OSPF authentication lab: using area authentication and interface authentication
【Lab objective】OSPF authentication has two parts: area authentication and interface authentication; the two must be configured together to take effect. This lab demonstrates how to use OSPF authentication: we enable authentication in area 0 and configure the matching authentication on the interfaces.
【Configuration steps】
(1) The full configuration is given at the end of the lab; the topology is as follows:
(2) Area authentication configuration:
[R1-ospf-1-area-0.0.0.0]authentication-mode simple
[R2-ospf-1-area-0.0.0.0]authentication-mode simple
(3) Interface authentication configuration:
[R1-S0/6/0]ospf authentication-mode simple plain 123
[R2-S0/6/0]ospf authentication-mode simple plain 123
【Test results】
(1) Before any authentication is enabled, observe the neighbor relationship between R1 and R2:
[R1]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.2
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address     Pri  Dead-Time  Interface  State
10.1.1.3        3.3.3.2     1    40         S0/6/0     Full/ -
[R2]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.3
Neighbor Brief Information
Area: 0.0.0.0
Router ID       Address     Pri  Dead-Time  Interface  State
10.1.1.2        3.3.3.1     1    38         S0/6/0     Full/ -
(2) When R1 has authentication enabled but R2 does not, neither side lists a neighbor any more:
[R1]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.2
Neighbor Brief Information
[R1]
[R2]dis ospf peer
OSPF Process 1 with Router ID 10.1.1.3
Neighbor Brief Information
After enabling debugging ospf packet on both R1 and R2, we see that each router keeps sending Hello packets: in R1's packets the AuType field is 01, while in R2's packets it is 00. According to the documentation, AuType 00 means no authentication, 01 means simple (plaintext) authentication, and 02 means MD5 authentication.
R1:
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:OSPF 1: SEND Packet.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Source Address: 3.3.3.1
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Destination Address: 224.0.0.5
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Ver# 2, Type: 1, Length: 44.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Router: 10.1.1.2, Area: 0.0.0.0, Checksum: 61598.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:AuType: 01, Key(ascii): 31 32 33 0 0 0 0 0.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Net Mask: 255.255.255.252, Hello Int: 10, Option: _E_.
*Jan 16 21:44:26:62 2013 R1 RM/6/RMDEBUG:Rtr Priority: 1, Dead Int: 40, DR: 0.0.0.0, BDR: 0.0.0.0.
R2:
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:OSPF 1: SEND Packet.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Source Address: 3.3.3.2
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Destination Address: 224.0.0.5
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Ver# 2, Type: 1, Length: 44.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Router: 10.1.1.3, Area: 0.0.0.0, Checksum: 61598.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:AuType: 00, Key(ascii): 0 0 0 0 0 0 0 0.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Net Mask: 255.255.255.252, Hello Int: 10, Option: _E_.
*Jan 16 21:45:11:484 2013 R2 RM/6/RMDEBUG:Rtr Priority: 1, Dead Int: 40, DR: 0.0.0.0, BDR: 0.0.0.0.
(3) Once both devices use simple authentication, the neighbor relationship comes up normally.
(4) Next, change the authentication mode on both routers to MD5 and check again:
[R1-ospf-1-area-0.0.0.0]authentication-mode md5
[R2-ospf-1-area-0.0.0.0]authentication-mode md5
(5) Interface authentication configuration:
[R1-S0/6/0]ospf authentication-mode md5 1 cipher abcde
[R2-S0/6/0]ospf authentication-mode md5 1 cipher abcde
After this configuration the neighbor relationship is still established.
Additional notes:
When the passwords on the two sides differ:
debugging ospf packet shows packets being sent continuously;
debugging ospf event reports the following error: OSPF 1 :OSPF received packet with mismatch authentication key.
If R1 is configured with MD5 authentication while R2 is configured with
then debugging ospf event shows:
R1 OSPF 1 :OSPF received packet with mismatch authentication type :0.
R2 OSPF 1 :OSPF received packet with mismatch authentication type :2.
R1's debugging output says: the peer's packet has no authentication, I have no way to negotiate with it!
R2's debugging output says: the peer's packet uses MD5 authentication, I have no way to negotiate with it! Dear, did you get the configuration wrong? Hehe.
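To make the AuType values and the two mismatch messages above concrete, here is an added example (my own code, not from the original lab or from the H3C software) that builds OSPFv2 Hello packets like the ones in the debug output, parses the common header, and applies the receiver-side checks in the order a router reports them: authentication type, checksum, then key. Note in the built packet that simple authentication carries the password itself, NUL-padded to 8 bytes, in cleartext (Key(ascii): 31 32 33 ... is just "123"), which is why MD5 is preferred; the MD5 case is only modelled by its AuType here, the hash itself is not computed.

```python
import struct
from socket import inet_aton, inet_ntoa

# OSPFv2 common header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType, 8-byte authentication field. AuType 0 = null, 1 = simple, 2 = MD5.
HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple", 2: "md5"}

def internet_checksum(data: bytes) -> int:
    """One's-complement checksum; OSPF computes it with the 8-byte auth field excluded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_hello(router_id: str, autype: int, key: bytes = b"", area: str = "0.0.0.0") -> bytes:
    """Constructed Hello like the lab's: /30 mask, Hello 10, Dead 40, option E, no DR/BDR."""
    body = struct.pack("!4sHBBI4s4s", inet_aton("255.255.255.252"), 10, 0x02, 1, 40,
                       b"\0" * 4, b"\0" * 4)
    fixed = struct.pack("!BBH4s4sHH", 2, 1, HDR.size + len(body),
                        inet_aton(router_id), inet_aton(area), 0, autype)
    csum = 0 if autype == 2 else internet_checksum(fixed + body)  # MD5 mode: checksum unused
    fixed = fixed[:12] + struct.pack("!H", csum) + fixed[14:]
    # Simple auth puts the password itself, NUL-padded to 8 bytes, into the packet in cleartext.
    return fixed + key.ljust(8, b"\0")[:8] + body

def parse_header(pkt: bytes) -> dict:
    ver, ptype, length, rid, area, csum, autype, auth = HDR.unpack_from(pkt)
    return {"ver": ver, "type": ptype, "len": length, "router": inet_ntoa(rid),
            "area": inet_ntoa(area), "csum": csum, "autype": autype,
            "autype_name": AUTYPE.get(autype, "unknown"), "auth": auth}

def check_auth(pkt: bytes, local_autype: int, local_key: bytes = b"") -> str:
    """Receiver-side checks (AuType, checksum, key) mirroring the lab's debug messages."""
    h = parse_header(pkt)
    if h["autype"] != local_autype:
        return "mismatch authentication type :%d" % h["autype"]
    # Header bytes 16..24 are the auth field and are left out of the checksum.
    if local_autype != 2 and internet_checksum(pkt[:16] + pkt[24:]) != 0:
        return "bad checksum"
    if local_autype == 1 and h["auth"] != local_key.ljust(8, b"\0")[:8]:
        return "mismatch authentication key"
    return "ok"
```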
R1:
[R1-ospf-1]qu
[R1]dis cu
#
 version 5.20, Alpha 1011
#
 sysname R1
#
 password-control login-attempt 3 exceed lock-time 120
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 ipsec cpu-backup enable
#
 undo cryptoengine enable
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface Serial0/6/0
 link-protocol ppp
 ip address 3.3.3.1 255.255.255.252
 ospf authentication-mode simple plain 123
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.1.2 255.255.255.255
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
#
interface Ethernet0/4/5
 port link-mode bridge
#
interface Ethernet0/4/6
 port link-mode bridge
#
interface Ethernet0/4/7
 port link-mode bridge
#
ospf 1 router-id 10.1.1.2
 import-route direct
 area 0.0.0.0
  authentication-mode simple
  network 3.3.3.0 0.0.0.3
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return
R2:
[R2] dis cu
#
 version 5.20, Alpha 1011
#
 sysname R2
#
 password-control login-attempt 3 exceed lock-time 120
#
 undo voice vlan mac-address 00e0-bb00-0000
#
 ipsec cpu-backup enable
#
 undo cryptoengine enable
#
 domain default enable system
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface Serial0/6/0
 link-protocol ppp
 ip address 3.3.3.2 255.255.255.252
 ospf authentication-mode simple plain 123
#
interface Serial0/6/1
 link-protocol ppp
#
interface Serial0/6/2
 link-protocol ppp
#
interface Serial0/6/3
 link-protocol ppp
#
interface NULL0
#
interface LoopBack0
 ip address 10.1.1.3 255.255.255.255
#
interface Ethernet0/4/0
 port link-mode bridge
#
interface Ethernet0/4/1
 port link-mode bridge
#
interface Ethernet0/4/2
 port link-mode bridge
#
interface Ethernet0/4/3
 port link-mode bridge
#
interface Ethernet0/4/4
 port link-mode bridge
#
interface Ethernet0/4/5
 port link-mode bridge
#
interface Ethernet0/4/6
 port link-mode bridge
#
interface Ethernet0/4/7
 port link-mode bridge
#
ospf 1 router-id 10.1.1.3
 area 0.0.0.0
  authentication-mode simple
  network 3.3.3.0 0.0.0.3
#
 load xml-configuration
#
user-interface con 0
user-interface vty 0 4
#
return