wild-mask' source-port 'port' destination 'ip address' 'wild-mask' destination-port 'eq/lt/gt/neq/range' 'port'     //Create an advanced ACL rule

[h3c-GigabitEthernet0/0]packet-filter 'acl number' 'inbound/outbound'    //Apply packet filtering to the interface
[h3c]packet-filter default deny                                        //Change the default action to deny
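The packet-filtering workflow, the wildcard-mask semantics and the rule-numbering and default-action commands above, modelled in Python as an added example (not code from the original post or H3C). The advanced ACL, the rule ids and the packets are constructed; only the `eq/lt/gt/neq/range` port operators listed in the command syntax are supported, and `protocol="ip"` stands for "any protocol".

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """H3C wildcard mask: 0 bits must equal the rule address, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def matches(m, pkt):
    """Check one rule's fields against a packet; fields the rule omits match anything."""
    if m.get("protocol", "ip") != "ip" and m["protocol"] != pkt["proto"]:
        return False
    for field, key in (("source", "src"), ("destination", "dst")):
        if field in m and not wildcard_match(pkt[key], *m[field]):
            return False
    if "dport" in m:                       # (operator, port[, port]): eq/lt/gt/neq/range
        (op, *ports), p = m["dport"], pkt["dport"]
        if op == "range":
            return ports[0] <= p <= ports[1]
        return {"eq": p == ports[0], "neq": p != ports[0],
                "lt": p < ports[0], "gt": p > ports[0]}[op]
    return True

class Acl:
    """An ACL keeps its rules in ascending rule-id order."""
    def __init__(self, number):
        self.number, self.rules = number, []
    def rule(self, action, rule_id=None, **match):
        if rule_id is None:   # auto-number: next multiple of 5 after the largest id
            rule_id = 0 if not self.rules else (max(r[0] for r in self.rules) // 5 + 1) * 5
        self.rules.append((rule_id, action, match))
        self.rules.sort(key=lambda r: r[0])
        return rule_id

def packet_filter(acl, pkt, default="permit"):
    """First-match evaluation, falling through to the interface default action."""
    for rule_id, action, m in acl.rules:
        if matches(m, pkt):
            return action, rule_id
    return default, None

# Constructed policy (not from the post): deny Telnet from the LAN to the
# server, permit all other LAN traffic, and deny everything else by default.
LAN, SERVER = ("192.168.1.0", "0.0.0.255"), ("10.0.0.10", "0.0.0.0")
ACL3000 = Acl(3000)
ACL3000.rule("deny", protocol="tcp", source=LAN, destination=SERVER, dport=("eq", 23))
ACL3000.rule("permit", protocol="ip", source=LAN)

TELNET = {"src": "192.168.1.77", "dst": "10.0.0.10", "proto": "tcp", "sport": 40000, "dport": 23}
HTTP, OUTSIDER = dict(TELNET, dport=80), dict(TELNET, src="172.16.0.5", dport=80)
```

Swapping the two rules so the broad permit comes first makes the Telnet packet hit rule 0 and pass, which is the ordering mistake note 4 above warns about; `packet_filter(ACL3000, pkt)` with the default left at permit shows why note 1 requires at least one deny rule.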

Tags: Network Protocol acl ospf

Posted on Sun, 10 Oct 2021 00:40:25 -0400 by toms100