OSPF between Cisco and pfSense

network-engineering cisco ospf pfsense
2021-07-15 10:59:24

Cisco OSPF has area 0 with 10.0.0.0/24.

pfSense OSPF has area 0 with 10.0.0.0/24, area 10 with 10.10.2.0/24 and area 20 with 192.168.122.0/24.

The routers have full "FULL/DR" and "FULL/BDR" relationships with each other.

However, although "show route" and "ip route" show the routes from the various devices, the OSPF neighbors cannot communicate with each other. (To rule out the firewall/ACLs on the Cisco and on pfSense, I set static routes and that worked.)

What else can I do to get them talking to each other?

Thanks.

(ASA output)

cisASA# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 107.204.168.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 107.204.168.1, outside
O IA     10.10.2.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside
C        107.0.0.0 255.0.0.0 is directly connected, outside
L        107.204.169.233 255.255.255.255 is directly connected, outside
C        10.0.0.0 255.255.0.0 is directly connected, inside
L        10.0.0.1 255.255.255.255 is directly connected, inside
O IA  192.168.122.0 255.255.255.0 [110/20] via 10.0.0.119, 15:17:07, inside

cisASA# show ospf nei


Neighbor ID     Pri   State           Dead Time   Address         Interface
100.100.100.100   1   FULL/BDR        0:00:39    10.0.0.119    inside
cisASA# 

(pfSense output)

IPv4 Routes
Destination Gateway Flags   Use Mtu Netif   Expire
0.0.0.0/32  10.0.0.1    UGS 0   1450    em3 
default 10.0.0.1    UGS 57016   1450    em3 
8.8.8.8 00:3d:2c:15:26:57   UHS 17  1450    em3 
10.10.2.0/24    link#2  U   0   1450    em1 
10.10.2.1   link#2  UHS 212364  16384   lo0 
84.200.69.80    00:3d:2c:15:26:57   UHS 166 1450    em3 
127.0.0.1   link#8  UH  823 16384   lo0 
10.0.0.0/16 10.0.0.1    UGS 120297  1450    em3 
10.0.0.119  link#4  UHS 0   16384   lo0 
192.168.122.0/24    link#3  U   63230   1450    em2 
192.168.122.1   link#3  UHS 212299  16384   lo0 


Quagga OSPF Neighbors

    Neighbor ID Pri State           Dead Time Address         Interface            RXmtL RqstL DBsmL
5.5.5.5           1 Full/DR           34.501s 10.0.0.1      em3:10.0.0.119         0     0     0

(ASA config)

cisASA# show run

: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4) 
!
hostname cisASA

enable password .jaY8R6W./JP9tz1 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!             
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.4.1.2 255.0.0.0 
!
interface Vlan3
 no nameif    
 no security-level
 no ip address
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 84.200.69.80
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-100
 subnet 10.0.0.0 255.255.0.0
object network loader
object network ospf-10
 subnet 10.0.2.0 255.255.255.0
object network ospf-20
 subnet 10.0.20.0 255.255.255.0
object network ospf-30
 subnet 10.0.30.0 255.255.255.0
object network ospf-40
 subnet 192.168.122.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1


access-list inside_access_in extended permit ip object obj-100 any4 
access-list inside_access_in extended permit ip object ospf-10 any4 
access-list inside_access_in extended permit ip object ospf-20 any4 
access-list inside_access_in extended permit ip object ospf-30 any4 
access-list inside_access_in extended permit ip object ospf-40 any4 
access-list outside_access_in extended permit ip 192.168.0.0 255.255.0.0 any 
access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 any 
access-list outside_access_in extended permit ip 172.16.0.0 255.240.0.0 any 
pager lines 24
logging enable
logging buffer-size 987564
logging buffered informational
logging asdm informational
mtu inside 1450
mtu outside 1450
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!

object network obj-1000
 nat (inside,outside) dynamic interface
object network ospf-10
 nat (inside,outside) dynamic interface
object network ospf-20
 nat (inside,outside) dynamic interface
object network ospf-30
 nat (inside,outside) dynamic interface
object network ospf-40
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group open-acl in interface outside
router ospf 5505
 router-id 5.5.5.5
 network 10.0.0.0 255.255.0.0 area 0
 log-adj-changes
 redistribute static subnets
!
route outside 0.0.0.0 0.0.0.0 7.4.1.1

management-access inside

dhcp-client client-id interface outside
dhcpd dns 84.200.69.80 8.8.8.8
dhcpd update dns both override 
dhcpd option 3 ip 10.0.0.1
!
dhcpd address 10.0.1.100-10.0.1.130 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 216.228.192.69 source outside

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:72ade258e5ac8ab26363b2a9beb2724a
: end
cisASA#

(pfSense config is in GUI form)

But pretty much the same
1 Answer

Not enough reputation to comment, but I think I have a good observation here. You said:

Cisco OSPF has area 0 with 10.0.0.0/24.
PFsense OSPF has area 0 with 10.0.0.0/24

But look at this /16 connected route on the ASA:

C        10.0.0.0 255.255.0.0 is directly connected, inside

Confirmed by this /16 interface configuration:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0 
!

From your verbal description, it seems that should be a /24.

Meanwhile, here are all the pfSense routes that match a search for "10.0":

IPv4 Routes
Destination Gateway Flags   Use Mtu Netif   Expire
0.0.0.0/32  10.0.0.1    UGS 0   1450    em3 
default 10.0.0.1    UGS 57016   1450    em3 
10.0.0.0/16 10.0.0.1    UGS 120297  1450    em3 
10.0.0.119  link#4  UHS 0   16384   lo0 

And here is everything related to em3:

IPv4 Routes
Destination Gateway Flags   Use Mtu Netif   Expire
0.0.0.0/32  10.0.0.1    UGS 0   1450    em3 
default 10.0.0.1    UGS 57016   1450    em3 
8.8.8.8 00:3d:2c:15:26:57   UHS 17  1450    em3 
84.200.69.80    00:3d:2c:15:26:57   UHS 166 1450    em3 
10.0.0.0/16 10.0.0.1    UGS 120297  1450    em3 

On your ASA, I would change vlan1 to a /24 as you planned.

I also wonder about your em3 configuration on pfSense. I don't see anything that corresponds to 10.0.0.0/24.

The OSPF Hello packet format includes a "Network Mask" field. I believe the two routers need to agree on the network mask in order to form a neighbor relationship.

Edit: A technique I learned a long time ago is to document the network you want, then change reality to match the documentation.
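The mask check the answer refers to is specified in RFC 2328 section 10.5: on a broadcast network a router discards a received Hello whose Network Mask, HelloInterval or RouterDeadInterval differ from its own interface's values, so no adjacency forms at all. The posted `show ospf nei` output is at FULL, which means that whatever mask pfSense actually sends on em3 agreed with the ASA's; the model below shows what a /16 versus /24 mismatch would look like at the Hello stage, and extracts the /16 from the ASA `show route` line quoted above. This is an added example written for this page, not code from the original post, pfSense or Cisco; it assumes pfSense em3 is 10.0.0.119/24 (the question's stated area 0 prefix), the ASA inside interface is 10.0.0.1/16 (from its running-config), default 10/40 s Hello/Dead timers, and it leaves the OSPF checksum at zero since nothing is sent on the wire.

```python
"""Model the RFC 2328 10.5 Hello acceptance check between the ASA and pfSense.

Added example for this page (not from the original post). Assumptions, not in
the original: pfSense em3 = 10.0.0.119/24, ASA inside = 10.0.0.1/16, default
broadcast-network timers (Hello 10 s, Dead 40 s), checksum left as zero.
"""
import ipaddress
import struct

OSPF_VERSION = 2
HELLO_TYPE = 1
# OSPFv2 header (RFC 2328 A.3.1): ver, type, length, router id, area id,
# checksum, autype, authentication(8 bytes)
HDR = "!BBH4s4sHHQ"
# Hello body (A.3.2): network mask, hello int, options, priority, dead int, DR, BDR
HELLO = "!4sHBBI4s4s"


def build_hello(router_id, area_id, mask, hello_int=10, dead_int=40,
                priority=1, dr="0.0.0.0", bdr="0.0.0.0", neighbors=()):
    """Return the bytes of an OSPFv2 Hello (checksum 0, null authentication)."""
    body = struct.pack(HELLO, ipaddress.IPv4Address(mask).packed, hello_int,
                       0x02,  # options: E bit only
                       priority, dead_int, ipaddress.IPv4Address(dr).packed,
                       ipaddress.IPv4Address(bdr).packed)
    for n in neighbors:  # router IDs seen on this segment
        body += ipaddress.IPv4Address(n).packed
    header = struct.pack(HDR, OSPF_VERSION, HELLO_TYPE, 24 + len(body),
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed, 0, 0, 0)
    return header + body


def parse_hello(pkt):
    """Decode the fields a receiver compares before accepting a Hello."""
    ver, typ, _length, rid, area, _csum, _atype, _auth = struct.unpack(HDR, pkt[:24])
    if ver != OSPF_VERSION or typ != HELLO_TYPE:
        raise ValueError("not an OSPFv2 Hello")
    mask, hello_int, _opts, prio, dead_int, _dr, _bdr = struct.unpack(HELLO, pkt[24:44])
    return {"router_id": str(ipaddress.IPv4Address(rid)),
            "area_id": str(ipaddress.IPv4Address(area)),
            "mask": str(ipaddress.IPv4Address(mask)),
            "hello_interval": hello_int, "dead_interval": dead_int,
            "priority": prio}


def hello_accept_errors(local, hello, point_to_point=False):
    """RFC 2328 10.5: reasons the receiving interface rejects the Hello.

    local = {"addr": IPv4Interface, "area": str, "hello": int, "dead": int}.
    Empty list means the Hello is accepted and neighbor discovery proceeds.
    """
    errs = []
    if hello["area_id"] != local["area"]:
        errs.append(f"area {hello['area_id']} != {local['area']}")
    # The mask is only compared on non-point-to-point networks.
    if not point_to_point and hello["mask"] != str(local["addr"].netmask):
        errs.append(f"network mask {hello['mask']} != {local['addr'].netmask}")
    if hello["hello_interval"] != local["hello"]:
        errs.append(f"hello interval {hello['hello_interval']} != {local['hello']}")
    if hello["dead_interval"] != local["dead"]:
        errs.append(f"dead interval {hello['dead_interval']} != {local['dead']}")
    return errs


def connected_prefix(show_route_line):
    """Turn an ASA 'show route' connected line into an IPv4Network.

    'C        10.0.0.0 255.255.0.0 is directly connected, inside' -> 10.0.0.0/16
    """
    code, net, mask, *_ = show_route_line.split()
    if code != "C":
        raise ValueError("not a connected (C) route")
    return ipaddress.IPv4Network(f"{net}/{mask}")


def diagnose(asa_cidr="10.0.0.1/16", pfsense_cidr="10.0.0.119/24"):
    """Exchange Hellos between the two sides and report each side's rejections."""
    asa = {"addr": ipaddress.IPv4Interface(asa_cidr), "area": "0.0.0.0", "hello": 10, "dead": 40}
    pf = {"addr": ipaddress.IPv4Interface(pfsense_cidr), "area": "0.0.0.0", "hello": 10, "dead": 40}
    asa_hello = build_hello("5.5.5.5", "0.0.0.0", str(asa["addr"].netmask))
    pf_hello = build_hello("100.100.100.100", "0.0.0.0", str(pf["addr"].netmask))
    return {"asa_rejects_pfsense": hello_accept_errors(asa, parse_hello(pf_hello)),
            "pfsense_rejects_asa": hello_accept_errors(pf, parse_hello(asa_hello))}


if __name__ == "__main__":
    asa_route = "C        10.0.0.0 255.255.0.0 is directly connected, inside"
    print("ASA inside prefix:", connected_prefix(asa_route))
    print("as described (/16 vs /24):", diagnose())
    print("after changing vlan1 to /24:", diagnose("10.0.0.1/24", "10.0.0.119/24"))
```

Running it shows each side rejecting the other's Hello on the mask alone when the ASA stays at /16 and pfSense is at /24, and no rejections once both are /24; on a real network that mismatch surfaces as neighbors stuck in INIT or never appearing at all, rather than the FULL state in the posted output. The same `hello_accept_errors` logic is what you would run over captured Hellos (UDP-less, IP protocol 89) when an adjacency will not form and the configs look right.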