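Lab objective:
Compare authentication in RIP, EIGRP and OSPF
Lab topology:
Lab steps:
RIP authentication:
Step 1: In global configuration mode, configure the key chain:
key chain ccnp //define the key chain
key 1
key-string cisco //the key on the key chain, i.e. the password.
Step 2: On the interface, reference the key chain:
R1(config-if)#ip rip authentication key-chain ccnp //reference the key chain
Step 3: On the interface, select the authentication type (plaintext/ciphertext):
R1(config-if)#ip rip authentication mode text (plaintext; this is the default, so the command can be omitted)
R1(config-if)#ip rip authentication mode md5 (ciphertext)
Plaintext authentication:
R1 configuration: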
key chain ccie
key 1
key-string cisco
interface Serial1/1
ip address 192.168.12.1 255.255.255.0
ip rip authentication key-chain ccie
ip rip authentication mode text //system default
serial restart-delay 0
When only one side is configured, the following error is displayed:
*Jun 4 10:16:39.031: RIP: ignored v2 packet from 192.168.12.2 (invalid authentication)
MD5 authentication:
R2 configuration:
key chain ccie
key 1
key-string cisco
interface Serial1/1
ip address 192.168.12.2 255.255.255.0
ip rip authentication key-chain ccie
ip rip authentication mode md5
serial restart-delay 0
R2#show ip route rip
1.0.0.0/32 is subnetted, 1 subnets
R 1.1.1.1 [120/1] via 192.168.12.1, 00:00:03, Serial1/0
I don't know why the authentication information cannot be seen in the debug output.
R2#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 8 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
Serial1/0 2 2 ccie
Loopback0 2 2
Loopback2 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
2.0.0.0
22.0.0.0
192.168.12.0
Routing Information Sources:
Gateway Distance Last Update
192.168.12.1 120 00:00:17
Distance: (default is 120)
EIGRP authentication: (only MD5 authentication is supported)
R1#show run int s1/1
Building configuration...
Current configuration : 168 bytes
!
interface Serial1/1
ip address 192.168.12.1 255.255.255.0
ip authentication mode eigrp 1 md5 //note that this differs from the RIP command
ip authentication key-chain eigrp 1 ccie
serial restart-delay 0
end
debug ip eigrp notifications
R2(config-router)#
*Jun 4 10:29:43.347: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (Serial1/0) is up: new adjacency
R2(config-router)#
*Jun 4 10:31:07.435: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (Serial1/0) is down: Interface Goodbye received
R2(config-router)#
*Jun 4 10:31:11.991: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (Serial1/0) is up: new adjacency
R2(config-router)#
*Jun 4 10:31:33.775: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.1 (Serial1/0) is down: Auth failure
After R2 has been fully configured, the debug output on R1:
R1#debug ip eigrp notifications
IP-EIGRP Event notification debugging is on
R1#
*Jun 4 10:36:43.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.12.2 (Serial1/1) is up: new adjacency
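OSPF authentication:
There are 3 authentication types:
1. No authentication (default)
2. Plaintext authentication
3. MD5 authentication
R2: plaintext authentication: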
interface Serial1/0
ip address 192.168.12.2 255.255.255.0
ip ospf authentication-key ccie
serial restart-delay 0
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
area 0 authentication
Once this is configured, the following messages appear:
R2#
*Jun 4 10:43:32.083: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Jun 4 10:43:32.391: OSPF: Rcv pkt from 192.168.12.1, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1
R2#
*Jun 4 10:43:38.903: OSPF: Send hello to 224.0.0.5 area 0 on Serial1/0 from 192.168.12.2
R2#
*Jun 4 10:43:42.359: OSPF: Rcv pkt from 192.168.12.1, Serial1/0 : Mismatch Authentication type. Input packet specified type 0, we use type 1
Ciphertext authentication:
Only R2's configuration was changed
R2(config-if)#
*Jun 4 10:49:12.331: OSPF: Rcv pkt from 192.168.12.1, Serial1/0 : Mismatch Authentication type. Input packet specified type 1, we use type 2
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
area 0 authentication message-digest
interface Serial1/0
ip address 192.168.12.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
serial restart-delay 0
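
An added example, not part of the original lab notes: a small Python audit that reads interface stanzas like the ones above and reports which interfaces still use plaintext routing authentication (the RIP default when only a key chain is applied, and OSPF with `ip ospf authentication-key`). The sample config, the interface names in it and the function names `audit` and `plaintext_findings` are constructed for illustration; the OSPF mode is inferred from the interface commands only, not from the area setting.

```python
import re

# Constructed sample config, modelled on the lab's interface commands.
SAMPLE = """\
interface Serial1/1
 ip rip authentication key-chain ccie
interface Serial1/2
 ip rip authentication key-chain ccie
 ip rip authentication mode md5
interface Serial1/3
 ip authentication mode eigrp 1 md5
interface Serial1/0
 ip ospf authentication-key ccie
interface Serial2/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
router ospf 1
 area 0 authentication
"""

def audit(config):
    """Map each interface to {protocol: 'text' | 'md5'} from its auth commands."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate indented and flattened configs
        if line.startswith("interface "):
            current = result.setdefault(line.split(None, 1)[1], {})
        elif current is None or re.match(r"router |key chain |end$|!", line):
            current = None  # outside any interface stanza
        elif line.startswith("ip rip authentication key-chain"):
            current.setdefault("rip", "text")  # RIP defaults to mode text
        elif line == "ip rip authentication mode md5":
            current["rip"] = "md5"
        elif re.match(r"ip authentication mode eigrp \d+ md5", line):
            current["eigrp"] = "md5"
        elif line.startswith("ip ospf authentication-key"):
            current.setdefault("ospf", "text")  # OSPF type 1 key
        elif line.startswith(("ip ospf authentication message-digest",
                              "ip ospf message-digest-key")):
            current["ospf"] = "md5"  # OSPF type 2
    return result

def plaintext_findings(config):
    """Sorted (interface, protocol) pairs that still use plaintext authentication."""
    return sorted((i, p) for i, protos in audit(config).items()
                  for p, mode in protos.items() if mode == "text")

print(plaintext_findings(SAMPLE))
```

In plaintext mode the key is carried unprotected in every routing packet, so each pair this reports is a candidate for moving to the MD5 commands shown in the lab.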