Before IOS 12.0, if authentication was configured on any one interface within an OSPF area, every interface of every other router in that area also had to be configured with authentication.
From IOS 12.0 onward, authentication can be configured on a single interface by itself, independently of the other routers in the area.
Command syntax:
ip ospf authentication-key password
ip ospf message-digest-key key-id md5 password
password: used for password authentication on a specific interface, area or Virtual Link. A string of 1-8 characters.
key-id: identifies the key used for the MD5 digest. Valid range 1-255.
key-id matching is checked from the smallest ID to the largest. The largest ID is called the youngest-id.
key-ids are per interface and per Virtual-link: each interface has its own key-id range, and the key-ids of different interfaces are independent of one another.
When OSPF receives an OSPF packet:
1> It checks whether the authentication type in the packet matches the configuration of the receiving interface, link or area. 0 means no authentication, 1 plaintext authentication, 2 MD5 authentication.
2> It checks whether the password in the packet matches; for MD5 authentication it starts from the smallest key-id and stops at the first match. If nothing matches, no adjacency can be formed.
Both ends of the link must be configured with the same password and key-id.
Part I. Area-level plaintext authentication
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf authentication-key cisco
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication
!
--------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf authentication-key cisco
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication
!
++++++++++++++++++++++++++++++
service password-encryption
show ip ospf neighbor
debug ip ospf events
++++++++++++++++++++++++++++++
Part II. Area-level MD5 authentication
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication message-digest
!
---------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication message-digest
!
Part III. Area-level MD5 key rollover
Because MD5 authentication, on receipt, tries the passwords in the authentication key pool one after another (key-id from smallest to largest), several passwords can be configured at the same time, which allows a smooth transition from one password to the next.
1> Add the new password
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication message-digest
!
---------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication message-digest
!
2> Remove the old password
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
no ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication message-digest
!
---------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
no ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication message-digest
!
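As an added example (not part of the original page), the following Python model walks through the receive-side checks listed at the top of the page and the Part III key rollover, following RFC 2328 Appendix D: the AuType field is compared with the interface's configured type, a plaintext password is compared byte for byte, and for MD5 the key is located by the key-id carried in the packet (which is why a missing key yields the "No message digest key N on interface" message quoted later in Part X) before the digest MD5(packet || key) is recomputed. The packet builder, the key names and the shape of the `iface` dictionary are this example's own assumptions, not IOS internals.

```python
import hashlib
import struct

# Constructed, simplified model of the OSPFv2 receive-side authentication checks
# (RFC 2328 Appendix D). Packet layout: 16-byte header, 8-byte auth field, body,
# and for MD5 a 16-byte digest appended after the packet (not counted in length).
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2

def build_packet(auth_type, auth_field, body=b"\x00" * 20):
    """Header: version 2, type 1 (Hello), length, router-id 10.0.0.1, area 0, checksum 0."""
    hdr = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                      bytes([10, 0, 0, 1]), b"\x00" * 4, 0, auth_type)
    return hdr + auth_field + body

def sign_md5(key_id, key, seq, body=b"\x00" * 20):
    """Sender: auth field = 0x0000, key-id, digest length 16, sequence number;
    digest = MD5(packet || key zero-padded to 16 bytes)."""
    pkt = build_packet(AUTH_MD5, struct.pack("!HBBI", 0, key_id, 16, seq), body)
    return pkt + hashlib.md5(pkt + key.encode().ljust(16, b"\x00")).digest()

def verify(packet, iface):
    """Receiver. iface = {'type': 0|1|2, 'key': <plaintext pw>, 'keys': {key_id: pw}}."""
    auth_type = struct.unpack("!H", packet[14:16])[0]
    if auth_type != iface["type"]:                      # step 1>: AuType must match
        return "Mismatch Authentication type"
    if auth_type == AUTH_NULL:
        return "ok"
    if auth_type == AUTH_SIMPLE:                        # step 2>, plaintext: 8-byte compare
        ok = packet[16:24] == iface["key"].encode().ljust(8, b"\x00")
        return "ok" if ok else "Mismatch Authentication Key"
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", packet[16:24])
    length = struct.unpack("!H", packet[2:4])[0]
    key = iface["keys"].get(key_id)                     # key selected by the packet's key-id
    if key is None:                                     # e.g. key-id 0 sent on a virtual link
        return f"Mismatch Authentication Key - No message digest key {key_id} on interface"
    expected = hashlib.md5(packet[:length] + key.encode().ljust(16, b"\x00")).digest()
    return "ok" if packet[length:length + auth_len] == expected else "Mismatch Authentication Key"

def rollover_demo():
    """Part III: key 2 added beside key 1 (both accepted), then key 1 removed (old key rejected)."""
    both = {"type": AUTH_MD5, "keys": {1: "cisco", 2: "cisco2"}}
    only_new = {"type": AUTH_MD5, "keys": {2: "cisco2"}}
    old, new = sign_md5(1, "cisco", 1), sign_md5(2, "cisco2", 1)
    return verify(old, both), verify(new, both), verify(old, only_new), verify(new, only_new)

if __name__ == "__main__":
    print(rollover_demo())
```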
Part IV. Interface-level plaintext authentication
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
!
--------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
!
Part V. Interface-level MD5 authentication
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
!
---------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
!
Part VI. Interface-level MD5 key rollover
Because MD5 authentication, on receipt, tries the passwords in the authentication key pool one after another (key-id from smallest to largest), several passwords can be configured at the same time, which allows a smooth transition from one password to the next.
1> Add the new password
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
!
---------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
!
2> Remove the old password
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf authentication message-digest
no ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
!
---------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf authentication message-digest
no ip ospf message-digest-key 1 md5 cisco
ip ospf message-digest-key 2 md5 cisco2
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
!
Part IX. Disabling authentication on a single interface (MD5/plaintext)
!
host r1
!
int s1/0
description conn_to_r2
ip add 192.168.1.1 255.255.255.0
ip ospf authentication-key cisco
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 0
area 0 authentication
!
--------------------------------------------
!
host r2
!
int s1/0
description conn_to_r1
ip add 192.168.1.2 255.255.255.0
ip ospf authentication-key cisco
!
int s1/1
description conn_to_r3
ip add 192.168.2.1 255.255.255.0
ip ospf authentication null
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 0
net 192.168.2.0 0.0.0.255 area 0
area 0 authentication
!
---------------------------------------------
!
host r3
!
int s1/0
description conn_to_r2
ip add 192.168.2.2 255.255.255.0
!
router ospf 100
router-id 10.0.0.3
net 192.168.2.0 0.0.0.255 area 0
!
Part X. Authentication on a Virtual Link
Command syntax:
area transit-area-id virtual-link router-id message-digest-key key-id md5 password
!
host r3
!
int s1/0
description conn_to_area_0
ip add 192.168.0.2 255.255.255.0
ip ospf message-digest-key 1 md5 cisco0
!
router ospf 100
router-id 10.0.0.3
net 192.168.0.0 0.0.0.255 area 0
area 0 authentication message-digest
!
--------------------------------------------
!
host r1
!
int s1/0
description conn_to_area_1
ip add 192.168.1.1 255.255.255.0
!
int s1/1
description conn_to_area_0
ip add 192.168.0.1 255.255.255.0
ip ospf message-digest-key 1 md5 cisco0
!
router ospf 100
router-id 10.0.0.1
net 192.168.1.0 0.0.0.255 area 1
net 192.168.0.0 0.0.0.255 area 0
area 0 authentication message-digest
area 1 virtual-link 10.0.0.2 message-digest-key 1 md5 cisco1
!
++++++++++++++++++++++++++++++++++++++++++
Only the one password used for verification needs to be configured here, because the virtual link is built from area 0 through area 1, and area 0 has already been configured to require MD5 authentication.
Without the final area 1 virtual-link 10.0.0.2 message-digest-key 1 md5 cisco1 command, the router would by the rules send packets using key-id 0; the far end of the virtual link cannot have a password entry with key-id 0, since the usable key-id range is 1-255. The far end then shows:
*Mar 1 00:28:34.043: OSPF: Rcv pkt from 192.168.1.1, OSPF_VL0 : Mismatch Authentication Key - No message digest key 0 on interface
++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------
!
host r2
!
int s1/0
ip add 192.168.1.2 255.255.255.0
!
int s1/1
ip add 192.168.2.1 255.255.255.0
!
router ospf 100
router-id 10.0.0.2
net 192.168.1.0 0.0.0.255 area 1
net 192.168.2.0 0.0.0.255 area 2
area 1 virtual-link 10.0.0.1 authentication message-digest
area 1 virtual-link 10.0.0.1 message-digest-key 1 md5 cisco1
!
----------------------------------------------