【Purpose of this lab】OSPF authentication has two aspects: area authentication and interface authentication; the two must be configured together for authentication to take effect. This lab demonstrates how OSPF authentication is used: we enable authentication in area 0 and configure matching authentication on the interfaces.
【Configuration steps】
(1) The full configuration is given at the end of the lab; the topology is as follows:
(2) Area authentication configuration:
[R1-ospf-1-area-0.0.0.0]authentication-mode simple
[R2-ospf-1-area-0.0.0.0]authentication-mode simple
(3) Interface authentication configuration:
[R1-S0/6/0]ospf authentication-mode simple plain 123
[R2-S0/6/0]ospf authentication-mode simple plain 123
【Test results】
(1) Before authentication is enabled, observe the neighbor relationship between R1 and R2:
[R1]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time Interface State
10.1.1.3 3.3.3.2 1 40 S0/6/0 Full/ -
[R2]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.3
Neighbor Brief Information
Area: 0.0.0.0
Router ID Address Pri Dead-Time Interface State
10.1.1.2 3.3.3.1 1 38 S0/6/0 Full/ -
(2) With authentication enabled on R1 but not on R2:
[R1]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.2
Neighbor Brief Information
[R1]
[R2]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.3
Neighbor Brief Information
After enabling debugging ospf packet on both R1 and R2, each router is seen sending packets continuously. In the packets R1 sends, the AuType field is 01; in the packets R2 sends, it is 00. According to the documentation, AuType 00 means no authentication, 01 means simple (plaintext) authentication, and 02 means MD5 authentication.
R1:
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:OSPF 1: SEND Packet.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Source Address: 3.3.3.1
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Destination Address: 224.0.0.5
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Ver# 2, Type: 1, Length: 44.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Router: 10.1.1.2, Area: 0.0.0.0, Checksum: 61598.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:AuType: 01, Key(ascii): 31 32 33 0 0 0 0 0.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Net Mask: 255.255.255.252, Hello Int: 10, Option: _E_.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Rtr Priority: 1, Dead Int: 40, DR: 0.0.0.0, BDR: 0.0.0.0.
R2:
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:OSPF 1: SEND Packet.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Source Address: 3.3.3.2
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Destination Address: 224.0.0.5
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Ver# 2, Type: 1, Length: 44.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Router: 10.1.1.3, Area: 0.0.0.0, Checksum: 61598.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:AuType: 00, Key(ascii): 0 0 0 0 0 0 0 0.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Net Mask: 255.255.255.252, Hello Int: 10, Option: _E_.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Rtr Priority: 1, Dead Int: 40, DR: 0.0.0.0, BDR: 0.0.0.0.
(3) After both routers use simple authentication, the neighbor relationship is established normally.
(4) Next, change the authentication mode on both routers to MD5 and check again:
[R1-ospf-1-area-0.0.0.0]authentication-mode md5
[R2-ospf-1-area-0.0.0.0]authentication-mode md5
(5) Interface authentication configuration:
[R1-S0/6/0]ospf authentication-mode md5 1 cipher abcde
[R2-S0/6/0]ospf authentication-mode md5 1 cipher abcde
After the configuration is complete, the neighbor relationship can still be established.
Additional notes:
When the passwords on the two sides differ:
debugging ospf packet shows packets being sent continuously
debugging ospf event reports the following error: OSPF 1 :OSPF received packet with mismatch authentication key.
If R1 is configured with MD5 authentication while R2 is configured with
then debugging ospf event shows:
R1 OSPF 1 :OSPF received packet with mismatch authentication type :0.
R2 OSPF 1 :OSPF received packet with mismatch authentication type :2.
R1's debugging output says: the peer is sending without authentication, I have no way to negotiate with it!
R2's debugging output says: the peer is sending with MD5 authentication, I have no way to negotiate with it! Dear, did you misconfigure something? Hehe.
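As an added example (not part of the original post), the following Python decodes the OSPFv2 header fields seen in the debug output above (AuType 00/01/02 and the 8-byte Authentication field) and reproduces the receiver's type and key checks that produce the "mismatch authentication type" and "mismatch authentication key" messages. The packets are constructed samples; the MD5 verification follows RFC 2328 Appendix D, and the zeroed Hello body is an assumption for brevity.

```python
import hashlib
import struct

# OSPFv2 common header (24 bytes): version, type, length, router ID, area ID,
# checksum, AuType, and the 8-byte Authentication field whose meaning depends on AuType.
HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE_NAMES = {0: "null", 1: "simple", 2: "md5"}

def parse_header(pkt: bytes) -> dict:
    ver, ptype, length, rid, area, csum, autype, auth = HDR.unpack_from(pkt)
    info = {"version": ver, "type": ptype, "length": length, "checksum": csum,
            "router_id": ".".join(map(str, rid)), "area": ".".join(map(str, area)),
            "autype": autype, "autype_name": AUTYPE_NAMES.get(autype, "unknown")}
    if autype == 1:
        # Simple: the password itself travels in the field, NUL padded ("31 32 33 0 0 0 0 0" = "123").
        info["key"] = auth.rstrip(b"\0").decode("ascii", "replace")
    elif autype == 2:
        # MD5: the field carries key ID, digest length and sequence number; the digest follows the packet.
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, auth_len=auth_len, seq=seq)
    return info

def check_packet(pkt: bytes, local_autype: int, local_key: bytes) -> str:
    """Receiver's decision, phrased like the 'debugging ospf event' messages in the post."""
    hdr = parse_header(pkt)
    if hdr["autype"] != local_autype:
        return f"mismatch authentication type :{hdr['autype']}"
    if local_autype == 1 and hdr["key"].encode() != local_key:
        return "mismatch authentication key"
    if local_autype == 2:
        body, digest = pkt[:hdr["length"]], pkt[hdr["length"]:hdr["length"] + 16]
        # RFC 2328 Appendix D: MD5 over the packet with the key, zero-padded to 16 bytes, appended.
        if digest != hashlib.md5(body + local_key.ljust(16, b"\0")).digest():
            return "mismatch authentication key"
    return "ok"

def build_hello(autype: int, auth: bytes, key: bytes = b"") -> bytes:
    """Constructed 44-byte Hello mirroring the debug output (router 10.1.1.2, area 0); Hello body zeroed."""
    checksum = 0 if autype == 2 else 0xF09E  # 61598 in the debug output; MD5 packets carry no checksum
    pkt = HDR.pack(2, 1, 44, bytes([10, 1, 1, 2]), bytes(4), checksum, autype, auth) + bytes(20)
    if autype == 2:
        pkt += hashlib.md5(pkt + key.ljust(16, b"\0")).digest()
    return pkt

# Constructed samples: R1 with simple key 123, R2 with no authentication, R1 with MD5 key ID 1 / abcde.
R1_SIMPLE = build_hello(1, b"123".ljust(8, b"\0"))
R2_NULL = build_hello(0, bytes(8))
R1_MD5 = build_hello(2, struct.pack("!HBBI", 0, 1, 16, 1), b"abcde")
```

Running check_packet(R2_NULL, 1, b"123") gives R1's view of R2 ("mismatch authentication type :0") and check_packet(R1_MD5, 0, b"") gives R2's view of R1 ("mismatch authentication type :2"); parse_header(R1_SIMPLE) shows why simple mode is weak: the key is readable by anyone who captures the packet.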
R1:
[R1-ospf-1]qu
[R1]dis cu
#
version 5.20, Alpha 1011
#
sysname R1
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface Serial0/6/0
link-protocol ppp
ip address 3.3.3.1 255.255.255.252
ospf authentication-mode simple plain 123
#
interface Serial0/6/1
link-protocol ppp
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.2 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
ospf 1 router-id 10.1.1.2
import-route direct
area 0.0.0.0
authentication-mode simple
network 3.3.3.0 0.0.0.3
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
R2:
[R2] dis cu
#
version 5.20, Alpha 1011
#
sysname R2
#
password-control login-attempt 3 exceed lock-time 120
#
undo voice vlan mac-address 00e0-bb00-0000
#
ipsec cpu-backup enable
#
undo cryptoengine enable
#
domain default enable system
#
vlan 1
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface Serial0/6/0
link-protocol ppp
ip address 3.3.3.2 255.255.255.252
ospf authentication-mode simple plain 123
#
interface Serial0/6/1
link-protocol ppp
#
interface Serial0/6/2
link-protocol ppp
#
interface Serial0/6/3
link-protocol ppp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.3 255.255.255.255
#
interface Ethernet0/4/0
port link-mode bridge
#
interface Ethernet0/4/1
port link-mode bridge
#
interface Ethernet0/4/2
port link-mode bridge
#
interface Ethernet0/4/3
port link-mode bridge
#
interface Ethernet0/4/4
port link-mode bridge
#
interface Ethernet0/4/5
port link-mode bridge
#
interface Ethernet0/4/6
port link-mode bridge
#
interface Ethernet0/4/7
port link-mode bridge
#
ospf 1 router-id 10.1.1.3
area 0.0.0.0
authentication-mode simple
network 3.3.3.0 0.0.0.3
#
load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return