h3cte實驗手冊-排錯報告范例2、ospf版

OSPF網(wǎng)絡(luò)拓H3CTE原題就是這 。不過設(shè)備之間相連的IP地址是不一樣的。而且都是30位的掩碼?？偛糠植恳约稗k事處的業(yè)務(wù)網(wǎng)段地址都是此圖上面的，包括GREoverIPSEC的接口地址備注：以下各設(shè)備的配置文件中加粗部分均為考試時故障點。故障記錄時間是2011-06-16。OSPF網(wǎng)絡(luò)需求version5.20,Release#sysname#stpinstance1rootprimarystpinstance2rootsecondarystpenableregion-nameh3crevision-level1instance1vlaninstance2vlan#interfaceBridge-portlink-typeporttrunkpermitvlan110 故障點，原題此處沒有配#interfaceVlan-interface1ipaddress100.1.1.2vrrpvrid3virtual-ipvrrpvrid3priority#descriptiontor1ipaddress10.1.11.2ospfcost#descriptiontos-masteripaddress192.168.0.2vrrpvrid1virtual-ipvrrpvrid1priorityvrrpvrid1trackinterfaceVlan-interface2故障點，沒有上行鏈路。與題意不符#descriptiontoq-backupipaddress172.1.0.2vrrpvrid2virtual-ip#interfaceEthernet1/0/2portlink-modebridgeportaccessvlan2#interfaceEthernet1/0/3descriptiontosw3portlink-typetrunkporttrunkpermitvlan110#interfaceEthernet1/0/4portlink-modebridgeportlink-typetrunkporttrunkpermitvlan110#interfaceEthernet1/0/6portlink-modebridgeportlink-typetrunkporttrunkpermitvlan110#ospfsilent-interfaceVlan-interface10silent-interfaceVlan-interface20area0.0.0.0network10.1.11.2network100.1.1.2network192.168.0.2network172.1.0.2 沒有出去此業(yè)務(wù)VLAN接口地#[SWA]disipRoutingTables:PublicDestinations: Routes: Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0[SWA]disospfrou[SWA]disospfroutingOSPFProcess1withRouterID192.168.0.2RoutingTablesRoutingfor111TransitRoutingfor111TotalNets:IntraArea: ASE: NSSA:[SWA]disvrrp[SWA]disvrrpver[SWA]disvrrpverboseRunMethod Totalnumberofvirtualrouters:3:Vlan-::Admin::Config:Run:Preempt:Delay:Auth::Virtual:0000-5e00-Master::Vlan-::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE::Pri:::0000-5e00-Master::Vlan-::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE:Master::[SWA]disstpb STP0ALTE0 0 1 1 2 2 [SWA]disinterBridge-Aggregation1IPPacketFrameType:PKTFMT_ETHNT_2,HardwareAddress:0023-8943-16e3Description:Bridge-Aggregation1Interface200Mbps-speedmode,full-duplexLinkspeedtypeisautonegotiation,linkduplextypeisautonegotiationPVID:1Portlink-type:VLANpassing:1(defaultvlan),10,20VLANpermitted:1(defaultvlan),10,20Trunkportencapsulation:IEEE802.1q[SWA]dis[SWA]dislink-aggregationsu[SWA]dislink-aggregationsummaryAggregationInterfaceBAGG--Bridge-Aggregation,RAGG--Route-AggregationAggregationMode:S--Static,D--DynamicLoadsharingType:Shar--Loadsharing,NonS--Non-LoadsharingActorSystemID:0x8000,0023-8943-16d0

PartnerID

version5.20,Release#sysname#stpinstance1rootsecondarystpinstance2rootprimarystpenableregion-nameh3crevision-level1instance1vlaninstance2vlan#portlink-typetrunkporttrunkpermitvlan110 沒有配置鏈路聚#interfaceVlan-interface1ipaddress100.1.1.3vrrpvrid3virtual-ip#descriptiontor2ipaddress10.1.22.2ospfcost#descriptiontos-backupipaddress192.168.0.3vrrpvrid1virtual-ipvrrpvrid1authentication-modesimple 沒有配置認#descriptiontoq-masteripaddress172.1.0.3vrrpvrid2virtual-ipvrrpvrid2priority105 原題優(yōu)先級為90，與題意不符。