9. Configuring OSPF Authentication

Network diagram: (image not reproduced here)


Configure the IP addresses and OSPF on each router, then test connectivity.

 

Check the OSPF routing tables on R1 and R2:

R1>show ip route OSPF
O IA 172.16.0.0/16 [110/193] via 192.168.1.2, 00:15:14, Serial0/0
     192.168.1.0/30 is subnetted, 3 subnets
O IA    192.168.1.8 [110/192] via 192.168.1.2, 00:15:14, Serial0/0
O IA    192.168.1.4 [110/128] via 192.168.1.2, 00:15:21, Serial0/0

 

R2>show ip route ospf
O IA 172.16.0.0/16 [110/129] via 192.168.1.6, 00:17:01, Serial0/1
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       10.1.2.1/32 [110/65] via 192.168.1.1, 00:17:01, Serial0/0
O       10.1.1.1/32 [110/65] via 192.168.1.1, 00:17:01, Serial0/0
O       10.1.0.0/16 is a summary, 00:17:01, Null0
     192.168.1.0/30 is subnetted, 3 subnets
IA    192.168.1.8 [110/128] via 192.168.1.6, 00:17:01, Serial0/1

 

Enable plain-text (simple password) authentication on R1:

R1(config)#int s0/0
R1(config-if)#ip ospf authentication
R1(config-if)#ip ospf authentication-key xiaoyang
R1(config-if)#exit

 

Turn on debugging and watch the system messages:

*Mar  1 00:21:30.371: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

R1#debug ip ospf events 
OSPF events debugging is on
R1#
*Mar  1 00:23:20.071: OSPF: Send hello to 224.0.0.5 area 1 on Serial0/0 from 192.168.1.1
*Mar  1 00:23:20.395: OSPF: Rcv pkt from 192.168.1.2, Serial0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1

 

Enable plain-text authentication on R2:

R2(config)#int s0/0
R2(config-if)#ip ospf authentication
R2(config-if)#ip ospf authentication-key xiaoyang
R2(config-if)#exit

 

Look at the debug output on R1 again:

*Mar  1 00:33:40.183: OSPF: Send hello to 224.0.0.5 area 1 on Serial0/0 from 192.168.1.1
*Mar  1 00:33:40.427: OSPF: Rcv pkt from 192.168.1.2, Serial0/0 : Mismatch Authentication Key - Clear Text
R1#
*Mar  1 00:33:50.187: OSPF: Send hello to 224.0.0.5 area 1 on Serial0/0 from 192.168.1.1
*Mar  1 00:33:50.455: OSPF: Rcv hello from 192.168.1.5 area 1 from Serial0/0 192.168.1.2
*Mar  1 00:33:50.459: OSPF: 2 Way Communication to 192.168.1.5 on Serial0/0, state 2WAY
*Mar  1 00:33:50.463: OSPF: Send DBD to 192.168.1.5 on Serial0/0 seq 0x142 opt 0x52 flag 0x7 len 32
*Mar  1 00:33:50.467: OSPF: End of hello processing
*Mar  1 00:33:50.507: OSPF: Rcv DBD from 192.168.1.5 on Serial0/0 seq 0xEDE opt 0x52 flag 0x7 len 32  mtu 1500 state EXSTART (exchange-start state)
*Mar  1 00:33:50.511: OSPF: NBR Negotiation Done. We are the SLAVE (the subordinate side)
*Mar  1 00:33:50.511: OSPF: Send DBD to 192.168.1.5 on Serial0/0 seq 0xEDE opt 0x52 flag 0x2 len 132
*Mar  1 00:33:50.519: OSPF: Rcv DBD from 192.168.1.5 on Serial0/0 seq 0xEDF opt 0x52 flag 0x3 len 132  mtu 1500 state EXCHANGE (exchange state)
*Mar  1 00:33:50.523: OSPF: Send DBD to 192.168.1.5 on Serial0/0 seq 0xEDF opt 0x52 flag 0x0 len 32
*Mar  1 00:33:50.527: OSPF: Database request to 192.168.1.5 
*Mar  1 00:33:50.527: OSPF: sent LS REQ packet to 192.168.1.2, length 12
*Mar  1 00:33:50.547: OSPF: Rcv DBD from 192.168.1.5 on Serial0/0 seq 0xEE0 opt 0x52 flag 0x1 len 32  mtu 1500 state EXCHANGE
*Mar  1 00:33:50.547: OSPF: Exchange Done with 192.168.1.5 on Serial0/0
*Mar  1 00:33:50.547: OSPF: Send DBD to 192.168.1.5 on Serial0/0 seq 0xEE0 opt 0x52 flag 0x0 len 32
*Mar  1 00:33:50.551: OSPF: Synchronized with 192.168.1.5 on Serial0/0, state FULL
*Mar  1 00:33:50.551: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from LOADING to FULL, Loading Done
*Mar  1 00:34:00.191: OSPF: Send hello to 224.0.0.5 area 1 on Serial0/0 from 192.168.1.1
*Mar  1 00:34:00.427: OSPF: Rcv hello from 192.168.1.5 area 1 from Serial0/0 192.168.1.2
*Mar  1 00:34:00.431: OSPF: End of hello processing
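The "Mismatch Authentication" lines above are the ones worth alerting on: to the routing table, a neighbor that silently fails authentication looks the same as a dead link. The following Python is an added example, not part of the original lab, that parses IOS debug/syslog lines in the format shown and reports whether each interface recovered after an authentication mismatch; the sample log is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the R1 debug lines shown above (not a live capture).
SAMPLE_LOG = """\
*Mar  1 00:21:30.371: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Mar  1 00:23:20.395: OSPF: Rcv pkt from 192.168.1.2, Serial0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1
*Mar  1 00:33:40.427: OSPF: Rcv pkt from 192.168.1.2, Serial0/0 : Mismatch Authentication Key - Clear Text
*Mar  1 00:33:50.551: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from LOADING to FULL, Loading Done
"""

ADJCHG = re.compile(r"%OSPF-5-ADJCHG: Process \d+, Nbr (\S+) on (\S+) from (\w+) to (\w+)")
AUTH_TYPE = re.compile(r"Rcv pkt from (\S+), (\S+) : Mismatch Authentication type\. "
                       r"Input packet specified type (\d+), we use type (\d+)")
AUTH_KEY = re.compile(r"Rcv pkt from (\S+), (\S+) : Mismatch Authentication Key - (.+)$")

def parse_ospf_auth_events(text):
    """Group events per interface as (kind, details); kind is down/up/change/auth_type/auth_key."""
    events = defaultdict(list)
    for line in text.splitlines():
        if m := ADJCHG.search(line):
            nbr, ifname, old, new = m.groups()
            kind = "up" if new == "FULL" else "down" if new == "DOWN" else "change"
            events[ifname].append((kind, {"nbr": nbr, "from": old, "to": new}))
        elif m := AUTH_TYPE.search(line):
            peer, ifname, theirs, ours = m.groups()
            events[ifname].append(("auth_type", {"peer": peer, "their_type": theirs, "our_type": ours}))
        elif m := AUTH_KEY.search(line):
            peer, ifname, mode = m.groups()
            events[ifname].append(("auth_key", {"peer": peer, "mode": mode.strip()}))
    return dict(events)

def interface_status(events):
    """One state per interface a monitor can alert on: did the adjacency recover after a mismatch?"""
    status = {}
    for ifname, evs in events.items():
        kinds = [k for k, _ in evs]
        mismatches = [i for i, k in enumerate(kinds) if k.startswith("auth_")]
        if not mismatches:
            status[ifname] = "no_auth_events"
        elif "up" in kinds[mismatches[-1] + 1:]:
            status[ifname] = "recovered"
        else:
            status[ifname] = "auth_mismatch_unresolved"   # alert: peer still sends wrong type/key
    return status
```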

 

Clear all authentication configuration and continue.

 

Configure MD5 (message-digest) interface authentication on R1:

R1(config)#int s0/0
R1(config-if)#ip ospf aut
R1(config-if)#ip ospf authentication message-digest 
R1(config-if)#ip ospf message-digest-key 1 md5 xiaoyang
R1(config-if)#exit

 

Check R1's routing table:

R1(config)#do show ip route     
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.2.0 is directly connected, Loopback1
C       10.1.1.0 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0

There are no OSPF-learned routes.

 

Configure MD5 interface authentication on R2:

R2(config)#int s0/0
R2(config-if)#no ip ospf au
R2(config-if)#no ip ospf authentication-k
R2(config-if)#ip ospf au me
R2(config-if)#ip ospf au message-digest 
R2(config-if)#ip ospf message-digest-key 1 md5 xiaoyang
R2(config-if)#exit

 

Observe the system messages on R1 and check its routing table:

R1(config)#
*Mar  1 00:56:20.559: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from LOADING to FULL, Loading Done
R1(config)#do show ip route
Gateway of last resort is not set

O IA 172.16.0.0/16 [110/193] via 192.168.1.2, 00:00:26, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.2.0 is directly connected, Loopback1
C       10.1.1.0 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 3 subnets
O IA    192.168.1.8 [110/192] via 192.168.1.2, 00:00:26, Serial0/0
C       192.168.1.0 is directly connected, Serial0/0
O IA    192.168.1.4 [110/128] via 192.168.1.2, 00:00:26, Serial0/0

R1 and R2 have re-established their neighbor relationship and relearned the OSPF routes.

 

Clear all authentication configuration and continue.

 

Enable area-wide plain-text authentication on R1:

R1(config)#router ospf 1
R1(config-router)#area 1 authentication (enables OSPF authentication for area 1)
R1(config-router)#exit

R1(config)#int s0/0
R1(config-if)#ip ospf authentication-key xiaoyang (plain-text key)
R1(config-if)#exit

Then, as expected, the neighbor drops again:

*Mar  1 00:03:39.603: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

 

Check R1's routing table:

R1#show ip route
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.2.0 is directly connected, Loopback1
C       10.1.1.0 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0

The OSPF routes learned earlier are gone again.

 

Now do the same on R2:

R2(config)#router ospf 1
R2(config-router)#area 1 authentication
R2(config-router)#exit
R2(config)#int s0/0                     
R2(config-if)#ip ospf authentication-key xiaoyang
R2(config-if)#exit

 

Back on R1, the neighbor comes back up:

R1#
*Mar  1 00:10:01.143: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from LOADING to FULL, Loading Done
R1#show ip route
Gateway of last resort is not set

O IA 172.16.0.0/16 [110/193] via 192.168.1.2, 00:00:31, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.2.0 is directly connected, Loopback1
C       10.1.1.0 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 3 subnets
O IA    192.168.1.8 [110/192] via 192.168.1.2, 00:00:31, Serial0/0
C       192.168.1.0 is directly connected, Serial0/0
O IA    192.168.1.4 [110/128] via 192.168.1.2, 00:00:31, Serial0/0

 

Clear all authentication configuration and continue.

 

Configure MD5 area authentication on R1 and R2:

R1(config)#router ospf 1
R1(config-router)#area 1 authentication message-digest
R1(config-router)#exit
R1(config)#int s0/0
R1(config-if)#ip ospf message-digest-key 1 md5 xiaoyang  
R1(config-if)#exit

*Mar  1 00:02:10.059: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.5 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

 

R2(config)#router ospf 1
R2(config-router)#area 1 authentication message-digest
R2(config-router)#exit
R2(config)#int s0/0
R2(config-if)#ip ospf message-digest-key 1 md5 xiaoyang
R2(config-if)#exit
R2(config)#
*Mar  1 00:04:31.379: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.2.1 on Serial0/0 from LOADING to FULL, Loading Done

Once both sides are configured correctly, everything works normally.

 

Clear all authentication configuration and continue.

 

Configuring an MD5 key change. This is mainly used when retiring an old key and bringing a new one into service (it applies equally to area MD5 authentication):

R1(config)#int s0/0
R1(config-if)#ip ospf authentication message-digest
R1(config-if)#ip ospf message-digest-key 1 md5 xiaoyang1
R1(config-if)#ip ospf message-digest-key 2 md5 xiaoyang2
R1(config-if)#exit

 

When two MD5 key commands are present on the interface, the R2 router sends two copies of each packet, one authenticated with key 1 and one with key 2.
Once the new key 2 is in use, the old key 1 can be removed with the no form of the command, completing the migration from the old key to the new one.
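To make concrete what ip ospf message-digest-key <id> md5 <key> puts on the wire, and why two keys can coexist during a key change, here is an added Python example (not from the original lab). It builds the OSPF cryptographic authentication trailer as RFC 2328 Appendix D describes it (MD5 over the packet followed by the 16-byte, zero-padded key, which the receiver selects by the Key ID carried in the header) and shows a receiver accepting key 1 and key 2 while both are configured, then rejecting key 1 once it is removed. Router ID 10.1.2.1 and area 1 come from the lab; the key table, packet body and sequence numbers are constructed.

```python
import hashlib
import hmac
import socket
import struct
AUTYPE_CRYPTO = 2   # OSPF AuType 2: cryptographic (MD5) authentication
# Constructed key table for the rollover scenario: key 1 (old) and key 2 (new) both active.
ROLLOVER_KEYS = {1: b"xiaoyang1", 2: b"xiaoyang2"}

def _pad_key(key: bytes) -> bytes:
    # Digest = MD5(packet || 16-byte key); a shorter key is zero-padded (RFC 2328 D.3).
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\x00")

def build_md5_packet(router_id, area_id, body, key_id, key, seq, pkt_type=1):
    """OSPF header (RFC 2328 A.3.1) + body + 16-byte MD5 trailer appended after it."""
    length = 24 + len(body)                        # length field excludes the trailer
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # 0, Key ID, Auth Data Len, crypto seq
    header = struct.pack("!BBH4s4sHH", 2, pkt_type, length, socket.inet_aton(router_id),
                         socket.inet_aton(area_id), 0, AUTYPE_CRYPTO) + auth  # checksum = 0
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()

def verify_md5_packet(data, key_table, last_seq=None):
    """Return (accepted, reason, seq); the receiver picks its key by the Key ID field."""
    autype = struct.unpack("!H", data[14:16])[0]
    if autype != AUTYPE_CRYPTO:
        return False, f"Mismatch Authentication type: got {autype}, we use 2", None
    length = struct.unpack("!H", data[2:4])[0]
    key_id, auth_len, seq = struct.unpack("!xxBBI", data[16:24])
    if auth_len != 16 or len(data) != length + 16:
        return False, "bad authentication data length", None
    key = key_table.get(key_id)
    if key is None:
        return False, f"no key configured for key id {key_id}", None
    expected = hashlib.md5(data[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return False, "Mismatch Authentication Key - Message Digest", None
    if last_seq is not None and seq < last_seq:   # non-decreasing sequence blocks replay
        return False, "sequence number went backwards (replay)", None
    return True, "ok", seq

def rollover_demo():
    """Both keys accepted while both are configured; key 1 rejected once it is removed."""
    old = build_md5_packet("10.1.2.1", "0.0.0.1", b"hello", 1, ROLLOVER_KEYS[1], 10)
    new = build_md5_packet("10.1.2.1", "0.0.0.1", b"hello", 2, ROLLOVER_KEYS[2], 11)
    both = (verify_md5_packet(old, ROLLOVER_KEYS)[0], verify_md5_packet(new, ROLLOVER_KEYS)[0])
    after = {2: ROLLOVER_KEYS[2]}   # equivalent of 'no ip ospf message-digest-key 1'
    return both + (verify_md5_packet(old, after)[0],)
```

Note that the trailer is an unkeyed MD5 over packet plus secret, not an HMAC; it is what the protocol specifies, and the sequence number is the only replay protection.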
