The most detailed on the entire network! Analysis of commonly used Huawei OSPF configuration, a must-see for network engineers


1. Experimental topology and requirements


1. Configure IP addresses, including loopback addresses; each downstream router has at least two user network segments, used to test summarization

2. Design multiple areas and advertise the networks into OSPF (complete when every router has formed its adjacencies)

3. Inject the default route on the egress device (complete when every router has learned the default route)

4. Summarize the user network segments on the ABR to simplify the core devices' routing tables (before summarization the core and egress devices see the detailed user routes; afterwards they see only the summarized user routes)

5. Set the stub area to a totally stub area to streamline the edge devices' routing tables (before the change the edge router sees the inter-area routes and the E2 default route; after it the inter-area routes are no longer visible and the default route becomes IA)

6. Modify the cost values so that traffic is distributed sensibly and the forward and return paths are the same (before the change the two links have equal cost and load-balance; after it only the primary link is used, and dormitory 1 and dormitory 2 use different primary links)

7. Change the interface network type to point-to-point to speed up convergence (before the change it takes 40s to elect the DR after a neighbor is established; after it the link converges quickly without a DR election)

8. Configure egress NAT

9. Configure security enhancement strategy

9.1 Configure the interfaces that connect to users as passive interfaces (before this is set, a routing device attached to a user interface can enable OSPF and establish a neighbor relationship; afterwards it cannot)

9.2 Enable OSPF authentication, and use the md5 algorithm to encrypt the password

2. OSPF basic configuration

1. Configure the IP address (omitted)

2. OSPF basic configuration. After the configuration is complete, you can view the neighbor relationship
[AR1]router id 1.1.1.1
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

[AR2]router id 2.2.2.2
[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

[AR3]router id 3.3.3.3
[AR3]ospf 1
[AR3-ospf-1]area 0
[AR3-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

[AR4]router id 4.4.4.4
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
[AR4-ospf-1-area-0.0.0.0]area 10
[AR4-ospf-1-area-0.0.0.10]network 11.0.0.0 0.255.255.255

[AR5]router id 5.5.5.5
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
[AR5-ospf-1-area-0.0.0.0]area 20
[AR5-ospf-1-area-0.0.0.20]network 12.0.0.0 0.255.255.255

[AR6]router id 6.6.6.6
[AR6]ospf 1
[AR6-ospf-1]area 10
[AR6-ospf-1-area-0.0.0.10]network 0.0.0.0 0.0.0.0

[AR7]router id 7.7.7.7
[AR7]ospf 1
[AR7-ospf-1]area 20
[AR7-ospf-1-area-0.0.0.20]network 0.0.0.0 0.0.0.0

Verification:

Check the neighbor relationships. The following is the output of AR1; the other devices are omitted.
[AR1]display ospf peer brief

 Area Id          Interface                        Neighbor id      State
 0.0.0.0          GigabitEthernet0/0/1             2.2.2.2          Full
 0.0.0.0          GigabitEthernet0/0/2             3.3.3.3          Full

View the routes. The following is the routing table of AR1; the other devices are omitted.
[AR1]display ip routing-table protocol ospf
Route Flags: R-relay, D-download to fib
Public routing table: OSPF
Destinations: 11 Routes: 18

OSPF routing table status : <Active>
Destinations : 11 Routes : 18

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.10.23.0/24  OSPF    10   2           D   10.10.12.2      GigabitEthernet0/0/1
                    OSPF    10   2           D   10.10.13.3      GigabitEthernet0/0/2
     10.10.24.0/24  OSPF    10   2           D   10.10.12.2      GigabitEthernet0/0/1

3. Configure OSPF to import default routes

On the border device, configure OSPF to import the default route so that all OSPF routers can learn it.

[AR1-ospf-1]default-route-advertise always

Verification (each device can see the default route)
[AR3]display ip routing-table
Route Flags: R-relay, D-download to fib
Routing Tables: Public
Destinations: 26 Routes: 29

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   10.10.13.1      GigabitEthernet0/0/2

4. Configure OSPF route summarization

Configure route summarization to streamline the routing table. Summarization configured on the ABR streamlines inter-area routes; summarization configured on the ASBR streamlines the imported external routes.
[AR4]ospf 1
[AR4-ospf-1]area 10
[AR4-ospf-1-area-0.0.0.10]abr-summary 192.168.0.0 255.255.0.0

Verification:
[AR1]dis ip routing-table 192.168.0.1
Routing Table : Public
Summary Count : 2
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.0.0/16  OSPF    10   3           D   10.10.12.2      GigabitEthernet0/0/1
                    OSPF    10   3           D   10.10.13.3      GigabitEthernet0/0/2

5. Configure OSPF stub area

Configuring the stub area as a totally stub area simplifies the routing table as much as possible, replacing the various detailed OSPF routes with a single default route.
[AR4]ospf 1
[AR4-ospf-1]area 10
[AR4-ospf-1-area-0.0.0.10]stub no-summary

[AR6]ospf 1
[AR6-ospf-1]area 10
[AR6-ospf-1-area-0.0.0.10]stub no-summary

Verification:

[AR6]dis ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib
Public routing table : OSPF
Destinations : 1 Routes : 1

OSPF routing table status : <Active>
Destinations : 1 Routes : 1

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   OSPF    10   2           D   11.10.46.4      GigabitEthernet0/0/2

6. Configure OSPF interface cost to realize OSPF routing optimization

[AR4]int gi0/0/1
[AR4-GigabitEthernet0/0/1]ospf cost 1000

[AR5]int gi0/0/2
[AR5-GigabitEthernet0/0/2]ospf cost 1000

[AR2]int gi0/0/2
[AR2-GigabitEthernet0/0/2]ospf cost 1000

[AR3]int gi0/0/1
[AR3-GigabitEthernet0/0/1]ospf cost 1000

Verification:

Path to the external network: AR4 and AR5 each take a different path.

[AR4]dis ip routing-table 8.8.8.8
Route Flags: R - relay, D - download to fib

Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   10.10.24.2      GigabitEthernet0/0/0

[AR5]dis ip routing-table 8.8.8.8
Route Flags: R - relay, D - download to fib

Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   10.10.35.3      GigabitEthernet0/0/0

Return path: traffic to the 192 and 172 network segments takes different paths.

[AR1]dis ip routing-table 192.168.0.1
Route Flags: R - relay, D - download to fib

Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.0.0/16  OSPF    10   3           D   10.10.12.2      GigabitEthernet0/0/1

[AR1]dis ip routing-table 172.16.0.1
Route Flags: R - relay, D - download to fib
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     172.16.0.0/16  OSPF    10   3           D   10.10.13.3      GigabitEthernet0/0/2

7. Configure OSPF network type to speed up OSPF convergence

An Ethernet interface uses the broadcast network type by default, and it takes 40s to elect the DR.
But if there are only two routers on a broadcast link, there is no need to elect a DR. You can change the interface network type to point-to-point to speed up convergence.
[AR1]int gi0/0/1
[AR1-GigabitEthernet0/0/1]ospf network-type p2p

[AR2]int gi0/0/1
[AR2-GigabitEthernet0/0/1]ospf network-type p2p

Verification:
[AR1]display ospf peer | include DR

 OSPF Process 1 with Router ID 1.1.1.1
     Neighbors 

Area 0.0.0.0 interface 10.10.12.1(GigabitEthernet0/0/1)'s neighbors
DR: None BDR: None

8. Configure the network boundary ASBR to realize the external network connection

On the ASBR connected to the external network, configure conventional NAT and a default route.
acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255
rule 10 permit source 172.16.0.0 0.0.255.255
rule 15 deny

nat address-group 1 64.1.1.2 64.1.1.3
interface GigabitEthernet0/0/0
ip address 64.1.1.1 255.255.255.0
nat outbound 2000 address-group 1

ip route-static 0.0.0.0 0.0.0.0 64.1.1.6

Verification:
On AR6, use the loopback interface address as the source to access the external network
[AR6]ping -a 192.168.0.1 8.8.8.8
PING 8.8.8.8: 56 data bytes, press CTRL_C to break
Reply from 8.8.8.8: bytes=56 Sequence=1 ttl=252 time=30 ms
Reply from 8.8.8.8: bytes=56 Sequence=2 ttl=252 time=30 ms
Reply from 8.8.8.8: bytes=56 Sequence=3 ttl=252 time=30 ms
Reply from 8.8.8.8: bytes=56 Sequence=4 ttl=252 time=30 ms
Reply from 8.8.8.8: bytes=56 Sequence=5 ttl=252 time=40 ms

--- 8.8.8.8 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/32/40 ms

9. Configure OSPF passive interface and authentication to strengthen security

A passive interface is used on interfaces that connect to user terminals. Hello packets received on it are discarded, so no neighbor can be established there, which improves security and keeps the protocol from being affected by user-side devices.
On interfaces connected to other routers, you can configure neighbor authentication; a neighbor relationship is established only when both sides are configured with the correct password.

Passive interface
[AR6-ospf-1] silent-interface gi0/0/0

Neighbor authentication
[AR4-GigabitEthernet0/0/2]ospf authentication-mode md5 1 zhynet
[AR6-GigabitEthernet0/0/2]ospf authentication-mode md5 1 zhynet
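
The two controls above can be checked against a saved configuration. The following Python script is an added example, not part of the original article: it reads a constructed, simplified AR6-style configuration (the GigabitEthernet addresses and the second user interface are assumptions) and reports, per addressed interface, whether it is silent, authenticated and with which mode, or still able to form an unauthenticated adjacency.

```python
import re

# Constructed, simplified config modelled on the page's AR6. The GigabitEthernet
# addresses are assumptions; real output stores the key as ciphertext.
SAMPLE_AR6 = """\
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 11.10.46.6 255.255.255.0
 ospf authentication-mode md5 1 zhynet
interface LoopBack0
 ip address 192.168.0.1 255.255.255.255
ospf 1
 silent-interface GigabitEthernet0/0/0
 area 0.0.0.10
  network 0.0.0.0 0.0.0.0
"""
LEGACY_MODES = {"simple", "md5", "hmac-md5"}  # cleartext or MD5-based modes

def audit_ospf(config):
    """Classify every addressed, non-loopback interface (assumed to run OSPF)."""
    auth, addressed, silent, current = {}, [], set(), None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):      # a top-level line opens a new view
            m = re.match(r"interface (\S+)", text)
            current = m.group(1) if m else None
        elif current and text.startswith("ip address "):
            addressed.append(current)
        elif current and (m := re.match(r"ospf authentication-mode (\S+)", text)):
            auth[current] = m.group(1)
        elif m := re.match(r"silent-interface (\S+)", text):
            silent.add(m.group(1))
    findings = {}
    for name in (n for n in addressed if not n.lower().startswith("loopback")):
        if name in silent:
            findings[name] = "ok: silent, no adjacency can form"
        elif name not in auth:
            findings[name] = "RISK: forms adjacencies without authentication"
        else:
            grade = "weak" if auth[name] in LEGACY_MODES else "ok"
            findings[name] = f"{grade}: {auth[name]} authentication"
    return findings

if __name__ == "__main__":
    print(audit_ospf(SAMPLE_AR6))
```

In the sample, GigabitEthernet0/0/1 is the case the passive-interface step is meant to close: a user-facing interface covered by the `network` statement but left out of `silent-interface`.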

Origin blog.51cto.com/14841124/2643807