鸿鹄论坛 › CCNA求助答疑 › OSPF组建的局域网配置ACL的问题

yayawuyi 发表于 2013-1-12 13:01:37

OSPF组建的局域网配置ACL的问题

本帖最后由 yayawuyi 于 2013-1-12 19:17 编辑


如图先用OSPF搭建起网络构架，此时完全正常，然后在R2上配置了ACL访问控制，列表1.1.1.1 只能访问3.3.3.3
11.1.1.1 只能访问33.3.3.3，结果输入命令的最初阶段是正常的大概十几秒后就发现全部ping不通了，检查路由表
发现只剩下了直连路由，通过OSPF学到的路由都消失了 邻居表里同样邻居也消失了请问这个是什么原因

qianpeng4 发表于 2013-1-12 13:03:33

不错不错，支持顶个

qq360870025 发表于 2013-1-12 13:19:43

本帖最后由 qq360870025 于 2013-1-12 13:26 编辑

你放行的什么流量了哦， 把配置发出来看下,估计你把OSPF的流量个隐含拒绝了

xuexue705 发表于 2013-1-12 13:22:18

OSPF是链路状态数据库，是要同步的，一但数据啼不同步。很明显是会DOWN的，你可以用distribute-list in 来控制路由。{:6_269:}

yayawuyi 发表于 2013-1-12 13:57:03

一   已R3为例 这是刚搭建的ospf的环境
    1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0 via 23.1.1.1, 00:00:06, Serial0/1
   33.0.0.0/24 is subnetted, 1 subnets
C       33.3.3.0 is directly connected, Loopback1
   3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
   23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial0/1
   11.0.0.0/24 is subnetted, 1 subnets
O       11.1.1.0 via 23.1.1.1, 00:00:06, Serial0/1
   12.0.0.0/24 is subnetted, 1 subnets
O       12.1.1.0 via 23.1.1.1, 00:00:07, Serial0/1
二   测试结果从R1 ping R3通讯正常
Router#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/45/52 ms
Router#ping 33.3.3.3 source 11.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/45/52 ms

三 在R2的入接口s0/0上配置扩展ACL
Router(config)#access-list 101 permit ip 1.1.1.1 0.0.0.255 3.3.3.3 0.0.0.255
Router(config)#access-list 101 permit ip 11.1.1.1 0.0.0.255 33.3.3.3 0.0.0.255
Router(config-if)#ip access-group 101 in

四 结果一刚敲完执行ACL的命令 此时达成了1.1.1.1 能访问3.3.3.3 但不能访问33.3.3.3的目的
Router#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/68 ms
Router#ping 33.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

五 几秒钟后再做测试 发现 1.1.1.1 ping 3.3.3.3 已经ping不通了
Router#ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)

六此时查看R3上的路由表 从R1上学到的1.1.1.0 和11.1.1.0 的路由条目消失了
   33.0.0.0/24 is subnetted, 1 subnets
C       33.3.3.0 is directly connected, Loopback1
   3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
   23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, Serial0/1
   12.0.0.0/24 is subnetted, 1 subnets
O       12.1.1.0 via 23.1.1.1, 00:04:36, Serial0/1

qianpeng4 发表于 2013-1-12 14:02:13

{:6_285:}{:6_285:}{:6_278:}

qianpeng4 发表于 2013-1-12 14:02:32

{:6_283:}{:6_277:}

qianpeng4 发表于 2013-1-12 14:39:55

{:6_295:}

qq360870025 发表于 2013-1-12 14:48:56

yayawuyi 发表于 2013-1-12 13:57 static/image/common/back.gif
一   已R3为例 这是刚搭建的ospf的环境
    1.0.0.0/24 is subnetted, 1 subnets
O       1.1.1.0

你s1/0是R2和R1连接的网段吧，你把这些流量放行了，但是 你没放行12.1.1.1 也就是R1过来的 OSPF流量，你R1和R2之间的邻居就down了，没路由传递给R1，R1肯定ping不同了

permit ospf any any精确点就是 R1的接口地址 和R2的接口地址

rs365 发表于 2013-1-12 14:50:25

加一条：access-list 101 permit ospf any any

lijianwei652 发表于 2013-1-12 15:09:33

ospf是组播的holle包，你把224.0.0.5,224.0.0.6放开试试。。。

yayawuyi 发表于 2013-1-12 19:13:10

谢谢楼上各位大大的回复刚试了加了两句不同的语法上去
access-list 101 permit ospf any any
access-list 101 permit ip any host 224.0.0.5
结果实验都是可行的那应该说明了OSPF 的hello 包走的是IP协议
Router(config-router)#do ping 33.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
Router(config-router)#do ping 3.3.3.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/48/60 ms
Router(config-router)#do ping 3.3.3.3 source 11.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
U.U.U
Success rate is 0 percent (0/5)
Router(config-router)#do ping 33.3.3.3 source 11.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
!!!!!

316098438 发表于 2013-1-13 02:31:11

access-list 101 permit ospf any any（这条已经允许了ospf的所有包，包括了224.0.0.5的hello组播包）
access-list 101 permit ip any host 224.0.0.5(这条可以删了)

另外，想达到你所述要求，正统的应该是用distribute-list，直接接口套用acl会有很多问题出现。

linzhidan120 发表于 2013-1-13 10:12:58

{:6_267:}

落叶000000000 发表于 2013-1-14 18:19:23

{:6_267:}

查看完整版本: OSPF组建的局域网配置ACL的问题