Authentication - OSPF
I. Lab objectives
1. Area-based OSPF simple password authentication
2. Area-based OSPF MD5 authentication
3. Link-based OSPF simple password authentication
4. Link-based OSPF MD5 authentication
5. Frame Relay configuration
II. Lab topology
[Topology figure: OSPF area-based and link-based simple password authentication and MD5 authentication]
Area-based OSPF simple password authentication
1. Configure the Frame Relay switch
FR1(config)#no ip routing
FR1(config)#frame-relay switching
        Turn the router into a Frame Relay switch
FR1(config)#int s0/0      
FR1(config-if)#frame-relay lmi-type cisco
FR1(config-if)#frame-relay intf-type dce
FR1(config-if)#encapsulation frame-relay
FR1(config-if)#clock rate 64000
R1(config-if)#encapsulation frame-relay
The router interfaces attached to the Frame Relay switch must also be encapsulated as frame-relay.
Set the Frame Relay routes (each DLCI switching entry is configured under the interface on which that DLCI arrives, as the show output below confirms):
FR1(config-if)#frame-relay route 102 int s0/1 201
FR1(config-if)#int s0/1
FR1(config-if)#frame-relay route 201 int s0/0 102
FR1#show fram rout
Input Intf      Input Dlci      Output Intf    Output Dlci     Status
Serial0/0      102             Serial0/1       201           active
Serial0/1      201             Serial0/0       102           active
2. Test connectivity between R1 and R2
R1#ping 12.1.1.2 si 1000 repeat 1000
Type escape sequence to abort.
Sending 1000, 1000-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R1#ping 12.1.1.1                    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1 can ping the far end but not its own address, because the lookup is made against the frame-relay map rather than the routing table:
R1#show frame-relay map
Serial0/0 (up): ip 12.1.1.2 dlci 102(0x66,0x1860), dynamic,
              broadcast,, status defined, active
There is no map entry for its own address.
3. Enable area-based simple password authentication
R1(config-if)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#net 12.1.1.0 255.255.255.0 are 0.0.0.0 // IOS accepts a subnet mask here and stores it as the wildcard 0.0.0.255
R1(config-router)#net 1.1.1.0 255.255.255.0 are 0.0.0.0 // 0.0.0.0 is area 0
R1(config-router)#area 0 authentication
R1(config)#int s0/0
R1(config-if)#ip ospf authentication-key cisco // set the authentication key
Configure R2 the same way.
R2(config-if)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#net 12.1.1.0 255.255.255.0 a 0
R2(config-router)#net 2.2.2.0 255.255.255.0 a 0
R2(config-router)#area 0 authentication
R2(config)#int s0/1
R2(config-if)#ip ospf authentication-key cisco
4. At this point R1 and R2 still do not become neighbours. The reason is the network type:
R2(config-router)#do show ip ospf int s0/1
Serial0/1 is up, line protocol is up
 Internet Address 12.1.1.2/24, Area 0
 Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 64
One fix is to configure the neighbour statically under the OSPF process on each router (neighbor 12.1.1.1 on R2, neighbor 12.1.1.2 on R1):
R2(config-router)#do show ip ospf nei
Neighbor ID  Pri   State      Dead Time   Address         Interface
1.1.1.1     1   FULL/DROTHER    00:01:58    12.1.1.1        Serial0/1
Alternatively, change the network type to point-to-point on both interfaces:
R2(config-router)#int s0/1
R2(config-if)#ip ospf network point-to-point
R1(config)#int s0/0
R1(config-if)#ip ospf network point-to-point
R2(config)#do show ip ospf nei            
Neighbor ID   Pri   State     Dead Time   Address         Interface
1.1.1.1      0   FULL/ -        00:00:32    12.1.1.1        Serial0/1
R2(config)#
Note that the neighbour state after the two fixes is different, because the network types differ: NON_BROADCAST elects a DR/BDR (hence FULL/DROTHER), while POINT_TO_POINT does not (hence FULL/ -).
5. Verify the interface:
R2#show ip ospf int s0/1
Serial0/1 is up, line protocol is up
 Internet Address 12.1.1.2/24, Area 0
 Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 64
 Transmit Delay is 1 sec, State POINT_TO_POINT,
 ...
 Simple password authentication enabled // shows that simple password authentication is enabled on this interface
If only one side has authentication enabled, the following message appears:
*Mar 1 01:32:47.287: OSPF: Rcv pkt from 12.1.1.2, Serial0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1
If one side has no key configured under the interface, or the key is wrong, the following appears:
*Mar 1 01:39:49.299: OSPF: Send hello to 224.0.0.5 area 0.0.0.0 on Serial0/0 from 12.1.1.1
R1#
*Mar 1 01:39:57.439: OSPF: Rcv pkt from 12.1.1.2, Serial0/0 : Mismatch Authentication Key - Clear Text
Area-based OSPF MD5 authentication
Configure R3, R4 and FR2
FR2
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 serial restart-delay 0
 clock rate 64000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 304 interface Serial0/1 403
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 no ip route-cache
 serial restart-delay 0
 clock rate 64000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 403 interface Serial0/0 304
R3
interface Serial0/1
 ip address 34.1.1.3 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 34.1.1.4 403
R4
interface Serial0/0
 ip address 34.1.1.4 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 34.1.1.3 304
Configure OSPF MD5 authentication
R3
interface Serial0/1
ip ospf message-digest-key 1 md5 cisco
router ospf 2
 router-id 3.3.3.3
 log-adjacency-changes
 area 2 authentication message-digest
 network 3.3.3.0 0.0.0.255 area 2
 network 34.1.1.0 0.0.0.255 area 2
 neighbor 34.1.1.4
R4
interface Serial0/0
ip ospf message-digest-key 1 md5 cisco
router ospf 2
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 authentication message-digest
 network 4.4.4.0 0.0.0.255 area 2
 network 34.1.1.0 0.0.0.255 area 2
 neighbor 34.1.1.3
R3(config-router)#do show ip ospf int s0/1
Serial0/1 is up, line protocol is up
 ...
 Message digest authentication enabled
   Youngest key id is 1
The last two lines show that MD5 authentication is enabled on this interface and that the key ID in use is 1.
Link-based OSPF simple password authentication
R2
R2(config)#int e1/0
R2(config-if)#ip ospf authentication // enable authentication
R2(config-if)#ip ospf authentication-key cisco // set the key
R4
R4(config)#int e1/0
R4(config-if)#ip ospf authentication // enable authentication
R4(config-if)#ip ospf authentication-key cisco // set the key
R3(config-if)#do show ip ospf int e1/0
Ethernet1/0 is up, line protocol is up
 ...
 Simple password authentication enabled

Link-based OSPF MD5 authentication
R2
R2(config)#int e1/0
R2(config-if)#ip ospf authentication message-digest // enable MD5 authentication
R2(config-if)#ip ospf message-digest-key 1 md5 ciscoR4 // set the key
R4(config)#int e1/0
R4(config-if)#ip ospf authentication message-digest // enable MD5 authentication
R4(config-if)#ip ospf message-digest-key 1 md5 ciscoR4 // set the key
R3(config-if)#do show ip ospf int e1/0
Ethernet1/0 is up, line protocol is up
 Message digest authentication enabled
    Youngest key id is 2

Key points
1. OSPF link (interface) authentication takes precedence over area authentication.
2. OSPF defines three authentication types: 0 means no authentication and is the default; 1 means simple password authentication; 2 means MD5 authentication.
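As an added illustration of the two authentication types listed here and of the "Mismatch Authentication type" and "Mismatch Authentication Key - Clear Text" debug messages shown earlier (example code written for this page, not router configuration or IOS code): it builds a minimal OSPFv2 Hello header with AuType 1 and AuType 2 following RFC 2328 Appendix D, shows that the type 1 password can be read straight from the packet bytes while type 2 exposes only a key ID and a digest, and runs the receiver-side checks that yield those messages. The function names, the hand-made packet body and the wording of the MD5 mismatch message are assumptions; the header checksum is left at zero for brevity.

```python
import hashlib
import hmac
import struct

# OSPFv2 packet header, RFC 2328 A.3.1: version, type, length, router ID,
# area ID, checksum, AuType, 8 bytes of authentication data (24 bytes total).
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # the three AuType values from the page
HELLO = 1

def _header(rtr_id, area_id, body_len, au_type, auth_field):
    # Checksum is left at 0 (simplification; for AuType 2 the spec sets it to 0 anyway).
    return struct.pack("!BBH4s4sHH8s", 2, HELLO, 24 + body_len, rtr_id, area_id, 0, au_type, auth_field)

def simple_password_packet(rtr_id, area_id, body, password):
    # AuType 1: the password itself travels in the 8-byte authentication field, in clear.
    return _header(rtr_id, area_id, len(body), AUTH_SIMPLE, password.ljust(8, b"\0")[:8]) + body

def md5_packet(rtr_id, area_id, body, key_id, key, seq):
    # AuType 2 (RFC 2328 D.3 / D.4.3): the field carries key ID, digest length and a
    # sequence number; a 16-byte digest MD5(packet || key zero-padded to 16 bytes) is
    # appended after the packet, so the key itself never goes on the wire.
    auth_field = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(rtr_id, area_id, len(body), AUTH_MD5, auth_field) + body
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()

def au_type(pkt):
    return struct.unpack("!H", pkt[14:16])[0]

def password_on_the_wire(pkt):
    # What a packet capture of a type 1 packet reveals; None for the other types.
    return pkt[16:24].rstrip(b"\0") if au_type(pkt) == AUTH_SIMPLE else None

def key_id_on_the_wire(pkt):
    # For type 2 only the key ID (not the key) is visible, at header offset 18.
    return pkt[18] if au_type(pkt) == AUTH_MD5 else None

def verify_md5(pkt, key):
    length = struct.unpack("!H", pkt[2:4])[0]          # length excludes the digest
    expected = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")[:16]).digest()
    return hmac.compare_digest(pkt[length:length + 16], expected)

def receive(pkt, my_type, key):
    # Receiver-side checks in the order the debug output above reports them:
    # AuType first, then the key. Wording of the MD5 mismatch line is ours.
    t = au_type(pkt)
    if t != my_type:
        return f"Mismatch Authentication type. Input packet specified type {t}, we use type {my_type}"
    if my_type == AUTH_SIMPLE and pkt[16:24] != key.ljust(8, b"\0")[:8]:
        return "Mismatch Authentication Key - Clear Text"
    if my_type == AUTH_MD5 and not verify_md5(pkt, key):
        return "Mismatch Authentication Key - Message Digest"
    return "ok"
```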