Running OSPF in a VPN instance
#
sysname SW01
#
vlan batch 100 to 101
#
ip vpn-instance ospf0
ipv4-family
#
interface Vlanif100
ip binding vpn-instance ospf0
ip address 192.168.100.1 255.255.255.0
#
interface Vlanif101
ip address 192.168.101.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface LoopBack0
ip binding vpn-instance ospf0
ip address 192.168.111.1 255.255.255.255
#
ospf 1 router-id 192.168.111.1 vpn-instance ospf0
area 0.0.0.0
network 192.168.100.0 0.0.0.255
network 192.168.111.1 0.0.0.0
#
#
sysname SW02
#
vlan batch 100
#
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface LoopBack0
ip address 192.168.111.2 255.255.255.255
#
ospf 32 router-id 192.168.111.2
area 0.0.0.0
network 192.168.100.0 0.0.0.255
network 192.168.111.2 0.0.0.0
#
<SW01>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.101.0/24 Direct 0 0 D 192.168.101.1 Vlanif101
192.168.101.1/32 Direct 0 0 D 127.0.0.1 Vlanif101
<SW01>dis ip routing-table vpn-instance ospf0
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: ospf0
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.100.0/24 Direct 0 0 D 192.168.100.1 Vlanif100
192.168.100.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.111.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
192.168.111.2/32 OSPF 10 1 D 192.168.100.2 Vlanif100
<SW01>dis lld nei brief
Local Intf Neighbor Dev Neighbor Intf Exptime
GE0/0/1 SW02 GE0/0/1 97
<SW01>
<SW02>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.100.0/24 Direct 0 0 D 192.168.100.2 Vlanif100
192.168.100.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.111.1/32 OSPF 10 1 D 192.168.100.1 Vlanif100
192.168.111.2/32 Direct 0 0 D 127.0.0.1 LoopBack0
<SW02>dis lld nei brief
Local Intf Neighbor Dev Neighbor Intf Exptime
GE0/0/1 SW01 GE0/0/1 116
<SW02>
- Route isolation (SW01): the ospf0 VPN instance keeps the 192.168.100.0/24 and 192.168.111.1/32 routes strictly isolated in a separate routing table (dis ip routing-table vpn-instance ospf0), completely separated from the global routing table (dis ip routing-table).
- Interface isolation (SW01): Vlanif100 is bound to the ospf0 VPN instance and handles only traffic inside the VPN. Vlanif101 sits in the global routing table and cannot reach the 192.168.100.0/24 segment inside the VPN.
- OSPF domain isolation (SW01): the OSPF process runs inside the ospf0 instance, so neighbor relationships are limited to interfaces in that VPN instance.
- No isolation (SW02): all interfaces (Vlanif100, LoopBack0) and all OSPF routes sit in the global routing table, exposing every route (including 192.168.111.2/32).
- Larger attack surface (SW02): if SW02 is compromised, an attacker can learn the entire topology through OSPF.
- Allowed communication:
  - SW01's VPN instance (192.168.100.1) and SW02's global interface (192.168.100.2) establish an OSPF neighbor relationship (verified with dis lldp nei).
  - Route exchange: SW01 learns 192.168.111.2/32 (inside the VPN), SW02 learns 192.168.111.1/32 (global).
- Forbidden communication:
  - SW02 cannot reach SW01's Vlanif101 (192.168.101.0/24), because it is outside the OSPF advertised range and no route leaking is configured.
  - SW01's global instance (Vlanif101) cannot reach any address on SW02.
- VPN instance advantage: SW01's ospf0 instance provides logical isolation; even if the global routing table is compromised, routes inside the VPN remain protected.
- SW02 exposure risk: LoopBack0 (192.168.111.2/32) is exposed in the global OSPF domain and may be accessed without authorization.
- No encryption: OSPF is transmitted in cleartext, so route spoofing is possible (it must be combined with encryption such as IPsec).
- OSPF neighbor establishment (allowed):
  - SW01-Vlanif100 (VPN instance) ↔ SW02-Vlanif100 (global)
  - Routes exchanged: 192.168.111.1/32 ↔ 192.168.111.2/32
- Isolated zones (no communication):
  - SW01-Vlanif101 (global) ⇨ ✖ cannot reach any SW02 interface
  - SW02 global routing table ⇨ ✖ cannot reach SW01-Vlanif101 (192.168.101.0/24)
- Isolation:
  - SW01 achieves vertical isolation through the VPN instance: routes inside the VPN are strictly separated from global routes.
  - SW02 has no isolation; all of its routes are globally visible.
- Security recommendations:
  - SW02 improvement: move OSPF into a VPN instance to reduce the attack surface.
  - Stronger encryption: deploy IPsec on the physical link to protect OSPF packets.
  - Access control: configure policy-based routing between SW01's global instance and the VPN instance to open communication only where needed.
- Applicable design scenarios:
  - SW01 model: suited to multi-tenant environments (such as cloud networks) where business traffic must be strictly isolated.
  - SW02 model: suited only to trusted internal networks with no isolation requirement.
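The route-isolation check described above (VPN instance table versus Public table) can be automated against the switch output shown earlier. The following Python script is an added example, not part of the original lab: it parses VRP `display ip routing-table` output into per-table route lists, lists the OSPF-learned prefixes in any table, and reports prefixes that appear in both the VPN instance table and the Public table (a leaked route). The sample text is SW01's output from above, abridged; parse_routing_tables, ospf_routes and find_leaks are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample: SW01's two routing tables, abridged from the lab output above.
SW01_OUTPUT = """\
<SW01>dis ip routing-table
Routing Tables: Public
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.101.0/24 Direct 0 0 D 192.168.101.1 Vlanif101
192.168.101.1/32 Direct 0 0 D 127.0.0.1 Vlanif101
<SW01>dis ip routing-table vpn-instance ospf0
Routing Tables: ospf0
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.100.0/24 Direct 0 0 D 192.168.100.1 Vlanif100
192.168.100.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.111.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
192.168.111.2/32 OSPF 10 1 D 192.168.100.2 Vlanif100
"""

# Route line columns: prefix, proto, pre, cost, flags, nexthop, iface (flags assumed non-empty).
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
TABLE_RE = re.compile(r"^Routing Tables:\s*(\S+)")

def parse_routing_tables(text):
    """Map each table name (Public, ospf0, ...) to a list of (prefix, proto, nexthop, iface)."""
    tables = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            current = m.group(1)   # a new "Routing Tables: <name>" block starts here
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            prefix, proto, _pre, _cost, _flags, nexthop, iface = m.groups()
            tables[current].append((prefix, proto, nexthop, iface))
    return dict(tables)

def ospf_routes(tables, table_name):
    """Prefixes learned via OSPF in the given table, i.e. what a neighbor injected."""
    return [r[0] for r in tables.get(table_name, []) if r[1] == "OSPF"]

def find_leaks(tables, vpn_name):
    """Prefixes present in both the VPN instance table and Public: empty means the VRF boundary held."""
    public = {r[0] for r in tables.get("Public", [])}
    vpn = {r[0] for r in tables.get(vpn_name, [])}
    return sorted(public & vpn)
```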