vrrpvrid2trackinterfaceVlan-interface2沒有上行鏈路。vrrpvrid2authentication-modesimple 原題為h2c，認證失敗終端有錯誤提示#interfaceEthernet1/0/2portlink-modebridgeportaccessvlan2#interfaceEthernet1/0/4portlink-modebridgeportlink-typetrunkporttrunkpermitvlan11020portlink-aggregationgroup1#interfaceEthernet1/0/6portlink-modebridgeportlink-typetrunkporttrunkpermitvlan11020portlink-aggregationgroup1#interfaceEthernet1/0/8portlink-modebridgeportlink-typetrunkporttrunkpermitvlan110#ospfsilent-interfaceVlan-interface10silent-interfaceVlan-interface20area0.0.0.0network10.1.22.2network100.1.1.3network192.168.0.3 沒有network172.1.0.3#[SW2]disiprouRoutingTables:PublicDestinations: Routes: Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0[SW2]disospf[SW2]disospfOSPFProcess1withRouterID192.168.0.3RoutingTablesRoutingfor111Routingfor111TotalNets:IntraArea: ASE: NSSA:[SW2]disvrrpIPv4StandbyRunMethod Totalnumberofvirtualrouters:3:Vlan-::Admin::Config:Run:Preempt:Delay:Auth::Master::Vlan-::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE::Master::Vlan-::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE:::Pri:VirtualMAC MasterIP :172.1.0.3version5.20,Release#sysnameSW3配置交換機名稱#vlan10 stpenable stpregion-configuration /STP區(qū)域配置/region-name /區(qū)稱 與SW1/SW2不一致要重新激活域配置revision-level /修訂版本instance1vlan10 instance2vlan20activeregion- /激活STP區(qū)域#ipaddress100.1.1.1#ipaddress192.168.0.1#ipaddress172.1.0.1#interfaceportlink-typetrunk 原題沒有配置trunk。porttrunkpermitvlan11020#interfaceportlink-typeporttrunkpermitvlan110#iproute-static0.0.0.00.0.0.0iproute-static0.0.0.00.0.0.0iproute-static192.0.0.0255.0.0.0iproute-static172.0.0.0255.0.0.0172.1.0.254[SW3]disip[SW3]disiprouting-tableRoutingTables:PublicDestinations: Routes: Static0Direct0Direct0Direct0Direct0Direct0Direct0Static0Direct0Direct0version5.20,Release1509P01,#sysname#ikelocal-name#routerid#ikepeerbranch3remote-addresslocal-address#ikepeerbranch5loaladdress61.7.1.1 原題只有一個E對等體。個人來說不需要在配置一個。但是網(wǎng)#ipsecpolicy-templatebranch1ike-peerbranch3proposal#ike-peerbranch5proposal#ipsecpolicyrt3510isakmptemplate#local-userrt3service-typeppp#aclnumberrule0permitsource192.168.0.0aclnumberrule0permitsource172.1.0.0aclnumberrule0permitsource192.169.1.0aclnumberrule0permitsource172.169.1.0aclnumberrule0permitsource192.169.1.0rule1permitsource192.192.1.0#interfacelink-protocolipaddress10.1.12.1ospfcost#interfaceSerial6/1link-protocolpppchapuserrt1pppchappasswordsimple 此處沒有發(fā)送chap認證ipaddress10.1.13.1#interfaceipaddress10.1.1.1#interfaceipaddress10.10.1.1#portlink-moderouteipaddress10.1.11.1ospfcost#portlink-moderouteipaddress61.67.1.1ipsecpolicy#interfaceipaddress10.13.1.1destinationkeepalive10 此處沒有配#interfaceipaddress10.15.1.1destinationkeepalive10#ospfimport-routestaticroute-policy 此處沒有引入靜態(tài)import-routeospf100type1route-policyp2area0.0.0.0network10.1.12.0network10.1.11.0#ospfimport-routeospf1type1route-policy 此處沒有引入OSPF1并掛載路由areanetwork10.1.13.00.0.0.3#route-policyp1permitnode 