OSPF Message-Digest (MD5) Authentication: Area Authentication

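Requirements:
1. All routers run OSPF; build a virtual link so that Area 3 connects to Area 0.
2. In Area 1, configure message-digest authentication on the interfaces.
3. In Area 2, configure area-wide message-digest authentication.
4. In Area 0, configure area-wide message-digest authentication. With all of the above in place, every link must still have full connectivity!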
======================================================
Solution:
R1(config)#int s1/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 cisco

R2(config)#int s1/0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
--> Configure message-digest authentication on the interfaces in Area 1.

R1#sh ip ospf int s1/0
Serial1/0 is up, line protocol is up
Internet Address 192.168.12.1/24, Area 1
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:09
Supports Link-local Signaling (LLS)
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 4 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1
The output shows that OSPF message-digest authentication is enabled on interface s1/0.
----------------------------------------------------------------------------
R3(config)#int s1/1
R3(config-if)#ip ospf message-digest-key 1 md5 cisco1
R3(config)#router ospf 1
R3(config-router)#area 2 authentication message-digest

R4(config)#int s1/0
R4(config-if)#ip ospf message-digest-key 1 md5 cisco1 --> The keys on the two interfaces must match!
R4(config)#router ospf 1
R4(config-router)#area 2 authentication message-digest
--> Configure area-wide message-digest authentication in Area 2.

R3(config)#router ospf 1
R3(config-router)#area 2 virtual-link 4.4.4.4

R4(config)#router ospf 1
R4(config-router)#area 2 virtual-link 3.3.3.3
--> Build the virtual link between Area 0 and Area 3.

R3#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
4.4.4.4 0 FULL/ - - 192.168.34.4 OSPF_VL0
2.2.2.2 0 FULL/ - 00:00:35 192.168.23.2 Serial1/0
4.4.4.4 0 FULL/ - 00:00:31 192.168.34.4 Serial1/1
-------------------------------------------------------------------------------------
R2(config)#int s1/1
R2(config-if)#ip ospf message-digest-key 1 md5 cisco2
R2(config)#router ospf 1
R2(config-router)#area 0 authentication message-digest

R3(config)#int s1/0
R3(config-if)#ip ospf message-digest-key 1 md5 cisco2
R3(config)#router ospf 1
R3(config-router)#area 0 authentication message-digest
R3(config-router)#area 2 virtual-link 4.4.4.4 message-digest-key 1 md5 cisco3

R4(config)#router ospf 1
R4(config-router)#area 2 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco3
R4(config-router)#area 0 authentication message-digest
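--> Enable message-digest authentication in Area 0. Because a virtual link belongs to Area 0, both ends of the virtual link must then also be configured for Area 0 authentication; otherwise the virtual link goes down after a restart.
Or: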
R3(config)#router ospf 1
R3(config-router)#area 2 virtual-link 4.4.4.4 authentication null

R4(config)#router ospf 1
R4(config-router)#area 2 virtual-link 3.3.3.3 authentication null
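--> Use authentication null on the virtual link to exempt it from the Area 0 authentication (the virtual link then runs without authentication).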
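
The virtual-link pitfall above can be checked offline by comparing the authentication each end applies to the link. The following is an added example, not part of the original post: the function names and the R4_NO_AREA0 variant are hypothetical, the config text is constructed from the commands shown above, and only null and message-digest authentication are handled.

```python
import re

# Constructed sample: the "router ospf 1" sections that result from the
# commands above. R4_NO_AREA0 is a hypothetical variant used to show the fault.
R3 = """router ospf 1
 area 0 authentication message-digest
 area 2 authentication message-digest
 area 2 virtual-link 4.4.4.4 message-digest-key 1 md5 cisco3"""
R4 = """router ospf 1
 area 0 authentication message-digest
 area 2 authentication message-digest
 area 2 virtual-link 3.3.3.3 message-digest-key 1 md5 cisco3"""
R4_NO_AREA0 = R4.replace(" area 0 authentication message-digest\n", "")

VLINK = re.compile(r"^\s*area \S+ virtual-link (\S+)(.*)$", re.M)
KEY = re.compile(r"message-digest-key (\d+) md5 (\S+)")
AREA0_MD5 = re.compile(r"^\s*area 0 authentication message-digest\s*$", re.M)

def vlink_auth(config, peer_rid):
    """Return (auth_type, key_id, key) in effect on the virtual link to peer_rid."""
    # A virtual link may be spread over several config lines; merge their options.
    opts = " ".join(m.group(2) for m in VLINK.finditer(config)
                    if m.group(1) == peer_rid)
    if "authentication null" in opts:
        return ("null", None, None)   # explicit override of the area 0 setting
    if "authentication message-digest" in opts or AREA0_MD5.search(config):
        key = KEY.search(opts)
        return ("md5",) + (key.groups() if key else (None, None))
    return ("null", None, None)       # nothing enables authentication here

def check_vlink(cfg_a, rid_a, cfg_b, rid_b):
    """Compare both ends of the virtual link; return a list of findings."""
    a, b = vlink_auth(cfg_a, rid_b), vlink_auth(cfg_b, rid_a)
    if a[0] != b[0]:
        return [f"auth type mismatch: {rid_a}={a[0]} {rid_b}={b[0]}"]
    if a[0] == "null":
        return ["virtual link runs without authentication"]
    if a[1:] != b[1:]:
        return ["key id or key mismatch"]
    return []

if __name__ == "__main__":
    print(check_vlink(R3, "3.3.3.3", R4, "4.4.4.4"))
    print(check_vlink(R3, "3.3.3.3", R4_NO_AREA0, "4.4.4.4"))
```
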