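When a new path to an NSSA external (LSA Type 7) route appears in the topology below, the cost of the existing path to that route increases to exactly match the cost of the new path. As a result, both paths are installed in the routing table, which is not the desired behavior because it causes asymmetric routing. The asymmetric traffic fails the inspection process on the ASA, and we see traffic being dropped.
I can manually increase the cost on the interface in the new path and restore the expected routing behavior.
However, I don't understand why a more preferable/lower-cost path suddenly has its metric increased when a separate path comes up...
Consider the following topology.
- All links are 1 Gig and have an OSPF metric/cost of 10.
- Mutual route redistribution between BGP and OSPF is taking place on ASA1.
- A default route is injected from BGP into OSPF area 10 on ASA1.
- The link from ASA1 to R4 is currently shut down.
ASA1 routing table and configuration: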
ASA1# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.20.10.1 to network 0.0.0.0
B* 0.0.0.0 0.0.0.0 [20/0] via 172.20.10.1, 01:29:39
O IA 10.1.0.0 255.255.255.255 [110/21] via 10.3.5.1, 00:01:29, INSIDE-1
O IA 10.1.2.0 255.255.255.252 [110/30] via 10.3.5.1, 00:01:29, INSIDE-1
O IA 10.1.3.0 255.255.255.252 [110/20] via 10.3.5.1, 00:01:29, INSIDE-1
O IA 10.1.5.0 255.255.255.252 [110/84] via 10.3.5.1, 00:01:29, INSIDE-1
O IA 10.2.0.0 255.255.255.255 [110/21] via 10.3.5.1, 00:01:29, INSIDE-1
O IA 10.2.3.0 255.255.255.252 [110/20] via 10.3.5.1, 00:01:29, INSIDE-1
O 10.3.0.0 255.255.255.255 [110/11] via 10.3.5.1, 00:01:29, INSIDE-1
O 10.3.4.0 255.255.255.252 [110/20] via 10.3.5.1, 00:01:29, INSIDE-1
C 10.3.5.0 255.255.255.252 is directly connected, INSIDE-1
L 10.3.5.2 255.255.255.255 is directly connected, INSIDE-1
O 10.4.0.0 255.255.255.255 [110/21] via 10.3.5.1, 00:01:29, INSIDE-1
O 10.4.1.0 255.255.255.252 [110/30] via 10.3.5.1, 00:01:29, INSIDE-1
O 10.4.10.0 255.255.255.252 [110/84] via 10.3.5.1, 00:01:29, INSIDE-1
O 10.4.100.0 255.255.255.0 [110/30] via 10.3.5.1, 00:01:29, INSIDE-1
O 10.5.0.0 255.255.255.255 [110/85] via 10.3.5.1, 00:01:29, INSIDE-1
B 172.20.0.0 255.255.255.255 [20/0] via 172.20.10.1, 01:29:39
B 172.20.1.0 255.255.255.255 [20/0] via 172.20.10.1, 01:29:39
C 172.20.10.0 255.255.255.252 is directly connected, OUTSIDE
L 172.20.10.2 255.255.255.255 is directly connected, OUTSIDE
ASA1# show run router
router ospf 1
network 10.3.0.0 255.255.0.0 area 10
network 10.4.0.0 255.255.0.0 area 10
area 10 nssa default-information-originate metric 5 metric-type 1
log-adj-changes
redistribute bgp 65500 metric 5 metric-type 1 subnets
!
router bgp 65500
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.20.10.1 remote-as 65400
neighbor 172.20.10.1 activate
network 10.0.0.0
redistribute ospf 1
no auto-summary
no synchronization
exit-address-family
!
R3 routing table and configuration:
R3#show ip route | exc Codes|^
Gateway of last resort is 10.3.5.2 to network 0.0.0.0
O*N1 0.0.0.0/0 [110/15] via 10.3.5.2, 00:15:05, Ethernet1/1
O 10.1.0.0/32 [110/11] via 10.1.3.1, 01:24:20, Ethernet0/1
O 10.1.2.0/30 [110/20] via 10.2.3.1, 01:24:30, Ethernet0/2
C 10.1.3.0/30 is directly connected, Ethernet0/1
L 10.1.3.2/32 is directly connected, Ethernet0/1
O 10.1.5.0/30 [110/74] via 10.1.3.1, 01:24:20, Ethernet0/1
O 10.2.0.0/32 [110/11] via 10.2.3.1, 01:24:30, Ethernet0/2
C 10.2.3.0/30 is directly connected, Ethernet0/2
L 10.2.3.2/32 is directly connected, Ethernet0/2
C 10.3.0.0/32 is directly connected, Loopback0
C 10.3.4.0/30 is directly connected, Ethernet1/0
L 10.3.4.1/32 is directly connected, Ethernet1/0
C 10.3.5.0/30 is directly connected, Ethernet1/1
L 10.3.5.1/32 is directly connected, Ethernet1/1
O 10.4.0.0/32 [110/11] via 10.3.4.2, 01:24:20, Ethernet1/0
O 10.4.1.0/30 [110/20] via 10.3.4.2, 01:16:08, Ethernet1/0
O 10.4.10.0/30 [110/74] via 10.3.4.2, 01:24:20, Ethernet1/0
O 10.4.100.0/24 [110/20] via 10.3.4.2, 01:24:20, Ethernet1/0
O 10.5.0.0/32 [110/75] via 10.3.4.2, 01:24:20, Ethernet1/0
O N1 172.20.0.0 [110/15] via 10.3.5.2, 00:15:05, Ethernet1/1
O N1 172.20.1.0 [110/15] via 10.3.5.2, 00:15:05, Ethernet1/1
R3#show run | sec ospf
router ospf 1
area 10 nssa
network 10.1.0.0 0.0.255.255 area 0
network 10.2.0.0 0.0.255.255 area 0
network 10.3.0.0 0.0.255.255 area 10
R4 routing table and configuration:
R4#show ip route | exc Codes|^
Gateway of last resort is 10.3.4.1 to network 0.0.0.0
O*N1 0.0.0.0/0 [110/25] via 10.3.4.1, 00:16:13, Ethernet1/0
O IA 10.1.0.0/32 [110/21] via 10.3.4.1, 01:25:28, Ethernet1/0
O IA 10.1.2.0/30 [110/30] via 10.3.4.1, 01:25:33, Ethernet1/0
O IA 10.1.3.0/30 [110/20] via 10.3.4.1, 01:25:33, Ethernet1/0
O IA 10.1.5.0/30 [110/84] via 10.3.4.1, 01:25:28, Ethernet1/0
O IA 10.2.0.0/32 [110/21] via 10.3.4.1, 01:25:33, Ethernet1/0
O IA 10.2.3.0/30 [110/20] via 10.3.4.1, 01:25:33, Ethernet1/0
O 10.3.0.0/32 [110/11] via 10.3.4.1, 01:25:33, Ethernet1/0
C 10.3.4.0/30 is directly connected, Ethernet1/0
L 10.3.4.2/32 is directly connected, Ethernet1/0
O 10.3.5.0/30 [110/20] via 10.3.4.1, 01:18:49, Ethernet1/0
C 10.4.0.0/32 is directly connected, Loopback0
C 10.4.1.0/30 is directly connected, Ethernet1/3
L 10.4.1.1/32 is directly connected, Ethernet1/3
C 10.4.10.0/30 is directly connected, Serial2/0
L 10.4.10.1/32 is directly connected, Serial2/0
C 10.4.100.0/24 is directly connected, Ethernet0/0
L 10.4.100.1/32 is directly connected, Ethernet0/0
O 10.5.0.0/32 [110/65] via 10.4.10.2, 01:26:10, Serial2/0
O N1 172.20.0.0 [110/25] via 10.3.4.1, 00:16:13, Ethernet1/0
O N1 172.20.1.0 [110/25] via 10.3.4.1, 00:16:13, Ethernet1/0
R4#show run | sec ospf
router ospf 1
area 10 nssa
network 10.3.0.0 0.0.255.255 area 10
network 10.4.0.0 0.0.255.255 area 10
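The cost from R3 to 0.0.0.0/0 is 15, which is what I would expect:
- Snippet from R3's routing table:
O*N1 0.0.0.0/0 [110/15] via 10.3.5.2, 00:15:05, Ethernet1/1
- R3 to ASA1 is one hop, with a cost of 10.
- ASA1 injects the default route as a type 1 metric with a cost of 5.
Now, if the interface between ASA1 and R4 is no shut, the cost from R3 to ASA1 increases.
Running no shut on the interface from R4 to ASA1: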
ASA1# conf t
ASA1(config)# int g0/2
ASA1(config-if)# show run int g0/2
!
interface GigabitEthernet0/2
shutdown
nameif INSIDE-2
security-level 100
ip address 10.4.1.2 255.255.255.252
ASA1(config-if)# no shut
R4 sees the neighbor come up and now sees the default route with a cost of 15:
R4#
*Sep 10 18:42:27.746: %OSPF-5-ADJCHG: Process 1, Nbr 172.20.10.2 on Ethernet1/3 from LOADING to FULL, Loading Done
R4#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.4.1.2 to network 0.0.0.0
O*N1 0.0.0.0/0 [110/15] via 10.4.1.2, 00:01:31, Ethernet1/3
10.0.0.0/8 is variably subnetted, 18 subnets, 3 masks
O IA 10.1.0.0/32 [110/21] via 10.3.4.1, 01:42:37, Ethernet1/0
O IA 10.1.2.0/30 [110/30] via 10.3.4.1, 01:42:42, Ethernet1/0
O IA 10.1.3.0/30 [110/20] via 10.3.4.1, 01:42:42, Ethernet1/0
O IA 10.1.5.0/30 [110/84] via 10.3.4.1, 01:42:37, Ethernet1/0
O IA 10.2.0.0/32 [110/21] via 10.3.4.1, 01:42:42, Ethernet1/0
O IA 10.2.3.0/30 [110/20] via 10.3.4.1, 01:42:42, Ethernet1/0
O 10.3.0.0/32 [110/11] via 10.3.4.1, 01:42:42, Ethernet1/0
C 10.3.4.0/30 is directly connected, Ethernet1/0
L 10.3.4.2/32 is directly connected, Ethernet1/0
O 10.3.5.0/30 [110/20] via 10.4.1.2, 00:01:31, Ethernet1/3
[110/20] via 10.3.4.1, 01:35:58, Ethernet1/0
C 10.4.0.0/32 is directly connected, Loopback0
C 10.4.1.0/30 is directly connected, Ethernet1/3
L 10.4.1.1/32 is directly connected, Ethernet1/3
C 10.4.10.0/30 is directly connected, Serial2/0
L 10.4.10.1/32 is directly connected, Serial2/0
C 10.4.100.0/24 is directly connected, Ethernet0/0
L 10.4.100.1/32 is directly connected, Ethernet0/0
O 10.5.0.0/32 [110/65] via 10.4.10.2, 01:43:19, Serial2/0
172.20.0.0/32 is subnetted, 2 subnets
O N1 172.20.0.0 [110/15] via 10.4.1.2, 00:01:31, Ethernet1/3
O N1 172.20.1.0 [110/15] via 10.4.1.2, 00:01:31, Ethernet1/3
R3 now sees the default route (and all other NSSA external/LSA Type 7 routes) with a cost of 25. Even the route directly to ASA1, which had a cost of 15 just a moment ago!
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.3.5.2 to network 0.0.0.0
O*N1 0.0.0.0/0 [110/25] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/25] via 10.3.4.2, 00:03:16, Ethernet1/0
10.0.0.0/8 is variably subnetted, 18 subnets, 3 masks
O 10.1.0.0/32 [110/11] via 10.1.3.1, 01:44:22, Ethernet0/1
O 10.1.2.0/30 [110/20] via 10.2.3.1, 01:44:32, Ethernet0/2
[110/20] via 10.1.3.1, 01:44:22, Ethernet0/1
C 10.1.3.0/30 is directly connected, Ethernet0/1
L 10.1.3.2/32 is directly connected, Ethernet0/1
O 10.1.5.0/30 [110/74] via 10.1.3.1, 01:44:22, Ethernet0/1
O 10.2.0.0/32 [110/11] via 10.2.3.1, 01:44:32, Ethernet0/2
C 10.2.3.0/30 is directly connected, Ethernet0/2
L 10.2.3.2/32 is directly connected, Ethernet0/2
C 10.3.0.0/32 is directly connected, Loopback0
C 10.3.4.0/30 is directly connected, Ethernet1/0
L 10.3.4.1/32 is directly connected, Ethernet1/0
C 10.3.5.0/30 is directly connected, Ethernet1/1
L 10.3.5.1/32 is directly connected, Ethernet1/1
O 10.4.0.0/32 [110/11] via 10.3.4.2, 01:44:22, Ethernet1/0
O 10.4.1.0/30 [110/20] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/20] via 10.3.4.2, 01:36:10, Ethernet1/0
O 10.4.10.0/30 [110/74] via 10.3.4.2, 01:44:22, Ethernet1/0
O 10.4.100.0/24 [110/20] via 10.3.4.2, 01:44:22, Ethernet1/0
O 10.5.0.0/32 [110/75] via 10.3.4.2, 01:44:22, Ethernet1/0
172.20.0.0/32 is subnetted, 2 subnets
O N1 172.20.0.0 [110/25] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/25] via 10.3.4.2, 00:03:16, Ethernet1/0
O N1 172.20.1.0 [110/25] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/25] via 10.3.4.2, 00:03:16, Ethernet1/0
As I said above, I can force traffic onto my preferred path (R3 to ASA1) by manually setting a higher cost on the link from R4 to ASA1:
R4#show run int eth1/3
Building configuration...
Current configuration : 90 bytes
!
interface Ethernet1/3
description ASA1-Gi0/2
ip address 10.4.1.1 255.255.255.252
end
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int eth1/3
R4(config-if)#ip ospf cost 20
Now R3 sees the cost of 0.0.0.0/0 via R4 as 35 and removes it from the routing table in favor of its direct path to ASA1.
But it does not lower the cost to 15!
R3#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 25, candidate default path, type NSSA extern 1
Last update from 10.3.5.2 on Ethernet1/1, 00:09:23 ago
Routing Descriptor Blocks:
* 10.3.5.2, from 172.20.10.2, 00:09:23 ago, via Ethernet1/1
Route metric is 25, traffic share count is 1
Finally, I can shut down the link between R4 and ASA1 again, and the cost between R3 and ASA1 decrements back to 15.
ASA1# show run int g0/2
!
interface GigabitEthernet0/2
nameif INSIDE-2
security-level 100
ip address 10.4.1.2 255.255.255.252
ASA1# conf t
ASA1(config)# int g0/2
ASA1(config-if)# shut
Voilà...
R3#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 15, candidate default path, type NSSA extern 1
Last update from 10.3.5.2 on Ethernet1/1, 00:00:49 ago
Routing Descriptor Blocks:
* 10.3.5.2, from 172.20.10.2, 00:00:49 ago, via Ethernet1/1
Route metric is 15, traffic share count is 1
WHY!?
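An added example, not part of the original post: a small check that compares two `show ip route` snapshots and flags external/NSSA prefixes that are installed with more than one next hop (the condition that leads to asymmetric flows through the ASA) along with any metric change. The sample lines are copied from the R3 outputs above; the function names are hypothetical.

```python
import re

# Lines copied from the two R3 "show ip route" outputs in the post.
BEFORE = """\
O*N1 0.0.0.0/0 [110/15] via 10.3.5.2, 00:15:05, Ethernet1/1
O 10.4.1.0/30 [110/20] via 10.3.4.2, 01:16:08, Ethernet1/0
O N1 172.20.0.0 [110/15] via 10.3.5.2, 00:15:05, Ethernet1/1
"""
AFTER = """\
O*N1 0.0.0.0/0 [110/25] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/25] via 10.3.4.2, 00:03:16, Ethernet1/0
O 10.4.1.0/30 [110/20] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/20] via 10.3.4.2, 01:36:10, Ethernet1/0
O N1 172.20.0.0 [110/25] via 10.3.5.2, 00:03:16, Ethernet1/1
[110/25] via 10.3.4.2, 00:03:16, Ethernet1/0
"""
ROUTE = re.compile(r"^(O\*?\s?(?:N[12]|E[12]|IA)?)\s+(\d[\d.]*(?:/\d+)?)\s+(\[.*)$")
HOP = re.compile(r"\[\d+/(\d+)\] via ([\d.]+), \S+, (\S+)")
EXTERNAL = {"ON1", "ON2", "OE1", "OE2"}

def parse_routes(text):
    """Return {prefix: {"code": str, "paths": [(metric, next_hop, interface)]}}."""
    routes, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = ROUTE.match(line)
        if m:
            code = m.group(1).replace(" ", "").replace("*", "")
            current = routes.setdefault(m.group(2), {"code": code, "paths": []})
            line = m.group(3)
        elif not line.startswith("["):
            current = None  # connected/local/header line, not an OSPF path
        hop = HOP.match(line)
        if hop and current is not None:
            current["paths"].append((int(hop.group(1)), hop.group(2), hop.group(3)))
    return routes

def ecmp_externals(routes):
    """External/NSSA prefixes installed with more than one next hop."""
    return sorted(p for p, r in routes.items()
                  if r["code"] in EXTERNAL and len(r["paths"]) > 1)

def metric_changes(before, after):
    """{prefix: (old, new)} where the installed metric differs between snapshots."""
    return {p: (before[p]["paths"][0][0], r["paths"][0][0])
            for p, r in after.items()
            if p in before and before[p]["paths"][0][0] != r["paths"][0][0]}

if __name__ == "__main__":
    old, new = parse_routes(BEFORE), parse_routes(AFTER)
    print("ECMP externals:", ecmp_externals(new))
    print("Metric changes:", metric_changes(old, new))
```

The intra-area prefix 10.4.1.0/30 also has two next hops in the second snapshot but is not flagged, because only external/NSSA route codes are checked.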