策略什么的都是做好的，直接在OSPF里面應(yīng)用即可if-matchaclapplycostroute-policyp1permitnode20if-matchacl2001applycostroute-policyp2permitnode10if-matchacl2002applycostroute-policyp2permitnode20if-matchacl2003applycostroute-policyp5permitnode10if-matchacl2005applycost#iproute-static0.0.0.00.0.0.0iproute-static192.169.1.0255.255.255.0Tunnel3preferenceiproute-static192.192.1.1255.255.255.255Tunnel5preference250原題的下一跳不是接口而是IP#user-interfaceconuser-interfaceaux[RT1]disipsecpathMTU:1500sequencenumber:10mode:templateconnectionid:10encapsulationmode:tunnel address: (5timesmatched)souraddr:61.67.1.0/255.255.255.192 port:0 destaddr: port: protocol:[inboundESPspi:438582685saremainingkeyduration(bytes/sec):1887436800/989maxreceivedsequence-number:1udpencapsulationusedfornattraversal:[outboundESPspi:1676980481saremainingkeyduration(bytes/sec):1887436800/989maxsentsequence-number:1udpencapsulationusedfornattraversal:sequencenumber:10mode:templateconnectionid:11encapsulationmode:tunnel address:remoteaddress: (5timessouraddr:61.67.1.0/255.255.255.192 port:0 destaddr: port: protocol:[inboundESPspi:440636093saremainingkeyduration(bytes/sec):1887436464/3576maxreceivedsequence-number:4udpencapsulationusedfornattraversal:[outboundESPspi:796278866saremainingkeyduration(bytes/sec):1887436464/3576maxsentsequence-number:5udpencapsulationusedfornattraversal:N[RT1]disiprou[RT1]disip[RT1]disiprouting-tableRoutingTables:PublicDestinations: Routes: Static0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct022 Static [RT1]disospfrouOSPFProcess1withRouterID10.1.1.1RoutingTablesRoutingfor122Routingfor11TotalNets:IntraArea: ASE: NSSA:OSPFProcess100withRouterID10.1.1.1RoutingTablesRoutingforRoutingfor1111TotalNets:IntraArea: ASE: NSSA:version5.20,Release1509P01,#sysname#defaultenablesystem#routerid#aclnumberrule0permitsource192.168.0.0aclnumberrule0permitsource172.1.0.0aclnumberrule0permitsource192.169.1.0aclnumberrule0permitsource172.169.1.0#interfaceSerial6/0link-protocolipaddress10.1.12.2ospfcost#interfaceSerial6/2link-protocolppppppmpMp-group1interfaceSerial6/3link-protocolpppmpMp-group 此處沒有加入MP組#interfaceMp-ipaddress10.1.24.1#interfaceipaddress10.1.1.2#portlink-moderouteipaddress10.1.22.1ospfcost#portlink-moderoute#ospfimport-routeospf100type1route-policyareanetwork10.1.12.0network10.1.22.0#ospfimport-routeospf1type1route-policyareaauthentication-modenetwork10.1.24.0#route-policyp1permitnode10if-matchacl2000applycostroute-policyp1permitnode20if-matchacl2001applycostroute-policyp2permitnode10if-matchacl2002applycostroute-policyp2permitnode20if-matchacl2003applycost##user-interfaceconuser-interfaceaux[RT2]disip[RT2]disiprouting-tableRoutingTables:PublicDestinations: Routes: Direct0Direct0Direct0Direct0Mp-Direct0Direct0Direct0Mp-Direct0Direct0Mp-Mp-Direct0Direct02Mp-2Mp-[RT2]disospfrouOSPFProcess1withRouterID10.1.1.2RoutingTablesRoutingfor221Routingfor11TotalNets:IntraArea: ASE: NSSA:OSPFProcess100withRouterID10.1.1.2RoutingTablesRoutingforRoutingfor1111TotalNets:IntraArea: InterArea: ASE: NSSA:version5.20,Release1719,#sysname#ikelocal-name#defaultenablesystem#routerid#qospql1protocolipacl3001queue#aclnumberrule0permitsource192.169.1.0aclnumberrule0permitsource172.169.1.0aclnumberrule0permitsource192.192.1.0#aclnumberrule0permitipsource10.10.3.10destination10.10.1.1 #aclnumberrule0permitipsource192.169.1.00.0.0.255destination192.168.0.0原題此處目的地址的掩碼是8位，需更改16位即可#ikepeerremote-address61.67.1.1#ipsecpolicyrt110isakmpsecurityacl3000proposal1#local-userrt1passwordsimpleh3cservice-typeppp#local-userauthorization-attribuevel3service-type#interfaceSerial6/0link-protocolipaddress10.1.34.1ospfauthentication-modesimple#interfaceSerial6/1link-protocolpppchapuserrt3pppchappasswordsimpleipaddress10.1.13.2ospfauthentication-modesimpleh3cqospqpql1 #interfaceipaddress10.1.1.3#interfaceipaddress10.10.3.1#portlink-moderouteipaddress63.67.1.1ipsecpolicy原題此接口下沒有應(yīng)用IPSEC策略還有就是配置了OSPF認證。需取消OSPF認證在應(yīng)用#portlink-moderoute#vlan-typedot1qvid10ipaddress192.169.1.3vrrpvrid1virtual-ipvrrpvrid1priority#vlan-typedot1qvid20ipaddress172.169.1.3vrrpvrid2virtual-ip#interfaceipaddress10.13.1.2destination#ospfimport-routedirectroute-policyimport-routestaticroute-policy 此處應(yīng)引入靜態(tài)和直連并關(guān)聯(lián)路由策areanetwork10.1.34.00.0.0.3network10.1.13.0#route-policyp1permitnode10if-matchacl2000applycostroute-policyp1permitnode20if-matchacl2001applycostroute-policyp2permitnode10if-matchacl2002applycost#iproute-static0.0.0.00.0.0.0iproute-static192.168.0.0255.255.0.0Tunnel3preference160150#user-interfaceconuser-interfacetty33user-interfaceauxuser-interfacevty04userprivilegelevel3#[RT3]disiprouRoutingTables:PublicDestinations: Routes: Static0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Static0Direct0Direct0Direct0[RT3]disospfrou[RT3]disospfroutingOSPFProcess100withRouterID10.1.1.3RoutingTablesRoutingforRoutingfor1111TotalNets:IntraArea: ASE: NSSA:[RT3]disvrrpverIPv4StandbyRunMethod Totalnumberofvirtualrouters:2:::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE::Pri:::0000-5e00-Master::::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE:Master::[RT3]disipsecpathMTU:1500sequencenumber:10mode:isakmpconnectionid:4encapsulationmode:tunnel address:Flow:souraddr:port:protocol:destaddr:port:protocol:[inboundESPspi:1676980481saremainingkeyduration(bytes/sec):maxreceivedsequence-number:1anti-replaycheckenable:Yanti-replaywindowsize:udpencapsulationusedfornattraversal:[outboundESPspi:438582685saremainingkeyduration(bytes/sec):1887436800/781maxsentsequence-number:1udpencapsulationusedfornattraversal:version5.20,Release1509P01,#sysname#defaultenablesystem#routerid#netserver#qospql1protocolipacl3001queue#aclnumberrule0permitsource192.169.1.0aclnumberrule0permitsource172.169.1.0#aclnumberrule0permitipsource192.169.1.00.0.0.255destination192.168.0.0#interfaceSerial6/0link-protocolipaddress10.1.34.2ospfauthentication-modesimple#interfaceSerial6/2link-protocolppppppmpMp-group1interfaceSerial6/3link-protocolpppmpMp-group#interfaceMp-ipaddress10.1.24.2ospfauthentication-modesimpleqospqpql 接口應(yīng)用pq之后記得shut/undoshutqos生效#interfaceipaddress10.1.1.4#vlan-typedot1qvid10ipaddress192.169.1.2vrrpvrid1virtual-ip#vlan-typedot1qvid20ipaddress172.169.1.2vrrpvrid2virtual-ipvrrpvrid2priority#ospfimport-routedirecttype1route-policyareaauthentication-modenetwork10.1.24.0network10.1.34.0#route-policyp1permitnodeif-matchaclapplycostroute-policyp1permitnode20if-matchacl2001applycost#user-interfaceconuser-interfaceauxuser-interfacevty04userprivilegelevel3#[RT4]disip[RT4]disiprouting-tableRoutingTables:PublicDestinations: Routes: Direct0Direct0Mp-Direct0Mp-Direct0Direct0Direct0Direct0Direct0Direct0Mp-Direct0Direct0Direct0Direct0Direct0[RT4]disospfOSPFProcess100withRouterID10.1.1.4RoutingTablesRoutingforRoutingfor1111TotalNets:IntraArea: ASE: NSSA:[RT4]disvrrpver[RT4]disvrrpverboseIPv4StandbyRun:VIRTUAL-VirtualIP::::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE::Master::::Admin::Config:Run:Preempt:Delay:Auth:SIMPLE:Pri::MasterIP:0000-5e00-:version5.20,Release#sysname#defaultenable#netserver#stp#ipaddress200.1.1.1#ipaddress192.169.1.1#ipaddress172.169.1.1#interfaceEthernet1/0/2portlink-modebridgeportlink-typetrunkporttrunkpermitvlan110#interfaceEthernet1/0/4portlink-modebridgeportlink-typetrunkporttrunkpermitvlan110#portlink-modebridgestpedged-portenable#iproute-static0.0.0.00.0.0.0iproute-static172.1.0.0255.255.0.0#user-interfaceauxuser-interfacevty04userprivilegelevel3#[SW4]disiprouRoutingTables:PublicDestinations: Routes: Static0Direct0Direct0Static0Direct0Direct0Direct0Direct0Direct0Direct0version5.20,Release1509P01,#sysname#bandwidth-based-#ikepeerpre-shared-keyh3cipsecpolicyrt110isakmpsecurityacl3000proposal1#aclnumberdescriptiontoipsec 數(shù)據(jù)流匹配錯誤，需與tunnel接口的源和目的相rule0permitipsource10.10.5.10destination10.10.1.1#interfaceipaddress192.192.1.1#interfaceLoopBack100ipaddress10.10.5.1#portlink-moderouteipaddress65.67.1.1ipsecpolicy#interfaceipaddress10.15.1.2destination#iproute-static0.0.0.00.0.0.0iproute-static192.168.0.0255.255.0.0注意原題的靜態(tài)路由是如以下配置的，iproute-static192.0.0.0255.0.0.0tunnel5。題目需求是A流即另外一個問題就是全網(wǎng)設(shè)備除internet設(shè)備外都要可。這個需求很籠統(tǒng)，因為每臺設(shè)備上只有超級。沒有普通的用戶名和，我當時排錯的時候把每臺設(shè)備的net服務(wù)開啟，以及把vty終端下配置了userprivilegelevel3，其他的沒有配置。#[RT5]disiprouRoutingTables:PublicDestinations: Routes: Static0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Static0Direct0[RT5]disipsecsa[RT5]disipsecpathMTU:1500sequencenumber:10mode:connectionid:5encapsulationmode:tunnel address: (5timesmatched)souraddr:65.67.1.0/255.255.255.252 port:0 destaddr: port: protocol:[inboundESPspi:796278866saremainingkeyduration(bytes/sec):1887436464/3272maxreceivedsequence-number:4udpencapsulationusedfornattraversal:[outboundESPspi:440636093saremainingkeyduration(bytes/sec):1887436464/3272maxsentsequence-number:5udpencapsulationusedfornattraversal:version5.20,Release#sysname#netserver#vlan#ipaddress61.67.1.2#ipaddress63.67.1.2#ipaddress65.67.1.2#interfaceEthernet1/0/2portlink-modebridgeportaccessvlan2#interfaceEthernet1/0/4portlink-modebridgeportaccessvlan4#interfaceEthernet1/0/6portlink-modebridgeportaccessvlan6#iproute-static10.10.1.1255.255.255.255iproute-static10.10.3.1255.255.255.255iproute-static10.10.5.1255.255.255.255#[ISP]disip[ISP]disiprouting-tableRoutingTables:PublicDestinations: Routes: Static0Static0Static0Direct0Direct0Direct0Direct0Direct0Direct0Direct0Direct0故障總部與分部接入層交換機接口沒配置為trunk類型(總部SW1.SW2沒配置端口聚合(trunk類型總部SW1.SW2VRRPR1的ipsec沒有配置,R3.R5的ipsec已經(jīng)配置了,但是沒有應(yīng)用到接口中,其中R5的中ACL指定的加密流定義錯誤（要定義loopback接口地址段R2-R4mp-group端口沒有配置完全(端口未全部加入到該組中,只加入了一對端口),R2-R4的chap雙向認證沒有配置或配置錯誤(當事人沒記住)Ospf2需要全網(wǎng)認證,但是R3R4沒有配置認證(當事人沒記住Ospf2的R3Ospf1的R1R3上已經(jīng)有了QOS的配置,沒有應(yīng)用到接口中,但是需要修改ACL24位,R4上沒有配置QOS(QOS使用PQ)故障點明1SW3E1/0/1和E1/0/2SW4E1/0/1E1/0/2access（上行3、SW1上A業(yè)務(wù)的vlan10沒有的vrrp沒有配置到設(shè)備上有報錯提示4、SW2Avlan20的vrrp90（所以主在SW1上了，與題意不符，改成105就好了）5、RT3ospf的區(qū)域視圖下沒有開啟區(qū)域驗證（RT3時沒有任何ospf路由和ospfpeer）6、電信ppp鏈路的兩端chap驗證的chappassword都填的是本端的（賬號都是h3c,密這個鏈路是起來的，要shutdown再undoshut問題就顯現(xiàn)出來了。）7ppp-mp在RT4側(cè)只綁定一個S6/0接口，S6/1沒有綁定。（題外話：ppp-mp鏈路down掉一條后ospf接口cost會翻倍），，8、RT1和RT2ospf互相引入的操作（所以一開始是沒有互相的外部路由的，只有RT1上做ospf100的路由引ospf1的路由。引入的時候需要加入選路策略，在不同，，引入的操作引入時需要帶上路由所以總部不能和辦事處正常通信引入的操作引入時需要帶上路由所以總部不能和辦事處正常通信這里需要在策略，系統(tǒng)已經(jīng)定義好了（策略名為P5cost））internet的那條11、gre隧道默認都是通的(RT1loopback1---RT3loopback1gre隧道，RT1---RT5也loopback建立gre隧道）但是ipsecsa檢查配置發(fā)現(xiàn)幾點錯誤：1、RT5acl寫錯了（tunnelsourcedestination地址。2、RT1上雖然配置了ipsectemplateh3c和ipsecpolicyrt35但是策略沒有調(diào)用模版，等于就是兩個單獨的東西了。undoipsec策略，再建一個新的同名策略后跟模版名，例如：ipsecpolicyrt351isakmptemplateh3cipsec策略是套不到模版里面去的。Ipsec模版policyrt35RT3和RT5ipsec連接。注意：RT3RT5acl源和目的都是保護建立gre隧道的sourcedestinationikepeer指定的remote-address和local-address都是公網(wǎng)接口地址。事處的RT5不通，發(fā)現(xiàn)RT1和RT5上都沒有寫相應(yīng)的靜態(tài)路由。寫上后全網(wǎng)就通了。然后用考官給的super提升權(quán)限配置SNMP。O了SW3SW1的互聯(lián)端口沒有設(shè)置為TRUNK，并在TRUNK中允許AVLAN和非A業(yè)務(wù)VLAN通過；SW3SW2TRUNK，并在TRUNKA業(yè)務(wù)VLAN和非A業(yè)務(wù)VLAN通過。SW1與SW2之間VRRP認證密鑰存在問題，需要將密鑰修改成一樣 MSTPSW3region-nameH3C命令，MSTP中只有這一個故障點，配置以后一定要記住打上activeregion-configuration，重啟生成樹運算，否則命令不生效。RT1和RT3之間PPP驗證錯誤;RT2與RT4之間pppmp中RT4中沒有配RT3與RT4之間ospf鄰居形成不了，是因為RT3和RT4OSPF驗證出現(xiàn)問題，一定保證OSPF鄰居形成正常。RT1中已經(jīng)將ospf1和ospf2相互注入，但沒有相應(yīng)的route-policy,使能正確選路；RT2中沒有將ospf1和ospf2進行相互引入，并沒有相應(yīng)的route-policy，命令都需要添加，route-policy沒有錯誤。SW4中沒RT3RT4互聯(lián)的端口設(shè)置TRUNK，并TRUNK中允許VLANRT3和RT4在ospf中發(fā)布AA業(yè)務(wù)網(wǎng)段路由（方式在重分布時相應(yīng)的route-policy.route-policy沒有任何錯誤SW4上將RT3和RT4互聯(lián)的接口改成TRUNK口，并允許相應(yīng)的VLAN通過。由于在廣域網(wǎng)鏈路全部斷掉以后，用互聯(lián)網(wǎng)做備份鏈路，和辦事處通過GREOVERIPSEC與總部相連，GREOVERIPSEC錯誤點比較多，由于有和辦事處，RT11IPSEC模板做，錯誤點較多，RT5IPSECpolicy應(yīng)用在物理接口上，RT1ACL不正確，排錯比較靈活，可以用主模式和野蠻模式都可以，如果用野蠻模式，注意remote-name的大小寫，也可以重新再配